Detect Malware No One Else Can… Rapidly Identify its Capabilities, Mitigate the Threat with Actionable Risk Intelligence.

Presentation transcript:

Detect Malware No One Else Can… Rapidly Identify its Capabilities, Mitigate the Threat with Actionable Risk Intelligence

HBGary Background
- Founded in 2003; government R&D and services
- 2007: became a commercial product company
- Solutions: Enterprise Host Intrusion Detection; Live Windows Memory Forensics & Incident Response; Malicious Code Detection; Automated Reverse Engineering
- R&D funding (Air Force Research Labs; Dept Homeland Security (HSARPA)): Next Generation Software Reverse Engineering Tools; Kernel Virtual Machine Host Analyzer; Virtual Machine Debugger; Botnet Detection and Mitigation; H/W Assisted System Security Monitor; subcontractor to AFCO Systems Development

What is Digital DNA?
Digital DNA is:
- A software and malware classification system for Microsoft Windows platforms
- A programming language with logic used to create rules for identifying malware and the Advanced Persistent Threat (APT)
- A system that identifies all executable code in RAM and presents its behaviors and characteristics, so analysts can quickly determine whether a machine has unauthorized or unwanted executable code running on Windows workstations and servers

Design Goals of Digital DNA
- Rapidly identify unknown malicious code: zero-day (new) malware and known malware mutations
- Identify programming techniques for specific factors
- Identify program behaviors
- Help remove 99% of the “noise” and focus on the “signal”

Goals of Digital DNA
- Rapidly determine: Is it malicious? Does it warrant deeper investigation?
- Identify the behavioral traits of the malware: there are hundreds of traits, which can be broadly grouped into six behavioral categories (“malware analysis factors”)

HBGary DDNA Technology
- Digital DNA (behavioral analysis)
- Code reverse engineering
- Physical memory forensics
Goal: gain the lowest level of diagnostic visibility in order to detect malware and malicious behaviors. To reach that goal we combined the latest advances in memory forensics and reverse engineering technology; the result was Digital DNA.

Ranking Software Modules by Threat Severity
Slide diagram: software behavioral traits are sequenced into a Digital DNA string, and software modules are ranked by threat severity. Example sequence shown on the slide: 0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21 8A C2 0F 51 0F 64

What’s in a Trait?
Example trait shown on the slide: 04 0F 51  B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
- Unique hash code
- Weight / control flags
- The rule is specified like a regular expression: it matches against automatically reverse-engineered details and contains Boolean logic
- These rules are considered intellectual property and are not shown to the user
- The trait, its description, and the underlying rule are held in a database
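The trait rule above is proprietary and only sketched on the slide, so the following is an added example, not HBGary's code or rule language. It is a small stand-in trait engine that shows the shape the slide describes: each trait has a unique hash code, a weight and control flags, and a rule built from AND-ed predicates (a byte pattern with `??` wildcards, an API call with an argument constraint, a string match) evaluated against the details a reverse-engineering pass would recover for each in-memory module. The module records, the trait database and the weights are all constructed for illustration; `PROCESS_ALL_ACCESS` is the real Windows constant value, the API names are real Windows APIs, everything else is hypothetical.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for the details an automated reverse-engineering pass
# recovers for one module found in physical memory: its code bytes, the API
# calls it makes with any argument values resolved at the call site, and the
# strings extracted from it.
@dataclass
class ModuleDetails:
    name: str
    code: bytes
    api_calls: list[tuple[str, dict[int, int]]]   # (API name, {arg index: value})
    strings: list[str] = field(default_factory=list)

@dataclass
class Trait:
    """One behavioral trait (hypothetical rule language, not HBGary's).

    `rule` is a list of predicates AND-ed together, mirroring the slide's
    'B[...] ANDS C"..."' shape; `weight` is the severity contribution;
    `flags` are control flags; `trait_id` is the trait's unique hash code.
    """
    description: str
    weight: int
    rule: list
    flags: set[str] = field(default_factory=set)
    trait_id: str = ""

    def __post_init__(self) -> None:
        if not self.trait_id:   # derive the hash code from the description
            self.trait_id = hashlib.sha1(self.description.encode()).hexdigest()[:6]

def byte_pattern(pattern: str):
    """B[...] predicate: hex bytes with '??' wildcards, searched anywhere in the code."""
    regex = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)]))
                     for p in pattern.split())
    compiled = re.compile(regex, re.DOTALL)
    return lambda m: compiled.search(m.code) is not None

def calls_api(name: str, args: dict[int, int] | None = None):
    """C"..." predicate: the module calls `name`, optionally with given argument values."""
    wanted = args or {}
    return lambda m: any(api == name and all(a.get(i) == v for i, v in wanted.items())
                         for api, a in m.api_calls)

def has_string(regex: str):
    """S"..." predicate: some extracted string matches the regular expression."""
    compiled = re.compile(regex)
    return lambda m: any(compiled.search(s) for s in m.strings)

PROCESS_ALL_ACCESS = 0x1F0FFF

# Constructed trait database; weights are illustrative.
TRAITS = [
    Trait("Queues a user-mode APC into a thread", 12, [calls_api("QueueUserAPC")], {"suspicious"}),
    Trait("Opens a process with PROCESS_ALL_ACCESS", 8, [calls_api("OpenProcess", {0: PROCESS_ALL_ACCESS})]),
    Trait("Writes into another process's memory", 10, [calls_api("WriteProcessMemory")]),
    Trait("Carries an embedded PE image (MZ header) in its code", 5, [byte_pattern("4D 5A 90 00")]),
    Trait("Contains a hard-coded IPv4 address", 3, [has_string(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")]),
]

def sequence(module: ModuleDetails, traits: list[Trait]) -> tuple[int, str, list[Trait]]:
    """Evaluate every trait; return (severity score, DNA sequence, matched traits)."""
    matched = [t for t in traits if all(pred(module) for pred in t.rule)]
    score = sum(t.weight for t in matched)
    return score, " ".join(t.trait_id for t in matched), matched

def rank_modules(modules: list[ModuleDetails], traits: list[Trait]) -> list[tuple[int, str]]:
    """Rank modules by threat severity, highest first."""
    return sorted(((sequence(m, traits)[0], m.name) for m in modules), reverse=True)

# Constructed modules standing in for what a memory snapshot would contain.
MODULES = [
    ModuleDetails("svchost.exe", b"\x55\x8b\xec\x83\xec\x10\xff\x15\x00\x20\x40\x00\xc9\xc3",
                  [("CreateFileW", {}), ("ReadFile", {}), ("CloseHandle", {})],
                  ["C:\\Windows\\System32"]),
    ModuleDetails("updater.exe", b"\x55\x8b\xec\xff\x15\x08\x20\x40\x00\xc9\xc3",
                  [("OpenProcess", {0: 0x0400}), ("Sleep", {0: 60000})],
                  ["198.51.100.7"]),
    ModuleDetails("injector.dll", b"\x55\x8b\xec\xe8\x10\x00\x00\x00MZ\x90\x00\x03\x00\x00\x00\xc3",
                  [("OpenProcess", {0: PROCESS_ALL_ACCESS}), ("WriteProcessMemory", {}),
                   ("QueueUserAPC", {})],
                  ["203.0.113.45", "\\\\.\\pipe\\ctl"]),
]

if __name__ == "__main__":
    for score, name in rank_modules(MODULES, TRAITS):
        _, dna, matched = sequence(next(m for m in MODULES if m.name == name), TRAITS)
        print(f"{score:3d}  {name:<14} {dna}")
        for t in matched:
            print(f"      - {t.description}")
```

Run as a script, the module with process-injection traits sorts to the top with a score of 38, the updater scores 3 for its hard-coded address, and the service host scores 0. The point of the weights is the “noise versus signal” goal from the earlier slide: a single low-weight trait does not pull a module to the top, while a cluster of high-weight traits does, whatever the module is named.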

Advantages of Our Approach
- Forensic-quality approach: analysis is 100% offline, like crash dump analysis (no code running!)
- Automated reverse engineering engine: Digital DNA™ detects zero-day threats; 5+ years of reverse engineering technology, AUTOMATED! No reverse engineering expertise required

2009 Attack Trends (slide diagram)
Disk file -> OS loader -> in-memory image. Entry points shown: Internet browsers (IE, Firefox); Adobe, MS Word, PPT, Excel, Flash, Java; PDF, ActiveX, Flash, Office documents, video, etc.
You cannot prevent these exploits from getting in…

The Opportunity: “Build a Better Mousetrap”

Our Technology and Methodology
- Detect: offline memory analysis gives unprecedented visibility; like “crash dump analysis”, no code is running to fool our analysis
- Diagnose: automate malware analysis; identify behaviors and what was stolen; generate a “Malware Intelligence Report”
- Respond: block IPs/domains at the gateway; IDS/IPS – create new rules to mitigate the threat; develop the optimal corrective action plan

What is Digital DNA?
- A new approach to detecting zero-day malware
- Detects malware regardless of how it was packaged
- Diagnoses and reports on code behaviors; programming techniques are classified with clear descriptions (“Reverse Engineering for Dummies”)
- Identifies variants across the enterprise
It really can’t get any easier than this.

Advantages of Digital DNA
- Forensic-quality approach: analysis is 100% offline, like crash dump analysis; no code running, so you see everything
- Automated malware analysis (the value of automated reverse engineering): Digital DNA™ detects zero-day threats; 5+ years of reverse engineering technology, AUTOMATED! No reverse engineering expertise required

Fuzzy Search

5,000 malware samples are sequenced every 24 hours

Over 2,500 traits are categorized into factor, group, and subgroup. This is our “genome”. We expect to have 10,000 traits by the end of the year.

HBGary Enterprise Malware Detection

Enterprise Solutions (1 analyst : N machines)
- Enterprise Digital DNA – McAfee ePO & Verdasys: enterprise malware/rootkit detection & reporting; distributed physical memory analysis with Digital DNA; rapid response; policy lockdown
- Enterprise Responder – Guidance Software EnCase Enterprise solution: suspicious & malicious code detection

Integration with McAfee ePO (available now!)
Components shown on the slide: ePO agents (endpoints) running the Digital DNA module; the ePO server with SQL and the HBGary server module; the ePO console; the Responder workstation; scheduled events; the HBGary portal. WPMA = Windows Physical Memory Analysis.

HBGary Products with Digital DNA

Digital DNA Product Line
- Enterprise Digital DNA – McAfee ePO, Guidance Software, Verdasys: enterprise malware/rootkit detection & reporting; distributed physical memory analysis with Digital DNA; rapid response; policy lockdown
- Responder Professional – stand-alone software for one analyst: a comprehensive physical memory and malware investigation platform; host intrusion detection & incident response; live Windows forensics; automated malware analysis; for computer incident responders, malware analysts, and security assessments

MD5 Doesn’t Work in Memory

Why MD5s Don’t Work in Memory
- In memory, once executing, a file is represented in a new way that cannot easily be back-referenced to a file checksum
- Digital DNA™ does not change, even if the underlying file does
- Digital DNA is calculated from what the software DOES (its behavior), not from how it was compiled or packaged

In memory, traditional checksums don’t work (slide diagram)
Disk file -> OS loader -> in-memory image. Parts of the image are copied in full, parts are copied in part, and parts are 100% dynamic. On disk the MD5 checksum is reliable; in memory the MD5 checksum is not consistent, while Digital DNA remains consistent.

White-listing on disk doesn’t prevent malware from being in memory (slide diagram)
Internet document (PDF, ActiveX, Flash, Office document, video, etc.) -> disk file -> OS loader -> in-memory image. The disk file’s MD5 checksum is whitelisted and the process is trusted, yet public attack kits have used memory-only injection for over 5 years. Whitelisted code does not mean secure code.

Same malware compiled in three different ways (slide diagram)
Three disk files -> OS loader -> in-memory image. The MD5 checksums are all different; Digital DNA remains consistent.

Digital DNA defeats packers (slide diagram)
Starting malware -> packed malware (packer #1, packer #2) -> OS loader -> decrypted original in the in-memory image. Digital DNA remains consistent.
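The three diagram slides above (checksums in memory, the same malware compiled three ways, and packers) make one argument: a file hash identifies bytes on disk, the loader and any unpacking stub rewrite those bytes, so a value that is supposed to stay constant has to be derived from what the code does after loading. The following is an added example, not HBGary's code and not a real PE loader. It models a tiny constructed binary format with a code body, base relocations, an import list and optional XOR packing; `load` applies what a loader and a packer stub would do; `behavior_fingerprint` is a hypothetical Digital DNA-style value built from the unpacked code with load-dependent addresses masked plus the set of imported APIs. The code bytes, bases, padding, the `resolve_import` address scheme and the XOR key are all constructed.

```python
import hashlib
import json
import struct
import zlib

# Constructed "source": x86-style code with two absolute addresses that the
# compiler fills in for its preferred image base (offsets 4 and 10 hold RVAs).
CODE = b"\x55\x8b\xec\x68\x00\x20\x00\x00\xff\x15\x10\x30\x00\x00\xc9\xc3"
RELOCS = [4, 10]
IMPORTS = ["OpenProcess", "WriteProcessMemory", "QueueUserAPC"]

def build_variant(code, relocs, imports, preferred_base, pad, xor_key=None):
    """Stand-in for one compiled (and optionally packed) binary as it sits on disk."""
    body = bytearray(code)
    for off in relocs:                      # compiler embeds absolute addresses
        rva = struct.unpack_from("<I", body, off)[0]
        struct.pack_into("<I", body, off, preferred_base + rva)
    if xor_key is not None:                 # packer: encode the body
        body = bytearray(b ^ xor_key for b in body)
    return {"code": bytes(body), "relocs": list(relocs), "imports": list(imports),
            "base": preferred_base, "pad": pad, "xor_key": xor_key}

def disk_bytes(v):
    """The file on disk: header (metadata), body, linker padding."""
    header = json.dumps({k: v[k] for k in ("relocs", "imports", "base", "pad", "xor_key")},
                        sort_keys=True).encode()
    return header + v["code"] + b"\0" * v["pad"]

def resolve_import(name):
    """Constructed address an API would have in this process (base + crc-derived offset)."""
    return 0x7C800000 + (zlib.crc32(name.encode()) & 0xFFFF)

def load(v, actual_base):
    """What the OS loader (plus the packer's own stub) leaves in memory."""
    image = bytearray(v["code"])
    if v["xor_key"] is not None:            # packer stub restores the original
        image = bytearray(b ^ v["xor_key"] for b in image)
    delta = actual_base - v["base"]
    for off in v["relocs"]:                 # loader applies base relocations
        va = struct.unpack_from("<I", image, off)[0]
        struct.pack_into("<I", image, off, va + delta)
    iat = b"".join(struct.pack("<I", resolve_import(n)) for n in v["imports"])
    return bytes(image) + iat               # code copied in full, IAT filled in at run time

def disk_md5(v):
    return hashlib.md5(disk_bytes(v)).hexdigest()

def memory_md5(v, actual_base):
    return hashlib.md5(load(v, actual_base)).hexdigest()

def behavior_fingerprint(v, actual_base):
    """Digital DNA-style value (hypothetical): derived from what the unpacked code
    does (masked code bytes plus the set of APIs it uses), not how it was packaged."""
    code = bytearray(load(v, actual_base)[:len(v["code"])])
    for off in v["relocs"]:                 # mask addresses that depend on the load base
        struct.pack_into("<I", code, off, 0)
    material = bytes(code) + b"|".join(sorted(n.encode() for n in v["imports"]))
    return hashlib.sha256(material).hexdigest()[:16]

# Three builds of the same malware: default build, different compiler/linker
# settings (other preferred base, padding, import order), and an XOR-packed
# build; each lands at a different (ASLR-style) base when loaded.
SAMPLES = [
    (build_variant(CODE, RELOCS, IMPORTS, 0x00400000, pad=16), 0x00400000),
    (build_variant(CODE, RELOCS, IMPORTS[::-1], 0x10000000, pad=512), 0x00730000),
    (build_variant(CODE, RELOCS, IMPORTS, 0x00400000, pad=0, xor_key=0x5A), 0x01AC0000),
]

def count_distinct(samples):
    """How many distinct values each identifier yields across the samples."""
    return {
        "disk_md5": len({disk_md5(v) for v, _ in samples}),
        "memory_md5": len({memory_md5(v, base) for v, base in samples}),
        "behavior_fingerprint": len({behavior_fingerprint(v, base) for v, base in samples}),
    }

if __name__ == "__main__":
    for v, base in SAMPLES:
        print(disk_md5(v)[:12], memory_md5(v, base)[:12], behavior_fingerprint(v, base))
    print(count_distinct(SAMPLES))   # disk and memory hashes all differ; the fingerprint is the same
```

Two things worth noticing when running it. The in-memory MD5 of a single build changes just by loading it at another base, because the relocated addresses are part of the hashed bytes, so an in-memory hash cannot be matched back to a disk whitelist even for unmodified software. And the fingerprint only stays constant because it deliberately masks the load-dependent fields and works on the unpacked body; whichever fields a real implementation masks decide which packaging changes it survives and which it does not.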

Digital DNA detects toolkits (slide diagram)
Different malware authors using the same malware toolkit -> packed -> OS loader -> in-memory image. The toolkit’s DNA is detected.

Conclusion: Dramatically Improve Host Security with Memory Forensics
- Memory forensics can detect malicious code that nothing else can…
- Not only for incident response: it should be used during security assessments today
- Malware analysis should be brought in-house; it can help you minimize costs and impact
- Rapidly identify the “scope of breach”
- Mitigate the threat before you have an anti-virus signature
- Minimize and manage enterprise risk

Future at HBGary
- Development initiatives: Active Defense – HBGary enterprise technology; Recon – next-gen sandbox for automated malware analysis; Digital DNA v2 – advanced mapping of the malware genome
- Webinar series: memory forensics; Responder Pro with Digital DNA; rapid malware analysis to mitigate the threat
- Partnerships: Guidance Software, McAfee, Verdasys, and some others to be announced soon

Demo. Thank you very much. sales@hbgary.com

Why Memory Analysis Is Unique (slide diagram): better detection compared with traditional forensics & security software

Perform Malware Analysis: “This looks suspicious!”
Understand malware for:
- Computer Network Defense (CND): create signatures; bolster defenses; attribution
- Computer forensics: identify a binary’s capabilities; recover command and control functions; recover passwords and encryption keys; view decrypted packets and files