Published by Makena Rounds. Modified over 10 years ago.
1
Leveraging Continuous View to Hunt Malware
2
Why hunt for malware? The slide shows a spectrum running from traditional vulnerability management to malware: scanned services, unauthorized systems, patches, config, unauthorized software, malware. Malware is another form of vulnerable software that has been introduced into your network. Hunting modern malware is much more about enterprise vulnerability and configuration auditing than traditional anti-virus agent-based discovery. At one end of the spectrum, finding an open port can make you fail a compliance audit. At the other end of the spectrum, you can have a fully patched system with a RAT, Trojan, botnet, etc. on it.
3
Unique underlying architecture: advanced analytics; massive app library, updated daily; dashboard and report designer; connectors for complete context; unique sensors; 100% asset discovery; your network.
4
Data sources: port scans; botnet, malware and system tests; real-time ports; user agents; network logs; DNS & web queries; netflow; process logs; botnet anomalies.
5
Analysis tools: 2D dashboards, data mining, 3D visualization, spreadsheets, command-line tools.
6
Topics: Sweet Orange, RedKit, Comfoo RAT, ZeuS P2P, Neutrino, Tenable Botnet/Malware Detection Technology.
7
Sweet Orange Exploit Kit: hunting for IP addresses. Source: http://www.malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/
8
List of IP addresses associated with Sweet Orange; URI associated with systems redirected to Sweet Orange web pages.
9
Create watchlist
10
LCE has events (mostly from PVS) to these IPs
11
Example URI from the blog. Detected query with PVS: the sniffed URIs match the URI!
12
RedKit: indicators from the May 2013 DHS Weekly Synopsis Product.
14
Are we hosting RedKit content? Keyword search for PVS plugin 7039; generic SC searches for Nessus scan results; manual search of hosted URL/URI content in any result, including port; independent PVS 7039.
15
Did someone query RedKit content? Search LCE proxy logs; search PVS web logs; search PVS & DNS logs; refine the search to avoid generic matches. Search PVS logs: example Domain_Summary query.
16
Comfoo RAT: Secrets of the Comfoo Masters, http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
17
Look for Nessus scans with failed credentials; look for “ipnat” running in system logs.
18
PVS logs the queries, and they are discoverable as shown below.
19
Nessus web scan results – which ports? PVS web scan sniffing results – all ports!
21
PVS plugin 2 – client-side usage; PVS plugin 16 – outbound client-side usage.
22
The detected port traffic on 1688 was BitTorrent.
24
type: AUDIT_POWERSHELL
description: "Comfoo Masters - ServiceDLL Check"
value_type: POLICY_TEXT
value_data: "(cmmos.dll|jacpet.dll|javadb.dll|mszlobm.dll|netfram.dll|netman.dll|ntdapie.dll|ntdelu.dll|ntobm.dll|odbm.dll|senss.dll|suddec.dll|tabcteng.dll|vmmreg32.dll|wininete.dll)"
powershell_args: "Get-ItemProperty HKLM:\system\CurrentControlSet\Services\*\Parameters | select PSPath,ServiceDll | format-list"
check_type: CHECK_NOT_REGEX
powershell_option: CAN_BE_NULL
Search registry for evidence of Comfoo.
25
type: AUDIT_POWERSHELL
description: "Comfoo Masters - Find DLLs"
value_type: POLICY_TEXT
value_data: ""
powershell_option: CAN_BE_NULL
powershell_args: "get-childitem -recurse c:\ -include cmmos.dll,jacpet.dll,javadb.dll,mszlobm.dll,netfram.dll,netman.dll,ntdapie.dll,ntdelu.dll,ntobm.dll,odbm.dll,senss.dll,suddec.dll,tabcteng.dll,vmmreg32.dll,wininete.dll -erroraction silentlycontinue|select directory,name|format-list"
Search file system for evidence of Comfoo.
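As an added example (not Tenable's audit code, and not from the SecureWorks report), the same Comfoo DLL name list applied in Python to constructed output of the ServiceDll query above, plus the file-name variant of the "Find DLLs" check; the service name winupd and all sample paths are constructed, and case-insensitive matching is an assumption.

```python
import re

# Constructed sample of "Get-ItemProperty HKLM:\system\CurrentControlSet\Services\*\Parameters
# | select PSPath,ServiceDll | format-list" output. The service "winupd" and its DLL path
# are constructed for the example, not captured from a real host.
SAMPLE_OUTPUT = r"""
PSPath     : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dnscache\Parameters
ServiceDll : %SystemRoot%\System32\dnsrslvr.dll

PSPath     : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\winupd\Parameters
ServiceDll : C:\Windows\system32\ntdapie.dll

PSPath     : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\W32Time\Parameters
ServiceDll :
"""

# Same alternation as value_data in the audit; the case-insensitive flag is an assumption.
COMFOO_DLL_RE = re.compile(
    r"(cmmos\.dll|jacpet\.dll|javadb\.dll|mszlobm\.dll|netfram\.dll|netman\.dll|"
    r"ntdapie\.dll|ntdelu\.dll|ntobm\.dll|odbm\.dll|senss\.dll|suddec\.dll|"
    r"tabcteng\.dll|vmmreg32\.dll|wininete\.dll)", re.IGNORECASE)


def parse_format_list(text):
    """Split format-list output into blank-line-separated records of key: value pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def comfoo_servicedll_hits(text):
    """(service name, ServiceDll) for every service whose DLL matches the Comfoo list.
    The audit uses CHECK_NOT_REGEX, so an empty list is the passing result."""
    hits = []
    for rec in parse_format_list(text):
        dll = rec.get("ServiceDll", "")
        if dll and COMFOO_DLL_RE.search(dll):
            service = rec.get("PSPath", "").split("\\")[-2]  # ...\Services\<name>\Parameters
            hits.append((service, dll))
    return hits


def comfoo_file_hits(paths):
    """The 'Find DLLs' check: the same name list applied to file paths by base name."""
    return [p for p in paths if COMFOO_DLL_RE.fullmatch(p.rsplit("\\", 1)[-1])]
```

The match is on file name only, so a hit still needs triage against the file's full path and signature before it is treated as Comfoo.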
26
257 domain names. Powerful command-line search: associative-search.sh searches DNS, MD5 & SSL (https://discussions.nessus.org/message/19698#19698). Ran 1 hour to search all domain names across 6 months of data.
27
ZeuS-P2P: http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf
28
Infected computer has BOTH UDP and TCP ports open between 10,000 and 30,000.
29
Manually finding systems with TCP and UDP ports between 10,000 and 30,000 is tricky. You need to save a list of IPs with UDP ports 10,000 to 30,000 and then filter that list with a TCP filter of 10,000 to 30,000: filter on an asset list of IPs with UDP ports 10k to 30k for those IPs with TCP ports in the same range.
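The two-step asset-list filter described above, done in Python as an added example that is not Tenable's code; the open-port observations are constructed stand-ins for a Nessus/PVS port export, not real scan data.

```python
import ipaddress

# Constructed open-port observations (ip, protocol, port); none come from a real scan.
OBSERVATIONS = [
    ("10.0.0.5", "tcp", 80), ("10.0.0.5", "udp", 161),
    ("10.0.0.7", "tcp", 21344), ("10.0.0.7", "udp", 21344),    # both in range
    ("10.0.0.9", "tcp", 12000), ("10.0.0.9", "udp", 53),       # TCP only in range
    ("10.0.0.11", "udp", 28000), ("10.0.0.11", "tcp", 443),    # UDP only in range
    ("10.0.0.13", "udp", 15000), ("10.0.0.13", "tcp", 29999), ("10.0.0.13", "tcp", 22),
]

LOW, HIGH = 10_000, 30_000


def hosts_with_ports(observations, proto, low=LOW, high=HIGH):
    """Step 1: the asset list of IPs with at least one <proto> port in [low, high]."""
    return {ip for ip, p, port in observations if p == proto and low <= port <= high}


def zeus_p2p_candidates(observations, low=LOW, high=HIGH):
    """Step 2: keep only hosts that are on BOTH the UDP list and the TCP list."""
    udp_hosts = hosts_with_ports(observations, "udp", low, high)
    tcp_hosts = hosts_with_ports(observations, "tcp", low, high)
    return sorted(udp_hosts & tcp_hosts, key=ipaddress.ip_address)


def candidate_ports(observations, low=LOW, high=HIGH):
    """Per candidate host, the in-range ports by protocol, for analyst triage."""
    out = {}
    for ip in zeus_p2p_candidates(observations, low, high):
        out[ip] = {proto: sorted(port for i, p, port in observations
                                 if i == ip and p == proto and low <= port <= high)
                   for proto in ("tcp", "udp")}
    return out
```

Any host with a legitimate listener on a high TCP and a high UDP port lands on the same list, so the result is a triage list, not a verdict.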
30
These hashes were already part of the malware cloud database; i.e., Nessus or LCE Client would have found these.
31
Neutrino: A New Exploit Kit in Neutrino, http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/
32
Neutrino, also covered at MalwareSigs: http://www.malwaresigs.com/2013/08/29/30-days-of-neutrino-domainsips/ Take IPs from the blog post and create a SecurityCenter watchlist named Neutrino.
33
Search for any hits in the past 30 days and then do a port summary to see port 8000 activity. Extend the search to 50 days and see some more activity.
34
VirusTotal claimed the following DNS names were in use by Neutrino on various dates.
35
On Aug 5, we saw lots of queries for ifjtjdhcywssbhdxk.dyndns-mail.com recorded by the PVS. This DNS name was NOT on the list from the blog for Aug 5th nor any other day, but was very close. Differences in DNS names at VirusTotal and in “live” use can result from many things, including variants and different behaviors based on where it is run.
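To catch the kind of near miss described above (an observed name that is not on the list but shares its leftmost label with a listed name, or differs by only a few characters), an added example that is not from the presentation; the watchlist entries other than the observed query are constructed stand-ins for the VirusTotal list, which the transcript does not reproduce.

```python
import difflib

# Constructed watchlist; only the observed query ifjtjdhcywssbhdxk.dyndns-mail.com is
# from the slide, the listed names are made up for the example.
WATCHLIST = {
    "ifjtjdhcywssbhdxk.dyndns-work.com",   # same label as the observed query, other parent
    "qzlmvbtrnoaxfgeh.dyndns-mail.com",
    "update.example-cdn.net",
}
OBSERVED_QUERIES = [
    "ifjtjdhcywssbhdxk.dyndns-mail.com",   # from the slide: not listed, but very close
    "www.example.org",
    "qzlmvbtrnoaxfgeh.dyndns-mail.com",    # exact hit
]


def split_host(name):
    """(leftmost label, remaining suffix) of a host name, lower-cased."""
    label, _, suffix = name.lower().partition(".")
    return label, suffix


def classify_query(name, watchlist, threshold=0.85):
    """Return ('exact', match), ('near', match, ratio) or ('none',).
    'near' means the same leftmost label on a different parent domain (ratio 1.0),
    or a whole-name difflib similarity ratio at or above threshold."""
    name = name.lower()
    if name in watchlist:
        return ("exact", name)
    label, _ = split_host(name)
    best, best_ratio = None, 0.0
    for listed in watchlist:
        if split_host(listed)[0] == label:
            return ("near", listed, 1.0)
        ratio = difflib.SequenceMatcher(None, name, listed).ratio()
        if ratio > best_ratio:
            best, best_ratio = listed, ratio
    if best_ratio >= threshold:
        return ("near", best, round(best_ratio, 3))
    return ("none",)


def review_queries(queries, watchlist):
    """Classify every observed DNS query against the watchlist."""
    return {q: classify_query(q, watchlist) for q in queries}
```

Near hits are leads to review, not confirmations: a shared random-looking label on a different dynamic DNS parent is exactly the case the slide describes.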
36
Tenable Botnet/Malware Detection Technology
37
Passive web traffic analysis; malicious process detection; botnet detection based on IP reputation.
38
PVS passively logs all DNS lookups, web queries and network traffic in real-time. This event indicates there have been nine web queries in the past 30 days which were related to known botnet activity.
39
These are the nine queries, each one to a known malicious botnet or malware related site.
40
Nessus scans identify malicious processes with a cross-industry index of known bad hashes.
41
LCE Windows agents perform malware detection on all running processes.
42
The LCE checks all IDS, login, netflow & PVS logs against a botnet reputation database
43
Nessus checks systems for active botnet connections, settings and content
44
Nessus also identifies systems running unique and unknown processes
45
Each of these checks, and many others, is leveraged by real-time dashboards to identify malware.