SlideShare una empresa de Scribd logo

Introduction to Malware Detection and Reverse Engineering

Descargar como PPTX, PDF
I
intertelinvestigations

Beginner level presentation on Malware Identification as part of the Malware Reverse Engineering course. Learn what malware is, how it functions, how it can be detected, identified and isolated for reverse engineering. For more information about malware detection and removal visit https://www.intertel.co.za

Internet
1 de 97
www.intertel.co.za
WHAT WE’LL BE COVERING • What is malware? • How do they infect hosts? • How do they hide? • How do they propagate? • How to detect them? www.intertel.co.za
WHAT IS MALWARE ? • Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do. www.intertel.co.za
WHAT IT IS GOOD FOR ? • Steal personal information • Delete files • Click fraud • Steal software serial numbers • Use your computer as relay www.intertel.co.za
THE MALWARE ZOO • Virus • Backdoor • Trojan horse • Rootkit • Scareware • Adware • Worm www.intertel.co.za
WHAT IS A VIRUS ? • a program that can infect other programs by modifying them to include a, possibly evolved, version of itself • Fred Cohen 1983 www.intertel.co.za
SOME VIRUS TYPE • Polymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer) • Methamorpic : Change after each infection www.intertel.co.za
WHAT IS A TROJAN A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer Wikipedia www.intertel.co.za
WHAT IS ROOTKIT • A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine • Symantec www.intertel.co.za
WHAT IS A WORM A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention. www.intertel.co.za
ALMOST 30 YEARS OF MALWARE • From Malware fighting malicious code www.intertel.co.za
NUMBER OF MALWARE SIGNATURES Symantec report 2009 www.intertel.co.za
MALWARE REPARTITION Panda Q1 report 2009 www.intertel.co.za
INFECTION METHODS www.intertel.co.za
WHAT TO INFECT • Executable • Interpreted file • Kernel • Service • MBR • Hypervisor www.intertel.co.za
OVERWRITING MALWARE Targeted Executable MalwareMalware www.intertel.co.za
PREPENDING MALWARE Targeted Executable Malware Infected host Executable Malware www.intertel.co.za
APPENDING MALWARE Targeted Executable Malware Infected host Executable Malware www.intertel.co.za
CAVITY MALWARE Targeted Executable Infected host Executable Malware Malware www.intertel.co.za
MULTI-CAVITY MALWARE Targeted Executable Malware Malware Malware Malware www.intertel.co.za
PACKERS Malware Infected host Executable Packer Payload www.intertel.co.za
PACKER FUNCTIONALITIES • Compress • Encrypt • Randomize (polymorphism) • Anti-debug technique (int / fake jmp) • Add-junk • Anti-VM • Virtualization www.intertel.co.za
AUTO START • Folder auto-start : C:Documents and Settings[user_name]Start MenuProgramsStartup • Win.ini : run=[backdoor]" or "load=[backdoor]". • System.ini : shell=”myexplorer.exe” • Wininit • Config.sys www.intertel.co.za
AUTO START CONT. • Assign know extension (.doc) to the malware • Add a Registry key such as HKCUSOFTWAREMicrosoftWindows CurrentVersionRun • Add a task in the task scheduler • Run as service www.intertel.co.za
UNIX AUTOSTART • Init.d • /etc/rc.local • .login .xsession • crontab • crontab -e • /etc/crontab www.intertel.co.za
MACRO VIRUS • Use the builtin script engine • Example of call back used (word) • AutoExec() • AutoClose() • AutoOpen() • AutoNew() www.intertel.co.za
DOCUMENT BASED MALWARE • MS Office • Open Office • Acrobat www.intertel.co.za
USERLAND ROOT KIT • Perform • login • sshd • passwd • Hide activity • ps • netstat • ls • find • du www.intertel.co.za
SUBVERTING THE KERNEL • Kernel task • Process management • File access • Memory management • Network management What to hide ➡Process ➡Files ➡Network traffic www.intertel.co.za
KERNEL ROOTKIT PS KERNEL Hardware : HD, keyboard, mouse, NIC, GPU P1 P2 P3 P3 rootkit www.intertel.co.za
SUBVERTING TECHNIQUES • Kernel patch • Loadable Kernel Module • Kernel memory patching (/dev/kmem) www.intertel.co.za
WINDOWS KERNEL P1 P2 Pn Csrss.e xe Win32 subsystem DLLs User32.dll, Gdi32.dll and Kernel32.dll Other Subsytems (OS/2 Posix) Ntdll.dll ntoskrnl.exe Hardware Abstraction Layer (HAL.dll) Hardware Underlying kernel Executive www.intertel.co.za
KERNEL DEVICE DRIVER P2 Win32 subsystem DLLs Ntdll.dll ntoskrnl.exe Interrupt Hook System service dispatcher System service dispatch table Driver Overwriting functions Driver Replacing Functions New pointer A C B www.intertel.co.za
MBR/BOOTKIT • Bootkits can be used to avoid all protections of an OS, because OS consider that the system was in trusted stated at the moment the OS boot loader took control. www.intertel.co.za
BIOS MBR VBS NT Boot Sector BOOTMGR.EXEWINLOAD.EXE Windows 7 kernel HAL.DLL www.intertel.co.za
VBOOT • Work on every Windows (vista,7) • 3ko • Bypass checks by letting them run and then do inflight patching • Communicate via ping www.intertel.co.za
HYPERVISOR ROOTKIT Target OS Hardware AppApp www.intertel.co.za
HYPERVISOR ROOTKIT Target OS Hardware AppApp Virtual machine monitorHost OS Rogue app www.intertel.co.za
PROPAGATION VECTOR www.intertel.co.za
SHARED FOLDER www.intertel.co.za
EMAIL PROPAGATION www.intertel.co.za
VALENTINE DAY ... www.intertel.co.za
EMAIL AGAIN www.intertel.co.za
FAKE ANTIVIRUS www.intertel.co.za
HIJACK YOU BROWSER www.intertel.co.za
FAKE PAGE ! www.intertel.co.za
P2P FILES • Popular query • 35.5% are malwares (Kalafut 2006) www.intertel.co.za
BACKDOOR www.intertel.co.za
BASIC Infected Host Attacker TCP www.intertel.co.za
REVERSE Infected Host Attacker TCP www.intertel.co.za
COVERT Infected Host Attacker ICMP www.intertel.co.za
RENDEZ VOUS BACKDOOR Infected Host Attacker RDV Point www.intertel.co.za
BESTIARY www.intertel.co.za
ADWARE www.intertel.co.za
BACKORIFICE • Defcon 1998 • new version in 2000 www.intertel.co.za
NETBUS • 1998 • Used for “prank” www.intertel.co.za
SYMANTEC PCANYWHERE www.intertel.co.za
BROWSER TOOLBAR ... www.intertel.co.za
TOOLBAR AGAIN www.intertel.co.za
RANSOMWARE • Trj/SMSlock.A • Russian ransomware • April 2009 To unlock you need to send an SMS with the text4121800286to the number3649 Enter the resulting code:Any attempt to reinstall the system may lead to loss of important information and computer damage from pandalab blog www.intertel.co.za
DETECTION www.intertel.co.za
ANTI-VIRUS • Analyze system behavior • Analyze binary to decide if it a virus • Type : • Scanner • Real time monitor www.intertel.co.za
IMPOSSIBILITY RESULT • It is not possible to build a perfect virus/malware detector (Cohen) www.intertel.co.za
IMPOSSIBILITY RESULT • Diagonal argument • P is a perfect detection program • V is a virus • V can call P • if P(V) = true -> halt • if P(V) = false -> spread www.intertel.co.za
VIRUS SIGNATURE • Find a string that can identify the virus • Fingerprint like www.intertel.co.za
HEURISTICS • Analyze program behavior • Network access • File open • Attempt to delete file • Attempt to modify the boot sector www.intertel.co.za
CHECKSUM • Compute a checksum for • Good binary • Configuration file • Detect change by comparing checksum • At some point there will more malware than “goodware” ... www.intertel.co.za
SANDBOX ANALYSIS • Running the executable in a VM • Observe it • File activity • Network • Memory www.intertel.co.za
DEALING WITH PACKER • Launch the exe • Wait until it is unpack • Dump the memory www.intertel.co.za
OUTLINE • What malware are • How do they infect hosts • How do they propagate • Zoo visit ! • How to detect them • Worms www.intertel.co.za
71 WORM A worm is self-replicating software designed to spread through the network  Typically, exploit security flaws in widely used services  Can cause enormous damage  Launch DDOS attacks, install bot networks  Access sensitive information  Cause confusion by corrupting the sensitive information Worm vs Virus vs Trojan horse  A virus is code embedded in a file or program  Viruses and Trojan horses rely on human intervention  Worms are self-contained and may spread autonomously www.intertel.co.za
72 COST OF WORM ATTACKS Morris worm, 1988  Infected approximately 6,000 machines  10% of computers connected to the Internet  cost ~ $10 million in downtime and cleanup Code Red worm, July 16 2001  Direct descendant of Morris’ worm  Infected more than 500,000 servers  Programmed to go into infinite sleep mode July 28  Caused ~ $2.6 Billion in damages, Love Bug worm: $8.75 billion • Statistics: Computer Economics Inc., Carlsbad, California www.intertel.co.za
73 INTERNET WORM (FIRST MAJOR ATTACK) Released November 1988  Program spread through Digital, Sun workstations  Exploited Unix security vulnerabilities  VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code Consequences  No immediate damage from program itself  Replication and threat of damage  Load on network, systems used in attack  Many systems shut down to prevent further attack www.intertel.co.za
74 SOME HISTORICAL WORMS OF NOTE Worm Date Distinction Morris 11/88 Used multiple vulnerabilities, propagate to “nearby” sys ADM 5/98 Random scanning of IP address space Ramen 1/01 Exploited three vulnerabilities Lion 3/01 Stealthy, rootkit worm Cheese 6/01 Vigilante worm that secured vulnerable systems Code Red 7/01 First sig Windows worm; Completely memory resident Walk 8/01 Recompiled source code locally Nimda 9/01 Windows worm: client-to-server, c-to-c, s-to-s, … Scalper 6/02 11 days after announcement of vulnerability; peer-to-peer network of compromised systems Slammer 1/03 Used a single UDP packet for explosive growth www.intertel.co.za
75 INCREASING PROPAGATION SPEED Code Red, July 2001  Affects Microsoft Index Server 2.0,  Windows 2000 Indexing service on Windows NT 4.0.  Windows 2000 that run IIS 4.0 and 5.0 Web servers  Exploits known buffer overflow in Idq.dll  Vulnerable population (360,000 servers) infected in 14 hours SQL Slammer, January 2003  Affects in Microsoft SQL 2000  Exploits known buffer overflow vulnerability  Server Resolution service vulnerability reported June 2002  Patched released in July 2002 Bulletin MS02-39  Vulnerable population infected in less than 10 minutes www.intertel.co.za
76 CODE RED Initial version released July 13, 2001  Sends its code as an HTTP request  HTTP request exploits buffer overflow  Malicious code is not stored in a file  Placed in memory and then run When executed,  Worm checks for the file C:Notworm  If file exists, the worm thread goes into infinite sleep state  Creates new threads  If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses www.intertel.co.za
77 CODE RED OF JULY 13 AND JULY 19 Initial release of July 13  1st through 20th month: Spread  via random scan of 32-bit IP addr space  20th through end of each month: attack.  Flooding attack against 198.137.240.91 (www.whitehouse.gov)  Failure to seed random number generator linear growth Revision released July 19, 2001.  White House responds to threat of flooding attack by changing the address of www.whitehouse.gov  Causes Code Red to die for date ≥ 20th of the month.  But: this time random number generator correctly seeded www.intertel.co.za
78 Infection rate www.intertel.co.za
79 MEASURING ACTIVITY: NETWORK TELESCOPE Monitor cross-section of Internet address space, measure traffic  “Backscatter” from DOS floods  Attackers probing blindly  Random scanning from worms LBNL’s cross-section: 1/32,768 of Internet UCSD, UWisc’s cross-section: 1/256. www.intertel.co.za
80 SPREAD OF CODE RED Network telescopes estimate of # infected hosts: 360K. (Beware DHCP & NAT) Course of infection fits classic logistic. Note: larger the vulnerable population, faster the worm spreads. That night (20th), worm dies … • … except for hosts with inaccurate clocks! It just takes one of these to restart the worm on August 1st … www.intertel.co.za
81 www.intertel.co.za
82 CODE RED 2 Released August 4, 2001. Comment in code: “Code Red 2.”  But in fact completely different code base. Payload: a root backdoor, resilient to reboots. Bug: crashes NT, only works on Windows 2000. Localized scanning: prefers nearby addresses. Kills Code Red 1. Safety valve: programmed to die Oct 1, 2001. www.intertel.co.za
83 STRIVING FOR GREATER VIRULENCE: NIMDA Released September 18, 2001. Multi-mode spreading:  attack IIS servers via infected clients  email itself to address book as a virus  copy itself across open network shares  modifying Web pages on infected servers w/ client exploit  scanning for Code Red II backdoors (!) worms form an ecosystem! Leaped across firewalls.www.intertel.co.za
84 Code Red 2 kills off Code Red 1 Code Red 2 settles into weekly pattern Nimda enters the ecosystem Code Red 2 dies off as programmed CR 1 returns thanks to bad clocks www.intertel.co.za
85 HOW DO WORMS PROPAGATE? Scanning worms : Worm chooses “random” address Coordinated scanning : Different worm instances scan different addresses Flash worms  Assemble tree of vulnerable hosts in advance, propagate along tree  Not observed in the wild, yet  Potential for 106 hosts in < 2 sec ! [Staniford] Meta-server worm :Ask server for hosts to infect (e.g., Google for “powered by phpbb”) Topological worm: Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”) Contagion worm : Propagate parasitically along with normally initiated communication www.intertel.co.za
SLAMMER • 01/25/2003 • Vulnerability disclosed : 25 june 2002 • Better scanning algorithm • UDP Single packet : 380bytes www.intertel.co.za
SLAMMER PROPAGATION www.intertel.co.za
NUMBER OF SCAN/SEC www.intertel.co.za
PACKET LOSS www.intertel.co.za
A SERVER VIEW www.intertel.co.za
CONSEQUENCES • ATM systems not available • Phone network overloaded (no 911!) • 5 DNS root down • Planes delayed www.intertel.co.za
92 WORM DETECTION AND DEFENSE Detect via honeyfarms: collections of “honeypots” fed by a network telescope.  Any outbound connection from honeyfarm = worm. • (at least, that’s the theory)  Distill signature from inbound/outbound traffic.  If telescope covers N addresses, expect detection when worm has infected 1/N of population. Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts  5 minutes to several weeks to write a signature  Several hours or more for testing www.intertel.co.za
93 SIGNATURE INFERENCE Challenge  need to automatically learn a content “signature” for each new worm – potentially in less than a second! Some proposed solutions  Singh et al, Automated Worm Fingerprinting, OSDI ’04  Kim et al, Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec ‘04 www.intertel.co.za
94 SIGNATURE INFERENCE Monitor network and look for strings common to traffic with worm-like behavior  Signatures can then be used for content filtering Slide: S Savage www.intertel.co.za
95 CONTENT SIFTING Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...) Two consequences  Content Prevalence: W will be more common in traffic than other bitstrings of the same length  Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic Slide: S Savage www.intertel.co.za
96 OBSERVATION: HIGH-PREVALENCE STRINGS ARE RARE (Stefan Savage, UCSD *) Only 0.6% of the 40 byte substrings repeat more than 3 times in a minute www.intertel.co.za
97 CHALLENGES Computation  To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps…  Dominated by memory references; state expensive  Content sifting requires looking at every byte in a packet State  On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table  Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM www.intertel.co.za

Recomendados

Malware Dectection Using Machine learning
Malware Dectection Using Machine learningMalware Dectection Using Machine learning
Malware Dectection Using Machine learningShubham Dubey
 
Malware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesMalware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesArshadRaja786
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malwareCysinfo Cyber Security Community
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Malware Detection using Machine Learning
Malware Detection using Machine Learning Malware Detection using Machine Learning
Malware Detection using Machine Learning Cysinfo Cyber Security Community
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 

Recomendados

Malware Dectection Using Machine learning
Malware Dectection Using Machine learningMalware Dectection Using Machine learning
Malware Dectection Using Machine learningShubham Dubey
 
Malware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesMalware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesArshadRaja786
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malwareCysinfo Cyber Security Community
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Malware Detection using Machine Learning
Malware Detection using Machine Learning Malware Detection using Machine Learning
Malware Detection using Machine Learning Cysinfo Cyber Security Community
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Malware and security
Malware and securityMalware and security
Malware and securityGurbakash Phonsa
 
Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
Malware and it's types
Malware and it's typesMalware and it's types
Malware and it's typesAakash Baloch
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis Cysinfo Cyber Security Community
 
Trojans and backdoors
Trojans and backdoorsTrojans and backdoors
Trojans and backdoorsGaurav Dalvi
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine LearningJapneet Singh
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Malware ppt
Malware pptMalware ppt
Malware pptFaiz Khan
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptxLakshayNRReddy
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
Machine Learning in Malware Detection
Machine Learning in Malware DetectionMachine Learning in Malware Detection
Machine Learning in Malware DetectionKaspersky
 
malware analysis
malware analysismalware analysis
malware analysis20CS201AkashR
 
Fast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approachFast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approachYury Leonychev
 
Virus & Anti Virus ppt
Virus & Anti Virus pptVirus & Anti Virus ppt
Virus & Anti Virus pptOECLIB Odisha Electronics Control Library
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
 
Computer Worms
Computer WormsComputer Worms
Computer Wormssadique_ghitm
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptxIkramSabir4
 
Evading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploitEvading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploitn|u - The Open Security Community
 
Reverse Engineering Malware Workshop
Reverse Engineering Malware WorkshopReverse Engineering Malware Workshop
Reverse Engineering Malware WorkshopMustafa Qasim
 

Más contenido relacionado

La actualidad más candente

Malware and it's types
Malware and it's typesMalware and it's types
Malware and it's typesAakash Baloch
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
 
Trojans and backdoors
Trojans and backdoorsTrojans and backdoors
Trojans and backdoorsGaurav Dalvi
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine LearningJapneet Singh
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptxLakshayNRReddy
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
Machine Learning in Malware Detection
Machine Learning in Malware DetectionMachine Learning in Malware Detection
Machine Learning in Malware DetectionKaspersky
 
Fast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approachFast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approachYury Leonychev
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptxIkramSabir4
 

La actualidad más candente (20)

Malware and security
Malware and securityMalware and security
Malware and security
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Malware and it's types
Malware and it's typesMalware and it's types
Malware and it's types
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning Perspective
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Trojans and backdoors
Trojans and backdoorsTrojans and backdoors
Trojans and backdoors
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine Learning
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Malware ppt
Malware pptMalware ppt
Malware ppt
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
Machine Learning in Malware Detection
Machine Learning in Malware DetectionMachine Learning in Malware Detection
Machine Learning in Malware Detection
 
malware analysis
malware analysismalware analysis
malware analysis
 
Fast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approachFast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approach
 
Virus & Anti Virus ppt
Virus & Anti Virus pptVirus & Anti Virus ppt
Virus & Anti Virus ppt
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptx
 

Destacado

Evading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploitEvading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploitn|u - The Open Security Community
 
Reverse Engineering Malware Workshop
Reverse Engineering Malware WorkshopReverse Engineering Malware Workshop
Reverse Engineering Malware WorkshopMustafa Qasim
 
Phân tích Confuser 1.9.0.0 - Anti-tamper protection - Bản dịch
Phân tích Confuser 1.9.0.0 - Anti-tamper protection - Bản dịchPhân tích Confuser 1.9.0.0 - Anti-tamper protection - Bản dịch
Phân tích Confuser 1.9.0.0 - Anti-tamper protection - Bản dịchLevis Nickaster
 
Hacking de4dot for fun - Bài dịch
Hacking de4dot for fun - Bài dịchHacking de4dot for fun - Bài dịch
Hacking de4dot for fun - Bài dịchLevis Nickaster
 
Hướng dẫn deobfuscate DotnetPatcher 3.1 - Bài dịch
Hướng dẫn deobfuscate DotnetPatcher 3.1 - Bài dịchHướng dẫn deobfuscate DotnetPatcher 3.1 - Bài dịch
Hướng dẫn deobfuscate DotnetPatcher 3.1 - Bài dịchLevis Nickaster
 
Reverse Engineering in Linux - The tools showcase
Reverse Engineering in Linux - The tools showcaseReverse Engineering in Linux - The tools showcase
Reverse Engineering in Linux - The tools showcaseLevis Nickaster
 
Xây dựng nhóm phân tích mã độc
Xây dựng nhóm phân tích mã độcXây dựng nhóm phân tích mã độc
Xây dựng nhóm phân tích mã độcLevis Nickaster
 
Tong Quan Ve Malware
Tong Quan Ve MalwareTong Quan Ve Malware
Tong Quan Ve Malwareguest4a3ff91
 
Understanding APT1 malware techniques using malware analysis and reverse engi...
Understanding APT1 malware techniques using malware analysis and reverse engi...Understanding APT1 malware techniques using malware analysis and reverse engi...
Understanding APT1 malware techniques using malware analysis and reverse engi...Cysinfo Cyber Security Community
 

Destacado (9)

Evading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploitEvading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploit
 
Reverse Engineering Malware Workshop
Reverse Engineering Malware WorkshopReverse Engineering Malware Workshop
Reverse Engineering Malware Workshop
 
Phân tích Confuser 1.9.0.0 - Anti-tamper protection - Bản dịch
Phân tích Confuser 1.9.0.0 - Anti-tamper protection - Bản dịchPhân tích Confuser 1.9.0.0 - Anti-tamper protection - Bản dịch
Phân tích Confuser 1.9.0.0 - Anti-tamper protection - Bản dịch
 
Hacking de4dot for fun - Bài dịch
Hacking de4dot for fun - Bài dịchHacking de4dot for fun - Bài dịch
Hacking de4dot for fun - Bài dịch
 
Hướng dẫn deobfuscate DotnetPatcher 3.1 - Bài dịch
Hướng dẫn deobfuscate DotnetPatcher 3.1 - Bài dịchHướng dẫn deobfuscate DotnetPatcher 3.1 - Bài dịch
Hướng dẫn deobfuscate DotnetPatcher 3.1 - Bài dịch
 
Reverse Engineering in Linux - The tools showcase
Reverse Engineering in Linux - The tools showcaseReverse Engineering in Linux - The tools showcase
Reverse Engineering in Linux - The tools showcase
 
Xây dựng nhóm phân tích mã độc
Xây dựng nhóm phân tích mã độcXây dựng nhóm phân tích mã độc
Xây dựng nhóm phân tích mã độc
 
Tong Quan Ve Malware
Tong Quan Ve MalwareTong Quan Ve Malware
Tong Quan Ve Malware
 
Understanding APT1 malware techniques using malware analysis and reverse engi...
Understanding APT1 malware techniques using malware analysis and reverse engi...Understanding APT1 malware techniques using malware analysis and reverse engi...
Understanding APT1 malware techniques using malware analysis and reverse engi...
 

Similar a Introduction to Malware Detection and Reverse Engineering

Kinds of Viruses
Kinds of VirusesKinds of Viruses
Kinds of Virusesjenniel143
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software rajakhurram
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 
computer viruses
computer virusescomputer viruses
computer virusesupenthira I
 
6unit1 virus and their types
6unit1 virus and their types6unit1 virus and their types
6unit1 virus and their typesNeha Kurale
 
Virus and Worms
Virus and WormsVirus and Worms
Virus and WormsGrittyCC
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam261127
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch Pruthvi Monarch
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and EthicsMohsin Riaz
 
Trojan horsies prez
Trojan horsies prezTrojan horsies prez
Trojan horsies prezStudio Sheen
 
computer virus full explain ppt.pptx
computer virus full explain ppt.pptxcomputer virus full explain ppt.pptx
computer virus full explain ppt.pptxTayyabaAbbas4
 

Similar a Introduction to Malware Detection and Reverse Engineering (20)

Malware
MalwareMalware
Malware
 
Virus vs worms vs trojans
Virus vs worms vs trojansVirus vs worms vs trojans
Virus vs worms vs trojans
 
Kinds of Viruses
Kinds of VirusesKinds of Viruses
Kinds of Viruses
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
 
Isas
IsasIsas
Isas
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 
computer viruses
computer virusescomputer viruses
computer viruses
 
6unit1 virus and their types
6unit1 virus and their types6unit1 virus and their types
6unit1 virus and their types
 
Viruses &amp; worms
Viruses &amp; wormsViruses &amp; worms
Viruses &amp; worms
 
Virus and Worms
Virus and WormsVirus and Worms
Virus and Worms
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Malicious
MaliciousMalicious
Malicious
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
 
Trojan horsies prez
Trojan horsies prezTrojan horsies prez
Trojan horsies prez
 
computer virus full explain ppt.pptx
computer virus full explain ppt.pptxcomputer virus full explain ppt.pptx
computer virus full explain ppt.pptx
 
Isys20261 lecture 05
Isys20261 lecture 05Isys20261 lecture 05
Isys20261 lecture 05
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
 

Último

✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Onlineanilsa9823
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Último (20)

✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 

Introduction to Malware Detection and Reverse Engineering

  • 2. WHAT WE’LL BE COVERING • What is malware? • How do they infect hosts? • How do they hide? • How do they propagate? • How to detect them? www.intertel.co.za
  • 3. WHAT IS MALWARE ? • Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do. www.intertel.co.za
  • 4. WHAT IT IS GOOD FOR ? • Steal personal information • Delete files • Click fraud • Steal software serial numbers • Use your computer as relay www.intertel.co.za
  • 5. THE MALWARE ZOO • Virus • Backdoor • Trojan horse • Rootkit • Scareware • Adware • Worm www.intertel.co.za
  • 6. WHAT IS A VIRUS ? • a program that can infect other programs by modifying them to include a, possibly evolved, version of itself • Fred Cohen 1983 www.intertel.co.za
  • 7. SOME VIRUS TYPE • Polymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer) • Methamorpic : Change after each infection www.intertel.co.za
  • 8. WHAT IS A TROJAN A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer Wikipedia www.intertel.co.za
  • 9. WHAT IS ROOTKIT • A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine • Symantec www.intertel.co.za
  • 10. WHAT IS A WORM A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention. www.intertel.co.za
  • 11. ALMOST 30 YEARS OF MALWARE • From Malware fighting malicious code www.intertel.co.za
  • 12. NUMBER OF MALWARE SIGNATURES Symantec report 2009 www.intertel.co.za
  • 13. MALWARE REPARTITION Panda Q1 report 2009 www.intertel.co.za
  • 15. WHAT TO INFECT • Executable • Interpreted file • Kernel • Service • MBR • Hypervisor www.intertel.co.za
  • 22. PACKER FUNCTIONALITIES • Compress • Encrypt • Randomize (polymorphism) • Anti-debug technique (int / fake jmp) • Add-junk • Anti-VM • Virtualization www.intertel.co.za
  • 23. AUTO START • Folder auto-start : C:Documents and Settings[user_name]Start MenuProgramsStartup • Win.ini : run=[backdoor]" or "load=[backdoor]". • System.ini : shell=”myexplorer.exe” • Wininit • Config.sys www.intertel.co.za
  • 24. AUTO START CONT. • Assign know extension (.doc) to the malware • Add a Registry key such as HKCUSOFTWAREMicrosoftWindows CurrentVersionRun • Add a task in the task scheduler • Run as service www.intertel.co.za
  • 25. UNIX AUTOSTART • Init.d • /etc/rc.local • .login .xsession • crontab • crontab -e • /etc/crontab www.intertel.co.za
  • 26. MACRO VIRUS • Use the builtin script engine • Example of call back used (word) • AutoExec() • AutoClose() • AutoOpen() • AutoNew() www.intertel.co.za
  • 27. DOCUMENT BASED MALWARE • MS Office • Open Office • Acrobat www.intertel.co.za
  • 28. USERLAND ROOT KIT • Perform • login • sshd • passwd • Hide activity • ps • netstat • ls • find • du www.intertel.co.za
  • 29. SUBVERTING THE KERNEL • Kernel task • Process management • File access • Memory management • Network management What to hide ➡Process ➡Files ➡Network traffic www.intertel.co.za
  • 30. KERNEL ROOTKIT PS KERNEL Hardware : HD, keyboard, mouse, NIC, GPU P1 P2 P3 P3 rootkit www.intertel.co.za
  • 31. SUBVERTING TECHNIQUES • Kernel patch • Loadable Kernel Module • Kernel memory patching (/dev/kmem) www.intertel.co.za
  • 32. WINDOWS KERNEL P1 P2 Pn Csrss.e xe Win32 subsystem DLLs User32.dll, Gdi32.dll and Kernel32.dll Other Subsytems (OS/2 Posix) Ntdll.dll ntoskrnl.exe Hardware Abstraction Layer (HAL.dll) Hardware Underlying kernel Executive www.intertel.co.za
  • 33. KERNEL DEVICE DRIVER P2 Win32 subsystem DLLs Ntdll.dll ntoskrnl.exe Interrupt Hook System service dispatcher System service dispatch table Driver Overwriting functions Driver Replacing Functions New pointer A C B www.intertel.co.za
  • 34. MBR/BOOTKIT • Bootkits can be used to avoid all protections of an OS, because OS consider that the system was in trusted stated at the moment the OS boot loader took control. www.intertel.co.za
  • 35. BIOS MBR VBS NT Boot Sector BOOTMGR.EXEWINLOAD.EXE Windows 7 kernel HAL.DLL www.intertel.co.za
  • 36. VBOOT • Work on every Windows (vista,7) • 3ko • Bypass checks by letting them run and then do inflight patching • Communicate via ping www.intertel.co.za
  • 38. HYPERVISOR ROOTKIT Target OS Hardware AppApp Virtual machine monitorHost OS Rogue app www.intertel.co.za
  • 47. P2P FILES • Popular query • 35.5% are malwares (Kalafut 2006) www.intertel.co.za
  • 55. BACKORIFICE • Defcon 1998 • new version in 2000 www.intertel.co.za
  • 56. NETBUS • 1998 • Used for “prank” www.intertel.co.za
  • 60. RANSOMWARE • Trj/SMSlock.A • Russian ransomware • April 2009 To unlock you need to send an SMS with the text4121800286to the number3649 Enter the resulting code:Any attempt to reinstall the system may lead to loss of important information and computer damage from pandalab blog www.intertel.co.za
  • 62. ANTI-VIRUS • Analyze system behavior • Analyze binary to decide if it a virus • Type : • Scanner • Real time monitor www.intertel.co.za
  • 63. IMPOSSIBILITY RESULT • It is not possible to build a perfect virus/malware detector (Cohen) www.intertel.co.za
  • 64. IMPOSSIBILITY RESULT • Diagonal argument • P is a perfect detection program • V is a virus • V can call P • if P(V) = true -> halt • if P(V) = false -> spread www.intertel.co.za
  • 65. VIRUS SIGNATURE • Find a string that can identify the virus • Fingerprint like www.intertel.co.za
  • 66. HEURISTICS • Analyze program behavior • Network access • File open • Attempt to delete file • Attempt to modify the boot sector www.intertel.co.za
  • 67. CHECKSUM • Compute a checksum for • Good binary • Configuration file • Detect change by comparing checksum • At some point there will more malware than “goodware” ... www.intertel.co.za
  • 68. SANDBOX ANALYSIS • Running the executable in a VM • Observe it • File activity • Network • Memory www.intertel.co.za
  • 69. DEALING WITH PACKER • Launch the exe • Wait until it is unpack • Dump the memory www.intertel.co.za
  • 70. OUTLINE • What malware are • How do they infect hosts • How do they propagate • Zoo visit ! • How to detect them • Worms www.intertel.co.za
  • 71. 71 WORM A worm is self-replicating software designed to spread through the network  Typically, exploit security flaws in widely used services  Can cause enormous damage  Launch DDOS attacks, install bot networks  Access sensitive information  Cause confusion by corrupting the sensitive information Worm vs Virus vs Trojan horse  A virus is code embedded in a file or program  Viruses and Trojan horses rely on human intervention  Worms are self-contained and may spread autonomously www.intertel.co.za
  • 72. 72 COST OF WORM ATTACKS Morris worm, 1988  Infected approximately 6,000 machines  10% of computers connected to the Internet  cost ~ $10 million in downtime and cleanup Code Red worm, July 16 2001  Direct descendant of Morris’ worm  Infected more than 500,000 servers  Programmed to go into infinite sleep mode July 28  Caused ~ $2.6 Billion in damages, Love Bug worm: $8.75 billion • Statistics: Computer Economics Inc., Carlsbad, California www.intertel.co.za
  • 73. 73 INTERNET WORM (FIRST MAJOR ATTACK) Released November 1988  Program spread through Digital, Sun workstations  Exploited Unix security vulnerabilities  VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code Consequences  No immediate damage from program itself  Replication and threat of damage  Load on network, systems used in attack  Many systems shut down to prevent further attack www.intertel.co.za
  • 74. 74 SOME HISTORICAL WORMS OF NOTE Worm Date Distinction Morris 11/88 Used multiple vulnerabilities, propagate to “nearby” sys ADM 5/98 Random scanning of IP address space Ramen 1/01 Exploited three vulnerabilities Lion 3/01 Stealthy, rootkit worm Cheese 6/01 Vigilante worm that secured vulnerable systems Code Red 7/01 First sig Windows worm; Completely memory resident Walk 8/01 Recompiled source code locally Nimda 9/01 Windows worm: client-to-server, c-to-c, s-to-s, … Scalper 6/02 11 days after announcement of vulnerability; peer-to-peer network of compromised systems Slammer 1/03 Used a single UDP packet for explosive growth www.intertel.co.za
  • 75. 75 INCREASING PROPAGATION SPEED Code Red, July 2001  Affects Microsoft Index Server 2.0,  Windows 2000 Indexing service on Windows NT 4.0.  Windows 2000 that run IIS 4.0 and 5.0 Web servers  Exploits known buffer overflow in Idq.dll  Vulnerable population (360,000 servers) infected in 14 hours SQL Slammer, January 2003  Affects in Microsoft SQL 2000  Exploits known buffer overflow vulnerability  Server Resolution service vulnerability reported June 2002  Patched released in July 2002 Bulletin MS02-39  Vulnerable population infected in less than 10 minutes www.intertel.co.za
  • 76. 76 CODE RED Initial version released July 13, 2001  Sends its code as an HTTP request  HTTP request exploits buffer overflow  Malicious code is not stored in a file  Placed in memory and then run When executed,  Worm checks for the file C:Notworm  If file exists, the worm thread goes into infinite sleep state  Creates new threads  If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses www.intertel.co.za
  • 77. 77 CODE RED OF JULY 13 AND JULY 19 Initial release of July 13  1st through 20th month: Spread  via random scan of 32-bit IP addr space  20th through end of each month: attack.  Flooding attack against 198.137.240.91 (www.whitehouse.gov)  Failure to seed random number generator linear growth Revision released July 19, 2001.  White House responds to threat of flooding attack by changing the address of www.whitehouse.gov  Causes Code Red to die for date ≥ 20th of the month.  But: this time random number generator correctly seeded www.intertel.co.za
  • 79. 79 MEASURING ACTIVITY: NETWORK TELESCOPE Monitor cross-section of Internet address space, measure traffic  “Backscatter” from DOS floods  Attackers probing blindly  Random scanning from worms LBNL’s cross-section: 1/32,768 of Internet UCSD, UWisc’s cross-section: 1/256. www.intertel.co.za
  • 80. 80 SPREAD OF CODE RED Network telescopes estimate of # infected hosts: 360K. (Beware DHCP & NAT) Course of infection fits classic logistic. Note: larger the vulnerable population, faster the worm spreads. That night (20th), worm dies … • … except for hosts with inaccurate clocks! It just takes one of these to restart the worm on August 1st … www.intertel.co.za
  • 82. 82 CODE RED 2 Released August 4, 2001. Comment in code: “Code Red 2.”  But in fact completely different code base. Payload: a root backdoor, resilient to reboots. Bug: crashes NT, only works on Windows 2000. Localized scanning: prefers nearby addresses. Kills Code Red 1. Safety valve: programmed to die Oct 1, 2001. www.intertel.co.za
  • 83. 83 STRIVING FOR GREATER VIRULENCE: NIMDA Released September 18, 2001. Multi-mode spreading:  attack IIS servers via infected clients  email itself to address book as a virus  copy itself across open network shares  modifying Web pages on infected servers w/ client exploit  scanning for Code Red II backdoors (!) worms form an ecosystem! Leaped across firewalls.www.intertel.co.za
  • 84. 84 Code Red 2 kills off Code Red 1 Code Red 2 settles into weekly pattern Nimda enters the ecosystem Code Red 2 dies off as programmed CR 1 returns thanks to bad clocks www.intertel.co.za
  • 85. 85 HOW DO WORMS PROPAGATE? Scanning worms : Worm chooses “random” address Coordinated scanning : Different worm instances scan different addresses Flash worms  Assemble tree of vulnerable hosts in advance, propagate along tree  Not observed in the wild, yet  Potential for 106 hosts in < 2 sec ! [Staniford] Meta-server worm :Ask server for hosts to infect (e.g., Google for “powered by phpbb”) Topological worm: Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”) Contagion worm : Propagate parasitically along with normally initiated communication www.intertel.co.za
  • 86. SLAMMER • 01/25/2003 • Vulnerability disclosed : 25 june 2002 • Better scanning algorithm • UDP Single packet : 380bytes www.intertel.co.za
  • 91. CONSEQUENCES • ATM systems not available • Phone network overloaded (no 911!) • 5 DNS root down • Planes delayed www.intertel.co.za
  • 92. 92 WORM DETECTION AND DEFENSE Detect via honeyfarms: collections of “honeypots” fed by a network telescope.  Any outbound connection from honeyfarm = worm. • (at least, that’s the theory)  Distill signature from inbound/outbound traffic.  If telescope covers N addresses, expect detection when worm has infected 1/N of population. Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts  5 minutes to several weeks to write a signature  Several hours or more for testing www.intertel.co.za
  • 93. 93 SIGNATURE INFERENCE Challenge  need to automatically learn a content “signature” for each new worm – potentially in less than a second! Some proposed solutions  Singh et al, Automated Worm Fingerprinting, OSDI ’04  Kim et al, Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec ‘04 www.intertel.co.za
  • 94. 94 SIGNATURE INFERENCE Monitor network and look for strings common to traffic with worm-like behavior  Signatures can then be used for content filtering Slide: S Savage www.intertel.co.za
  • 95. 95 CONTENT SIFTING Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...) Two consequences  Content Prevalence: W will be more common in traffic than other bitstrings of the same length  Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic Slide: S Savage www.intertel.co.za
  • 96. 96 OBSERVATION: HIGH-PREVALENCE STRINGS ARE RARE (Stefan Savage, UCSD *) Only 0.6% of the 40 byte substrings repeat more than 3 times in a minute www.intertel.co.za
  • 97. 97 CHALLENGES Computation  To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps…  Dominated by memory references; state expensive  Content sifting requires looking at every byte in a packet State  On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table  Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM www.intertel.co.za

Notas del editor

  1. more like autoexec.bat etc
  2. Crss.exe Client/server run time sub system -> used to run a keep state of process => can be query in userland Ntdll -> convert api call to kernel call NTll do call gate jumps Executive dispatch syscall to the underlying kernel SSDT system service dispatch table HAL.dll hardware abstraction Transition using the int0x2E interrupt
  3. A Overwrite B Redirect by patching the service dispatch table C Redirect the interrupt
  4. VBS : volume boot sector MBR: master boot record white unknown green - 16 bits red 32 bits blue 64 bits
  5. Blue pill (Joanna) SubVirt (Microsoft)
  6. Blue pill (Joanna) injection method using raw disk access from user mode patched need a signed driver
  7. Sir Dystic Cult of the dead cow demonstrate the vuln of 98
  8. used to plant child pornography on the work computer of Magnus Eriksson law scholar at Lund University. The 3,500 images n lost his research position Fled the country acquitted in 2004
  9. Speak of sending mail