Malware Analysis Reverse Engineering Workshop (44Con 2013)
SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON)
Grab a copy of the files
• Thumb drives being passed around
– Disclaimer about new malware of your own
• Wifi
– SSID hbn
– PSK ILoveTheSmellOfHackInTheMorning
– www http://192.168.252.5/
Agenda
1. Basic Concepts
2. Behavior Analysis
3. Memory Analysis
4. Static Analysis
What is Malware
• Any piece of software that performs malicious activities.
– Executable
– Documents
– Flash
– Java
– …
Types of Malware
• Some examples of categories
– Worm
– Trojan
– Spyware
– Adware
– Ransomware
– Rootkit
– Keyloggers
– Stealers
– Virus
– Backdoor
Windows Executable
• PE File: an executable under the hood
• Structure:
– Imported Functions
– Exported Functions
– Sections
– Code
– Data
– Relocation information
– Certificate
Binary Content
(image-only slide)
Interpreted Content
(image-only slide)
The BIG picture
(image-only slide)
PE Explorer
• Examining the content of a Windows executable (exe, cpl, ocx, dll, …)
• Editor, disassembler, resource editor.
(screenshot: Imports, Dependencies, Sections, Resource, Data Directories, General Info and Editor panes)
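The two slides above describe the PE layout (headers, sections, imports) and PE Explorer as the tool for inspecting it. The following is an added example, not code from the workshop or from PE Explorer: a stdlib-only PE header parser that walks the DOS header, COFF header, optional header and section table, then reports the cheap static hints an analyst looks for before running anything (writable+executable sections, sections with no data on disk, non-standard section names, an entry point outside .text). The sample image it builds is constructed in the code and is not a real program; the section name `.upx1` and all offsets are invented for the demo.

```python
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".pdata"}
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Read DOS header, COFF header, optional header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:  # PE32+: no BaseOfData field, ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"machine": machine, "magic": magic, "entry": entry, "image_base": image_base,
            "characteristics": characteristics, "sections": sections}


def suspicious_traits(pe):
    """Static hints that an image is packed or tampered with; the same checks done by eye in PE Explorer."""
    findings = []
    entry_section = None
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %s is writable and executable" % s["name"])
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append("section %s has no data on disk but %#x bytes in memory (filled at runtime?)"
                            % (s["name"], s["vsize"]))
        if s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name %r" % s["name"])
    if entry_section is None:
        findings.append("entry point %#x lies outside every section" % pe["entry"])
    elif entry_section["name"] != ".text":
        findings.append("entry point %#x is in section %s rather than .text" % (pe["entry"], entry_section["name"]))
    return findings


def build_sample_pe():
    """Constructed minimal PE32 header set for the demo (not a runnable program)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x3000)           # AddressOfEntryPoint (inside .upx1 below)
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    table = b""
    for name, vsize, vaddr, rawsize, rawptr, flags in (
        (b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020),   # code, read + execute
        (b".upx1", 0x5000, 0x2000, 0x0, 0x400, 0xE0000040),     # empty on disk, RWX: packer-like
    ):
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print("machine=%#x magic=%#x entry=%#x sections=%d" % (info["machine"], info["magic"], info["entry"], len(info["sections"])))
    for finding in suspicious_traits(info):
        print(" -", finding)
```

Run it with a file path to parse a real executable, or with no arguments to parse the constructed sample. Compare the findings with what PE Explorer shows in its Sections pane for installer.exe and pafish.exe; a packed sample typically shows exactly the pattern the constructed image does (tiny or empty raw sections, RWX flags, entry point outside .text).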
LAB – 1
• Use PE Explorer over installer.exe and pafish.exe
• Questions
– Could you enumerate some notable differences?
– Could you find something interesting in installer.exe?
LAB – 1 (three image-only slides)
From File to Process
• Loader: Read Header → Place Executable in Memory → Create Process Object
Monitoring Behavior
(diagram: a Process loading several DLLs, each exporting Fun1, Fun2, Fun3)
• Interaction with the Operating System
• File Activity
• Network flows
• Registry monitor
• Api Calls
Behavior Analysis
• Execution in a controlled environment.
• Not as time consuming as static analysis.
• Focused on results.
• VM and Snapshots.
• MSDN – Api calls
What are we looking for
• New processes
• Code injection
• Downloads
• File activity
• Persistence mechanism
• Registry changes
• C&C Communication
• Network activity (LAN)
Process Monitor
• Included in the Sysinternals Suite with many other interesting tools.
(screenshot: Filter, Search, Event and Filter by Event controls)
Lab – 2 (File Activities)
• Open Process Explorer
• Execute installer.exe
• Filter the results
• Questions
– Which file was created?
– Where?
– Why has the installer.exe vanished?
LAB – 2 (Answers: two image-only slides)
Lab – 3 (Process Activities)
• Use the previous capture
• Questions
– How many processes were spawned?
– Could you identify who deleted the original installer.exe file?
Lab – 3 (Answers: two image-only slides)
Regshot
• Takes Registry Snapshots
• Compares Snapshots
Regshot Report
(image-only slide)
Lab – 4 (Registry)
• Restore the Snapshot
• Execute Regshot and take a first snapshot.
• Execute Process Explorer.
• Execute installer.exe.
• Sleep 1m
• Take a second snapshot and compare.
• Questions
– Could you identify the persistence mechanism using RegShot?
– And with Process Monitor?
– Could you find any new service added by the malware?
Lab – 4 (Answer: two image-only slides)
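Regshot's comparison report lists every key and value that changed between the two snapshots; Lab 4 asks you to pick the persistence mechanism and any new service out of that list. The following is an added example, not part of the workshop material or of Regshot: it parses the plain-text report into its "Keys added" / "Values added" / "Values modified" blocks and flags the locations that commonly carry persistence (Run/RunOnce values, service ImagePath values, Winlogon Shell/Userinit). The report text is constructed for the example in the general shape of Regshot's output, and the service name `UpdSvc` and all paths are invented.

```python
import re
import sys

# Constructed Regshot-style comparison report (format approximated, entries invented).
SAMPLE_REPORT = r'''Regshot 1.9.0 x86 ANSI
Comments:
Datetime:2013/09/12 10:00:00  ,  2013/09/12 10:01:30
Computer:WIN7 , WIN7
Username:user , user

----------------------------------
Keys added: 2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\services\UpdSvc
HKLM\SYSTEM\CurrentControlSet\services\UpdSvc\Parameters

----------------------------------
Values added: 3
----------------------------------
HKLM\SYSTEM\CurrentControlSet\services\UpdSvc\ImagePath: "C:\Users\user\AppData\Roaming\update\svchost.exe"
HKLM\SYSTEM\CurrentControlSet\services\UpdSvc\Start: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater: "C:\Users\user\AppData\Roaming\update\svchost.exe"

----------------------------------
Values modified: 1
----------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002

----------------------------------
Total changes: 6
----------------------------------
'''

# Value-name patterns that are worth a second look because they start code at boot or logon.
PERSISTENCE_LOCATIONS = [
    (r"\\CurrentVersion\\Run(Once)?\\", "autostart Run key"),
    (r"\\CurrentControlSet\\services\\[^\\]+\\ImagePath$", "service image path"),
    (r"\\Winlogon\\(Shell|Userinit)$", "Winlogon hijack"),
]
BLOCK_HEADER = re.compile(r"^(Keys added|Keys deleted|Values added|Values deleted|Values modified): \d+$")


def parse_report(text):
    """Split the report into {block name: [entry lines]} using the 'Xxx added: N' headers."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = BLOCK_HEADER.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        if line.startswith("Total changes"):
            current = None
        if current and line.strip() and not line.startswith("----"):
            blocks[current].append(line.rstrip())
    return blocks


def persistence_hits(blocks):
    """(label, value name, data) for added or modified values under known autostart locations."""
    hits = []
    for line in blocks.get("Values added", []) + blocks.get("Values modified", []):
        name, _, data = line.partition(": ")
        for pattern, label in PERSISTENCE_LOCATIONS:
            if re.search(pattern, name, re.IGNORECASE):
                hits.append((label, name, data))
    return hits


def new_services(blocks):
    """Service names whose top-level key appeared between the snapshots."""
    found = set()
    for key in blocks.get("Keys added", []):
        m = re.match(r"^HKLM\\SYSTEM\\CurrentControlSet\\services\\([^\\]+)$", key, re.IGNORECASE)
        if m:
            found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    blocks = parse_report(text)
    print("new services:", new_services(blocks))
    for label, name, data in persistence_hits(blocks):
        print("%-20s %s = %s" % (label, name, data))
```

Give it the saved Regshot comparison as the first argument; with none it runs over the constructed report. In a "Values modified" block Regshot prints the old and new data as two lines with the same value name, so both appear in the hits if the name matches; that is deliberate, since the change itself is the indicator.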
Network Activity
• Wireshark is a well known network sniffer.
• Many protocol decoders
• Drawback: Secure connections
(screenshot: Start, Stop, Restart and Capture Options controls)
Lab – 5
• Network Activity – Wireshark
• Questions
– Did the malware contact with a C&C?
– Was it successful?
– What was the IP/domain name?
– Could you find information about the C&C?
• DNS redirection (*)
Lab – 5 (Answers: three image-only slides)
SysAnalyzer
• Logs some interesting APIs
• Sniffer
• Less noisy
• Less information
Lab – 7
• Run installer.exe and compare the results from previous tools.
API Monitor
• Logs a selectable subset of a very large set of Windows APIs
• Low-level information
• Don’t try to log all of them
API Monitor
(screenshot: Start new process, Filters)
WinApiOverride32
(image-only slide)
Lab – 8
• Log the network and file activity
• Monitor newly created processes on demand.
• Questions
– Could you find the C&C?
– Could you find when the file is deleted?
LAB – 8 (Answers)
(image-only slide)
• Were you able to find the C&C?
• Why?
Sandbox
• Why not automation?
• Cuckoo Sandbox executes the malware inside a VM for us.
• Analyzer and reporting system all in one solution.
• Extensible
• Must be installed on Linux
Submit Samples
• Web interface
• Command Line
Cuckoo Architecture
(diagram) Host: Cuckoo.py, Processors, Signatures, Reports. Virtual Machine: Agent.py, Analyzer.py, Cuckoomon.dll, malware.
Lab – 9
• Upload a sample to the Sandbox
• Meanwhile, check the report for sample a6ff0e175acc7aaa3c2a855e44b11e3b.
• Questions
– Could you identify the same indicators of compromise extracted with the previous tools?
– Could you find the C&C?
– And the function call?
Lab – 9 (Answers: two image-only slides)
Post Mortem Analysis
• Volatility can extract information from a memory dump.
• Hidden processes, handles, connections, …
• Malfind
• Dump memory from Cuckoo, Winpmem, …
Dumping Memory
(image-only slides: Cuckoo, VirtualBox)
Volatility
• Offline Memory analysis tool
• Search for
– Open handles
– Hooked Apis
– New Dlls
– Hidden processes
– Registry values
• No diff tool (Anyone?)
LAB – 10
• Dump memory from a clean system
• List the processes
• Find explorer.exe and list its dlls
• Store this information in a file and repeat the whole process with the malware running
• Question
– Could you find anything suspicious?
LAB – 10 (Answers: three image-only slides)
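The Volatility slide notes that there is no diff tool, and Lab 10 has you save the process list and explorer.exe's module list from a clean dump and again with the sample running. As an added example (not workshop code and not part of Volatility), the script below does that comparison: it parses the text output of Volatility 2's `pslist` and `dlllist` plugins, reports processes that appeared or disappeared, and lists modules newly loaded into each process, marking those that live outside the Windows directory. The outputs embedded here are constructed in the shape of those plugins' columns; every PID, offset and path is invented, and the "infected" listings simply append one process and one module to the clean ones.

```python
import re
import sys

# Constructed Volatility 2-style pslist output for a clean system (values invented).
CLEAN_PSLIST = '''Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------
0x83f2d020 System                    4      0     88      542 ------      0 2013-09-12 09:00:01 UTC+0000
0x85d01030 svchost.exe             812    592     12      420      0      0 2013-09-12 09:00:05 UTC+0000
0x85c2a8a0 explorer.exe           1520   1488     30      912      1      0 2013-09-12 09:00:20 UTC+0000
'''
# Same system with the sample running: one extra process (constructed).
INFECTED_PSLIST = CLEAN_PSLIST + '''0x85e44d40 svchost.exe            2345   1234      3       60      1      0 2013-09-12 10:01:02 UTC+0000
'''
# Constructed dlllist output for explorer.exe, clean and with one extra module.
CLEAN_DLLLIST = r'''************************************************************************
explorer.exe pid:   1520
Command line : C:\Windows\Explorer.EXE

Base             Size          LoadCount Path
---------- ---------- ---------- ----
0x00e40000   0x2bb000     0xffff C:\Windows\Explorer.EXE
0x77a10000   0x142000     0xffff C:\Windows\SYSTEM32\ntdll.dll
0x75c30000    0xd4000     0xffff C:\Windows\system32\kernel32.dll
'''
INFECTED_DLLLIST = CLEAN_DLLLIST + r'''0x10000000    0x1c000        0x1 C:\Users\user\AppData\Roaming\update\hook.dll
'''


def parse_pslist(text):
    """Map (name, pid) -> ppid for each process row; rows start with the kernel object offset."""
    procs = {}
    for line in text.splitlines():
        if line.startswith("0x"):
            fields = line.split()
            procs[(fields[1], int(fields[2]))] = int(fields[3])
    return procs


def parse_dlllist(text):
    """Map pid -> set of module paths; a '<image> pid: N' line opens each process block."""
    modules, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) pid:\s+(\d+)", line)
        if m:
            pid = int(m.group(2))
            modules.setdefault(pid, set())
        elif line.startswith("0x") and pid is not None:
            modules[pid].add(line.split(None, 3)[3])   # keep the path whole even if it has spaces
    return modules


def outside_windows_dir(path):
    """True for modules not under C:\\Windows, a cheap first filter for injected or dropped DLLs."""
    return not path.lower().startswith("c:\\windows")


def diff_snapshots(clean_ps, infected_ps, clean_dll, infected_dll):
    """Processes and per-process modules present in the second capture but not the first (and vice versa)."""
    before, after = parse_pslist(clean_ps), parse_pslist(infected_ps)
    mods_before, mods_after = parse_dlllist(clean_dll), parse_dlllist(infected_dll)
    new_modules = {pid: sorted(paths - mods_before.get(pid, set())) for pid, paths in mods_after.items()}
    return {
        "new_processes": sorted(set(after) - set(before)),
        "gone_processes": sorted(set(before) - set(after)),
        "new_modules": {pid: paths for pid, paths in new_modules.items() if paths},
    }


if __name__ == "__main__":
    if len(sys.argv) == 5:
        inputs = [open(p, errors="replace").read() for p in sys.argv[1:]]
    else:
        inputs = [CLEAN_PSLIST, INFECTED_PSLIST, CLEAN_DLLLIST, INFECTED_DLLLIST]
    result = diff_snapshots(*inputs)
    for name, pid in result["new_processes"]:
        print("new process: %s (pid %d)" % (name, pid))
    for name, pid in result["gone_processes"]:
        print("gone process: %s (pid %d)" % (name, pid))
    for pid, paths in result["new_modules"].items():
        for path in paths:
            print("pid %d new module: %s%s" % (pid, path, "  <-- outside Windows dir" if outside_windows_dir(path) else ""))
```

Produce the four inputs with `vol.py -f clean.raw --profile=<profile> pslist > clean_pslist.txt` and `vol.py -f clean.raw --profile=<profile> dlllist -p <explorer pid> > clean_dlllist.txt`, then the same two commands against the infected dump, and pass the four files as arguments in that order. A new module outside the Windows directory in explorer.exe, or a process with a parent PID that no longer exists, is the kind of "anything suspicious" Lab 10 asks about; `malfind` on the same process is the natural next step.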
CONTACT ME
• Iñaki Rodriguez
– @virtualminds_es
– irodriguez@virtualminds.es
