Zero Day Malware Detection/Prevention Using Open Source Software
Copyright © 2015 CyberSecurity Malaysia
ZERO DAY MALWARE DETECTION/PREVENTION USING OPEN SOURCE SOFTWARE PROOF OF CONCEPT
Malware Research Center, MyCERT
Outline
• Introduction
• Motivations
• Objective
• Process Flow
• The Open Source components
• Moving Forward
Introduction
• Fathi Kamil Bin Mohad Zainuddin.
• Senior Analyst in Malware Research Centre, MyCERT.
Introduction
• Computer security issues have emerged ever since the Internet was introduced. Organizations and security researchers have increased their efforts to ensure that security threats are detected and mitigated in a timely manner. Today, as computer attacks tend to be malware-centric, cyber criminals have introduced sophistication into their attack techniques that makes the traditional way of protecting the enterprise with firewalls, intrusion detection systems and antivirus software at the network perimeter ineffective.
Introduction
• To produce tools or capability for 0-day malware detection / prevention using open source software.
• There are many Open Source network security components in the market that serve their purpose very well.
• Known Open Source network security products include Snort, Suricata, Dionaea, Kippo, Glastopf, Ntop, Xplico, Wireshark, etc.
• All we need is to glue them together to achieve our purpose.
Motivations
• We have deployed LebahNet (Honeynet) previously, but later we found out that:
– Dionaea plugins are difficult to maintain in order to follow the vulnerability trends and get new malware binaries.
– We need an expert to maintain the plugins.
– We have done some attack simulation using Metasploit but it produced poor results: not all vulnerability attacks were captured by Dionaea.
• Network packets contain a lot of information, which might also include malicious documents, binaries and web communication that are not extracted from the network.
Objective
• Capture & identify malicious documents, binaries, and web accesses from the network through packet capturing.
• Simulate the malicious files / web accesses in a sandbox environment.
• Collect known malicious information provided by the sandbox into a central database.
• Generate callback signatures from sandbox results to detect/prevent further malicious activities.
• Distribute malicious information among sensors.
Components – Network IDS / IPS
• Suricata is a high-performance Network IDS, IPS and Network Security Monitoring engine.
• Top 3 reasons:
– Highly scalable.
– Protocol identification.
– File identification, MD5 checksums, and file extraction.
• For our purpose, Suricata can produce:
– Alert log.
– File extraction based on signatures within HTTP & SMTP.
http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/
http://blog.inliniac.net/2014/11/11/smtp-file-extraction-in-suricata/
– HTTP log.
Components – Network IDS / IPS
• Enabling file extraction - /etc/suricata/suricata.yml
Components – Network IDS / IPS
• Suricata file extraction rules - /etc/suricata/rules/files.rules
Components – Network IDS / IPS
• File extraction output - /var/log/suricata/files/
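The slides show the file-store directory only as a screenshot. As an added example (not code from the slides or from the Suricata project), the Python script below walks a directory laid out like /var/log/suricata/files/, parses each `.meta` sidecar, re-verifies the MD5 Suricata recorded, keeps only closed files whose libmagic type is worth detonating, and records new hashes in a central SQLite table so that the same binary is queued for the sandbox once across all sensors. The `KEY: value` layout of the `.meta` file, the `file.N` naming, the hostnames and the sample bytes are constructed assumptions about the 2.x-era output, not values from the page; check them against your own file-store directory before relying on them.

```python
import hashlib
import os
import sqlite3
import tempfile

# Constructed sample: one extracted file plus its .meta sidecar, in the
# "KEY:   value" layout Suricata wrote to its file-store log-dir at the time
# (assumption about the exact keys; adjust them if your version differs).
SAMPLE_META = """\
TIME:              11/06/2015-10:22:41.118234
SRC IP:            10.0.0.23
DST IP:            203.0.113.45
PROTO:             6
SRC PORT:          49211
DST PORT:          80
HTTP URI:          /dl/update.exe
HTTP HOST:         files.example.invalid
HTTP REFERER:      <unknown>
FILENAME:          /dl/update.exe
MAGIC:             PE32 executable (GUI) Intel 80386, for MS Windows
STATE:             CLOSED
MD5:               {md5}
SIZE:              {size}
"""
# Constructed stand-in for a PE body: "MZ" header stub followed by padding.
SAMPLE_BODY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200

# libmagic substrings that mark an extracted file as worth a sandbox run.
INTERESTING_MAGIC = ("for MS Windows", "PDF document", "Microsoft Word",
                     "Composite Document File")


def parse_meta(text):
    """Turn the 'KEY:   value' lines of a .meta sidecar into a dict."""
    meta = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        meta[key.strip()] = value.strip()
    return meta


def verify_md5(body, meta):
    """Recompute the hash so a truncated or half-written file is never trusted."""
    return hashlib.md5(body).hexdigest() == meta.get("MD5", "").lower()


def is_interesting(meta):
    """Only fully reassembled (STATE CLOSED) files of a detonatable type qualify."""
    magic = meta.get("MAGIC", "")
    return meta.get("STATE") == "CLOSED" and any(m in magic for m in INTERESTING_MAGIC)


def triage_dir(files_dir, db_path):
    """Scan a file-store directory; return the new MD5s queued for the sandbox."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS samples "
                 "(md5 TEXT PRIMARY KEY, host TEXT, uri TEXT, magic TEXT, size INTEGER)")
    queued = []
    for name in sorted(os.listdir(files_dir)):
        if not name.endswith(".meta"):
            continue
        with open(os.path.join(files_dir, name)) as fh:
            meta = parse_meta(fh.read())
        with open(os.path.join(files_dir, name[:-5]), "rb") as fh:  # file.N beside file.N.meta
            body = fh.read()
        if not verify_md5(body, meta) or not is_interesting(meta):
            continue
        md5 = meta["MD5"].lower()
        # The central table dedupes across sensors: a binary is detonated once.
        cur = conn.execute("INSERT OR IGNORE INTO samples VALUES (?,?,?,?,?)",
                           (md5, meta.get("HTTP HOST"), meta.get("HTTP URI"),
                            meta.get("MAGIC"), int(meta.get("SIZE", 0))))
        if cur.rowcount == 1:
            queued.append(md5)
    conn.commit()
    conn.close()
    return queued


def build_sample_dir():
    """Write the constructed sample into a temp dir shaped like /var/log/suricata/files/."""
    d = tempfile.mkdtemp()
    md5 = hashlib.md5(SAMPLE_BODY).hexdigest()
    with open(os.path.join(d, "file.1"), "wb") as fh:
        fh.write(SAMPLE_BODY)
    with open(os.path.join(d, "file.1.meta"), "w") as fh:
        fh.write(SAMPLE_META.format(md5=md5, size=len(SAMPLE_BODY)))
    return d, md5


if __name__ == "__main__":
    d, md5 = build_sample_dir()
    db = os.path.join(d, "central.db")
    print(triage_dir(d, db))  # first pass queues the sample
    print(triage_dir(d, db))  # second pass: hash already known, nothing queued
```

The MD5 re-check matters because the file-store writes the body and the sidecar separately; a sensor polling the directory can otherwise pick up a partially written file and ship a wrong hash to the central database.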
Components – Network IDS / IPS
• HTTP Logs
Components – Network IDS / IPS
• Drawback - High CPU processing.
• Suricata is a high-performance NIDS/NIPS that utilizes all CPU cores, compared to Snort NIDS/NIPS. It can also utilize GPU cores.
• PF_RING can be used to bypass the Linux OS TCP/IP stack: Suricata, running in userspace, gets direct access to the network buffer from the network card (kernelspace) without going through most of the OS layers.
• You might want to read the 2012 article “Suricata, to 10Gbps and beyond”: https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
Components – Sandboxing
• Cuckoo Sandbox is a malware analysis system.
• It produces traces of native function and Windows API calls, copies of files created and deleted on the file system, a dump of the memory of the selected process, a full memory dump of the analysis machine, screenshots of the desktop during the execution of the malware analysis, and a network dump generated by the machine used for the analysis.
• For our purpose, the files / web accesses extracted by Suricata will be tested in a simulation environment using Cuckoo Sandbox.
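The Objective slide asks for callback signatures generated from sandbox results, and the network dump listed above is where those callbacks appear. The Python below is an added example (not code from the slides, from MyCERT or from the Cuckoo project) that reads the network section of a Cuckoo-style report and emits Suricata rules in the 2.x keyword syntax (`dns_query`, `http_method`, `http_host`, `http_uri`) for every contacted domain and HTTP request, skipping hosts on an allowlist of infrastructure the analysis VM talks to on its own. The report fragment, its key names (`network.domains[].domain`, `network.http[].host/method/uri`), the domains, the SID range and the allowlist are constructed assumptions rather than values from the page.

```python
import json

# Constructed Cuckoo-style report fragment. The key layout is an assumption
# about the 1.x report.json format; adapt the accessors if yours differs.
SAMPLE_REPORT = json.dumps({
    "info": {"id": 42},
    "target": {"file": {"md5": "d41d8cd98f00b204e9800998ecf8427e"}},
    "network": {
        "domains": [
            {"domain": "callback.example.net", "ip": "203.0.113.45"},
            {"domain": "update.microsoft.com", "ip": "13.107.4.50"},
        ],
        "http": [
            {"host": "callback.example.net", "method": "POST", "uri": "/gate.php?id=1;x"},
            {"host": "update.microsoft.com", "method": "GET", "uri": "/ping"},
        ],
    },
})

# Benign traffic the sandbox VM generates by itself (constructed list). Never
# turn it into a signature or every Windows update on the network will alert.
ALLOWLIST = {"update.microsoft.com"}


def rule_content(value):
    """Escape a literal for the content: keyword. Characters that are special
    in the rule syntax (", ;, |, \\) and non-printables are emitted as |hex|
    so an attacker-chosen URI cannot break or truncate the rule."""
    out = []
    for ch in value:
        if ch in '";|\\' or not (32 <= ord(ch) < 127):
            out.append("|%02x|" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def callback_rules(report_json, sid_start, allowlist=ALLOWLIST):
    """Emit one Suricata rule per C2 domain and per HTTP request seen in one analysis."""
    report = json.loads(report_json)
    md5 = report["target"]["file"]["md5"]
    task = report["info"]["id"]
    sid = sid_start
    rules = []
    seen = set()
    for d in report["network"].get("domains", []):
        dom = d["domain"].lower()
        if dom in allowlist or dom in seen:
            continue
        seen.add(dom)
        rules.append(
            'alert dns $HOME_NET any -> any any (msg:"CALLBACK dns %s task %d md5 %s"; '
            'dns_query; content:"%s"; nocase; classtype:trojan-activity; sid:%d; rev:1;)'
            % (dom, task, md5, rule_content(dom), sid))
        sid += 1
    for h in report["network"].get("http", []):
        host = h["host"].lower()  # http_host buffer is lowercased by Suricata
        if host in allowlist:
            continue
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CALLBACK http %s %s task %d"; '
            'flow:established,to_server; content:"%s"; http_method; content:"%s"; http_host; '
            'content:"%s"; http_uri; classtype:trojan-activity; sid:%d; rev:1;)'
            % (host, h["method"], task, rule_content(h["method"]), rule_content(host),
               rule_content(h["uri"]), sid))
        sid += 1
    return rules


if __name__ == "__main__":
    # 9000000 is a constructed local SID range; pick one that does not collide
    # with the rule sets your sensors already load.
    for rule in callback_rules(SAMPLE_REPORT, 9000000):
        print(rule)
```

Two design points: the msg carries the task id and sample MD5 so an alert on a sensor can be traced back to the analysis that produced it, and every value copied out of the report goes through `rule_content`, because a C2 URI containing a `;` or `"` would otherwise terminate the rule early and either fail to load or match something other than intended.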
Components – Sandboxing (Anti-VM)
• Nowadays malware is equipped with anti-VM code to detect whether it is running inside a sandbox environment, by inspecting the registry, CPU flags, BIOS, file system, etc.
• Bypassing Sandboxes For Fun: https://www.botconf.eu/bypassing-sandboxes-for-fun/
• To defeat anti-VM malware, refer to VMCloak, VBoxAntiVMDetectHardened, etc.
• You can try using Pafish to detect whether you are running inside a virtualization / sandbox environment: https://github.com/a0rtega/pafish
Components – Sandboxing (Anti-VM)
• Hardened Anti-VM Detection
Components – Sandboxing (Anti-VM)
• Sandbox detection using Pafish
Components – SSL Decryption
• viewssld - SSL decryption for network monitoring.
• Nowadays malware exploits SSL encryption to bypass network security detection.
• IT security admins can enforce HTTPS / SSL interception by registering the firewall / proxy root certificate on every PC inside an organization.
• Given the private key, viewssld can decrypt every HTTPS communication and send it to the Network IDS for malware collection & intrusion alerting.
Process Flow
Moving Forward
• Enhancing Cuckoo sandbox environment
• Defeating Anti-VM / Sandbox Hardening
• Exploitation detection (Buffer/Heap Overflow,
Payload)
• Produce more valuable information
• Improve the process flow
Malware Research Lab (Tools)
• Our team has also developed tools for our daily operation:
– BotNet Checker: Botnet detection based on IP address.
– LebahNet: Distributed Honeynet.
– MyKotakPasir: Virtualization sandboxing.
– AndBox: Android sandboxing.
– ESPot: ElasticSearch Honeypot.
– DontExploitMe: Browser Based IPS.
– DontPhishMe: Phishing Site Blocker for Browser (Firefox, Chrome, Internet Explorer).
– MyLipas: Web Defacement Crawler.
– Many others.
Malware Research Lab (Tools)
• BotNet Checker – http://botnet.honeynet.org.my/
Malware Research Lab (Tools)
• DontPhishMe & Antiphishing.My – https://www.antiphishing.my/
Coordinated Malware Eradication And Remediation Project (CMERP) & CyberDEF (Detection, Eradication & Forensics)
What is it?
• A comprehensive solution for detection, eradication and forensics of malware in cyberspace.
What are the benefits?
• Helps organizations strengthen and defend themselves by preparing the CSIRT team with the required skills, policy and procedures in place.
• The capability of the team will be strengthened by participating in cyber exercise activities tailored for the organization.
• With the necessary resources and skills in place, steps and measures can be taken to eradicate threats.
Contacts
• Web: http://www.cybersecurity.my
• Web: http://www.mycert.org.my
• Web: www.cybersafe.my
• Report Incident:
Q&A