Training on July 16, 2017. This training is the compressed version of Malware Engineering & Crafting. In this training, we will talk about malware as well as crafting the simple working malware. The goal of this session is to understanding malware internal so one can have tactics to combat it.

1. Malware
To the Realm of Malicious
Code

2. #Whoami?
Satria Ady Pradana #xathrya
o Indonesian Cyber Security Consultant at Mitra
Integrasi Informatika (MII)
o Red Team
o Security Risk Assessment
o Incident Response
o Threat Intelligence
o Education
o Researcher and Developer at dracOs (Linux
Distro)
o Coordinator of Reversing.ID
o Member of Indonesia Honeynet Project
fb.me/xathrya.sabertooth

3. Today’s Agenda
 Learn malware classes, characteristics, and potential threats.
 Learn how malware works
 attacking and infecting
 common propagation technique
 Common concealment and self-defense technique
 Learn how Anti Virus works.
 Learn common protection from malware attacks.
 Profit??

4. Our Activity

5. Introduction
o Malware threat is (really) increasing, become more advanced and more contagious.
o Malwares are new weapons used by lot of actors, for examples:
o Governments
o Spies
o Hacktivist
o Criminals
o What motivate them?
o Malwares are interesting, both for creator and analyst.
o Ever wonder how malware works?

6. Statistic: New Malware in Last 5 Years
Copyright © AV-TEST GmbH, www.av-test.org

7. Why Crafting A Malware?
 To win the battle we must know what enemy capabilities are.
 Learn the enemy’s tactics to build our own tactics for combating them.
 For education. For fun and profit!

8. Disclaimer: Do at your own risk!
• Pasal 33 UU ITE tahun 2008
“Setiap orang dengan sengaja dan tanpa hak atau melawan hukum
melakukan tindakan apa pun yang berakibat terganggunya sistem
elektronik dan/atau mengakibatkan system elektronik menjadi tidak
bekerja sebagaimana mestinya”.
• Pasal 49 UU ITE tahun 2008
“Setiap orang yang memenuhi unsur sebagaimana dimaksud dalam pasal
33, dipidana dengan pidana penjara paling lama 10 (sepuluh) tahun
dan/atau denda paling banyak Rp 10.000.000.000,00 (sepuluh miliar
rupiah).”

9. Lab Activity: Setup
 You are provided with a VM for developing simple malwares
 Make sure everything is working.

10. The Virus Outbreak
What? How? Why?

11. Malware? What’s That?
 MALicious softWARE
 Software that is built for hostile or intrusive purpose, infiltrating other system and might
damaging it without user consent.

12. Malware Roles
 Mostly used by cybercriminal for financial gain.
 Stealing resource: money, bank account, credit card, cryptocurrency.
 Used by government and agencies for “protecting” national security.
 As a surveillance to citizen.
 Sabotage other country.
 Used by some corporation for protecting its own interest.
 Copy protection / digital right management.
 As espionage to competitor.
 etc

13. Malware Classes
 Viruses
 Worms
 Trojans
 Rootkit
 Adware
 Spyware
 Ransomware
However, current malware is a combination of traits from several classes

14. Viruses
Malicious software which can infect files, software, and data
carriers.
 Replicates by embedding itself or inserting its code
(infect) into other.
 The host (carrier) is modified.
 Host can be: program, boot sectors, etc.

15. Worms
Spreads independently, reproduce and spread as quickly as
possible.
 Stand alone, no need of host.
 Use network and removable media as propagation
vector.

16. Trojans
Misleading users of its true intent by pretending as useful
program, in order to carry out unnoticed additional
malicious functions.
 Working in background
 Connected and controlled by malicious actors.

17. Timeline
 In earlier day, malware typically vandalized PC and destroyed files for fun.
 Began with a theory of self-reproducing automata in 1949. Since then scientists are creating self-
reproducing software as a game, wargame, conquering the other faction.
 The term computer viruses was (formally) coined in 1983, while some science fictions had used it
before.
 Brain boot sector virus appeared in 1986, more coming.
 AIDS Trojan, the first ransomware, appeared in 1989.
 Morris worm, appeared in 1988 and spread extensively in the wild

18. Timeline (cont’d)
 First Polymorphic virus, Chameleon, was developed in 1990.
 Concept, the first macro virus appeared and attacking Microsoft Word documents.
 Malwares began incorporating zero-day exploit. In 2003 SQL Slammer worm attacked Microsoft
SQL Server and MSDE, regarded as fastest spreading worm.
 Malware began being used as cyber weapon. Stuxnet worm, first identified in 2010 but thought
to be in development since at least 2005, targets industrial computer systems especially Iran’s
nuclear program.

19. How Can You Get Infected?
 Spam or phishing emails containing attached files.
 Infected removable drives
 Bundled with other software
 Visiting any compromised or infected websites.***
 Old and unpatched systems
 Downloading and running software, especially illegal one, from untrusted source.
 You had been hacked and the malware is planted inside the system.

20. Exploit Kit
 Modern malware campaign rarely rely on malware’s own capability to spread.
 Exploit Kit is a software kit designed to run on web servers, with the purpose of identifying
software vulnerabilities in client machines communicating with it, and discovering and exploiting
vulnerabilities to upload and execute malicious code on the client.
 Silent drive-by download, drop malware to victim.

21. General Symptoms of Infections
In short, any anomaly that might happen on your systems
 Program start to load slower
 System become less responsive
 Unusual files appears on hard drive, or files disappear from system
 Browsers, word processing application, or other software exhibit unusual operating
characteristics.
 Unusual network traffic
 Unexpected error message during startup

22. Potential Damage
 Corrupting data files (as well as encrypting)
 Destroy or removing files
 Steal sensitive information
 Take control the system
 Use as stepping stone for further exploitation

23. Outbreak Case: WannaCry
 Ransomware
 Exploiting vulnerability in SMBv1, known as Eternal Blue or MS17-010 in Microsoft Security Bulletin.
Also spreading via e-mail.
 More than 400,000 machines infected.
 Fast-rate infection. Why?
 Timing and speed: 1-2 months after public disclosure of the exploit
 Coverage: SMBv1 is pretty much widely used, both in workstation and server.
 First version a kill-switch (go to dormant state when certain condition met)

24. Outbreak Case: (Not) Petya
 A Wiper. Believed as cyber weapon. Pretending as ransomware.
 Also use Eternal Blue.
 Seeded through update mechanism built into M.E.Doc (accounting program) used in Ukrainian
government.

25. Malware Internals
Spread, Infect, Survive, Profit !

26. Malware Components
 Propagation
 Payload
 Self-Defense (Survival)

27. Propagation
 Spreading itself.
 Infecting other system.
 The possibility:
 Embed to other.
 Just copy itself.
 Force to download

28. Payload
 Any code designed to do other than spreading and self-defense is referred as payload.
 Yes, anything from prank to steal information.
 Some payloads that need to be a concern.
 Persistence
 Communication

29. Example Payload
Not an exhaustive list:
 Log key strokes.
 Encrypting file or partition.
 Clone self to startup directory.
 Modify some registry values.
 Remove files.
 Updating self to new version.
 Steal cookies from browsers.

30. Self-Defense
 Malware existence is essential, need to be as long as possible.
 Detected quickly means less campaign gained.
 Malware is investment
 Generally, two categories:
 Concealment, making malware action unnoticed
 Anti-Analysis, making malware analysis difficult.

31. Anti Analysis
 Type of Analysis
 Static Analysis
 Dynamic Analysis
 Implying, we should thwart those analysis attempts.

32. Anti Static Analysis
 Runtime packer
 Techniques to compress the actual code and decompress it in runtime when needed.
 Anti Disassembly
 Techniques to compromise disassemblers and/or disassembling process
 Obfuscation
 Techniques to make the signatures creation more difficult and the disassembled code harder to be
analyzed by a professional.

33. Anti Dynamic Analysis
 Anti Debugging
 Techniques to detect and/or compromise debuggers and/or the debugging process.
 Anti VM
 Techniques to detect and/or compromise virtual machine
 Anti Fake DNS
 Techniques to detect the existence of Fake DNS.

34. Supporting Actor
 C&C server
 Relay server

35. Lab Activity: Malware Crafting

36. Anti-Virus Internals
Not so deep

37. Anti Virus?
 Myth busting: viruses are not the only malware that AV combating.
 Protecting from malware, scanning viruses, worms, and Trojan horses.

38. How Anti Virus Detect Malware?
Uses various strategy to reveal malware.
 Signatures
 Heuristic
 Sandbox

39. Signature?
 The first known approach to detect viruses.
 Some viruses have special markers.
 Comparing viruses to known viruses marks in database.
 Unique byte array usually used to mark whether target has been infected or not.
 Mutexes

40. Heuristic
 Detect malware by learning its traits.
 Detect unknown (no-signature) viruses and its variant.
 Expert-based analysis that determines the susceptibility of system towards particular threat.
 The decision based on various decision rules or weighting methods.

41. Sandbox
 Isolated environment for running malware in safe manner.
 “Simulate” the malware and collect/record the behavior, such as:
 Connection attempt.
 File access.
 API calls.
 Host modification.
 Classify as malware or not based on the known behavior.

42. Defense Against Malware
Protect, avoid, and mitigate malware outbreak

43. Technical Aspects
This software must be installed on your computers
 Anti Virus
 Firewall
 Ad Blocker

44. Technical Aspects (cont’d)
You might consider this in your network
 Anti Virus Gateway
 Sandbox appliance
 IPS (Intrusion Prevention System) & Next Gen IPS
 Next Gen Firewall

45. Technical Aspects (cont’d)
 Implement patch management.
 Regularly update the system especially for known vulnerability.

46. Personal Aspects
All about awareness of you and other people
 Have a healthy skepticism to anything that will entering your PC, especially from untrusted
source.
 Email attachment
 Removable drives
 Look carefully the link / URL in address bar or in email. If anything suspicious, leave it.
 Download software from trusted sources only.
 Ignore urgent installation prompts on the web
 If possible, do not log on to the system with administrator rights for normal work.
 Update regularly.

47. Back Up
Last but not least, perform backups regularly.
Distinguish between a complete system backup and backup of working files.

48. Specific Case: Ransomware
 How exploit leaks could lead to global endemic
 Rising of malwares: WannaCry, (Not) Petya

49. Conclusion
 Malwares are just program, with special purpose.
 Malwares are composed of code for propagation, payload, and self-defense.
 To defend yourself, you must rely on three things: technology, security awareness, good policy