Greg Hoglund explained at BlackHat 2010 that the development environments malware authors use leave traces in the code, and that those traces can be used to attribute malware to an individual or a group of individuals. Not with the precision of a name, date of birth and address, but as evidence: an arrested suspect's computer can be analysed and compared with the "tool marks" on the collected malware sample.
2. Who am I?
• Michael Boman, M.A.R.T. project
• Have been "playing around" with malware analysis "for a while"
• Working for FireEye
• This is a HOBBY project that I use my SPARE TIME to work on
6. What am I trying to do?
[Diagram: a spectrum running from "Binary" at one end to "Human" at the other, with an arrow labelled "Move this way" pointing from the binary end towards the human end]
7. What am I trying to do?
[Diagram: the Binary-to-Human spectrum with its stages labelled, from the binary end to the human end: Blacklists, Binary, Net Recon, Command and Control, Developer Fingerprints, Tactics Techniques Procedures, Social, Cyberspace, DIGINT, Physical, Surveillance, HUMINT, Human]
8. What am I trying to do?
[Diagram: the same Binary-to-Human spectrum as the previous slide (Blacklists, Binary, Net Recon, Command and Control, Developer Fingerprints, Tactics Techniques Procedures, Social, Cyberspace, DIGINT, Physical, Surveillance, HUMINT, Human)]
25. VXCage REST API
• /malware/add: add sample
• /malware/get/<filehash>: download sample; if there is no local sample, search other repos
• /malware/find: search for sample by md5, sha256, ssdeep, tag, date
• /tags/list: list tags
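The four endpoints above, exercised end to end as an added example (this is not VXCage's own code). The server side is an in-memory stand-in that mirrors the endpoint shapes so the exchange runs offline; the client side uses only urllib. Assumptions that differ from the real API: an upload is the raw POST body with tags in the query string, search keys are limited to md5, sha256 and tag (no ssdeep or date index), and "other repos" are plain callables mapping a sha256 to sample bytes. The `Repo`, `Handler`, `Client` and `demo` names are mine.

```python
"""Toy VXCage-style repository + client for the four endpoints on the slide.
Added example, not VXCage's own code. Assumptions (not the real API): samples
are kept in memory, an upload is the raw POST body with tags in the query
string, search keys are md5/sha256/tag only, and "other repos" are callables
mapping a sha256 to sample bytes."""
import hashlib, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

class Repo:
    def __init__(self, other_repos=()):
        self.samples, self.meta = {}, {}           # sha256 -> bytes, sha256 -> metadata
        self.other_repos = list(other_repos)       # callables: sha256 -> bytes or None
    def add(self, data, tags):
        sha256 = hashlib.sha256(data).hexdigest()
        self.samples[sha256] = data
        self.meta[sha256] = {"md5": hashlib.md5(data).hexdigest(),
                             "sha256": sha256, "tags": sorted(set(tags))}
        return sha256
    def get(self, sha256):
        """Local lookup first; otherwise ask the other repos, verify the hash, cache."""
        if sha256 in self.samples:
            return self.samples[sha256]
        for fetch in self.other_repos:
            data = fetch(sha256)
            if data is not None and hashlib.sha256(data).hexdigest() == sha256:
                self.add(data, ["imported"])       # never cache bytes that fail to verify
                return data
        return None
    def find(self, key, value):
        if key == "tag":
            return [m for m in self.meta.values() if value in m["tags"]]
        return [m for m in self.meta.values() if m.get(key) == value]
    def tags(self):
        return sorted({t for m in self.meta.values() for t in m["tags"]})

class Handler(BaseHTTPRequestHandler):
    repo = None                                    # bound per server in serve()
    def _send(self, code, payload, raw=False):
        body = payload if raw else json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/octet-stream" if raw else "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, fmt, *args):             # silence per-request logging
        pass
    def do_GET(self):
        path = urlparse(self.path).path
        if path == "/tags/list":
            return self._send(200, self.repo.tags())
        if path.startswith("/malware/get/"):
            data = self.repo.get(path.rsplit("/", 1)[1])
            if data is None:
                return self._send(404, {"error": "sample not found"})
            return self._send(200, data, raw=True)
        self._send(404, {"error": "no such endpoint"})
    def do_POST(self):
        url = urlparse(self.path)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if url.path == "/malware/add":
            return self._send(200, {"sha256": self.repo.add(body, parse_qs(url.query).get("tags", []))})
        if url.path == "/malware/find":
            form = parse_qs(body.decode())
            if len(form) != 1:
                return self._send(400, {"error": "give exactly one of md5, sha256, tag"})
            (key, values), = form.items()
            return self._send(200, self.repo.find(key, values[0]))
        self._send(404, {"error": "no such endpoint"})

def serve(repo):
    """Start the toy server on a free localhost port; returns (base_url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), type("Bound", (Handler,), {"repo": repo}))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv

class Client:
    def __init__(self, base_url):
        self.base = base_url
    def add(self, data, tags=()):
        url = self.base + "/malware/add?" + urlencode([("tags", t) for t in tags])
        return json.load(urlopen(Request(url, data=data, method="POST")))["sha256"]
    def get(self, sha256):
        try:
            return urlopen(self.base + "/malware/get/" + sha256).read()
        except HTTPError as err:
            if err.code != 404:
                raise
            return None
    def find(self, **criterion):                   # e.g. find(md5="..."), find(tag="upx")
        req = Request(self.base + "/malware/find", data=urlencode(criterion).encode(), method="POST")
        return json.load(urlopen(req))
    def tags(self):
        return json.load(urlopen(self.base + "/tags/list"))

def demo():
    """Round trip: add a constructed sample, find it by md5, fetch one via the fallback repo."""
    remote_bytes = b"constructed sample known only to the remote repo"
    remote = {hashlib.sha256(remote_bytes).hexdigest(): remote_bytes}
    base, srv = serve(Repo(other_repos=[remote.get]))
    client, local_bytes = Client(base), b"MZ constructed local sample"
    sha = client.add(local_bytes, tags=["delphi", "upx"])
    result = {"sha256": sha,
              "found": [m["sha256"] for m in client.find(md5=hashlib.md5(local_bytes).hexdigest())],
              "remote": client.get(hashlib.sha256(remote_bytes).hexdigest()),
              "missing": client.get("00" * 32),
              "tags": client.tags()}
    srv.shutdown()
    return result
```

The one detail worth copying into a real deployment is in `Repo.get`: a sample pulled from another repository is re-hashed before it is cached or returned, so a misbehaving upstream cannot poison the local store with bytes that do not match the hash that was asked for.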
35. Challenges
• Party handshake problem: every sample has to be compared against every other sample
• 707k samples analyzed and counting (resulting in over 250 billion compares!)
• Need a better target (pre-)selection
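One way to do the pre-selection, as an added example that is not the M.A.R.T. project's own code. It assumes the pairwise comparison behind the handshake problem is ssdeep similarity (the kind of hash the repository indexes); the code only chooses which pairs are worth scoring, the score itself would come from `ssdeep.compare()` from the python-ssdeep binding. The selection rests on two properties of ssdeep: two hashes are comparable only when their block sizes are equal or differ by a factor of two, and `compare()` returns 0 unless the chunks being compared share a common substring of 7 characters (its rolling-window size), after runs of more than three identical characters have been collapsed to three. The hash strings and names in `SAMPLE_HASHES` are constructed, not real samples.

```python
"""Candidate pre-selection for pairwise ssdeep comparison.
Added example, not code from the M.A.R.T./VXCage project. Assumes the
comparison is ssdeep similarity; this picks the pairs that can score above 0,
the score itself would come from ssdeep.compare()."""
from collections import defaultdict
from itertools import combinations

WINDOW = 7   # ssdeep's rolling window: compare() scores 0 without a common 7-char substring

def handshake_count(n):
    """Number of unordered pairs among n samples: the naive all-against-all cost."""
    return n * (n - 1) // 2

def parse_ssdeep(h):
    """'blocksize:chunk:double_chunk' -> (int, str, str)."""
    bs, c1, c2 = h.split(":", 2)
    return int(bs), c1, c2

def eliminate_sequences(s):
    """ssdeep collapses runs of more than 3 identical characters to 3 before
    comparing, so n-grams must be taken from the collapsed form to match it."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)

def ngrams(chunk):
    s = eliminate_sequences(chunk)
    return {s[i:i + WINDOW] for i in range(len(s) - WINDOW + 1)}

def candidate_pairs(hashes):
    """hashes: dict name -> ssdeep string. Returns the unordered pairs that can
    score above 0. Hashes are comparable only when block sizes are equal or
    differ by 2x, and ssdeep then compares the chunks built with the same block
    size (chunk 1 of a 96-hash against chunk 2 of a 48-hash). Indexing each
    chunk under its effective block size and each of its 7-grams means one walk
    over the buckets finds exactly those neighbours and nothing else."""
    index = defaultdict(set)                  # (effective block size, 7-gram) -> names
    for name, h in hashes.items():
        bs, c1, c2 = parse_ssdeep(h)
        for g in ngrams(c1):
            index[(bs, g)].add(name)
        for g in ngrams(c2):
            index[(2 * bs, g)].add(name)
    pairs = set()
    for names in index.values():
        for a, b in combinations(sorted(names), 2):
            pairs.add(frozenset((a, b)))
    return pairs

# Constructed hashes (not real samples): a and b share a chunk-1 substring at
# block size 96, c's chunk 2 (block size 48 x 2 = 96) overlaps a's chunk 1,
# d and e share nothing usable, so only 2 of the 10 possible pairs need scoring.
SAMPLE_HASHES = {
    "a": "96:abcdefghijklmnop:qrstuvwxyz0123",
    "b": "96:abcdefghijXXXXX:zzzz",
    "c": "48:ZZZZZZ:ghijklmnopQQQ",
    "d": "192:nothingincommon:stillnothing",
    "e": "6144:foo:bar",
}
```

`handshake_count(707_000)` reproduces the slide's figure (just under 250 billion pairs); the index turns that into one bucket scan per 7-gram, and the pairs it returns are the only ones that `ssdeep.compare()` could score above zero anyway, so nothing is lost by skipping the rest.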
36. What compilers / packers are common?
(signature name, number of samples)
1. "Borland Delphi 3.0 (???)": 54298
2. "Microsoft Visual C++ v6.0": 33364
3. "Microsoft Visual C++ 8": 28005
4. "Microsoft Visual Basic v5.0 - v6.0": 26573
5. "UPX v0.80 - v0.84": 22353
37. Are there any unidentified packers?
• How to identify a packer (heuristic)
• A PE section that is empty in the binary (zero size on disk) but is marked writable and executable: the packer stub fills it with unpacked code at run time
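The heuristic from the slide, implemented as an added example (not the M.A.R.T. project's code): walk the section table and flag any section whose `SizeOfRawData` is 0 while its `VirtualSize` is non-zero and its characteristics include both `IMAGE_SCN_MEM_WRITE` and `IMAGE_SCN_MEM_EXECUTE`. It uses only the standard library; the PE it runs on is constructed in memory by `build_pe` (headers only, no code), with an empty RWX section modelled on the `UPX0` section a UPX-packed file carries. The `sections`, `suspicious_sections` and `build_pe` names are mine.

```python
"""Heuristic for spotting an unidentified packer: a PE section that takes no
bytes in the file but is mapped writable and executable, i.e. space a packer
stub fills with unpacked code at run time. Added example, not code from the
M.A.R.T. project; standard library only, run against a PE constructed in
memory whose empty RWX section is modelled on UPX's UPX0 (constructed input)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def sections(data):
    """Yield (name, virtual_size, raw_size, characteristics) per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    off = coff_off + COFF_HDR.size + opt_size    # section table follows the optional header
    for _ in range(nsections):
        f = SECTION_HDR.unpack_from(data, off)
        name, vsize, raw_size, chars = f[0], f[1], f[3], f[9]
        yield name.rstrip(b"\0").decode("latin-1"), vsize, raw_size, chars
        off += SECTION_HDR.size

def suspicious_sections(data):
    """Names of sections that are empty on disk (SizeOfRawData == 0) yet reserve
    address space (VirtualSize > 0) and are both writable and executable."""
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, vsize, raw, chars in sections(data)
            if raw == 0 and vsize > 0 and chars & rwx == rwx]

def build_pe(section_specs):
    """Construct a minimal PE32 image (headers only) to exercise the heuristic.
    section_specs: list of (name bytes, virtual_size, raw_size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\x0b\x01" + b"\0" * 222          # PE32 magic, rest zeroed (224 bytes)
    coff = COFF_HDR.pack(0x14C, len(section_specs), 0, 0, 0, len(optional), 0x102)
    table = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1), raw,
                         0x400 if raw else 0, 0, 0, 0, 0, chars)
        for i, (name, vsize, raw, chars) in enumerate(section_specs))
    return dos + b"PE\0\0" + coff + optional + table

# Constructed sample: a normal .text (CNT_CODE 0x20, RX), a UPX0-style empty
# RWX section (CNT_UNINITIALIZED_DATA 0x80), and a .data (CNT_INITIALIZED_DATA 0x40, RW).
SAMPLE_PE = build_pe([
    (b".text", 0x2000, 0x2000, 0x20 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b"UPX0", 0x10000, 0, 0x80 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", 0x1000, 0x400, 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
```

The check is deliberately independent of the section name: a packer that renames `UPX0` to `.text` still needs somewhere to write the unpacked image, and that somewhere still shows up as an empty, writable, executable section.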
38. How common are antidebugging techniques?
• 31622 out of 531182 PE binaries import IsDebuggerPresent (6 %)
• Packed executables not counted (the packer hides the original import table until run time)
41. What am I trying to do in the future
[Diagram: the Binary-to-Human spectrum again (Blacklists, Binary, Net Recon, Command and Control, Developer Fingerprints, Tactics Techniques Procedures, Social, Cyberspace, DIGINT, Physical, Surveillance, HUMINT, Human)]
Expand scope of analysis: +network +memory +os changes +behavior
42. What am I trying to do in the future
• More automation
• More modular design
• Solve the "Big Data" issue I am getting myself into (Hadoop?)
• More pretty graphs
43. Thank you
• Michael Boman
• michael@michaelboman.org
• @mboman
• http://blog.michaelboman.org
• Code available at https://github.com/mboman/vxcage