Workshop on Setting up Malware Lab
1. Malware Lab Setup
25 May 2011,
Workshop Academy CERT,
Institut Teknologi Sepuluh Nopember
Surabaya, Indonesia
Charles Lim, MSc., ECSA, ECSP, ECIH, CEH, CEI
Dipl.-Inf. Randy Anthony, S.Kom, CEH
Michael
William Ang
2. Agenda
Background
The Search for Malware Samples
SGU Malware Research & Malware Lab
Honeypot – Randy Anthony
Dionaea – Michael & William Ang
Malware Sample Results
The call for Indonesia Honeynet
Dionaea – Setting up (step-by-step)
Questions & Answers
SWISS GERMAN UNIVERSITY Malware Setup Workshop
3. Background
It all began with …
Students wanted to learn about analyzing malware using data mining techniques
We contacted Thorsten Holz (U of Mannheim), who gave us their malware samples
But we needed Indonesian (local) samples
We invited Aat Shadewa (virologi.info) to share his experience
He had several local samples that we could use to analyze
But, we need more samples …
4. The search for malware samples
After discussing with several experts, the best ways to collect malware are the following:
Users submitting malware (e.g. http://anubis.iseclab.org, http://virustotal.com)
Collect from public sites (Copy Center, Warnet (internet café), people's flash disks)
Purchase email accounts on several ISPs and begin to get malware from SPAM email etc.
Catch your own malware using a honeypot (more about this later)
5. SGU Malware Lab
We began with our goals:
To be able to obtain malware samples
To be able to analyze malware using static analysis
To be able to analyze malware using behavior analysis
Our research focuses on using Data Mining techniques to classify local malware.
The results have been published at an IEEE International Conference in December 2010.
6. SGU Malware Lab
Our Methodology (diagram): Capture, Static Analysis, Dynamic Analysis, Malware Reporting
7. SGU Malware Lab
Our Methodology (in detail) (diagram)
8. SGU Malware Lab
We began with the Room Blueprint (figure)
9. SGU Malware Lab
We simulated the room using 3D images (figure)
10. SGU Malware Lab
SGU Malware Lab (photo)
11. SGU Malware Lab
We designed the isolated network (diagram)
12. SGU Malware Lab
Our Hardware Specification
Processor: Dual Core 2.5 GHz
RAM: 2 GB DDRII
Hard Disk: 160 GB
The tools used for analysis:
Debugger: OllyDBG
Packer Detector: PEiD
Monitoring tools (registry, network, process): Regshot, Wireshark, Process Monitor
13. SGU Malware Research Publications
Firdausi I., Lim C., Erwin A., Nugroho A. S., "Analysis of Machine Learning Techniques Used in Behavior-Based Malware Detection," 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.
Simanjuntak D. A., Ipung H. P., Lim C., Nugroho A. S., "Text Classification Techniques Used to Facilitate Cyber Terrorism Investigation," 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.
Christian R., Lim C., Nugroho A. S., Kisworo M., "Integrating Dynamic Analysis Using Clustering Techniques for Local Malware in Indonesia," 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.
Endy, Lim C., Eng K. I., Nugroho A. S., "Implementation of Intelligent Searching Using Self-Organizing Map for Webmining Used in Document Containing Information in Relation to Cyber Terrorism," 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.
14. SGU Current Research
Indonesia Malware Profiling
Forensic Research on Remnant Data
Cloud Security
16. Honeypot
17. Why Use a Honeypot in a Malware Analysis Lab
Used to capture Autonomous Spreading Malware / Worms.
We, as a CERT (Computer Emergency Response Team), must find a way to stop the spreading and to apply countermeasures.
A late response to a worm infection can cause massive damage.
Example: Conficker Worm (2008 – 2009) caused around 9.1 Billion USD / 78 trillion Rupiah in damage
18. Introduction to Honeypot
"A honeypot is a decoy that is used to lure malware or attackers (hackers)."
"It is a computer that has no production value, so if it is compromised or destroyed it should not affect the activities of the company."
19. Honeypot Based on Interaction
Two kinds of honeypot:
Low Interaction Honeypot
High Interaction Honeypot
20. Low Interaction Honeypot
Does not implement actual services
Disguised as a real system
Good for finding known attacks and expected behavior
Usually automated
Lower cost needed
Example: Nepenthes, Amun, Dionaea
21. High Interaction Honeypot
It is a "real" system, usually with a different configuration than the production system.
Riskier than Low-Interaction due to the "Allow all" configuration
Difficult to maintain and must be configured manually
Higher cost needed
Example: Physical HIH, Virtual HIH
22. Table of Comparison
                        Low-interaction      High-interaction
Degree of interaction   Low                  High
Real operating system   No                   Yes
Risk                    Low                  High
Knowledge gain          Connection/Request   Everything
Can be conquered        No                   Yes
Maintenance time        Low                  High
23. Choosing a Honeypot
Must know the purpose:
Detecting attackers?
Risk identification?
Risk mitigation & analysis?
Identifying new threats?
Research?
24. SWISS GERMAN UNIVERSITY HONEYPOT 2010 - NEPENTHES
25. Nepenthes
Low interaction honeypot
Resource needed: Low
New Vulnerabilities: No
New Exploits: Yes
Maintenance Time: Low
Risk: Low
Installed on VMWare: Windows -> Ubuntu -> Nepenthes
26. SGU Honeynet Physical Design (diagram)
27. SGU Honeynet Logical Design (diagram)
28. Malware Captured (3.06.10 – 24.07.10)
427 malware samples captured, 111 of them unique
29. Dynamic Analysis Using AVG
Type           Name                        Total
Trojan Horse   Backdoor Rbot.IN            1
Trojan Horse   Generic15.EHT               1
Trojan Horse   Generic17.ASMD              1
Trojan Horse   Generic2_c.AGVVC            1
Trojan Horse   IRC/Backdoor SdBot2.HHB     7
Trojan Horse   IRC/Backdoor SdBot2.KWD     4
Trojan Horse   IRC/Backdoor SdBot2.RJW     19
Trojan Horse   SpamTool.EZW                1
Virus          BackDoor.Rbot               1
Win32 Virus    Heur                        2
Win32 Virus    Virut                       7
Win32 Virus    Virut.AA                    3
Worm           Allaple.A                   9
Worm           Allaple.B                   30
Worm           Allaple.C                   7
Worm           Allaple.D                   11
Worm           Allaple.E                   3
Worm           Allaple.L                   1
Unknown        Unknown                     2
30. Dynamic Analysis Using Kaspersky
Type         Name          Total
Backdoor     FlyAgent.k    1
Backdoor     Nepoe.mk      1
Backdoor     Nepoe.tv      1
Backdoor     Rbot.adqd     7
Backdoor     Rbot.advj     1
Backdoor     Rbot.aftu     21
Backdoor     Rbot.bni      4
Backdoor     Rbot.bqj      6
Net-Worm     Allaple.b     39
Net-Worm     Allaple.d     2
Net-Worm     Allaple.e     17
Trojan-PSW   Kukudva.ad    1
Trojan       Agent.ayuc    1
Trojan       VB.ahzy       1
Virus        Virut.av      3
Unknown      Unknown       5
33. Dionaea
Dionaea is Nepenthes' predecessor.
Dionaea is a low interaction honeypot.
Dionaea has many new functions, such as using libemu, and support for TLS and IPv6.
Dionaea uses Python as its scripting language.
34. How Dionaea works
Dionaea works like Nepenthes.
Dionaea's intention is to trap malware that spreads through services offered on a network.
In order to minimize the possible impact of bugs, dionaea can drop privileges and chroot.
Dionaea uses the SMB protocol as its main protocol.
35. How Dionaea Works (Cont.)
Dionaea uses the SMB protocol as its main protocol.
Dionaea uses libemu to detect and evaluate the payload.
Once dionaea has obtained, from the shellcode, the location of the file the attacker wants it to download, dionaea will try to download the file.
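The last step above, keeping what the honeypot downloaded, is where the "427 captured / 111 unique" figures of slide 28 come from: the same worm binary arrives many times. The following is an added example, not code from the workshop or from the Dionaea project, of a small sample store that names each captured file by its hash so a repeated download is counted but not stored twice. Dionaea also names its captured binaries by hash; this is an independent re-implementation of that idea using SHA-256, and the captures fed to it are constructed byte strings, not real samples.

```python
# Added example (not from the workshop slides or the Dionaea project): a
# sample store that keeps one copy of each captured binary, named by its
# SHA-256 hash, so repeated downloads of the same worm are counted but not
# stored twice. The hash-naming mirrors what Dionaea does; the code is not
# Dionaea's.
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple


def store_sample(repo_dir: str, data: bytes) -> Tuple[str, bool]:
    """Store `data` as repo_dir/<sha256 hex>. Returns (digest, is_new)."""
    digest = hashlib.sha256(data).hexdigest()
    path = os.path.join(repo_dir, digest)
    if os.path.exists(path):
        return digest, False
    # Write under a temporary name and rename atomically, so an interrupted
    # write never leaves a truncated file under the final hash name.
    tmp_path = path + ".part"
    with open(tmp_path, "wb") as fh:
        fh.write(data)
    os.replace(tmp_path, path)
    # Captured samples are evidence, not programs to run: read-only, no exec bit.
    os.chmod(path, 0o400)
    return digest, True


def ingest(repo_dir: str, captures: Iterable[bytes]) -> Dict[str, int]:
    """Ingest every capture and report total vs. unique, the two numbers
    slide 28 reports (427 malware samples, 111 unique)."""
    total = unique = 0
    for blob in captures:
        _, is_new = store_sample(repo_dir, blob)
        total += 1
        if is_new:
            unique += 1
    return {"total": total, "unique": unique}


def ingest_in_tempdir(captures: Iterable[bytes]) -> Dict[str, int]:
    """Run `ingest` against a throw-away directory (for a quick check)."""
    with tempfile.TemporaryDirectory() as repo:
        return ingest(repo, list(captures))


# Constructed stand-in "binaries": arbitrary bytes, not real malware.
CONSTRUCTED_CAPTURES = [b"worm-A"] * 3 + [b"worm-B"] * 2 + [b"bot-C"]


if __name__ == "__main__":
    print(ingest_in_tempdir(CONSTRUCTED_CAPTURES))  # {'total': 6, 'unique': 3}
```

The atomic rename and the read-only mode are the two details worth copying into any lab collector: a half-written file under the final name would later be mistaken for a complete sample, and a stored sample should never be executable on the collecting host.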
36. Malwares collected in a day (bar chart)
Dates on the x-axis: 12/5/2011, 13/5/2011, 14/5/2011, 18/5/2011, 19/5/2011, 20/5/2011
Bar values as read from the chart: 64, 62, 56, 53, 10, 1
37. Attack in a week (listed every one hour) (bar chart)
x-axis: hour of day 0–24; y-axis: number of attacks, 0–1600
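The two charts above (samples per day, attacks per hour of day) are aggregations over the honeypot's connection and download records. As an added example, not from the slides or from the Dionaea project, the code below builds those views with SQL over an in-memory SQLite database. The two-table layout is an assumption loosely modelled on Dionaea's SQLite logging, not its real schema, and every record is constructed for the example (addresses come from documentation ranges).

```python
# Added example (not from the slides or the Dionaea project): turning raw
# honeypot records into the views the workshop charts show, attacks per
# hour of day (slide 37) and samples collected per day (slide 36), plus the
# most active sources. The table layout is an assumption loosely modelled
# on Dionaea's SQLite logging; all records are constructed.
import sqlite3
from typing import Dict, List, Tuple

# Constructed connection records: (remote_host, local_port, timestamp UTC).
# Addresses are from documentation ranges (TEST-NET), not real attackers.
CONNECTIONS = [
    ("198.51.100.7", 445, "2011-05-12T01:15:00"),
    ("198.51.100.7", 445, "2011-05-12T01:40:00"),
    ("203.0.113.9", 445, "2011-05-12T13:05:00"),
    ("203.0.113.9", 135, "2011-05-13T13:50:00"),
    ("192.0.2.33", 445, "2011-05-14T23:59:00"),
]
# Constructed download records: (timestamp UTC, url, hash placeholder).
DOWNLOADS = [
    ("2011-05-12T01:16:00", "http://198.51.100.7/x.exe", "hash-A"),
    ("2011-05-12T13:06:00", "http://203.0.113.9/x.exe", "hash-A"),
    ("2011-05-13T13:51:00", "http://203.0.113.9/y.exe", "hash-B"),
]


def build_db() -> sqlite3.Connection:
    """Load the constructed records into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE connections (remote_host TEXT, local_port INTEGER, ts TEXT)")
    db.execute("CREATE TABLE downloads (ts TEXT, url TEXT, sha256 TEXT)")
    db.executemany("INSERT INTO connections VALUES (?, ?, ?)", CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?, ?, ?)", DOWNLOADS)
    return db


def attacks_per_hour(db: sqlite3.Connection) -> Dict[int, int]:
    """Connections bucketed by hour of day (0..23); every hour is present,
    so quiet hours show as 0 rather than disappearing from the chart."""
    hist = {hour: 0 for hour in range(24)}
    rows = db.execute(
        "SELECT CAST(strftime('%H', ts) AS INTEGER), COUNT(*) "
        "FROM connections GROUP BY 1"
    )
    for hour, count in rows:
        hist[hour] = count
    return hist


def samples_per_day(db: sqlite3.Connection) -> Dict[str, int]:
    """Downloads per calendar day, the 'malwares collected in a day' view."""
    rows = db.execute(
        "SELECT substr(ts, 1, 10), COUNT(*) FROM downloads GROUP BY 1 ORDER BY 1"
    )
    return dict(rows.fetchall())


def top_sources(db: sqlite3.Connection, n: int = 3) -> List[Tuple[str, int]]:
    """Most active remote hosts: the first thing to check when a bar spikes."""
    rows = db.execute(
        "SELECT remote_host, COUNT(*) AS c FROM connections "
        "GROUP BY remote_host ORDER BY c DESC, remote_host LIMIT ?",
        (n,),
    )
    return rows.fetchall()


if __name__ == "__main__":
    conn = build_db()
    print({h: c for h, c in attacks_per_hour(conn).items() if c})  # {1: 2, 13: 2, 23: 1}
    print(samples_per_day(conn))  # {'2011-05-12': 2, '2011-05-13': 1}
    print(top_sources(conn, 2))   # [('198.51.100.7', 2), ('203.0.113.9', 2)]
```

Note that the per-day view counts downloads, not unique binaries; the same hash appears twice on 12 May above, which is exactly the gap between "427 captured" and "111 unique" on slide 28.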
39. Malware Map in Indonesia (figure)
40. Future Malware Map in Indonesia (figure)
Indonesia Honeynet
Malware Repository
41. The call for Indonesia Honeynet
Malware collected from all universities in Indonesia
All malware samples sent to IDSIRTII for the malware repository
Lots of research can be performed on these malware samples
43. Lab Time
Setup Dionaea (step-by-step)
44. Setup Information
Requirements:
Ubuntu 9.10 or 10.10
Honeypot (Dionaea)
Internet connection (public IP)
Software download from:
45. Questions & Answers