Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
2 likes2,286 views
This document discusses techniques for analyzing malware network signatures and developing effective network countermeasures. It describes using firewalls, proxies, and intrusion detection systems to filter malicious traffic. Deep packet inspection can detect malware beacons hidden in layers like HTTP user-agents. The document advises passively monitoring real infected networks to understand malware without tipping off attackers. It also provides methods for safely investigating attackers online anonymously. Analyzing how malware generates domain names and URLs can reveal signatures to detect similar strains. The goal is to create general signatures that still work if the malware evolves while avoiding false positives.
Ad
More Related Content
What's hot (20)
Viewers also liked (20)
Ad
Similar to Practical Malware Analysis Ch 14: Malware-Focused Network Signatures (20)
Ad
More from Sam Bowne (20)
Recently uploaded (20)
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
- 1. Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
- 3. Common Network Countermeasures ā¢ Filtering with firewalls and routers ā By IP address, TCP and UDP ports ā¢ DNS Servers ā Resolve malicious domain names to an internal host (a sinkhole ) ā¢ Proxy servers ā Can detect or prevent access to specific domains
- 4. Content-Based Countermeasures ā¢ These devices can look at layer 7 data (deep packet inspection) ā¢ IDS (Intrusion Detection System) ā¢ IPS (Intrusion Prevention System) ā¢ Email proxy ā¢ Web proxy
- 5. Observing the Malware in Its Natural Habitat ā¢ Before static or dynamic analysis ā¢ Mine logs, alerts, and packet captures generated by malware in its original location
- 6. Advantages of Real Networks ā¢ Live-captured data is the most accurate ā Some malware detects lab environments ā¢ Real traffic contains information about both ends, infected host and C&C server ā¢ Passively monitoring traffic cannot be detected by the attacker ā OPSEC (Operational Security)
- 7. Indications of Malicious Activity
- 8. OPSEC ā¢ Preventing adversaries from obtaining sensitive information ā¢ Running malware at home may alert attackers ā Who expected it to be run in a company
- 9. Ways an Attacker Can Identify Investigative Activity ā¢ Send spear-phishing email with a link to a specific individual ā Watch for access attempts outside the expected geographic area ā¢ Design an exploit that logs infections ā In a blog comment, Twitter, Pastebin, etc. ā¢ Embed an unused domain in malware ā Watch for attempts to resolve the domain
- 10. Safely Investigate an Attacker Online
- 11. Indirection Tactics ā¢ Proxy server, Tor, Web-based anonymizer ā Not subtleāit's obvious that you are hiding ā¢ Use a dedicated VM for research ā Hide its location with a cellular or VPN connection ā¢ Use an ephemeral cloud machine ā Such as an Amazon E2C virtual machine
- 12. Search Engines ā¢ Usually safe ā¢ If the domain was previously unknown to the search engine, it may be crawled ā¢ Clicking results still activates secondary links on the site ā Even opening cached resources
- 13. Getting IP Address and Domain Information
- 14. Command-Line v.Web-Based Lookups ā¢ whois and dig can be used, but they will expose your IP address ā¢ Websites that do the query for you provide anonymity ā May give more information
- 15. DomainTools ā¢ Historical DNS records ā¢ Reverse IP lookups ā¢ Reverse whois (lookup based on contact information metadata)
- 16. RobTex ā¢ Finds multiple domain names that point to a single IP address ā¢ Checks blacklists
- 18. BFK DNS Logger ā¢ Gathers data with passive DNS monitoring ā¢ Stealthy
- 20. Intrusion Detection with Snort ā¢ Rule-based detection, can use: ā TCP or IP headers ā Size of payload ā Connection state (such as ESTABLISHED) ā Layer 7 payload data
- 21. Snort Rule to Block HTTP Traffic by User-Agent
- 22. Taking a Deeper Look ā¢ Running the malware several times shows these User-Agent strings ā¢ Rules can be fine-tuned to capture the malware without false positives
- 23. Combining Dynamic and Static Analysis Techniques
- 24. Two Objectives of Deeper Analysis ā¢ Full coverage of functionality ā Provide new inputs to drive the malware down unused paths ā Using iNetSim or custom scripts ā¢ Understanding functionality, including inputs and outputs ā Static analysis finds where and how content is generated ā Dynamic analysis confirms the expected behavior
- 26. Hiding in Plain Sight ā¢ Attackers mimic existing protocols ā Often HTTP, HTTPS, and DNS ā HTTP for beaconing (request for instructions) ā HTTPS hides the nature and intent of communications ā Information can be transmitted in DNS requests ā¢ For example, in long domain names
- 27. GETs ā¢ Used to send a command prompt followed by a directory listing
- 28. User Agents ā¢ Early malware used strange User-Agent strings ā¢ This made it easy to block ā¢ Valid user agent:
- 29. 3 Possible User Agents ā¢ Malware alternates between these to defeat detection
- 30. Attackers Use Existing Infrastructure ā¢ Botnet commands concealed in source code of a Web page
- 31. Leveraging Client-initiated Beaconing ā¢ Hosts behind NATs or proxy servers have a concealed IP address ā¢ Makes it difficult for attackers to know which bot is phoning home ā¢ Beacon identifies host with an unique identifier ā Such as an encoded string with basic information about the host
- 32. Understanding Surrounding Code ā¢ Malware beacon ā¢ URIs
- 34. Example Malware ā¢ Uses InternetOpen and HTTPOpenRequest ā¢ URI is generated from calls to ā GetTickCount, Random, gethostbyname
- 35. Sources of Network Content ā¢ Random data ā¢ Data from networking libraries ā Such as the GET created from a call to HTTPSendRequest ā¢ Hard-coded data ā¢ Data about the host and its configuration ā Hostname, current time, CPU speed ā¢ Data received from other sources ā Remote server, file system, keystrokes
- 36. Hard-Coded vs. Ephemeral Data ā¢ Malware using lower-level networking APIs such as Winsock ā Requires more manually-generated content to mimic common traffic ā More hard-coded data ā Likely the author makes a mistake that leaves a signature in the network traffic ā May misspell a word like Mozilla
- 37. How URI is Generated
- 38. Identifying and Leveraging the Encoding Steps
- 39. Creating a Signature ā¢ Avoid excessive complexity ā Slows down the IDS ā¢ Include enough detail to eliminate false positives
- 40. Analyzing the Parsing Routines ā¢ Malware strings and the Web page comments both include the string adsrv?
- 41. ā¢ Parser looks for 3 elements ā¢ <!ā ā¢ text ā¢ -->
- 43. Possible Signatures ā¢ The five possible commands ā¢ These will work, but any change in the malware will evade them
- 44. Targeting Multiple Elements ā¢ These are more general ā¢ The first one accepts any Base64 in a comment with the adsrv prefix
- 45. Making General Signatures ā¢ Demo: capture GET in Wireshark ā¢ User-Agent and Accept always appear together for normal browser traffic
- 47. Rules of Thumb ā¢ Focus on elements of the protocol that are part of both end points ā Look for elements that use code on both the client and server ā It will be hard for the attacker to change them both
- 48. Rules of Thumb ā¢ Focus on elements of the protocol known to be part of a key ā Such as a User-Agent that identifies bot traffic ā Again, it would require updating both ends to change ā¢ Identify elements of the protocol that are not immediately apparent in traffic ā This will be less likely to be used by other, sloppy, defenders who leak info to the attacker