Malware analysis as a hobby (Owasp Göteborg)

"Malware analysis as a hobby" presentation performed at OWASP Göteborg (SWEDEN) 2012-11-22


  1. Malware Analysis as a Hobby. Michael Boman, Security Consultant/Researcher, Father of 5
  2. Why the strange hobby?
  3. The manual way
     1. Start virtual environment
     2. Copy sample
     3. Start logging facilities
     4. Execute sample
     5. Stop logging facilities
     6. Analyze logs
  4. Drawbacks
     • Time consuming
     • Boring in the long run (not all malware are created equal)
  5. Choose any two… Cheap, Good, Fast
  6. Choose any two? Why not all of them?
     • Cheap: I can do it cheaply (hardware and license cost-wise). Human time not included.
     • Fast: I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
     • Good: I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings.
  7. Automate everything! Engineer yourself out of the workflow
  8. Birth of the MART Project: Malware Analyst Research Toolkit
  9. Components
  10. Sample Acquisition
     • Public & private collections
     • Exchange with other malware analysts
     • Finding and collecting malware yourself
       • Download files from the web
       • Grab attachments from email
       • Feed BrowserSpider with links from your SPAM folder
  11. BrowserSpider
     • Written in Python
     • Uses the Selenium framework to control REAL browsers
       • Flash, PDFs, Java applets etc. execute as normal
       • All the browser bugs exist for real
     • Spiders and follows all links seen
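The slides describe feeding BrowserSpider with links taken from a SPAM folder but do not show that code. The following is an added example, not the MART or BrowserSpider source: a Python stdlib harvester that pulls http(s) URLs out of the plain-text and HTML parts of one message, normalises and de-duplicates them, so they can be queued for a spider. The message embedded below is constructed for the example; the `.invalid` hosts are placeholders.

```python
"""Harvest http(s) URLs from one e-mail message (e.g. from a SPAM folder) for a browser spider."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample message (not a real spam sample): one plain-text part and one HTML part.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: analyst@example.invalid
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review your invoice at http://invoice.example.invalid/view?id=42#top
--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://invoice.example.invalid/view?id=42">Open invoice</a>
<a href="HTTPS://Update.Example.Invalid/setup.exe">Update now</a>
<a href="mailto:sender@example.invalid">Reply</a>
</body></html>
--XYZ--
"""

# Bare URLs in text: stop at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class HrefCollector(HTMLParser):
    """Collects href attributes from <a> tags in an HTML part."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def normalise(url):
    """Lower-case scheme and host, drop the fragment, keep only http(s); returns None otherwise."""
    parts = urlsplit(url.strip().rstrip(".,;)"))
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


def harvest_urls(raw_message):
    """Return a sorted list of unique http(s) URLs found in the text/plain and text/html parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        candidates = URL_RE.findall(body)
        if ctype == "text/html":
            collector = HrefCollector()
            collector.feed(body)
            candidates.extend(collector.hrefs)
        for cand in candidates:
            url = normalise(cand)
            if url:
                found.add(url)
    return sorted(found)


if __name__ == "__main__":
    for url in harvest_urls(SAMPLE_MESSAGE):
        print(url)
```

Only http(s) links are kept (mailto: and similar are dropped) and fragments are stripped, so the same landing page referenced from the text and the HTML part is queued once. The harvested list is meant to be consumed by whatever drives the spider; the Selenium side is not shown here because the slides give no detail of it.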
  12. Sample Analysis
     • Cuckoo Sandbox
     • VirusTotal
  13. A day's work for a Cuckoo (one analysis cycle)
     1. Fetch a task
     2. Prepare the analysis
     3. Launch analyzer in virtual machine
     4. Execute an analysis package
     5. Complete the analysis
     6. Store the result
     7. Process and create reports
  14. DEMO: Submit sample for analysis
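The demo on this slide is not reproduced in the transcript. As an added example (not the presenter's demo code and not part of Cuckoo itself), here is a small Python client for the submit, poll, fetch-report cycle against Cuckoo's bundled REST API. The endpoint paths (`/tasks/create/file`, `/tasks/view/<id>`, `/tasks/report/<id>`), the response shapes and the status names are assumptions based on Cuckoo's `utils/api.py` and vary between Cuckoo versions; the default port and the report layout returned by the offline `FakeTransport` are constructed for the example.

```python
"""Submit a sample to Cuckoo Sandbox over its REST API, poll until done, fetch the JSON report.

Endpoint paths, the {"task_id": N} create response, the {"task": {"status": ...}} view
response and the status names follow Cuckoo's bundled utils/api.py as assumed here;
they differ between Cuckoo versions, so check them against your installation.
"""
import json
import time
import urllib.request

DEFAULT_API = "http://127.0.0.1:8090"   # assumed default bind address of api.py
DONE_STATES = ("reported",)              # the report exists only once processing has finished
FAILED_PREFIX = "failed"                 # e.g. failed_analysis, failed_processing


class HttpTransport:
    """Real transport: multipart POST for the file upload, GET returning parsed JSON."""

    def __init__(self, base_url=DEFAULT_API):
        self.base_url = base_url.rstrip("/")

    def post_file(self, path, filename, data):
        boundary = "----mart-client-boundary"
        head = (
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
        ).encode()
        body = head + data + f"\r\n--{boundary}--\r\n".encode()
        req = urllib.request.Request(self.base_url + path, data=body, method="POST")
        req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode())

    def get(self, path):
        with urllib.request.urlopen(self.base_url + path) as resp:
            return json.loads(resp.read().decode())


class FakeTransport:
    """Offline stand-in with the same interface: a task finishes after `polls_until_done` views."""

    def __init__(self, polls_until_done=2):
        self.tasks = {}
        self.polls_until_done = polls_until_done

    def post_file(self, path, filename, data):
        if path != "/tasks/create/file":
            raise ValueError(path)
        task_id = len(self.tasks) + 1
        self.tasks[task_id] = {"filename": filename, "size": len(data), "polls": 0}
        return {"task_id": task_id}

    def get(self, path):
        prefix, _, task_id = path.rpartition("/")
        task = self.tasks[int(task_id)]
        if prefix == "/tasks/view":
            task["polls"] += 1
            done = task["polls"] >= self.polls_until_done
            return {"task": {"status": "reported" if done else "running"}}
        if prefix == "/tasks/report":
            # Constructed report with a Cuckoo-like layout (assumed keys)
            return {
                "info": {"id": int(task_id)},
                "target": {"file": {"name": task["filename"], "size": task["size"]}},
                "signatures": [],
            }
        raise ValueError(path)


def submit_sample(transport, filename, data):
    """Create a file task; returns the task id."""
    return transport.post_file("/tasks/create/file", filename, data)["task_id"]


def wait_for_task(transport, task_id, timeout=900, interval=5, sleep=time.sleep):
    """Poll the task until it is reported or failed. `sleep` is injectable so tests run instantly."""
    deadline = time.monotonic() + timeout
    while True:
        status = transport.get(f"/tasks/view/{task_id}")["task"]["status"]
        if status in DONE_STATES:
            return status
        if status.startswith(FAILED_PREFIX):
            raise RuntimeError(f"task {task_id} ended in state {status}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"task {task_id} still {status} after {timeout}s")
        sleep(interval)


def fetch_report(transport, task_id):
    return transport.get(f"/tasks/report/{task_id}")


def analyse(transport, filename, data, sleep=time.sleep):
    """The whole submit -> wait -> report cycle in one call."""
    task_id = submit_sample(transport, filename, data)
    wait_for_task(transport, task_id, sleep=sleep)
    return fetch_report(transport, task_id)


if __name__ == "__main__":
    # Offline demonstration; use HttpTransport() instead against a running api.py.
    report = analyse(FakeTransport(), "sample.exe", b"MZ" + b"\0" * 62, sleep=lambda _: None)
    print(json.dumps(report, indent=2))
```

The transport is split out so the same cycle runs unchanged against the fake (for tests) and against a live API; the timeout matters because a task can sit in `running` indefinitely when the guest hangs, and a failed state should end the loop rather than be polled forever.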
  15. Sample Reporting
     • Results are stored in MongoDB (optional, highly recommended)
     • Accessed using an analyst GUI
  16. Data Mining
  17. Where Virtual Machine analysis fails, and what to do about it
  18. Problems
     • Cuckoo is easily bypassed
     • User detection
     • Sleeping malware
  19. Problems
     • VM or sandbox detection
     • The guest OS might not be sufficient
     • Any multistage attack
  20. Iterating automation
     1. Sort out clearly non-malicious and obviously malicious samples
     2. Divide the samples into categories
     3. Do brief static analysis
     Categories: Known Good, Known Bad, Unknown
  21. Iterating automation (same three steps); cases:
     • Does not do anything
     • Detects environment
     • Encrypted segments
     • Failed execution
  22. Iterating automation (same three steps); follow-up:
     • Run longer
     • Environment customization
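Slides 20 to 22 sketch the triage loop in words. The following is an added example, not MART code: one pass of that loop in Python, sorting samples into known good / known bad / unknown by SHA-256, doing the cheap static check that the "encrypted segments" case calls for (whole-file Shannon entropy), and for unknowns mapping what a sandbox run showed to the next iteration. The hash sets, sample bytes, run summaries, the 7.0-bit entropy threshold, the 50-call "did nothing" threshold and the `antivm`/`antisandbox` signature-name convention are all constructed assumptions of this example, as is the mapping "does not do anything → run longer; detects environment or failed execution → environment customization".

```python
"""One triage iteration: known good/bad by hash, brief static check, then the next step for unknowns.

Hash sets, samples, run summaries and the behaviour-to-next-step mapping are constructed
assumptions of this example, not part of the MART project.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits per byte; whole-file entropy above this looks encrypted/packed (assumed)
MIN_API_CALLS = 50        # fewer logged API calls than this counts as "does not do anything" (assumed)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte over the given bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def categorise(data, known_good, known_bad):
    """Step 1: sort out the clearly non-malicious and the obviously malicious by hash."""
    digest = sha256(data)
    if digest in known_good:
        return "known-good"
    if digest in known_bad:
        return "known-bad"
    return "unknown"


def static_flags(data):
    """Step 3: brief static analysis, limited to cheap whole-file checks."""
    flags = []
    if len(data) == 0:
        flags.append("empty-file")
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        flags.append("encrypted-segments")
    return flags


def next_action(run):
    """Map what a sandbox run showed to the next iteration.

    `run` is a constructed summary: {"status": "completed" or "failed_*", "api_calls": int,
    "signatures": [names]}; signature names starting with antivm/antisandbox mean the
    sample noticed the environment (assumed naming convention).
    """
    if run["status"].startswith("failed"):
        return ("failed-execution", "environment-customization")
    if any(s.startswith(("antivm", "antisandbox")) for s in run["signatures"]):
        return ("detects-environment", "environment-customization")
    if run["api_calls"] < MIN_API_CALLS:
        return ("does-not-do-anything", "run-longer")
    return ("active", "report")


def triage(data, run, known_good, known_bad):
    """Full decision for one sample; unknowns additionally get an observed case and a next step."""
    category = categorise(data, known_good, known_bad)
    result = {"sha256": sha256(data), "category": category, "flags": static_flags(data)}
    if category == "unknown":
        result["observed"], result["next"] = next_action(run)
    return result


# Constructed samples, hash sets and run summaries (placeholders, not real indicators)
SAMPLES = {
    "benign.txt": b"hello world " * 100,
    "packed.bin": bytes(range(256)) * 16,      # uniform bytes: entropy exactly 8.0
    "sleeper.exe": b"MZ" + b"\0" * 510,
}
KNOWN_GOOD = {sha256(SAMPLES["benign.txt"])}
KNOWN_BAD = set()
RUNS = {
    "benign.txt": {"status": "completed", "api_calls": 800, "signatures": []},
    "packed.bin": {"status": "completed", "api_calls": 12, "signatures": ["antivm_example"]},
    "sleeper.exe": {"status": "completed", "api_calls": 3, "signatures": []},
}


def triage_batch(samples=SAMPLES, runs=RUNS, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    return {name: triage(data, runs[name], known_good, known_bad) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_batch().items():
        print(name, result["category"], result["flags"], result.get("observed"), result.get("next"))
```

Each iteration only changes the run parameters for the samples that stayed unknown: a sleeper that did nothing gets a longer run, a sample that detected the environment or failed to execute gets a customised guest, and the flags from the static pass tell the analyst which unknowns to look at first.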
  23. Budget
     • Computer: €520
     • MSDN License: €800 (€590 renewal)
     • Year 1: €1320
     • Year N: €590
     • Money saved from stopped smoking (yearly): €2040
  24. Malware Lab
  25. MART Hardware (overview)
  26. MART Hardware (mounts)
  27. MART Hardware (HDD)
  28. MART Hardware (SSD)
  29. Next steps
     • Barebone on-the-iron malware analysis
     • Android platform support
     • OSX platform support
     • iOS platform support
  30. Proof of Concept hardware: Prototype Shield, Arduino 4-Channel Relay Shield, Arduino Ethernet Shield, Arduino Duemilanove
  31. Questions?
     Michael Boman, michael.boman@2secure.se, http://www.2secure.se
     Michael Boman, michael@michaelboman.org, http://michaelboman.org, @mboman
