Malware detection with OSSEC
OSSECCON 2014
@santiagobassett
Setting up a malware lab: Collection, Analysis, Detection
MW collection techniques
• Honeypots
• Web spiders - honeyclients
• Malware crawlers
Honeypot
Dionaea: Low interaction honeypot that emulates vulnerable network services.
https://github.com/rep/dionaea (written in C)
santiago@cuckoo:~$ nmap dionaea 
Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 21:04 PDT 
Nmap scan report for dionaea (54.235.216.XXX) 
Host is up (0.070s latency). 
Not shown: 992 closed ports 
PORT STATE SERVICE 
21/tcp open ftp 
42/tcp open nameserver 
80/tcp open http 
135/tcp open msrpc 
443/tcp open https 
445/tcp open microsoft-ds 
1433/tcp open ms-sql-s 
3306/tcp open mysql 
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
Honeypot results
• Captured 126 unique binaries in 3 months
• Highly detected by clamav (80%)
santiago@dionaea:/opt/dionaea/var/dionaea/binaries# clamscan * 
022aeb126d2d80e683f7f2a3ee920874: Trojan.Spy-78857 FOUND 
05800e1eb163994359e4c946d4a0fecb: Backdoor.Floder-3 FOUND 
06267149140c0bc9ba51222c165f2d61: Worm.Autorun-7683 FOUND 
0682f3dfbdab7c040ac9307c50792d0a: Trojan.Buzus-9369 FOUND 
074b815d9ded01b516a62e3b739caa10: Win.Trojan.Agent-372503 FOUND 
07fea379703307c5addc20e237cdd0f0: Win.Trojan.Jorik-1388 FOUND 
09481313331ff5a8b8bfa4e25cbaa524: Worm.Autorun-7516 FOUND 
0a9f1cd12f1b34ca71fa585e87e91c7d: OK 
0b4c4078231ee36731080858187a49b8: Win.Trojan.Injector-8166 FOUND 
0feae931ee71a495614f14f3c1d37246: Trojan.Mybot-5073 FOUND 
10ec7cb47314a2c08decb25e53fedcfa: Trojan.Injector-558 FOUND 
1205a52e42687c922aa4d3700d778398: Trojan.Kazy-1372 FOUND 
12fb7332920a7797c2d02df29b57c640: Trojan.Spy-78857 FOUND 
16b0357b804d9651d9057b61d78bee08: Win.Trojan.Agent-368816 FOUND 
1a813b6ea08a47f2997e2e4215eba96b: WIN.Trojan.IRCBot-1225 FOUND 
… 
----------- SCAN SUMMARY ----------- 
Known viruses: 3517573 
Engine version: 0.98.1 
Scanned directories: 0 
Scanned files: 126 
Infected files: 101 
Data scanned: 17.65 MB 
Data read: 18.11 MB (ratio 0.97:1) 
Time: 56.447 sec (0 m 56 s)
Honeyclient
Thug: Low interaction honeyclient, used to detect drive-by-download attacks.
https://github.com/buffer/thug (Python)
Thug emulates:
• Core browser functionality
• ActiveX controls
• Browser plugins
Drive-by download attack
http://urlquery.net/report.php?id=1410227505197
Honeyclient results
santiago@mwcollector:~/thug/src$ ./thug.py webgalleriet.no/
[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Status: 200, Referrer: http://www.webgalleriet.no/)
[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Content-type: application/javascript, MD5: d484fa08997df765852c6ad283ec52c6)
[2014-09-11 22:58:31] <iframe align="center" frameborder="no" height="2" name="Twitter" scrolling="auto" src="http://168bet.com/cocs.html?j=1095012" width="2"></iframe>
[2014-09-11 22:58:31] [iframe redirection] http://www.webgalleriet.no/ -> http://168bet.com/cocs.html?j=1095012
[2014-09-11 22:58:31] [URL Classifier] URL: http://168bet.com/cocs.html?j=1095012 (Rule: Redkit 1, Classification: Landing page, Exploit Kit)
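The Thug output above flags a 2x2 iframe that sends the visitor to a different domain. The same heuristic, written here as an added example (not Thug's code and not part of the original slides), using only the standard library; the sample page is constructed and reuses the iframe tag quoted in the Thug output, plus a benign same-site embed and a CSS-hidden frame on a made-up host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: first iframe is the one from the Thug output,
# second is a normal same-origin embed, third uses a placeholder host.
SAMPLE_HTML = """
<html><body>
<iframe align="center" frameborder="no" height="2" name="Twitter" scrolling="auto"
 src="http://168bet.com/cocs.html?j=1095012" width="2"></iframe>
<iframe src="/wordpress/embed/" width="600" height="400"></iframe>
<iframe src="http://hidden.example.invalid/widget" style="display:none"></iframe>
</body></html>
"""

TINY_PX = 2  # a frame this small is not meant to be seen by a human


def _px(value):
    """Parse a width/height attribute ('2', '2px') to an int; None if not plain pixels."""
    if value is None:
        return None
    value = value.strip().lower().rstrip("px")
    return int(value) if value.isdigit() else None


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, page_url):
    """Return iframes that are tiny or CSS-hidden AND point off the page's host."""
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        target_host = urlparse(src).hostname  # None for relative URLs
        if target_host is None or target_host == page_host:
            continue  # same-origin embeds are normal site content
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"tiny {w}x{h} frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "host": target_host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "http://www.webgalleriet.no/"):
        print(f"[iframe redirection] -> {hit['src']} ({', '.join(hit['reasons'])})")
```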
Malware crawlers
Retrieve files using malware tracking sites.
https://github.com/technoskald/maltrieve (Python)
https://code.google.com/p/malware-crawler/ (Python)
http://malc0de.com/rss
http://www.malwareblacklist.com/mbl.xml
http://www.malwaredomainlist.com/hostslist/mdl.xml
http://vxvault.siri-urz.net/URL_List.php
http://urlquery.net/
http://support.clean-mx.de/clean-mx/xmlviruses.php
Malware tracking site
Malware crawlers results
• Captured 345 unique binaries in 15 minutes
• Poorly detected by clamav (16%)
santiago@mwcollector:~/binaries/maltrieve$ clamscan *
02d36dff08b63b123d2d2a36089e3d97: OK
03a6ac145099cf77bf5c7af127696687: OK
03e49fb415aacf9d2c90821ff0596024: OK
0568a72d4c5a2eb510207ca45b8d8799: OK
06ddb91e1d5f056590dfeef71a2da264: JS.Iframe-2 FOUND
074fbceca8fe84bae582a7a114b2ce94: HTML.Iframe-63 FOUND
0889504acc370f2adec7869b9bc5bc5c: OK
08d53833d032d71c1e7ffd3cddcd2a5e: JS.Iframe-2 FOUND
0ac790c459a0ef9bb4959321918a2d57: OK
0cc1c5c2ef510bd9f587abbc402d04a3: OK
0e3c692048a35c06ffe81a473ffd1d41: OK
136264a09b94bf8f08278b0045a84905: OK
13e78b2bab4a0ae9a3c2003d3f004dd1: JS.Obfus-31 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3517100
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 235
Infected files: 38
Data scanned: 164.24 MB
Data read: 143.86 MB (ratio 1.14:1)
Time: 254.462 sec (4 m 14 s)
Malware database - Viper
Binary analysis and management framework.
https://github.com/botherder/viper (Python)
Static Analysis - Yara
Flexible, human-readable rules for identifying malicious streams.
Can be used to analyze:
• files
• memory (volatility)
• network streams.
private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii
        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii
    condition:
        all of ($winrar*) and 1 of ($str*)
}
Static Analysis - Yara
rule APT1_WEBC2_TABLE
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $msg1 = "Fail To Execute The Command" wide ascii
        $msg2 = "Execute The Command Successfully" wide ascii
        $gif1 = /\w+\.gif/
        $gif2 = "GIF89" wide ascii
    condition:
        3 of them
}
viper > find name 3f2fda43121d888428b66717b984a7fb
+---+----------------------------------+-----------------------+----------------------------------+------+
| # | Name                             | Mime                  | MD5                              | Tags |
+---+----------------------------------+-----------------------+----------------------------------+------+
| 1 | 3F2FDA43121D888428B66717B984A7FB | application/x-dosexec | 3f2fda43121d888428b66717b984a7fb | apt  |
+---+----------------------------------+-----------------------+----------------------------------+------+
viper > open -l 1
[*] Session opened on /home/santiago/viper/binaries/6/a/f/2/6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e
viper 3F2FDA43121D888428B66717B984A7FB > yara scan
[*] Scanning 3F2FDA43121D888428B66717B984A7FB (6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e)
+------------------+--------+--------+----------------------------------+
| Rule             | String | Offset | Content                          |
+------------------+--------+--------+----------------------------------+
| APT1_WEBC2_TABLE | $msg1  | 440032 | Fail To Execute The Command      |
| APT1_WEBC2_TABLE | $msg2  | 440060 | Execute The Command Successfully |
| APT1_WEBC2_TABLE | $gif1  | 440100 | sdwefa.gif                       |
| APT1_WEBC2_TABLE | $gif1  | 440101 | dwefa.gif                        |
| APT1_WEBC2_TABLE | $gif1  | 440102 | wefa.gif                         |
| APT1_WEBC2_TABLE | $gif1  | 440103 | efa.gif                          |
| APT1_WEBC2_TABLE | $gif1  | 440104 | fa.gif                           |
| APT1_WEBC2_TABLE | $gif1  | 440105 | a.gif                            |
| APT1_WEBC2_TABLE | $gif2  | 440112 | GIF89                            |
+------------------+--------+--------+----------------------------------+
viper 3F2FDA43121D888428B66717B984A7FB > yara rules
+----+-----------------------------------+
| #  | Path                              |
+----+-----------------------------------+
| 1  | data/yara/hangover.yara           |
| 2  | data/yara/citizenlab.yara         |
| 3  | data/yara/APT_NGO_wuaclt_PDF.yara |
| 4  | data/yara/kins.yara               |
| 5  | data/yara/themask.yara            |
| 6  | data/yara/vmdetect.yara           |
| 7  | data/yara/index.yara              |
| 8  | data/yara/GeorBotBinary.yara      |
| 9  | data/yara/leverage.yar            |
| 10 | data/yara/apt1.yara               |
| 11 | data/yara/GeorBotMemory.yara      |
| 12 | data/yara/rats.yara               |
| 13 | data/yara/embedded.yara           |
| 14 | data/yara/urausy_skypedat.yar     |
| 15 | data/yara/fpu.yara                |
+----+-----------------------------------+
Static Analysis – Trojan Dropper
viper 0A37D49E798F50C8F1010D5CFDE0E851 > virustotal
[*] VirusTotal Report:
+----------------------+----------------------------------------------+
| Antivirus            | Signature                                    |
+----------------------+----------------------------------------------+
| nProtect             | Trojan.Downloader.JKVR                       |
| McAfee               | Artemis!0A37D49E798F                         |
| K7GW                 | Trojan-Downloader                            |
| NANO-Antivirus       | Trojan.Win32.Agent.hbmsz                     |
| Symantec             | Downloader                                   |
| TotalDefense         | Win32/FakeDoc_i                              |
| TrendMicro-HouseCall | TROJ_DLOADER.VTG                             |
| Avast                | Win32:Trojan-gen                             |
| ClamAV               | Trojan.Downloader-83571                      |
| Kaspersky            | Trojan-Downloader.Win32.Agent.thb            |
| BitDefender          | Trojan.Downloader.JKVR                       |
| Agnitum              | Trojan.DL.Agent!virRS0ijj7k                  |
| Emsisoft             | Trojan.Downloader.JKVR (B)                   |
| Comodo               | TrojWare.Win32.TrojanDownloader.Agent.thb_30 |
| F-Secure             | Trojan.Downloader.JKVR                       |
| TrendMicro           | TROJ_DLOADER.VTG                             |
| McAfee-GW-Edition    | Artemis!0A37D49E798F                         |
| Sophos               | Troj/DwnLdr-IYR                              |
| Jiangmin             | TrojanDownloader.Agent.boly                  |
| Antiy-AVL            | Trojan/Win32.Agent.gen                       |
| Microsoft            | TrojanDownloader:Win32/Pingbed.A             |
| Commtouch            | W32/Downloader.NIHT-8726                     |
| AhnLab-V3            | Dropper/Malware.101512                       |
+----------------------+----------------------------------------------+
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe sections
[*] PE Sections:
+--------+---------+-------------+-------------+---------------+
| Name   | RVA     | VirtualSize | RawDataSize | Entropy       |
+--------+---------+-------------+-------------+---------------+
| .text  | 0x1000  | 0xbe8f      | 49152       | 6.52204488284 |
| .rdata | 0xd000  | 0x1855      | 6656        | 5.17849300065 |
| .data  | 0xf000  | 0x19cb8     | 512         | 1.31023024266 |
| .CRT   | 0x29000 | 0x10        | 512         | 0.21310128451 |
| .rsrc  | 0x2a000 | 0x7fd8      | 32768       | 5.79943302325 |
+--------+---------+-------------+-------------+---------------+
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe imports
...
[*] DLL: ADVAPI32.dll
- 0x40d000: RegCloseKey
- 0x40d004: RegOpenKeyExA
- 0x40d008: RegQueryValueExA
- 0x40d00c: RegCreateKeyExA
- 0x40d010: RegSetValueExA
...
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe compiletime
[*] Compile Time: 2010-03-14 23:27:58
viper 0A37D49E798F50C8F1010D5CFDE0E851 > yara scan
[*] Scanning 0A37D49E798F50C8F1010D5CFDE0E851 (dbf0436908c9d900e69ea2a108f08061786d299b511265b78620a4401361084b)
viper 0A37D49E798F50C8F1010D5CFDE0E851 > fuzzy
[*] 1 relevant matches found
+-------+----------------------------------+------------------------------------------------------------------+
| Score | Name                             | SHA256                                                           |
+-------+----------------------------------+------------------------------------------------------------------+
| 68%   | 003EE3D21DF82975337AE976F8BA67CC | 2803fba5fbe908f6151597c2a387caef8f00a5f0f194bfc6b4d9f89026d53621 |
+-------+----------------------------------+------------------------------------------------------------------+
Fuzzy hash match info
Dynamic Analysis - Cuckoo
Automated malware analysis. Runs binary files in virtual machines to study their behavior.
• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps
Integrated with yara, virustotal and volatility among other tools. Supports VirtualBox, KVM and VMware.
Dynamic Analysis – Trojan Dropper
Behavioral Analysis – Filesystem
Behavioral Analysis – Network
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ sudo tcpdump -s 0 -XX -AA -nn -r dump.pcap | grep -A 4 63.233.155.6
reading from file dump.pcap, link-type EN10MB (Ethernet)
23:32:20.655808 IP 8.8.8.8.53 > 192.168.56.103.63943: 53551 1/0/0 A 63.233.155.6 (50)
0x0000: 0800 2723 f165 0a00 2700 0000 0800 4500 ..'#.e..'.....E.
0x0010: 004e eca8 0000 2d11 97d7 0808 0808 c0a8 .N....-.........
0x0020: 3867 0035 f9c7 003a ef52 d12f 8180 0001 8g.5...:.R./....
0x0030: 0001 0000 0000 0377 7777 0867 6172 7968 .......www.garyh
--
23:32:20.662766 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0034 10ab 4000 8006 161a c0a8 3867 3fe9 .4..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 8002 .....P..<.......
0x0030: 2000 e231 0000 0204 05b4 0103 0302 0101 ...1............
--
23:32:23.663174 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0034 10c2 4000 8006 1603 c0a8 3867 3fe9 .4..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 8002 .....P..<.......
0x0030: 2000 e231 0000 0204 05b4 0103 0302 0101 ...1............
--
23:32:29.661778 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0030 10dc 4000 8006 15ed c0a8 3867 3fe9 .0..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 7002 .....P..<.....p.
0x0030: 2000 f63a 0000 0204 05b4 0101 0402 ...:..........
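The three frames in the dump are SYNs that carry the same sequence number, which is a client retransmitting because the C2 host never answered. Added example (not part of the slides) that decodes the Ethernet/IPv4/TCP headers of exactly those frames; the hex is copied from the tcpdump output above, cut at the 64 bytes the slide shows, which is enough for the headers but not for the TCP options tail.

```python
import struct

# Hex words of the three SYN frames as printed by tcpdump -XX on the slide
# (offsets 0x0000-0x003f; the third frame is 62 bytes long).
SYN_FRAMES_HEX = [
    "0a00 2700 0000 0800 2723 f165 0800 4500 0034 10ab 4000 8006 161a c0a8 3867 3fe9"
    " 9b06 c00e 0050 9be7 3c9f 0000 0000 8002 2000 e231 0000 0204 05b4 0103 0302 0101",
    "0a00 2700 0000 0800 2723 f165 0800 4500 0034 10c2 4000 8006 1603 c0a8 3867 3fe9"
    " 9b06 c00e 0050 9be7 3c9f 0000 0000 8002 2000 e231 0000 0204 05b4 0103 0302 0101",
    "0a00 2700 0000 0800 2723 f165 0800 4500 0030 10dc 4000 8006 15ed c0a8 3867 3fe9"
    " 9b06 c00e 0050 9be7 3c9f 0000 0000 7002 2000 f63a 0000 0204 05b4 0101 0402",
]

TCP_FLAG_NAMES = {0x02: "SYN", 0x10: "ACK", 0x04: "RST", 0x01: "FIN", 0x08: "PSH"}


def parse_frame(hex_words):
    """Decode one Ethernet frame (tcpdump -XX hex) into its IPv4/TCP header fields."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:   # EtherType must be IPv4
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                           # IPv4 header length in bytes
    if ip[9] != 6:                                     # protocol field: 6 = TCP
        raise ValueError("not TCP")
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    flags = tcp[13]
    names = [name for bit, name in TCP_FLAG_NAMES.items() if flags & bit]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": names, "ip_len": total_len}


def summarise_attempts(frames_hex):
    """Count pure SYNs per (src, dst, dport, seq).

    A count above 1 for the same seq means the SYN was retransmitted, i.e. the
    sandboxed sample kept trying to reach a host that never completed the handshake.
    """
    attempts = {}
    for hx in frames_hex:
        f = parse_frame(hx)
        if f["flags"] == ["SYN"]:
            key = (f["src"], f["dst"], f["dport"], f["seq"])
            attempts[key] = attempts.get(key, 0) + 1
    return attempts


if __name__ == "__main__":
    for (src, dst, dport, seq), n in summarise_attempts(SYN_FRAMES_HEX).items():
        print(f"{src} -> {dst}:{dport} seq={seq}: {n} SYN(s), unanswered")
```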
Behavioral Analysis – Registry
Memory Analysis - Volatility
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py psxview --profile=Win7SP1x86 -f memory.dmp
Volatility Foundation Volatility Framework 2.4
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x7b6fa500 audiodg.exe          960    True   False  True     True   True  True    True
0x7b7afd40 sppsvc.exe           1780   True   False  True     True   True  True    True
0x779fb808 svchost.exe          724    True   False  True     True   True  True    True
0x7b7be710 svchost.exe          1892   True   False  True     True   True  True    True
0x7c4ea7d8 VBoxService.ex       624    True   False  True     True   True  True    True
0x7b6f4030 svchost.exe          900    True   False  True     True   True  True    True
0x7b7bb618 svchost.exe          3376   True   False  True     True   True  True    True
0x7cd99a58 AcroRD32.exe         3080   True   False  True     True   True  True    True
0x7b4fa030 SearchIndexer.       360    True   False  True     True   True  True    True
0x7b94a858 taskhost.exe         2920   True   False  True     True   True  True    True
…
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py memdump --profile=Win7SP1x86 -f memory.dmp -D ./ -p 3080
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing AcroRD32.exe [ 3080] to 3080.dmp
santiago@cuckoo:~$ strings 3080.dmp | grep -i garyhart
www.garyhart.com
w.garyhart.com
w.garyhart.com
w.garyhart.com
www.garyhart.com
st: www.garyhart.com
w.garyhart.com
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
www.garyhart.com
http://www.garyhart.com/nfuse.htm
Memory Analysis - Yara
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ yara /home/santiago/viper/data/yara/apt1.yara 3080.dmp
APT1_WEBC2_UGX 3080.dmp
rule APT1_WEBC2_UGX
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
        $exe = "DefWatch.exe" wide ascii
        $html = "index1.html" wide ascii
        $cmd1 = "!@#tiuq#@!" wide ascii
        $cmd2 = "!@#dmc#@!" wide ascii
        $cmd3 = "!@#troppusnu#@!" wide ascii
    condition:
        3 of them
}
OSSEC - Rootcheck
Used for rootkits and malware detection. It can be used to:
• Look for suspicious files.
• Inspect files and registry keys for common rootkits/malware entries.
• Look for hidden processes and network ports.
OSSEC – Rule for Trojan Dropper
/var/ossec/etc/shared/win_malware_rcl.txt:
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;
p:r:AcroRD32.exe;
OSSEC – Alert for Trojan Dropper
alienvault:/var/ossec/bin# ./rootcheck_control -L -i 001
Policy and auditing events for agent 'Windows7 (001) - 172.16.126.134':
Resolved events:
** No entries found.
Last scan: 2014 Sep 12 18:54:24
Windows Audit: Null sessions allowed.
Windows Malware: Trojan Dropper. File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference: 0A37D49E798F50C8F1010D5CFDE0E851 .
Demo – Alert for Trojan Dropper
Future Work
• Use/create Cuckoo signatures to identify different malware patterns (droppers, downloaders, trojans, rootkits, …)
• Create Cuckoo reporting module to report (JSON) on those patterns that OSSEC can detect.
• Python tool to parse module output and generate rootcheck rules.
• Add/improve OSSEC malware detection capabilities.
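The rootcheck entry shown for the Trojan Dropper (file, Run-key value and process name under a [name] [any|all] [reference] header) is the output the "parse module output and generate rootcheck rules" item in Future Work would produce. Added example, not code from the slides, OSSEC or Cuckoo: it renders that entry from a JSON summary whose layout is an assumed format for such a reporting module, not a real Cuckoo schema; the values are the ones from the dropper slides.

```python
import json

# Constructed input in the assumed reporting-module format.  The indicators are
# the ones shown on the Trojan Dropper slides.
SAMPLE_REPORT = json.dumps({
    "name": "Trojan Dropper",
    "md5": "0A37D49E798F50C8F1010D5CFDE0E851",
    "match": "all",
    "files": [r"C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe"],
    "registry": [{
        "key": r"HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run",
        "entry": "Acroread",
        "value_regex": "AcroRD32.exe",
    }],
    "processes": ["AcroRD32.exe"],
})

HEX_DIGITS = set("0123456789abcdefABCDEF")


def _token(text):
    """rootcheck separates fields with ' -> ' and ends a line with ';', so a
    value containing either would change the meaning of the rule."""
    if ";" in text or "->" in text:
        raise ValueError(f"unsafe rootcheck token: {text!r}")
    return text


def rootcheck_entry(report):
    """Return the rcl entry (list of lines) for one behaviour report."""
    match = report.get("match", "any")
    if match not in ("any", "all"):
        raise ValueError("match must be 'any' or 'all'")
    md5 = report.get("md5", "")
    if len(md5) != 32 or not set(md5) <= HEX_DIGITS:
        raise ValueError("reference must be a 32-hex-digit MD5")
    lines = [f"[{_token(report['name'])}] [{match}] [{md5.upper()}]"]
    for path in report.get("files", []):                 # f: file exists
        lines.append(f"f:{_token(path)};")
    for reg in report.get("registry", []):               # r: key -> entry -> r:value regex
        lines.append(f"r:{_token(reg['key'])} -> {_token(reg['entry'])}"
                     f" -> r:{_token(reg['value_regex'])};")
    for proc in report.get("processes", []):             # p:r: running process name regex
        lines.append(f"p:r:{_token(proc)};")
    if len(lines) == 1:
        raise ValueError("report carries no indicator to check")
    return lines


def generate_rcl(report_json):
    """Parse the JSON report and render a block ready to append to win_malware_rcl.txt."""
    return "\n".join(rootcheck_entry(json.loads(report_json))) + "\n"


if __name__ == "__main__":
    print(generate_rcl(SAMPLE_REPORT), end="")
```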
Thank you! 
santiago@alienvault.com 
@santiagobassett
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 

Malware Detection with OSSEC HIDS - OSSECCON 2014

• 1. Malware detection with OSSEC
@santiagobassett

• 2. Setting up a malware lab
Collection - Analysis - Detection

• 3. MW collection techniques
  • Honeypots
  • Web spiders (honeyclients)
  • Malware crawlers

• 4. Honeypot
Dionaea: Low interaction honeypot that emulates vulnerable network services.
https://github.com/rep/dionaea (written in C)

santiago@cuckoo:~$ nmap dionaea
Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 21:04 PDT
Nmap scan report for dionaea (54.235.216.XXX)
Host is up (0.070s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
42/tcp   open  nameserver
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds

• 5. Honeypot results
  • Captured 126 unique binaries in 3 months
  • Highly detected by clamav (80%)

santiago@dionaea:/opt/dionaea/var/dionaea/binaries# clamscan *
…
----------- SCAN SUMMARY -----------
Known viruses: 3517573
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 126
Infected files: 101
Data scanned: 17.65 MB
Data read: 18.11 MB (ratio 0.97:1)
Time: 56.447 sec (0 m 56 s)
• 6. Honeyclient
Thug: Low interaction honeyclient, used to detect drive-by-download attacks.
https://github.com/buffer/thug (Python)
Thug emulates:
  • Core browser functionality
  • ActiveX controls
  • Browser plugins

• 7. Drive by download attack
http://urlquery.net/report.php?id=1410227505197

• 8. Honeyclient results
santiago@mwcollector:~/thug/src$ ./thug.py webgalleriet.no/
[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Status: 200, Referrer: http://www.webgalleriet.no/)
[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Content-type: application/javascript, MD5: d484fa08997df765852c6ad283ec52c6)
[2014-09-11 22:58:31] <iframe align="center" frameborder="no" height="2" name="Twitter" scrolling="auto" src="http://168bet.com/cocs.html?j=1095012" width="2"></iframe>
[2014-09-11 22:58:31] [iframe redirection] http://www.webgalleriet.no/ -> http://168bet.com/cocs.html?j=1095012
[2014-09-11 22:58:31] [URL Classifier] URL: http://168bet.com/cocs.html?j=1095012 (Rule: Redkit 1, Classification: Landing page, Exploit Kit)

• 9. Malware crawlers
Retrieve files using malware tracking sites.
https://github.com/technoskald/maltrieve (Python)
https://code.google.com/p/malware-crawler/ (Python)

Feeds:
http://malc0de.com/rss
http://www.malwareblacklist.com/mbl.xml
http://www.malwaredomainlist.com/hostslist/mdl.xml
http://vxvault.siri-urz.net/URL_List.php
http://urlquery.net/
http://support.clean-mx.de/clean-mx/xmlviruses.php

• 11. Malware crawlers results
  • Captured 345 unique binaries in 15 minutes
  • Poorly detected by clamav (16%)

santiago@mwcollector:~/binaries/maltrieve$ clamscan *
…
----------- SCAN SUMMARY -----------
Known viruses: 3517100
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 235
Infected files: 38
Data scanned: 164.24 MB
Data read: 143.86 MB (ratio 1.14:1)
Time: 254.462 sec (4 m 14 s)
• 12. Malware database - Viper
Binary analysis and management framework.
https://github.com/botherder/viper (Python)

• 13. Static Analysis - Yara
Flexible, human-readable rules for identifying malicious streams.
Can be used to analyze:
  • files
  • memory (volatility)
  • network streams

private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii
        $str1 = /Setup=[\s\w"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii
    condition:
        all of ($winrar*) and 1 of ($str*)
}

• 14. Static Analysis - Yara
rule APT1_WEBC2_TABLE
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $msg1 = "Fail To Execute The Command" wide ascii
        $msg2 = "Execute The Command Successfully" wide ascii
        $gif1 = /\w+\.gif/
        $gif2 = "GIF89" wide ascii
    condition:
        3 of them
}

viper > find name 3f2fda43121d888428b66717b984a7fb
+---+----------------------------------+-----------------------+----------------------------------+------+
| # | Name                             | Mime                  | MD5                              | Tags |
+---+----------------------------------+-----------------------+----------------------------------+------+
| 1 | 3F2FDA43121D888428B66717B984A7FB | application/x-dosexec | 3f2fda43121d888428b66717b984a7fb | apt  |
+---+----------------------------------+-----------------------+----------------------------------+------+
viper > open -l 1
[*] Session opened on /home/santiago/viper/binaries/6/a/f/2/6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e
viper 3F2FDA43121D888428B66717B984A7FB > yara scan
[*] Scanning 3F2FDA43121D888428B66717B984A7FB (6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e)
+------------------+--------+--------+----------------------------------+
| Rule             | String | Offset | Content                          |
+------------------+--------+--------+----------------------------------+
| APT1_WEBC2_TABLE | $msg1  | 440032 | Fail To Execute The Command      |
| APT1_WEBC2_TABLE | $msg2  | 440060 | Execute The Command Successfully |
| APT1_WEBC2_TABLE | $gif1  | 440100 | sdwefa.gif                       |
| APT1_WEBC2_TABLE | $gif1  | 440101 | dwefa.gif                        |
| APT1_WEBC2_TABLE | $gif1  | 440102 | wefa.gif                         |
| APT1_WEBC2_TABLE | $gif1  | 440103 | efa.gif                          |
| APT1_WEBC2_TABLE | $gif1  | 440104 | fa.gif                           |
| APT1_WEBC2_TABLE | $gif1  | 440105 | a.gif                            |
| APT1_WEBC2_TABLE | $gif2  | 440112 | GIF89                            |
+------------------+--------+--------+----------------------------------+
viper 3F2FDA43121D888428B66717B984A7FB > yara rules
+----+-----------------------------------+
| #  | Path                              |
+----+-----------------------------------+
| 1  | data/yara/hangover.yara           |
| 2  | data/yara/citizenlab.yara         |
| 3  | data/yara/APT_NGO_wuaclt_PDF.yara |
| 4  | data/yara/kins.yara               |
| 5  | data/yara/themask.yara            |
| 6  | data/yara/vmdetect.yara           |
| 7  | data/yara/index.yara              |
| 8  | data/yara/GeorBotBinary.yara      |
| 9  | data/yara/leverage.yar            |
| 10 | data/yara/apt1.yara               |
| 11 | data/yara/GeorBotMemory.yara      |
| 12 | data/yara/rats.yara               |
| 13 | data/yara/embedded.yara           |
| 14 | data/yara/urausy_skypedat.yar     |
| 15 | data/yara/fpu.yara                |
+----+-----------------------------------+
• 15. Static Analysis - Trojan Dropper
viper 0A37D49E798F50C8F1010D5CFDE0E851 > virustotal
[*] VirusTotal Report:
+----------------------+----------------------------------------------+
| Antivirus            | Signature                                    |
+----------------------+----------------------------------------------+
| nProtect             | Trojan.Downloader.JKVR                       |
| McAfee               | Artemis!0A37D49E798F                         |
| K7GW                 | Trojan-Downloader                            |
| NANO-Antivirus       | Trojan.Win32.Agent.hbmsz                     |
| Symantec             | Downloader                                   |
| TotalDefense         | Win32/FakeDoc_i                              |
| TrendMicro-HouseCall | TROJ_DLOADER.VTG                             |
| Avast                | Win32:Trojan-gen                             |
| ClamAV               | Trojan.Downloader-83571                      |
| Kaspersky            | Trojan-Downloader.Win32.Agent.thb            |
| BitDefender          | Trojan.Downloader.JKVR                       |
| Agnitum              | Trojan.DL.Agent!virRS0ijj7k                  |
| Emsisoft             | Trojan.Downloader.JKVR (B)                   |
| Comodo               | TrojWare.Win32.TrojanDownloader.Agent.thb_30 |
| F-Secure             | Trojan.Downloader.JKVR                       |
| TrendMicro           | TROJ_DLOADER.VTG                             |
| McAfee-GW-Edition    | Artemis!0A37D49E798F                         |
| Sophos               | Troj/DwnLdr-IYR                              |
| Jiangmin             | TrojanDownloader.Agent.boly                  |
| Antiy-AVL            | Trojan/Win32.Agent.gen                       |
| Microsoft            | TrojanDownloader:Win32/Pingbed.A             |
| Commtouch            | W32/Downloader.NIHT-8726                     |
| AhnLab-V3            | Dropper/Malware.101512                       |

viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe sections
[*] PE Sections:
+--------+---------+-------------+-------------+---------------+
| Name   | RVA     | VirtualSize | RawDataSize | Entropy       |
+--------+---------+-------------+-------------+---------------+
| .text  | 0x1000  | 0xbe8f      | 49152       | 6.52204488284 |
| .rdata | 0xd000  | 0x1855      | 6656        | 5.17849300065 |
| .data  | 0xf000  | 0x19cb8     | 512         | 1.31023024266 |
| .CRT   | 0x29000 | 0x10        | 512         | 0.21310128451 |
| .rsrc  | 0x2a000 | 0x7fd8      | 32768       | 5.79943302325 |
+--------+---------+-------------+-------------+---------------+

viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe imports
...
[*] DLL: ADVAPI32.dll
  - 0x40d000: RegCloseKey
  - 0x40d004: RegOpenKeyExA
  - 0x40d008: RegQueryValueExA
  - 0x40d00c: RegCreateKeyExA
  - 0x40d010: RegSetValueExA
...

viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe compiletime
[*] Compile Time: 2010-03-14 23:27:58

viper 0A37D49E798F50C8F1010D5CFDE0E851 > yara scan
[*] Scanning 0A37D49E798F50C8F1010D5CFDE0E851 (dbf0436908c9d900e69ea2a108f08061786d299b511265b78620a4401361084b)

viper 0A37D49E798F50C8F1010D5CFDE0E851 > fuzzy
[*] 1 relevant matches found
+-------+----------------------------------+------------------------------------------------------------------+
| Score | Name                             | SHA256                                                           |
+-------+----------------------------------+------------------------------------------------------------------+
| 68%   | 003EE3D21DF82975337AE976F8BA67CC | 2803fba5fbe908f6151597c2a387caef8f00a5f0f194bfc6b4d9f89026d53621 |
+-------+----------------------------------+------------------------------------------------------------------+

• 16. Fuzzy hash match info
• 17. Dynamic Analysis - Cuckoo
Automated malware analysis. Runs binary files in virtual machines to study their behavior.
  • Traces Win32 API calls
  • Files created, deleted and downloaded
  • Memory dumps of malicious processes
  • Network traffic pcaps
Integrated with yara, virustotal and volatility among other tools.
Supports VirtualBox, KVM and VMware.

• 18. Dynamic Analysis - Trojan Dropper

• 19. Behavioral Analysis - Filesystem

• 20. Behavioral Analysis - Filesystem

• 21. Behavioral Analysis - Network

• 22. Behavioral Analysis - Network

• 23. Behavioral Analysis - Network
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ sudo tcpdump -s 0 -XX -AA -nn -r dump.pcap | grep -A 4 63.233.155.6
reading from file dump.pcap, link-type EN10MB (Ethernet)
23:32:20.655808 IP 8.8.8.8.53 > 192.168.56.103.63943: 53551 1/0/0 A 63.233.155.6 (50)
23:32:20.662766 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
23:32:23.663174 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
23:32:29.661778 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,nop,sackOK], length 0
(The DNS answer for www.garyhart.com resolves to 63.233.155.6; the sample then retries a TCP connection to port 80 of that host, which never answers.)

• 24. Behavioral Analysis - Registry
• 25. Memory Analysis - Volatility
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py psxview --profile=Win7SP1x86 -f memory.dmp
Volatility Foundation Volatility Framework 2.4
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x7b6fa500 audiodg.exe          960    True   False  True     True   True  True    True
0x7b7afd40 sppsvc.exe           1780   True   False  True     True   True  True    True
0x779fb808 svchost.exe          724    True   False  True     True   True  True    True
0x7b7be710 svchost.exe          1892   True   False  True     True   True  True    True
0x7c4ea7d8 VBoxService.ex       624    True   False  True     True   True  True    True
0x7b6f4030 svchost.exe          900    True   False  True     True   True  True    True
0x7b7bb618 svchost.exe          3376   True   False  True     True   True  True    True
0x7cd99a58 AcroRD32.exe         3080   True   False  True     True   True  True    True
0x7b4fa030 SearchIndexer.       360    True   False  True     True   True  True    True
0x7b94a858 taskhost.exe         2920   True   False  True     True   True  True    True
…

santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py memdump --profile=Win7SP1x86 -f memory.dmp -D ./ -p 3080
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing AcroRD32.exe [ 3080] to 3080.dmp

santiago@cuckoo:~$ strings 3080.dmp | grep -i garyhart
www.garyhart.com
w.garyhart.com
w.garyhart.com
w.garyhart.com
www.garyhart.com
st: www.garyhart.com
w.garyhart.com
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
www.garyhart.com
http://www.garyhart.com/nfuse.htm

• 26. Memory Analysis - Yara
santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ yara /home/santiago/viper/data/yara/apt1.yara 3080.dmp
APT1_WEBC2_UGX 3080.dmp

rule APT1_WEBC2_UGX
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
        $exe = "DefWatch.exe" wide ascii
        $html = "index1.html" wide ascii
        $cmd1 = "!@#tiuq#@!" wide ascii
        $cmd2 = "!@#dmc#@!" wide ascii
        $cmd3 = "!@#troppusnu#@!" wide ascii
    condition:
        3 of them
}

• 27. OSSEC - Rootcheck
Used for rootkits and malware detection. It can be used to:
  • Look for suspicious files.
  • Inspect files and registry keys for common rootkits/malware entries.
  • Look for hidden processes and network ports.

• 28. OSSEC - Rule for Trojan Dropper
/var/ossec/etc/shared/win_malware_rcl.txt:

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;
p:r:AcroRD32.exe;

The entry header is [name] [any|all] [reference]; with "all", every check below it must match. f: tests for the dropped file, r: tests the Run key for a value named Acroread whose data matches the regex AcroRD32.exe, and p: tests for a running process whose name matches the regex.

• 29. OSSEC - Alert for Trojan Dropper
alienvault:/var/ossec/bin# ./rootcheck_control -L -i 001

Policy and auditing events for agent 'Windows7 (001) - 172.16.126.134':

Resolved events:
** No entries found.

Last scan: 2014 Sep 12 18:54:24
Windows Audit: Null sessions allowed.
Windows Malware: Trojan Dropper. File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference: 0A37D49E798F50C8F1010D5CFDE0E851 .

• 30. Demo - Alert for Trojan Dropper

• 31. Future Work
  • Use/create Cuckoo signatures to identify different malware patterns (droppers, downloaders, trojans, rootkits, …)
  • Create Cuckoo reporting module to report (JSON) on those patterns that OSSEC can detect.
  • Python tool to parse module output and generate rootcheck rules.
  • Add/improve OSSEC malware detection capabilities.
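The last two items of the future work sketch a Python tool that turns Cuckoo's JSON output into rootcheck rules. The following is an added example of that idea, not the speaker's tool or code from Cuckoo or OSSEC; it assumes a simplified Cuckoo report layout (constructed inline, with the MD5, path and SID from slide 28) and emits an entry in the win_malware_rcl.txt format shown on that slide.

```python
"""Generate an OSSEC rootcheck entry from a Cuckoo-style analysis report.

Added example for this page, not the talk's tool. It assumes a simplified
Cuckoo report layout (constructed below) in which Run-key writes appear in
behavior.summary.keys with the value name as the final path component;
real Cuckoo reports need the API trace (RegSetValueEx arguments) for that.
"""
import json
import re

# Registry Run key with a trailing value name, e.g. ...\CurrentVersion\Run\Acroread
RUN_KEY = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Heuristic: files written under a user's AppData or Temp tree are the dropped payload.
DROP_DIR = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)

# Constructed sample report; MD5, path and SID are the ones shown on slide 28.
SAMPLE_REPORT = json.dumps({
    "target": {"file": {"md5": "0a37d49e798f50c8f1010d5cfde0e851"}},
    "behavior": {
        "summary": {
            "files": [
                "C:\\Users\\IEUser\\AppData\\Local\\Temp\\AcroRD32.exe",
                "C:\\Windows\\System32\\kernel32.dll",
            ],
            "keys": [
                "HKEY_USERS\\S-1-5-21-3463664321-2923530833-3546627382-1000"
                "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Acroread",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
            ],
        },
        "processes": [{"process_name": "sample.exe"}, {"process_name": "AcroRD32.exe"}],
    },
})

# Constructed report with no persistence artifacts: nothing for rootcheck to test.
EMPTY_REPORT = json.dumps({
    "target": {"file": {"md5": "00000000000000000000000000000000"}},
    "behavior": {"summary": {"files": [], "keys": []}, "processes": []},
})


def build_rule(report_json, name="Trojan Dropper"):
    """Return a win_malware_rcl.txt entry, or None when the report yields no checks.

    Entry layout: "[Name] [all] [reference]" followed by f: (file path),
    r: (registry key -> value name -> regex on value data) and p: (process
    name regex) checks, one per line, each terminated by a semicolon.
    """
    report = json.loads(report_json)
    md5 = report["target"]["file"]["md5"].upper()
    summary = report["behavior"]["summary"]
    running = {p["process_name"].lower() for p in report["behavior"]["processes"]}

    dropped = [f for f in summary["files"] if DROP_DIR.search(f)]
    exes = sorted({f.rsplit("\\", 1)[-1] for f in dropped if f.lower().endswith(".exe")})

    checks = [f"f:{path};" for path in dropped]
    for key in summary["keys"]:
        m = RUN_KEY.match(key)
        if m:
            # Expect the Run value's data to name one of the dropped executables.
            checks += [f"r:{m['key']} -> {m['value']} -> r:{exe};" for exe in exes]
    # Only emit a process check for dropped executables actually seen running.
    checks += [f"p:r:{exe};" for exe in exes if exe.lower() in running]

    if not checks:
        return None
    # [all]: every check must match, which keeps false positives down.
    return "\n".join([f"[{name}] [all] [{md5}]", *checks])


if __name__ == "__main__":
    print(build_rule(SAMPLE_REPORT))
```

A per-user HKEY_USERS\<SID> key is specific to the analysis VM, so generated entries still need an analyst's review before being shipped to agents.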