Transcript Responder, Active Defense, and Digital DNA

Responder, Active Defense, and
Digital DNA™
The technology
• Physical memory parsing reconstructs the
operating system state
– Support for all versions and service packs of windows,
both 32 and 64 bit
– “Windows without windows”
• Memory acquisition
– uses signed driver
– works on machines with > 4GB ram
• Can be operated as an agent
– Stand alone, EPO plugin, etc.
Advantages
• Because the computer is analyzed offline,
malware cannot hide itself actively
• All code and data that is in use MUST exist in
physical memory, therefore we have access to
it
• The OS points us to the running rootkit or
malware by virtue that the malware interacts
with the OS
Malware analysis
• Any binary executable can be ‘extracted’ from
the memory image
• Full x86 disassembly, code and data
identification
• Graphing of control and data flow
• This extraction and analysis is the basis of
digital DNA (see later slides on this)
“Flypaper”
• Runtime analysis
• Device driver
– Logs program behaviors in realtime
– Filesystem, Network, Registry
– Process launching, memory access, etc.
– Injected DLL, threads, etc.
– Prevents memory from being freed
– Prevents process & thread exit
Digital DNA
• The disassembled malware has code and data
that reveals behavior
• Digital DNA is an abbreviated code for
detected behaviors
• Behaviors can be “good” or “bad”
• Each behavior has a weight and when
combined into a DDNA sequence, a sequence
has a weight
Traits
• Trait codes are like this:
04 0F 51
Weight / Control flags
Description is held in a database
Unique hash code
Trait code rules
• A language similar to regular expressions is
used to specify a trait. The rule has 3 parts:
N
eggdrop.exe
Rule type
Rule Body
iu
Rule Restrictions
N"eggdrop.exe"iu
Trait rules
• The trait rules can be combinatoric
– (A and B) or C
• For example,
– Program references the name of a bank
– AND
– Program can send email
– Equals: suspicious
Sequences
02 82 78 02 D6 F7 07 CD E3 05 51 87 05 A8 F1 02 FB 99 02 45 5B 02 7C 9A 02 AC CF 00 9F…
This is a series of 3 octet trait codes
Each trait can have a weight from -15 to +15. + means suspicious. – means trusted.
The entire sequence is weighted by summing the weights of each trait.
The summing of weights is performed using an algorithm known as the
“discrete weight decay algorithm”. This algorithm will decay the effects of a repeated
weight value over time.
A malicious binary will usually score +40 points or more in weight.
Digital DNA with EPO
• The EPO integration is our first step into the
enterprise
• DDNA results are collected for each node on a
periodic basis
• Results are fed upstream to the EPO server
• This allows us to test our agent and DDNA
before we bring our own AD product to
market
Active Defense
• This is HBGary’s enterprise product, scheduled
for release Q2 2009
• DDNA scan, periodic
• Ability to archive entire memory snapshot
• Ability to archive individual extracted binaries