Live Malware Analysis for the Incident Responder

Military Strategists agree… A Successful defense begins with good intelligence about the enemies tactics and techniques

Agenda Resources for lab exercises The Problem: Cybercrime is rampant Live Analysis should be part of Incident Response Goals of Live Analysis Live Analysis Methodology Tools and Techniques Case Study & Lab Exercises Zero Day - Readme.pdf – received 3/26/2009 Resources for lab exercises

Speakers Rich Cummings CTO at HBGary 2007 - 2009 Director Security Engineering, Guidance Software 2002-2007 Principal Consultant, Network Associates 1997 - 2000 Incident Response, Computer Investigations Penetration Testing

Why Bring Malware Analysis In-House? Goes beyond anti-virus applications… Detection and remediation based on signatures for malware is so 1990’s…. Answer the following questions: What happened? What is being stolen? How did it happen? How do we clean it up? When did the infection occur? Possibly Who is behind it?

The Problem

# of New Malware Every Day!

Top 3 AV companies don’t detect 80% of new malware Anti-virus Shortcomings Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their…computers safe and secure. Source: “Anti-Virus Firms Scrambling to Keep Up ”, The Washington Post, March 19, 2008 8

Cybercrime Market Currently larger than global drug trade $350 Billion per year Some malware authors make 6 figure income every month*! *http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html

How Did We Get Here?

Cybercrime Evolution Cybercrime Authors have evolved over the last 30 years Continued improvement and innovation Capitalistic Shadow Economy - Competition Malware Authors Professional Software Development Lifecycle model Professional Quality Assurance Product doesn’t ship until code is undetected by latest Antivirus products

Antivirus has not evolved Antivirus Engines have not evolved much over the last 30 years Signature based, re-active & pro-active Incidents growing in frequency and sophistication Heuristics has failed – Why fix it, were making money! The Antivirus business model provides an annual revenue stream – why change it?

It’s not a matter of if but when you will be compromised

Why Live Analysis Vs Static Analysis

Static Analysis is tough… Many challenges to deal with: Packing Obfuscation Encryption Polymorphic engines Requires more skilled analyst Must read assembly language Takes a long time…

Static Analysis is tough… Add more

Live Analysis is Easier We Run the Malware We log activities while malware executes Live analysis often removes the need for unpacking and removing the obfuscation layers Add more

Live Analysis is Easier Add more

Goals of Live Malware Analysis

Basic Goals of Malware Analysis Identify the following: Is it malware/crimeware? How does it install itself? Does it use Self Defense? What are the information security implications? How does it communicate? How does it steal stuff? What does it steal? How do I clean it up ASAP?

Goals for Corp Security Analyst Identify how it got in so we can quickly clean it up… Is it malware/crimeware? How does it install itself? Does it use Self Defense? What are the information security implications? How does it communicate? How does it steal stuff? What does it steal? How do I clean it up ASAP?

Goals for Law Enforcement Identify Is it malware/crimeware? How does it install itself? Does it use Self Defense? What are the information security implications? How does it communicate? How does it steal stuff? What does it steal?

Goals for Govt Org’s Identify Is it written by kids or professionals Who is behind the attack Foreign govt’s Kids? How does it install itself? How do I clean it up? What is the attack vector? Does it use Self Defense? How does it communicate? What and How does it steal my information?

Goals of Malware Analysis Rapidly determine Is it malicious or not? Does it warrant deeper investigation? Identify specific behaviors of the malware We broadly group the behaviors into six categories we call Attribution Factors Malware Analysis Factors

Malware Analysis & Attribution Factors Installation and Deployment Communication Information Security Self Defense Command and Control Development

Installation and Deployment Factors Does it use the registry? Does it drop any files? Does it attempt to infect other machines on the network? Does it sleep and awaken later?

Communication Factors Where does it connect to on the Internet? Drop point IP addresses or DNS names Does it allow incoming connections? Does it use encryption? Does it use stego?

Information Security Factors Identifies the risks associated with the binary What does it steal? Does it sniff keystrokes? Can it destroy data? Can it alter or inject data? Does it download additional tools?

Self Defense Factors Does it have self-defense? Does it use stealth? Does it bypass parts of the operating system? Does it bypass virus scanners?

Command and Control Factors How is the malware controlled by its master? Do commands come from a cutout site? What commands does it support? Sniffing, logging, file system? Attack? Poison Pill - Self-destruct? Self-uninstall / silent modes?

Development Factors In what country was the malware created? Was it professionally developed? Are there multiple versions? Is there a platform involved? Is the a toolkit involved? Are there multiple parts developed by different groups or developers?

Malware Analysis Tools

Crimeware Analysis Questions How does it communicate with? With Whom? Does it steal my information? If so What? How does it survive a reboot? Who created it? What does it do to my networks and how do I clean it up?

Live Demonstration readme.pdf

Our Lab Setup VMware Workstation & ESX Server HBGary Flypaper (free download hbgary.com) Wireshark - free Netwitness – Investigator SysInternals - Free Responder Professional with Digital DNA (evaluation version available on our web site good for 15 days)

Self Defense Techniques Encryption Polymorphic engines Metamorphic engines Packing Themida, VMProtect, UPX, Aspack and 100’s more Rootkit techniques

Anti-Debugging Techniques Ways for a program to detect if it is being run under the control of a debugger Used to prevent or slow the process of reverse-engineering Commercial executable protectors Packers Malicious software

Static Binary Analysis Target malware is not running Disassemble the binary (.EXE, .SYS, .DLL) Strings: human-readable Symbols: imported functions N.B.: Winsock driver é network capabilities Functions and subroutines Malware countermeasures Packers Encrypters

Tools for Malware Analysis Sysinternals: filemon, regmon, tdimon, etc. Winbat IDA Pro: Interactive disassembler Ollydbg WinDbg SoftICE: kernel debugger PEiD: identifies over 470 executable signatures/packers PE Explorer InCtrl5 DeDe: Delphi executable reverser REC: reverse engineering compiler Programmer’s file editor HBGary Responder™

Who are Incident Responders? Corporate Security Analysts Corporate Security Officers Corporate Legal Council & HR Federal, Local Law Enforcement Computer Forensic Investigators Home PC user…..

Malware Analysis = Reverse Engineering Static Analysis Dead Listing IDA Pro Difficult – You must understand Assembly Language Dynamic Analysis Live Runtime

Today’s Cybercrime Problem There is a lot worth stealing Information is 100% digital and exposed Identities are digital Attackers are motivated and well-funded Funded Criminal and State-sponsored Malware is sophisticated and targeted Existing security isn’t stopping the attacks

Anti-virus Shortcomings Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their…computers safe and secure. Source: “Anti-Virus Firms Scrambling to Keep Up ”, The Washington Post, March 19, 2008 43

Malware Analysis Tools (freeware) Ollydbg Sysinternals (now microsoft) Procmon, filemon, regmon, tdimon, etc Inctrl-5

Additional Resources for malware analysis Ollydbg Sysinternals (now microsoft) Procmon, filemon, regmon, tdimon, etc Inctrl-5

Any Questions? Thank you for your time. HBGary

HBGary Core Technology

Physical Memory Forensics Core Technology Digital DNA (Behavioral Analysis) Engineering Reverse Code Physical Memory Forensics

Offline Physical Memory Analysis The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations This is The Advantage! Rebuilds underlying undocumented data structures Rebuilds running state of machine “exposes all objects ” Malware cannot hide itself actively

The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Direct Kernel Object Manipulation Detection Hook Detection IDT/SSDT/Driver Chains These tricks expose themselves by interacting with OS Crossview Based Analysis

The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Code is Disassembled Integration with Flypaper & RECon Code is extracted from RAM Code Visualization

The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations ALL Memory is Scanned A Threat Score is provided for all code Code Behavior Identification White & Black List Code /Behaviors

The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Reports can be sent to Enterprise Console Behavioral Analysis Scan and others Custom Reports in XML, RTF, PDF, other Alert on Suspicious Behaviors and coding tricks

Advantages of our approach Forensic Quality Approach Analysis is 100% offline Like Crash Dump Analysis – No Code Running! Automated Reverse Engineering Engine Digital DNA™ detects zero-day threats 5+ years of reverse engineering technology AUTOMATED! No Reverse Engineering expertise required

Memory Forensics and Incident Response Products

Stand Alone Products 1 Analyst : 1 Machine Responder Professional Comprehensive physical memory and malware investigation platform Host Intrusion Detection & Incident Response Live Windows Forensics Automated Malware Analysis Computer incident responders, malware analysts, security assessments Digital DNA Responder Field Edition Comprehensive Memory Investigation platform. Geared towards Law Enforcement and computer forensic investigators Basic Malware Analysis

HBGary Enterprise Malware Detection

Enterprise Products 1 Analyst : N machines Enterprise Digital DNA – McAfee EPO Solution Enterprise Malware/Rootkit Detection & Reporting Distributed Physical Memory Analysis with Digital DNA Rapid Response Policy Lockdown Enterprise Responder – Guidance Software Encase Enterprise Solution Suspicious & Malicious Code Detection

Client Testimonials

Client Testimonial 1 of the Largest Pharmaceutical Co’s Under attack every day Uses Enterprise Anti Virus Sends malware to vendor Waits for signature 1-8 hours - Uses Responder Pro – Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data

Client Testimonial 2 1 of the largest Entertainment Co’s Under attack every day & Uses Enterprise Anti Virus When a machine is compromised, they perform various levels of remediation with their antivirus vendor signatures. Once the machine is determined clean by the AntiVirus software, they use our technology to verify the machine is no longer infected… Findings: about 50% of machines are still infected…

Conclusion Improve Enterprise Security Posture With Memory Forensics & Malware Analysis Memory Forensics can detect malicious code that nothing else can… Memory Forensics is not only for Incident Response Memory Forensics can be used during Security Assessments too Malware Analysis should be brought in house Malware Analysis can help you… minimize costs and impact. identify the “Scope of Breach” mitigate the threat before you have a anti-virus signature

Questions? Thank you very much sales@hbgary.com