Chapter 15 Notes
to accompany Sikorski and Honig, Practical Malware Analysis, no starch press
Malware-Focused Network Signatures
How to develop countermeasures? In other words, how do you keep malware out?
Network Countermeasures
- Firewalls and routers can be used to restrict access to a network
- DNS servers can be configured to route malicious domains to a "sinkhole". But new malicious domains pop up all the time.
- Content-based countermeasures can include IDS, IPS, email and web proxies, through deeper inspection of traffic
Observing Malware in its Natural Habitat
- Take a look at the logs, alerts, and packet captures for context - from a real network
- May yield insight into malware's real behavior, as opposed to what it would do in a lab
- May see both ends of the communication
- Passive review of such information should give no information to the attacker
- Wireshark is good for this, of course
Indications of Malicious Activity + OPSec
- Network indicators such as URLs or IP addresses can be investigated, but be discreet
- Because the attacker may notice the investigation!
- Visiting a URL, or even doing a DNS lookup, can give attacker information
- So use an anonymization service such as Tor
- Or work "from an ephemeral remote machine running in a cloud service, such as Amazon Elastic Compute Cloud (Amazon EC2)"
- When using search engines, don't specify a certain domain in the query, since that might prompt crawling
- which in turn lets the bad guys know they've been noticed
Getting IP Address and Domain Information
- Various web sites provide information, with a degree of anonymity, if you want to check out an IP address or domain name you've spotted during analysis
Content-Based Network Countermeasures
- Attackers are adept at moving to different addresses and domains
- "Indicators based on content, on the other hand, tend to be more valuable and longer lasting,
since they identify malware using more fundamental characteristics."
- To describe content that is good, or bad, languages that resemble regular expressions are common
- hence our interest in YARA
- which goes well beyond standard regular languages in terms of power!
The World's Favorite IDS: Snort
- Rules based on content, or meta-data: contains "malware.com" or dsize:200
- Example:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Malicious User-Agent"; content:"|0d 0a|User-Agent\: Wefa7e"; classtype:trojan-activity; sid:2000001; rev:1;)
- http://www.emergingthreats.net
"Emerging Threats is a set of community-developed and freely available rules."
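To make the rule above concrete, here is an added example (not from the book or from Snort itself): a small Python matcher that turns a Snort content string, including the |0d 0a| hex section and the backslash-escaped colon, into a byte pattern and searches it in an HTTP payload, and that also evaluates the dsize option mentioned earlier in these notes. The second rule, the HTTP payloads and the sid 1000001 are constructed for illustration; the only rule taken from the notes is the Wefa7e one. The hypothetical helper functions parse_content, parse_rule, dsize_matches, rule_matches and scan are this example's own.

```python
"""Minimal Snort-style content matcher (illustrative, not Snort itself).

Shows how the content:"..." option of a rule, including |hex| byte sections
and backslash escapes, becomes a byte pattern that is searched for in the
application payload, plus the dsize check. Sample payloads are constructed.
"""
import re

# Matches one rule option: name, optional ':' value (quoted or bare), ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_content(value: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    |0d 0a| sections are hex bytes; a backslash escapes the next character
    (Snort requires escaping of ':', ';', '"', '|' and the backslash).
    """
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '|':
            end = value.index('|', i + 1)
            out += bytes.fromhex(value[i + 1:end])
            i = end + 1
        elif ch == '\\':
            out.append(ord(value[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split a rule into its header and the options evaluated here."""
    header, _, body = rule.partition('(')
    body = body.rsplit(')', 1)[0]
    parsed = {'header': header.strip(), 'contents': []}
    for name, value in OPTION_RE.findall(body):
        value = value.strip()
        if name == 'content':
            parsed['contents'].append(parse_content(value.strip('"')))
        elif name == 'dsize':
            parsed['dsize'] = value
        elif name in ('msg', 'classtype', 'sid', 'rev'):
            parsed[name] = value.strip('"')
    return parsed


def dsize_matches(spec: str, length: int) -> bool:
    """Evaluate a dsize option: N, <N, >N or LOW<>HIGH (exclusive bounds)."""
    if '<>' in spec:
        low, high = spec.split('<>')
        return int(low) < length < int(high)
    if spec.startswith('<'):
        return length < int(spec[1:])
    if spec.startswith('>'):
        return length > int(spec[1:])
    return length == int(spec)


def rule_matches(rule: dict, payload: bytes) -> bool:
    """True when every content pattern occurs in the payload and dsize holds.

    Real Snort also honours depth/offset/distance/within and the header
    (addresses, ports, direction); those are left out of this toy.
    """
    if 'dsize' in rule and not dsize_matches(rule['dsize'], len(payload)):
        return False
    return all(pattern in payload for pattern in rule['contents'])


# Rule 1 is the one from the notes; rule 2 is constructed from the
# dsize:200 / "malware.com" idea above. sid 1000001 is illustrative.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"TROJAN Malicious User-Agent"; content:"|0d 0a|User-Agent\\: Wefa7e"; '
    'classtype:trojan-activity; sid:2000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"Constructed 200-byte beacon to malware.com"; dsize:200; '
    'content:"Host\\: malware.com"; sid:1000001; rev:1;)',
]
PARSED_RULES = [parse_rule(r) for r in RULES]

# Constructed HTTP payloads (application data only), not real captures.
_beacon2 = b"POST /gate.php HTTP/1.1\r\nHost: malware.com\r\nContent-Length: 0\r\n\r\n"
SAMPLE_PAYLOADS = {
    'beacon': (b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
               b"User-Agent: Wefa7e\r\n\r\n"),
    'browser': (b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n"),
    'sized_beacon': _beacon2 + b"A" * (200 - len(_beacon2)),  # padded to exactly 200 bytes
}


def scan(rules: list, payloads: dict) -> list:
    """Return (payload label, sid) pairs for every rule that fires."""
    return [(label, rule['sid'])
            for label, payload in payloads.items()
            for rule in rules
            if rule_matches(rule, payload)]


if __name__ == '__main__':
    for label, sid in scan(PARSED_RULES, SAMPLE_PAYLOADS):
        print(f"{label}: matched sid {sid}")
```

Running it reports the Wefa7e rule firing on the constructed beacon but not on the browser request, and the dsize rule firing only on the payload whose length is exactly 200. The point to take away is that the |0d 0a| prefix anchors the match to the start of a header line, so a User-Agent value that merely appears elsewhere in a body would not trigger it.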
Leveraging Client-Initiated Beaconing
- When malware "phones home", it will pass a description of the victim machine
- Such descriptions can be used to find other victims
- How to find code where the malware sends out a beacon?
- How to find code where the malware gets commands?
- Start by finding networking code
- Hard-coded data from the malware can be helpful in constructing signatures! For Snort or whatever
- Analyzing the parsing code that deals with commands yields info on the command language!
- So maybe you can send your own commands!