
Wednesday, October 29, 2014

(I) Another fine example of Malware Management working - Listen up Banking folks it's Dyre!

Thanks again to US-Cert for producing a perfect example of The Malware Reporting Standard output!

Another teaching moment to demonstrate how financial organizations can use Malware Management to check their systems for possible exposure to a phishing campaign that targets banking folks with the Dyre malware.

US-Cert points out exactly what we defenders, incident responders, and yes, the IT public need to know about the Dyre malware. Read this notice! What do you see as the takeaways?

1. Affects Windows-based systems.

2. Dyre uses the Windows directory for the file drop, not the AppData user structure, which is worse if it gains a foothold. Dropping an executable in \Windows is odd... and with a random name too. How many programs do you know that use a random funky name.exe like this?

Ninja Tip - There are only a few executables normally found in \Windows... Explorer, HelpPane, HH, notepad, regedit, splwow64, sttray64, twunk_16, twunk_32, winhlp32, write.exe and maybe some AV client files. There are only two twain DLLs as well, and maybe some support files for your AV or other agents. Any additional .EXE or .DLL found here has a high probability of being malware!

Enable File Auditing on this directory for 'Create files' and 'Create folders' and you can look for EventID 4663 to detect a NEW file drop!
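To put the Ninja Tip and the 4663 advice into practice, here is an added PowerShell example (my code, not from the post or from US-Cert). The allowlist is built from the executables the post says normally live in \Windows and is a constructed list, so tune it to your own build; the 24-hour window, the function names and the `Everyone` audit principal are assumptions. Run it elevated on the host you are checking.

```powershell
# Added example, not code from the post. Run in an elevated PowerShell.
# Expects "Audit File System" to be enabled and a SACL on \Windows (see Enable-WindowsDirCreateAudit).

function Get-UnexpectedWindowsBinaries {
    # .exe/.dll files sitting directly in \Windows (not in subfolders) that are not on the allowlist.
    # Constructed allowlist based on the post's Ninja Tip; adjust for your image.
    $Expected = @('explorer.exe','helppane.exe','hh.exe','notepad.exe','regedit.exe',
                  'splwow64.exe','sttray64.exe','twunk_16.exe','twunk_32.exe',
                  'winhlp32.exe','write.exe','twain.dll','twain_32.dll')
    Get-ChildItem -Path $env:WINDIR -File |
        Where-Object { $_.Extension -in '.exe','.dll' -and $_.Name.ToLower() -notin $Expected } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Created   = $_.CreationTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

function Enable-WindowsDirCreateAudit {
    # SACL for "Create files" (CreateFiles) and "Create folders" (CreateDirectories) on \Windows,
    # success only, plus the File System audit subcategory, so a new drop raises EventID 4663.
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    $acl  = Get-Acl -Path $env:WINDIR -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                -ArgumentList @('Everyone', 'CreateFiles,CreateDirectories', 'None', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $env:WINDIR -AclObject $acl
}

function Get-WindowsDirFileDrops {
    param([int]$Hours = 24)
    # 4663 events whose object is a direct child of \Windows and whose access mask
    # includes WriteData/AddFile (0x2) or AppendData/AddSubdirectory (0x4).
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $direct = ($d.ObjectName -like "$env:WINDIR\*") -and ($d.ObjectName -notlike "$env:WINDIR\*\*")
        if ($direct -and (([int]$d.AccessMask) -band 0x6)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Object  = $d.ObjectName
                Process = $d.ProcessName
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    }
}

Get-UnexpectedWindowsBinaries | Format-Table -AutoSize
Get-WindowsDirFileDrops -Hours 24 | Format-Table -AutoSize
```

The first function is the on-demand check (what is sitting in \Windows right now, and is it signed); the third is the continuous one, reading back the 4663 trail that the SACL produces. If `Set-Acl` balks on the TrustedInstaller-owned folder, the same two audit entries can be added in Explorer under Properties > Security > Advanced > Auditing; the 4663 query works the same either way.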


3. Dyre installs a service called "Google Update Service". Clever little malwarians... Google's real update services are actually named "gupdate" and "gupdatem", with the generic description 'Google Update Service'. Sneaky, but easy to spot.

4. Remember your 'Windows Logging Cheat Sheet' and look for EventID 7045 for a New Service Installed, and you'll catch service-based malware like Dyre!

5. The keys are in the Services key in the registry. You can look for them manually; enabling auditing under this key requires setting it for all subkeys and then filtering the noisy keys out of your logs to be effective. Not hard, but it takes a little time.
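Items 3 to 5 together make a second check worth scripting, so here is an added PowerShell example (my code, not from the post). It pulls recent 7045 "new service installed" events and then walks the installed services looking for the two tells the post describes: a display name borrowed from Google Update without the real gupdate/gupdatem service names, and a service binary sitting directly in \Windows or under a user profile. The 7-day window, the function names and the path heuristics are assumptions; the service names and display name are from the post.

```powershell
# Added example, not code from the post. Run elevated.

function Get-NewServiceInstalls {
    param([int]$Days = 7)
    # EventID 7045 from the Service Control Manager: "A service was installed in the system."
    # Property order in this event: ServiceName, ImagePath, ServiceType, StartType, AccountName.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                 Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Name      = $p[0].Value
            ImagePath = $p[1].Value
            StartType = $p[3].Value
            Account   = $p[4].Value
        }
    }
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Reduce a service command line to its executable: the quoted path if present,
    # otherwise everything up to the first .exe/.sys token.
    if ($PathName -match '^"([^"]+)"')              { return $matches[1] }
    if ($PathName -match '^(.+?\.(exe|sys))(\s|$)') { return $matches[1] }
    return $PathName
}

function Find-SuspectServices {
    # The Services key as seen through Win32_Service. Flags:
    #  - a display name borrowed from Google Update without its real service names (gupdate / gupdatem)
    #  - a binary sitting directly in \Windows (the post's Ninja Tip) or under a user profile
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath -PathName $_.PathName
        $why = @()
        if ($_.DisplayName -like 'Google Update*' -and $_.Name -notin @('gupdate','gupdatem')) {
            $why += 'mimics Google Update display name'
        }
        if (($bin -like "$env:WINDIR\*") -and ($bin -notlike "$env:WINDIR\*\*")) {
            $why += 'binary directly in \Windows'
        }
        if ($bin -like "$env:SystemDrive\Users\*") {
            $why += 'binary under a user profile'
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Binary      = $bin
                StartMode   = $_.StartMode
                Reasons     = ($why -join '; ')
            }
        }
    }
}

Get-NewServiceInstalls -Days 7 | Format-Table -AutoSize
Find-SuspectServices           | Format-Table -AutoSize
```

7045 is the cheap, always-on signal (no SACL needed, it is logged by default), which is why the post points to the cheat sheet for it; the service walk is the manual review of the Services key the post describes for item 5, done once per host instead of auditing every noisy subkey.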

There you have it, another educational moment on how to detect malware.

#InfoSec #HackerHurricane

Wednesday, October 8, 2014

(I) Further proof the Malware Management Framework WORKS! The Tyupkin ATM Malware

Practicing Malware Management as part of any 'good' Information Security program, you would have caught the Tyupkin malware if you managed ATMs!

The locations this malware uses are known places to monitor in a Malware Management program. The following is straight from the Securelist report:

1. Drops payload in \Windows\System32 (Auditing enabled, Event Code 4663)
2. Shortcut added to %AllUsersProfile%\Start Menu\Programs\Startup (ProgramData) (Auditing enabled, EventID 4663)
3. Uses the Run Key to persist (Auditing enabled, EventID 4657)
4. For net flow folks, connections on Sunday and Monday night

You can use CMD scripts, PowerShell, Python or fancy InfoSec tools to look at these locations manually; this malware is nothing new and far from hard to detect. Enable some Windows Auditing on key locations and your Security Tools and Event Logs will capture the data and alert you!
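The System32 drop in item 1 is the same 4663 file audit described in the Dyre post above, so this added PowerShell example (my code, not from the post or the Securelist report) covers items 2 and 3: an inventory of Run/RunOnce entries and Startup-folder shortcuts, followed by the EventID 4657 registry-audit trail for the Run keys. The registry paths and the Startup folders are the standard Windows locations; the 7-day window, the function names and the decision to look only at HKLM and the current user's HKCU are assumptions.

```powershell
# Added example, not code from the post. Run elevated so the Security log is readable.

function Get-RunKeyEntries {
    # Every value under the machine and current-user Run/RunOnce keys (WOW6432Node included).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # skip the registry provider's own members
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupShortcuts {
    # .lnk files in the all-users (%AllUsersProfile%, i.e. ProgramData) and current-user
    # Startup folders, resolved to what they actually launch.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Shortcut = $_.FullName
                Target   = $lnk.TargetPath
                Args     = $lnk.Arguments
                Created  = $_.CreationTime
            }
        }
    }
}

function Get-RunKeyAuditEvents {
    param([int]$Days = 7)
    # EventID 4657 ("A registry value was modified"). Needs the Registry audit subcategory
    # and a SACL on the Run keys; with those in place a new Run value shows up here.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like '*\CurrentVersion\Run*') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Key     = $d.ObjectName
                Value   = $d.ObjectValueName
                NewData = $d.NewValue
                Process = $d.ProcessName
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    }
}

Get-RunKeyEntries     | Format-Table -AutoSize
Get-StartupShortcuts  | Format-Table -AutoSize
Get-RunKeyAuditEvents | Format-Table -AutoSize
```

The first two functions are the manual sweep the paragraph describes; the third is what you get for free once the Run keys carry a SACL, which is the point of enabling auditing on a handful of key locations rather than the whole hive.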

Works for Linux too; just take a look at the Mayhem malware analysis from VirusTotal:

Mayhem – a hidden threat for *nix web servers

Want to know more about Malware Management and actionable Detection techniques? Come see my talks at HouSecCon Thurs Oct 16th and BSidesHouston Sat Oct 18th.

Tyupkin: Manipulating ATM Machines with Malware - Securelist

#InfoSec #HackerHurricane