(My) Brucon 2017 notes (1)

Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.

Detecting malware when it is encrypted – machine learning for network https analysis

The goal is to find a way to detect malware using htps without decrypting the traffic.

Context:

  • 1/2 of the world wide Internet traffic is encrypted
  • 10%-40% of all malware traffic is encrypted
  • the encryption interferes with the efficacy of classical detection techniques

Some solutions to the problems:

  • TLS inspection; basically is the reverse proxy which is in the middle between the server and the client
    • advantage – can use the classical detection method
    • drawback – proxy server is expensive.
    • drawback – computationally demanding
  • try to find with no HTTPS decryption

Detect malware with no HTTPS decryption

Dataset used:

Used the pro ids product to capture different logs:

  • connection.log/s
  • ssl.log/s
  • x509.log/s

All this logs will be aggregated in order to create ssl aggregations and then generate a ssl-connect-units (each ssl-connect-unit represents a SSL connection). Each ssl-connect-unit have a source IP, destination IP, destination port, protocol and other 40 features (properties) like number of packages, number of bytes, number of different certificates, ratio of established and not established states .

A data set was created from all this ssl-connection-units and machine learning algorithms have been used against this dataset.

(ML) Algorithms used

  • XGBoost (Extreme Gradient Boosting)
  • Random forest
  • Neural network
  • svm

After using all this ML algorithms the features that have been identified as the most important ones to detect malware traffic:

  • certificate length of validity
  • inbound and outbound packets
  • number of domains in certificate
  • ssl/tls version
  •  periodicity

 

Knock Knock… Who’s there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.

The talk was about malware brute force attacks of WordPress web sites which is the most used CMS product.

historical overview of the brute-force malware

2009 – first distributed brute force attack against WordPress
2013 – firstDisco also isntalled backdoors in the system
2014 – Mayhem
2015 – Aetra
2015 – CMS Catcher
2015- Troldeshkey
2017 – Stantinko

deep dive of SATHURBOT malware

modular botnet , 4 modules:

  • backdoor module
  • crawling module
  •  brute force module

Evading Microsoft ATA for Active Directory Domination

Microsoft ATA

  • Microsoft Advanced Threat Analytics
  • a product that detects attacks by reading traffic
  • how is deployed; an ATA gateway that intercepts the traffic

Threats detected by ATA:

  • recon
  • compromised credentials
  • lateral movement
  • domain dominance

Evading ATA :

  •  not poking the DC (Domain Controller) is the key
  • If you can’t bypass it then ovoid it by minimal talk with the DC

Atacking ATA deployment:

  • ATA console can be identified with basic banner grabbing.

Secure channels: Building real world crypto systems

What are secure channels – goal is to guarantee the confidentiality and integrity of data travelling over untrusted network.

objectives of a secure channel:

  • confidentiality
  • integrity establishment
  • authenticity

Constructing a secure channel:

  • need a way to exchange keys; keys establishment protocol
  • need a key derivation phase

Secure channel protocol design phases :

  • channel establishment
  • key establishment
  • secure data transfer
  • finish the protocol

How to build efficient security awareness programs

Some quotes from the talk:

  • Security problems are arising where more than one security technology are overlapping.
  • Stop trying to fix human behavior with tech only;maybe that are other ways to fix that.
  • Security isn’t always a business problem, but it’s always a human problem.
  • Tools to fix the human factor in security:
    • Fear
    • Incentives
    • Habits
      • trigger
      • routine
      • reward
      • repeat

Open Source Security Orchestration

Context:

  • multiple cloud severs, all using same Fail2ban jail.
  • How can make the different servers communicate.

In security operations most of the workflows are manual despite of multitude of solutions.
Different scenarios on which the automation could help a lot:

  • firewall role propagation scenario
  • drop propagation scenario
  • prevent known threats scenario
  • capture threat activity scenario

How to do the orchestration: using Adaptive Network Protocol (ANP)

  • developed so that nodes can share event information with each other
  • needed an ANP agent installed on each node.

(My) BruCON 2015 notes (4)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

The malware is just code so, as any other code it is possible (in theory) to analyze/reverse engineer it manually.

The triage is one of the functions of the incident response program and must answer the following three questions regarded to a specific input:

  • is the input malicious ?
  • if yes, what is exploiting ?
  • are we exposed ?

Triage is not malware analysis and should be quick and efficient. The triage workflow:

  • passive analysis.
  • first interaction and download.
    • some malware are crafted to be able to interact with the initial URL only limited number of times
    • some malware could profile your browser, check the browser version, platform, or use the user agent script to decide if the exploit can be executed or not.
    • some tools:useragentstring.com (to check your user agent), onlinecurl.com (on-line version of curl, copy paste a url and you get back the response), hurl.it (idem as previous one).
  • web component analysis.
    • once you have the web component (which is typically an html page + JavaScript) you could try to analyze it.
    • use jsBeautify.org to try to have something human readable in case the code is obfuscated.
    • try to use the browser debugger, eventually change JavaScript eval expressions.
  • exploit analysis.
    • can use showmycode.com to understand the exploit; it is capable to decompile Java, Flash, .Net, PHP
    • sometimes you can blindly search the metasploit exploit template library
  • payload extraction.
  • payload analysis.
    • can submit the file/s to VirusTotal or malwr (virtualized Cuckoo instances).
    • malwr can give you infos about the registry keys created, network traffic.
  • build IOCs (Indication Of Compromise).
    • collection of indicators which can be used to describe a compromised system.

This was an workshop, so the participants had to play with some of the tools. Here is the quick workflow that i followed:

start from a url -> use the onlinecurl.com to get the response (initial interaction) -> saved the response on a file and used to browser debugger to understand what the component is doing (web component analysis)-> get from the JavaScript another url that contains a link to a Java .class file -> use it showmycode.com to decompile the class file (exploit analysis)-> write some Java code to decode parts of the exploit and execute it on ideone.com (payload extraction)-> …time over :(.

Shlomi Zeltsinger

Blockchain made simple