Today, criminals are using novel techniques to bypass AV detections. Manual debugging must be used to unpack malware (hard work that is needed to reveal the original malware code). Dissecting malware allows us to understand criminals' modus operandi, and manual analysis is always required to reveal FUD malware.
In this presentation we will describe the difference between standalone WinCollect & managed WinCollect for IBM QRadar.
The information in this presentation can be used by anyone :)
This is an extract from ongoing research made available for comments and recommendations. All tools were tested in the same virtual configuration providing a consistent test platform.
** UPDATE ** As it is no longer possible to update a Slideshare presentation I will shortly be posting a more comprehensive set of results as a new presentation and on the www.xtremeforensics.com website.
Ransomware is a hot topic that isn't going away anytime soon. As more strains of this nasty malware are born, it's important to have a clear understanding about what this threat could mean for your business!
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?" - Lane Huff
I'm Cuckoo for Malware provides an introductory overview of Cuckoo Sandbox and malware analysis. This talk walks through the different types of malware and what they do, then explains how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against malware authors' attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to give listeners enough information that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors - Jared Greenhill
This presentation outlined how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTPs) of an advanced actor intrusion will be highlighted during a technical deep-dive of memory analysis and the related workflow.
Cyber Threat Hunting: Identify and Hunt Down Intruders - Infosec
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be a modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting course here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
This presentation is based on research I published in 2015 dealing with Mach-O malware and the increased visibility of macOS as a new target. In this new research, the idea is to show some tips about the internals, the kernel and the main threats macOS has been facing.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ... - MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
Part of this presentation is based on research published in 2015, which demonstrated the increasing spread of Mach-O malware binaries and how to analyze this type of binary. In this presentation, we will explain the structure of the binary in more detail using debugger tools and reverse engineering techniques. The knowledge gained will be useful for malware analysis as well as for crackme-type challenges in CTFs.
MacOS forensics and anti-forensics (DC Lviv 2019) presentation - OlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Fantastic Red Team Attacks and How to Find Them - Ross Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Try to imagine the amount of time and effort it would take you to write a bug-free script or application that will accept a URL, port scan it, and for each HTTP service that it finds, it will create a new thread and perform a black box penetration testing while impersonating a Blackberry 9900 smartphone. While you’re thinking, Here’s how you would have done it in Hackersh:
"http://localhost" \
-> url \
-> nmap \
-> browse(ua="Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+") \
-> w3af
Meet Hackersh (“Hacker Shell”) – A new, free and open source cross-platform shell (command interpreter) with built-in security commands and Pythonect-like syntax.
Aside from being interactive, Hackersh is also scriptable with Pythonect. Pythonect is a new, free, and open source general-purpose dataflow programming language based on Python, written in Python. Hackersh is inspired by Unix pipeline, but takes it a step forward by including built-in features like remote invocation and threads. This 120 minute lab session will introduce Hackersh, the automation gap it fills, and its features. Lots of demonstrations and scripts are included to showcase concepts and ideas.
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Let's find out...
I prepared it when I started learning Linux at KBFS. It explains why Linux is less prone to viruses and what kind of viruses affect Linux. (final edit pending)
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend... - Suzanne Lagerweij
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells - Rosie Wells
Insight: In a landscape where traditional narrative structures are giving way to fragmented and non-linear forms of storytelling, there lies immense potential for creativity and exploration.
'Collapsing Narratives: Exploring Non-Linearity' is a micro report from Rosie Wells.
Rosie Wells is an Arts & Cultural Strategist uniquely positioned at the intersection of grassroots and mainstream storytelling.
Their work is focused on developing meaningful and lasting connections that can drive social change.
Please download this presentation to enjoy the hyperlinks!
Presentation 8. Joost van der Linde & Daniel Anderton - Eliq 28 May 2024
Strategies to design FUD malware
1. Strategies to design Fully UnDetectable malware
III Jornadas de InfoWeb - Universidade da Beira Interior
21 March 2019
Pedro Tavares <ptavares@dognaedis.com>
2. Pedro Tavares is a professional working as Malware Researcher, Ethical Hacker and also Security Evangelist. Pedro is also a founding member and Pentester at CSIRT.UBI and Editor-in-Chief and Creator of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks. He is also a freelance writer.
LinkedIn | Twitter | <ptavares@dognaedis.com>
3. Dognaedis – A Prossegur Company
Service Lines
● Cyber Intelligence
● Managed Services
● Security Technologies
● Audit & Testing
● Consultancy
4. Required Software
- Virtual Machine (Windows 10, 8, 7 or XP)
Software:
● PEiD
● CFF Explorer
● UPX packer
● x64dbg
● Dev-C++ compiler
Recommended resources (to read):
● Intro to x86 Assembly Language
● How to use the x64dbg debugger
"communicating with the machine is like communicating with an alien"
5. Agenda
0x01 What is a Malware?
0x02 Windows Internals 101
0x03 Portable Executable (PE) Files 101
0x04 Malware Protection 101
--0X041 Packers, Crypters and Protectors
--0X042 UPX Packer – How to Unpack UPX
--0X043 Creating a Simple XOR Crypter
0x05 Why Crypters can be Fully Undetectable (FUD)?
7. 0x01 What is a Malware?
Malware is a generic term that describes any program or malicious code that is dangerous to systems.
"Malware attacks would not work without the most important ingredient: the user."
Malwarebytes
8. 0x01 What is a Malware?
Adware [designed to trigger ads]
Spyware [observes user activities without their knowledge/permission]
Virus [malware attached to another program that can replicate and spread after a first execution]
Worms [similar to viruses, but they don't need to be attached to spread]
Trojan (RAT) [takes control of users' devices]
Ransomware [encrypts users' devices and requests a ransom]
Rootkit [complex malware that hides its activity and presence]
Keylogger [captures everything typed on users' keyboards]
Cryptominer [uses users' CPU power to mine cryptocurrency]
Reference: https://blog.malwarebytes.com/glossary/
9. 0x01 What is a Malware?
A shell is opened!! :)
Malware:
- Invoice received in my inbox! (pdf)
- Hum, why is it an .exe file?
- Why does it execute a shell?
No Malware:
- The program does what it should do!
10. 0x01 What is a Malware?
Manual Analysis
● How it works
● What info is harvested
● How it collects info from the victim
● Techniques used
Everything is an object of analysis!
Sandbox Analysis (automated)
● Is it malware?
● What kind of malware is it? (trojan? ransomware?)
● What kind of data can it extract?
● IOCs (IP, DNS, Windows registry keys and files downloaded and dropped).
Fast but limited analysis.
12. 0x02 Windows Internals 101
Main Memory regions (laid out between the low and high memory addresses): Stack, Heap, Code, Data.
Stack: used for local variables and parameters for functions, and to help control program flow. We'll always look here! :D
Heap: used for dynamic memory during program execution, to allocate new values and eliminate (free) values that the program no longer needs.
Code: contains the executable code; controls what the program does.
Data: contains values that are put in place when a program is initially loaded. They do not change while the program is running.
13. 0x02 Windows Internals 101
User Mode (ring 3):
User Application -> Kernel32.dll -> Ntdll.dll
Kernel Mode (ring 0), privileged mode (rootkits run here):
Ntoskrnl.exe -> Kernel Data Structures
17. 0x03 Portable Executable (PE) Files 101
PE File = Header + Sections
Header:
● DOS Header (file signature MZ: Mark Zbikowski, who created the first linker for DOS)
● PE Header (file properties, number of sections, machine type, time stamp, etc.)
● Optional Header (it's not "optional" per se, because it is required in executable files; the RVA of the entry point is here!)
● Sections Table (summarizes each section's raw size, virtual size, section name, etc.)
Sections (Code, Imports, Data):
● .text: OEP and code
● .data: initialized data
● .rsrc: resource data
● ...
Reference: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format
19. --0X041 Packers, Crypters and Protectors
Packers: Short for "runtime packers". Packers unpack software in memory and are used to make files smaller. Used by criminals to make reverse engineering difficult.
Crypters: This technique is also known as obfuscation. Cryptographic algorithms are used to make the hidden executable hard to detect by AV engines. This technique is the ultimate goal for its author: to turn malware FUD (Fully Undetectable).
Protectors: A protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting. That combination plus some added features makes what is usually referred to as a protector.
Reference: https://blog.malwarebytes.com/cybercrime/malware/2017/03/explained-packer-crypter-and-protector/
21. --0X042 UPX Packer – How to Unpack UPX
(1) Normal PE File Structure Before Packing
(2) UPX packed PE File Structure
(3) PE File after being unpacked and loaded into memory
(4) Fully unpacked PE File
Main Tasks
● Unpack the original executable into memory
● Resolve all the imports of the original executable
● Transfer execution to the original entry point (OEP)
22. --0X042 UPX Packer – How to Unpack UPX
Packed file (UPX)
#include <stdio.h>
#include <stdlib.h>
int main()
{
    // printf() displays the string inside the quotation marks
    printf("Hello, World!\n");
    system("PAUSE");
    return 0;
}
32. --0X042 UPX Packer – How to Unpack UPX
Main tasks:
1) Find the executable's Import Address Table (IAT).
2) Get Imports.
3) Dump the executable (nonetheless, an error is presented; in fact, the IAT was not included).
4) Fix Dump (the final executable will be fixed and saved with the SCY extension appended to the file name).
34. --0X043 Creating a Simple XOR Crypter
A crypter is a program used to help malware evade antivirus signature-based detection.
(figure: Dark Comet vs. Dark Comet crypted)
35. --0X043 Creating a Simple XOR Crypter
Types of Crypters:
Scantime
A ScanTime crypter encrypts the file to evade antivirus signature-based detection before execution, i.e. detection of the malware on disk.
Runtime
Runtime crypters decrypt the payload at run time using the Windows API function CreateProcess. Its CREATE_SUSPENDED flag allows the malware to be decrypted and then loaded into memory as a process before being executed.
37. --0X043 Creating a Simple XOR Crypter
1) Run hello_world.exe in x64dbg
2) Identify the .data VA
3) Identify a .text code cave
4) Append XOR instructions
5) Set the new EP
6) Run the PE and generate a XORed file
7) Run the PE again and change the XOR instructions to un-XOR the .data section
8) Fix dump!
51. --0X043 Creating a Simple XOR Crypter
Result: Only PE File "strings" are hidden (obfuscated)! :-D
IOC: 1ef80e71e6d6d9415ffa65e655f473be | IOC: 5dec959d88a999fb59e3995c34209a4a
(figure: VT original vs. VT crypter)
52. 0x05 Why Crypters can be Fully Undetectable (FUD)?
FUD crypters can be used to encrypt viruses, RATs, keyloggers, spyware, etc. to make them undetectable by antiviruses.
The crypter takes the original binary file, applies multiple encryption passes to it and stores the result at the end of file (EOF), so a new crypted executable file is created.
The new exe is not detected by antiviruses because its code is scrambled by the crypter.
Nonetheless, many (homemade) crypters can be detected via Heuristic and Behavior Analysis!
53. My recent findings
[SI-LAB] – February 18th, 2019
The Muncy malware is on the rise
[SI-LAB] – March 1st, 2019
FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle
[SI-LAB] – March 5th, 2019
The story of the JCry ransomware spread in #OpJerusalem2019 is now infecting Windows users
[SI-LAB] – March 20th, 2019
LockerGoga is the most active ransomware that focuses on targeting companies and bypasses AV signature-based detection
54. Take Home Messages
- Today, criminals are using novel techniques to bypass AV detections
- Manual debugging must be used to unpack malware
- Dissecting malware allows us to understand criminals' modus operandi
- Manual analysis is always required to reveal FUD malware