Chapter 15 Notes

to accompany Sikorski and Honig, Practical Malware Analysis, no starch press

Malware-Focused Network Signatures

How to develop countermeasures? In other words, how do you keep malware out?

Network Countermeasures

• Firewalls and routers can be used to restrict access to a network
• DNS servers can be configured to route malicious domains to a "sinkhole". But new malicious domains pop up all the time.
• Content-based countermeasures can include IDS, IPS, email and web proxies, through deeper
  inspection of traffic

Observing Malware in its Natural Habitat

• Take a look at the logs, alerts, and packet captures for context - from a real network
• May yield insight into malware's real behavior, as opposed to what it would do in a lab
• May see both ends of the communication
• Passive review of such information should give no information to the attacker
• Wireshark is good for this, of couse

Indications of Malicious Activity + OPSec

• Network indicators such as URLs or IP addresses can be investigated, but be discreet
• Because the attacker may notice the investigation!
• Visiting a URL, or even doing a DNS lookup, can give attacker information
• So use an anonymization service such as TOR
• Or work "from an ephemeral remote machine running in a cloud service, such as Amazon Elastic Compute Cloud (Amazon EC2)"
• When using search engines, don't specify a certain domain in the query, since that might prompt crawling
  • which in turn lets the bad guys know they've been noticed

Getting IP Address and Domain Information

• Various web sites provide information, with a degree of anonymity, if you want to check out an IP address or domain name you've spotted during analysis
  • http://www.domaintools.com
  • http://www.robtex.com
  • http://www.bfk.de/bfk_dnslogger_en.html

Content-Based Network Countermeasures

• Attackers are adept at moving to different addresses and domains
• "Indicators based on content, on the other hand, tend to be more valuable and longer lasting,
  since they identify malware using more fundamental characteristics."
• To describe content that is good, or bad, languages that resemble regular expressions are common
  • hence our interest in YARA
  • which goes well beyond standard regular languages in terms of power!

The World's Favorite IDS: Snort

• Rules based on content, or meta-data: contains "malware.com" or dsize:200
• Example:
  alert tcp $HOME_NET any -> $EXTERNAL_NET
  $HTTP_PORTS (msg:"TROJAN Malicious User-Agent";
  content:"|0d 0a|User-Agent\: Wefa7e";
  classtype:trojan-activity; sid:2000001; rev:1;)
• http://www.emergingthreats.net
  "Emerging Threats is a set of community-developed and freely available rules."

Leveraging Client-Initiated Beaconing

• When malware "phones home", it will pass a description of the victim machine
• Such descriptions can be used to find other victims
• How to find code where the malware sends out a beacon?
• How to find code where the malware gets commands?
• Start by finding networking code
• Hard-coded data from the malware can be helpful in constructing signatures! For Snort or whatever
• Analyzing the parsing code that deals with commands yields info on the command language!
• So maybe you can send your own commands!