Malware Analysis: N00b to Ninja in 60 Minutes*
@grecs
* Most listeners do not become Ninjas in under 60 minutes. ;)
NoVA Infosec
NoVA Infosec https://www.novainfosec.com/
Pic of hacked sites; news articles of breaches, mid-2000s
Infosec COTS
Tweet/Post: Thanks … for sponsoring @grecs & @novainfosec…
@MiltonSecurity
@BulbSecurity
@PenTestTraining
Thanks
Agenda
• Introduction
• Environment
• Methodology
• Where to Learn
More
• Conclusion
Introduction
WARNING!!!
DO NOT ANALYZE MALWARE
ON PRODUCTION SYSTEMS
SOC Analysts Looking to Expand Skills beyond Event Monitoring & Basic Analysis
General Security Practitioners Interested in Getting Started in Malware Analysis
Environment
• Setup
– Virtual
– Physical
• Options
– Single Box
– Dual+ Box
Environment
Setup
• Virtual
– Efficient & Easy to Setup
– Snap-Shots to Revert Back To
– Risk of Malware Detecting the VM & Terminating
• Physical
– VM Detection Not Possible
– Resource Intensive
Environment
Setup – Virtual
• Network: Use Non-Host Connected Interface
Be Careful
Environment
Options
• Single Box
– All Analysis Performed on One Machine
– Risk of Potential Malware Sabotage
• Dual+ Box
– Mitigates Some Potential Sabotage
– Gateway to Simulate More Real Network
– Realistic External View (ports open, network traffic)
Environment
Options – Single Box
• Start with Base Unpatched Windows XP SP2 Box in VMware
– Similar to First Set of Post-Install Instructions for Metasploit Unleashed
– Switch to Classic View
– Disable Windows Firewall
– Turn Off Automatic Updates
– Disable Alerts
– Uncheck Simple File Sharing
• Add Target Software
– Older Versions If Needed
• Starting Points: OldVersion.com & OldApps.com
• Google for Others
Environment
Options – Single Box
• Install Dynamic Analysis Tools
– Process Monitor
• Show Processes that Started During Malware Execution
– Process Explorer
• Shows Files, Registry Keys, … Opened by Malware
– WireShark
• Sniffer to Capture Network Traffic the Malware May Generate
– RegShot
• View Changes Malware May Make in the Registry
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653
WireShark: https://www.wireshark.org/
RegShot: http://sourceforge.net/projects/regshot/
Environment
Options – Single Box
• Install Dynamic Analysis Tools (cont)
– TCPView
• Allows Detection of Malware Initiated Network Connections
– Malware Analysis Pack
• MAP FakeDNS
• MAP Right-Click (MD5 Hash, Strings, VirusTotal)
– FakeNet
• Aids Dynamic Analysis of Malicious Software
• Simulates Network so Malware Thinks It's Interacting with Remote Hosts
• DNS, HTTP, SSL, Dummy Listener
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437
MAP: http://www.woodmann.com/collaborative/tools/index.php/Malcode_Analysis_Pack
FakeNet: http://practicalmalwareanalysis.com/fakenet/
Environment
Options – Single Box
• Install Static Analysis Tools
– OllyDbg with OllyDump Plugin
• General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly; Plugin to View Encrypted Malware
– IDA Pro
• Windows Disassembler/Debugger with Freeware Alternative
– 010 Editor
• Standard Hex Editor
– Specialized Tools
• PDFs: Didier Stevens’s pdfid.py & pdf-parser.py
• Flash: SWFTtools
• Others: Java, JavaScript
OllyDbg: http://www.ollydbg.de/
OllyDump: http://www.openrce.org/downloads/details/108/OllyDump
IDA Pro Freeware: http://www.hex-rays.com/products/ida/support/download_freeware.shtml
Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/
Environment
Options – Single Box
• Baseline
– Configure VM to "Host-Only" Mode (Secluded Network)
• Temporarily Change to NAT to Download Malware
• Write-Once Media (e.g., CDs)
• USB Key with Physical Write-Protect Switch
– Imation USB 2.0 Clip Flash Drive
– Kanguru Flashblu 2
– Snapshot VM
Environment
Dual+ Box – Fake Gateway Server
• Second Machine for Target to Connect To
– Additional Advantage of Examining Network Traffic without Possible Malware Sabotage
– Implement Linux Server in VMware & Configure to Be Default Route on Victim Machine
– Should Have Fixed IP Addresses
• Enable or Install Software that Provides Needed Services
– DNS: Configured to Return Fake Server's IP for All Queries
– HTTP
– IRC
– Others: DHCP, FTP, SSH
– Other Services Depending on Goal of Analysis
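The DNS service on the fake gateway is the piece that makes the rest of the lab work: every name the victim resolves comes back as the gateway's own address, so the sample's HTTP, IRC or other traffic lands on listeners you control and shows up in WireShark instead of leaving the lab. The following is an added example, not code from the talk or from MAP FakeDNS or FakeNet; it is a minimal UDP responder that parses the question section of each query and answers every A/IN question with a fixed address (10.0.0.1 is a constructed lab value; the hostname and transaction ids used to exercise it are also constructed). It refuses packets that are not queries and handles truncated questions so a malformed packet from the victim cannot crash the logger.

```python
import socket
import struct

# Constructed lab value: the fake gateway's own address, returned for every A query.
FAKE_SERVER_IP = "10.0.0.1"


def parse_query(data):
    """Parse a DNS query packet and return (txid, qname, qtype, qclass, raw question)."""
    if len(data) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("query carries no question")
    labels = []
    pos = 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated question name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(data[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, qclass, data[12:pos]


def build_response(query, fake_ip=FAKE_SERVER_IP, ttl=60):
    """Answer any A/IN query with fake_ip; other types get an empty NOERROR reply."""
    txid, qname, qtype, qclass, question = parse_query(query)
    is_a_query = qtype == 1 and qclass == 1
    flags = 0x8580  # QR=1 (response), AA=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if is_a_query else 0, 0, 0)
    answer = b""
    if is_a_query:
        # NAME is a pointer to offset 12 (the question name), then TYPE A, CLASS IN,
        # TTL, RDLENGTH 4 and the four address bytes.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(fake_ip)
    return header + question + answer, qname


def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive query; used here to construct test traffic offline."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind_ip="0.0.0.0", port=53):
    """Listen on the gateway's interface and log every name the victim resolves."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply, qname = build_response(data)
        except ValueError as err:
            print(f"ignored packet from {peer[0]}: {err}")
            continue
        print(f"{peer[0]} resolved {qname} -> {FAKE_SERVER_IP}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Run it as root on the fake gateway with the victim's DNS pointed at the gateway; the printed log of resolved names is itself a useful triage artifact, since it shows the hostnames the sample wants before any HTTP or IRC session is attempted.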
Environment
Dual+ Box – Fake Gateway Server
• Install Network Analysis Tools
– WireShark: Records Network Traffic from Victim
– Netcat: Start Needed Ad-Hoc Services
– Nmap: Scan for Open Ports External to Victim
• Snapshot Fake Server Revert Back To
Environment
Preconfigured
• REMnux
– Created by Lenny Zeltser
– ISO or Virtual Appliance
– Static Analysis
• Load Malware on & Analyze
• Web-Based Malware (e.g., Malicious JavaScript, Java Programs, & Flash Files)
• Malicious Documents (e.g., Microsoft Office & Adobe PDF files)
• Utilities for Reversing Malware through Memory Forensics
– Dynamic Analysis
• Emulate Network Services Used as Fake Gateway Server
• Emulate Services in Isolated Lab Environment
• Infects Another Laboratory System with Malware Sample
• Directs Potentially-Malicious Connections to REMnux that's Listening on Appropriate Ports
REMnux: http://zeltser.com/remnux/ (v4)
Environment
Preconfigured
• CuckooBox
– Automated Dynamic Analysis of Malware
– Data Captured
• Trace of Performed Relevant Win32 API Calls
• Dump of Network Traffic Generated During Analysis
• Creation of Screenshots Taken During Analysis
• Dump of Files Created, Deleted and Downloaded by the Malware During Analysis
• Trace of Assembly Instructions Executed by Malware Process
CuckooBox: http://cuckoobox.org/
Methodology
1. Triage
2. Dynamic Analysis
3. Static Analysis
Methodology
1. Triage
a. Run through External Sandbox Services for QnD Results If Possible
• Goals: Establish Rough Idea of Malware Activities
• Tools: Norman Sandbox, GFI Sandbox, Anubis, ThreatExpert, …
b. MD5 Hash Comparison (can run live if possible)
• Goals: When Compiled, Packed, or Obfuscated
• Tools: VirusTotal.com, MAP, FileAlyzer, Google Hash
c. Determine Real File Type
• UNIX “file” Command and/or TrID
• Open in 010 & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia)
d. Unpack If Needed
• Tools: OllyDump, PE Explorer (UPX built-in)
e. Analyze Imports
• Goals: Discover Interesting Things Malware May Be Importing (networking APIs for a non-networking app)
• Tools: FileAlyzer (PE Imports tab)
f. Extract Readable Strings
• Goals: Discover Interesting Data Points like Host Names & IP Addresses
• Tools: MAP
g. Specialized Tools
• E.g., pdfid.py, pdf-parser.py, SWFTtools, …
MASTIFF: Open Source Linux Tool Automates Much of the Above (on REMnux v4)
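Steps b, c and f of the triage above (hash the sample, trust magic bytes over the file extension, pull readable strings and look for hosts, IPs, registry paths and networking APIs) are simple enough to script, and doing so shows why MAP and MASTIFF bundle them. The following is an added example, not code from the talk, MAP or MASTIFF: it runs those three checks over a byte string, extracting both plain ASCII and UTF-16LE strings the way Windows binaries store them. The SAMPLE bytes are constructed here (a bogus MZ header with a few planted strings), and the table of magic numbers and the "interesting string" patterns are the author's own selection, not an exhaustive list.

```python
import hashlib
import re

# Magic numbers from the slide (MZ, %PDF, PK) plus a few more, as (offset, bytes, label).
MAGICS = [
    (0, b"MZ", "Windows executable (MZ)"),
    (0, b"%PDF", "PDF document (%PDF)"),
    (0, b"PK\x03\x04", "ZIP archive (PK); also Office OOXML, JAR, APK"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy Office)"),
    (0, b"FWS", "Flash SWF (uncompressed)"),
    (0, b"CWS", "Flash SWF (zlib-compressed)"),
    (0, b"\xca\xfe\xba\xbe", "Java class file"),
]

# Patterns that usually repay a closer look; constructed for this example.
INTERESTING = [
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url", re.compile(r"https?://[^\s\"']+")),
    ("hostname", re.compile(r"\b[a-z0-9-]*[a-z][a-z0-9-]*(?:\.[a-z0-9-]+)+\b", re.I)),
    ("registry", re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE\\Microsoft\\Windows\\CurrentVersion)[^\s\"']*", re.I)),
    ("net-api", re.compile(r"\b(?:WSAStartup|InternetOpen[AW]?|URLDownloadToFile[AW]?|HttpSendRequest[AW]?|gethostbyname)\b")),
]


def hashes(data):
    """Step b: hashes to look up in VirusTotal or a local malware zoo."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def real_file_type(data):
    """Step c: classify by leading bytes, ignoring whatever extension the file carries."""
    for offset, magic, label in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def extract_strings(data, min_len=4):
    """Step f: printable ASCII runs plus UTF-16LE runs (common in Windows binaries)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def interesting_strings(strings):
    """Group extracted strings by the pattern they hit; one string may hit several."""
    hits = {}
    for s in strings:
        for label, rx in INTERESTING:
            if rx.search(s):
                hits.setdefault(label, []).append(s)
    return hits


def triage(data):
    strings = extract_strings(data)
    return {
        "hashes": hashes(data),
        "type": real_file_type(data),
        "string_count": len(strings),
        "interesting": interesting_strings(strings),
    }


# Constructed stand-in for a sample: a bogus MZ header, padding, and planted strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 24
    + b"URLDownloadToFileA\x00" + b"\x00" * 8
    + b"http://update.example.test/dl.php\x00" + b"\x00" * 8
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00" + b"\x00" * 8
    + b"192.168.56.20\x00"
)

if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(data), indent=2))
```

Run it with a file path to triage a real sample, or with no argument to see the planted findings: the MZ classification, a URL, a host name, a Run-key path and a download API, all of which are exactly the "networking APIs for a non-networking app" signals step e is after.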
Methodology
2. Dynamic Analysis
a. Take RegShot & Start WireShark, Process Monitor, Process Explorer, FakeNet & TCPView
– Monitors File and Registry Access, Network Traffic, Process Creation, etc.
b. Execute Malware & Let It Run for 15 Minutes or Until Activity Dies Down
– Watching WireShark, Process Monitor, & TCPView for Anything Interesting
c. Take Second RegShot & Stop WireShark, Process Monitor, FakeNet
d. Compare Initial & Final RegShots & Review All Monitoring Tool Logs
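Step d is a diff of two snapshots: keys and values that appeared, disappeared or changed between the first RegShot and the second are, barring background noise, the sample's footprint. The following is an added example, not code from the talk or from RegShot, that performs that comparison on two in-memory snapshots and then flags the subset of changes that land in common autostart locations, which is where an analyst first looks for persistence. The BEFORE and AFTER snapshots, the key and value names in them, and the list of autostart markers are all constructed for the example.

```python
import copy

# Autostart locations worth flagging when they change during the run
# (constructed list for this example, not exhaustive; compared case-insensitively).
PERSISTENCE_MARKERS = [
    "\\currentversion\\run",
    "\\currentversion\\runonce",
    "\\currentcontrolset\\services\\",
    "\\winlogon\\",
    "\\policies\\explorer\\run",
]


def diff_snapshots(before, after):
    """RegShot-style comparison; each snapshot is {"keys": set(), "values": {path: data}}."""
    b_vals, a_vals = before["values"], after["values"]
    common = set(b_vals) & set(a_vals)
    return {
        "keys_added": sorted(after["keys"] - before["keys"]),
        "keys_deleted": sorted(before["keys"] - after["keys"]),
        "values_added": sorted(set(a_vals) - set(b_vals)),
        "values_deleted": sorted(set(b_vals) - set(a_vals)),
        "values_modified": sorted(p for p in common if b_vals[p] != a_vals[p]),
    }


def flag_persistence(report):
    """Paths from the diff that touch a known autostart location."""
    candidates = report["keys_added"] + report["values_added"] + report["values_modified"]
    return sorted(p for p in candidates if any(m in p.lower() for m in PERSISTENCE_MARKERS))


def render_report(before, after, report):
    """Plain-text summary in the spirit of RegShot's compare output."""
    sections = [("Keys added", "keys_added"), ("Keys deleted", "keys_deleted"),
                ("Values added", "values_added"), ("Values deleted", "values_deleted"),
                ("Values modified", "values_modified")]
    lines = []
    for title, key in sections:
        lines.append(f"{title}: {len(report[key])}")
        for path in report[key]:
            if key == "values_added":
                lines.append(f"  {path}: {after['values'][path]!r}")
            elif key == "values_deleted":
                lines.append(f"  {path}: {before['values'][path]!r}")
            elif key == "values_modified":
                lines.append(f"  {path}: {before['values'][path]!r} -> {after['values'][path]!r}")
            else:
                lines.append(f"  {path}")
    flagged = flag_persistence(report)
    lines.append(f"Possible persistence: {len(flagged)}")
    lines.extend(f"  {p}" for p in flagged)
    return "\n".join(lines)


# Constructed snapshots: a clean baseline and the state after a hypothetical run.
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"
IE_MAIN = r"HKCU\Software\Microsoft\Internet Explorer\Main"

BEFORE = {
    "keys": {RUN_HKLM, RUN_HKCU, SVC + r"\Tcpip", IE_MAIN},
    "values": {
        RUN_HKLM + r"\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        SVC + r"\Tcpip\Parameters\DhcpDomain": "lab.local",
        IE_MAIN + r"\Start Page": "about:blank",
    },
}

AFTER = copy.deepcopy(BEFORE)
AFTER["keys"].add(SVC + r"\svcupd")
AFTER["values"][RUN_HKCU + r"\Updater"] = r"C:\Documents and Settings\lab\Application Data\updater.exe"
AFTER["values"][SVC + r"\svcupd\ImagePath"] = r"C:\WINDOWS\system32\svcupd.exe"
AFTER["values"][IE_MAIN + r"\Start Page"] = "http://update.example.test/"
del AFTER["values"][SVC + r"\Tcpip\Parameters\DhcpDomain"]

if __name__ == "__main__":
    print(render_report(BEFORE, AFTER, diff_snapshots(BEFORE, AFTER)))
```

The noise problem is real on a live box (the OS and the monitoring tools themselves write to the registry), which is why the talk starts the tools before the first RegShot and takes the second only after activity dies down; the persistence filter is a first pass, and anything it flags still has to be read against the Process Monitor log to see which process made the change.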
Methodology
2. Dynamic Analysis (Regshot & Wireshark) – screenshot with callouts a-1 to a-3
Methodology
2. Dynamic Analysis (Process Monitor) – screenshot with callouts a-4 to a-6
Methodology
2. Dynamic Analysis (Process Explorer) – a-7. Just Start
Methodology
2. Dynamic Analysis (FakeNet) – a-8. Just Start
Methodology
2. Dynamic Analysis (TCPView) – a-9. Just Start
Methodology
2. Dynamic Analysis (Execute Malware)
• Double-Click EXE
• rundll32.exe DLLName, Export arguments
– PE Explorer to Discover Export Arguments
– E.g., rundll32.exe rip.dll, Install
• Watch All Monitoring Tools & Stop When Activity Dies Down
b. Just Monitor
Methodology
2. Dynamic Analysis (Spin Down) – screenshots with callouts c-1 to c-5
Methodology
2. Dynamic Analysis (Analysis)
• Save Logs for Future Reference
• Analyze
– screenshots with callouts c-6 and c-7
Methodology
3. Static Analysis
d. Use OllyDbg or IDA Pro to Disassemble & Analyze Deobfuscated Malware
– Just Stare at It
– ...
– Stare Some More
– ...
– And Some More
Where to Learn More
• OpenSecurityTraining.info
– “Reverse Engineering Malware”
• Matt Briggs & Frank Poz
• “Practical Malware Analysis” by M. Sikorski/A. Honig
• http://opensecuritytraining.info/ReverseEngineeringMalware.html
Where to Learn More
• Malware Analysis Toolkit:
http://zeltser.com/malware-analysis-toolkit/
• OpenRCE: http://www.openrce.org/
• TrainACE
– Advanced Malware Analysis (AMA)
• NoVA Infosec
– Workshop Style
– Posts
• Videos, How-Tos, etc. on News, Processes, REMnux, Noriben, and More
• http://novainfosec.com/tag/malware-analysis
Conclusion
• Introduction
• Environment
– Setup
– Single Box - Victim
– Dual+ Box – Fake Server
– Preconfigured
• Methodology
– Triage
– Dynamic Analysis
– Static Analysis
• Where to Learn More
– OpenSecurityTraining.info
– Zeltser.com
– OpenRCE.org
• Conclusion
Conclusion
Thanks
Questions?
• Twitter @grecs
• Website NovaInfosec.com
• Contact http://bit.ly/nispcontact

Malware Analysis: N00b to Ninja in 60 Minutes -- TakeDownCon St. Louis on June 3, 2013
