1 / 45

Leveraging Continuous View to Hunt Malware

Leveraging Continuous View to Hunt Malware. Why hunt for malware?. Malware is another form of vulnerable software that has been introduced into your network.

elden
Download Presentation

Leveraging Continuous View to Hunt Malware

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Leveraging Continuous View to Hunt Malware

  2. Why hunt for malware? Malware is another form of vulnerable software that has been introduced into your network. Hunting modern malware is much more about enterprise vulnerability and configuration auditing that traditional anti-virus agent based discovery. At one end of the spectrum, finding an open port can make you fail a compliance audit. On the other end of the spectrum, you can have a fully patched systems with a RAT, Trojan, botnet, .etc on it. Traditional Vulnerability Management

  3. Unique Underlying Architecture Advanced Analytics Connectors for Complete Context Massive App Library Updated Daily. Unique Sensors100% Asset Discovery Dashboard and Report Designer YOUR NETWORK

  4. Port Scans • Botnet • Malware • System Tests • Real-time Ports • User Agents • Network Logs • DNS & Web Queries • Netflow • Process Logs • Botnet • Anomalies

  5. 2D Dashboards • Data mining • 3D Visualization • Spreadsheets • Command Line Tools

  6. Topics Sweet Orange RedKit ComFoo RAT Zeus P2P Neutrino Tenable Botnet/Malware Detection Technology

  7. Sweet Orange Exploit Kit Hunting for IP Addresses http://www.malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/

  8. URI associated withsystems redirected to Sweet orange web pages List of IP addressesassociated with SweetOrange

  9. Create watchlist

  10. LCE has events (mostly from PVS) to these IPs

  11. Example URI from blog: The sniffed URIs match URI !!! Detected query with PVS:

  12. RedKit Indicators from May 2013DHS Weekly Synopsis Product

  13. Are we hosting RedKit content? • Keyword search for PVS plugin 7039 • Generic SC searches for Nessus scan results Manual search of hosted URL/URI content in any result, including port Independent PVS 7039

  14. Did someone query RedKitcontent? • Search LCE proxy logs • Search PVS Web logs • Search PVS & DNS logs • Search PVS logs: Example Domain_Summary query Refine search to avoid generic match

  15. Comfoo RAT Secrets of the Comfoo Masters http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/

  16. Look for failed credential Nessus scans • “ipnat” running in system logs

  17. PVS will log the queries andthey can be discoverable asshown below.

  18. Nessus web scan results – which ports? • PVS web scan sniffingresults – all ports!

  19. PVS plugin 2 – client side usage • PVS plugin 16 – outbound client side usage

  20. The detected port traffic on 1688 was bittorrent

  21. <custom_item> type: AUDIT_POWERSHELL description: "Comfoo Masters - ServiceDLL Check" value_type: POLICY_TEXT value_data: "(cmmos.dll|jacpet.dll|javadb.dll|mszlobm.dll|netfram.dll|netman.dll|ntdapie.dll|ntdelu.dll|ntobm.dll|odbm.dll|senss.dll|suddec.dll|tabcteng.dll|vmmreg32.dll|wininete.dll)”powershell_args  : "Get-ItemProperty HKLM:\system\CurrentControlSet\Services\*\Parameters | select PSPath,ServiceDll | format-list" check_type : CHECK_NOT_REGEX powershell_option : CAN_BE_NULL </item> Search registry for evidence of Comfoo.

  22. <custom_item>  type           : AUDIT_POWERSHELL  description: "Comfoo Masters - Find DLLs" value_type : POLICY_TEXT value_data : "" powershell_option: CAN_BE_NULL powershell_args: "get-childitem -recurse c:\ -include cmmos.dll,jacpet.dll,javadb.dll,mszlobm.dll,netfram.dll,netman.dll,ntdapie.dll,ntdelu.dll,ntobm.dll,odbm.dll,senss.dll,suddec.dll,tabcteng.dll,vmmreg32.dll,wininete.dll -erroractionsilentlycontinue|selectdirectory,name|format-list" </custom_item> Search file system for evidence of Comfoo.

  23. 257 domain names • Powerful command-line search • associative-search.sh • Searches DNS, MD5& SSL • https://discussions.nessus.org/message/19698#19698 • Ran 1 hour to search all domain names across 6 months of data

  24. ZeuS-P2P http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf

  25. Infected computer has BOTH UDPand TCP ports open between 10,000 and 30,000

  26. Manually finding systems with TCP and UDP ports between 10,000 and 30,000 is tricky. Need to save a list of IPs with UDP 10,000 to 30,000 and then filter that list with a TCP filter of 10,000 to 30,000 Filter on an asset list of IPs with UDP ports 10k to 30k for those IPs with TCP ports in the same range.

  27. These hashes were already part of the malware cloud database; i.e., Nessus or LCE Client would have found these.

  28. Neutrino A New Exploit Kit in Neutrino http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/

  29. Neutrino Take IPs from blog post and createa SecurityCenter watchlist named Neutrino Also Covered at MalwareSigshttp://www.malwaresigs.com/2013/08/29/30-days-of-neutrino-domainsips/

  30. Search for any hits in past 30 days and then do a port summary to see port 8000 activity. Extend search to 50 days and see some more activity.

  31. VirusTotal claimed the following DNS names were in use by Neutrino on various dates

  32. On Aug 5, we saw lots of queries for ifjtjdhcywssbhdxk.dyndns-mail.comrecorded by the PVS. This DNS name was NOT on the list from the blog for Aug 5thnor any other day, but was very close. Differences in DNS names at VirusTotal and in “live” use can result from many things including variants and different behaviors based on where it is run.

  33. Tenable Botnet/Malware Detection Technology

  34. Tenable Botnet/Malware Detection Technology Passive Web Traffic Analysis Malicious Process Detection Botnet Detection based on IP reputation

  35. PVS passively logs all DNS lookups, web queries and network traffic in real-time. This event indicates there have been nine web queries in the past 30 days which were related to known botnet activity.

  36. These are the nine queries, each one to a known malicious botnet or malware related site.

  37. Nessus scans identify malicious processes with cross-industry index of known bad hashes

  38. LCE Windows agents perform malware detection on all running processes.

  39. The LCE checks all IDS, login, netflow & PVS logs against a botnet reputation database

  40. Nessus checks systems for active botnet connections, settings and content

  41. Nessus also identifies systems running unique and unknown processes

  42. Each of these checks, and many others, is leveraged by real-time dashboards to identify malware

More Related