Following the Clues With DcyFS: A File System for Forensics

This article concludes our three-part series on Decoy File System (DcyFS) with a concrete example of how a cyber deception platform can also be a powerful tool for extracting forensic summaries. Using that data can expedite postmortem investigations, reveal attributing features of malware, and characterize the impact of attackers’ actions. Be sure to read part 1 and part 2 for the full story.

File System Overlays as Blank Canvases

When using Decoy File System (DcyFS), each subject’s view contains a stackable file system with an overlay layer. This layer helps protect files on the base file system, providing data integrity and confidentiality. The overlay also acts as a blank canvas, recording all created, modified and deleted files during suspicious user activity or the execution of an untrusted process.

These records are essential to piecing together what happens during a cyberattack as the overlay provides evidence of key indicators of compromise (IoCs) that investigators can use. To demonstrate the forensic capabilities of our approach, we created a module that analyzes overlays for IoCs and tested it with five different types of malware. The IoCs were sourced from the ATT&CK for Enterprise threat model.

DcyFS and the Forensics of Malware

Let’s take a closer look at the five malware types we identified with DcyFS’s analysis module and the IoCs collected through the file system overlays. We’ll also discuss how the file system actively helped protect critical systems from malware in our tests.

Persistence

Most malware is designed to persist on an infected endpoint and relaunch after a system reboot. The exact mechanism for persistence is dependent on whether the malware gains access to administrator privileges on the endpoint. If it does not, then the malware will typically modify user profile files that are run on startup.

Malware running with escalated privileges can modify systemwide configurations in order to persist. This is achieved by dropping initialization scripts into the system run-level directories. In certain cases, malware will create reoccurring tasks that ensure the malware is run on a schedule, persisting across reboots.

Each time a piece of malware modifies a system file, the changes are recorded on DcyFS’s overlay, enabling the forensic analyzer to easily identify malicious activity. Furthermore, since DcyFS provides per-process views to the malware, no file changes by the malware persist across the global file system view. This also means the malware is not restarted on a reboot.

Dynamic Link Library (DLL) Injection

Some malware, such as Umbreon and Jynx2, are not executables, but rather libraries designed to be preloaded by system processes. The libraries replace important system application programming interface (API) calls to change the functionality of a running application. In this way, an Apache web server can be turned into a backdoor, or a Bash shell can be hijacked to mine bitcoins in the background.

In Umbreon’s case, the malware replaces C API calls such as “accept,” “access” and “open” to hide its presence on the file system from an antivirus system or the system user. Umbreon also creates a user, and hides its presence using injected API calls. Such file system changes are identified by DcyFS, as is the injected malicious library. Furthermore, since the library is only loaded in its own view, it cannot be injected into any process running on the system.

Binary Downloaders (Modifiers)

Cybercrime is a mercurial commodity business, where large criminal syndicates rent access to extensive botnets to other attackers. These bots are designed to send malicious spam or download various pieces of malware, such as banking Trojans, bitcoin miners and keyloggers, to collect stolen data that can be monetized by the syndicate.

With administrative access to an infected endpoint, bots will try to download malware into many system directories, creating redundancy in hopes that the defender will miss one when detected. As a result, newly installed binary downloads on a file system are a key IoC.

Aside from downloading new binaries, malware can also alter existing system binaries to make them secretly engage in nefarious activities. While running on DcyFS, these binary modifiers only appear to modify the overlay they can access — they are unable to modify the applications in the global view of the base file system. Consequently, they are never truly executed, but the modified binary appears prominently on the overlay, where it can be extracted and analyzed by a forensics team.

Backdoors

Typically, skilled attackers will try to cover their tracks to evade detection. One way of doing this is by saving malware into hidden files, such as any file starting with a period, or modifying programs such as “ls” or “dir” so that malware files are ignored when the contents of a directory are displayed to a user.

Another technique for hiding one’s presence is to remove entries from a user’s history profile or deleting task entries that conduct antivirus scans. Finally, killing or deleting antivirus software is another mechanism for ensuring that malicious activities are not uncovered. With DcyFS, each step used to cover one’s tracks is highlighted on the file system’s overlay.

Ransomware and Beyond

Ransomware has become a prominent part of the attack ecosystem, wreaking havoc on individuals and companies alike. The Erebus ransomware, for example, cost South Korean companies millions of dollars in ransom payments to rescue their own and their customers’ data.

Recent ransomware attacks have capitalized on strong, asymmetrical encryption as the main technique to hold victims’ data for ransom. However, other malware, such as KillDisk and Shamoon, simply destroys important files and cripples system infrastructure without the option to undo the destruction.

When dealing with ransomware on the endpoint, the malware attempts to run through directories and locate preconfigured file extensions to encrypt. When that process begins, our forensic analysis looks for indication of encryption in the overlay file system, such as file MIME type, to find evidence of a ransomware attack. It can also characterize attacks by measuring their information footprint in the file system. The DcyFS forensics analyzer generates three indicators that estimate the impact of the following file system changes introduced by programs:

  • Binary differences — Average percentage of modified bytes across copied files.
  • Information gain — Average information gain across copied files measured as the difference between the entropies of base and overlay files.
  • Write entropy — Average write entropy across overlay files.

DcyFS also actively protects files from ransomware using the overlay. This allows the ransomware to “believe” it has succeeded, but enables the user to subvert the attack without any damage to critical infrastructure.

Humanize Your Security Problems With DcyFS

DcyFS is a security Swiss army knife. On one hand, the file system is a passive sensor, monitoring access to one of the most important commodities companies have: their data. It is also a forensic tool, allowing security practitioners to collect key evidence when an attack occurs. On the other hand, DcyFS is an active security control that can hide and help protect data while baiting attackers into revealing themselves.

Our research team believes that tools like DcyFS will be a big part of the next generation of cyberdefense. Agile and versatile tools of this kind not only identify attacks as they occur, but actively engage and react to the attacker. They turn security from a technical problem, as it is often cast, into a human problem, where adversaries and defenders engage like they do on any battlefield.

Teryl Taylor

Research Staff Member, IBM Research

Teryl Taylor is a Research Staff Member in the Cognitive Cybersecurity Intelligence group with IBM Research. He has ten...