SlideShare una empresa de Scribd logo

Malware Analysis as a Hobby - 44CON 2012

Descargar como PPTX, PDF
44CON
44CON

Michael Boman and Siavosh Zarrasvand present Malware Analysis as a Hobby at 44CON 2012 in London, September 2012.

Tecnología
1 de 31
Malware Analysis as a Hobby Michael Boman - Security Consultant/Researcher, Father of 5 Siavosh Zarrasvand – Security Consultant/Researcher, Searching
Why the strange hobby?
The manual way
Drawbacks Time consuming Boring in the long run (not all malware are created equal)
Choose any two…. Cheap Good Fast
 I can do it cheaply (hardware and license cost-wise). Human time not Choose any two? Why included. not all of them?  I can do it quickly (I spend up to 3 Cheap hours a day doing this, at average even less).  I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings. Good Fast
Automate everything! Automate Engineer yourself out of the workflow
Birth of the MART Project Malware Analyst Research Toolkit
Components
Sample Acquisition • Public & Private Collections • Exchange with other malware analysts • Finding and collecting malware yourself • Download files from the web • Grab attachments from email • Feed BrowserSpider with links from your SPAM-folder
BrowserSpider  Written in Python  Using the Selenium framework to control REAL browsers  Flash, PDFs, Java applets etc. executes as per normal  All the browser bugs exists for real  Spiders and follows all links seen
Sample Analysis • Cuckoo Sandbox • VirusTotal
A days work for a Cuckoo Fetch a task Process and Prepare the create reports analysis Lunch analyzer in Store the result virtual machine Complete the Execute an analysis analysis package
DEMO: Submit sample for analysis
Sample Reporting • Results are stored in MongoDB (optional, highly recommended) • Accessed using a analyst GUI
Data Mining
Where Virtual Machine analysis fails And what to do about it
Problems  Cuckoo is easly bypassed  User-detection  Sleeping malware
Problems  VM or Sandbox detection  The guest OS might not be sufficient enough  Any multistage attack
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples Known Known Bad Good Unknown
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples • Does not do anything • Detects environment • Encrypted segments • Failed execution
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples • Run longer • Envirnoment customization
Budget  Computer: €520  MSDN License: €800 (€590 renewal)  Year 1: €1320  Year N: €590  Money saved from stopped smoking (yearly): €2040
Next steps • Barebone on-the-iron malware analysis • Android platform support • OSX platform support • iOS patform support
Questions? Michael Boman Siavosh Zarrasvand michael@michaelboman.org siavosh.zarrasvand@gmail.com http://michaelboman.org @mboman @zarrasvand

Recomendados

Malware analysis as a hobby (Owasp Göteborg)
Malware analysis as a hobby (Owasp Göteborg)Malware analysis as a hobby (Owasp Göteborg)
Malware analysis as a hobby (Owasp Göteborg)Michael Boman
 
Maintaining a Malware Collection
Maintaining a Malware CollectionMaintaining a Malware Collection
Maintaining a Malware Collectionfrisksoftware
 
The Difference between Track and Testing Performance
The Difference between Track and Testing PerformanceThe Difference between Track and Testing Performance
The Difference between Track and Testing Performancefrisksoftware
 
Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...
Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...
Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...Andriy Krayniy
 
Malware analysis as a hobby - the short story (lightning talk)
Malware analysis as a hobby - the short story (lightning talk)Malware analysis as a hobby - the short story (lightning talk)
Malware analysis as a hobby - the short story (lightning talk)Michael Boman
 
Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...
Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...
Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...Microsoft Developer Network (MSDN) - Belgium and Luxembourg
 
Effective debugging
Effective debuggingEffective debugging
Effective debuggingAndy Dawson
 
Testing Heuristic Detections
Testing Heuristic DetectionsTesting Heuristic Detections
Testing Heuristic Detectionsfrisksoftware
 

Recomendados

Malware analysis as a hobby (Owasp Göteborg)
Malware analysis as a hobby (Owasp Göteborg)Malware analysis as a hobby (Owasp Göteborg)
Malware analysis as a hobby (Owasp Göteborg)Michael Boman
 
Maintaining a Malware Collection
Maintaining a Malware CollectionMaintaining a Malware Collection
Maintaining a Malware Collectionfrisksoftware
 
The Difference between Track and Testing Performance
The Difference between Track and Testing PerformanceThe Difference between Track and Testing Performance
The Difference between Track and Testing Performancefrisksoftware
 
Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...
Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...
Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...Andriy Krayniy
 
Malware analysis as a hobby - the short story (lightning talk)
Malware analysis as a hobby - the short story (lightning talk)Malware analysis as a hobby - the short story (lightning talk)
Malware analysis as a hobby - the short story (lightning talk)Michael Boman
 
Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...
Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...
Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...Microsoft Developer Network (MSDN) - Belgium and Luxembourg
 
Effective debugging
Effective debuggingEffective debugging
Effective debuggingAndy Dawson
 
Testing Heuristic Detections
Testing Heuristic DetectionsTesting Heuristic Detections
Testing Heuristic Detectionsfrisksoftware
 
Configurable Video Coding
Configurable Video CodingConfigurable Video Coding
Configurable Video CodingIain Richardson
 
Cryptanalysis of the Engima - 44CON 2012
Cryptanalysis of the Engima - 44CON 2012Cryptanalysis of the Engima - 44CON 2012
Cryptanalysis of the Engima - 44CON 201244CON
 
Book Launch: The H.264 Advanced Video Compression Standard
Book Launch: The H.264 Advanced Video Compression StandardBook Launch: The H.264 Advanced Video Compression Standard
Book Launch: The H.264 Advanced Video Compression StandardIain Richardson
 
Getting the most out of H.264
Getting the most out of H.264Getting the most out of H.264
Getting the most out of H.264Iain Richardson
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
Iain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson
 
Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Ahmed El-Arabawy
 
A short history of video coding
A short history of video codingA short history of video coding
A short history of video codingIain Richardson
 
Course 102: Lecture 18: Process Life Cycle
Course 102: Lecture 18: Process Life CycleCourse 102: Lecture 18: Process Life Cycle
Course 102: Lecture 18: Process Life CycleAhmed El-Arabawy
 
Data Compression Technique
Data Compression TechniqueData Compression Technique
Data Compression Techniquenayakslideshare
 
Introduction to H.264 Advanced Video Compression
Introduction to H.264 Advanced Video CompressionIntroduction to H.264 Advanced Video Compression
Introduction to H.264 Advanced Video CompressionIain Richardson
 
C 102 lec_29_what_s_next
C 102 lec_29_what_s_nextC 102 lec_29_what_s_next
C 102 lec_29_what_s_nextAhmed El-Arabawy
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
image compression ppt
image compression pptimage compression ppt
image compression pptShivangi Saxena
 
Compression
CompressionCompression
CompressionAshish Kumar
 
Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMichael Boman
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Quick Heal Technologies Ltd.
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationMichael Rushanan
 

Más contenido relacionado

Destacado

Configurable Video Coding
Configurable Video CodingConfigurable Video Coding
Configurable Video CodingIain Richardson
 
Cryptanalysis of the Engima - 44CON 2012
Cryptanalysis of the Engima - 44CON 2012Cryptanalysis of the Engima - 44CON 2012
Cryptanalysis of the Engima - 44CON 201244CON
 
Book Launch: The H.264 Advanced Video Compression Standard
Book Launch: The H.264 Advanced Video Compression StandardBook Launch: The H.264 Advanced Video Compression Standard
Book Launch: The H.264 Advanced Video Compression StandardIain Richardson
 
Getting the most out of H.264
Getting the most out of H.264Getting the most out of H.264
Getting the most out of H.264Iain Richardson
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
Iain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson
 
Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Ahmed El-Arabawy
 
A short history of video coding
A short history of video codingA short history of video coding
A short history of video codingIain Richardson
 
Course 102: Lecture 18: Process Life Cycle
Course 102: Lecture 18: Process Life CycleCourse 102: Lecture 18: Process Life Cycle
Course 102: Lecture 18: Process Life CycleAhmed El-Arabawy
 
Data Compression Technique
Data Compression TechniqueData Compression Technique
Data Compression Techniquenayakslideshare
 
Introduction to H.264 Advanced Video Compression
Introduction to H.264 Advanced Video CompressionIntroduction to H.264 Advanced Video Compression
Introduction to H.264 Advanced Video CompressionIain Richardson
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 

Destacado (15)

Configurable Video Coding
Configurable Video CodingConfigurable Video Coding
Configurable Video Coding
 
Cryptanalysis of the Engima - 44CON 2012
Cryptanalysis of the Engima - 44CON 2012Cryptanalysis of the Engima - 44CON 2012
Cryptanalysis of the Engima - 44CON 2012
 
Book Launch: The H.264 Advanced Video Compression Standard
Book Launch: The H.264 Advanced Video Compression StandardBook Launch: The H.264 Advanced Video Compression Standard
Book Launch: The H.264 Advanced Video Compression Standard
 
Getting the most out of H.264
Getting the most out of H.264Getting the most out of H.264
Getting the most out of H.264
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
Iain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video Compression
 
Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files
 
A short history of video coding
A short history of video codingA short history of video coding
A short history of video coding
 
Course 102: Lecture 18: Process Life Cycle
Course 102: Lecture 18: Process Life CycleCourse 102: Lecture 18: Process Life Cycle
Course 102: Lecture 18: Process Life Cycle
 
Data Compression Technique
Data Compression TechniqueData Compression Technique
Data Compression Technique
 
Introduction to H.264 Advanced Video Compression
Introduction to H.264 Advanced Video CompressionIntroduction to H.264 Advanced Video Compression
Introduction to H.264 Advanced Video Compression
 
C 102 lec_29_what_s_next
C 102 lec_29_what_s_nextC 102 lec_29_what_s_next
C 102 lec_29_what_s_next
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
image compression ppt
image compression pptimage compression ppt
image compression ppt
 
Compression
CompressionCompression
Compression
 

Similar a Malware Analysis as a Hobby - 44CON 2012

Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMichael Boman
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationMichael Rushanan
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Juniper Networks
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Agile Testing at eBay
Agile Testing at eBayAgile Testing at eBay
Agile Testing at eBayDominik Dary
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
FUEL_USERS_GROUP
FUEL_USERS_GROUPFUEL_USERS_GROUP
FUEL_USERS_GROUPWill Pearce
 
Static analysis tools as the best friend of QA
Static analysis tools as the best friend of QAStatic analysis tools as the best friend of QA
Static analysis tools as the best friend of QAMikalai Alimenkou
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
 
Justin Ison
Justin IsonJustin Ison
Justin IsonCodeFest
 
KidoZen Mastering Unit Testing in Xamarin
KidoZen Mastering Unit Testing in Xamarin KidoZen Mastering Unit Testing in Xamarin
KidoZen Mastering Unit Testing in Xamarin kidozen
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkYashin Mehaboobe
 

Similar a Malware Analysis as a Hobby - 44CON 2012 (20)

Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring Budget
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of Procrastination
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
Debugging
DebuggingDebugging
Debugging
 
Continuous integration at CartoDB March '16
Continuous integration at CartoDB March '16Continuous integration at CartoDB March '16
Continuous integration at CartoDB March '16
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Agile Testing at eBay
Agile Testing at eBayAgile Testing at eBay
Agile Testing at eBay
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
FUEL_USERS_GROUP
FUEL_USERS_GROUPFUEL_USERS_GROUP
FUEL_USERS_GROUP
 
Static analysis tools as the best friend of QA
Static analysis tools as the best friend of QAStatic analysis tools as the best friend of QA
Static analysis tools as the best friend of QA
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning Perspective
 
Justin Ison
Justin IsonJustin Ison
Justin Ison
 
KidoZen Mastering Unit Testing in Xamarin
KidoZen Mastering Unit Testing in Xamarin KidoZen Mastering Unit Testing in Xamarin
KidoZen Mastering Unit Testing in Xamarin
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis framework
 

Más de 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 

Más de 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 

Último

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Malware Analysis as a Hobby - 44CON 2012

  • 1. Malware Analysis as a Hobby Michael Boman - Security Consultant/Researcher, Father of 5 Siavosh Zarrasvand – Security Consultant/Researcher, Searching
  • 4. Drawbacks Time consuming Boring in the long run (not all malware are created equal)
  • 5. Choose any two…. Cheap Good Fast
  • 6. I can do it cheaply (hardware and license cost-wise). Human time not Choose any two? Why included. not all of them?  I can do it quickly (I spend up to 3 Cheap hours a day doing this, at average even less).  I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings. Good Fast
  • 7. Automate everything! Automate Engineer yourself out of the workflow
  • 8. Birth of the MART Project Malware Analyst Research Toolkit
  • 10.
  • 11. Sample Acquisition • Public & Private Collections • Exchange with other malware analysts • Finding and collecting malware yourself • Download files from the web • Grab attachments from email • Feed BrowserSpider with links from your SPAM-folder
  • 12. BrowserSpider  Written in Python  Using the Selenium framework to control REAL browsers  Flash, PDFs, Java applets etc. executes as per normal  All the browser bugs exists for real  Spiders and follows all links seen
  • 13. Sample Analysis • Cuckoo Sandbox • VirusTotal
  • 14. A days work for a Cuckoo Fetch a task Process and Prepare the create reports analysis Lunch analyzer in Store the result virtual machine Complete the Execute an analysis analysis package
  • 15. DEMO: Submit sample for analysis
  • 16.
  • 17. Sample Reporting • Results are stored in MongoDB (optional, highly recommended) • Accessed using a analyst GUI
  • 18.
  • 19.
  • 20.
  • 22. Where Virtual Machine analysis fails And what to do about it
  • 23. Problems  Cuckoo is easly bypassed  User-detection  Sleeping malware
  • 24. Problems  VM or Sandbox detection  The guest OS might not be sufficient enough  Any multistage attack
  • 25. Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples Known Known Bad Good Unknown
  • 26. Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples • Does not do anything • Detects environment • Encrypted segments • Failed execution
  • 27. Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples • Run longer • Envirnoment customization
  • 28.
  • 29. Budget  Computer: €520  MSDN License: €800 (€590 renewal)  Year 1: €1320  Year N: €590  Money saved from stopped smoking (yearly): €2040
  • 30. Next steps • Barebone on-the-iron malware analysis • Android platform support • OSX platform support • iOS patform support
  • 31. Questions? Michael Boman Siavosh Zarrasvand michael@michaelboman.org siavosh.zarrasvand@gmail.com http://michaelboman.org @mboman @zarrasvand