Honeypot Track
Saturday, November 21
 

13:00 WIB

Hunting Malware Using Yara
As we are in the age of the computer, the complexity of computer threats has also increased, so it is necessary to identify malware. Here comes Yara: it makes it possible for malware researchers to hunt and classify malware and even APTs. Yara is the Swiss-army knife that makes the work of malware researchers and threat intelligence researchers painless. It is a simple rule-based approach for hunting and classifying malware families/variants. Using Yara we can accurately detect malware threats. The capability of Yara also extends to scanning files and memory. The best part of Yara rules is that they provide both textual and binary patterns for creating an efficient signature for malware. The binary patterns help in hunting for code reuse among malware families. Yara rules can last for decades. So Yara lubricates the process of hunting malware. The key to efficient YARA rules depends on simple and clear rule sets utilizing both.
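A rule of the kind the abstract describes, combining a textual pattern with a binary (hex) pattern and a file-type check in the condition. This is an added example, not material from the talk; every string, byte sequence and name in it is constructed for illustration and is not a real indicator.

```yara
/*
 * Added example (not from the talk): textual plus binary patterns in one rule.
 * All strings, byte sequences and names below are constructed for illustration.
 */
rule Example_Text_And_Binary_Patterns
{
    meta:
        description = "Constructed demo: textual and binary patterns with a PE header check"
        author      = "added example"

    strings:
        // Textual pattern: a constructed User-Agent string, ASCII or UTF-16, case-insensitive
        $ua = "ExampleBot/1.0 (constructed)" ascii wide nocase

        // Textual pattern as a regex: constructed mutex-style name with a four-digit suffix
        $mutex = /Global\\ExampleMutex_[0-9]{4}/

        // Binary pattern: constructed function prologue with wildcard bytes (??)
        // and a variable-length jump [2-6] before a relative call (E8)
        $code = { 55 8B EC 83 EC ?? 53 56 57 [2-6] E8 ?? ?? ?? ?? }

    condition:
        // Only PE files ("MZ" at offset 0) smaller than 5 MB
        uint16(0) == 0x5A4D and filesize < 5MB and
        // the binary pattern is required; either textual indicator confirms it
        $code and ($ua or $mutex)
}
```

Scan a directory with `yara -r rules.yar <path>`; the hex pattern is what survives string changes between variants, which is the code-reuse angle the abstract mentions.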

Speakers

Lakshya Dubey

Lakshya Dubey is a security researcher, an enduring learner of technology and a malware enthusiast. He is a highly skilled technology enthusiast in the security domain, especially in malware research, and believes in constant learning and shaping cutting-edge security technology through...


Saturday November 21, 2020 13:00 - 13:30 WIB

15:30 WIB

The Fault in Our Shells: A Weekly Overview Running Cowrie
I ran an SSH honeypot in a cloud environment for a week. I then dissected the results focusing on two things. The first is the statistics, that is how many attacks happened and other quantitative numbers. The second is the qualitative side: how the attackers behave and what kind of malware attacks. Most of the attacking malware are variants of Mirai bots; the attacks use brute force with commonly used wordlists/dictionaries and some used default IoT logins. After gaining access, most of the malware do any or a combination of these activities: (1) fingerprint the OS, (2) download and run a payload, (3) contact a C2 server, (4) persistence/installing a service (miner), (5) cleaning activities. Some malware failed miserably because of bad programming, but some were more successful. Due to the limitations of the honeypot, not much payload activity can be seen. The paper then concludes by showing the types of TTPs used, some funny failed scripts, and some tips on how to handle the types of malware this honeypot gets.


Speakers

Ewaldo Simon Hiras

Digital Forensic, Directorate General of Taxes of Indonesia
Experienced in the law enforcement and investigation field, with 7+ years focusing on digital forensics. My employment background as an investigator requires me to be detail-oriented and thorough. I hold a master's degree in digital forensics with a thesis focusing on Metasploit exploitation...


Saturday November 21, 2020 15:30 - 16:00 WIB