
Screenshot Demo: “Rewind the Tape” to Detect Ventir Dropper Malware on Mac OS X

February 24, 2015 / Ben Johnson

Today’s screenshot demo gives you a quick glimpse of the visibility you get with Carbon Black on Mac OS X. This post touches on some key points about how quickly you can “rewind the tape” to detect Ventir.

In this example, the starting point is a typical one—take a strange IP address, 220.175.13.250, from my firewall logs and see what process actually made that connection.

I start by entering the IP address:

[Screenshot: ventir1]

I got one hit, a process named “update” running from /Users/test/Library/.local/update—a strange location to me.

Now I move to the analysis view to see the process tree, the other metadata, and the event activity. I can see the process is unsigned, and it looks like several instances of the “update” process are being spawned by something called “updated.”

[Screenshot: ventir2]

I’ll scroll down to the events section to show you that this instance only has two events: a network connection (which matches what we searched for, 220.175.13.250) and a file modification.

[Screenshot: ventir3]

OK, so this is interesting but let me keep going. With just two clicks I go to “updated” and then its parent, “reweb,” to build out my tree instantly:

[Screenshot: ventir4]

Again, we’re seeing unsigned binaries running out of what appears to be a strange location (/Users/test/Library/.local/). But I want to see who wrote this, so I search for “filemod:reweb” (I could also be more specific, or search for the MD5 sums of the binaries that were written out, and so on).

[Screenshot: ventir5]

Interesting. I can see “ventir_dropper” wrote this out. A quick search for this results in a lot of hits. But what about “ventir_dropper” itself?

Let me look at the process tree:

[Screenshot: ventir6]

We can see that “ventir_dropper” was executed by bash (because I ran it as an example), and then it executed a lot of built-in utility commands such as “rm,” “chmod,” and “mkdir.” And, of course, we get the full command lines too. We can see what filemods “ventir_dropper” made by looking below at the event activity:

[Screenshot: ventir7]

So we see “reweb,” and we also see our friends “update” and “updated.”

But what wrote out “ventir_dropper”?

Let’s have a look by searching for “filemod:ventir_dropper,” which brings us to the archive utility process. If I look at the process’s file modifications, sure enough, I see “ventir_dropper”:

[Screenshot: ventir8]

This makes sense because, for this example, I copied “ventir_dropper.zip” over to my VM to extract it for this analysis.

While this post isn’t necessarily exhaustive in its analysis of the Ventir malware, I hope you got a good glimpse into how quickly you can investigate, analyze and pivot within Carbon Black. Because Carbon Black is always recording, you can quickly get back to the root cause while following the activity forward to figure out everything that has been changed and is in scope for remediation.

Furthermore, this is where response can drive detection. Take some of the behavior above, like anything running out of .local or writing to .local, and alert your team the next time it happens.
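The pivots walked through above (IP address to process, process to its parents, file name to the process that wrote it) and the detection rule suggested here can be expressed as a few functions over process records. The following is an added example, not Carbon Black's code or query language: it runs over a constructed set of records that mirrors the chain seen in the screenshots (bash, ventir_dropper, reweb, updated, update), with an assumed file name for the one file modification the "update" process made, and flags anything executing from or writing into a .local directory.

```python
"""Pivoting through endpoint process/file-modification records and alerting on
.local activity. Added example over constructed sample data, not sensor output."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Dict, List, Tuple


@dataclass
class Process:
    pid: int
    ppid: int
    path: str                                          # on-disk path of the executable
    signed: bool                                       # code-signing status reported by the sensor
    cmdline: str
    netconns: List[str] = field(default_factory=list)  # remote IPs this process connected to
    filemods: List[str] = field(default_factory=list)  # paths this process wrote or modified


LOCAL = "/Users/test/Library/.local"

# Constructed sample mirroring the chain in the post. The "update.dat" file name is
# an assumption; the post only says "update" made one file modification.
SAMPLE: List[Process] = [
    Process(100, 1,   "/bin/bash", True, "bash"),
    Process(101, 100, "/Users/test/ventir_dropper", False, "./ventir_dropper",
            filemods=[f"{LOCAL}/reweb", f"{LOCAL}/update", f"{LOCAL}/updated"]),
    Process(102, 101, "/bin/mkdir", True, f"mkdir -p {LOCAL}"),
    Process(103, 101, "/bin/chmod", True, f"chmod +x {LOCAL}/reweb"),
    Process(104, 101, f"{LOCAL}/reweb", False, "reweb"),
    Process(105, 104, f"{LOCAL}/updated", False, "updated"),
    Process(106, 105, f"{LOCAL}/update", False, "update",
            netconns=["220.175.13.250"], filemods=[f"{LOCAL}/update.dat"]),
]


def by_pid(procs: List[Process]) -> Dict[int, Process]:
    return {p.pid: p for p in procs}


def ipaddr(procs: List[Process], ip: str) -> List[Process]:
    """Starting point of the investigation: which processes talked to this IP?"""
    return [p for p in procs if ip in p.netconns]


def filemod(procs: List[Process], name: str) -> List[Process]:
    """The 'filemod:<name>' pivot: which processes wrote a file with this basename?"""
    return [p for p in procs if any(PurePosixPath(f).name == name for f in p.filemods)]


def ancestry(procs: List[Process], pid: int) -> List[str]:
    """Rebuild the process tree upward by following parent links (child first)."""
    table = by_pid(procs)
    chain: List[str] = []
    p = table.get(pid)
    while p is not None:
        chain.append(PurePosixPath(p.path).name)
        p = table.get(p.ppid)       # stops when the parent is outside our records
    return chain


def touches_hidden_dir(path: str, dirname: str = ".local") -> bool:
    """True if any component of the path is the hidden directory we care about."""
    return dirname in PurePosixPath(path).parts


def alerts(procs: List[Process]) -> List[Tuple[int, str]]:
    """The response-driven detection from the post: anything running out of .local
    or writing into .local gets an alert, noting the signing status for context."""
    out: List[Tuple[int, str]] = []
    for p in procs:
        if touches_hidden_dir(p.path):
            status = "" if p.signed else " (unsigned)"
            out.append((p.pid, f"runs from .local{status}: {p.path}"))
        written = [PurePosixPath(f).name for f in p.filemods if touches_hidden_dir(f)]
        if written:
            out.append((p.pid, "writes to .local: " + ", ".join(written)))
    return out


if __name__ == "__main__":
    hit = ipaddr(SAMPLE, "220.175.13.250")[0]
    print("process:", hit.path, "ancestry:", " <- ".join(ancestry(SAMPLE, hit.pid)))
    print("wrote reweb:", [p.path for p in filemod(SAMPLE, "reweb")])
    for pid, reason in alerts(SAMPLE):
        print(f"ALERT pid={pid}: {reason}")
```

Running it reproduces the walk in the post: the IP pivots to the "update" process, whose ancestry climbs through "updated", "reweb" and "ventir_dropper" to bash, and the filemod pivot names "ventir_dropper" as the writer of "reweb". The alert rule fires on the dropper (it writes three files into .local) and on the three unsigned binaries executing from there; the built-in utilities it spawned are not flagged, which is the point of anchoring the rule on the location rather than on process names.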

And, of course, it’s easy to be notified when any of those indicators of compromise, like the typical IP addresses and hashes, show up anywhere within your environment. Because Carbon Black records and stores data, you can go back even further in time than this example to see whether Ventir (or anything similar) was in your environment, as far back as you have data.

TAGS: bash / Ben Johnson / bit9 / Carbon Black / Dropper Malware / mac / Mac OSX / malware / Ventir
