Published on SlideShare, as given @ SecureAsia Manila 2013
  • Malware analysis is somewhat regarded as a dark art. It has also become one of the primary sources of focused security intelligence for security teams. Nowhere can you learn more about your attackers and how they leverage weaknesses in your infrastructure, let alone what they are interested in.
  • Intro to Malware Analysis

    1. Intro to Malware Analysis
       Wim Remes – Managing Consultant @ IOActive

    2. 1977 - 2013
       Barnaby Jack

    3. About me
       Wim Remes
       Managing Consultant @ IOActive
       Director @ (ISC)2
       Organizer @ BruCON (September 26-27 !!)
       I don't teach, I share knowledge (I hope to learn more from you than you learn from me)

    4. Malware Analysis
       What? Why? Toolchain? Tying it all together? Tips & Tricks!

    5. What?
       "Taking malware apart to study it."
       (it's that simple? Yes it is.)
       Unless you work for an AV vendor, in which case you are supporting a product, and even they automate A LOT.
       12,000,000 samples in Q4 2012 (1)
       35,000+ mobile samples in Q4 2012 (1)
       (ain't nobody got time for that!)
       (1) http://www.mcafee.com/us/security-awareness/articles/state-of-malware-2013.aspx

    6. DO:
       Understand your adversary
       Gather intelligence
       Share information
       Protect BETTER!
       AUTOMATE-AUTOMATE-AUTOMATE
       DO NOT:
       Waste time on random samples
       Practice your reverse engineering fu (most of the time)

    7. Why?
       "Attacker Profiling"
       Indicators of compromise! (IOCs)
       Command and Control Servers? Malware sources? Traffic Patterns? Registry Keys? Behavioral Characteristics?
       Know your enemy!

    8. Toolchain
       https://www.virustotal.com/en/#search
       Do NOT just upload unknown samples!

    9. Toolchain
       http://www.cuckoosandbox.org
       Automated Analysis

    10. Toolchain
       Reporting: Cuckoo framework on Oracle VirtualBox, running several WinXP guests
       - Installation
       - System Changes
       - Network Traffic
       - …

    11. Toolchain
       Manual Analysis? (sure…)
       OllyDbg, Immunity Debugger, IDA Pro, WinDbg, Wireshark, Windows SysInternals, …
       Beware of evasion tricks !!

    12. Toolchain
       Mobile Malware? http://apkscan.nviso.be/

    13. Toolchain
       Indicators of compromise (IOCs)

    14. Toolchain
       http://www.malware.lu/
       http://www.abuse.ch/ (Zeus tracker / SpyEye tracker)
       http://www.openioc.org/

    15. Tying it all together
       Manual analysis + Automated analysis + External sources -> IOCs
       IOCs -> Firewall configuration, IDS/IPS configuration, SIEM configuration, Industry/Peer sharing
    16. Tips & Tricks
       Incubation (not for the faint of heart)
       a) You want to gather more intelligence
       b) You want to profile attackers
       Attackers introducing new techniques? Introducing 'next level' attackers? Reselling of compromised machines?
       You can learn A LOT!

    17. Tips & Tricks
       Anti Reverse Engineering
       Exploiting weaknesses in RE Tools
       Anti Disassembly
       Anti Debugging
       Anti VM Techniques
       Packers
       "it takes one to know one."
       Ref. "Practical Malware Analysis" by Michael Sikorski and Andrew Honig

    18. By Example – 'Magneto'
       A malware that exploits a buffer overflow condition in Firefox 17.
       Believed to be used against users of 'malicious' TOR .onion sites.
       https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/

    19. By Example – 'Magneto'
       Attacks the browser: iframe attack + buffer overflow
       Sends hostname + MAC address to remote server
       Analysis tools fail because 'sessionStorage' and 'ArrayBuffer' are not recognized.

    20. By Example – 'Magneto'
       Attack Browser -> Execute Shellcode -> Gather Information -> Exfiltrate Information
       Learn attacker techniques
       Correlate attacker behaviour
       Identify coders / code sharing?
       Identify targeted assets
       Attribution? Correlation …

    21. Summary
       Goal = Protecting Better, NOT "Trying to beat them"
       There are automation tools, use them.
       Know your tools and their limitations.
       Know the attacker's toolset too
       Share knowledge/intelligence

    22. Q & A
       Thank you !
       wim.remes@ioactive.co.uk
       @wimremes on twitter