Gummer – Advanced Malware Hunting
BruCON 0x07 – Transcript
Le me
ERNESTO CORRAL Incident Response and Forensic Analyst
@xgusix xgusix.com securityinside.info
Introduction – Hunting Malware
• Hunt previously unknown malicious artifacts.
• Hunting Malware != Detecting Malware
• Anomalies: a deviation or departure from the normal or common behavior of a system or network.
Gummer – What is Gummer?
• FRAMEWORK for hunting Advanced Malware based on anomalies.
• “Host for plug-ins”
• Modular DB Query Engine
• Python
Gummer – Goal
Gummer’s aim is not to hunt “normal” malware. The anomalies approach gives you hints on where to look during the investigation, not evidence. Use it for day-to-day detection only if you are looking for APTs or state-sponsored malware; otherwise a lot of time may be wasted reviewing Gummer’s output.
Gummer – Structure
gummer.py
Modules: collectors, DB connectors, analyzers, outputs
Gummer – Modules
logs → db → analyzer → output
Gummer – Modules – Status
Status: Working
Analyzers • Eric Cole’s APT book
DB Connectors • MySQL • SQLite • Mongo
Outputs • Terminal
Collectors • Squid • pDNS
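As an added illustration of the collector → DB connector → analyzer → output pipeline above (example code written here, not Gummer’s own), a minimal Python version: the collector parses constructed Squid native access.log lines, an in-memory SQLite table stands in for the DB, and the analyzer flags destinations that only one client talks to, which is the kind of hint (not evidence) the anomalies approach produces. The rarity threshold and the sample lines are assumptions of this example.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed Squid native access.log sample (hosts in reserved example domains).
SQUID_LOG = """\
1441900001.101 120 10.0.0.5 TCP_MISS/200 5120 GET http://updates.example.com/patch.bin - HIER_DIRECT/203.0.113.10 application/octet-stream
1441900002.202 80 10.0.0.6 TCP_HIT/200 2210 GET http://updates.example.com/patch.bin - NONE/- application/octet-stream
1441900003.303 95 10.0.0.7 TCP_MISS/200 640 GET http://updates.example.com/list.txt - HIER_DIRECT/203.0.113.10 text/plain
1441900004.404 310 10.0.0.5 TCP_MISS/200 48 POST http://rare-host.example.net/beacon - HIER_DIRECT/198.51.100.7 text/html
1441900005.505 300 10.0.0.5 TCP_MISS/200 52 POST http://rare-host.example.net/beacon - HIER_DIRECT/198.51.100.7 text/html
"""
# Fields: timestamp elapsed client result/status bytes method url ...
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")

def collect_squid(text):
    """Collector: turn raw Squid lines into (ts, client, method, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ts, _, client, _, size, method, url = m.groups()
        records.append((float(ts), client, method, urlsplit(url).hostname or url, int(size)))
    return records

def load_db(records):
    """DB connector: in-memory SQLite stands in for MySQL/Mongo here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE proxy (ts REAL, client TEXT, method TEXT, host TEXT, bytes INTEGER)")
    db.executemany("INSERT INTO proxy VALUES (?, ?, ?, ?, ?)", records)
    return db

def analyze_rare_hosts(db, max_clients=1):
    """Analyzer: destinations seen from at most max_clients distinct clients.
    This is an anomaly hint for the investigator, not evidence of infection."""
    return db.execute(
        "SELECT host, COUNT(DISTINCT client), COUNT(*) FROM proxy "
        "GROUP BY host HAVING COUNT(DISTINCT client) <= ? ORDER BY COUNT(*) DESC",
        (max_clients,)).fetchall()

def output_terminal(findings):
    """Output: plain terminal listing of (host, clients, requests)."""
    for host, clients, hits in findings:
        print(f"{host}: {clients} client(s), {hits} request(s)")

def run(text=SQUID_LOG):
    findings = analyze_rare_hosts(load_db(collect_squid(text)))
    output_terminal(findings)
    return findings
```

On the sample, updates.example.com is seen from three clients and is ignored, while rare-host.example.net (one client, two requests) is reported for a human to review.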
To Do
• Software engineering
• Add more modules – DB Connectors – Outputs – Collectors
• Create a community a la Yara Exchange
• Spread the word
Questions?
Ernesto Corral
E-mail: [email protected]
Twitter: @xgusix
Project: github.com/xgusix/gummer