Slide 1 - WikiLeaks


Digital DNA Pocket Guide
Find High Scores -> Download Livebins -> Find Actionable Intelligence

Find High Scores
Digital DNA sequences are weighted. The
higher the weight, the more likely the
program is malware or has malware-like
capabilities.
In practice, look for scores above 40.0, which should be marked
in RED. Scores marked in ORANGE or BLUE are not considered
suspicious.
Review Traits
When you find something
suspicious, or you aren’t sure,
you can review the traits. The
traits are color coded. Look
for RED and ORANGE traits
and read the corresponding
descriptions.
What to look for
IRC Network Protocol
Packing & Encryption
Program survives reboot (via registry key)
Module is not named (e.g., memory_mod)
Next Step: Download the Livebin

Download Livebins
Livebins are memory snapshots of suspicious
processes. A livebin is only the part of
memory used by an individual program, so
it’s much smaller than a whole memory
snapshot.
Queue up Livebin Downloads
Livebins are not very large and downloading them won’t impact your network.
However, they can still take time to retrieve. Digital DNA for McAfee ePO, for
example, can take up to an hour to send the request to the endnode. For this reason,
it is best to queue up all your livebin downloads at once and then come back when
they have completed.
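The three steps above (flag weights above 40.0, review RED and ORANGE traits against the "What to look for" list, then queue every livebin request in one batch) can be expressed as a small triage routine. This is an added example, not code from the pocket guide or from HBGary: the record layout, host names, module names, weights and trait descriptions are constructed, and a real Digital DNA export has its own fields.

```python
"""Triage Digital DNA results and build a livebin download queue.

Added example, not code from the pocket guide or from HBGary. The record
layout, host names, module names, weights and trait descriptions are all
constructed; a real Digital DNA export has its own fields.
"""
from dataclasses import dataclass, field

SCORE_THRESHOLD = 40.0  # the guide treats weights above 40.0 (shown in RED) as suspicious

# Trait descriptions the guide lists under "What to look for" (matched as prefixes).
WATCHED_TRAITS = (
    "irc network protocol",
    "packing & encryption",
    "program survives reboot",
    "module is not named",
)


@dataclass
class Module:
    host: str
    name: str
    weight: float
    traits: list  # (colour, description) pairs as the DDNA trait list shows them


@dataclass
class Finding:
    host: str
    name: str
    weight: float
    reasons: list = field(default_factory=list)


def review_traits(traits):
    """Return the RED/ORANGE trait descriptions that match the guide's watch list."""
    hits = []
    for colour, description in traits:
        if colour.upper() not in ("RED", "ORANGE"):
            continue  # BLUE traits are not considered suspicious
        if any(description.lower().startswith(w) for w in WATCHED_TRAITS):
            hits.append(description)
    return hits


def triage(modules):
    """Apply the guide's rules: high weight first, then trait review for the rest."""
    findings = []
    for m in modules:
        reasons = []
        if m.weight > SCORE_THRESHOLD:
            reasons.append(f"DDNA weight {m.weight:.1f} above {SCORE_THRESHOLD:.1f} (RED)")
        if m.name.startswith("memory_mod"):
            reasons.append("module is not named")  # unnamed memory module, as the guide flags
        reasons.extend(f"trait: {t}" for t in review_traits(m.traits))
        if reasons:
            findings.append(Finding(m.host, m.name, m.weight, reasons))
    # Highest weight first so the most likely malware is requested first.
    findings.sort(key=lambda f: f.weight, reverse=True)
    return findings


def livebin_queue(findings):
    """(host, module) pairs to request in one batch, since each ePO request can take up to an hour."""
    seen = set()
    queue = []
    for f in findings:
        key = (f.host, f.name)
        if key not in seen:
            seen.add(key)
            queue.append(key)
    return queue


# Constructed sample scan results (hosts, names and weights are made up).
SAMPLE_MODULES = [
    Module("ws-0142", "svchost.exe", 12.3, [("BLUE", "Uses WinINet")]),
    Module("ws-0142", "memory_mod_0x7ff0", 55.1,
           [("RED", "Packing & Encryption"),
            ("ORANGE", "Program survives reboot (via registry key)")]),
    Module("ws-0217", "updater.dll", 33.0, [("ORANGE", "IRC Network Protocol")]),
    Module("ws-0217", "explorer.exe", 8.0, [("ORANGE", "Creates GUI windows")]),
]

if __name__ == "__main__":
    found = triage(SAMPLE_MODULES)
    for f in found:
        print(f.host, f.name, f.weight, "; ".join(f.reasons))
    print("livebin queue:", livebin_queue(found))
```

A module below the threshold still ends up in the queue when one of its RED or ORANGE traits matches the watch list, which is the "when you aren't sure, review the traits" path; an ORANGE trait outside that list on its own does not.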
Importing into Responder
Once the livebin has been downloaded, it can be
opened in Responder Professional Edition.
Responder allows you to review the strings and
symbols, and graph the code and other data
within the suspicious binary. Be sure to run the
Malware Assessment Plugin and review the
automatically generated report.
What to Look For
Suspicious IP Addresses or DNS Names
Suspicious File Paths or Filenames
Web URL’s with suspicious filenames
What Next?
Unsure: Go to “How do I know if it’s bad?”
Deeper look: Go to “Strings and Symbols”
Machine is infected: Go to “Remediation”
Remediation
You have several choices for remediation. A solid
choice is to have the machine re-imaged. However,
re-imaging doesn’t mean the computer is immune
against re-infection. After re-imaging, most
computers can be re-infected. It is best to know
HOW the malware infected the machine and
attempt to block it from entering the network.
DNS Names & IP Addresses
Where there is one malware infection, there will be more. One of the best ways to
detect multiple infections is at the network layer. Most malware will communicate
with a single command and control network or dropsite. For these, you can use DNS
names or IP addresses to find additional infections.
Network Protocols
If the malware communicates using a unique protocol such as IRC, you can detect this
port in use over the network and find additional infections. If the protocol is
common, such as HTTP, you can look inside the packets for specific queries, such as
URL paths, script names, and other factors that are unique to the malware
communication system. If the malware listens on a unique port (e.g., 31337) then you
can use a network port scanner to locate additional infections.
File & Registry Paths
If you administer a Windows network, you can search endnodes for specific registry
keys or files using a batch script or administration tool. Many malware programs
leave specific registry keys in place, and these can be detected network-wide.
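The three sweeps described above (DNS names and IP addresses, protocol-specific URL paths and listening ports, and registry keys or file paths on the endnodes) come down to matching one set of indicators against several record sources and collecting the hosts that hit. The following is an added example, not part of the pocket guide or of any HBGary tool: every indicator, log line and host record is constructed for illustration, and the log formats are assumed rather than taken from a particular product.

```python
"""Hunt for additional infections with indicators taken from one analysed sample.

Added example, not part of the pocket guide or any HBGary tool. Every
indicator, log line and host record below is constructed for illustration;
the log formats are assumed, not those of a particular product.
"""
from collections import defaultdict
from itertools import chain
from urllib.parse import urlsplit

# Indicators recovered from the first livebin (constructed values, not real IOCs).
IOCS = {
    "dns_names": {"update-check.example.net"},
    "ip_addresses": {"198.51.100.23"},
    "url_paths": {"/gate/cmd.php"},
    "listen_ports": {31337},
    "registry_keys": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svcupd"},
    "file_paths": {r"C:\Windows\System32\svcupd.dll"},
}

# Constructed DNS log: "<time> <host> query <type> <name>"
DNS_LOG = [
    "2011-02-03T10:01:02Z ws-0142 query A update-check.example.net",
    "2011-02-03T10:01:05Z ws-0217 query A www.example.com",
    "2011-02-03T10:02:11Z ws-0310 query A update-check.example.net",
]
# Constructed proxy log: "<time> <host> <method> <url> <status>"
PROXY_LOG = [
    "2011-02-03T10:01:03Z ws-0142 GET http://update-check.example.net/gate/cmd.php 200",
    "2011-02-03T10:01:06Z ws-0217 GET http://www.example.com/index.html 200",
    "2011-02-03T10:03:40Z ws-0455 POST http://198.51.100.23/gate/cmd.php 200",
]
# Constructed port-scan output: "<time> <ip> <host> <proto> <port> listening"
CONN_LOG = [
    "2011-02-03T10:05:00Z 10.0.5.12 ws-0142 tcp 31337 listening",
    "2011-02-03T10:05:00Z 10.0.5.80 ws-0522 tcp 443 listening",
]
# Constructed autorun export, one value per line: "<host> <registry key> <value>"
AUTORUN_EXPORT = [
    r"ws-0142 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svcupd C:\Windows\System32\svcupd.dll",
    r"ws-0217 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive C:\Users\x\OneDrive.exe",
    r"ws-0610 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svcupd C:\Windows\System32\svcupd.dll",
]


def sweep_dns(lines):
    """Hosts that resolved a known command-and-control name."""
    for line in lines:
        fields = line.split()
        host, name = fields[1], fields[-1]
        if name in IOCS["dns_names"]:
            yield host, f"dns:{name}"


def sweep_proxy(lines):
    """Hosts talking to the C2 host, or requesting the malware's unique URL path."""
    for line in lines:
        _, host, _, url, _ = line.split()
        parts = urlsplit(url)
        if parts.hostname in IOCS["dns_names"] or parts.hostname in IOCS["ip_addresses"]:
            yield host, f"c2-host:{parts.hostname}"
        if parts.path in IOCS["url_paths"]:
            yield host, f"c2-path:{parts.path}"


def sweep_ports(lines):
    """Hosts found listening on the malware's unique port."""
    for line in lines:
        fields = line.split()
        host, port = fields[2], int(fields[4])
        if port in IOCS["listen_ports"]:
            yield host, f"listen-port:{port}"


def sweep_autoruns(lines):
    """Hosts carrying the persistence registry key or the dropped file."""
    for line in lines:
        host, key, value = line.split(maxsplit=2)
        if key in IOCS["registry_keys"]:
            yield host, f"registry:{key}"
        if value in IOCS["file_paths"]:
            yield host, f"file:{value}"


def sweep_all(dns_log=DNS_LOG, proxy_log=PROXY_LOG, conn_log=CONN_LOG, autoruns=AUTORUN_EXPORT):
    """Return {host: sorted indicator matches} for every host that matched at least once."""
    hits = defaultdict(set)
    for host, reason in chain(sweep_dns(dns_log), sweep_proxy(proxy_log),
                              sweep_ports(conn_log), sweep_autoruns(autoruns)):
        hits[host].add(reason)
    return {host: sorted(reasons) for host, reasons in sorted(hits.items())}


if __name__ == "__main__":
    for host, reasons in sweep_all().items():
        print(host, "->", ", ".join(reasons))
```

Each source contributes independently, so a host that only shows up in the DNS log (ws-0310 in the sample) or only in the autorun export (ws-0610) is still reported; the per-host match list is what tells you which of the network-layer or endpoint indicators to turn into firewall, IDS or host-search rules.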
How to submit samples to portal
How to submit samples to your AV Vendor

Find Actionable Intelligence
  Check the HBGary Portal
  Look for Toolkits
  Look for Variants
  Look for the Developer

How do I know if it’s bad?
  Packed
  Certain Keywords
  Keyloggers
  Bank Info Stealers
  Botnets
  Rootkits
  Identity Theft
  Intellectual Property Theft

Remediation
  Network Ports, DNS Names, IP Addresses
    Check your IDS logs
    Search Niksun
    Create firewall and IDS rules
  Network Protocols
    Detect IRC
    Detect unique URLs
  File & Registry Paths