Saturday, November 19, 2011

Finding Malware and APT activities

Updates and feedbacks will be posted as comments below (unless I chose otherwise)

There are two ways to find infected or breached systems that I know of:
First, looking for known (or suspicious) command and control (C&C) traffic on the network. Second, looking for known bad or suspicious indicators on the hosts.
Well, there's actually a third one, combining the two together.

Indicators of Compromise

Mandiant's Indicators of Compromise (IOC) provide a way to describe host and network based indicators of malicious activity or traits.
IOC Editor is free software to create IOC's. And there's even a free software, IOC Finder, to check hosts for signs of infection. However, IOC Finder has a limited capability of checking for network based indicators on hosts. The commercial product MIR should have much greater network based capabilities I assume.
For sharing IOCs I found these two sites, openIOC and Mandiant's forums about IOC Finder.
Thanks Mandiant for all your great free software and resources!

Network based indicators

Another solution that looks very promising is Damballa's Failsafe, which looks for known bad or suspicious network traffic (DNS, proxy, egress firewall).
There are some demo videos online available with free registration.

Something similar seems to be available from Trisul Networks Analytics. A limited version is available for free. The plugins Badfellas, GeoIP and URLFilter look interesting and promising.

If you have experience with on of these products or know other similar, I'd be interested to hear about.

Any network based solution I guess is only as good as the intelligence of known bad or suspicious patterns to look for.
For some IDS based open source solutions, you might find
Richard Bejtlich's blog post "Seven Cool Open Source Projects for Defenders" interesting.

Host based indicators

The host based approach is to look at the memory or disk (binaries, registry, services etc.) for known malware or suspicious patterns. There are certainly many ways to do this besides the already mentioned solutions from Mandiant (and HBGary in a previous post).
Other free tools from Mandiant to check out are Memoryze, Audit Viewer and Redline to inspect memory for malicious or suspicious signs.

David Hoelzer has some interesting screencasts and blog posts (inlucding scripts) about finding signs of infections.

# 19 : Detecting Signs of APT and Malware
# 18 : Detecting APT and Malware through Baseline Auditing

Detecting Malware & APT Like Threats - Domain Wide File Finder
Detecting APT and Other Zero Day Malware through Service Auditing

There are also some open source projects like MIR-ROR, Rapier and probably others I haven't looked at. The two mentioned above haven't been active for a while now.

Feedback welcome

If you have corrections, suggestions or other feedback, please contact me ( at gmail dot com).

If you found my blog other than from my Twitter profile, feel free to follow me there (@c_APT_ure)

Saturday, August 13, 2011

Lots has hAP(T)ened since... Kill those Shady RATs...

Well, it's been a long time since my last post and lots has happened since. Where should I start...

Earlier this year there were details released about Operation Night Dragon.

Mandiant released its second M-Trends report ("when prevention fails"), also mentioned on Businesswire. There were also some new, interesting "State of the Hack" and "Fresh Prints of Malware" presentations.

And most recently, there was lots of news about the "Operation Shady RAT".
Read Ira Winkler's article about it and make your own opinion.
I'd like to cite one paragraph of it:
"This is the root of the problem with how security vendors are dealing with the chronic issue of APT. They treat their customers' misery as their own intellectual property. Companies that investigate APT-related attacks rarely share their findings. They don't exchange information about the most recent malware obfuscation techniques, the best methods to identify compromised systems, the newest malware signatures, etc. Instead, they keep most of the information to themselves and treat it as a competitive advantage. What sharing there is falls far short of what would be required to encourage a robust response capability."
So what are Indicators of Compromise (IOCs) good for? Well, if they only get used by one security company, they can't reach the full potential.
Or are IOCs widely used and shared and I just don't know about it? Please let me know.

And then there's yet another interesting paper linked in there, which I've previously found, but haven't fully read yet.
"Far more information about this sort of thing came out in 2009, when The US-China Economic and Security Review Commission released a Northrop Grumman-prepared report called "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation". That paper is infinitely more informative than anything that any security company has been willing to disclose."
Well, now it's time to read it. (before it gets too outdated)