Transcript Company Overview

Botnet Detection and Mitigation with
Digital DNA
HBGary Background
• Founded in 2003
• Government R&D
• Solutions:
• Enterprise Malware Detection & Mitigation
• Live Windows Memory Forensics & Incident Response
• Automated Reverse Engineering
R&D Funding
Air Force Research Labs
Dept Homeland Security
(HSARPA)
• Next Generation Software Reverse Engineering Tools
• Kernel Virtual Machine Host Analyzer
• Virtual Machine Debugger
• Botnet Detection and Mitigation
• H/W Assisted System Security Monitor
• Subcontractor to AFCO Systems Development
# of New Malware Every Day!
60000
50000
40000
30000
20000
10000
0
2006
2007
2008
2009
Botnet Detection Shortcomings
Top 3 AV companies don’t detect 80% of new malware
Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006
Military Strategists agree…
A Successful defense begins with good
intelligence about the enemies tactics and
techniques
Cybercrime Evolution
• Cybercrime Authors have evolved over the last 30
years
– Continued improvement and innovation
– Capitalistic Shadow Economy - Competition
• Malware Authors
– Professional Software Development Lifecycle model
– Professional Quality Assurance
• Product doesn’t ship until code is undetected by
latest Antivirus products
Botnets use Memory Tricks
• Memory injection attacks never touch the disk
– Available for over 5 years
• Metasploit Framework
• Canvas - www.immunitysec.com
• Core Impact - www.coresecurity.com
• Hard to Detect these tricks without offline memory
analysis
– Remember: you cannot trust the operating system!
Memory Tricks
Drive-by Download – Legitimate website
Rootkit
Encrypted Covert Channel
Drive by
Download
Filesystem
No representation of what
is being stolen
Runtime Memory
Executable code is only
visible in RAM and
Pagefile
DISK FILE
IN MEMORY IMAGE
OS Loader
Public Attack-kits
have used memory
injection for
over 5 years
ATTACK VECTOR:
Internet Browsers,
PDF, Active X, Office
files, Video, etc…
Start Internet
Explorer - MD5
Checksum
is white listed
and it verifies…
White-listing on disk
doesn’t prevent
malware from being in
memory
Process is
trusted??
HBGary Approach
&
Core Technology
Core Technology
Physical
Memory
Forensics
Visibility
into Code
Phase 2
Code
Reverse
Engineering
Digital DNA
(Behavioral Analysis)
Detect Malware and
Identify Behaviors
with DDNA
Phase 3
Detect
Detect
Executable
Executable
Code
CodePhase
here 1
The Process
Offline
Physical
Memory
Analysis
This is The
Advantage!
Rootkit
Detection
Rebuilds underlying
undocumented data
structures
Automated
Malware
Analysis
Digital
DNA
Rebuilds running state of
machine “exposes all
objects ”
Alerting &
Reporting
Malware cannot hide
itself actively
The Process
Offline
Physical
Memory
Analysis
These tricks expose
themselves by interacting
with OS
Rootkit
Detection
Direct Kernel Object
Manipulation Detection
Automated
Malware
Analysis
Digital
Hook Detection
IDT/SSDT/Driver Chains
DNA
Alerting &
Reporting
Crossview Based
Analysis
The Process
Offline
Physical
Memory
Analysis
IP Addresses
URL’s
Rootkit
Detection
Installation
Routines
Automated
Malware
Analysis
What is being
Stolen?
Digital
DNA
Alerting &
Reporting
Who is it talking
to?
Why Perform Malware Analysis?
I have Anti-Virus….
Goes beyond anti-virus applications…
• Detection and remediation based on signatures for malware is
out dated
• Answer the following questions:
–
–
–
–
What happened? What is being stolen?
How did it happen? How do we clean it up?
When did the infection occur?
Possibly Who is behind it?
The Process
Offline
Physical
Memory
Analysis
Code Behavior
Identification
Rootkit
Detection
ALL Memory is
Scanned
Automated
Malware
Analysis
Digital
DNA
A Threat Score is
provided for all code
Alerting &
Reporting
White & Black List
Code /Behaviors
The Process
Offline
Physical
Memory
Analysis
Custom Reports in
XML, RTF, PDF, other
Rootkit
Detection
Reports can be sent to
Enterprise Console
Automated
Malware
Analysis
Digital
DNA
Behavioral Analysis Scan
and others
Alerting &
Reporting
Alert on Suspicious
Behaviors and coding
tricks
Advantages of our approach
1. Forensic Quality Approach
– Analysis is 100% offline
– Like Crash Dump Analysis – No Code Running!
2. Automated Reverse Engineering Engine
3. Digital DNA™ detects zero-day threats
– 5+ years of reverse engineering technology
– AUTOMATED!
– No Reverse Engineering expertise required
How DDNA Detects Bots
• Detect Malware that other approaches do not…
• Verify the “Run-Time” state of the system
Digital DNA
Ranking Software Modules by Threat Severity
0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21
8A C2
0F 51
0F 64
Software Behavioral Traits
Design Goals of Digital DNA
• Rapidly predict and identify:
– Malicious behaviors inside of running applications in
memory and the pagefile
• Identify DNA (traits) of the malware
– There are 2500 traits currently
– Grouped into six behavioral categories
What’s in a Trait?
04 0F 51
Unique hash code
Weight / Control flags
B[00 24 73 ??]k ANDS[>004]
C”QueueAPC”{arg0:0A,arg}
The rule is a specified like a regular expression, it
matches against automatically reverse engineered
details and contains Boolean logic. These rules
are considered intellectual property and not
shown to the user.
The trait, description, and underlying
rule are held in a database
How Digital DNA goes beyond MD5 Checksums
• In memory, once executing, a file is
represented in a new way that cannot be
easily be back referenced to a file checksum
• Digital DNA™ does not change, even if the
underlying file does
– Digital DNA is calculated from what the software DOES (it’s
behavior), not how it was compiled or packaged
DISK FILE
IN MEMORY IMAGE
100% dynamic
Copied in full
OS Loader
Copied in part
In memory,
traditional
checksums
don’t work
MD5
Checksum
reliable
MD5
Checksum
is not
consistent
Digital DNA
remains
consistent
HBGary Products
Memory Forensics and
Incident Response
Products
Stand Alone Products
1 Analyst : 1 Machine
Responder Professional
• Comprehensive physical memory and malware investigation platform
• Host Intrusion Detection & Incident Response
• Live Windows Forensics
• Automated Malware Analysis
• Computer incident responders, malware analysts, security assessments
• Digital DNA
Responder Field Edition
• Comprehensive Memory Investigation platform.
• Geared towards Law Enforcement and computer forensic investigators
• Basic Malware Analysis
Digital DNA Screenshot
HBGary
Enterprise Malware
Detection
Enterprise Products
1 Analyst : N machines
Enterprise Digital DNA – McAfee EPO Solution
• Enterprise Malware/Rootkit Detection & Reporting
• Distributed Physical Memory Analysis with Digital DNA
• Rapid Response Policy Lockdown
Enterprise Responder – Guidance Software Encase Enterprise Solution
• Suspicious & Malicious Code Detection
Fuzzy Search
5,000 Malware is sequenced every 24 hours
Client Testimonials
Client Testimonial
• 1 of the Largest Pharmaceutical Co’s
• Under attack every day
• Uses Enterprise Anti Virus
– Sends malware to vendor
– Waits for signature 1-8 hours -
• Uses Responder Pro –
– Responder provides immediate critical intelligence to secure the
network and mitigate the threat to the data
Client Testimonial 2
• 1 of the largest Entertainment Co’s
• Under attack every day & Uses Enterprise Anti Virus
• When a machine is compromised, they perform various
levels of remediation with their antivirus vendor
signatures.
• Once the machine is determined clean by the AntiVirus
software, they use our technology to verify the machine is
no longer infected…
• Findings: about 50% of machines are still infected…
Conclusion
Dramatically Improve Enterprise Security
with
Enterprise Memory Forensics & Malware Analysis
• Memory Forensics can detect malicious code that nothing else can…
• Memory Forensics is not only for Incident Response
• Memory Forensics should be used during Security Assessments too
• Malware Analysis should be brought in house
• Malware Analysis can SAVE YOU PRECIOUS TIME
• minimize costs and impact.
• identify the “Scope of Breach”
• mitigate the threat while you wait for anti-virus signatures
Questions?
Thank you very much
[email protected]
DISK FILE
IN MEMORY IMAGE
OS Loader
Same
malware
compiled in
three
different
ways
MD5
Checksums
all different
Digital DNA
remains
consistent
IN MEMORY IMAGE
Packer #1
Packer #2
OS Loader
Decrypted
Original
Starting
Malware
Packed
Malware
Digital DNA
remains
consistent
Digital DNA
defeats
packers
OS Loader
IN MEMORY IMAGE
Malware
Tookit
Digital DNA
detects
toolkits
Different
Malware
Authors
Using
Same
Toolkit
Toolkit DNA
Detected
Packed