The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner


Scan-based Forensics Solutions Are for Cavemen

Posted by Xavier Ashe on January 21, 2015

This blog post I wrote for the Bit9 Blog and was published on January 15, 2015.


I had the opportunity to work with a global services firm that had some problems with malware on machines that were running Bit9. They were running Bit9 in “High Enforcement” mode, so the infection was being blocked, but they wanted to get to the source of the attack, since it was creating some noise in their SIEM.

At that point the customer only had a few clues. They knew that something was creating a task in c:\windows\system32\tasks that was named with a GUID (e.g., {462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}).

That task would then attempt to run regsvr32.exe to register a dll file in c:\windows\system32. The dll files they encountered were named with five or six alphabetic characters; in one example, ssaxxo.dll was dropped into the c:\windows\system32 directory.

Each dropped file had a unique hash, yet all of them were detected as known malware. Whenever a dll file was dropped into c:\windows\system32, a second file with a different name appeared in c:\windows\syswow64 as well. Both dll files appeared to have been written by rundll32.exe.

It was confirmed that their antivirus of choice did not detect this threat, while Bit9 did.

However, without more context, all they knew was that they had a vulnerability somewhere. The question was: “Where?”

At this point, the customer sent us the logs to review and collaboratively find the source of the exploit. Our Bit9 Threat Research Team jumped in, and it didn’t take long to assess the issue.

Internet Explorer was being exploited.

An IE exploit was used to drop the first dll file, create the scheduled task, and then pass the dll file to rundll32.exe. Rundll32 then wrote the file they had discovered, and the scheduled task attempts to register it via regsvr32.exe, which Bit9 blocks. The scheduled task is set to keep retrying every 10 minutes.
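As an added example (not from the original post, and not a Bit9 or Carbon Black tool), here is a small Python triage script for the persistence artifact described above. It parses Task Scheduler XML of the kind stored under C:\Windows\System32\Tasks and flags a task whose name is a bare GUID, whose action runs regsvr32.exe against a five-or-six-letter DLL, and which repeats on a short interval. The embedded task XML is constructed for the example: the GUID and the ssaxxo.dll name are the ones quoted in the post, while the /s switch and the PT10M interval are assumptions.

```python
"""Triage scheduled tasks for the GUID-name + regsvr32 + short-DLL pattern.

Added example, not part of the original post or of any Bit9/Carbon Black
product.  The sample task XML below is constructed; the on-disk task files
are UTF-16 with an XML declaration, so read them in binary mode and let
ElementTree decode them.
"""
import os
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task files.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# A task name that is nothing but a GUID, e.g. {462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# A DLL whose base name is five or six letters (ssaxxo.dll), any directory prefix.
# On its own this is noisy (ntdll.dll matches); it is the combination that counts.
SHORT_ALPHA_DLL = re.compile(r"^(?:.*[\\/])?[A-Za-z]{5,6}\.dll$", re.IGNORECASE)

# ISO 8601 duration as Task Scheduler writes it, e.g. PT10M or P1DT2H.
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def duration_minutes(interval):
    """Convert a repetition interval such as "PT10M" to minutes (None if unparsable)."""
    m = ISO_DURATION.match(interval or "")
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60.0


def split_args(arguments):
    """Split a Windows argument string into tokens, honouring double quotes."""
    return [q or s for q, s in re.findall(r'"([^"]*)"|(\S+)', arguments or "")]


def triage_task(task_name, xml_data):
    """Return the indicators found in one task file plus an overall 'suspect' flag."""
    root = ET.fromstring(xml_data)
    findings = {
        "guid_name": bool(GUID_NAME.match(task_name)),
        "regsvr32_action": False,
        "dll": None,
        "short_alpha_dll": False,
        "repeat_minutes": None,
    }
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", "", TASK_NS) or "").strip().strip('"')
        if os.path.basename(command.replace("\\", "/")).lower() != "regsvr32.exe":
            continue
        findings["regsvr32_action"] = True
        for token in split_args(exec_node.findtext("t:Arguments", "", TASK_NS)):
            if token.lower().endswith(".dll"):
                findings["dll"] = token
                findings["short_alpha_dll"] = bool(SHORT_ALPHA_DLL.match(token))
    triggers = root.find("t:Triggers", TASK_NS)
    if triggers is not None:
        interval = triggers.findtext(".//t:Repetition/t:Interval", None, TASK_NS)
        findings["repeat_minutes"] = duration_minutes(interval) if interval else None
    findings["suspect"] = (
        findings["guid_name"] and findings["regsvr32_action"] and findings["short_alpha_dll"]
    )
    return findings


def scan_tasks_dir(root_dir=r"C:\Windows\System32\Tasks"):
    """Walk the Tasks folder (file name == task name) and collect suspect tasks."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings = triage_task(name, fh.read())
            except (OSError, ET.ParseError):
                continue  # unreadable or not a task file
            if findings["suspect"]:
                findings["path"] = path
                hits.append(findings)
    return hits


# Constructed sample: GUID and DLL name from the post, switch and interval assumed.
SAMPLE_TASK_NAME = "{462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}"
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2015-01-05T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32.exe</Command>
      <Arguments>/s C:\windows\system32\ssaxxo.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK_NAME, SAMPLE_TASK_XML))
```

Two caveats. The DLL-name check alone is worthless as a detection (ntdll.dll is five letters); it only earns its keep combined with the GUID task name and the regsvr32 action, which is why the script requires all three before marking a task suspect. And this finds only the persistence artifact left on disk; it says nothing about which process created the task or where it came from, which is exactly the process-lineage question the rest of the post is about.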

As we were going through this exercise, the customer wished they were also running Carbon Black.

They knew from a recent demo that Carbon Black can do this type of analysis in seconds. There is no need to review log files to connect the dots; Carbon Black assembles that data for you, and it is available with just a few clicks. With Carbon Black, the customer would also have known which IP address was exploiting them.

This ability to connect the dots is because the Bit9 Security Platform and Carbon Black operate in real time at the kernel layer. Products that merely perform file scans cannot deliver this level of visibility.

I think back on my days doing forensics on disk images and it seems like caveman days. It still surprises me that organizations are buying scan-based forensic software in what is very much a real-time threat landscape.
