As given @ SecureAsia Manila 2013

1. Intro to Malware Analysis
Wim Remes – Managing Consultant @ IOActive

2. 1977 - 2013
Barnaby Jack

3. About me
Wim Remes
Managing Consultant @ IOActive
Director @ (ISC)2
Organizer @ BruCON
(September 26-27 !!)
I don‟t teach, I share knowledge
(I hope to learn more from you than you learn from me)

4. Malware Analysis
What ?
Why?
Toolchain?
Tying it all together ?
Tips & Tricks!

5. What?
“Taking malware apart to study it.”
(it‟s that simple? Yes it is.)
Unless you work for an AV vendor, in
which case you are supporting a product and even
they automate A LOT.
12,000,000 samples in Q4 2012(1)
35,000+ mobile samples in Q4 2012(1)
(ain‟t nobody got time for that!)
(1) http://www.mcafee.com/us/security-awareness/articles/state-of-malware-2013.aspx

6. DO:
Understand your adversary
Gather intelligence
Share information
Protect BETTER!
AUTOMATE-AUTOMATE-AUTOMATE
DO NOT:
Waste time on random samples
Practice your reverse engineering fu
(most of the time)
Why?

7. Why?
“Attacker Profiling”
Indicators of compromise!
(IOCs)
Command and Control Servers?
Malware sources?
Traffic Patterns?
Registry Keys?
Behavioral Characteristics?
Know your enemy!

8. Toolchain
https://www.virustotal.com/en/#search
Do NOT just upload unknown samples!

9. Toolchain
http://www.cuckoosandbox.org
Automated Analysis

10. Toolchain
Reporting
Cuckoo framework
Oracle Virtualbox
WinXP WinXP WinXP WinXP - Installation
- System Changes
- Network Traffic
- …

11. Toolchain
Manual Analysis?
(sure…)
OllyDbg
Immunity Debugger
IDA Pro
WinDbg
Wireshark
Windows SysInternals
…
Beware of evasion tricks !!

12. Toolchain
Mobile Malware?
http://apkscan.nviso.be/

13. Toolchain
Indicators of compromise (IOCs)

14. Toolchain
http://www.malware.lu/
http://www.abuse.ch/
(Zeus tracker / SpyEye tracker)
http://www.openioc.org/

15. Tying it all together
Manual
analysis
Automated
Analysis
External
Sources
IOCs
Firewall
Configuration
IDS/IPS
Configuration
SIEM
Configuration
Industry/Peer
Sharing

16. Tips & Tricks
Incubation
(not for the faint of heart)
a) You want to gather more intelligence
b) You want to profile attackers
Attackers introducing new techniques?
Introducing „next level‟ attackers?
Reselling of compromised machines?
You can learn A LOT!

17. Tips & Tricks
Anti Reverse Engineering
Exploiting weaknesses in RE Tools
Anti Disassembly
Anti Debugging
Anti VM Techniques
Packers
“it takes one to know one.”
Ref. “Practical Malware Analysis”
By Michael Sikorski and Andrew Honig>

18. By Example – ‘Magneto’
A malware that exploits a buffer overflow condition in
Firefox 17.
Believed to be used against users of „malicious‟ TOR
.onion sites.
https://code.google.com/p/caffsec-malware-
analysis/source/browse/trunk/TorFreedomHosting/

19. By Example – ‘Magneto’
Attacks the browser
iframe attack + buffer overflow
Sends hostname+mac address
to remote server
Analysis tools fail because „sessionStorage‟ and
„ArrayBuffer‟ are not recognized.

20. By Example – ‘Magneto’
Attack
Browser
Execute
Shellcode
Gather
Information
Exfiltrate
Information
Learn attacker techniques
Correlate attacker behaviour
Identify coders/ code sharing?
Identify targeted assets
Attribution?
Correlation
…

21. Summary
Goal = Protecting Better
NOT
“Trying to beat them”
There are automation tools, use them.
Know your tools and their limitations.
Know the attacker‟s toolset too
Share knowledge/intelligence

22. Q & A
Thank you !
wim.remes@ioactive.co.uk
@wimremes on twitter