Upload File

christian wojner, cert - first · wh01am 02.04.2013 2 person christian wojner malware analysis,...

  • Home
  • Documents
  • Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware
13
Christian Wojner, CERT.at 1 02.04.2013

Upload: others

Post on 19-Jul-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

Christian Wojner, CERT.at

1 02.04.2013

Page 2: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

Wh01am

02.04.2013 2

Person

Christian Wojner

Malware Analysis, Reverse Engineering, Computer Forensics

CERT.at / GovCERT.gv.at

Papers Mass Malware Analysis: A DIY Kit An Analysis of the Skype IMBot Logic and

Functionality

The WOW-Effect

Articles

HITB Online Mag

The Art of DLL Injection

Automated Malware Analysis - An Introduction to Minibis

HAKIN9 Online Mag Minibis

Software

Minibis

Bytehist (REMnux)

Densityscout (REMnux)

ProcDOT (REMnux)

FIRST Symposium 2010

CertVerbund-DE 2010

Deepsec 2010

Teliasonera 2011

Joint FIRST/TF-CSIRT Technical Seminar 2012

CanSecWest 2012

CertVerbund-DE 2012

0ct0b3rf3st 2012

SANS Forensic Summit Prague 2012

Deepsec 2012

Publications Speaker

Page 3: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

I had a dream ...

Malware infections are complex

Humans are visually oriented

Pictures tell a 1000 words

Humans are top in understanding complex pictures

Goal: Put all aspects of a malware infection in one big picture using the most common of freely available tools

Goal: Distinguish between good/evil with a glance

Goal: Gut feeling for an entire situation within minutes

Goal: Freely available to everyone 02.04.2013 3

Page 4: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

Proof of concept

02.04.2013 4

GOOD EVIL

Page 5: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

Proof of concept

02.04.2013 5

GOOD

EVIL

Page 6: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

ProcDOT – The name

Proc ...

Process Monitor (Procmon) from Sysinternals

DOT ...

DOT module of the Graphviz Suite

02.04.2013 6

Page 7: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

Behavioral analysis

Monitoring activities

02.04.2013 7

Activity Procmon PCAP (Windump, Tcpdump, Wireshark)

Filesystem

Network

Windows Messages

Registry

Process-Management

Thread-Management

Page 8: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

Data-Correlation

02.04.2013 8

PROCMON Data

PCAP Data

PROCESSES

Page 9: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

Noise (-reduction)

Relevance: Smart-Following-Algorithms Paths Compression Registry Files Networktraffic

Filters Files Registrykeys Servers (Longnames/Shortnames)

Contents Nodes Edges

02.04.2013 9

Page 10: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

02.04.2013 10

Page 11: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

Questions

Feedback

Flowers

Presents

Kisses

Hugs

Hand-shakes Slaps

Smalltalks

Longtalks

Short-drinks

Longdrinks

Reactions?

02.04.2013 11

Page 12: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

02.04.2013 12

Page 13: Christian Wojner, CERT - FIRST · Wh01am 02.04.2013 2 Person Christian Wojner Malware Analysis, Reverse Engineering, Computer Forensics CERT.at / GovCERT.gv.at Papers Mass Malware

02.04.2013 13


Metamorphic Malware 1 Metamorphic Malware Research

Computer Virology and Mobile Malware Detection · 2019-03-14 · Outline •Introduction •Computer Virology • Malware taxonomy • Encrypted malware •Malware Detection •Mobile

Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware … · 2011-08-16 · Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware

Download Slides - CERT.at

Android Malware Exposed-Evolution of Android Malware

Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network

Tor Infrastruktur Betrieb Erfahrungsbericht · Erfahrungsaustausch im praktischen Betrieb und Umgang ... CERT.at Emails (37%) Kontakte mit Behörden (23.08.2018-30.04.2019) ... Gab

Intrusion Detection and Malware Analysis - Malware analysis · Intrusion Detection and Malware Analysis Malware analysis Pavel Laskov Wilhelm Schickard Institute for Computer Science

Malware Fails Best Bugs in Malware Felix Leder [Malware ... · 1 Malware Fails Best Bugs in Malware Felix Leder [Malware Detection Team] [email protected] 5. desember 2011 malware

Android Malware Development on Public Malware Scanning ...sxz16/papers/bigdata2016.pdf · Android Malware Development on Public Malware Scanning Platforms: A Large-scale Data-driven

Reversing malware analysis trainingpart9 advanced malware analysis

02.04.2013. farmis presentation

THE EVOLUTION OF MALWARE & FUTURE MALWARE MITIGATION

Malware Slums: Measurement and Analysis of Malware on ...homepage.cs.uiowa.edu/~mshafiq/files/malware... · Malware Slums: Measurement and Analysis of Malware on Traffic Exchanges

Malware Analysis Analysis.pdf · Definisi Malware Analysis • What is a malware? • Malware (malicious software) ... Malware Sinkronisasi Token • Pelaku: Zeus Banking Trojan •

Introduction to Mobile Malware. Outline ➢ Introduction ➢ Types of Malware ➢ Malware examples ➢ How Malware Spreads ➢ Prevention ➢ AndroRAT Hands-on Lab

Mobile Malware Network View - Black Hat · Mobile Malware Network View ... ... Windows Malware impacts mobile

CERT.at Technical Report - Warnungencert.at/static/downloads/papers/cert.at-an_analysis_of_the_skype... · CERT.at Technical Report Page 3/24 Introduction# Malware spreading over

Rs 02.04.2013

03. EPF 4707 - POWER [02.04.2013]

Malware Analysis Without Looking At Assembly Codegauss.ececs.uc.edu/Courses/c5155/pdf/malware-analysis.pdf · 2015. 11. 20. · Malware Analysis Malware typically employs encryption:

Advanced malware analysis training session6 malware sandbox analysis

Download - CERT.at

Improving accuracy of malware detection by …...FFRI, Inc. Background – malware and its detection 4 Increasing malware Targeted Attack (Unknown malware) Malware generators Obfuscators

Malware Detection with Malware Images using …cosc.canterbury.ac.nz/research/reports/HonsReps/2018/...Malware Detection with Malware Images using Deep Learning Techniques by Ke HE

Malware & Anti-Malware

Malware Analysis Workshop June 5, 2012 - CCDCOE · Malware Analysis Workshop June 5, 2012 ... •Malware Analysis methods ... •Some malware doesnt run in Norman Sandbox

The power of cyber protection fileCyBrave Certified Malware Analysis Investigator (CCMAI|CCMAIE) Malware Analysis Investigator Entry Level Malware Analysis Investigator Malware Analysis

HTA-T07R Malware Hunting with the Sysinternals Toolsindex-of.co.uk/Malware/hta-t07r-license-to-kill-malware-hunting-with... · malware Professional antimalware analysis requires years

Intrusion Detection and Malware Analysis - Malware collection134.2.173.140/lehre/ws10/ids-malware/12-malware-collection.pdf · Intrusion Detection and Malware Analysis Malware collection

Malware - Northern Kentucky University · Malware detection. 2. Theory of malware. 3. ... target backdoors and worm flaws. ... Malware factories . are software and processes to

Using optimization algorithms for malware deobfuscationsigurnost.zemris.fer.hr/ns/malware/2010_spasojevic/Diplomski_Spasojevic.pdf · Using optimization algorithms for malware deobfuscation

Malware and Anti-Malware Seminar by Benny Czarny

Threat Bulletin Fileless Malware The Stealth Attacker · Threat Bulletin See. Control. Secure. Fileless Malware - The Stealth Attacker Fileless malware (FM), aka “non-malware”,

Intrusion Detection and Malware Analysis - Malware collection