Volatile IOCs for Fast Incident Response

Transcript

1. Takahiro Haruyama Internet Initiative Japan Inc. 1

2. ◆ Background ◆ Volatile IOCs ◆ Discussion ◆ Wrap-up 2

3. 3

4. ◆ Malware makes advance for persistence ◆ Evading AV detection

   ◆ e.g., SpyEye web panel provides AV tester for generated bots ◆ Reliable installation ◆ e.g., ZeroAccess suspends (and disables if possible) OS security functions before its installation ◆ We can’t avoid malware infection ◆ If infected once, forensic investigation and malware analysis are needed 4

5. Several Hours Several Days 5

6. 6 Important for fast triage Several Hours Several Days

7. 7 Experts Identify the kind of malware -> figure out

   malware behavior early Intermediate analysts Find suspicious process/driver/connection -> useful, but not sure Experience/knowledge required

8. Technical characteristics •file system •registry hive •network, etc... IOC XML

   formatted information describing known threats 8 ◆ Technical characteristics of known threats from an expert point of view ◆ OpenIOC [1] ◆ An extensible XML schema for defining IOC ◆ It enables to share expert knowledge easily

9. ◆ Malware identification on memory forensics phase is effective for

   fast triage ◆ OpenIOC fills the gap between experts and ordinary analysts ◆ Problems of existing IOCs ◆ Most IOCs depend on non-volatile evidence ◆ Difficult to reuse for identifying variants ◆ e.g., filename, hash value, IP, URL 9

10. 10

11. 11 Extract indicators from analysis result Define IOC using IOC

    Editor [2] Analyze RAM using Redline [3] Check the IOC report Find the cause of false positive/negative

12. 12

13. 13

14. 14

15. 15

16. 16

17. ◆ What kind of indicators can be defined? ◆ ProcessItem

    ◆ DriverItem ◆ HookItem ◆ ModuleItem (not sure) ◆ Useful indicators ◆ sign of code injection ◆ imported/exported functions ◆ strings ◆ header signature of data structure ◆ function/protocol related string ◆ de-obfuscated string ◆ process arguments ◆ etc... 17

18. ◆ Generated volatile IOCs for famous malware ◆ ZeuS ◆

    SpyEye ◆ PoisonIvy ◆ ZeroAccess ◆ Used several samples per single-species malware for the IOC generation ◆ Memory images were acquired on Windows XP / 7 18

19. ◆ ZeuS is a crimeware kit that was first discovered

    around 2007 ◆ It steals IDs like online banking accounts by using web injection ◆ 2.0.8.9 source code was leaked in 2011 ◆ Several variants are discovered ◆ In more detail, see our report [4] 19

20. ◆ ZeuS generates install information called PESETTINGS ◆ PESETTINGS is

    encrypted and saved with header as “overlay” ◆ The header signature “DAVE” used Signature “DAVE” 20

21. ◆ ZeuS injects itself into other processes ◆ Code-injected memory

    region has two differences in memory management information (VAD: Virtual Address Descriptor) Usual exe/dll includes a pointer to File Object (memory mapped file) VAD has “protection flag” about read/write/execute 21

22. ◆ File Object information = null ◆ protection flag =

    EXECUTE_READ_WRITE 22 File Object information protection flag Injected True or False

23. ◆ Imported functions indicate functions of the malware ◆ Collecting

    information of infected machines (e.g., GetLengthSid) ◆ Anti-Forensics (e.g., SetFileTime) ◆ code injection (e.g., CreateToolhelp32Snapshot) ◆ web injection (e.g., HttpSendRequest*) 23

24. ◆ ZeuS obfuscates important strings ◆ The strings are decoded

    on the execution ◆ De-obfuscated strings are good indicators 24

25. ◆ “imodule” variant [5] ◆ Many obfuscated strings are added

    ◆ e.g., New command downloads DLLs and execute their functions ◆ Citadel variant ◆ Not infect Russian/Ukrainian PCs (GetKeyboardLayoutList) ◆ Detect sandboxes for anti analysis 25

26. code injection sign imported functions de-obfuscated strings indicators for “imodule”

    variant 26 “overlay” signature indicators for Citadel variant

27. ◆ 3 variants used ◆ 2.0.8 (source-code leaked version) ◆

    “imodule” variant ◆ Citadel All variants “imodule” specific “citadel” specific 27

28. ◆ Another Crimeware Kit after ZeuS ◆ 1.3.45 builder cracked

    in 2011 ◆ IIJ analyzed and reported its behavior [6] ◆ No update since 1.3.48? ◆ But the botnet is still active 28

29. ◆ “C*” includes data ◆ C1: install configuration ◆ C2:

    config.bin ◆ C3: password for decrypting config.bin ◆ “SC*” includes code ◆ SC1: code for injection ◆ SC2: code for collecting C1 data 29

30. ◆ SC2 uses C1 signature “!EYE” 30

31. ◆ SpyEye uses 4-byte hash value for calling APIs ◆

    Imported functions are not useful for IOC 31

32. ◆ SpyEye includes plugin DLLs in config.bin ◆ The exported

    functions are unique 32 Most SpyEye variants include this function exported by the plugin

33. ◆ De-obfuscated strings on execution are good indicators 33

34. ◆ Fixed format with characteristic strings 34

35. C1 signature exported functions of plugin DLL code injection sign

    characteristic strings included in stolen data de-obfuscated strings 35

36. ◆ 3 versions used ◆ 1.3.10 ◆ 1.3.45 (compiled using

    builder) ◆ 1.3.48 1.3.10 / 1.3.48 1.3.45 36

37. ◆ RAT (Remote Access Tool) used for targeted attack ◆

    Everyone can download it at the web site ◆ The distributed version is 2.3.2 ◆ It cannot run on Windows 7 ◆ Some hackers patched to work well ◆ Some custom-built versions also exists 37

38. ◆ PoisonIvy doesn’t inject its entire image [7] ◆ Redline

    cannot detect the injection ◆ Specify the description of protection flag directly ◆ Caution: Redline 1.9.1 cannot display the memory regions of fragmented code injection  38

39. ◆ Most PoisonIvy specimens injects twice ◆ explorer.exe ◆ create

    iexplore.exe process and inject code to it ◆ iexplore.exe (with “-nohome” argument) ◆ connect to Poison Ivy GUI client ◆ Rare specimens are stand-alone 39

40. ◆ PIC (Position-Independent Code) ◆ Imported functions cannot be used

    ◆ Codes for most functions are sent from client ◆ There are few strings related to functions in the installed binary ◆ For identifying rare stand-alone specimens, use some strings in RAM based on heuristics ◆ Not logical, but useful to some degree 40

41. 41 the 2nd injection the 1st injection heuristic strings

42. ◆ 10 specimens used (1 stand-alone specimen) ◆ 2.3.2 (distributed

    version) ◆ 3 specimens used for targeted attacks ◆ 6 samples collected from Malware.lu code injection 1st code injection 2nd stand alone variant 42

43. ◆ Shift of ZeroAccess ◆ Communication ◆ from server-type botnet

    to P2P botnet ◆ Implementation ◆ from kernel-mode to user-mode ◆ Instructed to carry out click fraud and Bitcoin mining, but not limited 43

44. ◆ Dropper behavior ◆ extract main DLL from inline CAB

    and install it ◆ inject code twice to explorer.exe ◆ old user-mode version patches services.exe ◆ bypass UAC misusing DLL load order in Windows ◆ execute itself again as DLL with privilege ◆ Many indicators, but not useful ◆ The installed DLL is different binary ◆ After reboot, the dropper IOC vanishes 44

45. ◆ P2P communication ◆ UDP ◆ send/receive bot commands ◆

    All commands are encoded by rotation XOR ◆ TCP ◆ upload/download plugin files ◆ The callback functions differentiate socket status by checking dword tags 45

46. ◆ Low level APIs ◆ Zw* (e.g., ZwQueryEaFile) ◆ Ldr*

    (e.g., LdrGetProcedureAddress) ◆ Rtl* (e.g., RtlImageNtHeader) ◆ Crypt APIs ◆ e.g., CryptVerifySignatureW 46

47. ◆ Imported functions in kernel driver ◆ e.g., KeInsertQueueApc ◆

    Hidden volume accessed from user process ◆ “ACPI#PNP0303#2&da1a3ff&0” ◆ The name seems to be unchanged ◆ Later user-mode ZeroAccess still checks it in installation 47

48. 48 hidden volume name user-mode: XOR initial key user-mode: socket

    status tags user-mode: UDP bot commands user-mode: imported functions

49. 49 kernel-mode: imported functions in driver

50. ◆ 4 specimens used ◆ 2 samples of latest user-mode

    version ◆ old user-mode version (services.exe patched) ◆ kernel-mode version latest/old user-mode kernel-mode 50

51. 51

52. ◆ ZeuS > SpyEye > ZeroAccess > PoisonIvy ◆ The

    more functions malware has, the more indicators can be defined ◆ Detection of an entire image injection is a significant indicator (ZeuS/SpyEye) ◆ Calling APIs based on hash values reduces indicators (SpyEye/PoisonIvy) ◆ Variants identification ◆ Small change can be identified (ZeuS/SpyEye) ◆ Drastic change needs to be defined separately (ZeroAccess) 52

53. ◆ Not useful for detecting droppers/downloaders (e.g., Pony) ◆ OpenIOC

    tools are great, but.. ◆ cannot define binary patterns like YARA ◆ e.g., PIC in PoisonIvy ◆ cannot define “AND” combination of each item ◆ .e.g., ProcessItem and DriverItem in ZeroAccess ◆ cannot define regular expression ◆ cannot automate examinations [8] ◆ closed-source  53

54. 54

55. ◆ Volatile IOCs are effective for fast malware triage ◆

    Function-related indicators in memory can identify most variants ◆ Volatile IOC definitions require knowledge about malware ◆ But everyone can use defined IOCs thanks to OpenIOC ◆ There are some limitations in OpenIOC tools ◆ I expect Mandiant to improve them or disclose the sources ◆ Mandiant will be releasing a set of open source tools? [9] ◆ Future work ◆ Automation for scheduled tasks ◆ Open-source (Volatility + YARA + pyioc [10] + ?) ◆ Other specifications (CybOX [11] or IODEF [12] ) 55

56. [1] The OpenIOC Framework (http://www.openioc.org/) [2] IOC Editor (http://www.mandiant.com/resources/download/ioc-editor/) [3]

    Redline (http://www.mandiant.com/resources/download/redline) [4] Internet Infrastructure Review (IIR) Vol.16, 1.4.3 ZeuS and its Variants (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol16_infra_EN. pdf) [5] Polite Variant of ZeuS (http://www.f-secure.com/weblog/archives/00002292.html) [6] Internet Infrastructure Review (IIR) Vol.13, 1.4.2 SpyEye (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol13_infra_EN. pdf) [7] Reverse Engineering Poison Ivy's Injected Code Fragments (http://volatility-labs.blogspot.jp/2012/10/reverse-engineering-poison- ivys.html) [8] Can Redline be automated? Can the tool be scripted? (https://forums.mandiant.com/topic/can-redline-be-automated-can-the- tool-be-scripted) [9] IOCWRITER_11 (https://www.blackhat.com/us-13/arsenal.html#Gibb) [10] pyioc (https://github.com/jeffbryner/pyioc) [11] Cyber Observable eXpression (http://cybox.mitre.org/) [12] The Incident Object Description Exchange Format (http://www.ietf.org/rfc/rfc5070.txt) 56