Malware Management
YOU CAN FIND THE MOST ADVANCED MALWARE, EVEN THE SNEAKY NSA STUFF, WITH THIS METHOD
Michael Gough – Founder
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• @HackerHurricane
• Inventor of the Malware Management Framework
• I love malware and malware discovery – send me your good stuff ;-)
• I love logs – they tell us Who, What, Where, When and hopefully How
– Created the “Windows Logging Cheat Sheet”
Why we are here
• To learn something you CAN take back to work and do tomorrow!
• Learn actionable Malware Management
• Provide you resources
• Education - Security 101
• And to avoid….
You’re Next
[Slide collage of recent breach figures; only the numbers and names survive extraction: 97,000; 76 Mil + 8 Mil; 1000+ Businesses; 395 Stores; 4.5 Million; 25,000; 4.9 Million; 4.03 Million; 105k trans; 40 Million; 40 + 70 Million; $148 Mil; 33 locations; 650k - 2010??????; 76,000; 670,000; 1900 locations; 145 Million; 20,000; 3 Million; 35,000; 60,000 alerts; 990,000; 56 Mil; 550,000; TBD; Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP; ??????]
Malware Management
• Anyone NOT practice Vulnerability Management?
• Malware Management is basically the same thing
• Review malware analyses, reports and descriptions, then tweak your tools and logging to cover the places they tell you to look at and monitor first
CryptoLocker
• Ransomware
• Not sophisticated malware
• Drops its executable in the root of %AppData%
– C:\Users\<username>\AppData\Roaming
• Legitimate software almost never puts an .EXE directly in this folder (per-user installers use a subfolder), so any .EXE here is suspect
• User initiated by clicking on something or on an email attachment
– But drive-by infection is possible too
Log for a CryptoLocker-type event
Dropped in the root of %AppData%
\AppData\Roaming
Enable auditing and watch for Event ID 4663 (object access): this needs the Audit File System subcategory turned on and a SACL on the Roaming folder that audits file creation/write, otherwise nothing is logged
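Added example (not the deck's code): a Python script that applies the rule on this slide to 4663 records and reports only an .EXE written directly into the root of a user's Roaming folder, ignoring writes into vendor subfolders. It assumes the Audit File System subcategory is enabled (auditpol /set /subcategory:"File System" /success:enable) and that each Roaming folder carries a SACL auditing "Create files / write data". On Windows it pulls records with wevtutil; elsewhere it runs against the constructed sample events embedded below. The path pattern, user name and file names are assumptions.

```python
"""Added example: flag EventID 4663 records that write an .exe into the root
of a user's Roaming folder, the CryptoLocker drop location from the deck."""
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

# Only the *root* of Roaming counts: Roaming\SomeVendor\tool.exe is a normal
# per-user install, so no further path separator is allowed after Roaming\.
APPDATA_ROOT_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.IGNORECASE)

FILE_WRITE_DATA = 0x2  # AccessMask bit set when a file is created or written


def parse_events(xml_text):
    """One dict per <Event>, keyed by the <Data Name=...> fields plus EventID.
    wevtutil emits events back to back with no root element and a default
    namespace; wrap them and strip the namespace so plain tag names work."""
    xml_text = re.sub(r'\sxmlns="[^"]+"', "", xml_text)
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for ev in root.findall("Event"):
        rec = {d.get("Name"): (d.text or "").strip() for d in ev.iter("Data")}
        rec["EventID"] = ev.findtext("System/EventID", default="").strip()
        records.append(rec)
    return records


def is_appdata_root_exe_write(rec):
    """True for a 4663 that created/wrote an .exe directly under Roaming."""
    if rec.get("EventID") != "4663" or rec.get("ObjectType") != "File":
        return False
    try:
        mask = int(rec.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    return bool(mask & FILE_WRITE_DATA) and \
        APPDATA_ROOT_EXE.match(rec.get("ObjectName", "")) is not None


def find_drops(xml_text):
    return [r for r in parse_events(xml_text) if is_appdata_root_exe_write(r)]


def query_security_log(max_events=5000):
    """Live query (Windows, elevated prompt). Assumes 'Audit File System' is on
    and each Roaming folder has a SACL, otherwise no 4663 is ever written."""
    return subprocess.run(
        ["wevtutil", "qe", "Security", "/q:*[System[EventID=4663]]",
         f"/c:{max_events}", "/rd:true", "/f:xml"],
        capture_output=True, text=True, check=True).stdout


# Constructed sample (not real log data): one drop, one benign write into a
# vendor subfolder, one benign non-executable write into the root.
SAMPLE_XML = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID></System>
 <EventData>
  <Data Name="SubjectUserName">bob</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Users\bob\AppData\Roaming\qwmbxkal.exe</Data>
  <Data Name="ProcessName">C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe</Data>
  <Data Name="AccessMask">0x2</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID></System>
 <EventData>
  <Data Name="SubjectUserName">bob</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\prefs.js</Data>
  <Data Name="ProcessName">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
  <Data Name="AccessMask">0x2</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID></System>
 <EventData>
  <Data Name="SubjectUserName">bob</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Users\bob\AppData\Roaming\settings.ini</Data>
  <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  <Data Name="AccessMask">0x2</Data>
 </EventData>
</Event>
"""

if __name__ == "__main__":
    xml_text = query_security_log() if sys.platform == "win32" else SAMPLE_XML
    for r in find_drops(xml_text):
        print(f"DROP {r['ObjectName']} written by {r.get('ProcessName')} "
              f"as {r.get('SubjectUserName')}")
```

The ProcessName field is the useful pivot: the dropper that wrote the .EXE is usually running from %Temp% or the browser cache, which tells you whether it arrived by email attachment or drive-by.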
BlackPoS
• Target… YAY
• Many others
• After getting some stuff for the house (Target) I went to get a Sub for lunch (Jimmy John’s) and then shopping for a new suit (Neiman Marcus) and then off to the craft store to get kids stuff for school (Michael’s) and after all that running around I needed a drink (Spec’s)
BackOff
• Home Depot – Got Toilet?
• Many others, possibly 1000+
• And then after dinner (P.F. Changs) I went to the building supply (Home Depot) to pick up some studs… and then did a night deposit at the bank (Chase, Citi..)
Actionable PoS Detection
• Drops into a new directory under %AppData% (Roaming\<New Dir>)
• Named to look like Java or Adobe, but neither is normally installed under a user's AppData
• Installs a service
• Adds a Run key entry
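Added example (not the deck's code): the four bullets above as a triage script. On Windows it reads HKLM/HKCU Run and RunOnce values and every service ImagePath from the registry; elsewhere it runs over the constructed sample entries embedded below. It flags any binary that runs from a user's %AppData% or %Temp%, and any Java/Adobe-looking binary that lives outside Program Files. The vendor words, trusted roots, environment map and sample entries are assumptions.

```python
"""Added example: triage Run-key entries and service ImagePaths for the
BlackPoS/BackOff pattern: a binary under a user's %AppData% or %Temp%, or a
Java/Adobe-looking binary outside Program Files."""
import re
import sys

# Where real Java/Adobe components live; a "java"/"adobe" binary anywhere
# else is treated as impersonation. Assumed list, extend it for your estate.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows", r"c:\programdata\oracle\java")
VENDOR_WORDS = ("java", "jre", "adobe", "flash")
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.IGNORECASE)

# Fixed %VAR% map so results are identical on any OS; on a live Windows host
# os.path.expandvars would do the same job with the real environment.
DEFAULT_ENV = {"SYSTEMROOT": r"C:\Windows", "WINDIR": r"C:\Windows",
               "PROGRAMFILES": r"C:\Program Files",
               "APPDATA": r"C:\Users\pos1\AppData\Roaming",
               "TEMP": r"C:\Users\pos1\AppData\Local\Temp"}


def expand(cmd, env=None):
    env = {k.upper(): v for k, v in (env or DEFAULT_ENV).items()}
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), cmd)


def exe_from_command(cmd):
    """Executable path from a Run value or ImagePath: the quoted part if
    quoted, else everything up to the first '.exe', else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def analyse(command, env=None):
    """(exe, [reasons]) for one autorun/service command line; [] means clean."""
    exe = exe_from_command(expand(command, env))
    low = exe.lower()
    hits = []
    if USER_WRITABLE.search(exe):
        hits.append("binary runs from %AppData% or %Temp%")
    parent_and_name = " ".join(low.split("\\")[-2:])  # e.g. "java javaw.exe"
    if any(w in parent_and_name for w in VENDOR_WORDS) and not low.startswith(TRUSTED_ROOTS):
        hits.append("Java/Adobe-looking binary outside Program Files")
    return exe, hits


def triage(entries, env=None):
    """entries: iterable of (label, command). Returns [(label, exe, reasons)] for hits."""
    out = []
    for label, command in entries:
        exe, hits = analyse(command, env)
        if hits:
            out.append((label, exe, hits))
    return out


def collect_windows_autoruns():
    """Live collection (Windows only): HKLM/HKCU Run and RunOnce values plus
    every service ImagePath. Wow6432Node Run keys are not read here."""
    import winreg
    entries = []
    run_keys = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce")
    for hive, hname in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        for sub in run_keys:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    i = 0
                    while True:
                        try:
                            name, value, _ = winreg.EnumValue(key, i)
                        except OSError:
                            break
                        entries.append((f"{hname}\\{sub}\\{name}", str(value)))
                        i += 1
            except OSError:
                pass
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svcs:
        i = 0
        while True:
            try:
                svc = winreg.EnumKey(svcs, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(svcs, svc) as s:
                    entries.append((f"service:{svc}", str(winreg.QueryValueEx(s, "ImagePath")[0])))
            except OSError:
                pass  # no ImagePath (driver stub, or access denied)
    return entries


# Constructed sample entries, not taken from any real infection.
SAMPLE = [
    (r"HKCU Run\JavaUpdate", r'"C:\Users\pos1\AppData\Roaming\Java\javaw.exe" -update'),
    (r"HKLM Run\SunJavaUpdateSched", r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"'),
    ("service:UpdateSvc", r"%APPDATA%\Adobe\AdobeUpdate.exe /svc"),
    ("service:Spooler", r"%SystemRoot%\System32\spoolsv.exe"),
    ("service:Dnscache", r"%SystemRoot%\system32\svchost.exe -k NetworkService"),
]

if __name__ == "__main__":
    entries = collect_windows_autoruns() if sys.platform == "win32" else SAMPLE
    for label, exe, why in triage(entries):
        print(f"{label}\n    {exe}\n    {'; '.join(why)}")
```

Run it on a known-clean build first and add whatever it flags to a per-image allow list; on a PoS terminal the autorun set is small and rarely changes, so anything new is worth a look.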
Works for Linux too - Mayhem
• Jedi Tip
• Compare:
• /proc to the processes ps lists
• A PID present in /proc that ps does not show is suspicious
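Added example (not from the deck): the comparison above as a script, Linux only. It lists /proc two ways (a directory listing, and a direct probe of /proc/<n> for every possible PID, which still finds a process that a hooked readdir() filters out of listings), runs ps afterwards, and re-checks that each candidate still exists so a process that simply exited in between is not reported. Caveat: a kernel-level rootkit that hides a PID from /proc itself also hides it from ps, since ps reads /proc; this check catches userland hiding.

```python
"""Added example: the /proc-versus-ps comparison as a script (Linux only)."""
import os
import subprocess


def pids_listed_in_proc():
    """What a plain directory listing of /proc shows."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_by_probe(limit=None):
    """Probe /proc/<n>/status directly for every possible n. A userland hook
    that filters entries out of readdir() does not affect a direct lookup."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    except OSError:
        pid_max = 32768
    if limit:
        pid_max = min(pid_max, limit)
    return {n for n in range(1, pid_max + 1) if os.path.exists(f"/proc/{n}/status")}


def pids_from_ps():
    """PIDs as reported by ps (header suppressed by 'pid=')."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(t) for t in out.split()}


def candidates(proc_pids, ps_pids, ignore=()):
    """Pure comparison: in /proc but not in ps, minus PIDs to ignore. The
    reverse (in ps, not in /proc) is just a process that exited in between."""
    return sorted((proc_pids - ps_pids) - set(ignore))


def still_alive(pids):
    """Second look: a candidate that has exited since was a race, not hiding."""
    return [p for p in pids if os.path.exists(f"/proc/{p}")]


def describe(pid):
    """Name and binary of a PID; exe ends in ' (deleted)' if it was unlinked."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            comm = f.read().strip()
    except OSError:
        comm = "?"
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = "?"
    return comm, exe


def hidden_processes(probe=True):
    """Snapshot /proc first, run ps second, then confirm each candidate."""
    seen = pids_listed_in_proc()
    if probe:
        seen |= pids_by_probe()
    return still_alive(candidates(seen, pids_from_ps(), ignore=(os.getpid(),)))


if __name__ == "__main__":
    hidden = hidden_processes()
    for pid in hidden:
        comm, exe = describe(pid)
        print(f"pid {pid} is in /proc but not in ps: comm={comm} exe={exe}")
    if not hidden:
        print("nothing in /proc that ps does not show")
```

The probe walks up to kernel.pid_max entries (a few million on current kernels), so it takes a few seconds; the "(deleted)" marker on /proc/<pid>/exe is worth reporting on its own, since a running binary whose file has been unlinked is a classic way to keep a dropper off disk.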
Windows is broken
• You don’t need an 0-Day
• Just a credential (Users click on stuff)
• Or just visit a website – drive-bys
• Targeted phish
• Etc, etc, etc.
• Drop a DLL next to an .EXE that loads it by name and BAM! Infected (DLL search-order hijacking, often loosely called DLL injection)
• If you have the creds, just execute it and move on
What is your strategy?
• Do you believe you can prevent a breach?
• Do you believe you can detect a breach?
– Within the average 210 days?
– Within 30 days?
– Within a week?
– Within a few days?
– Within a day?
– Within hours?
What is your strategy
• Or are you going to be told about it by a third party (90%+ of victims are)?
• How do you address advanced attacks?
• Does your strategy include being proactive at looking for attacks targeting your specific industry?
The Malware Management Framework
• How do you validate your systems are clean of something like BlackPos or BackOff?
• Stuxnet, Flame, Duqu, SkyWiper, etc.
• The next thing…
• Did you look for these?
Malware Management
• You will see patterns
• %AppData%
• %Temp%
• \Windows, \Windows\System32, \Windows\System32\WBEM
• Reg keys, domains, IPs, etc.
• Many other indicators
• Build a Malware Matrix
• Tweak your tools or scripts… or pick 1 or 10 systems and do it manually!
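Added example (not the deck's code): a Malware Matrix as data, plus a sweep that checks each location in it under a mounted disk image or a live C:\ root. It applies three kinds of rule to the folders this slide lists: no executable in the root of a user-data folder, no executable in an unexpected %AppData% subfolder, and a known-good baseline for \Windows\System32\WBEM. The matrix rows, the baseline names and the directory tree it is exercised against are all constructed.

```python
"""Added example: a Malware Matrix as data, plus a sweep over the locations it
names under a mounted image or a live C:\ root. Exercised here against a
constructed directory tree so it runs anywhere."""
import glob
import os
import shutil
import sys
import tempfile

# Constructed matrix from the locations the deck lists; add a row for each
# malware report you read. "where" is relative to the sweep root.
MALWARE_MATRIX = [
    {"family": "CryptoLocker", "where": ("Users", "*", "AppData", "Roaming"),
     "rule": "no_exe_in_root"},
    {"family": "BlackPoS/BackOff", "where": ("Users", "*", "AppData", "Roaming"),
     "rule": "new_subdir_with_exe"},
    {"family": "droppers in general", "where": ("Users", "*", "AppData", "Local", "Temp"),
     "rule": "no_exe_in_root"},
    {"family": "various", "where": ("Windows", "System32", "wbem"),
     "rule": "baseline"},
]

# Known-good names per rule, captured from a clean build (constructed here).
BASELINE = {
    "new_subdir_with_exe": {"spotify", "dropbox"},  # Roaming subdirs allowed to hold .exe
    "baseline": {"wmic.exe", "wmiprvse.exe", "winmgmt.exe", "wbemcore.dll"},
}


def files_in(d, ext=(".exe",)):
    try:
        return [e.name for e in os.scandir(d)
                if e.is_file() and e.name.lower().endswith(ext)]
    except OSError:
        return []


def sweep(root, matrix=MALWARE_MATRIX, baseline=BASELINE):
    """Return (family, full path, reason) for every matrix rule that fires."""
    findings = []
    for row in matrix:
        known = baseline.get(row["rule"], set())
        for d in glob.glob(os.path.join(root, *row["where"])):
            if row["rule"] == "no_exe_in_root":
                for f in files_in(d):
                    findings.append((row["family"], os.path.join(d, f),
                                     "executable in the root of a user data folder"))
            elif row["rule"] == "new_subdir_with_exe":
                for sub in os.scandir(d):
                    if sub.is_dir() and sub.name.lower() not in known:
                        for f in files_in(sub.path):
                            findings.append((row["family"], os.path.join(sub.path, f),
                                             "executable in an unexpected %AppData% subfolder"))
            elif row["rule"] == "baseline":
                for f in files_in(d, ext=(".exe", ".dll")):
                    if f.lower() not in known:
                        findings.append((row["family"], os.path.join(d, f),
                                         "binary not in the known-good baseline"))
    return findings


def build_sample_tree():
    """Constructed tree mimicking one infected profile; returns the temp root."""
    root = tempfile.mkdtemp(prefix="malware_matrix_")
    layout = {
        ("Users", "bob", "AppData", "Roaming"): ["qwmbxkal.exe", "settings.ini"],
        ("Users", "bob", "AppData", "Roaming", "Spotify"): ["Spotify.exe"],
        ("Users", "bob", "AppData", "Roaming", "Java"): ["javaw.exe"],
        ("Users", "bob", "AppData", "Local", "Temp"): ["invoice.pdf.exe"],
        ("Windows", "System32", "wbem"): ["wmic.exe", "WmiPrvSE.exe", "wbemcore.dll", "svchosts.exe"],
    }
    for parts, names in layout.items():
        d = os.path.join(root, *parts)
        os.makedirs(d, exist_ok=True)
        for name in names:
            open(os.path.join(d, name), "wb").close()
    return root


def demo():
    """Sweep the constructed tree and return the sorted file names it flags."""
    root = build_sample_tree()
    try:
        return sorted(os.path.basename(path) for _, path, _ in sweep(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for family, path, why in sweep(root):
        print(f"[{family}] {path}: {why}")
```

Point it at a mounted image (python sweep.py /mnt/image) or at C:\ on a live host; the baseline is the part that needs care, because the WBEM folder on a clean build of the same OS version is the only trustworthy source of "good" names.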
Malware Management
• Do you know what is Good vs. Bad on your systems?
• Do you re-image suspect or confirmed systems with malware?
In Summary
• Malware is noisy
• We can detect it
• Malware Management Framework WORKS
• Create a Malware Matrix
• Tweak your tools and logging
• It only takes an hour or two a week
• YOU CAN DO IT!
Resources
• Our Website
– www.MalwareArchaeology.com
• The Malware Management Framework
– MalwareManagementFramework.Org
• Malware Report Standard
– To consistently report what you found to others
• MalwareArchaeology.com/resources
– Windows Logging Cheat Sheet
• HackerHurricane.com - BLOG
– List of most of the malware analyses I read – Send me more!
Questions?
You can find us at:
• MalwareArchaeology.com
• @HackerHurricane
• HackerHurricane.com (Blog)
• Yes – We do consulting ;-)