An overview – Part I

Our game plan:
- Today – a theoretical overview followed by a case study.
- Detailed presentations about each component: virtualization, honeypots / honeynets, debugging, and so on (hopefully).
Prerequisites:
- Capability for ‘abstract mathematics’
- Assembly language
- Lack of social life
- Adequate ‘behavior modification’ or ‘trance inducing’ materials.
- Basics
- Setting up a lab environment
- Analysis
  - Network traffic
  - Disk image / file system
  - Memory image
  - Static analysis
- Traditionally we had source code auditing – the prime requirement was safety of code.
- Then came proprietary code and with it ‘black box testing’.
- Along came modular components and we graduated to ‘reverse engineering’.
- With COTS products came issues of trust – Microsoft is safe, but what about the guys who made the DLL?
- Suggested reading: ‘WYSINWYX’, Gogul Balakrishnan’s PhD thesis.
- A method of reverse engineering a program along with all its associated libraries: ‘holistic reverse engineering’.
- A focused application: malware analysis.
- Why: traditional signature-based analysis is futile given the evolving malware.
- The same logic has multiple ‘signatures’, hence ‘behavioral analysis’.
- Pros and cons of both static analysis and behavioral analysis.
- Larger volumes of samples necessitate ‘automation’.
- Enter CWSandbox, Norman SandBox and others.
- But we need ‘more’.
- Overlap with forensics.
- Privacy and policy issues.
- Wish to learn
- ‘Live’ exercise – part of growing up
- Field of work
- Requirement of customized data
- Complexities in the malware world
- Basics
- Setting up a lab environment
- Analysis
  - Static analysis
  - Network traffic
  - Disk image / file system
  - Memory image
A controlled environment:
- Malware collection. Malware collection through spam traps, honeypots and shared data; Nepenthes as an example.
- Victim machines. Virtualisation or real. Virtual machines are easier to manage, but malware is increasingly becoming more aware of them. Virtual machines like VMware, Parallels, QEMU and Bochs are available.
- Support tools.
  - Network simulation: Internet connection, DNS, IRC, web and SMTP servers.
  - Analysis tools. Support of online resources like VirusTotal.
- It should be isolated.
- It should provide a full simulation.
Where samples come from:
- Friends
- Online resources
- Honeypots
  - Amun
  - Nepenthes
  - …
- Windows OS
  - Start: a Windows image built using Linux
- The re-usable malware analysis net ‘Truman’
- Virtual machines
  - Norton Ghost / UDPcast / Acronis
  - Hardware: Core Restore
  - Microsoft: SteadyState
- This mini Linux implementation contains tools like partimage, ntfsresize and fdisk, and is based around the fantastic BusyBox.
- It enables you to PXE boot a PC into a Linux client which can create an NTFS partition, grab a Windows disk image from the network, write it to a local disk and then resize that partition.
- Two machines minimum.
- Linux-based server.
- Truman machine as client (XP without patches). Installation FAQ on NSMWiki.
- Virtual network simulation.
- MAVMM: lightweight and purpose-built VMM for malware analysis.
- Authors: Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T. King, Hai D. Nguyen.

- A special-purpose virtual machine for malware analysis.
- Academic version of XP available.
- Instrumentation of code feasible.
- Creation of ‘special Windows’ boxes.
- Basics
- Setting up a lab environment
- Analysis
  - Static analysis
  - Network traffic
  - Disk image / file system
  - Memory image
- Create a controlled environment, virtual or real.
- Baseline the environment:
  - Victim machine: file system, registry, running processes, open ports, users, groups, network shares, services etc.
  - Network traffic.
  - External view.
- Information collection:
  - Static: strings, resources, scripts, file properties etc.
  - Dynamic.
- Information analysis. Involves information collation, Internet searches, startup methods, communication protocols, spreading mechanisms etc.
- Reconstructing the big picture.
- Documentation.
- PsExec – part of the Sysinternals PsTools kit.
- MS Remote Desktop
- Virtual Network Computing (VNC)
- UltraVNC – SourceForge
- If you are comfortable with a remote command line – PsExec.
- Baseline information:
  - Network traffic
  - File system
  - Registry
  - Memory image

- Remember it is ‘malware’.
- Use PKZIP to handle the sample.
- Command line method.
- If you are submitting samples online, password = ‘infected’.
- Disk image analysis: AIDE (Advanced Intrusion Detection Environment) for comparing disk images before and after.
- NTFS-3G drivers and getfattr for ADS streams.
- Registry dumped using dumphive.
- Compare registry dumps before and after using the Linux diff -u command.
- Memory image analysis: pmodump.pl modified to handle PEB randomisations; the Volatility framework used for analysis.
- Outputs of multiple tools used to compare and analyse.
- File system and registry monitoring: Process Monitor and Capture BAT
- Process monitoring: Process Explorer and Process Hacker
- Network monitoring: Wireshark and SmartSniff
- Change detection: Regshot
- A good way to see changes to the network is with a tool called ndiff.
- ndiff is a tool that utilizes nmap output to identify the differences, or changes, that have occurred in your environment.
- ndiff can be downloaded from http://www.vinecorp.com/ndiff/.
- tcpdump – console
- WinDump – console
- Wireshark – GUI
The options offered in ndiff include:

    ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>]
          [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>]
          [-fmt|-format <terse | minimal | verbose | machine | html | htmle>]

ndiff output may be redirected to a web page (plain hyphens before the option names; the curly dashes in the original slide would not be accepted by the shell):

    ndiff -b base-line.txt -o tested.txt -fmt machine | ndiff2html > differences.html

- The output file, “differences.html”, may be displayed in a web browser. This will separate hosts into three main categories:
  - new hosts,
  - missing hosts, and
  - changed hosts.
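The deck's baseline-then-compare step (AIDE over disk images, diff -u over registry dumps, ndiff over nmap output) written as one small script; this is an added example, not the deck's or any of those tools' code. The snapshot values are constructed, and the three categories mirror ndiff's new / missing / changed split.

```python
import hashlib
import os

# Every snapshot is a dict keyed by an identifier (path, registry key, port);
# the value holds whatever attributes should count as "changed" when they differ.

def snapshot_tree(root):
    """Record (size, sha256) for every file under root. Run once on the clean
    victim machine and once after detonation, then feed both to diff_snapshots."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
            except OSError:
                continue  # locked or vanished file: skip rather than abort the walk
    return snap


def diff_snapshots(before, after):
    """Split identifiers into the three ndiff categories: new, missing, changed."""
    before_keys, after_keys = set(before), set(after)
    return {
        "new": sorted(after_keys - before_keys),
        "missing": sorted(before_keys - after_keys),
        "changed": sorted(k for k in before_keys & after_keys if before[k] != after[k]),
    }


def compare_all(before, after):
    """Diff every domain (files, registry, ports, ...) present in the baseline."""
    return {domain: diff_snapshots(before[domain], after.get(domain, {}))
            for domain in before}


def render_report(results):
    """Fold the per-domain diffs into the plain-text report an analyst reads."""
    lines = []
    for domain, diff in results.items():
        counts = ", ".join(f"{len(diff[c])} {c}" for c in ("new", "missing", "changed"))
        lines.append(f"== {domain}: {counts}")
        for cat in ("new", "missing", "changed"):
            lines.extend(f"   [{cat}] {key}" for key in diff[cat])
    return "\n".join(lines)


# Constructed sample snapshots (hypothetical values, not taken from a real machine).
SAMPLE_BEFORE = {
    "files": {
        "WINDOWS/system32/kernel32.dll": (989696, "sha256-of-clean-kernel32"),
        "Documents/notes.txt": (120, "sha256-of-notes"),
    },
    "registry": {
        "HKLM/Software/Microsoft/Windows/CurrentVersion/Run": {"ctfmon": "ctfmon.exe"},
    },
    "ports": {"tcp/135": "svchost.exe", "tcp/445": "System"},
}
SAMPLE_AFTER = {
    "files": {
        "WINDOWS/system32/kernel32.dll": (989696, "sha256-of-clean-kernel32"),
        "WINDOWS/system32/dropped.exe": (45056, "sha256-of-dropped"),
    },
    "registry": {
        "HKLM/Software/Microsoft/Windows/CurrentVersion/Run": {
            "ctfmon": "ctfmon.exe",
            "updater": "C:\\WINDOWS\\system32\\dropped.exe",
        },
    },
    "ports": {"tcp/135": "svchost.exe", "tcp/445": "System", "tcp/6667": "dropped.exe"},
}

if __name__ == "__main__":
    print(render_report(compare_all(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

Replace the constructed dicts with the output of snapshot_tree (and equivalent collectors for the registry and listening ports) to use it on a real victim machine.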
- netstat
- Fport
- TCPVcon – console
- TCPView – GUI
- Handle – console
- Process Explorer – GUI
- Use the PID to correlate outputs.
- Hashing functions
  - md5deep – Jesse Kornblum
- Fuzzy hashing
  - ssdeep – again Jesse
- Online hashes of good files – NIST
- A good start
  - VirusTotal
  - VirusScan
  - and many more
- Help retain focus:
  - virus@ca.com
  - sample@nod32.com
  - samples@f-secure.com
  - newvirus@kaspersky.com
- VirusTotal, Jotti, virus.org
- Many more
- PEiD
- PolyUnpack
- Renovo – part of BitBlaze, based on memory unpacking
- And many more
- Tools:
  - PEview
  - Depends
  - PE Browse Pro
  - objdump
  - Resource Hacker
  - strings
- Determine the date/time of compilation, functions imported by the program, icons, menus, version info and strings embedded in the resources.
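A minimal PE header walker that pulls the static facts just listed (compile timestamp, sections, imported functions) from raw bytes, without pefile or PEview; this is an added example, not code from the deck. The sample image it parses is constructed in build_sample_pe and is not a real program.

```python
import struct
from datetime import datetime, timezone

def _rva_to_offset(sections, rva):
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data):
    """Return machine, compile time (UTC), section names and {dll: [imports]}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit thunks, data directories at +96
        dd_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:    # PE32+: 64-bit thunks, data directories at +112
        dd_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):   # section table follows the optional header, 40 bytes each
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize, raw_ptr, raw_size))
    import_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]  # directory 1
    imports = {}
    desc = _rva_to_offset(sections, import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break                       # all-zero descriptor terminates the table
        funcs = []
        thunk = _rva_to_offset(sections, oft or ft)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:        # import by ordinal, no name available
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                       # RVA of IMAGE_IMPORT_BY_NAME: 2-byte hint + name
                funcs.append(_cstring(data, _rva_to_offset(sections, entry) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstring(data, _rva_to_offset(sections, name_rva))] = funcs
        desc += 20
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "sections": [s[0] for s in sections],
        "imports": imports,
    }

def build_sample_pe(stamp=0x4A3C2E10):
    """Constructed PE32 image (hypothetical, not a real program): one .idata
    section at RVA 0x2000 importing from two DLLs, one entry by ordinal."""
    sec = bytearray(0x200)
    def put(rel, blob):
        sec[rel:rel + len(blob)] = blob
    put(0x00, struct.pack("<IIIII", 0x2090, 0, 0, 0x2040, 0x2090))   # KERNEL32 descriptor
    put(0x14, struct.pack("<IIIII", 0x20A0, 0, 0, 0x2050, 0x20A0))   # WS2_32 descriptor
    put(0x40, b"KERNEL32.dll\0")
    put(0x50, b"WS2_32.dll\0")
    put(0x60, b"\0\0CreateFileA\0")
    put(0x70, b"\0\0WriteFile\0")
    put(0x80, b"\0\0connect\0")
    put(0x90, struct.pack("<III", 0x2060, 0x2070, 0))
    put(0xA0, struct.pack("<III", 0x2080, 0x80000017, 0))            # ordinal 23
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, 0x2000, 0x3C)               # import directory
    hdr = struct.pack("<8sIIII", b".idata", 0x200, 0x2000, 0x200, 0x200) + bytes(16)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdr
    return head + bytes(0x200 - len(head)) + bytes(sec)
```

Point parse_pe at the bytes of a real sample (read it from inside the isolated lab, never by running it) to get the same dictionary for it.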
- strings
- VIP utility – www.freespaceinternetsecurity.com
- InCtrl5
- Sandboxie
- Filemon
- Regmon
- Autoruns
- HijackThis
- ……..
- PE format: need I say more.
- LordPE: can also do memory dumps
- PE Tools
- PEiD: to find packer details
- WinDbg
- OllyDbg
- IDA Pro
- SYSRDBG – kernel level?
- Kernel debugger from MS
- Knowledge of assembly language critical
- Trap – API emulation
- JavaScript obfuscation – SpiderMonkey.
- Tools for MS Office formats:
  - OfficeMalScanner
  - OffVis
  - Office Binary Translator (includes the BiffView tool).
  - OfficeCat.
  - FileHex and FileInsight hex editors can parse and edit OLE structures.
- Similarly, tools for PDF, Flash etc.
- Extensive features ≠ good tool
- Requirement to script and parse outputs into a ‘readable report’
- Command line / GUI options
- Comparison of multiple tools as verification
- Rapid Assessment & Potential Incident Examination Report.
- RAPIER is a security tool built to facilitate first response procedures for incident handling.
- Overlap between forensics and malware analysis.
- To illustrate the requirement to ‘script around GUI tools’.
- As part of analysis, try to identify the source.
  - Block lists of suspected malicious IPs and URLs.
- Looking up potentially malicious websites.
- Initial vector – browser history, email logs.
- Similarity studies:
  - http://code.google.com/p/yara-project/
  - Genome-based classification
  - Malware similarity analysis – Black Hat 09 – Daniel Raygoza
  - BLAST: Basic Local Alignment Search Tool based classification
  - Fuzzy Clarity – Digital Ninja
- Research is on for classification according to:
  - opcode distribution
  - API calls made
  - compiler parameters
  - ……
  - which will give the ‘heuristics’
- Always correlate the analysis:
  - Anubis (formerly TTAnalyze)
  - BitBlaze (cousin of the WebBlaze project)
  - Comodo
  - CWSandbox
  - Eureka
  - JoeBox
  - Norman SandBox
  - ThreatExpert
  - Xandora
- Suggested reading:
  - WiLDCAT: An Integrated Stealth Environment for Dynamic Malware Analysis – Amit Vasudevan
  - ‘WYSINWYX’: What You See Is Not What You eXecute – Gogul Balakrishnan
  - Large-Scale Dynamic Malware Analysis – Ulrich Bayer
'Malware Analysis' by PP Singh

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

'Malware Analysis' by PP Singh

  • 2. OUR GAME PLAN
    - TODAY – A THEORETICAL OVERVIEW FOLLOWED BY A CASE STUDY
    - DETAILED PRESENTATIONS ABOUT EACH COMPONENT: VIRTUALIZATION, HONEYPOTS / HONEYNETS, DEBUGGING, AND SO ON (HOPEFULLY)
  • 3. CAPABILITY FOR ‘ABSTRACT MATHEMATICS’
    - ASSEMBLY LANGUAGE
    - LACK OF SOCIAL LIFE
    - ADEQUATE ‘BEHAVIOR MODIFICATION’ OR ‘TRANCE INDUCING’ MATERIALS
  • 4. BASICS
    - SETTING UP A LAB ENVIRONMENT
    - ANALYSIS
      o NETWORK TRAFFIC
      o DISK IMAGE / FILE SYSTEM
      o MEMORY IMAGE
      o STATIC ANALYSIS
  • 5. TRADITIONALLY WE HAD SOURCE CODE AUDITING – THE PRIME REQUIREMENT WAS SAFETY OF CODE
    - THEN CAME PROPRIETARY CODE AND WITH IT ‘BLACK BOX TESTING’
    - ALONG CAME MODULAR COMPONENTS AND WE GRADUATED TO ‘REVERSE ENGINEERING’
  • 6. WITH COTS PRODUCTS CAME ISSUES OF TRUST – MICROSOFT IS SAFE, BUT WHAT ABOUT THE GUYS WHO MADE THE DLL?
    - SUGGESTED READING: ‘WYSINWYX’, GOGUL BALAKRISHNAN’S PHD THESIS
    - A METHOD OF REVERSE ENGINEERING A PROGRAM TOGETHER WITH ALL ITS ASSOCIATED LIBRARIES: ‘HOLISTIC REVERSE ENGINEERING’
  • 7. A FOCUSED APPLICATION – MALWARE ANALYSIS
    - WHY: TRADITIONAL SIGNATURE-BASED DETECTION IS FUTILE AGAINST EVOLVING MALWARE
    - THE SAME LOGIC HAS MULTIPLE ‘SIGNATURES’ (E.G. THROUGH PACKING OR POLYMORPHISM)
    - HENCE ‘BEHAVIORAL ANALYSIS’
  • 8. PROS & CONS OF BOTH STATIC ANALYSIS & BEHAVIORAL ANALYSIS
    - LARGER VOLUMES OF SAMPLES NECESSITATE ‘AUTOMATION’
    - ENTER CWSANDBOX, NORMAN SANDBOX & OTHERS
    - BUT WE NEED ‘MORE’
  • 9. OVERLAP WITH FORENSICS
    - PRIVACY & POLICY ISSUES
    - WISH TO LEARN
    - ‘LIVE’ EXERCISE – PART OF GROWING UP
    - FIELD OF WORK
    - REQUIREMENT OF CUSTOMIZED DATA
    - COMPLEXITIES IN THE MALWARE WORLD
  • 10. BASICS
    - SETTING UP A LAB ENVIRONMENT
    - ANALYSIS
      o STATIC ANALYSIS
      o NETWORK TRAFFIC
      o DISK IMAGE / FILE SYSTEM
      o MEMORY IMAGE
  • 11. A CONTROLLED ENVIRONMENT
    ▪ MALWARE COLLECTION. COLLECTION THROUGH SPAM TRAPS, HONEYPOTS AND SHARED DATA; NEPENTHES AS AN EXAMPLE.
    ▪ VICTIM MACHINES. VIRTUAL OR REAL. VIRTUAL MACHINES ARE EASIER TO MANAGE, BUT MALWARE IS INCREASINGLY AWARE OF THEM. VMWARE, PARALLELS, QEMU AND BOCHS ARE AVAILABLE.
  • 12. ▪ SUPPORT TOOLS
    ▪ NETWORK SIMULATION. INTERNET CONNECTION, DNS, IRC, WEB AND SMTP SERVERS.
    ▪ ANALYSIS TOOLS. SUPPORT OF ONLINE RESOURCES LIKE VIRUSTOTAL.
    - IT SHOULD BE ISOLATED.
    - IT SHOULD PROVIDE A FULL SIMULATION.
  • 13. FRIENDS
    - ONLINE RESOURCES
    - HONEYPOTS
      o AMUN
      o NEPENTHES
      o ….
  • 14. WINDOWS OS
    - START – RESTORING A WINDOWS IMAGE USING LINUX
    - THE RE-USABLE MALWARE ANALYSIS NET ‘TRUMAN’
    - VIRTUAL MACHINES
    - NORTON GHOST / UDPCAST / ACRONIS
    - HARDWARE – CORE RESTORE
    - MICROSOFT – STEADYSTATE
  • 15. THIS MINI LINUX IMPLEMENTATION CONTAINS TOOLS LIKE PARTIMAGE, NTFSRESIZE AND FDISK AND IS BASED AROUND THE FANTASTIC BUSYBOX.
    - IT ENABLES YOU TO PXE BOOT A PC INTO A LINUX CLIENT WHICH CAN CREATE AN NTFS PARTITION, GRAB A WINDOWS DISK IMAGE FROM THE NETWORK, WRITE IT TO A LOCAL DISK AND THEN RESIZE THAT PARTITION.
  • 16. TWO MACHINES MINIMUM
    - LINUX-BASED SERVER
    - TRUMAN MACHINE AS CLIENT (XP WITHOUT PATCHES). INSTALLATION FAQ ON NSMWIKI.
    - VIRTUAL NETWORK SIMULATION
  • 17.
  • 18.
  • 19. MAVMM: LIGHTWEIGHT AND PURPOSE-BUILT VMM FOR MALWARE ANALYSIS
    - AUTHORS – ANH M. NGUYEN, NABIL SCHEAR, HEEDONG JUNG, APEKSHA GODIYAL, SAMUEL T. KING, HAI D. NGUYEN
    - A SPECIAL-PURPOSE VIRTUAL MACHINE MONITOR FOR MALWARE ANALYSIS
  • 20. ACADEMIC VERSION OF XP AVAILABLE
    - INSTRUMENTATION OF CODE FEASIBLE
    - CREATION OF ‘SPECIAL WINDOWS’ BOXES
  • 21. BASICS
    - SETTING UP A LAB ENVIRONMENT
    - ANALYSIS
      o STATIC ANALYSIS
      o NETWORK TRAFFIC
      o DISK IMAGE / FILE SYSTEM
      o MEMORY IMAGE
  • 22. CREATE A CONTROLLED ENVIRONMENT. VIRTUAL OR REAL.
    - BASELINE THE ENVIRONMENT:
      ▪ VICTIM MACHINE. FILE SYSTEM, REGISTRY, RUNNING PROCESSES, OPEN PORTS, USERS, GROUPS, NETWORK SHARES, SERVICES ETC.
      ▪ NETWORK TRAFFIC.
      ▪ EXTERNAL VIEW (E.G. A PORT SCAN OF THE VICTIM FROM ANOTHER HOST).
  • 23. INFORMATION COLLECTION
    ▪ STATIC. STRINGS, RESOURCES, SCRIPTS, FILE PROPERTIES ETC.
    ▪ DYNAMIC.
    - INFORMATION ANALYSIS. INVOLVES INFORMATION COLLATION, INTERNET SEARCHES, STARTUP METHODS, COMMUNICATION PROTOCOLS, SPREADING MECHANISMS ETC.
    - RECONSTRUCTING THE BIG PICTURE.
    - DOCUMENTATION.
  • 24. PSEXEC – PART OF THE SYSINTERNALS PSTOOLS KIT
    - MS REMOTE DESKTOP
    - VIRTUAL NETWORK COMPUTING (VNC)
    - ULTRAVNC – SOURCEFORGE
    - IF YOU ARE COMFORTABLE WITH A REMOTE COMMAND LINE – PSEXEC
  • 25. BASELINE INFORMATION
    o NETWORK TRAFFIC
    o FILE SYSTEM
    o REGISTRY
    o MEMORY IMAGE
  • 26. REMEMBER IT IS ‘MALWARE’
    - USE PKZIP TO HANDLE THE SAMPLE (A PASSWORD-PROTECTED ARCHIVE KEEPS IT FROM BEING RUN BY ACCIDENT OR QUARANTINED BY ANTIVIRUS ON THE ANALYSIS HOST)
    - COMMAND LINE METHOD
    - IF YOU ARE SUBMITTING SAMPLES ONLINE, PASSWORD = ‘infected’
  • 27. DISK IMAGE ANALYSIS
    - ADVANCED INTRUSION DETECTION ENVIRONMENT (AIDE) FOR COMPARING DISK IMAGES BEFORE AND AFTER.
    - NTFS-3G DRIVERS & GETFATTR FOR ALTERNATE DATA STREAMS (ADS); NTFS-3G EXPOSES THEM AS user.* EXTENDED ATTRIBUTES WHEN MOUNTED WITH streams_interface=xattr.
    - REGISTRY USING DUMPHIVE
    - COMPARE REGISTRY DUMPS BEFORE AND AFTER USING THE LINUX diff -u COMMAND
    - MEMORY IMAGE ANALYSIS. PMODUMP.PL MODIFIED TO HANDLE PEB RANDOMISATIONS; VOLATILITY FRAMEWORK USED FOR ANALYSIS.
    - OUTPUTS OF MULTIPLE TOOLS USED TO COMPARE AND ANALYSE.
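The before/after comparison of the victim file system that slides 22, 25 and 27 describe (AIDE over two disk images), as an added worked example. This is not code from the deck and not AIDE itself; it only uses the Python standard library. In practice `snapshot()` would be pointed at the read-only mounted victim image before and after detonation; the directory tree, file names and timestamps in `demo()` are constructed so the script runs stand-alone.

```python
"""Before/after file-system baseline of a victim image, AIDE-style.

Added example, not from the slides. Take a snapshot (size, mtime, SHA-256)
of every regular file under a root before the sample runs, take another
afterwards, and report what was added, removed, modified or merely touched.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[int, float, str]          # (size, mtime, sha256 hex)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Map each regular file (relative path, '/'-separated) to its record."""
    records: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = (st.st_size, st.st_mtime, sha256_file(full))
    return records


def compare(before: Dict[str, Record], after: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify every path: added, removed, modified (content differs) or
    touched (same content, new mtime: timestomping or a benign update)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified: List[str] = []
    touched: List[str] = []
    for path in sorted(set(before) & set(after)):
        b, a = before[path], after[path]
        if b[2] != a[2]:
            modified.append(path)
        elif b[1] != a[1]:
            touched.append(path)
    return {"added": added, "removed": removed, "modified": modified, "touched": touched}


def _write(root: str, rel: str, data: bytes, mtime: float) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (not a real victim): a sample drops a DLL, edits
    hosts, deletes its dropper and re-dates a file it never changed."""
    t0 = 1_254_355_200.0                              # arbitrary fixed mtime
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n", t0)
        _write(root, "Windows/System32/kernel32.dll", b"MZ" + b"\x00" * 64, t0)
        _write(root, "Users/victim/Desktop/invoice.exe", b"MZ dropper", t0)
        before = snapshot(root)

        # what the sample did
        _write(root, "Windows/System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n127.0.0.1 www.virustotal.com\n", t0 + 60)
        _write(root, "Windows/System32/msupdate.dll", b"MZ payload", t0 + 61)
        os.remove(os.path.join(root, "Users", "victim", "Desktop", "invoice.exe"))
        k32 = os.path.join(root, "Windows", "System32", "kernel32.dll")
        os.utime(k32, (t0 + 62, t0 + 62))             # touched, content intact
        after = snapshot(root)
    return compare(before, after)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

The "touched" bucket is the one a pure `diff -u` of two listings misses: a file whose hash is unchanged but whose mtime moved is either noise from the OS or evidence of timestamp tampering, and either way it should not be confused with a real modification.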
  • 28. FILE SYSTEM AND REGISTRY MONITORING: PROCESS MONITOR AND CAPTURE BAT
    - PROCESS MONITORING: PROCESS EXPLORER AND PROCESS HACKER
    - NETWORK MONITORING: WIRESHARK AND SMARTSNIFF
    - CHANGE DETECTION: REGSHOT
  • 29. A GOOD WAY TO SEE CHANGES TO THE NETWORK IS WITH A TOOL CALLED NDIFF.
    - NDIFF IS A TOOL THAT USES NMAP OUTPUT TO IDENTIFY THE DIFFERENCES, OR CHANGES, THAT HAVE OCCURRED IN YOUR ENVIRONMENT.
    - NDIFF CAN BE DOWNLOADED FROM http://www.vinecorp.com/ndiff/. (NOTE: SINCE NMAP 5.00, NMAP SHIPS ITS OWN, UNRELATED ‘NDIFF’ THAT COMPARES TWO XML SCAN FILES, INVOKED AS ndiff baseline.xml observed.xml; IT DOES NOT ACCEPT THE OPTIONS SHOWN ON SLIDE 31.)
  • 30. TCPDUMP – CONSOLE
    - WINDUMP – CONSOLE
    - WIRESHARK – GUI
  • 31. THE OPTIONS OFFERED IN NDIFF INCLUDE:
      ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>] [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>] [-fmt|-format <terse | minimal | verbose | machine | html | htmle>]
    - NDIFF OUTPUT MAY BE REDIRECTED TO A WEB PAGE:
      ndiff -b base-line.txt -o tested.txt -fmt machine | ndiff2html > differences.html
    - THE OUTPUT FILE, “differences.html”, MAY BE DISPLAYED IN A WEB BROWSER. THIS WILL SEPARATE HOSTS INTO THREE MAIN CATEGORIES:
      o NEW HOSTS,
      o MISSING HOSTS, AND
      o CHANGED HOSTS.
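What ndiff does with two Nmap scans (slides 29 and 31), as an added example that re-implements the idea rather than wrapping the tool: parse two greppable (`-oG`) scans, one taken before detonation and one after, and sort hosts into the same three categories (new, missing, changed), with the per-host port deltas that make "changed" actionable. This is not code from the deck or from either ndiff; the two scan texts are constructed for the demo and are not real Nmap output.

```python
"""Diff two Nmap greppable (-oG) scans into ndiff's three categories.

Added example, not from the slides and not the ndiff tool itself.
Run nmap -oG against the victim before and after detonation and feed both
files to diff_scans(). BASELINE/OBSERVED below are constructed samples.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str, str, str]        # (port, proto, state, service)


def parse_greppable(text: str) -> Dict[str, Set[Port]]:
    """Return {address: set of (port, proto, state, service)} for every host.
    -oG emits tab-separated fields; the 'Ports:' field holds comma-separated
    entries of the form port/state/proto/owner/service/rpc/version/."""
    hosts: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # skip '#' comment lines
        fields = line.split("\t")
        addr = fields[0].split()[1]
        ports = hosts.setdefault(addr, set())   # 'Status:' line creates the host
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                ports.add((int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts


def _ip_key(addr: str):
    return ipaddress.ip_address(addr)


def diff_scans(baseline: Dict[str, Set[Port]], observed: Dict[str, Set[Port]]) -> dict:
    """Split hosts into new / missing / changed, listing per-host port deltas."""
    new_hosts = sorted(set(observed) - set(baseline), key=_ip_key)
    missing_hosts = sorted(set(baseline) - set(observed), key=_ip_key)
    changed: Dict[str, Dict[str, List[Port]]] = {}
    for addr in sorted(set(baseline) & set(observed), key=_ip_key):
        opened = observed[addr] - baseline[addr]
        closed = baseline[addr] - observed[addr]
        if opened or closed:
            changed[addr] = {"opened": sorted(opened), "closed": sorted(closed)}
    return {"new_hosts": new_hosts, "missing_hosts": missing_hosts, "changed_hosts": changed}


# Constructed sample scans of a lab network (not real nmap output).
BASELINE = (
    "# Nmap 5.21 scan initiated (constructed baseline)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.7 ()\tStatus: Up\n"
    "Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n"
)
OBSERVED = (
    "# Nmap 5.21 scan initiated (constructed, after detonation)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, "
    "6667/open/tcp//irc///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)\n"
)


def demo() -> dict:
    return diff_scans(parse_greppable(BASELINE), parse_greppable(OBSERVED))


if __name__ == "__main__":
    report = demo()
    print("new hosts:    ", report["new_hosts"])
    print("missing hosts:", report["missing_hosts"])
    for addr, delta in report["changed_hosts"].items():
        print(f"changed host {addr}: opened={delta['opened']} closed={delta['closed']}")
```

A newly opened listener on the victim (here 6667/tcp) is the external-view counterpart of what netstat/TCPView show on the box itself (slide 32); correlating the two is how you tell a real backdoor from a scan artifact.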
  • 32. NETSTAT
    - FPORT
    - TCPVCON – CONSOLE
    - TCPVIEW – GUI
    - HANDLE – CONSOLE
    - PROCESS EXPLORER – GUI
    - USE THE PID TO CORRELATE OUTPUTS
  • 33. HASHING FUNCTIONS
      o MD5DEEP – JESSE KORNBLUM
    - FUZZY HASHING
      o SSDEEP – AGAIN JESSE
    - ONLINE HASHES OF KNOWN-GOOD FILES – NIST NSRL (NATIONAL SOFTWARE REFERENCE LIBRARY)
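Why slide 33 lists ssdeep next to md5deep, shown as an added example rather than by running the tools: a minimal context-triggered piecewise hash (CTPH), the idea ssdeep implements. This is not ssdeep's code and simplifies it (ssdeep derives the block size from the file length and emits two signatures; here the block size is fixed and one signature is produced). The sample bytes are constructed pseudo-random data, not a real malware family.

```python
"""Minimal context-triggered piecewise hash (CTPH), the idea behind ssdeep.

Added example, not from the slides and not ssdeep's code. A cryptographic
hash changes completely after a one-byte patch; a piecewise hash only
changes in the pieces around the edit, so variants of one family score high.
"""
import difflib
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MOD = 1 << 32


def piece_signature(data: bytes, block_size: int = 64, window: int = 7) -> str:
    """Cut `data` into pieces wherever a rolling hash of the last `window`
    bytes hits a trigger value, then encode each piece as one character.
    Because the trigger depends only on local content, an insertion or edit
    disturbs only the pieces around it; later boundaries re-align."""
    pow_w = pow(257, window, MOD)
    h, start, chars = 0, 0, []
    for i, b in enumerate(data):
        h = (h * 257 + b) % MOD
        if i >= window:                      # drop the byte leaving the window
            h = (h - data[i - window] * pow_w) % MOD
        if h % block_size == block_size - 1:  # trigger: close this piece
            chars.append(ALPHABET[hashlib.sha256(data[start:i + 1]).digest()[0] & 63])
            start = i + 1
    if start < len(data):                    # trailing partial piece
        chars.append(ALPHABET[hashlib.sha256(data[start:]).digest()[0] & 63])
    return "".join(chars)


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score from the edit similarity of two signatures."""
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b, autojunk=False).ratio())


def _pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic filler so the demo runs offline (constructed data)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def demo() -> dict:
    original = _pseudo_random(b"sample-A", 6000)
    # A 'variant': the same bytes with 64 bytes patched in at the middle. Its
    # SHA-256 is unrelated to the original's; its piecewise signature is not.
    variant = original[:3000] + _pseudo_random(b"patch", 64) + original[3000:]
    unrelated = _pseudo_random(b"sample-B", 6000)
    sig_o, sig_v, sig_u = (piece_signature(x) for x in (original, variant, unrelated))
    return {
        "sha256_matches": hashlib.sha256(original).digest() == hashlib.sha256(variant).digest(),
        "variant_score": similarity(sig_o, sig_v),
        "unrelated_score": similarity(sig_o, sig_u),
        "pieces": len(sig_o),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for slide 34's "good start": an exact-hash lookup against VirusTotal or the NSRL answers only "have I seen this byte-for-byte file"; a fuzzy score answers "is this a repack or minor revision of something I already analysed", which is the question the evolving-malware argument of slide 7 actually poses.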
  • 34. A GOOD START
    - VIRUSTOTAL
    - VIRUSSCAN
    - AND MANY MORE
    - HELP RETAIN FOCUS
  • 35. virus@ca.com
    - sample@nod32.com
    - samples@f-secure.com
    - newvirus@kaspersky.com
    - VIRUSTOTAL, JOTTI, VIRUS.ORG
    - MANY MORE
  • 36. PEID
    - POLYUNPACK
    - RENOVO – PART OF BITBLAZE, BASED ON MEMORY UNPACKING
    - AND MANY MORE
  • 37. TOOLS:
      o PEVIEW
      o DEPENDS (DEPENDENCY WALKER)
      o PE BROWSE PRO
      o OBJDUMP
      o RESOURCE HACKER
      o STRINGS
    - DETERMINE THE DATE/TIME OF COMPILATION, FUNCTIONS IMPORTED BY THE PROGRAM, ICONS, MENUS, VERSION INFO AND STRINGS EMBEDDED IN THE RESOURCES.
  • 38. STRINGS
    - VIP UTILITY – www.freespaceinternetsecurity.com
    - InCtrl5
    - SANDBOXIE
    - FILEMON
    - REGMON
    - AUTORUNS
    - HIJACKTHIS
    - ……..
  • 39. PE FORMAT – NEED I SAY MORE.
    - LORDPE – CAN ALSO DO MEMORY DUMPS
    - PETOOLS
    - PEID – TO FIND PACKER DETAILS
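The static PE checks of slides 36, 37 and 39 (compile timestamp, section layout, "is it packed?") as an added example in plain Python, not code from the deck and not PEiD or LordPE. It reads the DOS, COFF and section headers with `struct` and applies the packer heuristics a PEiD-style tool leans on when it has no signature match: high Shannon entropy in a section, a section that is both writable and executable, and UPX's default section names. The sample image returned by `build_sample_pe()` is constructed here, is not a runnable binary, and the import table is deliberately not walked (that needs the data directories and an RVA-to-offset mapping).

```python
"""Read a PE header without third-party tools and apply packer heuristics.

Added example, not from the slides and not PEiD/LordPE code. Constructed
sample PE only; it has headers and sections but no real code or imports.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # UPX defaults; PEiD uses a full signature DB
ENTROPY_THRESHOLD = 7.0                           # bits/byte; compiled code usually sits well below


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_pe(data: bytes) -> dict:
    """Parse DOS/COFF/section headers; return header facts plus per-section
    entropy and a list of (section, reasons) that look packed or suspicious."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]       # 0x10b PE32, 0x20b PE32+
    sec_table = coff + 20 + opt_size
    sections, suspicious = [], []
    for i in range(nsections):
        (raw_name, vsize, vaddr, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         sec_chars) = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        reasons = []
        if entropy > ENTROPY_THRESHOLD:
            reasons.append(f"entropy {entropy:.2f} > {ENTROPY_THRESHOLD}")
        if sec_chars & IMAGE_SCN_MEM_WRITE and sec_chars & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")
        if name in PACKER_SECTION_NAMES:
            reasons.append("known packer section name")
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "entropy": entropy, "characteristics": sec_chars})
        if reasons:
            suspicious.append((name, reasons))
    return {
        "machine": machine,
        "pe32_plus": magic == 0x20B,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": characteristics,
        "sections": sections,
        "suspicious": suspicious,
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image: a low-entropy .text and a UPX1-style
    section filled with high-entropy bytes. Headers only; not executable."""
    text = bytes(range(16)) * 256                            # 4096 bytes, entropy exactly 4.0
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8192 near-random bytes
    headers_len = 64 + 4 + 20 + 224 + 40 * 2
    text_off = ((headers_len + 0x1FF) // 0x200) * 0x200      # 512-byte file alignment
    packed_off = text_off + len(text)

    def section(name, vaddr, raw, off, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), off, 0, 0, 0, 0, flags)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew -> offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1254355200, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222
    table = (section(b".text", 0x1000, text, text_off, 0x60000020) +
             section(b"UPX1", 0x2000, packed, packed_off, 0xE0000040))
    image = dos + b"PE\0\0" + coff + optional + table
    return image + b"\0" * (text_off - len(image)) + text + packed


if __name__ == "__main__":
    info = analyze_pe(build_sample_pe())
    print(f"machine=0x{info['machine']:x} compiled={info['compiled']}")
    for s in info["sections"]:
        print(f"  {s['name']:8s} rva=0x{s['vaddr']:x} size={s['raw_size']} entropy={s['entropy']:.2f}")
    for name, reasons in info["suspicious"]:
        print(f"  suspicious: {name}: {', '.join(reasons)}")
```

Treat every one of these signals as a hint, not a verdict: the compile timestamp is attacker-controlled, legitimate installers carry high-entropy resource sections, and a packer can trivially rename its sections. The reliable next step is the one slides 36 and 39 point at, a memory dump of the unpacked image with LordPE or Renovo, followed by the same header walk over the dump.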
  • 40. WINDBG
    - OLLYDBG
    - IDA PRO
    - SYSRDBG – KERNEL LEVEL?
    - KERNEL DEBUGGER FROM MS
    - KNOWLEDGE OF ASSEMBLY LANGUAGE IS CRITICAL
    - TRAP – API EMULATION
  • 41. JAVASCRIPT OBFUSCATION – SPIDERMONKEY.
    - TOOLS FOR MS OFFICE FORMATS:
      - OFFICEMALSCANNER
      - OFFVIS
      - OFFICE BINARY TRANSLATOR (INCLUDES THE BIFFVIEW TOOL)
      - OFFICECAT
      - FILEHEX AND FILEINSIGHT HEX EDITORS CAN PARSE AND EDIT OLE STRUCTURES.
    - SIMILAR TOOLS EXIST FOR PDF, FLASH ETC.
  • 42. EXTENSIVE FEATURES ≠ GOOD TOOL
    - REQUIREMENT TO SCRIPT & PARSE OUTPUTS INTO A ‘READABLE REPORT’
    - COMMAND LINE / GUI OPTIONS
    - COMPARISON OF MULTIPLE TOOLS AS VERIFICATION
  • 43. RAPID ASSESSMENT & POTENTIAL INCIDENT EXAMINATION REPORT
    - RAPIER IS A SECURITY TOOL BUILT TO FACILITATE FIRST-RESPONSE PROCEDURES FOR INCIDENT HANDLING.
    - OVERLAP BETWEEN FORENSICS AND MALWARE ANALYSIS.
    - ILLUSTRATES THE REQUIREMENT TO ‘SCRIPT AROUND GUI TOOLS’.
  • 44. AS PART OF ANALYSIS, TRY TO IDENTIFY THE SOURCE.
    - BLOCK LISTS OF SUSPECTED MALICIOUS IPS AND URLS
    - LOOKING UP POTENTIALLY MALICIOUS WEBSITES
    - INITIAL VECTOR – BROWSER HISTORY, EMAIL LOGS
  • 45. SIMILARITY STUDIES:
    - http://code.google.com/p/yara-project/
    - GENOME-BASED CLASSIFICATION
    - MALWARE SIMILARITY ANALYSIS – BLACK HAT 09 – DANIEL RAYGOZA
    - BLAST (BASIC LOCAL ALIGNMENT SEARCH TOOL) BASED CLASSIFICATION
    - FUZZY CLARITY – DIGITAL NINJA
  • 46. RESEARCH IS ON FOR CLASSIFICATION ACCORDING TO:
      o OPCODE DISTRIBUTION
      o API CALLS MADE
      o COMPILER PARAMETERS
      o ……
      o WILL GIVE THE ‘HEURISTICS’
  • 47. ALWAYS CORRELATE THE ANALYSIS:
      o ANUBIS (FORMERLY TTANALYZE)
      o BITBLAZE (COUSIN OF THE WEBBLAZE PROJECT)
      o COMODO
      o CWSANDBOX
      o EUREKA
      o JOEBOX
      o NORMAN SANDBOX
      o THREATEXPERT
      o XANDORA
  • 48.
  • 49. SUGGESTED READING
      o WILDCAT: AN INTEGRATED STEALTH ENVIRONMENT FOR DYNAMIC MALWARE ANALYSIS – AMIT VASUDEVAN
      o ‘WYSINWYX’: WHAT YOU SEE IS NOT WHAT YOU EXECUTE – GOGUL BALAKRISHNAN
      o LARGE-SCALE DYNAMIC MALWARE ANALYSIS – ULRICH BAYER