openioc_scan – IOC scanner for memory forensics

Transcript

1. openioc_scan Takahiro Haruyama (@cci_forensics) Internet Initiative Japan Inc. SECURE 2015

2. :CJ H .& • ,J IMD .IP MNDB NJ I

   SMN N .IN I N .IDND NDP / K I .I • .. .IN I N .IA MN O NO PD • CNNK DDE ? EK I JHK IS ? P JKH IN DD DI? R CNH • M IN NDJIM I? - I?M JI MM M • F - N D ADIBM O JK MD 2 ,. OHHDN , : . ,. N • S J ?M • IND AJ IMD M H HJ S AJ IMD M . N B N ? NN F OB • JB • CNNK N F CD JC OS H BDNCO DJ • K OBDIM M DKNM AJ J ND DNS , H J F . J .HHOIDNS OBB I? I M

3. 3 . • • . A • - . .

   • . . .3 • .

4.    
   

5. ) 5 • 5 ) ) ) ) 5 )11

   5 ( • specific indicators • e.g., URL, file hash Forensic Analysis • generic (function-based) indicators • e.g., used API, binary code Malware Analysis • define & improve • scan on live system, disk image, memory image IOC

6. 6 42C43 • ,6 I 6 C 4 ) C43

   6 6 6 65 3C 3 . 3 I 3 6 1 • C43 C )C 6 6 ) 3 • 43C6 C6 C F6 6CC 6 3 6 6CC 3 4 6C 4 5 3 3 6 6 C 1 • C C I 5 C . C 3 3 6 • I 34 3 6C 6 65 • 1 • 42 6 1 • 4 3 (1 (

7. 8 7 • 9 9 9 9 • C 8

   1 C 9 77 • 7 8 91 8 7 7 C 71 8 1 • 77 9 8 9 • 8 7 
    1 8  
   

8. , ) .8 • - . • ) -() -1

   = ) -() • . ) 1 = =C = = 1 • • 1 .C 8 1 . • • 8 1 = 1 ) PlugX detected

9. 88 9 95 • 3 9 9 5 9 95

   Term Category Term Examples ProcessItem name, command line, parent name, DLL path, process/DLL DKOM detection, code injection detection, imported/dynamic generated API table, string, handle name, network connection, IAT/EAT/inline hooked API name, enabled privilege name RegistryItem metadata of executables cached by OS (ShimCache) ServiceItem service name/description/command line DriverItem name, imported/dynamic generated API table, string, hooked IRP function table, callback function type, timer function detection HookItem hooked SSDT entry FileItem filename/size/path based on carved MFT entry

10. 1 0 0 1 1

11. , 2 C 2 2 • A 2 2 2

    • , 2 • 2 2 A / . 1.A. 12 2 2 2 • 2 2 • 2 2 A 22 12 2 A A . 2 21 21 / . . 2 • 2 2 2 2 2 121 2 2 A A .A specific IOC generic IOC advantage easy to define (low false positive rate) detect unknown malware with similar traits weakness detect the malware only hard to define (high false positive rate)

12. C *G 1 C A 1 G • ( *.

    H C • A A G A G G A • *A G • G A * )GGC1 A H G 2 G • AA G I H A G *A, . H , G Andromeda Tinba

13. ) 1 • # # 3 F 0 3 •

    , 3 F 3 1 3 3 1 3 # 3 1 1 F 3 F 1 # 3 3 1 13 F 1 F1 # 3 1 3 3 1 • • 1 F1 1 3 • . 1 2 1 • 1 F1 1 3 # # ( F1 3 hollowed process path from PEB

14. , . 2 4 . ) # • # #

    0 1 4 • • 4 2 ( A2 (44 4 2 2 0 1 Stuxnet Path from FileObject in VAD is null

15. -E: E - :I E • . E C :I

    E :EC : IEC I : N • $ $ I :I C I /5- , • /5- , , I II I F E E :A :ECF I IN I FF : I E • 5 E 1. ) /I 2 N, - /I I, - • E :: CE A CE I 1. • EF E: : : :A EI E N . 5 I E N C : N I 1. I ( ZeroAccess

16. , 1 1 1 • :1 ( :: 1 1

    1 1 ( 1 • 1 6 1 1 :6 6 1 . . 6 6 1 • 1 6 : 1 1 • ) 6 1 1 . 6 6 parameter: detail=on Dridex

17. H 1 B I • , >C 1 B I

    C> H C >I> C AA A I H 0-H 7 H C I= I I A >IH >CI A H ) • >C B I> C#HI A>C B A I I> C • . .II C 2 HI 1 H C C C C = >C B A C B I >C I> C (

18. EDI 2 E C8D: • :8DD D 8BB .1 I

    8 ED C I 2., • E P 8I .1 CI EL IBE ED I • 8I ( E: II D8C 8 D E A :EDD : ED • IBE ( I D D8 O I D: I EEA )2. D8C • )LE :EC D8 ED E C B B .1 C :8 E I • -I : 8BBO 2 E: II. C 8D , L . C 8 8L BO 8 • , D C I 8 8 BO E B C I:E O 8 D Q E: II C L E EDI • .D E C8 ED N 8: O E D E: I:8D I :8: • D C I:8D E I8C C I I B D B II C • I 8 : D :8: / 8 8 8I • D8 O I D: I E L 8 1 :8: • DI 8 I 8 : D D L 8B E: II L C CE O C I

19. . 1.

20. TM K DIH LI • L IL DH LI? ?

    2 M LME DH . ( 9 • M ? G F L M M DH F ?DH K DIH3 M L K DIH,L ,I F . H M LD F . H M . HH L .DM • 0,, ADLG L L LI L GGDH GI? F HFM ) ?FF! DM FI ? ? IH K DIH,L H? L .DM • 1 H L M D?? H ? L DH 0,, • M DFF RDM M DH AIL LIPD?DH 51 DH I L

21. D3 7 8 AC 1 2 • D3 7 6C8

    8D D D 8 6A 6 8 D -8 68.A A CA /. • .A A CA A78D D87 • 0 8 6A78 I - D D87 9AC C8 7 C 8 C8B 8D D A9 0 78 68 C8 D 8CD • 8C 8 8C 9 6 A 7 8D 8 C8B 8D D • 0 8 7 A C 8 D 8 87787 8 7 • 6A A A9 8 7 D C 6 C8 “IDENTIFY_DEVICE” command read/write of ATA device registers

22. 9 . 299 • 3 • 299 A 9 23

    2 A3 2 A A A 3 • 2 C3 A 9 23 2 23 3 3 3 A63 A A 3 • 3 3 • 2 C3 - 23C 3 2 3 39 A :3
23. None

24. C F 1 AC . F 2F I CA C

    4 5 • C C 1 C 4 (5 ) F AC A F F • 1 C FC F C C = I = ! C CF CA I F • I = = A ACF 1 .! C AC . FC C C A • I CA 1 . I C FCA F AC A = - + I 1 C + . - Examiner Target Machine 1. deploy F-Response agent 2. acquire RAM 3. identify the system profile from SOFTWARE registry 4. execute openioc_scan

25. 2C : • D A C D + CA C

    D • D BAB C AB F C ( - C B D BAB C - : D ( C -( • E ED D E : D B D : D A D • ( CE D D ( CE D D ( F BD AB F C B ( CE D D ( D B (( • ECD A D : D E • ( CE D D A BD D D 2 D E 5 B F D BE D D B: D ( • ( CE D D ( F BD EC ( CE D D ( F BD C I) B D ( D E

26. 3 C • CA F F C : : F:

    F CC • C 6 C F C 6 C C 6 CI I 6 : C 6 F IA CF : C 6 • C • F( ). EI C • ( EI C CF F • ( - ). : ,24) F F EI C • C C • - C : F CC :A F : • : C • A CF

27. 
     DEMO (EMC) -10 2 -10 7 : 10. .

    . 2 . .1 .0 2 10. . . 1 777 777 777

28. 2 O N • IDBDMD NP MON I O IGT

    )1 PDNDOD I PO GN I PDNDOD I DI GP DIB ADG N RDO PI GG O G O NO OPN • NTNM B PN MM B HAO M A O OS H E PMI G • - N IN -G S DNF )4 PN • )1 PDNDOD I H T A DG I DI ( S • - N IN PB I O ADS • 8N I GO MI O PDNDOD I OD I PNDIB PH O S D MND I • PO PH O GN H T PN 6 R I PNDIB M H O PDNDOD I OD I L I O ADS • A IT O M MM MN F U M P G 6 ODIB DI ,) 1, I .DO P (

29. 
     

30. / ? C? • ( G C A 3 A

    G A C A • ? 30A3 A 3 A ? A: A -)A • . A C • ? 30A3 3 A? 3 3 -) ? A • ?A C 3 . : CG ? 30A3 • A3 ? • ?A C 3 . : CG

31. 3 • 8 4 C A / C - FI

    FC 1 C O 4 . F • I OOO F O C I C C :MI I O I • 8 C C M C C C • I AC M F C C M C C C • 8 F C 1I /1-: • I AC M F F C 1I /1-: • 8 PF 2 2 A / P • I I IC I A I IC PF • 8 F C C :O C • I AC M F F C C :O C • 8 F 2 2 A / P • I I IC I A I IC F • 8 2 /1- • I AC M F 2 /1- • 8 . 0 O 5 C A 6 C A 1I C : 7 C C 2 MAC • I C M F AC M C A F O C A M C A I C C C I MAC

32. HIHUH FH 1R W • A-B 9SH 691 :DUDPHWHUV VH

    E[ 9SH LRFCVFD • WWS. WD D LUR DU [DPD LW E LR EOR ( ( RSH LRF SDUDPHWHUV VH E[ RSH LRF VFD • A B / DO[ L 8DO DUH 5ROOR :URFHVVHV • WWSV. WU VW D H FRP HVR UFHV SL HU7DEV 0OR / DO[ L 8DO DUH 5ROOR :URFHVVHV • A B ] H /UW RI 8HPRU[ 4RUH VLFV S • WWS. DV LOH[ FRP LOH[12/ LOH[ LWOH SUR FW1 ) - WPO • A B ]3T DWLR UR S. T HVWLR V D D V HUV • WWSV. VHF UHOLVW FRP ILOHV ) 3T DWLR C UR SCT HVWLR VCD CD V HUV S I • A B 6 WHU HW 6 IUDVWU FW UH H LH 66 RO • WWS. LLM D MS H FRPSD [ H HORSPH W LLU WPO • A (B HPRWH 8DO DUH ULD H / WRPDWLR • WWS. WD D LUR DU [DPD LW E LR EOR ) UHPRWH PDO DUH WULD H D WRPDWLR • A )B 4 HVSR VH • WWSV. I UHVSR VH FRP • A B 8RR ROV L R V 8HPRU[ RRO LW • WWS. PRR VROV FRP L R V PHPRU[ WRRO LW