Monday, September 1, 2014

Beginning Malware Analysis using what we learnt during the static and dynamic analysis to improve our security

In the previous 2 posts, we spent the time to learn about a suspicious file. How we then use this knowledge is extremely important in defending our network. We can use the information to develop rules for our antivirus, IDS/IPS, SIEM, etc.

In this post we will write a signature for snort to detect this traffic on our sensors.

If we look back at the previous post we can see there are two types of packets. The first is the DNS and second is HTTP. In both cases, this traffic is leaving our network.

Let's first create a signature for the DNS Packet.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Lab06-02.exe DNS Traffic detected"; content:"practicalmalwareanalysis"; nocase; priority: 1; classtype:misc-attack; sid:1000000)


Now let's create a signature based on the HTTP packet
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Lab06-02.exe HTTP Traffic detected"; content:"cc.htm"; content:"User-Agent|3A 20|Internet|20|Explorer|20|7|2E|5/pma"; nocase;  priority: 1; classtype:misc-attack; sid:1000001)

Now that we have these two rules, the next time this traffic passes through our IDS/IPS, we can be notified with messages similar to below.

root@securitynik:~# snort -c /etc/snort/snort.conf -A console -q 
08/13-16:03:27.602476  [**] [1:1000000:0] Lab06-02.exe DNS Traffic detected [**] [Classification: Misc Attack] [Priority: 1] {UDP} 10.0.0.101:53050 -> 10.0.0.102:53
08/13-16:03:27.613147  [**] [1:1000001:0] Lab06-02.exe HTTP Traffic detected [**] [Classification: Misc Attack] [Priority: 1] {TCP} 10.0.0.101:1192 -> 10.0.0.102:80

Being able to draw conclusions on any suspect file or known malicious file is extremely important. Obviously there is a lot more which can be done to learn about the suspect executable. In this case we were just trying to do some basic analysis to allow us to draw a conclusion.


Reference:
http://www.snort.org

No comments:

Post a Comment