
Malware Management - HouSecCon 2014


Malware Management

YOU CAN FIND THE MOST ADVANCED MALWARE, EVEN THE SNEAKY NSA STUFF

WITH THIS METHOD

Michael Gough – Founder

Malware Archaeology.com

Who am I

• Blue Team Defender Ninja, Malware Archaeologist, Logoholic

• @HackerHurricane

• Inventor of the Malware Management Framework

• I love malware and malware discovery – send me your good stuff ;-)

• I love logs – they tell us Who, What, Where, When and hopefully How

• Created the “Windows Logging Cheat Sheet”

• We discovered this May 2012

• Met with the Feds ;-)

We know a bit about this one

Why we are here

• To learn something you CAN take back to work and do tomorrow!

• Learn actionable Malware Management

• Provide you resources

• Education - Security 101

• And to avoid….

You’re Next (slide of breach figures, shown without the company logos they belonged to): 97,000; 76 Mil + 8 Mil; 1000+ Businesses; 395 Stores; 4.5 Million; 25,000; 4.9 Million; 4.03 Million; 105k trans; 40 Million; 40+70 Million; $148 Mil; 33 locations; 650k - 2010??????; 76,000; 670,000; 1900 locations; 145 Million; 20,000; 3 Million; 35,000; 60,000 alerts; 990,000; 56 Mil; 550,000; TBD; Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP; ??????

Malware Management

• Anyone NOT practice Vulnerability Management?

• Malware Management is basically the same thing

• Review malware analysis reports and descriptions to tune your tools and logs toward where to look/monitor first

Create a Matrix of Indicators

RECENT EXAMPLES

CryptoLocker

• Ransomware

• Stupid malware

• Dropped executable in %AppData% root

– C:\Users\<username>\AppData\Roaming

• There are NEVER any .EXE’s here

• User initiated by clicking on something or Email

– But drive by infection possible too

Crypto Variants

Log for CryptoLocker type event

Dropped in the root of %AppData%

\AppData\Roaming

Enable Auditing – Event ID 4663

BlackPoS

• Target… YAY

• Many others

• After getting some stuff for the house (Target) I went to get a Sub for lunch (Jimmy John’s) and then shopping for a new suit (Neiman Marcus) and then off to the craft store to get kids stuff for school (Michael’s) and after all that running around I needed a drink (Spec’s)

BlackPoS

BlackPoS

BlackPoS iSight Recommendations

BackOff

• Home Depot – Got Toilet?

• Many others, possibly 1000+

• And then after dinner (P.F. Chang’s) I went to the building supply (Home Depot) to pick up some studs… and then did a night deposit at the bank (Chase, Citi..)

BackOff – Great Reporting Example

US-CERT Alert (TA14-212A)

BackOff

US-CERT Alert (TA14-212A)

BackOff

US-CERT Alert (TA14-212A)

Actionable PoS Detection

• %AppData% (Roaming\New Dir)

• Looks like Java, Adobe, but it’s not normally installed to these locations

• Installs Service

• Updates the Run Key

Now ATM’s??? - Tyupkin

• More Stoopid malware

• Dropped in System32

• EventID 4663

• Run Key

Works for Linux too - Mayhem

• Jedi Tip

• Compare:

– /proc to the processes ps reports

• Things in /proc not in ps are suspicious
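The /proc-versus-ps comparison above, as an added example in Python (not the presenter's code): it snapshots /proc, asks ps, re-confirms every candidate to rule out the race between the two listings, and can optionally stat() every PID up to pid_max instead of trusting readdir. It assumes a Linux host with a procps-style ps.

```python
import os
import subprocess

def proc_pids():
    """PIDs that appear as numeric entries when /proc is read with readdir."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def proc_pids_bruteforce(pid_max=None):
    """PIDs found by stat()ing /proc/<n> for every n up to pid_max. Slower, but
    catches userland (LD_PRELOAD) rootkits that filter readdir yet cannot hide
    a directory from a direct stat; a kernel rootkit can still hide from both."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {n for n in range(1, pid_max + 1) if os.path.isdir(f"/proc/{n}")}

def ps_pids():
    """PIDs as a procps-style ps reports them."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(in_proc, in_ps):
    """Pure comparison: PIDs present in /proc that ps did not list."""
    return sorted(set(in_proc) - set(in_ps))

def confirm(candidates):
    """Drop race artefacts: a PID that exited between the two snapshots is
    gone from /proc by now, and one that ps can see on re-query is not hidden."""
    still = []
    for pid in candidates:
        if not os.path.isdir(f"/proc/{pid}"):
            continue
        r = subprocess.run(["ps", "-p", str(pid), "-o", "pid="],
                           capture_output=True, text=True)
        if not r.stdout.strip():
            still.append(pid)
    return still

def check(brute=False):
    """Snapshot /proc (by readdir, or by brute force), then ps, then re-confirm."""
    snap = proc_pids_bruteforce() if brute else proc_pids()
    return confirm(hidden_pids(snap, ps_pids()))

if __name__ == "__main__":
    for pid in check():
        print(f"PID {pid} is in /proc but not in ps output")
```

Anything `check()` still returns after re-confirmation is worth pulling `/proc/<pid>/exe`, `cmdline` and `maps` for before deciding whether the box gets re-imaged.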

Windows is broken

• You don’t need an 0-Day

• Just a credential (Users click on stuff)

• Or just visit a website – drive-bys

• Targeted phish

• Etc, etc, etc.

• Drop a DLL next to any .EXE and BAM! Infected (DLL injection)

• If you have the creds, just execute it and move on

What is your strategy?

• Do you believe you can prevent a breach?

• Do you believe you can detect a breach?

– Within the average 210 days?

– Within 30 days?

– Within a week?

– Within a few days?

– Within a day?

– Within hours?

What is your strategy?

• Or are you going to be told by a third party (90%+)?

• How do you address advanced attacks?

• Does your strategy include being proactive at looking for attacks targeting your specific industry?

The Malware Management Framework

• How do you validate your systems are clean of something like BlackPoS or BackOff?

• Stuxnet, Flame, Duqu, SkyWiper, etc.

• The next thing…

• Did you look for these?

You’re Next (the breach-figures slide from earlier, shown again)

Malware Management

• You will see patterns

• %AppData%

• %Temp%

• \Windows, \Windows\System32, \Windows\System32\WBEM

• Reg Keys, Domains, IP’s, etc.

• Many other indicators

• Build a Malware Matrix

• Tweak your tools or scripts… or pick 1 or 10 systems and do it manually!
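The locations on this slide, together with the CryptoLocker (%AppData% root), PoS (BlackPoS/BackOff: Roaming\New Dir, Run key) and Tyupkin (System32) indicators earlier in the deck, as an added example (not the presenter's code): a small malware matrix in Python that classifies executables by where they were dropped and how new they are, plus a live directory scanner for a Windows host. The file names and the 7/30-day "new" cutoffs are constructed assumptions.

```python
import ntpath, os, time
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
# Rows: (label, dir suffix after going up `levels` from the file, levels, max age
# in days or None). System32 is full of legitimate binaries, so only a *new* file
# counts there (the 7/30-day cutoffs are assumptions); Roaming's root holds none.
MATRIX = [
    ("CryptoLocker/BackOff: exe in root of %AppData%", r"\appdata\roaming", 0, None),
    ("BackOff: exe in new dir under Roaming", r"\appdata\roaming", 1, 30),
    ("exe in %Temp%", r"\appdata\local\temp", 0, None),
    ("Tyupkin: exe dropped in System32", r"\windows\system32", 0, 7),
    ("exe dropped in WBEM", r"\windows\system32\wbem", 0, 7),
]

def classify(path, age_days=None):
    """Matrix label a Windows path hits, or None. age_days = days since the
    file was created (None = unknown, which never counts as 'new')."""
    p = ntpath.normpath(path).lower()  # ntpath: same result when run off-Windows
    if not p.endswith(EXEC_EXT):
        return None
    for label, location, levels, max_age in MATRIX:
        d = ntpath.dirname(p)
        for _ in range(levels):
            d = ntpath.dirname(d)
        if d.endswith(location) and (
                max_age is None or (age_days is not None and age_days <= max_age)):
            return label
    return None

def run_value_target(value):
    """Executable a Run-key value launches: the quoted path, else first token."""
    v = value.strip()  # an unquoted path containing spaces is cut at the space
    return v[1:v.find('"', 1)] if v.startswith('"') else v.split(" ", 1)[0]

def scan_dirs(roots, now=None):
    """Live scan on a Windows host (roots such as %APPDATA%, %TEMP% and
    %SystemRoot%\\System32): return (label, path) for every matrix hit."""
    now = now or time.time()
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = ntpath.join(dirpath, name)
                try:  # on Windows st_ctime is the creation time
                    age = (now - os.stat(full).st_ctime) / 86400
                except OSError:
                    continue  # vanished or unreadable; skip it
                label = classify(full, age)
                if label:
                    hits.append((label, full))
    return hits
```

On a Windows host, `scan_dirs([os.environ["APPDATA"], os.environ["TEMP"], ntpath.join(os.environ["SystemRoot"], "System32")])` lists the hits; Run-key values go through `run_value_target` and then `classify` the same way.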

Malware Management

• Do you know what is Good vs. Bad on your systems?

• Do you re-image suspect or confirmed systems with malware?

In Summary

• Malware is noisy

• We can detect it

• Malware Management Framework WORKS

• Create a Malware Matrix

• Tweak your tools and logging

• It only takes an hour or two a week

• YOU CAN DO IT!

Resources

• Our Website

– www.MalwareArchaeology.com

• The Malware Management Framework

– MalwareManagementFramework.Org

• Malware Report Standard

– To consistently report on what you found to others

• MalwareArchaeology.com/resources

– Windows Logging Cheat Sheet

• HackerHurricane.com - BLOG

– List of most malware analysis I read – Send me more!

Questions?

You can find us at:


• MalwareArchaeology.com

• @HackerHurricane

• HackerHurricane.com (Blog)

• Yes – We do consulting ;-)