Malware Collection and Analysis
C.K. Chen @ DSNSLab, NCTU
2014/05/20
  
DSNS
•  Boss
–  Prof. Shiuhpyng Shieh (謝續平教授)
•  IEEE Fellow
•  ACM Distinguished Scientist
•  Distinguished Professor, Department of Computer Science, National Chiao Tung University
•  Director, Information and Communication Security Research and Teaching Center
•  Consultant, Investigation Bureau, Ministry of Justice
•  Lab research directions
–  Malware analysis
–  Virtual machines
–  Digital forensics
–  Network security
  
Outline
•  Rapid Increasing of Malware
•  Secmap
–  Automatic Malware Analysis Cycle
–  High Performance and Fault Tolerance
–  Modulation
•  Malware Collection
–  Disk Forensics
–  Email Attachment
–  Web Crawler
–  Malware Sharing Repository
–  Honey Pot
•  Malware Attributes

Note: some parts of this slide deck have been removed because the research is still in progress.
Rapid Increasing of Malware
•  Malware increasing
Source: McAfee Labs Threat Report, Fourth Quarter 2013
Malware Life Cycle
•  Malware Life Cycle and Response Window
http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html
Malware Analysis Ecosystem

Front-end Device
•  Signature-based Detection
•  Classifier
•  Information Collection & Feedback

Back-end Cloud
•  Machine Learning
•  System Level Virtual Machine
•  Taint
•  Symbolic
•  Complex Analysis

Cycle between the front-end device, the Internet and the back-end cloud:
1.  Gathering Sample
2.  Analysis
3.  Update Signature/Model
4.  Feedback Info
SECMAP
•  Scalable sEcurity Cloud-computing for Malware Analysis Platform (SECMAP)
–  Aims to automate the whole analysis procedure
•  Malware Collection
•  Malware Storage
•  Malware Analysis
•  Large Scale Data Mining
–  Increase throughput with high performance computing
–  Decrease overall process time to shorten the response window
Clustering with Mahout
Analyzers
•  Malware Behavior Analyzer
•  Forensor
•  Malware Function Call Tracer
•  Malware Code Block Retriever
•  Instruction Trace
•  Rootkit Detection
•  ……
•  ClamAV
•  Avira
•  Trend Micro
•  Kaspersky
•  VirusTotal
System Screenshot
Malware Collection
•  Malware samples help us construct detection models and design signatures
•  Therefore, we use the following ways to collect samples
–  HoneyPot
–  Web Crawler
–  Shared Repository
–  Email
–  Disk Forensics
–  User Upload
Disk Forensics
•  When a host is infected, disk forensics is needed to discover malware that is
–  Deleted
–  Hidden
•  Deleting files is one of the important behaviors of malware
–  About half of malware samples delete some files during execution
–  Malware often deletes log files and the binaries it created, or removes itself, to hinder forensics
•  It is useful if we can recover files deleted by malware
Disk Forensic Arch.
Recover Mechanism
•  In the software approach
–  The basic method needs the file system's metadata to recover files
–  File carving is proposed to recover files without the file system's metadata
File System Data Structure

Directory Entry
  Filename      Start cluster
  Recover.jpg   Cluster 50
  Hello.txt     Cluster 53

File Allocation Table
  Cluster number   Next cluster
  50               51
  51               52
  52               EOF
  53               57

Disk Data Area
  Cluster 50   Recover.jpg content
  Cluster 51   Recover.jpg content
  Cluster 52   Recover.jpg content
  Cluster 53   Hello.txt content
  Cluster 54   Unknown
Delete a File

Directory Entry
  Filename      Start cluster
  _ecover.jpg   Cluster 50
  Hello.txt     Cluster 53

File Allocation Table
  Cluster number   Next cluster
  50               0
  51               0
  52               0
  53               57

Storage Data Area
  Cluster 50   Recover.jpg content
  Cluster 51   Recover.jpg content
  Cluster 52   Recover.jpg content
  Cluster 53   Hello.txt content
  Cluster 54   Unknown

Deleting the file only overwrites the first character of the directory entry and clears the FAT chain; the data area is left untouched.
Basic Recover Method

Directory Entry
  Filename      Start cluster
  _ecover.jpg   Cluster 50
  Hello.txt     Cluster 53

File Allocation Table
  Cluster number   Next cluster
  50               0
  51               0
  52               0
  53               57

Disk Data Area
  Cluster 50   Recover.jpg content
  Cluster 51   Recover.jpg content
  Cluster 52   Recover.jpg content
  Cluster 53   Hello.txt content
  Cluster 54   Unknown

Predict that the file was allocated in contiguous clusters starting from the start cluster in the directory entry
File Carving Method

Storage Data Area
  Cluster 50   Recover.jpg content   FF D8 AA BB 01 33 ....
  Cluster 51   Recover.jpg content
  Cluster 52   Recover.jpg content   ... 70 BB 01 2A FF D9
  Cluster 53   Hello.txt content
  Cluster 54   Unknown

JPEG files use "FF D8" as header and "FF D9" as footer
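The delete, basic-recover and file-carving slides above, replayed on a toy FAT-style volume. This is an added example, not code from the slides or from SECMAP; the 16-byte cluster size, the 48-byte "JPEG" and the file size stored in the directory entry are constructed assumptions for the demo.

```python
import math

CLUSTER_SIZE = 16          # constructed toy cluster size (real clusters are 512 B to 32 KiB)
FREE, EOF = 0, "EOF"       # FAT entry values: 0 = free/unallocated, EOF = end of chain
JPEG_HEADER = b"\xff\xd8"  # the "FF D8" SOI marker used as the carving header
JPEG_FOOTER = b"\xff\xd9"  # the "FF D9" EOI marker used as the carving footer


class ToyFatVolume:
    """Toy FAT-style volume with the three structures from the slides:
    directory entries, the file allocation table and the data area."""

    def __init__(self, first_cluster, n_clusters):
        # Directory entry: filename -> (start cluster, file size).  Real FAT
        # entries also carry the size; the slide's table shows only the start.
        self.directory = {}
        clusters = range(first_cluster, first_cluster + n_clusters)
        self.fat = {c: FREE for c in clusters}
        self.data = {c: b"\x00" * CLUSTER_SIZE for c in clusters}

    def write_file(self, name, content, clusters):
        """Store `content` in the given clusters and link them in the FAT."""
        chunks = [content[i:i + CLUSTER_SIZE]
                  for i in range(0, len(content), CLUSTER_SIZE)]
        if len(chunks) != len(clusters):
            raise ValueError("cluster list does not match content size")
        for i, c in enumerate(clusters):
            self.data[c] = chunks[i].ljust(CLUSTER_SIZE, b"\x00")
            self.fat[c] = clusters[i + 1] if i + 1 < len(clusters) else EOF
        self.directory[name] = (clusters[0], len(content))

    def delete_file(self, name):
        """FAT delete as on the 'Delete a File' slide: the first character of
        the entry is replaced, the chain is zeroed in the FAT, and the cluster
        contents are left untouched on disk."""
        start, size = self.directory.pop(name)
        self.directory["_" + name[1:]] = (start, size)
        c = start
        while c != EOF:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt

    def read_by_fat(self, name):
        """Normal read: follow the FAT chain.  After deletion the chain is
        broken, so only the start cluster comes back."""
        start, size = self.directory[name]
        out, c = b"", start
        while c not in (FREE, EOF):
            out += self.data[c]
            c = self.fat[c]
        return out[:size]

    def basic_recover(self, name):
        """Basic recovery (needs file-system metadata): take start cluster and
        size from the dangling directory entry and assume the file was
        allocated in contiguous clusters.  A fragmented file would come back
        with foreign data spliced in, which is the method's known limit."""
        start, size = self.directory[name]
        n = math.ceil(size / CLUSTER_SIZE)
        return b"".join(self.data.get(start + i, b"") for i in range(n))[:size]

    def carve_jpegs(self):
        """File carving (no metadata at all): scan the raw data area for the
        JPEG header and take everything up to the next footer."""
        raw = b"".join(self.data[c] for c in sorted(self.data))
        found, pos = [], 0
        while (start := raw.find(JPEG_HEADER, pos)) != -1:
            end = raw.find(JPEG_FOOTER, start + len(JPEG_HEADER))
            if end == -1:
                break  # header without footer: truncated or overwritten file
            found.append(raw[start:end + len(JPEG_FOOTER)])
            pos = end + len(JPEG_FOOTER)
        return found


def demo():
    """Replay the slides' scenario: Recover.jpg in clusters 50-52, Hello.txt in
    cluster 53, cluster 54 unknown; then delete Recover.jpg and recover it."""
    vol = ToyFatVolume(first_cluster=50, n_clusters=8)
    jpeg = JPEG_HEADER + b"A" * 44 + JPEG_FOOTER   # constructed 48-byte "JPEG"
    vol.write_file("Recover.jpg", jpeg, [50, 51, 52])
    vol.write_file("Hello.txt", b"Hello, world!\n", [53])
    vol.delete_file("Recover.jpg")
    return {
        "original": jpeg,
        "entry_after_delete": vol.directory["_ecover.jpg"],
        "fat_after_delete": [vol.fat[c] for c in (50, 51, 52, 53)],
        "read_by_fat": vol.read_by_fat("_ecover.jpg"),
        "basic_recover": vol.basic_recover("_ecover.jpg"),
        "carved": vol.carve_jpegs(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Following the FAT returns only the first cluster after deletion, while both the contiguous-cluster guess and the header/footer scan give back the complete file.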
Recover Result
Web Crawler
•  To collect malware across the web, we use a crawler to automatically download files from the Internet
–  Nutch + Hadoop
–  Collects about 10000 files per day
•  Rarely malicious
–  Does not run JavaScript
–  No vulnerability
–  Password
Malware Sharing Repository
•  There are many websites that provide free malware sharing
–  Attack Response
•  Malc0de
•  Malware Black List
•  Malware Domain List
–  Malware Sharing
•  VXHeaven
•  Malware Dump
•  VirusSign
•  ……
Malware Profile

File Metadata
  Field             Example                                                   Note
  File Name         "setup.exe"                                               Origin file name
  MD5 (SHA1) Hash   ccffcb94e4058ed22a94881ba2d26f35
  File Size         65024
  File Type         PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  IsMalicious       True                                                      Some of our sources may upload benign files

File Source
  Field                 Example                          Note
  Collection Date       2013-11-21
  Collection Source     Email                            Email/Disk/Crawler/Honeypot
  Collection Location   bletchley@dsns.cs.nctu.edu.tw    Email address, disk id, URL, IP of honeypot

Executable Related Attributes

Behavior
  Network Trace       Log all communication flows
  Instruction Trace   Log all instructions executed
  Function Trace      Log all API function calls
  Modified Files      All modified files
  Shellcode           Shellcode identified in files (documents only)
  Modified Registry   All registry modifications
  SSDT Hook           Whether the SSDT was changed by this sample
  MBR Modified        Whether this sample modified the MBR
  Screenshots

Security Detector Attributes

AntiVirus
  Packer      Packer name              PEiD
  AV Result   All antivirus reports    ClamAV, Kaspersky, Norton….

Other fields needed by each analyzer
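How the File Metadata and File Source sections of the profile above can be filled from the raw bytes, as an added example that is not SECMAP's own code. The PE/COFF header offsets and machine/subsystem constants are taken from the PE specification, the File Type string follows the libmagic-style wording shown on the slide, and the minimal PE image built for testing is constructed (headers only, not a runnable program).

```python
import hashlib
import struct

# PE/COFF constants (from the PE specification; the slide shows only the resulting string)
IMAGE_FILE_MACHINE = {0x014C: ("Intel 80386", 32), 0x8664: ("x86-64", 64),
                      0x01C0: ("ARM", 32), 0xAA64: ("Aarch64", 64)}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console"}


def describe_file_type(data):
    """Return a file(1)-style string for the profile's File Type field, e.g.
    'PE32 executable for MS Windows (GUI) Intel 80386 32-bit'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MS-DOS executable"
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        return "PE executable (truncated COFF header)"
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or len(data) < opt + 70:
        return "PE executable (truncated optional header)"
    (magic,) = struct.unpack_from("<H", data, opt)          # 0x10B = PE32, 0x20B = PE32+
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    arch, bits = IMAGE_FILE_MACHINE.get(machine, (f"unknown machine 0x{machine:04x}", 0))
    return (f"{OPTIONAL_MAGIC.get(magic, 'PE')} executable for MS Windows "
            f"({SUBSYSTEM.get(subsystem, 'unknown subsystem')}) {arch} {bits}-bit")


def build_file_metadata(file_name, data, collection_source, collection_location,
                        collection_date):
    """Fill the File Metadata and File Source fields of the profile.  IsMalicious
    is decided later by the analyzers, so it starts out as None."""
    return {
        "File Name": file_name,
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "File Size": len(data),
        "File Type": describe_file_type(data),
        "IsMalicious": None,
        "Collection Date": collection_date,
        "Collection Source": collection_source,
        "Collection Location": collection_location,
    }


def build_sample_pe(machine=0x014C, magic=0x10B, subsystem=2):
    """Constructed minimal PE image for testing: DOS stub, PE signature, COFF
    header and an optional header with only magic and subsystem set."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 224 if magic == 0x10B else 240
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    optional = (struct.pack("<H", magic) + b"\x00" * 66
                + struct.pack("<H", subsystem)).ljust(opt_size, b"\x00")
    return dos + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    sample = build_sample_pe()
    profile = build_file_metadata("setup.exe", sample, "Email",
                                  "collector@example.invalid", "2013-11-21")
    for field, value in profile.items():
        print(f"{field:20} {value}")
```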
Conclusion
•  Secmap is an infrastructure to automatically collect, analyze and store malware samples
•  Different ways to collect a wide range of samples
–  Honeypot
–  Disk
–  Email
–  Web
Q&A

Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes  examplesPOWER SYSTEMS-1 Complete notes  examples
POWER SYSTEMS-1 Complete notes examples
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
Solving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptSolving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.ppt
 
home automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasadhome automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasad
 
Industrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptIndustrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.ppt
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 

Malware collection and analysis

  • 1. Malware Collection and Analysis. C.K.Chen @ DSNSLab, NCTU, 2014/05/20
  • 2. DSNS
    • Boss
      – Professor 謝續平 (Shiuhpyng Shieh)
        • IEEE Fellow
        • ACM Distinguished Scientist
        • Distinguished Professor, Department of Computer Science, National Chiao Tung University
        • Director, Information and Communication Security Research and Teaching Center
        • Consultant, Ministry of Justice Investigation Bureau
    • Lab research directions
      – Malware analysis
      – Virtual machines
      – Digital forensics
      – Network security
  • 3. Outline
    • Rapid Increase of Malware
    • Secmap
      – Automatic Malware Analysis Cycle
      – High Performance and Fault Tolerance
      – Modulation
    • Malware Collection
      – Disk Forensics
      – Email Attachment
      – Web Crawler
      – Malware Sharing Repository
      – Honey Pot
    • Malware Attributes
    Note: some parts of these slides have been removed because the research is still in progress.
  • 4. Rapid Increase of Malware
    • Malware increasing [chart: McAfee Labs Threat Report, Fourth Quarter 2013]
  • 5. Malware Life Cycle
    • Malware Life Cycle and Response Window [figure]
    Source: http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html
  • 6. Malware Analysis Ecosystem [diagram]
    Back-end Cloud:
      • Machine Learning
      • System Level Virtual Machine
      • Taint
      • Symbolic
      • Complex Analysis
    Front-end Device:
      • Signature-based Detection
      • Classifier
      • Information Collection & Feedback
    Flow between the two, over the Internet: 1. Gathering Sample, 2. Analysis, 3. Update Signature/Model, 4. Feedback Info
  • 7. SECMAP
    • Scalable sEcurity Cloud-computing for Malware Analysis Platform (SECMAP)
      – Aims to automate the whole analysis procedure
        • Malware Collection
        • Malware Storage
        • Malware Analysis
        • Large Scale Data Mining
      – Increases throughput with high performance computing
      – Decreases overall processing time to shorten the response window
  • 9. Analyzers
    • Malware Behavior Analyzer
    • Forensor
    • Malware Function Call Tracer
    • Malware Code Block Retriever
    • Instruction Trace
    • Rootkit Detection
    • ……..
    • ClamAV
    • Avira
    • Trend Micro
    • Kaspersky
    • VirusTotal
  • 11. Malware Collection
    • Malware samples help to construct detection models and to design signatures
    • Therefore, we use the following ways to collect samples
      – HoneyPot
      – Web Crawler
      – Shared Repository
      – Email
      – Disk Forensics
      – User Upload
  • 12. Disk Forensics
    • When a host is infected, disk forensics is needed to discover the malware
      – Deleted
      – Hidden
    • Deleting files is one of the important behaviors of malware
      – About half of malware deletes some files during execution
      – Malware often deletes log files or binaries it created, or removes itself, to hinder forensics
    • It is useful if we can recover files deleted by malware
  • 14. Recover Mechanism
    • In the software approach
      – The basic method needs the file system's metadata to recover files
      – File carving is proposed to recover files without the file system's metadata
  • 15. File System Data Structure
    Directory Entry
      Filename      Start cluster
      Recover.jpg   Cluster 50
      Hello.txt     Cluster 53
    File Allocation Table
      Cluster number   Next cluster
      50               51
      51               52
      52               EOF
      53               57
    Disk Data Area
      Cluster 50   Recover.jpg content
      Cluster 51   Recover.jpg content
      Cluster 52   Recover.jpg content
      Cluster 53   Hello.txt content
      Cluster 54   Unknown
  • 16. Delete a File
    Directory Entry
      Filename      Start cluster
      _ecover.jpg   Cluster 50
      Hello.txt     Cluster 53
    File Allocation Table
      Cluster number   Next cluster
      50               0
      51               0
      52               0
      53               57
    Storage Data Area
      Cluster 50   Recover.jpg content
      Cluster 51   Recover.jpg content
      Cluster 52   Recover.jpg content
      Cluster 53   Hello.txt content
      Cluster 54   Unknown
  • 17. Basic Recover Method
    Directory Entry
      Filename      Start cluster
      _ecover.jpg   Cluster 50
      Hello.txt     Cluster 53
    File Allocation Table
      Cluster number   Next cluster
      50               0
      51               0
      52               0
      53               57
    Disk Data Area
      Cluster 50   Recover.jpg content
      Cluster 51   Recover.jpg content
      Cluster 52   Recover.jpg content
      Cluster 53   Hello.txt content
      Cluster 54   Unknown
    Predict that the file is allocated in contiguous clusters
  • 18. File Carving Method
    Storage Data Area
      Cluster 50   Recover.jpg content
      Cluster 51   Recover.jpg content
      Cluster 52   Recover.jpg content
      Cluster 53   Hello.txt content
      Cluster 54   Unknown
    Raw bytes: FF D8 AA BB 01 33 .... ... 70 BB 01 2A FF D9
    JPEG files use "FF D8" as header and "FF D9" as footer
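The deletion, metadata-based recovery and carving steps of slides 15 to 18 as one runnable simulation. This is an added example, not code from the DSNS lab or from the slides: it models a toy FAT-style volume with 8-byte clusters, adds a `size` field to the directory entry (real FAT entries record one, the slide table does not show it), and uses a constructed JPEG-like payload that reuses the FF D8 / FF D9 header and footer from slide 18. It also goes one step beyond the slides with a fragmented layout, where both the contiguous-cluster guess of slide 17 and plain header/footer carving break down.

```python
from dataclasses import dataclass, field
from math import ceil

CLUSTER_SIZE = 8        # bytes per cluster; tiny so the whole layout is visible
FREE, EOF = 0, 0xFFFF   # FAT markers: 0 = unallocated (as on slide 16), EOF = end of chain

# Constructed payloads, not real files.  The JPEG-like sample carries the FF D8
# header and FF D9 footer from slide 18 and is exactly three clusters long.
JPEG = b"\xff\xd8\xaa\xbb\x01\x33" + b"R" * 12 + b"\x70\xbb\x01\x2a\xff\xd9"
TEXT = b"Hello content!"   # 14 bytes: two clusters, 53 and 57, as on slide 15

@dataclass
class DirEntry:
    name: str
    start: int    # first cluster of the file
    size: int     # real FAT directory entries record this; the slide table omits it

@dataclass
class Volume:
    clusters: dict = field(default_factory=dict)   # data area: cluster -> bytes
    fat: dict = field(default_factory=dict)        # cluster -> next cluster / EOF / FREE
    directory: list = field(default_factory=list)

def store(vol, name, chain, data):
    """Lay `data` out over `chain`, link the FAT entries and add a directory entry."""
    assert len(chain) == ceil(len(data) / CLUSTER_SIZE)
    for i, c in enumerate(chain):
        piece = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        vol.clusters[c] = piece.ljust(CLUSTER_SIZE, b"\0")
        vol.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOF
    vol.directory.append(DirEntry(name, chain[0], len(data)))

def make_volume(fragmented=False):
    """Clusters 50..59.  Default layout is slide 15; `fragmented` interleaves the
    two files so the JPEG no longer occupies consecutive clusters."""
    vol = Volume()
    for c in range(50, 60):
        vol.clusters[c], vol.fat[c] = b"\0" * CLUSTER_SIZE, FREE
    if fragmented:
        store(vol, "Recover.jpg", [50, 52, 55], JPEG)
        store(vol, "Hello.txt", [51, 57], TEXT)
    else:
        store(vol, "Recover.jpg", [50, 51, 52], JPEG)
        store(vol, "Hello.txt", [53, 57], TEXT)
    vol.clusters[54] = b"Unknown!"   # leftover of some earlier file, unallocated
    return vol

def read_file(vol, entry):
    """Normal read: follow the FAT chain from the directory entry's start cluster."""
    data, c = b"", entry.start
    while c != EOF:
        data += vol.clusters[c]
        c = vol.fat[c]
    return data[:entry.size]

def delete_file(vol, name):
    """Slide 16: the data stays on disk; the FAT chain is freed and the first
    character of the name is overwritten (real FAT writes 0xE5, the slide shows '_')."""
    entry = next(e for e in vol.directory if e.name == name)
    c = entry.start
    while c != EOF:
        nxt = vol.fat[c]
        vol.fat[c] = FREE
        c = nxt
    entry.name = "_" + name[1:]

def recover_basic(vol, deleted_name):
    """Slide 17: metadata-based recovery.  The chain is gone, so predict that the
    file sat in consecutive clusters from its start cluster.  If a predicted
    cluster is still allocated the prediction is provably wrong, so give up."""
    entry = next(e for e in vol.directory if e.name == deleted_name)
    chain = range(entry.start, entry.start + ceil(entry.size / CLUSTER_SIZE))
    if any(vol.fat[c] != FREE for c in chain):
        return None
    return b"".join(vol.clusters[c] for c in chain)[:entry.size]

def raw_data_area(vol):
    """The data area as a carving tool sees it: clusters in order, no metadata."""
    return b"".join(vol.clusters[c] for c in sorted(vol.clusters))

def carve_jpeg(raw):
    """Slide 18: header/footer carving.  Every FF D8 ... FF D9 span is returned."""
    found, pos = [], 0
    while (start := raw.find(b"\xff\xd8", pos)) >= 0:
        end = raw.find(b"\xff\xd9", start + 2)
        if end < 0:
            break
        found.append(raw[start:end + 2])
        pos = end + 2
    return found

if __name__ == "__main__":
    vol = make_volume()
    delete_file(vol, "Recover.jpg")
    print("basic recovery ok:", recover_basic(vol, "_ecover.jpg") == JPEG)
    print("carving ok:       ", carve_jpeg(raw_data_area(vol)) == [JPEG])
    frag = make_volume(fragmented=True)
    delete_file(frag, "Recover.jpg")
    print("fragmented, basic recovery:", recover_basic(frag, "_ecover.jpg"))
    print("fragmented, carving ok:    ", carve_jpeg(raw_data_area(frag)) == [JPEG])
```

On the slide 15 layout both methods return the original JPEG after deletion. On the fragmented layout `recover_basic` notices that cluster 51 is still allocated to Hello.txt and returns `None`, while header/footer carving silently returns a span that contains Hello.txt's bytes in the middle: carving needs no metadata, but in this simple form it assumes contiguity just as much as the basic method does, and unlike the basic method it cannot tell when that assumption failed.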
  • 20. Web Crawler
    • To collect malware across the web, we use a crawler to automatically download files from the internet
      – Nutch + Hadoop
      – Collects about 10000 files / day
    • Rarely malicious
      – Does not run JavaScript
      – No vulnerability
      – Password
  • 21. Malware Sharing Repository
    • There are many websites that provide free malware sharing
      – Attack Response
        • Malc0de
        • Malware Black List
        • Malware Domain List
      – Malware Sharing
        • VXHeaven
        • Malware Dump
        • VirusSign
        • …….
  • 22. Malware Profile
    File Metadata
      Field               Value                                                    Note
      File Name           "setup.exe"
      Origin File Name
      MD5 (SHA1) Hash     ccffcb94e4058ed22a94881ba2d26f35
      File Size           65024
      File Type           PE32 executable for MS Windows (GUI) Intel 80386 32-bit
      IsMalicious         True                                                     Some of our sources may upload benign files
    File Source
      Field               Value                                                    Note
      Collection Date     2013-11-21
      Collection Source   Email                                                    Email/Disk/Crawler/Honeypot
      Collection Location bletchley@dsns.cs.nctu.edu.tw                            Email address, disk id, URL, IP of honeypot
  • 23. Executable Related Attribute
    Behavior
      Attribute           Description
      Network Trace       Log all communication flow
      Instruction Trace   Log all instructions executed
      Function Trace      Log all API function code
      Modified Files      All modified files
      Shellcode           Shellcode identified in files (document only)
      Modified Registry   All registry modified
      SSDT Hook           Whether the SSDT was changed by this sample
      MBR Modified        Whether this sample modified the MBR
      Screenshots
  • 24. Security Detector Attribute
    AntiVirus
      Attribute     Description               Note
      Packer        Packer name               PEiD
      AV Result     All antivirus reports     ClamAV, Kaspersky, Norton….
    Other fields needed by each analyzer
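To show how the File Metadata and File Source fields of slide 22 can be filled from the sample bytes at collection time, here is an added example, not SECMAP's own code. It hashes the file, records its size, and derives the file-type string by reading the DOS header, COFF header and optional header of a PE image at the offsets fixed by the PE/COFF format. The PE bytes are constructed inside the block (a bare header, no real code); `build_profile`, the rejected-source check and the mailbox address are assumptions for illustration.

```python
import hashlib
import struct
from datetime import date

# Collection sources named on slide 22.  Anything else is rejected so the
# profile stays queryable later.
COLLECTION_SOURCES = {"Email", "Disk", "Crawler", "Honeypot"}
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}

def describe_pe(data):
    """Build a file(1)-style type string from the PE headers, or return None
    when the bytes are not a PE image.  Offsets follow the PE/COFF layout:
    e_lfanew at 0x3C, COFF header right after the 'PE\\0\\0' signature,
    optional header 24 bytes after the signature, Subsystem at optional
    header offset 68 for both PE32 and PE32+."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24
    if len(data) < opt + 70 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    fmt, bits = {0x10B: ("PE32", 32), 0x20B: ("PE32+", 64)}.get(magic, ("PE", "?"))
    kind = "DLL" if characteristics & 0x2000 else "executable"   # IMAGE_FILE_DLL
    return (f"{fmt} {kind} for MS Windows ({SUBSYSTEMS.get(subsystem, subsystem)}) "
            f"{MACHINES.get(machine, hex(machine))} {bits}-bit")

def build_profile(file_name, data, collection_source, collection_location, collection_date):
    """Fill the 'File Metadata' and 'File Source' fields of slide 22.
    IsMalicious is deliberately left undecided: sources may upload benign
    files, so that flag belongs to the analyzers, not to collection."""
    if collection_source not in COLLECTION_SOURCES:
        raise ValueError(f"unknown collection source: {collection_source}")
    date.fromisoformat(collection_date)   # validates the YYYY-MM-DD form used on the slide
    return {
        "File Name": file_name,
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "File Size": len(data),
        "File Type": describe_pe(data) or "unknown (not a PE image)",
        "IsMalicious": None,
        "Collection Date": collection_date,
        "Collection Source": collection_source,
        "Collection Location": collection_location,
    }

def make_sample_pe():
    """Constructed minimal PE32 header (no real code): MZ stub with e_lfanew = 0x40,
    COFF header for an i386 GUI executable, 224-byte optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # 64 bytes, e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(68, b"\0") + struct.pack("<H", 2)   # Subsystem 2 = GUI
    return dos + coff + opt.ljust(224, b"\0") + b"\xCC" * 64       # padding stands in for sections

if __name__ == "__main__":
    sample = make_sample_pe()
    profile = build_profile("setup.exe", sample, "Email", "analyst@example.invalid", "2013-11-21")
    for key, value in profile.items():
        print(f"{key:20} {value}")
```

Keeping the hash, size and type derivation at collection time means every later analyzer on slide 9 keys off the same identifiers, and the `None` in IsMalicious makes it explicit that a sample from an email mailbox or a crawler has not yet been judged.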
  • 25. Conclusion
    • Secmap is an infrastructure to automatically collect, analyze and store malware samples
    • Different ways to collect a wide range of samples
      – Honeypot
      – Disk
      – Email
      – Web
  • 26. Q&A