Malware Analysis as a Hobby
  1. Malware Analysis as a Hobby. Michael Boman - Security Consultant/Researcher, Father of 5. Siavosh Zarrasvand – Security Consultant/Researcher, Searching
  2. Why the strange hobby?
  3. The manual way
  4. Drawbacks: time consuming; boring in the long run (not all malware are created equal)
  5. Choose any two… Cheap, Good, Fast
  6. Choose any two? Why not all of them? I can do it cheaply (hardware and license cost-wise; human time not included). I can do it quickly (I spend up to 3 hours a day doing this, on average even less). I get pretty good results (quality); where the system lacks, I can compensate for its shortcomings. Cheap, Good, Fast.
  7. Automate everything! Engineer yourself out of the workflow.
  8. Birth of the MART Project: Malware Analyst Research Toolkit
  9. Components
  10. Sample Acquisition: public & private collections; exchange with other malware analysts; finding and collecting malware yourself (download files from the web, grab attachments from email, feed BrowserSpider with links from your SPAM folder)
  11. BrowserSpider: written in Python, using the Selenium framework to control REAL browsers. Flash, PDFs, Java applets etc. execute as normal, so all the browser bugs exist for real. Spiders and follows all links seen.
  12. Sample Analysis: Cuckoo Sandbox; VirusTotal
  13. A day's work for a Cuckoo: fetch a task, prepare the analysis, launch the analyzer in a virtual machine, execute an analysis package, complete the analysis, store the result, process and create reports.
  14. DEMO: Submit sample for analysis
  15. Sample Reporting: results are stored in MongoDB (optional, highly recommended); accessed using an analyst GUI
  16. Data Mining
  17. Where Virtual Machine analysis fails, and what to do about it
  18. Problems: Cuckoo is easily bypassed; user detection; sleeping malware
  19. Problems: VM or sandbox detection; the guest OS might not be sufficient; any multistage attack
  20. Iterating automation: sort out clearly non-malicious and obviously malicious samples; divide the samples into categories (Known Bad, Known Good, Unknown); do brief static analysis
  21. Iterating automation (same three steps), sub-points: does not do anything; detects environment; encrypted segments; failed execution
  22. Iterating automation (same three steps), sub-points: run longer; environment customization
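The triage loop on slides 20–22, written out as an added Python example (not code from the MART project or this deck): the Known Good/Known Bad hash sets, the simplified report dict layout, the `ENV_CHECK_APIS` marker set, the entropy threshold and the flag-to-action mapping are all constructed assumptions, not Cuckoo's real report schema.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins for the Known Good / Known Bad lists (assumption: a
# real deployment would feed these from VirusTotal results or a local DB).
KNOWN_GOOD = {hashlib.sha256(b"constructed clean sample").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"constructed bad sample").hexdigest()}

# Assumed marker set for "detects environment"; a real list would be longer.
ENV_CHECK_APIS = {"IsDebuggerPresent"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest a packed or encrypted segment."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sort_sample(sha256: str) -> str:
    """Step 1 (slide 20): Known Bad / Known Good / Unknown by hash."""
    if sha256 in KNOWN_BAD:
        return "known_bad"
    if sha256 in KNOWN_GOOD:
        return "known_good"
    return "unknown"

def static_flags(report: dict) -> list:
    """Step 2 (slide 21): brief checks on a simplified, assumed report dict
    with keys 'api_calls', 'sections' (raw bytes) and 'exit_code'."""
    calls = report.get("api_calls", [])
    flags = []
    if not calls:
        flags.append("does_not_do_anything")
    if any(call in ENV_CHECK_APIS for call in calls):
        flags.append("detects_environment")
    if any(shannon_entropy(seg) > 7.0 for seg in report.get("sections", [])):
        flags.append("encrypted_segments")
    if report.get("exit_code", 0) != 0:
        flags.append("failed_execution")
    return flags

def next_action(flags: list) -> str:
    """Step 3 (slide 22): assumed mapping of flags to the follow-up run."""
    if {"detects_environment", "encrypted_segments", "failed_execution"} & set(flags):
        return "environment_customization"
    if "does_not_do_anything" in flags:  # sleeping malware (slide 18)
        return "run_longer"
    return "manual_review"
```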
  23. Budget: Computer €520; MSDN License €800 (€590 renewal); Year 1: €1320; Year N: €590; money saved from stopped smoking (yearly): €2040
  24. Next steps: barebone on-the-iron malware analysis; Android platform support; OSX platform support; iOS platform support
  25. Questions? Michael Boman (michael@michaelboman.org, http://michaelboman.org, @mboman); Siavosh Zarrasvand (siavosh.zarrasvand@gmail.com, @zarrasvand)