Defining Behavior Patterns to Detect Rising Threats

17.05.17 Security

During the last week, we witnessed an unprecedented global outbreak of WannaCry infections. Come and check how you can detect WannaCry with a user-defined behavior pattern in Flowmon ADS and minimize its impact on your network.

WannaCry is on the attack these days... and it’s hitting hard! There have been 200 thousand reported victims across 150 countries according to Europol. The “ransomware” continues to infect many companies worldwide across all sectors, including the National Health Service (UK), FedEx (US), Sberbank (Russia), Telefonica (Spain) and more.
 
This ransomware targets Windows 7 and Windows Server 2008 or earlier systems that are not patched with Microsoft Security Bulletin MS17-010. It generally uses social networks or e-mail to infect victims. However, it can also infect servers by sending specially crafted packets over SMBv1 to servers vulnerable to the EternalBlue and DoublePulsar exploits.

What is interesting about the first version of WannaCry is that, after infection, the malware attempts an HTTP GET to a specific domain (the kill switch domain) and, if it succeeds, it stops its activity. If it doesn’t succeed, it proceeds to encrypt files with specific file extensions (the most commonly used files, i.e. documents and user data). The malware also tries to spread itself by scanning large numbers of Internet IPs on ports 138, 139 and 445 to find other vulnerable hosts. This activity is very easily detectable by the Flowmon solution using flow monitoring and anomaly detection. Nonetheless, it is important to say that detection based on port scans is only reliable if the ransomware doesn’t stop its activity. Once the malware has gone inactive after communicating with the kill switch domain, there are no port scans to detect. However, such a sleeping infection still represents a threat to your environment.

So from now on we will focus on using the information from the GET request, which basically means layer 7 visibility into HTTP or even DNS traffic provided by Flowmon Probe (or another supported vendor), and a new feature of Flowmon ADS 9.0 called 'User-defined behavior patterns'. With these capabilities, we are able to create a very specific detection method that automatically detects such malicious activity in the network and recognizes infected devices as soon as possible.

User-Defined Behavior Patterns in Flowmon ADS

User-defined behavior patterns are a powerful new feature that lets you customize the detection capabilities of Flowmon ADS. Users can define their own detection methods using SQL-like queries over flow data to detect various anomalies in the form of standard events, which are processed in the common ADS pipeline just like events detected by the built-in methods. Such a custom event gets prioritized and becomes part of alerts and reports. It is then passed to third-party systems using syslog or SNMP, or can even trigger a script or start a packet capture.

This feature allows us to detect events such as various protocol anomalies, usage of unsupported operating systems, communication with defined websites, or various attacks and security threats (e.g. SQL injections, path traversal attacks).

How to detect WannaCry ransomware? To do so, we will take advantage of its attempts to communicate with the kill switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com).

To create a behaviour pattern, go to “Processing - Custom Patterns” and click on the “plus” button. A dialog window will pop up where you can name the pattern code, which is the unique identifier. Then you can define the pattern description and the pattern detail, which is shown after clicking on event details and can help interpret the detected event. Finally, you define the pattern itself in the expression describing the behaviour pattern. It is possible to use various attributes of flow data, such as IP addresses, ports, and the number of transferred bytes and packets for both request and response. It is also possible to use variables, operators, regular expressions and even specific functions. For details and syntax, please consult the ADS user guide.

Detection of WannaCry ransomware is based on the following pattern, which uses the last 32 bytes of the kill switch domain (the HTTP host name field, as an attribute of flow data, is truncated to this length by default):
http_host = 'aposdfjhgosurijfaewrwergwea.com'

Fig 1: Pattern definition to detect WannaCry ransomware infection.

Fig 2: Detail of detected WannaCry ransomware infection.

And that’s it. Quite simple yet powerful! Don’t forget that you can create much more complex expressions to define patterns that detect e.g. SQL injections, path traversal and other attacks. The best part is that we will keep adding new behaviour patterns to the Flowmon ADS system and distribute them to our customers via update services so they can (optionally) use them. This will allow customers to detect rising threats and strengthen their network security without the need to investigate the behaviour patterns themselves. In the case of this particular ransomware, we have already included this domain in our reputation databases, so our customers are already covered. The main goal of this blog was to educate on the topic of ‘User-defined Behaviour patterns’ and the level of customization they can give you to detect and alert on specific traffic.

How to check if you were already infected

From now on, the Flowmon ADS module will detect WannaCry ransomware infection in your network. However, if you want to check whether the WannaCry ransomware was active in your network in the past, you can do it in Flowmon Monitoring Center - Analysis. Select a time interval and list flows using this filter:
dns-qname "aposdfjhgosurijfaewrwergwea.com" or hhost "aposdfjhgosurijfaewrwergwea.com"

If you don’t have DNS or HTTP protocol visibility from Flowmon Probes or other supported vendors, you can simply check for another symptom of the ransomware: the port scanning. Use the following filter:
port 445 and tcpflags "S" and not tcpflags "PURFA"
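
The two checks described above (matching the kill switch host on the truncated field, and the SYN-only port 445 filter) are combined here in an added Python example; it is not Flowmon code or ADS pattern syntax. It runs over constructed flow records, and the record field names, the scan threshold and the reading of the tcpflags filter as "SYN set, none of P/U/R/F/A set" are assumptions.

```python
from collections import defaultdict

# Truncated kill switch host, exactly as used in the page's pattern.
KILL_SWITCH_SUFFIX = "aposdfjhgosurijfaewrwergwea.com"
SCAN_THRESHOLD = 3  # assumed: distinct SYN-only targets on 445 before flagging

# Constructed sample flow records (private and documentation IP ranges).
FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 80, "flags": "SPFA",
     "hhost": "aposdfjhgosurijfaewrwergwea.com"},  # host truncated by exporter
    {"src": "10.0.0.9", "dst": "10.0.0.53", "dport": 53, "flags": "",
     "dns_qname": "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com."},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 80, "flags": "SPFA",
     "hhost": "example.com"},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "dport": 445, "flags": "SPA"},
    *({"src": "10.0.0.9", "dst": f"203.0.113.{i}", "dport": 445, "flags": "S"}
      for i in range(1, 6)),
]


def is_kill_switch(name):
    """True for the full or exporter-truncated kill switch host name."""
    # Suffix match: an equality test against the full domain would miss
    # records where the exporter kept only the tail of the host name.
    return bool(name) and name.lower().rstrip(".").endswith(KILL_SWITCH_SUFFIX)


def is_syn_only(flow):
    """Assumed reading of: port 445 and tcpflags "S" and not tcpflags "PURFA"."""
    flags = set(flow.get("flags", ""))
    return flow["dport"] == 445 and "S" in flags and not flags & set("PURFA")


def find_suspects(flows, threshold=SCAN_THRESHOLD):
    """Return {src_ip: sorted reasons} for hosts showing either symptom."""
    reasons = defaultdict(set)
    targets = defaultdict(set)
    for f in flows:
        if is_kill_switch(f.get("hhost")) or is_kill_switch(f.get("dns_qname")):
            reasons[f["src"]].add("kill-switch lookup")
        if is_syn_only(f):
            targets[f["src"]].add(f["dst"])
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            reasons[src].add("SYN-only scan on 445")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    print(find_suspects(FLOWS))
```

A host that reached the kill switch and went dormant shows only the lookup reason, which is why the scan filter alone is not sufficient.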