Malware, Cryptominer & Other Threats
Setia Juli Irzal Ismail
Malware Analyst
ID-CERT Telkom University
Introduction
Malware Analysis Technique
Cryptomining Malware
Other Threats
Discussion
Introduction
• Setia Juli Irzal Ismail
• Jul Ismail
• Malware Analyst – ID-CERT
• Lecturer – Telkom University
www.cert.or.id/
ID-CERT
• Indonesia Computer Emergency Response Team
• 1998 – Dr. Budi Rahardjo
• Community based
• Incident Handling
• Malware Lab
• Research & Training about Malware
• Tools: Malware Scanner
• Founder AP-CERT: JP-CERT & AusCERT
Malware
Wannacry
• EternalBlue exploit → SMBv1
• DoublePulsar backdoor
• Hospitals
• 1 million victims
• Lazarus?
• May 2017
• March: Microsoft patch
Stuxnet
ATM malware
Malware
• Malicious Software
Classification
• Virus
• Worm
• Trojan
• Backdoor
• Adware
• Rootkit
• Ransomware
How does it Spread
• Email
• Flash Disk
• File Sharing
• Website
• Pirated Software
• Malicious apps
Why do people write malware
Back then
• Experiment
• Fun
• Alone
Now
• Money
• Espionage
• Steal Information
• Cyberweapon
• Cybercriminal group
• Government
Malware Statistics
• 250,000 new samples/day – Sophos
• 800 million malware samples – AV-Test
• 52% Indonesia – Kaspersky
• 17th
• 86% pirated software – ESET
• 97% Android malware
Malware Detection Technology
• Signature based
• Heuristic
Malware Analysis
Why Analyze Malware
To:
• assess damage
• discover indicator of compromise
• identify Vulnerability
• Catch the bad guy
• Answer questions
Indicator of compromise?
• Unusual outbound network traffic
• Anomalies in privileged user account activity
• Geographical irregularities
• Increases in database read volume
• HTML response sizes
• Large numbers of requests for the same file
• Suspicious registry or system file changes
• Unusual DNS requests
• Unexpected patching of systems
• Mobile device profile changes
• Unusual web traffic
• Signs of DDoS activity
IoC
• Improve the IDS, Firewall, Antivirus
Basic Questions
• What is the purpose of malware?
• How did it get here?
• Who are they and how good are they?
• How to remove it?
• What did they get?
• How long has it been here?
• Does it spread to other machines?
• How do I prevent this from happening again?
Technical Questions
• Network Indicator?
• Host Based Indicator?
• Persistence Mechanism?
• Date of compilation & installation?
• What language was it written in?
• Is it Packed?
• Obfuscation technique?
• Rootkit Functionality?
Safe Environment
• Do not run Malware on your computer
• Dedicated Malware Lab
• Use Virtualization
• VMware, VirtualBox, etc.
• Use a different OS than the malware's target (for static analysis)
Safe Environment??
• The malware behaviour might change
• Network: connect to a C&C server?
• Facing a real battle
• Our IP can become the target: consider using
• Accidentally attacking other people
Fake Network
• Host Only networking feature on VM
• Fake DNS tool
• Listening ports and network activity
• Build custom C&C Server
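The "Fake DNS tool" bullet above is the piece of lab tooling that turns a sample's C&C lookups into evidence instead of real traffic. The following is an added example written for this page (it is not code from the slides or from ID-CERT's Malware Lab): a minimal fake resolver that answers every A query with the analyst's own listener address on the host-only network, so the name the sample asks for is logged and its follow-up connection lands on the lab machine. The name c2.example.invalid, the transaction id 0x1234 and the address 10.0.0.5 are constructed for the demo.

```python
import socket
import struct

QTYPE_A = 1


def encode_name(name):
    """Dotted host name -> DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_query(data):
    """Return (txid, qname, qtype, end_of_question) for a single-question
    standard query; raise ValueError on anything else so junk sent to the
    port is simply ignored."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack_from(">HHH", data, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    try:
        while True:
            length = data[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer in question name")
            labels.append(data[pos:pos + length].decode("ascii", "replace"))
            pos += length
        qtype, _qclass = struct.unpack_from(">HH", data, pos)
    except (IndexError, struct.error):
        raise ValueError("truncated question section")
    return txid, ".".join(labels), qtype, pos + 4


def build_response(query, answer_ip, ttl=60):
    """Answer an A query with answer_ip (the analyst's listener). Other record
    types get an empty NOERROR reply so the sample keeps talking."""
    txid, _qname, qtype, qend = parse_query(query)
    question = query[12:qend]
    answer, ancount = b"", 0
    if qtype == QTYPE_A:
        answer = (b"\xC0\x0C"                                 # pointer to the name at offset 12
                  + struct.pack(">HHIH", QTYPE_A, 1, ttl, 4)  # type A, class IN, TTL, RDLENGTH
                  + socket.inet_aton(answer_ip))
        ancount = 1
    # flags 0x8180: response, recursion desired + available, NOERROR
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    return header + question + answer


def serve(answer_ip, bind="0.0.0.0", port=53, seen=None):
    """Blocking UDP loop for the lab's host-only network (port 53 needs root).
    Every queried name is appended to `seen`; that list is the IoC harvest."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _txid, qname, qtype, _ = parse_query(data)
        except ValueError:
            continue
        if seen is not None:
            seen.append(qname)
        print(f"{peer[0]} asked for {qname} (qtype {qtype}) -> answered {answer_ip}")
        sock.sendto(build_response(data, answer_ip), peer)


# Constructed query: txid 0x1234, recursion desired, one question, type A
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + encode_name("c2.example.invalid") + b"\x00\x01\x00\x01")

if __name__ == "__main__":
    print(build_response(SAMPLE_QUERY, "10.0.0.5").hex())
```

Point the guest's DNS setting at the host running `serve("10.0.0.5")` (a constructed lab address) and pair it with a listener such as netcat on the ports the sample then contacts; the `seen` list gives you the network indicators the "Technical Questions" slide asks for.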
Virtualization?
• Reduce risk
• Snapshot
• Video recording
• Set up no network or a host-only network
• Sharing functionality?
• VM is not perfect
• Malware can detect VM
• Sometimes it can escape the sandbox (0 day worm)
Malware Analysis
• Static Analysis
• Dynamic Analysis
Static
• Code is not executed
• Reverse engineering
• "Autopsy" the code
Dynamic Analysis
• Running the code in a controlled environment
Static Analysis
• Safer
• But...
• Sometimes it is not easy
• Requires a good understanding of programming
• Packer
• encrypt
• Insert junk code
• Anti analysis technique
Static Analysis
Steps
• Fingerprinting (hash)
• Scan with a virus scanner; VirusTotal; documentation
• PEiD: signatures for compiler and packer
• Find strings: strings, IDA Pro
• Web research; be careful
Strings
• Messages
• URL addresses, IPs
• Email addresses
• ASCII or Unicode format
Strings Example
• Malware sample sends a message (probably through email): file mail system .dll
• Check the email log, find the suspect traffic, find the mail system DLL
• DLL: a file containing executable code that is often shared between different applications.
• A DLL by itself is not malware, but DLLs are often abused by malware.
No Strings?
• Packer
• Obfuscation
Packed & obfuscated
• Techniques to make life hard for a malware analyst
• Packed: the program's code is compressed → packer
• Obfuscated: hiding the function of a program
• Packed & obfuscated code makes static analysis difficult → no strings
• Functions LoadLibrary and GetProcAddress
Packed & obfuscated - packing
• A wrapper (unpacking stub) decompresses the packed program when it runs
• Only the wrapper can be read statically
Packed & obfuscated - detection
• PEiD
• UPX: http://upx.sourceforge.net/
• upx -d PackedProgram.exe
Executables
• Windows : PE (Portable Executable)
• Linux: ELF (Executable and Linking Format)
• MacOS: Mach-O
PE
• Import
• Export
• Metadata
• Resources
PE Header
• Imports: functions from other libraries used by the malware
• Exports: functions from the malware that could be used by other programs
• Time Date Stamp: compile time
• Sections: which sections are present in the sample
• Subsystem: is the sample a GUI or command-line program?
• Resources: strings, icons, menus, etc.
Dynamic Analysis
• Run the malware → observe its actions
Monitor the interaction with the:
• file system
• registry
• other processes
• network
Tools
• Process Monitor
• Process Explorer
• Regshot
• Wireshark
• ApateDNS
• Netcat
• Monitor the whole system
• Filter out
Sandbox
• Automated malware analysis tool
• Special environment
• Cuckoo Sandbox
Cryptomining malware
Cryptocurrency
• Digital currency generated by computers
• Decentralized, no regulatory body; anonymous
• Produced by solving complex mathematical algorithms → mining
• Miners process transactions → recorded in the blockchain, a digital ledger
• Miners are rewarded in the form of digital coins
Cryptomining Malware
• Use victim computer to run mining application
• Website: use CPU power from visitors to mine coins
• Code runs in the background
Bitcoin (BTC)
• 2009
• Market 700 Billion USD
• Mining 1 bitcoin: requires 215 kilowatt hours of electricity for each transaction
• 1390 new cryptocurrencies
• Ethereum (ETH), Monero (XMR), Litecoin (LTC), Ripple (XRP), Bitcoin Cash (BCH)
Abuse
• 2017: 7000 websites compromised → mining (Sucuri)
• Monero
• algorithm does not favor GPUs
• can be mined by web browsers and normal computers
• privacy features that make transactions and wallets more difficult to trace
CoinHive
• cryptocurrency mining service: JavaScript
• small piece of code designed to be installed on websites: API
• lets website owners earn an income without running intrusive or annoying advertisements
• uses some or all of the computing power of any browser that visits
• 32000 websites (publicwww.com)
Coinhive case
• Installed on hacked websites
• December: embedded in the Wi-Fi hotspot at a Starbucks in Buenos Aires
• January: hidden inside YouTube advertisements
• February: Browsealoud (service for the visually impaired)
• The Pirate Bay
• IoC: 100% CPU load
• Coinhive earns 30%
• Kaspersky reported stopping 70 million web miners (2017)
• All major CMS platforms
• WordPress, Magento, Drupal and Joomla
Hiding tactic
• Encrypted
• Packed
• fake jQuery script names
• non-dotted decimal notation for the host name
• mimicking Google Analytics parameters
• Public repo: GitHub
• distributing JavaScript cryptominers
• placing the script in hidden iframes
Wannamine Case
• Mine Monero
• PowerShell and Windows Management Instrumentation
• EternalBlue exploit to spread
Digmine Case
• Disguised as a video file
• Facebook Messenger
• coded in AutoIt (a Windows scripting language)
• only runs on Facebook Messenger's desktop/web browser version
• sends the fake video link to all of the victim's Facebook contacts
• downloads components from a C&C server
• installs an autostart mechanism in the registry
• launches Chrome loaded with a malicious extension
• uses CPU power to mine Monero
Smominru & Adylkuzz
• Botnet
• Targeting Server
• EternalBlue Exploit (CVE-2017-0144)
• 24 Monero/day
• Oracle’s WebLogic Server (CVE-2017-10271)
Radiflow: water treatment facility
Trickbot
• Existing malware family
• Add a coin miner module
• Spam attachment
• Steals credentials from the user → e-wallet
RIG EK
• Exploit kits
• Distributing miner
Mobile and Mac
Android
• Fake apps
• Repackaging technique
• Alternative markets; not on Google Play
• com.coinhiveminer.CoinHive
Mac
• MacUpdate hack
• Modified OnyX, Firefox and Deeper
• Shell script embedded in the file
• Launches the miner
Other Threats
Ransomware
• 2017: the year of ransomware
• 400 variants
• Wannacry - May
• ExPetr - July
• BadRabbit - October
Wannacry
• EternalBlue exploit → SMB
• DoublePulsar backdoor
• Hospitals
• 1 million victims
• Lazarus?
• May
• March: Microsoft patch
ExPetr
• Ukraine, Russia
• 5000 victim
• Eternal Blue exploit
• DoublePulsar backdoor
• MeDoc – Update
• News Website in Ukraine
• 2 level encryption : victim file and MFT
• BlackEnergy’s KillDisk?
• July
Ransomware as a service
• Malware kits : tools to make your own ransomware
• Darkweb
• Cerber, Satan, Philadelphia
• Ransomware Android, Mac, Linux
• Bitcoin → Monero
• Targets: health industry, government, critical infrastructure, education, small & medium enterprises (SME)
Malware defense (evasion) techniques
• Anti-security: AV, firewall
• Anti-sandbox: sandbox
• Anti-analyst: packer, obfuscation, RE
• Machine learning evasion
• Hardware based evasion
Timeline
• 1980: Encryption: Cascade virus
• 1990: Polymorphic: Chameleon (encryption, junk code)
• 1998: Metamorphism (instructions scrambled)
• 1999: Packer
• 1999: Rootkit
• 2008: DGA: Conficker worm
• 2011: Darknet market: Silk Road
• 2015: Firmware: Equation Group, Hacking Team; IoT
• 2015: Dridex: obfuscation: PowerShell, sandbox evasion
• 2016: Fileless malware
• 2017: Machine learning detection: Cerber
Darknet Market
• Cryptservice: $53 - FUD
• Lazercrypter: free packer
• Macro Exploit Crypt Service: macro for spreading malware: $53
• Crypter source code: $1.99
• Arctic Miner: cryptocurrency miner: $3.2
• Betacrypt: code mutation: $239
• BHGroup: crypter ASM & C: $35
• Tutorial FUD backdoor: $0.94
Stegano Malware
• Steganography?
• 2011 Duqu: collecting information
• Encrypt data → embed in file → C&C server
• 2014: ZeusVM (variant): image stegano, hides commands
• 2016: Lurk: encrypted URL → BMP file → download payload
• 2016: Stegoloader
Sundown Exploit Kit case
1. User browsing: compromised website or malicious ads
2. Redirected to the exploit server
3. Download picture (PNG) -> blank image
4. Encoded exploit → URL for downloading the payload
5. Exploit vulnerability in IE
Stegano Malware - 2
• Cerber: Word macro → drops .vbs → downloads jpg
• Vawtrak: downloads favicon.ico
• Magento case: malware sends the payment card information inside a stego image
• Network stegano: hiding the traffic to the C&C server in DNS traffic or HTTP requests → TeslaCrypt
Android
• 2017: 10 million Android malware samples
• Rootnik
• Dloadr-ECZ
• Axent-ED
King of Glory
• Chinese game
• Fake app – ransomware
• Lock screen & crypto ransom
• Lock screen
• Judy: 36 million victims
• Xavir: 800 Android apps
• WireX botnet: 140000 victims → DDoS
Ghostclicker
• 300 apps
• Disguised as the Google Play services library
• Facebook ads library
• adware
Mac Malware
• PUA
• Optimizers: MacKeeper, Advanced Mac Cleaner, TuneUpMyMac, etc.
• MacRansom
• MacSpy
Microsoft - Malware
• Office
• Powershell
• Zero Day Vulnerability
Botnet
• Botnet?
• IoT: IP cameras
• Mirai botnet → tsunami DDoS
• IP cameras and routers
• 620 Gbit/s: KrebsOnSecurity
• 1 Tbit/s: OVH
Other trend
• Software distribution: CCleaner, ExPetr
• UEFI & BIOS attacks: Hacking Team
• Wiper: Shamoon → Aramco
• Espionage malware & APT
• Social media: fake accounts & bots → hoaxes
• Router & modem hacks
Beginner
• Practical Malware Analysis – Honig & Sikorski
• awesome-malware-analysis tools and resources
• Open Courseware by RPISEC
• Lenny Zeltser's blog
• The SANS Digital Forensics Blog
• Crackmes.de
Thank you
jul [at] tass.telkomuniversity.ac.id
jul_ismail
Blog: julismail.staff.telkomuniversity.ac.id