Your SlideShare is downloading. ×
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, 2013
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, 2013

2,037
views

Published on

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples …

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,037
On Slideshare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Malware Analysis N00b to Ninja in 60 Minutes* @grecs * Most listeners do not become Ninjas in under 60 minutes.
  • 2. Pic of hacked sites; news articles of breaches, mid-2000s
  • 3. Infosec COTS
  • 4. Thanks @BulbSecurity @PenTestTraining Tweet/Post: Thanks … for sponsoring @grecs & @novainfosec…
  • 5. Looking for Bloggers Pay in Beer or $$$ http://bit.ly/nispsubarticle
  • 6. Agenda • • • • Introduction Environment Methodology Where to Learn More • Conclusion
  • 7. Introduction General Security Practitioners Interested in Getting Started in Malware Analysis SOC Analysts Looking to Expand Skills beyond Event Monitoring & Basic Analysis WARNING!!! DO NOT ANALYZE MALWARE ON PRODUCTION SYSTEMS
  • 8. Environment • Setup – Virtual – Physical • Options – Single Box – Dual+ Box
  • 9. Environment Setup • Virtual – Efficient & Easy to Setup – Snap-Shots to Revert Back To – Malware Detecting VM & Terminating • Physical – VM Detection Not Possible – Resource Intensive
  • 10. Environment Setup – Virtual • Network: Use Non-Host Connected Interface Be Careful
  • 11. Environment Options • Single Box – All Analysis Performed on One Machine – Risk of Potential Malware Sabotage • Dual+ Box – Mitigates Some Potential Sabotage – Gateway to Simulate More Real Network – Realistic External View (port sopen, network traffic)
  • 12. Environment Options – Single Box • Start with Base Unpatched Windows XP SP2 Box in VMware – Similar to First Set of Post-Install Instructions for Metasploit Unleashed – Switch to Classic View – Disable Windows Firewall – Turn Off Automatic Updates – Disable Alerts – Uncheck Simple File Sharing • Add Target Software – Older Versions If Needed • Starting with: OldVersion.com / OldApps.com • Google for Others • • • • Where to Get eBay, NewEgg, etc. Win Eval OSs (prev vs) Modern.ie AWS (servers only)
  • 13. Environment Options – Single Box • Install Dynamic Analysis Tools – Process Monitor • Shows File System, Registry & Process Activity that Started During Malware Execution – Process Explorer • Shows Info about Handles/DLLs Processes Opened/Loaded by Malware – WireShark • Sniffer to Capture Network the Malware May Make – RegShot • View Changes Malware May Make in the Registry Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653 WireShark: https://www.wireshark.org/ RegShot: http://sourceforge.net/projects/regshot/
  • 14. Environment Options – Single Box • Install Dynamic Analysis Tools (cont) – TCPView • Allows Detection of Malware Initiated Network Connections – Malware Analysis Pack • MAP FakeDNS • MAP Right-Click (MD5 Hash, Strings, VirusTotal) – FakeNet • Aids Dynamic Analysis of Malicious Software • Simulates Network so Malware Thinks Its Interacting with Remote Hosts • DNS, HTTP, SSL, Dummy Listener TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437 MAP: http://www.woodmann.com/collaborative/tools/index.php/Malcode_Analysis_Pack FakeNet: http://practicalmalwareanalysis.com/fakenet/
  • 15. Environment Options – Single Box • Install Static Analysis Tools – OllyDbg with OllyDump Plugin • General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly; Plugin to View Encrypted Malware – IDA Pro • Windows Disassembler/Debugger with Freeware Alternative – 010 Editor • Standard Hex Editor – Specialized Tools • PDFs: Didier Stevens’s pdfid.py & pdf-parser.py • Flash: SWFTtools • Others: Java, JavaScript OllyDbg: http://www.ollydbg.de/ OllyDump: http://www.openrce.org/downloads/details/108/OllyDump IDA Pro Freeware: http://www.hex-rays.com/products/ida/support/download_freeware.shtml Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/
  • 16. Environment Options – Single Box • Baseline – Configure VM to "Host-Only” Mode Secluded Network • Temporarily Change to NAT to Download Malware • Write-Once Media (e.g., CDs) • USB Key with Physical Write-Protect Switch – Imation USB 2.0 Clip Flash Drive – Kanguru Flashblu 2 – Snapshot VM
  • 17. Environment Dual+ Box – Fake Gateway Server • Second Machine for Target to Connect To – Additional Advantage of Examining Network Traffic without Possible Malware Sabotage – Implement Linux Server in VMware & Configure to Be Default Route on Victim Machine – Should Have Fixed IP Addresses • Enable or Install Software that Provides Needed Services – – – – – DNS: Configured to Return Fake Servers IP for All Queries HTTP IRC Others: DHCP, FTP, SSH Other Services Depending on Goal of Analysis
  • 18. Environment Dual+ Box – Fake Gateway Server • Install Network Analysis Tools – WireShark: Records Network Traffic from Victim – Netcat: Start Needed Ad-Hoc Services – Nmap: Scan for Open Ports External to Victim • Snapshot Fake Server Revert Back To
  • 19. Environment Preconfigured • REMnux – Created by Lenny Zeltser – ISO or Virtual Appliance – Static Analysis v4 • Load Malware on & Analyze • Web-Based Malware (e.g., Malicious JavaScript, Java Programs, & Flash Files) • Malicious Documents (e.g., Microsoft Office & Adobe PDF files) • Utilities for Reversing Malware through Memory Forensics – Dynamic Analysis • • • • Emulate Network Services Used as Fake Gateway Server Emulate Services in Isolated Lab Environment Infects Another Laboratory System with Malware Sample Directs Potentially-Malicious Connections to REMnux that's Listening on Appropriate Ports REMnux: http://zeltser.com/remnux/
  • 20. Environment Preconfigured
  • 21. Environment Preconfigured • CuckooBox – Automated Dynamic Analysis of Malware – Data Captured • • • • Trace of Performed Relevant Win32 API Calls Dump of Network Traffic Generated During Analysis Creation of Screenshots Taken During Analysis Dump of Files Created, Deleted and Downloaded by the Malware During Analysis • Trace of Assembly Instructions Executed by Malware Process CuckooBox: http://cuckoobox.org/
  • 22. Environment Preconfigured
  • 23. Methodology 1. Triage 2. Dynamic Analysis 3. Static Analysis
  • 24. Methodology 1. Triage a.  Run through External/Internal Sandbox Services for QnD Results • • b.  b. MD5 Hash Comparison (can run live is possible) • c. Goals: Establish Rough Idea of Malware Activities Tools: Norman Sandbox, GFI Sandbox, Anubis, Malwr.com, ThreatExpert.com, … • Goals: When Compiled, Packed or Obfuscated) Tools: VirusTotal.com, MAP, FileAlyzer, Google Hash  c. Determine Real File Type • • UNIX “file” Command and/or TrID Open in 010 & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia) d.  e.  f.  Unpack If Needed • Analyze Imports • • Goals: Discovery Interesting Things Malware May Be Importing (networking APIs for non-networking app) Tools: FileAlyzer (PD Imports), PEView f. Extract Readable Strings • e.  Tools: OllyDump, PE Explorer (UPX builtin) • Goals: Discover Interesting Data Points like Host Name & IP Addresses Tools: MAP Specialized Tools • E.g., pdfid.py, pdf-parser.py, SWFTtools, … MASTIFF: Open Source Linux Tool Automates Much of Above (on REMnux) v4
  • 25. Methodology 2. Dynamic Analysis a. • Take RegShot & Start WireShark, Process Monitor, Process Explorer, FakeNet & TCPView – Monitors File and Registry Access, Network Traffic, Process Creation, etc. b. • Execute Malware & Let it Run for 15 Minutes or Until Activity Dies Down – Watching WireShark, Process Monitor, & TCPView for Anything Interesting c. • Take Second RegShot & Stop WireShark, Process Monitor, FakeNet d. • Compare Initial & Final RegShots & Review All Monitoring Tool Logs
  • 26. Methodology 2. Dynamic Analysis (Regshot & Wireshark) a-1. a-2. a-3.
  • 27. Methodology 2. Dynamic Analysis (Process Monitor) a-4. a-5. a-6.
  • 28. Methodology 2. Dynamic Analysis (Process Explorer) a-7. Just Start
  • 29. Methodology 2. Dynamic Analysis (FakeNet) a-8. Just Start
  • 30. Methodology 2. Dynamic Analysis (TCPView) a-9. Just Start
  • 31. Methodology 2. Dynamic Analysis (Execute Malware) • Double-Click EXE • Rundll32.exe DLLName, Export arguments – PE Explorer to Discover Export arguments – E.g., rundll32.exe rip.dll, Install • Watch All Monitoring Tools & Stop When Activity Dies Down b. Just Monitor
  • 32. Methodology 2. Dynamic Analysis (Spin Down) c-3. c-1. c-2.
  • 33. Methodology 2. Dynamic Analysis (Spin Down) c-4.
  • 34. Methodology 2. Dynamic Analysis (Spin Down) c-5.
  • 35. Methodology 2. Dynamic Analysis (Analysis) c-6.• Save Logs for Future Reference c-7.• Analyze
  • 36. Methodology 3. Static Analysis d. • Use OllyDbg or IDA Pro to Disassemble & Analyze Deobfuscated Malware – Just Stare at It – ... – Stare Some More – ... – And Some More
  • 37. Where to Learn More OpenSecurityTraining.info
  • 38. Where to Learn More • OpenSecurityTraining.info – “Reverse Engineering Malware” • Matt Briggs & Frank Poz • “Practical Malware Analysis” by M. Sikorski/A. Honig • http://opensecuritytraining.info/ReverseEngineeringM alware.html
  • 39. Where to Learn More • Malware Analysis Toolkit: http://zeltser.com/malware-analysis-toolkit/ • OpenRCE: http://www.openrce.org/ • Certifications – TrainACE AMA – GREM, CHFI • NIST: 800-94, 800-83, 800-61 • Books: Practical Malware Analysis • NoVA Infosec: Workshop Style?
  • 40. Conclusion • Introduction • Environment – – – – Setup Single Box - Victim Dual+ Box – Fake Server Preconfigured • Methodology – Triage – Dynamic Analysis – Static Analysis • Where to Learn More – OpenSecurityTraining.info – Zeltser.com – OpenRCE.org • Conclusion
  • 41. Questions? • Twitter • Website • Contact @grecs NovaInfosec.com http://bit.ly/nispcontact

×