Search This Blog

Monday, September 22, 2014

Sunday, September 21, 2014

Challenging ALL InfoSec people, malware discovery is not as hard as you think

After being on the Security Weekly podcast and to address a response to an email on my previous blog I decided to post this challenge to all IT and InfoSec people to get them more familiar with how easy, or hard Malware Discovery can be.


To be any good at Malware Discovery or monitoring you MUST practice the Malware Management Framework which you can find here.

I used the Home Depot / Target BlackPoS malware and their variants as an example and after some comments on my blog entry I decided to challenge the readers (YOU) to actually DO the following so you can see and experience how Malware Management works and how a little understanding of Windows goes a long way for Malware Discovery.  I don't know, or it's "too hard" is not good enough, so step up and take the challenge!

I stated to look for NEW directories and files in key directories. In the case of BlackPoS and the variants the malwarians picked on %AppData% which is \Users\<username>\AppData\Roaming along with other directories.  CryptoLocker dropped its payload in the root of %AppData%, talk about lazy and the easiest to find.

In the PoS malware they dropped files and created a NEW directory attempting to hide as Java, or Adobe Flash Player. If you practiced Malware Management and understand where Windows installs user components of applications like Java and Flash, you would know that Adobe installs their products to %AppData%\Adobe and a sub-directory of \Flash Player. For Java, user components are installed in AppData\LocalLow\Oracle or AppData\LocalLow\Sun, NOT the \Roaming directory.

The fact files were dropped in the root and two sub-directories with executables in them created in %AppData%\AdobeFlashPlayer or %AppData%\OracleJava should be a Red Flag in the worst way. Also, any NEW executable files in the core Windows directories of \Windows, Windows\System32, or \Windows\System32\WBEM directories should also send IT and InfoSec peeps into research Incident Response mode. Not to mention a NEW service being installed from \Users anything is also a monumental red flag that should be investigated.

So how hard is it to monitor for malware in these directories? Again, understand we are focusing on NEW files, not changed/modified files. Patching a system modifies files, generally speaking. Installing an application, adding a role to a server or dropping malware will result in NEW files which is low noise. Change Management or Microsoft Patch Tuesday should alert you to the change coming or your own personal system will be patched, updated or a new application added that you can use for reference to compare to an alert.

If you are using products that can monitor these directories, and remember I am suggesting this is a starting point to monitor these directories based on the complete failure of retailer security teams to practice Malware Management. If you do practice Malware Management, which takes roughly 1 hour per week, reviews of malware reports will show you other directory, keys and services to monitor for executables and scripts. Executables are files starting with 'MZ' and of course look for scripts too, .CMD, .BAT, PS1, etc. You can always expand what you are looking for, but start with executable type files.

If you use products like Carbon Black, Tanium, BigFix, TripWire, etc. you will have to spend some effort setting up what to monitor. In Carbon Black's case you see everything by default (way to noisy to catch anything) and you will need to create LOTS of Watch Lists that would have 'AppData' in the path with file types you want to watch. Watch Lists have to be whittled down to exclude known executables or paths (dangerous to do it soley by path). This will take some effort as there are 25 dirs in AppData, 14 dirs in Roaming and 5 in LocalLow on one of my systems and will vary by the function of the system and what users are allowed to install.  If you are a wide open administrator allowed environment, or allow a lot of open source applications, this will be tougher for user based systems. Servers and PoS systems will, or better be very static and much easier to setup and monitor, but still will take some effort.  Plan some significant effort to tweak tools like Carbon Black to provide you actionable results that you can alert on.  Tweak results to exclude known good and eventually you will get there. It is difficult to filter out the good from Carbon Black and users will find it a challenge to initially setup.  Like any defensive monitoring tool, test, test and test again by placing files that fail your monitoring to trigger the alert. Carbon Black is also not real time, as in TripWire, it will take 10-15 mins for results to show up in the console.  Don't forget you are looking for signed and unsigned files, don't just look for unsigned. The malwarians know how to sign malware!

Now for the HackerHurricane Challenge! Focusing on your personal or work system!

First, clean up or delete any installer .EXE's from your desktop or downloads directory for your user. You may have an admin account that setup your system so clean up any installers they created as well. No sense seeing those in the results unless you want to.

Second, open a command window and navigate to \Users. Type the following command:

  • Dir /a /s *.exe *.dll > All_Executables.txt
You can do this to just your user or all users, it's up to you.

Third, run the same command changing the output filename, every day, couple days, once a week or once a month and compare the first scan to the current scan using some comparing tool like Notepad++.

What do you see?

Forth, start practicing Malware Management and look in locations the analysis, reports or descriptions state malware is found. I am convinced you will find the amount of NEW files that you don't know about is surprising small, if any. Imagine now a server or PoS that does not have a user doing any installs or updates. Keep the in mind the Target and Home Depot PoS systems had not been patching their XP based PoS'.

You can also use Sha1Deep, Sha256Deep or any other utility you want that has a built in compare option to speed up the comparisons.

  • Sha1Deep64 -r -z -o e * > Master_List.txt
  • To monitor for changes:
  • Sha1Deep64 -r -z -o e -x Master_List.txt >Changes.txt
After you do this challenge over a month or longer, I think you will find that Target and Home Depot completely failed to detect easily detectable malware. You can schedule this to run hourly, daily, monthly, use one of many tools or a fancy solution like Carbon Black, TripWire, Tanium or BigFix to name a few to automate this type of monitoring.

You all have been challenged, send me your comments.

* Get the Malware Management Framework HERE

#InfoSec #HackerHurricane

Wednesday, September 10, 2014

Malware Management Framework - Home Depot would have caught their breach.. easy

Here we go again with the 'Breach of the Week'... This time it is potentially larger than Target, which is the largest known retail breach to date with over 110 million affected accounts. It just happened a year ago ;-/.

So what does the Information Technology and Information Security community do about all these breaches?

We are at a crossroads in Information Security as an industry. Products are not helping you and clearly not a magic bullet and compliance efforts like PCI obviously are not saving you either.

What we have here is a people problem. The problem is simply the people and the lack of understanding how to do Information Security engineering. Some are better than others, but clearly management does not make security engineering a priority. It's a lack of leadership, vision and the obvious problem facing our industry with all the breaches in the past 12 months. Use the information already available and look for it in your environment. Why is this so hard?
Say hello to "The Malware Management Framework". It should be every CIO, ISO, CSO, CISO and InfoSec managers new mission statement.

Case in point. The Target breach was analyzed and a report published by iSight Partners with all the details needed to detect BlackPoS/Kaptoxa for any retail business, it was released... Jan 14, 2014. That was EIGHT months ago! So any retail business with IT and InfoSec people and good leadership surely would take this information and make it a priority to check their PoS systems for any sign of PoS P0wnage. Sadly, not.

Enter Home Depot, now a confirmed breach, the size and impact yet to be understood and by the very same malware that hit Target last year. Everything Home Depot needed was at their fingertips, published, available to their leadership to step up and avoid the cluster F$@! that hit Target... As BSides Austin shirts stated on the back, "Don't be a Target"!

So where did Home Depot, the 2nd largest retailer in the US go wrong? Where did every retailer with PoS systems large enough to have an IT and InfoSec staff go wrong? Where do most companies go wrong?

They were not practicing Malware Management. We are all familiar with Vulnerability Management, it's in compliance requirements, but Malware Management? Yes, it's basically the same thing, look at alerts, descriptions, reports and analysis from the vendors, researchers Blogs and Conferences on malware instead of vulnerabilities. The information you can glean is golden and will save your ASSets.

Below I have included many well known APT, PoS and even a NIX and Mac malware analysis that EVERY single InfoSec and IT team should use to start their very own Malware Management Program. Using the "Malware Management Framework" will help you to discover malware, or validate you're malware free. If you do find something new and unknown, like we did with the WinNTI malware in June 2012, 10 months prior to the Kaspersky report was published, you should publish, release or Blog your details about your malware artifacts that will benefit everyone.

Case Study:

The malware associated with a breach where I previously worked is proof Malware Management works. We used data from published malware reports and analysis to tweak our tools. Initially using a script tweaked to look for the malware artifacts in locations APT was know to reside, we found the malware artifacts. This allowed us to catch the intruder in the act and block them from getting any information. Looking at the logs for the affected systems we were able to see some items were not enabled or properly configured and then able to tweak our logging to better detect Malwarian behavior. This led us to produce the "Windows Logging Cheat Sheet" (link below), a direct result of our Malware Management efforts. We have made this information available to everyone for FREE so people may improve their People and Process components of their Information Security programs. It works, you just need management to allocate a few resources to actually 'Fix It' as a Wendy Nather's indicated we need more of in her recent Blog (Idoneous Security) and she is dead right.

The "Malware Reporting Standard" that we propose everyone adopt will become obvious as you read through the various vendor malware analysis reports. What lacks in these reports is a consistent way to report malware artifacts, also called Indicators of Compromise (IOC). If creators of malware analysis reports used the Malware Reporting Standard, we would have more consistent reports and easier time consuming and using the valuable artifacts. The best examples of this format is SecurelList Virus Description details and oddly, US-CERT BackOff malware alert:

If The Home Depot leadership had any clue how to do effective Information Security, they would have avoided this breach. Clearly Home Depot is lacking at security engineering and not using the information from the recent breaches to ask themselves "Are we a Target?, should we prepare ourselves for a similar incident?". They could have avoided what could be over (just guessing) 200 million lost accounts, only time will tell. But, we do know this is going to cost them a small fortune, MUCH more than improving their security engineering would have cost. Target has spent $146 million USD to date on their breach!

With the Malware Management Framework we found a previously unknown APT 10 months prior to being published by Kaspersky and Home Depot could have 100% avoided their breach using this same methodology. Only 6 log events were needed to catch the Target and Home Depot breaches from a Windows log events! If only they were any good at security engineering and practicing Malware Management could this have been avoided.

This is a teaching moment for Information Security professionals worldwide, not just those that are currently under attack with Point of Sale systems and credit Cards, but for whatever is next, whatever is already there in YOUR environment!

Start practicing Malware Management before it is too late and you are the next Target or Home Depot.

#InfoSec #HackerHurricane #MalwareManagement #Breach


Below are some items to help you start using the Malware Management Framework.

Thursday, September 4, 2014

InfoSec Industry partly responsible for huge breaches, InfoSec Cons another part, you and management the last part

You know what is worse than all these HUGE Credit Card breaches? The fact that it is ridiculously easy to detect! All BackOff malware uses the %AppData% variable directory. Translated - C:\Users\\AppData\Roaming. #InfoSecFailure

If you are not watching for NEW directories being created and/or executables being dropped here (like CryptoLocker did), then your doing SecOps all wrong. This is one of the Top 5 locations you should monitor for malware. Enabling auditing on this directory alone would have caught these HUGE breaches.

These failures in SecOps are partly our own InfoSec industries fault. InfoSec Cons do not prioritize talks for defense which 90% of us attending do, nor demand defensive content, nor set aside 10-25% for defensive talks to teach our industry stuff like I stated above. #InfoSecConFailure

Please ask and demand that your InfoSec Cons set aside more time to REAL Defense in their talk selection and promote the Con is and wants defensive talks to help our own industry catch up. Because we are WAY behind and falling further back each breach that happens.

The image below is how I felt at Vegas Con week... All focused at breaking the gate, not defending the obvious gaps.

Dan Geer at the BlackHat Keynote was dead on when he said if InfoSec were a soccer game it would be 464 to 452, all offense, no defense.

Help our industry by not attending exploitation, hackery and offensive talks if your job is to defend your company. We need to evolve quickly before it is too late for us and our companies.

And yes, I have submitted 2 talks to multiple Cons on the subject of logs and malware and turned down. There were 3 Logging vendors at BlackHat, ZERO talks on logging for APT/PoS type attacks... Sad... VERY sad.

Under the current black cloud we are all under, you would think Cons would be begging for defensive content.

Ohh... And the other 4 of the Top 5 locations to monitor...

2. C:\ProgramData
3. C:\Windows - Explorer injection
4. C:\Windows\System32 - NEW dropped files
5. C:\Windows\System32\WBEM - #1 on my list

If you practiced The Malware Management Framework then this information would be obvious. Read the Kaspersky report on BackOff that proves my point.

And yes, I monitor all the above and MUCH MUCH more and share in the presentations I give.

Kaspersky/Securelist Article on BackOff malware

#InfoSec #HackerHurricane #EducationOpportunity