Malware Analysis as a Hobby

Transcript

  • 1. Malware Analysis as a Hobby Michael Boman - Security Consultant/Researcher, Father of 5 Siavosh Zarrasvand – Security Consultant/Researcher, Searching
  • 2. Why the strange hobby?
  • 3. The manual way
  • 4. Drawbacks: time consuming; boring in the long run (not all malware are created equal)
  • 5. Choose any two… Cheap, Good, Fast
  • 6. Choose any two? Why not all of them?
    • Cheap: I can do it cheaply (hardware and license cost-wise). Human time not included.
    • Fast: I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
    • Good: I get pretty good results (quality). Where the system lacks, I can compensate for its shortcomings.
  • 7. Automate everything! Engineer yourself out of the workflow
  • 8. Birth of the MART Project: Malware Analyst Research Toolkit
  • 9. Components
  • 10. Sample Acquisition
    • Public & private collections
    • Exchange with other malware analysts
    • Finding and collecting malware yourself:
      • Download files from the web
      • Grab attachments from email
      • Feed BrowserSpider with links from your SPAM folder
  • 11. BrowserSpider
    • Written in Python
    • Uses the Selenium framework to control REAL browsers: Flash, PDFs, Java applets etc. execute as normal, and all the browser bugs exist for real
    • Spiders and follows all links seen
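A BrowserSpider-style crawler in the same shape as slides 10 and 11 describe: links are harvested from mail text (the SPAM folder), a real browser loads every page so that Flash, PDF and Java content executes as it would for a victim, and every link seen is queued. This is an added example, not the MART project's own BrowserSpider source. The Selenium 4 calls (`driver.get`, `find_elements(By.TAG_NAME, "a")`, `get_attribute("href")`) are only used when a WebDriver is supplied; the site in `CONSTRUCTED_SITE` is constructed so the spider runs offline.

```python
"""BrowserSpider-style crawler: let a REAL browser load each page (so Flash, PDF
and Java content execute exactly as they would for a victim) and follow every
link seen.  Added example; not the MART project's own BrowserSpider source."""
import re
from collections import deque
from urllib.parse import urldefrag, urljoin, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def urls_from_text(text):
    """Pull http(s) links out of raw text (e.g. the bodies of a SPAM folder),
    preserving order and dropping duplicates."""
    seen, out = set(), []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")          # trailing punctuation is not part of the link
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def normalise(base_url, href):
    """Resolve href against the page it was found on and strip the fragment.
    Returns None for links a browser would not navigate to (javascript:, mailto:)."""
    if not href:
        return None
    absolute, _fragment = urldefrag(urljoin(base_url, href.strip()))
    if urlsplit(absolute).scheme not in ("http", "https"):
        return None
    return absolute


def links_from_selenium(driver):
    """Return a fetch function that loads each URL in a real Selenium WebDriver
    and returns every anchor href on the rendered page (Selenium 4 API assumed)."""
    from selenium.webdriver.common.by import By

    def fetch(url):
        driver.get(url)
        return [a.get_attribute("href") for a in driver.find_elements(By.TAG_NAME, "a")]
    return fetch


def crawl(fetch_links, seeds, max_pages=50):
    """Breadth-first spider.  fetch_links(url) must load the page in the browser
    and return the hrefs it contains.  A page that crashes or fails to load is
    still recorded: for a malware spider the failure itself is a finding."""
    queue, seen, visited = deque(), set(), []
    for seed in seeds:
        url = normalise(seed, seed)
        if url and url not in seen:
            seen.add(url)
            queue.append(url)
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        try:
            hrefs = fetch_links(url)
        except Exception as exc:
            visited.append((url, "error: %s" % exc))
            continue
        visited.append((url, "ok"))
        for href in hrefs:
            link = normalise(url, href)
            if link and link not in seen:
                seen.add(link)
                queue.append(link)
    return visited


# Constructed stand-in for a spam-advertised site so the spider runs offline.
CONSTRUCTED_SITE = {
    "http://spam.example/": ["/landing.html", "javascript:void(0)",
                             "mailto:a@b.example", "http://spam.example/landing.html#top"],
    "http://spam.example/landing.html": ["exploit.pdf", "http://cdn.example/applet.jar"],
    "http://spam.example/exploit.pdf": [],
    "http://cdn.example/applet.jar": [],
}


def fake_fetch_links(url):
    """Offline replacement for links_from_selenium(...) over CONSTRUCTED_SITE."""
    if url not in CONSTRUCTED_SITE:
        raise RuntimeError("HTTP 404")
    return CONSTRUCTED_SITE[url]


if __name__ == "__main__":
    seeds = urls_from_text("Your invoice: http://spam.example/ - open now.")
    for url, status in crawl(fake_fetch_links, seeds):
        print(status, url)
    # Against a real browser: crawl(links_from_selenium(webdriver.Firefox()), seeds)
```

Because the spider deliberately lets exploit content run, the browser it drives must live inside a disposable VM snapshot (the same place the Cuckoo guests live), never on the analyst's own machine.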
  • 12. Sample Analysis
    • Cuckoo Sandbox
    • VirusTotal
  • 13. A day's work for a Cuckoo: Fetch a task → Prepare the analysis → Launch analyzer in virtual machine → Execute an analysis package → Complete the analysis → Store the result → Process and create reports (then back to fetching the next task)
  • 14. DEMO: Submit sample for analysis
  • 15. Sample Reporting
    • Results are stored in MongoDB (optional, highly recommended)
    • Accessed using an analyst GUI
  • 16. Data Mining
  • 17. Where Virtual Machine analysis fails And what to do about it
  • 18. Problems: Cuckoo is easily bypassed; user detection; sleeping malware
  • 19. Problems: VM or sandbox detection; the guest OS might not be sufficient; any multistage attack
  • 20. Iterating automation: Sort out clearly non-malicious and obviously malicious samples → Divide the samples into categories (Known Good / Known Bad / Unknown) → Do brief static analysis
  • 21. Iterating automation (same flow): categorize what the analysis produced
    • Does not do anything
    • Detects environment
    • Encrypted segments
    • Failed execution
  • 22. Iterating automation (same flow): what to do about it
    • Run longer
    • Environment customization
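The triage pass of slides 20 to 22 as one runnable procedure, added here as an example (not MART's own code): samples already on a known-bad or known-good hash list are sorted out first, a brief static check flags non-PE input and high-entropy (encrypted/packed) content, and the sandbox outcome is then placed in one of the slide's categories (does nothing, detects environment, failed execution, or unknown) together with the next iteration it calls for (run longer, customize the environment, or hand over for manual analysis). The summary fields (`api`, `strings`, `files`, `mutexes`, `keys`, `hosts`, `failed`), the environment-detection markers and all samples and hash lists are constructed assumptions for the demo.

```python
"""Triage pass from the 'iterating automation' flow: sort known good/bad by hash,
run a brief static check, then classify the sandbox outcome and decide the next
iteration (run longer, customize the environment, or hand over to a human).
Added example; not MART's own code.  Hash lists, marker strings and the summary
layout (api, strings, files, mutexes, keys, hosts, failed) are assumptions."""
import hashlib
import math
from collections import Counter

# Illustrative environment-detection markers; a real list would be far longer.
ENV_API_CALLS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
ENV_STRINGS = ("vmware", "vbox", "virtualbox", "qemu", "sbiedll", "vmtoolsd")


def shannon_entropy(data):
    """Bits per byte; close to 8.0 means encrypted or compressed content."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def static_notes(data):
    """The 'brief static analysis' step: cheap observations, no disassembly."""
    notes = []
    if not data.startswith(b"MZ"):
        notes.append("not a PE file")
    if shannon_entropy(data) > 7.0:
        notes.append("encrypted/packed segments")
    return notes


def triage(sample, known_bad, known_good):
    """sample = {"name", "bytes", "summary"}.  Returns (category, next_step, notes)."""
    digest = hashlib.sha256(sample["bytes"]).hexdigest()
    if digest in known_bad:
        return "known bad", "archive; no further analysis", []
    if digest in known_good:
        return "known good", "discard", []
    notes = static_notes(sample["bytes"])
    summary = sample["summary"]
    if summary.get("failed"):
        return "failed execution", "fix analysis package / missing dependency and resubmit", notes
    lowered = " ".join(summary.get("strings", [])).lower()
    if ENV_API_CALLS & set(summary.get("api", [])) or any(m in lowered for m in ENV_STRINGS):
        return "detects environment", "customize environment (hide VM artefacts) and rerun", notes
    if not any(summary.get(k) for k in ("files", "mutexes", "keys", "hosts")):
        return "does not do anything", "run longer (sleeping malware) and rerun", notes
    return "unknown", "manual analysis", notes


# Constructed samples and hash lists so the triage runs offline.
PE_STUB = b"MZ" + b"\x00" * 62
SAMPLES = [
    {"name": "known.exe",   "bytes": PE_STUB + b"already analysed", "summary": {}},
    {"name": "sleeper.exe", "bytes": PE_STUB + b"Sleep(600000)",
     "summary": {"api": ["Sleep"], "files": [], "hosts": []}},
    {"name": "vmaware.exe", "bytes": PE_STUB + b"checks",
     "summary": {"api": ["IsDebuggerPresent"], "strings": ["VMware Tools"], "files": []}},
    {"name": "packed.exe",  "bytes": PE_STUB + bytes(range(256)) * 8,
     "summary": {"files": ["C:\\Windows\\Temp\\a.tmp"], "hosts": ["203.0.113.10"]}},
    {"name": "broken.bin",  "bytes": b"not a pe", "summary": {"failed": True}},
]
KNOWN_BAD = {hashlib.sha256(SAMPLES[0]["bytes"]).hexdigest()}
KNOWN_GOOD = set()


def triage_all(samples=SAMPLES, known_bad=KNOWN_BAD, known_good=KNOWN_GOOD):
    return {s["name"]: triage(s, known_bad, known_good) for s in samples}


if __name__ == "__main__":
    for name, (category, step, notes) in triage_all().items():
        print("%-12s %-22s -> %s  %s" % (name, category, step, notes))
```

The order of the checks is the point: a sample that both looks packed and produced an empty behaviour summary is still sent back for a longer run first, because static notes are hints for the human while the dynamic category decides which automated iteration comes next.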
  • 23. Budget: Computer €520; MSDN License €800 (€590 renewal); Year 1: €1320; Year N: €590; Money saved from stopping smoking (yearly): €2040
  • 24. Next steps
    • Barebone on-the-iron malware analysis
    • Android platform support
    • OSX platform support
    • iOS platform support
  • 25. Questions? Michael Boman, michael@michaelboman.org, http://michaelboman.org, @mboman; Siavosh Zarrasvand, siavosh.zarrasvand@gmail.com, @zarrasvand