SlideShare a Scribd company logo
1 of 39
Download to read offline
introducing
Malware Analysis
Agenda
Intro and
Recent
Malware
Attack
Make Your
Own Malware
Analysis
toolkit
Malware
Analysis &
Types
• Generally
–Any code that perform evil…
• Today
–Executable content with unknown functionality that
is resident on a system of investigative interest
•Virus
•Worms
•Spyware
•Adware
•Rootkits
Malware?
HA HA
HAHAH
A..!
Family of Malware
• Fame
• Money $$
• It’s a Business (not a kiddie)
• Antivirus
Why build Malware ?
•Why Analyze Malware?
•To assess damage
•To discover indicators of compromise
•To identify vulnerability
•To catch the “Bad Guy”
•To answer questions…
Analyzing Malware
Attacks in Synerzip
• 2007
– DNS hacked
• 2008
– FTP Server Hacked
• 2010
– DDOS on the DNY Network
• 2011
– Dos attack on DNS Server
– False Dos attack on Firewall due to Quickoffice Connect Application bug
• 2013
– Router Hacked @ DNY, Botnet Zeroaccess
• 2014
– Zibmra VLAN MITM
• Note – No Network is 100% secured, but we can make things difficult
for the hackers
Recent malware attacks
What is Cryptolocker?
• Began September 2013
• Encrypts victim’s files, asks for $300
ransom
• Impossible to recover files without a key
• Ransom increases after deadline
• Goal is monetary via Bitcoin
• 250,000+ victims worldwide
(According to Secureworks)
Malware analysis
Who pays the ransom?
Police department paid $750 to decrypt images and word documents
NightHunter – Name explained
NightHunter, because of its use of SMTP (email) for data
exfiltration. Email is often overlooked, so it can be a more
stealthy way of data theft, akin to hunting at night.
NightHunter Infections To Date
There are at least 1,800 unique infections
3OWL
Ieindia
Drmike
Hanco
Gmail
Comcast
1000
350
200
150
100*
60
Number of unique
infections per
email server
NightHunter Delivery
Email subject
/attachment names:
• Jobs List
• Inquiry
• Order
• PO
• Purchase Order
• Payment Slip
• Reconfirm Pls
• Remittance Payment
Slip
• WireSlip
NightHunter – How it works?
ZeroAccess Botnet
• Also known as
– 0Access
– Sirefef
– Maxplus
– Smiscer
Spreads Via
• Drive-by-Download sites
• Keygen and crack programs(Games)
• Fake game downloads
Capabilities
• Download malware updates via Peer to Peer
protocol (Ports – 16464, 16465, 16470 and
16471 )
• Deploy a rootkit to avoid detection
• Disable Anti-Virus and Anti-Malware software
Money
• Click fraud – Instruct bots to visit
• Spam
• Bitcoin Mining – Small number of varients
How it works?
• Static (Source Code) Analysis
• Dynamic (Behavioral) Analysis
• Sandboxing
How To Analyze Malware
Static Analysis “The Dissection”
Index
• File hashing
• File type identification
• Packer/Compiler Identification
• Entropy Analysis
• Strings
• PE Header Analysis
• Verify Signature
• Disassemble
• PDF Shell code analysis
DYNAMIC (BEHAVIORAL) ANALYSIS
Dynamic (Behavioral) Analysis
• Static Analysis will reveal some immediate
information
• Exhaustive static analysis could theoretically answer
any question, but it is slow and hard
• Usually you care more about “what” malware is
doing than “how” it is being accomplished
• Dynamic analysis is conducted by observing and
manipulating malware as it runs
System Monitoring
• What we are after
• Registry Activity
• File Activity
• Process Activity
• Network Traffic
Malware analysis
Malware analysis
Anti Techiniques
• Anti-virtualization
• Anti-Debugging
• Anti-Disassembling
• Anti-Sandboxing
Make your own Malware Analysis Toolkit Using Free Tools
Step 1: Allocate physical or virtual systems for the
analysis lab
• Virtualization software options include
– VMware Server
– Windows Virtual PC
– Microsoft Virtual Server
– VirtualBox
Step 2: Isolate laboratory systems from the
production environment
• Separate the laboratory network from production
using a firewall
• Don't connect laboratory and production networks
at all
• Use removable media to bring tools and malware
into the lab
• Don't use the physical machine that's hosting your
virtualized lab
for any other purpose.
Step 3: Install behavioral analysis tools
• File system and registry monitoring:
– Process Monitor
– Capture BAT
• Process monitoring:
– Process Explorer
– Process Hacker
• Network monitoring:
– Wireshark
– SmartSniff
• Change detection :
– Regshot
Step 4: Install code-analysis tools
• Disassembler and debugger:
– OllyDbg / Immunity Debugger
– IDA Pro
• Memory dumper:
– LordPE
– OllyDump
Utilize online analysis tools
• Anubis
• CWSandbox
• Joebox
• Norman SandBox
• ThreatExpert
• Malwr
Cuckoo Sandbox Automated Malware Analysis
Malware Analysis Video
Questions????
Thank You
Malware analysis

More Related Content

What's hot

Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Umesh Mahawar
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9koolkampus
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems  and Intrusion Prevention Systems Intrusion Detection Systems  and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 

What's hot (20)

Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)
 
malware analysis
malware  analysismalware  analysis
malware analysis
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Malware and security
Malware and securityMalware and security
Malware and security
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 
PPT on Phishing
PPT on PhishingPPT on Phishing
PPT on Phishing
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems  and Intrusion Prevention Systems Intrusion Detection Systems  and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 

Viewers also liked

Advanced Threat protection – Digital Era - Ajit Pillai, Director Sales – Indi...
Advanced Threat protection – Digital Era - Ajit Pillai, Director Sales – Indi...Advanced Threat protection – Digital Era - Ajit Pillai, Director Sales – Indi...
Advanced Threat protection – Digital Era - Ajit Pillai, Director Sales – Indi...eGov Magazine
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6  - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6  - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysissecurityxploded
 
Practical Malware Analysis: Ch 5: IDA Pro
Practical Malware Analysis: Ch 5: IDA ProPractical Malware Analysis: Ch 5: IDA Pro
Practical Malware Analysis: Ch 5: IDA ProSam Bowne
 
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Sam Bowne
 
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Sam Bowne
 
Check point presentation june 2014
Check point presentation june 2014Check point presentation june 2014
Check point presentation june 2014David Berkelmans
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in AssemblyPractical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in AssemblySam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblySam Bowne
 

Viewers also liked (20)

Check point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitiveCheck point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitive
 
Advanced Threat protection – Digital Era - Ajit Pillai, Director Sales – Indi...
Advanced Threat protection – Digital Era - Ajit Pillai, Director Sales – Indi...Advanced Threat protection – Digital Era - Ajit Pillai, Director Sales – Indi...
Advanced Threat protection – Digital Era - Ajit Pillai, Director Sales – Indi...
 
Check Point Threat emulation 2013
Check Point Threat emulation 2013Check Point Threat emulation 2013
Check Point Threat emulation 2013
 
Check Point mission statement
Check Point mission statementCheck Point mission statement
Check Point mission statement
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6  - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6  - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
 
How to Choose a SandBox - Gartner
How to Choose a SandBox - GartnerHow to Choose a SandBox - Gartner
How to Choose a SandBox - Gartner
 
Check Point designing a security
Check Point designing a securityCheck Point designing a security
Check Point designing a security
 
Check Point sizing security
Check Point sizing securityCheck Point sizing security
Check Point sizing security
 
Check Point Virtual Systems
Check Point Virtual SystemsCheck Point Virtual Systems
Check Point Virtual Systems
 
How to expose shortcuts in competitive poc
How to expose shortcuts in competitive pocHow to expose shortcuts in competitive poc
How to expose shortcuts in competitive poc
 
Practical Malware Analysis: Ch 5: IDA Pro
Practical Malware Analysis: Ch 5: IDA ProPractical Malware Analysis: Ch 5: IDA Pro
Practical Malware Analysis: Ch 5: IDA Pro
 
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
 
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
 
Check point presentation june 2014
Check point presentation june 2014Check point presentation june 2014
Check point presentation june 2014
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
 
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in AssemblyPractical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware Behavior
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
 

Similar to Malware analysis

Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
Surfing with Sharks KS ED TECH 2012
Surfing with Sharks   KS ED TECH 2012Surfing with Sharks   KS ED TECH 2012
Surfing with Sharks KS ED TECH 2012inf8nity
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
How i'm going to own your organization v2
How i'm going to own your organization v2How i'm going to own your organization v2
How i'm going to own your organization v2RazorEQX
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and EthicsMohsin Riaz
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
The Personal and Website Security Mindset
The Personal and Website Security MindsetThe Personal and Website Security Mindset
The Personal and Website Security MindsetAdam W. Warner
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptxLakshayNRReddy
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataInderjeet Singh
 
CH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdfCH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdfWajdiElhamzi3
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiJeremy Li
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 

Similar to Malware analysis (20)

Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Surfing with Sharks KS ED TECH 2012
Surfing with Sharks   KS ED TECH 2012Surfing with Sharks   KS ED TECH 2012
Surfing with Sharks KS ED TECH 2012
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
How i'm going to own your organization v2
How i'm going to own your organization v2How i'm going to own your organization v2
How i'm going to own your organization v2
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
The Personal and Website Security Mindset
The Personal and Website Security MindsetThe Personal and Website Security Mindset
The Personal and Website Security Mindset
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
 
CH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdfCH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdf
 
BOTNET
BOTNETBOTNET
BOTNET
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy Li
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 

Recently uploaded

Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and stepobaje godwin sunday
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRATanmoy Mishra
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17Celine George
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapitolTechU
 
NOTES OF DRUGS ACTING ON NERVOUS SYSTEM .pdf
NOTES OF DRUGS ACTING ON NERVOUS SYSTEM .pdfNOTES OF DRUGS ACTING ON NERVOUS SYSTEM .pdf
NOTES OF DRUGS ACTING ON NERVOUS SYSTEM .pdfSumit Tiwari
 
Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Dave Phillips
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICESayali Powar
 
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptxmary850239
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptxmary850239
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptxSandy Millin
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 

Recently uploaded (20)

Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and step
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptx
 
NOTES OF DRUGS ACTING ON NERVOUS SYSTEM .pdf
NOTES OF DRUGS ACTING ON NERVOUS SYSTEM .pdfNOTES OF DRUGS ACTING ON NERVOUS SYSTEM .pdf
NOTES OF DRUGS ACTING ON NERVOUS SYSTEM .pdf
 
Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICE
 
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptx
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 

Malware analysis

  • 2. Agenda Intro and Recent Malware Attack Make Your Own Malware Analysis toolkit Malware Analysis & Types
  • 3. • Generally –Any code that perform evil… • Today –Executable content with unknown functionality that is resident on a system of investigative interest •Virus •Worms •Spyware •Adware •Rootkits Malware? HA HA HAHAH A..!
  • 5. • Fame • Money $$ • It’s a Business (not a kiddie) • Antivirus Why build Malware ?
  • 6. •Why Analyze Malware? •To assess damage •To discover indicators of compromise •To identify vulnerability •To catch the “Bad Guy” •To answer questions… Analyzing Malware
  • 7. Attacks in Synerzip • 2007 – DNS hacked • 2008 – FTP Server Hacked • 2010 – DDOS on the DNY Network • 2011 – Dos attack on DNS Server – False Dos attack on Firewall due to Quickoffice Connect Application bug • 2013 – Router Hacked @ DNY, Botnet Zeroaccess • 2014 – Zibmra VLAN MITM • Note – No Network is 100% secured, but we can make things difficult for the hackers
  • 9. What is Cryptolocker? • Began September 2013 • Encrypts victim’s files, asks for $300 ransom • Impossible to recover files without a key • Ransom increases after deadline • Goal is monetary via Bitcoin • 250,000+ victims worldwide (According to Secureworks)
  • 11. Who pays the ransom? Police department paid $750 to decrypt images and word documents
  • 12. NightHunter – Name explained NightHunter, because of its use of SMTP (email) for data exfiltration. Email is often overlooked, so it can be a more stealthy way of data theft, akin to hunting at night.
  • 13. NightHunter Infections To Date There are at least 1,800 unique infections 3OWL Ieindia Drmike Hanco Gmail Comcast 1000 350 200 150 100* 60 Number of unique infections per email server
  • 14. NightHunter Delivery Email subject /attachment names: • Jobs List • Inquiry • Order • PO • Purchase Order • Payment Slip • Reconfirm Pls • Remittance Payment Slip • WireSlip
  • 15. NightHunter – How it works?
  • 16. ZeroAccess Botnet • Also known as – 0Access – Sirefef – Maxplus – Smiscer
  • 17. Spreads Via • Drive-by-Download sites • Keygen and crack programs(Games) • Fake game downloads
  • 18. Capabilities • Download malware updates via Peer to Peer protocol (Ports – 16464, 16465, 16470 and 16471 ) • Deploy a rootkit to avoid detection • Disable Anti-Virus and Anti-Malware software
  • 19. Money • Click fraud – Instruct bots to visit • Spam • Bitcoin Mining – Small number of varients
  • 21. • Static (Source Code) Analysis • Dynamic (Behavioral) Analysis • Sandboxing How To Analyze Malware
  • 22. Static Analysis “The Dissection”
  • 23. Index • File hashing • File type identification • Packer/Compiler Identification • Entropy Analysis • Strings • PE Header Analysis • Verify Signature • Disassemble • PDF Shell code analysis
  • 25. Dynamic (Behavioral) Analysis • Static Analysis will reveal some immediate information • Exhaustive static analysis could theoretically answer any question, but it is slow and hard • Usually you care more about “what” malware is doing than “how” it is being accomplished • Dynamic analysis is conducted by observing and manipulating malware as it runs
  • 26. System Monitoring • What we are after • Registry Activity • File Activity • Process Activity • Network Traffic
  • 29. Anti Techiniques • Anti-virtualization • Anti-Debugging • Anti-Disassembling • Anti-Sandboxing
  • 30. Make your own Malware Analysis Toolkit Using Free Tools
  • 31. Step 1: Allocate physical or virtual systems for the analysis lab • Virtualization software options include – VMware Server – Windows Virtual PC – Microsoft Virtual Server – VirtualBox
  • 32. Step 2: Isolate laboratory systems from the production environment • Separate the laboratory network from production using a firewall • Don't connect laboratory and production networks at all • Use removable media to bring tools and malware into the lab • Don't use the physical machine that's hosting your virtualized lab for any other purpose.
  • 33. Step 3: Install behavioral analysis tools • File system and registry monitoring: – Process Monitor – Capture BAT • Process monitoring: – Process Explorer – Process Hacker • Network monitoring: – Wireshark – SmartSniff • Change detection : – Regshot
  • 34. Step 4: Install code-analysis tools • Disassembler and debugger: – OllyDbg / Immunity Debugger – IDA Pro • Memory dumper: – LordPE – OllyDump
  • 35. Utilize online analysis tools • Anubis • CWSandbox • Joebox • Norman SandBox • ThreatExpert • Malwr
  • 36. Cuckoo Sandbox Automated Malware Analysis

Editor's Notes

  1.  For those that aren’t aware of what encrypting ransomware is, its a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA -2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back. http://www.webroot.com/blog/2014/05/05/evolution-encrypting-ransomware/ Ransom Cryptolocker is ransomware that on execution locks the user's system thereby leaving the system in an unusable state. It also encrypts the list of file types present in the user’s system. The compromised user has to pay the attacker with ransom to unlock the system and to get the files decrypted. Malware first appeared September 2013 Encrypts computer files of its victims and forces them to pay hundreds of dollars to unlock. If the victim does not pay the ransom, it is impossible to recover the files, due to the key length of Cryptolocker To recover the files past the deadline, the price usually doubles or triples. More than 250,000+ victims, mostly in USA and UK
  2. Here are some examples of who actually paid. The department paid $750 for two Bitcoins - an online currency - to decrypt several images and word documents in its computer system, Swansea (Mass.) Police Lt. Gregory Ryan said.
  3. It belongs to rootkit family Win32/Sirefef and Win64/Sirefef. ZeroAccess has been installed on computers over 9 million times.
  4. Click fraud and Bitcoin mining can earn the botnet owners a potential $100,000 a day. It consume network bandwidth 1,227,300 bytes per hour, 29,455,200 per day and 895,929,000 bytes per month. 895 MB per month per bot means a botnet with 1 million nodes could be producing as much as 895,000,000 MB or 895 Terabytes of network traffic per month.