Your SlideShare is downloading. ×
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and Clustering
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and Clustering

3,144

Published on

This talk was given at DEF CON 2010 by Jeremy Chiu, Benson Wu, and Wayne Huang …

This talk was given at DEF CON 2010 by Jeremy Chiu, Benson Wu, and Wayne Huang

https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang

For antivirus vendors and malware researchers today, the challenge lies not in "obtaining" the malware samples - they have too many already. What's needed is automated tools to speed up the analysis process. Many sandboxes exist for behavior profiling, but it still remains a challenge to handle anti-analysis techniques and to generate useful reports.

The problem with current tools is the monitoring mechanism - there's always a "sandbox" or some type of monitoring mechanism that must be loaded BEFORE malware execution. This allows malware to detect whether such monitoring mechanisms exist, and to bail out thus avoiding detection and analysis.

Here we release 0box--an afterDark analyser that loads AFTER malware execution. No matter how well a piece of malware hides itself, there will be runtime forensics data that can be analyzed to identify "traces" of a process trying to hide itself. For example, evidences within the process module lists or discrepancies between kernel- and user-space datastructures. Since analysis is done post mortem, it is very hard for malware to detect the analysis.

By using runtime forensics to extract evidences, we turn a piece of malware from its original binary space into a feature space, with each feature representing the existence or non-existence of a certain behavior (ex, process table tampering, unpacking oneself, adding hooks, etc). By running clustering algorithms in this space, we show that this technique not only is very effective and very fast at detecting malware, but is also very accurate at clustering the malware into existing malware families. Such clustering is helpful for deciding whether a piece of malware is just a variation or repacking of an existing malware family, or is a brand new find.

Using three case studies, we will demo 0box, compare 0box with 0box with recent talks at BlackHat and other security conferences, and explain how 0box is different and why it is very effective. 0box will be released at the conference as a free tool.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,144
On Slideshare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
93
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

×