Upload File

gummer brucon0x07

11
Gummer Advanced Malware Hunting

Upload: xgusix

Post on 07-Jan-2017

266 views

Category:

Technology


0 download

Report

TRANSCRIPT

Page 1: Gummer BruCON0x07

Gummer Advanced Malware Hunting

Page 2: Gummer BruCON0x07

Le me

ERNESTO CORRAL Incident Response and Forensic Analyst

@xgusix xgusix.com securityinside.info

Page 3: Gummer BruCON0x07

Introduction – Hunting Malware  

•  Hunt previously unknown malicious artifacts. – Anomalies

Hunting Malware != Detecting Malware

Deviation or departure from the normal or common behavior of a system or network.

Page 4: Gummer BruCON0x07

Gummer – What is Gummer?  

“Host for plug-ins”

FRAMEWORK for hunting Advanced Malware based on anomalies. Modular DB Query Engine. Python

Page 5: Gummer BruCON0x07

Gummer – Goal  

Gummer’s aim is not to hunt “normal” malware. Using the anomalies approach will give you hints on where to go during the investigation, not evidence. Using it for day-to-day detection: only if you are looking for APTs or state-sponsored malware (a lot of time may be wasted reviewing Gummer’s output).

Page 6: Gummer BruCON0x07

Gummer – Structure  

gummer.py

analyzers DB

connectors outputs collectors

Modules

Page 7: Gummer BruCON0x07

Gummer – Modules  

logs

db

analyzer

output

Page 8: Gummer BruCON0x07

Gummer – Modules - Collector  

Page 9: Gummer BruCON0x07

Status: Working

Analyzers •  Eric Cole’s APT book DB Connectors •  MySQL •  SQLite •  Mongo

Outputs •  Terminal

Collectors •  Squid •  pDNS

Page 10: Gummer BruCON0x07

To Do

•  Software engineering •  Add more modules – DB Connectors – Outputs –  Collectors

•  Create community a la Yara Exchange •  Spread the word

Page 11: Gummer BruCON0x07

Questions? Ernesto Corral E-mail: [email protected] Twitter: @xgusix Project: github.com/xgusix/gummer


Guelph Business College, M Guelph Herald, H Gummer Prop

Gummer, Tobias; Blumenberg, Manuela S.; Vilgis, Constanze ... · Computing weights for the German Longitudinal Election Study (GLES) 2009-2013 Gummer, Tobias; Blumenberg, Manuela

Parents Behaving Badly by Scott Gummer

Inquiry Cycle: Data Literacy for Teachers From Mandinach ... · From Mandinach & Gummer, 2016 . HANDOUT 1: INQUIRY CYCLE: DATA LITERACY FOR TEACHERS 2. HANDOUT 1: INQUIRY CYCLE: DATA

Gummer StringTrio - tobias-broeker.de€¦ · Suite for string trio (1941/42) I - Prelude Phyllis Gummer (1919-2005) 7 13 Violin Viola Violoncello

General Election 2017 The Election Results Guide...• Several Ministers: Ben Gummer (Tory manifesto author), Gavin Barwell, Rob Wilson, Nicola Blackwood, David Mowat, Jane Ellison,

7f11a30961219bd1a71e …7f11a30961219bd1a71e... · ^fSecretary, Treasury Mr John Gummer MP Paymaster General SECRETARIAT Sir Robert Armstrong ... est to proceed with all the KSl^^^ates

Grimbeg Gummer Cultural Points of Intersection

Volume 2,Number 9 Cold Weather Issue Nov/Decepicureancalgary.com/yahoo_site_admin/assets/docs/Vol2_Iss9... · Nazarec, Dave Neilly and Corey Clayton. ... Gummer. We got to taste the

IFSCC Congress - scconline.org · Gordon Guay, Ph.D. Chris Gummer, D.Phil. Steve Herman Jane Hollenberg Eric Johnson, Ph.D. Rupali Kulkarni ... Pola Chemical Industries, Inc. 8:40

RECALIBRATION OF THE GRLWEAP LRFD …...RECALIBRATION OF THE GRLWEAP LRFD RESISTANCE FACTOR FOR OREGON DOT Final Report SPR 683 by Trevor Smith, Ph.D., P.E., Andrew Banas, Max Gummer,

The Women's Issue · 2019-12-28 · Natalie Sicher ‘21 Andrew Haimovici ‘21 Jose Espinel ‘20 Elizabeth Gummer ‘21 Claire Park ‘20 Malcolm Reid ‘21 Mimi Tarrant ‘21 Daniel

IN THE LAB - Cloudinary...Once again, Jen Gummer, MT (ASCP) CLS (NCA) of Boze-man Deaconess Laboratory Services has issued a challenge to fellow laboratorians and phlebotomy employees

gUMMER CHILDRENg WORKS)HOP gpanigh Folk Dance by …flamencodelsolaz.com/Cannedy Summer Childrens Workshop 2012.pdf · - cagtanotg, zapateado, rhythmg un folk dancegl Canriedg Performing

Eggs Benedict · 2020-06-23 · 2 Egg Omelet Sandwich-choose either a ham and American cheese or a Sweet Western Omelet on a steamy-soft 6” steak r Gummer- A breakfast hoagie delicious

Pterodroma axillaris), Cook’s petrels ) and Pycroft’s petrels · • Chatham petrel chick translocation guidelines (Gummer 2011a) (for Chatham petrel translocations) It is one

Defining Data Literacy for Educators Ellen Mandinach, WestEd Edith Gummer, Education Northwest and NSF A Collaborative Project of WestEd and Education

Progress Report to Parliament · 2020. 10. 6. · 6 2020 Progress Report to S cottish Parliament | Committee on Climate Change. The Committee . The Rt. Hon John Gummer, Lord Deben,

n ra e M / o n ra e M / a t s o n e l V a V u a g h c s n ... · Bozen Bolzano Bruneck Brunico Sulden Solda Gummer San Valentino in Campo Schlanders Silandro Glurns Glorenza Innichen

There is health without Mental Health! From The Executive ...mhalc.org/wp-content/uploads/2016/10/Fall-Newsletter-2016.pdf · Gummer Wholesale OSU/COTC Rusty Riders Tee Sponsors Mr

SILVER LININGS - Luther Memorial Home · Karen Levang Ole & Marilyn Aarsvold Kent & Patty Gronlie Marvin & Ardis Callahan Donald Cannon Delbert & Marlys Hlavinka Kazia Gummer John

Ben Gummer Member of Parliament for Ipswich Annual Reportbengummer.com/wp-content/uploads/2014/09/Ben-Gummer-MP... · But the work in Westminster is as varied and heavy as before

Best practice techniques for the translocation of grey ... · petrel and shearwater translocations (Gummer et al. 2014b). It is one of a series of documents outlining best practice

BEN GUMMER MP - ORR

DR. CHRIS GUMMER (Orcid ID : 0000-0002-0068-6917) Articleualresearchonline.arts.ac.uk/13297/1/New_et_al-2018-International... · * Fashion Business School London College of Fashion,

> T ltlS DOCUMENT IS THE PROPERTY OF HER B R IT A N N IC M …... · 2014. 12. 29. · Mr John Gummer MP Paymaster General Mr John Cope MP Treasurer of the Household SECRETARIAT Sir

TEMs Links - savanna.org.au March 04.pdfTEMS Links—March 2004 1 CC’s Corner ... and Simon Gummer from the UK, ... Makoto Hasebe, who, together with his project