SlideShare ist ein Scribd-Unternehmen logo

Malware Analysis - N00b to Ninja in 60 Minutes at HackMiami on May 17, 2015

grecsl
grecsl

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environments, three quick steps, and integrated distros that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a “ninja” per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

Technologie
1 von 48
Malware Analysis N00b to Ninja in 60 Minutes* @grecs NovaInfosec.com * Most listeners do not become Ninjas in under 60 minutes.
Disclaimer • Opinions expressed do not express the views or opinions of my – my employers – my customers, – my wife, – my kids, – my parents – my in-laws – my high school girlfriend from Canada Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
20 Yrs Industry 16 Yrs Infosec 5 Yrs SOC
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
NovaInfosec Consulting • 20 Years Industry/Infosec Experience • Security Engineering/ Architecture • SOC 2.0/Transformation • Security Training datamation.com/cnews/article.php/3851071/Tech-Comics-Cloud-Computing-Consultants.htm
Agenda • Introduction • Environment • Methodology • Where to Learn More • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, INTRODUCTION Why Definitions
Introduction WARNING!!! DO NOT ANALYZE MALWARE ON PRODUCTION SYSTEMS Security Analysts Looking to Expand Skills beyond Event Monitoring & Basic Analysis General Security Practitioners Interested in Getting Started in Malware Analysis
Introduction What Is Malware Analysis • The Analysis of Malware ;) • Reverse Engineering Malware to Understand How It Works and What It Does • Types – Triage – Dynamic Analysis – Static Analysis “Mastering 4 Stages of Malware Analysis” – Lenny Zeltser
Introduction What Is Triage? • Definition – Quickie Analysis To Understand as Much as Possible about the Malware • Goals – Gain Gist of What Malware Is & What Could Do What How Determine Basic Running Properties Automated Analysis See If Others Found Hash Search Analyze File Props (type, imports) PE Examination Find Textual Clues of Activity (if packed) Strings
Introduction Triage Is That Enough? Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction What Is Dynamic Analysis? • Definition – Execute Malware & Watch What It Does • Goals – Acquire Understanding of How Malware Acts What How Sense Host Changes Registry, File, Log, … Monitoring Uncover Runtime Properties Process Monitoring, Memory Analysis* Reveal Network Activity TCP/UDP Monitoring (DNS, HTTP, HTTPS) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction Dynamic Analysis • Process – Establish Baseline of Environment – Start Monitoring Applications & Execute Malware – Monitor Activities & Stop Monitoring Applications – Analyze Differences & Activity Recorded Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction Dynamic Analysis Is That Enough? Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction What Is Static Analysis? • Definition – Disassemble Malware Down to Computer Instructions • Goals – Reverse Engineer to Understand Exactly What It Does Easy Hard
ENVIRONMENT Platform Automated Single Box – Analysis Dual Box – Fake Gateway Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment
Environment Platform • Virtual – Efficient & Easy to Setup – Snap-Shots to Revert Back To – Malware Detecting VM & Terminating – Note: Use Non-Host Connected Interface (host- only doesn’t count) • Physical – VM Detection Not Possible – Resource Intensive Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Configurations • Automated – Triage Analysis Performed in Automated Environment – Emulates User Execution of & Interaction with Malware – Collects Artifacts on Malware Activity • Single Box – Triage and/or Dynamic Analysis Performed on One Machine – Potential Risk of Malware Sabotaging • Dual Box – Mitigates Some Sabotage Risk – Gateway to Simulate a Network – Realistic External View (ports open, network traffic) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Automated Analysis • Online – Malwr.com – Norman Sandbox – GFI Sandbox – Anubis – ThreatExpert.com • In-House – Commercial Products – e.g., Companies Above – Open Source – e.g., Cuckoo Sandbox – Minimum: Machine Loaded with Several AV Products Pic here showing one online form Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Automated Analysis • Cuckoo Sandbox – Automated Dynamic Analysis of Malware – Data Captured • API Calls: Trace of Relevant Win32 API Calls Performed • Network Traffic: Dump of Traffic Generated During Analysis • Screenshots: Taken During Analysis • Files: Created, Deleted, and Downloaded by Malware • Assembly Instructions: Trace of Assembly Instructions Executed – Setup • Can Be Frustrating CuckooBox: http://cuckoobox.org/
Environment Automated Analysis
Environment Single Box • Start with Base Unpatched Win XP SP2 Box in VMware – Similar to First Set of Post-Install Instructions for Metasploit Unleashed – Turn Off Automatic Updates – Disable Alerts • Where to Get – eBay, NewEgg, etc. – Windows Evals • Current Eval: http://technet.microsoft.com/en-us/evalcenter/default • Previous Vs: http://technet.microsoft.com/en-us/evalcenter/dn407368 • Modern IE: http://www.modern.ie/ (even Windows XP) – AWS (servers only) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Single Box • Install Triage Analysis Tools – Strings • Strings from Sysinternals (also strings2) • BinText from McAfee – PeStudio – PE Explorer – FileInsight • Hex Editor & Analysis Tool by McAfee
Environment Single Box • Install Dynamic Analysis Tools – Process Monitor • Exposes File System, Registry & Process Activity that Started During Malware Execution – Process Explorer • Advanced Task Manager Replacement • Reveals Info about Handles/DLLs Processes Opened/Loaded – WireShark (along with WinPCAP) • Sniffer to Capture Malware-Initiated Network Traffic – RegShot • View Changes Malware Makes in the Registry/File System Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653 WireShark: https://www.wireshark.org/ RegShot: http://sourceforge.net/projects/regshot/
Environment Single Box • Install Dynamic Analysis Tools (cont) – TCPView • Allows Detection of Malware Initiated Network Connections – FakeNet • Aids Dynamic Analysis of Malicious Software • Simulates Network so Malware Thinks Its Interacting with Remote Hosts • DNS, HTTP, SSL, Dummy Listener TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437 FakeNet: http://practicalmalwareanalysis.com/fakenet/
Environment Single Box • Install Static Analysis Tools – OllyDbg with OllyDump Plugin • General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly • Plugin to View Encrypted Malware When In Memory – Specialized Tools • PDFs: Didier Stevens’s PDFiD & PDF-Parser • Office: OfficeMalScanner • Flash: SWFTtools • Others: Java, JavaScript OllyDbg: http://www.ollydbg.de/ OllyDump: http://www.openrce.org/downloads/details/108/OllyDump Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/
Environment Single Box - Others • Other Ideas for Base Install or On-the-Fly – Several AV Products – Users of Various Permissions – Malware Analysis Pack (FakeDNS, Right-Click Opts – MD5, strings, VT) – CaptureBAT • File Analysis Tools – WinHex (restrictions under eval version; priced high for hobbyist) – 010 Editor (30 day eval; priced high for hobbyist) – FileAlyzer (similar to PeStudio but different capabilities) • Forensics – FTK Imager Lite – Autopsy/The Sleuth Kit – DumpIt – Volatility Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Single Box • Baseline – Configure VM to "Host-Only” Mode Secluded Network • Temporarily Change to NAT to Download Malware • Write-Once Media (e.g., CDs) • USB Key with Physical Write-Protect Switch – Imation USB 2.0 Clip Flash Drive – Kanguru Flashblu 2 – Snapshot VM • Rinse & Repeat – Library of Different OSs at Various SPs (XP SP1, 2, & 3) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Dual Box – Fake Gateway Server • Second Machine for Target to Connect To – Additional Advantage of Examining Network Traffic without Possible Malware Sabotage – Implement Linux Server in VMware & Configure to Be Default Route on Victim Machine – Should Have Fixed IP Addresses • Enable or Install Software that Provides Needed Services – DNS: Configured to Return Fake Servers IP for All Queries – HTTP – IRC – Others: DHCP, FTP, SSH – Other Services Depending on Goal of Analysis Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Dual Box – Fake Gateway Server • Install Network Analysis Tools – WireShark: Records Network Traffic from Victim – Netcat: Start Needed Ad-Hoc Services – Nmap: Scan for Open Ports External to Victim • Snapshot Fake Server Revert Back To Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Dual Box – Fake Gateway Server • REMnux – Created by Lenny Zeltser – ISO or Virtual Appliance – Triage • Load Malware on & Analyze • Web-Based Malware (e.g., Malicious JavaScript, Java Programs, & Flash Files) • Malicious Documents (e.g., Microsoft Office & Adobe PDF files) • Utilities for Reversing Malware through Memory Forensics – Dynamic Analysis • Emulate Network Services Used as Fake Gateway Server • Emulate Services in Isolated Lab Environment • Infects Another Laboratory System with Malware Sample • Directs Potentially-Malicious Connections to REMnux that's Listening on Appropriate Ports REMnux: http://zeltser.com/remnux/ v4
Environment Dual Box – Fake Gateway Server
Environment Malware Sources – To Learn With+ • PracticalMalwareAnalysis.com/labs • ContagioDump.blogspot.com • VirusShare.com • Malwr.com (if select share) • Malware-Traffic-Analysis.net Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, METHODOLOGY Triage Dynamic Analysis Static Analysis
Methodology 1. Triage 2. Dynamic Analysis 3. Static Analysis Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Methodology 1. Triage
Methodology 1. Triage Checklist  Run through External/Internal Sandbox Services for QnD Results • Goals: Rough Understanding of Malware Activities • Tools: Cuckcoo, Malwr.com, Norman, GFI Sandbox, Anubis, ThreatExpert.com  b. MD5 Hash Comparison (can run live is possible) • Goals: When Compiled, Packed or Obfuscated) • Tools: VirusTotal.com, PeStudio, Google Hash  c. Determine Real File Type • UNIX “file” Command and/or TrID • Open in FileInsight & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia)  Analyze Imports • Goals: Discovery Interesting Libs Malware May Be Importing (networking APIs for non-networking app) • Tools: PeStudio, PEView  Extract Readable Strings • Goals: Discover Interesting Data Points like Host Name & IP Addresses • Tools: strings, strings2  Unpack If Needed • Tools: OllyDump, PE Explorer (UPX built- in)  Specialized Tools • PDF: PDFiD, PDF-Parser • Office: OfficeMalScanner • Flash: SWFTtools a. b. c. d. e. f. e. MASTIFF: Open Source Linux Tool Automates Much of Above (on REMnux & online version Bit.ly/mastiffonline) v4
Methodology 2. Dynamic Analysis Checklist  Establish Baseline of Environment • Add Target Software: Reader, Java, Flash, browsers (OldVersion.com / OldApps.com) • Disable Windows Firewall • Create Snapshot if Testing Multiple Times  Start Monitoring Apps & Execute Malware • Take RegShot & Start WireShark, Process Monitor, Process Explorer, FakeNet & TCPView • Monitors File and Registry Access, Network Traffic, Process Creation, etc. • Execute Malware & Let it Run for 15 Minutes or Until Activity Dies Down  Monitor Activities & Stop Monitoring Applications • Watching WireShark, Process Monitor, & TCPView for Anything Interesting • Take Second RegShot & Stop WireShark, Process Monitor, FakeNet  Analyze Differences & Activity Recorded • Compare Initial & Final RegShots • Review All Monitoring Tool Logs a. b. c. d. RegShot: Set Scan dir1 option to c:
Methodology 3. Static Analysis • Use OllyDbg or IDA Pro to Disassemble & Analyze Deobfuscated Malware  Just Stare at It  ...  Stare Some More  ...  And Some More Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, a. b. c. d. e.
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, WHERE TO LEARN MORE OpenSecurityTraining.info NovaInfosec/Hacker Academy Zeltser.com
Where to Learn More OpenSecurityTraining.info
Where to Learn More • OpenSecurityTraining.info – “Intro x86” • http://opensecuritytraining.info/IntroX86.html – “Reverse Engineering” • http://opensecuritytraining.info/IntroductionToR everseEngineering.html – “Malware Dynamic Analysis • http://opensecuritytraining.info/MalwareDynami cAnalysis.html – “Malware Static Analysis” • http://opensecuritytraining.info/ReverseEngineer ingMalware.html • Matt Briggs & Frank Poz • “Practical Malware Analysis” by M. Sikorski/A. Honig
Where to Learn More • Hacker Academy – “Reverse Engineering” • Foundation RE Material & Concepts • Covers Many Malware Analysis Tech & Tools – PE File Format – Packers & Unpackers – Ollydbg – Digital Forensics – Other Classes • “Ethical Hacking” • “Penetration Testing” • “Cutting Edge” Annual Pro Enrollment: $699 NovaInfosec.com Discount: $599 Free 30-Day Trial http://bit.ly/grecshackerdeal
Where to Learn More • Zeltser.com – Malware Analysis Toolkit: http://zeltser.com/malware-analysis- toolkit/ – Intro to Malware Analysis: http://zeltser.com/reverse- malware/intro-to-malware-analysis.pdf • Certifications: SANS GREM, EC-Council CHFI • NIST: 800-94, 800-83, 800-61 • NovaInfosec – Workshop Style? – Follow @grecs for Announcement
Conclusion • Introduction – Why – Definitions • Environment – Platform – Automated – Single Box - Analysis – Dual Box – Fake Gateway • Methodology – Triage – Dynamic Analysis – Static Analysis • Where to Learn More – OpenSecurityTraining.info – NovaInfosec/Hacker Academy – Zeltser.com • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Questions? • Twitter @grecs • Website NovaInfosec.com, @novainfosec • Contact http://bit.ly/nispcontact o Questions/Consulting

Empfohlen

Undersink water purifier [호환 모드]
Undersink water purifier [호환 모드]Undersink water purifier [호환 모드]
Undersink water purifier [호환 모드]J2smartceo
 
презентация оборудования Via
презентация оборудования Viaпрезентация оборудования Via
презентация оборудования ViaАлександр Шаповалов
 
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015grecsl
 
UVa Protocol
UVa ProtocolUVa Protocol
UVa ProtocolUVA Slideshare
 
презентация компании Via
презентация компании Viaпрезентация компании Via
презентация компании ViaАлександр Шаповалов
 
Filter part list
Filter part listFilter part list
Filter part listJ2smartceo
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
 
Rain water harvesting
Rain water harvestingRain water harvesting
Rain water harvestingMiqdad Tharammal
 

Empfohlen

Undersink water purifier [호환 모드]
Undersink water purifier [호환 모드]Undersink water purifier [호환 모드]
Undersink water purifier [호환 모드]J2smartceo
 
презентация оборудования Via
презентация оборудования Viaпрезентация оборудования Via
презентация оборудования ViaАлександр Шаповалов
 
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015grecsl
 
UVa Protocol
UVa ProtocolUVa Protocol
UVa ProtocolUVA Slideshare
 
презентация компании Via
презентация компании Viaпрезентация компании Via
презентация компании ViaАлександр Шаповалов
 
Filter part list
Filter part listFilter part list
Filter part listJ2smartceo
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
 
Rain water harvesting
Rain water harvestingRain water harvesting
Rain water harvestingMiqdad Tharammal
 
Dog 10 commandments
Dog 10 commandmentsDog 10 commandments
Dog 10 commandmentsChayanid Eiamsathaporn
 
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...grecsl
 
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...grecsl
 
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...grecsl
 
Green rich shower
Green rich showerGreen rich shower
Green rich showerJ2smartceo
 
Apache Multiview Vulnerability
Apache Multiview VulnerabilityApache Multiview Vulnerability
Apache Multiview VulnerabilityRonan Dunne, CEH, SSCP
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Bridges
BridgesBridges
BridgesDeewas Kharka
 
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016grecsl
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...grecsl
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014grecsl
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Weitere ähnliche Inhalte

Andere mochten auch

Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...grecsl
 
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...grecsl
 
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...grecsl
 
Green rich shower
Green rich showerGreen rich shower
Green rich showerJ2smartceo
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 

Andere mochten auch (8)

Dog 10 commandments
Dog 10 commandmentsDog 10 commandments
Dog 10 commandments
 
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
 
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
 
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
 
Green rich shower
Green rich showerGreen rich shower
Green rich shower
 
Apache Multiview Vulnerability
Apache Multiview VulnerabilityApache Multiview Vulnerability
Apache Multiview Vulnerability
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 
Bridges
BridgesBridges
Bridges
 

Mehr von grecsl

Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016grecsl
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...grecsl
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014grecsl
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 

Mehr von grecsl (6)

Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
 
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 

Kürzlich hochgeladen

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Kürzlich hochgeladen (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Malware Analysis - N00b to Ninja in 60 Minutes at HackMiami on May 17, 2015

  • 1. Malware Analysis N00b to Ninja in 60 Minutes* @grecs NovaInfosec.com * Most listeners do not become Ninjas in under 60 minutes.
  • 2. Disclaimer • Opinions expressed do not express the views or opinions of my – my employers – my customers, – my wife, – my kids, – my parents – my in-laws – my high school girlfriend from Canada Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 3. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 4. 20 Yrs Industry 16 Yrs Infosec 5 Yrs SOC
  • 5. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 6. NovaInfosec Consulting • 20 Years Industry/Infosec Experience • Security Engineering/ Architecture • SOC 2.0/Transformation • Security Training datamation.com/cnews/article.php/3851071/Tech-Comics-Cloud-Computing-Consultants.htm
  • 7. Agenda • Introduction • Environment • Methodology • Where to Learn More • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 8. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, INTRODUCTION Why Definitions
  • 9. Introduction WARNING!!! DO NOT ANALYZE MALWARE ON PRODUCTION SYSTEMS Security Analysts Looking to Expand Skills beyond Event Monitoring & Basic Analysis General Security Practitioners Interested in Getting Started in Malware Analysis
  • 10. Introduction What Is Malware Analysis • The Analysis of Malware ;) • Reverse Engineering Malware to Understand How It Works and What It Does • Types – Triage – Dynamic Analysis – Static Analysis “Mastering 4 Stages of Malware Analysis” – Lenny Zeltser
  • 11. Introduction What Is Triage? • Definition – Quickie Analysis To Understand as Much as Possible about the Malware • Goals – Gain Gist of What Malware Is & What Could Do What How Determine Basic Running Properties Automated Analysis See If Others Found Hash Search Analyze File Props (type, imports) PE Examination Find Textual Clues of Activity (if packed) Strings
  • 12. Introduction Triage Is That Enough? Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 13. Introduction What Is Dynamic Analysis? • Definition – Execute Malware & Watch What It Does • Goals – Acquire Understanding of How Malware Acts What How Sense Host Changes Registry, File, Log, … Monitoring Uncover Runtime Properties Process Monitoring, Memory Analysis* Reveal Network Activity TCP/UDP Monitoring (DNS, HTTP, HTTPS) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 14. Introduction Dynamic Analysis • Process – Establish Baseline of Environment – Start Monitoring Applications & Execute Malware – Monitor Activities & Stop Monitoring Applications – Analyze Differences & Activity Recorded Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 15. Introduction Dynamic Analysis Is That Enough? Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 16. Introduction What Is Static Analysis? • Definition – Disassemble Malware Down to Computer Instructions • Goals – Reverse Engineer to Understand Exactly What It Does Easy Hard
  • 17. ENVIRONMENT Platform Automated Single Box – Analysis Dual Box – Fake Gateway Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 19. Environment Platform • Virtual – Efficient & Easy to Setup – Snap-Shots to Revert Back To – Malware Detecting VM & Terminating – Note: Use Non-Host Connected Interface (host- only doesn’t count) • Physical – VM Detection Not Possible – Resource Intensive Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 20. Environment Configurations • Automated – Triage Analysis Performed in Automated Environment – Emulates User Execution of & Interaction with Malware – Collects Artifacts on Malware Activity • Single Box – Triage and/or Dynamic Analysis Performed on One Machine – Potential Risk of Malware Sabotaging • Dual Box – Mitigates Some Sabotage Risk – Gateway to Simulate a Network – Realistic External View (ports open, network traffic) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 21. Environment Automated Analysis • Online – Malwr.com – Norman Sandbox – GFI Sandbox – Anubis – ThreatExpert.com • In-House – Commercial Products – e.g., Companies Above – Open Source – e.g., Cuckoo Sandbox – Minimum: Machine Loaded with Several AV Products Pic here showing one online form Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 22. Environment Automated Analysis • Cuckoo Sandbox – Automated Dynamic Analysis of Malware – Data Captured • API Calls: Trace of Relevant Win32 API Calls Performed • Network Traffic: Dump of Traffic Generated During Analysis • Screenshots: Taken During Analysis • Files: Created, Deleted, and Downloaded by Malware • Assembly Instructions: Trace of Assembly Instructions Executed – Setup • Can Be Frustrating CuckooBox: http://cuckoobox.org/
  • 24. Environment Single Box • Start with Base Unpatched Win XP SP2 Box in VMware – Similar to First Set of Post-Install Instructions for Metasploit Unleashed – Turn Off Automatic Updates – Disable Alerts • Where to Get – eBay, NewEgg, etc. – Windows Evals • Current Eval: http://technet.microsoft.com/en-us/evalcenter/default • Previous Vs: http://technet.microsoft.com/en-us/evalcenter/dn407368 • Modern IE: http://www.modern.ie/ (even Windows XP) – AWS (servers only) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 25. Environment Single Box • Install Triage Analysis Tools – Strings • Strings from Sysinternals (also strings2) • BinText from McAfee – PeStudio – PE Explorer – FileInsight • Hex Editor & Analysis Tool by McAfee
  • 26. Environment Single Box • Install Dynamic Analysis Tools – Process Monitor • Exposes File System, Registry & Process Activity that Started During Malware Execution – Process Explorer • Advanced Task Manager Replacement • Reveals Info about Handles/DLLs Processes Opened/Loaded – WireShark (along with WinPCAP) • Sniffer to Capture Malware-Initiated Network Traffic – RegShot • View Changes Malware Makes in the Registry/File System Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653 WireShark: https://www.wireshark.org/ RegShot: http://sourceforge.net/projects/regshot/
  • 27. Environment Single Box • Install Dynamic Analysis Tools (cont) – TCPView • Allows Detection of Malware Initiated Network Connections – FakeNet • Aids Dynamic Analysis of Malicious Software • Simulates Network so Malware Thinks Its Interacting with Remote Hosts • DNS, HTTP, SSL, Dummy Listener TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437 FakeNet: http://practicalmalwareanalysis.com/fakenet/
  • 28. Environment Single Box • Install Static Analysis Tools – OllyDbg with OllyDump Plugin • General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly • Plugin to View Encrypted Malware When In Memory – Specialized Tools • PDFs: Didier Stevens’s PDFiD & PDF-Parser • Office: OfficeMalScanner • Flash: SWFTtools • Others: Java, JavaScript OllyDbg: http://www.ollydbg.de/ OllyDump: http://www.openrce.org/downloads/details/108/OllyDump Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/
  • 29. Environment Single Box - Others • Other Ideas for Base Install or On-the-Fly – Several AV Products – Users of Various Permissions – Malware Analysis Pack (FakeDNS, Right-Click Opts – MD5, strings, VT) – CaptureBAT • File Analysis Tools – WinHex (restrictions under eval version; priced high for hobbyist) – 010 Editor (30 day eval; priced high for hobbyist) – FileAlyzer (similar to PeStudio but different capabilities) • Forensics – FTK Imager Lite – Autopsy/The Sleuth Kit – DumpIt – Volatility Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 30. Environment Single Box • Baseline – Configure VM to "Host-Only” Mode Secluded Network • Temporarily Change to NAT to Download Malware • Write-Once Media (e.g., CDs) • USB Key with Physical Write-Protect Switch – Imation USB 2.0 Clip Flash Drive – Kanguru Flashblu 2 – Snapshot VM • Rinse & Repeat – Library of Different OSs at Various SPs (XP SP1, 2, & 3) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 31. Environment Dual Box – Fake Gateway Server • Second Machine for Target to Connect To – Additional Advantage of Examining Network Traffic without Possible Malware Sabotage – Implement Linux Server in VMware & Configure to Be Default Route on Victim Machine – Should Have Fixed IP Addresses • Enable or Install Software that Provides Needed Services – DNS: Configured to Return Fake Servers IP for All Queries – HTTP – IRC – Others: DHCP, FTP, SSH – Other Services Depending on Goal of Analysis Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 32. Environment Dual Box – Fake Gateway Server • Install Network Analysis Tools – WireShark: Records Network Traffic from Victim – Netcat: Start Needed Ad-Hoc Services – Nmap: Scan for Open Ports External to Victim • Snapshot Fake Server Revert Back To Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 33. Environment Dual Box – Fake Gateway Server • REMnux – Created by Lenny Zeltser – ISO or Virtual Appliance – Triage • Load Malware on & Analyze • Web-Based Malware (e.g., Malicious JavaScript, Java Programs, & Flash Files) • Malicious Documents (e.g., Microsoft Office & Adobe PDF files) • Utilities for Reversing Malware through Memory Forensics – Dynamic Analysis • Emulate Network Services Used as Fake Gateway Server • Emulate Services in Isolated Lab Environment • Infects Another Laboratory System with Malware Sample • Directs Potentially-Malicious Connections to REMnux that's Listening on Appropriate Ports REMnux: http://zeltser.com/remnux/ v4
  • 34. Environment Dual Box – Fake Gateway Server
  • 35. Environment Malware Sources – To Learn With+ • PracticalMalwareAnalysis.com/labs • ContagioDump.blogspot.com • VirusShare.com • Malwr.com (if select share) • Malware-Traffic-Analysis.net Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 36. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, METHODOLOGY Triage Dynamic Analysis Static Analysis
  • 37. Methodology 1. Triage 2. Dynamic Analysis 3. Static Analysis Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 39. Methodology 1. Triage Checklist  Run through External/Internal Sandbox Services for QnD Results • Goals: Rough Understanding of Malware Activities • Tools: Cuckcoo, Malwr.com, Norman, GFI Sandbox, Anubis, ThreatExpert.com  b. MD5 Hash Comparison (can run live is possible) • Goals: When Compiled, Packed or Obfuscated) • Tools: VirusTotal.com, PeStudio, Google Hash  c. Determine Real File Type • UNIX “file” Command and/or TrID • Open in FileInsight & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia)  Analyze Imports • Goals: Discovery Interesting Libs Malware May Be Importing (networking APIs for non-networking app) • Tools: PeStudio, PEView  Extract Readable Strings • Goals: Discover Interesting Data Points like Host Name & IP Addresses • Tools: strings, strings2  Unpack If Needed • Tools: OllyDump, PE Explorer (UPX built- in)  Specialized Tools • PDF: PDFiD, PDF-Parser • Office: OfficeMalScanner • Flash: SWFTtools a. b. c. d. e. f. e. MASTIFF: Open Source Linux Tool Automates Much of Above (on REMnux & online version Bit.ly/mastiffonline) v4
  • 40. Methodology 2. Dynamic Analysis Checklist  Establish Baseline of Environment • Add Target Software: Reader, Java, Flash, browsers (OldVersion.com / OldApps.com) • Disable Windows Firewall • Create Snapshot if Testing Multiple Times  Start Monitoring Apps & Execute Malware • Take RegShot & Start WireShark, Process Monitor, Process Explorer, FakeNet & TCPView • Monitors File and Registry Access, Network Traffic, Process Creation, etc. • Execute Malware & Let it Run for 15 Minutes or Until Activity Dies Down  Monitor Activities & Stop Monitoring Applications • Watching WireShark, Process Monitor, & TCPView for Anything Interesting • Take Second RegShot & Stop WireShark, Process Monitor, FakeNet  Analyze Differences & Activity Recorded • Compare Initial & Final RegShots • Review All Monitoring Tool Logs a. b. c. d. RegShot: Set Scan dir1 option to c:
  • 41. Methodology 3. Static Analysis • Use OllyDbg or IDA Pro to Disassemble & Analyze Deobfuscated Malware  Just Stare at It  ...  Stare Some More  ...  And Some More Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, a. b. c. d. e.
  • 42. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, WHERE TO LEARN MORE OpenSecurityTraining.info NovaInfosec/Hacker Academy Zeltser.com
  • 43. Where to Learn More OpenSecurityTraining.info
  • 44. Where to Learn More • OpenSecurityTraining.info – “Intro x86” • http://opensecuritytraining.info/IntroX86.html – “Reverse Engineering” • http://opensecuritytraining.info/IntroductionToR everseEngineering.html – “Malware Dynamic Analysis • http://opensecuritytraining.info/MalwareDynami cAnalysis.html – “Malware Static Analysis” • http://opensecuritytraining.info/ReverseEngineer ingMalware.html • Matt Briggs & Frank Poz • “Practical Malware Analysis” by M. Sikorski/A. Honig
  • 45. Where to Learn More • Hacker Academy – “Reverse Engineering” • Foundation RE Material & Concepts • Covers Many Malware Analysis Tech & Tools – PE File Format – Packers & Unpackers – Ollydbg – Digital Forensics – Other Classes • “Ethical Hacking” • “Penetration Testing” • “Cutting Edge” Annual Pro Enrollment: $699 NovaInfosec.com Discount: $599 Free 30-Day Trial http://bit.ly/grecshackerdeal
  • 46. Where to Learn More • Zeltser.com – Malware Analysis Toolkit: http://zeltser.com/malware-analysis- toolkit/ – Intro to Malware Analysis: http://zeltser.com/reverse- malware/intro-to-malware-analysis.pdf • Certifications: SANS GREM, EC-Council CHFI • NIST: 800-94, 800-83, 800-61 • NovaInfosec – Workshop Style? – Follow @grecs for Announcement
  • 47. Conclusion • Introduction – Why – Definitions • Environment – Platform – Automated – Single Box - Analysis – Dual Box – Fake Gateway • Methodology – Triage – Dynamic Analysis – Static Analysis • Where to Learn More – OpenSecurityTraining.info – NovaInfosec/Hacker Academy – Zeltser.com • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 48. Questions? • Twitter @grecs • Website NovaInfosec.com, @novainfosec • Contact http://bit.ly/nispcontact o Questions/Consulting