Leveraging Continuous View to Hunt Malware
Why hunt for malware?
Scanned services
Unauthorized
systems
Patches
Config
Unauthorized
software
Malware
Malware is another form of vulnerable software that has been introduced into your network.
Hunting modern malware is much more about enterprise vulnerability and configuration auditing that traditional anti-virus agent based discovery.
At one end of the spectrum, finding an open port can make you fail a compliance audit. On the other end of the spectrum, you can have a fully patched systems with a RAT, Trojan, botnet, .etc on it.
Traditional Vulnerability Management
Advanced Analytics
Massive App Library Updated Daily.
Dashboard and Report Designer
Connectors for Complete
Context
Unique Sensors100% Asset
Discovery
YOUR NETWORK
Unique Underlying Architecture
• Port Scans• Botnet• Malware• System Tests
• Real-time Ports• User Agents• Network Logs• DNS & Web Queries
• Netflow• Process Logs• Botnet • Anomalies
• 2D Dashboards• Data mining• 3D Visualization
• Spreadsheets• Command Line Tools
Topics• Sweet Orange• RedKit• ComFoo RAT• Zeus P2P• Neutrino• Tenable Botnet/Malware Detection Technology
Hunting for IP Addresseshttp://www.malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/
Sweet Orange Exploit Kit
List of IP addressesassociated with SweetOrange
URI associated withsystems redirected toSweet orange web pages
Create watchlist
LCE has events (mostly from PVS) to these IPs
Example URI from blog:
Detected query with PVS:The sniffed URIs match URI !!!
Indicators from May 2013DHS Weekly Synopsis Product
RedKit
• Keyword search for PVS plugin 7039
• Generic SC searches for Nessus scan results
Manual search of hosted URL/URI content in any result, including port Independent PVS 7039
Are we hosting RedKit content?
Did someone query RedKit content?• Search LCE proxy logs• Search PVS Web logs• Search PVS & DNS logs
Refine search to avoid generic match
Search PVS logs:
Example Domain_Summary query
Secrets of the Comfoo Mastershttp://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
Comfoo RAT
• Look for failed credential Nessus scans• “ipnat” running in system logs
PVS will log the queries andthey can be discoverable asshown below.
• Nessus web scan results – which ports?
• PVS web scan sniffingresults – all ports!
• PVS plugin 2 – client side usage• PVS plugin 16 – outbound client side usage
The detected port traffic on 1688 was bittorrent
<custom_item>type: AUDIT_POWERSHELLdescription: "Comfoo Masters - ServiceDLL Check"value_type: POLICY_TEXTvalue_data: "(cmmos.dll|jacpet.dll|javadb.dll|mszlobm.dll|netfram.dll|netman.dll|ntdapie.dll|ntdelu.dll|ntobm.dll|odbm.dll|senss.dll|suddec.dll|tabcteng.dll|vmmreg32.dll|wininete.dll)”powershell_args : "Get-ItemProperty HKLM:\system\CurrentControlSet\Services\*\Parameters | select PSPath,ServiceDll | format-list"check_type : CHECK_NOT_REGEXpowershell_option : CAN_BE_NULL</item>
Search registry for evidence of Comfoo.
<custom_item> type : AUDIT_POWERSHELL description: "Comfoo Masters - Find DLLs" value_type : POLICY_TEXT value_data : "" powershell_option: CAN_BE_NULL powershell_args: "get-childitem -recurse c:\ -include cmmos.dll,jacpet.dll,javadb.dll,mszlobm.dll,netfram.dll,netman.dll,ntdapie.dll,ntdelu.dll,ntobm.dll,odbm.dll,senss.dll,suddec.dll,tabcteng.dll,vmmreg32.dll,wininete.dll -erroraction silentlycontinue|select directory,name|format-list"</custom_item>
Search file system for evidence of Comfoo.
• 257 domain names• Powerful command-line search• associative-search.sh• Searches DNS, MD5 & SSL• https://discussions.nessus.org/
message/19698#19698• Ran 1 hour to search all domain
names across 6 months of data
http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf
ZeuS-P2P
Infected computer has BOTH UDP and TCP ports open between 10,000 and 30,000
Manually finding systems with TCP and UDP ports between 10,000 and 30,000 is tricky.
Need to save a list of IPs with UDP 10,000 to 30,000 and then filter that list with a TCP filter of 10,000 to 30,000
Filter on an asset list of IPs with UDP ports 10k to 30k for those IPs with TCP ports in the same range.
These hashes were already part of the malware cloud database; i.e., Nessus or LCE Client would have found these.
A New Exploit Kit in Neutrinohttp://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/
Neutrino
Also Covered at MalwareSigshttp://www.malwaresigs.com/2013/08/29/30-days-of-neutrino-domainsips/
Neutrino
Take IPs from blog post and create a SecurityCenter watchlist named Neutrino
Search for any hits in past 30 days and then do a port summaryto see port 8000 activity.
Extend search to 50 days and see some more activity.
VirusTotal claimed the following DNS names were in use by Neutrino on various dates
On Aug 5, we saw lots of queries for ifjtjdhcywssbhdxk.dyndns-mail.com recorded by the PVS.
This DNS name was NOT on the list from the blog for Aug 5th nor any other day, but was very close.
Differences in DNS names at VirusTotal and in “live” use can result from many things including variants and different behaviors based on where it is run.
Tenable Botnet/Malware Detection Technology
Tenable Botnet/Malware Detection Technology
• Passive Web Traffic Analysis • Malicious Process Detection• Botnet Detection based on IP reputation
PVS passively logs all DNS lookups, web queries and network traffic in real-time.
This event indicates there have been nine web queries in the past 30 days which were related to known botnet activity.
These are the nine queries, each one to a known malicious botnet or malware related site.
Nessus scans identify malicious processes with cross-industry index of known bad hashes
LCE Windows agents perform malware detection on all running processes.
The LCE checks all IDS, login, netflow & PVS logs against a botnet reputation database
Nessus checks systems for active botnet connections, settings and content
Nessus also identifies systems running unique and unknown processes
Each of these checks, and many others, is leveraged by real-time dashboards to identify malware