SESSION ID:AIR-R12 THE BOTTOM OF THE BARREL: … · 4. Security Analyst with Cisco Umbrella for a...

SESSION ID:

#RSAC

Patrick Colford

THE BOTTOM OF THE BARREL:SCRAPING PASTEBIN FOR OBFUSCATED MALWARE

AIR-R12

Security AnalystCisco Umbrella (formerly OpenDNS)Twitter: @kaoticrequiem

#RSAC

Session Outline

2

Introductions - Who’s this Guy and What’s Pastebin?

Problems - Obfuscated Malware a-Plenty

Solutions - Fiercecroissant, a scrappy Pastebin scraper

Findings & Applications - What to look for, some interesting users, and what you might do with it all.

#RSAC

INTRODUCTIONS

#RSAC

Who’s This Guy? - About the Speaker

4

Security Analyst with Cisco Umbrella for a year and a half, employee with ODNS for 5 years.

Love of teaching, dancing, gaming, musical theater, and traveling.

Born on April 19th! Time for a birthday selfie, if you don’t mind.

#RSAC

The Barrel that is Pastebin

5

#RSAC

PROBLEMS

#RSAC

Obfuscated Malware on Pastebin

12

#RSAC

Malware in the Wild

13

#RSAC

Malware in the Wild

14

#RSAC

Malware in the Wild

15

#RSAC

Obfuscated Malware on Pastebin…5 Years Ago!

16

#RSAC

SOLUTIONS

#RSAC

Fiercecroissant: a Scrappy Scraper

18

Three parts to blocking bad stuff from Pastebin:Python scraper to detect it; python because it’s easy to use and we’re looking for non-word patterns.Decoding of commonly used obfuscation techniques to turn pastes into executables. Python is also good at this!Throwing of said executables into a sandbox environment: Threat Grid

#RSAC


19

Step One: Scrape that bin!

#RSAC


20


#RSAC


21


#RSAC


22


#RSAC


23


#RSAC


24


#RSAC


25


#RSAC


26

Step Two: Decode that paste!

#RSAC


27


#RSAC


28


#RSAC


29


#RSAC

30

#RSAC

But I can’t read assembly! D:

#RSAC


32

Step Three: Run that malware!

#RSAC


33

Step Three: Run that malware!

#RSAC


34

Step Three: Run that malware!Delicious DNS information:

#RSAC

FINDINGS AND APPLICATIONS

#RSAC

Lessons and interesting stats!

36

2,230+ domains found through Fiercecroissant through May with 799 blocks as of November 2017. 29,229 pastes have been collected since its beginning. Most blocks (50%+) are DDNS domains.Malware comes in two forms:

Raw encoded text, usually in Base64 or binary, but which also has been observed as ASCII or hex values.Wrapped within another language as an encoded value.

Common wrappers are PHP and Java, but Visual Basic has also been observed.There’s a lot of malicious stuff on Pastebin to find: c99 shells, defacement kits, hacking guides, and images likely used for phishing.

#RSAC


37




#RSAC


38




#RSAC


39




#RSAC

Examples: Base64 (Clear)

40

#RSAC

Examples: Base64 (Reversed)

41

#RSAC

Examples: Base64 (Substitution)

42

#RSAC

Examples: Base64 (Wrapped)

43

#RSAC

Examples: Binary

44

#RSAC

Examples: Hexadecimal (unstructured)

45

#RSAC

Examples: Hexadecimal (byte structure)

46

#RSAC

Examples: ASCII

47

#RSAC

Examples: PHP (c99 shells)

48

#RSAC


49

#RSAC


50

#RSAC

Examples: Images! (Phishing)

51

#RSAC

Examples: Images! (Phishing)

52

#RSAC

Examples: Images! (Hidden Information?)

53

#RSAC

THREE PEOPLE WALK INTO A BIN

The Scriptkiddie, the “Whitehat”, and the Wildcard

#RSAC

Examples: Routine Bad Actors - Ribang

55

PB user for 4 years. Most active since ‘17.

Lots of shells and defacement scripts.

Part of the IndoXploit team.

#RSAC


56




#RSAC

Baby’s First Defacer

57

#RSAC


58




#RSAC

Examples: Routine Good(?) Actors (PELITABANGSA)

59

PB user for 1 year.

“Whitehat” (?) researcher.

Uses PB to disclose shells, defacement scripts, teach techniques, and maybe also apologize for hacking people.

#RSAC


60

PB user for 1 year.



#RSAC


61

#RSAC


62

PB user for 1 year.



#RSAC


63


#RSAC

This isn’t responsible disclosure at all! D:

64


#RSAC

Examples: Routine Bad Actors (Breaker9691)

65

PB user for 3 years.

History of questionable pastes.

May have deleted prior malicious submissions.

#RSAC


66




#RSAC


67


#RSAC


68

#RSAC


70

#RSAC


71

#RSAC


72




#RSAC


73

#RSAC

“Apply” Slide

77

There is a ton of malicious stuff on Pastebin that you may not be aware of, either as a security professional or as a corporate entity. Start scraping it! Find the malware before it finds you!

Pastebin is still regularly used by malicious actors for different kinds of things. Just because it’s ancient in internet terms doesn’t mean it’s ignorable.

Consider blocking Pastebin if you have no need for it. As a vector for attacks and misleading information, it can quickly become a security concern.

Malicious actors will keep adapting. It’s important to review information from peers in the security community to adapt your defenses as well. ASCII detection was added in large part thanks to @ScumBots

#RSAC

Sources:

78

1. https://twitter.com/pastebin/status/5419121872838615042. https://blog.sucuri.net/2015/01/website-backdoors-leverage-the-pastebin-service.html

About Me! Twitter: @kaoticrequiem email: [email protected] or [email protected]

About FC:https://github.com/kaoticrequiem/fiercecroissant/

SESSION ID:AIR-R12 THE BOTTOM OF THE BARREL: … · 4. Security Analyst with Cisco Umbrella for a...

Documents

Transcript of SESSION ID:AIR-R12 THE BOTTOM OF THE BARREL: … · 4. Security Analyst with Cisco Umbrella for a...