2009 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
Thanx up front
AT&T CSO management
Ed Amoroso, AT&T Chief Security Officer
Cynthia Cama
Sanjay Macwan
Bill O'Hern
The Author
Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSP
GCIA (Gold) #64, 2000
GCFA (Gold) #25, 2002
GREM (Gold) #48, 2005
And other certs along the way
SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor
Internet Storm Center handler since 2002
Instrument-rated private pilot, 2003/2004
The Paper
SANSFIRE 2008
Facilitating SEC 610 for Lenny
GREM Gold paper
Wrote it in my head in one evening
Share lessons learned
Share tools/scripts
In the beginning
Twiki page
Unwieldy after a few hundred entries
No FTEs
Now, there is me (mostly)
Malware DB
Sandbox report(s)
Malware DB
The binary
Forest? Trees?
Virtual machines
VMware
VirtualBox*
For privacy reasons, we are conservative about what to share and with whom. So, what about the automated portals? Commercial copies?
Norman sandbox
CW sandbox
Anubis
Threat Expert
Processing a Sample
Analysis Flow
Submission
[jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i oldmalware/; sleep 10; done
Archive:  090529-rnd_jpg.piz
  inflating: rnd.jpg
*****Processing rnd.jpg - ONEBOOT******
interface: eth1 (4.0.0.0/255.0.0.0)
filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytes
Starting Faux FTP Server Emulation on port 21
Starting Faux MySQL Server Emulation on port 3306
Starting Faux SMTP Server Emulation on port 25
Starting Faux SMB Server Emulation on port 445
Starting Faux IRC Server Emulation on port 6667
Starting Faux DNS Server Emulation on port 53
Monitoring
[jac@fltruman001 ~]$ alias status
alias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:]\r\n" "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:]\r\n" "."'
Monitoring, contd
[jac@fltruman001 ~]$ status
Server.exe

request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.86
responseIP: 4.3.2.63
response: rcode=NOERROR, ans=, auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=, auth=, add=, aa=1
Connection from 4.5.6.7
USER 0wn@sickbassline.com
PASS smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps
reading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)
4.5.6.7  4.3.2.86    6  1030  21  674  578  9  9  2009-06-04-11:24:02.2148  2009-06-04-11:24:03.3459  1  1
4.5.6.7  224.0.0.22  2  0     0   0    108  0  2  2009-06-04-11:24:09.5569  2009-06-04-11:24:10.4709  1  1
input: /tmp/sandnet.pcap
filter: (ip) and ( tcp port 80 and not host 4.5.6.1 )
match: GET|POST|HEAD|OPTIONS|JOIN
##########exit
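A small triage parser for the faux-service log that the status alias dumps, added here as an example and not part of the original slides; it assumes the line shapes shown in the session above (faux DNS "request:"/"responseIP:" lines, raw FTP commands) and constructs its own sample log. It goes a little beyond the single session on the slide by also recording RETR downloads and lookups that got no answer.

```python
import re

# Line shapes are modelled on the 'status' output above: the faux DNS server's
# "request:"/"responseIP:" lines and the raw commands the faux FTP server logs.
DNS_REQUEST = re.compile(r"request: name=(?P<name>[^,]+), class=\w+, type=\w+, peer=[\d.]+")
DNS_ANSWER = re.compile(r"responseIP: (?P<ip>[\d.]+)")
FTP_CMD = re.compile(r"^(USER|PASS|STOR|RETR) (.+)$")

# Constructed sample mirroring the slide's session; not a real log file.
SAMPLE_LOG = """request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.86
responseIP: 4.3.2.63
response: rcode=NOERROR, ans=, auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
Connection from 4.5.6.7
USER 0wn@sickbassline.com
PASS smokeweed
STOR User.mps
"""

def summarize_sandnet(log_text):
    """Collapse a sandnet log into the DNS lookups and FTP session it records."""
    dns, name = {}, None
    ftp = {"user": None, "pass": None, "uploads": [], "downloads": []}
    for raw in log_text.splitlines():
        # Same clean-up the status alias does with tr: mask unprintable bytes.
        line = "".join(c if c.isprintable() else "." for c in raw).strip()
        if m := DNS_REQUEST.match(line):
            name = m.group("name")
            dns.setdefault(name, [])        # keep lookups that got no answer
        elif (m := DNS_ANSWER.match(line)) and name:
            dns[name].append(m.group("ip"))
        elif m := FTP_CMD.match(line):
            cmd, arg = m.group(1), m.group(2)
            if cmd in ("USER", "PASS"):
                ftp[cmd.lower()] = arg
            elif cmd == "STOR":             # sample pushed a file out: exfil
                ftp["uploads"].append(arg)
            else:                           # RETR: sample pulled something in
                ftp["downloads"].append(arg)
    return {"dns": dns, "ftp": ftp}

def indicators(summary):
    f = summary["ftp"]
    out = ["domain:" + n for n in summary["dns"]]
    out += ["ftp-credential:" + f["user"]] if f["user"] else []
    out += ["ftp-upload:" + p for p in f["uploads"]]
    out += ["ftp-download:" + p for p in f["downloads"]]
    return sorted(out)
```

The sorted indicator list is what would go into the malware DB entry for the sample alongside the pcap.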
dumphive
strings
pmodump.pl
Intelligence
tcpdump
Identify the OS
Summary report for xxx.xxx-XPSP2-files created at
OS info>>>
kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
Ex: kern <path_to_dump_file>
File Description : NT Kernel & System
File Version     : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Internal Name    : ntoskrnl.exe
Product Name     : Microsoft Windows Operating System
Product Version  : 5.1.2600.2180
10 packets seen, 10 TCP packets traced
elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
trace file elapsed time: 0:00:00.017257
Http module output:
4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
  Server Syn Time:    Wed May 27 16:49:17.130145 2009 (1243457357.130)
  Client Syn Time:    Wed May 27 16:49:17.130085 2009 (1243457357.130)
  Server Fin Time:    Wed May 27 16:49:17.146947 2009 (1243457357.147)
  Client Fin Time:    Wed May 27 16:49:17.147323 2009 (1243457357.147)
  GET /here2 HTTP/1.0
    Response Code:       404 (Not Found)
    Request Length:      66
    Reply Length:        468
    Content Length:      289
    Content Type  :      text/html;
    Time request sent:   Wed May 27 16:49:17.130584 2009 ()
    Time reply started:  Wed May 27 16:49:17.146886 2009 ()
    Time reply ACKed:    Wed May 27 16:49:17.147077 2009 ()
    Elapsed time:  16 ms (request to first byte sent)
    Elapsed time:  16 ms (request to content ACKed)
< 908
> 896
9,11c9,11
< 992
> 1484 avmont
14,15c14,16
< 992
< 908
> 1484 avmont
> 0 System
> 896
C:\WINDOWS\avmont.exe
768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,"/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
Packer info>>>
[['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]
Limitations
Point in time
Miss changes that don't persist, e.g., miss processes that don't have open connections at the time of the memory dump
Future Work
Volatility plugins
Brendan Dolan-Gavitt's in-memory registry stuff
Michael Hale Ligh's usermode_hooks
Other ideas?
Correlation/Visualization
Afterglow
Learn from the A/V community
Questions?
E-mail: jac@att.com or jclausing@isc.sans.org