Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Automated Malware Analysis


Published on

My presentation at c0c0n-2011

Published in: Education, Technology
  • Login to see the comments

Automated Malware Analysis

  1. 1. Automated Malware Analysis - Setting up the Environment <ul><li>Username : Pushkar </li></ul><ul><li>Password : KV Prashant </li></ul>
  2. 2. Who we are???? <ul><li>Pushkar Pashupat(Push) </li></ul><ul><ul><li>Security Researcher, working as independent consultant </li></ul></ul><ul><ul><li>CEH, Member of Matriux and null community </li></ul></ul><ul><li>K.V Prashant(kvbhai) </li></ul><ul><ul><li>Security Consultant, working for IT services company </li></ul></ul><ul><ul><li>CISSP & CEH, member of null open security and hacking community </li></ul></ul>
  3. 3. Agenda <ul><li>What is Malware analysis </li></ul><ul><li>Automation </li></ul><ul><ul><ul><li>Virtualization </li></ul></ul></ul><ul><ul><ul><li>Sanboxing </li></ul></ul></ul><ul><li>Tools of Trade </li></ul><ul><li>Demo </li></ul><ul><li>References </li></ul>
  4. 4. Malware Analysis <ul><li>What is Malware Analysis </li></ul><ul><ul><li>Analysing executables for the purpose of determining its malacious behaviour </li></ul></ul><ul><li>Techniques of Malware Analysis </li></ul><ul><ul><li>Static code analysis </li></ul></ul><ul><ul><ul><li>Using debuggers and RE tools(w/o executing) </li></ul></ul></ul><ul><ul><li>Dynamic analysis </li></ul></ul><ul><ul><ul><li>Behavioural analysis(exectuing the malware) </li></ul></ul></ul>
  5. 5. Automation <ul><li>Virtualization </li></ul><ul><ul><li>Using virtual enviroment to execute the malwares and study the behaviour </li></ul></ul><ul><li>Sandboxing </li></ul><ul><ul><li>Executing malwares in controled and monitored environment </li></ul></ul>
  6. 6. Automation states Log Capture Start VM Malware Execution Create VM Revert to fresh Snapshot Next malware
  7. 7. Network Level Analysis Physical machine running Linux OS (Controller) Virtual Machine running Windows where malware samples will run Router / DSL Modem Internet traffic routed through Linux machine <ul><li>Applications running on Controller </li></ul><ul><li>Wireshark </li></ul><ul><li>Tshark </li></ul><ul><li>tcpdump </li></ul><ul><li>Snort </li></ul><ul><li>Burpsuite </li></ul>Internet <ul><li>Network Level analysis help in determining following: </li></ul><ul><li>Protocol used </li></ul><ul><li>Connections made to which IP </li></ul><ul><li>Post connection activities like if any further malwares are dropped </li></ul>
  8. 8. System Level Analysis Controller machine running 1. Custom scripts to invoke vm, start monitoring tools, execute malware and revert vm to clean snapshot <ul><li>Windows Target machine, running on target machine </li></ul><ul><li>Volatility </li></ul><ul><li>Sysinternal tools, procmon, regmon, filemon </li></ul><ul><li>System Level analysis help in determining following: </li></ul><ul><li>Registry edits </li></ul><ul><li>Process, Files created </li></ul><ul><li>Sockets created and ports used </li></ul>
  9. 9. Tools of Trade <ul><li>VirtualBox </li></ul><ul><li>Sysinternal Suite </li></ul><ul><li>Wireshark </li></ul><ul><li>Volatility </li></ul><ul><li>Inetsim </li></ul><ul><li>Sandboxes like Sandboxie </li></ul>
  10. 10. Virtualbox commands <ul><li>Vboxmanage </li></ul><ul><ul><li>startvm </li></ul></ul><ul><ul><li>guestcontrol -exec </li></ul></ul><ul><ul><li>snapshot </li></ul></ul><ul><ul><ul><li>take </li></ul></ul></ul><ul><ul><ul><li>revert </li></ul></ul></ul><ul><ul><li>controlvm </li></ul></ul><ul><ul><ul><li>savestate </li></ul></ul></ul><ul><ul><ul><li>resume </li></ul></ul></ul><ul><ul><ul><li>poweroff </li></ul></ul></ul>
  11. 11. Pre-Execution Analysis <ul><li>PEScanner </li></ul><ul><li>Strings </li></ul><ul><li>VirusTotal </li></ul><ul><li>Start procmon </li></ul><ul><li>Start tshark </li></ul>
  12. 12. Post Execution <ul><li>Memory Dump Analysis </li></ul><ul><li>Yara log analysis </li></ul>
  13. 13. Sandboxes <ul><li>Online Sandboxes </li></ul><ul><li>CWSandbox </li></ul><ul><li>ThreatExpert </li></ul><ul><li>Norman </li></ul><ul><li>Offline Sandboxes </li></ul><ul><li>Sandboxie </li></ul><ul><li>cuckoo </li></ul>
  14. 14. Sandboxie <ul><li>Executing programs without affecting actual system </li></ul><ul><li>Buster Sandboxie Analyser </li></ul><ul><li>Wrapper around Sandboxie </li></ul>
  15. 15. Demo
  16. 16. Thank You Special Thanks to Matriux community and Manu Sir Thanks For Tolerating us 