Sandbox vs manual malware analysis v1.1

1,158 views

Published on

DerbyCon 2016
Malware Archaeology
LOG-MD

Published in: Technology

  1. Are malware sandboxes as good as manual analysis?
     Michael Gough – Founder, MalwareArchaeology.com
     Co-creator of MalwareArchaeology.com
  2. Who am I
     • Blue Team Defender Ninja, Malware Archaeologist, Logoholic
     • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
     • Creator of
       – Malware Management Framework
       – Several Windows Logging Cheat Sheets
     • Co-Creator of “Log-MD” – Log Malicious Discovery Tool
       – With @Boettcherpwned
     • Brakeing Down Security PodCast
       – @BrakeSec
     • @HackerHurricane and also my Blog MalwareArchaeology.com
  3. Malware evolves
     • So must we
     • Darwin says so
     • Evolve or die
     • Well… Evolve or get breached anyways
     • Getting breached means an RGE !!!
       – Resume Generating Event
  4. And because you want to catch these guys… or worse
     • Ben Ten (Not PowerShell)
     • Carlos (MetaSploit)
     • Dave (SET)
     • Kevin too (Pen Tester)
  5. So what is sandbox analysis?
  6. Sandbox analysis
     • You have a piece of malware and want to get a quick analysis of the sample
     • So you use a Cloud based analysis solution
     • Or roll your own
     • Generally built on VMs (not bare bones HW)
     • Also solutions used by border devices like Email, Web Proxies, Next Gen Firewall Cloud add-ons and automated reversing solutions
  7. Free Sandbox solutions
     • Hybrid-Analysis (Payload Security Free) (32bit only)
     • Malwr.com (Free)
     • Comodo Instant Malware Analysis (Free)
     • DeepViz (Free)
     • ThreatExpert (Free)
     • viCheck (Free)
     • VirusTotal? (Free and Paid)
     • Lenny Zeltser’s website:
       – https://zeltser.com/automated-malware-analysis/
  8. Paid Sandbox solutions
     • Payload Security (Paid)
     • Joe Sandbox Cloud (Paid)
     • Lastline (Paid)
     • Reversing Labs (Paid)
     • Binary Guard (Paid) (Bare metal)
     • ThreatTrack (Paid)
     • Lenny Zeltser’s website:
       – https://zeltser.com/automated-malware-analysis/
  9. Sandbox solutions – Build your own
     • Cuckoo Sandbox
     • REMnux – Lenny Zeltser’s NIX Distro
     • Zero Wine (Linux)
     • Buster Sandbox
     • Malheur
     • Cloud Server with your configuration
     • You must harden the Sandbox to look as real (bare bones) as possible
     • Lenny Zeltser’s website:
       – https://zeltser.com/malware-analysis-tool-frameworks/
  10. What is Manual Analysis?
  11. Manual Analysis – My definition
      • Evaluation of malware on a bare bones or bare metal system to exactly mimic what is used in production
      • No Virtual Machines
      • No Cloud
      • Might mimic the VM environment in use like ESXi, XEN, Hyper-V, AWS, etc. but can still do it on bare bones
      • That you can do quickly! < 1hr
  12. Manual Analysis
      • Detonate the malware on bare bones or bare metal hardware
      • Use whatever tools you want
        – I have a training course on Malware Discovery and Basic Analysis (Bite me Tyler ;-)
      • Treat malware like it was designed
        – To be detonated on bare bones or bare metal hardware
  13. So what is the difference? Really???
  14. The Future – My Prediction
      • Cloud and VM based solutions will need to have a bare bones / bare metal option to deal with malware that will not detonate on sandboxes
      • Sandbox solutions will need to create Virtual solutions to match the VM environments we use like XEN, ESXi, AWS, Hyper-V, etc.
      • Malware WILL evolve to detonate only on what it was designed for, to avoid analysis
  15. Time to disclose a Cloud provider that has a serious flaw ;-)
  16. Hey, I got a FAX!!!
      • Typical Phish
      • A FAX.. SERIOUSLY?
      • So 90’s…
      • Word Doc attached
      • Date: 08/30/16
      • Time: 11:15am
  17. Simple Manual Analysis
      • 7-Zip
      • Contains Macros
  18. Simple Manual Analysis
      • Strings or Type
      • Shows a Macro
      • “Document_Open” shows autorun when the document is opened
  19. Simple Manual Analysis
      • OfficeMalScanner – Seems malicious
  20. Simple Manual Analysis
      • In 1 minute or less I was able to tell this Word DOC is malicious with very basic analysis
      • To be certain the file is bad, we could detonate it in a lab or an online solution
      • Let’s see what the fancy pants Email Cloud Sandbox says about it
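The one-minute triage on slides 17-20 (unpack with 7-Zip, run strings, look for Document_Open, let OfficeMalScanner say "seems malicious") can be scripted. The following is an added example, not a script from the deck or from Log-MD: it opens the attachment's macro container in memory and scans it for auto-execute entry points and the keywords a downloader macro usually needs. The two .docm-like files it checks are constructed inline (plain text stands in for the VBA stream), not the FAX phish from the talk; the AUTO_EXEC and SUSPICIOUS lists are the author's own choices.

```python
"""Static triage of an Office attachment for macro indicators.

Added example, not a script from the deck or from Log-MD: it mirrors the
7-Zip / strings / OfficeMalScanner steps on slides 17-19 by opening the
attachment's macro container in memory and scanning it for auto-execute entry
points such as Document_Open. The files below are constructed inline for the
example; they are not the FAX phish from the talk.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) container

# Procedure names Office runs as soon as the file is opened or closed.
AUTO_EXEC = [b"Document_Open", b"AutoOpen", b"Auto_Open", b"Workbook_Open",
             b"Document_Close", b"AutoClose", b"AutoExec"]
# Keywords that commonly accompany a downloader / dropper macro.
SUSPICIOUS = [b"Shell", b"WScript.Shell", b"CreateObject", b"URLDownloadToFile",
              b"Environ", b"powershell"]


def vba_blobs(data):
    """Return the byte ranges that can hold VBA: the whole OLE file, or every
    vbaProject.bin entry inside an OOXML zip (the same entry 7-Zip shows)."""
    if data.startswith(OLE_MAGIC):
        return [data]
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zf.read(n) for n in zf.namelist()
                    if n.lower().endswith("vbaproject.bin")]
    return []


def macro_indicators(data):
    """Report which auto-exec and suspicious strings appear in the macro container.

    Caveat: VBA source in OLE streams is MS-OVBA compressed, so a raw string scan
    is a fast first look like `strings`, not proof; a module that compresses well
    can hide these names. A hit means "seems malicious" (slide 19), and only
    detonation or a full VBA decompressor settles it (slide 20).
    """
    blobs = vba_blobs(data)
    auto = sorted({k.decode() for b in blobs for k in AUTO_EXEC if k in b})
    susp = sorted({k.decode() for b in blobs for k in SUSPICIOUS if k in b})
    if auto and susp:
        verdict = "seems malicious"
    elif blobs:
        verdict = "has macro container"
    else:
        verdict = "no macro container"
    return {"has_macro_container": bool(blobs), "auto_exec": auto,
            "suspicious": susp, "verdict": verdict}


def build_sample_docm(vba_stream):
    """Construct a minimal .docm-like zip with a vbaProject.bin entry (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", vba_stream)
    return buf.getvalue()


# Constructed samples: plain text standing in for the (normally compressed) VBA stream.
SAMPLE_BAD = build_sample_docm(
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b"Sub Document_Open()\r\n"
    b'    Set o = CreateObject("WScript.Shell")\r\n'
    b"    ' URLDownloadToFile / o.Run calls would follow here (elided)\r\n"
    b"End Sub\r\n")
SAMPLE_CLEAN = build_sample_docm(
    b'Attribute VB_Name = "ThisDocument"\r\nSub FormatTable()\r\nEnd Sub\r\n')

if __name__ == "__main__":
    for name, blob in (("fax.docm", SAMPLE_BAD), ("report.docm", SAMPLE_CLEAN)):
        print(name, macro_indicators(blob))
```

The verdict is deliberately graded: a macro container alone is "has macro container" (plenty of finance spreadsheets have one), and only an auto-exec name together with a dropper keyword earns "seems malicious", which is the same confidence level the slide gives OfficeMalScanner.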
  21. Email Gateway
      • Date: 08/30/16
      • Time: 12:02pm
      • 47 Mins later, another copy
      CLEAN ???
  22. And a couple more…
      • Clean???
      VawTrak
  23. Even AV actually caught it
      • Same Day !
      VawTrak
  24. VirusTotal
      • VT Score 28/53
      • Date: 9/8/16
      • 8 Days later
      • AV has a Sig
      • Clearly BAD
  25. Let’s see what a Cloud analysis shows
  26. Reverse.IT
  27. Reverse.IT
  28. Reverse.IT
  29. Reversing Labs
  30. Anubis – Now shut down
  31. MALWR
  32. ThreatExpert
  33. viCheck
  34. Artifacts / Indicators
      • What do we want to get out of any analysis?
        – URLs: what websites were visited
        – IPs: communications
        – Filenames: what files were added
        – Directories used: where does it live
        – Autoruns used: how does it launch
        – Config changes: what changed
        – Metadata: details
        – Signed: digital signatures
        – Behavior: what actually happened
        – Network info: traffic behavior, Net Flow
  35. Artifacts / Indicators
      • Why do we want this data?
      • We need to know who else got infected
        – The IPs and URLs
      • What was added
      • What was changed
      • So we know whether to
        – Re-image
        – IF we can clean it up
  36. Now let’s see what Manual analysis shows
  37. Artifacts – URLs
      • A little script I run during analysis
      • And…
      • Google
  38. Process Artifacts
      • What launched
      • Linked processes – Bad EXE calls WinHost32.exe
      (Screenshot columns: Creator ID, Process ID, Process Name)
  39. Artifacts – IPs
      • What talked to Whom
      • Wait… WinHost32 did not show up in the Cloud Analysis
  40. File & Dir Artifacts
      • Files involved
      • Directories involved
  41. Persistence
      • Run Key created
  42. Artifacts – Sysmon
      • What loaded the image
      • Signed or not
      • Hashes
  43. • Another little script I run
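Slides 38-42 are the point of the whole comparison: the manual pass lines up Creator ID, Process ID and Process Name and sees that the bad EXE launched WinHost32.exe, which the cloud reports missed. The script below is an added example, not one of the speaker's "little scripts": it links constructed Sysmon Event ID 1 style records (ProcessId, ParentProcessId, Image, CommandLine, Hashes) into a parent/child tree, walks the chain for any process, and flags executables running from user-writable paths, which is the WHERE slide 57 asks for. The PIDs, paths and hashes are sample data, not events from the talk, and the USER_WRITABLE list is an assumption.

```python
"""Link process-creation records into a Creator ID -> Process ID tree.

Added example, not one of the speaker's own scripts: slide 38 lines up
Creator ID, Process ID and Process Name to show the bad EXE launching
WinHost32.exe, and slide 57 asks WHERE it executed from. The records below are
constructed Sysmon Event ID 1 style fields (ProcessId, ParentProcessId, Image,
CommandLine, Hashes); they are sample data, not events from the talk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    ppid: int        # Sysmon ParentProcessId, the "Creator ID" column
    image: str       # full path, as Sysmon logs it
    cmdline: str
    sha256: str      # from the Hashes field (constructed values here)


# Constructed chain: Explorer -> Word opens the phish -> dropped EXE -> WinHost32.exe
EVENTS = [
    ProcCreate(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe", "a1" * 32),
    ProcCreate(2000, 1000, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
               '"WINWORD.EXE" /n fax.doc', "b2" * 32),
    ProcCreate(3000, 2000, r"C:\Users\mg\AppData\Local\Temp\bad.exe", "bad.exe", "c3" * 32),
    ProcCreate(3100, 3000, r"C:\Users\mg\AppData\Roaming\WinHost32.exe", "WinHost32.exe", "d4" * 32),
    ProcCreate(2100, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe", "e5" * 32),
]

# Locations a normal install never executes from (assumed list); a hit is the WHERE worth chasing.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def ancestry(events, pid):
    """Image names from the root ancestor down to pid, following Creator IDs."""
    idx = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in idx and pid not in seen:     # seen guards against PID-reuse loops
        seen.add(pid)
        chain.append(idx[pid].image.rsplit("\\", 1)[-1])
        pid = idx[pid].ppid
    return chain[::-1]


def descendants(events, pid):
    """Everything launched, directly or indirectly, by pid (the linked processes)."""
    out, frontier = [], [pid]
    while frontier:
        parent = frontier.pop()
        for e in events:
            if e.ppid == parent:
                out.append(e)
                frontier.append(e.pid)
    return out


def suspicious_launches(events):
    """Executables running from user-writable paths, with ancestry and hash, so the
    path and hash can be searched across other hosts in log management."""
    return [{"pid": e.pid, "image": e.image, "sha256": e.sha256,
             "chain": " -> ".join(ancestry(events, e.pid))}
            for e in events
            if any(d in e.image.lower() for d in USER_WRITABLE)]


if __name__ == "__main__":
    for hit in suspicious_launches(EVENTS):
        print(hit)
    print([e.image for e in descendants(EVENTS, 2000)])
```

Run against real Sysmon exports, the same three functions answer the slide's three questions in order: what launched (the chain for each flagged PID), what it linked to (descendants of the Office process), and what to search for elsewhere (the hash and path on each hit).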
  44. Let’s Compare
  45. Artifacts / Indicators         Cloud   Manual
      – URLs                         Yes     Yes
      – IPs                          No      Yes
      – All Filenames                Some    Yes
      – All Directories used         Some    Yes
      – Autoruns used                No      Yes
      – Config changes               No      Yes
      – Metadata                     Yes     Yes
      – Signed                       Yes     Yes
      – Behavior                     No      Yes
  46. Sandbox or Manual?
      • Paid solutions work better than Free ones
      • Many samples failed to execute due to VM-aware checks
      • Not as much detail as you can get yourself (IMHO)
      • You CAN do as good a job as sandbox solutions
      • Sandbox solutions are good for multiple samples after you have evaluated one using manual analysis so you can compare results
  47. So what do we use for manual analysis?
  48. LOG-MD
      • Log and Malicious Discovery tool
      • When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system!
      • So it answers the “How to check” for the “What to set” I already told you about
  49. Functions
      • Audit Report of log settings compared to:
        – The “Windows Logging Cheat Sheet”
        – Center for Internet Security (CIS) Benchmarks
        – Also USGCB and AU ACSC
      • White lists to filter out the known good
        – By IP Address
        – By Process Command Line and/or Process Name
        – By File and Registry locations (requires File and Registry auditing to be set)
      • Report.csv – data from logs specific to security
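The three whitelist types on slide 49 are what turn a log harvest into a short review queue. As an added example (not Log-MD's code or its whitelist format), the script below filters a handful of constructed events by IP range, by process command line pattern, and by file or registry location, and keeps whatever no entry explains. The whitelist entries, the addresses (RFC 5737 documentation ranges) and the event values are sample data, not the speaker's configuration.

```python
"""Whitelist known-good activity out of harvested log data.

Added example, not Log-MD's code or whitelist format: it implements the three
whitelist types slide 49 lists (by IP address, by process command line / name,
by file and registry location) over constructed events so only the unexplained
activity is left for review. Entries and events are sample values.
"""
import fnmatch
import ipaddress
import re

WHITELIST = {
    # Networks the host is expected to talk to: internal ranges plus one update server.
    "ips": ["10.0.0.0/8", "192.168.0.0/16", "203.0.113.10/32"],
    # Process / command-line patterns for routine activity (case-insensitive regex).
    "cmdlines": [r"^C:\\Windows\\System32\\svchost\.exe -k .*$",
                 r"^.*\\WINWORD\.EXE\b.*$"],
    # File and registry locations where churn is normal (glob, case-insensitive).
    "paths": [r"C:\Windows\Temp\*",
              r"C:\ProgramData\Microsoft\Windows Defender\*",
              r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\*"],
}

# Constructed harvest: (kind, value) pairs as they would come out of the event fields
# DestinationIp (Sysmon 3), CommandLine (Sysmon 1) and ObjectName (4663/4657).
EVENTS = [
    ("ip", "10.1.2.3"),
    ("ip", "203.0.113.10"),
    ("ip", "198.51.100.77"),
    ("cmdline", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("cmdline", r"C:\Users\mg\AppData\Roaming\WinHost32.exe"),
    ("path", r"C:\Windows\Temp\MpCmdRun.log"),
    ("path", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinHost"),
    ("path", r"C:\Users\mg\AppData\Roaming\WinHost32.exe"),
]


def compile_whitelist(wl):
    """Parse the entries once: networks, compiled regexes, lower-cased globs."""
    return {
        "ips": [ipaddress.ip_network(n) for n in wl["ips"]],
        "cmdlines": [re.compile(p, re.IGNORECASE) for p in wl["cmdlines"]],
        "paths": [g.lower() for g in wl["paths"]],
    }


def is_known_good(kind, value, cwl):
    """True only when some whitelist entry of the matching kind explains the value."""
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False          # an unparsable address is never silently dropped
        return any(addr in net for net in cwl["ips"])
    if kind == "cmdline":
        return any(r.match(value) for r in cwl["cmdlines"])
    if kind == "path":
        # fnmatch treats backslashes literally, so Windows paths need no escaping.
        return any(fnmatch.fnmatchcase(value.lower(), g) for g in cwl["paths"])
    return False


def review_queue(events, wl=WHITELIST):
    """Return the events no whitelist entry explains, in their original order."""
    cwl = compile_whitelist(wl)
    return [(kind, value) for kind, value in events if not is_known_good(kind, value, cwl)]


if __name__ == "__main__":
    for kind, value in review_queue(EVENTS):
        print(f"REVIEW {kind:8} {value}")
```

Two design points carry over to any real whitelist: unknown kinds and unparsable values fall through as "not known good" rather than disappearing, and path globs are matched case-insensitively because Windows paths are, so an entry does not silently miss a differently-cased log line.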
  50. Audit Settings Report
  51. Summary of Reports
  52. Purpose
      • Malware Analysis Lab – Why we initially developed it
      • Investigate a suspect system
      • Audit the Windows Advanced Audit Policy settings
      • Help MOVE or PUSH security forward
      • Give the IR folks what they need and the Feds too
      • Take a full system (File and Reg) snapshot to compare to another system and report the differences
      • Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns)
      • SPEED !
      • Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
      • Replace several tools we use today with one easy to use utility that does much more
      • Replace several older tools and GUI tools
      • To answer the question: Is this system infected or clean?
      • And do it quickly !
  53. Free Edition
      • Audit your settings – Do you comply?
      • Harvest security relevant log data
      • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
      • Perform a full File Baseline of a system
      • Compare a suspect system to a Baseline or Dir
      • Perform a full Registry snapshot of a system
      • Compare a suspect system to a Reg Baseline
      • Look for Large Registry Keys for hidden payloads
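The baseline features on slides 52-53 (file baseline, compare a suspect system to it, registry snapshot, large registry keys) come down to two operations: a hash snapshot diff and a size outlier check. The block below is an added example, not Log-MD's own code or its snapshot format. snapshot_tree() shows how a baseline is produced on disk; the baseline and suspect dictionaries and the registry value sizes are constructed sample data, and the 20 KB threshold is an assumption of this example, not Log-MD's setting.

```python
"""Baseline comparison and large-registry-value check.

Added example, not Log-MD's own code or snapshot format: slide 53 lists a full
File Baseline, comparing a suspect system to it, a Registry snapshot, and a
search for large registry keys hiding payloads. The dictionaries below are
constructed sample data; the 20 KB threshold is an assumption of this example.
"""
import hashlib
import os


def snapshot_tree(root):
    """Hash every file under root into {relative path: sha256}. Run once on a clean
    build to make the baseline, again on the suspect system to compare."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(baseline, suspect):
    """Files that appeared, vanished, or changed hash between the two snapshots."""
    base_keys, susp_keys = set(baseline), set(suspect)
    return {
        "added": sorted(susp_keys - base_keys),
        "removed": sorted(base_keys - susp_keys),
        "changed": sorted(p for p in base_keys & susp_keys if baseline[p] != suspect[p]),
    }


def large_registry_values(values, threshold=20_000):
    """Registry data is normally bytes to a few KB; values of tens of KB are unusual
    enough to inspect (assumed threshold). Largest first, then by path."""
    return sorted((p for p, size in values.items() if size >= threshold),
                  key=lambda p: (-values[p], p))


# Constructed snapshots (path -> sha256) and registry value sizes (value -> bytes).
BASELINE = {
    r"Windows\System32\notepad.exe": "11" * 32,
    r"Windows\System32\drivers\etc\hosts": "22" * 32,
    r"Users\mg\AppData\Roaming\Microsoft\Word\Normal.dotm": "33" * 32,
}
SUSPECT = {
    r"Windows\System32\notepad.exe": "11" * 32,
    r"Windows\System32\drivers\etc\hosts": "99" * 32,           # modified
    r"Users\mg\AppData\Roaming\Microsoft\Word\Normal.dotm": "33" * 32,
    r"Users\mg\AppData\Roaming\WinHost32.exe": "44" * 32,       # new
}
REG_SIZES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinHost": 58,
    r"HKCU\Software\Classes\AppX\Blob": 184_320,                  # ~180 KB value
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName": 22,
}

if __name__ == "__main__":
    print(diff_snapshots(BASELINE, SUSPECT))
    print(large_registry_values(REG_SIZES))
```

The diff is what decides the re-image question on slide 35: a modified hosts file and a new EXE under AppData are exactly the "what was added, what was changed" lines, and the oversized registry value is the kind of place a payload is stashed so that a file-only baseline never sees it.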
  54. LOG-MD Professional
      • Everything the Free Edition does and…
      • More reports, breakdown of things to look for
      • Specify the Output directory
      • Harvest Sysmon logs
      • Whitelist Hash compare results
      • Whitelist Registry compare results
      • Create a Master-Digest to exclude unique files
      • Free updates for 1 year, expect a new release every quarter
      • Manual – How to use LOG-MD Professional
  55. Future Versions – In the works!
      • PowerShell details
      • WhoIs lookups of IP Addresses called
      • VirusTotal lookups of discovered files
      • Find parent-less processes
      • Assess all processes and create a Whitelist
      • Assess all services and create a Whitelist
      • VirusTotal lookups of unknown or new processes and services
      • Other API calls to security vendors
  56. NEW Feature!
      • WhoIs lookups of IPs
      VawTrak
  57. So what do we get?
      • WHAT Processes executed
      • WHERE it executed from
      • IPs to enter into Log Management to see WHO else opened the malware
      • Details needed to remediate infection
      • Details to improve your Active Defense!
      • I did this in… 15 Minutes!
  58. Resources
      • Websites
        – Log-MD.com – The tool
      • The “Windows Logging Cheat Sheet”
        – MalwareArchaeology.com
      • Malware Analysis Report links too
        – To start your Malware Management program
      • This presentation is on SlideShare and website
        – Search for MalwareArchaeology or LOG-MD
  59. Questions?
      You can find us at:
      • Log-MD.com
      • @HackerHurricane
      • @Boettcherpwned
      • MalwareArchaeology.com
      • HackerHurricane.com (blog)
      • MalwareManagementFramework.Org
      • http://www.slideshare.net – LinkedIn now
