Presentation IT4BC 2011

1. Security and Privacy
Track
Session 1

2. Introduction to
Malware Analysis
Vincent = Big O

3. What do they have in common?
Lindsay Lohan
Paris Hilton
Snooki
Charlie Sheen

4. Jail

5. Albert Gonzales
Hacked Wireless Network
TJ Maxx
90 Million Credit Cards
20 Years in Jail

6. Hacking = Jail

8. Motivation?

9. Bad Guys
Motivated by money
New school bad guys are after your electronic wallet
Take over payment systems
Take over the world
Just like Doctor Evil

11. About Me
Work at Capilano University
Hack wet paper bags for a living
I live in Vancouver
I commute by bike
I love 80’s music
I love Backtrack4

14. I love my
mac

16. My Reading List
NIST
Windows Forensics Analysis
Reverse Engineering
The Rootkit Arsenal
Security Power Tools
Google
Youtube
DFWS

17. My Favorite Hacker Cons
DEFCON
CanSecWest
SecTor
Blackhat
CCC

18. Click Happy!
and proud of it.

19. What is
Malware Analysis?

20. What is Malware Analysis?
Like being in science class in high school
For example studying a worm
Used microscope
Draw picture or diagram of worm
Observed worm before dissection

21. Introduction to
Malware Analysis

22. Purpose
Tapas
Small taste of everything
For malware analysis

23. What is Malware?

24. Malware
Short for malicious program
Program designed to alter the flow of the
program
Designed with malicious intent
Gain access to systems
Used to gather information, usually
without permission of owner

26. When I was younger…
Used to deliver malware via floppy disks
My favorite piece of malware was Sub7

27. Threat Report

28. Symantec Internet Security
Threat Report
Released April 2011
For the year of 2010
Pdf download
Outlines trends for malware, virus and worms

29. How do you get infected?
Drive by Download
Phishing scams
Malicious Email attachments
Bogus Downloads
SQL Injected Websites

30. Examples of Malware

31. Lisa Moon
Visited Capilano University
Over 5 Million sites infected
SQL injection php webpages
Redirected to malware sites

32. Fake AV
Java Applet
Active X
EXE download

36. Attack Toolkits

37. Zeus (Zbot)

38. Zeus
The most notorious and widely-spread
information stealing Trojans in existence
Targets financial data theft
Lead to the loss of millions worldwide

39. Crimeware Toolkit
Zeus is a toolkit that provides a malware
creator all of the tools required to build
and administer a botnet
Zeus tools are primarily designed for
stealing banking information
Zeus can easily be used for other types of
data or identity theft

40. Controllers of ZBOT
Capture (banking) credentials
Remote control
Keystroke logging
Screen capture
Proxy services
Spamming

41. Zeus Builder
This page is where you create your bot executables
Once created, you are responsible for distribution
Go find some victims

42. Zeus Configuration
The bot needs a configuration to tell it
which address to send all the stolen data
What’s the use of misconfiguring a botnet
that can’t send you stolen data?

43. Configuration Screens

45. Communications
Communications pass between the bots
and one or more servers
Command and Control Server is used to
distribute bot file updates

46. Communications
Data is encrypted with RC4 encryption
A password is used to encrypt all data
that is passed through the botnet

48. Zeus Install Behavior

49. Zeus Flow
Copy itself to another location, execute
the copy, delete the original
Lowers browser security settings by
changing IE registry entries
Injects code into other processes, main
process exits

50. Zeus - Flow
Injected code hooks APIs in each process
Steals several different type of credential
found on the system

51. Zeus - Flow
Downloads config file and processes it
Uses API hooks to steal data
Sends data back to C&C

52. http://zeustracker.abuse.ch

53. Typical Theft
Attackers steal credentials
Set up bogus employee/vendor accounts
Accounts are actually “mules”
Transfers typically kept under $10K

54. Wire Money
Eastern Europe

55. WANTED

56. Finding Mules
Recruited job websites
Receive instructions via website
Process Payments
Laundry via purchases
Write proper phishing emails

57. Zeus characteristics
Continuously changing, software gets
routinely updated
Strong encryption used in program of
various functions to hide secrets
Software uses packers and unpackers
Anti-virus evasion techniques used

58. Big Picture

61. Kung Fu Skillz
Code breaking
Puzzle solving
Programming
Logical analysis

62. Kung Fu
Build analysis workstation
Behavior and Code Analysis
Reverse Engineer
Virus Total

63. Click Happy Fun ( )
Fundamental aspects of malware analysis
Setup an inexpensive and flexible
laboratory
Use lab for exploring characteristics of
real-world malware

64. Build Workstation
Install Base OS
Install vmware
Install victim OS
Install monitoring tools

65. Build Workstation
Install Base OS
Install vmware
Install victim OS
Install monitoring tools

67. Build Workstation
Install Base OS
Install vmware
Install victim OS
Install monitoring tools

69. Build Workstation
Install Base OS
Install vmware
Install Victim OS
Install monitoring tools

70. Build Workstation
Install Base OS
Install vmware
Install victim OS
Install monitoring tools

71. Tools
PSTools from SysInternals
IDA Pro
Wireshark
Anti-virus

72. Other Tools
Fake DNS and shellcode2exe
LordPE, and PEiD
Malzilla, and SpiderMonkey
Firefox, No Script, BurpSuite
Honeyd, NetCat, curl, wget,
Volatility Framework and plug-ins such as malfind2
FTK Imager

73. Kung Fu
Build analysis workstation
Behavior and Code Analysis
Reverse Engineer
Virus Total

74. Assumption

75. Getting evidence
Gathering electronic evidence
Evidence process
Access Data FTK – Used to solve Lacie Peterson Case

77. RSA Hacked

78. Timeline
Phishing – Zero Day Attack
Backdoor installed
Lateral Movement
Data Gathering
Exfiltrate

79. How do you know you have a
virus or malware?

80. You can rely on…
Your anti-virus vendor
Web or malware gateway
Network analysis tools

81. Rootkit Revealer
Rootkit detection utility
Lists Registry and file system API discrepancies
Helps indicate the presence of a user-mode or kernel-mode
rootkits

82. Behavior and Code
Analysis
Two approaches

83. Answer these questions!
Process count
User ID's
Loaded Modules
Files
Registry Keys

84. Answer this!
DLL Used
API hooked
Memory Space Used
Network Connections
Services Used
Sockets Used

85. Temporal Reconstruction

86. Temporal Reconstruction
Forensic analysis to reconstruct events surrounding a hacking
incident or malware infection
Dead machine and Live System Analysis
AKA = Building a Timeline
NOTE : Live Analysis means data is volatile

87. MACtime
forensic tool in your digital detective toolkit
Unix and Linux
mtime, atime, and ctime
Windows
LastWriteTime, LastAccessTime, and CreationTime

88. Build a Timeline

89. Timeline Analysis
File system metadata
Event Log entries
Data from the Registry
User's web browser history
Timestamps
Network Statistics
Logs

90. Timestamps
Creation Date
Last Modified Date
Last Accessed Date
Last Modified Date for the file's Master File Table (MFT)
entry

91. File Carving
Tool for recovering files and fragments of files when
directory entries are corrupt or missing
For example – listing directory of pictures
Pictures are all deleted in the catalogue
File Carving allows investigator to recover pictures without
directory listings

92. Finding Hidden exe

93. LordPE

97. Hiding Process
Backtrack4 Linux Distribution
Rooted box with Metasploit
Migrated process via meterpreter script

101. Extracting exe

102. Volatility Python Scripts

103. Volatility
Digital Forensics Utility
Script used to walk memory dumps
Rebuild running processes
Rebuild executables
Malfind plug-in finds suspicious files in
memory

105. Malicious process
hidden in PID 4968

106. VAD Walk identifies
offsets

107. Disassembly of
offsets

108. VAD Walk
Virtual Address Descriptor (VAD) tree
structure in Windows memory dumps
Method to locate and parse the structure
of physical memory
Method walks the tree for the “hacked”
process

109. Using Foremost to get EXE

111. NetworkMiner

112. Using Wireshark
Capture packs on network of malware contacting Zeus
Command and Control
Behavior based analysis of malware

113. Analysis with NetworkMiner
Need pcap file
Need download NetworkMiner
Need search criteria

114. Network

115. Click Happy – Infect your
system
Set up your process viewers
Snapshot your registry with Regshot
Configure FakeDNS
Start Wireshark
Double Click that Executable
Intercept system and network-level activities in the analysis
lab

116. NOTE MAKE SURE YOU
DON’T CONNECT TO PROD

117. Kung Fu
Build analysis workstation
Behavior and Code Analysis
Reverse Engineer
Virus Total

118. What is reverse
engineering?

119. Reverse engineering is the
process of analyzing a subject
to create representations of
the system at a higher level of
abstraction

120. Understanding 1 and 0’s
Software person programs in language
Program gets compiled
1’s and 0’s get “translated” from human readable code to
machine instruction
Reverse Engineering attempts to take machine instruction
and create human readable code

121. Compiling Source Code
Source Code
Compiler
Object File

122. Object
File
DLL DLL
Linker

123. Assembly Language

124. Example Assembly
MOV AX, 47104
MOV DS, AX
MOV [3998], 36
INT 32
Each line is one CPU-level instruction

125. Example Assembly
MOV AX, 47104
MOV DS, AX
MOV [3998], 36
INT 32
Tells the computer to copy the
number 47104 into the location AX

126. Human readable

127. Example Human Readable
#include <stdio.h>
int main()
{ printf( “Click Happy.n" );
getchar(); return 0; }

128. Purpose of R.E.
Manually follow flow of program visually using graphs
Manually follow flow of program reading the code
Execute code with breakpoints to control the flow of
the program during runtime
Look for hints or clues to origin, signatures, or
programming style
Look for characteristics of program

129. Reverse-Engineering Benefits
Sophisticated malware protects itself from
discovery and analysis
Malware will have passwords, backdoor, and
secret methods to hide and protect information
Allows analyst to discover great detail on the
operations and flow control of the program

130. Wouldn’t it be nice to have the
login and password to the
Command and Control Server
of a BotNet?

131. Manual unpacking of protected
malicious Windows executables

132. Understand anti-analysis
mechanisms built into malware

133. Analyzing protected malicious
browser scripts written in
JavaScript and VBScript

134. Other Benefits of R.E.
Performing static and dynamic code
analysis of malicious Windows
executables
Step through code using debuggers like
OllyDbg or SoftICE

135. OllyDbg
32-bit assembler level debugger
Binary code analysis where source is
unavailable

136. Using OllyDbg
Drag executable onto OllyDbg
“Step into” each instruction until
something fun happens
In the register section you can observe
what is being run in memory

137. Reverse Engineering
Potentially gives you the “why”
of the behavior
Insight into the inner workings of
the program

138. BinText
Searches Binary or Executable for all Text
Outputs “strings”
Provides insight to structure or parts of
the program

139. Searching strings
Analyzing malware with IDA Pro and
strings

140. Kung Fu
Build analysis workstation
Behavior and Code Analysis
Reverse Engineer
Virus Total

141. Virus Total

143. CWSandbox

145. Final Thoughts

146. got root?

147. APT?
Advanced Persistent Threat
Threat, such as a foreign nation
state government, with both the
capability and the intent to
persistently and effectively target
a specific entity

148. Coordinated human involvement
NOT mindless and automated piece of
code
Specific objective
Skilled and motivated
Organized and well funded

154. Photo Credits = Internet

155. Thank you! 
</end>

156. Quiz

157. What are the two types of
malware analysis?

158. Behavioral Analysis
Code Analysis

159. What is APT?

160. Advanced Persistent
Threat

161. What is reverse engineering?

162. Reverse engineering is the
process of analyzing a subject
system to create
representations of the system
at a higher level of abstraction

163. How many PC’s deployed
worldwide?

164. 1.2 Billion

165. How many smartphones?
What’s the future market?

166. 5 Billion

167. What does hacking get you?

168. New friends

169. Place to stay. 3 meals.

170. Job Retraining

171. Hacking = Jail

172. Click Happy.
Thank you!