Introduction to Malware Analysis
Disclaimer
• This stuff requires the analyst to dive extremely deep into technical details
• This quick talk will attempt to give you a 1,000-foot view of malware analysis
• I draw a careful distinction between Malware Analysis and Reverse Engineering
Malware Analysis Overview
• Static Analysis: analyzing the code without actually running it
– File identification, header information, strings, etc.
– Disassembler – IDA Pro
• Dynamic Analysis: executing the code in a controlled manner and monitoring system changes
– Sysinternals, memory forensics, etc.
– Debuggers – Immunity Debugger, OllyDbg
Coding Terms
• Malware authors write code in a high-level programming language: C/C++
Static Analysis: File Identification 
• Linux “file” utility 
• Python-magic module
Static Analysis: MD5 Hash 
• Linux “md5sum” utility: md5sum <fileName> 
• Python hashlib module:
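The two slides above name the tools (file, python-magic, md5sum, hashlib) but the deck's screenshots did not survive extraction. The block below is an added example, not code from the deck: it identifies a sample by its leading magic bytes (a constructed shortlist standing in for the thousands of signatures python-magic knows) and hashes it with hashlib. The sample bytes are constructed, not a real file.

```python
import hashlib

# Leading magic bytes for a few common formats (constructed shortlist for this
# example; the `file` utility and python-magic carry far more signatures).
MAGIC_SIGNATURES = [
    (b"MZ", "MZ executable (PE/DOS)"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX, JAR, APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy Office)"),
    (b"#!", "script with interpreter line"),
]


def identify_bytes(data: bytes) -> str:
    """Identify a file by its leading bytes, never by its extension."""
    for magic, description in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return description
    return "unknown"


def hash_bytes(data: bytes) -> dict:
    """MD5 to match md5sum output, plus SHA-1/SHA-256 for sharing indicators
    (MD5 collisions are practical, so never rely on it alone)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_file(path: str) -> dict:
    """Disk-based wrapper: type plus hashes for one sample."""
    with open(path, "rb") as fh:
        data = fh.read()
    report = {"path": path, "size": len(data), "type": identify_bytes(data)}
    report.update(hash_bytes(data))
    return report


if __name__ == "__main__":
    # Constructed stand-in for a dropped file: an MZ header followed by padding.
    sample = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    print(identify_bytes(sample))
    for name, digest in hash_bytes(sample).items():
        print(f"{name}: {digest}")
```

Two bytes of MZ only tell you the file claims to be an executable; a renamed .txt or .jpg that starts with MZ is itself worth noting. Record all three hashes: MD5 still dominates older sandbox reports, while SHA-256 is what current sharing platforms key on.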
Static Analysis: Strings
• Can be a quick way to gain intelligence from the file:
– Domains, IPs, URLs, function names, hardcoded information
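As an added example (not part of the deck), here is a small strings extractor that does what the slide describes: pull printable ASCII and UTF-16LE runs out of a binary and sort them into the indicator buckets listed above. The TLD shortlist, API watchlist and registry-key prefixes are constructed for the example, as is the sample byte blob.

```python
import re

MIN_LEN = 4

# Indicator patterns. The TLD shortlist, API watchlist and registry prefixes are
# constructed for this example and should be extended for real triage.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|cn|io)\b", re.I)
REGISTRY_RE = re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|Software)\\[^\s]+", re.I)
API_WATCHLIST = {
    "LoadLibraryA", "GetProcAddress", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "InternetOpenA", "URLDownloadToFileA", "CreateServiceA",
    "RegSetValueExA", "WinExec", "ShellExecuteA", "IsDebuggerPresent",
}


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable ASCII runs, the same thing GNU strings prints by default."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable UTF-16LE runs: Windows stores many strings this way and a
    plain strings run misses them (GNU strings needs -e l to show them)."""
    return [m.decode("utf-16-le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


def classify(strings: list) -> dict:
    """Sort extracted strings into the indicator buckets the slide lists."""
    found = {"urls": [], "ips": [], "domains": [], "registry_keys": [], "api_names": []}
    for s in strings:
        found["urls"] += URL_RE.findall(s)
        rest = URL_RE.sub(" ", s)              # don't double-count a URL's host as a domain
        found["ips"] += IPV4_RE.findall(rest)   # also hits version strings like 1.2.3.4; review by hand
        found["domains"] += DOMAIN_RE.findall(rest)
        found["registry_keys"] += REGISTRY_RE.findall(s)
        if s in API_WATCHLIST:
            found["api_names"].append(s)
    return {k: list(dict.fromkeys(v)) for k, v in found.items()}  # dedupe, keep order


def triage_strings(data: bytes) -> dict:
    return classify(ascii_strings(data) + utf16le_strings(data))


# Constructed byte blob standing in for a sample: ASCII import names, a URL,
# an IP, a UTF-16LE command line and a Run-key path, separated by junk bytes.
SAMPLE = (
    b"\x00\x00MZ\x90\x00\x03\x00"
    b"LoadLibraryA\x00GetProcAddress\x00CreateRemoteThread\x00"
    b"http://update.example.net/gate.php\x00"
    b"10.0.0.25\x00\x01\x02\x03"
    + "cmd.exe /c".encode("utf-16-le") + b"\x00\x00"
    + b"\xffSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

if __name__ == "__main__":
    for bucket, items in triage_strings(SAMPLE).items():
        print(f"{bucket}: {items}")
```

Strings are cheap intelligence but also cheap to fake: an author can plant decoy URLs or API names, and a packed sample (next slides) shows almost none. Treat the output as leads to confirm in dynamic analysis, not as indicators in themselves.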
Static Analysis: Packers
• Packers are used to obfuscate the code, which:
– Changes the file signature (MD5 hash)
– Obfuscates the file's strings and code
– Compresses the file size (sometimes)
• Packed code can be identified by:
– Examining the PE sections and imports: if a PE file only imports LoadLibrary/GetProcAddress, it is normally packed
– Strings: UPX0, UPX1, aspack, adata, NSP0, NSP1, WinRAR SFX, PEC2, PECompact2, Themida, Orean.sys, NTkrnl, Secure Suite
• Tools: PEiD, LordPE, and the Python peutils module
Static Analysis: Packers 
• Unpacked vs. Packed Strings:
Data Encoding
• Malware uses encoding for a number of reasons, among them disguising internal workings, hiding C2 information, and data exfiltration
– Some simple encoding algorithms are:
– Character substitution
– XOR – uses a static key to XOR with the original value
– Base64 – can use the default or a custom character set
– Default Base64 character set: A-Z, a-z, 0-9, +, /
• We will examine two common data encoding techniques used in malware: XOR and Base64
Data Encoding: XOR
• Strings often have to be stored in a program so they can be passed as parameters to functions
• XOR once = encoded
• XOR again with the same key = plaintext
Data Encoding: Base64
• Storing Base64 strings as HTML comments is how the APT group “Comment Crew” got their name. This technique is still leveraged today in malware
• Base64 is a common encoding scheme because it is very easy to decode
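The three Data Encoding slides describe XOR and Base64 in prose only. The block below is an added example, not the deck's code, covering both: a repeating-key XOR with a crib-based brute force of single-byte keys (the "XOR again with the same key" property is what makes recovery this easy), and a Base64 decoder that accepts a custom 64-character alphabet, since a stock decoder silently fails on the rotated alphabets the slide alludes to. The sample URL, alphabet and key are constructed.

```python
import base64
import string

STANDARD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key. XOR once encodes, XOR again with the same key decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_force_single_byte_xor(blob: bytes, crib: bytes) -> list:
    """Return every single-byte key whose decoding contains the crib, a plaintext
    fragment the analyst expects (b"http://", b"This program cannot")."""
    return [k for k in range(256) if crib in xor_bytes(blob, bytes([k]))]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters without '='")


def encode_custom_base64(data: bytes, alphabet: str) -> str:
    """Standard Base64, then remap each output character into the custom alphabet."""
    _check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STANDARD_B64, alphabet))


def decode_custom_base64(encoded: str, alphabet: str) -> bytes:
    """Map the custom alphabet back to the standard one, restore padding, decode."""
    _check_alphabet(alphabet)
    std = encoded.rstrip("=").translate(str.maketrans(alphabet, STANDARD_B64))
    return base64.b64decode(std + "=" * (-len(std) % 4))


# Constructed sample: a rotated alphabet (the kind of trivial tweak that breaks
# a stock decoder) and a URL hidden under a single-byte XOR key of 0x41.
ROTATED_ALPHABET = STANDARD_B64[13:] + STANDARD_B64[:13]
PLAIN_URL = b"http://update.example.net/gate.php"
XORED_URL = xor_bytes(PLAIN_URL, b"\x41")

if __name__ == "__main__":
    keys = brute_force_single_byte_xor(XORED_URL, b"http://")
    print("candidate XOR keys:", [hex(k) for k in keys])
    print(xor_bytes(XORED_URL, bytes([keys[0]])))
    token = encode_custom_base64(b"cmd.exe /c whoami", ROTATED_ALPHABET)
    print(token, "->", decode_custom_base64(token, ROTATED_ALPHABET))
```

When a blob looks like Base64 (right character class, length a multiple of four) but decodes to garbage, try the alphabet the binary itself carries: a 64-byte printable string near the decoding routine is a strong hint that the author swapped the table.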
Static Analysis: PE File Format
• The PE data structure contains all the information the Windows OS loader needs to manage executable code
– .text – instructions the CPU executes
– .rdata – Imports and Exports
– .data – Global data
– .rsrc – Resources (icons, images, strings, etc.)
• Useful information in the PE header:
– Imports and Exports – give an idea of the malware's functionality
– Compilation time, language settings, and strings
– Section names – packed code can have non-standard section names
• Tools to analyze the PE header: pescanner.py, CFF Explorer, Python pefile, Resource Hacker, Dependency Walker, LordPE, etc.
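The Packers slide and the PE File Format slide both come down to reading the PE header, so one added example serves both (this is not code from the deck or from pefile; pefile is the tool you would use for real work). It walks the DOS header, PE signature, COFF header and section table with struct, then applies the packer heuristics the slides name: section names from the UPX/ASPack/PECompact list, non-standard names, a section with no raw data but a large virtual size (the unpack destination), and high byte entropy. The PE image it parses is constructed in code and is not a real sample; the entropy threshold and the name lists are assumptions of the example.

```python
import math
import random
import struct
from datetime import datetime, timezone

# Packer section names from the slide (compared lower-case, leading dot stripped)
# and the names a normal compiler/linker emits. Both lists are examples, not complete.
PACKER_MARKERS = {"upx0", "upx1", "upx2", "aspack", "adata", "nsp0", "nsp1", "nsp2",
                  "pec2", "pecompact2", "themida"}
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                   ".pdata", ".bss", ".tls", ".crt"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table, by hand."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    (opt_magic,) = struct.unpack_from("<H", data, coff + 20)
    sections = []
    for i in range(nsections):
        off = coff + 20 + opt_size + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size, "characteristics": flags,
                         "entropy": round(shannon_entropy(raw), 3)})
    return {"machine": hex(machine), "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, "unknown"),
            "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "characteristics": hex(chars), "sections": sections}


def packer_indicators(pe: dict) -> list:
    """Heuristics only: each finding is a reason to look closer, not proof of packing."""
    findings = []
    for s in pe["sections"]:
        name = s["name"]
        if name.lower().lstrip(".") in PACKER_MARKERS:
            findings.append(f"section '{name}' is a known packer section name")
        elif name.lower() not in COMMON_SECTIONS:
            findings.append(f"section '{name}' has a non-standard name")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"section '{name}' entropy {s['entropy']} bits/byte (compressed or encrypted)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"section '{name}' has no raw data but 0x{s['virtual_size']:x} bytes virtual size (unpack destination)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 image laid out like a UPX-packed file; not a real sample."""
    rng = random.Random(1337)
    text_raw = b"\x55\x8b\xec\x90" * 64                        # 4 symbols -> entropy exactly 2.0
    upx1_raw = bytes(rng.getrandbits(8) for _ in range(1024))  # stands in for compressed code
    opt_size = 224                                             # size of a PE32 optional header
    headers = 64 + 4 + 20 + opt_size + 40 * 3
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1330000000, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(opt_size - 2)

    def section(name, vsize, vaddr, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    table = (section(b".text", len(text_raw), 0x1000, len(text_raw), headers, 0x60000020)
             + section(b"UPX0", 0x10000, 0x2000, 0, 0, 0xE0000080)
             + section(b"UPX1", len(upx1_raw), 0x12000, len(upx1_raw), headers + len(text_raw), 0xE0000040))
    return bytes(dos) + b"PE\x00\x00" + coff + optional + table + text_raw + upx1_raw


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["format"], pe["machine"], pe["compile_time"].isoformat())
    for s in pe["sections"]:
        print(f"{s['name']:<8} vsize=0x{s['virtual_size']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']}")
    for finding in packer_indicators(pe):
        print("!", finding)
```

The import-table check from the Packers slide (only LoadLibrary/GetProcAddress imported) needs the optional header's data directories and is left to pefile here. The compile timestamp is printed because it is useful and because it is trivially forged: a timestamp in the future or before the compiler existed is itself an indicator.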
Windows API Calls
• When performing advanced static or dynamic analysis it's important to have a good understanding of Windows API calls
• By looking at the imported functions within the PE header you can see which Windows API functions the PE file wants to utilize
• By recognizing API calls you can quickly get an idea of the malware's functionality, both from the strings output and during advanced static analysis with a disassembler
• An excellent resource for Windows API calls is MSDN. Google search “API_Function MSDN”
Windows API: MSDN Example
• The parameters modify how the function will be used on the system
• The return type is what the function returns after it is called in a program
Windows API: Disassembly
• Parameters are pushed onto the stack in Last In, First Out (LIFO) order, which is why they appear in reverse order in the disassembly
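The MSDN and Disassembly slides lose their screenshots in extraction, so here is an added example (not from the deck) that makes the LIFO point mechanical: it reads an IDA-style listing, collects the push operands before each call, reverses them and zips them with the MSDN parameter names. The small prototype table and the sample listing are constructed for the example; it assumes 32-bit stdcall/cdecl, where arguments travel on the stack (x64 passes the first four in registers and needs a different approach).

```python
import re

# Parameter names for a handful of Win32 functions, in the order MSDN documents
# them. This table is an assumption of the example; the deck carries no such list.
API_PROTOTYPES = {
    "MessageBoxA": ["hWnd", "lpText", "lpCaption", "uType"],
    "CreateFileA": ["lpFileName", "dwDesiredAccess", "dwShareMode", "lpSecurityAttributes",
                    "dwCreationDisposition", "dwFlagsAndAttributes", "hTemplateFile"],
    "WriteFile": ["hFile", "lpBuffer", "nNumberOfBytesToWrite", "lpNumberOfBytesWritten", "lpOverlapped"],
}

PUSH_RE = re.compile(r"^\s*push\s+(.+?)\s*(?:;.*)?$", re.I)
CALL_RE = re.compile(r"^\s*call\s+(?:ds:|dword ptr \[|\[)?(?:__imp_)?(\w+)\]?\s*(?:;.*)?$", re.I)


def resolve_call_args(listing: str) -> list:
    """Pair each call's pushed operands with parameter names.

    On 32-bit stdcall/cdecl the caller pushes the LAST parameter first, so the
    push nearest the call is the first parameter: reverse the push list and zip
    it with the prototype."""
    pushed, calls = [], []
    for line in listing.splitlines():
        m = PUSH_RE.match(line)
        if m:
            pushed.append(m.group(1))
            continue
        m = CALL_RE.match(line)
        if not m:
            continue  # mov/lea/etc. between pushes don't change the argument stack
        api = m.group(1)
        params = API_PROTOTYPES.get(api)
        if params is None:
            calls.append({"api": api, "args": None, "note": "no prototype on file"})
        else:
            args = pushed[::-1][:len(params)]
            note = "" if len(args) == len(params) else "fewer pushes than parameters"
            calls.append({"api": api, "args": dict(zip(params, args)), "note": note})
        pushed = []
    return calls


# Constructed IDA-style listing of two API calls (not from a real sample).
SAMPLE_LISTING = """
push    0                   ; uType = MB_OK
push    offset aCaption     ; "Update"
push    offset aText        ; "Installation complete"
push    0                   ; hWnd = NULL
call    ds:MessageBoxA
push    0                   ; hTemplateFile
push    80h                 ; FILE_ATTRIBUTE_NORMAL
push    2                   ; CREATE_ALWAYS
push    0                   ; lpSecurityAttributes
push    0                   ; dwShareMode
push    40000000h           ; GENERIC_WRITE
lea     eax, [ebp+FileName]
push    eax                 ; lpFileName
call    ds:CreateFileA
mov     [ebp+hFile], eax
"""

if __name__ == "__main__":
    for call in resolve_call_args(SAMPLE_LISTING):
        print(call["api"], call["args"], call["note"])
```

Reading the pushes bottom-up like this is exactly what you do by hand in IDA: the last push before the call is the first MSDN parameter, and the return value lands in EAX (the `mov [ebp+hFile], eax` after CreateFileA shows where the handle is stored).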
Wake Up
• Okay, that was likely starting to bore some people – SORRY
• Let's move to dynamic analysis, which is more flashy
Getting Infected
• Double clicking the executable doesn't always work
– Sometimes you need to register the malware as a service or load it as a DLL (regsvr32.exe and rundll32.exe)
– Install the malware as a service
– Interact with the system like a normal user: the malware may be waiting for a certain application to open in order to inject code into it (e.g., Internet Explorer)
– It could require a CLI argument: one sample required <filename> /install in order to actually run
– Static analysis is normally required to determine CLI switches
SysInternals Tool Suite
• If I could pick just one tool, I'd pick the 50+ in the Sysinternals tool suite
• Tools put out by Mark Russinovich – now works for Microsoft
• Process Explorer, Process Monitor, Autoruns, etc.
Process Explorer
Process Monitor 
• Very verbose tool that generates a lot of events 
• Filtering is required to make sense of the data
Process Monitor Cont. 
• Press Ctrl+L to bring up the filtering dialog box 
– Quick filters are: Operation is WriteFile 
– Category is Write
Malware Persistence - Autoruns
• The real key to identifying malware – how does it gain persistence?
• Autoruns can help enumerate persistence mechanisms:
Monitoring Network Activity
• Some interesting network indicators of malware are:
– SYNs out to an IP or domain
– UDP traffic to an IP or domain
– HTTP GET/POST requests
– DNS queries
– Connection attempt times are important: every 1 min, 30 mins, etc.
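The last bullet is the one that turns a packet capture into a detection: a check-in timer leaves a near-constant gap between connection attempts. As an added example (not from the deck), the block below groups a connection log by destination and flags any destination contacted at a regular interval. The log lines are constructed, using documentation IP ranges; the attempt and jitter thresholds are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log from a dynamic-analysis run (timestamp, src, dst,
# dport, proto). 203.0.113.x and 198.51.100.x are documentation ranges, not
# real infrastructure.
CONNECTION_LOG = """\
2024-01-15T10:00:03 192.168.56.101 203.0.113.10 443 TCP
2024-01-15T10:00:07 192.168.56.101 192.168.56.1 53 UDP
2024-01-15T10:01:03 192.168.56.101 203.0.113.10 443 TCP
2024-01-15T10:01:41 192.168.56.101 198.51.100.7 80 TCP
2024-01-15T10:02:03 192.168.56.101 203.0.113.10 443 TCP
2024-01-15T10:03:04 192.168.56.101 203.0.113.10 443 TCP
2024-01-15T10:04:03 192.168.56.101 203.0.113.10 443 TCP
2024-01-15T10:05:03 192.168.56.101 203.0.113.10 443 TCP
2024-01-15T10:06:22 192.168.56.101 198.51.100.7 80 TCP
"""


def parse_log(text: str) -> list:
    """One tuple per connection attempt: (time, src, dst, dport, proto)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return events


def find_beacons(events: list, min_attempts: int = 4, max_jitter: float = 0.2) -> list:
    """Flag destinations contacted at a near-constant interval.

    jitter = stddev(gaps) / mean(gaps): a timer-driven check-in scores near 0,
    human browsing scores far higher. Randomised sleep added by the malware
    raises it, so the threshold is a tuning knob, not a law."""
    by_dest = defaultdict(list)
    for ts, _, dst, port, proto in events:
        by_dest[(dst, port, proto)].append(ts)
    beacons = []
    for (dst, port, proto), times in by_dest.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            beacons.append({"dst": dst, "port": port, "proto": proto, "attempts": len(times),
                            "interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(CONNECTION_LOG)):
        print(f"{b['proto']} {b['dst']}:{b['port']} every ~{b['interval_s']}s "
              f"({b['attempts']} attempts, jitter {b['jitter']})")
```

Run the sample long enough to see several periods: a 30-minute beacon needs hours of capture before this produces anything, which is one reason a five-minute sandbox run (next slide) can miss the C2 channel entirely.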
Automation? Sandboxes
• So far, the basic dynamic analysis we have talked about can be automated
• Sandboxes are a good tool in any malware analyst's toolbox – they have pros and cons:
– Pros: speeds up analysis, saves time
– Cons: misses details, can be fooled
• Sandboxes can be open source or commercial:
– A really good free option is Cuckoo Sandbox:
• Install tutorial: http://www.primalsecurity.net/im-cuckoo-for-malware-with-a-spice-of-reverse-engineering/
Summary
• Malware analysis requires both static and dynamic analysis techniques to accurately enumerate indicators of compromise
• As with any automated tool, an analyst will need to be able to validate findings manually

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

Introduction to Malware Analysis

2. Disclaimer
• This stuff requires the analyst to dive extremely deep into technical details
• This quick talk will attempt to give you a 1000 foot view of malware analysis
• I put a careful distinction between Malware Analysis and Reverse Engineering

3. Malware Analysis Overview
• Static Analysis: involves analyzing the code without actually running it
– File identification, header information, strings, etc.
– Disassembler: IDA Pro
• Dynamic Analysis: involves executing the code in a controlled manner and monitoring system changes
– Sysinternals, memory forensics, etc.
– Debuggers: Immunity Debugger, OllyDbg

4. Coding Terms
• Malware authors write code in a high-level programming language: C/C++

5. Static Analysis: File Identification
• Linux “file” utility
• Python-magic module

6. Static Analysis: MD5 Hash
• Linux “md5sum” utility: md5sum <fileName>
• Python hashlib module

7. Static Analysis: Strings
• Can be a quick way to gain intelligence from the file:
– Domains, IPs, URLs, function names, hardcoded information

8. Static Analysis: Packers
• Packers are used to obfuscate the code, which:
– Changes the file signature (MD5 hash)
– Obfuscates the file strings and code
– Compresses the file size (sometimes)
• Packed code can be identified by:
– Examining the PE sections and imports: if a PE file only imports LoadLibrary/GetProcAddress, it is normally packed
– Strings: UPX0, UPX1, aspack, adata, NSP0, NSP1, WinRAR SFX, PEC2, PECompact2, Themida, Orean.sys, NTkrnl, Secure Suite
• Tools: PEiD, LordPE, and the Python peutils module

9. Static Analysis: Packers
• Unpacked vs. packed strings

10. Data Encoding
• Malware uses encoding for a number of reasons, among them to disguise internal workings, hide C2 information, and exfiltrate data
• Some simple encoding algorithms are:
– Character substitution
– XOR: uses a static key to XOR with the original value
– Base64: can use the default or a custom character set
– Default Base64 character set: A-Z, a-z, 0-9, +, /
• We will examine two common data encoding techniques used in malware: XOR and Base64

11. Data Encoding: XOR
• Strings are often required to be stored in a program in order to pass them as a parameter to a function
• XOR once = encoded
• XOR again with the same key = plaintext

12. Data Encoding: Base64
• Storing Base64 strings as HTML comments is how the APT group “Comment Crew” got their name. This technique is still leveraged today in malware
• Base64 is a common encoding scheme because it is very easy to decode
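As an added example (not code from the slides), here is a Python helper that undoes the two encodings just described when they are layered, single-byte XOR over a Base64 string: it brute-forces the key, keeps only keys whose output is valid Base64 that decodes to printable text, and also handles a custom Base64 alphabet. The hostname, key and reversed alphabet are constructed for illustration.

```python
import base64
import binascii
import string

STD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                + string.digits + "+/").encode()

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one static key byte; applying it twice with the
    same key returns the original bytes (encode once, decode again)."""
    return bytes(b ^ key for b in data)

def b64_encode_custom(data: bytes, alphabet: bytes = STD_ALPHABET) -> bytes:
    """Base64-encode, then swap the default alphabet for a custom one."""
    return base64.b64encode(data).translate(bytes.maketrans(STD_ALPHABET, alphabet))

def b64_decode_custom(data: bytes, alphabet: bytes = STD_ALPHABET) -> bytes:
    """Map a custom alphabet back onto A-Z, a-z, 0-9, +, / and decode strictly."""
    if len(alphabet) != 64:
        raise ValueError("a Base64 alphabet has exactly 64 symbols")
    return base64.b64decode(data.translate(bytes.maketrans(alphabet, STD_ALPHABET)),
                            validate=True)

def is_printable(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 for b in data)

def recover_xor_base64(blob: bytes, alphabet: bytes = STD_ALPHABET):
    """Try every single-byte key (0x00 is a no-op and skipped). Keep keys whose
    output is printable, decodes as Base64 in the given alphabet, and yields
    printable text. Returns a list of (key, plaintext) candidates."""
    found = []
    for key in range(1, 256):
        layer = xor_bytes(blob, key)
        if not is_printable(layer):
            continue
        try:
            plain = b64_decode_custom(layer, alphabet)
        except binascii.Error:
            continue
        if is_printable(plain):
            found.append((key, plain))
    return found

# Constructed sample (made-up hostname and key, not from any real sample):
# the string is Base64-encoded and then XOR-ed with 0x5A before being stored.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"update.example-c2.test"
SAMPLE_BLOB = xor_bytes(b64_encode_custom(SAMPLE_PLAINTEXT), SAMPLE_KEY)

if __name__ == "__main__":
    for key, text in recover_xor_base64(SAMPLE_BLOB):
        print(f"key=0x{key:02x} -> {text!r}")
```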
13. Static Analysis: PE File Format
• The PE data structure contains all the information required for the Windows OS loader to manage executable code
– .text: instructions the CPU executes
– .rdata: imports and exports
– .data: global data
– .rsrc: resources (icons, images, strings, etc.)
• Useful information in the PE header:
– Imports and exports: give an idea of the malware's functionality
– Compilation time, language settings, and strings
– Section names: packed code can have non-standard section names
• Tools to analyze the PE header: pescanner.py, CFF Explorer, Python pefile, Resource Hacker, Dependency Walker, LordPE, etc.
14. Windows API Calls
• When performing advanced static or dynamic analysis it's important to have a good understanding of Windows API calls
• By looking at the imported functions within the PE header you can see which Windows API functions the PE file wants to utilize
• By recognizing API calls you can quickly get an idea of the malware's functionality when analyzing strings output, and during advanced static analysis using a disassembler
• An excellent resource for Windows API calls is MSDN. Google search “API_Function MSDN”

15. Windows API: MSDN Example
• The parameters modify how the function will be used on the system
• The return type is what the function will return after it is called in a program

16. Windows API: Disassembly
• Parameters are pushed onto the stack, which is Last In First Out (LIFO), which is why they appear in reverse order in the disassembly

17. Wake Up
• Okay, that was likely starting to bore some people – SORRY
• Let's move to dynamic analysis, which is more flashy

18. Getting Infected
• Double clicking the executable doesn't always work
– Sometimes you need to register the malware as a service or load it as a DLL (regsvr32.exe and rundll32.exe)
• Install the malware as a service
• Interact with the system like a normal user
– The malware may be waiting for a certain application to open to inject code into it (ex: Internet Explorer)
– It could require a CLI argument: one sample required <filename> /install in order to actually run the malware
– Static analysis is normally required to determine CLI switches

19. SysInternals Tool Suite
• If I could pick just one tool, I'd pick the 50+ in the Sysinternals tool suite
• Tools put out by Mark Russinovich, who now works for Microsoft
• Process Explorer, Process Monitor, Autoruns, etc.

21. Process Monitor
• Very verbose tool that generates a lot of events
• Filtering is required to make sense of the data

22. Process Monitor Cont.
• Press Ctrl+L to bring up the filtering dialog box
– Quick filters are: Operation is WriteFile; Category is Write

23. Malware Persistence - Autoruns
• Really is the key to identifying malware: how does it gain persistence?
• Autoruns can help enumerate persistence mechanisms

24. Monitoring Network Activity
• Some interesting network indicators of malware are:
– SYNs out to an IP or domain
– UDP traffic to an IP or domain
– HTTP GET/POST requests
– DNS queries
– Connection attempt times are important: every 1 min, 30 mins, etc.
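Added example (not from the slides) for the connection-timing point on this slide: a Python routine that groups connection-log lines by destination and flags destinations contacted at a near-constant interval, which is what a beacon every 1 min or 30 mins looks like in a capture. The log lines, the RFC 5737 documentation addresses and the jitter threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (not a real capture): "<ISO timestamp> <proto> <dst:port>".
# 203.0.113.10:443 is contacted about once a minute; 192.0.2.77:80 is contacted
# irregularly; both are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-04-01T10:00:00 TCP 203.0.113.10:443
2024-04-01T10:00:07 UDP 198.51.100.5:53
2024-04-01T10:01:00 TCP 203.0.113.10:443
2024-04-01T10:02:00 TCP 203.0.113.10:443
2024-04-01T10:02:31 TCP 192.0.2.77:80
2024-04-01T10:03:00 TCP 203.0.113.10:443
2024-04-01T10:04:01 TCP 203.0.113.10:443
2024-04-01T10:09:45 TCP 192.0.2.77:80
2024-04-01T10:05:00 TCP 203.0.113.10:443
2024-04-01T10:11:02 TCP 192.0.2.77:80
2024-04-01T10:30:15 TCP 192.0.2.77:80
"""

def parse_log(text: str) -> dict:
    """Group connection attempt times by (protocol, destination)."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, proto, dst = line.split()
        by_dst[(proto, dst)].append(datetime.fromisoformat(stamp))
    return by_dst

def find_beacons(text: str, min_attempts: int = 4, max_jitter: float = 0.1) -> list:
    """Destinations contacted at a near-constant interval (1 min, 30 min, ...).
    A destination qualifies with at least min_attempts attempts whose gaps have a
    standard deviation no larger than max_jitter times the mean gap."""
    beacons = []
    for (proto, dst), times in parse_log(text).items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"dst": dst, "proto": proto,
                            "interval_s": round(avg, 1), "attempts": len(times)})
    return beacons

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['proto']} {b['dst']}: {b['attempts']} attempts every ~{b['interval_s']}s")
```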
25. Automation? Sandboxes
• So far, the basic dynamic analysis we have talked about can be automated
• Sandboxes are a good tool in any malware analyst's toolbox; they have pros and cons:
– Pros: speeds up analysis, fast, saves time
– Cons: misses details, can be fooled
• Sandboxes can be open source or commercial:
– A really good free option is Cuckoo sandbox
• Install tutorial: http://www.primalsecurity.net/im-cuckoo-for-malware-with-a-spice-of-reverse-engineering/

26. Summary
• Malware analysis requires both static and dynamic analysis techniques to accurately enumerate indicators of compromise
• As with any automated tool, an analyst will need to be able to validate findings manually