christian wojner, cert - first · wh01am 02.04.2013 2 person christian wojner malware analysis,...

Report

Post on 19-Jul-2020

1 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

Christian Wojner, CERT.at

1 02.04.2013

Wh01am

02.04.2013 2

Person

Christian Wojner

Malware Analysis, Reverse Engineering, Computer Forensics

CERT.at / GovCERT.gv.at

Papers Mass Malware Analysis: A DIY Kit An Analysis of the Skype IMBot Logic and

Functionality

The WOW-Effect

Articles

HITB Online Mag

The Art of DLL Injection

Automated Malware Analysis - An Introduction to Minibis

HAKIN9 Online Mag Minibis

Software

Minibis

Bytehist (REMnux)

Densityscout (REMnux)

ProcDOT (REMnux)

FIRST Symposium 2010

CertVerbund-DE 2010

Deepsec 2010

Teliasonera 2011

Joint FIRST/TF-CSIRT Technical Seminar 2012

CanSecWest 2012

CertVerbund-DE 2012

0ct0b3rf3st 2012

SANS Forensic Summit Prague 2012

Deepsec 2012

Publications Speaker

I had a dream ...

Malware infections are complex

Humans are visually oriented

Pictures tell a 1000 words

Humans are top in understanding complex pictures

Goal: Put all aspects of a malware infection in one big picture using the most common of freely available tools

Goal: Distinguish between good/evil with a glance

Goal: Gut feeling for an entire situation within minutes

Goal: Freely available to everyone 02.04.2013 3

Proof of concept

02.04.2013 4

GOOD EVIL

Proof of concept

02.04.2013 5

GOOD

EVIL

ProcDOT – The name

Proc ...

Process Monitor (Procmon) from Sysinternals

DOT ...

DOT module of the Graphviz Suite

02.04.2013 6

Behavioral analysis

Monitoring activities

02.04.2013 7

Activity Procmon PCAP (Windump, Tcpdump, Wireshark)

Filesystem

Network

Windows Messages

Registry

Process-Management

Thread-Management

Data-Correlation

02.04.2013 8

PROCMON Data

PCAP Data

PROCESSES

Noise (-reduction)

Relevance: Smart-Following-Algorithms Paths Compression Registry Files Networktraffic

Filters Files Registrykeys Servers (Longnames/Shortnames)

Contents Nodes Edges

02.04.2013 9

02.04.2013 10

Questions

Feedback

Flowers

Presents

Kisses

Hugs

Hand-shakes Slaps

Smalltalks

Longtalks

Short-drinks

Longdrinks

Reactions?

02.04.2013 11

02.04.2013 12

02.04.2013 13

top related

hta-t07r malware hunting with the sysinternals...
Documents
malware and anti-malware seminar by benny czarny
Technology
advanced malware analysis training session6 malware sandbox...
Technology
malware analysis without looking at assembly...
Documents
using optimization algorithms for malware...
Documents
open source malware lab - 0x7e0.bsidesljubljana.si · 3 all...
Documents
03. epf 4707 - power [02.04.2013]
Documents
malware - northern kentucky university · malware...
Documents
an introduction to keyloggers, rats and malware€¦ ·...
Documents
ch 12: covert malware launching - samsclass.info ·...
Documents
introduction to mobile malware. outline ➢ introduction ➢...
Documents
intrusion detection and malware analysis - malware...
Documents
the power of cyber protection filecybrave certified malware...
Documents
cert.at technical report · cert.at technical report page...
Documents
malware - courses.cs.washington.edu · 2015. 5. 15. ·...
Documents
malwares malware reviewed ise de malware reviewed ·...
Documents
malware campaign targeting latam and spanish banks ·...
Documents
malware analysis and antivirus technologies: kernel malware...
Documents
part 4: malware functionality chapter 11: malware behavior...
Documents
intrusion detection and malware analysis - malware...
Documents