SlideShare una empresa de Scribd logo

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

D
DaveEdwards12

Instrumenting Point of Sale Malware

Software
1 de 22
Descargar para leer sin conexión
Instrumenting Point-of-Sale Malware A Case Study in Communicating Malware Analysis More Effectively Wesley McGrew Assistant Research Professor Mississippi State University Department of Computer Science & Engineering Distributed Analytics and Security Institute
Introduction • The pragmatic and unapologetic offensive security guy • Breaking things • Reversing things • Mississippi State University - NSA CAE Cyber Ops • Enjoying my fourth year speaking at DEF CON
The Plan • In general: • Adopt better practices in describing and demonstrating malware capabilities • Proposal to supplement written analyses with illustration that uses the malware itself • What we’ll spend a good chunk of today’s session doing: • Showing off some cool instrumented POS malware • Talk about how you can do the same
Scientific Method (the really important bits) • Reproducibility • Reasons: • Verifying results • Starting new analysis where old analysis left off • Education of new reverse engineering specialists • IOC consumers vs. fellow analysts as an audience
What’s often missing? • Sample info • Hashes • Availability • Procedure • Subverting malware-specific countermeasures • Context • Redacted info on compromised hosts and C2 hosts • Internal points of reference • Addresses of functionality/data being discussed
Devil’s Advocate: Why it’s not there… • Fellow analysts and students are not the target audience of many published analyses • We’re left to “pick” through for technically useful info • Added effort - It’s a lot of work to get your internal notes and tools fit for outside consumption • Analysis-consumer safety - preventing the reader for inadvertently infecting • Client confidentiality - Compelling. May be client-specific data in targeted malware • Competitive advantage - public relations, advertising services, showcase of technical ability • Perhaps not in our best interest to allow someone to further it, do it better, or worse: prove it wrong.
What’s Being Done Elsewhere? • Reproducibility and verifiability are a big deal in any academic/scientific endeavor • Peer review is supposed to act as the filter here • (Though maybe we aren’t as rigorous as we ought to be with it in computer science/engineering) • Software, environment, data, documented to the point that someone can recreate the experiment • Executable/interactive research paper • Embedded algorithms and data, • (Doesn’t that sound a bit scary re: Malware? :) )
Recommendations • Beyond sandbox output… • Sample availability (!!!!!!!!!) • virusshare.com is the best positive example of the right direction here • Host environment documentation • Target data - give it something to exfiltrate • Network environment - give it what it wants to talk to • Instrumentation - programmatic, running commentary • Scriptable debugging (winappdbg!) • Isolate functionality, document points of interest, put it all into a big picture
Case Study: JackPOS
(to make sure I get these in before we geek-out on the demo) Acknowledgements • Samples - @xylit0l - http://cybercrime-tracker.net • Prior-to-now-but-post-this-work analyses • http://blog.spiderlabs.com/2014/02/jackpos-the-house- always-wins.html • http://blog.malwaremustdie.org/2014/02/cyber-intelligence- jackpos-behind-screen.html • Please check the white paper citations for tools, executable paper prior work, etc.
Why JackPOS? • Current concern surrounding POS malware • C2 availability - Ability to demonstrate a complete environment • From card-swipe to command-and-control • C++ strings, STL - runtime objects make static analysis with IDA Pro a bit more awkward • Good use case for harnesses • Independent memory-search functionality
Harness Design • WinAppDbg - Python scriptable debugging • Really fun library - Well-documented, lots of examples, easy to use • Callbacks for breakpoints
JackPOS • Example sample - SHA1 9fa9364add245ce873552aced7b4a757dceceb9e • Available on virusshare (and mcgrewsecurity.com) • This is the only part not on the DEF CON DVD. • Command and Control • PHP, Yii Framework
Command and Control • Data model - bots, cards, commands, dumps, ranges, tracks, users
Back to the sample • UPX (thankfully not an unpacking talk/tutorial) • Unpacked version crashes due the stack cookie seed address not relocating • Easy fix: disable ASLR (also makes our analysis easier), unset: • IMAGE_NT_HEADERS > IMAGE_OPTIONAL_HEADER > IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
Setup • String setup - c2, executable filenames, process names for memory search • Installation (copying self)/persistence (registry) • Harness patches - • Command and control • Installation check • Prevents watchdog process (and anything else from ShellExecute’ing)
Communication • Command and Control Check-in • Checks C2 for http://[c2]/post_echo • (PostController.php responds “up”) • Prevents simple sandbox from getting much • If there’s track data, base64 it and send it • Harness configured to display data sent • Check command queue • Hosts uniquely identify by MAC
Commands • Credit card track theft happens without having to be commanded to do so • Remainder of command set is simple: • kill • update - (replace current install with latest from /post/download) • exec <url>
Scraping Memory • Get a list of functions • No 64-bit process • No processes matching internal table (system, etc) • Iterate and search for card data using two regular-expression-esque functions • ISO/IEC 7813 (we can generate and instrument this) • Harness identifies search process • Another harness can be used to instrument the code to scan arbitrary PIDs
Demo • Sample MD5 - aa9686c3161242ba61b779aa325e9d24 • Harnesses • jackpos_harness.py - Instruments all operation • search_proc_harness.py - Skips to and illustrates track-data capture • Track data generator - Generate and hold card swipes in memory • PHP source for (actual) C2 • (recreated DB schema (uh it works))
Wrapping up • Addressing reproducibility/verifiability, potential benefits • Effective illustration for lay audiences, students • Base to work from (not “from scratch”) for other analysts • Illustration using the resources malware “wants”, vs. generic sandbox • Potential for publishing instrumented analysis in virtual/ cloud environments for others to work with more immediately
Contact Info ! wesley@mcgrewsecurity.com @McGrewSecurity

Recomendados

Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan GunterMaterials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan GunterDan Gunter
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of LogsJack Crook
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoConferencias FIST
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation Damir Delija
 
scrazzl - A technical overview
scrazzl - A technical overviewscrazzl - A technical overview
scrazzl - A technical overviewscrazzl
 

Recomendados

Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan GunterMaterials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan GunterDan Gunter
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of LogsJack Crook
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoConferencias FIST
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation Damir Delija
 
scrazzl - A technical overview
scrazzl - A technical overviewscrazzl - A technical overview
scrazzl - A technical overviewscrazzl
 
Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...
Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...
Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...DevOpsDays Tel Aviv
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...DevOpsDays Tel Aviv
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionMichael Boman
 
Data Visualization for Big Data: Experience from the Front Line
Data Visualization for Big Data: Experience from the Front LineData Visualization for Big Data: Experience from the Front Line
Data Visualization for Big Data: Experience from the Front LineRosa Romero Gómez, PhD
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Malachi Jones
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big DataRaffael Marty
 
Bottlenecks in Java Applications
Bottlenecks in Java ApplicationsBottlenecks in Java Applications
Bottlenecks in Java ApplicationsGlobalLogic Ukraine
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
Paranoia 2018: A Process is No One
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No OneJared Atkinson
 
HTML5 Security
HTML5 SecurityHTML5 Security
HTML5 SecurityVille Säävuori
 
Attacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecAttacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecCheapSSLsecurity
 
Point of Sale (POS) Malware: Easy to Spot, Hard to Stop
Point of Sale (POS) Malware: Easy to Spot, Hard to StopPoint of Sale (POS) Malware: Easy to Spot, Hard to Stop
Point of Sale (POS) Malware: Easy to Spot, Hard to StopSymantec
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware Lancope, Inc.
 
POS Malware: Is your Debit/Credit Transcations Secure?
POS Malware: Is your Debit/Credit Transcations Secure?POS Malware: Is your Debit/Credit Transcations Secure?
POS Malware: Is your Debit/Credit Transcations Secure?Cysinfo Cyber Security Community
 
Understanding the POS Malware
Understanding the POS MalwareUnderstanding the POS Malware
Understanding the POS Malwarevijay1926
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 

Más contenido relacionado

La actualidad más candente

Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...
Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...
Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...DevOpsDays Tel Aviv
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...DevOpsDays Tel Aviv
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionMichael Boman
 
Data Visualization for Big Data: Experience from the Front Line
Data Visualization for Big Data: Experience from the Front LineData Visualization for Big Data: Experience from the Front Line
Data Visualization for Big Data: Experience from the Front LineRosa Romero Gómez, PhD
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Malachi Jones
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big DataRaffael Marty
 
Bottlenecks in Java Applications
Bottlenecks in Java ApplicationsBottlenecks in Java Applications
Bottlenecks in Java ApplicationsGlobalLogic Ukraine
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
Paranoia 2018: A Process is No One
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No OneJared Atkinson
 

La actualidad más candente (12)

Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...
Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...
Machine Learning Concepts for Software Monitoring - Lior Redlus, Coralogix - ...
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And Attribution
 
Data Visualization for Big Data: Experience from the Front Line
Data Visualization for Big Data: Experience from the Front LineData Visualization for Big Data: Experience from the Front Line
Data Visualization for Big Data: Experience from the Front Line
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
 
Bottlenecks in Java Applications
Bottlenecks in Java ApplicationsBottlenecks in Java Applications
Bottlenecks in Java Applications
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 
Paranoia 2018: A Process is No One
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No One
 
HTML5 Security
HTML5 SecurityHTML5 Security
HTML5 Security
 

Destacado

Attacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecAttacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecCheapSSLsecurity
 
Point of Sale (POS) Malware: Easy to Spot, Hard to Stop
Point of Sale (POS) Malware: Easy to Spot, Hard to StopPoint of Sale (POS) Malware: Easy to Spot, Hard to Stop
Point of Sale (POS) Malware: Easy to Spot, Hard to StopSymantec
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware Lancope, Inc.
 
Understanding the POS Malware
Understanding the POS MalwareUnderstanding the POS Malware
Understanding the POS Malwarevijay1926
 

Destacado (6)

Attacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecAttacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By Symantec
 
Point of Sale (POS) Malware: Easy to Spot, Hard to Stop
Point of Sale (POS) Malware: Easy to Spot, Hard to StopPoint of Sale (POS) Malware: Easy to Spot, Hard to Stop
Point of Sale (POS) Malware: Easy to Spot, Hard to Stop
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware
 
POS Malware: Is your Debit/Credit Transcations Secure?
POS Malware: Is your Debit/Credit Transcations Secure?POS Malware: Is your Debit/Credit Transcations Secure?
POS Malware: Is your Debit/Credit Transcations Secure?
 
Understanding the POS Malware
Understanding the POS MalwareUnderstanding the POS Malware
Understanding the POS Malware
 

Similar a Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Paul Haskell-Dowland
 
Silicon Valley Code Camp 2016 - MongoDB in production
Silicon Valley Code Camp 2016 - MongoDB in productionSilicon Valley Code Camp 2016 - MongoDB in production
Silicon Valley Code Camp 2016 - MongoDB in productionDaniel Coupal
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapFelipe Prado
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Blue Teaming on a Budget of Zero
Blue Teaming on a Budget of ZeroBlue Teaming on a Budget of Zero
Blue Teaming on a Budget of ZeroKyle Bubp
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingRISC-V International
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Vlad Styran
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWSounil Yu
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 
Demystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampDemystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampAndré Baptista
 

Similar a Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware (20)

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019
 
Silicon Valley Code Camp 2016 - MongoDB in production
Silicon Valley Code Camp 2016 - MongoDB in productionSilicon Valley Code Camp 2016 - MongoDB in production
Silicon Valley Code Camp 2016 - MongoDB in production
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Becoming a better pen tester overview
Becoming a better pen tester overviewBecoming a better pen tester overview
Becoming a better pen tester overview
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Blue Teaming on a Budget of Zero
Blue Teaming on a Budget of ZeroBlue Teaming on a Budget of Zero
Blue Teaming on a Budget of Zero
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKW
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
Demystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampDemystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels Camp
 

Más de DaveEdwards12

A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)DaveEdwards12
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsDaveEdwards12
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsDaveEdwards12
 
Insecurity in security products 2013
Insecurity in security products 2013Insecurity in security products 2013
Insecurity in security products 2013DaveEdwards12
 
Why current security solutions fail
Why current security solutions failWhy current security solutions fail
Why current security solutions failDaveEdwards12
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesDaveEdwards12
 
Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security managementDaveEdwards12
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security ProductsDaveEdwards12
 
Insecurity in security products v1.5
Insecurity in security products v1.5Insecurity in security products v1.5
Insecurity in security products v1.5DaveEdwards12
 

Más de DaveEdwards12 (11)

A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactions
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systems
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systems
 
Insecurity in security products 2013
Insecurity in security products 2013Insecurity in security products 2013
Insecurity in security products 2013
 
Why current security solutions fail
Why current security solutions failWhy current security solutions fail
Why current security solutions fail
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilities
 
Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security management
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security Products
 
Insecurity in security products v1.5
Insecurity in security products v1.5Insecurity in security products v1.5
Insecurity in security products v1.5
 

Último

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 

Último (20)

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

  • 1. Instrumenting Point-of-Sale Malware A Case Study in Communicating Malware Analysis More Effectively Wesley McGrew Assistant Research Professor Mississippi State University Department of Computer Science & Engineering Distributed Analytics and Security Institute
  • 2. Introduction • The pragmatic and unapologetic offensive security guy • Breaking things • Reversing things • Mississippi State University - NSA CAE Cyber Ops • Enjoying my fourth year speaking at DEF CON
  • 3. The Plan • In general: • Adopt better practices in describing and demonstrating malware capabilities • Proposal to supplement written analyses with illustration that uses the malware itself • What we’ll spend a good chunk of today’s session doing: • Showing off some cool instrumented POS malware • Talk about how you can do the same
  • 4. Scientific Method (the really important bits) • Reproducibility • Reasons: • Verifying results • Starting new analysis where old analysis left off • Education of new reverse engineering specialists • IOC consumers vs. fellow analysts as an audience
  • 5. What’s often missing? • Sample info • Hashes • Availability • Procedure • Subverting malware-specific countermeasures • Context • Redacted info on compromised hosts and C2 hosts • Internal points of reference • Addresses of functionality/data being discussed
  • 6. Devil’s Advocate: Why it’s not there… • Fellow analysts and students are not the target audience of many published analyses • We’re left to “pick” through for technically useful info • Added effort - It’s a lot of work to get your internal notes and tools fit for outside consumption • Analysis-consumer safety - preventing the reader for inadvertently infecting • Client confidentiality - Compelling. May be client-specific data in targeted malware • Competitive advantage - public relations, advertising services, showcase of technical ability • Perhaps not in our best interest to allow someone to further it, do it better, or worse: prove it wrong.
  • 7. What’s Being Done Elsewhere? • Reproducibility and verifiability are a big deal in any academic/scientific endeavor • Peer review is supposed to act as the filter here • (Though maybe we aren’t as rigorous as we ought to be with it in computer science/engineering) • Software, environment, data, documented to the point that someone can recreate the experiment • Executable/interactive research paper • Embedded algorithms and data, • (Doesn’t that sound a bit scary re: Malware? :) )
  • 8. Recommendations • Beyond sandbox output… • Sample availability (!!!!!!!!!) • virusshare.com is the best positive example of the right direction here • Host environment documentation • Target data - give it something to exfiltrate • Network environment - give it what it wants to talk to • Instrumentation - programmatic, running commentary • Scriptable debugging (winappdbg!) • Isolate functionality, document points of interest, put it all into a big picture
  • 10. (to make sure I get these in before we geek-out on the demo) Acknowledgements • Samples - @xylit0l - http://cybercrime-tracker.net • Prior-to-now-but-post-this-work analyses • http://blog.spiderlabs.com/2014/02/jackpos-the-house- always-wins.html • http://blog.malwaremustdie.org/2014/02/cyber-intelligence- jackpos-behind-screen.html • Please check the white paper citations for tools, executable paper prior work, etc.
  • 11. Why JackPOS? • Current concern surrounding POS malware • C2 availability - Ability to demonstrate a complete environment • From card-swipe to command-and-control • C++ strings, STL - runtime objects make static analysis with IDA Pro a bit more awkward • Good use case for harnesses • Independent memory-search functionality
  • 12. Harness Design • WinAppDbg - Python scriptable debugging • Really fun library - Well-documented, lots of examples, easy to use • Callbacks for breakpoints
  • 13. JackPOS • Example sample - SHA1 9fa9364add245ce873552aced7b4a757dceceb9e • Available on virusshare (and mcgrewsecurity.com) • This is the only part not on the DEF CON DVD. • Command and Control • PHP, Yii Framework
  • 14. Command and Control • Data model - bots, cards, commands, dumps, ranges, tracks, users
  • 15. Back to the sample • UPX (thankfully not an unpacking talk/tutorial) • Unpacked version crashes due the stack cookie seed address not relocating • Easy fix: disable ASLR (also makes our analysis easier), unset: • IMAGE_NT_HEADERS > IMAGE_OPTIONAL_HEADER > IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
  • 16. Setup • String setup - c2, executable filenames, process names for memory search • Installation (copying self)/persistence (registry) • Harness patches - • Command and control • Installation check • Prevents watchdog process (and anything else from ShellExecute’ing)
  • 17. Communication • Command and Control Check-in • Checks C2 for http://[c2]/post_echo • (PostController.php responds “up”) • Prevents simple sandbox from getting much • If there’s track data, base64 it and send it • Harness configured to display data sent • Check command queue • Hosts uniquely identify by MAC
  • 18. Commands • Credit card track theft happens without having to be commanded to do so • Remainder of command set is simple: • kill • update - (replace current install with latest from /post/download) • exec <url>
  • 19. Scraping Memory • Get a list of functions • No 64-bit process • No processes matching internal table (system, etc) • Iterate and search for card data using two regular-expression-esque functions • ISO/IEC 7813 (we can generate and instrument this) • Harness identifies search process • Another harness can be used to instrument the code to scan arbitrary PIDs
  • 20. Demo • Sample MD5 - aa9686c3161242ba61b779aa325e9d24 • Harnesses • jackpos_harness.py - Instruments all operation • search_proc_harness.py - Skips to and illustrates track-data capture • Track data generator - Generate and hold card swipes in memory • PHP source for (actual) C2 • (recreated DB schema (uh it works))
  • 21. Wrapping up • Addressing reproducibility/verifiability, potential benefits • Effective illustration for lay audiences, students • Base to work from (not “from scratch”) for other analysts • Illustration using the resources malware “wants”, vs. generic sandbox • Potential for publishing instrumented analysis in virtual/ cloud environments for others to work with more immediately
  • 22. Contact Info ! wesley@mcgrewsecurity.com @McGrewSecurity