Intro2 malwareanalysisshort


Presentation IT4BC 2011
Published in: Technology

  1. Security and Privacy Track Session 1
  2. Introduction to Malware Analysis: Vincent = Big O
  3. What do they have in common? Lindsay Lohan; Paris Hilton; Snooki; Charlie Sheen
  4. Jail
  5. Albert Gonzales: Hacked wireless network; TJ Maxx; 90 million credit cards; 20 years in jail
  6. Hacking = Jail
  7. Motivation?
  8. Bad Guys: Motivated by money; New school bad guys are after your electronic wallet; Take over payment systems; Take over the world; Just like Doctor Evil
  9. About Me: Work at Capilano University; Hack wet paper bags for a living; I live in Vancouver; I commute by bike; I love 80’s music; I love Backtrack4
  10. I love my mac
  11. My Reading List: NIST; Windows Forensics Analysis; Reverse Engineering; The Rootkit Arsenal; Security Power Tools; Google; Youtube; DFWS
  12. My Favorite Hacker Cons: DEFCON; CanSecWest; SecTor; Blackhat; CCC
  13. Click Happy! and proud of it.
  14. What is Malware Analysis?
  15. What is Malware Analysis? Like being in science class in high school; For example, studying a worm; Used a microscope; Drew a picture or diagram of the worm; Observed the worm before dissection
  16. Introduction to Malware Analysis
  17. Purpose: Tapas; A small taste of everything; For malware analysis
  18. What is Malware?
  19. Malware: Short for malicious program; Program designed to alter the flow of the program; Designed with malicious intent; Gains access to systems; Used to gather information, usually without permission of the owner
  20. When I was younger…: Used to deliver malware via floppy disks; My favorite piece of malware was Sub7
  21. Threat Report
  22. Symantec Internet Security Threat Report: Released April 2011; For the year 2010; PDF download; Outlines trends for malware, viruses and worms
  23. How do you get infected? Drive-by download; Phishing scams; Malicious email attachments; Bogus downloads; SQL-injected websites
  24. Examples of Malware
  25. LizaMoon: Visited Capilano University; Over 5 million sites infected; SQL injection of PHP web pages; Redirected to malware sites
  26. Fake AV: Java applet; ActiveX; EXE download
  27. Attack Toolkits
  28. Zeus (Zbot)
  29. Zeus: The most notorious and widely spread information-stealing Trojan in existence; Targets financial data theft; Led to the loss of millions worldwide
  30. Crimeware Toolkit: Zeus is a toolkit that provides a malware creator all of the tools required to build and administer a botnet; Zeus tools are primarily designed for stealing banking information; Zeus can easily be used for other types of data or identity theft
  31. Controllers of ZBOT: Capture (banking) credentials; Remote control; Keystroke logging; Screen capture; Proxy services; Spamming
  32. Zeus Builder: This page is where you create your bot executables; Once created, you are responsible for distribution; Go find some victims
  33. Zeus Configuration: The bot needs a configuration to tell it which address to send all the stolen data to; What’s the use of misconfiguring a botnet so that it can’t send you stolen data?
  34. Configuration Screens
  35. Communications: Communications pass between the bots and one or more servers; The Command and Control server is used to distribute bot file updates
  36. Communications: Data is encrypted with RC4; A password is used to encrypt all data that is passed through the botnet
  37. Zeus Install Behavior
  38. Zeus Flow: Copies itself to another location, executes the copy, deletes the original; Lowers browser security settings by changing IE registry entries; Injects code into other processes, then the main process exits
  39. Zeus Flow: Injected code hooks APIs in each process; Steals several different types of credentials found on the system
  40. Zeus Flow: Downloads the config file and processes it; Uses API hooks to steal data; Sends data back to the C&C
  42. Typical Theft: Attackers steal credentials; Set up bogus employee/vendor accounts; Accounts are actually “mules”; Transfers typically kept under $10K
  43. Wire Money: Eastern Europe
  44. WANTED
  45. Finding Mules: Recruited on job websites; Receive instructions via website; Process payments; Launder via purchases; Write proper phishing emails
  46. Zeus characteristics: Continuously changing, software gets routinely updated; Strong encryption used in various program functions to hide secrets; Software uses packers and unpackers; Anti-virus evasion techniques used
  47. Big Picture
  48. Kung Fu Skillz: Code breaking; Puzzle solving; Programming; Logical analysis
  49. Kung Fu: Build analysis workstation; Behavior and Code Analysis; Reverse Engineer; Virus Total
  50. Click Happy Fun ( ): Fundamental aspects of malware analysis; Set up an inexpensive and flexible laboratory; Use the lab for exploring characteristics of real-world malware
  51. Build Workstation: Install base OS; Install VMware; Install victim OS; Install monitoring tools
  56. Tools: PSTools from Sysinternals; IDA Pro; Wireshark; Anti-virus
  57. Other Tools: FakeDNS and shellcode2exe; LordPE and PEiD; Malzilla and SpiderMonkey; Firefox, NoScript, Burp Suite; Honeyd, Netcat, curl, wget; Volatility Framework and plug-ins such as malfind2; FTK Imager
  58. Kung Fu: Build analysis workstation; Behavior and Code Analysis; Reverse Engineer; Virus Total
  59. Assumption
  60. Getting evidence: Gathering electronic evidence; Evidence process; AccessData FTK – used to solve the Laci Peterson case
  61. RSA Hacked
  62. Timeline: Phishing – zero-day attack; Backdoor installed; Lateral movement; Data gathering; Exfiltrate
  63. How do you know you have a virus or malware?
  64. You can rely on…: Your anti-virus vendor; Web or malware gateway; Network analysis tools
  65. RootkitRevealer: Rootkit detection utility; Lists Registry and file system API discrepancies; Helps indicate the presence of user-mode or kernel-mode rootkits
  66. Behavior and Code Analysis: Two approaches
  67. Answer these questions! Process count; User IDs; Loaded modules; Files; Registry keys
  68. Answer this! DLLs used; APIs hooked; Memory space used; Network connections; Services used; Sockets used
  69. Temporal Reconstruction
  70. Temporal Reconstruction: Forensic analysis to reconstruct events surrounding a hacking incident or malware infection; Dead machine and live system analysis; AKA building a timeline; NOTE: live analysis means the data is volatile
  71. MACtime: forensic tool in your digital detective toolkit; Unix and Linux mtime, atime and ctime; Windows LastWriteTime, LastAccessTime and CreationTime
  72. Build a Timeline
  73. Timeline Analysis: File system metadata; Event log entries; Data from the Registry; Users’ web browser history; Timestamps; Network statistics; Logs
  74. Timestamps: Creation date; Last modified date; Last accessed date; Last modified date of the file’s Master File Table (MFT) entry
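An added example, not from the presentation, of the MACtime idea on slides 70 to 74: each file contributes up to three timestamped events (m, a, c), the events are merged and sorted into one timeline, and the analyst narrows it to the window around the incident. The sample records below are constructed (invented paths and times); `collect_stat_records` uses `os.stat` on a real directory when you want to run the same logic over a mounted image.

```python
"""MACtime-style timeline from file system metadata (added example)."""
import os
from datetime import datetime, timezone


def collect_stat_records(root):
    """Walk a real directory tree and return (path, mtime, atime, ctime)
    tuples from os.stat. On Unix st_ctime is the inode change time; on
    Windows it is the creation time, matching the slide's CreationTime."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            records.append((path, st.st_mtime, st.st_atime, st.st_ctime))
    return records


def build_timeline(records):
    """Turn (path, mtime, atime, ctime) records into a sorted timeline.

    Returns a list of (epoch_seconds, flags, path). flags is a three
    character mactime-style field: 'm' if the file was modified at that
    second, 'a' if accessed, 'c' if changed/created, '.' otherwise.
    Events for the same file in the same second are merged into one entry,
    so a freshly written file shows as 'm.c' rather than as two lines."""
    merged = {}
    for path, mtime, atime, ctime in records:
        for flag, ts in (("m", mtime), ("a", atime), ("c", ctime)):
            merged.setdefault((int(ts), path), set()).add(flag)
    timeline = []
    for (ts, path), flagset in merged.items():
        flags = "".join(f if f in flagset else "." for f in "mac")
        timeline.append((ts, flags, path))
    timeline.sort()
    return timeline


def events_between(timeline, start, end):
    """Narrow the timeline to an incident window (inclusive epoch bounds)."""
    return [event for event in timeline if start <= event[0] <= end]


def format_line(event):
    """Render one event as 'YYYY-mm-dd HH:MM:SS flags path' in UTC."""
    ts, flags, path = event
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{stamp} {flags} {path}"


# Constructed sample records (path, mtime, atime, ctime as epoch seconds):
# a downloaded dropper is executed, a copy appears under System32, and the
# Downloads directory entry changes when the original is removed. Paths and
# times are invented for this example.
SAMPLE_RECORDS = [
    ("C:/Users/bob/Downloads/invoice.exe", 1300000000, 1300000005, 1300000000),
    ("C:/Windows/System32/dropped_copy.exe", 1300000010, 1300000010, 1300000010),
    ("C:/Users/bob/Downloads", 1300000012, 1300000005, 1300000012),
    ("C:/Windows/System32/notepad.exe", 1200000000, 1300000400, 1200000000),
]

if __name__ == "__main__":
    for event in events_between(build_timeline(SAMPLE_RECORDS), 1300000000, 1300000012):
        print(format_line(event))
```

Run stand-alone it prints only the five events inside the incident window; the old notepad.exe modification and its much later access fall outside it. Real MFT entries also carry the $FILE_NAME timestamps the slide mentions, which this example does not model.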
  75. File Carving: Tool for recovering files and fragments of files when directory entries are corrupt or missing; For example, listing a directory of pictures; The pictures are all deleted from the catalogue; File carving allows the investigator to recover the pictures without directory listings
  76. Finding Hidden exe
  77. LordPE
  78. Hiding Process: Backtrack4 Linux distribution; Rooted box with Metasploit; Migrated process via meterpreter script
  79. Extracting exe
  80. Volatility Python Scripts
  81. Volatility: Digital forensics utility; Script used to walk memory dumps; Rebuild running processes; Rebuild executables; Malfind plug-in finds suspicious files in memory
  82. Malicious process hidden in PID 4968
  83. VAD Walk identifies offsets
  84. Disassembly of offsets
  85. VAD Walk: Virtual Address Descriptor (VAD) tree structure in Windows memory dumps; Method to locate and parse the structure of physical memory; Method walks the tree for the “hacked” process
  86. Using Foremost to get EXE
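An added example (neither the presentation's nor Foremost's code) of the file carving technique from slide 75 and the "Using Foremost to get EXE" step on slide 86: scan a raw byte blob for file signatures and cut each file out without any directory entry. JPEGs are delimited by their start and end markers; for a Windows PE the carver reads the MZ/PE headers and sizes the file from the section table, which is what lets it reject the many "MZ" byte pairs that occur by chance in random data. The blob and the minimal PE-shaped structure inside it are constructed for the example.

```python
"""Signature-based file carver for raw data (added example)."""
import struct

PE_SIGNATURE = b"PE\0\0"
JPEG_SOI = b"\xff\xd8\xff"   # start of image marker
JPEG_EOI = b"\xff\xd9"       # end of image marker


def pe_length(blob, start):
    """Size of the PE file whose 'MZ' header sits at blob[start], or None
    if the headers do not parse as a PE (e.g. 'MZ' inside random data).
    The size is the furthest byte covered by any section's raw data,
    which is how a carver knows where the executable ends."""
    if blob[start:start + 2] != b"MZ" or start + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, start + 0x3C)[0]
    pe = start + e_lfanew
    if pe + 24 > len(blob) or blob[pe:pe + 4] != PE_SIGNATURE:
        return None
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]       # COFF SizeOfOptionalHeader
    sections = pe + 24 + opt_size
    end = (sections - start) + 40 * num_sections  # at least the headers
    for i in range(num_sections):
        off = sections + 40 * i
        if off + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    if start + end > len(blob):
        return None  # truncated image: not recoverable as a whole file
    return end


def carve(blob):
    """Scan blob and return (kind, offset, data) for every PE and JPEG
    found. No directory metadata is used, only the content itself."""
    found = []
    i = 0
    while i < len(blob):
        if blob.startswith(b"MZ", i):
            n = pe_length(blob, i)
            if n:
                found.append(("pe", i, blob[i:i + n]))
                i += n
                continue
        if blob.startswith(JPEG_SOI, i):
            j = blob.find(JPEG_EOI, i + len(JPEG_SOI))
            if j != -1:  # naive: first EOI; an embedded thumbnail would cut the file short
                found.append(("jpeg", i, blob[i:j + 2]))
                i = j + 2
                continue
        i += 1
    return found


def make_fake_pe(payload):
    """Build a minimal, non-executable PE-shaped blob for the example:
    DOS header, PE signature, COFF header, one section covering payload."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)      # 64 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # 20 bytes, one section
    raw_ptr = e_lfanew + 4 + 20 + 40                             # payload right after the headers
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + PE_SIGNATURE + coff + section + payload


# Constructed disk image fragment: junk, a fake PE, padding, a tiny JPEG.
PAYLOAD = b"payload-bytes-here"
SAMPLE_BLOB = (b"junk" * 10 + make_fake_pe(PAYLOAD) + b"\0" * 7
               + JPEG_SOI + b"\xe0JFIF" + JPEG_EOI + b"trailing")

if __name__ == "__main__":
    for kind, offset, data in carve(SAMPLE_BLOB):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

The same header walk is what lets a memory-dump tool size an executable it has found in a process, but on a dump the section raw pointers no longer match the file layout, which is why slide 81's Volatility plug-ins rebuild executables from virtual addresses instead.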
  87. NetworkMiner
  88. Using Wireshark: Capture packets on the network of malware contacting the Zeus Command and Control; Behavior-based analysis of malware
  89. Analysis with NetworkMiner: Need a pcap file; Need to download NetworkMiner; Need search criteria
  90. Network
  91. Click Happy – Infect your system: Set up your process viewers; Snapshot your registry with Regshot; Configure FakeDNS; Start Wireshark; Double-click that executable; Intercept system- and network-level activities in the analysis lab
  93. Kung Fu: Build analysis workstation; Behavior and Code Analysis; Reverse Engineer; Virus Total
  94. What is reverse engineering?
  95. Reverse engineering is the process of analyzing a subject to create representations of the system at a higher level of abstraction
  96. Understanding 1’s and 0’s: A software person programs in a language; The program gets compiled; 1’s and 0’s get “translated” from human-readable code to machine instructions; Reverse engineering attempts to take machine instructions and create human-readable code
  97. Compiling Source Code: Source Code -> Compiler -> Object File
  98. Object File + DLL + DLL -> Linker
  99. Assembly Language
  100. Example Assembly (each line is one CPU-level instruction):
       MOV AX, 47104
       MOV DS, AX
       MOV [3998], 36
       INT 32
  101. Example Assembly: the first line, MOV AX, 47104, tells the computer to copy the number 47104 into the location AX
  102. Human readable
  103. Example Human Readable (C source):
       #include <stdio.h>
       int main()
       {
           printf("Click Happy.\n");
           getchar();
           return 0;
       }
  104. Purpose of R.E.: Manually follow the flow of the program visually using graphs; Manually follow the flow of the program by reading the code; Execute code with breakpoints to control the flow of the program during runtime; Look for hints or clues to origin, signatures, or programming style; Look for characteristics of the program
  105. Reverse-Engineering Benefits: Sophisticated malware protects itself from discovery and analysis; Malware will have passwords, backdoors, and secret methods to hide and protect information; Allows the analyst to discover great detail on the operations and flow control of the program
  106. Wouldn’t it be nice to have the login and password to the Command and Control server of a botnet?
  107. Manual unpacking of protected malicious Windows executables
  108. Understand anti-analysis mechanisms built into malware
  109. Analyzing protected malicious browser scripts written in JavaScript and VBScript
  110. Other Benefits of R.E.: Performing static and dynamic code analysis of malicious Windows executables; Step through code using debuggers like OllyDbg or SoftICE
  111. OllyDbg: 32-bit assembler-level debugger; Binary code analysis where source is unavailable
  112. Using OllyDbg: Drag the executable onto OllyDbg; “Step into” each instruction until something fun happens; In the register section you can observe what is being run in memory
  113. Reverse Engineering: Potentially gives you the “why” of the behavior; Insight into the inner workings of the program
  114. BinText: Searches a binary or executable for all text; Outputs “strings”; Provides insight into the structure or parts of the program
  115. Searching strings: Analyzing malware with IDA Pro and strings
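An added example, neither BinText's code nor the presentation's, of what slides 114 and 115 describe: pull printable ASCII and UTF-16LE strings (Windows binaries keep many of their own strings as UTF-16, which a plain ASCII search misses) out of a binary together with their offsets, then sort them into the categories an analyst reads first: URLs, IP addresses, registry paths, DLL names and file paths. The sample "binary", including the hostname c2.example.invalid, is constructed.

```python
"""Extract and triage printable strings from a binary (added example)."""
import re
from collections import namedtuple

Found = namedtuple("Found", "offset encoding text")

# Categories an analyst looks at first; order matters, first match wins.
CATEGORIES = [
    ("url", re.compile(r"^(https?|ftp)://", re.IGNORECASE)),
    ("ipv4", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("registry", re.compile(r"^(HKLM|HKCU|HKEY_|Software\\)", re.IGNORECASE)),
    ("dll", re.compile(r"\.dll$", re.IGNORECASE)),
    ("path", re.compile(r"^[A-Za-z]:\\|%[A-Za-z]+%")),
]


def extract_strings(blob, min_len=4):
    """Return Found(offset, encoding, text) for every run of at least
    min_len printable characters, both as ASCII and as UTF-16LE
    (printable byte followed by a NUL, repeated)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append(Found(m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        found.append(Found(m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda f: f.offset)
    return found


def categorize(text):
    """Label one string with the first matching category, else 'other'."""
    for name, pattern in CATEGORIES:
        if pattern.search(text):
            return name
    return "other"


def triage(blob, min_len=4):
    """Strings with a category attached: (offset, encoding, category, text)."""
    return [(f.offset, f.encoding, categorize(f.text), f.text)
            for f in extract_strings(blob, min_len)]


# Constructed sample "binary": header bytes, an imported DLL name, a
# hard-coded URL (hostname c2.example.invalid is invented), a UTF-16LE
# registry path, and an IPv4 address, separated by non-printable bytes.
SAMPLE_BINARY = (
    b"\x00" * 8 + b"MZ\x90\x00" + b"\x00" * 5
    + b"kernel32.dll\x00" + b"\x01\x02"
    + b"http://c2.example.invalid/upload\x00" + b"\xff" * 3
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"ab\x00" + b"192.0.2.10\x00" + b"xyz"
)

if __name__ == "__main__":
    for offset, encoding, category, text in triage(SAMPLE_BINARY):
        print(f"{offset:#08x} {encoding:8} {category:8} {text}")
```

The offsets are what you carry into IDA Pro or OllyDbg: a cross-reference from the URL's offset leads to the code that uses it. On a packed sample (slide 46) the interesting strings only appear after unpacking, so an empty or boring result from this pass is itself a finding.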
  116. Kung Fu: Build analysis workstation; Behavior and Code Analysis; Reverse Engineer; Virus Total
  117. Virus Total
  118. CWSandbox
  119. Final Thoughts
  120. got root?
  121. APT? Advanced Persistent Threat; Threat, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity
  122. Coordinated human involvement; NOT a mindless and automated piece of code; Specific objective; Skilled and motivated; Organized and well funded
  123. Photo Credits = Internet
  124. Thank you!
  125. Quiz
  126. What are the two types of malware analysis?
  127. Behavioral Analysis; Code Analysis
  128. What is APT?
  129. Advanced Persistent Threat
  130. What is reverse engineering?
  131. Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction
  132. How many PCs are deployed worldwide?
  133. 1.2 Billion
  134. How many smartphones? What’s the future market?
  135. 5 Billion
  136. What does hacking get you?
  137. New friends
  138. Place to stay. 3 meals.
  139. Job Retraining
  140. Hacking = Jail
  141. Click Happy. Thank you!