Cedric PERNET - Forensics, Malware & Cybercrime

Aller au contenu | Aller au menu | Aller à la recherche

mercredi 11 septembre 2013

Malicious activity detection: AV killing

Two months ago, I released a YARA rule and an IOC rule to detect some generic folder dumps files. It has been proven useful in the real world, showing that it is possible to detect some attacks on a host with very easy rules.

Today I had another detection idea, as basic as the previous one. It is based on my experience in malware analysis and incident response, so I hope it will be helpful to other incident responders, especially when they work on APT attacks.

As you might know, some malware, in addition to every malicious activity they can provide, do deactivate the anti-virus running on the system. Usually, these malware are easily noticeable because (once depacked) they show strings which are known anti-virus processes names.

Some examples are:

  • drweb32.exe
  • avscan.exe
  • etc...

These malware do usually know between 10 and 40 processes names that they absolutely want to kill.

Therefore, the idea is to try to detect any binary which contains these processes names.

I looked a bit around and found that Jerome Athias had released a "killav.rb" script in Metasploit. He provides us with 579 different processes names, all related to security tools and anti-virus products.

I asked Jerome and he kindly allowed me to use that list to build the YARA rule I was thinking of (with a bit of Python, it would have taken too long by hand of course).

The rule is built so that it will be triggered if 4 or more strings are found.

Please feel free to tweet me (@cedricpernet) or e-mail me any missing process name (there must be plenty) and I will update the rule accordingly. Also, if it triggers false positives, do not hesitate to reach me.

The YARA rule is here.

vendredi 5 juillet 2013

All your folders belong to us / with a little help from my friends

It has been a long time since I last wrote in english on this blog. The main reason is that I think there are not enough french ressources on Internet regarding APT, malware, incident response, and cybercrime, which are my favorite topics, as you might already know.

I therefore decided to publish in english language only when I thought the post was worth being shared widely.

But let's get right to the point of this post. Working on quite a number of APT cases recently, I noticed that the attackers often dump huge folders to a text file.

From the attacker point of view, it is just executing the "dir /s" command in a cmd shell, which lists folders recursively. The attacker usually redirects the output of the command to a file, doing it this way:

dir /s > 1.txt

The file is stored temporarily until the attacker decides to collect it, and deleted afterwards. The attacker may also not care (or forget) about it and leave it on the file system.

Forensically speaking, the deletion of this file is not a problem, as long as it is not rewritten, it can always be found.

From a detection point of view, it is very interesting to try to find these "folder dumps" on systems, as a possible indicator of compromise.

One has to be careful (as usual in incident response) to check that no legitimate user has generated this dump.

Now, one problem is left to detect these files: the operating system language. If you do incident response only in one country, no problem: usually you only need to check for dump files in your language, and in english (some users, no matter in which country they live, do always use english). Now if you do international incident response, you need to detect more languages.

I created a YARA rule and an IOC rule to detect these dump files in english, french, and german (Hello and thanks to my friend Axel who provided me with german dumps).

These rules should work on english,french,german Windows2000,ME,NT,Server,XP,7,8 systems. I did not check dumps for older systems.

YARA rule:
---
rule folder_dumpfile
meta:
author="Cedric PERNET"
date="2013/07"
comment="a YARA rule to detect dump files created by APT attackers"

strings:
$eng1="Volume in drive" wide ascii nocase
$eng2="Volume serial number" wide ascii nocase
$eng3="Directory of" wide ascii nocase
$eng4="<DIR>" wide ascii nocase
$eng5="File" wide ascii nocase

$fr1="Le volume dans le lecteur" wide ascii nocase
$fr2="du volume est" wide ascii nocase
$fr3="pertoire de" wide ascii nocase
$fr4="<REP>" wide ascii nocase
$fr5="fichier" wide ascii nocase

$de1="Volumeseriennummer" wide ascii nocase
$de2="<DIR>" wide ascii nocase
$de3="verzeichnis von" wide ascii nocase
$de4="Datei" wide ascii nocase

condition:
(all of ($eng*)) or (all of ($fr*)) or (all of ($de*))
---

And here is a link to my IOC file.

And with a little help from my friends, I might be able to update these files with other languages. Please feel free to send me "dir /s" dumps in other languages, I'd gladly integrate it into these detection rules.