Malware Hash Registry - NANOG Archive


©2008TeamCymru

Stephen Gill, Chief Scientist, Team Cymru

Malware Hash Registry: Harnessing the power of AntiVirus Aggregation

January, 2009


Agenda


•  Introduction
•  Purpose
•  Access
•  Usage, Tools, Applications
•  Statistics
•  Looking to the Future
•  Conclusion


Our Mission: The WHO and the WHY

•  Began as a hobby in 1998; incorporated in 2004.
•  Network of researchers dedicated to supporting the Internet community in maintaining security; non-profit
•  Funded by multinational banks, CERTs/CSIRTs, security vendors… and you?
•  Global investigators previously from Dutch NHTCC, UK Scotland Yard, Polish Police, USSS


The Internet


Malware's Effect on the Internet


Malware

•  Samples skyrocketing: one new virus every 2 seconds

•  Vectors:
   –  people
   –  mobile viruses
   –  drive-by downloads
   –  file infectors (i.e. Virut)
   –  USB drives, spreading like wildfire in AsiaPac
   –  Office programs
   –  Middleman: ARP poisoning


Enter, the Malware Hash Registry

•  In a nutshell: query our service for a computed MD5 or SHA-1 hash of a file
   –  if it is known malware we display an AV detection rate and last-seen timestamp

•  Similar to IP-to-ASN, released several years ago:
   –  http://www.team-cymru.org/Services/ip-to-asn.html
   –  Translates IPs to BGP ASNs via whois and HTTP
   –  Highly successful


Enter, the Malware Hash Registry

•  Complements AV extremely well.
   –  Maintaining hashes in signatures is impractical (1GB+ size)
   –  We take care of that by storing it in the cloud
   –  Lets AV continue to do what it does best: detect malware based on signatures and heuristics.

•  Free for non-commercial use


Access Methods

•  Access is available over the Internet via:
   –  Whois: TCP 43
   –  Netcat: TCP 43 (bulk whois)
   –  DNS: UDP 53

•  Possibly coming later:
   –  Instant Messaging
   –  HTTP
   –  Your ideas here…


Architecture

[Architecture diagram: MHR, Malware DB, AV Queue, Queries]


Usage

•  Whois & Netcat
•  DNS


Applications

•  Hardware
   –  Coming soon to a router vendor near you…
   –  BRO appliance
   –  Your ideas here…
•  Software
   –  Mail servers
   –  Forensics
   –  Poor man's AV
   –  The sky's the limit


Sneak Peek: WinMHR


AV's Effectiveness

•  We collect approximately 30K+ unique malware samples per day.
•  Using current AV signatures and engines from 32 AV vendors, the detection rate is circa 28%.
•  30 days later the detection rate can be as high as 50%. Yay. :/


MHR's Effectiveness

•  According to one private study:
   –  MHR improved AV's hit rate by 50%!
•  Contributions welcomed!!!
   –  AV engines (from vendor)
   –  Malware samples
   –  Suggestions for improvement
   –  Moral support
   –  Coffee


MHR's Adoption

•  In the first 5 days, over 750k queries
•  10M+ queries in Jan 2009
•  BRO add-on in the first day: http://wiki.github.com/sethhall/bro_scripts/the-malware-hash-registry-and-bro-ids
   –  Realtime HTTP monitoring
•  Linux host active scanning


Future Add-ons

•  Kernel driver to watch for new processes
•  Monitoring of subprocesses and DLLs (svchost.exe)


FAQ

•  How do I interpret the output?
   –  It's not too bad, just two numbers to worry about: timestamp (unix), and detection rate
•  How do you collect malware?
   –  How don't we collect malware...
•  Can I download your hash registry database?
   –  It is not publicly available, but you may contact us about a data sharing agreement.
•  Can I have a sample of the file…?
   –  Please see the FAQ
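As an added example (not code from the talk or from Team Cymru's own tooling): a Python script that hashes a file the way MHR expects (MD5 or SHA-1), builds a bulk request in the shape used for the netcat/whois access method on TCP 43, and parses a constructed reply into the two numbers the FAQ above mentions, a unix timestamp and a detection rate. The `begin`/`end` framing, the `hash timestamp rate` line layout and the `NO_DATA` marker for unknown hashes are assumptions about the service's text format; the reply is constructed, so the script runs offline.

```python
import hashlib
import time

# Constructed sample file contents; their digests stand in for real lookups.
KNOWN = hashlib.md5(b"constructed sample A").hexdigest()
CLEAN = hashlib.md5(b"constructed sample B").hexdigest()

# Constructed bulk reply: one "hash timestamp rate" line per hash (assumed
# layout); NO_DATA is the assumed marker for a hash the registry does not know.
SAMPLE_REPLY = (
    "# Bulk mode; one result per line\n"
    f"{KNOWN} 1231933200 37\n"
    f"{CLEAN} NO_DATA\n"
)

def file_hashes(data):
    """MD5 and SHA-1 of a file's bytes, the two digests the registry accepts."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def build_bulk_request(hashes):
    """Bulk (netcat) request: 'begin', one hash per line, 'end' (assumed framing)."""
    return "begin\n" + "\n".join(hashes) + "\nend\n"

def parse_bulk_reply(text):
    """Map each hash to (unix_timestamp, detection_rate), or None if unknown."""
    results = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip banner/comment lines
            continue
        fields = line.split()
        if len(fields) == 2 and fields[1] == "NO_DATA":
            results[fields[0]] = None
        elif len(fields) == 3:
            results[fields[0]] = (int(fields[1]), int(fields[2]))
    return results

def describe(hash_hex, result):
    """Turn the two numbers into a verdict; an unknown hash is not a clean verdict."""
    if result is None:
        return f"{hash_hex}: not in MHR (absence is not proof the file is clean)"
    ts, rate = result
    seen = time.strftime("%Y-%m-%d", time.gmtime(ts))   # last-seen timestamp
    return f"{hash_hex}: known malware, last seen {seen}, {rate}% of AV engines detect it"

if __name__ == "__main__":
    print(build_bulk_request([KNOWN, CLEAN]), end="")
    for h, r in parse_bulk_reply(SAMPLE_REPLY).items():
        print(describe(h, r))
```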


FAQ

•  Which AV engines?
   –  Undisclosed
•  Tell me more about your malware database?
   –  Talk to me afterwards.
•  Should I just stop using an anti-virus package?
   –  NO! Please continue to use AV!
•  How up-to-date is your registry?
   –  Updated once, daily.
•  How do I report a false positive?
   –  http://www.team-cymru.org/Services/MHR/


Team Cymru can Help You!

•  Detection
   –  Flows, feeds, compromised devices
   –  Have questions about your network or IPs? Talk to me afterwards.
•  Investigation
   –  Cyber who dunnit?
•  Prevention
•  Mitigation
•  Collaboration


Thank you for your time!


Concluding Remarks

•  Questions?


More Information

•  http://www.team-cymru.org/Services/MHR/
