SlideShare una empresa de Scribd logo

Экспресс-анализ вредоносов / Crowdsourced Malware Triage

Positive Hack Days
Positive Hack Days

Ведущие: Сергей Франкофф и Шон Уилсон Сортировка вредоносного ПО представляет собой процесс быстрого анализа потенциально опасных файлов или URL. Любая тщательно продуманная система реагирования на инциденты безопасности обладает этой важной функцией. Но что, если у вас не установлена программа реагирования на инциденты? Как быть, если вы только начали ее настраивать? А вдруг у вас нет программных средств для проведения анализа? Грамотно выбранный бесплатный онлайн-инструмент, веб-браузер и блокнот — вот все, что вам пригодится. На мастер-классе участники самостоятельно будут заниматься сортировкой вредоносного ПО. Ведущий предоставит информацию о необходимых инструментах.

Tecnología
1 de 89
Crowdsourced Malware Triage! Making Sense of Malware With a Browser and a Notepad
Hello, My Name is: Sergei Frankoff sergei@openanalysis.net Sean Wilson sean@openanalysis.net
WARNING! We use real malware and real exploits in the workshops. These have been specifically designed to NOT harm your workstation even if you make a mistake. However, your Anti-Virus and your employer probably don’t know the difference. Use your own judgement.
Malware? 01101101 01100001 01101100 01110111 01100001 01110010 01100101 00100000 Malware is just code! 01101001 01110011 00100000 01100011 01101111 01100100 01100101 00100000
Malware Triage Is it malicious? What is it exploiting? Do we have exposure? Suspicious URL Suspicious E-mail Intel feed
Effective Triage is Not Analysis Triage is effective when malware has been detected in the delivery phase. Quick way to answer “Do I have exposure?” “If yes, then what next?” (Lockheed Martin’s Intrusion Kill Chain)
Toolbelt Notepad (with find/replace) Web Browser Internet Access
Crowdsource! urlQuery
OPSEC Warning! By using these tools you will be sharing data with an unknown third party and in some cases with the entire internet.
The Scenario http://cdn.tequilacritico.net:16122/archive/stargalaxy.php?nebula=3
Triage Workflow Passive analysis Initial interaction and download Web component analysis Exploit Analysis Payload extraction Payload analysis Build IOCs
VirusTotal BlueCoat Web Pulse Passive Total Domain Tools Passive Analysis
You can’t shouldn’t fake reputation.
UserAgentString Online Curl URL Query JS Beautify Initial Interaction
DO IT LIVE!
Make sure you can access the following tools: http://www.useragentstring.com/ http://onlinecurl.com/ or http://hurl.it http://urlquery.net/ Collect a sample of the exploit using CURL with your user agent. Make sure you copied the response to your notepad. Try to get URLQuery to analyze the URL: This may be very slow or not work at all… try searching for the URL on URLQuery instead. 10 MINUTES
Briefing
Chapman Online JS Interpreter JS Beautify Web Browser Base64Decode Web Component Analysis
Ad Blocked Ad Blocked
TIPS!
TIPS!
DO IT LIVE!
Make sure you can access the following tools: http://jsbeautifier.org/ https://www.base64decode.org/ Use the Javascript interpreter and JSBeutifier to decode the downloaded HTML and Javascript. TIPS: • First identify the JS in the HTML by beautifying what you downloaded • Copy the JS into the interpreter and replace all eval() and document.write functions with writeln() • Beautify the output from the JS… 20 MINUTES
Briefing
VirusTotal Metasploit Git (Google) ShowMyCode IDEOne Notepad Exploit Analysis
Ad Blocked Ad Blocked
Ad Blocked Ad Blocked
IDEOne Web Browser Virus Total Payload Extraction
Ad Blocked Ad Blocked
TIPS!
DO IT LIVE!
Make sure you can access the following tools: https://www.virustotal.com/ http://www.showmycode.com/ http://ideone.com/ https://github.com/rapid7/metasploit-framework Upload the exploit to VirusTotal and see what it says. Use ShowMyCode to decompile exploit and IDEOne to run decompiled code and de-obfuscate it. Search around on Metasploit’s GitHub and see if you can identify the exploit. Can you download the payload? 20 MINUTES
Briefing
Virus Total Malwr Payload Analysis
DO IT LIVE!
Make sure you can access the following tools: https://www.virustotal.com/ https://malwr.com/ Upload the payload to VirusTotal and see what it says. Upload the payload to Malwr and review the sandbox results. Use the results from the above tools to build a list of unique attributes for the malware that may be used as indicators. 10 MINUTES
Briefing
TotalHash Malwr YaraGenerator IOCBucket Build IOCs
Analysis Discovery Development
DO IT LIVE!
Register a free account for the following tools (if you haven’t already): https://yaragenerator.com/ https://www.iocbucket.com https://www.virustotal.com/ https://malwr.com/ Make sure you can access the following tools: http://totalhash.com/ Use the indicators you identified to search for related malware samples on TotalHash and Malwr. Generate an IOC stub from your malware analysis on VirusTotal. Edit the IOC to make it general enough to match the other related samples that you identified above. NOTE: OpenIOC uses the term ‘Process Handle’ for Mutex 20 MINUTES
Briefing
Close Feedback Loop Upload samples. Leave comments. Join a trust group. Blog your analysis.
Image Attribution • Email designed by <a href="http://www.thenounproject.com/saleshenrique">Henrique Sales</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Browser designed by <a href="http://www.thenounproject.com/KW351">Kwesi Phillips</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Handshake designed by <a href="http://www.thenounproject.com/Deadtype">DEADTYPE</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Gears designed by <a href="http://www.thenounproject.com/rebwal">Rebecca Walthall</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Magnifying Glass designed by <a href="http://www.thenounproject.com/edward">Edward Boatman</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Warning designed by <a href="http://www.thenounproject.com/swiffermuis">Melissa Holterman</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Plus designed by <a href="http://www.thenounproject.com/alex.s.lakas">Alex S. Lakas</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Notepad designed by <a href="http://www.thenounproject.com/lemonliu">Lemon Liu</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Browser designed by <a href="http://www.thenounproject.com/esteves_emerick">Adriano Emerick</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • “Bill O’reilly Flips Out (Do it Live!!!!!11) [DiscoTech RMX]”, http://www.youtube.com/user/morevidznow/about • No designed by <a href="http://www.thenounproject.com/PixelatorNyc">Alex Dee</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Sad designed by <a href="http://www.thenounproject.com/dys">Brian Dys Sahagun</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Surveillance designed by <a href="http://www.thenounproject.com/Luis">Luis Prado</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Download designed by <a href="http://www.thenounproject.com/jsearfoss">Jonathan Searfoss</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Analysis designed by <a href="http://www.thenounproject.com/ChrisHolm">Christopher Holm-Hansen</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Js File designed by <a href="http://www.thenounproject.com/useiconic.com">useiconic.com</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Bug designed by <a href="http://www.thenounproject.com/matt.crum">Matt Crum</a> from the <a href="http://www.thenounproject.com">Noun Project</a>
One More Thing…
One More Thing…
One More Thing… https://www.circl.lu/services/misp- malware-information-sharing-platform

Recomendados

Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Advanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSAdvanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSSasha Goldshtein
 
VS Debugging Tricks
VS Debugging TricksVS Debugging Tricks
VS Debugging TricksSasha Goldshtein
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
C++ Production Debugging
C++ Production DebuggingC++ Production Debugging
C++ Production DebuggingSasha Goldshtein
 
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupFrom 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupDiogo Mónica
 

Recomendados

Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Advanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSAdvanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSSasha Goldshtein
 
VS Debugging Tricks
VS Debugging TricksVS Debugging Tricks
VS Debugging TricksSasha Goldshtein
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
C++ Production Debugging
C++ Production DebuggingC++ Production Debugging
C++ Production DebuggingSasha Goldshtein
 
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupFrom 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupDiogo Mónica
 
Город никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never SleepsГород никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never SleepsPositive Hack Days
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryDevSecCon
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF n|u - The Open Security Community
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsDevSecCon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debuggingchrisortman
 
Nginx warhead
Nginx warheadNginx warhead
Nginx warheadSergey Belov
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTFJerod Brennen
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
ZeroNights - SmartTV
ZeroNights - SmartTV ZeroNights - SmartTV
ZeroNights - SmartTV Sergey Belov
 
Advanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireAdvanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireJeremy Johnson
 
Выживший
ВыжившийВыживший
ВыжившийPositive Hack Days
 
Вирусы есть? А если найду?
Вирусы есть? А если найду?Вирусы есть? А если найду?
Вирусы есть? А если найду?Positive Hack Days
 

Más contenido relacionado

La actualidad más candente

Город никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never SleepsГород никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never SleepsPositive Hack Days
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryDevSecCon
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsDevSecCon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debuggingchrisortman
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTFJerod Brennen
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
ZeroNights - SmartTV
ZeroNights - SmartTV ZeroNights - SmartTV
ZeroNights - SmartTV Sergey Belov
 
Advanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireAdvanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireJeremy Johnson
 

La actualidad más candente (20)

Город никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never SleepsГород никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never Sleeps
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application delivery
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debugging
 
Nginx warhead
Nginx warheadNginx warhead
Nginx warhead
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTF
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
Nikto
NiktoNikto
Nikto
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
ZeroNights - SmartTV
ZeroNights - SmartTV ZeroNights - SmartTV
ZeroNights - SmartTV
 
Advanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireAdvanced Weapons Training for the Empire
Advanced Weapons Training for the Empire
 

Destacado

Вирусы есть? А если найду?
Вирусы есть? А если найду?Вирусы есть? А если найду?
Вирусы есть? А если найду?Positive Hack Days
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromePositive Hack Days
 
AVTOKYO2012 Android Malware Heuristics(en)
AVTOKYO2012 Android Malware Heuristics(en)AVTOKYO2012 Android Malware Heuristics(en)
AVTOKYO2012 Android Malware Heuristics(en)雅太 西田
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmasTech and Law Center
 
Semantics aware malware detection ppt
Semantics aware malware detection pptSemantics aware malware detection ppt
Semantics aware malware detection pptManish Yadav
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Как увидеть невидимые инциденты
Как увидеть невидимые инцидентыКак увидеть невидимые инциденты
Как увидеть невидимые инцидентыPositive Hack Days
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
SSDL: один день из жизни разработчика
SSDL: один день из жизни разработчикаSSDL: один день из жизни разработчика
SSDL: один день из жизни разработчикаPositive Hack Days
 
Аспекты деятельности инсайдеров на предприятии
Аспекты деятельности инсайдеров на предприятииАспекты деятельности инсайдеров на предприятии
Аспекты деятельности инсайдеров на предприятииPositive Hack Days
 
Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation
Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege EscalationJanitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation
Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege EscalationPositive Hack Days
 
Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО
Восток — дело тонкое, или Уязвимости медицинского и индустриального ПОВосток — дело тонкое, или Уязвимости медицинского и индустриального ПО
Восток — дело тонкое, или Уязвимости медицинского и индустриального ПОPositive Hack Days
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructurePositive Hack Days
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPPositive Hack Days
 
Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти
Magic Box, или Как пришлось сломать банкоматы, чтобы их спастиMagic Box, или Как пришлось сломать банкоматы, чтобы их спасти
Magic Box, или Как пришлось сломать банкоматы, чтобы их спастиPositive Hack Days
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюPositive Hack Days
 
Боремся с читингом в онлайн-играх
Боремся с читингом в онлайн-играхБоремся с читингом в онлайн-играх
Боремся с читингом в онлайн-играхPositive Hack Days
 

Destacado (20)

Выживший
ВыжившийВыживший
Выживший
 
Вирусы есть? А если найду?
Вирусы есть? А если найду?Вирусы есть? А если найду?
Вирусы есть? А если найду?
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
 
AVTOKYO2012 Android Malware Heuristics(en)
AVTOKYO2012 Android Malware Heuristics(en)AVTOKYO2012 Android Malware Heuristics(en)
AVTOKYO2012 Android Malware Heuristics(en)
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmas
 
Semantics aware malware detection ppt
Semantics aware malware detection pptSemantics aware malware detection ppt
Semantics aware malware detection ppt
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Кратко про тенденции ИБ к обсуждению (Код ИБ)
Кратко про тенденции ИБ к обсуждению (Код ИБ)Кратко про тенденции ИБ к обсуждению (Код ИБ)
Кратко про тенденции ИБ к обсуждению (Код ИБ)
 
Как увидеть невидимые инциденты
Как увидеть невидимые инцидентыКак увидеть невидимые инциденты
Как увидеть невидимые инциденты
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 
SSDL: один день из жизни разработчика
SSDL: один день из жизни разработчикаSSDL: один день из жизни разработчика
SSDL: один день из жизни разработчика
 
Why IT Security Is Fucked Up
Why IT Security Is Fucked UpWhy IT Security Is Fucked Up
Why IT Security Is Fucked Up
 
Аспекты деятельности инсайдеров на предприятии
Аспекты деятельности инсайдеров на предприятииАспекты деятельности инсайдеров на предприятии
Аспекты деятельности инсайдеров на предприятии
 
Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation
Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege EscalationJanitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation
Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation
 
Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО
Восток — дело тонкое, или Уязвимости медицинского и индустриального ПОВосток — дело тонкое, или Уязвимости медицинского и индустриального ПО
Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAP
 
Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти
Magic Box, или Как пришлось сломать банкоматы, чтобы их спастиMagic Box, или Как пришлось сломать банкоматы, чтобы их спасти
Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
 
Боремся с читингом в онлайн-играх
Боремся с читингом в онлайн-играхБоремся с читингом в онлайн-играх
Боремся с читингом в онлайн-играх
 

Similar a Экспресс-анализ вредоносов / Crowdsourced Malware Triage

Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software developmentNick Galbreath
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Android mobile app security offensive security workshop
Android mobile app security offensive security workshopAndroid mobile app security offensive security workshop
Android mobile app security offensive security workshopAbhinav Sejpal
 
10 practices that every developer needs to start right now
10 practices that every developer needs to start right now10 practices that every developer needs to start right now
10 practices that every developer needs to start right nowCaleb Jenkins
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Juniper Networks
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
Hacking for Innovation - WPP, New York
Hacking for Innovation - WPP, New YorkHacking for Innovation - WPP, New York
Hacking for Innovation - WPP, New YorkSaurabh Sahni
 
Intro to CI/CD using Docker
Intro to CI/CD using DockerIntro to CI/CD using Docker
Intro to CI/CD using DockerMichael Irwin
 
Codeception Testing Framework -- English #phpkansai
Codeception Testing Framework -- English #phpkansaiCodeception Testing Framework -- English #phpkansai
Codeception Testing Framework -- English #phpkansaiFlorent Batard
 
Work with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec CaliforniaWork with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec Californialeifdreizler
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane LackeyYandex
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackRan Bar-Zik
 
Let's pwn a chinese web browser!
Let's pwn a chinese web browser!Let's pwn a chinese web browser!
Let's pwn a chinese web browser!Juho Nurminen
 

Similar a Экспресс-анализ вредоносов / Crowdsourced Malware Triage (20)

Hacking101 delhi 2013
Hacking101 delhi 2013Hacking101 delhi 2013
Hacking101 delhi 2013
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software development
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
Android mobile app security offensive security workshop
Android mobile app security offensive security workshopAndroid mobile app security offensive security workshop
Android mobile app security offensive security workshop
 
App locker
App lockerApp locker
App locker
 
10 practices that every developer needs to start right now
10 practices that every developer needs to start right now10 practices that every developer needs to start right now
10 practices that every developer needs to start right now
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Kanban in Action
Kanban in ActionKanban in Action
Kanban in Action
 
Backtrack Manual Part9
Backtrack Manual Part9Backtrack Manual Part9
Backtrack Manual Part9
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
Hacking for Innovation - WPP, New York
Hacking for Innovation - WPP, New YorkHacking for Innovation - WPP, New York
Hacking for Innovation - WPP, New York
 
Intro to CI/CD using Docker
Intro to CI/CD using DockerIntro to CI/CD using Docker
Intro to CI/CD using Docker
 
Codeception Testing Framework -- English #phpkansai
Codeception Testing Framework -- English #phpkansaiCodeception Testing Framework -- English #phpkansai
Codeception Testing Framework -- English #phpkansai
 
Work with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec CaliforniaWork with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec California
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 
Let's pwn a chinese web browser!
Let's pwn a chinese web browser!Let's pwn a chinese web browser!
Let's pwn a chinese web browser!
 

Más de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Más de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Último

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Экспресс-анализ вредоносов / Crowdsourced Malware Triage

  • 1. Crowdsourced Malware Triage! Making Sense of Malware With a Browser and a Notepad
  • 2. Hello, My Name is: Sergei Frankoff sergei@openanalysis.net Sean Wilson sean@openanalysis.net
  • 3. WARNING! We use real malware and real exploits in the workshops. These have been specifically designed to NOT harm your workstation even if you make a mistake. However, your Anti-Virus and your employer probably don’t know the difference. Use your own judgement.
  • 4. Malware? 01101101 01100001 01101100 01110111 01100001 01110010 01100101 00100000 Malware is just code! 01101001 01110011 00100000 01100011 01101111 01100100 01100101 00100000
  • 5. Malware Triage Is it malicious? What is it exploiting? Do we have exposure? Suspicious URL Suspicious E-mail Intel feed
  • 6. Effective Triage is Not Analysis Triage is effective when malware has been detected in the delivery phase. Quick way to answer “Do I have exposure?” “If yes, then what next?” (Lockheed Martin’s Intrusion Kill Chain)
  • 9. OPSEC Warning! By using these tools you will be sharing data with an unknown third party and in some cases with the entire internet.
  • 12. VirusTotal BlueCoat Web Pulse Passive Total Domain Tools Passive Analysis
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. You can’t shouldn’t fake reputation.
  • 18. UserAgentString Online Curl URL Query JS Beautify Initial Interaction
  • 19.
  • 20.
  • 21.
  • 22.
  • 24. Make sure you can access the following tools: http://www.useragentstring.com/ http://onlinecurl.com/ or http://hurl.it http://urlquery.net/ Collect a sample of the exploit using CURL with your user agent. Make sure you copied the response to your notepad. Try to get URLQuery to analyze the URL: This may be very slow or not work at all… try searching for the URL on URLQuery instead. 10 MINUTES
  • 26. Chapman Online JS Interpreter JS Beautify Web Browser Base64Decode Web Component Analysis
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 34. TIPS!
  • 35. TIPS!
  • 37. Make sure you can access the following tools: http://jsbeautifier.org/ https://www.base64decode.org/ Use the Javascript interpreter and JSBeutifier to decode the downloaded HTML and Javascript. TIPS: • First identify the JS in the HTML by beautifying what you downloaded • Copy the JS into the interpreter and replace all eval() and document.write functions with writeln() • Beautify the output from the JS… 20 MINUTES
  • 40.
  • 41.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 51.
  • 52. TIPS!
  • 54. Make sure you can access the following tools: https://www.virustotal.com/ http://www.showmycode.com/ http://ideone.com/ https://github.com/rapid7/metasploit-framework Upload the exploit to VirusTotal and see what it says. Use ShowMyCode to decompile exploit and IDEOne to run decompiled code and de-obfuscate it. Search around on Metasploit’s GitHub and see if you can identify the exploit. Can you download the payload? 20 MINUTES
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 64. Make sure you can access the following tools: https://www.virustotal.com/ https://malwr.com/ Upload the payload to VirusTotal and see what it says. Upload the payload to Malwr and review the sandbox results. Use the results from the above tools to build a list of unique attributes for the malware that may be used as indicators. 10 MINUTES
  • 67.
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.
  • 74.
  • 75.
  • 76.
  • 77.
  • 78.
  • 79.
  • 80.
  • 81.
  • 83. Register a free account for the following tools (if you haven’t already): https://yaragenerator.com/ https://www.iocbucket.com https://www.virustotal.com/ https://malwr.com/ Make sure you can access the following tools: http://totalhash.com/ Use the indicators you identified to search for related malware samples on TotalHash and Malwr. Generate an IOC stub from your malware analysis on VirusTotal. Edit the IOC to make it general enough to match the other related samples that you identified above. NOTE: OpenIOC uses the term ‘Process Handle’ for Mutex 20 MINUTES
  • 85. Close Feedback Loop Upload samples. Leave comments. Join a trust group. Blog your analysis.
  • 86. Image Attribution • Email designed by <a href="http://www.thenounproject.com/saleshenrique">Henrique Sales</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Browser designed by <a href="http://www.thenounproject.com/KW351">Kwesi Phillips</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Handshake designed by <a href="http://www.thenounproject.com/Deadtype">DEADTYPE</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Gears designed by <a href="http://www.thenounproject.com/rebwal">Rebecca Walthall</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Magnifying Glass designed by <a href="http://www.thenounproject.com/edward">Edward Boatman</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Warning designed by <a href="http://www.thenounproject.com/swiffermuis">Melissa Holterman</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Plus designed by <a href="http://www.thenounproject.com/alex.s.lakas">Alex S. Lakas</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Notepad designed by <a href="http://www.thenounproject.com/lemonliu">Lemon Liu</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Browser designed by <a href="http://www.thenounproject.com/esteves_emerick">Adriano Emerick</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • “Bill O’reilly Flips Out (Do it Live!!!!!11) [DiscoTech RMX]”, http://www.youtube.com/user/morevidznow/about • No designed by <a href="http://www.thenounproject.com/PixelatorNyc">Alex Dee</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Sad designed by <a href="http://www.thenounproject.com/dys">Brian Dys Sahagun</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Surveillance designed by <a href="http://www.thenounproject.com/Luis">Luis Prado</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Download designed by <a href="http://www.thenounproject.com/jsearfoss">Jonathan Searfoss</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Analysis designed by <a href="http://www.thenounproject.com/ChrisHolm">Christopher Holm-Hansen</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Js File designed by <a href="http://www.thenounproject.com/useiconic.com">useiconic.com</a> from the <a href="http://www.thenounproject.com">Noun Project</a> • Bug designed by <a href="http://www.thenounproject.com/matt.crum">Matt Crum</a> from the <a href="http://www.thenounproject.com">Noun Project</a>