MyNOG, profile picture
Uploaded byMyNOG
PDF, PPTX3,779 views

Zero Day Malware Detection/Prevention Using Open Source Software

The document outlines a proof of concept for zero-day malware detection and prevention using open-source software by the Cybersecurity Malaysia team. It discusses the need for advanced security measures due to the increasing sophistication of malware-centric cyber attacks, introduces various open-source components and tools, and details the process for capturing and analyzing malicious content in a network environment. Furthermore, it emphasizes the importance of collaboration and continuous improvement in detection and remediation strategies against cyber threats.

Download as PDF, PPTX
Copyright © 2015 CyberSecurity MalaysiaCopyright © 2015 CyberSecurity Malaysia ZERO DAY MALWARE DETECTION/PREVENTION USING OPEN SOURCE SOFTWARE PROOF OF CONCEPT Malware Research Center MyCERT
Copyright © 2015 CyberSecurity Malaysia Outline • Introduction • Motivations • Objective • Process Flow • The Open Source components • Moving Forward 2
Copyright © 2015 CyberSecurity Malaysia Introduction • Fathi Kamil Bin Mohad Zainuddin. • Senior Analyst in Malware Research Centre, MyCERT. 3
Copyright © 2015 CyberSecurity Malaysia Introduction • Computer security issues have emerged ever since the Internet was introduced. Organizations and security researchers have increased the efforts in ensuring that security threats are detected and mitigated in a timely manner. Today, as computer attacks tend to be malware- centric, the cyber criminals have introduced sophistication in their attack techniques that makes the traditional way of protecting the enterprise with firewalls, intrusion detection systems and antivirus software at the network perimeter ineffective. 4
Copyright © 2015 CyberSecurity Malaysia Introduction • To produce tools or capability on 0-day malware detection / prevention using open source software. • There are many Open Source network security components doing their purpose very well in the market. • Known Open Source network security product such as Snort, Suricata, Dionaea, Kippo, Glastopf, Ntop, Xplico, Wireshark, etc. • All we need is to glue them to achieve our purpose. 5
Copyright © 2015 CyberSecurity Malaysia Motivations • We have deployed LebahNet (Honeynet) previously, but later we found out that: – Dionaea plugins are difficult to maintain in order to follow the vulnerability trends to get new malware binaries. – We need an expert to maintain the plugins. – We have done some attack simulation using Metasploit but produced poor results. Not all vulnerability attacks captured by Dionaea. • Network packets contains many information which might also include malicious documents, binaries and web communication which are not extracted from the network. 6
Copyright © 2015 CyberSecurity Malaysia Objective • Capture & identify the malicious documents, binaries, and web accesses from the network through packet capturing. • Simulating the malicious files / webs in sandbox environment. • Collect known malicious information provided by sandbox into a central database. • Generate callback signature from sandbox result to detect/prevent further malicious activities. • Distribute malicious information among sensors. 7
Copyright © 2015 CyberSecurity Malaysia Components – Network IDS / IPS 8 • Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. • Top 3 reasons: – Highly Scalable. – Protocol Identification. – File Identification, MD5 Checksums, and File Extraction. • For the purpose, Suricata can produce: – Alert log. – File extraction based on signature within HTTP & SMTP. http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/ http://blog.inliniac.net/2014/11/11/smtp-file-extraction-in-suricata/ – HTTP log.
Copyright © 2015 CyberSecurity Malaysia Components – Network IDS / IPS • Enabling file extraction - /etc/suricata/suricata.yml 9
Copyright © 2015 CyberSecurity Malaysia Components – Network IDS / IPS • Suricata file extraction rules - /etc/suricata/rules/files.rules 10
Copyright © 2015 CyberSecurity Malaysia Components – Network IDS / IPS • File extraction output - /var/log/suricata/files/ 11
Copyright © 2015 CyberSecurity Malaysia Components – Network IDS / IPS • HTTP Logs 12
Copyright © 2015 CyberSecurity Malaysia Components – Network IDS / IPS • Drawback - High CPU processing • Suricata is a high performance NIDS/NIPS and utilizing all CPU cores compared to Snort NIDS/NIPS. It will utilizing GPU cores. • PF_RING can be used to bypass Linux OS TCP/IP stack. Suricata running in userspace will get direct access to the network buffer from the network card (kernelspace) without going through most of OS layers. • You might want to read an article in 2012 “Suricata, to 10Gbps and beyond” https://home.regit.org/2012/07/suricata-to-10gbps-and- beyond/ 13
Copyright © 2015 CyberSecurity Malaysia Components – Sandboxing 14 • Cuckoo Sandbox is a malware analysis system. • It produces native functions and Windows API calls traces, copies of files created and deleted from the file system, dump of the memory of the selected process, full memory dump of the analysis machine, screenshots of the desktop during the execution of the malware analysis, network dump generated by the machine used for the analysis. • For the purpose, extracted files / web access from the Suricata will be tested in simulation environment using Cuckoo Sandbox.
Copyright © 2015 CyberSecurity Malaysia Components – Sandboxing (Anti- VM) • Nowadays malware equipped with anti-VM code to detect if it is running inside sandbox environment through registry, CPU flags, BIOS, file system, etc. • Bypassing Sandboxes For Fun https://www.botconf.eu/bypassing-sandboxes-for-fun/ • Defeat anti-VM malware, refer VMCloak, VBoxAntiVMDetectHardened, etc. • You can try using Pafish to detect whether you are running inside virtualization / sandbox environment. https://github.com/a0rtega/pafish 15
Copyright © 2015 CyberSecurity Malaysia Components – Sandboxing (Anti- VM) • Hardened Anti-VM Detection 16
Copyright © 2015 CyberSecurity Malaysia Components – Sandboxing (Anti- VM) • Sandbox detection using Pafish 17
Copyright © 2015 CyberSecurity Malaysia Components – SSL Decryption • viewssld - SSL Decryption for Network Monitoring. • Nowadays malware exploiting SSL encryption to bypass network security detection. • IT security admin can enforce HTTPS / SSL interception by registering Firewall / Proxy root certificate for every PC inside an organization. • By providing private key to viewssld, it can decrypt every HTTPS communication and send to Network IDS for malware collection & intrusion alert. 18
Copyright © 2015 CyberSecurity Malaysia Process Flow 19
Copyright © 2015 CyberSecurity Malaysia Moving Forward • Enhancing Cuckoo sandbox environment • Defeating Anti-VM / Sandbox Hardening • Exploitation detection (Buffer/Heap Overflow, Payload) • Produce more valuable information • Improve the process flow 20
Copyright © 2015 CyberSecurity Malaysia Malware Research Lab (Tools) • Our team has also developed tools for our daily operation: – BotNet Checker: Botnet detection based on IP address. – LebahNet: Distributed Honeynet. – MyKotakPasir: Virtualization sandboxing. – AndBox: Android sandboxing. – ESPot: ElasticSearch Honeypot. – DontExploitMe: Browser Based IPS. – DontPhishMe: Phishing Site Blocker for Browser (Firefox, Chrome, Internet Explorer). – MyLipas: Web Defacement Crawler. – Many others. 21
Copyright © 2015 CyberSecurity Malaysia Malware Research Lab (Tools) • BotNet Checker – http://botnet.honeynet.org.my/ 22
Copyright © 2015 CyberSecurity Malaysia Malware Research Lab (Tools) • DontPhishMe & Antiphishing.My – https://www.antiphishing.my/ 23
Copyright © 2015 CyberSecurity Malaysia • Coordinated Malware Eradication And Remediation Project (CMERP) & CyberDEF (Detection, Eradication & Forensics) What is it? • A comprehensive solution for detection, eradication and forensic of malware in cyberspace What are the benefits? • Helps organization to strengthen and defend their organisation by preparing the CSIRT team with required skill, policy and procedure in place • The capability of the team will be strengthen by participating in cyber exercise activity tailored for the organization • With the necessary resources and skills in place, steps and measures can be taken to eradicate threat 24
Copyright © 2015 CyberSecurity Malaysia Contacts • Web: http://www.cybersecurity.my • Web: http://www.mycert.org.my • Web: www.cybersafe.my • Report Incident: cyber999@cybersecurity.my 25
Copyright © 2015 CyberSecurity Malaysia26 Q&A
Copyright © 2015 CyberSecurity MalaysiaCopyright © 2015 CyberSecurity Malaysia

More Related Content

PPTX
Kali linux
byAadhithyanPandian
 
PDF
GitOps A/B testing with Istio and Helm
byWeaveworks
 
PPSX
Desktop and Server Security
byAbhinit Kumar Sharma
 
PPTX
Kali Linux
byChanchal Dabriya
 
PDF
Open Vulnerability Assesment System (OpenVAS)
byInformation Technology Inistitute
 
PPTX
kali linux Presentaion
byDev Gandhi
 
PPTX
Unbreakable SharePoint 2016 with SQL Server 2016 Always On Availability groups
byserge luca
 
PPTX
OpenVAS: Vulnerability Assessment Scanner
byChandrak Trivedi
 
Kali linux
byAadhithyanPandian
 
GitOps A/B testing with Istio and Helm
byWeaveworks
 
Desktop and Server Security
byAbhinit Kumar Sharma
 
Kali Linux
byChanchal Dabriya
 
Open Vulnerability Assesment System (OpenVAS)
byInformation Technology Inistitute
 
kali linux Presentaion
byDev Gandhi
 
Unbreakable SharePoint 2016 with SQL Server 2016 Always On Availability groups
byserge luca
 
OpenVAS: Vulnerability Assessment Scanner
byChandrak Trivedi
 

What's hot

PPTX
FreeIPA - Attacking the Active Directory of Linux
byJulian Catrambone
 
PPTX
kali linux
byDarshan Dalwadi
 
PPTX
Keyloggers
bykdore
 
PPTX
Container Orchestration using kubernetes
byPuneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
PDF
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
byEdureka!
 
PPTX
John the ripper & hydra password cracking tool
byMd. Raquibul Hoque
 
PPTX
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
byRhydham Joshi
 
PPT
presentation on Docker
byVirendra Ruhela
 
PPTX
Netcat - A Swiss Army Tool
byChandrapal Badshah
 
PDF
Ethical Hacking & Penetration Testing
bySurachai Chatchalermpun
 
PPTX
What Is Docker? | What Is Docker And How It Works? | Docker Tutorial For Begi...
bySimplilearn
 
PDF
Tools kali
byketban0702
 
PPTX
Wireshark
byKasun Madusanke
 
PPTX
Terminal Commands (Linux - ubuntu) (part-1)
byraj upadhyay
 
PDF
Kubernetes Deployment Strategies
byAbdennour TM
 
PPTX
Introduction of netty
byBing Luo
 
PDF
7 linux fdisk command examples to manage hard disk partition
bychinkshady
 
PPTX
Bash Shell Scripting
byRaghu nath
 
PPTX
AWS CloudFormation Session
byKamal Maiti
 
FreeIPA - Attacking the Active Directory of Linux
byJulian Catrambone
 
kali linux
byDarshan Dalwadi
 
Keyloggers
bykdore
 
Container Orchestration using kubernetes
byPuneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
byEdureka!
 
John the ripper & hydra password cracking tool
byMd. Raquibul Hoque
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
byRhydham Joshi
 
presentation on Docker
byVirendra Ruhela
 
Netcat - A Swiss Army Tool
byChandrapal Badshah
 
Ethical Hacking & Penetration Testing
bySurachai Chatchalermpun
 
What Is Docker? | What Is Docker And How It Works? | Docker Tutorial For Begi...
bySimplilearn
 
Tools kali
byketban0702
 
Wireshark
byKasun Madusanke
 
Terminal Commands (Linux - ubuntu) (part-1)
byraj upadhyay
 
Kubernetes Deployment Strategies
byAbdennour TM
 
Introduction of netty
byBing Luo
 
7 linux fdisk command examples to manage hard disk partition
bychinkshady
 
Bash Shell Scripting
byRaghu nath
 
AWS CloudFormation Session
byKamal Maiti
 

Similar to Zero Day Malware Detection/Prevention Using Open Source Software

PDF
Suricata: A Decade Under the Influence (of packet sniffing)
byJason Williams
 
PPTX
Malware analysis
byPrakashchand Suthar
 
PDF
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
bySam Bowne
 
PDF
Project in malware analysis:C2C
byFabrizio Farinacci
 
PPT
Bulletproof IT Security
byLondon School of Cyber Security
 
PDF
H@dfex 2015 malware analysis
byCharles Lim
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PPTX
Honeypots and honeynets
byRasool Irfan
 
PDF
Modern Malware and Threats
byMarketingArrowECS_CZ
 
PDF
Watchtowers of the Internet - Source Boston 2012
byStephan Chenette
 
PDF
Modern malware and threats
byMartin Holovský
 
PPTX
Threat Hunting with Splunk
bySplunk
 
PPTX
Hands on Security - Disrupting the Kill Chain Breakout Session
bySplunk
 
PDF
Malware Analysis -an overview by PP Singh
byn|u - The Open Security Community
 
PPTX
Advanced Threats In The Enterprise
byPriyanka Aash
 
PPTX
Malware Analysis For The Enterprise
byJason Ross
 
PDF
NIC2012 - System Center Endpoint Protection 2012
byNicolai Henriksen
 
PDF
Needlesand haystacks i360-dublin
byDerek King
 
PPTX
Hands-On Security - Disrupting the Kill Chain
bySplunk
 
PDF
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
Suricata: A Decade Under the Influence (of packet sniffing)
byJason Williams
 
Malware analysis
byPrakashchand Suthar
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
bySam Bowne
 
Project in malware analysis:C2C
byFabrizio Farinacci
 
Bulletproof IT Security
byLondon School of Cyber Security
 
H@dfex 2015 malware analysis
byCharles Lim
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
Honeypots and honeynets
byRasool Irfan
 
Modern Malware and Threats
byMarketingArrowECS_CZ
 
Watchtowers of the Internet - Source Boston 2012
byStephan Chenette
 
Modern malware and threats
byMartin Holovský
 
Threat Hunting with Splunk
bySplunk
 
Hands on Security - Disrupting the Kill Chain Breakout Session
bySplunk
 
Malware Analysis -an overview by PP Singh
byn|u - The Open Security Community
 
Advanced Threats In The Enterprise
byPriyanka Aash
 
Malware Analysis For The Enterprise
byJason Ross
 
NIC2012 - System Center Endpoint Protection 2012
byNicolai Henriksen
 
Needlesand haystacks i360-dublin
byDerek King
 
Hands-On Security - Disrupting the Kill Chain
bySplunk
 
'Malware Analysis' by PP Singh
byBipin Upadhyay
 

More from MyNOG

PDF
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
byMyNOG
 
PDF
Load balancing and Service in Kubernetes
byMyNOG
 
PDF
Embedded CDNs in 2023
byMyNOG
 
PDF
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
byMyNOG
 
PDF
Edge virtualisation for Carrier Networks
byMyNOG
 
PDF
Securing the Onion: 5G Cloud Native Infrastructure
byMyNOG
 
PDF
Equinix: New Markets, New Frontiers
byMyNOG
 
PDF
Hierarchical Network Controller
byMyNOG
 
PDF
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
byMyNOG
 
PDF
Peering Personal MyNOG-10
byMyNOG
 
PDF
Introducing Peering LAN 2.0 at DE-CIX
byMyNOG
 
PDF
Building a Connected Future: The Power of Interconnection
byMyNOG
 
PDF
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
byMyNOG
 
PDF
Cloud SDN: BGP Peering and RPKI
byMyNOG
 
PDF
Cleaning up your RPKI invalids
byMyNOG
 
PDF
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
byMyNOG
 
PDF
SDM – A New (Subsea) Cable Paradigm
byMyNOG
 
PDF
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
byMyNOG
 
PDF
Strategies for Seamless Recovery in a Dynamic Data Landscape
byMyNOG
 
PDF
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
byMyNOG
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
byMyNOG
 
Load balancing and Service in Kubernetes
byMyNOG
 
Embedded CDNs in 2023
byMyNOG
 
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
byMyNOG
 
Edge virtualisation for Carrier Networks
byMyNOG
 
Securing the Onion: 5G Cloud Native Infrastructure
byMyNOG
 
Equinix: New Markets, New Frontiers
byMyNOG
 
Hierarchical Network Controller
byMyNOG
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
byMyNOG
 
Peering Personal MyNOG-10
byMyNOG
 
Introducing Peering LAN 2.0 at DE-CIX
byMyNOG
 
Building a Connected Future: The Power of Interconnection
byMyNOG
 
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
byMyNOG
 
Cloud SDN: BGP Peering and RPKI
byMyNOG
 
Cleaning up your RPKI invalids
byMyNOG
 
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
byMyNOG
 
SDM – A New (Subsea) Cable Paradigm
byMyNOG
 
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
byMyNOG
 
Strategies for Seamless Recovery in a Dynamic Data Landscape
byMyNOG
 
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
byMyNOG
 

Recently uploaded

PDF
How-to-Plan-a-Reliable-Wireless-Network-Installation-in-Dubai-for-Your-Office
byInstallations Experts - UAE
 
PPT
Web Service Security note for teaching.ppt
byfirehiwot8
 
PPT
dsafsadfsafsacsadfsdafsdafsdaf cyber security DOS Attacks.ppt
bycacabelosmonchette
 
PPT
CHAPTER 2 RISK MANAGEMENT and security.ppt
byfirehiwot8
 
PPTX
Information comiunication technology HNDIT1212 Lecture 01.pptx
bynmziyard
 
PDF
Unit 1 Introduction To Computer Networks.pdf
byaida818570
 
PPT
Tools in communication technologies - CT
byswisssom2025
 
PDF
Paper: World Game (s) Great Redesign.pdf
bySteven McGee
 
PPTX
Information Assurance and Security chapter two-part 1.pptx
byfirehiwot8
 
PPTX
Python Oops concepts of power point presentation
bySwapnitaKendre
 
PDF
Empower Your Brand with YouRefresh’s Online Hub Builder
byyourefreshdm
 
PDF
New-Genetec-SC-OTC-001-5.13-Certificate.pdf
byMatheusPaulista1
 
PPTX
C++ Chapter about pointers in programming
byfirehiwot8
 
PPTX
Week 7.1 - Software Defined Network - SDN.pptx
byOmar Fernandez
 
PDF
Tamagui: Bridging Web and Mobile Development
byEugene Zharkov
 
PDF
New-Genetec-SC-STC-001-5.13-Certificate.pdf
byMatheusPaulista1
 
PPTX
Intellectual Property Code of the Philippines_20251030_085011_0000.pptx
byronthefourth
 
PDF
Slides: The World Game (s) Great Redesign: Eco Economic Epochs pdf
bySteven McGee
 
PDF
Top 10 Countries to Hire Remote Developers in 2025 copy.pdf
byOuranos Technologies Pvt Ltd
 
PPT
C++ Chapter 6-pointers about pointers in programming
byfirehiwot8
 
How-to-Plan-a-Reliable-Wireless-Network-Installation-in-Dubai-for-Your-Office
byInstallations Experts - UAE
 
Web Service Security note for teaching.ppt
byfirehiwot8
 
dsafsadfsafsacsadfsdafsdafsdaf cyber security DOS Attacks.ppt
bycacabelosmonchette
 
CHAPTER 2 RISK MANAGEMENT and security.ppt
byfirehiwot8
 
Information comiunication technology HNDIT1212 Lecture 01.pptx
bynmziyard
 
Unit 1 Introduction To Computer Networks.pdf
byaida818570
 
Tools in communication technologies - CT
byswisssom2025
 
Paper: World Game (s) Great Redesign.pdf
bySteven McGee
 
Information Assurance and Security chapter two-part 1.pptx
byfirehiwot8
 
Python Oops concepts of power point presentation
bySwapnitaKendre
 
Empower Your Brand with YouRefresh’s Online Hub Builder
byyourefreshdm
 
New-Genetec-SC-OTC-001-5.13-Certificate.pdf
byMatheusPaulista1
 
C++ Chapter about pointers in programming
byfirehiwot8
 
Week 7.1 - Software Defined Network - SDN.pptx
byOmar Fernandez
 
Tamagui: Bridging Web and Mobile Development
byEugene Zharkov
 
New-Genetec-SC-STC-001-5.13-Certificate.pdf
byMatheusPaulista1
 
Intellectual Property Code of the Philippines_20251030_085011_0000.pptx
byronthefourth
 
Slides: The World Game (s) Great Redesign: Eco Economic Epochs pdf
bySteven McGee
 
Top 10 Countries to Hire Remote Developers in 2025 copy.pdf
byOuranos Technologies Pvt Ltd
 
C++ Chapter 6-pointers about pointers in programming
byfirehiwot8
 

Zero Day Malware Detection/Prevention Using Open Source Software

  • 1.
    Copyright © 2015CyberSecurity MalaysiaCopyright © 2015 CyberSecurity Malaysia ZERO DAY MALWARE DETECTION/PREVENTION USING OPEN SOURCE SOFTWARE PROOF OF CONCEPT Malware Research Center MyCERT
  • 2.
    Copyright © 2015CyberSecurity Malaysia Outline • Introduction • Motivations • Objective • Process Flow • The Open Source components • Moving Forward 2
  • 3.
    Copyright © 2015CyberSecurity Malaysia Introduction • Fathi Kamil Bin Mohad Zainuddin. • Senior Analyst in Malware Research Centre, MyCERT. 3
  • 4.
    Copyright © 2015CyberSecurity Malaysia Introduction • Computer security issues have emerged ever since the Internet was introduced. Organizations and security researchers have increased the efforts in ensuring that security threats are detected and mitigated in a timely manner. Today, as computer attacks tend to be malware- centric, the cyber criminals have introduced sophistication in their attack techniques that makes the traditional way of protecting the enterprise with firewalls, intrusion detection systems and antivirus software at the network perimeter ineffective. 4
  • 5.
    Copyright © 2015CyberSecurity Malaysia Introduction • To produce tools or capability on 0-day malware detection / prevention using open source software. • There are many Open Source network security components doing their purpose very well in the market. • Known Open Source network security product such as Snort, Suricata, Dionaea, Kippo, Glastopf, Ntop, Xplico, Wireshark, etc. • All we need is to glue them to achieve our purpose. 5
  • 6.
    Copyright © 2015CyberSecurity Malaysia Motivations • We have deployed LebahNet (Honeynet) previously, but later we found out that: – Dionaea plugins are difficult to maintain in order to follow the vulnerability trends to get new malware binaries. – We need an expert to maintain the plugins. – We have done some attack simulation using Metasploit but produced poor results. Not all vulnerability attacks captured by Dionaea. • Network packets contains many information which might also include malicious documents, binaries and web communication which are not extracted from the network. 6
  • 7.
    Copyright © 2015CyberSecurity Malaysia Objective • Capture & identify the malicious documents, binaries, and web accesses from the network through packet capturing. • Simulating the malicious files / webs in sandbox environment. • Collect known malicious information provided by sandbox into a central database. • Generate callback signature from sandbox result to detect/prevent further malicious activities. • Distribute malicious information among sensors. 7
  • 8.
    Copyright © 2015CyberSecurity Malaysia Components – Network IDS / IPS 8 • Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. • Top 3 reasons: – Highly Scalable. – Protocol Identification. – File Identification, MD5 Checksums, and File Extraction. • For the purpose, Suricata can produce: – Alert log. – File extraction based on signature within HTTP & SMTP. http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/ http://blog.inliniac.net/2014/11/11/smtp-file-extraction-in-suricata/ – HTTP log.
  • 9.
    Copyright © 2015CyberSecurity Malaysia Components – Network IDS / IPS • Enabling file extraction - /etc/suricata/suricata.yml 9
  • 10.
    Copyright © 2015CyberSecurity Malaysia Components – Network IDS / IPS • Suricata file extraction rules - /etc/suricata/rules/files.rules 10
  • 11.
    Copyright © 2015CyberSecurity Malaysia Components – Network IDS / IPS • File extraction output - /var/log/suricata/files/ 11
  • 12.
    Copyright © 2015CyberSecurity Malaysia Components – Network IDS / IPS • HTTP Logs 12
  • 13.
    Copyright © 2015CyberSecurity Malaysia Components – Network IDS / IPS • Drawback - High CPU processing • Suricata is a high performance NIDS/NIPS and utilizing all CPU cores compared to Snort NIDS/NIPS. It will utilizing GPU cores. • PF_RING can be used to bypass Linux OS TCP/IP stack. Suricata running in userspace will get direct access to the network buffer from the network card (kernelspace) without going through most of OS layers. • You might want to read an article in 2012 “Suricata, to 10Gbps and beyond” https://home.regit.org/2012/07/suricata-to-10gbps-and- beyond/ 13
  • 14.
    Copyright © 2015CyberSecurity Malaysia Components – Sandboxing 14 • Cuckoo Sandbox is a malware analysis system. • It produces native functions and Windows API calls traces, copies of files created and deleted from the file system, dump of the memory of the selected process, full memory dump of the analysis machine, screenshots of the desktop during the execution of the malware analysis, network dump generated by the machine used for the analysis. • For the purpose, extracted files / web access from the Suricata will be tested in simulation environment using Cuckoo Sandbox.
  • 15.
    Copyright © 2015CyberSecurity Malaysia Components – Sandboxing (Anti- VM) • Nowadays malware equipped with anti-VM code to detect if it is running inside sandbox environment through registry, CPU flags, BIOS, file system, etc. • Bypassing Sandboxes For Fun https://www.botconf.eu/bypassing-sandboxes-for-fun/ • Defeat anti-VM malware, refer VMCloak, VBoxAntiVMDetectHardened, etc. • You can try using Pafish to detect whether you are running inside virtualization / sandbox environment. https://github.com/a0rtega/pafish 15
  • 16.
    Copyright © 2015CyberSecurity Malaysia Components – Sandboxing (Anti- VM) • Hardened Anti-VM Detection 16
  • 17.
    Copyright © 2015CyberSecurity Malaysia Components – Sandboxing (Anti- VM) • Sandbox detection using Pafish 17
  • 18.
    Copyright © 2015CyberSecurity Malaysia Components – SSL Decryption • viewssld - SSL Decryption for Network Monitoring. • Nowadays malware exploiting SSL encryption to bypass network security detection. • IT security admin can enforce HTTPS / SSL interception by registering Firewall / Proxy root certificate for every PC inside an organization. • By providing private key to viewssld, it can decrypt every HTTPS communication and send to Network IDS for malware collection & intrusion alert. 18
  • 19.
    Copyright © 2015CyberSecurity Malaysia Process Flow 19
  • 20.
    Copyright © 2015CyberSecurity Malaysia Moving Forward • Enhancing Cuckoo sandbox environment • Defeating Anti-VM / Sandbox Hardening • Exploitation detection (Buffer/Heap Overflow, Payload) • Produce more valuable information • Improve the process flow 20
  • 21.
    Copyright © 2015CyberSecurity Malaysia Malware Research Lab (Tools) • Our team has also developed tools for our daily operation: – BotNet Checker: Botnet detection based on IP address. – LebahNet: Distributed Honeynet. – MyKotakPasir: Virtualization sandboxing. – AndBox: Android sandboxing. – ESPot: ElasticSearch Honeypot. – DontExploitMe: Browser Based IPS. – DontPhishMe: Phishing Site Blocker for Browser (Firefox, Chrome, Internet Explorer). – MyLipas: Web Defacement Crawler. – Many others. 21
  • 22.
    Copyright © 2015CyberSecurity Malaysia Malware Research Lab (Tools) • BotNet Checker – http://botnet.honeynet.org.my/ 22
  • 23.
    Copyright © 2015CyberSecurity Malaysia Malware Research Lab (Tools) • DontPhishMe & Antiphishing.My – https://www.antiphishing.my/ 23
  • 24.
    Copyright © 2015CyberSecurity Malaysia • Coordinated Malware Eradication And Remediation Project (CMERP) & CyberDEF (Detection, Eradication & Forensics) What is it? • A comprehensive solution for detection, eradication and forensic of malware in cyberspace What are the benefits? • Helps organization to strengthen and defend their organisation by preparing the CSIRT team with required skill, policy and procedure in place • The capability of the team will be strengthen by participating in cyber exercise activity tailored for the organization • With the necessary resources and skills in place, steps and measures can be taken to eradicate threat 24
  • 25.
    Copyright © 2015CyberSecurity Malaysia Contacts • Web: http://www.cybersecurity.my • Web: http://www.mycert.org.my • Web: www.cybersafe.my • Report Incident: cyber999@cybersecurity.my 25
  • 26.
    Copyright © 2015CyberSecurity Malaysia26 Q&A
  • 27.
    Copyright © 2015CyberSecurity MalaysiaCopyright © 2015 CyberSecurity Malaysia