Intro to Malware Analysis


As given @ SecureAsia Manila 2013

  • Malware Analysis is somewhat regarded as a dark art … it's also become one of the primary sources of focused security intelligence for security teams. Nowhere else can you learn more about your attackers and how they leverage weaknesses in your infrastructure, let alone about what they are interested in.
    1. Intro to Malware Analysis. Wim Remes, Managing Consultant @ IOActive
    2. 1977 - 2013: Barnaby Jack
    3. About me: Wim Remes; Managing Consultant @ IOActive; Director @ (ISC)2; Organizer @ BruCON (September 26-27 !!). I don't teach, I share knowledge (I hope to learn more from you than you learn from me)
    4. Malware Analysis: What? Why? Toolchain? Tying it all together? Tips & Tricks!
    5. What? "Taking malware apart to study it." (it's that simple? Yes it is.) Unless you work for an AV vendor, in which case you are supporting a product, and even they automate A LOT. 12,000,000 samples in Q4 2012(1); 35,000+ mobile samples in Q4 2012(1) (ain't nobody got time for that!) (1)
    6. Why? DO: Understand your adversary; Gather intelligence; Share information; Protect BETTER! AUTOMATE-AUTOMATE-AUTOMATE. DO NOT: Waste time on random samples; Practice your reverse engineering fu (most of the time)
    7. Why? "Attacker Profiling": Indicators of compromise (IOCs)! Command and Control Servers? Malware sources? Traffic Patterns? Registry Keys? Behavioral Characteristics? Know your enemy!
    8. Toolchain: Do NOT just upload unknown samples!
    9. Toolchain: Automated Analysis
    10. Toolchain: Cuckoo framework on Oracle VirtualBox with WinXP guests (x4). Reporting: Installation, System Changes, Network Traffic, …
    11. Toolchain: Manual Analysis? (sure…) OllyDbg, Immunity Debugger, IDA Pro, WinDbg, Wireshark, Windows SysInternals, … Beware of evasion tricks !!
    12. Toolchain: Mobile Malware?
    13. Toolchain: Indicators of compromise (IOCs)
    14. Toolchain: (Zeus tracker / SpyEye tracker)
    15. Tying it all together: Manual analysis, Automated Analysis, External Sources → IOCs → Firewall Configuration, IDS/IPS Configuration, SIEM Configuration, Industry/Peer Sharing
    16. Tips & Tricks: Incubation (not for the faint of heart) a) You want to gather more intelligence b) You want to profile attackers. Attackers introducing new techniques? Introducing 'next level' attackers? Reselling of compromised machines? You can learn A LOT!
    17. Tips & Tricks: Anti Reverse Engineering, exploiting weaknesses in RE tools: Anti Disassembly, Anti Debugging, Anti VM Techniques, Packers. "it takes one to know one." Ref. "Practical Malware Analysis" by Michael Sikorski and Andrew Honig
    18. By Example – 'Magneto': A malware that exploits a buffer overflow condition in Firefox 17. Believed to be used against users of 'malicious' TOR .onion sites. analysis/source/browse/trunk/TorFreedomHosting/
    19. By Example – 'Magneto': Attacks the browser (iframe attack + buffer overflow); sends hostname + MAC address to a remote server. Analysis tools fail because 'sessionStorage' and 'ArrayBuffer' are not recognized.
    20. By Example – 'Magneto': Attack Browser → Execute Shellcode → Gather Information → Exfiltrate Information. Learn attacker techniques; Correlate attacker behaviour; Identify coders / code sharing? Identify targeted assets; Attribution? Correlation …
    21. Summary: Goal = Protecting Better, NOT "Trying to beat them". There are automation tools, use them. Know your tools and their limitations. Know the attacker's toolset too. Share knowledge/intelligence.
    22. Q & A: Thank you! @wimremes on twitter
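Slides 10, 13 and 15 describe the pipeline: a Cuckoo sandbox on VirtualBox produces a report, IOCs are pulled out of it, and those IOCs become firewall and IDS/IPS configuration. The script below is an added example of that last step and is not part of the deck; the report is a constructed sample loosely modelled on a Cuckoo report.json (the field names are assumptions), 192.168.56.0/24 is assumed to be the sandbox's VirtualBox host-only network, and the output is plain iptables commands plus Snort rules that match the DNS lookup of each malware domain.

```python
import ipaddress

# Constructed sample, loosely modelled on a Cuckoo report.json; the field names are assumptions.
SAMPLE_REPORT = {
    "network": {
        "hosts": ["198.51.100.23", "203.0.113.7", "192.168.56.1", "not-an-ip"],
        "domains": [{"domain": "Update.Example-C2.test", "ip": "198.51.100.23"}],
    },
    "behavior": {"summary": {
        "keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost"],
    }},
}
# VirtualBox's default host-only range: the sandbox gateway/resolver lives here and must not
# end up in a block list (assumption: adjust to your own lab network).
LAB_NETS = [ipaddress.ip_network("192.168.56.0/24")]

def extract_iocs(report, lab_nets=LAB_NETS):
    """Turn a sandbox report into sorted IOC lists, dropping sandbox-internal addresses."""
    net = report.get("network", {})
    summary = report.get("behavior", {}).get("summary", {})
    candidates = list(net.get("hosts", [])) + [d["ip"] for d in net.get("domains", []) if d.get("ip")]
    hosts = set()
    for h in candidates:
        try:
            addr = ipaddress.ip_address(h)
        except ValueError:
            continue  # malformed entry, not an indicator
        if addr.is_loopback or any(addr in n for n in lab_nets):
            continue  # your own infrastructure, not the attacker's
        hosts.add(str(addr))
    return {
        "hosts": sorted(hosts),
        "domains": sorted({d["domain"].lower() for d in net.get("domains", []) if d.get("domain")}),
        "registry_keys": sorted(summary.get("keys", [])),
    }

def iptables_rules(iocs):
    """Firewall configuration: drop outbound traffic to the observed C2 hosts."""
    return [f"iptables -A OUTPUT -d {h} -j DROP" for h in iocs["hosts"]]

def dns_query_content(domain):
    """A name as it appears in a DNS question: length-prefixed labels, zero terminator."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split(".")) + "|00|"

def snort_dns_rules(iocs, base_sid=1000001):
    """IDS configuration: one Snort rule per malware domain, matching the DNS lookup for it."""
    return [f'alert udp $HOME_NET any -> any 53 (msg:"Malware domain lookup {d}"; '
            f'content:"{dns_query_content(d)}"; nocase; sid:{base_sid + i}; rev:1;)'
            for i, d in enumerate(iocs["domains"])]
```

The registry key is carried along for the SIEM/host side of slide 15; only the network indicators are turned into rules here.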