Slide 1

openioc_scan
Takahiro Haruyama (@cci_forensics)
Internet Initiative Japan Inc.
SECURE 2015

Slide 2

No recoverable text

Slide 3

No recoverable text

Slide 4

No content

Slide 5

IOC diagram (labels recovered from the slide):
Forensic Analysis: specific indicators (e.g., URL, file hash)
Malware Analysis: generic (function-based) indicators (e.g., used API, binary code)
IOC: define & improve; scan on live system, disk image, memory image

Slide 6

No recoverable text

Slide 7

No recoverable text

Slide 8

PlugX detected

Slide 9

Term Category   Term Examples
ProcessItem     name, command line, parent name, DLL path, process/DLL DKOM detection, code injection detection, imported/dynamically generated API table, string, handle name, network connection, IAT/EAT/inline hooked API name, enabled privilege name
RegistryItem    metadata of executables cached by the OS (ShimCache)
ServiceItem     service name/description/command line
DriverItem      name, imported/dynamically generated API table, string, hooked IRP function table, callback function type, timer function detection
HookItem        hooked SSDT entry
FileItem        filename/size/path based on carved MFT entry

Slide 10

No recoverable text

Slide 11

              specific IOC                                generic IOC
advantage     easy to define (low false positive rate)    detects unknown malware with similar traits
weakness      detects that one malware only               hard to define (high false positive rate)
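
The trade-off in the table above, and the ProcessItem terms from slide 9, as an added example (not openioc_scan's own code). It is a minimal OpenIOC 1.1 evaluator: an Indicator tree of AND/OR nodes over IndicatorItems is matched against per-process facts, once with a specific IOC (a single MD5) and once with a generic IOC (the API pair a remote code injector needs). The search term names "ProcessItem/Md5sum" and "ProcessItem/ImportedApi", the hashes and the process records are all constructed for this example and are not openioc_scan's term names.

```python
"""Minimal OpenIOC 1.1 evaluator over constructed process facts (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://openioc.org/schemas/OpenIOC_1.1"}

# Constructed IOC 1: a *specific* indicator, one known sample's MD5 (made-up hash).
SPECIFIC_IOC = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="example-specific">
  <metadata><short_description>known dropper (specific IOC)</short_description></metadata>
  <criteria>
    <Indicator operator="OR" id="1">
      <IndicatorItem id="1a" condition="is">
        <Context document="ProcessItem" search="ProcessItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
</OpenIOC>"""

# Constructed IOC 2: a *generic* (function-based) indicator. Nothing in it names one sample;
# it describes a capability (write into another process and start a thread there).
GENERIC_IOC = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="example-generic">
  <metadata><short_description>remote code injection capability (generic IOC)</short_description></metadata>
  <criteria>
    <Indicator operator="AND" id="2">
      <IndicatorItem id="2a" condition="is">
        <Context document="ProcessItem" search="ProcessItem/ImportedApi" type="mir"/>
        <Content type="string">WriteProcessMemory</Content>
      </IndicatorItem>
      <IndicatorItem id="2b" condition="is">
        <Context document="ProcessItem" search="ProcessItem/ImportedApi" type="mir"/>
        <Content type="string">CreateRemoteThread</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
</OpenIOC>"""

# Constructed process facts, keyed by the search term they answer (assumed term names).
RECORDS = [
    {"ProcessItem/name": "svchost.exe",      # the known sample
     "ProcessItem/Md5sum": "0123456789abcdef0123456789abcdef",
     "ProcessItem/ImportedApi": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]},
    {"ProcessItem/name": "rundll32.exe",     # repacked variant: new hash, same behaviour
     "ProcessItem/Md5sum": "fedcba9876543210fedcba9876543210",
     "ProcessItem/ImportedApi": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]},
    {"ProcessItem/name": "x64dbg.exe",       # benign debugger: injects legitimately
     "ProcessItem/Md5sum": "11111111111111111111111111111111",
     "ProcessItem/ImportedApi": ["ReadProcessMemory", "WriteProcessMemory", "CreateRemoteThread"]},
    {"ProcessItem/name": "notepad.exe",
     "ProcessItem/Md5sum": "22222222222222222222222222222222",
     "ProcessItem/ImportedApi": ["CreateFileW", "WriteFile"]},
]


def _item_matches(item, record):
    """Evaluate one IndicatorItem (condition is/contains/matches, optional negate)."""
    search = item.find("ioc:Context", NS).get("search")
    expected = item.find("ioc:Content", NS).text or ""
    cond = item.get("condition")
    negate = item.get("negate", "false").lower() == "true"
    values = record.get(search, [])
    if not isinstance(values, list):
        values = [values]
    if cond == "is":
        hit = any(v.lower() == expected.lower() for v in values)
    elif cond == "contains":
        hit = any(expected.lower() in v.lower() for v in values)
    elif cond == "matches":
        hit = any(re.search(expected, v) for v in values)
    else:
        raise ValueError("unsupported condition: %s" % cond)
    return hit != negate


def _indicator_matches(ind, record):
    """Recursively evaluate an Indicator node: AND requires all children, OR any."""
    results = []
    for child in ind:
        tag = child.tag.split("}")[-1]
        if tag == "Indicator":
            results.append(_indicator_matches(child, record))
        elif tag == "IndicatorItem":
            results.append(_item_matches(child, record))
    if not results:
        return False
    return all(results) if ind.get("operator", "AND").upper() == "AND" else any(results)


def scan(ioc_xml, records):
    """Return the names of the records the IOC's top-level Indicator matches."""
    top = ET.fromstring(ioc_xml).find("ioc:criteria", NS).find("ioc:Indicator", NS)
    return [r["ProcessItem/name"] for r in records if _indicator_matches(top, r)]


if __name__ == "__main__":
    print("specific:", scan(SPECIFIC_IOC, RECORDS))   # only the known sample
    print("generic: ", scan(GENERIC_IOC, RECORDS))    # sample, variant, and the debugger
```

The specific IOC hits only the known hash and misses the repacked variant; the generic IOC catches the variant it has never seen but also flags the debugger, which is exactly the false-positive cost the table assigns to generic IOCs. Tightening the generic IOC (adding a negated IndicatorItem on the process name, or a parent-process term) is how the "define & improve" loop from slide 5 pays that cost down.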

Slide 12

Examples: Andromeda, Tinba

Slide 13

hollowed process: path from the PEB

Slide 14

Stuxnet: path from the FileObject in the VAD is null
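
The two hollowing checks named on slides 13 and 14, as an added example that is not openioc_scan's code: compare the executable path the PEB reports with the path of the file object backing the VAD that holds the image base, and treat a missing file-object path on that VAD as a separate indicator. The process records, PIDs and paths below are constructed; the drive-letter stripping reflects the usual difference between a PEB path (C:\...) and a file-object path (\Windows\...), which is an assumption about the input format rather than something the slides state.

```python
"""Process-hollowing heuristics over constructed memory-forensics facts (added example)."""


def _normalise(path):
    """Make a PEB path and a VAD file-object path comparable (assumed formats)."""
    if not path:
        return None
    p = path.replace("/", "\\").lower()
    if p.startswith("\\??\\"):      # NT object-manager prefix sometimes seen in PEB paths
        p = p[4:]
    if len(p) > 1 and p[1] == ":":  # PEB carries a drive letter, file-object paths do not
        p = p[2:]
    return p


def hollowing_indicators(proc):
    """Return the list of hollowing reasons for one process record (empty if clean)."""
    reasons = []
    peb = _normalise(proc["peb_image_path"])
    vad = _normalise(proc["vad_file_path"])
    if vad is None:
        # Slide 14 (Stuxnet): the VAD containing the image base has no FileObject path.
        reasons.append("image-base VAD has no FileObject path")
    elif peb != vad:
        # Slide 13: PEB still names the legitimate image, the mapped file says otherwise.
        reasons.append("PEB path %r != VAD FileObject path %r" % (peb, vad))
    return reasons


def scan_hollowing(records):
    """Map pid -> reasons for every record that shows at least one indicator."""
    return {r["pid"]: hollowing_indicators(r) for r in records if hollowing_indicators(r)}


# Constructed process records: a clean service host, a hollowed one, a Stuxnet-like case.
PROCESSES = [
    {"pid": 1004, "name": "svchost.exe",
     "peb_image_path": r"C:\Windows\System32\svchost.exe",
     "vad_file_path": r"\Windows\System32\svchost.exe"},
    {"pid": 2048, "name": "svchost.exe",
     "peb_image_path": r"C:\Windows\System32\svchost.exe",
     "vad_file_path": r"\Users\victim\AppData\Local\Temp\dropper.exe"},
    {"pid": 868, "name": "lsass.exe",
     "peb_image_path": r"C:\Windows\System32\lsass.exe",
     "vad_file_path": None},
]


if __name__ == "__main__":
    for pid, reasons in scan_hollowing(PROCESSES).items():
        print(pid, reasons)
```

A process name alone would not separate the three records: all of them carry plausible system names, which is why the slides push these structural, function-based checks rather than name or hash matches.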

Slide 15

ZeroAccess

Slide 16

parameter: detail=on
Dridex

Slide 17

No recoverable text

Slide 18

No recoverable text

Slide 19

No recoverable text

Slide 20

No recoverable text

Slide 21

"IDENTIFY_DEVICE" command
read/write of ATA device registers

Slide 22

No recoverable text

Slide 23

No content

Slide 24

Examiner / Target Machine (remote scan workflow):
1. deploy the F-Response agent
2. acquire RAM
3. identify the system profile from the SOFTWARE registry hive
4. execute openioc_scan

Slide 25

No recoverable text

Slide 26

No recoverable text

Slide 27

DEMO (EMC)

Slide 28

No recoverable text

Slide 29

No content

Slide 30

No recoverable text

Slide 31

No recoverable text

Slide 32

References (Cont.)

[1] OpenIOC parameters used by openioc_scan
    http://takahiroharuyama.github.io/blog/
[2] Analyzing Malware Hollow Processes
    https://www.trustwave.com/Resources/SpiderLabs-Blog/Analyzing-Malware-Hollow-Processes/
[3] The Art of Memory Forensics
    http://as.wiley.com/WileyCDA/WileyTitle/productCd-1118824997.html
[4] Equation Group: questions and answers
    https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
[5] Internet Infrastructure Review (IIR)
    http://www.iij.ad.jp/en/company/development/iir/
[6] Remote Malware Triage Automation
    http://takahiroharuyama.github.io/blog/
[7] F-Response
    https://www.f-response.com/
[8] MoonSols Windows Memory Toolkit
    http://www.moonsols.com/windows-memory-toolkit/