Más contenido relacionado La actualidad más candente (20) Similar a Zero Day Malware Detection/Prevention Using Open Source Software (20) Zero Day Malware Detection/Prevention Using Open Source Software1. Copyright © 2015 CyberSecurity MalaysiaCopyright © 2015 CyberSecurity Malaysia
ZERO DAY MALWARE
DETECTION/PREVENTION USING
OPEN SOURCE SOFTWARE
PROOF OF CONCEPT
Malware Research
Center
MyCERT
2. Copyright © 2015 CyberSecurity Malaysia
Outline
• Introduction
• Motivations
• Objective
• Process Flow
• The Open Source components
• Moving Forward
2
3. Copyright © 2015 CyberSecurity Malaysia
Introduction
• Fathi Kamil Bin Mohad Zainuddin.
• Senior Analyst in Malware Research
Centre, MyCERT.
3
4. Copyright © 2015 CyberSecurity Malaysia
Introduction
• Computer security issues have emerged ever since the
Internet was introduced. Organizations and security
researchers have increased the efforts in ensuring that
security threats are detected and mitigated in a timely
manner. Today, as computer attacks tend to be malware-
centric, the cyber criminals have introduced
sophistication in their attack techniques that makes the
traditional way of protecting the enterprise with firewalls,
intrusion detection systems and antivirus software at the
network perimeter ineffective.
4
5. Copyright © 2015 CyberSecurity Malaysia
Introduction
• To produce tools or capability on 0-day malware
detection / prevention using open source software.
• There are many Open Source network security
components doing their purpose very well in the market.
• Known Open Source network security product such as
Snort, Suricata, Dionaea, Kippo, Glastopf, Ntop, Xplico,
Wireshark, etc.
• All we need is to glue them to achieve our purpose.
5
6. Copyright © 2015 CyberSecurity Malaysia
Motivations
• We have deployed LebahNet (Honeynet) previously, but
later we found out that:
– Dionaea plugins are difficult to maintain in order to follow
the vulnerability trends to get new malware binaries.
– We need an expert to maintain the plugins.
– We have done some attack simulation using Metasploit but
produced poor results. Not all vulnerability attacks
captured by Dionaea.
• Network packets contains many information which might
also include malicious documents, binaries and web
communication which are not extracted from the
network.
6
7. Copyright © 2015 CyberSecurity Malaysia
Objective
• Capture & identify the malicious documents,
binaries, and web accesses from the network
through packet capturing.
• Simulating the malicious files / webs in sandbox
environment.
• Collect known malicious information provided by
sandbox into a central database.
• Generate callback signature from sandbox result to
detect/prevent further malicious activities.
• Distribute malicious information among sensors.
7
8. Copyright © 2015 CyberSecurity Malaysia
Components – Network IDS / IPS
8
• Suricata is a high performance Network IDS, IPS and
Network Security Monitoring engine.
• Top 3 reasons:
– Highly Scalable.
– Protocol Identification.
– File Identification, MD5 Checksums, and File Extraction.
• For the purpose, Suricata can produce:
– Alert log.
– File extraction based on signature within HTTP & SMTP.
http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/
http://blog.inliniac.net/2014/11/11/smtp-file-extraction-in-suricata/
– HTTP log.
9. Copyright © 2015 CyberSecurity Malaysia
Components – Network IDS / IPS
• Enabling file extraction - /etc/suricata/suricata.yml
9
10. Copyright © 2015 CyberSecurity Malaysia
Components – Network IDS / IPS
• Suricata file extraction rules -
/etc/suricata/rules/files.rules
10
11. Copyright © 2015 CyberSecurity Malaysia
Components – Network IDS / IPS
• File extraction output - /var/log/suricata/files/
11
12. Copyright © 2015 CyberSecurity Malaysia
Components – Network IDS / IPS
• HTTP Logs
12
13. Copyright © 2015 CyberSecurity Malaysia
Components – Network IDS / IPS
• Drawback - High CPU processing
• Suricata is a high performance NIDS/NIPS and utilizing all
CPU cores compared to Snort NIDS/NIPS. It will utilizing
GPU cores.
• PF_RING can be used to bypass Linux OS TCP/IP stack.
Suricata running in userspace will get direct access to the
network buffer from the network card (kernelspace) without
going through most of OS layers.
• You might want to read an article in 2012 “Suricata, to
10Gbps and beyond”
https://home.regit.org/2012/07/suricata-to-10gbps-and-
beyond/
13
14. Copyright © 2015 CyberSecurity Malaysia
Components – Sandboxing
14
• Cuckoo Sandbox is a malware analysis system.
• It produces native functions and Windows API calls
traces, copies of files created and deleted from the file
system, dump of the memory of the selected process,
full memory dump of the analysis machine, screenshots
of the desktop during the execution of the malware
analysis, network dump generated by the machine used
for the analysis.
• For the purpose, extracted files / web access from the
Suricata will be tested in simulation environment using
Cuckoo Sandbox.
15. Copyright © 2015 CyberSecurity Malaysia
Components – Sandboxing (Anti-
VM)
• Nowadays malware equipped with anti-VM code to
detect if it is running inside sandbox environment
through registry, CPU flags, BIOS, file system, etc.
• Bypassing Sandboxes For Fun
https://www.botconf.eu/bypassing-sandboxes-for-fun/
• Defeat anti-VM malware, refer VMCloak,
VBoxAntiVMDetectHardened, etc.
• You can try using Pafish to detect whether you are
running inside virtualization / sandbox environment.
https://github.com/a0rtega/pafish
15
16. Copyright © 2015 CyberSecurity Malaysia
Components – Sandboxing (Anti-
VM)
• Hardened Anti-VM Detection
16
17. Copyright © 2015 CyberSecurity Malaysia
Components – Sandboxing (Anti-
VM)
• Sandbox detection using Pafish
17
18. Copyright © 2015 CyberSecurity Malaysia
Components – SSL Decryption
• viewssld - SSL Decryption for Network Monitoring.
• Nowadays malware exploiting SSL encryption to bypass
network security detection.
• IT security admin can enforce HTTPS / SSL interception
by registering Firewall / Proxy root certificate for every
PC inside an organization.
• By providing private key to viewssld, it can decrypt every
HTTPS communication and send to Network IDS for
malware collection & intrusion alert.
18
20. Copyright © 2015 CyberSecurity Malaysia
Moving Forward
• Enhancing Cuckoo sandbox environment
• Defeating Anti-VM / Sandbox Hardening
• Exploitation detection (Buffer/Heap Overflow,
Payload)
• Produce more valuable information
• Improve the process flow
20
21. Copyright © 2015 CyberSecurity Malaysia
Malware Research Lab (Tools)
• Our team has also developed tools for our daily operation:
– BotNet Checker: Botnet detection based on IP address.
– LebahNet: Distributed Honeynet.
– MyKotakPasir: Virtualization sandboxing.
– AndBox: Android sandboxing.
– ESPot: ElasticSearch Honeypot.
– DontExploitMe: Browser Based IPS.
– DontPhishMe: Phishing Site Blocker for Browser (Firefox,
Chrome, Internet Explorer).
– MyLipas: Web Defacement Crawler.
– Many others.
21
22. Copyright © 2015 CyberSecurity Malaysia
Malware Research Lab (Tools)
• BotNet Checker –
http://botnet.honeynet.org.my/
22
23. Copyright © 2015 CyberSecurity Malaysia
Malware Research Lab (Tools)
• DontPhishMe & Antiphishing.My –
https://www.antiphishing.my/
23
24. Copyright © 2015 CyberSecurity Malaysia
• Coordinated Malware Eradication And Remediation Project
(CMERP) & CyberDEF (Detection, Eradication & Forensics)
What is it?
• A comprehensive solution for
detection, eradication and forensic
of malware in cyberspace
What are the benefits?
• Helps organization to strengthen
and defend their organisation by
preparing the CSIRT team with
required skill, policy and procedure
in place
• The capability of the team will be
strengthen by participating in
cyber exercise activity tailored for
the organization
• With the necessary resources and
skills in place, steps and measures
can be taken to eradicate threat
24
25. Copyright © 2015 CyberSecurity Malaysia
Contacts
• Web: http://www.cybersecurity.my
• Web: http://www.mycert.org.my
• Web: www.cybersafe.my
• Report Incident:
cyber999@cybersecurity.my
25
27. Copyright © 2015 CyberSecurity MalaysiaCopyright © 2015 CyberSecurity Malaysia