Blackhat Europe, State Of Malware: Family Ties
Written by Peter Silberman
Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called State of
Malware: Family Ties. This talk focuses on malware families. We thought about interesting research we could do in the same vein as our last talk, State of Malware: Explosion of the Axis of Evil. We decided to look at malware families.
There’s a lot to gather from malware families, from a mass malware perspective looking at conficker, bagel, waldeac, storm worm, rustock, etc. Equally important is examining APT families. MANDIANT tracks over 20 different families. Each family means something different to us. When we see one family at a client site, we might immediately pull Indicators of Compromise (IOC) for other APT families that are closely related. If we find another group, we might quickly start figuring out what was exfiltrated because we know that group and its actors are solely there to move information out. A lot can be extracted from the families we track and that is why clustering malware into families from a targeted perspective is so important.
Ero and I wonder about a few things:
- Do mass malware families share enough common attributes across families? Example, does conficker share code with waledac? If so, is it enough so that we could consider them members of a sub family. Also maybe proving they were written by the same author(s) or group of authors.
- Do mass malware families share code amongst APT samples? Example, this could mean that we find samples of subseven that match some of our APT backdoors (again just an example).
These two questions alone are very interesting because the results could indicate some author of a mass malware sample is also authoring malware for targeted attacks.
But we didn’t stop there. We also wondered:
- Do rootkits from rootkit.com have very high similarities to rootkits found by MANDIANT and out in the wild?
- Do APT samples of family A share enough in common to be also classified as part of family B? We can draw a lot of interesting conclusions if this is the case.
These are all interesting questions, but we had a lot of disappointments when doing the research and some ah ha moments where we thought about theories and realized why some wouldn’t be true. We also had some finds that we were surprised with, specifically regarding APT. We’ll be sharing the results on April 14th at 4:45. It should be fun. Our talk has a lot of diagrams, a lot of IDA screen shots, and a great video that Ero made.
If you can’t make it to Barcelona, we will be posting our slides and a follow up blog post. Stay tuned! I also have recently updated the slides for Advanced Memory Forensics in Incident Response for Black Hat USA to include an APT case study and a ton of additional information on observing the behavior of malware in memory.
Tags: Advanced Persistent Threat, APT, blackhat, MANDIANT
DOD Cyber Crime: New Audit Viewer/Memoryze
Written by Peter Silberman
MANDIANT is going to be at DOD Cyber Crime this year. Jamie and I have both been heads down for many weeks now working on some pretty cool stuff. We are starting to come up for air and what that means for you is updates to Memoryze and Audit Viewer. We will be releasing new versions of each that coincide with DC3. I, along with many of my co-workers, will be presenting and attending. My talk abstract is very ambiguous so I thought I’d take a brief second to discuss both the talk and the changes to Audit Viewer and Memoryze.
The talk is going to be interactive. And dammit I don’t care if you don’t want to interact with me. I’m both very convincing, persistent and well…charming! You will feel compelled to join in on this talk. I promise. I know this because I’m bringing bribes… And yes, I’m bringing what you are thinking.
This talk will contain a brief intro to memory analysis, a FAQ etc. We are not going to waste much time on the nitty gritty since most people are not interested in how we chop off the last 12 bits to get a physical offset from a virtual address. I know, you just fell asleep a little. During this talk I will make a case for why memory analysis is important. I will pull from pervious APT investigations where disk analysis failed and had to be used in conjunction with memory analysis. Finally, we will discuss MANDIANT’s Malware Rating Index (MRI). We will finish with real APT incident demos where I’ll walk through the investigation of an infected system with APT.
Now, a little more about MRI. MRI is a huge update to Audit Viewer. Instead of going after a fish (malware) with a hook (signatures), I’m going after fish (malware) with a drag net (MRI). The goal of this feature is twofold. First it is going to help pinpoint specific processes that should be investigated further while attempting to eliminate some of the non-suspicious processes and get them out of the analyst’s way. It’s also designed to try and make APT detection easier. A lot of work went into looking at our samples and how they behave etc, and coming up with definable behaviors that trap those little creatures. MRI is made up of two components. The first component is a definable behavior rule set that is completely customizable. It is made up of three different types of rules:
- Process Path Verification – allows users to define what processes should be launched from what directories. This triggers on malware that copies and names itself after svchost or other system processes to subdirectories within system folders. For example a default rule is that svchost can only be executed from \windows\system32. Any time we see it running from somewhere else we flag the process.
- Process User Verification – allows users to define what processes should be running under what users. This triggers on malware spawning svchost for purposes of unmapping image bases or hiding dlls within spawned svchost. So, for example, if malware copies itself to system32\dllcache and then names itself svchost.exe, you can define a rule saying svchost.exe should be running as local service, network service, or system. When Audit Viewer see svchost running as administrator it gets flagged.
- Process Handle Inspection – this allows you to define specific rules pertaining to malware or generic behavior. For example a default rule is to flag svchost or iexplore anytime it has a process handle to cmd.exe. There is just no good reason for this to _EVER_ happen. You can also define rules based on specific malware, for example if a3c mutant is present then flag the process as being infected with sality.
All of these features are configurable from the UI by going to operations -> Configure MANDIANT MRI.
The second component of MRI is a process address space scoring mechanism. We will be releasing an update to Memoryze at DC3. The new release will contain bug fixes as well as a new feature called “Verify Digital Signatures.” When this parameter is turned on memoryze will perform a “digital signature check” on all loaded modules. This can only be enabled on live memory analysis. The digital signature check verifies the module on disk is digitally signed. We do a bunch of math and use our Least Frequency of Occurrence to trust modules that aren’t signed but occur in more than X% of processes. Where X is defined by the user. We won’t flag or catch modified binaries in memory. So if a rootkit is doing userland hooking (it should be ashamed) we won’t know about it because we are checking disk to determine if it is digitally signed. There are a lot of reasons why we can’t verify in memory digital signatures. It might make an interesting blog to detail all the reasons. With that said, this new feature gives us a good working idea of how much of the loaded modules in the process address space are signed and therefore trusted. It’s had fantastic results thus far. I’ve been using it on old incidents to see if we could have sped up results using these new methods. The answer seems to be yes in a lot of cases.
After DC3 I’ll have more blogs detailing how you can use and write better rules for MRI. But for now there will be a default distribution that you can use and modify. Again, like always, Audit Viewer is open source and free. Which means you can see the logic and rules behind MRI. Memoryze is and will stay free.
If you are going to be at DC3 and want to grab a beer I will be there from Sun (night)-Weds. Unfortunately I’m going to be missing all the great talks on Thurs so I can leave to compete in the Tough Guy Challenge. You are more than welcome to join at this race in Northern England. As I understand it there are still some open slots! See everyone at DC3!
Tags: APT, Audit Viewer, DC3, DOD Cyber Crime, malware, Malware Rating Index, MANDIANT, Memoryze, MRI
. 21 Jan 10 | Conferences | Comments (0)
Join us for The Fresh Prints of Mal-Ware Webinar Series: Explosion of the Axis of Evil!
Written by Peter Silberman
In September I had the chance to speak at Source Barcelona with Ero Carrera. We gave a talk entitled State Of Malware: Explosion of the Axis of Evil. Both Ero and I really enjoyed giving this talk and the content is so new, we’ve decided to give it again as a free webinar on Nov 5th at 2pm. You’ll get the same content, and Ero and I will be speaking. You’ll also get the added bonus of getting to ask us questions.
I know you’re wondering, ‘Should I be interested in this talk?’ The answer is unequivocally yes. First, you get to hear my and Ero’s angelic voices, which alone is worth the price of admission (free).
Second, this talk runs the gamut of information. Ero will discuss volume, how much VirusTotal sees on a day-to-day basis. He will also cover popular families (I bet you can’t guess which is the most popular, and no it doesn’t start with my and end in doom). Ero will also discuss obfuscation, what trends Virus Total is seeing, what kinds of packers, etc.
I will discuss the Advanced Persistent Threat, specifically speaking about the malware these attackers leave behind. I will discuss how the malware commonly behaves, what it can look like, and why it’s so hard to catch these guys.
You will get interesting statistics like what percent of APT backdoors are detected by any engine VirusTotal supports. You might also see a statistic like what percent of APT uses encryption when communicating.
We’ll cover information that can be interesting to a network administrator trying to protect his company, a CSO who wants to understand the threat landscape better, forensicators who are trying to catch these guys, malware analysts who are curious about behavior, and those who just want to hear our voices!
Hope you guys can join us for a good time, I know Ero and I really enjoyed giving this talk at Source Barcelona and are looking forward to doing it again.
You can sign up for the webinar here.
Tags: Advanced Persistent Threat, APT, Ero Carrera, Fresh Prints of Mal-Ware, MANDIANT, virus total
. 26 Oct 09 | General | Comments (0)
State Of Malware: Explosion of the Axis of Evil, slides etc
Written by Peter Silberman
Last week Ero Carrera and I spoke at Source Barcelona. As I mentioned previously on this blog we were both very excited to give this talk. The talk went very well! We could not have asked for a better audience. The conference itself was also a blast, and I recommend Barcelona to anyone and everyone.
We’ve gotten around to uploading the slides. They include all the statistics we came up with for this talk. When you review the slides take a look at slide 16 “Complexity of Mydoom” and slide 17 “Complexity of Kraken.” These two slides depict control flow graphs of the popular malware Craken and MyDoom. Notice how much functionality is crammed into these binaries. As an Anti Virus company that’s a lot of data and bytes to work with to generate a successful signature.
Now look at slide 44 “Sample BA”, it’s the control flow graph of an APT sample. Notice some differences? Our hope is this talk gets people thinking about the different types of threats, different malware families make to organizations, as well as the clear differences between APT and mass malware.
Tags: APT, malware, MANDIANT, source, source barcelona, virus total
. 05 Oct 09 | General | Comments (0)
The changing battlefield in Memory
Written by Peter Silberman
Steve Davis and I gave a talk at Blackhat and at Defcon called Metasploit Autopsy: Reconstructing the scene of the crime. Giving the talk was a blast; both Steve and I were thrilled to be given an opportunity to give a defensive security talk on the Metasploit track. During our talk and in several interviews, we stated that some aspects of computer security are a cat and mouse game. When you make a technique, tool, or other knowledge public people have a chance to analyze what you have done. This analysis can lead to better code, improvements to ideas, or in some cases the breaking of said tools. In the case of Metasploit Forensic Framework (MSFF), the newest release of Metasploit flat out broke MSFF. First, let me give you some background. When we first started writing the tool, we quickly realized that breaking MSFF would take a single line change to Meterpreter. The fix is simple. In our talk, we discussed that when meterpreter called free the received/sent packets were not scrubbed and lay around memory for hours. MSFF capitalized on this using Memoryze to acquire the processes address space which included the process’s freed memory. HD and crew were nice enough to wait to patch Meterpreter until after our talk. Meterpreter was patched Saturday with memset’s, which zero out the packet data before the memory is freed.
With this fix, our current technique to reconstruct what Meterpreter sent or received does not work. The Metasploit project has broken that ability successfully (something we expected). Our detection will evolve, and HD discussed some ideas he had to make detecting the Meterpreter binary harder. Currently, MSFF can still be used to identify the injected binaries in a process’s address space. The Meterpreter binary contains too much code and has too many features to effectively hide in memory. If and when HD patches the reflective loader to scrub Meterpreter’s binary data, we’ll update MSFF with some fix, more as a proof concept than anything else, to continue to identify the injected DLLs. Hope everyone’s recovered from Vegas!
A huge thanks go to Ping, Nikita, Jeff Moss, Val Smith and HD for putting the Metasploit track together. It was not easy, but it went great. A huge thanks to the defcon speakers, who were very flexible.
Tags: blackhat, MANDIANT, Memoryze, metasploit, metasploit forensic framework, meterpreter, msff
. 13 Aug 09 | General | Comments (0)
Pass the M-unition
Written by Jamie Butler
Welcome to M-unition, MANDIANT’s new, external blog for sharing interesting research, new tools and thought provoking ideas. MANDIANT’s employees come from a diverse background with a wide range of interests and specialities, and M-unition will reflect that.
M-unition will focus on techniques and tools to identify and analyze indicators of compromise on a host or throughout an entire enterprise. While much of the content will leverage the tools and techniques we use, it is our desire to build upon others doing similar work in the community. At M-unition, we will share information to combat a whole host of problems. No pun intended.
Tags: blog, M-unition, MANDIANT, welcome
. 17 Nov 08 | General | Comments (0)
