Monday, May 30, 2016

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

Memorial Day Blessings

This past weekend I had the privilege of participating in a memorial service for a loved one in San Diego. Our beloved grandfather (through marriage, and great-grandfather to our children) passed away last week, and we all scrambled to fly to San Diego and celebrate his life.

Being a Mennonite, I had not previously had an opportunity to be exposed to a ceremony which included military honors. However, I have always adopted the philosophy that although our Mennonite theology is one of pacifism, we would not be able to have the choice to worship freely if those liberties hadn't been defended, fought for, and if many hadn't sacrificed their lives for them. So my belief on that matter has always been a very thoughtful one, and quite frankly with the threats our nation now faces, well, it's complicated,,,but I digress.

While poring over many photographs and memories of our dear grandfather, I learned about the Murmansk Run and how dangerous that passage was during World War II. So dangerous in fact that our grandfather, who was a Gunner in the Navy, had earned a Bronze Star and a Purple Heart.


The graveside message that the Reverend left us with will stick with me for a very long time. He opened by saying, "No matter what your political beliefs are in this heated election year, there's nothing that unifies us greater than the loss of someone who has served our country."

And that, my friends, is why I have had many conversations over the course of this Memorial Day weekend, to stop, pause, and make sure my 6 year-old and my 2 year-old, understand why they have the day off school, and how important Memorial Day is, not just today, but every single day.  Blessings to all the families who have lost a loved one who has made the ultimate sacrifice, and to all who are serving and have served our great country.

Friday, April 29, 2016

I Heart Malware!


I love malware, I really do.  And let’s face it, malware gets a really bad rap!  After all, it’s evil, it’s vicious, and no one wants it, right?  Hmmm…that’s funny, cuz I download as much of it as I can!  It fascinates me, almost to the point of getting me in trouble with one of my Supervisors.  Yup.  As it was so delicately explained to me, “Mary Ellen, malware to you is like a needle to an addict.  I can remove the drug but the needle is still stuck in your vein.”  There’s a back-story to that which I won’t bore you with, but it was all in good fun mind you, he was absolutely right-on with his assessment and here's why.  I was way too focused on commodity malware, meanwhile behavioral hunt-work such as lateral movement and looking for good-tools (#Goodware) being used for bad was taking too much of a backseat.  But, I digress.

So why do I enjoy looking at malware so much anyway?  Well, it’s smart enough to sneak through a ton of sensors (like a good pen-tester), and occasionally it’s very well written.  OK, so where am I going with all of this?

I was recently discussing a custom piece of “malware” that a co-worker had written, and as he was describing it to me, my mind was racing to a million different places.  What a cool piece of code!  Most of the a/v engines were calling it malware, but it was really just a cleverly crafted program that wasn’t evil at all. Yes, it stopped a process to inject something then started it back up again, but it didn't do anything malicious per se.

OK, OK, so the hardcore malware entomologists amongst the group could argue that in fact that’s actually not malware to begin with, it’s #goodware…but the end-point solutions are all whacking it due to its “malcode”, so doesn’t that make it malware?  If malware was strictly defined by heuristics, maybe, but that could lead to too many false positives.

What’s my point?  Whatever you want it to be.  If your take-away is simply to think about “good code” vs. “malcode” then maybe that’s beneficial to you.  If you’re now wondering about or reevaluating your current security controls and why those solutions are allowing grayware or adware into your enterprise, then maybe that’s helpful also.  And BTW, what files does your organization currently allow or block?  Do you allow zips?  If so, do you block zips if they're encrypted?  Or, maybe you filter zips by file-type content, like .exe, .js or .scr inside of a zip (of course one could manually change the file extensions to bypass)?  Additionally, are there files that you block as attachments straight-up such as .doc, .docm, .rtf or .xls?

I wrote the above blurb earlier in the week but didn't have a chance to post it, and just today a friend sent me a link to a FAR BETTER post, so check that one out too!

Friday, April 22, 2016

What Language Does Malware Dream In?

PREFACE: I am not an expert on any of the following, I'm merely sharing my ideas and questions, almost stream of conscious style, cuz sometimes when you ask wacky questions, you glean actionable intel. The following is a learn-as-I-go exercise and not definitive data or even perhaps 100% correct, it's simply a work-in-progress that seemed to make sense to release in the wild, all names removed.

The other day a friend hit me up with a link to a video. That friend is someone I completely admire and he's one of the smartest guys I've ever met. I had a ton of meetings that day, so I couldn't immediately put on my Beats and check it out. A few hours later, he IM's me: "Check out that video yet?" "No, but I will." "Best presentation I've ever seen, I'm going to buy every single one of his books!" That was coming from someone who recommends at least one article or video a week, so for him to come back like that, I knew I had to stop what I was doing and make it a top priority. The video ended up being one of the best I’ve seen as well. Right up there with my two long-time favorites: "Lateral Movement" by Harlan Carvey and "Finding Unknown Malware" by Alissa Torres of "Malware can hide but it must run" fame - the audio on "Finding..." has some issues, but I've watched it so many times I've lost track, it's worth putting up with the less than perfect audio. Alissa actually did another presentation that's similar: "Detecting Persistence Mechanisms" but I digress. So, after watching the video that my friend recommended, I had a conversation with him. After our discussion, I began to think about some things... If organizations are only “watching” their netflow for the English language, could they miss something? In other words, if the Chinese, for example, have infiltrated your network, or are attempting to, they may be writing code or binaries that are in Mandarin and using UTF-16 encoded in 16-bits, which would be 2 bytes and currently not easily or (out of the box) detectable by most sensors.

So then I started to think about all the hundreds of malware samples I’ve looked at in the past year-and-a-half, and I can count on one hand the number of them that had a Chinese signature.

I've also seen artifacts of chats from unwanted guests already on networks, in English. So would it also make sense to hunt for very specific Chinese language characters or strings of characters?

Not having all of the answers, and again not being an authority on any of this, I “phoned a friend” and ended up sitting down with two of my favorite Mandarin character experts, which of course led to even more questions :( ...

 

(1) Speaking only about binaries (not isolated strings or chats), if the binaries are undetected wouldn't they eventually still need (in the end) to convert to Assembly to run, and if so, you'd see them then?
 

(2) Based on (1) above, should one perhaps just be filtering on binary headers and looking at just the signatures?

(3) Would another approach be to search the binary source code for Chinese language characters?

What I learned was that the language of the binary is “usually” defined by the resource section. You have the locale ID and/or language identifier which tells you the language. For example Locale 0x0409 is English, 0x0X04 is Chinese (as well 0x0004, 0x07C04, 0x0404, 0x0804). Or, for example, Lang ID 0x09 is English, 0x0A is Spanish etc. For YARA it would be something like pe.language(0x09) for English.
Other codes: https://msdn.microsoft.com/en-us/library/windows/desktop/dd318693(v=vs.85).aspx

One challenge could be if you have employees who are Chinese, or offices in China, unless your searches are very specific, they could result in multiple false positives. And of course my inquiry isn't really just about China, that's merely one example. From there you could expand your character searches to Arabic, French, Korean, Portuguese, Russian etc.

Yet another one of my trusted contacts with whom I often bounce things off of had previously advised me that using a language scheme as an IOC is not going to generate meaningful data, period. So next I sat down with one more person to discuss all of the above, and quite frankly for a sanity check. My takeaways from that meeting were (a) I wasn't crazy, and (b) there's one more possible angle and it's regional based. For example, malware written in VB may be seen as elementary, and frowned upon by a high caliber of threat actor such as Russian, and that generally the more difficult programming languages are more respected among those circles. That doesn't mean that malware written in VB isn't from Russia, for example, but maybe it could help narrow your initial search.


Lastly, a little bird told me that if you're going to find any of the above proactively, before the headlines hit, your answer may lie in hunting for behavioral anomalies, machine learning,,,and a whole heck of a lot of luck! Because, I was reminded, we have to be lucky all the time, they only have to be lucky once.

Monday, April 11, 2016

Gone Phishing!

Is it just me, or has there been a recent uptick in articles on Phishing?  The following is a presentation I submitted about a year-and-a-half-ago in an attempt to be a speaker for one of my favorite consI wasn't picked :(  BUT, in the spirit of "turning lemons into lemonade", I'm going to put the paper out there in the off-chance that others might benefit.  The information is a bit dated, but for someone just learning how to triage a phishing campaign, perhaps it could help.  Enjoy!  http://bit.ly/PhreshPhishTuesday

Updating this post, cleaning it up a bit, and adding the paper in PDF format: http://bit.ly/MalwareLab - Also it's got a malware lab section that may be helpful if you are building your own.

Sunday, February 14, 2016

Got Tools?

I was recently approached about what tools might be good for use in a malware lab, so I created a directory listing of my "Tools" hard drive and then just added a little formatting.  Afterward, I decided that the list I had might be helpful to others who may be building a virtual lab analysis environment for the first time (malware or otherwise), so just in case it's useful to others, I figured I would post it.  The list is by no means exhaustive, and by its nature includes some duplicates, but it does (in my humble opinion) seem to represent a nice blend of both malware analysis and digital forensics tools. Enjoy!

Update: I had a long plane ride after I wrote the above post, and I wanted to address a follow-up question my friend had about building a malware lab.  I may devote an entire post to that down the road, however for now a couple of quick updatesI was asked which flavor of OS to use, and there are a couple thoughts I have about that... 

(1) If you're building the lab for your work environment, and most of your users have a standard image, there is an argument toward using that exact configuration.  That way, when testing a piece of malware, you may have a better sense of how it may behave in your environment.

(2) No matter which OS you choose, if you are using VMWare to detonate malware, make sure you turn OFF memory sharing...just to be safe!

Tuesday, March 11, 2014

Some Links I Follow

Update: I had a request to update my lists below to include links to malware sample repositories.  Just a word of caution to be very careful with any of the links in red.  I also think that one of Lenny Zelter's pages about malware research samples says it all, and would advise reading his page before using any of the links in red.  I have also added a few more sites to the list, and can continue to do that as I come across additional pages.  Lastly, the OPML file has also been updated, but doesn't include many of the malware sample sites because most of them didn't seem to offer a feed option.

I've been meaning to share the list of links that I follow for a while now.  Below is a link to a spreadsheet that I created which lists separately the HTML URL's from the RSS URL's for sites which I follow.  I also added a link to my Feedly OPML dump.  I figured it would be a nice update to the blog since I don't have very much time to post these days.  Feel free to download and import into your readers, bookmarks, etc.  I have quite a few more that I didn't add because they were links to online sandboxes and/or malware repositories, so they really weren't RSS type links, and I also was a little hesitant about posting links to malware.  I think for the most part the list has been de-duped, so if it looks like there are doubles, you might find that a site simply has more than one feed that it offers, but send me a heads-up if you believe otherwise.  Also, if you would like the full list, contact me and I can send it out or post it.  Enjoy!

XLSX:
https://docs.google.com/spreadsheets/d/1OVpy7waqz5oY_CD8uYG0hayTRDLLd7zIgEZCtjsWy-k/edit?usp=sharing

Feedly OPML:
https://drive.google.com/open?id=0B0CinYp-Pe4-VFN3UXl6ZkMwZ2c