Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 20-21.11.2015
www.codemotionworld.com
THE DARK SIDE OF
MALWARE ANALYSIS
Andrea Pompili
There are only 10 types
of people in the world:
Those who understand binary,
and those who don't
apompili@hotmail.com
Command and Control system IPs:
203.131.222.102:8080
217.96.33.164:8000
88.53.215.64:8000
Malware Analysis?
> To understand the real damage
> To discover the Indicators of Compromise
> To establish the attacker's level of preparation/motivation (Sun Tzu docet)
> To reconstruct the vulnerability that was used (maybe a 0-day :-|)
> To catch the bad guy
> To answer life's questions…
The noble art of Reverse Engineering
Reverse engineering, def.
«the process of analysing an existing software system, carried out in order to create a representation of it at a high level of abstraction»
Other purposes of reverse engineering include: vulnerability checks, removal of copy protection, circumvention of access restrictions
Ideal Reverse Engineering
Full vs Adequate Analysis
[Diagram] Malware Architecture: Infection Stage and Malware Core. Components shown: Vector, Exploit, Downloader, Launcher, Dropper, Module, Module <01>, Module <XX>, Command & Control
[Diagram] Malware Architecture > Infection Stage. Components shown: Vector, Exploit, Downloader, Launcher, Dropper, Module, Module <01>, Module <XX>, Malware Core, Command & Control
Spear Phishing > Emails containing links
Spear Phishing > Emails containing attachments
Posts on Forums // Blogs // Social Networks
How nice! I found a USB stick
[Diagram] Malware Architecture > Downloader. Components shown: Vector, Exploit, Downloader, Command & Control (Infection Stage)
How is the Communication Channel Encoded?
<#1> Fixed-Byte XOR (evergreen)
Identifiable (just find a xor opcode in the binary)
<#2> Base64 Encoding
Identifiable and automatically reversible
<#3>
Crypto libraries: bulky and recognizable; how to manage the keys?
<#4> G Channel
Depends on the type; try doing it with a shellcode!!!
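The first two encodings on this slide can be peeled off mechanically during analysis. The following is an added example, not code from the talk: it undoes an optional Base64 layer and then tries all 256 fixed-byte XOR keys, ranking them by known-plaintext markers; the marker list, the function names and the sample request are constructed for illustration.

```python
import base64
import binascii
import re

# Known-plaintext markers ("cribs") an analyst expects in decoded traffic.
# Assumption for this example; extend the list per investigation.
CRIBS = [b"HTTP/1.", b"http://", b"Host: "]

B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (encoding == decoding)."""
    return bytes(b ^ key for b in data)


def try_base64(blob: bytes):
    """Return the decoded bytes if blob is plausibly Base64, else None."""
    compact = b"".join(blob.split())          # tolerate line wrapping
    if len(compact) < 16 or len(compact) % 4 or not B64_RE.fullmatch(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def xor_candidates(data: bytes, cribs=CRIBS):
    """Try all 256 one-byte keys; rank by crib hits, then printable ratio."""
    results = []
    for key in range(256):
        plain = xor_bytes(data, key)
        hits = sum(1 for crib in cribs if crib in plain)
        results.append((hits, printable_ratio(plain), key, plain))
    results.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return results


def peel(blob: bytes, cribs=CRIBS):
    """Undo an optional Base64 layer, then an optional fixed-byte XOR layer."""
    layers = []
    decoded = try_base64(blob)
    if decoded is not None:
        layers.append("base64")
        blob = decoded
    hits, _ratio, key, plain = xor_candidates(blob, cribs)[0]
    if hits and key != 0:                     # key 0 means "not XORed"
        layers.append(f"xor 0x{key:02x}")
        blob = plain
    return layers, blob


# Constructed sample (not real traffic): a check-in request XORed with 0x5A
# and then Base64-encoded.
SAMPLE_PLAIN = (b"POST /gate.php HTTP/1.1\r\nHost: c2.example.test\r\n\r\n"
                b"id=1234&os=win7")
SAMPLE_WIRE = base64.b64encode(xor_bytes(SAMPLE_PLAIN, 0x5A))

if __name__ == "__main__":
    found_layers, recovered = peel(SAMPLE_WIRE)
    print(found_layers)
    print(recovered.decode("ascii"))
```

Ranking by markers rather than by printable characters alone matters: several wrong keys also yield fully printable output for short ASCII payloads.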
Communication Channel: Room for imagination
[Diagram] Malware Architecture > Persistence. Components shown: Vector, Exploit, Downloader, Launcher, Dropper, Module, Module <01>, Module <XX>, Command & Control (Infection Stage, Malware Core)
[Diagram] Malware Architecture > Chained Modules. Components shown: Vector, Exploit, Downloader #1, Command & Control #1, Downloader #2, Command & Control #2, Malware Component (Infection Stage)
Modules and Plugins
> Infostealer
> Keylogging
> Sniffer
> Spyware
> Data Exfiltration
> Remote Control
> Identity Theft
> Ransomware
> Spambot
> Network Scanner
> DDoS Agent
> Targeted attacks
> Data manipulation
> Anonymous Proxy
> DNS Attack
> Warez Archive
Static vs Dynamic Analysis?
<#1> Static Analysis
> The code is NEVER executed (or at least it should not be)
> The analysis is carried out by transforming or reorganizing an artifact's code in successive stages
> A significant number of analysis tools are used
> Ad-hoc processing tools have to be managed
> Watch out for exploits targeting the analysis tools being used!
> Analysis is limited or very lengthy when complex packers or obfuscation are involved
First of All
String Revealer
Static Malware
<#1> Native Format (PE/ELF)
<#2> Intermediate Language (Java/.NET/etc.)
<#3> Active Documents (PDF/Office/etc.)
Same result == VERY different approaches
The facts of the matter #1
<#1> Native Format (PE/ELF)
Interactive Disassembler
Online Disassembler
How Malware Writers protect their
http://upx.sourceforge.net/
How Malware Writers protect their
How Malware Writers protect their
The way to Packers
Original Program
  DOS MZ Header
  PE Header
  Section Table
  Sections: .text, .data, .resrc
Packed Program
  DOS MZ Header
  PE Header
  Section Table
  Sections: Unpacker Stub, Temp Space, Packed Data (original OEP)
Diagram label: OEP
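An added example, not from the talk, that reads a PE section table and flags the layout traits of the packed program in the diagram above: a temp-space section with no data on disk, writable and executable sections, and an entry point outside the first section. The two header-only images, including their section names and sizes, are constructed for illustration, and the checks are heuristics rather than proof of packing.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
SCN_CODE, SCN_INIT_DATA, SCN_UNINIT_DATA = 0x20, 0x40, 0x80
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def parse_sections(image: bytes):
    """Return (entry_point_rva, [section dicts]) read from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS MZ header")
    pe_off, = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", image, pe_off + 6)
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)
    opt_off = pe_off + 24
    entry_rva, = struct.unpack_from("<I", image, opt_off + 16)
    table_off = opt_off + opt_size
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_FMT, image, table_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "rva": f[2], "raw_size": f[3],
                         "flags": f[9]})
    return entry_rva, sections


def packer_indicators(image: bytes):
    """Return (section name, indicator) pairs for packer-like layout traits."""
    entry_rva, sections = parse_sections(image)
    findings = []
    for idx, s in enumerate(sections):
        executable = bool(s["flags"] & SCN_EXECUTE)
        # Empty on disk but mapped executable: space the stub unpacks into.
        if s["raw_size"] == 0 and s["vsize"] > 0 and executable:
            findings.append((s["name"], "temp-space"))
        if executable and s["flags"] & SCN_WRITE:
            findings.append((s["name"], "write+execute"))
        end = s["rva"] + max(s["vsize"], s["raw_size"])
        if idx != 0 and s["rva"] <= entry_rva < end:
            findings.append((s["name"], "entry-outside-first-section"))
    return findings


def build_image(entry_rva, sections):
    """Build header-only PE bytes for the example (constructed, not runnable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode(), vsize, rva, raw,
                    0, 0, 0, 0, 0, flags)
        for name, vsize, rva, raw, flags in sections)
    return dos + b"PE\0\0" + coff + opt.ljust(224, b"\0") + table


# Constructed samples: (name, virtual size, RVA, raw size, flags).
ORIGINAL = build_image(0x1000, [
    (".text", 0x5000, 0x1000, 0x5000, SCN_CODE | SCN_EXECUTE | SCN_READ),
    (".data", 0x1000, 0x6000, 0x0800, SCN_INIT_DATA | SCN_READ | SCN_WRITE),
    (".rsrc", 0x2000, 0x7000, 0x2000, SCN_INIT_DATA | SCN_READ),
])
RWX = SCN_EXECUTE | SCN_READ | SCN_WRITE
PACKED = build_image(0x9F00, [
    ("UPX0", 0x8000, 0x1000, 0x0000, SCN_UNINIT_DATA | RWX),   # temp space
    ("UPX1", 0x3000, 0x9000, 0x2E00, SCN_INIT_DATA | RWX),     # data + stub
    (".rsrc", 0x1000, 0xC000, 0x1000, SCN_INIT_DATA | SCN_READ | SCN_WRITE),
])

if __name__ == "__main__":
    for label, image in (("original", ORIGINAL), ("packed", PACKED)):
        print(label, packer_indicators(image))
```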
FUD (Fully UnDetectable) Packers
UPX, Aspack, PE Compact, and the rest
http://it.wikipedia.org/wiki/Exe_Packer
Static Resource Analyzer
Internet helps
The facts of the matter #2
<#2> Intermediate Language (Java/.NET/etc.)
Why Decompilation is easier
> Metadata must be explicit (Constant Pool names, variables, methods and classes)
> Opcodes are very close to source-code constructs (e.g. tableswitch)
> Self-modifying code cannot be used
> Branching to arbitrary locations is not possible, only to the start of an instruction and within the scope of the current method (checked by the verifier)
Stack is Everything
THREAD #1 … THREAD #n, each with:
  PC Register
  JVM Stack
    Frame #1 … Frame #n, each with:
      Local Variable Array
      Operand Stack
      RCP Reference
  Native Method Stack
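The way from Source to Bytecode
static int addTwo(int a, int b) {   // static, so local slots 0 and 1 hold a and b
    b = a + b;
    return b;
}
iload_0     // push a
iload_1     // push b
iadd        // pop both, push a + b
istore_1    // pop the sum into b
iload_1     // push b
ireturn     // return the top of the operand stack
Frame «addTwo»: Local Variable Array, Operand Stack, RCP Reference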
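An added example, not from the talk: a toy evaluator for the opcodes above that runs the frame concretely and then replays it with expressions on the operand stack, which recovers the source statements. It assumes addTwo is static (so slots 0 and 1 hold a and b); the opcode subset and the function names are chosen for illustration.

```python
# Bytecode from the slide. Assumption: addTwo is static, so local slots
# 0 and 1 hold the arguments a and b (slot 0 would be `this` otherwise).
ADD_TWO = ["iload_0", "iload_1", "iadd", "istore_1", "iload_1", "ireturn"]

# Supported binary opcodes: source symbol and concrete operation.
OPERATORS = {"iadd": ("+", lambda x, y: x + y),
             "isub": ("-", lambda x, y: x - y),
             "imul": ("*", lambda x, y: x * y)}


def to_int32(value):
    """Wrap a Python int to Java's 32-bit two's-complement int."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def execute(bytecode, args):
    """Run one frame; return (result, trace of (opcode, locals, stack))."""
    local_vars, stack, trace = list(args), [], []
    for op in bytecode:
        if op.startswith("iload_"):
            stack.append(local_vars[int(op[6:])])
        elif op.startswith("istore_"):
            local_vars[int(op[7:])] = stack.pop()
        elif op in OPERATORS:
            right, left = stack.pop(), stack.pop()
            stack.append(to_int32(OPERATORS[op][1](left, right)))
        elif op == "ireturn":
            result = stack.pop()
            trace.append((op, list(local_vars), list(stack)))
            return result, trace
        else:
            raise ValueError(f"unsupported opcode: {op}")
        trace.append((op, list(local_vars), list(stack)))
    raise ValueError("method ended without ireturn")


def _wrap(expr):
    """Parenthesise compound expressions so precedence survives nesting."""
    return f"({expr})" if " " in expr else expr


def decompile(bytecode, names):
    """Replay the opcodes with expressions on the stack instead of values."""
    stack, statements = [], []
    for op in bytecode:
        if op.startswith("iload_"):
            stack.append(names[int(op[6:])])
        elif op.startswith("istore_"):
            statements.append(f"{names[int(op[7:])]} = {stack.pop()};")
        elif op in OPERATORS:
            right, left = stack.pop(), stack.pop()
            stack.append(f"{_wrap(left)} {OPERATORS[op][0]} {_wrap(right)}")
        elif op == "ireturn":
            statements.append(f"return {stack.pop()};")
        else:
            raise ValueError(f"unsupported opcode: {op}")
    return statements


if __name__ == "__main__":
    value, steps = execute(ADD_TWO, [2, 3])
    for opcode, local_vars, operand_stack in steps:
        print(f"{opcode:<9} locals={local_vars} stack={operand_stack}")
    print("result:", value)
    print("\n".join(decompile(ADD_TWO, ["a", "b"])))
```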
«Easy» way to Source
JD-GUI
http://jd.benow.ca/
JAD
http://varaneckas.com/jad/
why not So Easy
http://set.ee/jbe/
ByteCode Analysis & Manipulation
https://github.com/contra/JMD
but sometimes Things work
Get your own ZKM String Custom Tool
java -jar ZKMTools.jar <CLASS_FILE>
What is Dynamic Analysis?
<#1> Debugging
<#2> Live Execution Analysis
<#3> Sandbox-based Analysis
NEVER use your own PC to run malware!!!
Snapshot is the Way
Debugging Principles
<#1> Debugging
OllyDbg Debugger (x86 only)
http://www.ollydbg.de/
x64Dbg (x86/x64)
http://x64dbg.com
Debugging World
Rings are privilege and/or security levels provided by the processor
x86 Ring0: Kernel
HyperDbg, WinDbg, SoftICE
http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_0_Debuggers
x86 Ring3: Usermode
http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_3_Debuggers
Two Assembler things you have to know
Base x86/x64 registers:
EAX: general-purpose register #1 (RAX in 64-bit)
EBX: general-purpose register #2 (RBX in 64-bit)
ECX: general-purpose register #3 (RCX in 64-bit)
EDX: general-purpose register #4 (RDX in 64-bit)
ESI: source pointer for string operations (RSI in 64-bit)
EDI: destination pointer for string operations (RDI in 64-bit)
ESP: pointer to the current position of the stack (RSP in 64-bit)
EBP: pointer to the base of the stack (RBP in 64-bit)
EIP (Extended Instruction Pointer): pointer to the next instruction to be executed
General-purpose registers available in 64-bit mode only: R8-R15
Two Assembler things you have to know
Stack x86/x64:
» LIFO (Last In First Out) structure mapped onto memory
» ESP points to the current position in memory
» EBP is used as a «marker» to manage the next stack frame
» Data can be loaded with the PUSH and POP instructions
» The return address of each CALL is saved automatically
Two Assembler things you have to know
> Run-time stack (stack frame)
> Contains the local variables
> ESP points to the first element of the stack
> EBP points to the base of the stack frame
> On every procedure call a new stack frame is reserved (the function's scope) by moving ESP and EBP
[Diagram: memory map from x0000 to xFFFF showing Trap Vectors, Intr Vectors, Op Sys, Instructions (.text), global data (.data), Heap, run-time stack and Device Registers, with the labels x0100, x0200, x3000, xFE00, EPC, R4, ESP and EBP]
Defeat Packers using Debuggers
» Use the debugger (e.g. x64Dbg or IDA Pro with Bochs) to work through the various decryption routines, setting a breakpoint at the end of each loop
» Dump the memory at the end of the process (e.g. Scylla plugin)
Best Practices:
> Many processes are not resilient (they run and exit immediately)
> Interrupt the process at the right moment
> Step over instruction by instruction until
<#2> Live Execution Analysis
Start Debugging during Execution
How to Fake Servers during Execution
How to Monitor Traffic during Execution
<#3> Sandbox-based Analysis
Detailed Artifact Execution
Screenshots Available!!!
The Online Cuckoo Service
but be careful to fully Understand Objectives!
Questions? (shown on the slide in Italian, Arabic, Spanish, English, Klingon, Sindarin, Japanese, Greek and Russian)

The magic world of Advanced Persistent Threat - Andrea Pompili - Codemotion M...The magic world of Advanced Persistent Threat - Andrea Pompili - Codemotion M...
The magic world of Advanced Persistent Threat - Andrea Pompili - Codemotion M...Codemotion
 
Wearable Botnets and Happy Hacked Drivers - Andrea Pompili - Codemotion Milan...
Wearable Botnets and Happy Hacked Drivers - Andrea Pompili - Codemotion Milan...Wearable Botnets and Happy Hacked Drivers - Andrea Pompili - Codemotion Milan...
Wearable Botnets and Happy Hacked Drivers - Andrea Pompili - Codemotion Milan...Codemotion
 
The magic world of APT 0.6 - Pompili
The magic world of APT 0.6 - Pompili The magic world of APT 0.6 - Pompili
The magic world of APT 0.6 - Pompili Codemotion
 
Attacchi, bugie e underground digitale by Andrea Pompili
Attacchi, bugie e underground digitale by Andrea PompiliAttacchi, bugie e underground digitale by Andrea Pompili
Attacchi, bugie e underground digitale by Andrea PompiliCodemotion
 
Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017
Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017
Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017Codemotion
 
Pompili - The miracle of sprite multiplication (C64)
Pompili -  The miracle of sprite multiplication (C64)Pompili -  The miracle of sprite multiplication (C64)
Pompili - The miracle of sprite multiplication (C64)Codemotion
 
Attacks, Lies and the Underground World - Andrea Pompili - Codemotion Amsterd...
Attacks, Lies and the Underground World - Andrea Pompili - Codemotion Amsterd...Attacks, Lies and the Underground World - Andrea Pompili - Codemotion Amsterd...
Attacks, Lies and the Underground World - Andrea Pompili - Codemotion Amsterd...Codemotion
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyCodemotion
 
Wearable botnets 201560319_v3
Wearable botnets 201560319_v3Wearable botnets 201560319_v3
Wearable botnets 201560319_v3Codemotion
 
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...Codemotion
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
Yegor Bugaenko - make customers trust you
Yegor Bugaenko - make customers trust youYegor Bugaenko - make customers trust you
Yegor Bugaenko - make customers trust youLviv Startup Club
 
Make Customers Trust You
Make Customers Trust YouMake Customers Trust You
Make Customers Trust YouYegor Bugayenko
 
Lattice: A Cloud-Native Platform for Your Spring Applications
Lattice: A Cloud-Native Platform for Your Spring ApplicationsLattice: A Cloud-Native Platform for Your Spring Applications
Lattice: A Cloud-Native Platform for Your Spring ApplicationsMatt Stine
 
State of Securing Restful APIs s12gx2015
State of Securing Restful APIs s12gx2015State of Securing Restful APIs s12gx2015
State of Securing Restful APIs s12gx2015robwinch
 
html/CSS Crash course
html/CSS Crash coursehtml/CSS Crash course
html/CSS Crash courseJustin Ezor
 
Spring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniSpring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniVMware Tanzu
 

Similar to Dark Side of Malware Analysis (20)

The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
 
The magic world of Advanced Persistent Threat - Andrea Pompili - Codemotion M...
The magic world of Advanced Persistent Threat - Andrea Pompili - Codemotion M...The magic world of Advanced Persistent Threat - Andrea Pompili - Codemotion M...
The magic world of Advanced Persistent Threat - Andrea Pompili - Codemotion M...
 
Wearable Botnets and Happy Hacked Drivers - Andrea Pompili - Codemotion Milan...
Wearable Botnets and Happy Hacked Drivers - Andrea Pompili - Codemotion Milan...Wearable Botnets and Happy Hacked Drivers - Andrea Pompili - Codemotion Milan...
Wearable Botnets and Happy Hacked Drivers - Andrea Pompili - Codemotion Milan...
 
The magic world of APT 0.6 - Pompili
The magic world of APT 0.6 - Pompili The magic world of APT 0.6 - Pompili
The magic world of APT 0.6 - Pompili
 
Attacchi, bugie e underground digitale by Andrea Pompili
Attacchi, bugie e underground digitale by Andrea PompiliAttacchi, bugie e underground digitale by Andrea Pompili
Attacchi, bugie e underground digitale by Andrea Pompili
 
Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017
Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017
Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017
 
Pompili - The miracle of sprite multiplication (C64)
Pompili -  The miracle of sprite multiplication (C64)Pompili -  The miracle of sprite multiplication (C64)
Pompili - The miracle of sprite multiplication (C64)
 
Attacks, Lies and the Underground World - Andrea Pompili - Codemotion Amsterd...
Attacks, Lies and the Underground World - Andrea Pompili - Codemotion Amsterd...Attacks, Lies and the Underground World - Andrea Pompili - Codemotion Amsterd...
Attacks, Lies and the Underground World - Andrea Pompili - Codemotion Amsterd...
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending story
 
Wearable botnets 201560319_v3
Wearable botnets 201560319_v3Wearable botnets 201560319_v3
Wearable botnets 201560319_v3
 
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
Yegor Bugaenko - make customers trust you
Yegor Bugaenko - make customers trust youYegor Bugaenko - make customers trust you
Yegor Bugaenko - make customers trust you
 
Make Customers Trust You
Make Customers Trust YouMake Customers Trust You
Make Customers Trust You
 
Lattice: A Cloud-Native Platform for Your Spring Applications
Lattice: A Cloud-Native Platform for Your Spring ApplicationsLattice: A Cloud-Native Platform for Your Spring Applications
Lattice: A Cloud-Native Platform for Your Spring Applications
 
From basement to global
From basement to globalFrom basement to global
From basement to global
 
State of Securing Restful APIs s12gx2015
State of Securing Restful APIs s12gx2015State of Securing Restful APIs s12gx2015
State of Securing Restful APIs s12gx2015
 
html/CSS Crash course
html/CSS Crash coursehtml/CSS Crash course
html/CSS Crash course
 
Spring Cloud Gateway
Spring Cloud GatewaySpring Cloud Gateway
Spring Cloud Gateway
 
Spring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniSpring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane Maldini
 

More from Codemotion

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Codemotion
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaCodemotion
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserCodemotion
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Codemotion
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Codemotion
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Codemotion
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri  - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri  - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Codemotion
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Codemotion
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Codemotion
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Codemotion
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Codemotion
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Codemotion
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Codemotion
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Codemotion
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...Codemotion
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Codemotion
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Codemotion
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Codemotion
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Codemotion
 
Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...
Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...
Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...Codemotion
 

More from Codemotion (20)

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storia
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard Altwasser
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri  - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri  - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
 
Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...
Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...
Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Dark Side of Malware Analysis

  • 1. THE DARK SIDE OF MALWARE ANALYSIS. Andrea Pompili, apompili@hotmail.com – Xilogic Corp. MILAN 20-21.11.2015, www.codemotionworld.com. Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ "There are only 10 types of people in the world: those who understand binary, and those who don't."
  • 4. Command and Control system IPs: 203.131.222.102:8080, 217.96.33.164:8000, 88.53.215.64:8000
  • 6. Malware Analysis?
      > To understand the real damage
      > To discover the Indicators of Compromise
      > To gauge the attacker's level of preparation/motivation (Sun Tzu docet)
      > To reconstruct the vulnerability used (maybe a 0-day :-|)
      > To catch the bad guy
      > To answer the questions of life…
  • 7. The noble art of Reverse Engineering. Reverse engineering, def.: «the process of analysing an existing software system, carried out in order to create a representation of it at a high level of abstraction». Other purposes of reverse engineering include: vulnerability assessment, removal of copy protection, circumvention of access restrictions.
  • 8. Ideal Reverse Engineering
  • 9. Full vs Adequate Analysis
  • 10. Malware Architecture [diagram blocks: Vector, Exploit, Downloader, Command & Control, Launcher, Dropper, Module, Module <01>, Module <XX>; labelled areas: Infection Stage, Malware Core]
  • 11. Malware Architecture > Infection Stage [diagram blocks: Vector, Exploit, Downloader, Command & Control, Launcher, Dropper, Module, Module <01>, Module <XX>; labelled areas: Infection Stage, Malware Core]
  • 12. Spear Phishing > Emails containing links
  • 13. Spear Phishing > Emails containing attachments
  • 14. Posts on forums // blogs // social networks
  • 15. How nice! I found a USB stick
  • 16. Malware Architecture > Downloader [diagram blocks: Vector, Exploit, Downloader, Command & Control; labelled area: Infection Stage]
  • 17. How is the Communication Channel Encoded?
      <#1> Fixed Byte XOR (evergreen): identifiable (just find an xor opcode in the binary)
      <#2> Base64 Encoding: identifiable and automatically reversible
      <#3> Crypto libraries: bulky and recognizable; how to manage the keys?
      <#4> G Channel: depends on the type; try doing it with a shellcode!!!
  • 18. Communication Channel: room for imagination
  • 19. Malware Architecture > Persistence [diagram blocks: Vector, Exploit, Downloader, Command & Control, Launcher, Dropper, Module, Module <01>, Module <XX>; labelled areas: Infection Stage, Malware Core]
  • 20. Malware Architecture > Chained Modules [diagram blocks: Vector, Exploit, Downloader #1, Command & Control #1, Malware Component, Downloader #2, Command & Control #2; labelled area: Infection Stage]
  • 21. Modules and Plugins > Infostealer > Keylogging > Sniffer > Spyware > Data Exfiltration > Remote Control > Identity Theft > Ransomware > Spambot > Network Scanner > DDoS Agent > Targeted attacks > Data manipulation > Anonymous Proxy > DNS Attack > Warez Archive
  • 22. Static vs Dynamic Analysis? <#1> Static Analysis
      > The code is NEVER executed (or at least it should not be)
      > The analysis is carried out by transforming or reorganizing the code of an artifact in successive stages
      > Use of a significant number of analysis tools
      > Need to manage ad-hoc processing tools
      > Beware of possible exploits against the analysis tools in use!
      > Limited or very lengthy analysis in the case of packers or complex obfuscation
  • 23. First of All
  • 24. String Revealer
  • 25. Static Malware: <#1> Native format (PE/ELF) <#2> Intermediate Language (Java/.NET/etc.) <#3> Active documents (PDF/Office/etc.). Same result == VERY different approaches
  • 26. The reality #1: <#1> Native format (PE/ELF)
  • 27. Interactive Disassembler
  • 28. Online Disassembler
  • 29. How Malware Writers protect their
  • 30. http://upx.sourceforge.net/ How Malware Writers protect their
  • 31. How Malware Writers protect their
  • 32. The way to Packers [diagram]
      Original Program: DOS MZ Header, PE Header, Section Table, Sections (.text, .data, .resrc)
      Packed Program: DOS MZ Header, PE Header, Section Table, Sections (Unpacker Stub, Temp Space, Packed Data (original OEP))
      Marker: OEP
  • 33. FUD (Fully UnDetectable) Packers: UPX, Aspack, PE Compact, and the rest. http://it.wikipedia.org/wiki/Exe_Packer
  • 34. Static Resource Analyzer
  • 35. Internet helps
  • 36. The reality #2: <#2> Intermediate Language (Java/.NET/etc.)
  • 37. Why Decompilation is easier
      > Metadata must be explicit (constant-pool names, variables, methods and classes)
      > The opcodes are very close to source-code constructs (e.g. tableswitch)
      > Self-modifying code cannot be used
      > Branching to arbitrary locations is not possible: only to the start of an instruction, within the scope of the current method (checked by the verifier)
  • 38. Stack is Everything [diagram: THREAD #1 … THREAD #n, each with PC Register, JVM Stack, Native Method Stack; Frame #1 … Frame #n, each with Local Variable Array, Operand Stack, RCP Reference]
  • 39. The way from Source to Bytecode
      Source: int addTwo(int a, int b) { b = a + b; return b; }
      Bytecode: iload_0 iload_1 iadd istore_1 iload_1 ireturn
      Frame «addTwo»: Local Variable Array, Operand Stack, RCP Reference
  • 40. «Easy» way to Source: JD-GUI http://jd.benow.ca/ and JAD http://varaneckas.com/jad/
  • 41. why not So Easy
  • 43. ByteCode Analysis & Manipulation: http://set.ee/jbe/
  • 45. https://github.com/contra/JMD
  • 46. but sometimes Things work
  • 48. Get your own ZKM String Custom Tool: java -jar ZKMTools.jar <CLASS_FILE>
  • 49. What is Dynamic Analysis? <#1> Debugging <#2> Live Execution Analysis <#3> Sandbox-based Analysis. NEVER use your own PC to run malware!!!
  • 50. Snapshot is the Way
  • 51. Debugging Principles <#1> Debugging: OllyDbg Debugger (x86 only) http://www.ollydbg.de/ and x64Dbg (x86/x64) http://x64dbg.com
  • 52. Debugging World. Rings are privilege and/or security levels provided by the processor.
      x86 Ring3 (User mode): http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_3_Debuggers
      x86 Ring0 (Kernel): HyperDbg, WinDbg, SoftICE http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_0_Debuggers
  • 53. Two Assembler things you have to know. Base x86/x64 registers:
      EAX: general-purpose register #1 (RAX in 64-bit)
      EBX: general-purpose register #2 (RBX in 64-bit)
      ECX: general-purpose register #3 (RCX in 64-bit)
      EDX: general-purpose register #4 (RDX in 64-bit)
      ESI: source pointer for string operations (RSI in 64-bit)
      EDI: destination pointer for string operations (RDI in 64-bit)
      ESP: pointer to the current position of the stack (RSP in 64-bit)
      EBP: pointer to the base of the stack (RBP in 64-bit)
      EIP (Extended Instruction Pointer): pointer to the next instruction to execute
      General-purpose registers available in 64-bit mode only: R8-R15
  • 54. Two Assembler things you have to know. x86/x64 stack:
      » LIFO (Last In First Out) structure mapped onto memory
      » ESP points to the current position in memory
      » EBP is used as a «marker» to manage the next stack frame
      » Data can be loaded by means of PUSH and POP instructions
      » It automatically saves the return address of CALLs
  • 55. Two Assembler things you have to know
      > Run-time stack (stack frame)
      > Contains the local variables
      > ESP points to the first element of the stack
      > EBP points to the base of the stack frame
      > On every procedure call a new stack frame is reserved (the function's scope) by moving ESP and EBP
      [memory-map diagram labels: Trap Vectors, Intr Vectors, Op Sys, Instructions (.text), global data (.data), Heap, run-time stack, Device Registers; addresses x0000, x0100, x0200, x3000, xFE00, xFFFF; pointers EPC, R4, ESP, EBP]
  • 56. Defeat Packers using Debuggers
      » Use the debugger (e.g. x64Dbg or IDA Pro with Bochs) to go through the various decryption routines, setting a breakpoint at the end of each loop
      » Dump the memory at the end of the process (e.g. Scylla plugin)
      Best Practices:
      > Many processes are not resilient (they run and exit immediately)
      > Interrupt the process at the right moment
      > Step over instruction by instruction until
  • 57. <#2> Live Execution Analysis
  • 58. Start Debugging during Execution
  • 59. How to Fake Servers during Execution
  • 60. How to Monitor Traffic during Execution
  • 61. <#3> Sandbox-based Analysis
  • 62. Detailed Artifact Execution
  • 63. Screenshots Available!!!
  • 64. The Online Cuckoo Service
  • 66. but be careful to fully Understand Objectives!
  • 67. Domande? (Italian) · أَيَّة مَطَالِب (Arabic) · ¿Preguntas? (Spanish) · Questions? (English) · tupoQghachmey (Klingon) · Sindarin · Japanese · Ερωτήσεις? (Greek) · вопросы? (Russian)
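
Added example (not from the original slides) for the first two channel encodings on slide 17: an analyst-side decoder that peels Base64 and brute-forces a single-byte XOR key from a captured blob. It also covers the layered Base64-over-XOR case, which goes beyond the slide; the sample request line, the key 0x5A and the crib list are constructed assumptions.

```python
import base64
import binascii
import re

# Constructed samples: the request line and the key 0x5A are invented here.
PLAINTEXT = b"GET /gate.php?id=host01&cmd=ping HTTP/1.1"
XOR_SAMPLE = bytes(b ^ 0x5A for b in PLAINTEXT)
B64_SAMPLE = base64.b64encode(PLAINTEXT)
LAYERED_SAMPLE = base64.b64encode(XOR_SAMPLE)   # Base64 wrapped around XOR

B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
# Cribs: strings the analyst expects in the cleartext protocol (assumption).
CRIBS = (b"GET ", b"POST ", b"HTTP/", b"Host:", b"User-Agent")


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def try_base64(blob):
    """Decode blob if it is well-formed Base64, otherwise return None."""
    blob = blob.strip()
    if len(blob) < 8 or len(blob) % 4 or not B64_RE.fullmatch(blob):
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def brute_single_byte_xor(blob, min_ratio=0.9):
    """Try every non-zero key; rank candidates by crib hits, then printability."""
    ranked = []
    for key in range(1, 256):
        candidate = bytes(b ^ key for b in blob)
        ratio = printable_ratio(candidate)
        if ratio < min_ratio:
            continue
        cribs = sum(1 for c in CRIBS if c in candidate)
        ranked.append((cribs, ratio, key, candidate))
    ranked.sort(key=lambda item: (item[0], item[1]), reverse=True)
    return [(key, text) for _, _, key, text in ranked]


def decode_channel(blob):
    """Peel Base64 and single-byte XOR layers; return (layers, plaintext)."""
    layers, data = [], blob
    decoded = try_base64(data)
    if decoded is not None:
        layers.append("base64")
        data = decoded
    if printable_ratio(data) >= 0.95:
        return layers, data            # already readable, nothing left to peel
    hits = brute_single_byte_xor(data)
    if hits:
        key, text = hits[0]
        layers.append("xor:0x%02x" % key)
        return layers, text
    return layers, None                # stronger encoding: needs manual work
```

Several keys usually give fully printable output, so the crib ranking is what separates the real key from its near neighbours.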
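
Added example (not from the original slides) for the packed-program layout on slide 32: a section-table parser that flags common packer heuristics (a section empty on disk, high entropy, write+execute, entry point outside the first section). The sample image is constructed with truncated headers and UPX-style section names; the entropy threshold and indicator names are assumptions of this example.

```python
import hashlib
import math
import struct
from collections import Counter

SECTION = struct.Struct("<8sIIIIIIHHI")          # IMAGE_SECTION_HEADER (40 bytes)
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # section characteristics flags


def build_sample():
    """Constructed image laid out like the slide's packed program: an empty
    'temp space' section plus one section holding stub and packed data.
    Headers are truncated to the fields parsed below; it is not loadable."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 20, 0x102)      # 2 sections
    optional = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x5000)  # entry RVA
    raw_offset = len(dos) + 4 + len(coff) + len(optional) + 2 * SECTION.size
    table = (SECTION.pack(b"UPX0", 0x4000, 0x1000, 0, 0, 0, 0, 0, 0,
                          MEM_EXECUTE | MEM_WRITE)
             + SECTION.pack(b"UPX1", 0x1000, 0x5000, len(packed), raw_offset,
                            0, 0, 0, 0, MEM_EXECUTE | MEM_WRITE))
    return dos + b"PE\0\0" + coff + optional + table + packed


def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    return -sum(n / len(data) * math.log2(n / len(data))
                for n in Counter(data).values())


def parse_sections(image):
    """Return (entry_point_rva, sections) read from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    (entry,) = struct.unpack_from("<I", image, pe + 24 + 16)
    sections = []
    for i in range(count):
        offset = pe + 24 + opt_size + i * SECTION.size
        (name, vsize, rva, rsize, rptr,
         _, _, _, _, flags) = SECTION.unpack_from(image, offset)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "vsize": vsize, "rsize": rsize,
                         "flags": flags,
                         "entropy": entropy(image[rptr:rptr + rsize])})
    return entry, sections


def packer_indicators(image, high_entropy=7.0):
    """Heuristics only: each hit is a reason to look closer, not a verdict."""
    entry, sections = parse_sections(image)
    hits = []
    for index, s in enumerate(sections):
        if s["rsize"] == 0 and s["vsize"] > 0:
            hits.append((s["name"], "empty-on-disk"))
        if s["entropy"] >= high_entropy:
            hits.append((s["name"], "high-entropy"))
        if s["flags"] & MEM_WRITE and s["flags"] & MEM_EXECUTE:
            hits.append((s["name"], "write+execute"))
        if index > 0 and s["rva"] <= entry < s["rva"] + s["vsize"]:
            hits.append((s["name"], "entry-point-in-late-section"))
    return hits
```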
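
Added example (not from the original slides) for slides 38 and 39: a minimal stack-machine interpreter that runs the addTwo bytecode and records the local variable array and operand stack after every instruction. The opcode subset, the trace format and the function names are choices of this example.

```python
# JVM opcode values for the subset needed here (all one byte, no operands).
MNEMONICS = {0x1A: "iload_0", 0x1B: "iload_1", 0x1C: "iload_2", 0x1D: "iload_3",
             0x3B: "istore_0", 0x3C: "istore_1", 0x3D: "istore_2",
             0x3E: "istore_3", 0x60: "iadd", 0x64: "isub", 0x68: "imul",
             0xAC: "ireturn"}
ARITHMETIC = {"iadd": lambda a, b: a + b,
              "isub": lambda a, b: a - b,
              "imul": lambda a, b: a * b}

# The slide's six instructions for addTwo, encoded as the method's code array.
ADD_TWO = bytes.fromhex("1a1b603c1bac")


def to_int32(value):
    """Wrap to a signed 32-bit int, as JVM int arithmetic does."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def disassemble(code):
    """Map each code byte to its mnemonic; unknown opcodes raise ValueError."""
    listing = []
    for pc, opcode in enumerate(code):
        if opcode not in MNEMONICS:
            raise ValueError("unsupported opcode 0x%02x at pc %d" % (opcode, pc))
        listing.append(MNEMONICS[opcode])
    return listing


def run_frame(code, args, max_locals=None):
    """Execute one frame; return (result, trace). Each trace row is
    (pc, mnemonic, local variable array, operand stack) after the step."""
    size = max_locals if max_locals is not None else len(args)
    local_vars = list(args) + [0] * (size - len(args))
    stack, trace = [], []
    for pc, name in enumerate(disassemble(code)):
        if name.startswith("iload_"):
            stack.append(local_vars[int(name[-1])])      # local -> operand stack
        elif name.startswith("istore_"):
            local_vars[int(name[-1])] = stack.pop()      # operand stack -> local
        elif name in ARITHMETIC:
            right, left = stack.pop(), stack.pop()
            stack.append(to_int32(ARITHMETIC[name](left, right)))
        elif name == "ireturn":
            result = stack.pop()
            trace.append((pc, name, tuple(local_vars), tuple(stack)))
            return result, trace
        trace.append((pc, name, tuple(local_vars), tuple(stack)))
    raise ValueError("code array ended without a return instruction")
```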