openioc_scan – IOC scanner for memory forensics

Black Hat USA 2015 Arsenal, SECURE 2015
https://www.blackhat.com/us-15/arsenal.html#takahiro-haruyama

An Indicator of Compromise (IOC) is a piece of information that can be used to search for or identify potentially compromised systems. openioc_scan is an open-source IOC scanner for memory forensics, implemented as a plugin for the Volatility Framework. By checking IOCs in RAM images (e.g., signs of code injection, used/hooked API functions, unpacked code sequences), we can detect malware faster and more deeply than with traditional disk-based IOCs. In this presentation, I explain how to define and improve IOCs for openioc_scan and introduce IOC examples, including not only IOCs for specific malware but also ones focusing on generic traits of malware. I also show remote malware triage automation combined with F-Response.

Takahiro Haruyama

October 01, 2015

Transcript

  3. IOC overview diagram (recoverable labels only): Malware Analysis; Forensic Analysis; IOC: define & improve; scan on live system, disk image, memory image; specific indicators, e.g., URL, file hash; generic (function-based) indicators, e.g., used API, binary code
  6. PlugX detected
  7. IOC term categories and term examples
    • ProcessItem: name, command line, parent name, DLL path, process/DLL DKOM detection, code injection detection, imported/dynamically generated API table, string, handle name, network connection, IAT/EAT/inline hooked API name, enabled privilege name
    • RegistryItem: metadata of executables cached by the OS (ShimCache)
    • ServiceItem: service name/description/command line
    • DriverItem: name, imported/dynamically generated API table, string, hooked IRP function table, callback function type, timer function detection
    • HookItem: hooked SSDT entry
    • FileItem: filename/size/path based on carved MFT entry
  8. Specific IOC vs. generic IOC
    • specific IOC: advantage: easy to define (low false positive rate); weakness: detects that malware only
    • generic IOC: advantage: detects unknown malware with similar traits; weakness: hard to define (high false positive rate)
  9. Andromeda, Tinba (remaining slide text unrecoverable)
  10. Hollowed process path from PEB
  11. Stuxnet: path from FileObject in VAD is null
  12. ZeroAccess (remaining slide text unrecoverable)
  13. Dridex (parameter: detail=on)
  17. "IDENTIFY_DEVICE" command; read/write of ATA device registers
  19. Remote triage flow between Examiner and Target Machine:
    1. deploy F-Response agent
    2. acquire RAM
    3. identify the system profile from the SOFTWARE registry hive
    4. execute openioc_scan
  22. DEMO