3. About me
Wim Remes
Managing Consultant @ IOActive
Director @ (ISC)2
Organizer @ BruCON
(September 26-27 !!)
I don‟t teach, I share knowledge
(I hope to learn more from you than you learn from me)
5. What?
“Taking malware apart to study it.”
(it‟s that simple? Yes it is.)
Unless you work for an AV vendor, in
which case you are supporting a product and even
they automate A LOT.
12,000,000 samples in Q4 2012(1)
35,000+ mobile samples in Q4 2012(1)
(ain‟t nobody got time for that!)
(1) http://www.mcafee.com/us/security-awareness/articles/state-of-malware-2013.aspx
6. DO:
Understand your adversary
Gather intelligence
Share information
Protect BETTER!
AUTOMATE-AUTOMATE-AUTOMATE
DO NOT:
Waste time on random samples
Practice your reverse engineering fu
(most of the time)
Why?
7. Why?
“Attacker Profiling”
Indicators of compromise!
(IOCs)
Command and Control Servers?
Malware sources?
Traffic Patterns?
Registry Keys?
Behavioral Characteristics?
Know your enemy!
15. Tying it all together
Manual
analysis
Automated
Analysis
External
Sources
IOCs
Firewall
Configuration
IDS/IPS
Configuration
SIEM
Configuration
Industry/Peer
Sharing
16. Tips & Tricks
Incubation
(not for the faint of heart)
a) You want to gather more intelligence
b) You want to profile attackers
Attackers introducing new techniques?
Introducing „next level‟ attackers?
Reselling of compromised machines?
You can learn A LOT!
17. Tips & Tricks
Anti Reverse Engineering
Exploiting weaknesses in RE Tools
Anti Disassembly
Anti Debugging
Anti VM Techniques
Packers
“it takes one to know one.”
Ref. “Practical Malware Analysis”
By Michael Sikorski and Andrew Honig>
18. By Example – ‘Magneto’
A malware that exploits a buffer overflow condition in
Firefox 17.
Believed to be used against users of „malicious‟ TOR
.onion sites.
https://code.google.com/p/caffsec-malware-
analysis/source/browse/trunk/TorFreedomHosting/
19. By Example – ‘Magneto’
Attacks the browser
iframe attack + buffer overflow
Sends hostname+mac address
to remote server
Analysis tools fail because „sessionStorage‟ and
„ArrayBuffer‟ are not recognized.
20. By Example – ‘Magneto’
Attack
Browser
Execute
Shellcode
Gather
Information
Exfiltrate
Information
Learn attacker techniques
Correlate attacker behaviour
Identify coders/ code sharing?
Identify targeted assets
Attribution?
Correlation
…
21. Summary
Goal = Protecting Better
NOT
“Trying to beat them”
There are automation tools, use them.
Know your tools and their limitations.
Know the attacker‟s toolset too
Share knowledge/intelligence
22. Q & A
Thank you !
wim.remes@ioactive.co.uk
@wimremes on twitter
Hinweis der Redaktion
Malware Analysis is somewhat regarded as a dark art … it’s also become one of the primary sources of focused security intelligence for security teams. Nowhere can you learn more about your attackersAnd how they leverage weaknesses in your infratstructure. Let alone learning about what they are interested in.