Zero Day Malware Detection/Prevention Using Open Source Software (Proof of Concept)

Malware Research Center, MyCERT. Copyright © 2015 CyberSecurity Malaysia

Uploaded by malaysia-network-operators-group, posted 16-Jan-2017

TRANSCRIPT

Page 1: Zero Day Malware Detection/Prevention Using Open Source Software

ZERO DAY MALWARE DETECTION/PREVENTION USING OPEN SOURCE SOFTWARE: PROOF OF CONCEPT

Malware Research Center, MyCERT

Page 2: Zero Day Malware Detection/Prevention Using Open Source Software


Outline

• Introduction

• Motivations

• Objective

• Process Flow

• The Open Source components

• Moving Forward


Page 3: Zero Day Malware Detection/Prevention Using Open Source Software

Introduction

• Fathi Kamil Bin Mohad Zainuddin.

• Senior Analyst, Malware Research Centre, MyCERT.

Page 4: Zero Day Malware Detection/Prevention Using Open Source Software

Introduction

• Computer security issues have existed ever since the Internet was introduced, and organisations and security researchers have increased their efforts to ensure that threats are detected and mitigated in a timely manner. Today, as computer attacks tend to be malware-centric, cyber criminals have introduced enough sophistication into their attack techniques that the traditional way of protecting the enterprise, with firewalls, intrusion detection systems and antivirus software at the network perimeter, is no longer effective on its own.

Page 5: Zero Day Malware Detection/Prevention Using Open Source Software

Introduction

• Goal: produce tools or capability for 0-day malware detection/prevention using open source software.

• There are many open source network security components on the market, each doing its own job very well.

• Well-known open source network security products include Snort, Suricata, Dionaea, Kippo, Glastopf, Ntop, Xplico, Wireshark, etc.

• All we need is to glue them together to achieve our purpose.

Page 6: Zero Day Malware Detection/Prevention Using Open Source Software

Motivations

• We deployed LebahNet (our honeynet) previously, but later found that:

– Dionaea plugins are difficult to maintain: following the vulnerability trends in order to keep capturing new malware binaries requires constant work.

– An expert is needed to maintain the plugins.

– We ran attack simulations with Metasploit and got poor results: not all of the vulnerability attacks were captured by Dionaea.

• Network packets contain a lot of information, which may also include malicious documents, binaries and web communication that were not being extracted from the network at all.

Page 7: Zero Day Malware Detection/Prevention Using Open Source Software

Objective

• Capture and identify malicious documents, binaries and web accesses on the network through packet capture.

• Detonate the malicious files / web pages in a sandbox environment.

• Collect the known-malicious information produced by the sandbox into a central database.

• Generate callback signatures from the sandbox results (the command-and-control traffic the sample produces) to detect/prevent further malicious activity.

• Distribute the malicious information among the sensors.

Page 8: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Network IDS / IPS

• Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine.

• Top 3 reasons for choosing it:

– Highly scalable.

– Protocol identification.

– File identification, MD5 checksums and file extraction.

• For our purpose, Suricata can produce:

– Alert log.

– File extraction based on signatures, within HTTP and SMTP:

http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/

http://blog.inliniac.net/2014/11/11/smtp-file-extraction-in-suricata/

– HTTP log.

Page 9: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Network IDS / IPS

• Enabling file extraction: the file-store output section of /etc/suricata/suricata.yaml (written suricata.yml on the slide; the configuration screenshot is not reproduced in the transcript).

Page 10: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Network IDS / IPS

• Suricata file extraction rules: /etc/suricata/rules/files.rules (rules that use the filestore keyword; the listing is not reproduced in the transcript).

Page 11: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Network IDS / IPS

• File extraction output: /var/log/suricata/files/ (the directory listing is not reproduced in the transcript).
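The glue between the extraction directory above and the sandbox, as an added example for this transcript (not MyCERT's, Suricata's or Cuckoo's own code). It assumes the file.N / file.N.meta layout that Suricata 1.x/2.x wrote under /var/log/suricata/files/ (Suricata 4 and later log fileinfo events to eve.json and store files by SHA256 instead), Cuckoo's REST API on its default port 8090, and a constructed meta record as sample input; the INTERESTING_MAGIC list is an assumption to tune.

```python
"""Glue between Suricata file extraction and Cuckoo.

Added example for this transcript, not MyCERT's, Suricata's or Cuckoo's
own code. Parses the ``file.N.meta`` records Suricata 1.x/2.x wrote next
to each extracted ``file.N``, decides which files deserve detonation,
deduplicates by MD5, and submits the rest to Cuckoo's REST API.
"""
import json
import os
import urllib.request
import uuid

# Constructed sample of one meta record, modelled on the Suricata 2.x
# "KEY:   value" layout (the MD5 is that of the harmless EICAR test file).
SAMPLE_META = """\
TIME:              09/05/2015-12:34:56.123456
SRC IP:            192.168.1.10
DST IP:            203.0.113.5
SRC PORT:          49152
DST PORT:          80
PROTOCOL:          6
HTTP URI:          /update/setup.exe
HTTP HOST:         update.example.test
HTTP USER AGENT:   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
FILENAME:          /update/setup.exe
MAGIC:             PE32 executable (GUI) Intel 80386, for MS Windows
STATE:             CLOSED
MD5:               44d88612fea8a8f36de82e1278abb02f
SIZE:              68
"""

# libmagic descriptions worth sending to the sandbox (assumption: tune it
# to the file types your environment actually sees).
INTERESTING_MAGIC = ("PE32", "MS-DOS executable", "PDF document", "Microsoft Word",
                     "Microsoft Excel", "Composite Document File", "Rich Text Format",
                     "Zip archive", "Java archive", "RAR archive")


def parse_meta(text):
    """One meta record -> dict. Only the first ':' separates key from value,
    so timestamps and URIs that contain ':' survive intact."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def is_worth_detonating(meta):
    """Skip truncated transfers (STATE other than CLOSED) and file types the
    sandbox has no analysis package for."""
    if meta.get("STATE") != "CLOSED":
        return False
    return any(tag in meta.get("MAGIC", "") for tag in INTERESTING_MAGIC)


def flow_tags(meta):
    """Context kept with the sample so sandbox results, and the callback
    signatures derived from them, can be tied back to the original flow."""
    host, uri = meta.get("HTTP HOST", ""), meta.get("HTTP URI", "")
    return {"src": "%s:%s" % (meta.get("SRC IP"), meta.get("SRC PORT")),
            "dst": "%s:%s" % (meta.get("DST IP"), meta.get("DST PORT")),
            "url": ("http://%s%s" % (host, uri)) if host else "",
            "md5": meta.get("MD5"), "magic": meta.get("MAGIC")}


def select_from_records(records, seen_md5):
    """records: iterable of (sample_path, meta_text). Yields (sample_path, tags)
    for complete, interesting files not submitted before; seen_md5 is the set
    of hashes already sent (persist it in real use, e.g. the central database)."""
    for path, text in records:
        meta = parse_meta(text)
        md5 = meta.get("MD5")
        if not is_worth_detonating(meta) or not md5 or md5 in seen_md5:
            continue
        seen_md5.add(md5)
        yield path, flow_tags(meta)


def select_samples(files_dir, seen_md5):
    """Directory form: each file.N.meta describes the file.N beside it."""
    def records():
        for name in sorted(os.listdir(files_dir)):
            if name.endswith(".meta"):
                with open(os.path.join(files_dir, name)) as fh:
                    yield os.path.join(files_dir, name[:-5]), fh.read()
    return select_from_records(records(), seen_md5)


def submit_to_cuckoo(path, tags, api="http://127.0.0.1:8090"):
    """POST the sample to Cuckoo's REST API (/tasks/create/file) with the flow
    context in the free-form 'custom' field; returns the task id. Network
    call, not exercised offline."""
    boundary = uuid.uuid4().hex
    with open(path, "rb") as fh:
        data = fh.read()
    head = ('--%s\r\nContent-Disposition: form-data; name="file"; filename="%s"\r\n'
            'Content-Type: application/octet-stream\r\n\r\n' % (boundary, os.path.basename(path)))
    tail = ('\r\n--%s\r\nContent-Disposition: form-data; name="custom"\r\n\r\n%s\r\n--%s--\r\n'
            % (boundary, json.dumps(tags), boundary))
    req = urllib.request.Request(api + "/tasks/create/file", data=head.encode() + data + tail.encode(),
                                 headers={"Content-Type": "multipart/form-data; boundary=" + boundary})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["task_id"]


if __name__ == "__main__":
    for path, tags in select_from_records([("file.1", SAMPLE_META)], set()):
        print("would submit", path, tags)
```

Run it as a cron job or inotify handler over /var/log/suricata/files/; the MD5 set is what stops the same dropper being detonated every time a client re-downloads it.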

Page 12: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Network IDS / IPS

• HTTP logs (/var/log/suricata/http.log by default; the sample is not reproduced in the transcript).

Page 13: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Network IDS / IPS

• Drawback: CPU-intensive.

• Suricata is a high performance NIDS/NIPS that is multi-threaded and uses all CPU cores, unlike Snort 2.x, which is single-threaded; it can also offload pattern matching to GPU cores (experimental CUDA support).

• PF_RING can be used to bypass the Linux TCP/IP stack: Suricata, running in userspace, gets direct access to the packet buffer filled by the network card driver (kernelspace) without going through most of the OS layers.

• You might want to read the 2012 article "Suricata, to 10Gbps and beyond":

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

Page 14: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Sandboxing

• Cuckoo Sandbox is a malware analysis system.

• It produces traces of the native functions and Windows API calls made by the sample, copies of the files created and deleted on the file system, a dump of the memory of the selected process, a full memory dump of the analysis machine, screenshots of the desktop taken during execution, and a network dump (pcap) of the traffic generated by the analysis machine.

• For our purpose, the files and web accesses extracted by Suricata are detonated in Cuckoo Sandbox.
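The "generate callback signature from sandbox result" step of the objectives, applied to the network dump Cuckoo produces, as an added example for this transcript (not MyCERT's, Cuckoo's or Suricata's code). The input is a constructed fragment shaped like the info, target and network sections of a Cuckoo 1.x/2.x JSON report (which fields are present depends on the processing modules enabled, an assumption here); BENIGN_HOSTS and SID_BASE are assumptions to replace with your own clean-run baseline and a free local SID range.

```python
"""Turn Cuckoo network observations into Suricata callback rules.

Added example for this transcript, not MyCERT's, Cuckoo's or Suricata's
code. Output uses Suricata 2.x rule keywords (dns_query, http_method,
http_host, http_uri), which later releases still accept.
"""
import re

SAMPLE_REPORT = {   # constructed, shaped like a Cuckoo JSON report
    "info": {"id": 42},
    "target": {"file": {"md5": "44d88612fea8a8f36de82e1278abb02f"}},
    "network": {
        "dns": [
            {"request": "cnc.example.test", "type": "A",
             "answers": [{"type": "A", "data": "198.51.100.23"}]},
            {"request": "time.windows.com", "type": "A", "answers": []},
        ],
        "http": [
            {"method": "POST", "host": "cnc.example.test", "uri": "/gate.php",
             "user-agent": "Mozilla/4.0"},
            {"method": "GET", "host": "www.msftncsi.com", "uri": "/ncsi.txt",
             "user-agent": "Microsoft NCSI"},
        ],
    },
}

# Hosts a Windows guest contacts on its own; never turn these into rules
# (constructed allowlist, extend it from clean-run baselines of your VM).
BENIGN_HOSTS = {"time.windows.com", "www.msftncsi.com", "dns.msftncsi.com"}

SID_BASE = 3000000  # assumption: a local rule range unused by your rulesets


def escape_content(value):
    """Escape what Suricata treats specially inside content:"...": backslash,
    double quote and semicolon, and the hex delimiter '|'."""
    value = value.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    return value.replace("|", "|7c|")


def sid_of(rule):
    return int(re.search(r"sid:(\d+);", rule).group(1))


def _in_scope(host):
    return bool(host) and host.lower() not in BENIGN_HOSTS


def rules_from_report(report, action="alert", sid_base=SID_BASE):
    """Rule strings for: DNS lookups of C2 names, HTTP requests to them, and
    traffic to the resolved C2 addresses. action="drop" on an inline IPS
    sensor turns detection into prevention."""
    md5 = report["target"]["file"]["md5"]
    task = report["info"]["id"]
    net = report.get("network", {})
    rules, sid = [], sid_base

    def emit(header, msg, body):
        nonlocal sid
        sid += 1
        rules.append('%s %s (msg:"%s (task %d)"; %sreference:md5,%s; '
                     'classtype:trojan-activity; sid:%d; rev:1;)'
                     % (action, header, escape_content(msg), task, body, md5, sid))

    for q in net.get("dns", []):
        name = q.get("request", "")
        if not _in_scope(name):
            continue
        # isdataat:!1,relative anchors the name at the end of the query, so
        # evil.test does not also match evil.test.example.org.
        emit("dns $HOME_NET any -> any any", "Callback DNS query " + name,
             'dns_query; content:"%s"; nocase; isdataat:!1,relative; ' % escape_content(name))
        for ans in q.get("answers", []):
            if ans.get("type") == "A":
                emit("ip $HOME_NET any -> %s any" % ans["data"],
                     "Callback to C2 address " + ans["data"], "")

    for req in net.get("http", []):
        host = req.get("host", "")
        if not _in_scope(host):
            continue
        method, uri = req.get("method", "GET"), req.get("uri", "/")
        # http_host is a normalised (lowercase) buffer: match lowercase, no nocase.
        emit("http $HOME_NET any -> $EXTERNAL_NET any",
             "Callback HTTP %s %s%s" % (method, host, uri),
             'flow:established,to_server; content:"%s"; http_method; '
             'content:"%s"; http_host; content:"%s"; http_uri; '
             % (escape_content(method), escape_content(host.lower()), escape_content(uri)))
    return rules


def write_rules(rules, path="callback.rules"):
    """Append to the local rules file the sensors' suricata.yaml loads; pushing
    that file to the other sensors is the 'distribute' step of the flow."""
    with open(path, "a") as fh:
        fh.write("\n".join(rules) + "\n")


if __name__ == "__main__":
    print("\n".join(rules_from_report(SAMPLE_REPORT)))
```

Every generated rule carries the sample's MD5 as a reference, so an alert on a sensor can be traced back to the Cuckoo task that produced it.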

Page 15: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Sandboxing (Anti-VM)

• Nowadays malware is equipped with anti-VM code that detects whether it is running inside a sandbox through the registry, CPU flags, BIOS strings, file system artefacts, etc.

• Bypassing Sandboxes For Fun:

https://www.botconf.eu/bypassing-sandboxes-for-fun/

• To defeat anti-VM malware, refer to VMCloak, VBoxAntiVMDetectHardened, etc.

• You can use Pafish to check whether your analysis machine is detectable as a virtualised / sandbox environment:

https://github.com/a0rtega/pafish

Page 16: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Sandboxing (Anti-VM)

• Hardened anti-VM detection (screenshot not reproduced in the transcript).

Page 17: Zero Day Malware Detection/Prevention Using Open Source Software

Components – Sandboxing (Anti-VM)

• Sandbox detection using Pafish (screenshot not reproduced in the transcript).
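The kind of checks Pafish runs on the two preceding slides, and the facts a hardened guest should report instead, as an added example for this transcript (not Pafish's, VMCloak's or MyCERT's code). Each check takes its input as an argument so it runs offline on constructed facts; collect_linux_facts() gathers the same facts from sysfs and /proc on a Linux guest. Pafish itself targets Windows and also reads registry keys, Guest Additions drivers and device names, a few of which are listed in VBOX_ARTEFACTS; the OUI, CPUID and DMI markers are published values, the STOCK_VBOX / CLOAKED_VBOX facts are constructed.

```python
"""Pafish-style virtualisation checks, plus what a cloaked guest should show.

Added example for this transcript, not Pafish's, VMCloak's or MyCERT's code.
"""
import glob

# MAC address prefixes (OUIs) registered to hypervisor vendors.
VM_MAC_OUIS = {
    "08:00:27": "VirtualBox", "00:0c:29": "VMware", "00:50:56": "VMware",
    "00:05:69": "VMware", "00:1c:14": "VMware", "00:16:3e": "Xen",
    "00:15:5d": "Hyper-V", "00:1c:42": "Parallels", "52:54:00": "QEMU/KVM",
}
# Vendor strings returned by CPUID leaf 0x40000000 when a hypervisor is present.
HYPERVISOR_VENDORS = {"VBoxVBoxVBox": "VirtualBox", "VMwareVMware": "VMware",
                      "KVMKVMKVM": "KVM", "Microsoft Hv": "Hyper-V", "XenVMMXenVMM": "Xen"}
# Substrings that give a VM away in DMI/SMBIOS vendor and product fields.
DMI_MARKERS = ("virtualbox", "innotek", "vmware", "qemu", "xen", "bochs")
# Windows-side VirtualBox Guest Additions artefacts (registry keys, drivers).
VBOX_ARTEFACTS = (r"software\oracle\virtualbox guest additions",
                  r"hardware\acpi\dsdt\vbox__",
                  r"drivers\vboxmouse.sys", r"drivers\vboxguest.sys",
                  r"drivers\vboxsf.sys", r"drivers\vboxvideo.sys")


def check_mac(mac):
    """Hypervisor vendor the MAC's OUI belongs to, or None."""
    return VM_MAC_OUIS.get(mac.lower().replace("-", ":")[:8])


def check_hypervisor_vendor(vendor):
    return HYPERVISOR_VENDORS.get((vendor or "").strip())


def check_dmi(strings):
    """strings: {field: value}. Returns the fields whose value names a VM vendor."""
    return sorted(k for k, v in strings.items()
                  if any(m in v.lower() for m in DMI_MARKERS))


def check_artefacts(paths):
    return [p for p in paths if any(p.lower().endswith(a) for a in VBOX_ARTEFACTS)]


def run_checks(facts):
    """Run every check over a facts dict and return readable findings; an
    empty list means none of these checks gives the sandbox away."""
    findings = []
    for mac in facts.get("macs", []):
        vendor = check_mac(mac)
        if vendor:
            findings.append("MAC %s uses a %s OUI" % (mac, vendor))
    vendor = check_hypervisor_vendor(facts.get("hypervisor_vendor"))
    if vendor:
        findings.append("CPUID 0x40000000 vendor identifies " + vendor)
    if "hypervisor" in facts.get("cpu_flags", ()):
        findings.append("CPUID.1:ECX[31] hypervisor-present bit is set")
    for field in check_dmi(facts.get("dmi", {})):
        findings.append("DMI field %s = %r" % (field, facts["dmi"][field]))
    for path in check_artefacts(facts.get("artefacts", [])):
        findings.append("Guest Additions artefact present: " + path)
    return findings


def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def collect_linux_facts():
    """Same facts from a Linux guest via sysfs and /proc. The CPUID vendor leaf
    is not exposed there (hypervisor_vendor stays None) and the registry/driver
    artefacts are Windows-only."""
    flags = [l for l in _read("/proc/cpuinfo").splitlines() if l.startswith("flags")]
    return {"macs": [_read(p) for p in glob.glob("/sys/class/net/*/address")],
            "hypervisor_vendor": None,
            "cpu_flags": set(flags[0].split(":", 1)[1].split()) if flags else set(),
            "dmi": {f: _read("/sys/class/dmi/id/" + f)
                    for f in ("sys_vendor", "product_name", "board_vendor", "bios_vendor")},
            "artefacts": []}


# Constructed facts: a stock VirtualBox guest versus one cloaked the way
# VMCloak / hardened VirtualBox builds do (vendor OUI, DMI strings, CPUID
# vendor, Guest Additions removed).
STOCK_VBOX = {"macs": ["08:00:27:3a:4b:5c"], "hypervisor_vendor": "VBoxVBoxVBox",
              "cpu_flags": {"fpu", "sse2", "hypervisor"},
              "dmi": {"sys_vendor": "innotek GmbH", "product_name": "VirtualBox"},
              "artefacts": [r"C:\Windows\System32\drivers\VBoxMouse.sys"]}
CLOAKED_VBOX = {"macs": ["00:1b:21:3a:4b:5c"], "hypervisor_vendor": None,
                "cpu_flags": {"fpu", "sse2"},
                "dmi": {"sys_vendor": "Dell Inc.", "product_name": "OptiPlex 7010"},
                "artefacts": []}

if __name__ == "__main__":
    for name, facts in (("stock", STOCK_VBOX), ("cloaked", CLOAKED_VBOX)):
        print(name, run_checks(facts))
    print("this host:", run_checks(collect_linux_facts()))
```

Running it inside the analysis VM, like running Pafish, tells you which artefacts the hardening still leaves behind; the CPUID hypervisor bit and vendor leaf are the hardest to hide and are what well-written anti-VM code checks first.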

Page 18: Zero Day Malware Detection/Prevention Using Open Source Software

Components – SSL Decryption

• viewssld: SSL decryption for network monitoring.

• Nowadays malware uses SSL/TLS encryption to bypass network security detection.

• An IT security administrator can enforce HTTPS/SSL interception by deploying the firewall's / proxy's root certificate on every PC in the organisation, so that the intercepting device can terminate and re-sign TLS sessions without certificate warnings.

• Given the server's private key, viewssld can decrypt HTTPS sessions and hand the plaintext to the Network IDS for malware collection and intrusion alerting.

• Caveat: passive decryption with a private key only works for cipher suites with RSA key exchange, where the premaster secret is encrypted to the server's public key. With (EC)DHE suites (forward secrecy, the default in modern browsers and servers) the session keys cannot be recovered from the certificate key, so the IDS must instead be fed plaintext by the intercepting proxy itself, or the servers under your control must be configured to offer RSA key exchange.
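A check for that caveat, as an added example for this transcript (not viewssld's or MyCERT's code): it parses the TLS ServerHello of a session and reports whether the negotiated cipher suite uses RSA key exchange, the only case in which the server's private key lets a passive decrypter recover the session keys. The records are built by the block itself (constructed); in practice the bytes come from a capture. The CIPHER_SUITES table holds a handful of IANA-registered suite codes, not the full registry.

```python
"""Which TLS sessions can a private key actually decrypt passively?

Added example for this transcript, not viewssld's or MyCERT's code.
"""
import struct

# (name, key exchange) for a few common suite codes (IANA registry values).
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),   # TLS 1.3: always (EC)DHE
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
}

HANDSHAKE, SERVER_HELLO = 0x16, 0x02


def build_server_hello(cipher_suite, version=(3, 3), session_id=b"",
                       server_random=b"\x00" * 32):
    """Minimal ServerHello (no extensions) inside a TLS record; constructed
    input for the parser and documentation of the layout it walks."""
    body = (struct.pack(">BB", *version) + server_random
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", cipher_suite) + b"\x00")   # compression: null
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + struct.pack(">BB", *version)
            + struct.pack(">H", len(handshake)) + handshake)


def parse_server_hello(record):
    """Record header -> handshake header -> ServerHello body; returns version
    and cipher suite, raises ValueError for anything else or truncation."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]          # 2 version + 32 random + session_id length
    if len(body) < off + 3:
        raise ValueError("truncated ServerHello")
    return {"version": (body[0], body[1]),
            "cipher_suite": struct.unpack(">H", body[off:off + 2])[0]}


def passive_decryptable(record):
    """True only for RSA key exchange: the premaster secret travels encrypted
    to the server's public key, so the private key reveals it. With (EC)DHE,
    and with every TLS 1.3 suite, the keys derive from ephemeral values the
    certificate key never touches."""
    suite = parse_server_hello(record)["cipher_suite"]
    name, kx = CIPHER_SUITES.get(suite, ("unknown 0x%04x" % suite, "unknown"))
    return {"suite": name, "kx": kx, "decryptable_with_server_key": kx == "RSA"}


if __name__ == "__main__":
    for code in (0x002F, 0xC02F, 0x1301):
        print(passive_decryptable(build_server_hello(code)))
```

Run it over the ServerHello of each server you intend to hand a key for; any session reporting an ECDHE, DHE or TLS 1.3 suite will stay opaque to viewssld no matter which key it is given.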

Page 19: Zero Day Malware Detection/Prevention Using Open Source Software

Process Flow

(Flow diagram not reproduced in the transcript; the stages are the ones listed under Objective: packet capture and file extraction, sandbox detonation, central database, signature generation, distribution to sensors.)

Page 20: Zero Day Malware Detection/Prevention Using Open Source Software

Moving Forward

• Enhancing the Cuckoo sandbox environment.

• Defeating anti-VM checks / sandbox hardening.

• Exploitation detection (buffer/heap overflow, payload).

• Producing more valuable information.

• Improving the process flow.

Page 21: Zero Day Malware Detection/Prevention Using Open Source Software

Malware Research Lab (Tools)

• Our team has also developed tools for our daily operations:

– BotNet Checker: botnet detection based on IP address.

– LebahNet: distributed honeynet.

– MyKotakPasir: virtualisation sandboxing.

– AndBox: Android sandboxing.

– ESPot: ElasticSearch honeypot.

– DontExploitMe: browser-based IPS.

– DontPhishMe: phishing site blocker for browsers (Firefox, Chrome, Internet Explorer).

– MyLipas: web defacement crawler.

– Many others.

Page 22: Zero Day Malware Detection/Prevention Using Open Source Software

Malware Research Lab (Tools)

• BotNet Checker: http://botnet.honeynet.org.my/

Page 23: Zero Day Malware Detection/Prevention Using Open Source Software

Malware Research Lab (Tools)

• DontPhishMe & Antiphishing.My: https://www.antiphishing.my/

Page 24: Zero Day Malware Detection/Prevention Using Open Source Software

Coordinated Malware Eradication And Remediation Project (CMERP) & CyberDEF (Detection, Eradication & Forensics)

What is it?

• A comprehensive solution for the detection, eradication and forensics of malware in cyberspace.

What are the benefits?

• Helps organisations strengthen and defend themselves by preparing the CSIRT team with the required skills, policies and procedures in place.

• The capability of the team is strengthened by participating in cyber exercise activities tailored to the organisation.

• With the necessary resources and skills in place, steps and measures can be taken to eradicate the threat.

Page 25: Zero Day Malware Detection/Prevention Using Open Source Software


Contacts

• Web: http://www.cybersecurity.my

• Web: http://www.mycert.org.my

• Web: www.cybersafe.my

• Report Incident:

[email protected]


Page 26: Zero Day Malware Detection/Prevention Using Open Source Software


Q&A

Page 27: Zero Day Malware Detection/Prevention Using Open Source Software
