Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin

Mar 2015, Digital Forensics Research Conference Europe 2015

Indicator of Compromise (IOC) is a set of technical characteristics to detect threats. Forensic investigators can define and share IOC files according to some standards or rules such as OpenIOC and YARA. Currently, many IOCs are available on the Internet, but most of the IOCs cannot be used for memory forensics because they are composed of indicators dependent on disk or live response data.

Two years ago, I introduced "volatile IOCs" based on RAM evidence only at SANS DFIR Summit 2013. We can detect malware in memory images using them faster than using disk-based traditional IOCs. Besides, we can define indicators based on not only metadata like file paths but also malware functions such as code injection sign, imported functions, unpacked codes, and so on. However, in order to scan threats using volatile IOCs, we needed to use a closed-source tool based on OpenIOC standard. I could not improve it even if there were some limitations in the tool.

That's why I implemented "openioc_scan" as a plugin for Volatility Framework which is an open-source memory forensic tool. In this presentation, I explain how to use it and details of the implementation. Furthermore, I also show the results of considerations about IOCs to detect unknown malware in RAM by focusing on generic traits of malware.

Takahiro Haruyama

March 01, 2015

More Decks by Takahiro Haruyama

Other Decks in Technology


  1. Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO

    HARUYAMA (@CCI_FORENSICS) INTERNET INITIATIVE JAPAN INC. Digital Forensics Research Conference Europe 2015
  2. Who am I?  Forensic Investigator & Malware Analyst at

    Internet Initiative Japan Inc.  For details, please check our technical reports (IIR: Internet Infrastructure Review)  http://www.iij.ad.jp/en/company/development/iir/index.html  Presentations and Hands-on classes  Black Hat Briefings USA/Europe/Asia  SANS Digital Forensics and Incident Response Summit  The Computer Enterprise and Investigations Conference  FIRST Technical Colloquium  etc...  Blog  http://takahiroharuyama.github.io/  plugins/scripts for Volatility Framework, IDA Pro, Immunity Debugger and EnCase  EnCase Certified Examiner since 2009 2
  3. IOC (Indicator Of Compromise)  A piece of information that

    can be used to search for or identify potentially compromised systems*1  e.g., network-based IOC (IP/URL), host-based IOC (file hash)  Useful to detect known threats  Some implementations and standards  YARA*2  OpenIOC*3  Cybox*4  Stix*5  etc... 5
  4. Why OpenIOC? 6 OpenIOC, 257, 77% YARA, 73, 22% Cybox,

    2, 1% Stix, 1, 0% Shared IOCs in IOC Bucket*6 (2015/3/3) openioc 1.0 YARA Cybox Stix
  5. Existing OpenIOC tools  Free tools provided by Mandiant 

    IOC Finder*7  scan live systems  Redline*8  scan acquired memory images  safer and faster than live scan  I proposed “Volatile IOCs” for Redline at SANS DFIR Summit*9  Problem  closed-source  7
  6. “openioc_scan” Volatility Framework Plugin  Volatility Framework*10  open-source memory

    forensic tool  list unallocated kernel objects (e.g., dead process, unloaded kernel module)  openioc_scan plugin  supports only Windows (Vista or later)  3 python packages required  lxml*11  ioc_writer*12  colorma*13 9
  7. Generating IOCs for openioc_scan  openioc_scan accepts OpenIOC 1.1 format,

    not 1.0  case sensitiveness  regular expression (“matches” condition)  “parameters” (explain later)  PyIOCe*14 made by Sean Gillespie  support editing OpenIOC 1.1 format files  should import the latest “terms” and “parameters” for openioc_scan*15 10
  8. Supported 36 IOC Terms  ProcessItem and DriverItem are evaluated

    per one process/driver  I recommend KISS (Keeping IOCs Simple and Short) 12 Term Category Term Examples ProcessItem name, command line, parent name, DLL path, DKOM detection, code injection detection, imported/dynamic generated API, string, handle name, network connection, IAT/EAT/inline hooked API, enabled privilege name RegistryItem metadata of executables cached by OS (ShimCache) ServiceItem service name/description/command line DriverItem name, imported/dynamic generated API, string, hooked IRP function table, callback function type, timer function detection HookItem hooked SSDT entry FileItem filename/size/path based on carved MFT entry
  9. Parameters  metadata for each IOC term supported in OpenIOC

    1.1  openioc_scan supports 3 parameters*16  score  additionally evaluate IOCs based on integer values (>=100)  detail  display not only matched substring but also total one  note  comment about the term 13
  10. Considering Generic IOCs  Currently, IOCs are applied to “known”

    threats  file hash and URL are mostly one-time and effective for only specific incidents  openioc_scan can detect unknown ones based on generic traits  unusual executable paths  web injection  position independent code (PIC)  code injection  bypassing UAC dialog  hiding data in NTFS $EA  lateral movement in targeted attack 15
  11. Unusual Paths (“Iron Man” Method*17)  generated two kinds of

    IOCs  exec paths in running processes  exec paths in ShimCache  The former IOC caused less false positives than the latter one parameter: detail=on 16
  12. Web Injection  The indicators  HttpSendRequest APIs are hooked

     The module name hooking APIs is unknown because of code injection  detect EAT/IAT/inline hooks based on apihooks implementation  Limitation  The inline hook detection checks only first 3 instructions and cheated by fake RET 17 fake RET by SpyEye
  13. Position Independent Code (PIC)  considered 3 kinds of binary

    sequences to detect PIC  access to PEB (e.g., mov eax, fs:dword_30; mov eax, [eax+0Ch])  “GetPC” code (e.g., call $+5; pop)  False positives found  API Hash (e.g., rol13AddHash32 of CreateFileA = 0xCACA3B9B)  Scanning all API hash patters is wasteful  IOC of PEB access is better than others  Limitation is to detect only x86 codes 18
  14. Code Injection  3 IOCs combined with malfind condition 1.

    commonly-used APIs  extended impscan to check dynamically-generated API tables and injected code sections  not work on wow64 process due to impscan limitation 2. unknown hooking module name 3. hex patterns of PIC  The 3rd one is much faster and accurate  Term “InjectedHexPattern” 19 parameter: score=integer value
  15. Bypassing UAC Dialog  Two UAC bypassing techniques  DLL

    load-order hijacking*18  malicious SDB installation*21  defined the characteristic code sequence / strings / APIs  Limitation  There may be other methods bypassing UAC 20 COM method called by PlugX de-obfuscated string and API in Dridex
  16. Hiding Data in NTFS $EA  Some malware hides its

    code/data in NTFS extended attribute ($EA)  ZeroAccess (user-mode), Regin (kernel-mode)*22, etc…  defined two IOCs (ProcessItem/DriverItem) based on APIs handling with $EA  Limitation  not work on wow64 process  Some false positives found in kernel-mode 21 NtQueryEaFile resolved and called by Regin
  17. Lateral Movement in Targeted Attack  IOCs finding artifacts generated

    by specific tools (*19, *20 and thanks to Junichi Hatta)  Windows CUI tools (e.g., at.exe)  SysInternals tools (e.g., psexec.exe)  PTH tools (e.g., wce.exe)  two patterns  process-based  not useful  file/registry-based  heavily dependent on metadata  difficult to define generic ones 22
  18. Wrap-up  openioc_scan plugin for Volatility Framework  generic IOCs

    to detect unknown threats  Zero false positive is difficult, but useful for first triage  Some limitations due to the implementation of Volatility Framework  but we can improve them thanks to open-source ☺  The tool and generic IOCs are available on my blog  http://takahiroharuyama.github.io/  Share your own IOCs in the world! 24
  19. Reference  [1] Sharing Indicators of Compromise: An Overview of

    Standards and Formats  https://www.rsaconference.com/writable/presentations/file_upload/dsp-w25a.pdf  [2] YARA - The pattern matching swiss knife for malware researchers  https://plusvic.github.io/yara/  [3] The OpenIOC Framework  http://www.openioc.org/  [4] CybOX - Cyber Observable Expression  https://cybox.mitre.org/  [5] STIX - Structured Threat Information Expression  https://stix.mitre.org/  [6] IOC Bucket  https://www.iocbucket.com/  [7] IOC Finder  http://www.mandiant.com/resources/download/ioc-finder/  [8] Redline  https://www.mandiant.com/resources/download/redline 25
  20. Reference (Cont.)  [9] Volatile IOCs for Fast Incident Response

     https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Volatile-IOCs-for-Fast-Incident-Response- Haruyama.pdf  [10] volatilityfoundation/volatility  https://github.com/volatilityfoundation/volatility  [11] lxml 3.2.1 : Python Package Index  https://pypi.python.org/pypi/lxml/3.2.1  [12] mandiant/ioc_writer  https://github.com/mandiant/ioc_writer  [13] colorama 0.3.3 : Python Package Index  https://pypi.python.org/pypi/colorama  [14] yahoo/PyIOCe  https://github.com/yahoo/PyIOCe  [15] Fast Malware Triage Using Openioc_scan Volatility Plugin  http://takahiroharuyama.github.io/blog/2014/08/15/fast-malware-triage-using-openioc-scan-volatility-plugin/  [16] OpenIOC Parameters Used by Openioc_scan  http://takahiroharuyama.github.io/blog/2014/10/24/openioc-parameters-used-by-openioc-scan/ 26
  21. Reference (Cont.)  [17] Finding Malware Like Iron Man Slide

    Decks  http://journeyintoir.blogspot.jp/2013/07/finding-malware-like-iron-man-slide.html  [18] Bypassing Windows User Account Control (UAC) and ways of mitigation  http://www.greyhathacker.net/?p=796  [19] Do not fumble the lateral movement  https://sysforensics.org/2014/01/lateral-movement.html  [20] Pass-The-Hash: Gaining Root Access to Your Network  http://first.org/resources/papers/conference2014/first_2014_-_slaybaugh-_tim_- _pass_the_hash_20140623.pptx  [21] A New UAC Bypass Method that Dridex Uses  http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html  [22] THE REGIN PLATFORM - NATION-STATE OWNAGE OF GSM NETWORKS  https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng. pdf 27