Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014


Published on April 4, 2014

Author: grecsl

Source: slideshare.net

Description

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage, either to crush the mundane or to recognize when it's time to pass the more serious samples on to the big boys. This presentation covers several analysis environment options and the three quick steps that allow almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se, but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

Malware Analysis: N00b to Ninja in 60 Minutes*
@grecs, NovaInfosec.com
* Most listeners do not become Ninjas in under 60 minutes.

Slide footer: Malware Analysis: N00b to Ninja in 60 Mins, NovaInfosec.com, @grecs
[Slide image: pic of hacked sites; news articles of breaches, mid-2000s]
Infosec COTS

Agenda
• Introduction
• Environment
• Methodology
• Where to Learn More
• Conclusion

Introduction
WARNING!!! DO NOT ANALYZE MALWARE ON PRODUCTION SYSTEMS
Who this talk is for:
• Security Analysts Looking to Expand Skills beyond Event Monitoring & Basic Analysis
• General Security Practitioners Interested in Getting Started in Malware Analysis

Introduction: What Is Malware Analysis
• The Analysis of Malware ;)
• Reverse Engineering Malware to Understand How It Works and What It Does
• Types
  – Triage
  – Dynamic Analysis
  – Static Analysis
(See "Mastering 4 Stages of Malware Analysis" by Lenny Zeltser)

Introduction: Triage
• Definition
  – Quickie Analysis to Understand as Much as Possible about the Malware
• Goals
  – Gain Gist of What Malware Is & What It Could Do

  What                                        How
  Determine Basic Running Properties          Automated Analysis
  See If Others Found It                      Hash Search
  Analyze File Props (type, imports)          PE Examination
  Find Textual Clues of Activity (if packed)  Strings

Introduction: Triage (Is That Enough?)

Introduction: Dynamic Analysis
• Definition
  – Execute Malware & Watch What It Does
• Goals
  – Acquire Understanding of How Malware Acts

  What                          How
  Sense Host Changes            Registry, File, Log, … Monitoring
  Uncover Runtime Properties    Process Monitoring, Memory Analysis*
  Reveal Network Activity       TCP/UDP Monitoring (DNS, HTTP, HTTPS)

Introduction: Dynamic Analysis
• Process
  – Establish Baseline of Environment
  – Start Monitoring Applications & Execute Malware
  – Monitor Activities & Stop Monitoring Applications
  – Analyze Differences & Activity Recorded

Introduction: Dynamic Analysis (Is That Enough?)

Introduction: Dynamic Analysis (diagram slide)

Introduction: Static Analysis
• Definition
  – Disassemble Malware Down to Computer Instructions
• Goals
  – Reverse Engineer to Understand Exactly What It Does
(Slide shows a difficulty scale labelled Easy to Hard)

Environment
• Platform
  – Virtual
  – Physical
• Options
  – Automated
  – Single Box
  – Dual Box

Environment: Platform
• Virtual
  – Efficient & Easy to Set Up
  – Snapshots to Revert Back To
  – Malware May Detect the VM & Terminate
  – Note: Use a Non-Host-Connected Interface (host-only doesn't count)
• Physical
  – VM Detection Not Possible
  – Resource Intensive

Environment: Options
• Automated
  – Triage Analysis Performed in Automated Environment
  – Emulates User Execution of & Interaction with Malware
  – Collects Artifacts on Malware Activity
• Single Box
  – Triage and/or Dynamic Analysis Performed on One Machine
  – Potential Risk of Malware Sabotaging the Analysis
• Dual Box
  – Mitigates Some Sabotage Risk
  – Gateway to Simulate a Network
  – Realistic External View (ports open, network traffic)

Environment: Automated Analysis
• Online
  – Malwr.com
  – Norman Sandbox
  – GFI Sandbox
  – Anubis
  – ThreatExpert.com
• In-House
  – Commercial Products: e.g., Companies Above, FireEye
  – Open Source: e.g., Cuckoo Sandbox, ZeroWine
  – Minimum: Machine Loaded with Several AV Products
[Slide image: one online submission form]

Environment: Automated Analysis
• Cuckoo Sandbox
  – Automated Dynamic Analysis of Malware
  – Data Captured
    • API Calls: Trace of Relevant Win32 API Calls Performed
    • Network Traffic: Dump of Traffic Generated During Analysis
    • Screenshots: Taken During Analysis
    • Files: Created, Deleted, and Downloaded by Malware
    • Assembly Instructions: Trace of Assembly Instructions Executed
  – Setup
    • Can Be Frustrating
CuckooBox: http://cuckoobox.org/

Environment: Automated Analysis (screenshot slide)

Environment: Single Box
• Start with Base Unpatched Win XP SP2 Box in VMware
  – Similar to First Set of Post-Install Instructions for Metasploit Unleashed
  – Turn Off Automatic Updates
  – Disable Alerts
• Where to Get
  – eBay, NewEgg, etc.
  – Win Eval OSs (previous versions)
  – AWS (servers only)

Environment: Single Box
• Install Triage Analysis Tools
  – Strings
    • Strings from Sysinternals (also strings2)
    • BinText from McAfee
  – PeStudio
  – FileInsight
    • Hex Editor & Analysis Tool by McAfee

Environment: Single Box
• Install Dynamic Analysis Tools
  – Process Monitor
    • Exposes File System, Registry & Process Activity Started During Malware Execution
  – Process Explorer
    • Advanced Task Manager Replacement
    • Reveals Info about Handles/DLLs Processes Have Opened/Loaded
  – WireShark (along with WinPCAP)
    • Sniffer to Capture Malware-Initiated Network Traffic
  – RegShot
    • View Changes Malware Makes in the Registry/File System
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653
WireShark: https://www.wireshark.org/
RegShot: http://sourceforge.net/projects/regshot/

Environment: Single Box
• Install Dynamic Analysis Tools (cont.)
  – TCPView
    • Allows Detection of Malware-Initiated Network Connections
  – FakeNet
    • Aids Dynamic Analysis of Malicious Software
    • Simulates a Network so Malware Thinks It's Interacting with Remote Hosts
    • DNS, HTTP, SSL, Dummy Listener
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437
FakeNet: http://practicalmalwareanalysis.com/fakenet/

Environment: Single Box
• Install Static Analysis Tools
  – OllyDbg with OllyDump Plugin
    • General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly
    • Plugin to Dump Encrypted Malware Once It Has Been Decrypted in Memory
  – Specialized Tools
    • PDFs: Didier Stevens's pdfid.py & pdf-parser.py
    • Flash: SWFTools
    • Others: Office, Java, JavaScript
OllyDbg: http://www.ollydbg.de/
OllyDump: http://www.openrce.org/downloads/details/108/OllyDump
Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/

Environment: Single Box (Others)
• Other Ideas for Base Install or On-the-Fly
  – Several AV Products
  – Users with Various Permissions
  – Malware Analysis Pack (FakeDNS, Right-Click Options: MD5, strings, VT)
  – CaptureBAT
• File Analysis Tools
  – WinHex (restrictions under eval version; priced high for hobbyist)
  – 010 Editor (30-day eval; priced high for hobbyist)
  – FileAlyzer (similar to PeStudio but different capabilities)
• Forensics
  – FTK Imager Lite
  – Autopsy/The Sleuth Kit
  – DumpIt
  – Volatility

Environment: Single Box
• Baseline
  – Configure VM to "Host-Only" Mode (Secluded Network)
    • Temporarily Change to NAT to Download Malware
    • Write-Once Media (e.g., CDs)
    • USB Key with Physical Write-Protect Switch
      – Imation USB 2.0 Clip Flash Drive
      – Kanguru Flashblu 2
  – Snapshot VM
• Rinse & Repeat
  – Library of Different OSs at Various SPs (XP SP1, 2, & 3)

Environment: Dual Box (Fake Gateway Server)
• Second Machine for Target to Connect To
  – Additional Advantage of Examining Network Traffic without Possible Malware Sabotage
  – Implement Linux Server in VMware & Configure to Be Default Route on Victim Machine
  – Should Have Fixed IP Addresses
• Enable or Install Software that Provides Needed Services
  – DNS: Configured to Return Fake Server's IP for All Queries
  – HTTP
  – IRC
  – Others: DHCP, FTP, SSH
  – Other Services Depending on Goal of Analysis

Environment: Dual Box (Fake Gateway Server)
• Install Network Analysis Tools
  – WireShark: Records Network Traffic from Victim
  – Netcat: Start Needed Ad-Hoc Services
  – Nmap: Scan for Open Ports External to Victim
• Snapshot Fake Server to Revert Back To

Environment: Dual Box (Fake Gateway Server)
• REMnux
  – Created by Lenny Zeltser
  – ISO or Virtual Appliance
  – Triage
    • Load Malware on & Analyze
    • Web-Based Malware (e.g., Malicious JavaScript, Java Programs, & Flash Files)
    • Malicious Documents (e.g., Microsoft Office & Adobe PDF files)
    • Utilities for Reversing Malware through Memory Forensics
  – Dynamic Analysis
    • Emulate Network Services: Used as Fake Gateway Server
    • Emulate Services in Isolated Lab Environment
    • Infect Another Laboratory System with Malware Sample
    • Direct Potentially-Malicious Connections to REMnux, Which Is Listening on Appropriate Ports
REMnux: http://zeltser.com/remnux/ (v4)

Environment: Dual Box (Fake Gateway Server) (diagram slide)
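The fake gateway's DNS service is the piece that makes the rest of the dual-box setup work: every name the sample resolves has to come back as the gateway's own address so the follow-on HTTP/IRC connections land on the listeners you control. The snippet below is an added example (not the slides' code, nor REMnux's or FakeNet's) of that one behaviour: a minimal DNS responder that hands back a fixed "sink" IP for any A query and an empty NOERROR reply for other record types so the sample's resolver moves on instead of stalling. The names `build_query`, `build_response`, `answered_ip`, `serve` and the 10.0.0.1 lab address are assumptions for this example.

```python
"""Fake-gateway DNS sink-hole (added example, not from the slides or REMnux):
answers every A query with the gateway's own IP, which is what the slide's
"DNS: configured to return fake server's IP for all queries" bullet asks for."""
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode "a.b.c" in DNS wire format: length-prefixed labels, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed client query, i.e. what a sample's resolver would send: RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (txid, name, qtype, qclass, raw question bytes) of a single-question packet."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def build_response(query: bytes, sink_ip: str, ttl: int = 60) -> bytes:
    """Answer A/IN queries with sink_ip; other types get an empty NOERROR reply."""
    txid, _name, qtype, qclass, question = parse_question(query)
    if qtype != 1 or qclass != 1:
        # QR=1 RD=1 RA=1, no answers: the resolver falls back to A without waiting for a timeout
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # one answer record
    # 0xC00C is a compression pointer back to the name at offset 12 (start of the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
    return header + question + answer


def answered_ip(response: bytes):
    """Pull the IPv4 address out of the first A answer, or None if there is no answer."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, _, _, _, question = parse_question(response)
    rdata = 12 + len(question) + 2 + 2 + 2 + 4 + 2  # name ptr, type, class, ttl, rdlength
    return socket.inet_ntoa(response[rdata:rdata + 4])


def serve(sink_ip: str, bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Run the sink-hole on the isolated lab interface (binding port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, client = sock.recvfrom(512)
        try:
            reply = build_response(data, sink_ip)
        except (IndexError, struct.error, UnicodeDecodeError):
            continue  # malformed packet: skip it rather than crash the gateway
        print(f"{client[0]} asked for {parse_question(data)[1]} -> {sink_ip}")
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve("10.0.0.1")  # assumed gateway address on the host-only lab network
```

Every query the victim makes is printed, so the log doubles as the list of domains the sample tried to reach, which is exactly the "realistic external view" the dual-box slide promises; pair it with WireShark on the same box to see what the sample does once the connection lands on a listener.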

Methodology
1. Triage
2. Dynamic Analysis
3. Static Analysis

Methodology 1. Triage Checklist
a. Run through External/Internal Sandbox Services for QnD Results
   • Goals: Rough Understanding of Malware Activities
   • Tools: Cuckoo, Malwr.com, Norman, GFI Sandbox, Anubis, ThreatExpert.com
b. MD5 Hash Comparison (can run live if possible)
   • Goals: See If Others Found It (hash changes when compiled, packed or obfuscated)
   • Tools: VirusTotal.com, PeStudio, Google Hash Search
c. Determine Real File Type
   • UNIX "file" Command and/or TrID
   • Open in FileInsight & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia)
d. Analyze Imports
   • Goals: Discover Interesting Libs Malware May Be Importing (networking APIs in a non-networking app)
   • Tools: PeStudio, PEView
e. Extract Readable Strings
   • Goals: Discover Interesting Data Points like Host Names & IP Addresses
   • Tools: strings, strings2
f. Unpack If Needed
   • Tools: OllyDump, PE Explorer (UPX built-in)
g. Specialized Tools
   • E.g., pdfid.py, pdf-parser.py, SWFTools
MASTIFF: Open Source Linux Tool that Automates Much of the Above (on REMnux v4)

Methodology 2. Dynamic Analysis Checklist
a. Establish Baseline of Environment
   • Add Target Software: Reader, Java, Flash, Browsers (OldVersion.com / OldApps.com)
   • Disable Windows Firewall
   • Create Snapshot if Testing Multiple Times
b. Start Monitoring Apps & Execute Malware
   • Take RegShot & Start WireShark, Process Monitor, Process Explorer, FakeNet & TCPView
   • Monitors File and Registry Access, Network Traffic, Process Creation, etc.
   • Execute Malware & Let It Run for 15 Minutes or Until Activity Dies Down
c. Monitor Activities & Stop Monitoring Applications
   • Watch WireShark, Process Monitor, & TCPView for Anything Interesting
   • Take Second RegShot & Stop WireShark, Process Monitor, FakeNet
d. Analyze Differences & Activity Recorded
   • Compare Initial & Final RegShots
   • Review All Monitoring Tool Logs
RegShot: Set the "Scan dir1" option to c:

Methodology 2. Dynamic Analysis (Setup): Be Careful

Methodology 2. Dynamic Analysis (RegShot & WireShark): steps b-1, b-2, b-3 (screenshots)

Methodology 2. Dynamic Analysis (Process Monitor): steps b-4, b-5, b-6 (screenshots)

Methodology 2. Dynamic Analysis (Process Explorer): step b-7, Just Start

Methodology 2. Dynamic Analysis (FakeNet): step b-8, Just Start

Methodology 2. Dynamic Analysis (TCPView): step b-9, Just Start

Methodology 2. Dynamic Analysis (Execute Malware)
b-10. Execute Malware
• Double-Click EXE
• rundll32.exe DLLName, Export arguments
  – Use PE Explorer to Discover the Export Names and Arguments
  – E.g., rundll32.exe rip.dll, Install
• Visit Website
c-1. Just Monitor
• Watch All Monitoring Tools & Stop When Activity Dies Down

Methodology 2. Dynamic Analysis (Spin Down): steps c-2, c-3, c-4 (screenshots)

Methodology 2. Dynamic Analysis (Spin Down): step c-5 (screenshot)

Methodology 2. Dynamic Analysis (Spin Down): step c-6 (screenshot)

Methodology 2. Dynamic Analysis (Analysis)
c-7. Save Logs for Future Reference
d. Compare Initial & Final RegShots & Review All Monitoring Tool Logs
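Step d of the dynamic checklist, comparing the first and second RegShot, is a plain before/after diff of two snapshots, and the value of a snapshot tool is that it catches what you were not watching in Process Monitor. The code below is an added example, not RegShot's implementation and not from the slides: it takes two constructed snapshots of a file system (keyed by path, valued by content hash) and a registry (keyed by value path), reports added, deleted and modified entries, and flags anything written under the autostart keys an analyst checks first. The `PERSISTENCE_KEYS` list, the file and registry contents, and the function names are assumptions made for this example.

```python
"""RegShot-style baseline comparison (added example, not RegShot's code or the
slides'). Two snapshots of a constructed in-memory file system and registry are
diffed, and entries under well-known autostart keys are flagged for the analyst."""
import hashlib

# Autostart locations worth flagging (assumption: a short list, not exhaustive).
PERSISTENCE_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\System\CurrentControlSet\Services",
)


def snapshot_files(files: dict) -> dict:
    """files: {path: bytes}. Store a content hash so edits are caught, not just new names."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classic snapshot diff: keys only in `after`, only in `before`, or with changed values."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def flag_persistence(reg_diff: dict) -> list:
    """Any added or modified registry value under an autostart key is a persistence candidate."""
    changed = reg_diff["added"] + reg_diff["modified"]
    return sorted(v for v in changed
                  if any(v.lower().startswith(k.lower()) for k in PERSISTENCE_KEYS))


# Constructed "before" and "after" states: the sample drops a file in the
# profile's Application Data folder, edits the hosts file and registers itself
# under the HKCU Run key. None of these paths or values come from a real sample.
FILES_BEFORE = {
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\r\n",
    r"C:\Documents and Settings\analyst\Desktop\sample.exe": b"MZ\x90\x00",
}
FILES_AFTER = {
    r"C:\Windows\System32\drivers\etc\hosts":
        b"127.0.0.1 localhost\r\n127.0.0.1 update.vendor.example\r\n",
    r"C:\Documents and Settings\analyst\Desktop\sample.exe": b"MZ\x90\x00",
    r"C:\Documents and Settings\analyst\Application Data\svchost.exe": b"MZ\x90\x00",
}
REG_BEFORE = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VMware Tools": "vmtoolsd.exe",
}
REG_AFTER = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VMware Tools": "vmtoolsd.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost":
        r"C:\Documents and Settings\analyst\Application Data\svchost.exe",
}


def analyze(files_before=FILES_BEFORE, files_after=FILES_AFTER,
            reg_before=REG_BEFORE, reg_after=REG_AFTER) -> dict:
    """Step d in one call: diff both snapshot pairs and pull out the persistence hits."""
    file_diff = diff_snapshots(snapshot_files(files_before), snapshot_files(files_after))
    reg_diff = diff_snapshots(reg_before, reg_after)
    return {"files": file_diff, "registry": reg_diff, "persistence": flag_persistence(reg_diff)}


if __name__ == "__main__":
    result = analyze()
    for section in ("files", "registry"):
        for kind, items in result[section].items():
            for item in items:
                print(f"{section:8s} {kind:8s} {item}")
    for item in result["persistence"]:
        print(f"PERSISTENCE {item}")
```

The hashing matters: a name-only diff (or a RegShot run without the "Scan dir1" option the slide mentions) would miss the hosts-file edit, since the path exists in both snapshots. Expect noise from the OS itself (prefetch, event logs, the AV you installed); that is why the checklist has you take the baseline on a quiet, snapshotted VM rather than a freshly booted one.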

Methodology 3. Static Analysis
a. Use OllyDbg or IDA Pro to Disassemble & Analyze Deobfuscated Malware
b. Just Stare at It
c. ...
d. Stare Some More
e. ... And Some More

Where to Learn More: OpenSecurityTraining.info

Where to Learn More
• OpenSecurityTraining.info
  – "Reverse Engineering Malware"
    • Matt Briggs & Frank Poz
    • "Practical Malware Analysis" by M. Sikorski/A. Honig
    • http://opensecuritytraining.info/ReverseEngineeringMalware.html

Where to Learn More
• Hacker Academy
  – "Reverse Engineering"
    • Foundation RE Material & Concepts
    • Covers Many Malware Analysis Techniques & Tools
      – PE File Format
      – Packers & Unpackers
      – OllyDbg
      – Digital Forensics
  – Other Classes
    • "Ethical Hacking"
    • "Penetration Testing"
    • "Cutting Edge"
Annual Enrollment for All: $1499
NovaInfosec.com Discount: $499
Free 30-Day Trial: http://bit.ly/grecshackerdeal

Where to Learn More
• Zeltser.com
  – Malware Analysis Toolkit: http://zeltser.com/malware-analysis-toolkit/
  – Intro to Malware Analysis: http://zeltser.com/reverse-malware/intro-to-malware-analysis.pdf
• Certifications: SANS GREM, EC-Council CHFI
• NIST: 800-94, 800-83, 800-61
• NovaInfosec
  – Workshop Style? Tomorrow at ??? @ 10:00am?
  – Follow @grecs for location info once determined

Conclusion
• Introduction
• Environment
  – Platform
  – Automated
  – Single Box: Analysis
  – Dual Box: Fake Gateway
• Methodology
  – Triage
  – Dynamic Analysis
  – Static Analysis
• Where to Learn More
  – OpenSecurityTraining.info
  – NovaInfosec/Hacker Academy
  – Zeltser.com
• Conclusion

Questions?
• Twitter: @grecs
• Website: NovaInfosec.com
• Contact: http://bit.ly/nispcontact
• Hacker Academy: http://bit.ly/grecshackerdeal
