Fighting Back Malware with IOC & YARA
OSSIR Paris, 2012.12.11
Saâd Kadhi, [email protected]
http://www.hapsis.fr/
Speaker Bio
• Saâd Kadhi
• CTO at HAPSIS, GCIH, GCFA
• 14y+ of infosec experience, almost 5y in Digital Forensics & Incident Response
• Apt walker, apt swimmer & apt music fan :-)
• 0x0RGANICF00D
@_saadk
Agenda
• The Threat Landscape
• Fighting Back
• YARA
• IOC
• Closing Thoughts
The Threat Landscape
We are APT
We are Legion
Source: http://attrition.org/security/conferences/2012-BruCON-CyberWar-v18-FINAL03.pptx
A Quick Overview
• What we (old timers) used to call ‘targeted attacks’ is now dubbed APT
• Media circled over this new term like vultures on carrion
• Media attention is good, media attention is bad
Caution!
• Media & others (over)sell APT for fun and profit, but mainly for profit
• Instill fear or... overhype real security incidents
• Think different: who says what? For what purpose (vested interest)?
• It was, is & will still be a foggy mine field
#IFDEF
Some Examples
Source: http://governor.sc.gov/Documents/MANDIANT%20Public%20IR%20Report%20-%20Department%20of%20Revenue%20-%2011%2020%202012.pdf
#IFDEF (reloaded)
OSINT
Spear Phishing
Removable Storage Malware
Remote Admin Tool (RAT)
Utilities
Vulnerabilities
APT
More Caution!
• Attribution is difficult
• Things can get messy when we start tinkering with geopolitics
• We still have to defend
Fighting Back
When the APT comes through your backdoor. Unless you want some more, I think you better call ...
Source: Thomas Chopitea (@tomchop_)
How to Fight Back?
• The days of thinking in purely IT terms are long gone
• Know your environment
• Know your business
• There’s no such thing as an Anti-APT™ Silver Bullet
Easier said than done
Security Awareness?
• Users click but do not think
• How to fight spear phishing attacks in an era with so many digital footprints?
• Think of RSA, Coca-Cola, State of South Carolina & so many others...
• Here is a $1B question: how to measure effectiveness of security awareness?
Buy More Stuff™?
• Suuuuure... Be my guest. You’ve been stacking security stuff forever
• checkmarks for checklists
• Any measurable results?
• Do you even use all the security stuff you already have correctly?
Do. It. Better
• Get a second look at your firewalls, DNS servers, system logs, DHCP logs, application logs and all the ‘stuff’ you already have
• Think. (re)Design. Log. Feed. Correlate. Alert
Best Practices?
• Put that in perspective
• Admittedly, risk assessment is hard to get right
• ... particularly if you don’t know your business
• Ex.: how does changing a password every 60 days help you?
The Inevitable AV Slide
Generic Signature
Specific Signature
Another Example
WS.Reputation.1???
Invest in Skills?
• Yes, mere but apt mortals
• Build a CSIRT/CERT-like capability or hire a reputable, trustworthy one (who knows your env/business)
• Let them make sense of your security ‘stuff’ & bring it all together
• Leverage a toolset to fight back
YARA
Build your own AV (sort of)
What is YARA?
• Open Source Project created by Víctor Manuel Álvarez in 2008
• https://code.google.com/p/yara-project/
• Multi-platform malware identification and classification tool
• Leverages rules
We only care about detection
What is YARA?
Or call yara-python from your own Python programs (look for yara-ruby if you worship gems)
YARA Rules
• Set of strings, regular expressions and other binary patterns mixed with logic
• Applicable to files or memory artifacts
• Fed to tools that will recursively scan files or analyze a memory image
• Rich, fully documented syntax
Rules = Signatures
Hello Rule!
Callouts on the example rule: Rule name, Document Your Rule, Strings to Look For, How/Where?
Writing Rules
• BYOD (Bring Your Own Daktulos) ... or δακτυλος (finger in Greek)
• i.e. use the editor of your choice
• or try Yara Editor by Ivan Fontarensky https://code.google.com/p/yara-editor/
• ...will hopefully mature fast enough :-)
String Searching
• Simple way to learn or guess at the functionality of a program
• Windows function names, error messages...
• Rather basic static analysis technique that can be automated using YARA
• Strings may be stored as ASCII or Unicode
Windows function names & DLLs can be looked up in MSDN
Build a list of ‘indicators’ of suspiciousness, ex. LoadLibrary, GetProcAddress, LdrLoadDll, ...
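The rule behind the four "Hello Rule!" callouts, written out against the indicator list from the string-searching slides, as an added example and not a rule from the talk; the rule name, meta values, the error string and the match thresholds are assumptions:

```yara
// Added example, not from the slides: one rule that maps the four callouts of
// the "Hello Rule!" slide (rule name, documentation, strings, how/where) onto
// the indicator list of the string-searching slides. The API names come from
// the slide; the rule name, meta values, error string and thresholds are my own.
rule suspicious_loader_apis
{
    meta:
        // "Document Your Rule": who wrote it, why, when, and where it comes from
        author      = "example author (placeholder)"
        description = "PE file referencing several dynamic-loading APIs"
        date        = "2012-12-11"
        reference   = "Fighting Back Malware with IOC & YARA, OSSIR Paris"

    strings:
        // "Strings to Look For": Windows function names from the slide.
        // 'ascii wide' matches both the 8-bit and the UTF-16LE (Unicode) form,
        // since the slide notes strings may be stored either way. No 'fullword'
        // on purpose: import names are LoadLibraryA / LoadLibraryW / LoadLibraryExA.
        $api1 = "LoadLibrary"    ascii wide
        $api2 = "GetProcAddress" ascii wide
        $api3 = "LdrLoadDll"     ascii wide
        // A constructed error message (the slide mentions error messages as
        // useful strings); stored as Unicode only, matched case-insensitively.
        $err  = "Failed to inject" wide nocase

    condition:
        // "How/Where": only PE files (the 'MZ' header at offset 0), and either
        // two of the loader APIs or one API together with the error message.
        uint16(0) == 0x5A4D
        and ( 2 of ($api*) or ( 1 of ($api*) and $err ) )
}
```

A UPX stub's own import table names LoadLibraryA and GetProcAddress, so this rule also fires on many packed files; treat such a hit as a cue to run packer rules rather than as a verdict.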
Libraries & Functions
Packed Binaries
• Malware can be packed/obfuscated
• A packed binary is compressed & cannot be fully analyzed without decompressing it first
• Usually contains very few strings
• Severely limits static analysis
Packed Binaries
Executable (visible strings + other info) → Packer → Packed Executable (gone are the strings & the other info), wrapped in a Wrapper
Packers: UPX, PECompact, FSG, ASPack, WinUPack, YodaCrypt, Themida
YARA vs. Packing
• Packed binaries are one sign of potential malware
• The wrapper program can be statically analyzed
• Use YARA rules to detect packers
• Build on PEiD rules
• Examples at https://code.google.com/p/yara-project/wiki/PackerRules
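Packer-detection rules in the spirit of the PEiD-derived rules the slide points to, as an added example (not the talk's or the yara-project's own rules); UPX and ASPack are two of the packers listed earlier, the section names and the "UPX!" marker are what those packers write into a packed PE, and the rule names are assumptions:

```yara
// Added example, not from the slides: packer-detection rules in the style of
// the PEiD-derived rules. UPX and ASPack appear in the deck's packer list; the
// section names and the "UPX!" marker are what those packers leave in a packed
// PE. Rule names are my own.

// A private rule matches but is never reported on its own; other rules reuse it
// so the PE header check is written once.
private rule IsPE
{
    condition:
        // "MZ" at offset 0 and "PE\0\0" at e_lfanew (the dword stored at 0x3C)
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

rule packed_with_upx
{
    meta:
        description = "PE carrying UPX section names or the UPX! marker"
        packer      = "UPX"

    strings:
        // Section names UPX writes into the section table
        $sec0 = "UPX0"
        $sec1 = "UPX1"
        $sec2 = "UPX2"
        // Marker UPX writes near the packed data
        $mark = "UPX!"

    condition:
        IsPE and ( 2 of ($sec*) or $mark )
}

rule packed_with_aspack
{
    meta:
        description = "PE carrying ASPack section names"
        packer      = "ASPack"

    strings:
        $sec0 = ".aspack"
        $sec1 = ".adata"

    condition:
        IsPE and any of ($sec*)
}
```

Feed the file to the scanner with `yara -r packers.yar /path/to/collected/files` and only the two public rules are reported; a hit is a red flag to unpack or run the sample in memory, not proof of malice, since legitimate software is packed too.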
In Memory We Trust
• Once executed, packed binaries are decompressed
• Strings & other info are visible if you grab volatile memory
• Caution: malware may be able to detect your attempts at ‘gaming’ it in a VM & throw stub/fake artifacts at you
YARA & Volatility
Memory Image → Volatility Memory Analysis Framework (‘yarascan’ plugin) + YARA Rules → Potential Red Flags
$ python vol.py -f mem.img yarascan --yara-file=/path/to/rules.yara
Use Cases
• Dissect RATs (Poison Ivy, Dark Comet, Ghost Rat, Extreme Rat...) & common utilities used by attackers
• Detect packed binaries, look for common passwords, bank domains, attempts at terminating AV services...
• Use in combination with Cuckoo sandbox, pehash, ssdeep, ...
IOC
Eye... Oh! See!
(To See, Drink Some Coffee)
What is IOC?
• A Mandiant initiative
• Indicator Of Compromise
• Collection of logically-grouped forensic artifacts from a wide array of sources
• registry, volatile memory, file system, binaries, application logs, firewall logs, hashes...
Compromise
• You don’t build IOCs out of thin air
• Compromise leads to investigation leads to IOCs leads to better damage assessment leads to more IOCs leads to...
• You can also have IOCs handy to sweep your network & look for RATs & other shenanigans
OpenIOC
• Extensible XML Framework to construct & ‘consume’ IOCs
• Released in 2011 by Mandiant, no strings attached
• Field tested, backed by real-world experience
• Extensively used in Mandiant Intelligent Response (commercial solution)
http://openioc.org/
XML Schemas
• XML Schemas are at the heart of OpenIOC
• Available at http://schemas.mandiant.com
• Each OpenIOC schema defines a namespace
• A namespace is a set of items (or terms) related to a given artifact group
Let’s Delve Into a Term
Houston, we’ve got a problem
• There are hundreds of OpenIOC terms
• While most have explicit names, there is no detailed documentation for the meaning of each term
• Read the schema, Luke!
Houston, please reply...
• OpenIOC doesn’t tell you how to search or retrieve terms
• It’s up to tools built on top of OpenIOC to implement what they need to dig artifacts out
Tools
• Mandiant provides two free tools for Microsoft Windows platforms
• IOC Editor to write & compare IOCs
• IOC Finder to ‘consume’ IOCs
• Redline, Mandiant’s free memory & file investigation tool, can also ‘consume’ IOCs
IOC Editor
Some namespaces (or categories) such as DnsEntryTerm are not available by default. Get them from http://openioc.org/terms/IOCFinder.iocterms & drop into ‘C:\Program Files (x86)\Mandiant\Mandiant IOCe’
IOC Finder
• CLI tool
• Two stages
• Collect forensic evidence from target(s) of interest
• Generate a report on the analyst’s machine
pyioc
• Set of Python tools to check IOCs against targets of interest
• Written by Jeff Bryner & released under a GPL v3 license
• Agent-server model. Agents connect to the server through SSL/SOAP, get IOCs, perform checks and send back the results
https://github.com/jeffbryner/pyioc
A Few pyioc Issues
• Why do you think IOC Finder works in two stages?
• Hint: are the IOCs ever present on the targets of interest?
• Only 18 supported terms belonging to the FileItem, PortItem, ProcessItem & RegistryItem categories
• Still, pyioc is a laudable effort that must be supported
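To make the OpenIOC structure (Indicator operators, IndicatorItem terms such as FileItem, ProcessItem and RegistryItem) concrete, and to show why IOC Finder and pyioc match collected evidence on the analyst's side rather than shipping the IOCs to the target, here is an added Python example that is neither Mandiant's nor pyioc's code. It parses a constructed OpenIOC 1.0 document and evaluates its AND/OR indicator tree against a dictionary of artifacts collected from one host; the id, hash and names are placeholders, and the ‘is’/‘contains’ matching is a deliberate simplification of what the real tools do.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document; the id, md5 and names are placeholders.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <short_description>Example RAT indicator (constructed)</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchosts.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\\Run</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, artifacts):
    """Test one IndicatorItem against the values collected for its term."""
    term = item.find("ioc:Context", NS).get("search")   # e.g. FileItem/Md5sum
    want = item.find("ioc:Content", NS).text.lower()
    cond = item.get("condition")                        # 'is' or 'contains'
    for value in artifacts.get(term, []):
        if cond == "is" and value.lower() == want:
            return True
        if cond == "contains" and want in value.lower():
            return True
    return False

def indicator_matches(ind, artifacts):
    """Recursively apply an Indicator's AND/OR operator to its children."""
    results = [item_matches(c, artifacts) if c.tag.endswith("IndicatorItem")
               else indicator_matches(c, artifacts) for c in ind]
    combine = all if ind.get("operator") == "AND" else any
    return bool(results) and combine(results)   # empty Indicator never matches

def evaluate(ioc_xml, artifacts):
    """artifacts maps an OpenIOC term to the values collected from one host."""
    root = ET.fromstring(ioc_xml)
    return indicator_matches(root.find("ioc:definition/ioc:Indicator", NS), artifacts)
```

The artifacts dictionary stands in for the evidence IOC Finder collects in its first stage; the IOC itself only ever touches the analyst's machine.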
Closing Thoughts
Excited about IOC & YARA?
Well... not so fast
Sharing
• Sharing of IOCs & YARA rules is quite (if not very) rare
• Investment needed to build them
• Competitive edge they give you in the battle against malware and miscellaneous threat actors (treasure trove)
• & you don’t want to be giving away intel to the attackers
Time + Budget = Plan
• You don’t want to dissect every malware variant out there and get burned out
• First, build IOCs & YARA rules to detect RATs and common utilities used by attackers once they gain a foothold on your network
• Then move to persistence, logs and other telltale signs of mischief
45 rue de la Chaussée d’Antin, 75009 Paris, FRANCE
Tél. : +33 (0)1 53 16 30 60 - Fax : +33 (0)1 53 16 30 [email protected]
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License