Archive for December, 2012
Before we start, I just want to declare that the things I publish here are based on my experience only, and in no way should you take them as a recommendation to buy or not to buy specific products.
After understanding the essentials of a CISO’s work, I’ll expand on how I did the research work from part 1, alongside my incident response team from part 2.
Regarding the tools I mentioned earlier: they need to give you a FULL, bottom-up view of every request \ connection to the internet, starting from the user’s endpoint through the firewall\proxy and DNS requests, and cross-dissect the findings to give you a positive catch.
C&C life cycle:
1) A hostile file is downloaded from “some” website, or exposed browser holes are used to get it onto a computer.
BTW, the hostile file can be an innocent-looking, legitimate skype.exe that was downloaded NOT from the Skype website…
2) If step 1 succeeded and no AV engine has stopped it, the hostile file tries to “sniff” its way around your organization, trying to elevate privileges and gather as much information as it can before going into phase II.
3) After getting some idea of how your organization “works”, the hostile file tries to get out and connect to the operator’s site. This phase is usually known as domain fluxing and shows up as multiple bursts of random DNS lookups for names like [aabbccdd.your company domain extension ] or any other random sequence.
At this step, if you have implemented the right products, the hostile activity should be blocked at your gateway by IDS\IPS\FW\proxy\URL filtering\DLP or any other PREVENTION product.
If it isn’t blocked and you need to look at step 4, chances are you are in deep trouble…
4) Also known as Phase II, in which the hostile file and its operator evolve into one unit that is fully aware of your organization’s methods and can exploit almost any aspect of your INTERNAL network.
This includes admin users, passwords, emails, internal IPs, DCs, DNS, AD and even changing firewall data.
This allows the attacker, or shall we say “your commander”, to do whatever he likes with your data. 1-0 to the bad guys….
The first question you might ask is: if my AV vendor is not discovering the bad guys, what can I do?
Well, a good one… this brings me back to my friend’s original request once again. And the answer is:
No AV vendor is “the one”; it is enough to look at sites like VirusTotal or URLQuery to see that even 10 AV engines together can miss… therefore you need special tools for these special jobs.
Or worse, if you trust your AV vendor as your sole security solution, change your job…
It has got to be a BEST OF BREED set of solutions that will answer your dynamic organization’s requests and whims…
They MUST be able to do the following in order to catch any hostile file in your environment in a crossfire.
Also make sure your IRT team is using them and their results on a daily basis; in fact, base your security protocols and procedures on their output.
1) Security Event Management (SIEM): [ such as ArcSight, Symantec, RSA ]
Connect every available and relevant device to your SIEM and write basic rules.
Improve those rules as you go, and remember: those devices can archive almost everything that happened on your network fairly easily; it is the correlation between those events that makes your life easier.
2) A cross-stream line analyzer: [ such as Damballa Failsafe, FireEye, Websense full suite, advanced proxy\URL filtering ]
This device’s sole purpose is to analyze the data from the endpoint to the DNS server \ proxy \ FW and correlate it into one valid event.
As I explained in the C&C life cycle, it is essential to expose the hostile before phase II, meaning that if you can catch one machine [or asset] trying to contact a hostile URL or doing domain fluxing, then phase II won’t be an issue for you.
Hell, you can even make these connections terminate automatically, or have an event-based action sent to your remediation device.
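As an added example (my code, not from this post or from any of the products named above), here is a SIEM-style correlation rule for the domain-fluxing symptom from step 3 of the life cycle and from section 2: it scans DNS query logs for one client asking for several random-looking names inside a short window. The log format and the random-label heuristic are my assumptions; CDN and cloud hostnames can look random too, so tune the thresholds and keep an allowlist before acting on an alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS log (assumed format: "<ISO time> <client IP> <queried name>").
SAMPLE_DNS_LOG = """\
2012-12-03T09:00:01 10.0.0.15 www.microsoft.com
2012-12-03T09:00:02 10.0.0.15 update.skype.com
2012-12-03T09:01:10 10.0.0.42 kq3xv9zp.example.com
2012-12-03T09:01:11 10.0.0.42 a8fh2lqz.example.com
2012-12-03T09:01:11 10.0.0.42 zzq0mvb7.example.net
2012-12-03T09:01:12 10.0.0.42 x0ndf2uw.example.org
2012-12-03T09:01:13 10.0.0.42 p9vr1tkc.example.com
2012-12-03T09:05:00 10.0.0.42 mail.example.com
"""


def looks_random(label):
    """Crude heuristic: generated labels mix digits into letters or have few vowels."""
    label = label.lower()
    if len(label) < 6:
        return False
    digits = sum(c.isdigit() for c in label)
    letters = sum(c.isalpha() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return (digits >= 2 and letters >= 2) or (letters > 0 and vowels / letters < 0.15)


def find_fluxing_hosts(log_text, window_seconds=60, threshold=5):
    """Map client IP -> sorted random-looking names for every client that asked
    for at least `threshold` distinct such names inside one `window_seconds` window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        stamp, client, qname = parts
        if looks_random(qname.split(".")[0]):  # judge the leftmost label only
            events[client].append((datetime.fromisoformat(stamp), qname))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for client, queries in events.items():
        queries.sort()  # chronological, so each start index opens one window
        for i, (start, _) in enumerate(queries):
            names = {q for t, q in queries[i:] if t - start <= window}
            if len(names) >= threshold:
                hits[client] = sorted(names)
                break  # one alert per client is enough for the SIEM
    return hits
```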
3) Investigating tool: [ such as Silicium ECAT, HBGary Responder, or even GMER or Comodo CCE ]
It MUST HAVE the “cross-platform approach”, meaning it runs across your whole enterprise as a natural endpoint agent, collecting ALL your computers’\servers’ files into one place, analyzing them and giving you suspected or convicted files.
The methods should be as follows:
a) Compare your files against several MD5 signature databases such as Bit9, NIST, MSDN, or any other cloud-based comparison engine (HITMAN\CCE).
This will bring UP all the files that have no valid or root CA, or no company embedded in them, so that only sealed, authentic files can reside on your machines.
Any other result, such as unknown files or a broken CA, can imply that the file has been compromised by another hostile that may take additional steps, such as injecting DLLs into other processes\services and loading a rootkit, or connecting to additional C&C sites.
b) Use several AV engines, or upload your suspicious files from section a) to sites like VirusTotal and similar. You can even search the web for the MD5 string and consult other people’s findings on your specific hash.
c) Analyze floating code and memory hashes in live mode.
d) Create your OWN whitelist of files that have been created by your organization’s software developers, and direct them to work as methodically as they can.
e) Check your current network connections from the process and up.
Meaning, if you can see EXCEL.exe reaching out to the internet, it is NOT looking to be updated from Microsoft…
Even a simple netstat -nab can give you the desired results.
f) Use a good URL filtering engine\anti-bot. This actually should be the first DOT in the line of crossfire, since you will most probably get an alert from your URL filtering device saying one machine tried to reach a hostile website. You can also use many other online URL checking tools.
A good tool in this section has to be one that updates as quickly as it can, since automated cleaning processes happen on those websites almost within the hour, so before you block access to a site from your domain, make sure the danger hasn’t passed already…
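As an added example (my code, not from this post or from any tool it names), here is a parser for `netstat -nab` output that implements the check from step e): it lists processes holding established or half-open connections to addresses outside your own ranges that are not on a short list of programs expected to use the internet, so EXCEL.EXE talking to the outside stands out. The sample output, the internal ranges and the allowlist are constructed assumptions; treat a hit as a lead for the investigating tool, not a conviction.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -nab` output (not captured from a real host);
# with -b the owning executable follows each connection on a bracketed line of its own.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    10.0.0.42:49211        203.0.113.77:443       ESTABLISHED
 [EXCEL.EXE]
  TCP    10.0.0.42:49212        198.51.100.5:443       ESTABLISHED
 [chrome.exe]
  TCP    10.0.0.42:49214        192.0.2.9:8080         SYN_SENT
 [notepad.exe]
"""

# Assumptions: the organization's own address ranges, and the only processes that are
# expected to talk to the internet; anything else with an outbound connection gets a look.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EXPECTED_INTERNET_PROCESSES = {"chrome.exe", "firefox.exe", "iexplore.exe", "outlook.exe"}
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")  # UDP lines have no state
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state, owner) tuples from -nab output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append([m.group(1), m.group(2), m.group(3), m.group(4) or "", None])
        elif conns and conns[-1][4] is None and (m := OWNER_RE.match(line)):
            conns[-1][4] = m.group(1)  # service-name lines such as RpcSs do not match
    return [tuple(c) for c in conns]


def is_external(addr_port):
    host = addr_port.rsplit(":", 1)[0].strip("[]")  # drop the port; IPv6 is bracketed
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" or a name rather than an address
    return not ip.is_unspecified and not any(ip in net for net in INTERNAL_NETS)


def suspicious_outbound(text, expected=EXPECTED_INTERNET_PROCESSES):
    """External connections owned by a process that is not expected to use the internet."""
    hits = []
    for _proto, _local, foreign, state, owner in parse_netstat(text):
        if state in ("ESTABLISHED", "SYN_SENT") and is_external(foreign) and (owner or "").lower() not in expected:
            hits.append((owner or "UNKNOWN", foreign, state))
    return hits
```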
From there you can start your query using all the tools and methods I have mentioned; the more conclusive results you get on an evil residing on a machine, the better.
This approach is NOT bulletproof, but it will definitely filter out 95+% of your hostile files… therefore keep up with the technology and bring the human resource into the game.
If one of my customers came to me today and asked me to design a full method to eliminate unwanted or dangerous files in his domain, I would say “No such thing”.
One of the reasons is that you can’t keep your sensitive environment clean enough without damaging the users’ freedom and productivity. Especially the VPs’.
Most of the time, CISOs and IT managers come to me AFTER somebody has made a 207 or 207A on their domain (that’s the police code for kidnapping); in that case you have a legal, and usually a very big, Go! from the CTO\CEO to do everything you can to stop it from happening again.
Those are good times for software vendors\integrators, who can celebrate a 100% sell rate at those companies.
But, as you guessed, those time-pressed CISOs are not always aware of which products to implement and, most important, which technology will give them the best results per dime for the longest time… having said that, without the right consultant, who will take Pain and turn it into Gain, they usually invest in the wrong methods.
Getting back to the original “bug free” request: in those special cases I would recommend a full revision of the company’s approach to data security, starting from the bottom up.
Implementing a good, solid, management-backed data security policy is not something that happens in a day, but it is worth putting in a lot of effort to start something good and harvest the applause later.
Issues to consider:
– Have every user sign that the computer\software he gets from the company is NOT his own.
– Publish a list of allowed software in your organization, saying that anything besides that list will cause issues with the HR department…
– Start by classifying and identifying your:
1) Sensitive data – “Show me your data and I’ll tell you how to protect it”
In most cases you will find that they DO NOT know the location and the amount of it… this step alone takes several months to complete.
2) Weakest points in the LAN\WAN\DMZ
3) Everyday-use data flow – this is the stream that all problems start from.
4) Gather and estimate your human resources; see if the team needs additional knowledge and if it can handle 911 calls and everyday tasks.
In most cases you will find 1 or 2 persons doing 5 persons’ jobs. This is not the kind of situation you want to be in when implementing a large DLP or SIEM project, only to realize your team can’t decipher the results or lacks the time to do it.
– Harden security policies on mobile users: have smartphones and laptops use hard rules and policies without losing the dynamics of work productivity.
– Offer well-known, dummy-proof, productive solutions for the issues above. You can start by drilling down into your AD GPOs and dead users, continue with your AV kill rate, along with your main firewall rules and block ratio.
– Keep your software up to date, probably the best tip I can give: no holes, no foxes…
– Assign virtual “data owners” and have them take responsibility for their data in terms of backup and unwanted access.
– Pick as few tools and solutions as possible for all the scenarios you can imagine. If the 911 call arrives, the first thing you need is to act as fast as possible, and you would want the best results\outcomes\logs\products refined and distilled to your desktop.
Now you can start thinking about wide projects like DLP, endpoint security, SIEM, virtual security, IDS\IPS and, most important, a decent monitoring system, or any other solution that your organization needs; just make sure it fits your golden rules above.
With the outcomes of those products, you can assign an incident response team to be the task force for all kinds of alarms and events.
And since you will get tens of millions of events per day, if this team can handle 10 REAL security events per day, you have scored it! Ace!
See you in part 3…
I have done some massive research and long-term deep investigations, and this Check Point Anti-Bot module has a very high percentage of accuracy on live malware and C&C communications residing on machines.
Those tools helped me along the way to deal with and remove those evils in a haystack (besides the obvious Format c: /q).
It also has a knowledge base containing everything you need to know about those evils and their families.
For more information on the methodology of my research and the tools I used, you can write to my email.