Friday, September 25, 2015

ANNOUNCING Log-MD, the latest tool to help you fight infection, malware infection

@HackerHurricane and @Boettcherpwned are releasing the Log Malicious Detection tool "Log-MD" for Windows based systems at DerbyCon 2015!

This FREE tool will assist you in Enabling and Configuring your Windows logs based on the recommendations of the "Windows Logging Cheat Sheet" (WLCS).

When first run, Log-MD will fail until all the needed auditing items are enabled and configured. You can either read the console output or the "Audit Settings Report", which gives you a measure of how your system compares to the Center for Internet Security (CIS) Benchmarks or to the recommended configuration of the "Windows Logging Cheat Sheet". This is a great report to add to your security assessments!

Once the system is properly configured, either through Group Policy or the Local Security Policy plus some other system tweaks, Log-MD will produce Report.csv, collecting all the security goodness we Active Defenders, Malware Hunters and InfoSec people want and need! The report is in a simple-to-consume CSV format for additional scripting or for filtering in Microsoft Excel.

It does not stop there! There are three white lists that let you filter out the good, to help you find the bad and the ugly! So as you find obviously good conditions, you can add them to the white lists to filter those items out the next time Log-MD is run. The three white lists are:

1. By Process Command Line and/or Process Name
2. By Source IP and/or Destination IP and/or Destination Port, yup, no source port.
3. File Auditing (4663) and Registry Auditing (4657) locations

There are multiple use cases for Log-MD. Whether or not you have a Log Management solution, aka SIEM, this tool can help you refine what to collect and improve your policies.

1. Audit your system against best practices - Compliance Auditors, IT professionals, consultants, InfoSec and Incident Responders can all use this tool to know how their environment stacks up, log and audit wise, against the CIS Benchmarks or the WLCS recommendations.

2. Use the output to set and refine your File and Registry Auditing to start monitoring key directories (e.g. \appdata) and auto run locations in the registry (e.g. the Run and RunOnce keys). Start using auditing and have a way to refine your settings!

3. Malware Labs - Use Log-MD in your malware labs to find the key artifacts or IOCs needed to find other infected systems, and the cleanup details needed to remediate. Speeds up basic malware analysis significantly!

4. Investigate a suspect system - Do you want to know if a system is clean or infected? Log-MD can help you analyze the data after boot up to see if anything odd has launched or communicated on the system.

5. Incident Response - We don't always have fancy Log Management or Endpoint solutions, so Log-MD can be run on systems to help get them configured to collect the needed data and then provide Incident Responders the much needed information to focus their attention. Great for companies that are budget limited and lack some of the Enterprise Security tools IR firms use.

A major goal of Log-MD is to help move organizations forward by enabling and configuring much needed logging details, even if they are only collected locally, with or without a Log Management solution, and to make the same technique available when doing malware analysis or investigating a suspect system.

Take a look, download the tool and try it out! Send us your comments and suggestions. For security, we have posted the file hash on HackerHurricane so you can validate the download ;-).

You can get Log-MD at:

Happy Hunting!!!

#InfoSec #MalwareArchaeology

Thursday, September 24, 2015

Finding and Alerting on crypto events with your Cloud storage logs

This may be an actual compelling reason to use a business class Cloud Storage solution like those from DropBox, Box and others.

Normally, to detect crypto events you have to enable the File Auditing policy in GPO or the Local Security Policy and set File Auditing on the Server Shares you want to monitor, so the data is captured in your Security Event Log (Event ID 4663). This is an effective way to detect a Crypto event in progress and also to know which directories will need to be restored once the user is contained or disconnected.

Recently a user was hit with one of the many Crypto ransomware variants and needed to be cleaned up. Since business class Cloud Storage was being used, the question was raised: can they roll back to the last known good files, since this occurred 2 weeks earlier? That got me thinking...

If you are one of the companies using Cloud Storage as an alternative to local file server storage, for ease of sharing between partners, or for encrypted storage, you may be in luck if you have a log management solution. You may also be able to use the provider's web portal to search for this condition; let me know, as I have not tried it.

If you upload or sync the cloud storage logs to your log management solution, say Splunk, Loggly or one of the many others, you could have what you need to answer the following questions:

1. When did the event happen?
2. Which user(s) were involved?
3. What directories were involved (probably all)?

The logs will have all this data, and if you write a query that searches for "HELP_DECRYPT" and then, say, does a "stats count by username", you will have what you need to alert on a crypto event using your cloud storage logs!

Since users should not have any "HELP_DECRYPT" files (usually 2 per directory, an HTML file and an image file), monitoring for these is a great artifact to look for.

Just look for these files, use "where count > 5" as the trigger, and send an email to the appropriate people.
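
The search described above, worked through as an added example in Python rather than as a SIEM query (this is not code from the post or from any storage vendor). The log lines are a constructed "timestamp user action path" format, the "HELP_DECRYPT" match and the "count > 5" trigger are the post's own, and the result also answers the three questions above (when, who, which directories):

```python
import re

# Constructed sample of cloud-storage activity log lines (not any vendor's real
# format): "<timestamp> <user> <action> <path>". Six ransom notes are synced by
# one user; another user has a lower-case near-miss that should not count.
SAMPLE_LOG = """\
2015-09-24T08:01:12Z alice@example.com add /Finance/Q3/HELP_DECRYPT.HTML
2015-09-24T08:01:12Z alice@example.com add /Finance/Q3/HELP_DECRYPT.PNG
2015-09-24T08:01:13Z alice@example.com edit /Finance/Q3/budget.xlsx
2015-09-24T08:01:15Z alice@example.com add /Finance/Q3/Reports/HELP_DECRYPT.HTML
2015-09-24T08:01:15Z alice@example.com add /Finance/Q3/Reports/HELP_DECRYPT.PNG
2015-09-24T08:01:20Z alice@example.com add /Finance/Archive/HELP_DECRYPT.HTML
2015-09-24T08:01:20Z alice@example.com add /Finance/Archive/HELP_DECRYPT.PNG
2015-09-24T09:15:00Z bob@example.com add /IT/notes/help_decrypt_research.txt
2015-09-24T09:20:00Z carol@example.com edit /HR/policy.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def parse_lines(text):
    """Turn raw lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(dict(zip(("ts", "user", "action", "path"), m.groups())))
    return events

def ransom_note_events(events, marker="HELP_DECRYPT"):
    """Events whose file name contains the marker. Matching is on the file name
    only and case-sensitive, mirroring the post's literal search string, so
    bob's 'help_decrypt_research.txt' is not counted."""
    return [e for e in events if marker in e["path"].rsplit("/", 1)[-1]]

def crypto_alerts(events, threshold=5):
    """Per-user summary for users whose note count exceeds threshold (the post's
    'where count > 5'): when it started and which directories were hit."""
    summary = {}
    for e in sorted(ransom_note_events(events), key=lambda e: e["ts"]):
        s = summary.setdefault(e["user"], {"count": 0, "first_seen": e["ts"], "directories": set()})
        s["count"] += 1
        s["directories"].add(e["path"].rsplit("/", 1)[0])
    return {u: s for u, s in summary.items() if s["count"] > threshold}

def alerts_for(text, threshold=5):
    return crypto_alerts(parse_lines(text), threshold)

if __name__ == "__main__":
    for user, s in alerts_for(SAMPLE_LOG).items():
        print(f"ALERT {user}: {s['count']} notes since {s['first_seen']} in {sorted(s['directories'])}")
```

Because two notes land in every directory the ransomware touches, a threshold of 5 fires after the third directory; the per-user directory set is what you hand to whoever restores the files.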

Just another artifact that we can use to detect malwarious activities.

Also check out my new "Windows Splunk Logging Cheat Sheet" for some Windows Splunk logging goodness.

Happy Hunting!

#InfoSec #MalwareArchaeology

Sunday, September 20, 2015

POS Malware variant MWZLesson substantiates Malware Management should be practiced by retailers

Security experts at Doctor Web have discovered a new PoS Trojan dubbed MWZLesson that borrows code from other popular malicious software.

The DrWeb article states that "The new PoS Trojan, dubbed Trojan.MWZLesson, was designed reusing the code of other popular malware, including the Dexter PoS and the Neutrino backdoor."

This blog covers interesting malware and logging tips, and now even the malware analysts are seeing what I have been saying for several years: malware repeats patterns, artifacts and methods and, clearly, reuses code.

If retailers, or any organization for that matter, and their IT and InfoSec staff started practicing Malware Management, they would be in a good position to detect variants of similar malware or code reuse, which is the lesson to be learned from the latest MWZLesson POS malware.

This concept is taught in my Malware Discovery and Basic Malware Analysis training, as it was pivotal in detecting APTs I have dealt with in the past.

Seriously consider practicing Malware Management before the malwarians show you why you should have been doing it.

DrWeb article on MWZLesson POS malware

Various Malware Reports and Analysis

How to begin using the Malware Management Framework

#InfoSec #MalwareArchaeology

Sunday, September 6, 2015

New Banking malware 'Shifu' proves Malware Management works!

IBM's Security X-Force team has released an initial report on new malware named 'Shifu' that uses methods from several other known malware families and is currently compromising banks in Japan.

The lesson to learn here is that it uses traits or functions similar to other known malware. The report lists the following traits borrowed from known malware:

* Shiz - Domain Generation Algorithm (DGA)
* Corcows - Theft from Bank Apps
* Gozi - Stealth hiding techniques
* Zeus - Anti-Sec avoidance
* Dridex - Config using XML
* Conficker - Wipe system restore
* Dyre - Self signed certs

This blog has stated that Malware Management should be practiced just like we practice Vulnerability Management. The benefit is that malware reuses patterns over time, which lets you look in places, and for artifacts and indicators, that other malware has already used, making Malware Discovery easier each time you do it and improving results.

I look forward to the detailed report by the IBM Security X-Force team and HOPE they publish the artifact details we Active Defenders and Incident Responders need to discover this malware or similar types of malware in our own environments.

IBM Trusteer intro on Shifu malware

#InfoSec #MalwareArchaeology

Wednesday, September 2, 2015

Symantec just proved Malware Management works with Regin update

I have blogged about Malware Management and Regin before and how it can improve your Information Security program, Malware Discovery and Active Defense efforts and improve your Malware Analysis. Take reports published by AV companies, IR firms, bloggers like 'Malware Must Die' and here of course, read them, pull out the artifacts (or IOCs if you must) and apply them to all the above.

Symantec is aware of two distinct versions of Regin. Version 1.0 appears to have been used from at least 2008 to 2011. Version 2.0 has been used from 2013 onwards, though it may have possibly been used earlier.

In the Fall of 2013, Symantec and others published details behind the Regin malware; see the links below. Thanks to Symantec publishing an update in August 2015, "Regin: Top-tier espionage tool enables stealthy surveillance", they just proved that if you had read the first Regin malware reports, you would have been well on your way to detecting any updates or similar behaviors, should you have been unfortunate enough to contract the malware disease known as Regin or similarly crafted malware.

You would already be watching for things like:
* New files being added to \Windows, \Windows\Fonts, \Windows\Cursors and \Windows\IME
* New files being added to \System32, \System32\Config and \System32\Drivers
* Auditing certain Registry Keys
* Auditing for files that have NTFS Extended Attributes
* Filename extensions
* Large Registry blobs (Size does matter)
* Software\Classes Keys for new entries
* See the report Appendix for more details
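
The first two bullets above turned into detection logic, as an added example that is not code from the post, from Symantec or from Log-MD. It runs over constructed Event ID 4663 records (field names and the "WriteData (or AddFile)" access wording follow the Windows event text; the records themselves are made up) and applies a small process white list in the spirit of the Log-MD post, with TrustedInstaller assumed to be a known-good writer into these directories:

```python
import ntpath

# Directories the Regin write-up says to watch for new files (the post writes
# "\System32" for "\Windows\System32", so matching is on the tail of the parent).
REGIN_WATCH_DIRS = [
    r"\Windows", r"\Windows\Fonts", r"\Windows\Cursors", r"\Windows\IME",
    r"\System32", r"\System32\Config", r"\System32\Drivers",
]

# Assumed known-good writer (Windows servicing legitimately drops files here),
# in the spirit of the Log-MD process white list.
PROCESS_WHITELIST = {r"c:\windows\servicing\trustedinstaller.exe"}

# Constructed 4663 file-audit events, not real log output. "Accesses" uses the
# wording Windows puts in the event; "WriteData (or AddFile)" means a new file or
# new content is being written.
SAMPLE_4663 = [
    {"ObjectName": r"C:\Windows\Fonts\sample1.dat", "Accesses": "WriteData (or AddFile)",
     "ProcessName": r"C:\Users\u\AppData\Local\Temp\unknown.exe"},
    {"ObjectName": r"C:\Windows\System32\Drivers\sample2.sys", "Accesses": "WriteData (or AddFile)",
     "ProcessName": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"ObjectName": r"C:\Windows\System32\Drivers\sample3.sys", "Accesses": "ReadData (or ListDirectory)",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"ObjectName": r"C:\Windows\Temp\sample4.tmp", "Accesses": "WriteData (or AddFile)",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
    {"ObjectName": r"C:\Windows\IME\sample5.dll", "Accesses": "WriteData (or AddFile)",
     "ProcessName": r"C:\Users\u\Downloads\setup.exe"},
]

def in_watched_dir(object_name, watch_dirs=REGIN_WATCH_DIRS):
    """True when the file sits directly in a watched directory (drive letter and
    case ignored; subdirectories not on the list, e.g. \\Windows\\Temp, do not match)."""
    parent = ntpath.splitdrive(ntpath.dirname(object_name))[1].lower()
    return any(parent.endswith(d.lower()) for d in watch_dirs)

def flag_watched_writes(events, whitelist=PROCESS_WHITELIST):
    """(path, process) for each write into a watched directory by a non-whitelisted process."""
    hits = []
    for e in events:
        if "WriteData" not in e["Accesses"]:
            continue  # reads and directory listings are noise here
        if e["ProcessName"].lower() in whitelist:
            continue  # filter out the known good, as the white lists are meant to
        if in_watched_dir(e["ObjectName"]):
            hits.append((e["ObjectName"], e["ProcessName"]))
    return hits

if __name__ == "__main__":
    for path, proc in flag_watched_writes(SAMPLE_4663):
        print(f"new file in watched directory: {path} written by {proc}")
```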

Several of the locations and techniques found in Regin I have seen in other APT and even in some commodity malware. So if you start reading these reports, taking the data and acting on it, you are in essence practicing Malware Management and improving your Malware Discovery, Active Defense and Information Security program. Not to mention that if you analyze malware, you have a better idea of what to look for and where.

Early reports and Symantec's update to Regin:

Symantec Report on Regin

The Intercept article on Regin

Kaspersky report on Regin

F-Secure report on Regin

Happy Hunting everyone, Malware Management ROCKS!

#InfoSec #MalwareArchaeology