Fast and Generic Malware Triage Using openioc_scan Volatility Plugin

Transcript

1. Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO

   HARUYAMA (@CCI_FORENSICS) INTERNET INITIATIVE JAPAN INC. Digital Forensics Research Conference Europe 2015

2. Who am I?  Forensic Investigator & Malware Analyst at

   Internet Initiative Japan Inc.  For details, please check our technical reports (IIR: Internet Infrastructure Review)  http://www.iij.ad.jp/en/company/development/iir/index.html  Presentations and Hands-on classes  Black Hat Briefings USA/Europe/Asia  SANS Digital Forensics and Incident Response Summit  The Computer Enterprise and Investigations Conference  FIRST Technical Colloquium  etc...  Blog  http://takahiroharuyama.github.io/  plugins/scripts for Volatility Framework, IDA Pro, Immunity Debugger and EnCase  EnCase Certified Examiner since 2009 2

3. Overview  Motivation  “openioc_scan” Volatility Framework Plugin  Generic

   IOCs 3

4. Motivation 4

5. IOC (Indicator Of Compromise)  A piece of information that

   can be used to search for or identify potentially compromised systems*1  e.g., network-based IOC (IP/URL), host-based IOC (file hash)  Useful to detect known threats  Some implementations and standards  YARA*2  OpenIOC*3  Cybox*4  Stix*5  etc... 5

6. Why OpenIOC? 6 OpenIOC, 257, 77% YARA, 73, 22% Cybox,

   2, 1% Stix, 1, 0% Shared IOCs in IOC Bucket*6 (2015/3/3) openioc 1.0 YARA Cybox Stix

7. Existing OpenIOC tools  Free tools provided by Mandiant 

   IOC Finder*7  scan live systems  Redline*8  scan acquired memory images  safer and faster than live scan  I proposed “Volatile IOCs” for Redline at SANS DFIR Summit*9  Problem  closed-source  7

8. “openioc_scan” Volatility Framework Plugin 8

9. “openioc_scan” Volatility Framework Plugin  Volatility Framework*10  open-source memory

   forensic tool  list unallocated kernel objects (e.g., dead process, unloaded kernel module)  openioc_scan plugin  supports only Windows (Vista or later)  3 python packages required  lxml*11  ioc_writer*12  colorma*13 9

10. Generating IOCs for openioc_scan  openioc_scan accepts OpenIOC 1.1 format,

    not 1.0  case sensitiveness  regular expression (“matches” condition)  “parameters” (explain later)  PyIOCe*14 made by Sean Gillespie  support editing OpenIOC 1.1 format files  should import the latest “terms” and “parameters” for openioc_scan*15 10

11. Execution 11

12. Supported 36 IOC Terms  ProcessItem and DriverItem are evaluated

    per one process/driver  I recommend KISS (Keeping IOCs Simple and Short) 12 Term Category Term Examples ProcessItem name, command line, parent name, DLL path, DKOM detection, code injection detection, imported/dynamic generated API, string, handle name, network connection, IAT/EAT/inline hooked API, enabled privilege name RegistryItem metadata of executables cached by OS (ShimCache) ServiceItem service name/description/command line DriverItem name, imported/dynamic generated API, string, hooked IRP function table, callback function type, timer function detection HookItem hooked SSDT entry FileItem filename/size/path based on carved MFT entry

13. Parameters  metadata for each IOC term supported in OpenIOC

    1.1  openioc_scan supports 3 parameters*16  score  additionally evaluate IOCs based on integer values (>=100)  detail  display not only matched substring but also total one  note  comment about the term 13

14. Generic IOCs 14

15. Considering Generic IOCs  Currently, IOCs are applied to “known”

    threats  file hash and URL are mostly one-time and effective for only specific incidents  openioc_scan can detect unknown ones based on generic traits  unusual executable paths  web injection  position independent code (PIC)  code injection  bypassing UAC dialog  hiding data in NTFS $EA  lateral movement in targeted attack 15

16. Unusual Paths (“Iron Man” Method*17)  generated two kinds of

    IOCs  exec paths in running processes  exec paths in ShimCache  The former IOC caused less false positives than the latter one parameter: detail=on 16

17. Web Injection  The indicators  HttpSendRequest APIs are hooked

     The module name hooking APIs is unknown because of code injection  detect EAT/IAT/inline hooks based on apihooks implementation  Limitation  The inline hook detection checks only first 3 instructions and cheated by fake RET 17 fake RET by SpyEye

18. Position Independent Code (PIC)  considered 3 kinds of binary

    sequences to detect PIC  access to PEB (e.g., mov eax, fs:dword_30; mov eax, [eax+0Ch])  “GetPC” code (e.g., call $+5; pop)  False positives found  API Hash (e.g., rol13AddHash32 of CreateFileA = 0xCACA3B9B)  Scanning all API hash patters is wasteful  IOC of PEB access is better than others  Limitation is to detect only x86 codes 18

19. Code Injection  3 IOCs combined with malfind condition 1.

    commonly-used APIs  extended impscan to check dynamically-generated API tables and injected code sections  not work on wow64 process due to impscan limitation 2. unknown hooking module name 3. hex patterns of PIC  The 3rd one is much faster and accurate  Term “InjectedHexPattern” 19 parameter: score=integer value

20. Bypassing UAC Dialog  Two UAC bypassing techniques  DLL

    load-order hijacking*18  malicious SDB installation*21  defined the characteristic code sequence / strings / APIs  Limitation  There may be other methods bypassing UAC 20 COM method called by PlugX de-obfuscated string and API in Dridex

21. Hiding Data in NTFS $EA  Some malware hides its

    code/data in NTFS extended attribute ($EA)  ZeroAccess (user-mode), Regin (kernel-mode)*22, etc…  defined two IOCs (ProcessItem/DriverItem) based on APIs handling with $EA  Limitation  not work on wow64 process  Some false positives found in kernel-mode 21 NtQueryEaFile resolved and called by Regin

22. Lateral Movement in Targeted Attack  IOCs finding artifacts generated

    by specific tools (*19, *20 and thanks to Junichi Hatta)  Windows CUI tools (e.g., at.exe)  SysInternals tools (e.g., psexec.exe)  PTH tools (e.g., wce.exe)  two patterns  process-based  not useful  file/registry-based  heavily dependent on metadata  difficult to define generic ones 22

23. Wrap-up 23

24. Wrap-up  openioc_scan plugin for Volatility Framework  generic IOCs

    to detect unknown threats  Zero false positive is difficult, but useful for first triage  Some limitations due to the implementation of Volatility Framework  but we can improve them thanks to open-source ☺  The tool and generic IOCs are available on my blog  http://takahiroharuyama.github.io/  Share your own IOCs in the world! 24

25. Reference  [1] Sharing Indicators of Compromise: An Overview of

    Standards and Formats  https://www.rsaconference.com/writable/presentations/file_upload/dsp-w25a.pdf  [2] YARA - The pattern matching swiss knife for malware researchers  https://plusvic.github.io/yara/  [3] The OpenIOC Framework  http://www.openioc.org/  [4] CybOX - Cyber Observable Expression  https://cybox.mitre.org/  [5] STIX - Structured Threat Information Expression  https://stix.mitre.org/  [6] IOC Bucket  https://www.iocbucket.com/  [7] IOC Finder  http://www.mandiant.com/resources/download/ioc-finder/  [8] Redline  https://www.mandiant.com/resources/download/redline 25

26. Reference (Cont.)  [9] Volatile IOCs for Fast Incident Response

     https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Volatile-IOCs-for-Fast-Incident-Response- Haruyama.pdf  [10] volatilityfoundation/volatility  https://github.com/volatilityfoundation/volatility  [11] lxml 3.2.1 : Python Package Index  https://pypi.python.org/pypi/lxml/3.2.1  [12] mandiant/ioc_writer  https://github.com/mandiant/ioc_writer  [13] colorama 0.3.3 : Python Package Index  https://pypi.python.org/pypi/colorama  [14] yahoo/PyIOCe  https://github.com/yahoo/PyIOCe  [15] Fast Malware Triage Using Openioc_scan Volatility Plugin  http://takahiroharuyama.github.io/blog/2014/08/15/fast-malware-triage-using-openioc-scan-volatility-plugin/  [16] OpenIOC Parameters Used by Openioc_scan  http://takahiroharuyama.github.io/blog/2014/10/24/openioc-parameters-used-by-openioc-scan/ 26

27. Reference (Cont.)  [17] Finding Malware Like Iron Man Slide

    Decks  http://journeyintoir.blogspot.jp/2013/07/finding-malware-like-iron-man-slide.html  [18] Bypassing Windows User Account Control (UAC) and ways of mitigation  http://www.greyhathacker.net/?p=796  [19] Do not fumble the lateral movement  https://sysforensics.org/2014/01/lateral-movement.html  [20] Pass-The-Hash: Gaining Root Access to Your Network  http://first.org/resources/papers/conference2014/first_2014_-_slaybaugh-_tim_- _pass_the_hash_20140623.pptx  [21] A New UAC Bypass Method that Dridex Uses  http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html  [22] THE REGIN PLATFORM - NATION-STATE OWNAGE OF GSM NETWORKS  https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng. pdf 27