Onion, not parfait


Today's security check-up and malware for the rest of us

Jared DeMott, lifelong haX0r

Qualified for this talk?

You decide …
– NSA
  • My deep dive into a whole new world - security focused
– Booz Allen Hamilton
  • Level 3 consultant - Reverse Engineering
– Applied Security, Inc.
  • GPF sprung to life
– VDA Labs, LLC
  • Founder - Further opened the eyes of many to the effects of fuzzing
– Defcon CTF Champion
  • Was part of the l@stplace team during another winning 2007 season
– HBGary, Inc.
  • All but the kitchen sink guy, started working with Malware
– Author and Speaker (Black Hat, Defcon, and Toorcon)
  • Ari Takanen, Charlie Miller, and I have a book coming out very soon!
– Ferris State University
  • Assistant Professor - focus on OS, security, programming, and more
– Crucial Security, Inc
  • Security Researcher
– … rounded out by groups, cons, and talks like this

Layers of Security

• Computer Science as a field is growing all the time
  – More and more users each year
• Security is one such sub-field and it is growing

(Diagram: onion layers – Technology, Users, Low Level Policy, Low Level Technical, Threats)

High Level Policy

• Decision making and risk management
  – Should come from above
  – Are CIOs, CSOs, etc. always qualified for this?
    • For example, did anyone follow the DailyDave thread on AV being dead, that occurred a while ago?
      – Sandboxing to be discussed later
  – Need formal processes to make good decisions
    • Business continuity
    • Disaster recovery
    • Data security
• Are Nation-states really our threat?
  – For big business and government contractors … YES!
    • Booz Allen spear-phish that went public a bit ago
  – Not so much for small to mids, schools, etc. … they worry about keeping their head above water, and hoping the network works.

Technology

• What’s it good for? How has it improved our lives?
  – I’m waiting for my RFID tag and mark of the beast
• Who knows, but it can transform business
  – Just ask people in health care
    • Technology is exploding in this field and is changing the way people are able to receive care
  – Just ask online sales, which didn’t really exist pre-1990s
• Usage
  – We need security to be sure technology is used well, or to perform the Incident Response (IR) when it’s not
    • Yes, even though current security solutions aren’t perfect

Some current working Attacks

• 0day to the desktop
  – In 2008, client side bugs are alive and kicking!
• The old thumb drive outside the bank trick
  – Rootkit
• Insider payoff
  – Rootkit
• Stealing and modifying hardware (supply chain)
  – Rootkit
• Simple .exe in email
  – Run this file for pics of whoever == Rootkit
  – .com was one of the best I’ve ever received

Defense

• Can technology defend against technology?
  – Application filtering firewall with a buffer overflow, what were we thinking there?
  – Same for IDS, AV, Wireshark, etc.
  – Clearly we’ve got to rid ourselves of the buffer overflow to have a real shot at reliable computing
    • We’re finally seeing this begin to happen
    • Modern protections in 64 bit machines are impressive
• But, weak passwords, sniffing, lost hardware, social engineering, hardware modified in transit
  – Defenders have to think of it all! The attacker need only find one route in

Users

• Average Users
  – Just want to do their job, play games, edit pictures of the grand kids, whatever.
    • Need security training.
• Power Users
  – Growing. Many users have complex needs and those annoying Vista pop-ups, personal firewall issues, etc.
    • Just disable all that stuff, right? Need policies and training.
• Either way, 0day to the desktop
  – We still can’t trust our software

So what’s to be done?

• Totally depends on the scope of your organization
  – Someone has to sit down and think about these issues, and do the best you can with available money
    • ah… risk management, my favorite oxymoron
• Also totally depends on the layer at which you work
  – CIO response should differ from software developer or incident responder, or secretary

Let’s discuss some lower layer examples (more on each of these)

• Security at the Desktop is a MUST!
  • Who knows how to do this?
• Auditing the internal and external network policy is, at minimum, a show of due diligence
  • Penetration Tests are great for raising internal awareness
• Watch your website
  • Web auditing
• Fuzzing for security and robustness
  • Securing software … we hope the OS will continue to get stronger as well
• Responding to Security Incidents (IR)
  • Being prepared or knowing who to call

Desktop Security

• Could we go to a thin client that doesn’t save settings?
  – Pwned on Monday, clean on Tuesday?
  – Probably would save desktop support costs
• AV
  – Does it really help? Show proof.
• DLP
  – Does it really work? Show proof.
• Host hardening
  – Local policy lockdown, registry tweaks, etc.
  – No local Admin?
  – Looks like XP might hang on until Windows 7?

Network Management

• Wireless security
  – WEP, right? (not … how about WPA2 with AES)
• Database security
  – Talk to our British friend, Mr. Litchfield
• Server security
  – Lock ‘em down in VLANs while you’re at it
• Failover (Disaster/Continuity)
  – Redundant Internet links
  – Multiple servers
  – Nightly backups

Net Admin (Cont.)

• Network auditing: yesterday protection (not 0day)
  – Think something like Nessus to be sure your hosts are all up-to-date
  – Is there a better way to be sure boxes are built right the first time?
    • Imaging type solution
    • Allow real time updates from M$?
• Network activity monitoring and logging
  – The network is hostile, can your IDS find the needle?
    • Probably not … though anomaly detection could work on SCADA or other “quiet” networks
    • Keep good system logs anyway, this will be important again someday, when IDS finds a way to add value again

Web Auditing

• Think about all the issues we’ve seen
  – SQL injections
    • Input sanitization is the root problem for many bug types
  – PHP file inclusions
  – Old school CGI command injections
  – XSS
  – Insecure permissions on pages
  – Weak login schemes
  – Etc.
• Someone needs to be thinking about this for your organization
  – http://www.owasp.org/

Fuzzing

• Fuzzing for security and robustness
  – Since many applications still have to be developed in C type languages (able to manually manage memory)
    • For bonus pts, why isn’t the Vista Kernel dev’ed in .py?
  – Other languages could have stability issues if not exploitable overflows
    • A telecoms 0day == interruption of service
• Mutation vs. Generation
  – One is often quicker while the other tends to get better coverage. Boils down to cost. Read our book.

Incident Response (IR)

• Responding to Security Incidents. (How big is this onion anyway?)
  – 1st response team
  – The key here is handling information well
  – Disk forensics
    • Remember when the FBI came knocking? Old-school preservation style. Snag disk. Image it. Search it. Send you to jail. Do not pass go. Do not collect $200.
  – E-discovery
  – Live memory analysis
  – Malware analysis
• Can these actions be scaled to the Enterprise?
  – Probably, for the right price… but, process is key for court.

Enterprise Tools

• You can’t physically pull the disk off each workstation, can you?
• No, but virtually you can: Agent based
  – Push kernel module to desired hosts via SMS or PsExec
    • Host code is called “the servlet” by Guidance, Inc (EnCase).
  – Used to suck off permanent storage (hard disk data) and “live” memory (RAM)
    • Catalogs; only does full suckage when required
  – Scan disk for anomalous files
    • Guidance uses bit9 database; good, bad, or unknown → lots
  – Rate which ones look “worst”
    • Mandiant’s Red Curtain is freeware … I’m surprised EnCase Enterprise doesn’t have this feature

E-Discovery

• Key word searching across file, email, and even memory in some cases
• Used to discover interesting data
  – An example might be searching for the text string “SECRET” on an UNCLASSIFIED network
    • Why would we do that?
• Litigation is the word you’ll hear
  – The way hip Lawyers roll
  – Indicates a search for evidence during a particular court case to support one side or the other

Live Memory Analysis

• The kernel agent can collect all or some of running memory as well
• A tool like HBGary’s Responder could be used to analyze this memory
  – Memory-only Rootkits are TODAY’S threat
  – Good malware/rootkits may be able to avoid dirtying the disk altogether
    • If that’s so, how are you going to detect them with your current forensic toolkit?

Malware Analysis

• This is where it gets interesting
  – So, you’ve found some executable code and you either don’t know if it’s malware, or you know it is, but aren’t sure what it’s doing
    • How can you understand what this nasty business is doing to/on your host/network?
• Perhaps like other fields an “Art+Science”, but here I think we need more science.
  – We need a repeatable methodology that holds water in court if need be

High level thoughts on Malware

• For malware to be doing something useful (like stealing data) it’s likely got to be doing some type of network comms
  • Will likely use a covert channel, such as DNS or HTTP. Think Command & Control to do Data Exfil
• It will likely not want to be discovered
  • May download and install a rootkit and delete itself
  • Might just hide in plain sight … what’s in your sys32 dir?
• If discovered it desires to make analysis difficult
  • Packed, obfuscated, encrypted, jacked up in some other interesting way

Malware Analysis != IR

• So as we stated before, IR includes many steps
• Analyzing potential malware is just one of the steps
  – Some guys at Intel have done some cool new work addressing the IR information handling problem at large
    • Rapid Assessment & Potential Incident Examination Report
      – http://code.google.com/p/rapier

My Home Grown Malware Analysis

(Not an exhaustive or “best” list)

1. Document how the malware was discovered
2. Get the filename(s) of malware
3. View the file properties for kicks, though this information can easily be spoofed.
  – Note if much file property information is included
    • Vendor, etc.
  – What is the modified time?
  – What is the file size?
  – File hash? Use the WinMD5 utility
    • Google for this hash, you might get lucky
  – Mandiant’s freeware Red Curtain will give you a threat score
    • guess as to whether or not the file is Malicious
  – If you’re not worried about sharing, you can upload to http://www.virustotal.com (multiple virus scans)
  – http://www.norman.com/microsites/nsic/Technology/en-us (see in a bit)

Home Grown: File Inspection

4. If possible, determine how the file was created and if it includes obfuscation.
  – Open the file in PEiD.
5. If possible, determine if the PE headers look normal.
  – Open the file in PEView.
6. Open the file in IDA Pro
  – Are there any interesting strings?
  – Are the strings visible or obfuscated?
  – Is the code flow normal, or does it start with funny decryption/unpacking routines?
  – Save further REing for later unless something really sticks out. A dynamic run trace is the next best step in understanding your malware.
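Steps 3 to 6 are the part of the checklist that can be scripted, which also makes them repeatable (and defensible later). The following is an added example, not code from the deck: a Python triage script that records size and MD5, sanity-checks the PE header the way one would eyeball it in PEView, flags section-table anomalies that hint at a packer, and lists the strings visible without unpacking. The PE bytes are constructed in the script, and the "normal" section names and the writable+executable rule are assumptions for this demo.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

NORMAL_SECTIONS = {b".text", b".rdata", b".data", b".rsrc", b".reloc"}  # assumption: typical compiler names

def build_sample_pe(section_names):
    """Constructed minimal PE skeleton for the demo; not a real executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, N sections, TimeDateStamp (30 Jan 2008), 0xE0-byte optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 1201694400, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    sections = b""
    for i, name in enumerate(section_names):
        packed = name not in NORMAL_SECTIONS
        raw_size = 0 if packed else 0x200              # packer stub: virtual size but no raw data
        chars = 0xE0000020 if packed else 0x60000020   # code|exec|read, plus write when packed
        sections += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), raw_size, 0x400, 0, 0, 0, 0, chars)
    return dos + coff + opt + sections + b"\0LoadLibraryA\0GetProcAddress\0"

def triage(data):
    """Steps 3-6 automated: size, hash, header sanity, section anomalies, visible strings."""
    report = {"size": len(data), "md5": hashlib.md5(data).hexdigest(), "flags": []}
    if data[:2] != b"MZ":
        report["flags"].append("no MZ header")
        return report
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        report["flags"].append("bad PE signature")
        return report
    _, nsec, stamp, _, _, optsize, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    report["compile_time"] = datetime.fromtimestamp(stamp, timezone.utc).isoformat()
    off = e_lfanew + 24 + optsize                       # first IMAGE_SECTION_HEADER
    for _ in range(nsec):
        raw_name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if raw_name.rstrip(b"\0") not in NORMAL_SECTIONS:
            report["flags"].append(f"unusual section name {name}")
        if rawsize == 0 and vsize > 0:
            report["flags"].append(f"section {name} has no raw data (packer?)")
        if chars & 0x20000000 and chars & 0x80000000:
            report["flags"].append(f"section {name} is writable and executable")
        off += 40
    # strings readable without unpacking; very few of them is itself a hint of obfuscation
    report["strings"] = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", data)]
    return report

if __name__ == "__main__":
    for names in ([b".text", b".rdata"], [b"UPX0", b".text"]):
        r = triage(build_sample_pe(names))
        print(r["md5"], r["size"], r["flags"], r["strings"])
```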

Home Grown: Execution

7. Prepare to execute in your test lab
  – Take a VM snapshot so you can roll back after execution
  – Launch Wireshark.
  – Launch other utilities such as Process Explorer, file explorer, and Filemon if desired
  – Execute RegShot to get a baseline of the system
  – Launch the malware and note Registry changes and Network connections
    • Note whatever else interesting happens. CAUTION: At this point you are probably infected with something.
  – If it’s dialing out, it may be desirable to set up a fake server to play with command and control plus any data exfiltration it may have.

Home Grown: Dynamic Investigation

8. Reversing the Malware with Immunity Debugger, WinDbg, Responder
  – Yes, we’re talking just about Windows here
  – Roll back to the previous snapshot
  – For Inspector
    • Open the Wintel Node Agent Debugger in the VM
    • Start a new Inspector project
    • Connect to the debugger with Inspector
    • Start the malware via Inspector
    • Analyze the binary (may set bps)
    • Run the malware analysis plugin script to see what pops out
  – Cool freeware tools like: Malware Unpacking Framework For ImmDbg
    • http://muffi.googlecode.com/ by JMS

Home Grown: Dynamic Investigation

• Analyze key .dlls and set further breakpoints
  • WS2_32.dll and winsock.dll for network activity
    – WSARecvFrom, WSASendTo, etc.
  • Kernel32.dll for process manipulation and file modification
    – LoadLibrary, CreateProcess, FindFile, etc.
  • advapi32.dll for registry modifications
    – CreateNewKey, SetKeyValue, etc.
• Execute the software to begin a runtrace
  – A graph will begin to appear as the software is executed
    • Could be useful to search runtrace samples for strings such as IP address, passwords, etc.
    • How to proceed depends on the nature of the investigation/malware … more of an Art … ooops…

However, SandBoxes are cool

• A Sandbox/Sandnet attempts to automate prior steps and boil down results
  1. Quicker/Scales
  2. No hardcore RE person required
  3. Repeatable (Hold water in court?)
• However, could fail if
  • Too tricky
    – Virtualization detection and/or escape
      » Would be a problem for VM home grown solution too
      » Only an air gapped net solves this
    – Slow to use network, like 1 week after install
    – Will only run if in, for example, the Outlook directory, etc.
  • Manual/Static RE is required for complete analysis

Sample Output from Norman

[Name]: W32/Backdoor. Sig Name: Suspicious_P.gen
[ Detection Info ]
* Compressed: NO. TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 237562 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\service.exe.
* Deletes file 256.
[ Changes to registry ]
* Creates key "HKLM\Software\\Microsoft\\Windows".
* Sets value "Microsoft Update"="service.exe" in key "HKLM\Software\\Microsoft\\Windows".
* Creates key "HKCU\Software\".
* Sets value "Microsoft Update"="service.exe" in key "HKCU\Software\".

Sample Norman Output (cont.)

[ Network services ]
* Looks for an Internet connection.
* Connects to [REMOVED] on port 6667 (TCP).
* Connects to [REMOVED]
* IRC: Uses password [REMOVED]
* IRC: Uses nickname [REMOVED]
* IRC: Uses username [REMOVED]
* IRC: Joins channel [REMOVED] with password [REMOVED]
* IRC: Sets the usermode for user [REMOVED] to i.
[ Process/window information ]
* Creates a mutex By Crash.
* Creates process "C:\WINDOWS\SYSTEM32\service.exe".
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\service.exe (237562 bytes) : Suspicious_P.gen.
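The Norman report above is just bracketed sections of "* " lines, so the "boiling down" a sandbox does for us can also be done in a few lines of our own. As an added example (not code from the deck or from Norman), here is a Python parser for that format plus a handful of indicator rules applied to the report; the report text is re-typed as a constructed input, trimmed to the sections the rules look at, and the rules themselves are assumptions for the demo.

```python
import re

# Norman SandBox report as printed in the deck, constructed here as the parser's input
# (trimmed to the sections the rules below look at).
NORMAN_REPORT = r"""
[Name]: W32/Backdoor. Sig Name: Suspicious_P.gen
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 237562 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\service.exe.
[ Changes to registry ]
* Creates key "HKLM\Software\\Microsoft\\Windows".
* Sets value "Microsoft Update"="service.exe" in key "HKLM\Software\\Microsoft\\Windows".
[ Network services ]
* Connects to [REMOVED] on port 6667 (TCP).
* IRC: Joins channel [REMOVED] with password [REMOVED]
[ Process/window information ]
* Creates a mutex By Crash.
* Creates process "C:\WINDOWS\SYSTEM32\service.exe".
"""

SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")

def parse_report(text):
    """Turn the report into {section: [entries]}; entries lose the '* ' and trailing '.'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith("*") and current is not None:
            sections[current].append(line[1:].strip().rstrip("."))
    return sections

# (section, regex, what it means) -- assumptions for this demo, not Norman's own scoring
RULES = [
    ("Changes to filesystem", r"^Creates file .*\\system32\\", "drops a file into System32"),
    ("Changes to registry", r"^Sets value .*\.exe", "writes an executable path into the registry (persistence?)"),
    ("Network services", r"port 6667 \(TCP\)|^IRC:", "IRC traffic (likely command and control)"),
    ("Process/window information", r"^Creates a mutex", "creates a named mutex (single-instance check)"),
]

def assess(text):
    """Apply RULES to a parsed report; each rule fires at most once."""
    sections = parse_report(text)
    hits = [meaning for section, pattern, meaning in RULES
            if any(re.search(pattern, e, re.I) for e in sections.get(section, []))]
    return {"hits": hits, "verdict": "suspicious" if len(hits) >= 2 else "inconclusive"}
```

Run against the case-study report further down (only "Attempts to open CLSID …") the same rules fire nothing, which is exactly the "Norman pooped" outcome: a sandbox verdict is only as good as the behaviour the sample chose to show it.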

Case Study

• Got a file called sample.exe from a friend
• He wanted me to take a quick peek at it, since he thought it was ugly but no AV product he had could confirm that
• Let’s see what Norman says…

Hmm… in this case Norman pooped

sample.exe : Not detected by Sandbox (Signature: NO_VIRUS)
[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: NO
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
[ General information ]
* File length: 210944 bytes.
* MD5 hash: 27f4b3938997383576137cd7036dda25.
[ Process/window information ]
* Attempts to open CLSID {148BD52A-A2AB-11CE-B11F 00AA00530503}.

Case study: Try my home brew

1. Received a file from a friend
2. Name = “sample.exe”
3. File properties
  – Not much listed
  – Time: Looks unreliable
  – Size: 206KB
  – MD5: 27f4b3938997383576137cd7036dda25
  – Red Curtain reports that it looks malicious, as the threat score is over 1.0. See next slide.

Hash and Properties: Fairly normal here

Mandiant Red Curtain: >1 == badness

Case Study (cont.)

4. PEiD
  – No build type detectable, Win32 GUI
5. PEView
  – Looks normal
6. IDA Pro
  – Initial interesting strings:
    • Looks like a bunch of strings are present but are unreadable statically
  – Code looks funny … a lot of moving, XORing, etc. and then a LoadLibraryA + GetProcAddress to begin with
  – First func from main took ~100 int’s as parameters

PEID and PEView

IDA Pro

Case Study (cont.)

7. Upon Execution
  – Regshot noticed a bunch of changes
  – Wireshark snagged an outbound connection
    • Very suspect here

GET /upd/check?version=0.1unk&fxp=1d8af2a6eeb2863b26ca5ac162b60d5c784b0f4e5d972acacad8d535529e5ac14f14a867 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: KRSystem v1.0
Host: upd.host-domain-lookup.com
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Connection: close
Server: Yaws/1.68 Yet Another Web Server
Date: Wed, 30 Jan 2008 13:59:05 GMT
Content-Length: 13
Content-Type: text/html

not modified
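Three things make that request "very suspect" on sight: a User-Agent no browser sends, a long hex blob in the query string, and an update-style "check" path carrying a version. As an added example (not from the deck), here is a small Python request parser with those three heuristics, so the same judgement can be applied to every outbound request a proxy or sniffer hands you. The beacon text is the deck's capture re-typed as a constructed string; the benign comparison request and the list of expected User-Agent prefixes are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The request from the deck's Wireshark capture, re-typed here as a constructed string.
BEACON = ("GET /upd/check?version=0.1unk&fxp="
          "1d8af2a6eeb2863b26ca5ac162b60d5c784b0f4e5d972acacad8d535529e5ac14f14a867 HTTP/1.1\r\n"
          "Accept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: KRSystem v1.0\r\n"
          "Host: upd.host-domain-lookup.com\r\nConnection: Keep-Alive\r\n\r\n")
# A constructed benign request for comparison.
BENIGN = ("GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
          "Host: www.example.com\r\nConnection: Keep-Alive\r\n\r\n")

# Assumption: User-Agent prefixes this site expects from its workstations.
KNOWN_UA_PREFIXES = ("Mozilla/", "Microsoft-CryptoAPI/", "Windows-Update-Agent")

def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line plus a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}

def beacon_reasons(raw):
    """Why this request looks like a check-in rather than a user's browsing (empty if it doesn't)."""
    req = parse_request(raw)
    reasons = []
    ua = req["headers"].get("user-agent", "")
    if not ua.startswith(KNOWN_UA_PREFIXES):
        reasons.append(f"unrecognised User-Agent '{ua}'")
    url = urlsplit(req["target"])
    params = parse_qs(url.query)
    for key, values in params.items():
        for value in values:
            if re.fullmatch(r"[0-9a-fA-F]{32,}", value):   # host id, key material or encoded data?
                reasons.append(f"parameter '{key}' carries a {len(value)}-char hex blob")
    if "version" in params and url.path.rsplit("/", 1)[-1] in ("check", "update", "upd"):
        reasons.append(f"version-check path {url.path} (update beacon?)")
    return reasons

if __name__ == "__main__":
    for name, raw in (("beacon", BEACON), ("benign", BENIGN)):
        print(name, beacon_reasons(raw))
```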

Case Study (cont.)

8. Inspector
  – Reverted to clean snapshot, started remote debugger, started new project, connected to debugger, analyzed sample (this is cool, can bypass anti-debugging and packing), analyzed .dlls, viewed strings, etc…
  – Difficult to know which API calls to hook
  – MAP script provided convoluted results
  – Run trace not trivial to apply correctly
  – Graph unclear
  – All-in-all, not a great tool for a “first pass” look
    • Better for very advanced users
    • I am looking forward to their new “Responder” product, which attempts to find rootkits in running memory

Inspector Screen Shot

Other Sandboxes

• Norman pooped on this one
• This one did better
  – CWSandbox
• Tried some others as well
  – ThreatExpert
  – Joebox
  – Etc.

Sample XML from CWSandBox

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: KRSystem v1.0
Host: upd.host-domain-lookup.com
Connection: Keep-Alive

Small sampling of the total CW output

New CW Look

Hmm… states one of its primary actions, but I have a hunch it’s worse than that. Didn’t provide as much information as CWSandbox.

Joebox

• Gave some good information
• But doesn’t include network information, etc. yet
  – Seems to have good potential, but lacks robustness as of now

Boiling down results

• For large corps, scalability is important and Sandboxes give us that
  – However, like anything else, they’re not fail proof
• Norman boils down the results well
  – But didn’t work in this case
• ThreatExpert
  – Seemed ok
• Joebox has great potential
  – Missing key features
• CWSandbox did the best here IMHO
  – XML is busy, so new web interface is nice
  – Recent work to escape CW has been made public for kiddies

Summary

• Onions smell … security can too, but we keep at it.
  – We need to find ways to stem the tide of 0days
  – We need to find ways to detect memory-only Rootkits
    • Responder via EnCase? Or Mandiant’s MIR technology?
  – Once we do, malware won’t go away
    • Insider threat, thumb drive, hacked hardware in transit, etc.
  – We’ll need some sort of reliable computing help from our operating system/hardware
    • Hypervisor protection?
  – Monitoring, IR, and many other branches will always be important, even as roles and technology change