Intro to Malware Analysis Wim Remes – Managing Consultant @ IOActive

Upload: wremes

Post on 26-May-2015


DESCRIPTION

As given @ SecureAsia Manila 2013

TRANSCRIPT

Page 1: Intro to Malware Analysis

Intro to Malware Analysis

Wim Remes – Managing Consultant @ IOActive

Page 2: Intro to Malware Analysis

1977 - 2013

Barnaby Jack

Page 3: Intro to Malware Analysis

About me

Wim Remes

Managing Consultant @ IOActive

Director @ (ISC)2

Organizer @ BruCON (September 26-27 !!)

I don’t teach, I share knowledge (I hope to learn more from you than you learn from me)

Page 4: Intro to Malware Analysis

Malware Analysis

What?

Why?

Toolchain?

Tying it all together?

Tips & Tricks!

Page 5: Intro to Malware Analysis

What?

“Taking malware apart to study it.” (it’s that simple? Yes it is.)

Unless you work for an AV vendor, in which case you are supporting a product, and even they automate A LOT.

12,000,000 samples in Q4 2012 (1)

35,000+ mobile samples in Q4 2012 (1)

(ain’t nobody got time for that!)

(1) http://www.mcafee.com/us/security-awareness/articles/state-of-malware-2013.aspx

Page 6: Intro to Malware Analysis

Why?

DO: Understand your adversary

Gather intelligence

Share information

Protect BETTER!

AUTOMATE-AUTOMATE-AUTOMATE

DO NOT: Waste time on random samples

Practice your reverse engineering fu (most of the time)

Page 7: Intro to Malware Analysis

Why?

“Attacker Profiling”

Indicators of compromise! (IOCs)

Command and Control Servers?

Malware sources?

Traffic Patterns?

Registry Keys?

Behavioral Characteristics?

Know your enemy!

Page 8: Intro to Malware Analysis

Toolchain

https://www.virustotal.com/en/#search

Do NOT just upload unknown samples!

Page 9: Intro to Malware Analysis

Toolchain

http://www.cuckoosandbox.org

Automated Analysis

Page 10: Intro to Malware Analysis

Toolchain

Reporting

Cuckoo framework

Oracle Virtualbox

WinXP WinXP WinXP WinXP

- Installation
- System Changes
- Network Traffic
- …

Page 11: Intro to Malware Analysis

Toolchain

Manual Analysis? (sure…)

OllyDbg

Immunity Debugger

IDA Pro

WinDbg

Wireshark

Windows SysInternals

Beware of evasion tricks !!

Page 12: Intro to Malware Analysis

Toolchain

Mobile Malware? http://apkscan.nviso.be/

Page 13: Intro to Malware Analysis

Toolchain

Indicators of compromise (IOCs)

Page 14: Intro to Malware Analysis

Toolchain

http://www.malware.lu/

http://www.abuse.ch/ (Zeus tracker / SpyEye tracker)

http://www.openioc.org/

Page 15: Intro to Malware Analysis

Tying it all together

Manual analysis

Automated Analysis

External Sources

IOCs

Firewall Configuration

IDS/IPS Configuration

SIEM Configuration

Industry/Peer Sharing
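The flow on this slide (sandbox and manual findings become IOCs, which then feed the firewall, IDS/IPS and SIEM) as an added example, not code from the talk or from the Cuckoo project: it reads a constructed, trimmed Cuckoo-style JSON report, drops traffic to the VirtualBox host-only lab network, and emits iptables, Suricata and Sysmon-style SIEM entries. The report layout, the lab subnet 192.168.56.0/24, the rule SIDs, the SIEM query syntax and every indicator value are assumptions made for the example.

```python
import ipaddress
import json

# Constructed sample shaped like a trimmed Cuckoo JSON report (assumed layout,
# field names follow Cuckoo's report format; all values are made up).
SAMPLE_REPORT = json.loads(r"""
{"network": {"hosts": ["192.168.56.1", "203.0.113.10", "198.51.100.7"],
             "domains": [{"domain": "update.example.invalid", "ip": "203.0.113.10"}]},
 "behavior": {"summary": {"keys": [
   "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32",
   "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"]}}}
""")

# VirtualBox host-only network the WinXP guests sit on (assumed lab value):
# traffic to it is the sandbox talking to itself, not an indicator.
LAB_NET = ipaddress.ip_network("192.168.56.0/24")

def extract_iocs(report):
    """Pull contacted hosts/domains and Run-key persistence out of a report."""
    net = report.get("network", {})
    ips = sorted({h for h in net.get("hosts", [])
                  if ipaddress.ip_address(h) not in LAB_NET})
    domains = sorted({d["domain"] for d in net.get("domains", [])})
    keys = report.get("behavior", {}).get("summary", {}).get("keys", [])
    run_keys = sorted(k for k in keys if "\\CurrentVersion\\Run\\" in k)
    return {"ips": ips, "domains": domains, "run_keys": run_keys}

def firewall_rules(iocs):
    """Egress block entries for the perimeter firewall (iptables syntax)."""
    return [f"iptables -A FORWARD -d {ip} -j DROP" for ip in iocs["ips"]]

def ids_rules(iocs, first_sid=1000001):
    """One Suricata alert per contacted host and per queried domain (5.x syntax)."""
    rules = []
    for ip in iocs["ips"]:
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"Sandbox-derived C2 host"; '
                     f'sid:{first_sid + len(rules)}; rev:1;)')
    for dom in iocs["domains"]:
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"Sandbox-derived C2 domain"; '
                     f'dns.query; content:"{dom}"; nocase; sid:{first_sid + len(rules)}; rev:1;)')
    return rules

def siem_queries(iocs):
    """Registry persistence searches (Sysmon EventID 13; query syntax is assumed)."""
    return [f'EventID=13 AND TargetObject="{k}"' for k in iocs["run_keys"]]

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    print("\n".join(firewall_rules(iocs) + ids_rules(iocs) + siem_queries(iocs)))
```

Running it prints two firewall drops, three IDS rules and one SIEM query; the Winlogon key is ignored because only Run-key writes are treated as persistence here.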

Page 16: Intro to Malware Analysis

Tips & Tricks

Incubation (not for the faint of heart)

a) You want to gather more intelligence

b) You want to profile attackers

Attackers introducing new techniques?

Introducing ‘next level’ attackers?

Reselling of compromised machines?

You can learn A LOT!

Page 17: Intro to Malware Analysis

Tips & Tricks

Anti Reverse Engineering

Exploiting weaknesses in RE Tools

Anti Disassembly

Anti Debugging

Anti VM Techniques

Packers

“it takes one to know one.”

Ref. “Practical Malware Analysis” by Michael Sikorski and Andrew Honig

Page 18: Intro to Malware Analysis

By Example – ‘Magneto’

Malware that exploits a buffer overflow condition in Firefox 17.

Believed to be used against users of ‘malicious’ TOR .onion sites.

https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/

Page 19: Intro to Malware Analysis

By Example – ‘Magneto’

Attacks the browser: iframe attack + buffer overflow

Sends hostname + MAC address to remote server

Analysis tools fail because ‘sessionStorage’ and ‘ArrayBuffer’ are not recognized.

Page 20: Intro to Malware Analysis

By Example – ‘Magneto’

Attack Browser

Execute Shellcode

Gather Information

Exfiltrate Information

Learn attacker techniques

Correlate attacker behaviour

Identify coders / code sharing?

Identify targeted assets

Attribution? Correlation

Page 21: Intro to Malware Analysis

Summary

Goal = Protecting Better, NOT “Trying to beat them”

There are automation tools, use them.

Know your tools and their limitations.

Know the attacker’s toolset too

Share knowledge/intelligence

Page 22: Intro to Malware Analysis

Q & A

Thank you !

[email protected]

@wimremes on twitter