hunting malware using its fingerprints
play

Hunting malware using its fingerprints Piotr Biaczak About me - PowerPoint PPT Presentation

Sep 02, 2022 •536 likes •828 views

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior Researcher CERT Polska/NASK/ Warsaw University of Technology piotr.bialczak@cert.pl Twitter: @bialczakp 2 Malware hunting A mouse and cat game? 3

  1. Hunting malware using its fingerprints Piotr Białczak

  2. About me Piotr Białczak Senior Researcher CERT Polska/NASK/ Warsaw University of Technology piotr.bialczak@cert.pl Twitter: @bialczakp 2

  3. Malware hunting A mouse and cat game? 3

  4. Hunting malware ▷ Identification based on network infrastructure not effective as we wish to ▷ Constant change of IPs and domains ▷ Dedicated mechanisms for evasion (DGA, FastFlux) ▷ Problem with unknown threats 4

  5. What if we could identify something constant and distinguishable? 5

  6. Malware fingerprinting ▷ Provide mechanism to identify threats ▷ Pinpoint some rarely changed elements ▷ Make fingerprints unique ▷ Give good generalization ▷ Should be easy to share 6

  7. Different notions of malware fingerprinting ▷ Identification of malware families ○ Directly providing family name ○ More like multiclass malware detector ▷ Generic feature extractor ○ Providing representation of some features ○ It can be labeled with malware family name ▷ I will focus on the second group 7

  8. Network traffic fingerprints ▷ Mainly extraction of some protocol fields ▷ Choosing fields hard to change ▷ Presentation in two Source: https://commons.wikimedia.org/wiki/File:Ipv4_header.svg forms: full and concise 8

  9. Examples of usage scenarios ▷ Grouping activities ▷ Identification of malware families ▷ Identification of different operations in single family ▷ Correlation of similar behavior between families 9

  10. Popular Tools 10

  11. JA3 ▷ Fingerprinting TLS clients/servers ▷ Decimal values of chosen fields in Client Hello messages (then MD5 hash) ▷ Extensively supported ▷ Available: https://github.com/salesforce /ja3 Source: https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41 11

  12. HASSH ▷ Fingerprinting SSH clients/servers ▷ Decimal values of chosen fields in SSH_MSG_KEXINIT messages (then MD5 hash) ▷ Available here: https://github.com/salesforce /hassh 12

  13. FATT ▷ Fingerprint all the things ▷ Supports: JA3, HASSH ▷ Also: RDFP, gQUIC, HTTP header fingerprint ▷ Live network and pcap files via pyshark ▷ Available here: https://github.com/0x4D31/fatt/ 13

  14. Other great tools ▷ HTTP - https://lcamtuf.coredump.cx/p0f3/ ▷ TLS, DTLS, SSH, HTTP, TCP - https://github.com/cisco/mercury ▷ Identification framework, https://github.com/rapid7/recog 14

  15. SMTP fingerprinting ▷ More complex approach ▷ Fingerprinting SMTP implementation (dialect) ○ Exchanged messages (also their case) ○ SMTP extensions ○ IMF fields ▷ Detection of spambots ▷ Stringhini et al. B@bel: Leveraging Email Delivery for Spam Mitigation ▷ Also SISSDEN.eu 15

  16. SMTP dialects Source: https://sissden.eu/blog/analysis-of-smtp-dialects Unfortunately no open-sourced tool 16

  17. DEMO 17

  18. hfinger 18

  19. Problems of current HTTP fingerprinting ▷ Collisions between families ▷ Collisions with benign software ▷ Limited analysis of URL and payload 19

  20. hfinger URL Header structure Payload URL length request method length ● ● ● Number of directories, protocol version entropy ● ● ● variables header order presence of non-ASCII ● ● File extension popular headers' characters ● ● URL parts lengths values ● 20

  21. Fingerprint creation POST /dir1/dir2?var1=val1 HTTP/1.1 Host: 127.0.0.1:8000 Accept: */* User-Agent: My UA Content-Length: 9 Content-Type: application/x-www-form-urlencoded misc=test Direct representation of features - for easier interpretation 21

  22. Encoding "application/javascript":"ap-ja", "application/json":"ap-js", Analyzed popular headers "application/octet-stream":"ap-os", Connection ● "application/pdf":"ap-pd", Accept-Encoding ● "application/x-octet-stream":"ap-x-o-s", Content-Encoding ● "application/x-www-form-urlencoded":"ap-x-w-f-u", "audio/mpeg":"au-mp", Cache-Control ● "binary":"bi", TE ● "image/gif":"im-gi", Accept-Charset ● "multipart/form-data":"mu-f-d", Content-Type ● "octet/binary":"oc-bi", Accept "octet-stream":"oc-st", ● "text/csv":"te-cs", Accept-Language ● "text/html":"te-ht", User-Agent ● "text/plain":"te-pl", "text/xml":"te-xm" 22

  23. Different report modes ▷ Configurable report modes - depending on desired information level ▷ Default ○ Tries to optimize uniqueness vs generalization ▷ Informative ○ More features presented ▷ All features ○ Full information, but also more fingerprints 23

  24. More info ▷ https://github.com/CERT-Polska/hfinger ▷ Working prototype stage - there will be some changes ▷ Written in Python, uses Tshark for pcap parsing and HTTP reassembly ▷ Comments, issues, PRs are welcomed 24

  25. hfinger demo 25

  26. Conclusion Fingerprints are helpful in hunting malware ▷ Until malware developers start to evade fingerprinters ▷ Problem of generalization vs collisions ▷ Some popular protocols are already covered, but not all of ▷ them Give a try to hfinger :-) ▷ 26

  27. 27

  28. Presentation template - slidescarnival.com Hunting malware using its fingerprints Piotr Białczak

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis Qi Wang , Wajih Ul

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis Qi Wang , Wajih Ul

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis Qi Wang , Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, Zhengzhang Chen, Wei Cheng, Carl A. Gunter, Haifeng Chen NDSS 2020 Feb 26 th , 2020,

915 views • 25 slides
Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software Architect 1 Agenda Problem Description Fileless Attacks Overview Common Injection Techniques Current Challenges with memory

870 views • 22 slides
Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:> whoami /all Tom Ueltschi Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!) Focus & Interests: Malware Analysis, Threat Intel,

1.45k views • 115 slides
Fingerprints Learning a project presentation The

Fingerprints Learning a project presentation The

Fingerprints Learning a project presentation The project Fingerprints Learning was initiated by Foundation Gaudete in Katowice, Poland and is

304 views • 3 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Lehrstuhl fr Systemsicherheit Virtual Machine-based Fingerprints SPRING 9 Bochum, 31.07 -

Lehrstuhl fr Systemsicherheit Virtual Machine-based Fingerprints SPRING 9 Bochum, 31.07 -

Lehrstuhl fr Systemsicherheit Virtual Machine-based Fingerprints SPRING 9 Bochum, 31.07 - 01.08.2014 Table of Contents 1. Background 1. Fingerprinting 2. Virtual Machines 2. Implemented Schemes 1. Permutation-based Fingerprints 2. Dynamic

223 views • 18 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm Licensing (Briefly) Hunting on Traditional Territory Hunting off Traditional Territory Applying for a FWID and BCEID Metis Hunting in BC

377 views • 13 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Orientation Data: legal and ethical issues Last few lectures: distributional semantics (technical

Orientation Data: legal and ethical issues Last few lectures: distributional semantics (technical

Orientation Data: legal and ethical issues Last few lectures: distributional semantics (technical aspects). Your next assignment (out Friday) explores some of these ideas. Sharon Goldwater Work with data extracted from Twitter (co-occurrence

387 views • 10 slides
Exotic atoms by the DIRAC experiment Mikhail Zhabitsky for the DIRAC Collaboration (CERN PS-212)

Exotic atoms by the DIRAC experiment Mikhail Zhabitsky for the DIRAC Collaboration (CERN PS-212)

K atoms Long-lived + atoms Results and Outlook Exotic atoms by the DIRAC experiment Mikhail Zhabitsky for the DIRAC Collaboration (CERN PS-212) Joint Institute for Nuclear Research, Dubna CERN, the European Organization for

464 views • 25 slides
Classes (II) Ling-Chieh Kung Department of Information Management National Taiwan University

Classes (II) Ling-Chieh Kung Department of Information Management National Taiwan University

friend , this , and const Static members Objects and pointers Programming Design Classes (II) Ling-Chieh Kung Department of Information Management National Taiwan University Programming Design Classes (II) 1 / 38 Ling-Chieh Kung (NTU IM)

419 views • 38 slides
Telling The Time chris.anley@nccgroup.trust The Bug Server generates a time-based: -Password

Telling The Time chris.anley@nccgroup.trust The Bug Server generates a time-based: -Password

Telling The Time chris.anley@nccgroup.trust The Bug Server generates a time-based: -Password reset token -Session id -Random password -REST API Key ... For example: PHP uniqid() Gets a prefixed unique identifier based on the current

371 views • 14 slides
Continuous Integration in NOvA Alex Himmel FIFE Workshop June 21 st , 2017 1 How We Use CI

Continuous Integration in NOvA Alex Himmel FIFE Workshop June 21 st , 2017 1 How We Use CI

Continuous Integration in NOvA Alex Himmel FIFE Workshop June 21 st , 2017 1 How We Use CI Runs triggered by commits. 15 minute stand-off to pick up clusters of commits. Uses standard build system Runs 1 event in a variety of

176 views • 3 slides
Machine Learning Lecture 6 Note Compiled by Abhi Ashutosh, Daniel Chen, and Yijun Xiao February

Machine Learning Lecture 6 Note Compiled by Abhi Ashutosh, Daniel Chen, and Yijun Xiao February

Machine Learning Lecture 6 Note Compiled by Abhi Ashutosh, Daniel Chen, and Yijun Xiao February 16, 2016 1 Pegasos Algorithm The Pegasos Algorithm looks very similar to the Perceptron Algorithm. In fact, just by changing a few lines of code in

850 views • 5 slides
ESRI + NEARMAP COOKING WITH GIS Sponsored Hosted by content by MODERATOR GRACE RYBAK CONTENT

ESRI + NEARMAP COOKING WITH GIS Sponsored Hosted by content by MODERATOR GRACE RYBAK CONTENT

ESRI + NEARMAP COOKING WITH GIS Sponsored Hosted by content by MODERATOR GRACE RYBAK CONTENT MARKETING PRODUCER NORTH COAST MEDIA Sponsored content by BEFORE WE BEGIN Have questions? Type your question into the Q&A box at the

593 views • 25 slides
Presented by Sponsored by Presented by Sponsored by Audio instructions Select Computer

Presented by Sponsored by Presented by Sponsored by Audio instructions Select Computer

Disclaimer The information contained in this webinar is for educational purposes only. It is not intended to provide legal or other advice. ICBC, WorkSafeBC, the Justice Institute of British Columbia, and Road Safety at Work are not liable in any

825 views • 51 slides

More recommend