
Instant Situational Awareness: Finding Malware like a HoneyBadger


Presentation Transcript


  1. Instant Situational Awareness: Finding Malware like a HoneyBadger John ‘JB’ Bisaillon, CISSP Digital Scepter Corporation

  2. About the Presenter • John ‘JB’ Bisaillon, CISSP • Sales Engineer for Digital Scepter • Previously: • Sr. Information Assurance Engineer for DoD contractor • Nationwide technical trainer of penetration testing and ‘ethical hacking’ courses

  3. About Digital Scepter • Boutique Security-Focused Systems Integrator and Value-Added Reseller • http://digitalscepter.com

  4. What is a HoneyBadger? • “The world’s most fearless creature” according to the Guinness Book of World Records • Going up against a nest of bees or a king cobra: “I don’t care” attitude

  5. Agenda • The Need for Instant Situational Awareness • Malware capabilities and uses • Malware behavior • Evidence of malware infection • Introducing a new tool that can find evidence of malware on your network in 15 seconds And plenty of demos…

  6. Reality…Nothing is 100% foolproof • Prevention will ultimately fail • Zero-day malware • Misconfiguration/design • Human error/social engineering • Therefore you must continuously monitor and detect security breaches ‘Unsinkable’ Titanic

  7. You Need Instant Situational Awareness • What apps/processes/services are running? • What network connections exist? • Who is logged on? • What config changes have just occurred? • Ideally you want this information from all the machines in your network, and fast!

  8. Malware is Constantly Evolving • Good guys can’t keep up with new threats in terms of signatures… • You need to understand how malware behaves and use this info to detect security breaches • What if you could easily write ‘sensors’ that look for malware behavior on all your machines in just a few seconds? That would give you situational awareness (stay tuned!)

  9. Malware Distribution Methods • E-Mail Attachments & Links • Web downloads for Freeware Software • Browser and E-mail Software Bugs (‘drive-by downloads’) • Physical Access/ Storage Media (CDs, USB drives) • Peer to Peer File Sharing • Network Shares • IM / IRC Chat Rooms • Usenet Newsgroups

  10. Malware Capabilities • Remote Access / Backdoors • Password stealing & sending • Keyloggers • Surveillance • Destruction of data • Denial Of Service • Spamming • Security software detection and termination

  11. Evasive Network Communications • SSL encryption • Port hopping • Tunneling • Anonymizers/circumventors • Proxies • Encoding and obfuscation

  12. Ultimate Purposes of Malware • Industrial espionage / Intellectual property theft • Nation-state cyber warfare • Monetary gain • Hacktivism • Just for Fun? - not so important nowadays

  13. Finding Malware • You first need to know what it does in order to look for evidence of it. • But how do you know what a piece of malware does? • You could execute it yourself in a sandboxed environment and monitor: • New network connections • New processes • Registry changes • File system changes • Etc…

  14. Sample Zero-Day Malware Analysis • Wildfire feature found on Palo Alto Networks firewalls

  15. Sample Palo Alto Networks Wildfire Report

  16. Common Behaviors We Can Look For • AutoStart methods • New listening ports • Weakened OS security • Weakened web browser security • New executable or dll files in Windows System directory • New services

  17. AutoStart Methods Modifications to any of these can cause malware to keep running after reboots: • System files (autoexec.bat, system.ini, win.ini, etc.) • Registry keys • Startup folder
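One way to turn the registry-key item above into a checkable "sensor", as an added example that is not part of the presentation or any Tanium content: parse a `reg export` of the `Run` key and flag values whose image runs from outside the Windows and Program Files trees, from a user-writable location, or carries a Windows system binary name in the wrong directory. The export text, the trusted-directory list, the environment-variable defaults and the heuristics are all constructed assumptions for the example.

```python
"""Flag suspicious AutoStart (Run key) entries in a .reg export.

Added example (not from the presentation). Input is assumed to be the text
that 'reg export HKLM\\...\\CurrentVersion\\Run' writes; the sample below is
constructed, and the directory heuristics are assumptions, not a vendor list.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape 'reg export' produces (backslashes and
# quotes inside values are escaped with a backslash).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"svchost"="C:\\Users\\Public\\svchost.exe"
"Updater"="C:\\Users\\jb\\AppData\\Local\\Temp\\upd.exe /s"
'''

REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Assumed defaults for the environment variables commonly seen in Run values.
ENV_DEFAULTS = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
                "%programfiles%": "C:\\Program Files"}
# Directories a legitimate autostart image is expected to live under (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments that indicate a user-writable location (assumption).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\")
# Names of core Windows binaries that malware commonly borrows.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def reg_unescape(s: str) -> str:
    """Undo .reg escaping: a backslash makes the following character literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_key(export_text: str) -> List[Tuple[str, str]]:
    """Return (value name, command line) pairs from the export text."""
    entries = []
    for line in export_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            entries.append((reg_unescape(m.group(1)), reg_unescape(m.group(2))))
    return entries


def image_path(command: str) -> str:
    """Extract the executable path from a command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def expand(path: str) -> str:
    """Replace a leading environment variable with its assumed default."""
    lowered = path.lower()
    for var, val in ENV_DEFAULTS.items():
        if lowered.startswith(var):
            return val + path[len(var):]
    return path


def assess(command: str) -> List[str]:
    """Return the reasons an autostart command looks suspicious (empty if none)."""
    path = expand(image_path(command)).lower()
    reasons = []
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("image outside Windows/Program Files")
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("image in user-writable location")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARIES and not path.startswith("c:\\windows\\"):
        reasons.append(f"{base} masquerading outside C:\\Windows")
    return reasons


def find_suspicious_autoruns(export_text: str) -> Dict[str, List[str]]:
    """Map each suspicious value name to its list of reasons."""
    findings = {}
    for name, command in parse_run_key(export_text):
        reasons = assess(command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_autoruns(SAMPLE_REG_EXPORT).items():
        print(f"{name}: {', '.join(reasons)}")
```

The same parser applies to an export of the `RunOnce` key or of the HKCU `Run` key; the trusted-directory heuristic is deliberately coarse, so treat its output as a triage list to confirm against a known-good baseline rather than as a verdict.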

  18. Process Monitoring Software • Listing running processes and associated DLLs and attributes can help identify malicious software. • One should become familiar with standard Windows processes so that suspicious processes can be easily identified. • Beware that malware will often rename its process with the same name that an existing Windows process uses! Process Monitoring Software: • Process Viewer • Process Monitor • Process Explorer • Task Manager
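The "become familiar with standard Windows processes" advice can be encoded as a check, shown here as an added example that is not from the presentation: each core process is compared against its expected image directory and parent, and unknown names within a small edit distance of a core name (a common look-alike trick) are flagged. The process snapshot is constructed; the expected-directory and expected-parent table is an assumption drawn from commonly documented Windows process relationships, so adjust it to the Windows versions you actually run.

```python
"""Audit a process snapshot against expected Windows process properties.

Added example, not from the presentation. The snapshot is constructed in the
shape a tasklist/Process Explorer export would give (pid, ppid, name, path);
the EXPECTED table is an assumption, not an authoritative Microsoft list.
"""
from typing import Dict, List, Optional, Tuple

# Expected image directory and parent for a few core processes (assumption).
EXPECTED: Dict[str, Dict[str, Optional[str]]] = {
    "svchost.exe":  {"dir": "c:\\windows\\system32", "parent": "services.exe"},
    "lsass.exe":    {"dir": "c:\\windows\\system32", "parent": "wininit.exe"},
    "services.exe": {"dir": "c:\\windows\\system32", "parent": "wininit.exe"},
    "explorer.exe": {"dir": "c:\\windows", "parent": None},  # parent normally exited
}

# Constructed snapshot: a normal chain plus a renamed binary and a look-alike name.
SAMPLE_PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": ""},
    {"pid": 500,  "ppid": 400,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600,  "ppid": 500,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 640,  "ppid": 500,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 800,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1500, "ppid": 1200, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 2200, "ppid": 1500, "name": "svchost.exe",  "path": r"C:\Users\Public\svchost.exe"},
    {"pid": 2300, "ppid": 1500, "name": "scvhost.exe",  "path": r"C:\Windows\System32\scvhost.exe"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_processes(procs: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every process that breaks an expectation."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        directory = p["path"].lower().rsplit("\\", 1)[0] if "\\" in p["path"] else ""
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        rule = EXPECTED.get(name)
        if rule:
            if directory != rule["dir"]:
                findings.append((p["pid"], name, f"runs from {directory!r}, expected {rule['dir']!r}"))
            if rule["parent"] and parent_name != rule["parent"]:
                findings.append((p["pid"], name, f"parent is {parent_name!r}, expected {rule['parent']!r}"))
        else:
            # Unknown name: is it a near-miss of a core process name?
            for known in EXPECTED:
                if 0 < levenshtein(name, known) <= 2:
                    findings.append((p["pid"], name, f"name resembles {known!r}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit_processes(SAMPLE_PROCESSES):
        print(f"PID {pid} {name}: {reason}")
```

Running this against a live host only needs a collector that fills the same four fields; on Windows that could be `tasklist` plus a WMI query for the parent PID and image path, which is the part a Tanium-style sensor would ship to every endpoint.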

  19. Port Monitoring Software • To quickly reveal what active connections are established, as well as any listening ports, use the built-in netstat command • When a suspicious port is found, use one of the following tools to map the open port to a running executable and process name or ID: • Port Explorer • Fport • TCPView (Screenshot caption: Beast trojan running on port 6666)
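The netstat-then-map-to-process workflow on this slide, as an added example that is not part of the presentation: parse `netstat -ano` style output, report every TCP listener that is not on a baseline port list, and attach the owning PID, its process name and any established connections that same PID holds (a listener that is also calling out is worth a closer look). The netstat text, the PID-to-name table and the baseline port set are constructed for the example; the port 6666 listener mirrors the Beast screenshot on the slide.

```python
"""Find unexpected TCP listeners in netstat -ano output and map them to PIDs.

Added example, not from the presentation. The netstat text below is
constructed in the column layout 'netstat -ano' prints on Windows; the
PID-to-name table and the baseline ports are assumptions for the example.
"""
from typing import Dict, List, Set

# Constructed sample of 'netstat -ano' output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       2200
  TCP    [::]:135               [::]:0                 LISTENING       880
  TCP    10.0.0.5:49712         203.0.113.9:443        ESTABLISHED     2200
  TCP    10.0.0.5:49713         203.0.113.9:443        ESTABLISHED     3100
  UDP    0.0.0.0:5353           *:*                                    1700
"""

# Constructed PID-to-image map, as 'tasklist' or TCPView would provide.
SAMPLE_PID_NAMES = {4: "System", 880: "svchost.exe", 2200: "svchost.exe",
                    3100: "chrome.exe", 1700: "mDNSResponder.exe"}

# Ports this (assumed) workstation baseline says may listen.
BASELINE_PORTS: Set[int] = {135, 139, 445, 3389}


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat -ano lines into dicts; TCP rows have a state, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # unexpected column count; skip rather than mis-parse
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def port_of(addr: str) -> int:
    """Port from 'host:port', including bracketed IPv6 like '[::]:135'."""
    return int(addr.rsplit(":", 1)[1])


def find_unexpected_listeners(netstat_text: str, pid_names: Dict[int, str],
                              baseline_ports: Set[int]) -> List[dict]:
    """Return one finding per TCP listener whose port is not in the baseline."""
    rows = parse_netstat(netstat_text)
    findings = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "LISTENING":
            continue
        port = port_of(r["local"])
        if port in baseline_ports:
            continue
        # Established connections owned by the same PID: a listener that
        # also talks outbound is a stronger signal than a listener alone.
        outbound = sorted({x["remote"] for x in rows
                           if x["pid"] == r["pid"] and x["state"] == "ESTABLISHED"})
        findings.append({"port": port, "pid": r["pid"],
                         "process": pid_names.get(r["pid"], "<unknown>"),
                         "outbound": outbound})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_listeners(SAMPLE_NETSTAT, SAMPLE_PID_NAMES, BASELINE_PORTS):
        print(f"port {f['port']} <- PID {f['pid']} ({f['process']}), outbound: {f['outbound']}")
```

The baseline set is the important input: generate it from a clean build rather than guessing, and note that a process named svchost.exe owning a non-baseline port is exactly the case the earlier slides warn about, so the finding should be joined with the process-path check rather than dismissed by name.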

  20. Advanced Trojans: Process Injection • Some trojans like Back Orifice and Beast inject their DLL process into some other running process • The result is that the trojan is harder to detect as their process doesn’t show up in Task Manager • Countermeasures: • Use a hidden process viewer like Inzider • Prevent injection using Process Guard

  21. BackDoor: SubSeven SubSeven is a backdoor program that enables hackers to gain full access to Windows systems through a network connection. The attacker can delete and modify files, kill running processes, start new processes, capture keystrokes, and even image the remote system’s desktop.

  22. Advanced Trojans: Beast • Beast is a powerful trojan incorporating DLL injection • It has built-in anti-virus killing features • The client, server, and server editor are contained in one file

  23. Search for Evidence Everywhere, Instantly • What if you could search for evidence not on a single machine, but for thousands of machines at the same time? And get the results back in just seconds?

  24. Radical Topology

  25. Run Scripts to Find Evidence using Tanium

  26. Time for Live Demos • Running VMs that are already infected…

  27. Suspicious AutoRun Registry Entries

  28. Suspicious Network Connections

  29. Suspicious Processes
