Intro to Malware Analysis

As given @ SecureAsia Manila 2013
  • Malware analysis is somewhat regarded as a dark art, yet it has also become one of the primary sources of focused security intelligence for security teams. Nowhere can you learn more about your attackers and how they leverage weaknesses in your infrastructure, let alone about what they are interested in.

Transcript

  • 1. Intro to Malware Analysis Wim Remes – Managing Consultant @ IOActive
  • 2. 1977 - 2013 Barnaby Jack
  • 3. About me Wim Remes Managing Consultant @ IOActive Director @ (ISC)2 Organizer @ BruCON (September 26-27 !!) I don't teach, I share knowledge (I hope to learn more from you than you learn from me)
  • 4. Malware Analysis What ? Why? Toolchain? Tying it all together ? Tips & Tricks!
  • 5. What? "Taking malware apart to study it." (it's that simple? Yes it is.) Unless you work for an AV vendor, in which case you are supporting a product and even they automate A LOT. 12,000,000 samples in Q4 2012(1) 35,000+ mobile samples in Q4 2012(1) (ain't nobody got time for that!) (1) http://www.mcafee.com/us/security-awareness/articles/state-of-malware-2013.aspx
  • 6. DO: Understand your adversary Gather intelligence Share information Protect BETTER! AUTOMATE-AUTOMATE-AUTOMATE DO NOT: Waste time on random samples Practice your reverse engineering fu (most of the time) Why?
  • 7. Why? “Attacker Profiling” Indicators of compromise! (IOCs) Command and Control Servers? Malware sources? Traffic Patterns? Registry Keys? Behavioral Characteristics? Know your enemy!
  • 8. Toolchain https://www.virustotal.com/en/#search Do NOT just upload unknown samples!
  • 9. Toolchain http://www.cuckoosandbox.org Automated Analysis
  • 10. Toolchain Reporting Cuckoo framework Oracle Virtualbox WinXP WinXP WinXP WinXP - Installation - System Changes - Network Traffic - …
  • 11. Toolchain Manual Analysis? (sure…) OllyDbg Immunity Debugger IDA Pro WinDbg Wireshark Windows SysInternals … Beware of evasion tricks !!
  • 12. Toolchain Mobile Malware? http://apkscan.nviso.be/
  • 13. Toolchain Indicators of compromise (IOCs)
  • 14. Toolchain http://www.malware.lu/ http://www.abuse.ch/ (Zeus tracker / SpyEye tracker) http://www.openioc.org/
  • 15. Tying it all together Manual analysis Automated Analysis External Sources IOCs Firewall Configuration IDS/IPS Configuration SIEM Configuration Industry/Peer Sharing
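The pipeline on slide 15 (automated analysis produces IOCs, which feed firewall, IDS/IPS and SIEM configuration) as an added example; this is not code from the talk. The sandbox report and the log lines are constructed, and the report's field names are an assumption modelled loosely on Cuckoo-style JSON output, not Cuckoo's exact schema.

```python
import json
# Constructed, simplified sandbox report. Field names are assumptions modelled loosely
# on Cuckoo-style JSON output, not Cuckoo's exact schema.
SAMPLE_REPORT = json.dumps({
    "network": {"domains": [{"domain": "update.example.invalid", "ip": "198.51.100.23"}],
                "hosts": ["198.51.100.23", "203.0.113.7"]},
    "behavior": {"summary": {
        "keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updsvc"],
        "mutexes": ["Global\\UpdSvcMutex"]}}})

# Constructed log lines: a DNS log, two proxy log entries and a registry-audit event.
SAMPLE_LOGS = [
    "2013-07-01T10:00:01Z dns client=10.0.0.5 query=update.example.invalid A",
    "2013-07-01T10:00:02Z proxy client=10.0.0.5 dst=203.0.113.7:443 bytes=5120",
    "2013-07-01T10:00:03Z proxy client=10.0.0.9 dst=93.184.216.34:443 bytes=900",
    r"2013-07-01T10:00:04Z regaudit host=WS05 op=SetValue key=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updsvc",
]

def extract_iocs(report_json):
    """Flatten the network and host indicators out of the sandbox report."""
    r = json.loads(report_json)
    net, summ = r.get("network", {}), r.get("behavior", {}).get("summary", {})
    ips = set(net.get("hosts", [])) | {d["ip"] for d in net.get("domains", []) if d.get("ip")}
    return {"domains": sorted(d["domain"] for d in net.get("domains", [])), "ips": sorted(ips),
            "registry": sorted(summ.get("keys", [])), "mutexes": sorted(summ.get("mutexes", []))}

def firewall_rules(iocs):
    """One outbound DROP per host the sample contacted (iptables syntax)."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in iocs["ips"]]

def dns_label_content(domain):
    """Wire-format DNS labels as a Snort/Suricata content string: 'a.bc' -> '|01|a|02|bc'."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split("."))

def ids_rules(iocs, sid_base=9000001):
    """One DNS-query alert per C2 domain, matching the length-prefixed labels."""
    return [f'alert udp $HOME_NET any -> any 53 (msg:"C2 DNS lookup {d}"; '
            f'content:"{dns_label_content(d)}"; nocase; sid:{sid_base + i}; rev:1;)'
            for i, d in enumerate(iocs["domains"])]

def siem_matches(iocs, log_lines):
    """(line number, indicator) for every log line that contains any IOC string."""
    needles = iocs["domains"] + iocs["ips"] + iocs["registry"] + iocs["mutexes"]
    return [(n, ioc) for n, line in enumerate(log_lines, 1)
            for ioc in needles if ioc.lower() in line.lower()]

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    print("\n".join(firewall_rules(iocs) + ids_rules(iocs)))
    print(siem_matches(iocs, SAMPLE_LOGS))
```

The mutex indicator is carried along for host-side hunting even though none of the constructed log lines mention it; the benign proxy line to 93.184.216.34 shows that unrelated traffic produces no hit.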
  • 16. Tips & Tricks Incubation (not for the faint of heart) a) You want to gather more intelligence b) You want to profile attackers Attackers introducing new techniques? Introducing 'next level' attackers? Reselling of compromised machines? You can learn A LOT!
  • 17. Tips & Tricks Anti Reverse Engineering Exploiting weaknesses in RE Tools Anti Disassembly Anti Debugging Anti VM Techniques Packers "it takes one to know one." Ref. "Practical Malware Analysis" by Michael Sikorski and Andrew Honig
  • 18. By Example – 'Magneto' A malware that exploits a buffer overflow condition in Firefox 17. Believed to be used against users of 'malicious' TOR .onion sites. https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
  • 19. By Example – 'Magneto' Attacks the browser iframe attack + buffer overflow Sends hostname + MAC address to remote server Analysis tools fail because 'sessionStorage' and 'ArrayBuffer' are not recognized.
  • 20. By Example – ‘Magneto’ Attack Browser Execute Shellcode Gather Information Exfiltrate Information Learn attacker techniques Correlate attacker behaviour Identify coders/ code sharing? Identify targeted assets Attribution? Correlation …
  • 21. Summary Goal = Protecting Better NOT "Trying to beat them" There are automation tools, use them. Know your tools and their limitations. Know the attacker's toolset too Share knowledge/intelligence
  • 22. Q & A Thank you ! wim.remes@ioactive.co.uk @wimremes on twitter