Practicing Malware Management shows us there is so much to learn or validate that your defenses can indeed detect this type of attack. The Process also provides you with details to improve your defenses by adding or adjusting some checks.
PoSeidon uses typical malware vectors and seems to have nothing sophisticated, nor any improvements to hide or conceal the infection. If you have been practicing Malware Management or reading my other blog entries on the subject of malware, it will become apparent how typical and easy this malware variant is to detect. Let's take a look.
First off this is Windows malware so Eventcodes are key.
1. The loader is an odd .EXE that can be detected with EventCode 4688
2. The malware uses the Run Key for persistence to survive a reboot. Detectable by EventCode 4663 if you audit the Run Keys, which you should, it's Active Defense 101
3. The loader downloads and installs a file called FindStr.exe. We all know what the CMD FindStr does, so seeing this execute in a way that is not looking for a string in a file would be easy if you enabled command line logging (See below for the setting). Detectable by EventCode 4688.
4. If you look at the strings of the malware (after you found it), the project file name is a dead give away, "keylogger.pdb", hello McFly, really? They are not even trying to hide it. Detectable after you find the suspect file and use (strings -n 5 malware.exe | find /I ".pdb"). Not to mention the loader file also used "loader.pdb" as the project title, and even FindStr.pdb was found. Thank you malwarians for making it easy to see the project titles and that it's obviously malware.
5. Two file names were used, WinHost.exe and WinHost32.exe and saved in... You guessed it \Windows\Systems32. Detectable with EventCode 4663 if you enabled auditing for System32 for NEW files. Read the "Windows Logging Cheat Sheet" for more on this. Also detectable with EventCode 4688 as it will be an executable you have not seen before, thus suspicious.
6. There is mention the loader tries to install a service. Detectable by EventCode 7045, NEW Service installed, this too is Active Defense 101. Know your services!
7. Command lines, you gotta love them! To delete the loader the command "cmd.exe /c del
8. Of course there is the network traffic too, but that is another area of expertise and between "IPConfig /DisplayDNS" and "NetStat -abno" you can see what IP's and Domains are being used by the funky executables, IF you know what your systems normally run.
This malware is almost laughable in the effort to hide what they are doing. Clear readable .pdb project names clearly indicating the files are malware shows strings are a powerful step in malware analysis.I promote the SEXY Six Windows Event Codes and this malware is easily detectable using the SEXY Six.
Get my presentations HERE to learn more on Malware Discovery and Logging
Remember, the goal is to take this information, tweak your tools to look for and detect the behaviors discussed and to improve your Incident Response and Information Security Programs to detect and respond to these persistent attacks.
Cisco details on PoSeidon malware
#InfoSec #HackerHurricane #Malware #CommandLine_Logging
