Workshop on Setting up Malware Lab

This slide is presented during the Academy CSIRT 2 in ITS Surab

Published in: Technology, Business

  1. Malware Lab Setup. 25 May 2011, Workshop Academy CERT, Institut Teknologi Sepuluh Nopember, Surabaya, Indonesia. Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI, Dipl-inf.; Randy Anthony, S.Kom, CEH; Michael; William Ang
  2. Agenda: Background; The Search for Malware Samples; SGU Malware Research & Malware Lab; Honeypot (Randy Anthony); Dionaea (Michael & William Ang); Malware Sample Results; The call for Indonesia Honeynet; Dionaea, Setting up (step-by-step); Questions & Answers. (Slide footer: SWISS GERMAN UNIVERSITY, Malware Setup Workshop)
  3. Background. It all began with … Students wanted to learn about analyzing malware using data mining techniques. We contacted Thorsten Holz (U of Mannheim), who gave us their malware samples. But we need Indonesian (local) samples. We invited Aat Shadewa (virologi.info) to share his experience. He had several local samples that we could use to analyze. But, we need more samples …
  4. The search for malware samples. After discussing with several experts, the best ways to collect malware are the following: users submitting malware (e.g. http://anubis.iseclab.org, http://virustotal.com); collect from public sites (copy centers, Warnet (internet cafés), people's flash disks); purchase email accounts on several ISPs and begin to get malware from SPAM email, etc.; catch your own malware using a honeypot (more about this later).
  5. SGU Malware Lab. We began with our goals: to be able to obtain malware samples; to be able to analyze malware using static analysis; to be able to analyze malware using behavior analysis. Our research focuses on using Data Mining techniques to classify local malware. The results have been published in an IEEE International Conference in December 2010.
  6. SGU Malware Lab. Our Methodology (diagram): Capture; Static Analysis; Dynamic Analysis; Malware Reporting.
  7. SGU Malware Lab. Our Methodology (in detail) [figure].
  8. SGU Malware Lab. We began with the Room Blueprint [figure].
  9. SGU Malware Lab. We simulate using 3D images of the room [figure].
  10. SGU Malware Lab. SGU Malware Lab [photo].
  11. SGU Malware Lab. We design the isolated network [figure].
  12. SGU Malware Lab. Our Hardware Specification: Processor: Dual Core 2.5 GHz; RAM: 2GB DDRII; Hard Disk: 160GB. The tools used for analysis: Debugger: OllyDBG; Packer Detector: PEiD; Monitoring tools (registry, network, process): Regshot, Wireshark, Process Monitor.
  13. SGU Malware Research Publications. Firdausi I., Lim C., Erwin A., Nugroho A. S., "Analysis of Machine Learning Techniques Used in Behavior-Based Malware Detection," 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, December 2010. Simanjuntak D. A., Ipung H. P., Lim C., Nugroho A. S., "Text Classification Techniques Used to Facilitate Cyber Terrorism Investigation," 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010. Christian R., Lim C., Nugroho A. S., Kisworo M., "Integrating Dynamic Analysis Using Clustering Techniques for Local Malware in Indonesia," 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010. Endy, Lim C., Eng K. I., Nugroho A. S., "Implementation of Intelligent Searching Using Self-Organizing Map for Webmining Used in Document Containing Information in Relation to Cyber Terrorism," 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.
  14. SGU Current Research: Indonesia Malware Profiling; Forensic Research on Remnant Data; Cloud Security.
  15. Agenda (repeated from slide 2).
  16. Honeypot.
  17. Why Use a Honeypot in a Malware Analysis Lab: used to capture autonomously spreading malware / worms. We as a CERT (Computer Emergency Response Team) must find a way to stop the spreading and the countermeasure. A late response to a worm infection can cause massive damage. Example: Conficker Worm (2008 – 2009) caused around 9.1 Billion USD / 78 trillion Rupiah in damage.
  18. Introduction to Honeypot. "Is a decoy that is used to lure malware or an attacker (hacker)." "It is a computer that has no production value, so if it is compromised or destroyed it should not affect the activities of the company."
  19. Honeypot Based on Interaction. Two kinds of honeypot: Low Interaction Honeypot; High Interaction Honeypot.
  20. Low Interaction Honeypot: does not implement actual services; disguises itself as a real system; good for finding known attacks and expected behavior; usually automated; lower cost needed. Example: Nepenthes, Amun, Dionaea.
  21. High Interaction Honeypot: it is a "real" system, usually with a different configuration than the production system. Riskier than Low-Interaction due to its "Allow all" configuration. Difficult to maintain and must be configured manually. Higher cost needed. Example: Physical HIH, Virtual HIH.
  22. Table of Comparison

      | | Low-interaction | High-interaction |
      |---|---|---|
      | Degree of interaction | Low | High |
      | Real operating system | No | Yes |
      | Risk | Low | High |
      | Knowledge gain | Connection/Request | Everything |
      | Can be conquered | No | Yes |
      | Maintenance time | Low | High |

  23. Choosing a Honeypot. Must know the purpose: Detecting attackers? Risk Identification? Risk Mitigation & Analysis? Identifying new threats? Research?
  24. Swiss German University Honeypot 2010 - Nepenthes.
  25. Nepenthes: Low interaction Honeypot. Resource needed: Low; New Vulnerabilities: No; New Exploits: Yes; Maintenance Time: Low; Risk: Low. Installed on VMWare: Windows -> Ubuntu -> Nepenthes.
  26. SGU Honeynet Physical Design [figure].
  27. SGU Honeynet Logical Design [figure].
  28. Malware Captured (3.06.10 – 24.07.10): 427 malware samples and 111 unique samples.
  29. Dynamic Analysis Using AVG

      | Type | Name | Total |
      |---|---|---|
      | Trojan Horse | Backdoor Rbot.IN | 1 |
      | Trojan Horse | Generic15.EHT | 1 |
      | Trojan Horse | Generic17.ASMD | 1 |
      | Trojan Horse | Generic2_c.AGVVC | 1 |
      | Trojan Horse | IRC/Backdoor SdBot2.HHB | 7 |
      | Trojan Horse | IRC/Backdoor SdBot2.KWD | 4 |
      | Trojan Horse | IRC/Backdoor SdBot2.RJW | 19 |
      | Trojan Horse | SpamTool.EZW | 1 |
      | Virus | BackDoor.Rbot | 1 |
      | Win32 Virus | Heur | 2 |
      | Win32 Virus | Virut | 7 |
      | Win32 Virus | Virut.AA | 3 |
      | Worm | Allaple.A | 9 |
      | Worm | Allaple.B | 30 |
      | Worm | Allaple.C | 7 |
      | Worm | Allaple.D | 11 |
      | Worm | Allaple.E | 3 |
      | Worm | Allaple.L | 1 |
      | Unknown | Unknown | 2 |

  30. Dynamic Analysis Using Kaspersky

      | Type | Name | Total |
      |---|---|---|
      | Backdoor | FlyAgent.k | 1 |
      | Backdoor | Nepoe.mk | 1 |
      | Backdoor | Nepoe.tv | 1 |
      | Backdoor | Rbot.adqd | 7 |
      | Backdoor | Rbot.advj | 1 |
      | Backdoor | Rbot.aftu | 21 |
      | Backdoor | Rbot.bni | 4 |
      | Backdoor | Rbot.bqj | 6 |
      | Net-Worm | Allaple.b | 39 |
      | Net-Worm | Allaple.d | 2 |
      | Net-Worm | Allaple.e | 17 |
      | Trojan-PSW | Kukudva.ad | 1 |
      | Trojan | Agent.ayuc | 1 |
      | Trojan | VB.ahzy | 1 |
      | Virus | Virut.av | 3 |
      | Unknown | Unknown | 5 |
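The two scanners label the same 111 unique samples with different naming schemes (AVG's "IRC/Backdoor SdBot2.HHB" versus Kaspersky's "Backdoor Rbot.adqd"), so raw counts cannot be compared row by row. As an added example that is not part of the workshop slides, the script below transcribes both tables and reduces each label to a family name before tallying; the family-extraction heuristic (skip class words, cut the variant tail) is an assumption, not the workshop's method.

```python
import re
from collections import Counter

# AVG and Kaspersky results for the 111 unique samples, transcribed from the
# two tables on the slides as (type, name, count).
AVG = [
    ("Trojan Horse", "Backdoor Rbot.IN", 1), ("Trojan Horse", "Generic15.EHT", 1),
    ("Trojan Horse", "Generic17.ASMD", 1), ("Trojan Horse", "Generic2_c.AGVVC", 1),
    ("Trojan Horse", "IRC/Backdoor SdBot2.HHB", 7),
    ("Trojan Horse", "IRC/Backdoor SdBot2.KWD", 4),
    ("Trojan Horse", "IRC/Backdoor SdBot2.RJW", 19), ("Trojan Horse", "SpamTool.EZW", 1),
    ("Virus", "BackDoor.Rbot", 1), ("Win32 Virus", "Heur", 2), ("Win32 Virus", "Virut", 7),
    ("Win32 Virus", "Virut.AA", 3), ("Worm", "Allaple.A", 9), ("Worm", "Allaple.B", 30),
    ("Worm", "Allaple.C", 7), ("Worm", "Allaple.D", 11), ("Worm", "Allaple.E", 3),
    ("Worm", "Allaple.L", 1), ("Unknown", "Unknown", 2),
]
KASPERSKY = [
    ("Backdoor", "FlyAgent.k", 1), ("Backdoor", "Nepoe.mk", 1), ("Backdoor", "Nepoe.tv", 1),
    ("Backdoor", "Rbot.adqd", 7), ("Backdoor", "Rbot.advj", 1), ("Backdoor", "Rbot.aftu", 21),
    ("Backdoor", "Rbot.bni", 4), ("Backdoor", "Rbot.bqj", 6), ("Net-Worm", "Allaple.b", 39),
    ("Net-Worm", "Allaple.d", 2), ("Net-Worm", "Allaple.e", 17), ("Trojan-PSW", "Kukudva.ad", 1),
    ("Trojan", "Agent.ayuc", 1), ("Trojan", "VB.ahzy", 1), ("Virus", "Virut.av", 3),
    ("Unknown", "Unknown", 5),
]

# Class words vendors prepend to a label; they name a category, not a family (assumption).
CLASS_WORDS = {"backdoor", "irc", "trojan", "horse", "virus", "worm"}

def family(name):
    """Reduce a vendor label to a lowercase family name: skip class words,
    split on '/', '.' and spaces, and cut the variant/version tail.
    'IRC/Backdoor SdBot2.HHB' -> 'sdbot', 'BackDoor.Rbot' -> 'rbot'."""
    for tok in re.split(r"[./\s]+", name):
        t = tok.lower()
        if t and t not in CLASS_WORDS:
            return re.sub(r"\d.*$", "", t)  # SdBot2 -> sdbot, Generic15 -> generic
    return "unknown"

def tally(rows):
    """Sum sample counts per family; returns Counter(family -> count)."""
    counts = Counter()
    for _type, name, n in rows:
        counts[family(name)] += n
    return counts

def compare(a, b):
    """Side-by-side family counts for two scanners, largest families first;
    0 means that scanner has no label mapping to the family."""
    fams = sorted(set(a) | set(b), key=lambda f: -(a[f] + b[f]))
    return [(f, a[f], b[f]) for f in fams]

if __name__ == "__main__":
    avg, kav = tally(AVG), tally(KASPERSKY)
    for fam, x, y in compare(avg, kav):
        print(f"{fam:10s} AVG={x:3d}  Kaspersky={y:3d}")
```

Both tallies sum to 111, but the per-family split differs (for example AVG's 30 SdBot2 samples have no SdBot counterpart in Kaspersky's output, which reports 39 Rbot), which is why a lab comparing scanners should normalize labels rather than trust any single vendor's names.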
  31. Agenda (repeated from slide 2).
  32. Dionaea.
  33. Dionaea. Dionaea is Nepenthes' predecessor. Dionaea is a low interaction honeypot. Dionaea has many new functions, such as using libemu and support for TLS and IPv6. Dionaea uses Python as its scripting language.
  34. How Dionaea works. Dionaea works like Nepenthes. Dionaea's intention is to trap malware exposed by services offered by a network. In order to minimize the possible bugs, dionaea can drop privileges and chroot. Dionaea uses the SMB protocol as the main protocol.
  35. How Dionaea Works (Cont.). Dionaea uses the SMB protocol as the main protocol. Dionaea uses libemu to detect and evaluate the payload. Once dionaea has gained, from the shellcode, the location of the file the attacker wants it to download, dionaea will try to download the file.
  36. Malware collected in a day [bar chart; x-axis: 12/5/2011, 13/5/2011, 14/5/2011, 18/5/2011, 19/5/2011, 20/5/2011; y-axis: 0 to 70].
  37. Attack in a week (listed every one hour) [chart; x-axis: hours 0 to 24; y-axis: 0 to 1600].
  38. Agenda (repeated from slide 2).
  39. Malware Map in Indonesia [figure].
  40. Future Malware Map in Indonesia: Indonesia Honeynet; Malware Repository.
  41. The call for Indonesia Honeynet: malware collected from all universities in Indonesia; all malware samples sent to IDSIRTII for the malware repository; lots of research can be performed on these malware samples.
  42. Agenda (repeated from slide 2).
  43. Lab Time: Setup Dionaea (step-by-step).
  44. Setup Information. Requirements: Ubuntu 9.10 or 10.10; Honeypot (Dionaea); Internet Connection (public IP); Software download from:
  45. Questions & Answers.