Identifying and Removing Malwares

Identifying and
Removing
Malwares
FOR BEGINNERS
n|uNullMeetDharamsala
1
July2014

Agenda
 @me
 Light
 Operating System
 User Mode
 Kernel Mode
 Camera
 Malware
 History
 Types
 Properties
 &Action
 Take
n|u Null Meet Dharamsala
2
July 2014

@me
 Malware Analyst
 Can protect my Web Applications.
 Know of: C, C++, Java, Ruby, Python
 I “google” a lot.
 badboy16a@gmail.com
 @_badbot
 *PC Gamer*
3
July 2014

Light, Camera, Action
 Light
 Relevant Information about OS
 Some historical information
 Camera
 Statistics
 Predictions
 Action
 Finding and acting on clues
 Take
 Recommendations
July 2014n|u Null Meet Dharamsala
4

“Ware”
5
July 2014

Malware
A software that
performs
unintended actions
without user
consent.
6
July 2014

Operating System
7
July 2014

Operating System
Hardware
Operating
System
Application
User
Command
8
July 2014

Operating System
Hardware
Device
Driver
Kernel
Programs
9
July 2014

Memory Model
Real Memory
 Exact amount of installed
H/W RAM.
 Fixed size.
 Shared among everything
running in system.
 Backed by H/W
 Protected by OS
Virtual Memory
 Amount of RAM perceived
by every process.
 Variable size.
 Owned exclusively.
 Backed by OS Memory
Management.
 Mixed Protection.
10

Memory Model
User Mode
 Unprotected
 Program code/data
 Un-privileged
 Exclusive for process
 Swappable
 Libraries(.dll, .so, …)
Kernel Mode
 Protected
 Kernel code/data
 Privileged
 Shared in real space
 Mostly not-swappable
 Drivers(.drv, .sys, .ko,…)
11
0x00000000-0x7FFFFFFF 0X80000000 – 0xFFFFFFFF

Windows Access Levels
12
•Own Processes
•Other User’s Processes
User
•User Access
•Other User’s Processes
•Unrestricted Access
Administrator
•Administrative Access.
•Unrestricted Access to Local System.
NT_AUTHORITY
SYSTEM

Windows Registry
 Configuration Database.
 Key  [Key] Value[or Default] = [Data]
 Permanent and Transient Keys
 Derived Keys
 Root Keys:
 CLASSES_ROOT
 LOCAL_MACHINE
 USERS
 CURRENT_USER
 CURRENT_CONFIG
13

Windows Executables
 PE (based on COFF) file format.
 File starts with “MZ”
 Entry point defined in header.
 Typically used extensions
 EXE: Normal Executable
 DLL: Dynamic link library
 LIB: Static Library
 SYS: Driver
 OCX: ActiveX Controls (special purpose DLL)
14

Malware
 Software programs designed to damage or do
unwanted actions on a computer system. In
Spanish, "mal" is a prefix that means "bad," making
the term "badware“.
15
Malware
Malicious Software

Malware Evolution
1948
Self-
Reproducing
Automata
-John Von Neumann
1970Creeper
-PDP-10
-Bob Thomas
-Reaper
1975
The
Shockwave
Rider
-Xerox
- John Shock & John
Hepps
16

Malware Evolution
1981
Elk-
Cloner
•Apple DOS 3.3
• 15 year old
1986
Brain
•PC-DOS
• Alvi Brothers
1988
Morris
• UNIX Finger
service
• Robert Morris
1995
Concept
• MS Word
• Macro Virus
17

Malware Evolution
2000
I LOVE
YOU
•VBScript
• Reomel
Lamores
2004
Cabir
•Symbian OS
2007-2008
Zeus
Conficker
2010
Stuxnet
• SCADA
Systems
18

Malware Evolution
2011
Duqu,
Anti
Spyware
2011
2012
Flame
2013
Cyptolocker
BlackPOS
Dexter
vSkimmer
2014
Dragonfly
19

Malware Statistics
 Categories that Delivered Malicious Code, 2013 : Symantec
20

Malware Statistics
21

Malware Statistics
22

Malware Predictions
 More attack binaries will use stolen or valid code
signature.
 Browser vulnerabilities may be more common.
 Cybercrime gets personal.
 More targeted attacks.
 More stealthier techniques for C&C.
 Expect more malicious code in BIOS and firmware
updates.
 64bit Malwares.
 Malware Diversifies and Specializes.
 Sandbox Evasion.
23

Malware Classification
 Worm
 Propagates by itself on different machine.
 Virus
 Attaches itself to targets. Infects other systems when target moves.
 Trojan
 Masquerades itself as legitimate/useful software.
 Spyware
 Spies on your data and send it to controller.
 Adware
 Displays unwanted/unsolicited advertisements.
24

Malware Classification
 Ransomware
 Locks access to your systems or files and demands ransom for
further access.
 Backdoor(Remote Administration Toolkit):
 Allows unauthorized remote user connect to and control your
system.
 Downloader
 Primary payload for exploits. Download/Installs other malwares.
 Rootkit
 Interferes with kernel to hide itself from user and security tools.
25

Malware Lifecycle
 Infection
 It has to infect the target. First run.
 Persistence
 It has to persist. Cannot be downloaded every time.
 Run
 It has to run. Preferably without user action e.g. Boot,
Timed…
 Hide
 Hide itself from naked eye.
26

&Action
 Almost at every stage malwares leave clues.
 Identify Clues.
 Identify Malware.
 Remove Malware.
27

Infection
 Exploitation:
 Using vulnerabilities to achieve code execution.
 Vulnerable program crashes/restarts most of the time.
 External Media
 Carried to the target system using external media e.g. USB
Stick.
 Un-mounting the media usually fails.
 E-mail Attachments
 Sent via email attachment.
 Grammatical/Spelling mistakes. Duplicate e-mail.
Attachments with double extension, wrong extension.
28

Persistence
 Files
 Stored as files.
 Cryptic file names.
 Known file names in unexpected locations.
 Misspelled file name.
 Streams
 Data is stored as NTFS alternate stream.
 Pathname containing ‘:’ character.
29

Run & Hide
 Hiding in plain sight.
 An entry in process list.
 Unknown process name.
 Unexpected Process.
 Process binary at unusual location.
 Process with unexpected user account/privilege.
 Hiding deep inside
 No entry in process list.
 Unexpected library.
 Unusual usage of system resources.
 Re-appearance of some files after deletion.
30

Detection Difficulty
Hardware
Kernel
Device Driver
User Programs
31

Sysinternal Tools
 Sysinternal Suite
 Autoruns
 ListDll
 Handle
 Process Explorer
 Process Monitor
 RootkitRevealer
 Strings
32

Autoruns
33

ListDLLs
34

Handle
35

Process Explorer
36

Process Monitor
37

Rootkit Revealer
38

Strings
39

Other Tools
 GMER
 Redline
 Kaspersky Virus Fighting Utilities
 TDSS Killer
 McAfee Stinger
 Sophos Anti-Rootkit
 Norton Power Eraser
 Trend Micro House Call
40

GMER
 By default downloads
with random file name.
 Similar to Rootkit Revealer
 More signature and
parameters to look into.
41

Redline
 Separate data
collection and
analysis system.
 Collector can run
from removable
media.
 Verifies against
hashes of known
good modules.
 Reporting
42

Take
 Antivirus Not Enough
 Understand
 Be Updated
 Be Paranoid
 Don’t Trust
 Protect
 Backup
43

The END
 All the images, statistics, data belong to their respective owners (including me).
44

Identifying and Removing Malwares

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Identifying and Removing Malwares

Ähnlich wie Identifying and Removing Malwares (20)

Mehr von n|u - The Open Security Community

Mehr von n|u - The Open Security Community (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Identifying and Removing Malwares