Malware detection with OSSEC

Presentation on theme: "Malware detection with OSSEC"— Presentation transcript:

1 Malware detection with OSSEC
@santiagobassett

2 Setting up a malware lab
Collection
Analysis
Detection

3 Malware collection techniques
Honeypots
Web spiders / honeyclients
Malware crawlers

4 Honeypot
Dionaea: low interaction honeypot that emulates vulnerable network services (written in C).

nmap dionaea
Starting Nmap 6.00 ( ) at :04 PDT
Nmap scan report for dionaea ( XXX)
Host is up (0.070s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
42/tcp   open  nameserver
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds

5 Honeypot results
Captured 126 unique binaries in 3 months
Highly detected by clamav (80%)

clamscan *
022aeb126d2d80e683f7f2a3ee920874: Trojan.Spy FOUND
05800e1eb e4c946d4a0fecb: Backdoor.Floder-3 FOUND
c0bc9ba51222c165f2d61: Worm.Autorun-7683 FOUND
0682f3dfbdab7c040ac9307c50792d0a: Trojan.Buzus-9369 FOUND
074b815d9ded01b516a62e3b739caa10: Win.Trojan.Agent FOUND
07fea c5addc20e237cdd0f0: Win.Trojan.Jorik-1388 FOUND
ff5a8b8bfa4e25cbaa524: Worm.Autorun-7516 FOUND
0a9f1cd12f1b34ca71fa585e87e91c7d: OK
0b4c ee a49b8: Win.Trojan.Injector-8166 FOUND
0feae931ee71a495614f14f3c1d37246: Trojan.Mybot-5073 FOUND
10ec7cb47314a2c08decb25e53fedcfa: Trojan.Injector-558 FOUND
1205a52e42687c922aa4d3700d778398: Trojan.Kazy-1372 FOUND
12fb a7797c2d02df29b57c640: Trojan.Spy FOUND
16b0357b804d9651d9057b61d78bee08: Win.Trojan.Agent FOUND
1a813b6ea08a47f2997e2e4215eba96b: WIN.Trojan.IRCBot-1225 FOUND

----------- SCAN SUMMARY -----------
Known viruses:
Engine version:
Scanned directories: 0
Scanned files: 126
Infected files: 101
Data scanned: MB
Data read: MB (ratio 0.97:1)
Time: sec (0 m 56 s)

6 Honeyclient
Thug: low interaction honeyclient, used to detect drive-by-download attacks (Python).
Thug emulates:
Core browser functionality
ActiveX controls
Browser plugins

7 Drive-by download attack

8 Honeyclient results

./thug.py webgalleriet.no/
[ :58:31] [HTTP] URL: (Status: 200, Referrer:
[ :58:31] [HTTP] URL: (Content-type: application/javascript, MD5: d484fa08997df765852c6ad283ec52c6)
[ :58:31] <iframe align="center" frameborder="no" height="2" name="Twitter" scrolling="auto" src=" width="2"></iframe>
[ :58:31] [iframe redirection] ->
[ :58:31] [URL Classifier] URL: (Rule: Redkit 1, Classification: Landing page, Exploit Kit)

9 Malware crawlers
Retrieve files using malware tracking sites.
(Python) (Python)

10 Malware tracking site

11 Malware crawlers results
Captured 345 unique binaries in 15 minutes
Poorly detected by clamav (16%)

clamscan *
02d36dff08b63b123d2d2a36089e3d97: OK
03a6ac145099cf77bf5c7af : OK
03e49fb415aacf9d2c90821ff : OK
0568a72d4c5a2eb510207ca45b8d8799: OK
06ddb91e1d5f056590dfeef71a2da264: JS.Iframe-2 FOUND
074fbceca8fe84bae582a7a114b2ce94: HTML.Iframe-63 FOUND
acc370f2adec7869b9bc5bc5c: OK
08d53833d032d71c1e7ffd3cddcd2a5e: JS.Iframe-2 FOUND
0ac790c459a0ef9bb a2d57: OK
0cc1c5c2ef510bd9f587abbc402d04a3: OK
0e3c692048a35c06ffe81a473ffd1d41: OK
136264a09b94bf8f08278b0045a84905: OK
13e78b2bab4a0ae9a3c2003d3f004dd1: JS.Obfus-31 FOUND

----------- SCAN SUMMARY -----------
Known viruses:
Engine version:
Scanned directories: 0
Scanned files: 235
Infected files: 38
Data scanned: MB
Data read: MB (ratio 1.14:1)
Time: sec (4 m 14 s)

12 Malware database - Viper
Binary analysis and management framework (Python).

13 Static Analysis - Yara
Flexible, human-readable rules for identifying malicious streams. Can be used to analyze:
files
memory (volatility)
network streams

private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii
        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii
    condition:
        all of ($winrar*) and 1 of ($str*)
}

14 Static Analysis - Yara

rule APT1_WEBC2_TABLE
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $msg1 = "Fail To Execute The Command" wide ascii
        $msg2 = "Execute The Command Successfully" wide ascii
        $gif1 = /\w+\.gif/
        $gif2 = "GIF89" wide ascii
    condition:
        3 of them
}

viper > find name 3f2fda43121d888428b66717b984a7fb
| # | Name | Mime | MD5 | Tags |
| 1 | 3F2FDA43121D888428B66717B984A7FB | application/x-dosexec | 3f2fda43121d888428b66717b984a7fb | apt |

viper > open -l 1
[*] Session opened on /home/santiago/viper/binaries/6/a/f/2/6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e

viper 3F2FDA43121D888428B66717B984A7FB > yara scan
[*] Scanning 3F2FDA43121D888428B66717B984A7FB (6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e)
| Rule | String | Offset | Content |
| APT1_WEBC2_TABLE | $msg1 | | Fail To Execute The Command |
| APT1_WEBC2_TABLE | $msg2 | | Execute The Command Successfully |
| APT1_WEBC2_TABLE | $gif1 | | sdwefa.gif |
| APT1_WEBC2_TABLE | $gif1 | | dwefa.gif |
| APT1_WEBC2_TABLE | $gif1 | | wefa.gif |
| APT1_WEBC2_TABLE | $gif1 | | efa.gif |
| APT1_WEBC2_TABLE | $gif1 | | fa.gif |
| APT1_WEBC2_TABLE | $gif1 | | a.gif |
| APT1_WEBC2_TABLE | $gif2 | | GIF |

viper 3F2FDA43121D888428B66717B984A7FB > yara rules
| # | Path |
| 1 | data/yara/hangover.yara |
| 2 | data/yara/citizenlab.yara |
| 3 | data/yara/APT_NGO_wuaclt_PDF.yara |
| 4 | data/yara/kins.yara |
| 5 | data/yara/themask.yara |
| 6 | data/yara/vmdetect.yara |
| 7 | data/yara/index.yara |
| 8 | data/yara/GeorBotBinary.yara |
| 9 | data/yara/leverage.yar |
| 10 | data/yara/apt1.yara |
| 11 | data/yara/GeorBotMemory.yara |
| 12 | data/yara/rats.yara |
| 13 | data/yara/embedded.yara |
| 14 | data/yara/urausy_skypedat.yar |
| 15 | data/yara/fpu.yara |

15 Static Analysis – Trojan Dropper

viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe sections
[*] PE Sections:
| Name | RVA | VirtualSize | RawDataSize | Entropy |
| .text | 0x1000 | 0xbe8f | | |
| .rdata | 0xd000 | 0x | | |
| .data | 0xf000 | 0x19cb8 | | |
| .CRT | 0x29000 | 0x | | |
| .rsrc | 0x2a000 | 0x7fd | | |

viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe imports
...
[*] DLL: ADVAPI32.dll
    - 0x40d000: RegCloseKey
    - 0x40d004: RegOpenKeyExA
    - 0x40d008: RegQueryValueExA
    - 0x40d00c: RegCreateKeyExA
    - 0x40d010: RegSetValueExA

viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe compiletime
[*] Compile Time: :27:58

viper 0A37D49E798F50C8F1010D5CFDE0E851 > yara scan
[*] Scanning 0A37D49E798F50C8F1010D5CFDE0E851 (dbf c9d900e69ea2a108f d299b511265b78620a b)

viper 0A37D49E798F50C8F1010D5CFDE0E851 > fuzzy
[*] 1 relevant matches found
| Score | Name | SHA |
| 68% | 003EE3D21DF AE976F8BA67CC | 2803fba5fbe908f c2a387caef8f00a5f0f194bfc6b4d9f89026d53621 |

viper 0A37D49E798F50C8F1010D5CFDE0E851 > virustotal
[*] VirusTotal Report:
| Antivirus | Signature |
| nProtect | Trojan.Downloader.JKVR |
| McAfee | Artemis!0A37D49E798F |
| K7GW | Trojan-Downloader |
| NANO-Antivirus | Trojan.Win32.Agent.hbmsz |
| Symantec | Downloader |
| TotalDefense | Win32/FakeDoc_i |
| TrendMicro-HouseCall | TROJ_DLOADER.VTG |
| Avast | Win32:Trojan-gen |
| ClamAV | Trojan.Downloader |
| Kaspersky | Trojan-Downloader.Win32.Agent.thb |
| BitDefender | Trojan.Downloader.JKVR |
| Agnitum | Trojan.DL.Agent!virRS0ijj7k |
| Emsisoft | Trojan.Downloader.JKVR (B) |
| Comodo | TrojWare.Win32.TrojanDownloader.Agent.thb_30 |
| F-Secure | Trojan.Downloader.JKVR |
| TrendMicro | TROJ_DLOADER.VTG |
| McAfee-GW-Edition | Artemis!0A37D49E798F |
| Sophos | Troj/DwnLdr-IYR |
| Jiangmin | TrojanDownloader.Agent.boly |
| Antiy-AVL | Trojan/Win32.Agent.gen |
| Microsoft | TrojanDownloader:Win32/Pingbed.A |
| Commtouch | W32/Downloader.NIHT |
| AhnLab-V | Dropper/Malware |
| VBA | TrojanDownloader.Agent |
| ESET-NOD | a variant of Win32/Agent.TUJ |
| Fortinet | W32/Scar.SJU!tr |
| AVG | Downloader.Agent2.HEL |
| Panda | Trj/Downloader.MDW |

16 Fuzzy hash match info

17 Dynamic Analysis - Cuckoo
Automated malware analysis. Runs binary files in virtual machines to study their behavior.
Traces Win32 API calls
Files created, deleted and downloaded
Memory dumps of malicious processes
Network traffic pcaps
Integrated with yara, virustotal and volatility among other tools.
Supports VirtualBox, KVM and VMware.

18 Dynamic Analysis – Trojan Dropper

19 Behavioral Analysis – Filesystem

20 Behavioral Analysis – Filesystem

21 Behavioral Analysis – Network

22 Behavioral Analysis – Network

23 Behavioral Analysis – Network

sudo tcpdump -s 0 -XX -AA -nn -r dump.pcap | grep -A
reading from file dump.pcap, link-type EN10MB (Ethernet)
23:32: IP > : /0/0 A (50)
        0x0000:  f165 0a                                  '#.e..'.....E.
        0x0010:  004e eca d11 97d c0a8                    .N
        0x0020:  f9c7 003a ef52 d12f                      g.5...:.R./....
        0x0030:
23:32: IP > : Flags [S], seq , win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
        0x0000:  0a f                                     '.....'#.e..E.
        0x0010:  ab a c0a fe9
        0x0020:  9b06 c00e be7 3c9f                       P..<
        0x0030:  2000 e b
23:32: IP > : Flags [S], seq , win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
        0x0010:  c c0a fe9
23:32: IP > : Flags [S], seq , win 8192, options [mss 1460,nop,nop,sackOK], length 0
        0x0010:  dc ed c0a fe9
        0x0020:  9b06 c00e be7 3c9f                       P..<.....p.
        0x0030:  2000 f63a b :

24 Behavioral Analysis – Registry

25 Memory Analysis - Volatility

vol.py psxview --profile=Win7SP1x86 -f memory.dmp
Volatility Foundation Volatility Framework 2.4
Offset(P)  Name           PID  pslist psscan thrdproc pspcid csrss session deskthrd
0x7b6fa500 audiodg.exe         True   False  True     True   True  True    True
0x7b7afd40 sppsvc.exe          True   False  True     True   True  True    True
0x779fb808 svchost.exe         True   False  True     True   True  True    True
0x7b7be710 svchost.exe         True   False  True     True   True  True    True
0x7c4ea7d8 VBoxService.ex      True   False  True     True   True  True    True
0x7b6f4030 svchost.exe         True   False  True     True   True  True    True
0x7b7bb618 svchost.exe         True   False  True     True   True  True    True
0x7cd99a58 AcroRD32.exe        True   False  True     True   True  True    True
0x7b4fa030 SearchIndexer       True   False  True     True   True  True    True
0x7b94a858 taskhost.exe        True   False  True     True   True  True    True

vol.py memdump --profile=Win7SP1x86 -f memory.dmp -D ./ -p 3080
************************************************************************
Writing AcroRD32.exe [ 3080] to 3080.dmp

strings 3080.dmp | grep -i garyhart
w.garyhart.com
st:
tp://

26 Memory Analysis - Yara

yara /home/santiago/viper/data/yara/apt1.yara 3080.dmp
APT1_WEBC2_UGX 3080.dmp

rule APT1_WEBC2_UGX
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
        $exe = "DefWatch.exe" wide ascii
        $html = "index1.html" wide ascii
        $cmd1 = wide ascii
        $cmd2 = wide ascii
        $cmd3 = wide ascii
    condition:
        3 of them
}

27 OSSEC - Rootcheck
Used for rootkit and malware detection. It can be used to:
Look for suspicious files.
Inspect files and registry keys for common rootkit/malware entries.
Look for hidden processes and network ports.

28 OSSEC – Rule for Trojan Dropper

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S \Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;
p:r:AcroRD32.exe;

/var/ossec/etc/shared/win_malware_rcl.txt
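To make the rule semantics concrete, here is an added example (not OSSEC's own code) that evaluates a rootcheck-style rule against a constructed host snapshot: it parses the header and the f:/r:/p: checks, treats the r: prefix on values as a regex, and applies the [all] condition, so the rule fires only when the dropped file, the Run entry and the process are all present. The SID in the HKEY_USERS path is a placeholder, since the slide elides it, and the key/entry matching is a simplification of what the agent does.

```python
import re

# Rootcheck rule in the slide's format; the HKEY_USERS SID is a placeholder (the slide elides it).
RULE = r"""
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;
p:r:AcroRD32.exe;
"""
# Constructed host snapshots standing in for what the agent inspects (files, Run entries, processes).
RUN_KEY = r"HKEY_USERS\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run"
INFECTED = {
    "files": {r"C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe"},
    "registry": {RUN_KEY: {"Acroread": r"C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe"}},
    "processes": {"explorer.exe", "AcroRD32.exe"},
}
# Same Run entry and process name, but the dropped file is gone: with [all] the rule must not fire.
CLEAN = {"files": set(), "registry": INFECTED["registry"], "processes": INFECTED["processes"]}

def parse_rule(text):
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    name, mode, ref = re.match(r"\[(.+?)\]\s*\[(all|any)\]\s*\[(.*?)\]", lines[0]).groups()
    checks = []
    for line in lines[1:]:
        kind, body = line.rstrip(";").split(":", 1)          # f:, r: or p:
        checks.append((kind, [p.strip() for p in body.split("->")]))
    return name, mode, ref, checks

def matches(pattern, value):
    # rootcheck marks regex patterns with an r: prefix; anything else is a literal
    if pattern.startswith("r:"):
        return re.search(pattern[2:], value, re.I) is not None
    return pattern.lower() == value.lower()

def check_hits(kind, parts, snap):
    if kind == "f":
        return any(matches(parts[0], f) for f in snap["files"])
    if kind == "r":
        key, entry, value = parts
        entries = {k.lower(): v for k, v in snap["registry"].items()}.get(key.lower(), {})
        return any(matches(entry, e) and matches(value, v) for e, v in entries.items())
    if kind == "p":
        return any(matches(parts[0], p) for p in snap["processes"])
    raise ValueError(f"unsupported check type {kind!r}")

def evaluate(rule_text, snap):
    # returns (rule name, reference, fired) for one rule against one snapshot
    name, mode, ref, checks = parse_rule(rule_text)
    hits = [check_hits(kind, parts, snap) for kind, parts in checks]
    return name, ref, all(hits) if mode == "all" else any(hits)
```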

29 OSSEC – Alert for Trojan Dropper

alienvault:/var/ossec/bin# ./rootcheck_control -L -i 001

Policy and auditing events for agent 'Windows7 (001) ':

Resolved events:
** No entries found.

Last scan: 2014 Sep 12 18:54:24
Windows Audit: Null sessions allowed.
Windows Malware: Trojan Dropper. File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference: 0A37D49E798F50C8F1010D5CFDE0E851 .

30 Demo – Alert for Trojan Dropper

31 Future Work
Use/create Cuckoo signatures to identify different malware patterns (droppers, downloaders, trojans, rootkits, …)
Create Cuckoo reporting module to report (JSON) on those patterns that OSSEC can detect.
Python tool to parse module output and generate rootcheck rules.
Add/improve OSSEC malware detection capabilities.
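A sketch of the third item, as an added example rather than the author's tool: it reads a constructed JSON fragment shaped after a Cuckoo behaviour summary (the layout is an assumption, not an actual Cuckoo report), keeps the files dropped outside the OS tree, the Run-key entries and the process names the sample produced, and emits a rootcheck rule in the format of the slide 28 rule. The SID in the Run key is a placeholder.

```python
import json
import ntpath
import re

# Constructed report fragment shaped after a Cuckoo behaviour summary; the layout is an
# assumption for this example, and the SID in the Run key is a placeholder.
REPORT = json.loads(r'''{
  "target": {"file": {"md5": "0a37d49e798f50c8f1010d5cfde0e851"}},
  "behavior": {
    "summary": {
      "files": ["C:\\Users\\IEUser\\AppData\\Local\\Temp\\AcroRD32.exe",
                "C:\\Windows\\System32\\kernel32.dll"],
      "keys": ["HKEY_USERS\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Acroread",
               "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"]
    },
    "processes": [{"process_name": "sample.exe"}, {"process_name": "AcroRD32.exe"}]
  }
}''')

OS_TREE = "c:\\windows\\"   # files under the OS install tree are not dropper artifacts

def dropped_files(report):
    return [f for f in report["behavior"]["summary"]["files"]
            if not f.lower().startswith(OS_TREE)]

def persistence_keys(report):
    # (key, entry) pairs written under a ...\CurrentVersion\Run key
    out = []
    for key in report["behavior"]["summary"]["keys"]:
        parent, _, entry = key.rpartition("\\")
        if parent.lower().endswith("\\currentversion\\run"):
            out.append((parent, entry))
    return out

def rootcheck_rule(report, name):
    md5 = report["target"]["file"]["md5"].upper()
    files = dropped_files(report)
    names = sorted({ntpath.basename(f) for f in files})
    running = {p["process_name"] for p in report["behavior"]["processes"]}
    lines = [f"[{name}] [all] [{md5}]"]
    lines += [f"f:{f};" for f in files]
    for parent, entry in persistence_keys(report):
        # the Run value must point at one of the dropped binaries (regex, hence escaped)
        lines += [f"r:{parent} -> {entry} -> r:{re.escape(n)};" for n in names]
    lines += [f"p:r:{re.escape(n)};" for n in names if n in running]
    return "\n".join(lines)

if __name__ == "__main__":
    print(rootcheck_rule(REPORT, "Trojan Dropper"))
```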

32 Thank you!

