Saturday, November 19, 2011

Finding Malware and APT activities

Updates and feedbacks will be posted as comments below (unless I chose otherwise)

There are two ways to find infected or breached systems that I know of:
First, looking for known (or suspicious) command and control (C&C) traffic on the network. Second, looking for known bad or suspicious indicators on the hosts.
Well, there's actually a third one, combining the two together.

Indicators of Compromise

Mandiant's Indicators of Compromise (IOC) provide a way to describe host and network based indicators of malicious activity or traits.
IOC Editor is free software to create IOC's. And there's even a free software, IOC Finder, to check hosts for signs of infection. However, IOC Finder has a limited capability of checking for network based indicators on hosts. The commercial product MIR should have much greater network based capabilities I assume.
For sharing IOCs I found these two sites, openIOC and Mandiant's forums about IOC Finder.
Thanks Mandiant for all your great free software and resources!

Network based indicators

Another solution that looks very promising is Damballa's Failsafe, which looks for known bad or suspicious network traffic (DNS, proxy, egress firewall).
There are some demo videos online available with free registration.

Something similar seems to be available from Trisul Networks Analytics. A limited version is available for free. The plugins Badfellas, GeoIP and URLFilter look interesting and promising.

If you have experience with on of these products or know other similar, I'd be interested to hear about.

Any network based solution I guess is only as good as the intelligence of known bad or suspicious patterns to look for.
For some IDS based open source solutions, you might find
Richard Bejtlich's blog post "Seven Cool Open Source Projects for Defenders" interesting.

Host based indicators

The host based approach is to look at the memory or disk (binaries, registry, services etc.) for known malware or suspicious patterns. There are certainly many ways to do this besides the already mentioned solutions from Mandiant (and HBGary in a previous post).
Other free tools from Mandiant to check out are Memoryze, Audit Viewer and Redline to inspect memory for malicious or suspicious signs.

David Hoelzer has some interesting screencasts and blog posts (inlucding scripts) about finding signs of infections.

# 19 : Detecting Signs of APT and Malware
# 18 : Detecting APT and Malware through Baseline Auditing

Detecting Malware & APT Like Threats - Domain Wide File Finder
Detecting APT and Other Zero Day Malware through Service Auditing

There are also some open source projects like MIR-ROR, Rapier and probably others I haven't looked at. The two mentioned above haven't been active for a while now.

Feedback welcome

If you have corrections, suggestions or other feedback, please contact me ( at gmail dot com).

If you found my blog other than from my Twitter profile, feel free to follow me there (@c_APT_ure)

1 comment:

  1. Thanks Chris for the feedback!

    "Great post, a couple of other tools I have used and think are worth a mention are NetWitness #volatility with #yara"

    Keep 'em coming :)