LUIGI CAPUZZELLO

Cutting out Malware
Integrated malware analysis.
Versione: 1.0

Luigi Capuzzello
11/01/2014

http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
http://www.slideshare.net/luigicapuzzello
@FisherKasparov
luigi.capuzzello

A good introduction to malware analysis, offering detailed coverage of all the essential skills required to
understand the specific challenges presented by modern malware.
Introduction.2

Contents
Introduction..........................................................................................................................................3
What you will learn..........................................................................................................................3
What you should know.....................................................................................................................3
Basic Static Analysis............................................................................................................................3
Hashing: [winMD5free]...................................................................................................................3
String: [strings].................................................................................................................................3
Packed software [PEiD / exeinfope].................................................................................................4
PE Header [Dependency Walker / PEView / Resource Hacker Tool].............................................5
Basic Dynamic Analysis......................................................................................................................7
Monitor malware activity [procmon / regshot / Process Explorer]..................................................7
Go deep into network traffic.............................................................................................................9
So what the hell can we do ?..............................................................................................................11
Summary............................................................................................................................................11
On the Web.........................................................................................................................................11
About the author.................................................................................................................................12
Other Specification.............................................................................................................................12


Introduction.
An email arrives in your inbox; it's from your girlfriend Ann. She invites you to see her in a very funny picture. Click! "But... what? This picture is not really funny, and... she is not Ann."
Day by day we store more and more confidential information on our computers, from site account credentials to our bank account.
Day by day malware becomes more and more silent; it doesn't want you to be suspicious, it just wants to stay on your device and do something... that you don't want.

What you will learn...

- Configuring a malware analysis lab
- Assembling a real toolkit for malware forensics
- Performing behavioral analysis of malicious Windows executables
- Performing static and dynamic code analysis of malicious Windows executables

What you should know...

- What a PE header is
- Knowledge of network protocols
- Basic knowledge of the Windows registry and processes

Basic Static Analysis.

Static analysis is the process of analyzing the code and the structure of a program to determine its main features.
In this phase of the analysis the program is not running; we are just analyzing a file, a sequence of bytes.
We have to collect as much information as possible. Every piece of information, even the apparently trivial ones, is actually extremely important, above all when you go deep into the malware analysis.
You can find several tools for static analysis, but just a few of them are really interesting.
In the next sections I will describe the juiciest tools and show you how to use them.

Hashing: [winMD5free].
First of all it is a good idea to get a fingerprint of the malware.
Hashing is a common method used to uniquely identify malware; the Message Digest Algorithm 5 (MD5) and the Secure Hash Algorithm (SHA-1) are the methods most commonly used.
For example we can use winMD5Free to get the hash and then search for it online.
If the malware is a well-known one you will find everything about it; if you know what a piece of malware is able to do, it cannot hurt you anymore.
This is an example of winMD5Free; it calculates the MD5 hash of a given program.

Once you have the identity card of the malware you can use it on Google to discover everything about it.

String: [strings].
Another method to find some useful hints about a malware sample is to extract all the strings from it.

The strings program can analyze a file to extract both ASCII and Unicode strings (that is, the Windows implementation of Unicode, also known as wide-character strings); the program ignores context and formatting, it just scans all the bytes one by one. Because of this mechanism it can report characters or strings where there are none.
You can use strings from the command line:
E:>strings.exe Lab01-01.exe
Strings v2.51
Copyright (C) 1999-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
!This program cannot be run in DOS mode.
Richm
.text
`.rdata
@.data
_^[
UVWj
@jjj
D$0
_controlfp
_stricmp
kerne132.dll
Kernel32.
Lab01-01.dll
C:WindowsSystem32Kernel32.dll
WARNING_THIS_WILL_DESTROY_YOUR_MACHINE
Error messages and IP addresses are the most interesting information we can find in a file.
In the above example I have highlighted some important strings.
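As an added example (not part of the original document and not the winMD5Free or Sysinternals code), the following Python script does what the two tools above do: it fingerprints a file with MD5, SHA-1 and SHA-256 (the hash most online lookup services key on today), scans the raw bytes for ASCII and UTF-16LE runs the way strings does, and then sifts the result for IP addresses, URLs and DLL names, flagging look-alike names such as the kerne132.dll seen in the output above. The input is a constructed byte string, not a real sample; the URL, the IP address and the short list of known DLL names are constructed for the demo as well.

```python
import hashlib
import re

# Constructed sample "binary": an ASCII look-alike DLL name, a UTF-16LE (Windows wide)
# string, a URL with an IP address, a run that is too short, and four bytes that are
# printable by accident. Not a real malware sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kerne132.dll\x00"                                   # '1' in place of 'l'
    + b"\x01\x02\x03\x04"
    + "WARNING_THIS_WILL_DESTROY_YOUR_MACHINE".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x41\x42\x00"                                   # "AB": shorter than min_len
    + b"http://192.0.2.10/status\x00"                       # constructed URL
    + b"\x41\x42\x43\x44"                                   # "ABCD": a false positive
)

# Well-known system DLL names used to spot typosquatted imports (assumption: a short
# list is enough for the demo; a real tool would ship a larger one).
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll",
              "ws2_32.dll", "wsock32.dll", "wininet.dll", "shell32.dll", "gdi32.dll"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def fingerprint(data):
    """Hex digests to search for online. MD5 and SHA-1 are what the text mentions;
    SHA-256 is included because most lookup services key on it nowadays."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=4):
    """Return (offset, kind, text) for every ASCII and UTF-16LE run of at least min_len
    characters. Like Sysinternals strings, this ignores file structure and just scans
    bytes, so it also reports runs that are printable only by accident."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "unicode", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


def triage(strings):
    """Pick out the strings the text calls the most interesting: IPs, URLs, DLL names,
    and DLL names that only look like a system DLL once digits are read as letters."""
    hits = {"ip": [], "url": [], "dll": [], "lookalike": []}
    for _, _, text in strings:
        if URL_RE.search(text):
            hits["url"].append(text)
        ip = IP_RE.search(text)
        if ip:
            hits["ip"].append(ip.group())
        low = text.lower()
        if low.endswith(".dll"):
            if low in KNOWN_DLLS:
                hits["dll"].append(text)
            elif low.replace("1", "l").replace("0", "o") in KNOWN_DLLS:
                hits["lookalike"].append(text)   # e.g. kerne132.dll -> kernel32.dll
            else:
                hits["dll"].append(text)
    return hits


if __name__ == "__main__":
    print(fingerprint(SAMPLE))
    for offset, kind, text in extract_strings(SAMPLE):
        print(f"{offset:#06x} {kind:7} {text}")
    print(triage(extract_strings(SAMPLE)))
```

Run it on a real file by replacing SAMPLE with the file's bytes. The "ABCD" hit shows the false-positive behaviour the text warns about: four printable bytes in a row are reported whether or not they were ever meant as text.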

Packed software [PEiD / exeinfope]

Sometimes the malware we are analyzing is packed. This is a problem because the packer hides a lot of information from us, so that static analysis becomes almost useless.
There are many programs that can help us find the packer used. For example:
- PEiD: it is a detector for PE (Portable Executable - Exe/Dll) files, similar to an anti-virus except that it detects what a file is, not what it does. Mostly it detects packers and protectors like UPX, PECompact, Armadillo etc., but it has a customisable database to add your own detections. Be careful, because PEiD has been discontinued since April 2011 and because many PEiD plugins will run the executable without warning. Despite this, it is the best tool available for packer detection.
- exeinfope is another good tool.

Here is an example of the PEiD interface


PE Header [Dependency Walker / PEView / Resource Hacker Tool]
The PE header can give us a lot of information about the behaviour of an executable.
Using the Dependency Walker program we can find information about:
- dynamically linked functions;
- imported DLLs.

For example in the above image, in pane 3, we can find all the functions imported from kernel32.dll. If we know which functions are used, we can deduce the malware's behavior.
There is also a way to import functions 'on the fly', using some important functions:
- LoadLibrary
- GetProcAddress
- LdrGetProcAddress
- LdrLoadDll
So if you find these functions, it means that the malware is going to hide its intentions from you. If you want to understand its behavior in more detail you have to debug it (but this is a story for another time).
As just said, we can find information about all the DLLs imported by the executable, and each of them can tell us something.
Dll | Description
--- | ---
Advapi32.dll | This DLL provides access to the Service Manager and the Registry.
User32.dll | This DLL contains all the user-interface components, such as buttons, scrollbars, and components for controlling and responding to user actions.
Gdi32.dll | This DLL contains functions for displaying and manipulating graphics.
Kernel32.dll | This is a very common DLL that contains core functionality, such as access to and manipulation of memory, files, and hardware.
Shell32.dll | Tells us that the program can launch other programs.
Ntdll.dll | This DLL is the interface to the Windows kernel. Executables generally do not import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file, it means that the author intended to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
WSock32.dll / Ws2_32.dll | These are networking DLLs. A program that accesses either of these most likely connects to a network or performs network-related tasks.
Wininet.dll | This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.


We can also get information about the PE header using the PEView tool. Sections are very important because we can see whether there are only standard sections (as listed below) or also custom sections; in the latter case we are dealing with a packer.

Section | Description
--- | ---
.text | Contains the executable code
.rdata | Holds read-only global data that is accessible within the program
.data | Stores global data accessed throughout the program
.idata | Sometimes present; stores the import function information. If this section is not present, the import function information is stored in the .rdata section
.edata | Sometimes present; stores the export function information. If this section is not present, the export function information is stored in the .rdata section
.pdata | Present only in 64-bit executables; stores exception-handling information
.rsrc | Stores resources needed by the executable
.reloc | Contains information for relocation of library files
We can also look at the .rsrc section (looking for interesting strings) using the free Resource Hacker tool.
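The section checks described above can be scripted. The following Python code is an added example, not PEView's or the author's code: it builds two constructed PE32 headers (a normally compiled layout and a UPX-style packed layout; the section names, addresses and sizes are invented for the demo), parses the DOS header, COFF header, optional header and section table with struct, and reports the packer indicators a PEView user looks for by eye: non-standard section names, a section with no data on disk but a large virtual size, sections that are both writable and executable, and an entry point outside .text.

```python
import struct

# Section names a normally compiled Windows executable uses (from the table above).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
OPTIONAL_HEADER_SIZE = 224  # PE32


def build_pe(sections, entry_point):
    """Assemble a minimal PE32 header only (DOS header, PE signature, COFF header,
    optional header, section table). Constructed for the demo; not a loadable image.
    sections: (name, virtual_size, virtual_address, raw_size, raw_pointer, flags)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew at 0x3c -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_point)
           + b"\0" * (OPTIONAL_HEADER_SIZE - 20))               # AddressOfEntryPoint at +16
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii"), vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Two constructed headers: a plain build and a UPX-style packed one (invented values).
CLEAN = build_pe([(".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
                  (".rdata", 0x800, 0x2000, 0x800, 0x1400, 0x40000040),
                  (".data", 0x400, 0x3000, 0x200, 0x1C00, 0xC0000040)], entry_point=0x1100)
PACKED = build_pe([("UPX0", 0x10000, 0x1000, 0, 0x400, 0xE0000080),
                   ("UPX1", 0x5000, 0x11000, 0x4000, 0x400, 0xE0000040),
                   (".rsrc", 0x1000, 0x16000, 0x1000, 0x4400, 0xC0000040)], entry_point=0x15000)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"machine": machine, "magic": magic, "entry": entry, "sections": sections}


def packer_indicators(info):
    """The signs of packing a PEView user checks by eye, as a list of findings."""
    findings = []
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: no data on disk but {s['vsize']:#x} bytes in memory (unpack target)")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: section is both writable and executable")
    entry = info["entry"]
    home = [s for s in info["sections"]
            if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])]
    if not home:
        findings.append(f"entry point {entry:#x} lies outside every section")
    elif home[0]["name"] != ".text":
        findings.append(f"entry point {entry:#x} is in {home[0]['name']}, not .text")
    return findings


if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("packed", PACKED)):
        info = parse_sections(image)
        print(label, [s["name"] for s in info["sections"]], packer_indicators(info) or "no indicators")
```

To use it on a real file, pass the file's bytes to parse_sections; the parser only reads the headers, so the rest of the image is never touched. The packed header above trips six indicators, the clean one none.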


Basic Dynamic Analysis.
Dynamic analysis techniques are the second step in the malware analysis process. Dynamic analysis is typically
performed after basic static analysis has reached a dead end, whether due to obfuscation, packing, or the analyst
having exhausted the available static analysis techniques.

Monitor malware activity [procmon / regshot / Process Explorer]

Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity. It combines and enhances the functionality of two legacy tools: FileMon and RegMon.

If you want to filter the activity of a particular file you have to choose the "Filter > Filter" menu option and specify the filename you are looking for.

There are also four important filters on the toolbar that let you filter:
- Registry
- File system
- Process activity
- Network: be careful, this logging does not work consistently across Microsoft Windows versions.
Procmon is very useful because it lets us know what our target is doing with the external environment (registry, file system and network).
Sometimes our target generates a lot of operations, especially on the registry. So it is very useful to have a tool that compares two snapshots and gives us just the differences between them.
Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots.

Regshot is very simple to use. There are only a few steps:
1. Click on the '1st shot' button;
2. Execute the malware;
3. Click on the '2nd shot' button when you think the malware has finished its activity;
4. Click on the 'cOmpare' button.
At the end the software will give you a list of the operations the malware has performed on the registry.
This type of information is very useful because it is not a simple log, it is an elaborated one.
Here is an example of the regshot output:
====================================================================
Regshot 1.9.0 x86 ANSI
Comments:
Datetime: 2014/2/1 21:12:14 , 2014/2/1 21:13:07
Computer: TESTXP , TESTXP
Username: admin , admin

----------------------------------
Keys added: 1
----------------------------------
HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftMultimediaWaveOwner

----------------------------------
Values added: 19
----------------------------------
HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftWindowsShellBags1DesktopScrollPos1313x932(1).x: 0x00000000
HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftWindowsShellBags1DesktopScrollPos1313x932(1).y: 0x00000000
HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftWindowsShellNoRoamBags381ShellMinPos1313x932(1).x: …
HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftWindowsShellNoRoamMUICache@shell32.dll,-31237: "Crea una nuova cartella, vuota, nella cartella aperta."

----------------------------------
Values modified: 18
----------------------------------
HKLMSYSTEMControlSet001ControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Left: 0xFFFFF729
HKLMSYSTEMControlSet001ControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Left: 0xFFFFF566
HKLMSYSTEMControlSet001ControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Right: 0xFFFFF729
HKLMSYSTEMControlSet001ControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Right: 0xFFFFF566
HKLMSYSTEMControlSet001ControlDeviceClasses{6994AD04-93EF-11D0-A3CC-00A0C9223196}##?#PCI#VEN_1274&DEV_1371&SUBSYS_13711274&REV_02#4&47B7341&0&0888#{6994ad04-93ef-11d0-a3cc
…
HKLMSYSTEMCurrentControlSetControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Left: 0xFFFFF729
HKLMSYSTEMCurrentControlSetControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Left: 0xFFFFF566
HKLMSYSTEMCurrentControlSetControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Right: 0xFFFFF729
HKLMSYSTEMCurrentControlSetControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Right: 0xFFFFF566
====================================================================
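Regshot's comparison is simple to reproduce, and doing so lets you add the one thing the raw report lacks: a way to separate noise (ShellBags, MUICache and audio volume settings, as in the output above) from entries that matter, such as a new Run value or a new service. The following Python code is an added example, not regshot's code; the two snapshots are constructed dictionaries with placeholder SIDs, GUIDs and paths, and the persistence and noise marker lists are an assumption sized for the demo.

```python
# Constructed before/after snapshots: {key_path: {value_name: data}}. SIDs, GUIDs and
# paths are placeholders, not values from any real system.
RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
MUI = "HKU\\S-1-5-21-EXAMPLE-1003\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache"
VOL = "HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{GUID-PLACEHOLDER}\\0000\\Settings"
SVC = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc"

BEFORE = {
    RUN: {"ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"},
    MUI: {"@shell32.dll,-31237": "Create a new, empty folder in the open folder."},
    VOL: {"CDVol_Left": "0xFFFFF729", "CDVol_Right": "0xFFFFF729"},
}
AFTER = {
    RUN: {"ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe", "Updater": "C:\\TEMP\\example.exe"},
    MUI: {"@shell32.dll,-31237": "Create a new, empty folder in the open folder.",
          "C:\\TEMP\\example.exe": "example"},
    VOL: {"CDVol_Left": "0xFFFFF566", "CDVol_Right": "0xFFFFF729"},
    SVC: {"ImagePath": "C:\\TEMP\\example.exe", "Start": 2},
}

# Assumed marker lists, sized for the demo. Persistence: places where a program registers
# to be started again. Noise: keys Explorer and the audio driver rewrite on their own.
PERSISTENCE_MARKERS = ("\\CurrentVersion\\Run", "\\Services\\", "\\Winlogon\\")
NOISE_MARKERS = ("\\Shell\\Bags\\", "\\ShellNoRoam\\", "\\CDVol_")


def diff_snapshots(before, after):
    """Regshot-style comparison: keys added/deleted, values added/deleted/modified."""
    report = {"keys_added": sorted(after.keys() - before.keys()),
              "keys_deleted": sorted(before.keys() - after.keys()),
              "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(new.keys() - old.keys()):
            report["values_added"].append((f"{key}\\{name}", new[name]))
        for name in sorted(old.keys() - new.keys()):
            report["values_deleted"].append((f"{key}\\{name}", old[name]))
        for name in sorted(old.keys() & new.keys()):
            if old[name] != new[name]:
                report["values_modified"].append((f"{key}\\{name}", old[name], new[name]))
    return report


def format_entry(kind, entry):
    """One report line in the style 'path: data' or 'path: old -> new'."""
    if kind.startswith("keys_"):
        return entry
    if kind == "values_modified":
        path, old, new = entry
        return f"{path}: {old!r} -> {new!r}"
    path, data = entry
    return f"{path}: {data!r}"


def classify(report):
    """Split the diff into what to look at first (persistence), what to ignore (noise),
    and the rest, keeping the regshot category in each line."""
    buckets = {"persistence": [], "noise": [], "other": []}
    for kind, entries in report.items():
        for entry in entries:
            path = entry if isinstance(entry, str) else entry[0]
            line = f"[{kind}] {format_entry(kind, entry)}"
            if any(m.lower() in path.lower() for m in PERSISTENCE_MARKERS):
                buckets["persistence"].append(line)
            elif any(m.lower() in path.lower() for m in NOISE_MARKERS):
                buckets["noise"].append(line)
            else:
                buckets["other"].append(line)
    return buckets


if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for kind, entries in report.items():
        print(f"{kind.replace('_', ' ').capitalize()}: {len(entries)}")
    for bucket, lines in classify(report).items():
        print(f"--- {bucket} ---")
        print("\n".join(lines) or "(none)")
```

On the constructed snapshots the persistence bucket receives the new service key, its two values and the new Run value, while the MUICache entry and the CDVol_Left change land in the noise bucket, which is the split an analyst wants before reading a report with hundreds of lines.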

Another important tool is Process Explorer. This tool monitors the processes running on a system and shows them in a tree structure that displays child and parent relationships.

Process Explorer can also be useful for detecting whether a file is signed by Microsoft.
You can achieve this in several ways:
- Click on the Verify button to verify that the image on disk is, in fact, the Microsoft-signed binary. Because Microsoft uses digital signatures for most of its core executables, when Process Explorer verifies that a signature is valid, you can be sure that the file is actually the executable from Microsoft.
- Compare the strings in memory with the strings in the on-disk executable image.


Go deep into network traffic.

Malware often needs to connect to a remote server, for many reasons. For example it needs to send information to that remote host, or it needs to get commands from it.
So it is very important to understand which sort of traffic is generated from and to the malware.
To get this information we have to stage a sort of MITM (Man In The Middle) attack against the malware.
First of all we use ApateDNS (a free tool from Mandiant) to see the DNS requests made by the malware.
To use ApateDNS you have to set:
- DNS Reply IP: the IP address you want to send in DNS responses;
- # of NXDOMAIN's: an option that can help us find all the domains the malware will loop through;
- Selected interface: the ethernet interface we want to use.

We can set 'DNS Reply IP' to localhost (as in the above example) or we can set it to redirect all the traffic to another machine, for example a Linux machine or, better, a virtual Linux machine.
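To make concrete what ApateDNS does with those settings, here is an added Python example (not Mandiant's code and not part of the original document) that builds DNS responses: it answers every A query with the configured 'DNS Reply IP', answers the first N queries with NXDOMAIN so that a sample cycles through its fallback domains, and records every name asked for. The query builder, the domain names and the reply address are constructed for the demo; a UDP serving loop is included for a lab machine but only the pure message functions are exercised here.

```python
import socket
import struct

QTYPE_A = 1


def build_query(name, txid=0x1234, recursion_desired=True):
    """A minimal DNS query for an A record (constructed input for the demo)."""
    header = struct.pack(">HHHHHH", txid, 0x0100 if recursion_desired else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_A, 1)


def parse_query(pkt):
    """Pull transaction id, RD flag, name and type out of a query; refuse responses."""
    txid, flags, qdcount, _, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    offset, labels = 12, []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack_from(">HH", pkt, offset)
    return {"id": txid, "rd": bool(flags & 0x0100), "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "question": pkt[12:offset + 4]}


class FakeDns:
    """ApateDNS-like responder: 'DNS Reply IP' and '# of NXDOMAIN's' as settings,
    plus a log of every name requested."""

    def __init__(self, reply_ip, nxdomain_first=0):
        self.reply_ip = reply_ip
        self.nxdomain_first = nxdomain_first
        self.seen = []   # (name, what we answered), in order of arrival

    def respond(self, pkt):
        q = parse_query(pkt)
        nxdomain = len(self.seen) < self.nxdomain_first
        # QR=1, RD copied from the query, RA=1, RCODE 3 (NXDOMAIN) or 0
        flags = 0x8000 | (0x0100 if q["rd"] else 0) | 0x0080 | (3 if nxdomain else 0)
        if nxdomain or q["qtype"] != QTYPE_A:
            self.seen.append((q["name"], "NXDOMAIN" if nxdomain else "no answer"))
            return struct.pack(">HHHHHH", q["id"], flags, 1, 0, 0, 0) + q["question"]
        # One A record; 0xC00C is a compression pointer back to the question name.
        answer = struct.pack(">HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + socket.inet_aton(self.reply_ip)
        self.seen.append((q["name"], self.reply_ip))
        return struct.pack(">HHHHHH", q["id"], flags, 1, 1, 0, 0) + q["question"] + answer


def parse_answer(resp):
    """Read back id, RCODE and the answered IP (None for NXDOMAIN/empty), for checking."""
    txid, flags, _, ancount, _, _ = struct.unpack_from(">HHHHHH", resp, 0)
    if ancount == 0:
        return {"id": txid, "rcode": flags & 0xF, "ip": None}
    offset = 12
    while resp[offset] != 0:               # skip the question name
        offset += 1 + resp[offset]
    offset += 1 + 4                         # terminator + QTYPE/QCLASS
    _, _, _, _, rdlength = struct.unpack_from(">HHHIH", resp, offset)
    rdata = resp[offset + 12:offset + 12 + rdlength]
    return {"id": txid, "rcode": flags & 0xF, "ip": socket.inet_ntoa(rdata)}


def serve(sink, bind="0.0.0.0", port=53):
    """UDP loop for a lab machine (not run here; binding port 53 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        pkt, peer = sock.recvfrom(512)
        sock.sendto(sink.respond(pkt), peer)
        print(sink.seen[-1])


if __name__ == "__main__":
    sink = FakeDns("192.168.110.2", nxdomain_first=2)
    for name in ("update.example", "update.example", "www.example"):
        print(name, parse_answer(sink.respond(build_query(name))))
```

With nxdomain_first set to 2 the first two lookups fail and the third is answered with the reply address, which is exactly the trick the '# of NXDOMAIN's' option plays to make a sample reveal its whole domain list; sink.seen is the request log you would read off the ApateDNS window.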
On the Linux machine we can install INetSim, a free, Linux-based software suite for simulating common Internet services. INetSim does its best to look like a real server.
And because INetSim is built with malware analysis in mind, it offers many unique features, such as its Dummy service, which logs all data received from the client, regardless of the port. The Dummy service is most useful for capturing all traffic sent from the client to ports not bound to any other service module. You can use it to record all ports to which the malware connects and the corresponding data that is sent.
Here is an example of all the services the tool starts up:

 * dns 53/udp/tcp - started (PID 9992)
 * http 80/tcp - started (PID 9993)
 * https 443/tcp - started (PID 9994)
 * smtp 25/tcp - started (PID 9995)
 * irc 6667/tcp - started (PID 10002)
 * smtps 465/tcp - started (PID 9996)
 * ntp 123/udp - started (PID 10003)
 * pop3 110/tcp - started (PID 9997)
 * finger 79/tcp - started (PID 10004)
 * syslog 514/udp - started (PID 10006)
 * tftp 69/udp - started (PID 10001)
 * pop3s 995/tcp - started (PID 9998)
 * time 37/tcp - started (PID 10007)
 * ftp 21/tcp - started (PID 9999)
 * ident 113/tcp - started (PID 10005)
 * time 37/udp - started (PID 10008)
 * ftps 990/tcp - started (PID 10000)
 * daytime 13/tcp - started (PID 10009)
 * daytime 13/udp - started (PID 10010)
 * echo 7/tcp - started (PID 10011)
 * echo 7/udp - started (PID 10012)
 * discard 9/udp - started (PID 10014)
 * discard 9/tcp - started (PID 10013)
 * quotd 17/tcp - started (PID 10015)
 * quotd 17/udp - started (PID 10016)
 * chargen 19/tcp - started (PID 10017)
 * dummy 1/udp - started (PID 10020)
 * chargen 19/udp - started (PID 10018)
 * dummy 1/tcp - started (PID 10019)

There is another very interesting tool we must use to monitor the network traffic: Wireshark.
Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set. The most common and useful one is the ability to view the contents of a TCP session; you just have to right-click any TCP packet and select 'Follow TCP Stream'.
Attention:
Wireshark is known to have had many security vulnerabilities, so be sure to run it in a safe environment.
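'Follow TCP Stream' is a reassembly operation: Wireshark sorts the captured segments of one connection by sequence number, discards retransmissions, trims overlaps, and shows each direction's payload as one contiguous byte stream. The following Python code is an added example (not Wireshark's code and not part of the original document) that performs that reassembly over constructed segments of a small HTTP exchange delivered out of order, with a duplicate and an overlap, and reports any hole left by a segment that was never captured.

```python
# Constructed HTTP exchange (not a real capture). Each segment: (direction, seq, payload).
CLIENT_REQUEST = b"GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
SERVER_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK"

SEGMENTS = [
    ("client", 1022, CLIENT_REQUEST[22:40]),   # arrives before the first segment
    ("client", 1000, CLIENT_REQUEST[:22]),
    ("client", 1000, CLIENT_REQUEST[:22]),     # retransmission: must be dropped
    ("server", 5000, SERVER_REPLY[:17]),
    ("server", 5010, SERVER_REPLY[10:36]),     # overlaps the previous segment by 7 bytes
    ("client", 1040, CLIENT_REQUEST[40:]),
    ("server", 5036, SERVER_REPLY[36:]),
]


def reassemble(segments):
    """Per direction: order by sequence number, drop bytes already delivered, trim
    overlaps, and record holes. Returns {direction: {"data", "gaps", "dropped"}}."""
    streams = {}
    for direction in sorted({d for d, _, _ in segments}):
        ordered = sorted((seq, data) for d, seq, data in segments if d == direction and data)
        out, gaps, dropped = bytearray(), [], 0
        expected = ordered[0][0] if ordered else 0     # first seq seen stands in for the ISN
        for seq, data in ordered:
            end = seq + len(data)
            if end <= expected:                         # pure retransmission
                dropped += 1
                continue
            if seq < expected:                          # partial overlap: keep the new tail
                data, seq = data[expected - seq:], expected
            if seq > expected:                          # hole: segment not captured
                gaps.append((expected, seq))
            out += data
            expected = end
        streams[direction] = {"data": bytes(out), "gaps": gaps, "dropped": dropped}
    return streams


def follow(segments):
    """Text in the spirit of Wireshark's 'Follow TCP Stream': one block per direction."""
    lines = []
    for direction, stream in reassemble(segments).items():
        lines.append(f"--- {direction} ({len(stream['data'])} bytes, "
                     f"{stream['dropped']} retransmissions dropped, {len(stream['gaps'])} gaps) ---")
        lines.append(stream["data"].decode("latin-1"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(follow(SEGMENTS))
```

Wireshark does the same bookkeeping per direction, which is why the client request and the server reply come out as two clean blocks even though the segments were captured interleaved and out of order. The gaps list is what shows up as "[TCP segment not captured]" in the GUI.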


So what the hell can we do?
We have analyzed all the main tools we need to perform a dynamic analysis; so how can we put all this software together to get the most out of our analysis?
We have a Windows machine and we have to do a few things on it:
1. Start procmon, with a filter on the malware name
2. Start Process Explorer
3. Take the first snapshot with regshot
4. Configure our virtual network (ApateDNS - INetSim)
5. Start Wireshark to capture all the network traffic.
We also have a Linux machine with INetSim installed on it.
So this is the situation:

Windows Virtual Machine (IP: 192.168.110.1)
- Target: the malware
- Tools: ApateDNS, procmon, regshot, Process Explorer, Wireshark
- DNS (53): ApateDNS redirects to 192.168.110.2

Linux Virtual Machine (IP: 192.168.110.2)
- Tool: INetSim
- Services: HTTP 80, HTTPS 443, FTP 21, SMTP 25, etc.

At this point we can run the malware and look at our tools to find as much information as we need:
1. We can look at ApateDNS to see which DNS requests were performed;
2. We can look at procmon to find which files and folders our malware has modified or created;
3. We can compare the regshot snapshots to see what the malware has done to our registry;
4. We can look at Process Explorer to see whether the malware has generated threads;
5. We can also look at the Wireshark traffic in light of the information we have obtained from ApateDNS and INetSim.

Summary
Static and dynamic malware analysis help us understand in detail what behavior was implemented in the malware. If we know which registry keys/values it has modified, which files it has created, what the malware has reported to a remote server and which commands it has received from that host, then we can safely assume that it is possible, and not so tricky, to cut the malware out of our PC.
However, sometimes it is necessary to go much deeper; for example, what can we do if the malware communicates with the remote host using an encrypted custom protocol? In this case, and in some others, we need to reverse engineer the malware code.
This will be the subject of the next episode, 'Inside Windows Malicious Software'.

On the Web
● http://bit.ly/ic4plL - strings tool
● http://woodmann.com/BobSoft/Pages/Programs/PEiD - PEiD tool
● http://www.woodmann.com/collaborative/tools/index.php/ExeInfo_PE - exeinfope tool
● http://www.dependencywalker.com/ - Dependency Walker tool
● http://peview.sourceforge.net/ - PEView tool
● http://www.angusj.com/resourcehacker/ - Resource Hacker tool
● http://download.sysinternals.com/files/ProcessMonitor.zip - procmon tool
● http://sourceforge.net/projects/regshot/ - regshot tool
● http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx - Process Explorer tool
● https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns - ApateDNS tool
● http://www.inetsim.org/downloads.html - INetSim tool
● http://www.wireshark.org/download.html - wireshark tool

About the author
Luigi Capuzzello started with computing in late 1986 (with a beautiful Apple IIe) when he was thirteen years old.
After taking a degree in robotics he has worked for more than fifteen years in several areas of IT, but now he is strongly focused on IT security.
His main tasks are related to testing application security (especially web applications) and to reverse engineering techniques.
Specialties: Project Management, Information Security, Vulnerability Analysis, Penetration Testing, Ethical Hacking, Web Application Security
You can find him on http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a

Other Specification
- Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code [Paperback]
- The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig

 
CHAPTER 2 BASIC ANALYSIS.pdf
CHAPTER 2 BASIC ANALYSIS.pdfCHAPTER 2 BASIC ANALYSIS.pdf
CHAPTER 2 BASIC ANALYSIS.pdf
ManjuAppukuttan2
 
Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering,  Available at: www....Malware analysis and detection using reverse Engineering,  Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....
Research Publish Journals (Publisher)
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
shreyng
 

Similar to Cutting out Malware (20)

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detection
 
File inflection techniques
File inflection techniquesFile inflection techniques
File inflection techniques
 
App locker
App lockerApp locker
App locker
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Report on forensics tools
Report on forensics toolsReport on forensics tools
Report on forensics tools
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
CHAPTER 2 BASIC ANALYSIS.ppt
CHAPTER 2 BASIC ANALYSIS.pptCHAPTER 2 BASIC ANALYSIS.ppt
CHAPTER 2 BASIC ANALYSIS.ppt
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
 
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdf
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdfMalware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdf
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdf
 
Rootkit case
Rootkit caseRootkit case
Rootkit case
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Eng present Malware BSI
Eng present Malware BSIEng present Malware BSI
Eng present Malware BSI
 
CHAPTER 2 BASIC ANALYSIS.pdf
CHAPTER 2 BASIC ANALYSIS.pdfCHAPTER 2 BASIC ANALYSIS.pdf
CHAPTER 2 BASIC ANALYSIS.pdf
 
Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering,  Available at: www....Malware analysis and detection using reverse Engineering,  Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 

Recently uploaded

Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 

Recently uploaded (20)

Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 

Cutting out Malware

LUIGI CAPUZZELLO

Cutting out Malware
Integrated malware analysis.
Version: 1.0

Luigi Capuzzello
11/01/2014

http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
http://www.slideshare.net/luigicapuzzello
@FisherKasparov
luigi.capuzzello

A good introduction to malware analysis, offering detailed coverage of all the essential skills required to understand the specific challenges presented by modern malware.
Contents

Introduction .......... 3
  What you will learn .......... 3
  What you should know .......... 3
Basic Static Analysis .......... 3
  Hashing: [winMD5free] .......... 3
  String: [strings] .......... 3
  Packed software [PEiD / exeinfope] .......... 4
  PE Header [Dependency Walker / PEView / Resource Hacker Tool] .......... 5
Basic Dynamic Analysis .......... 7
  Monitor malware activity [procmon / regshot / Process Explorer] .......... 7
  Go deep into network traffic .......... 9
So what the hell can we do ? .......... 11
Summary .......... 11
On the Web .......... 11
About the author .......... 12
Other Specification .......... 12
Introduction.

An email arrives in your inbox; it's from your girlfriend Ann. She invites you to see her in a very funny picture. Click! "But... what? This picture is not really funny, and... she is not Ann."

Day by day we store more and more confidential information on our computers, from site account credentials to our bank account. Day by day malware becomes more and more silent; it does not want you to be suspicious, it just wants to stay in your device to do something... that you don't want.

What you will learn...
- Configuring a malware analysis lab
- Assembling a real toolkit for malware forensics
- Performing behavioral analysis of malicious Windows executables
- Performing static and dynamic code analysis of malicious Windows executables

What you should know...
- What a PE header is
- Knowledge of network protocols
- Basic knowledge of the Windows registry and processes

Basic Static Analysis.

Static analysis describes the process of analyzing the code and the structure of a program to determine its main features. In this phase of the analysis the program itself is not running; we are just analyzing a file, a sequence of bytes. We have to collect as much information as possible. All the information, even what looks trivial, is actually extremely important, above all when you go deep into the malware analysis. You can find several tools for static analysis, but only a few of them are really interesting. In the next sections I will describe the juiciest tools and show you how to use them.

Hashing: [winMD5free].

First of all, it is a good idea to get a fingerprint of the malware. Hashing is a common method used to uniquely identify malware; the Message Digest Algorithm 5 (MD5) and the Secure Hash Algorithm (SHA-1) are the methods most commonly used. For example, we can use winMD5Free to get the hash and then search for it online. If the malware is a well-known one you will find everything about it; once you know what a malware is able to do, it cannot hurt you anymore. This is an example of winMD5Free; it calculates the MD5 hash of a particular program. Once you have the identity card of the malware you can use it on Google to discover all about it.

String: [strings].

Another method to find useful hints about a malware is to extract all the strings from the malware file.
The strings program can analyze a file to extract both ASCII and Unicode strings (that is, the Windows implementation of Unicode strings, also known as wide-character strings); it ignores context and formatting and just examines the bytes one by one. Because of this mechanism it may report characters or strings where there are none. You can use strings from the command line:

    E:\>strings.exe Lab01-01.exe
    Strings v2.51
    Copyright (C) 1999-2013 Mark Russinovich
    Sysinternals - www.sysinternals.com

    !This program cannot be run in DOS mode.
    Richm
    .text
    `.rdata
    @.data
    _^[
    UVWj
    @jjj
    D$0
    _controlfp
    _stricmp
    kerne132.dll
    Kernel32.
    Lab01-01.dll
    C:\Windows\System32\Kernel32.dll
    WARNING_THIS_WILL_DESTROY_YOUR_MACHINE

Error messages and IP addresses are the most interesting information we can find in a file. In the above example I have highlighted some important strings.

Packed software [PEiD / exeinfope]

Sometimes the malware we are analyzing is packed. This is a problem because the packer hides a lot of information from us, so that static analysis becomes almost useless. There is a lot of software that can help us find the packer used. For example:
- PEiD: a detector for PE (Portable Executable - Exe/Dll) files, similar to an anti-virus except that it detects what a file is, not what it does. Mostly it detects packer and protector programs like UPX, PECompact, Armadillo etc., but it has a customisable database to add your own detections. Be careful, because PEiD has been discontinued since April 2011, and because many PEiD plugins will run the executable without warning. Despite this, it is the best tool available for packer detection.
- exeinfope is another good tool.

Here is an example of the PEiD interface.
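The hashing and strings steps above, as an added Python example that is not part of the original deck and not the code of winMD5Free or Sysinternals strings: it fingerprints a byte buffer, pulls out ASCII and wide-character runs the way strings.exe does, and tags the runs an analyst would highlight (IP addresses, URLs, file names, error messages). The sample bytes, the 192.0.2.10 address and the tag rules are constructed for this example.

```python
import hashlib
import re

# Minimum run length; 3 is also the default of the Sysinternals strings tool.
MIN_LEN = 3
# Runs of printable ASCII bytes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Runs of UTF-16LE "wide" characters: a printable ASCII byte followed by a NUL.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed tag rules for the hints the text calls the most interesting ones.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://", re.I)
FILE_REF = re.compile(r"[\w:\\.-]+\.(?:dll|exe|sys)\b", re.I)
MESSAGE_WORDS = ("error", "warning", "fail")


def fingerprint(data: bytes) -> dict:
    """MD5 and SHA-1 of the whole file: the identity card used to search the sample online."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def extract_strings(data: bytes) -> list:
    """Return ASCII and wide strings, ignoring file structure just as strings.exe does."""
    found = []
    for m in ASCII_RUN.finditer(data):
        found.append({"kind": "ascii", "offset": m.start(),
                      "text": m.group().decode("ascii")})
    for m in WIDE_RUN.finditer(data):
        found.append({"kind": "wide", "offset": m.start(),
                      "text": m.group().decode("utf-16-le")})
    found.sort(key=lambda s: s["offset"])
    return found


def classify(text: str) -> list:
    """Tag a string with the reasons an analyst would highlight it."""
    tags = []
    if IPV4.search(text):
        tags.append("ip")
    if URL.search(text):
        tags.append("url")
    if FILE_REF.search(text):
        tags.append("file")
    if any(word in text.lower() for word in MESSAGE_WORDS):
        tags.append("message")
    return tags


def interesting(data: bytes) -> list:
    """Only the strings that got at least one tag; the rest is usually linker noise."""
    hits = []
    for s in extract_strings(data):
        tags = classify(s["text"])
        if tags:
            hits.append(dict(s, tags=tags))
    return hits


# Constructed sample: a fake MZ stub followed by strings modelled on the
# Lab01-01.exe output shown above, plus one wide-character URL. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"!This program cannot be run in DOS mode.\x00"
    + b".text\x00`.rdata\x00@.data\x00"
    + b"kerne132.dll\x00Kernel32.\x00"
    + b"C:\\Windows\\System32\\Kernel32.dll\x00\x00"
    + "http://192.0.2.10/update".encode("utf-16-le") + b"\x00\x00"
    + b"WARNING_THIS_WILL_DESTROY_YOUR_MACHINE\x00"
)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE)
    print("MD5 ", fp["md5"])
    print("SHA1", fp["sha1"])
    for hit in interesting(SAMPLE):
        print(f"{hit['offset']:#08x} {hit['kind']:5} {','.join(hit['tags']):10} {hit['text']}")
```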
PE Header [Dependency Walker / PEView / Resource Hacker Tool]

The PE header can give us a lot of information about executable behaviour. Using the Dependency Walker program we can find information about:
- dynamically linked functions;
- imported DLLs.

For example, in the above image, in pane 3, we can see all the functions imported from kernel32.dll. If we know which functions are used, we can deduce the malware's behavior. There is also a way to import functions 'on the fly', using some important functions:
- LoadLibrary
- GetProcAddress
- LdrGetProcAddress
- LdrLoadDll

So if you find these functions, it means that the malware is going to hide its intentions from you. If you want to understand its behavior in more detail you have to debug it (but that is a story for another time). As just said, we can find information about all the DLLs imported into the executable file, and each of them can tell us something.

DLL: Description
- Advapi32.dll: This DLL provides access to the Service Manager and Registry.
- User32.dll: This DLL contains all the user-interface components, such as buttons, scrollbars, and components for controlling and responding to user actions.
- Gdi32.dll: This DLL contains functions for displaying and manipulating graphics.
- Kernel32.dll: This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware.
- Shell32.dll: Tells us that the program can launch other programs.
- Ntdll.dll: This DLL is the interface to the Windows kernel. Executables generally do not import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file, it means that the author intended to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
- WSock32.dll - Ws2_32.dll: These are networking DLLs. A program that accesses either of these most likely connects to a network or performs network-related tasks.
- Wininet.dll: This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.
We can also get information about the PE header using the PEView tool. Sections are very important because we can see whether there are only standard sections (as listed below) or also custom sections, in which case we are dealing with a packer.

Section: Description
- .text: Contains the executable code
- .rdata: Holds read-only global data that is accessible within the program
- .data: Stores global data accessed throughout the program
- .idata: Sometimes present and stores the import function information; if this section is not present, the import function information is stored in the .rdata section
- .edata: Sometimes present and stores the export function information; if this section is not present, the export function information is stored in the .rdata section
- .pdata: Present only in 64-bit executables and stores exception-handling information
- .rsrc: Stores resources needed by the executable
- .reloc: Contains information for relocation of library files

We can also look at the .rsrc section (looking for interesting strings) using the free Resource Hacker tool.
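The section check described above (standard names versus custom ones), as an added Python example that is not part of the original deck and not PEView's code: it walks the DOS header, PE signature, COFF header and section table by hand, then flags what a packer leaves behind. It goes a little beyond the text by also flagging sections that are empty on disk but large in memory, and sections that are both writable and executable. The two section layouts and the minimal image builder are constructed for this example.

```python
import struct

# Section names the text lists as standard; anything else is a packer hint.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata",
                     ".edata", ".pdata", ".rsrc", ".reloc"}

# IMAGE_SECTION_HEADER.Characteristics flags (values from the PE specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HEADER = "<HHIIIHH"          # 20 bytes: IMAGE_FILE_HEADER
SECTION_HEADER = "<8sIIIIIIHHI"   # 40 bytes: IMAGE_SECTION_HEADER


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe, coff)
    table = coff + struct.calcsize(COFF_HEADER) + opt_size   # optional header size varies
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HEADER, pe, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_offset": rawptr,
            "characteristics": chars,
        })
    return sections


def packer_indicators(sections: list) -> list:
    """Return (section name, reason) pairs that point to a packed or self-modifying image."""
    findings = []
    for s in sections:
        chars = s["characteristics"]
        if s["name"] not in STANDARD_SECTIONS:
            findings.append((s["name"], "non-standard section name"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], f"empty on disk but {s['virtual_size']:#x} bytes "
                                        "in memory: filled by an unpacking stub at run time"))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable and executable: code is rewritten before it runs"))
    return findings


def build_sample_pe(layout: list) -> bytes:
    """Constructed minimal PE32 image: just enough headers for the section table to parse.
    layout entries: (name, virtual_size, virtual_address, raw_size, raw_offset, characteristics)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224                                   # PE32 optional header size
    coff = struct.pack(COFF_HEADER, 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # PE32 magic, rest zeroed
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode("ascii"), vsize, vaddr, rawsize, rawptr,
                    0, 0, 0, 0, chars)               # "8s" pads the name with NULs
        for name, vsize, vaddr, rawsize, rawptr, chars in layout)
    return bytes(dos) + b"PE\x00\x00" + coff + optional + table


# Constructed layouts: a plainly compiled program and a UPX-style packed one.
CLEAN_LAYOUT = [
    (".text",  0x1F00, 0x1000, 0x2000, 0x0400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", 0x0800, 0x3000, 0x0800, 0x2400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data",  0x0400, 0x4000, 0x0200, 0x2C00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
PACKED_LAYOUT = [
    ("UPX0",  0x9000, 0x1000, 0x0000, 0x0400, IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("UPX1",  0x2000, 0xA000, 0x1E00, 0x0400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x0400, 0xC000, 0x0400, 0x2200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]

if __name__ == "__main__":
    for label, layout in (("clean", CLEAN_LAYOUT), ("packed", PACKED_LAYOUT)):
        sections = parse_sections(build_sample_pe(layout))
        print(label, [s["name"] for s in sections])
        for name, reason in packer_indicators(sections):
            print(f"  {name:8} {reason}")
```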
Basic Dynamic Analysis.

Dynamic analysis techniques are the second step in the malware analysis process. Dynamic analysis is typically performed after basic static analysis has reached a dead end, whether due to obfuscation, packing, or the analyst having exhausted the available static analysis techniques.

Monitor malware activity [procmon / regshot / Process Explorer]

Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity. It combines and enhances the functionality of two legacy tools: FileMon and RegMon. If you want to filter the activity of a particular file you have to choose the "Filter > Filter" menu option and specify the filename you are looking for. There are also four important filters on the menu side bar that allow you to filter:
- Registry
- File system
- Process activity
- Network: note that network logging does not work consistently across Microsoft Windows versions.

Procmon is very useful because it shows what our target is doing with the external environment (registry, file system and network). Sometimes our target generates many operations, especially on the registry. So it can be very useful to have a tool that compares two snapshots and gives us just the differences between them. Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. It is very simple to use regshot. There are only three regshot operations you have to do:
- Click on the '1st shot' button;
- Execute the malware;
- Click on the '2nd shot' button when you think the malware has finished its activity;
- Click on the 'cOmpare' button.

At the end the software will give you a list of the operations the malware has performed on the registry. This type of information can be very useful because it is not a simple log, it is an elaborated one. Here is an example of the regshot output:

    ====================================================================
    Regshot 1.9.0 x86 ANSI
    Comments:
    Datetime: 2014/2/1 21:12:14 , 2014/2/1 21:13:07
    Computer: TESTXP , TESTXP
    Username: admin , admin

    ----------------------------------
    Keys added: 1
    ----------------------------------
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Multimedia\WaveOwner

    ----------------------------------
    Values added: 19
    ----------------------------------
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos1313x932(1).x: 0x00000000
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos1313x932(1).y: 0x00000000
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\NoRoam\Bags\381\Shell\MinPos1313x932(1).x: …
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\NoRoam\MUICache\@shell32.dll,-31237: "Crea una nuova cartella, vuota, nella cartella aperta."

    ----------------------------------
    Values modified: 18
    ----------------------------------
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CD\Vol_Left: 0xFFFFF729
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CD\Vol_Left: 0xFFFFF566
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CD\Vol_Right: 0xFFFFF729
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CD\Vol_Right: 0xFFFFF566
    HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_1274&DEV_1371&SUBSYS_13711274&REV_02#4&47B7341&0&0888#{6994ad04-93ef-11d0-a3cc …
    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CD\Vol_Left: 0xFFFFF729
    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CD\Vol_Left: 0xFFFFF566
    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CD\Vol_Right: 0xFFFFF729
    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CD\Vol_Right: 0xFFFFF566
    ====================================================================

Another important tool is Process Explorer. This tool monitors the processes running on a system and shows them in a tree structure that displays child and parent relationships. Process Explorer can also be useful in detecting whether a file is Microsoft signed. You can achieve this task in several ways:
- Click on the Verify button to verify that the image on disk is, in fact, the Microsoft signed binary. Because Microsoft uses digital signatures for most of its core executables, when Process Explorer verifies that a signature is valid, you can be sure that the file is actually the executable from Microsoft.
- Compare the in-memory strings with the strings in the on-disk executable image.
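The snapshot comparison that regshot performs, as an added Python example that is not part of the original deck and not regshot's own code: two snapshots modelled as dictionaries are diffed into the same five buckets regshot prints, and the result is then sorted into autostart changes, other changes and explorer noise (the ShellBags and MUICache churn visible in the output above), which goes beyond the text by ranking what to read first. The snapshot model, the placeholder SID and paths, and the marker lists are assumptions of this example.

```python
from typing import Dict

# Snapshot model used by this example (not regshot's own format):
# registry key path -> {value name: data}
Snapshot = Dict[str, Dict[str, object]]

# Explorer housekeeping seen in the regshot output above; rarely caused by the sample itself.
NOISE_MARKERS = ("\\Shell\\Bags\\", "\\Shell\\NoRoam\\", "\\MUICache")
# Autostart locations: a new value here is the first thing to read in the report.
AUTOSTART_MARKERS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce",
                     "\\CurrentControlSet\\Services\\")


def compare_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Same five buckets regshot prints: keys added/deleted, values added/deleted/modified."""
    diff = {"keys_added": sorted(set(after) - set(before)),
            "keys_deleted": sorted(set(before) - set(after)),
            "values_added": [], "values_deleted": [], "values_modified": []}
    for key in diff["keys_added"]:
        diff["values_added"] += [(key, n, d) for n, d in sorted(after[key].items())]
    for key in diff["keys_deleted"]:
        diff["values_deleted"] += [(key, n, d) for n, d in sorted(before[key].items())]
    for key in sorted(set(before) & set(after)):
        old, new = before[key], after[key]
        diff["values_added"] += [(key, n, new[n]) for n in sorted(set(new) - set(old))]
        diff["values_deleted"] += [(key, n, old[n]) for n in sorted(set(old) - set(new))]
        diff["values_modified"] += [(key, n, old[n], new[n])
                                    for n in sorted(set(old) & set(new)) if old[n] != new[n]]
    return diff


def triage(diff: dict):
    """Split value changes into (autostart, other, noise) so the report is read in that order."""
    autostart, other, noise = [], [], []
    for bucket in ("values_added", "values_modified", "values_deleted"):
        for change in diff[bucket]:
            key = change[0]
            if any(m in key for m in NOISE_MARKERS):
                noise.append((bucket,) + change)
            elif any(m in key for m in AUTOSTART_MARKERS):
                autostart.append((bucket,) + change)
            else:
                other.append((bucket,) + change)
    return autostart, other, noise


def fmt(data) -> str:
    """Regshot-style rendering: DWORDs as 0xXXXXXXXX, strings quoted."""
    return "0x" + f"{data:08X}" if isinstance(data, int) else f'"{data}"'


def format_report(diff: dict) -> str:
    """Text in the same layout as the regshot output shown above (old value, then new)."""
    lines = []
    for title, bucket in (("Keys added", "keys_added"), ("Keys deleted", "keys_deleted"),
                          ("Values added", "values_added"), ("Values deleted", "values_deleted"),
                          ("Values modified", "values_modified")):
        lines += ["-" * 34, f"{title}: {len(diff[bucket])}", "-" * 34]
        for change in diff[bucket]:
            if bucket.startswith("keys"):
                lines.append(change)
            elif bucket == "values_modified":
                key, name, old, new = change
                lines.append(f"{key}\\{name}: {fmt(old)}")
                lines.append(f"{key}\\{name}: {fmt(new)}")
            else:
                key, name, data = change
                lines.append(f"{key}\\{name}: {fmt(data)}")
    return "\n".join(lines)


# Constructed snapshots with a placeholder SID and a placeholder file path; the volume
# and ShellBags entries mimic the noise in the regshot output above.
HKU = "HKU\\S-1-5-21-0-0-0-1001"
SOUND = ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\"
         "{4D36E96C-E325-11CE-BFC1-08002BE10318}\\0000\\Settings\\CD")
BAGS = HKU + "\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop"
RUN = HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
NEW_KEY = HKU + "\\Software\\Microsoft\\Multimedia\\WaveOwner"

BEFORE: Snapshot = {
    SOUND: {"Vol_Left": 0xFFFFF729, "Vol_Right": 0xFFFFF729},
    BAGS: {"ScrollPos1313x932(1).x": 0x00000000},
    RUN: {},
}
AFTER: Snapshot = {
    SOUND: {"Vol_Left": 0xFFFFF566, "Vol_Right": 0xFFFFF566},
    BAGS: {"ScrollPos1313x932(1).x": 0x00000000, "ScrollPos1313x932(1).y": 0x00000000},
    RUN: {"Updater": "C:\\Users\\admin\\AppData\\Roaming\\updater.exe"},  # placeholder path
    NEW_KEY: {},
}

if __name__ == "__main__":
    diff = compare_snapshots(BEFORE, AFTER)
    print(format_report(diff))
    autostart, other, noise = triage(diff)
    print(f"\nread first: {autostart}\nthen: {len(other)} other, {len(noise)} noise")
```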
  • 9. Introduction.9 Go deep into network traffic. Malware, often, needs to connect to a remote server for many reasons. For example it needs to provide information to that remote host or it need to get commands from that remote host. So it is very important to understand which sort of traffic is generated from and to the malware. To achive this hint we have to implement a sort of MITM (Man In The Middle) attack against the malware. First of all we have to use ApateDNS (a free tool from Mandiant) to see the DNS request made by malware. To use ApateDNS you have to set: DNS Reply IP: the IP address ypu want sent in DNS response; # of NXDOMAIN’s: this is an option that can help us to find all the domain the malware will loop through; Selected interface: the ethernet interface we want to use We can set ‘DNS Reply IP’ to localhost (as in the above example) or we can set it to redirect all the traffic to another machine, for example a linux machine, or better, a virtual linux machine. On the linux machine we can install INetSim, a free, Linux-based software suite for simulating common Internet services. INetSim does its best to look like a real server. And because INetSim is built with malware analysis in mind, it offers many unique features, such as its Dummy service, a feature that logs all data received from the client, regardless of the port. The Dummy service is most useful for capturing all traffic sent from the client to ports not bound to any other service module. You can use it to record all ports to which the malware connects and the corresponding data that is sent. Here is an example of all the port the tool is going to start up. 
* dns 53/udp/tcp - started (PID 9992)
* http 80/tcp - started (PID 9993)
* https 443/tcp - started (PID 9994)
* smtp 25/tcp - started (PID 9995)
* irc 6667/tcp - started (PID 10002)
* smtps 465/tcp - started (PID 9996)
* ntp 123/udp - started (PID 10003)
* pop3 110/tcp - started (PID 9997)
* finger 79/tcp - started (PID 10004)
* syslog 514/udp - started (PID 10006)
* tftp 69/udp - started (PID 10001)
* pop3s 995/tcp - started (PID 9998)
* time 37/tcp - started (PID 10007)
* ftp 21/tcp - started (PID 9999)
* ident 113/tcp - started (PID 10005)
* time 37/udp - started (PID 10008)
* ftps 990/tcp - started (PID 10000)
* daytime 13/tcp - started (PID 10009)
* daytime 13/udp - started (PID 10010)
* echo 7/tcp - started (PID 10011)
* echo 7/udp - started (PID 10012)
* discard 9/udp - started (PID 10014)
* discard 9/tcp - started (PID 10013)
* quotd 17/tcp - started (PID 10015)
* quotd 17/udp - started (PID 10016)
* chargen 19/tcp - started (PID 10017)
* dummy 1/udp - started (PID 10020)
* chargen 19/udp - started (PID 10018)
* dummy 1/tcp - started (PID 10019)

There is another very interesting tool we must use to monitor the network traffic: wireshark. Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set. The most common and useful one is the possibility to view the contents of a TCP session: you just have to right-click any TCP packet and select ‘Follow TCP Stream’.

Attention: wireshark is known to have many security vulnerabilities, so be sure to run it in a safe environment.
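The DNS redirection step described above, as an added example that is not part of the original slides or of ApateDNS itself: a minimal Python sinkhole that answers the first N queries with NXDOMAIN (the assumed meaning of the ‘# of NXDOMAIN’s’ option, so the sample walks through its fallback domain list) and every later A query with the chosen reply IP, logging each requested domain. The names build_query, parse_question, DnsSinkhole, rcode and answered_ip are hypothetical; 192.168.110.2 is the Linux VM address used later on this page.

```python
import struct


def build_query(txid: int, name: str) -> bytes:
    """Build a standard A/IN query (used here only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_question(packet: bytes):
    """Return (name, end_offset) of the first question in a DNS packet."""
    labels, pos = [], 12  # the fixed DNS header is 12 bytes
    while packet[pos] != 0:
        size = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + size].decode("ascii"))
        pos += 1 + size
    return ".".join(labels), pos + 1 + 4  # skip the 0 byte, QTYPE and QCLASS


class DnsSinkhole:
    """Assumed model of ApateDNS: the first nxdomain_count queries get NXDOMAIN,
    every later query gets an A record for reply_ip; every name is logged."""

    def __init__(self, reply_ip: str, nxdomain_count: int = 0):
        self.reply_ip = reply_ip
        self.nxdomain_count = nxdomain_count
        self.seen = []  # every domain the sample asked for, in order

    def build_response(self, query: bytes) -> bytes:
        name, qend = parse_question(query)
        self.seen.append(name)
        txid, question = query[:2], query[12:qend]
        if len(self.seen) <= self.nxdomain_count:
            # flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN), no answer section
            return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
        # flags 0x8180: RCODE=0, plus one A record (name pointer 0xC00C -> offset 12)
        rdata = bytes(int(o) for o in self.reply_ip.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
        return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer


def rcode(packet: bytes) -> int:
    """RCODE of a DNS response: 0 = NOERROR, 3 = NXDOMAIN."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def answered_ip(packet: bytes) -> str:
    """Dotted IPv4 from the last 4 bytes of a single-answer A response."""
    return ".".join(str(b) for b in packet[-4:])
```

To run it on the Linux VM, bind a UDP socket on port 53, pass each received datagram to build_response and send the result back to the sender; the seen list then holds the ordered domain sequence the sample walked through.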
So what the hell can we do ?

We have analyzed all the principal tools we need to perform a dynamic analysis; so how can we put all these pieces of software together to maximize our analysis?

We have a Windows machine and we have to do some things on it:
1. Start procmon, with a filter on the malware name
2. Start Process Explorer
3. Take the first snapshot with regshot
4. Configure our virtual network (ApateDNS – INetSim)
5. Start wireshark to capture all the network traffic.

We also have a Linux machine with INetSim installed on it. So this is the situation:

Windows Virtual Machine (IP: 192.168.110.1)
Tools: ApateDNS, Procmon, regshot, Process Explorer, wireshark
Target: the malware
DNS 53: ApateDNS redirects to 192.168.110.2

Linux Virtual Machine (IP: 192.168.110.2)
Tool: INetSim
HTTP: 80, HTTPS: 443, FTP: 21, SMTP: 25, etc.

At this point we can run the malware and look at our tools to find as much information as we need:
1. We can analyze ApateDNS to see which DNS requests were performed;
2. We can look at procmon to find which files and folders our malware has modified or created;
3. We can compare the regshot snapshots to see what the malware has done to our registry;
4. We can look at Process Explorer to see if the malware has generated threads;
5. We can also look at the wireshark traffic according to the information we have obtained from ApateDNS and INetSim.

Summary

Static and dynamic malware analysis help us to understand in detail what behavior was implemented in the malware. If we know which registry keys/values it has modified, which files it has created, what the malware has sent to a remote server and which commands it has received from that host, then we can safely think that it is possible, and not so tricky, to cut the malware out of our PC.
However, sometimes it is necessary to go much deeper; for example, what can we do if the malware communicates with the remote host using an encrypted custom protocol? In this case, and in some others, we need to reverse engineer the malware code. This will be the subject of the next episode, ‘Inside Windows Malicious Software’.

On the Web
● http://bit.ly/ic4plL - strings tool
● http://woodmann.com/BobSoft/Pages/Programs/PEiD - PEiD tool
● http://www.woodmann.com/collaborative/tools/index.php/ExeInfo_PE - exeinfope tool
● http://www.dependencywalker.com/ - Dependency Walker tool
● http://peview.sourceforge.net/ - PEView tool
● http://www.angusj.com/resourcehacker/ - Resource Hacker tool
● http://download.sysinternals.com/files/ProcessMonitor.zip - procmon tool
● http://sourceforge.net/projects/regshot/ - regshot tool
● http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx - Process Explorer tool
● https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns - ApateDNS tool
● http://www.inetsim.org/downloads.html - INetSim tool
● http://www.wireshark.org/download.html - wireshark tool

About the author

Luigi Capuzzello started with informatics in late 1986 (with a beautiful Apple IIe) when he was thirteen years old. After taking a degree in robotics he has been working for more than fifteen years in several areas of IT, but he is now strongly focused on IT security. His main tasks are related to testing application security (especially web applications) and to reverse engineering techniques.

Specialties: Project Management, Information Security, Vulnerability Analysis, Penetration Testing, Ethical Hacking, Web Application Security

You can find him on http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a

Further reading
- Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code [Paperback]
- The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig