
Brian Bell - Detection of malicious capabilities using YARA

BSides Augusta, published 2016-09
About this talk
Video from BSidesAugusta 2016.
Transcript (en)

Hi folks, Irongeek here. Unfortunately the microphone was not turned on, so we have no audio until about the 8 minute 35 second mark. Sorry for the inconvenience.

Okay, okay, fair enough. Who was the last speaker? 'Cause I think maybe they have the microphone. He took it off, but I know... How many microphones you got on you, two or one? One. All right, continue at least, look, recording ambient. Fair enough. I'm going to look around for that microphone, it's got to be found. So as I was saying, we can calculate Shannon entropy as a pretty reliable heuristic for detecting packed or encrypted executables, even if they don't fire against a PEiD or YARA signature. In that case we've gone another layer into being able to detect malicious capability, so if we find something that's packed or encrypted...

Two microphones now? Yeah, we have to. Sorry, I didn't know. Yeah, I just knew it didn't look good. I'm just going to pretend that makes me twice as important, which is still not very. Okay, I think now we're recording properly. Awesome. So in the case that an executable has been seen to be packed or crypted, we might even choose to adjust the suspicion score a little higher, arbitrarily, just because while packers and cryptors aren't malicious in and of themselves, they are most often used for malicious software, right? I think we all know that. And I'm sure you were hoping for a more technical talk. I'm hoping for a little bit more discussion, because, simply put, as I said before, I am possibly the world's worst programmer, so I'm hoping to draw a lot of other people into this effort, trying to make it kind of an open-source heuristics engine, really. So I want to draw other people into this, I want to get people talking about it, and I want to get people on board with helping code some of this. So I've written quite a few signatures. Ben Nolles over here, who I work with, has written a few. I think some of our signatures are getting packaged in with rimn, so that's kind of cool. Our fault? It wasn't our fault, I didn't ask him to do that.

So I'm slotted for an hour up here. Are there any questions, critiques, criticisms? Have I missed something really obvious in this? Yes?

Have your signatures identified any new malware that hasn't been known to to upate?

So far we have not written enough signatures to be useful for that. I'm definitely getting suspicious capabilities from known malicious software that has very low antivirus detection rates, and that's obviously not the same, but it's about as close as I've gotten so far. Anyone else? This will be a very short discussion if there's no questions.

You looked at mraptor? It's in oletools. Basically it's specific to Office, you know, document stuff, and it'll come out full that are Comm right.

Right, and it's a very similar idea. It's part of where I got the idea for this, actually. The other part was from RSA Security Analytics, specifically its malware analysis component. So I used to work for one of their MSSPs, don't hold that against me, I won't name the company, please don't hold it against me. But one of the really cool things about that module, and I'm sure other tools can do it, that's just the one I know, is it has the ability to detect files on the wire and apply YARA signatures to them, and then in the investigation screen you can navigate and carve out based on metadata that's applied arbitrarily by these rules. So at that point I first discovered that almost none of our customers were using the malware analysis module, which made it not very useful, but it kind of ingrained this idea in my head that rather than just looking for known malicious files, I could be looking for known malicious capabilities instead. So I know some of the signatures you see in Security Analytics will be things like a PDF with a bad xref section, and it can detect that using built-in YARA rules, but we never had any way to combine those rules into something that would be high fidelity, and that's what I'm trying to do with this project. Anything else? Yes?

Just speak to, have you run into this, the aggregation of the suspicion rating? So you got 20 rules, each of them has a dedicated suspicion rating, for each rule, of whatever number. Have you run into any cases where a given file hits on, I don't know, seven of those rules, and because it was those specific seven, the aggregation of those together in your mind would equate to a much higher or lower suspicion rate? So not paying attention just to the suspicion rating in each po, but aggregations of those, and did that influence either your tuning of the rules or how you analyze the data coming out of your YARA hits?

So I've run into that in one very specific case in my current job, you know the file I'm talking about. It is a daily update, I won't speak to it all that much, but the heuristics on it and the capabilities it has look like the most malicious piece of software ever written, and we wrote it on purpose and it's completely non-malicious. So I'm definitely still trying to use that and similar cases to tune down the rule set, possibly write some exceptions for specific combinations of capabilities. Yes?

So I blinked and missed exactly how the rule was pulling the keystroke. I assume you were looking for like the system function call, right?

In this case I was looking for the Windows API call.

Okay, have you experimented at all with looking at more behaviors of evasion for highly evasive malware, like doing CPU stalls or checking if the Windows frequently used documents is populated, and things like that?

So I am working on some heuristics for those. I definitely don't have anything I would consider production ready. Trying to kind of write those on a case-by-case basis as I see samples actively using them, and unfortunately I don't have enough time these days to go out and hunt for samples, so I'm largely limited to just what crosses my desk at work. But yes, absolutely, I am making an effort and would welcome all the help in the world, if you're into malware research, with gathering more useful heuristics for that.

It's like giving a brown bag at work, it's hard to draw questions out of people. I know you have questions, you want to tell me why I'm wrong, why this won't work, come on, do it. No? All right, well, this may be the shortest talk in the history of BSides then. Maybe not, I don't know, somebody may have given like a 10-minute presentation. Do you have anything? No, I can talk. You're involved in this effort too.

Thing on? Oh God, it is. So I think an interesting aspect about what Brian's trying to do with this, and that I'm trying to help with, is the pivot from using YARA to identify files or pieces of files, or even binary images in memory or on the network, but to try to look more back towards these capabilities: what do these software modules do, or what can they do? And I think that's a good match for YARA most of the time, because we can use it in all kinds of interesting places that we can't use other tools. One of the things that I end up doing a lot at work, as well as in my L3 time, is memory analysis, and it may surprise some folks to know that you can actually run YARA rules against raw memory. So being able to use these rules that we're trying to write, it'll help to evaluate the capabilities of these modules in memory as well as on the network. To Brian's point, I think it's a really great way to do it. They're extremely vulnerable, because it's already unpacked and decrypted and possibly already done something malicious, so the strings and bytes, which is all we can look for in YARA, are there for us to find, and then it's just a case of us, you know, signaturizing the stuff, writing rules and figuring out how to score it. So I think there's a lot of AI approach. I think that the rule writing is a part of it that the community can really help out with, that the massive machine for processing all of these that we're trying to do is going to be specific to an environment. So if you don't want to do that, or if you don't see how you can help with that, that'd be great, but if you have even a single idea for a malicious or interesting software capability, and possibly one or more strings or runs of bytes that would indicate that it's available, throw it at us. I have some of the stuff in a GitHub. I can get a logo, you know, we can get a thing going in a hurry if we get a few more people to help, and I really think that it will be a useful tool for a lot of folks in a lot of different ways, as a supplement to some of the other detection methods that we already have. Because using YARA as a substitute, or as an additional AV scanner that you might have a little more control over, it's not the best use of it. It can do so much more, and it's so, compared to some of the other stuff that we can work with, just, better rules will make you get better results.

And on that note I would like to make the point, I'm not presenting this as the be-all and end-all that's going to end the antivirus business, by any stretch of the imagination. It's just another tool in the toolbox. I hope that we can build it into a really, really useful tool, and I'm going to keep reiterating, I will consider criticism every bit as valuable as any input you may have, so please let me know if I'm doing this all wrong. See, he's going to let me know.

No criticism here. So I really like this idea, so I'm just going to spit out like a signature that came to my mind as you were describing this. One would be for like a really easy method of detecting privilege escalation, so like scan for all user mode PEs.

So how would you scan for that?

I guess going off the PE format, so to differentiate like a driver versus a user mode PE, I'd probably look at the subsystem field in the optional header, so it would be marked, most likely, as a driver, right? No? And then any imports, like the imports that I would certainly be interested in in any binary would be like NtQuerySystemInformation and NtQueryIntervalProfile, two of the most common primitives out there.

Yeah, absolutely, it might be pretty high. Yeah, absolutely. And I hadn't actually thought of that, so awesome. You taking notes on this? Okay, yes.

Can I get like 20, 30 minutes of your time after everybody else?

Sure, yes, okay, fair enough. Any other questions, commentary?

Yes, all right.

Can you show us or describe operational deployment of YARA? I've never seen it. I've heard of it, read of it, I've never seen it where you layered it with, you know, your AV solutions and it provided additional, I guess, data to a reaction.

So that is a huge part of what I'm unsuccessfully trying to write, and why I'm trying to draw other coders in. It's easily possible through yara-python, so if you didn't know, there is a Python module specifically for interacting with YARA. You just need to be a good enough programmer to do it, and for anything beyond assembly I'm fairly ignorant. As nearly as I can tell, I'm the only person below the age of 50 who learned assembly and thinks C++ is confusing. So, yes?

Is your goal with this then to have a repo of YARA rules that are shared in the community, or are you looking to build an application that other people would install that also runs all these YARA rules? And the reason I'm dropping that question is I'm curious how you would compare or contrast this to other frameworks like the Lockheed Martin LaikaBOSS, which sounds possibly similar to this.

So I admittedly have heard of LaikaBOSS, I haven't so much as git cloned it. I keep telling myself I need to, but there's never enough time. That said, both. So I definitely want to do the community rules repo, and then whatever code ends up being finalized for a framework I want to host that open source as well, so it's definitely there for anybody who wants to download and use it, but it is also there for anybody who wants to modify it or make it better. Please do. And if nobody else contributes I'll eventually post my code, but I don't recommend using it. I'm a very, very bad programmer, I can't reiterate that enough.

All right, if there are no more questions, that's all I had. I will be hanging around for a little while if anybody wants to find me and talk offline, or up here is my email and my Twitter, so you can certainly find me. Thank you. [Applause]
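The scoring approach discussed in the Q&A (per-rule suspicion scores aggregated per file, a Shannon entropy bump for likely packed or encrypted executables, and an exception for a known-benign combination like the speaker's daily updater), written out as an added example that is not code from the talk or the speaker's project. The rule names, scores, threshold and exception list are all constructed assumptions; in practice the matched rule names would come from the `match.rule` values returned by yara-python's `rules.match()`, and the file bytes from the scanned file.

```python
import math
from collections import Counter

# Constructed rule set: rule name -> suspicion score (assumed; not the talk's rules).
RULE_SCORES = {
    "keystroke_capture_winapi": 30,     # Windows API keystroke-capture imports
    "process_injection_primitives": 35,
    "anti_vm_cpu_stall": 20,
    "network_beacon_strings": 25,
    "self_delete_batch": 15,
}

# Constructed exception: an internal updater that trips exactly this pair of rules.
EXCEPTED_COMBINATIONS = {
    frozenset({"network_beacon_strings", "self_delete_batch"}): "internal daily updater",
}

PACKED_ENTROPY_THRESHOLD = 7.2   # bits/byte; assumed cutoff for "likely packed or encrypted"
PACKED_BONUS = 15                # arbitrary bump, as the speaker suggests


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_file(matched_rules, data: bytes) -> dict:
    """Aggregate suspicion for one file.

    matched_rules: names of YARA rules that fired (unknown names score 0).
    data: the file body, used only for the entropy heuristic.
    """
    matched = frozenset(matched_rules)
    entropy = shannon_entropy(data)
    # Whole-combination exceptions override everything, including the entropy bump.
    for combo, label in EXCEPTED_COMBINATIONS.items():
        if matched == combo:
            return {"score": 0, "entropy": entropy, "reasons": [f"excepted: {label}"]}
    reasons = [f"{r} (+{RULE_SCORES[r]})" for r in sorted(matched) if r in RULE_SCORES]
    score = sum(RULE_SCORES.get(r, 0) for r in matched)
    if entropy >= PACKED_ENTROPY_THRESHOLD:
        score += PACKED_BONUS
        reasons.append(f"high entropy {entropy:.2f} (+{PACKED_BONUS})")
    return {"score": score, "entropy": entropy, "reasons": reasons}
```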