malware response
Malware Response (Oregon Department of Education)
CISSP basics (CIA)
• The loss of any of these three is bad:
  • Confidentiality
  • Integrity
  • Availability
CAUTION: If you suspect a crime has been committed (significant data breach), contain the system and then do not do anything further.
The Problem
• Malware threatens CIA, respond accordingly
• All signature-based antivirus programs miss some malware
• Malware usually comes in bunches
• Malware is designed to resist removal (persist)
• It is very unlikely that one tool will remove all malware
• Running several tools in sequence saves the machine roughly half the time
• The other half of the time, it is faster to re-image the machine
Rule 1
• Do not overreact.
• Some malware requires immediate action, but the situation is unlikely to get worse in a few seconds.
• However, you can lose valuable evidence by overreacting.
The framework (SANS 6-steps)
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned
Vulnerability
• A weakness in a computer system that may allow unintended action or access
• Usually fixed with a patch
• “Zero-Day” means the vulnerability is known (at least to attackers) but no patch is available
• “Zero-Day Attack” means bad guys are already exploiting the zero-day vulnerability
• See Common Vulnerabilities and Exposures (CVE)
Exploit
• A piece of code or technique that takes advantage of a vulnerability (e.g. in unpatched software) to negatively affect the system
• Often shared amongst virus writers, who then wrap it up and set it free
• Can be detected heuristically and should be treated as any other malware
• Risk = see the CVE entry for the vulnerability it uses
Malware
• Sometimes people use the word “virus” generically to mean malware
• Many instances of malware combine two or more of the types listed below; what they have in common:
• Installs or runs without user’s knowledge
• Does something malicious or unwanted
• Tries to be sneaky
• Is not easy to disable or remove
• Risk=It depends…
Preparation
• Knowledge of the threat
• Know what it does
  • Spread to other systems
  • Steal data
  • Erase (or encrypt) data
  • Keystroke log
  • Download other malware
  • Mess with industrial controls!
  • Allow your machine to be covertly used by a third party
  • Serve you up unwanted ads or pop-ups
  • EVADE, RESIST, PERSIST!
• Know how to find it
• Know how to remove it
• Know how to prevent it from coming back
Worm
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• Very dangerous because it can spread from computer to computer without a human doing anything (e.g. opening an attachment or plugging in an infected flash drive), which means it can spread very quickly
• Risk=VERY HIGH
Virus
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• Dangerous because it can spread from computer to computer, but requires a human doing something (e.g. opening an attachment or plugging in an infected flash drive), which means it can be slowed by awareness
• Risk=HIGH
Trojan
• Malware that is disguised as a program you want, or is hidden inside a program you think you want (the Trojan horse of the Iliad)
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• By far the most common malware today
• Does not spread by itself
• Is downloaded or copied, usually from a website or a downloaded program (e.g. screensaver)
• Risk=HIGH
Ransomware
• Affects Availability of data
• Encrypts your data and demands a payment to decrypt (paying does not guarantee you get a working key; offline backups are the reliable way back)
• Risk=HIGH
Logic Bomb
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• A piece of malware designed to activate at a specific time or during a specific event
• Risk=HIGH
Backdoor
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• A piece of malware designed to allow covert access into a system
• Risk=HIGH
Rootkit
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• A piece of malware that gains complete control of a computer by embedding itself into the operating system (OS)
• Harder to detect and remove
• Risk=HIGH
Bootkit
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• Similar to a rootkit but loads before (or under) the OS, from the boot sector or firmware (MBR/VBR/UEFI)
• Controls the hardware before the OS and its security tools start, which makes it harder to detect and remove
• Risk=HIGH
Keylogger
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• Logs keystrokes and/or mouse clicks and sends them to a third party
• Great for stealing passwords
• Risk=HIGH
Advanced Persistent Threat (APT)
• Can affect the Confidentiality, Integrity, and/or the Availability of data
• Strictly an attacker (a well-resourced group) rather than a malware type; the malware it uses is designed to infect a computer and remain undetected for a long time (years!)
• Usually hard to detect and remove because they don’t make a lot of noise and get the attention of antivirus vendors
• Often used against high value targets
• Risk=HIGH
Botnet
• Can affect the Integrity and/or the Availability of data
• Is designed to link your computer to a bad guy’s network and put it under his control
• Usually waits for further orders from the Bot Master (Herder)
• Can be used to launch a Distributed Denial of Service (DDoS) attack against a third party, both to disguise the attack’s origin and to increase its volume
• Can “borrow” some of your computing power for whatever purpose
• Often used against high value targets
• Risk=HIGH
Remote Access Tools / Trojans (RAT)
• Software that provides remote access; called a Remote Access Trojan when it is installed covertly
• If used legitimately (e.g. by your own support staff), they are fine
• If not, they are bad
• Can be covertly used
• Risk=Low/High
Downloader
• Malware that downloads other malware
• Most likely there will be other malware on the machine soon after it is activated
• Risk=Low/High
Spyware
• Can affect the Confidentiality of data
• Acts like other types of malware but its main purpose is monitoring your activity for some nefarious purpose
• Risk=Moderate
Malicious Browser Helper Object (BHO)
• Can affect the Confidentiality or Integrity of data
• Add-on to your browser (a DLL that Internet Explorer loads at startup, like a toolbar)
• Monitors or manipulates your web browsing
• Risk=Moderate
Dialers
• Don’t see them around much anymore, since dial-up modems are gone
• Used to dial a 900 number for $$ or to dial a bad guy’s number
• Risk=Low
Adware/Riskware
• Can affect the Confidentiality or Integrity of data
• Acts like other types of malware but its main purpose is monitoring your activity and serving up relevant (or not) advertisements
• May cause other problems or risks
• Risk=Moderate
Cookies
• Can affect YOUR Confidentiality
• Small files left on your machine by websites you visit
• Sometimes read by subsequent websites you visit
• Risk=Low
Potentially Unwanted Program (PUP)
• Software that is not necessarily desirable but tries to avoid being stereotyped as “malware”
• Some antivirus programs will not remove it automatically
• May be able to be removed via Control Panel
• “Hack tools”
• Can do just about anything, but can threaten security (CIA)
• Risk=Low
Is it “malware”? Does it matter?
• Installs or runs without user’s knowledge
• Does something malicious or unwanted
• Tries to be sneaky
• Is not easy to disable or remove
• Risk=It depends…
Preparation
• Loaner machines
• Local administrator account
• Know how to boot from a CD and boot into Safe Mode
• Virus Response Toolkit
  • ESET SysInspector
  • Process Explorer
  • Emsisoft Pro EEK
  • Comodo CCE (x86 and x64)
  • HitManPro 3 (x86 and x64)
  • Symantec NPE
  • Ccleaner
  • Rescue CD
  • WWW (Microsoft Malware Protection Center (MMPC) and Virustotal.com)
Signs of Malware Infection
• AV or IPS alert
• Suspicious email
• Problems with browser
  • Slow, unstable, some websites blocked, homepage changes, pop-ups, toolbars
• Overall system slowness or instability
• Unknown programs installed
• Missing or corrupt files
Identification
• There is no surefire way to find and remove malware
• Like a bank teller spotting a counterfeit bill, the best way to spot something wrong is to be very familiar with what is right
• This is why signature-based antivirus has a surprisingly bad detection rate, especially against new or targeted malware (see AV-Comparatives.org)
• The best way is to detect changes against a known-good baseline, but Windows makes this difficult
Identification and Containment
• Open a ticket
• If the malware is spreading or spewing, unplug the network
• Document the initial symptoms or alerts
• Run SysInspector and HiJackFree and document findings
• Check timestamps on suspicious files
• Update the local antivirus and run a full scan
• Run any suspicious files through VirusTotal.com
• Check the HASH (Advanced): compute the file’s SHA-256 and search VirusTotal for the hash first; only upload the file if the hash is unknown, since an uploaded file (and any data inside it) is shared with AV vendors
• Research viruses on the Microsoft Malware Protection Center (MMPC) or other AV site
Where Malware Hides and How it Persists (Demo) – Advanced Analysis
• Run SysInspector and check:
  • Running Processes
  • Network Connections
  • Autostart Items
  • Services
  • Drivers
  • Critical Files
• Run Process Explorer and check suspicious processes with the VirusTotal plug-in
New Fancy Detection Methods – Advanced Analysis
• Why signature detection is failing
  • Wanted posters at airport checkpoints: they only catch faces already on a poster
• Heuristics
  • If it does things only a virus would do, it’s probably a virus
• Whitelisting
  • Baseline
  • Cloud-based
• Host-based Firewalls and Intrusion Prevention Systems
  • Anything out of the ordinary
  • Messing with sensitive areas
• Sandboxing
  • Defenses that actually spawn a little VM and run suspicious files
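The "detect changes" and "baseline" ideas above (and the SysInspector checklist of processes, network connections, autostart items and services) can be automated. The following is an added example, not code from the original slides or from SysInspector or Process Explorer: it compares an inventory taken from a known-good machine with one taken during triage, reports what is new, gone or altered, and flags entries that run from user-writable directories or borrow a system binary's name. Both inventories are constructed sample data, and every path, registry key and port in them is an assumption made for illustration.

```python
"""Baseline change detection for autostart items, services and listening ports.

Added example, not from the original slides or any tool they name. The two
inventories below are constructed sample data (all paths, keys and ports are
assumptions); a real run would fill them from SysInspector/autoruns output.
"""
from collections import defaultdict


def run_key(hive, name):
    """Full registry path of a Run-key value (hive is HKLM or HKCU)."""
    return "%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\%s" % (hive, name)


# Constructed baseline inventory: the machine right after imaging (known-good).
BASELINE = {
    "autostart": {
        run_key("HKLM", "SecurityHealth"): r"C:\Windows\System32\SecurityHealthSystray.exe",
        run_key("HKCU", "OneDrive"): r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
    "services": {
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
        "wuauserv": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
    "listening": {"445/tcp": "System", "3389/tcp": "svchost.exe"},
}

# Constructed triage inventory: same machine with a simulated infection
# (a Run-key dropper in AppData, a hijacked service path, a new listening port).
CURRENT = {
    "autostart": {
        run_key("HKLM", "SecurityHealth"): r"C:\Windows\System32\SecurityHealthSystray.exe",
        run_key("HKCU", "OneDrive"): r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        run_key("HKCU", "WindowsUpdate"): r"C:\Users\alice\AppData\Roaming\svchost.exe",
    },
    "services": {
        "Spooler": r"C:\Users\alice\AppData\Local\Temp\spoolsv.exe",
        "wuauserv": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
    "listening": {"445/tcp": "System", "3389/tcp": "svchost.exe", "4444/tcp": "svchost.exe"},
}

# Categories whose values are executable paths; the path heuristics apply only to these.
PATH_CATEGORIES = {"autostart", "services"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}


def suspicious_path(command):
    """Return the reasons an executable path looks wrong (empty list if none)."""
    p = command.lower()
    exe = p.split("\\")[-1].split(" ")[0]  # basename without service arguments
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    if exe in SYSTEM_BINARIES and "\\windows\\system32\\" not in p:
        reasons.append("system binary name outside System32")
    return reasons


def diff_inventory(baseline, current):
    """Compare two inventories; return {category: [(change, key, value, reasons), ...]}."""
    findings = defaultdict(list)
    for category in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(category, {}), current.get(category, {})
        check = suspicious_path if category in PATH_CATEGORIES else (lambda _value: [])
        for key in sorted(cur.keys() - base.keys()):
            findings[category].append(("added", key, cur[key], check(cur[key])))
        for key in sorted(base.keys() - cur.keys()):
            findings[category].append(("removed", key, base[key], []))
        for key in sorted(base.keys() & cur.keys()):
            if base[key] != cur[key]:
                findings[category].append(("changed", key, cur[key], check(cur[key])))
    return dict(findings)


def format_findings(findings):
    """Render findings as ticket-ready lines, one per change."""
    lines = []
    for category, entries in findings.items():
        for change, key, value, reasons in entries:
            flag = "  <-- " + "; ".join(reasons) if reasons else ""
            lines.append("[%s] %s %s = %s%s" % (category, change, key, value, flag))
    return lines


if __name__ == "__main__":
    for line in format_findings(diff_inventory(BASELINE, CURRENT)):
        print(line)
```

The baseline has to come from the same image the machine was built from, taken before it was handed to a user; a "baseline" captured from an already-infected machine just whitelists the infection. The path heuristics are a small stand-in for the "anything out of the ordinary" rules a host IPS applies, and they are meant to prioritise what to hash and look up, not to decide on their own.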
Using Timestamps to Identify Malicious Changes (Demo) – Advanced Analysis
• Yes, hackers can change timestamps (“timestomping”); on NTFS the timestamps normal tools show come from the $STANDARD_INFORMATION attribute and are easy to alter, while the $FILE_NAME copies in the MFT are not exposed through the usual APIs and are worth comparing against
• Understand the timestamp attributes: MAC = Modified, Accessed, Created
• Understand that running a full scan (or doing anything) will change timestamps, in particular last-access times, so record them before you scan
• Search for files by date range
• Sort by time/date
• Examine suspicious files
• If malware files are found, identify all files with similar timestamps
• Non-executable files may contain stolen data
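The timestamp steps above (search by date range, sort, find the files with similar timestamps, then hash them for a VirusTotal hash lookup) as an added example, not code from the original slides or any tool they name. It scans a tree for files whose modification time falls in a window, groups files written within a short gap of each other (a dropper, its payload and any staged data usually land within seconds), and computes SHA-256 hashes for the candidates. The directory tree is constructed in a temporary folder with hand-set modification times so it runs offline; the file names, contents and the "infection" time are assumptions. Only the modification time is used, because a full AV scan or a file copy will already have disturbed access times.

```python
"""Timestamp triage: files changed in a window, clustered by time, hashed.

Added example, not from the original slides or any tool they name. The sample
tree built by build_sample_tree() is constructed data; names, contents and
SAMPLE_TIME are assumptions made for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed "infection" time and the triage window around it (assumptions).
SAMPLE_TIME = datetime(2024, 3, 5, 14, 0, 0, tzinfo=timezone.utc)
WINDOW_START = SAMPLE_TIME - timedelta(days=1)
WINDOW_END = SAMPLE_TIME + timedelta(days=1)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def files_in_window(root, start, end):
    """(mtime, path) for every file under root modified within [start, end], oldest first."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            if start <= mtime <= end:
                hits.append((mtime, path))
    return sorted(hits)


def cluster_by_time(hits, gap=timedelta(minutes=2)):
    """Group sorted (mtime, path) pairs: a file joins the current group if it was
    written within `gap` of the previous file, otherwise it starts a new group."""
    clusters = []
    for mtime, path in hits:
        if clusters and mtime - clusters[-1][-1][0] <= gap:
            clusters[-1].append((mtime, path))
        else:
            clusters.append([(mtime, path)])
    return clusters


def triage(root, start, end, gap=timedelta(minutes=2)):
    """Clusters of (iso mtime, relative path, sha256) for files changed in the window."""
    return [
        [(m.isoformat(timespec="seconds"), os.path.relpath(p, root), sha256_file(p)) for m, p in group]
        for group in cluster_by_time(files_in_window(root, start, end), gap)
    ]


def build_sample_tree(base_time):
    """Constructed tree in a temp folder; mtimes are set by hand to simulate a dropper,
    a staged data file and a payload written within seconds of each other."""
    root = tempfile.mkdtemp(prefix="triage_")
    layout = [
        ("Windows/System32/notepad.exe", b"MZ legit", base_time - timedelta(days=30)),
        ("Users/alice/Documents/budget.xlsx", b"PK real doc", base_time - timedelta(days=2)),
        ("Users/alice/AppData/Roaming/svchost.exe", b"MZ dropper", base_time),
        ("Users/alice/AppData/Roaming/cache.dat", b"alice:Hunter2", base_time + timedelta(seconds=40)),
        ("ProgramData/update.dll", b"MZ payload", base_time + timedelta(seconds=75)),
        ("Users/alice/Documents/notes.txt", b"shopping list", base_time + timedelta(hours=5)),
    ]
    for rel, data, mtime in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    return root


def run_demo():
    """Build the sample tree, triage it and clean up; returns the clusters found."""
    root = build_sample_tree(SAMPLE_TIME)
    try:
        return triage(root, WINDOW_START, WINDOW_END)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for n, group in enumerate(run_demo(), 1):
        print("cluster %d (%d files)" % (n, len(group)))
        for when, rel, digest in group:
            print("  %s  %s  %s" % (when, digest[:16], rel))
```

On the sample tree the dropper, the staged credential file and the payload fall into one cluster and the unrelated document five hours later into another; the non-executable cache.dat in the first cluster is exactly the "stolen data" case the slide warns about. Run it against a real machine from a clean boot medium, widen the window if the first alert was late, and treat the output as a list of files to hash-check, not as proof of infection: a timestomped file will not appear in the window at all.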
Cleaning (DEMO)
• Safe mode?
• Run Emsisoft Pro EEK
• Run Comodo CCE
• Run HitManPro 3
• Run Symantec NPE
• Install and run Ccleaner
• Boot and scan from a LiveCD
• Static Analysis (Advanced Concept)
• System Restore?
Recovery
• If the machine is “clean”, return it to service, but monitor it for a few days.
• Patch the OS and all applications to prevent re-infection.
• If the machine cannot be cleaned successfully, or is re-infected, re-image it after helping the customer recover needed files.
• Do not allow a persistently infected or vulnerable machine back into service.
• Advise the customer to change all passwords used on that PC (from a different, clean machine).
Lessons learned
• Attempt to determine the source of infection
• Share information with other technicians
• Document all your findings
• Close the ticket (with pertinent information) after monitoring to ensure the system is clean
Malware Response Workflow
• Service desk receives notification or report of malware
• Service desk opens a tracker ticket
• Identify the risk and contain if necessary
• Document the details
• Run tools and scans to identify and clean the malware
• Keep a close eye on the machine over the next few days for recurrence of any symptoms
• Have customer change passwords
• Patch system
• Share info (in tracker or in person)
• Close the ticket
Checklist
• Prepare and update your USB kit
• Ticket (document the alert info)
• Disconnect if needed
• Loaner PC (if needed)
• SysInspector
• Process Explorer
• HiJackFree
• Update and run local AV
• Timestamps
• Emsisoft EEK
• Comodo CCE
• HitManPro
• Symantec NPE
• MalwareBytes ARK
• CCleaner
• LiveCD scan
• Research malware
• See if you can find the source
• Return to service or re-image
• Monitor further if needed
• Have customer change passwords
• Document all findings