
Instant Situational Awareness: Finding Malware like a HoneyBadger


Presentation Transcript


  1. Instant Situational Awareness: Finding Malware like a HoneyBadger
  John ‘JB’ Bisaillon, CISSP, Digital Scepter Corporation

  2. Agenda
  • Malware capabilities and uses
  • Malware behavior
  • Evidence of malware infection
  • Rootkits – special methods needed
  • Introducing a new tool that can find evidence of malware on your network in 15 seconds
  And plenty of demos…

  3. About the Presenter
  • John ‘JB’ Bisaillon, CISSP
  • Sales Engineer for Digital Scepter
  • Previously:
    • Sr. Information Assurance Engineer for a DoD contractor
    • Nationwide technical trainer of penetration testing and ‘ethical hacking’ courses

  4. About Digital Scepter
  • Boutique Security-Focused Systems Integrator and Value-Added Reseller
  • http://digitalscepter.com

  5. What is a HoneyBadger?
  • “The world’s most fearless creature” according to the Guinness Book of World Records
  • Going up against a nest of bees or a king cobra: “I don’t care” attitude

  6. Malware Distribution Methods
  • E-mail attachments and links
  • Web downloads of freeware software
  • Browser and e-mail software bugs (‘drive-by downloads’)
  • Physical access / storage media (CDs, USB drives)
  • Peer-to-peer file sharing
  • Network shares
  • IM / IRC chat rooms
  • Usenet newsgroups

  7. Malware Capabilities
  • Remote access / backdoors
  • Password stealing and exfiltration
  • Keyloggers
  • Surveillance
  • Destruction of data
  • Denial of service
  • Spamming
  • Security software detection and termination

  8. Ultimate Purposes of Malware
  • Industrial espionage / intellectual property theft
  • Nation-state cyber warfare
  • Monetary gain
  • Hacktivism
  • Just for fun? – not so important nowadays

  9. Finding Malware
  • You first need to know what it does in order to look for evidence of it.
  • But how do you know what a piece of malware does?
  • You could execute it yourself in a sandboxed environment and monitor:
    • New network connections
    • New processes
    • Registry changes
    • File system changes
    • Etc…

  10. Sample Zero-Day Malware Analysis
  • WildFire feature found on Palo Alto Networks firewalls (sandbox execution of unknown files, reporting the behaviors listed on the previous slide)

  11. Sample Palo Alto Networks WildFire Report

  12. Common Behaviors We Can Look For
  • AutoStart methods
  • New listening ports
  • New services
  • Weakened OS or web browser security
  • New executable or DLL files in the Windows System directory

  13. AutoStart Methods
  Modifications to any of these can let malware keep running after a reboot:
  • System files (autoexec.bat, system.ini, win.ini, etc.)
  • Registry keys (the Run keys under HKLM and HKCU are the most common)
  • Startup folder

  14. BackDoor: SubSeven
  SubSeven is a backdoor program that gives an attacker full access to a Windows system over a network connection. The attacker can delete and modify files, kill running processes, start new processes, capture keystrokes, and even capture images of the remote system’s desktop.

  15. Advanced Trojans: Process Injection
  • Some trojans, such as Back Orifice and Beast, inject a DLL into another running process
  • The result is that the trojan is harder to detect, because no separate process for it shows up in Task Manager; the malicious code runs inside a process that is expected to be there
  • Countermeasures:
    • Use a hidden process viewer like Inzider
    • Prevent injection using Process Guard

  16. Advanced Trojans: Beast
  • Beast is a powerful trojan incorporating DLL injection
  • It has built-in anti-virus killing features
  • The client, server, and server editor are contained in one file

  17. Port Monitoring Software
  • To quickly reveal which connections are established, as well as any listening ports, use the built-in netstat command (on Windows XP and later, netstat -ano also shows the owning process ID)
  • When a suspicious port is found, use one of the following tools to map the open port to the owning executable and process name or ID:
    • Port Explorer
    • Fport
    • TCPView
  (Screenshot: Beast trojan running on port 6666)

  18. Process Monitoring Software
  • Listing running processes with their associated DLLs and attributes can help identify malicious software.
  • Become familiar with the standard Windows processes so that suspicious processes stand out.
  • Beware that malware often uses the same name as an existing Windows process; check the image path and the parent process, not just the name.
  Process monitoring software:
  • Process Viewer
  • Process Monitor
  • Process Explorer
  • Task Manager

  19. RootKits
  The primary purpose of a rootkit is to give an attacker repeated, unregulated and undetected access to a compromised system. Rootkits are used by an attacker to:
  • Hide backdoor processes
  • Elevate process privileges
  • Hide files
  • Hide registry entries
  • Disable auditing and edit event logs
  • Redirect executable files
  • Hide device drivers
  • Hide user accounts

  20. Windows XP Rootkit
  • Hides processes, files, registry entries, and network sockets
  • Once a rootkit is in place, the netstat and process listings from the previous slides can no longer be trusted on the infected host; compare the host’s own view with one taken from outside it (a network scan, a boot from clean media) to spot what is being hidden

  21. Search for Evidence Everywhere, Instantly
  • What if you could search for evidence not on a single machine, but on thousands of machines at the same time?

  22. Run Scripts to Find Evidence using Tanium

  23. Suspicious AutoRun Registry Entries
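As an added example (not the presenter's code and not a Tanium script), the following Python triages Run-key autostart entries the way slides 13 and 23 describe: it parses a constructed dump in the shape of `reg query <key> /s` output, pulls the launched image out of each value, and flags entries that go through a script host or LOLBin, reference a user-writable location, or reuse a Windows system binary name outside the Windows directory. The sample dump, the heuristic lists and the value names are assumptions for illustration.

```python
import re

# Constructed sample in the shape of `reg query <key> /s` output (not real host data).
# The Run keys are the registry autostart locations called out on slide 13.
SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    RtkAudio          REG_SZ           "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
    svchost           REG_SZ           C:\Users\jb\AppData\Roaming\svchost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\jb\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater           REG_SZ           wscript.exe //B C:\Users\jb\AppData\Local\Temp\upd.vbs
    Loader            REG_SZ           rundll32.exe C:\ProgramData\x1\a.dll,Start
"""

# One value line: <name> <REG_type> <data>
REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

# Heuristic lists (assumed for this example; tune them to your environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                "regsvr32.exe", "powershell.exe", "cmd.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "smss.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\programdata\\", "\\users\\public\\", "\\temp\\")
WINDOWS_DIRS = ("%windir%\\", "%systemroot%\\", "c:\\windows\\")


def parse_reg_dump(text):
    """Yield {key, name, type, data} for each value under each key header."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_LINE.match(line)
        if m and key:
            yield {"key": key, "name": m.group(1), "type": m.group(2), "data": m.group(3)}


def command_image(data):
    """Return the (lowercased) executable a Run value launches: the quoted
    path if present, otherwise the first whitespace-delimited token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        image = data[1:end] if end > 0 else data[1:]
    else:
        image = data.split()[0] if data else ""
    return image.lower()


def flag_entry(entry):
    """Return the reasons an autostart entry looks suspicious (empty list if none)."""
    data = entry["data"].lower()
    image = command_image(entry["data"])
    base = image.rsplit("\\", 1)[-1]
    reasons = []
    if base in SCRIPT_HOSTS:
        reasons.append(f"launches via script host / LOLBin {base}")
    if any(loc in data for loc in USER_WRITABLE):
        reasons.append("references a user-writable location")
    if base in SYSTEM_NAMES and not image.startswith(WINDOWS_DIRS):
        reasons.append(f"system binary name {base} outside the Windows directory")
    return reasons


def triage_autoruns(text):
    """Map value name -> reasons for every flagged entry in a reg dump."""
    return {e["name"]: flag_entry(e) for e in parse_reg_dump(text) if flag_entry(e)}


if __name__ == "__main__":
    for name, reasons in triage_autoruns(SAMPLE_REG_DUMP).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Note the OneDrive entry: it lives under AppData\Local yet is not flagged, because the writable-location list deliberately names only Roaming, Temp, ProgramData and Public. A bare "anything under AppData" rule would drown the svchost-in-Roaming hit in false positives on a real fleet.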

  24. Suspicious Network Connections
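As an added example for slides 17 and 24 (not the presenter's code and not a Tanium script), the following Python parses constructed `netstat -ano` output, joins each socket to its owning process through a constructed PID-to-image map of the kind `tasklist` gives you, and flags the known trojan default ports (Beast on 6666 from slide 17; SubSeven on 27374 and Back Orifice on 31337 are their well-known defaults), listeners outside an assumed host baseline, and established sessions to non-web ports. The sample output, the baseline and the PID map are assumptions.

```python
# Constructed sample in the shape of `netstat -ano` output on Windows (not real host data).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       3412
  TCP    10.0.0.12:49712        40.97.153.146:443      ESTABLISHED     5120
  TCP    10.0.0.12:49820        203.0.113.77:8080      ESTABLISHED     3412
  TCP    10.0.0.12:49833        203.0.113.9:31337      ESTABLISHED     2208
  UDP    0.0.0.0:5353           *:*                                    1604
"""

# Constructed PID -> image map, as `tasklist` would report it (assumption).
PID_TO_IMAGE = {4: "System", 880: "svchost.exe", 3412: "svchost.exe",
                5120: "chrome.exe", 2208: "notepad.exe", 1604: "svchost.exe"}

# Default ports of the trojans discussed in the talk.
TROJAN_PORTS = {6666: "Beast", 27374: "SubSeven", 31337: "Back Orifice"}
# Ports this (assumed) workstation baseline is expected to listen on.
BASELINE_LISTEN = {135, 139, 445, 3389}
WEB_PORTS = {80, 443}


def _port(endpoint):
    """'10.0.0.12:49712' -> 49712; '[::]:135' -> 135; '*:*' -> None."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Yield one dict per TCP/UDP line of `netstat -ano` output."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:                      # UDP lines carry no State column
            state, pid = "", int(fields[3])
        yield {"proto": proto, "local": local, "remote": remote, "state": state,
               "pid": pid, "lport": _port(local), "rport": _port(remote)}


def triage_netstat(text, pid_to_image):
    """Return findings (pid, image, endpoints, reasons) for sockets matching any heuristic."""
    findings = []
    for c in parse_netstat(text):
        reasons = []
        if c["lport"] in TROJAN_PORTS:
            reasons.append(f"local port {c['lport']} is the default {TROJAN_PORTS[c['lport']]} port")
        if c["rport"] in TROJAN_PORTS:
            reasons.append(f"remote port {c['rport']} is the default {TROJAN_PORTS[c['rport']]} port")
        if c["state"] == "LISTENING" and c["lport"] not in BASELINE_LISTEN:
            reasons.append(f"listener on {c['lport']} outside the host baseline")
        if c["state"] == "ESTABLISHED" and c["rport"] not in WEB_PORTS:
            reasons.append(f"outbound session to non-web port {c['rport']}")
        if reasons:
            findings.append({"pid": c["pid"], "image": pid_to_image.get(c["pid"], "?"),
                             "local": c["local"], "remote": c["remote"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_netstat(NETSTAT_SAMPLE, PID_TO_IMAGE):
        print(f"PID {f['pid']} ({f['image']}) {f['local']} -> {f['remote']}: {'; '.join(f['reasons'])}")
```

The joined view is what matters: port 6666 alone is only a hint, but a listener on 6666 plus an outbound session to port 8080 both owned by a PID that calls itself svchost.exe is the pattern the talk is pointing at. Everything here comes from the host's own TCP/IP stack, so a rootkit that hides sockets (slide 20) hides them from this script as well; corroborate with a port scan or firewall logs taken from outside the host.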

  25. Suspicious Processes
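As an added example for slides 18 and 25 (not the presenter's code and not a Tanium script), the following Python applies the "know the standard Windows processes" advice to a constructed process listing of the kind Process Explorer shows: for core Windows process names it checks the image directory and the parent process, and for everything else it looks for names one edit away from a core name (svch0st.exe, scvhost.exe). The listing, the expected-directory table and the parent rules (Vista-and-later process tree) are assumptions for illustration.

```python
# Constructed process listing (pid, parent pid, image name, image path) of the kind
# Process Explorer or `wmic process get ProcessId,ParentProcessId,Name,ExecutablePath`
# shows. Not real host data.
PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": ""},
    {"pid": 420,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe"},
    {"pid": 560,  "ppid": 420,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 640,  "ppid": 560,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 652,  "ppid": 560,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 880,  "ppid": 640,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1720, "ppid": 1300, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 3412, "ppid": 1720, "name": "svchost.exe",  "path": r"C:\Users\jb\AppData\Roaming\svchost.exe"},
    {"pid": 3550, "ppid": 1720, "name": "svch0st.exe",  "path": r"C:\Users\jb\AppData\Local\Temp\svch0st.exe"},
    {"pid": 5120, "ppid": 1720, "name": "chrome.exe",   "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

# Expected image directory and (where stable) parent for core Windows processes.
# Vista-and-later tree; an assumption for this example, not something from the slides.
KNOWN = {
    "smss.exe":     ("c:\\windows\\system32\\", None),
    "wininit.exe":  ("c:\\windows\\system32\\", None),
    "services.exe": ("c:\\windows\\system32\\", "wininit.exe"),
    "lsass.exe":    ("c:\\windows\\system32\\", "wininit.exe"),
    "svchost.exe":  ("c:\\windows\\system32\\", "services.exe"),
    "explorer.exe": ("c:\\windows\\", None),
}


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: one substitution,
    insertion, deletion or adjacent swap each count as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[-1][-1]


def triage_processes(procs):
    """Return findings (pid, name, reasons) for processes that fail the name/path/parent checks."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name, path, reasons = p["name"].lower(), p["path"].lower(), []
        if name in KNOWN:
            exp_dir, exp_parent = KNOWN[name]
            actual_dir = path.rsplit("\\", 1)[0] + "\\" if "\\" in path else ""
            if actual_dir != exp_dir:
                reasons.append(f"{name} running from {p['path'] or '<no path>'}, expected {exp_dir}")
            parent = by_pid.get(p["ppid"], {}).get("name", "<none>").lower()
            if exp_parent and parent != exp_parent:
                reasons.append(f"parent is {parent}, expected {exp_parent}")
        else:
            for known in KNOWN:
                if osa_distance(name, known) == 1:
                    reasons.append(f"name looks like {known} (1 edit away)")
                    break
        if reasons:
            findings.append({"pid": p["pid"], "name": p["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_processes(PROCESSES):
        print(f"PID {f['pid']} {f['name']}: {'; '.join(f['reasons'])}")
```

The legitimate svchost.exe (PID 880) passes both checks and the one in Roaming fails both, which is why the slide says not to stop at the name. The same caveat as for netstat applies to rootkits (slides 19 and 20): a process hidden from the enumeration API never reaches this loop, so a second, independent enumeration (a kernel-level tool or an offline memory image) is needed to catch what the list is missing.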
