Malware Incident Response
Enterprise Security Office Forum
February 23, 2010
Welcome
Theresa Masse, State CISO
Introduction
State Incident Response Team: John Ritchie, Shaun Gatherum
State Data Center Intrusion Detection Team: Mike Bushman
Introduction
State Incident Response Team: Incident Response Across Agencies
Many incidents involving malware
This Forum Is Brought To You By…
- Forensics experience with malware
- IDS trend analysis
Agenda
Malware Prevention
Malware Trends and Dangers
Intrusion Detection – State Data Center
Desktop Detection and Cleanup
Detection Toolkit
Questions
Prevention Is (Still) the Best Defense
Old, Tired, Repetitious, but…
Prevention Saves Money! Malware can take 2-4 hrs of technician time + end user time. The most effective method of dealing with malware is to prevent it in the first place!!!
Prevention Strategies
- Patch everything
- Educate end users
- Restrict admin rights
- Use all of your AV features, including heuristic scans
- Use website reputation filters
- Have a vulnerability/configuration management program
Reputation Based Filter
Configuration Management
Malware Trends
John Ritchie
No More Fun and Games
Malware is Big Business Crime
- ID theft = $$$
Espionage – A Developing Trend
- Trade secrets = $$$
- Government advantage = $$$
- $$$ = R&D, product improvement
Determined Attacks
- Not just opportunistic
[Bar chart: Top 10 Malware Dec 2009 (Oregon Top 10). Counts per family, highest to lowest: 39, 26, 21, 17, 17, 13, 12, 7, 6, 5; the family labels did not survive extraction.]
Modern Malware Trends
- Increasingly sophisticated
- Evasive, hide themselves: rootkits, bootkits
- Self-defense: disable AV, rootkits
- Multiple channels of communication: fast-flux DNS, protocol flexibility, distributed C&C
- Extremely flexible: morphing, adaptive, high-tech, modular
- High quality software: rapid product improvement
Modern Malware Trends
Data Stealing!
- Browser hooks, key loggers
- Login credential theft (passwords)
- Credit card information
- PII
Which Agencies Have This Data?
Data Theft and the Oregon Consumer ID Theft Protection Act
Defense Components
- Anti-virus software: always playing catch-up; agencies slow to upgrade
- Agency security practices: malware prevention, malware detection and incident response, security awareness
- Network intrusion detection systems
State IDS Architecture
Mike Bushman
SDC Perimeter Intrusion Detection
Multi-vendor inspection at Internet connections
Why Detection & Not Prevention?
- Encrypted & local attack vectors: webmail (HTTPS://), USB drives, & MP3 players
- The IDS sensors typically only see the aftermath – phone home (workstation posture is key to prevention – patches and protection)
The Overall Picture
- At the perimeter the IP seen may be a firewall, proxy, or other external IP with thousands of hosts behind it
- Perimeter IDS is blind to internal events unless they can phone home
- There are so many perimeter attacks that signatures must be carefully enabled and managed
Signature and Rule Management
- A 'Perimeter' IDS policy exists and takes into account the physical location of the sensor (Do we want to fill the database with worms simply knocking on the perimeter door? – no)
- Multi-sourced rule updates & custom alerts (accurate but old, new outbreaks, unique to us)
- SDC policy contains over 4000 active IDS rules and nearly 23,000 disabled rules (a known bot-net knocking on our perimeter door – disabled)
- A typical one-week period may add 25-62 new rules and update 1000-2000 existing rules. The rules are all evaluated for relevancy before being activated and uploaded
Where We Are Headed
Agency-based IDS Sensors
-Sensor can see the internal IP address and identify the host
-Captive malware blocked at the agency firewall & not seen at the perimeter can be identified
-Enable more IDS signatures since we have eliminated perimeter noise and are behind the firewall
-Allow agency access to IDS reports –scope refined to agency IP space only
SDC Perimeter Intrusion Detection
With all those firewalls, web filtering, perimeter & agency IDS boxes we should at least spot an incident in progress right?
There are always exceptions:
- The latest variant
- Encryption
- Alternate routes (rogue & not)
Workstation posture is still critical: educate, patch and protect…
SDC Malware Detection and Notification
Mike Bushman
Intrusion Detection
Intrusion detection is the process of discovering, analyzing and reporting unauthorized or damaging network or computer activities.
Snort
Capable of performing real-time traffic analysis and packet logging on IP networks.
Used to monitor network traffic and scan for signatures that represent potential attacks, worms, and unusual activities.
Helps identify potentially compromised machines, information leaks, active and passive attacks.
Snort
Can perform protocol analysis, content searching/matching and be used to detect a variety of attacks and probes.
Primarily a signature based detection engine, not unlike anti virus engines.
Looks for signatures in data streams and packet headers that are known to indicate an attack, potential attack or data leak.
We are using over 4,000 rules. Snort will only log the packets which triggered an alert.
IDS Malware Detection and Notification
What Do We Watch For?
- Trojans
- Malware
- Data stealing trojans
- Keyloggers
- Possible data loss
- Fake anti virus installs
- E-Cards
- Downloader apps
- Spyware
- SPAM BOTS
- Hack attempts
- Worms
- Backdoors
- Policy violations like Peer2Peer file sharing
Snort Alert Key Information
- Destination IP address(es)
- Host name if discovered
- GET or POST command in the packet
What Snort Sees and Alerts On
Waledac Trojan Signature – A Data Stealing Trojan
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac Beacon Traffic Detected"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d0a|Referer\: Mozilla|0d 0a|"; nocase; within:50; content:"|0d0a|User-Agent\: Mozilla|0d 0a|"; within:120; content:"a="; nocase; within:100; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; sid:2008958; rev:1;)
What Snort Sees And Alerts On
POST /odry.png HTTP/1.1
000 : 50 4F 53 54 20 2F 6F 64 72 79 2E 70 6E 67 20 48  POST /odry.png H
010 : 54 54 50 2F 31 2E 31 0D 0A 52 65 66 65 72 65 72  TTP/1.1..Referer
020 : 3A 20 4D 6F 7A 69 6C 6C 61 0D 0A 41 63 63 65 70  : Mozilla..Accep
030 : 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E 74 65 6E 74 2D  t: */*..Content-
040 : 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F  Type: applicatio
050 : 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C  n/x-www-form-url
060 : 65 6E 63 6F 64 65 64 0D 0A 55 73 65 72 2D 41 67  encoded..User-Ag
070 : 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 0D 0A 48 6F  ent: Mozilla..Ho
080 : 73 74 3A 20 31 31 39 2E 36 34 2E 39 34 2E 31 39  st: 119.64.94.19
090 : 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68  ..Content-Length
0a0 : 3A 20 33 35 35 39 0D 0A 43 61 63 68 65 2D 43 6F  : 3559..Cache-Co
0b0 : 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D  ntrol: no-cache.
0c0 : 0A 58 2D 4E 6F 76 49 4E 65 74 3A 20 76 31 2E 32  .X-NovINet: v1.2
0d0 : 0D 0A 0D 0A                                      ....
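Added example, not from the presentation: the rule above is written in Snort's content-matching language, and the hex dump shows the request headers it fired on. The Python below re-implements only the content/depth/within/nocase logic of the Waledac rule and runs it over the slide's 212 header bytes. The 3559-byte POST body is not on the slide, so a short body beginning with "a=" is constructed to stand in for it; flow state and protocol decoding are not modelled, and the simplified "within" semantics (the whole pattern must fall inside the N bytes after the previous match) are an assumption of this example.

```python
# Added example: simplified Snort content matching for the Waledac rule.
# Not the IDS team's code and not Snort itself; payload matching only.

# The 212 header bytes from the slide's hex dump (offsets/ASCII column dropped).
SLIDE_HEX = """
50 4F 53 54 20 2F 6F 64 72 79 2E 70 6E 67 20 48
54 54 50 2F 31 2E 31 0D 0A 52 65 66 65 72 65 72
3A 20 4D 6F 7A 69 6C 6C 61 0D 0A 41 63 63 65 70
74 3A 20 2A 2F 2A 0D 0A 43 6F 6E 74 65 6E 74 2D
54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F
6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C
65 6E 63 6F 64 65 64 0D 0A 55 73 65 72 2D 41 67
65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 0D 0A 48 6F
73 74 3A 20 31 31 39 2E 36 34 2E 39 34 2E 31 39
0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68
3A 20 33 35 35 39 0D 0A 43 61 63 68 65 2D 43 6F
6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D
0A 58 2D 4E 6F 76 49 4E 65 74 3A 20 76 31 2E 32
0D 0A 0D 0A
"""
WALEDAC_HEADERS = bytes.fromhex(SLIDE_HEX)

# The POST body is not on the slide; this stand-in is CONSTRUCTED so the
# rule's final content match ("a=") has something to hit.
CONSTRUCTED_BODY = b"a=" + b"A" * 30

# The rule's content checks, in order: (content spec, nocase, depth, within)
WALEDAC_CONTENTS = [
    ("POST /", False, 6, None),
    ("|0d0a|Referer\\: Mozilla|0d 0a|", True, None, 50),
    ("|0d0a|User-Agent\\: Mozilla|0d 0a|", False, None, 120),
    ("a=", True, None, 100),
]


def snort_content(spec: str) -> bytes:
    """Convert a Snort content string to bytes: runs between | | are hex,
    the rest is literal text with the \\: \\; \\" escapes removed."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:  # odd pieces sit between pipe characters: hex bytes
            out += bytes.fromhex(part)
        else:
            out += part.replace("\\:", ":").replace("\\;", ";").replace('\\"', '"').encode()
    return bytes(out)


def rule_matches(payload: bytes, contents=WALEDAC_CONTENTS) -> bool:
    """Apply the content checks in order. depth:N searches only the first N
    payload bytes; within:N requires the whole pattern to sit in the N bytes
    after the previous match ended (a relative cursor, as in Snort)."""
    cursor = 0
    for spec, nocase, depth, within in contents:
        pattern = snort_content(spec)
        if depth is not None:
            start, end = 0, depth
        elif within is not None:
            start, end = cursor, cursor + within
        else:
            start, end = cursor, len(payload)
        hay = payload[start:end]
        idx = hay.lower().find(pattern.lower()) if nocase else hay.find(pattern)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True


def waledac_payload() -> bytes:
    """Slide headers plus the constructed body: what the sensor would see."""
    return WALEDAC_HEADERS + CONSTRUCTED_BODY


# A constructed ordinary browser POST: a real User-Agent carries a version and
# Referer is a URL, so the second content check never lines up.
BENIGN_POST = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
               b"User-Agent: Mozilla/5.0\r\nReferer: https://intranet.example/\r\n"
               b"\r\nuser=alice&a=1")

if __name__ == "__main__":
    print("waledac headers + body:", rule_matches(waledac_payload()))  # True
    print("waledac headers only:", rule_matches(WALEDAC_HEADERS))      # False
    print("benign post:", rule_matches(BENIGN_POST))                    # False
```

The headers-only case is the one worth noticing: the rule needs "a=" within 100 bytes of the User-Agent line, which falls in the form body, so a sensor that only sees the header segment would not fire on this request.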
NERO Abuse Reports
What follows is the NERO Daily Abuse Report. Timestamps are GMT. Please investigate the host(s) mentioned below and follow up to [email protected].
------------------------------------------------------------------------------------------------
IP Address      | Time last seen       | Type | Add. info
------------------------------------------------------------------------------------------------
xxx.xxx.xxx.xxx | 2010-Feb-16 16:08:43 | BOTS | srcport 63228 mwtype Torpig
xxx.xxx.xxx.xxx | 2010-Feb-16 16:34:59 | BOTS | srcport 1277 mwtype Torpig
xxx.xxx.xxx.xxx | 2010-Feb-16 17:17:21 | BOTS | srcport 5432 mwtype Mebroot
xxx.xxx.xxx.xxx | 2010-Feb-16 17:17:27 | BOTS | srcport 5441 mwtype Mebroot
How to Investigate NERO Abuse Reports
zgrep xxx.xxx.xxx.xxx log.2010021609.gz | grep 63228
Feb 16 2010 08:08:43 Built dynamic TCP translation from inside 192.168.xxx.xxx/9365 to outside xxx.xxx.xxx.xxx/63228
Feb 16 2010 08:08:43 Built outbound TCP connection for inside:192.168.xxx.xxx/9365 (xxx.xxx.xxx.xxx/63228) to outside:91.19.47.137/80
IP Address: 91.19.47.137
IP Location: Germany, Deutsche Telekom AG
Resolve Host: p5B132F89.dip.t-dialin.net
It is very important to note that there were NO Snort signatures for this activity.
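The zgrep walk-through above is the manual version of one correlation: take the external IP, source port and GMT timestamp from the abuse report, find the firewall NAT translation that held that port at that moment, and read off the inside host. The Python below is an added example, not the SDC team's tooling, that does the same over constructed sample lines in the report and log formats shown on the slides. The addresses are RFC 5737 documentation addresses, and the log is assumed to be written in UTC-8, which is what the slide's 16:08:43 GMT versus 08:08:43 log time implies for February.

```python
import re
from datetime import datetime, timedelta

# Added example: correlate abuse-report entries with firewall NAT logs.
# CONSTRUCTED sample data in the slide's formats; not real hosts or logs.
ABUSE_REPORT = """\
IP Address      | Time last seen       | Type | Add. info
203.0.113.10    | 2010-Feb-16 16:08:43 | BOTS | srcport 63228 mwtype Torpig
203.0.113.10    | 2010-Feb-16 17:17:21 | BOTS | srcport 5432 mwtype Mebroot
"""

# Report times are GMT; the slide's log shows them 8 hours earlier, so the
# log is ASSUMED to be in UTC-8 (Pacific Standard Time in February).
LOG_UTC_OFFSET = timedelta(hours=-8)

# Note the third line: the same NAT port is handed to a different inside host
# later in the day, so matching on port alone would name the wrong machine.
FIREWALL_LOG = """\
Feb 16 2010 08:08:43 Built dynamic TCP translation from inside 192.168.5.23/9365 to outside 203.0.113.10/63228
Feb 16 2010 08:08:43 Built outbound TCP connection for inside:192.168.5.23/9365 (203.0.113.10/63228) to outside:198.51.100.7/80
Feb 16 2010 08:47:02 Built dynamic TCP translation from inside 192.168.5.41/1277 to outside 203.0.113.10/63228
Feb 16 2010 09:17:21 Built dynamic TCP translation from inside 192.168.7.9/2201 to outside 203.0.113.10/5432
"""

IP = r"\d+\.\d+\.\d+\.\d+"
REPORT_RE = re.compile(
    rf"^(?P<ext_ip>{IP})\s*\|\s*(?P<seen>\d{{4}}-\w{{3}}-\d{{2}} \d{{2}}:\d{{2}}:\d{{2}})"
    r"\s*\|\s*(?P<type>\w+)\s*\|\s*srcport (?P<srcport>\d+) mwtype (?P<mwtype>\S+)")
NAT_RE = re.compile(
    rf"^(?P<ts>\w{{3}} \d{{2}} \d{{4}} \d{{2}}:\d{{2}}:\d{{2}}) Built dynamic TCP translation "
    rf"from inside (?P<in_ip>{IP})/(?P<in_port>\d+) to outside (?P<out_ip>{IP})/(?P<out_port>\d+)")


def parse_abuse_report(text):
    """One dict per reported host; the header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if m:
            entries.append({
                "ext_ip": m["ext_ip"],
                "seen_gmt": datetime.strptime(m["seen"], "%Y-%b-%d %H:%M:%S"),
                "srcport": int(m["srcport"]),
                "mwtype": m["mwtype"],
            })
    return entries


def parse_nat_log(text):
    """Only the 'Built dynamic TCP translation' lines carry the inside->outside
    port mapping; the 'Built outbound TCP connection' lines are ignored here."""
    records = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            records.append({
                "ts_local": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                "inside_ip": m["in_ip"],
                "outside_ip": m["out_ip"],
                "outside_port": int(m["out_port"]),
            })
    return records


def find_inside_hosts(entry, nat_records, window_seconds=120):
    """Inside IPs that held the reported external IP/port within the window
    around the report time (converted to the log's local time)."""
    seen_local = entry["seen_gmt"] + LOG_UTC_OFFSET
    window = timedelta(seconds=window_seconds)
    return [r["inside_ip"] for r in nat_records
            if r["outside_ip"] == entry["ext_ip"]
            and r["outside_port"] == entry["srcport"]
            and abs(r["ts_local"] - seen_local) <= window]


def investigate(report_text, log_text, window_seconds=120):
    """Map (external IP, srcport, malware type) to the candidate inside hosts."""
    nat = parse_nat_log(log_text)
    return {(e["ext_ip"], e["srcport"], e["mwtype"]): find_inside_hosts(e, nat, window_seconds)
            for e in parse_abuse_report(report_text)}


if __name__ == "__main__":
    for key, hosts in investigate(ABUSE_REPORT, FIREWALL_LOG).items():
        print(key, "->", hosts)
```

Widening the window to an hour makes the port-reuse problem visible: the Torpig entry then resolves to two inside hosts, and the analyst has to fall back to the connection lines or host-side evidence to pick the right one.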
Wireshark
Wireshark® is the world's most popular network protocol analyzer.
08:26:12 159.121.203.1 91.213.94.131
HTTP POST /cgi-bin/forms.cgi HTTP/1.1 (application/octet-stream)
POST /cgi-bin/forms.cgi HTTP/1.1
Host: 91.213.94.131 = Ukraine
Content-Disposition: form-data; name="upload_file"; filename="152108717.32"
basic_auth_http://www.sandisk.com/lpupdate?custom=1.5.0.4&brand=cruzer&unique=4b75810b&ver
capacity=1037041664&used=97714176&apps=7&user=u3demo&pass=u3demo
Recommendations
Customers of these workstations change all personal and business passwords.
Do not plug an infected workstation back into the network. Examine the workstation offline.
Malware tools are not perfect. There is not a single tool that finds everything.
Err on the side of caution.
Recommendations
Tools are simply that...just tools. As you work with malware, it's important to have many ways to confirm your results. It's just as important NOT to totally rely on your tools to provide you with the answers.
In essence you want to look at malware from many different angles and never forget that your tools are only so good and may not provide you with the complete answer.
REMEMBER
Nothing found does not mean that nothing is there.
Rebuild that workstation!!!
You Do Not Want This Email…
You do not want to receive this email from me. Unfortunately it happens at least once a week.
If this workstation was “cleaned”, you need new soap. I recommend one called “rebuild it”.
Anti-Virus Software
Shaun Gatherum
Anti-Virus Software
AV has several detection methodologies:
- Signatures
- Heuristics
- Behavior
- Cloud prevention
Signatures
Always playing catch up
Our experience:
The newer the malware, the poorer the detection rate
Detection improves over time
Virustotal, September 2009
Virustotal, 4 months later
Heuristics
If it walks like and talks like a virus, chances are it’s a …
Behavior
Recognizes malware based on criteria and then blocks it
Cloud Prevention/Detection
Uses multiple detection engines and advanced heuristics
The Future of Malware
Zeus
- Sold as a kit: purchaser can customize, each build is unique, avoids A/V signatures
- Feature rich: botnet control, data stealing, key stroke logging, SSL field injection
- Downloader: installs more malware
- Root kit / boot kit
- Remote nuke
In short, it does whatever you want it to do.
Prevention
Cleaning vs. Reimaging
Our experience: cleaning will fail to completely remove malware. Reasons:
- Hooked AV
- Root/boot kits
- Trojaned DLLs
- Registry entries
- Other unknown malware
Reimaging
- Must replace MBR (master boot record)
- Time consuming
- More effective than cleaning
- Not practical for large outbreaks
Cleaning Methodology
- Understand what malware is on the system
- Independently scan to identify malware locations and whether other malware is present
- Remove malware
- Independently scan to verify removal
- Monitor at the network level (for days)
SIRT Malware Identification Toolkit
John Ritchie
SIRT Malware Identification Toolkit
What Is It?
- Open source boot CD and forensic toolkit
- Based on SIRT malware investigations
What Does It Do?
- Keep it simple
- Safe, effective ID of malware
- Determine infection time
- Determine infection source
What You Will Need
- SIRT Toolkit boot CD
- Victim machine (powered off)
- Fully-patched Windows machine with Kaspersky Anti-Virus (Why Kaspersky? What about other AV products?)
- Crossover cable or switch/hub (optional but recommended)
- USB thumb drive
The Process – Checklist
- Crossover cable to Windows machine
- Boot victim from toolkit CD
- Insert thumb drive (NO autorun software please!)
- Configure network
- Share victim drive
- Scan drive with AV product(s)
- Generate filesystem timeline
- Identify malware with Virustotal
- Identify time of infection with timeline
- Identify source of infection
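Two steps of the checklist above, and the "independently scan to identify malware locations" step of the cleaning methodology, come down to the same pair of artifacts: a hash for every file on the victim drive (to look up at Virustotal or feed to a second AV engine) and a filesystem timeline to bracket the infection. The Python below is an added example, not the SIRT toolkit's own code, that builds both over a mounted volume. Since no victim drive is available here, it fabricates a small directory tree with constructed file names and mtimes; the 08:08 suspect time is the constructed "first alert" the analyst would bring from the IDS or abuse report. It never touches the network, so hash lookups remain the analyst's step.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

# Added example: filesystem timeline + hashing over a mounted victim volume.
# Not the SIRT toolkit's code; the sample tree below is CONSTRUCTED.


def sha256_file(path, chunk=1 << 16):
    """Streamed SHA-256 so large files on the victim drive do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_timeline(root):
    """(timestamp, kind, relative path, sha256) for every file under root,
    sorted by time. kind 'm' = content modified, 'c' = metadata changed.
    atime is left out because AV scans churn it."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            digest = sha256_file(path)
            entries.append((datetime.fromtimestamp(st.st_mtime), "m", rel, digest))
            entries.append((datetime.fromtimestamp(st.st_ctime), "c", rel, digest))
    entries.sort()
    return entries


def files_changed_near(timeline, suspect_time, window_minutes=10):
    """Relative paths whose mtime/ctime falls within the window around the
    suspected infection time (first IDS alert, abuse-report timestamp...)."""
    window = timedelta(minutes=window_minutes)
    return sorted({rel for ts, _kind, rel, _d in timeline if abs(ts - suspect_time) <= window})


def hash_of(timeline, rel):
    """Look up the digest recorded for one relative path."""
    for _ts, _kind, path, digest in timeline:
        if path == rel:
            return digest
    return None


def make_constructed_victim_volume():
    """CONSTRUCTED stand-in for a mounted victim drive: a temp directory whose
    files carry invented names and mtimes. Returns (root, suspect_time)."""
    root = tempfile.mkdtemp(prefix="victim_")
    base = datetime(2010, 2, 16, 8, 8, 0)  # constructed first-alert time
    plan = {
        "Windows/System32/kernel32.dll": ("old system file", base - timedelta(days=400)),
        "Users/demo/AppData/Local/Temp/odry.png": ("dropped payload (constructed)", base + timedelta(minutes=1)),
        "Windows/System32/drivers/etc/hosts": ("hosts edited", base + timedelta(minutes=3)),
        "Users/demo/Documents/report.doc": ("user document", base - timedelta(days=3)),
        "Users/demo/empty.tmp": ("", base - timedelta(days=30)),
    }
    for rel, (content, mtime) in plan.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    return root, base


if __name__ == "__main__":
    root, suspect = make_constructed_victim_volume()
    tl = build_timeline(root)
    for ts, kind, rel, digest in tl:
        print(ts, kind, digest[:12], rel)
    print("changed near", suspect, "->", files_changed_near(tl, suspect))
```

Because ctime cannot be back-dated with os.utime, the 'c' entries of the constructed tree all carry today's date and fall outside the window; on a real victim volume they are the ones that catch a file whose mtime was forged to an old date.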
Toolkit Demonstration
Toolkit Recap
- Boot from CD
- Scan from a different machine
- Find files and identify them
- Find time of infection
- Find source of infection
When To Use the Toolkit
Summary
Recap
- Modern malware
- State network IDS
- Problems with anti-virus, malware cleaning
- Identification toolkit
- Recovery process
Summary
Prevention
- Patch OS, all software
- Full-strength anti-virus
- Policy enforcement
- Education
- Prevention saves money
References
Virustotal: http://www.virustotal.com/
Drop My Rights: http://download.microsoft.com/download/f/2/e/f2e49491-efde-4bca-9057-adc89c476ed4/DropMyRights.msi
Web Of Trust: http://www.mywot.com/
Secunia Online Software Inspector: http://secunia.com/vulnerability_scanning/online/
Kaspersky AntiVirus: http://www.kaspersky.com/kaspersky_anti-virus
Avast!: http://www.avast.com/free-antivirus-download
ClamAV: http://www.clamav.net/
Questions?