Articles & Presentations

Sunday, September 21, 2014

Challenging ALL InfoSec people, malware discovery is not as hard as you think


After being on the Security Weekly podcast and to address a response to an email on my previous blog I decided to post this challenge to all IT and InfoSec people to get them more familiar with how easy, or hard Malware Discovery can be.

I CHALLENGE YOU TO PROVE WHAT I PREACH TO YOURSELF!

To be any good at Malware Discovery or monitoring you MUST practice the Malware Management Framework which you can find here.

I used the Home Depot / Target BlackPoS malware and their variants as an example and after some comments on my blog entry I decided to challenge the readers (YOU) to actually DO the following so you can see and experience how Malware Management works and how a little understanding of Windows goes a long way for Malware Discovery.  I don't know, or it's "too hard" is not good enough, so step up and take the challenge!

I stated to look for NEW directories and files in key directories. In the case of BlackPoS and the variants the malwarians picked on %AppData% which is \Users\<username>\AppData\Roaming along with other directories.  CryptoLocker dropped its payload in the root of %AppData%, talk about lazy and the easiest to find.

In the PoS malware they dropped files and created a NEW directory attempting to hide as Java, or Adobe Flash Player. If you practiced Malware Management and understand where Windows installs user components of applications like Java and Flash, you would know that Adobe installs their products to %AppData%\Adobe and a sub-directory of \Flash Player. For Java, user components are installed in AppData\LocalLow\Oracle or AppData\LocalLow\Sun, NOT the \Roaming directory.

The fact files were dropped in the root and two sub-directories with executables in them created in %AppData%\AdobeFlashPlayer or %AppData%\OracleJava should be a Red Flag in the worst way. Also, any NEW executable files in the core Windows directories of \Windows, Windows\System32, or \Windows\System32\WBEM directories should also send IT and InfoSec peeps into research Incident Response mode. Not to mention a NEW service being installed from \Users anything is also a monumental red flag that should be investigated.

So how hard is it to monitor for malware in these directories? Again, understand we are focusing on NEW files, not changed/modified files. Patching a system modifies files, generally speaking. Installing an application, adding a role to a server or dropping malware will result in NEW files which is low noise. Change Management or Microsoft Patch Tuesday should alert you to the change coming or your own personal system will be patched, updated or a new application added that you can use for reference to compare to an alert.

If you are using products that can monitor these directories, and remember I am suggesting this is a starting point to monitor these directories based on the complete failure of retailer security teams to practice Malware Management. If you do practice Malware Management, which takes roughly 1 hour per week, reviews of malware reports will show you other directory, keys and services to monitor for executables and scripts. Executables are files starting with 'MZ' and of course look for scripts too, .CMD, .BAT, PS1, etc. You can always expand what you are looking for, but start with executable type files.

If you use products like Carbon Black, Tanium, BigFix, TripWire, etc. you will have to spend some effort setting up what to monitor. In Carbon Black's case you see everything by default (way to noisy to catch anything) and you will need to create LOTS of Watch Lists that would have 'AppData' in the path with file types you want to watch. Watch Lists have to be whittled down to exclude known executables or paths (dangerous to do it soley by path). This will take some effort as there are 25 dirs in AppData, 14 dirs in Roaming and 5 in LocalLow on one of my systems and will vary by the function of the system and what users are allowed to install.  If you are a wide open administrator allowed environment, or allow a lot of open source applications, this will be tougher for user based systems. Servers and PoS systems will, or better be very static and much easier to setup and monitor, but still will take some effort.  Plan some significant effort to tweak tools like Carbon Black to provide you actionable results that you can alert on.  Tweak results to exclude known good and eventually you will get there. It is difficult to filter out the good from Carbon Black and users will find it a challenge to initially setup.  Like any defensive monitoring tool, test, test and test again by placing files that fail your monitoring to trigger the alert. Carbon Black is also not real time, as in TripWire, it will take 10-15 mins for results to show up in the console.  Don't forget you are looking for signed and unsigned files, don't just look for unsigned. The malwarians know how to sign malware!

Now for the HackerHurricane Challenge! Focusing on your personal or work system!

First, clean up or delete any installer .EXE's from your desktop or downloads directory for your user. You may have an admin account that setup your system so clean up any installers they created as well. No sense seeing those in the results unless you want to.

Second, open a command window and navigate to \Users. Type the following command:


  • Dir /a /s *.exe *.dll > All_Executables.txt
You can do this to just your user or all users, it's up to you.

Third, run the same command changing the output filename, every day, couple days, once a week or once a month and compare the first scan to the current scan using some comparing tool like Notepad++.

What do you see?

Forth, start practicing Malware Management and look in locations the analysis, reports or descriptions state malware is found. I am convinced you will find the amount of NEW files that you don't know about is surprising small, if any. Imagine now a server or PoS that does not have a user doing any installs or updates. Keep the in mind the Target and Home Depot PoS systems had not been patching their XP based PoS'.

You can also use Sha1Deep, Sha256Deep or any other utility you want that has a built in compare option to speed up the comparisons.

  • Sha1Deep64 -r -z -o e * > Master_List.txt
  • To monitor for changes:
  • Sha1Deep64 -r -z -o e -x Master_List.txt >Changes.txt
After you do this challenge over a month or longer, I think you will find that Target and Home Depot completely failed to detect easily detectable malware. You can schedule this to run hourly, daily, monthly, use one of many tools or a fancy solution like Carbon Black, TripWire, Tanium or BigFix to name a few to automate this type of monitoring.

You all have been challenged, send me your comments.

* Get the Malware Management Framework HERE

#InfoSec #HackerHurricane