Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie Malware analysis
Ähnlich wie Malware analysis (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Malware analysis
- 2. Agenda Intro and Recent Malware Attack Make Your Own Malware Analysis toolkit Malware Analysis & Types
- 3. • Generally –Any code that perform evil… • Today –Executable content with unknown functionality that is resident on a system of investigative interest •Virus •Worms •Spyware •Adware •Rootkits Malware? HA HA HAHAH A..!
- 5. • Fame • Money $$ • It’s a Business (not a kiddie) • Antivirus Why build Malware ?
- 6. •Why Analyze Malware? •To assess damage •To discover indicators of compromise •To identify vulnerability •To catch the “Bad Guy” •To answer questions… Analyzing Malware
- 7. Attacks in Synerzip • 2007 – DNS hacked • 2008 – FTP Server Hacked • 2010 – DDOS on the DNY Network • 2011 – Dos attack on DNS Server – False Dos attack on Firewall due to Quickoffice Connect Application bug • 2013 – Router Hacked @ DNY, Botnet Zeroaccess • 2014 – Zibmra VLAN MITM • Note – No Network is 100% secured, but we can make things difficult for the hackers
- 9. What is Cryptolocker? • Began September 2013 • Encrypts victim’s files, asks for $300 ransom • Impossible to recover files without a key • Ransom increases after deadline • Goal is monetary via Bitcoin • 250,000+ victims worldwide (According to Secureworks)
- 11. Who pays the ransom? Police department paid $750 to decrypt images and word documents
- 12. NightHunter – Name explained NightHunter, because of its use of SMTP (email) for data exfiltration. Email is often overlooked, so it can be a more stealthy way of data theft, akin to hunting at night.
- 13. NightHunter Infections To Date There are at least 1,800 unique infections 3OWL Ieindia Drmike Hanco Gmail Comcast 1000 350 200 150 100* 60 Number of unique infections per email server
- 14. NightHunter Delivery Email subject /attachment names: • Jobs List • Inquiry • Order • PO • Purchase Order • Payment Slip • Reconfirm Pls • Remittance Payment Slip • WireSlip
- 15. NightHunter – How it works?
- 16. ZeroAccess Botnet • Also known as – 0Access – Sirefef – Maxplus – Smiscer
- 17. Spreads Via • Drive-by-Download sites • Keygen and crack programs(Games) • Fake game downloads
- 18. Capabilities • Download malware updates via Peer to Peer protocol (Ports – 16464, 16465, 16470 and 16471 ) • Deploy a rootkit to avoid detection • Disable Anti-Virus and Anti-Malware software
- 19. Money • Click fraud – Instruct bots to visit • Spam • Bitcoin Mining – Small number of varients
- 20. How it works?
- 21. • Static (Source Code) Analysis • Dynamic (Behavioral) Analysis • Sandboxing How To Analyze Malware
- 22. Static Analysis “The Dissection”
- 23. Index • File hashing • File type identification • Packer/Compiler Identification • Entropy Analysis • Strings • PE Header Analysis • Verify Signature • Disassemble • PDF Shell code analysis
- 25. Dynamic (Behavioral) Analysis • Static Analysis will reveal some immediate information • Exhaustive static analysis could theoretically answer any question, but it is slow and hard • Usually you care more about “what” malware is doing than “how” it is being accomplished • Dynamic analysis is conducted by observing and manipulating malware as it runs
- 26. System Monitoring • What we are after • Registry Activity • File Activity • Process Activity • Network Traffic
- 29. Anti Techiniques • Anti-virtualization • Anti-Debugging • Anti-Disassembling • Anti-Sandboxing
- 30. Make your own Malware Analysis Toolkit Using Free Tools
- 31. Step 1: Allocate physical or virtual systems for the analysis lab • Virtualization software options include – VMware Server – Windows Virtual PC – Microsoft Virtual Server – VirtualBox
- 32. Step 2: Isolate laboratory systems from the production environment • Separate the laboratory network from production using a firewall • Don't connect laboratory and production networks at all • Use removable media to bring tools and malware into the lab • Don't use the physical machine that's hosting your virtualized lab for any other purpose.
- 33. Step 3: Install behavioral analysis tools • File system and registry monitoring: – Process Monitor – Capture BAT • Process monitoring: – Process Explorer – Process Hacker • Network monitoring: – Wireshark – SmartSniff • Change detection : – Regshot
- 34. Step 4: Install code-analysis tools • Disassembler and debugger: – OllyDbg / Immunity Debugger – IDA Pro • Memory dumper: – LordPE – OllyDump
- 35. Utilize online analysis tools • Anubis • CWSandbox • Joebox • Norman SandBox • ThreatExpert • Malwr
- 36. Cuckoo Sandbox Automated Malware Analysis
Hinweis der Redaktion
- For those that aren’t aware of what encrypting ransomware is, its a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA -2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back. http://www.webroot.com/blog/2014/05/05/evolution-encrypting-ransomware/ Ransom Cryptolocker is ransomware that on execution locks the user's system thereby leaving the system in an unusable state. It also encrypts the list of file types present in the user’s system. The compromised user has to pay the attacker with ransom to unlock the system and to get the files decrypted. Malware first appeared September 2013 Encrypts computer files of its victims and forces them to pay hundreds of dollars to unlock. If the victim does not pay the ransom, it is impossible to recover the files, due to the key length of Cryptolocker To recover the files past the deadline, the price usually doubles or triples. More than 250,000+ victims, mostly in USA and UK
- Here are some examples of who actually paid. The department paid $750 for two Bitcoins - an online currency - to decrypt several images and word documents in its computer system, Swansea (Mass.) Police Lt. Gregory Ryan said.
- It belongs to rootkit family Win32/Sirefef and Win64/Sirefef. ZeroAccess has been installed on computers over 9 million times.
- Click fraud and Bitcoin mining can earn the botnet owners a potential $100,000 a day. It consume network bandwidth 1,227,300 bytes per hour, 29,455,200 per day and 895,929,000 bytes per month. 895 MB per month per bot means a botnet with 1 million nodes could be producing as much as 895,000,000 MB or 895 Terabytes of network traffic per month.