Malware Analysis as a Hobby - 44CON 2012

Michael Boman and Siavosh Zarrasvand present Malware Analysis as a Hobby at 44CON 2012 in London, September 2012.


  1. Malware Analysis as a Hobby
     Michael Boman - Security Consultant/Researcher, Father of 5
     Siavosh Zarrasvand - Security Consultant/Researcher, Searching
  2. Why the strange hobby?
  3. The manual way
  4. Drawbacks
     • Time consuming
     • Boring in the long run (not all malware are created equal)
  5. Choose any two... Cheap, Good, Fast
  6. Choose any two? Why not all of them?
     • I can do it cheaply (hardware and license cost-wise). Human time not included.
     • I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
     • I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings.
  7. Automate everything! Engineer yourself out of the workflow.
  8. Birth of the MART Project: Malware Analyst Research Toolkit
  9. Components
  10. Sample Acquisition
     • Public & Private Collections
     • Exchange with other malware analysts
     • Finding and collecting malware yourself
       • Download files from the web
       • Grab attachments from email
       • Feed BrowserSpider with links from your SPAM folder
  11. BrowserSpider
     • Written in Python
     • Uses the Selenium framework to control REAL browsers
       • Flash, PDFs, Java applets etc. execute as per normal
       • All the browser bugs exist for real
     • Spiders and follows all links seen
  12. Sample Analysis
     • Cuckoo Sandbox
     • VirusTotal
  13. A day's work for a Cuckoo (one analysis cycle): Fetch a task -> Prepare the analysis -> Launch analyzer in virtual machine -> Execute an analysis package -> Complete the analysis -> Process and create reports -> Store the result
  14. DEMO: Submit sample for analysis
  15. Sample Reporting
     • Results are stored in MongoDB (optional, highly recommended)
     • Accessed using an analyst GUI
  16. Data Mining
  17. Where Virtual Machine analysis fails, and what to do about it
  18. Problems
     • Cuckoo is easily bypassed
     • User-detection
     • Sleeping malware
  19. Problems
     • VM or Sandbox detection
     • The guest OS might not be sufficient
     • Any multistage attack
  20. Iterating automation: sort out clearly non-malicious and obviously malicious samples -> divide the samples into categories -> do brief static analysis
     • Sorting buckets: Known Good, Known Bad, Unknown
  21. Iterating automation (categories for the remaining samples)
     • Does not do anything
     • Detects environment
     • Encrypted segments
     • Failed execution
  22. Iterating automation (what to do next)
     • Run longer
     • Environment customization
  23. Budget
     • Computer: €520
     • MSDN License: €800 (€590 renewal)
     • Year 1: €1320
     • Year N: €590
     • Money saved from stopped smoking (yearly): €2040
  24. Next steps
     • Barebone on-the-iron malware analysis
     • Android platform support
     • OSX platform support
     • iOS platform support
  25. Questions?
     Michael Boman - michael@michaelboman.org - http://michaelboman.org - @mboman
     Siavosh Zarrasvand - siavosh.zarrasvand@gmail.com - @zarrasvand
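The "iterating automation" slides (20 to 22) describe a triage loop: sort samples by known-good/known-bad hashes, run a brief static analysis, put the leftovers into categories (does nothing, detects environment, encrypted segments, failed execution) and decide the next action (run longer, customize the environment). The script below is an added illustration of that loop and is not part of the MART toolkit or the talk. The hash lists, the byte-entropy heuristic for "encrypted segments" and the shape of the sandbox-run summary (`exit`, `vm_checks`, `api_calls`) are all assumptions made for this example; a real deployment would feed it the fields of an actual Cuckoo report.

```python
"""Triage loop sketch: hash sort -> brief static analysis -> category -> next step.
Added example; the sandbox-run summary format and the thresholds are assumptions."""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sort_by_hash(data: bytes, known_good, known_bad) -> str:
    """Step 1 (slide 20): Known Good / Known Bad / Unknown."""
    digest = sha256_hex(data)
    if digest in known_good:
        return "known-good"
    if digest in known_bad:
        return "known-bad"
    return "unknown"


def brief_static_analysis(data: bytes, chunk_size=256, threshold=7.0) -> dict:
    """Step 2: cheap static look. A full chunk with entropy >= threshold is
    treated as a packed/encrypted segment (assumed heuristic, not a rule)."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    high = [i for i, c in enumerate(chunks)
            if len(c) == chunk_size and shannon_entropy(c) >= threshold]
    return {
        "size": len(data),
        "is_pe": data[:2] == b"MZ",          # DOS header magic only, no parsing
        "high_entropy_chunks": high,
        "encrypted_segments": bool(high),
    }


def categorize(static: dict, run: dict) -> str:
    """Step 3 (slide 21): one category per sample, most specific first.
    `run` is a constructed summary of one sandbox execution."""
    if run["exit"] != "ok":
        return "failed-execution"
    if run["vm_checks"]:
        return "detects-environment"
    if run["api_calls"] == 0:
        return "does-not-do-anything"
    if static["encrypted_segments"]:
        return "encrypted-segments"
    return "behaved"


# Slide 22: what the next iteration does for each category (assumed mapping).
NEXT_STEP = {
    "known-good": "discard",
    "known-bad": "archive, no further work",
    "failed-execution": "check guest OS/runtime, fix the environment, rerun",
    "detects-environment": "environment customization, rerun",
    "does-not-do-anything": "run longer (sleeping malware), rerun",
    "encrypted-segments": "queue for manual static analysis",
    "behaved": "report stored, done",
}


def triage(data: bytes, run: dict, known_good=frozenset(), known_bad=frozenset()) -> dict:
    verdict = sort_by_hash(data, known_good, known_bad)
    if verdict != "unknown":
        return {"verdict": verdict, "next": NEXT_STEP[verdict]}
    static = brief_static_analysis(data)
    verdict = categorize(static, run)
    return {"verdict": verdict, "static": static, "next": NEXT_STEP[verdict]}


# Constructed sample inputs (not real files): low-entropy text with an MZ
# header, and a header followed by two uniform 256-byte blocks.
SAMPLE_TEXT = b"MZ" + b"hello world " * 60
SAMPLE_PACKED = b"MZ" + b"\x00" * 254 + bytes(range(256)) * 2

# Constructed sandbox-run summaries.
RUN_IDLE = {"exit": "ok", "vm_checks": [], "api_calls": 0}
RUN_NORMAL = {"exit": "ok", "vm_checks": [], "api_calls": 40}
RUN_VMCHECK = {"exit": "ok", "vm_checks": ["looked up VM artifacts"], "api_calls": 3}
RUN_CRASH = {"exit": "crashed", "vm_checks": [], "api_calls": 1}

if __name__ == "__main__":
    for name, data, run in [("text/idle", SAMPLE_TEXT, RUN_IDLE),
                            ("packed/normal", SAMPLE_PACKED, RUN_NORMAL),
                            ("packed/vmcheck", SAMPLE_PACKED, RUN_VMCHECK),
                            ("text/crash", SAMPLE_TEXT, RUN_CRASH)]:
        result = triage(data, run)
        print(f"{name}: {result['verdict']} -> {result['next']}")
```

Each pass through `triage` returns the category plus the action for the next iteration, which is the point of the slides: the loop keeps the analyst out of the easy cases and only hands over the samples that still look opaque after a longer run or a customized environment.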
