Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
    Presentation Transcript

    • Automated Malware Analysis Nguyễn Chấn Việt
    • Organizer: Sponsor:
    • Malware Attacks Growing
      • Office exploits
      • PDF exploits
      • Browser exploits
      • …
      10/29/2013 11:15 AM www.securitybootcamp.vn
    • Anatomy of the attack
      • Stage 1: Exploitation / Phishing / Social Engineering
      • Stage 2: The dropper executes & disables existing security controls
      • Stage 3: The "real" malware is downloaded and installed
      • Stage 4: Steal sensitive data
      • Stage 5: Communicate with external C&C servers, used to facilitate further attacks
    • Why do we need it?
      • Malware in the wild is far too plentiful
      • Manual analysis takes a lot of time
      • Static analysis requires strong skillsets
      • Need to deal with packed, polymorphic, self-modifying code
      • Performing dynamic analysis manually is tedious work
      => How can we handle the large volume of malware samples collected each day?
    • Methods of malware analysis
      • Signatures
      • Heuristics
      • Discrete Objects Analysis
      • Contextual Analysis
    • Online AMAs
      • VirusTotal: http://www.virustotal.com/
      • ThreatExpert: http://www.threatexpert.com/filescan.aspx
      • Anubis: http://anubis.iseclab.org/
      • Joebox:
        – http://www.file-analyzer.net/
        – http://www.apk-analyzer.net/
        – http://www.document-analyzer.net/
        – http://www.url-analyzer.net/
    • Offline AMAs
      • CWSandbox: commercial
      • Cuckoo Sandbox: free and open source
      • Zerowine: a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux
      • Malheur
    • Cuckoo is my choice
      • Cuckoo Sandbox was started as a 2010 Summer of Code project
      • Now it consists of around 50000 lines of code written in Python and C
      • Sponsored by Rapid7 in a program called "Magnificent7"
      • Why did we choose it?
        – Easy to use
        – Easy to customize
        – Nice Web UI and comprehensive reports
        – Open source
    • Cuckoo is my choice
    • Execution flow
      • Fetch a task
      • Prepare the analysis
      • Launch the analyzer in the virtual machine
      • Execute an analysis package
      • Complete the analysis
      • Store the results
      • Process and create reports
    • Your VM can be detected
    • Your sandbox can be detected
    • Hardening
      • Integrate with pafish (Paranoid Fish)
      • Update VM-bypass methods
      • More info:
        – http://www.alienvault.com/open-threat-exchange/blog/hardening-cuckoosandbox-against-vm-aware-malware
        – http://kromer.pl/malware-analysis/installing-and-hardening-latest-cuckoosandbox-on-gentoo-linux/
        – http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardeningvirtualbox.html
    • Others
      • CuckooMX: Automating Email Attachment Scanning with Cuckoo
    • How about post-analysis?
      • Cuckoo + Volatility + YARA
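    The CuckooMX idea on the "Others" slide, pulling attachments out of mail and queuing them in Cuckoo, as an added example that is not CuckooMX's or Cuckoo's own code: it parses a constructed message with Python's email module, hashes each attachment, and posts it to Cuckoo's documented REST endpoint /tasks/create/file, assumed here to listen on localhost:8090 (the opener parameter lets the call be stubbed offline).

```python
import email
import hashlib
import json
import urllib.request
import uuid
from email import policy
from email.message import EmailMessage


def build_sample_eml() -> bytes:
    """Constructed test message with one attachment (a harmless text blob, not malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "mailbox@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"not a real dropper", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> list:
    """Return [{filename, sha256, data}] for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64/quoted-printable already undone
        if data is not None:
            found.append({"filename": part.get_filename() or "unnamed",
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return found


def build_multipart(filename: str, data: bytes):
    """Encode one file as a multipart/form-data body under the form field 'file'."""
    boundary = "cuckoomx" + uuid.uuid4().hex
    head = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: application/octet-stream\r\n\r\n")
    body = head.encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def submit_to_cuckoo(attachment: dict, api_base="http://localhost:8090",
                     opener=urllib.request.urlopen) -> dict:
    """POST the file to Cuckoo's /tasks/create/file; Cuckoo answers {"task_id": N}."""
    body, ctype = build_multipart(attachment["filename"], attachment["data"])
    req = urllib.request.Request(api_base + "/tasks/create/file", data=body,
                                 headers={"Content-Type": ctype}, method="POST")
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for att in extract_attachments(build_sample_eml()):
        print(att["filename"], att["sha256"])  # submit_to_cuckoo(att) would queue it
```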
    • Volatility
      • An advanced memory forensics framework
      • Written in Python
      • Open source
      • Active development
        – Month of Volatility Plugins (MoVP)
        – Annual Volatility Framework Plugin Contest
      • Large community
    • Volatility
      • There are many modules for:
        – Detecting Windows GUI hooking
        – Detecting user-mode hooks (IAT/Inline/…)
        – Detecting kernel-mode hooks (SSDT/IRP/…)
        – Detecting hidden processes
        – Detecting hidden kernel modules
        – Detecting hidden connections
    • YARA
      • YARA is a tool aimed at helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families.
    • YARA
      • Example: The rule below tells YARA that any file containing one of the three strings must be reported as silent_banker.
      • rule silent_banker : banker
        {
            meta:
                description = "This is just an example"
                thread_level = 3
                in_the_wild = true
            strings:
                $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
                $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
                $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
            condition:
                $a or $b or $c
        }
    • Who's using YARA
      • VirusTotal Intelligence (https://www.virustotal.com/intelligence/)
      • jsunpack-n (http://jsunpack.jeek.org/)
      • We Watch Your Website (http://www.wewatchyourwebsite.com/)
      • FireEye, Inc. (http://www.fireeye.com)
      • Fidelis XPS (http://www.fidelissecurity.com/network-securityappliance/Fidelis-XPS)
    • New Automated Malware Capability Detection System
      • CrowdSource: Applying machine learning to web technical documents to automatically identify malware capabilities
        – detects debugger-based reversing
        – encrypts / decrypts data
        – provides remote desktop capability
        – steals or modifies cookies
        – mines or steals bitcoins
        – communicates over SMTP
        – has GUI functionality
        – communicates with a database
        – communicates via the IRC protocol
        – logs keystrokes
        – takes screenshots
      • Planning to release CrowdSource as an open source tool in November
    • Conclusion
      • The fight against malware is a cat-and-mouse game
      • We should:
        – Make use of Automated Malware Analysis
        – Keep up with new techniques
        – Use the simplest method for each scenario
    • Thank you!