intro to malware analysis
DESCRIPTION
As given @ SecureAsia Manila 2013
TRANSCRIPT
Intro to Malware Analysis
Wim Remes – Managing Consultant @ IOActive
1977 - 2013
Barnaby Jack
About me
Wim Remes
Managing Consultant @ IOActive
Director @ (ISC)2
Organizer @ BruCON (September 26-27 !!)
I don’t teach, I share knowledge
(I hope to learn more from you than you learn from me)
Malware Analysis
What?
Why?
Toolchain?
Tying it all together?
Tips & Tricks!
What?
“Taking malware apart to study it.”
(it’s that simple? Yes it is.)
Unless you work for an AV vendor, in which case you are supporting a product, and even they automate A LOT.
12,000,000 samples in Q4 2012(1)
35,000+ mobile samples in Q4 2012(1)
(ain’t nobody got time for that!)
(1) http://www.mcafee.com/us/security-awareness/articles/state-of-malware-2013.aspx
DO:
Understand your adversary
Gather intelligence
Share information
Protect BETTER!
AUTOMATE-AUTOMATE-AUTOMATE
DO NOT:
Waste time on random samples
Practice your reverse engineering fu
(most of the time)
Why?
Why?
“Attacker Profiling”
Indicators of compromise! (IOCs)
Command and Control Servers?
Malware sources?
Traffic Patterns?
Registry Keys?
Behavioral Characteristics?
Know your enemy!
Toolchain
https://www.virustotal.com/en/#search
Do NOT just upload unknown samples!
Toolchain
http://www.cuckoosandbox.org
Automated Analysis
Toolchain
Reporting
[Diagram: Cuckoo framework driving Oracle VirtualBox with several WinXP guests]
Report contents: Installation, System Changes, Network Traffic, …
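Automated analysis only pays off if the reports it produces are turned into indicators without someone reading each one. The script below is an added example, not code from the slides or from the Cuckoo project: it takes a dict shaped like a Cuckoo 1.x report.json (that layout, and the field names target/file, network/hosts, network/dns, network/http and behavior/summary, are assumptions to check against the reports your own Cuckoo version writes) and pulls out hashes, contacted hosts, domains, URLs, dropped files, registry keys and mutexes. It drops traffic on the lab network and baseline Windows lookups so sandbox noise does not become an IOC. The embedded report is constructed; none of its values is a real indicator.

```python
import ipaddress

# Constructed report in the shape of a Cuckoo 1.x report.json (an assumed layout:
# check it against the reports your own Cuckoo version writes). Hashes, hosts,
# paths and keys are invented for the example and are not real indicators.
SAMPLE_REPORT = {
    "target": {"file": {"name": "invoice.exe", "md5": "0" * 32, "sha256": "1" * 64}},
    "network": {
        "hosts": ["192.168.56.101", "192.168.56.1", "198.51.100.23"],
        "dns": [
            {"request": "Update.Example-C2.test", "type": "A",
             "answers": [{"type": "A", "data": "198.51.100.23"}]},
            {"request": "time.windows.com", "type": "A", "answers": []},
        ],
        "http": [{"host": "update.example-c2.test", "uri": "/gate.php", "method": "POST"}],
    },
    "behavior": {"summary": {
        "files": [r"C:\Documents and Settings\user\Application Data\svchost.exe"],
        "keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost"],
        "mutexes": ["2GVWNQJz1"],
    }},
}

# Traffic inside the lab (VirtualBox host-only network, loopback, link-local,
# multicast) is analysis-environment noise, not an indicator. Documentation
# ranges such as 198.51.100.0/24 are deliberately not excluded, because the
# constructed sample uses them as stand-ins for public addresses.
LAB_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

# Background lookups every Windows guest makes (assumed baseline); extend it
# from a clean run of the same VM image.
NOISE_DOMAIN_SUFFIXES = ("windows.com", "microsoft.com", "msftncsi.com")


def is_lab_address(host):
    """True for addresses that belong to the analysis environment (or are not IPs)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # not an IP at all; keep it out of the IP list
    return any(addr in net for net in LAB_NETWORKS)


def is_noise_domain(name):
    """True for names matching the baseline suffix list (exact or subdomain)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in NOISE_DOMAIN_SUFFIXES)


def extract_iocs(report):
    """Collect de-duplicated, sorted indicators from a Cuckoo-style report dict."""
    target = report.get("target", {}).get("file", {})
    net = report.get("network", {})
    summary = report.get("behavior", {}).get("summary", {})

    # Cuckoo 1.x lists hosts as strings; later versions use dicts with an "ip" key.
    hosts = [h["ip"] if isinstance(h, dict) else h for h in net.get("hosts", [])]
    ips = {h for h in hosts if not is_lab_address(h)}

    domains, urls = set(), set()
    for q in net.get("dns", []):
        name = q.get("request", "").lower().rstrip(".")
        if name and not is_noise_domain(name):
            domains.add(name)
            for ans in q.get("answers", []):
                if ans.get("type") == "A" and not is_lab_address(ans.get("data", "")):
                    ips.add(ans["data"])
    for req in net.get("http", []):
        host = req.get("host", "").lower()
        if host and not is_noise_domain(host):
            domains.add(host)
            urls.add("http://%s%s" % (host, req.get("uri", "/")))

    return {
        "md5": sorted({target["md5"]} if target.get("md5") else set()),
        "sha256": sorted({target["sha256"]} if target.get("sha256") else set()),
        "ips": sorted(ips),
        "domains": sorted(domains),
        "urls": sorted(urls),
        "files": sorted(set(summary.get("files", []))),
        "registry_keys": sorted(set(summary.get("keys", []))),
        "mutexes": sorted(set(summary.get("mutexes", []))),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

To run it on a real report, replace SAMPLE_REPORT with json.load(open(path)). The noise lists are the part that needs tuning per VM image; without them, the guest's own update traffic and the host-only network address end up in the IOC list and from there in firewall rules.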
Toolchain
Manual Analysis? (sure…)
OllyDbg
Immunity Debugger
IDA Pro
WinDbg
Wireshark
Windows SysInternals
…
Beware of evasion tricks !!
Toolchain
Indicators of compromise (IOCs)
Toolchain
http://www.malware.lu/
http://www.abuse.ch/ (Zeus tracker / SpyEye tracker)
http://www.openioc.org/
Tying it all together
[Diagram: Manual analysis, Automated analysis, External sources → IOCs → Firewall configuration, IDS/IPS configuration, SIEM configuration, Industry/Peer sharing]
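Once IOCs exist they still have to reach the firewall, the IDS/IPS and the SIEM. As an added example (not from the slides or from the OpenIOC project), the script below parses a constructed OpenIOC 1.0 document of the kind published at openioc.org and emits Suricata rules for the network items, iptables egress drops for the remote IPs, and a CSV lookup table of every item for the SIEM. The IOC ids, hash, domain, IP and registry path are invented; the Suricata dns_query rule form and the iptables egress rule are this example's assumptions about the deployment, not something the slides specify.

```python
import csv
import io
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document. Every value (ids, hash, domain, IP, registry
# path) is invented for the example and is not a real indicator.
OPENIOC_XML = r"""<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-4000-8000-000000000001"
     last-modified="2013-09-01T00:00:00">
  <short_description>Example dropper (constructed)</short_description>
  <definition>
    <Indicator operator="OR" id="00000000-0000-4000-8000-000000000002">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <IndicatorItem id="i2" condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">update.example-c2.test</Content>
      </IndicatorItem>
      <IndicatorItem id="i3" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">198.51.100.23</Content>
      </IndicatorItem>
      <IndicatorItem id="i4" condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
        <Content type="string">Software\Microsoft\Windows\CurrentVersion\Run\svchost</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def parse_openioc(xml_text):
    """Return (ioc_id, items); each item is a dict with id, search, condition, value."""
    root = ET.fromstring(xml_text)
    items = []
    # iter() walks nested Indicator groups too, so AND/OR nesting is flattened here.
    for item in root.iter("{%s}IndicatorItem" % NS["ioc"]):
        ctx = item.find("ioc:Context", NS)
        content = item.find("ioc:Content", NS)
        items.append({
            "id": item.get("id"),
            "search": ctx.get("search"),
            "condition": item.get("condition"),
            "value": (content.text or "").strip(),
        })
    return root.get("id"), items


def suricata_rules(ioc_id, items, sid_base=9000000):
    """One alert rule per network item (DNS query names and remote C2 IPs)."""
    rules, sid = [], sid_base
    for it in items:
        if it["search"] == "Network/DNS":
            rules.append('alert dns any any -> any any (msg:"IOC %s DNS query %s"; '
                         'dns_query; content:"%s"; nocase; sid:%d; rev:1;)'
                         % (ioc_id, it["value"], it["value"], sid))
            sid += 1
        elif it["search"] == "PortItem/remoteIP":
            rules.append('alert ip $HOME_NET any -> %s any (msg:"IOC %s traffic to %s"; '
                         'sid:%d; rev:1;)' % (it["value"], ioc_id, it["value"], sid))
            sid += 1
    return rules


def firewall_blocklist(items):
    """Egress drop rules for remote IPs (assumes a Linux iptables gateway)."""
    return ["iptables -A OUTPUT -d %s -j DROP" % it["value"]
            for it in items if it["search"] == "PortItem/remoteIP"]


def siem_lookup_csv(ioc_id, items):
    """All items, host-side ones included, as a lookup table for SIEM correlation."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["ioc_id", "item_id", "search", "condition", "value"])
    for it in items:
        w.writerow([ioc_id, it["id"], it["search"], it["condition"], it["value"]])
    return buf.getvalue()


if __name__ == "__main__":
    ioc_id, items = parse_openioc(OPENIOC_XML)
    print("\n".join(suricata_rules(ioc_id, items)))
    print("\n".join(firewall_blocklist(items)))
    print(siem_lookup_csv(ioc_id, items))
```

The generated rules treat every IndicatorItem on its own, which is right for an Indicator with operator="OR" as in the example. For an operator="AND" group, do not block or alert on a single item; push the items to the SIEM lookup and correlate there, otherwise one shared value such as a common registry path fires on every host.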
Tips & Tricks
Incubation (not for the faint of heart)
a) You want to gather more intelligence
b) You want to profile attackers
Attackers introducing new techniques?
Introducing ‘next level’ attackers?
Reselling of compromised machines?
You can learn A LOT!
Tips & Tricks
Anti Reverse Engineering
Exploiting weaknesses in RE Tools
Anti Disassembly
Anti Debugging
Anti VM Techniques
Packers
“it takes one to know one.”
Ref. “Practical Malware Analysis” by Michael Sikorski and Andrew Honig
By Example – ‘Magneto’
A piece of malware that exploits a buffer overflow condition in Firefox 17.
Believed to be used against users of ‘malicious’ TOR .onion sites.
https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
By Example – ‘Magneto’
Attacks the browser: iframe attack + buffer overflow
Sends hostname + MAC address to remote server
Analysis tools fail because ‘sessionStorage’ and ‘ArrayBuffer’ are not recognized.
By Example – ‘Magneto’
Attack Browser
Execute Shellcode
Gather Information
Exfiltrate Information
Learn attacker techniques
Correlate attacker behaviour
Identify coders / code sharing?
Identify targeted assets
Attribution?
Correlation
…
Summary
Goal = Protecting Better
NOT “Trying to beat them”
There are automation tools, use them.
Know your tools and their limitations.
Know the attacker’s toolset too
Share knowledge/intelligence