Intro2 malwareanalysisshort
Presentation IT4BC 2011
Transcript of "Intro2 malwareanalysisshort"

  1. Security and Privacy Track, Session 1
  2. Introduction to Malware Analysis. Vincent = Big O
  3. What do they have in common? Lindsay Lohan, Paris Hilton, Snooki, Charlie Sheen
  4. Jail
  5. Albert Gonzalez: hacked wireless network; TJ Maxx; 90 million credit cards; 20 years in jail
  6. Hacking = Jail
  7. Motivation?
  8. Bad Guys: motivated by money; new-school bad guys are after your electronic wallet; take over payment systems; take over the world, just like Doctor Evil
  9. About Me: work at Capilano University; hack wet paper bags for a living; I live in Vancouver; I commute by bike; I love 80's music; I love BackTrack 4
  10. I love my Mac
  11. My Reading List: NIST; Windows Forensic Analysis; Reverse Engineering; The Rootkit Arsenal; Security Power Tools; Google; YouTube; DFWS
  12. My Favorite Hacker Cons: DEFCON, CanSecWest, SecTor, Black Hat, CCC
  13. Click Happy! And proud of it.
  14. What is Malware Analysis?
  15. What is Malware Analysis? Like being in science class in high school, for example studying a worm: used a microscope, drew a picture or diagram of the worm, observed the worm before dissection
  16. Introduction to Malware Analysis
  17. Purpose: tapas, a small taste of everything for malware analysis
  18. What is Malware?
  19. Malware: short for malicious program; a program designed to alter the flow of the program, designed with malicious intent; gains access to systems; used to gather information, usually without the permission of the owner
  20. When I was younger... used to deliver malware via floppy disks; my favorite piece of malware was Sub7
  21. Threat Report
  22. Symantec Internet Security Threat Report: released April 2011 for the year 2010; PDF download; outlines trends for malware, viruses and worms
  23. How do you get infected? Drive-by download; phishing scams; malicious email attachments; bogus downloads; SQL-injected websites
  24. Examples of Malware
  25. LizaMoon: visited Capilano University; over 5 million sites infected; SQL injection of PHP web pages; redirected to malware sites
  26. Fake AV: Java applet; ActiveX; EXE download
  27. Attack Toolkits
  28. Zeus (Zbot)
  29. Zeus: the most notorious and widely spread information-stealing Trojan in existence; targets financial data theft; has led to the loss of millions worldwide
  30. Crimeware Toolkit: Zeus is a toolkit that provides a malware creator all of the tools required to build and administer a botnet; Zeus tools are primarily designed for stealing banking information; Zeus can easily be used for other types of data or identity theft
  31. Controllers of ZBOT: capture (banking) credentials; remote control; keystroke logging; screen capture; proxy services; spamming
  32. Zeus Builder: this page is where you create your bot executables; once created, you are responsible for distribution; go find some victims
  33. Zeus Configuration: the bot needs a configuration to tell it which address to send all the stolen data to. What's the use of misconfiguring a botnet that can't send you stolen data?
  34. Configuration Screens
  35. Communications: communications pass between the bots and one or more servers; the command and control server is used to distribute bot file updates
  36. Communications: data is encrypted with RC4 encryption; a password is used to encrypt all data that is passed through the botnet
  37. Zeus Install Behavior
  38. Zeus Flow: copies itself to another location, executes the copy, deletes the original; lowers browser security settings by changing IE registry entries; injects code into other processes, then the main process exits
  39. Zeus Flow: injected code hooks APIs in each process; steals several different types of credentials found on the system
  40. Zeus Flow: downloads the config file and processes it; uses API hooks to steal data; sends data back to the C&C
  41. http://zeustracker.abuse.ch
  42. Typical Theft: attackers steal credentials; set up bogus employee/vendor accounts; accounts are actually "mules"; transfers typically kept under $10K
  43. Wire Money: Eastern Europe
  44. WANTED
  45. Finding Mules: recruited on job websites; receive instructions via website; process payments; launder via purchases; write proper phishing emails
  46. Zeus characteristics: continuously changing, software gets routinely updated; strong encryption used in various functions of the program to hide secrets; software uses packers and unpackers; anti-virus evasion techniques used
  47. Big Picture
  48. Kung Fu Skillz: code breaking; puzzle solving; programming; logical analysis
  49. Kung Fu: build analysis workstation; behavior and code analysis; reverse engineer; VirusTotal
  50. Click Happy Fun ( ): fundamental aspects of malware analysis; set up an inexpensive and flexible laboratory; use the lab for exploring characteristics of real-world malware
  51. Build Workstation: install base OS; install VMware; install victim OS; install monitoring tools
  52-55. Build Workstation (the same build slide, repeated)
  56. Tools: PsTools from Sysinternals; IDA Pro; Wireshark; anti-virus
  57. Other Tools: FakeDNS and shellcode2exe; LordPE and PEiD; Malzilla and SpiderMonkey; Firefox, NoScript, Burp Suite; Honeyd, Netcat, curl, wget; Volatility Framework and plug-ins such as malfind2; FTK Imager
  58. Kung Fu: build analysis workstation; behavior and code analysis; reverse engineer; VirusTotal
  59. Assumption
  60. Getting evidence: gathering electronic evidence; evidence process; AccessData FTK, used to solve the Laci Peterson case
  61. RSA Hacked
  62. Timeline: phishing, zero-day attack; backdoor installed; lateral movement; data gathering; exfiltrate
  63. How do you know you have a virus or malware?
  64. You can rely on... your anti-virus vendor; web or malware gateway; network analysis tools
  65. RootkitRevealer: rootkit detection utility; lists Registry and file system API discrepancies; helps indicate the presence of user-mode or kernel-mode rootkits
  66. Behavior and Code Analysis: two approaches
  67. Answer these questions! Process count; user IDs; loaded modules; files; registry keys
  68. Answer this! DLLs used; APIs hooked; memory space used; network connections; services used; sockets used
  69. Temporal Reconstruction
  70. Temporal Reconstruction: forensic analysis to reconstruct events surrounding a hacking incident or malware infection; dead-machine and live-system analysis; AKA building a timeline. NOTE: live analysis means the data is volatile
  71. MACtime: forensic tool in your digital detective toolkit; Unix and Linux mtime, atime, and ctime; Windows LastWriteTime, LastAccessTime, and CreationTime
  72. Build a Timeline
  73. Timeline Analysis: file system metadata; event log entries; data from the Registry; the user's web browser history; timestamps; network statistics; logs
  74. Timestamps: creation date; last modified date; last accessed date; last modified date for the file's Master File Table (MFT) entry
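The MACtime and timeline slides above describe what a timeline is built from; the following added example (not from the deck) shows the mechanics: each file's four timestamps are merged into one chronological event list with mactime-style "macb" flags, and a window around a seed time pulls out everything touched during the infection. The file records are constructed to follow the Zeus install flow from the earlier slides; the paths are placeholders.

```python
"""MACtime-style timeline builder (added example, not from the slides).

Collapses each file's four timestamps into one chronological list the way
mactime does with a body file: Unix mtime/atime/ctime plus creation time,
which on NTFS correspond to LastWriteTime, LastAccessTime, the MFT entry's
modified time, and CreationTime. The sample records are constructed."""
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class FileRecord:
    path: str
    mtime: int                    # content last modified (LastWriteTime)
    atime: int                    # last accessed (LastAccessTime)
    ctime: int                    # inode / MFT entry changed
    crtime: Optional[int] = None  # creation time, when the file system keeps one


def record_from_stat(path: str) -> FileRecord:
    """Read a record from a live file; st_birthtime exists only on some platforms."""
    st = os.stat(path)
    born = getattr(st, "st_birthtime", None)
    return FileRecord(path, int(st.st_mtime), int(st.st_atime), int(st.st_ctime),
                      int(born) if born is not None else None)


def build_timeline(records: List[FileRecord]) -> List[Tuple[int, str, str]]:
    """Return (epoch, macb-flags, path) sorted by time. A letter means that
    timestamp fired at this instant, a dot means it did not."""
    events: Dict[Tuple[int, str], List[str]] = {}
    for r in records:
        for i, ts in enumerate((r.mtime, r.atime, r.ctime, r.crtime)):
            if ts is None:
                continue
            events.setdefault((ts, r.path), list("...."))[i] = "macb"[i]
    return sorted((ts, "".join(f), p) for (ts, p), f in events.items())


def events_near(timeline, epoch: int, window: int = 60) -> List[str]:
    """Paths touched within +/- window seconds of a seed time (for example when
    the dropper was first run); duplicates removed, order preserved."""
    seen: List[str] = []
    for ts, _, path in timeline:
        if abs(ts - epoch) <= window and path not in seen:
            seen.append(path)
    return seen


def render(timeline) -> str:
    return "\n".join(f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {f} {p}"
                     for ts, f, p in timeline)


# Constructed records following the Zeus install flow on the slides: the
# dropper is created and run, a copy is written elsewhere, and the software
# hive is modified a second later (browser security settings lowered).
T0 = 1303000000
SAMPLE = [
    FileRecord("C:/Users/vic/Downloads/invoice.exe", T0, T0 + 30, T0, T0),
    FileRecord("C:/Users/vic/AppData/Roaming/copy.exe", T0 + 31, T0 + 31, T0 + 31, T0 + 31),
    FileRecord("C:/Windows/System32/config/software", T0 + 32, T0 + 5000, T0 + 32, T0 - 99999),
]

if __name__ == "__main__":
    print(render(build_timeline(SAMPLE)))
```

On a real image, replace SAMPLE with `record_from_stat` over the mounted file system (or a body file from fls/mactime) and seed `events_near` with the dropper's creation time.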
  75. File Carving: tool for recovering files and fragments of files when directory entries are corrupt or missing. For example, listing a directory of pictures: the pictures are all deleted in the catalogue; file carving allows the investigator to recover the pictures without directory listings
  76. Finding Hidden exe
  77. LordPE
  78. Hiding Process: BackTrack 4 Linux distribution; rooted box with Metasploit; migrated process via meterpreter script
  79. Extracting exe
  80. Volatility Python Scripts
  81. Volatility: digital forensics utility; scripts used to walk memory dumps; rebuild running processes; rebuild executables; malfind plug-in finds suspicious files in memory
  82. Malicious process hidden in PID 4968
  83. VAD walk identifies offsets
  84. Disassembly of offsets
  85. VAD Walk: Virtual Address Descriptor (VAD) tree structure in Windows memory dumps; method to locate and parse the structure of physical memory; the method walks the tree for the "hacked" process
  86. Using Foremost to get EXE
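The file carving and "Using Foremost to get EXE" slides describe pulling an executable out of a dump without a directory entry. The added example below (not from the deck or from the Foremost project) does that for PE files: it validates the MZ -> e_lfanew -> PE signature chain and sizes the file from its section table, so a carved hit has its true on-disk length and stray "MZ" bytes are skipped. The "dump" is constructed inline.

```python
"""Foremost-style carving of PE executables from a raw dump.

Added example, not from the slides or the Foremost project. Instead of a
header/footer pair it validates the 'MZ' -> e_lfanew -> 'PE\\0\\0' chain and
sizes the file from its section table, so every hit is carved at its true
on-disk length and stray 'MZ' bytes are skipped. The image is constructed."""
import os
import struct
from typing import List, Tuple


def pe_size_at(buf: bytes, off: int) -> int:
    """On-disk size of a PE file starting at off, or 0 if the headers do not parse."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return 0
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return 0
    nsections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    sect = pe + 24 + opt_size                        # first IMAGE_SECTION_HEADER
    end = e_lfanew + 24 + opt_size + 40 * nsections  # headers at minimum
    for i in range(nsections):
        s = sect + 40 * i
        if s + 40 > len(buf):
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", buf, s + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(buf) - off)  # a dump may end mid-file; keep what is there


def carve_pe(buf: bytes) -> List[Tuple[int, bytes]]:
    """Every (offset, bytes) pair that parses as a PE; scanning resumes after each carve."""
    hits, off = [], buf.find(b"MZ")
    while off != -1:
        size = pe_size_at(buf, off)
        if size:
            hits.append((off, buf[off:off + size]))
        off = buf.find(b"MZ", off + (size or 1))
    return hits


def write_hits(hits, outdir: str) -> List[str]:
    """Write each carved file as <offset>.exe, as Foremost names its output."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for off, data in hits:
        name = os.path.join(outdir, f"{off:08x}.exe")
        with open(name, "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE: DOS header, COFF header, no optional header, one section."""
    e_lfanew, nsections, opt_size = 0x40, 1, 0
    raw_ptr = e_lfanew + 24 + 40  # section data right after the headers
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, opt_size, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + bytes(16)
    return dos + coff + sect + payload


# Constructed "memory dump": junk, a decoy 'MZ' with no PE header, the real file, more junk.
FAKE_PE = make_fake_pe(b"\x90" * 64 + b"Click Happy")
DECOY = b"MZ junk without a PE header"
IMAGE = bytes(300) + DECOY + b"\xff" * 100 + FAKE_PE + bytes(200)
PE_OFFSET = 300 + len(DECOY) + 100

if __name__ == "__main__":
    for off, data in carve_pe(IMAGE):
        print(f"PE at offset 0x{off:x}, {len(data)} bytes")
```

Executables rebuilt from a memory dump this way are memory images rather than disk files (section raw pointers may not match), so hash them for VirusTotal but expect differences from the dropper on disk.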
  87. NetworkMiner
  88. Using Wireshark: capture packets on the network of malware contacting the Zeus command and control; behavior-based analysis of malware
  89. Analysis with NetworkMiner: need a pcap file; need to download NetworkMiner; need search criteria
  90. Network
  91. Click Happy – Infect your system: set up your process viewers; snapshot your registry with Regshot; configure FakeDNS; start Wireshark; double-click that executable; intercept system- and network-level activities in the analysis lab
  92. NOTE: MAKE SURE YOU DON'T CONNECT TO PROD
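The "Infect your system" procedure above snapshots the registry with Regshot before and after running the sample. The added example below (not from the deck or from Regshot) shows what the comparison step does with those two snapshots: a diff into added, removed and changed values, then a triage pass over the locations the Zeus flow slides call out, autostart entries and the IE security-zone settings the bot lowers. The snapshot text format, the watch list and both snapshots are constructed for illustration.

```python
"""Regshot-style registry snapshot comparison (added example, not from the
slides or the Regshot project). Two snapshots in a simple 'key\\value = data'
text form are diffed into added, removed and changed entries, and the result
is triaged against an assumed watch list: autostart entries and the IE
security-zone settings the Zeus install flow changes. Both snapshots are
constructed; the IE zone value names are real action IDs but the data is made up."""
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]


def parse_snapshot(text: str) -> Snapshot:
    """One entry per line, 'key\\valuename = data'; blank lines and '#' comments ignored."""
    snap: Snapshot = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, data = line.partition(" = ")
        snap[name.strip()] = data.strip()
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[Tuple[str, str, str]]]:
    """Entries as (name, old, new); a missing side is ''."""
    out: Dict[str, List[Tuple[str, str, str]]] = {"added": [], "removed": [], "changed": []}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            out["added"].append((name, "", new))
        elif new is None:
            out["removed"].append((name, old, ""))
        elif old != new:
            out["changed"].append((name, old, new))
    return out


# Assumed watch list (not the slides' own): where persistence and the
# browser-security changes described for Zeus would show up.
WATCH = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones",
)


def triage(diff: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Human-readable findings for diff entries that sit under a watched key."""
    findings = []
    for kind, entries in diff.items():
        for name, old, new in entries:
            if any(name.lower().startswith(w.lower()) for w in WATCH):
                findings.append(f"{kind}: {name} ({old!r} -> {new!r})")
    return findings


# Constructed before/after snapshots mirroring the behaviour on the slides:
# a new Run entry pointing at the copied executable and a lowered zone setting.
BEFORE = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Program Files\OneDrive.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = 0
HKCU\Software\Wireshark\LastOpened = 1
"""
AFTER = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Program Files\OneDrive.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater = C:\Users\vic\AppData\Roaming\copy.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = 0
HKCU\Software\Wireshark\LastOpened = 2
"""

if __name__ == "__main__":
    for line in triage(diff_snapshots(parse_snapshot(BEFORE), parse_snapshot(AFTER))):
        print(line)
```

Noise from your own tooling (the Wireshark entry here) still appears in the raw diff, which is why the triage pass exists; keep the unfiltered diff for the report.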
  93. Kung Fu: build analysis workstation; behavior and code analysis; reverse engineer; VirusTotal
  94. What is reverse engineering?
  95. Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction
  96. Understanding 1s and 0s: a software person programs in a language; the program gets compiled; 1s and 0s get "translated" from human-readable code to machine instructions; reverse engineering attempts to take machine instructions and create human-readable code
  97. Compiling Source Code: source code -> compiler -> object file
  98. Object file + DLL + DLL -> linker
  99. Assembly Language
  100. Example Assembly: MOV AX, 47104; MOV DS, AX; MOV [3998], 36; INT 32. Each line is one CPU-level instruction
  101. Example Assembly: MOV AX, 47104; MOV DS, AX; MOV [3998], 36; INT 32. The first line tells the computer to copy the number 47104 into the location AX
  102. Human readable
  103. Example Human Readable: #include <stdio.h> int main() { printf("Click Happy.\n"); getchar(); return 0; }
  104. Purpose of R.E.: manually follow the flow of the program visually using graphs; manually follow the flow of the program by reading the code; execute code with breakpoints to control the flow of the program during runtime; look for hints or clues to origin, signatures, or programming style; look for characteristics of the program
  105. Reverse-Engineering Benefits: sophisticated malware protects itself from discovery and analysis; malware will have passwords, backdoors, and secret methods to hide and protect information; allows the analyst to discover great detail on the operations and flow control of the program
  106. Wouldn't it be nice to have the login and password to the command and control server of a botnet?
  107. Manual unpacking of protected malicious Windows executables
  108. Understand anti-analysis mechanisms built into malware
  109. Analyzing protected malicious browser scripts written in JavaScript and VBScript
  110. Other Benefits of R.E.: performing static and dynamic code analysis of malicious Windows executables; step through code using debuggers like OllyDbg or SoftICE
  111. OllyDbg: 32-bit assembler-level debugger; binary code analysis where source is unavailable
  112. Using OllyDbg: drag the executable onto OllyDbg; "step into" each instruction until something fun happens; in the register section you can observe what is being run in memory
  113. Reverse Engineering: potentially gives you the "why" of the behavior; insight into the inner workings of the program
  114. BinText: searches a binary or executable for all text; outputs "strings"; provides insight into the structure or parts of the program
  115. Searching strings: analyzing malware with IDA Pro and strings
  116. Kung Fu: build analysis workstation; behavior and code analysis; reverse engineer; VirusTotal
  117. VirusTotal
  118. CWSandbox
  119. Final Thoughts
  120. got root?
  121. APT? Advanced Persistent Threat: a threat, such as a foreign nation-state government, with both the capability and the intent to persistently and effectively target a specific entity
  122. Coordinated human involvement; NOT a mindless and automated piece of code; specific objective; skilled and motivated; organized and well funded
  123. Photo Credits = Internet
  124. Thank you!
  125. Quiz
  126. What are the two types of malware analysis?
  127. Behavioral analysis; code analysis
  128. What is APT?
  129. Advanced Persistent Threat
  130. What is reverse engineering?
  131. Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction
  132. How many PCs deployed worldwide?
  133. 1.2 billion
  134. How many smartphones? What's the future market?
  135. 5 billion
  136. What does hacking get you?
  137. New friends
  138. Place to stay. 3 meals.
  139. Job retraining
  140. Hacking = Jail
  141. Click Happy. Thank you!