Malware Incident Response by ahr13625

Malware Incident Response

Enterprise Security Office Forum
February 23, 2010

Welcome
Theresa Masse, State CISO
Introduction
- State Incident Response Team
  - John Ritchie
  - Shaun Gatherum
- State Data Center Intrusion Detection Team
  - Mike Bushman

Introduction
- State Incident Response Team
  - Incident Response Across Agencies
    - Many incidents involving Malware
- This Forum Is Brought To You By…
  - Forensics Experience With Malware
  - IDS Trend Analysis
Agenda
- Malware Prevention
- Malware Trends and Dangers
- Intrusion Detection – State Data Center
- Desktop Detection and Cleanup
- Detection Toolkit
- Questions
Prevention Is (Still) the Best Defense
- Old, Tired, Repetitious, but…
- Prevention Saves Money!
  - Malware can take 2-4 hrs of technician time + end user time.
- Most effective method of dealing with malware is to prevent it in the first place!!!
Prevention Strategies
- Patch Everything
- Educate End Users
- Restrict Admin Rights
- Use all of your AV features including heuristic scans
- Use Website Reputation Filters
- Have vulnerability/configuration management program

Reputation Based Filter

Configuration Management
Malware Trends
John Ritchie

No More Fun and Games
- Malware is Big Business
  - Crime
    - ID Theft = $$$
  - Espionage – A Developing Trend
    - Trade Secrets = $$$
    - Government Advantage = $$$
- $$$ = R&D, Product Improvement
- Determined Attacks
  - Not Just Opportunistic

Oregon Top 10
[Bar chart: Top 10 Malware Dec 2009. Counts, highest to lowest: 39, 26, 21, 17, 17, 13, 12, 7, 6, 5; the malware family labels did not survive extraction.]
Modern Malware Trends
- Increasingly Sophisticated
  - Evasive, Hide Themselves
    - Rootkits, bootkits
  - Self-Defense
    - Disable AV, rootkits
  - Multiple Channels of Communication
    - Fast-flux DNS, protocol flexibility, distributed C&C
  - Extremely Flexible
    - Morphing, adaptive, high-tech, modular
- High Quality Software
  - Rapid Product Improvement
Modern Malware Trends
- Data Stealing!
  - Browser Hooks, Key Loggers
  - Login Credential Theft (Passwords)
  - Credit Card Information
  - PII
- Which Agencies Have This Data?
- Data Theft and the Oregon Consumer ID Theft Protection Act
Defense Components
- Anti-Virus Software
  - Always Playing Catch-up
  - Agencies Slow to Upgrade
- Agency Security Practices
  - Malware Prevention
  - Malware Detection and Incident Response
  - Security Awareness
- Network Intrusion Detection Systems
State IDS Architecture
Mike Bushman

SDC Perimeter Intrusion Detection
Multi-vendor Inspection at Internet Connections

Why Detection & Not Prevention?
- Encrypted & local attack vectors
  Webmail (HTTPS://), USB drives, & MP3 players
- The IDS sensors typically only see the aftermath – phone home
  (workstation posture is key to prevention – patches and protection)
The Overall Picture
- At the perimeter the IP seen may be a firewall, proxy, or other external IP with thousands of hosts behind it
- Perimeter IDS is blind to internal events unless they can phone home
- There are so many perimeter attacks that signatures must be carefully enabled and managed
Signature and Rule Management
- A "Perimeter" IDS policy exists and takes into account the physical location of the sensor
  (Do we want to fill the database with worms simply knocking on the perimeter door? – no)
- Multi-sourced rule updates & custom alerts
  (Accurate but old, new outbreaks, unique to us)
- SDC Policy contains over 4000 active IDS rules and nearly 23,000 disabled rules
  (A known bot-net knocking on our perimeter door – disabled)
- A typical one-week period may add 25-62 new rules and update 1000-2000 existing rules. The rules are all evaluated for relevancy before being activated and uploaded
Where We Are Headed
Agency-based IDS Sensors
- Sensor can see the internal IP address and identify the host
- Captive malware blocked at the agency firewall & not seen at the perimeter can be identified
- Enable more IDS signatures since we have eliminated perimeter noise and are behind the firewall
- Allow agency access to IDS reports – scope refined to agency IP space only
SDC Perimeter Intrusion Detection

With all those firewalls, web filtering, perimeter & agency IDS boxes we should at least spot an incident in progress, right?

There are always exceptions:
- The latest variant
- Encryption
- Alternate routes (rogue & not)

Workstation posture is still critical
  Educate, patch and protect…
SDC Malware Detection and Notification
Mike Bushman

Intrusion Detection

Intrusion detection is the process of discovering, analyzing and reporting unauthorized or damaging network or computer activities.
Snort
- Capable of performing real-time traffic analysis and packet logging on IP networks.
- Used to monitor network traffic and scan for signatures that represent potential attacks, worms, and unusual activities.
- Helps identify potentially compromised machines, information leaks, active and passive attacks.

Snort
- Can perform protocol analysis, content searching/matching and be used to detect a variety of attacks and probes.
- Primarily a signature-based detection engine, not unlike anti-virus engines.
- Looks for signatures in data streams and packet headers that are known to indicate an attack, potential attack or data leak.
- We are using over 4,000 rules. Snort will only log the packets which triggered an alert.
IDS Malware Detection and Notification
What Do We Watch For?
- Trojans
- Malware
- Data Stealing Trojans
- Keyloggers
- Possible Data Loss
- Fake Anti Virus installs
- E-Cards
- Downloader apps
- Spyware
- SPAM
- BOTS
- Hack attempts
- Worms
- Backdoors
- Policy violations like Peer2Peer File Sharing
Snort Alert Key Information
- Destination IP address(es)
- Host name if discovered
- GET or POST command in the packet
What Snort Sees and Alerts On
Waledac Trojan Signature – A Data Stealing Trojan

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"ET TROJAN Waledac Beacon Traffic Detected"; \
    flow:to_server,established; \
    content:"POST /"; depth:6; \
    content:"|0d0a|Referer\: Mozilla|0d 0a|"; nocase; within:50; \
    content:"|0d0a|User-Agent\: Mozilla|0d 0a|"; within:120; \
    content:"a="; nocase; within:100; \
    classtype:trojan-activity; \
    reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; \
    sid:2008958; rev:1;)
What Snort Sees And Alerts On
POST /odry.png HTTP/1.1

000 : 50 4F 53 54 20 2F 6F 64 72 79 2E 70 6E 67 20 48 POST /odry.png H
010 : 54 54 50 2F 31 2E 31 0D 0A 52 65 66 65 72 65 72 TTP/1.1..Referer
020 : 3A 20 4D 6F 7A 69 6C 6C 61 0D 0A 41 63 63 65 70 : Mozilla..Accep
030 : 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E 74 65 6E 74 2D t: */*..Content-
040 : 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F Type: applicatio
050 : 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C n/x-www-form-url
060 : 65 6E 63 6F 64 65 64 0D 0A 55 73 65 72 2D 41 67 encoded..User-Ag
070 : 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 0D 0A 48 6F ent: Mozilla..Ho
080 : 73 74 3A 20 31 31 39 2E 36 34 2E 39 34 2E 31 39 st: 119.64.94.19
090 : 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 ..Content-Length
0a0 : 3A 20 33 35 35 39 0D 0A 43 61 63 68 65 2D 43 6F : 3559..Cache-Co
0b0 : 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D ntrol: no-cache.
0c0 : 0A 58 2D 4E 6F 76 49 4E 65 74 3A 20 76 31 2E 32 .X-NovINet: v1.2
0d0 : 0D 0A 0D 0A                        ....
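How the rule's content chain walks the request in the hex dump above, as an added example written for this page (it is not Snort source code and not part of the forum deck). It models only the content, depth, within and nocase keywords this rule uses, in simplified form. The request headers are transcribed from the dump; the `a=...` body line is constructed, because the dump stops at the blank line before the 3559-byte form body and the rule's last content needs the body. The second request is a constructed ordinary browser POST for contrast, and the `example.gov` name is made up.

```python
# Constructed request: headers as in the hex dump on the slide; the body is a
# stand-in, since the real form body is not shown there.
WALEDAC_REQUEST = (
    b"POST /odry.png HTTP/1.1\r\n"
    b"Referer: Mozilla\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla\r\n"
    b"Host: 119.64.94.19\r\n"
    b"Content-Length: 3559\r\n"
    b"Cache-Control: no-cache\r\n"
    b"X-NovINet: v1.2\r\n"
    b"\r\n"
    b"a=AAAAAAAA"  # constructed stand-in for the encoded beacon payload
)

# Constructed benign POST: a real Referer URL and a full User-Agent string,
# which is why the second content never lines up.
BROWSER_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.gov\r\n"
    b"Referer: https://intranet.example.gov/login\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.6\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=alice&pass=secret"
)

# The rule's content chain, in rule order. |0d0a| is the CRLF byte pair and
# "\:" is an escaped colon in Snort rule syntax.
WALEDAC_CONTENTS = [
    (b"POST /", {"depth": 6}),
    (b"\r\nReferer: Mozilla\r\n", {"nocase": True, "within": 50}),
    (b"\r\nUser-Agent: Mozilla\r\n", {"within": 120}),
    (b"a=", {"nocase": True, "within": 100}),
]


def match_content_chain(payload, contents):
    """Apply the content matches in order.

    Returns the end offset of each match when every content matches, or None
    at the first content that fails (the rule does not fire). Modelled keywords,
    simplified:
      depth:N   search only the first N bytes of the payload
      within:N  the match must end no more than N bytes after the end of the
                previous match (Snort's relative window)
      nocase    case-insensitive comparison
    A content with neither modifier searches the whole payload.
    """
    ends = []
    cursor = 0  # end of the previous match
    for pattern, mods in contents:
        hay, pat = payload, pattern
        if mods.get("nocase"):
            hay, pat = payload.lower(), pattern.lower()
        if "depth" in mods:
            base, window = 0, hay[:mods["depth"]]
        elif "within" in mods:
            base, window = cursor, hay[cursor:cursor + mods["within"]]
        else:
            base, window = 0, hay
        idx = window.find(pat)
        if idx < 0:
            return None
        cursor = base + idx + len(pat)
        ends.append(cursor)
    return ends


def rule_fires(payload):
    """True when the Waledac beacon rule's content chain matches the payload."""
    return match_content_chain(payload, WALEDAC_CONTENTS) is not None


if __name__ == "__main__":
    print("waledac beacon :", match_content_chain(WALEDAC_REQUEST, WALEDAC_CONTENTS))
    print("browser login  :", match_content_chain(BROWSER_REQUEST, WALEDAC_CONTENTS))
```

Running it shows the four match end offsets for the beacon (6, 43, 126 and 214) and None for the browser request. Note that the headers alone do not satisfy the rule: the final `a=` content lands in the body, which is why Snort needs the reassembled stream, not just the first packet, to alert.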
NERO Abuse Reports

    What follows is the NERO Daily Abuse Report.
    Timestamps are GMT. Please investigate the host(s)
    mentioned below and follow up to abuse@nero.net.
------------------------------------------------------------------------------------------------
      IP Address |            Time last seen             | Type | Add. info
------------------------------------------------------------------------------------------------
   xxx.xxx.xxx.xxx | 2010-Feb-16 16:08:43 | BOTS | srcport 63228 mwtype Torpig
   xxx.xxx.xxx.xxx | 2010-Feb-16 16:34:59 | BOTS | srcport 1277 mwtype Torpig
   xxx.xxx.xxx.xxx | 2010-Feb-16 17:17:21 | BOTS | srcport 5432 mwtype Mebroot
   xxx.xxx.xxx.xxx | 2010-Feb-16 17:17:27 | BOTS | srcport 5441 mwtype Mebroot
How to Investigate NERO Abuse Reports
- zgrep xxx.xxx.xxx.xxx log.2010021609.gz | grep 63228
- Feb 16 2010 08:08:43 Built dynamic TCP translation from inside 192.168.xxx.xxx/9365 to outside xxx.xxx.xxx.xxx/63228
- Feb 16 2010 08:08:43 Built outbound TCP connection for inside:192.168.xxx.xxx/9365 (xxx.xxx.xxx.xxx/63228) to outside:91.19.47.137/80
- IP Location: Germany Deutsche Telekom Ag; Resolve Host: p5B132F89.dip.t-dialin.net; IP Address: 91.19.47.137
- It is very important to note that there were NO Snort signatures for this activity.
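The correlation the zgrep step does by hand (report external IP, source port and GMT time against the firewall's NAT translation log) as a Python example added for this page; it is not the state's own tooling. Assumptions: the firewall log lines follow the "Built dynamic TCP translation" format shown above and are stamped in local time, taken here as UTC-8 because the slide's 08:08:43 log line corresponds to the report's 16:08:43 GMT; the addresses, the extra log lines and the 60-second clock-skew allowance are constructed, with the masked public address replaced by a documentation-range address.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: firewall logs are in local time, UTC-8 (Pacific Standard Time).
LOG_TZ = timezone(timedelta(hours=-8))

# Constructed report in the NERO format above; 203.0.113.10 is the public NAT address.
ABUSE_REPORT = """\
      IP Address |            Time last seen             | Type | Add. info
   203.0.113.10 | 2010-Feb-16 16:08:43 | BOTS | srcport 63228 mwtype Torpig
   203.0.113.10 | 2010-Feb-16 16:34:59 | BOTS | srcport 1277 mwtype Torpig
   203.0.113.10 | 2010-Feb-16 17:17:21 | BOTS | srcport 5432 mwtype Mebroot
"""

# Constructed firewall log. The 07:00 and 08:12 lines reuse port 63228 to show
# why the timestamp, not just the port, selects the right inside host.
FIREWALL_LOG = """\
Feb 16 2010 07:00:00 Built dynamic TCP translation from inside 192.168.9.77/4411 to outside 203.0.113.10/63228
Feb 16 2010 08:08:43 Built dynamic TCP translation from inside 192.168.5.22/9365 to outside 203.0.113.10/63228
Feb 16 2010 08:08:43 Built outbound TCP connection for inside:192.168.5.22/9365 (203.0.113.10/63228) to outside:91.19.47.137/80
Feb 16 2010 08:12:00 Built dynamic TCP translation from inside 192.168.5.40/1234 to outside 203.0.113.10/63228
Feb 16 2010 08:34:59 Built dynamic TCP translation from inside 192.168.7.9/1277 to outside 203.0.113.10/1277
"""

ABUSE_RE = re.compile(
    r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\|\s*(?P<ts>\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})"
    r"\s*\|\s*(?P<kind>\w+)\s*\|\s*srcport (?P<port>\d+) mwtype (?P<mw>\S+)"
)
XLATE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) Built dynamic TCP translation "
    r"from inside (?P<in_ip>\d+\.\d+\.\d+\.\d+)/(?P<in_port>\d+) "
    r"to outside (?P<out_ip>\d+\.\d+\.\d+\.\d+)/(?P<out_port>\d+)"
)


def parse_report(text):
    """Yield report entries; the GMT timestamp becomes a timezone-aware datetime."""
    for line in text.splitlines():
        m = ABUSE_RE.match(line)
        if m:
            seen = datetime.strptime(m["ts"], "%Y-%b-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            yield {"ip": m["ip"], "port": int(m["port"]), "seen": seen, "malware": m["mw"]}


def parse_translations(text):
    """Yield NAT translation records; local log time becomes timezone-aware."""
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m:
            built = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=LOG_TZ)
            yield {"built": built, "in_ip": m["in_ip"], "in_port": int(m["in_port"]),
                   "out_ip": m["out_ip"], "out_port": int(m["out_port"])}


def find_internal_host(entry, translations, skew=timedelta(seconds=60)):
    """Return the inside IP that owned the report's public ip:port when it was seen.

    Candidates are translations to that ip:port built no later than the sighting
    (plus a small clock-skew allowance); the most recent of them is the owner,
    because a NAT port is only reassigned after the old translation is torn down.
    """
    cands = [t for t in translations
             if t["out_ip"] == entry["ip"] and t["out_port"] == entry["port"]
             and t["built"] <= entry["seen"] + skew]
    if not cands:
        return None
    return max(cands, key=lambda t: t["built"])["in_ip"]


def correlate(report_text, log_text):
    """Map each (public ip, srcport) in the report to an inside host, or None."""
    xlates = list(parse_translations(log_text))
    return {(e["ip"], e["port"]): find_internal_host(e, xlates) for e in parse_report(report_text)}


if __name__ == "__main__":
    for key, host in correlate(ABUSE_REPORT, FIREWALL_LOG).items():
        print(key, "->", host or "no translation found; check other log sources")
```

The Mebroot entry deliberately has no matching translation, which is the case the slide's last bullet warns about: with no Snort signature and no NAT record, the abuse report itself may be the only evidence, and the next step is other log sources (proxy, DHCP, agency firewall) rather than closing the ticket.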
Wireshark
- Wireshark® is the world's most popular network protocol analyzer.
- 08:26:12  159.121.203.1  91.213.94.131
- HTTP POST /cgi-bin/forms.cgi HTTP/1.1 (application/octet-stream)
- POST /cgi-bin/forms.cgi HTTP/1.1
- Host: 91.213.94.131 = Ukraine
- Content-Disposition: form-data; name="upload_file"; filename="152108717.32"
- basic_auth_http://www.sandisk.com/lpupdate?custom=1.5.0.4&brand=cruzer&unique=4b75810b&ver
- capacity=1037041664&used=97714176&apps=7&user=u3demo&pass=u3demo
Recommendations
- Customers of these workstations change all personal and business passwords.
- Do not plug an infected workstation back into the network. Examine the workstation offline.
- Malware tools are not perfect. There is not a single tool that finds everything.
- Err on the side of caution.
Recommendations
- Tools are simply that... just tools. As you work with malware, it's important to have many ways to confirm your results. It's just as important NOT to totally rely on your tools to provide you with the answers.
- In essence you want to look at malware from many different angles and never forget that your tools are only so good and may not provide you with the complete answer.
REMEMBER

Nothing found does not mean that nothing is there.
Rebuild that workstation!!!
You Do Not Want This Email…
You do not want to receive this email from me. Unfortunately it happens at least once a week.
If this workstation was "cleaned", you need new soap. I recommend one called "rebuild it".
Anti-Virus Software
Shaun Gatherum

Anti-Virus Software
- AV has several detection methodologies
  - Signatures
  - Heuristics
  - Behavior
  - Cloud Prevention

Signatures
- Always playing catch up
- Our experience
  - The newer the malware, the poorer the detection rate
- Detection improves over time
  - Virustotal

Virustotal, September 2009

Virustotal, 4 months later

Heuristics
- If it walks like and talks like a virus, chances are it's a …

Behavior
- Recognizes malware based on criteria and then blocks it

Cloud Prevention/Detection
- Uses multiple detection engines and advanced heuristics
The Future of Malware
- Zeus
  - Sold as a kit
  - Purchaser can customize
  - Each build is unique
    - Avoids A/V signatures
  - Feature rich
    - Botnet control
    - Data stealing
      - Key stroke logging
      - SSL field injection
    - Downloader
      - Installs more malware
    - Root Kit / Boot kit
    - Remote Nuke
    - In short it does whatever you want it to do.

Prevention
Cleaning vs. Reimaging
- Our experience: cleaning will fail to completely remove malware.
  - Reasons
    - Hooked AV
    - Root/Boot kits
    - Trojaned DLLs
    - Registry entries
    - Other unknown malware
- Reimaging
  - Must replace MBR (master boot record)
  - Time consuming
  - More effective than cleaning
  - Not practical for large outbreaks

Cleaning Methodology
- Understand what malware is on the system
- Independently scan to identify malware locations and whether other malware is present.
- Remove malware
- Independently scan to verify removal
- Monitor at the network level (for days)
SIRT Malware Identification Toolkit
John Ritchie

SIRT Malware Identification Toolkit
- What Is It?
  - Open Source Boot CD and Forensic Toolkit
  - Based on SIRT Malware Investigations
- What Does It Do?
  - Keep It Simple
  - Safe, Effective ID of Malware
  - Determine Infection Time
  - Determine Infection Source

What You Will Need
- SIRT Toolkit Boot CD
- Victim Machine (Powered Off)
- Fully-Patched Windows Machine
  - With Kaspersky Anti-Virus
    - Why Kaspersky?
    - What About Other AV Products?
- Crossover Cable or Switch/Hub
  - (Optional but Recommended)
- USB Thumb Drive

The Process – Checklist
- Crossover Cable to Windows Machine
- Boot Victim From Toolkit CD
- Insert Thumb Drive
  - NO Autorun Software Please!
- Configure Network
- Share Victim Drive
- Scan Drive with AV Product(s)
- Generate Filesystem Timeline
- Identify Malware With Virustotal
- Identify Time of Infection With Timeline
- Identify Source of Infection
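The "Generate Filesystem Timeline" and "Identify Time of Infection With Timeline" steps as a Python example added for this page (the SIRT toolkit's own code is not on the page, and this is not it). It walks a mounted victim drive into a modification-time timeline, takes one file already identified as malware (for example by hashing it and looking the hash up on Virustotal, which is why a hashing helper is included), and reports the other files written in the same window; the oldest of them is the estimate of when the infection began. The victim drive here is a constructed temporary directory with back-dated timestamps; the file names, contents and the ten-minute window are assumptions made for the example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def build_timeline(root):
    """Return [(mtime_utc, relative_path, size)] for every file under root,
    oldest first. Only the modification time is used; a full mactime-style
    timeline would also carry the access, change and birth times."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries.append((datetime.fromtimestamp(st.st_mtime, timezone.utc), rel, st.st_size))
    entries.sort()
    return entries


def sha256_of(path):
    """Hash a file, e.g. for a Virustotal lookup (the lookup itself is not shown)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def infection_cluster(timeline, known_bad, window=timedelta(minutes=10)):
    """Given one file already identified as malware, return (infection_time, files):
    every file whose mtime lies within `window` of it, oldest first. The oldest
    member is the best estimate of when the infection started and is often the
    dropper; the rest are candidates for identification."""
    anchor = next(t for t, rel, _ in timeline if rel == known_bad)
    members = [(t, rel) for t, rel, _ in timeline if abs(t - anchor) <= window]
    return members[0][0], [rel for _, rel in members]


def make_sample_drive():
    """Construct a throwaway 'victim drive' with back-dated timestamps.
    Paths and contents are made up for this example."""
    root = tempfile.mkdtemp(prefix="victim_")
    base = datetime(2010, 2, 16, 16, 0, 0, tzinfo=timezone.utc)
    files = {
        "Windows/System32/kernel32.dll": (b"system file", base - timedelta(days=400)),
        "Documents and Settings/user/My Documents/budget.xls": (b"spreadsheet", base - timedelta(days=3)),
        "Documents and Settings/user/Local Settings/Temp/update.tmp": (b"dropper", base + timedelta(minutes=7)),
        "Windows/System32/drivers/abcd1234.sys": (b"bootkit driver", base + timedelta(minutes=8)),
        "Documents and Settings/user/Application Data/svch0st.exe": (b"trojan", base + timedelta(minutes=9)),
    }
    for rel, (data, when) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root


def demo():
    """Build the sample drive, run the timeline analysis, clean up, return results."""
    root = make_sample_drive()
    try:
        timeline = build_timeline(root)
        bad = "Documents and Settings/user/Application Data/svch0st.exe"  # the AV/Virustotal hit
        digest = sha256_of(os.path.join(root, *bad.split("/")))
        when, cluster = infection_cluster(timeline, bad)
        return {"hash": digest, "infection_time": when, "cluster": cluster,
                "oldest_file": timeline[0][1]}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    r = demo()
    print("identified file sha256 :", r["hash"])
    print("estimated infection    :", r["infection_time"].isoformat())
    for rel in r["cluster"]:
        print("  written in window    :", rel)
```

On a real drive the timeline is built against the share exported by the boot CD, and the window is read both ways: files written just before the identified malware point at the source (a temp-directory download, an e-mail attachment, a USB autorun), files written just after are the payload's own drops. Timestamps can be forged by malware, so the cluster is a lead to confirm with AV results and network logs, not proof on its own.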
Toolkit Demonstration

Toolkit Recap
- Boot From CD
- Scan From A Different Machine
- Find Files and Identify Them
- Find Time of Infection
- Find Source of Infection

When To Use the Toolkit

Summary
- Recap
  - Modern Malware
  - State Network IDS
  - Problems with Anti-virus, malware cleaning
  - Identification Toolkit
  - Recovery Process

Summary
- Prevention
  - Patch OS, All Software
  - Full-strength Anti-virus
  - Policy Enforcement
  - Education
  - Prevention Saves Money
References
- Virustotal
  http://www.virustotal.com/
- Drop My Rights
  http://download.microsoft.com/download/f/2/e/f2e49491-efde-4bca-9057-adc89c476ed4/DropMyRights.msi
- Web Of Trust
  http://www.mywot.com/
- Secunia Online Software Inspector
  http://secunia.com/vulnerability_scanning/online/
- Kaspersky AntiVirus
  http://www.kaspersky.com/kaspersky_anti-virus
- Avast!
  http://www.avast.com/free-antivirus-download
- ClamAV
  http://www.clamav.net/
Questions?