©2008TeamCymru

Stephen Gill Chief Scientist Team Cymru

Malware Hash Registry Harnessing the power of AntiVirus Aggregation

January, 2009

CONFIDENTIAL ©2008TeamCymru

©2008TeamCymru

Agenda

CONFIDENTIAL ©2008TeamCymru

•  Introduction•  Purpose•  Access•  Usage,Tools,Applications•  Statistics•  LookingtotheFuture•  Conclusion

©2008TeamCymru

•  Began as a hobby in 1998; Incorporated in 2004. •  Network of researchers dedicated to supporting the

Internet community in maintaining security; non-profit •  Funded by multinational banks, CERTs/CSIRTS, security

vendors… and you? •  Global investigators previously from Dutch NHTCC, UK

Scotland Yard, Polish Police, USSS •  OurMission:TheWHOandtheWHY

Copyright©2008TeamCymru

©2008TeamCymru

TheInternet

©2008TeamCymru

Malware’sEffectontheInternet

©2008TeamCymru

Malware

•  SamplesSkyrocketing:onenewvirusevery2seconds

•  Vectors:–  people–  mobileviruses–  DriveBydownloads–  fileinfectors(ievirut)–  USBdrives.spreadinglikewildfireinAsiaPac–  Officeprograms–  Middleman:arppoisoning

©2008TeamCymru

Enter,theMalwareHashRegistry

•  Inanutshell:queryourserviceforacomputedMD5orSHA‐1hashofafile–  ifitisknownmalwarewedisplayanAVdetectionRateandlastseentimestamp

•  SimilartoIPtoASNreleasedseveralyearsago:– http://www.team‐cymru.org/Services/ip‐to‐asn.html

– TranslatesIpstoBGPASNsviaWhoisandHTTP– Highlysuccessful

©2008TeamCymru

Enter,theMalwareHashRegistry

•  ComplementsAVextremelywell.– MaintainingHashesinsignaturesisimpractical(1(1GB+size)

– Wetakecareofthatbystoringitinthecloud

– LetsAVcontinuetodowhatitdoesbest:detectmalwarebasedonsignaturesandheuristics.

•  Freefornon‐commercialuse

©2008TeamCymru

AccessMethods

•  AccessisavailableovertheInternetvia:– Whois:TCP43– Netcat:TCP43(bulkwhois)– DNS:UDP53

•  Possiblycominglater:–  InstantMessaging–  HTTP–  Yourideashere…

©2008TeamCymru

Architecture

MHRMalwareDB AVQueue

Queries

©2008TeamCymru

Usage•  Whois&Netcat

•  DNS

©2008TeamCymru

Applications

•  Hardware–  Comingsoontoaroutervendornearyou…

–  BROappliance–  Yourideashere…

•  Software

-  MailServers-  Forensics-  Poorman’sAV

-  TheSky’sthelimit

©2008TeamCymru

SneakPeek:WinMHR

©2008TeamCymru

AV’sEffectiveness

•  Wecollectapproximately~30K+uniquemalwaresamplesperday.

•  UsingcurrentAVsignaturesandenginesfrom32AVvendors,thedetectionrateiscirca28%.

•  30dayslaterthedetectionratecanbeashighas50%.Yay.:/

©2008TeamCymru

MHR’sEffectiveness

•  AccordingtoOnePrivatestudy:– MHRimprovedAV’shitrateby50%!

•  ContributionsWelcomed!!!– AVengines(fromvendor)– Malwaresamples– Suggestionsforimprovement– Moralsupport– Coffee

©2008TeamCymru

MHR’sAdoption

•  Inthefirst5days,over750kqueries•  10M+queriesinJan2009

•  BROAddoninthefirstdayhttp://wiki.github.com/sethhall/bro_scripts/the‐malware‐hash‐

registry‐and‐bro‐ids

RealtimeHTTPMonitoring

•  LinuxHostActiveScanning

©2008TeamCymru

FutureAddons

•  KernelDrivertowatchfornewprocesses•  MonitoringofsubprocessesandDLLs(svchost.exe)

©2008TeamCymru

FAQ•  HowdoIinterprettheoutput?

•  It’snottoobad,justtwonumberstoworryabout:timestamp(unix),anddetectionrate

•  Howdoyoucollectmalware?

•  Howdon’twecollectmalware...•  CanIdownloadyourhashregistrydatabase?

•  Itisnotpublicallyavailable,butyoumaycontactusaboutadatasharingagreement.

•  CanIhaveasampleofthefile…?

•  PleaseseetheFAQ

©2008TeamCymru

FAQ•  WhichAVEngines?

•  Undisclosed•  Tellmemoreaboutyourmalwaredatabase?

•  Talktomeafterwards.•  ShouldIjuststopusingananti‐viruspackage?

•  NO!PleasecontinuetouseAV!•  Howup‐to‐dateisyourregistry?

•  Updatedonce,daily.•  HowdoIreportaFalsePositive?

•  http://www.team‐cymru.org/Services/MHR/

©2008TeamCymru

TeamCymrucanHelpYou!•  Detection

– Flows, Feeds, Compromised devices – Have questions about your network or IPs?

Talk to me afterwards. •  Investigation

– Cyber who dunnit? •  Prevention •  Mitigation •  Collaboration

©2008TeamCymru

Thank you for your time!

Copyright©2008TeamCymru

©2008TeamCymru

ConcludingRemarks

•  Questions?

©2008TeamCymru

MoreInformation

•  http://www.team‐cymru.org/Services/MHR/