Commodity malware means YOU
1. Commodity malware means YOU!
And everybody in this room, let's
look at one called Dridex
Michael Gough – Founder
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love "properly" configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
"Windows Logging Cheat Sheet"
"Windows PowerShell Logging Cheat Sheet"
"Windows Splunk Logging Cheat Sheet"
"Malware Management Framework"
• Co-Creator of "Log-MD" – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
3. Goal
• Interaction – Don't be a Ding Dong, ask a
question… you WILL be rewarded for positive
synergy!
• Learn how us Ninjas do it so you can too
• We have a NEW Tool for YOU!!!
9. Top 8 threats
• These are what we see most
• What all of YOU see most
• The 20% of what AV focuses on
• We can learn a lot from this
10. Dridex movin on up
Mandiant M-Trends 2016 Report
11. More of the same
According to CheckPoint's ThreatCloud in 2015…
• 3000 different malware "families"
• 80% have been active for years, some for 8
years
• Top 100 which accounted for 90% of all
attacks in 2015, only 3 were new and were
outside the Top 40
• More proof Malware Management works
13. Sophos Says…
• 70% of malware is unique to 1 company (APT)
• 80% of malware is unique to 10 or less (APT)
• That means…
• 20% of malware is what the AV industry focuses
on, but it is what most of you and everyone in
this room sees and gets by:
– Attachments in email
– URL in email
– Surfing the web
• Ads
• WordPress, Drupal, Joomla…
14. Types of Malware
I say there are basically two types of malware:
• Commodity malware – The 20% the AV
industry focuses on
• Advanced malware – The 80% that the AV
industry does not focus on and "may" get
around to IF you force them by being a client
or if they have multiple customers that receive
it in a particular industry (e.g. retail PoS)
15. Commodity malware
• This is the stuff you and everyone in the room
gets and sees, your family, friends and clients
too
• Emails, URLs, surfing
• Most is Commodity malware
• Pwned Ad networks
• Some will be NEW
• Some will be APT
16. VirusTotal
• Commodity malware will be detected within a
few days
• APT… not so much
• I still have samples from 2012 that have ZERO
detection ;-(
• And I gave 12 AV companies a copy of it
• Shows how much they care about APT
17. Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Which means an RGE !!!
– Resume Generating Event
18. Before Dridex
• Zeus – 2007
– SpyEye evolved from Zeus
– Bugat/Cridex evolved from Zeus
– Gameover Zeus taken down 2014
• Bugat & Cridex – 2012
• Dridex – Late 2014
– Generated 15,000 emails daily
• C2 Servers taken down Dec 2015
• Now we have Locky
25. Dridex
• We have probably all seen one of these
• Did I say Commodity Malware?
• Uses Word documents that are hard for email
gateways to detect
• Yes, users have to "Enable Macros" but they
would NEVER do that…
26. Commodity Malware
Smarter than ever
• In 2015 I have witnessed things with
commodity malware usually reserved for APT
– Because they are evolving from APT
• More use of scripts to avoid AV detection
• More use of PowerShell backdoors!
• More stealthy persistence
28. Dridex Artifacts .BAT
• Do I have a network connection?
• What language am I?
• Set variables for the name of the .VBS script
29. Dridex Artifacts .VBS
• Notice the path %temp%
• Ah Hell…
• Build the PowerShell script execution
32. Dridex Artifacts - .PS1
• Domains to phone home to
• Path – %temp%
33. Dridex Artifacts - .PS1
• 8 + .exe – Payload name
• 444.jpg – Stats file looks like >>>>
• User Agent to emulate a browser
• Download the files
• Assemble the names .vbs, .jpg, .bat, .PS1
• Sleep 15
• Execute the payload – cmd.exe %file%
• Remove the files
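The .BAT to .VBS to .PS1 to payload chain on slides 28–33 runs entirely out of %temp%, so with process command-line auditing on it leaves a recognisable parent/child trail. The following is an added example (my code, not Michael Gough's or LOG-MD's) that walks constructed 4688-style process-creation records and flags any run of script interpreters launched with a .bat/.vbs/.ps1/.exe under a Temp directory; the record layout, PIDs, user and file names are all assumptions.

```python
import re

# Constructed process-creation records (fields modelled loosely on Windows
# 4688 / Sysmon EventID 1); PIDs, users and file names are made up.
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": '"WINWORD.EXE" /n invoice.doc'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c C:\Users\bob\AppData\Local\Temp\12345.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript //nologo C:\Users\bob\AppData\Local\Temp\12345.vbs"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\Users\bob\AppData\Local\Temp\12345.ps1"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe C:\Users\bob\AppData\Local\Temp\abcdefgh.exe"},
    # Benign admin script outside any Temp directory, for contrast.
    {"pid": 700, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -File C:\Scripts\inventory.ps1"},
]

# A stage = script interpreter/launcher given a .bat/.vbs/.ps1/.exe under Temp.
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
TEMP_ARTIFACT = re.compile(r"\\Temp\\[^\s\"]+\.(?:bat|vbs|ps1|exe)\b", re.I)

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def is_temp_script_stage(ev):
    return basename(ev["image"]) in INTERPRETERS and bool(TEMP_ARTIFACT.search(ev["cmd"]))

def find_temp_script_chains(events, min_stages=3):
    """Return PID chains (oldest ancestor first) of consecutive temp-script stages."""
    by_pid = {e["pid"]: e for e in events}
    staged = {e["pid"] for e in events if is_temp_script_stage(e)}
    chains = []
    for leaf in sorted(staged):
        if any(by_pid[c]["ppid"] == leaf for c in staged):
            continue                    # not the last stage; start from leaves only
        chain, cur = [], leaf
        while cur in staged:            # walk up while the parent is also a stage
            chain.append(cur)
            cur = by_pid[cur]["ppid"]
        if len(chain) >= min_stages:
            chains.append(chain[::-1])
    return chains

def describe_chain(events, chain):
    by_pid = {e["pid"]: e for e in events}
    return " -> ".join(basename(by_pid[p]["image"]) for p in chain)
```

A single PowerShell launch from Temp is noise on many hosts; requiring three or more consecutive interpreter stages from Temp is what separates this dropper pattern from an admin running a script.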
34. VM Aware… What do I say?
• Use Bare Bones to do analysis
35. Persistence
• New method towards the end of 2015
• Nothing in the Registry showing persistence while
system was running
• In memory only until system shutdown
• Then we caught the bugger, with good auditing of
course and
36. Malware Management
• Proof it works
• If you look at Zeus, Cridex and Dridex, you are
better prepared for Locky
• Learn from History
• Your defenses and detection MUST evolve too
• Read the malware analysis and breach reports
• Tweak your tools
• Focus on new kewl hooks and artifacts
37. How we harvested malware
• Yay Email!!!
• Since the primary delivery was Phishing, we were
able to grab copies of the Word documents
• Executed in the Lab
• Grabbed the artifacts
• Updated our Detection
• We knew if anyone fell for it and opened them
• We knew what to cleanup
38. How we harvested malware
• File Copy loop in Directories discovered
    @echo off
    cls
    REM Destination folder for everything the malware drops here
    md Captured
    :Redo
    REM /E all subdirs, /B backup mode, /r:0 no retries, /w:1 one-second wait,
    REM /np no progress output, /xo do not overwrite newer copies, /xd skip Captured itself
    robocopy . Captured /E /B /r:0 /w:1 /np /xo /xd Captured
    goto Redo
    :End
• Ninja Tip:
– Great to do in Labs for User space AppData
41. MalwareArchaeology.com
• Log and Malicious Discovery tool
• When you run the tool, it tells you what
auditing and settings to configure that it
requires. LOG-MD won't harvest anything
until you configure the system!
• Once the system and/or GPO is configured
1. Clear the logs
2. Infect the system
3. Run Log-MD
4. Review "Report.csv" in Excel
42. Functions
• Audit Report of log settings compared to:
– The "Windows Logging Cheat Sheet"
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• White lists to filter out the known good
– By IP Address
– By Process Command Line and/or Process Name
– By File and Registry locations (requires File and
Registry auditing to be set)
• Report.csv – data from logs specific to security
43. Purpose
• Malware Analysis Lab
• Investigate a suspect system
• Audit Advanced Audit Policy settings
• Help MOVE or PUSH security forward
• Give the IR folks what they need and the Feds too
• Take a full system (File and Reg) snapshot to compare to another
system and report the differences
• Discover tricky malware artifacts
• SPEED !
• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
• Replace several tools we use today with one easy to use utility that
does much more
• To answer the question: Is this system infected or clean?
• And do it quickly !
44. Free Edition
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process
and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden
payloads
45. MalwareArchaeology.com
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Harvest WLS Logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• Free updates for 1 year, expect a new release
every quarter
• Manual – How to use LOG-MD Professional
46. MalwareArchaeology.com
Future Versions – In the works!
• WhoIs lookups of IP Addresses called
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes
and services
• PowerShell details
• Other API calls to security vendors
51. Use the power of Excel
• The reports are in .CSV format
• Excel has sorting and Filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them
to your whitelist once vetted
• Save to .XLS and format, color code and
produce your report
• For .TXT files use NotePad++
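The whitelists on slide 42 (by IP, by process name or command line, by file and registry location) and the Excel filtering on slide 51 are the same operation: drop the vetted known-good and review what is left. As an added example, not LOG-MD's code, here is that filter over constructed rows shaped like a Report.csv; the column names, the whitelist entries and every value in the rows are assumptions, not LOG-MD's real schema.

```python
import csv
import fnmatch
import io
import ipaddress

# Constructed rows in the spirit of a LOG-MD Report.csv (column names are an
# assumption). Object = the audited file path or registry key, where any.
SAMPLE_REPORT = r"""EventID,Process,CommandLine,DestIP,Object
4688,svchost.exe,svchost.exe -k netsvcs,,
4688,powershell.exe,powershell -File C:\Scripts\inventory.ps1,,
4688,powershell.exe,powershell -ExecutionPolicy Bypass -File C:\Users\bob\AppData\Local\Temp\12345.ps1,,
5156,powershell.exe,,10.0.0.5,
5156,powershell.exe,,203.0.113.77,
4663,powershell.exe,,,C:\Users\bob\AppData\Local\Temp\abcdefgh.exe
4657,explorer.exe,,,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
4657,msiexec.exe,,,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office
"""

# Constructed whitelist: internal ranges, vetted process names and command
# lines, and file/registry locations that are noisy but expected.
WHITELIST = {
    "ips": ["10.0.0.0/8"],
    "processes": ["svchost.exe"],
    "cmdlines": [r"powershell -File C:\Scripts\*"],
    "objects": [r"C:\Windows\System32\*",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"],
}

def _glob_any(value, patterns):
    # Case-insensitive glob match, since Windows names and paths are.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_whitelisted(row, wl):
    if row["DestIP"]:
        ip = ipaddress.ip_address(row["DestIP"])
        if any(ip in ipaddress.ip_network(net) for net in wl["ips"]):
            return True
    # Process name alone is a weak key: fine for services like svchost, but
    # interpreters such as powershell.exe should be whitelisted by command line.
    if _glob_any(row["Process"], wl["processes"]):
        return True
    if row["CommandLine"] and _glob_any(row["CommandLine"], wl["cmdlines"]):
        return True
    if row["Object"] and _glob_any(row["Object"], wl["objects"]):
        return True
    return False

def filter_report(csv_text, wl):
    # Rows that survive are what you open in Excel and vet before widening the list.
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if not is_whitelisted(r, wl)]
```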
52. So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IPs to enter into Log Management to see
WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!
53. Resources
• Websites
– Log-MD.com The tool
• The "Windows Logging Cheat Sheet"
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare
– Search for MalwareArchaeology or LOG-MD
54. Testers for RC-1
• May 1st 2016 – launch date
• Looking for a few good testers…
– of LOG-MD Professional
• Test the manual and tool and provide feedback
• You WILL be rewarded for the effort ;-)
• You heard it here first !
• A gift from your local Austin Security
Professionals
55. Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net – LinkedIn now