Wednesday, March 25, 2015

PoSeidon malware is incredibly easy to detect

Here we go again. A new PoS Malware variant dubbed PoSeidon has been analyzed by Cisco and the details made public. When I read this I said out loud, "This is stupid easy malware to detect".

Practicing Malware Management shows us there is so much to learn from, or to validate, so that your defenses can indeed detect this type of attack. The process also gives you the details you need to improve your defenses by adding or adjusting some checks.

PoSeidon uses typical malware vectors and seems to have nothing sophisticated, nor any improvements to hide or conceal the infection. If you have been practicing Malware Management or reading my other blog entries on the subject of malware, it will become apparent how typical and easy this malware variant is to detect. Let's take a look.

First off, this is Windows malware, so Event Codes are key.

1. The loader is an odd .EXE that can be detected with EventCode 4688.
2. The malware uses the Run Key for persistence to survive a reboot. Detectable by EventCode 4663 if you audit the Run Keys, which you should; it's Active Defense 101.
3. The loader downloads and installs a file called FindStr.exe. We all know what the CMD FindStr does, so seeing this execute in a way that is not looking for a string in a file would be easy to spot if you enabled command line logging (see below for the setting). Detectable by EventCode 4688.
4. If you look at the strings of the malware (after you found it), the project file name is a dead giveaway, "keylogger.pdb". Hello McFly, really? They are not even trying to hide it. Detectable after you find the suspect file and use (strings -n 5 malware.exe | find /I ".pdb"). Not to mention the loader file also used "loader.pdb" as the project title, and even FindStr.pdb was found. Thank you malwarians for making it easy to see the project titles and that it's obviously malware.
5. Two file names were used, WinHost.exe and WinHost32.exe, and saved in... you guessed it, \Windows\System32. Detectable with EventCode 4663 if you enabled auditing for System32 for NEW files. Read the "Windows Logging Cheat Sheet" for more on this. Also detectable with EventCode 4688, as it will be an executable you have not seen before, thus suspicious.
6. There is mention the loader tries to install a service. Detectable by EventCode 7045, NEW Service installed; this too is Active Defense 101. Know your services!
7. Command lines, you gotta love them! To delete the loader the command "cmd.exe /c del >> NUL" was executed. If you are not watching what command line parameters are being called with ALL CMD.exe executions, you are missing the Goose that laid the Golden Egg! Detectable with the command line logging Reg Mod and Event Code 4688, focused on executions of CMD.exe.
8. Of course there is the network traffic too, but that is another area of expertise. Between "IPConfig /DisplayDNS" and "NetStat -abno" you can see what IPs and Domains are being used by the funky executables, IF you know what your systems normally run.

This malware is almost laughable in the effort to hide what they are doing. Clear, readable .pdb project names clearly indicating the files are malware show that strings are a powerful step in malware analysis.
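The checks above, written out as detection rules and run over a handful of constructed sample event records. This is an added example, not code from the post or from Cisco's write-up; the baseline sets are placeholder assumptions, and the sample records only carry the 4688/4663/7045 fields the rules need.

```python
import re

# Assumed baselines (placeholders): executables you expect under System32 and
# the services you already know. Build the real ones from your own images.
BASELINE_SYSTEM32 = {"cmd.exe", "conhost.exe", "findstr.exe", "notepad.exe", "svchost.exe"}
BASELINE_SERVICES = {"Dnscache", "wuauserv"}
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def check_event(ev):
    """Return the reasons an event trips one of the post's checks ([] = benign)."""
    hits = []
    if ev["EventID"] == 4688:
        path = ev["NewProcessName"]
        name = path.rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")  # empty unless command line logging is on
        # Items 1 and 5: an executable under System32 that is not in the baseline
        if path.lower().startswith("c:\\windows\\system32\\") and name not in BASELINE_SYSTEM32:
            hits.append("unknown executable in System32: " + name)
        # Item 3: findstr.exe run without a search pattern or a file to search
        if name == "findstr.exe" and len(cmd.split()) < 2:
            hits.append("findstr.exe without search arguments")
        # Item 7: cmd.exe used to delete a file (the loader removing itself)
        if name == "cmd.exe" and re.search(r"/c\s+del\b", cmd, re.I):
            hits.append("cmd.exe delete: " + cmd)
    elif ev["EventID"] == 4663:
        # Item 2: a value written under the Run key (only fires with a SACL on the key)
        if ev["ObjectName"].lower().startswith(RUN_KEY.lower()) and "set key value" in ev["Accesses"].lower():
            hits.append("Run key modified: " + ev["ObjectName"])
    elif ev["EventID"] == 7045:
        # Item 6: a service name you have never seen before
        if ev["ServiceName"] not in BASELINE_SERVICES:
            hits.append("new service installed: " + ev["ServiceName"])
    return hits

def scan(events):
    """Return (event, reasons) for every event that matched at least one check."""
    return [(ev, reasons) for ev in events if (reasons := check_event(ev))]

# Constructed sample records mirroring the behaviours in the post (not real logs)
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WinHost32.exe", "CommandLine": "WinHost32.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c del >> NUL"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\x\AppData\Local\Temp\FindStr.exe", "CommandLine": "FindStr.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\findstr.exe", "CommandLine": "findstr /I .pdb out.txt"},
    {"EventID": 4663, "ObjectName": RUN_KEY, "Accesses": "Set key value"},
    {"EventID": 7045, "ServiceName": "WinHost"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Five of the seven constructed records trip a rule; the legitimate findstr search and notepad.exe pass clean, which is the whole point of keeping a baseline.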

I promote the SEXY Six Windows Event Codes and this malware is easily detectable using the SEXY Six.
Read more about how to log Windows with my recent BSides presentations.

Get my presentations HERE to learn more on Malware Discovery and Logging

Remember, the goal is to take this information, tweak your tools to look for and detect the behaviors discussed and to improve your Incident Response and Information Security Programs to detect and respond to these persistent attacks.


And... enable Command Line logging on ALL Windows systems! And audit this key and alert to ANY and ALL changes. Win 7 and Server 2008 R2 and later with patch KB3004375 installed (Feb 2015); Win 8.1 and Server 2012 already have it by design.

reg add "hklm\software\microsoft\windows\currentversion\policies\system\audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1

Happy Hunting !

Cisco details on PoSeidon malware

#InfoSec #HackerHurricane #Malware #CommandLine_Logging