• Save
Automated Malware Analysis
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Automated Malware Analysis

  • 1,910 views
Uploaded on

My presentation at c0c0n-2011

My presentation at c0c0n-2011

More in: Education , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • ok
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
1,910
On Slideshare
1,651
From Embeds
259
Number of Embeds
2

Actions

Shares
Downloads
0
Comments
1
Likes
3

Embeds 259

http://thepush.info 257
http://www.linkedin.com 2

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Automated Malware Analysis - Setting up the Environment
    • Username : Pushkar
    • Password : KV Prashant
  • 2. Who we are????
    • Pushkar Pashupat(Push)
      • Security Researcher, working as independent consultant
      • CEH, Member of Matriux and null community
    • K.V Prashant(kvbhai)
      • Security Consultant, working for IT services company
      • CISSP & CEH, member of null open security and hacking community
  • 3. Agenda
    • What is Malware analysis
    • Automation
        • Virtualization
        • Sanboxing
    • Tools of Trade
    • Demo
    • References
  • 4. Malware Analysis
    • What is Malware Analysis
      • Analysing executables for the purpose of determining its malacious behaviour
    • Techniques of Malware Analysis
      • Static code analysis
        • Using debuggers and RE tools(w/o executing)
      • Dynamic analysis
        • Behavioural analysis(exectuing the malware)
  • 5. Automation
    • Virtualization
      • Using virtual enviroment to execute the malwares and study the behaviour
    • Sandboxing
      • Executing malwares in controled and monitored environment
  • 6. Automation states Log Capture Start VM Malware Execution Create VM Revert to fresh Snapshot Next malware
  • 7. Network Level Analysis Physical machine running Linux OS (Controller) Virtual Machine running Windows where malware samples will run Router / DSL Modem Internet traffic routed through Linux machine
    • Applications running on Controller
    • Wireshark
    • Tshark
    • tcpdump
    • Snort
    • Burpsuite
    Internet
    • Network Level analysis help in determining following:
    • Protocol used
    • Connections made to which IP
    • Post connection activities like if any further malwares are dropped
  • 8. System Level Analysis Controller machine running 1. Custom scripts to invoke vm, start monitoring tools, execute malware and revert vm to clean snapshot
    • Windows Target machine, running on target machine
    • Volatility
    • Sysinternal tools, procmon, regmon, filemon
    • System Level analysis help in determining following:
    • Registry edits
    • Process, Files created
    • Sockets created and ports used
  • 9. Tools of Trade
    • VirtualBox
    • Sysinternal Suite
    • Wireshark
    • Volatility
    • Inetsim
    • Sandboxes like Sandboxie
  • 10. Virtualbox commands
    • Vboxmanage
      • startvm
      • guestcontrol -exec
      • snapshot
        • take
        • revert
      • controlvm
        • savestate
        • resume
        • poweroff
  • 11. Pre-Execution Analysis
    • PEScanner
    • Strings
    • VirusTotal
    • Start procmon
    • Start tshark
  • 12. Post Execution
    • Memory Dump Analysis
    • Yara log analysis
  • 13. Sandboxes
    • Online Sandboxes
    • CWSandbox
    • ThreatExpert
    • Norman
    • Offline Sandboxes
    • Sandboxie
    • cuckoo
  • 14. Sandboxie
    • Executing programs without affecting actual system
    • Buster Sandboxie Analyser
    • Wrapper around Sandboxie
  • 15. Demo
  • 16. Thank You Special Thanks to Matriux community and Manu Sir Thanks For Tolerating us 