Presentation on theme: "Leveraging Continuous View to Hunt Malware. Why hunt for malware? Scanned services Unauthorized systems Patches Config Unauthorized software Malware Malware."— Presentation transcript:
Leveraging Continuous View to Hunt Malware
Why hunt for malware? Scanned services Unauthorized systems Patches Config Unauthorized software Malware Malware is another form of vulnerable software that has been introduced into your network. Hunting modern malware is much more about enterprise vulnerability and configuration auditing that traditional anti-virus agent based discovery. At one end of the spectrum, finding an open port can make you fail a compliance audit. On the other end of the spectrum, you can have a fully patched systems with a RAT, Trojan, botnet,.etc on it. Traditional Vulnerability Management
Advanced Analytics Massive App Library Updated Daily. Dashboard and Report Designer Connectors for Complete Context Unique Sensors 100% Asset Discovery YOUR NETWORK Unique Underlying Architecture
Port Scans Botnet Malware System Tests Real-time Ports User Agents Network Logs DNS & Web Queries Netflow Process Logs Botnet Anomalies
2D Dashboards Data mining 3D Visualization Spreadsheets Command Line Tools
Topics Sweet Orange RedKit ComFoo RAT Zeus P2P Neutrino Tenable Botnet/Malware Detection Technology
Hunting for IP Addresses http://www.malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/ Sweet Orange Exploit Kit
List of IP addresses associated with Sweet Orange URI associated with systems redirected to Sweet orange web pages
LCE has events (mostly from PVS) to these IPs
Example URI from blog: Detected query with PVS: The sniffed URIs match URI !!!
Indicators from May 2013 DHS Weekly Synopsis Product RedKit
Keyword search for PVS plugin 7039 Generic SC searches for Nessus scan results Manual search of hosted URL/URI content in any result, including port Independent PVS 7039 Are we hosting RedKit content?
Did someone query RedKit content? Search LCE proxy logs Search PVS Web logs Search PVS & DNS logs Refine search to avoid generic match Search PVS logs: Example Domain_Summary query
Secrets of the Comfoo Masters http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ Comfoo RAT
Look for failed credential Nessus scans “ipnat” running in system logs
PVS will log the queries and they can be discoverable as shown below.
Nessus web scan results – which ports? PVS web scan sniffing results – all ports!
PVS plugin 2 – client side usage PVS plugin 16 – outbound client side usage
The detected port traffic on 1688 was bittorrent
type : AUDIT_POWERSHELL description: "Comfoo Masters - Find DLLs" value_type : POLICY_TEXT value_data : "" powershell_option: CAN_BE_NULL powershell_args: "get-childitem -recurse c:\ -include cmmos.dll,jacpet.dll,javadb.dll,mszlobm.dll,netfram. dll,netman.dll,ntdapie.dll,ntdelu.dll,ntobm.dll,odbm.dl l,senss.dll,suddec.dll,tabcteng.dll,vmmreg32.dll,wini nete.dll -erroraction silentlycontinue|select directory,name|format-list" Search file system for evidence of Comfoo.
257 domain names Powerful command-line search associative-search.sh Searches DNS, MD5 & SSL https://discussions.nessus.org/ message/19698#19698 Ran 1 hour to search all domain names across 6 months of data
Infected computer has BOTH UDP and TCP ports open between 10,000 and 30,000
Manually finding systems with TCP and UDP ports between 10,000 and 30,000 is tricky. Need to save a list of IPs with UDP 10,000 to 30,000 and then filter that list with a TCP filter of 10,000 to 30,000 Filter on an asset list of IPs with UDP ports 10k to 30k for those IPs with TCP ports in the same range.
These hashes were already part of the malware cloud database; i.e., Nessus or LCE Client would have found these.
A New Exploit Kit in Neutrino http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/ Neutrino
Also Covered at MalwareSigs http://www.malwaresigs.com/2013/08/29/30-days-of-neutrino-domainsips/ http://www.malwaresigs.com/2013/08/29/30-days-of-neutrino-domainsips/ Neutrino Take IPs from blog post and create a SecurityCenter watchlist named Neutrino
Search for any hits in past 30 days and then do a port summary to see port 8000 activity. Search for any hits in past 30 days and then do a port summary to see port 8000 activity. Extend search to 50 days and see some more activity.
VirusTotal claimed the following DNS names were in use by Neutrino on various dates
On Aug 5, we saw lots of queries for ifjtjdhcywssbhdxk.dyndns-mail.com recorded by the PVS. This DNS name was NOT on the list from the blog for Aug 5 th nor any other day, but was very close. Differences in DNS names at VirusTotal and in “live” use can result from many things including variants and different behaviors based on where it is run.
Tenable Botnet/Malware Detection Technology
Passive Web Traffic Analysis Malicious Process Detection Botnet Detection based on IP reputation
PVS passively logs all DNS lookups, web queries and network traffic in real-time. This event indicates there have been nine web queries in the past 30 days which were related to known botnet activity.
These are the nine queries, each one to a known malicious botnet or malware related site.
Nessus scans identify malicious processes with cross-industry index of known bad hashes
LCE Windows agents perform malware detection on all running processes.
The LCE checks all IDS, login, netflow & PVS logs against a botnet reputation database
Nessus checks systems for active botnet connections, settings and content
Nessus also identifies systems running unique and unknown processes
Each of these checks, and many others, is leveraged by real- time dashboards to identify malware