Malware Analysis as a Hobby - 44CON 2012

Michael Boman and Siavosh Zarrasvand present Malware Analysis as a Hobby at 44CON 2012 in London, September 2012.

Technology

Malware Analysis as a Hobby
Michael Boman - Security Consultant/Researcher, Father of 5
Siavosh Zarrasvand – Security Consultant/Researcher, Searching

Drawbacks
Time consuming
Boring in the long run (not all malware are created equal)

 I can do it cheaply (hardware and
license cost-wise). Human time not
Choose any two? Why included.
not all of them?
 I can do it quickly (I spend up to 3
Cheap hours a day doing this, at average even
less).

 I get pretty good results (quality).
Where the system lacks I can
compensate for its shortcomings.

Good Fast

Automate
everything!
Automate
Engineer yourself out of the workflow

Birth of the
MART Project
Malware Analyst Research Toolkit

Sample Acquisition
• Public & Private Collections
• Exchange with other malware analysts
• Finding and collecting malware
yourself
• Download files from the web
• Grab attachments from email
• Feed BrowserSpider with links from your
SPAM-folder

BrowserSpider
 Written in Python

 Using the Selenium framework to control REAL browsers
 Flash, PDFs, Java applets etc. executes as per normal
 All the browser bugs exists for real

 Spiders and follows all links seen

Sample Analysis
• Cuckoo Sandbox
• VirusTotal

A days work for a Cuckoo
Fetch a task

Process and Prepare the
create reports analysis

Lunch analyzer in
Store the result
virtual machine

Complete the Execute an
analysis analysis package

Sample Reporting
• Results are stored in MongoDB
(optional, highly recommended)
• Accessed using a analyst GUI

Where Virtual Machine
analysis fails
And what to do about it

Problems
 Cuckoo is easly bypassed

 User-detection

 Sleeping malware

Problems
 VM or Sandbox detection

 The guest OS might not be sufficient enough

 Any multistage attack

Iterating automatiation

Sort out clearly
Devide the
non-malicious and Do brief static
samples into
obviosly malicious analysis
categories
samples

Known Known Bad
Good
Unknown

Budget
 Computer: €520

 MSDN License: €800 (€590 renewal)

 Year 1: €1320

 Year N: €590

 Money saved from stopped smoking (yearly): €2040

Next steps
• Barebone on-the-iron malware
analysis
• Android platform support
• OSX platform support
• iOS patform support

Questions?

Michael Boman Siavosh Zarrasvand
michael@michaelboman.org siavosh.zarrasvand@gmail.com
http://michaelboman.org
@mboman @zarrasvand

Oh dear, your application has suddenly stopped working as expected. What should you do now? Using techniques applicable to any php application, we'll go over what to look for and which problems to avoid when trying to determine where the problem lies. We'll show how to correctly identify and deal with problems including: * network connectivity * server config issues * php config * WSOD * common CakePHP application errors

Testing Heuristic Detections

frisksoftware

This lecture discusses the different commands and utilities used for archiving and compression of files and directories in Linux Video for this lecture on youtube: http://www.youtube.com/watch?v=R6ZQ6PJyy28 Check the other Lectures and courses in http://Linux4EnbeddedSystems.com or Follow our Facebook Group at - Facebook: @LinuxforEmbeddedSystems Lecturer Profile: Ahmed ElArabawy - https://www.linkedin.com/in/ahmedelarabawy

A short history of video coding

Video coding is an essential component of video streaming, digital TV, video chat and many other technologies. This presentation, an invited lecture to the US Patent and Trade Mark Office, describes some of the key developments in the history of video coding. Many of the components of present-day video codecs were originally developed before 1990. From 1990 onwards, developments in video coding were closely associated with industry standards such as MPEG-2, H.264 and H.265/HEVC. The presentation covers: - Basic concepts of video coding - Fundamental inventions prior to 1990 - Industry standards from 1990 to 2014 - Video coding patents and patent pools.

Course 102: Lecture 18: Process Life Cycle

This lecture addresses the internals of Linux processes, and its life cycle. This includes its creation, termination, and state transitions during its existence. It also addresses the difference between processes and threads in Linux Check the other Lectures and courses in http://Linux4EnbeddedSystems.com or Follow our Facebook Group at - Facebook: @LinuxforEmbeddedSystems Lecturer Profile: - https://www.linkedin.com/in/ahmedelarabawy

Data Compression Technique

nayakslideshare

Introduction to H.264 Advanced Video Compression

C 102 lec_29_what_s_next

This lecture covers the structure of the Linux filesystem layout and the concept of mounting different filesystems in the main filesystem Video for this Lecture on youtube: http://www.youtube.com/watch?v=6YL1qjqcR9M Check the other Lectures and courses in http://Linux4EnbeddedSystems.com or Follow our Facebook Group at - Facebook: @LinuxforEmbeddedSystems Lecturer Profile: - https://www.linkedin.com/in/ahmedelarabawy

44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images

image compression pptShivangi Saxena

CompressionAshish Kumar

Malware Analysis on a Shoestring Budget

Michael Boman

Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...

CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis

CNIT 126: Ch 2 & 3

Quick Heal Technologies Ltd.

Is av dead or just missing in action - avar2016

rajeshnikam

Is Antivirus (AV) Dead or Just Missing in Action

Reading Group Presentation: The Power of Procrastination

Michael Rushanan

Viewers also liked

Configurable Video Coding

Cryptanalysis of the Engima - 44CON 2012

Book Launch: The H.264 Advanced Video Compression Standard

Getting the most out of H.264

44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...

Iain Richardson: An Introduction to Video Compression

Course 102: Lecture 24: Archiving and Compression of Files

A short history of video coding

Course 102: Lecture 18: Process Life Cycle

Data Compression Technique

nayakslideshare

Introduction to H.264 Advanced Video Compression

C 102 lec_29_what_s_next

44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images

image compression pptShivangi Saxena

CompressionAshish Kumar

Viewers also liked (15)

Configurable Video Coding

Cryptanalysis of the Engima - 44CON 2012

Book Launch: The H.264 Advanced Video Compression Standard

Getting the most out of H.264

44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...

Iain Richardson: An Introduction to Video Compression

Course 102: Lecture 24: Archiving and Compression of Files

A short history of video coding

Course 102: Lecture 18: Process Life Cycle

Data Compression Technique

Introduction to H.264 Advanced Video Compression

C 102 lec_29_what_s_next

44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images

image compression ppt

Compression

Similar to Malware Analysis as a Hobby - 44CON 2012

Malware Analysis on a Shoestring Budget

Michael Boman

Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...

CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis

CNIT 126: Ch 2 & 3

Quick Heal Technologies Ltd.

Is av dead or just missing in action - avar2016

rajeshnikam

Is Antivirus (AV) Dead or Just Missing in Action

Reading Group Presentation: The Power of Procrastination

Michael Rushanan

Jason Kent - AppSec Without Additional Tools

centralohioissa

Thinking Outside the Sand[box]

Juniper Networks

Debugging

Jonathan Holloway

Continuous integration at CartoDB March '16

Juan Ignacio Sánchez Lara

how-to-bypass-AM-PPL

nitinscribd

Agile Testing at eBayDominik Dary

"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...

SegInfo

FUEL_USERS_GROUPWill Pearce

Static analysis tools as the best friend of QA

Mikalai Alimenkou

We have spent many years testing our applications and systems manually and with test automation tools. During this time many bug root causes have been classified and could be detected automatically with special static analysis tools. Most of them could be applied at the early stages of development even before code is integrated into the main development branch. In this talk, I will go through available solutions and demonstrate what kinds of issues may be detected automatically reducing the time and effort of traditional testing.

Malware Detection - A Machine Learning Perspective

Chong-Kuan Chen

Justin Ison

CodeFest

KidoZen Mastering Unit Testing in Xamarin

kidozen

PyTriage: A malware analysis framework

Yashin Mehaboobe

Similar to Malware Analysis as a Hobby - 44CON 2012 (20)

Malware Analysis on a Shoestring Budget

Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...

CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis

CNIT 126: Ch 2 & 3

Is av dead or just missing in action - avar2016

Is Antivirus (AV) Dead or Just Missing in Action

Reading Group Presentation: The Power of Procrastination

Jason Kent - AppSec Without Additional Tools

Thinking Outside the Sand[box]

Debugging

Continuous integration at CartoDB March '16

how-to-bypass-AM-PPL

Agile Testing at eBay

"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...

FUEL_USERS_GROUP

Static analysis tools as the best friend of QA

Malware Detection - A Machine Learning Perspective

Justin Ison

KidoZen Mastering Unit Testing in Xamarin

PyTriage: A malware analysis framework

More from 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...

Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.

How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...

One of the hottest topics in current crypto research is Post-Quantum Cryptography. This branch of cryptography addresses asymmetric crypto systems that are not prone to quantum computers. Virtually all asymmetric crypto systems currently in use (Diffie-Hellman, RSA, DSA, and Elliptic Curve Crypto Systems) are not Post-Quantum. They will be useless, once advanced quantum computers will be available. Quantum computer technology has made considerable progress in recent years, with major organisations, like Google, NSA, and NASA, investing in it. Post-Quantum Cryptography uses advanced mathematical concepts. Even if one knows the basics of current asymmetric cryptography (integer factorisation, discrete logarithms, …), Post-Quantum algorithms are hard to understand. The goal of this presentation is to explain Post-Quantum Cryptography in a way that is comprehensible for non-mathematicians. Five families of crypto systems (as good as all known Post-Quantum algorithms belong to these) will be introduced: Lattice-based systems: The concept of lattice-based asymmetric encryption will be explained with a two-dimensional grid (real-world implementations use 250 dimensions and more). Some lattice-based ciphers (e.g., New Hope) make use of the Learning with Error (LWE) concept. I will demonstrate LWE encryption in a way that is understandable to somebody who knows Gaussian elimination (this is taught at middle school). Other lattice-based systems (especially NTRU) use truncated polynomials, which I will also explain in a simple way. Code-based systems: McEliece and a few other asymmetric ciphers are based on error correction codes. While teaching the whole McEliece algorithm might be too complex for a 44CON presentation, it is certainly possible to explain error correction codes and the main McEliece fundamentals. Non-commutative systems: There are nice ways to explain non-commutative groups and the crypto systems based on these, using everyday-life examples. Especially, twisting a Rubik’s Cube and plaiting a braid are easy-to-understand group operations a crypto system can be built on. Multivariate systems: Multivariate crypto can be explained to somebody who knows Gaussian elimination. Hash-based signatures: If properly explained, Hash-based signatures are easier to understand than any other asymmetric crypto scheme. I will explain these systems with cartoons, drawings, photographs, a Rubik’s Cube and other items. In addition, I will give a short introduction to quantum computers and the current Post-Quantum Crypto Competition (organised by US authority NIST).

Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...

Data Center security has been forced to reinvent itself as software complexity increases, networking capabilities grow more agile, and attack complexity turns unmanageable. With this change, the need for security policy enforcement to be handled at the edge has pushed functionality onto host compute systems, resulting in inherent performance loss and security weakness due to consolidation of resources. In the first part of the talk we will be presenting a SmartNIC-based model for data-center security that solves both the performance problem and the security problems of edge-centric policy models. The model features a more robust isolation of responsibilities, superior offload capabilities, significantly better scaling of policy, and unique visibility opportunities. To illustrate this, we present a SmartNIC-based reference architecture for network layout, as well as examples of SmartNIC security controls and their resulting threat models. The second part of the talk will unveil a new innovative technique for tamper proof host introspection as SmartNICs are in a unique position to analyze and inspect the memory of the host to which they are attached. Normally, this functionality is reserved for a hypervisor, where it is known as ‘guest introspection’ or ‘virtual-machine introspection’. With host introspection, security controls no longer live in the hypervisor, but on the SmartNIC itself, on a separate trust domain. In this way, the visibility normally achieved with guest introspection can be performed for the entire host memory in an isolated and secure area. In order for host introspection to work in the same way as guest introspection, memory is DMA transferred in bursts over the PCI-e bus that attaches the SmartNIC to the host. As this method can be subverted to hide unwanted software, we will demonstrate a novel approach to tamper proof the acquisition of memory and for performing live introspection. Host introspection complements the network controls implemented using the SmartNIC by enabling the measurement of the integrity and the behavior of workloads (virtual machines, containers, bare metal servers) to identify possible indicators of compromise. The visibility and context gained also enhances the granularity of network controls, resulting in measurably better security for the data center compared to traditional software-only based controls.

JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...

Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research. The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve: Unexpected consequences (why did it decide this rifle is a banana?) Data leakage (how did they know Joe has diabetes) Memory corruption and other exploitation techniques (boom! RCE) Influence the output In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system. This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage! Garbage In, RCE Out :)

Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...

Numerous technical articles, presentations, and even books exists about reverse engineering the Windows Driver Model (WDM) for purposes that vary from simply understanding how a specific driver works, to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel Mode Driver Framework (KMDF) for quite a while and we now see more and more drivers shifting to this framework instead of interacting directly with the OS like in the old WDM times. Yet, there is close to no information on how to approach this model from a reverse engineering and offensive standpoint. In this presentation, I will first do a quick recap on WDM drivers, its common structures, and how to identify its entry points. Then I’ll introduce KMDF with all its relevant functions for reverse engineering through a set of case-studies. I’ll describe how to interact with a KMDF device object through SetupDI api and how to find and analyze the different IO queues dispatch routines. Does the framework actually enhances security? We’ll come to a conclusion after revealing some major vendor implementation problems. Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.

The UK's Code of Practice for Security in Consumer IoT Products and Services ...

In March 2018, the UK launched its Secure by Design report in order to help defend against security threats, especially for consumer Internet of Things products and services. Over the past few years, poorly secured IoT devices have been hijacked in both targeted as well as large-scale DDoS attacks such as Mirai. In addition to this, poor security can threaten both privacy and safety. The speaker, David Rogers authored the UK’s ‘Code of Practice for Security in Consumer IoT Products and Associated Services’, in collaboration with DCMS, NCSC, ICO and industry colleagues with extensive support from the security research community. David will discuss the guidelines within the Code of Practice, why these were prioritised and why the top three became dealing with the password problem, implementing vulnerability disclosure and acting on it and addressing software updates. David will also look at what’s next: what will the challenges be and will the Code of Practice succeed in its aims? How can IoT products possibly be certified and how will the threat landscape change in response to improving security?

Weak analogies make poor realities – are we sitting on a Security Debt Crisis...

Cyber Security is often framed in terms of ‘Risk’- the possibility of suffering harm or loss – and the ‘Management’ of Risk to reduce uncertainty. This is familiar territory for businesses. Cyber Security falls in neatly under Risk Management, is assigned a suitable place on the organigramme, tossed some spare budget and granted a few paragraphs in the board report. NIST defines Risk as a ‘function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation’. Key theme: This presentation explores the idea that making cyber security analogous to risk is holding us back. How about we talk about security ‘debt’ instead? Technical Debt is already a well understood concept in software development – the cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer or cost more. Changing our language changes how we think and how we behave. This presentation argues that such a change could have a significant impact on software security. In this presentation we will comment on the power of ‘analogies’ and how they’ve shaped our industry. We’ll then consider the difference between the ‘security as risk’ and the ‘security as debt’ paradigms and explore how changing paradigms may change the way we think about, talk about and measure software security. We believe this could have a very empowering effect on development managers and other security professionals who are struggling to articulate the relative benefits of security (or a lack of security) to a software product.

Pwning the 44CON Nerf Tank

Con speakers fear the Nerf gun. Overrun your talk time at your peril; Steve will shoot your arse with extreme prejudice until you STFU. We had to find a way to pwn the gun and shoot him back. That’s when we found the Nerf Terrascout: a remote tank gun controlled over 2.4GHz, with a video feed to the remote, complete with crosshairs. At first, we thought this would be a trivial job: figure out the RF and take control. It turned in to a mammoth hardware, firmware and RF reversing project. This puppy is so over-specced it would drive you to tears. The talk will cover the fails, hair loss and eventual success. There won’t be any smart dildos in it, though some of the techniques used are equally suited to teledildonics exploitation, if that’s your thing. Reversing RF in a high frequency environment using SDRs is challenging. We’ll discuss how we worked around these issues using hardware reversing skills. We had to import hardware from China for this project, which we could then programme ourselves using SPI, impersonate the legitimate controller and ‘jack the tank gun. This talk will of course include a live demonstration of hijacking the tank gun and (possibly) shooting Steve.

Security module for php7 – Killing bugclasses and virtual-patching the rest! ...

Presented by: Julien Voisin and Thibault Koechlin Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.

44CON London 2015 - Is there an EFI monster inside your apple?

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...

44CON London 2015 - How to drive a malware analyst crazy

44CON London 2015 - 15-Minute Linux Incident Response Live Analysis

44CON London 2015 - Going AUTH the Rails on a Crazy Train

44CON London 2015 - Software Defined Networking (SDN) Security

44CON London 2015 - DDoS mitigation EPIC FAIL collection

44CON London 2015 - Hunting Asynchronous Vulnerabilities

44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root

44CON London 2015 - reverse reverse engineering

44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back