agenda - hitb sigint... · agenda •history •the new ... •world map malware plotting ......
TRANSCRIPT
![Page 1: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/1.jpg)
![Page 2: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/2.jpg)
Agenda
• History
• The New MyKotakPasir
• Web User Interfaces
• How it Works
• Where is the URL?
• Limitation
• Other Malware Sandbox
• Future Implementation
2
![Page 3: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/3.jpg)
Introduction
• Also known as Automated Malware Analysis or Malware Sandbox
• Help malware analyst to save their time.
• Use sandbox for baseline analysis, and analyst can do static analysis for further info
• Programmed using PHP, Python, MS Visual Basic, C++
3
![Page 4: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/4.jpg)
4
![Page 5: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/5.jpg)
History
• Simple Web user interfaces
• For internal use only
• Take more time to analyze the sample
• Based on external tools
• Unmanaged source code, unstable, not optimized
• A lot of weakness
– Weak password, pcap file reveal internal data, shell upload.
5
![Page 6: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/6.jpg)
Copyright © 2010 CyberSecurity Malaysia 6
![Page 7: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/7.jpg)
7
![Page 8: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/8.jpg)
Current Implementations
• One of 2010 Project
• More stable, less time to analyze
• The URL open to public access
• Report produced more detailed result
• New improved Web UI for easy access
• Require user registration for account management
8
![Page 9: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/9.jpg)
Current Implementations
• Secured web access
• User can edit their result
• User statistics
• World map Malware plotting
• User Profile
• User have their own web preferences
• Improved search result
9
![Page 10: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/10.jpg)
10
![Page 11: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/11.jpg)
11
![Page 12: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/12.jpg)
12
![Page 13: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/13.jpg)
How it works?
13
1
2
6
7
5
3
4
Virtual Machine
![Page 14: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/14.jpg)
Public Access URL
14
![Page 15: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/15.jpg)
Limitation
• Some malware have unique stealth technique.
• Currently we do not provide any Web API for mass upload.
• We cannot guaranteed that our services can provide fast enough to see the result.
15
![Page 16: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/16.jpg)
Other Malware Sandbox
• GFI CWSandbox (Sunbelt CWSandbox)
• ThreatExpert
• Joe Sandbox (formerly Joebox)
• Anubis
• Norman Sandbox
16
![Page 17: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/17.jpg)
Next Iteration
• Going framework, going modular
• Modularize everything for flexibility
• Potential integration with other services
• Scale for parallel analysis
• More opportunity to experiment
![Page 18: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/18.jpg)
Next Iteration
• Python + Django as backend
• “Daemonized” django to serve as the master controller
– WSGI running in daemon mode
• Why not PHP and cronjobs?
– Do the right thing
– Not exactly efficient
– Troublesome to maintain states
![Page 19: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/19.jpg)
The Big Picture
1
kotakpasird (daemon)
Sandbox Provider
Session Manager
Virtual Machine
kotakpasirc (agent)
Report Generator
Submission Handler
2 3
4
Network.py Process.py
Registry.py File.py
5
6
7
![Page 20: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/20.jpg)
Our Work So Far
• Basic core daemon prototype
• Partially replaced previously poll-driven session manager
• “Backport” the daemon to fit in old system
– Proof of concept for modularity of new design
– Reuse previous web interface
– Convenient unit test
![Page 21: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/21.jpg)
Our Work So Far
kotakpasird
1
2
6
7
5
3
4
Virtual Machine
![Page 22: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/22.jpg)
Expected Improvements
• Parallel analysis – Handle more sample in shorter time period
– Spread the analysis load across multiple servers
• Integration – API to perform automated submission and
analysis
• Hack friendly – Write less code to experiment
– “Battery included”
![Page 23: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/23.jpg)
Expected Improvements
• Multi sandbox engine support • Analysis in multiple environment
– Observe if malware might behave differently on different platform
– Eg. Windows XP, Windows 7 64-bit
• Specialized analysis engine – Targets .Net and Java malwares
• “Timewarp” analysis – Observe if malware might behave differently on different
date/time
– “Fast forward” the VM clock 1 week/month/year in advance
• Any radical ideas you might think of :)
![Page 24: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/24.jpg)
Conclusion
• Save a lot of time to analyze the malware and its behaviour
• Report generated in readable format.
• Easy to manage your own malware analysis result.
• Cost saving
24
![Page 25: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/25.jpg)
Q&A
25
HELP!
![Page 26: Agenda - HITB SIGINT... · Agenda •History •The New ... •World map Malware plotting ... –Proof of concept for modularity of new design –Reuse previous web interface](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aea26177f8b9ab24d8cfd1c/html5/thumbnails/26.jpg)
Corporate Office:
CyberSecurity Malaysia, Level 8, Block A,
Mines Waterfront Business Park, No 3 Jalan Tasik, The Mines Resort City, 43300 Seri Kembangan,
Selangor Darul Ehsan, Malaysia.
Tel. +603 8946 0999 Fax. +603 8946 0888
Hotline. +1 300 88 2999
www.cybersecurity.my
26