Leveraging Continuous View to Hunt Malware

Posted 23-Feb-2016

DESCRIPTION

Leveraging Continuous View to Hunt Malware. Why hunt for malware? Malware is another form of vulnerable software that has been introduced into your network.

TRANSCRIPT

Page 1: Leveraging Continuous View to Hunt Malware

Page 2:

Why hunt for malware?

Spectrum diagram, from traditional vulnerability management at one end to malware at the other: scanned services, unauthorized systems, patches, config, unauthorized software, malware.

Malware is another form of vulnerable software that has been introduced into your network.

Hunting modern malware is much more about enterprise vulnerability and configuration auditing than traditional anti-virus agent-based discovery.

At one end of the spectrum, finding an open port can make you fail a compliance audit. At the other end of the spectrum, you can have a fully patched system with a RAT, Trojan, botnet client, etc. on it.

Traditional Vulnerability Management

Page 3:

Architecture diagram (Tenable Continuous View):
• Advanced Analytics
• Massive App Library Updated Daily
• Dashboard and Report Designer
• Connectors for Complete Context
• Unique Sensors
• 100% Asset Discovery
• Your Network
• Unique Underlying Architecture

Page 4:

• Port Scans
• Botnet
• Malware
• System Tests

• Real-time Ports
• User Agents
• Network Logs
• DNS & Web Queries

• Netflow
• Process Logs
• Botnet
• Anomalies

Page 5:

• 2D Dashboards
• Data mining
• 3D Visualization

• Spreadsheets
• Command Line Tools

Page 6:

Topics
• Sweet Orange
• RedKit
• ComFoo RAT
• Zeus P2P
• Neutrino
• Tenable Botnet/Malware Detection Technology

Page 8:

List of IP addresses associated with Sweet Orange

URI associated with systems redirected to Sweet Orange web pages

Page 9:

Create watchlist

Page 10:

LCE has events (mostly from PVS) to these IPs

Page 11:

Example URI from blog:

Detected query with PVS: the sniffed URIs match the URI from the blog.

Page 12:

Indicators from May 2013 DHS Weekly Synopsis Product

RedKit

Page 13:
Page 14:

• Keyword search for PVS plugin 7039

• Generic SC searches for Nessus scan results

Manual search of hosted URL/URI content in any result, including port-independent PVS plugin 7039

Are we hosting RedKit content?

Page 15:

Did someone query RedKit content?
• Search LCE proxy logs
• Search PVS web logs
• Search PVS & DNS logs

Refine the search to avoid generic matches.

Search PVS logs:

Example Domain_Summary query

Page 17:

• Look for failed credentialed Nessus scans
• “ipnat” running in system logs

Page 18:

PVS will log the queries, and they are discoverable as shown below.

Page 19:

• Nessus web scan results – which ports?

• PVS web scan sniffing results – all ports!

Page 20:
Page 21:

• PVS plugin 2 – client side usage
• PVS plugin 16 – outbound client side usage

Page 22:

The detected port traffic on 1688 was BitTorrent.

Page 23:
Page 24:

<custom_item>
  type              : AUDIT_POWERSHELL
  description       : "Comfoo Masters - ServiceDLL Check"
  value_type        : POLICY_TEXT
  value_data        : "(cmmos.dll|jacpet.dll|javadb.dll|mszlobm.dll|netfram.dll|netman.dll|ntdapie.dll|ntdelu.dll|ntobm.dll|odbm.dll|senss.dll|suddec.dll|tabcteng.dll|vmmreg32.dll|wininete.dll)"
  powershell_args   : "Get-ItemProperty HKLM:\system\CurrentControlSet\Services\*\Parameters | select PSPath,ServiceDll | format-list"
  check_type        : CHECK_NOT_REGEX
  powershell_option : CAN_BE_NULL
</custom_item>

Search the registry for evidence of Comfoo: the check lists every service's ServiceDll and fails (CHECK_NOT_REGEX) if any of the known Comfoo DLL names appears.

Page 25:

<custom_item>
  type              : AUDIT_POWERSHELL
  description       : "Comfoo Masters - Find DLLs"
  value_type        : POLICY_TEXT
  value_data        : ""
  powershell_option : CAN_BE_NULL
  powershell_args   : "get-childitem -recurse c:\ -include cmmos.dll,jacpet.dll,javadb.dll,mszlobm.dll,netfram.dll,netman.dll,ntdapie.dll,ntdelu.dll,ntobm.dll,odbm.dll,senss.dll,suddec.dll,tabcteng.dll,vmmreg32.dll,wininete.dll -erroraction silentlycontinue|select directory,name|format-list"
</custom_item>

Search the file system for evidence of Comfoo.

Page 26:

• 257 domain names
• Powerful command-line search
• associative-search.sh
• Searches DNS, MD5 & SSL
• https://discussions.nessus.org/message/19698#19698
• Ran 1 hour to search all domain names across 6 months of data

Page 28:

Infected computer has BOTH UDP and TCP ports open between 10,000 and 30,000.

Page 29:

Manually finding systems with TCP and UDP ports between 10,000 and 30,000 is tricky.

Need to save a list of IPs with UDP 10,000 to 30,000 and then filter that list with a TCP filter of 10,000 to 30,000.

Filter on an asset list of IPs with UDP ports 10k to 30k for those IPs with TCP ports in the same range.
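The two-step filter described above (build the UDP 10k-30k asset list, then keep only hosts that also have TCP in the same range) as an added example in Python; this is not Tenable's code, and the port observations are constructed to stand in for a SecurityCenter port export.

```python
"""Correlate per-host open-port observations to find hosts with BOTH a UDP and
a TCP port open in the 10,000-30,000 range (the Zeus P2P pattern).
Added example, not Tenable's code; the observation records are constructed."""
import ipaddress
from collections import defaultdict

LOW, HIGH = 10000, 30000

# Constructed sample of port observations as (ip, protocol, port), the shape
# you would export from a SecurityCenter / Nessus port listing.
OBSERVATIONS = [
    ("10.0.0.5", "tcp", 80),
    ("10.0.0.5", "udp", 53),
    ("10.0.0.7", "tcp", 21337),
    ("10.0.0.7", "udp", 21337),   # both protocols in range: candidate
    ("10.0.0.9", "udp", 12000),   # UDP only: not enough on its own
    ("10.0.0.9", "tcp", 443),
    ("10.0.0.11", "tcp", 25000),
    ("10.0.0.11", "udp", 9999),   # UDP just below the range: not a candidate
    ("10.0.0.13", "tcp", 15000),
    ("10.0.0.13", "udp", 29999),  # both in range, different ports: candidate
]

def in_range(port):
    return LOW <= port <= HIGH

def ports_by_host(observations):
    """Map ip -> {"tcp": {in-range ports}, "udp": {in-range ports}}."""
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for ip, proto, port in observations:
        proto = proto.lower()
        if proto in ("tcp", "udp") and in_range(port):
            hosts[ip][proto].add(port)
    return hosts

def zeus_p2p_candidates(observations):
    """Step 1: the asset list of hosts with UDP 10k-30k.
    Step 2: keep only those that also have TCP 10k-30k. Returns sorted IPs."""
    hosts = ports_by_host(observations)
    udp_hosts = {ip for ip, p in hosts.items() if p["udp"]}
    hits = [ip for ip in udp_hosts if hosts[ip]["tcp"]]
    return sorted(hits, key=ipaddress.ip_address)

if __name__ == "__main__":
    hosts = ports_by_host(OBSERVATIONS)
    for ip in zeus_p2p_candidates(OBSERVATIONS):
        print(ip, "udp", sorted(hosts[ip]["udp"]), "tcp", sorted(hosts[ip]["tcp"]))
```

A hit here is a hunt lead, not a verdict: the slide's hashes and process checks are what confirm an infection on the candidate host.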

Page 30:

These hashes were already part of the malware cloud database; i.e., Nessus or the LCE Client would have found these.

Page 32:

Also covered at MalwareSigs: http://www.malwaresigs.com/2013/08/29/30-days-of-neutrino-domainsips/

Neutrino

Take IPs from the blog post and create a SecurityCenter watchlist named Neutrino.

Page 33:

Search for any hits in the past 30 days and then do a port summary to see port 8000 activity.

Extend the search to 50 days and see some more activity.

Page 34:

VirusTotal claimed the following DNS names were in use by Neutrino on various dates.

Page 35:

On Aug 5, we saw lots of queries for ifjtjdhcywssbhdxk.dyndns-mail.com recorded by the PVS.

This DNS name was NOT on the list from the blog for Aug 5th nor any other day, but was very close.

Differences in DNS names at VirusTotal and in “live” use can result from many things, including variants and different behaviors based on where the malware is run.
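The watchlist matching used in the Sweet Orange hunt (page 8 onward) and the Neutrino hunt above, as an added example in Python that is not Tenable's code: it matches constructed PVS-style DNS and web log lines against an IP and DNS watchlist, and also flags a "near miss" where only the parent domain of a query matches a listed name, which is how the ifjtjdhcywssbhdxk.dyndns-mail.com case would surface. The log layout, watchlist values (documentation IP ranges and placeholder names) and the two-label parent-domain rule are all assumptions.

```python
"""Match constructed PVS-style log lines against an IOC watchlist (exact IP and
DNS hits) and flag near misses on the parent domain. Added example, not
Tenable's code; watchlist entries and log lines are constructed placeholders."""
import re

# Constructed watchlist: IPs as from the Sweet Orange blog list, DNS names as
# from a VirusTotal-style Neutrino list. None of these are real indicators.
WATCHLIST_IPS = {"198.51.100.23", "203.0.113.77"}
WATCHLIST_DNS = {"aaaaaaaaa.dyndns-mail.com", "cdn.neutrino-example.test"}

# Constructed log lines in a simplified "date src dst TYPE value" layout.
LOG_LINES = """\
2013-08-05 10.0.0.5 198.51.100.23 WEB /index.php?id=12
2013-08-05 10.0.0.5 10.0.0.2 DNS ifjtjdhcywssbhdxk.dyndns-mail.com
2013-08-05 10.0.0.8 10.0.0.2 DNS mail.google.com
2013-08-06 10.0.0.9 203.0.113.77 WEB /favicon.ico
2013-08-06 10.0.0.9 10.0.0.2 DNS cdn.neutrino-example.test
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (DNS|WEB) (\S+)$")

def parent_domain(name, labels=2):
    """Crude registered-domain approximation: keep the last `labels` labels.
    Assumption: good enough for a hunt lead; not a public-suffix lookup."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def classify(line):
    """Return (verdict, src, value) with verdict in {'ip-hit', 'dns-hit',
    'dns-near-miss'}, or None when the line matches nothing on the list."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _date, src, dst, kind, value = m.groups()
    if dst in WATCHLIST_IPS:                      # Sweet Orange style: IP watchlist
        return ("ip-hit", src, dst)
    if kind == "DNS":
        name = value.lower()
        if name in WATCHLIST_DNS:                 # exact VirusTotal name
            return ("dns-hit", src, name)
        watched_parents = {parent_domain(n) for n in WATCHLIST_DNS}
        if parent_domain(name) in watched_parents:  # same parent, new label
            return ("dns-near-miss", src, name)
    return None

def hunt(lines):
    """All watchlist hits and near misses, in log order."""
    return [r for r in (classify(line) for line in lines) if r]

if __name__ == "__main__":
    for verdict, src, value in hunt(LOG_LINES):
        print(f"{verdict:14} {src:10} {value}")
```

A near miss on a shared dynamic-DNS parent is a lead to review, not a confirmed indicator, which is why the slide pairs the DNS evidence with the port 8000 activity and the watchlist hits.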

Page 36:

Tenable Botnet/Malware Detection Technology

Page 37:

Tenable Botnet/Malware Detection Technology

• Passive Web Traffic Analysis
• Malicious Process Detection
• Botnet Detection based on IP reputation

Page 38:

PVS passively logs all DNS lookups, web queries and network traffic in real-time.

This event indicates there have been nine web queries in the past 30 days which were related to known botnet activity.

Page 39:

These are the nine queries, each one to a known malicious botnet or malware related site.

Page 40:

Nessus scans identify malicious processes using a cross-industry index of known bad hashes.

Page 41:

LCE Windows agents perform malware detection on all running processes.

Page 42:

The LCE checks all IDS, login, netflow & PVS logs against a botnet reputation database.

Page 43:

Nessus checks systems for active botnet connections, settings and content.

Page 44:

Nessus also identifies systems running unique and unknown processes.

Page 45:

Each of these checks, and many others, is leveraged by real-time dashboards to identify malware.