44con malware workshop

SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON)

Malware Analysis Reverse Engineering Workshop(44Con 2013)

SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 2

• Thumb drives being passed around– Disclaimer about new malware of your own

• Wifi– SSID hbn– PSK ILoveTheSmellOfHackInTheMorning

– www http://192.168.252.5/

Grab a copy of the files

1. Basic Concepts

2. Behaviors Analysis

3. Memory Analysis

4. Static Analysis

Agenda

• Any piece of software that performs malicious activities.– Executable– Documents– Flash– Java– …

What is Malware

• Some examples of categories

Types of Malware

Worm Trojan

Spyware Adware

Ransomware Rootkit

Keyloggers Stealers

Virus Backdoor

• An executable under the hood• Structure:

• Imported Functions• Exported Functions• Sections• Code• Data• Relocation information• Certificate

•PE File

Windows Executable

Binary Content

Interpreted Content

The BIG picture

• Examining the content of a Windows executable (exe, cpl, ocx, dll, …)

• Editor, disassembler, resource editor.

PE Explorer

General Info

Data Directories

Sections Resource Editor

Imports Dependencies

• Use PE Explorer over installer.exe and pafish.exe

• Questions– Could you enumerate some notable

differences?– Could you find something interesting in

installer.exe?

LAB – 1

• From File to Process

From File to Process

Loader

Read Header

Place Executable in Memory

Create Process Object

Monitoring Behavior

Process

Fun1Fun2Fun 3

DLL DLL

Fun1Fun2Fun 3

• Interaction with the Operating System

• File Activity• Network flows• Registry monitor• Api Calls

• Execution in a controlled environment.• Not as time consuming as static analysis.• Focused on results.• VM and Snapshots.• MSDN – Api calls

Behavior Analysis

• New processes• Code injection• Downloads• File activity• Persistence mechanism• Registry changes• C&C Communication• Network activity (LAN)

What are we looking for

• Included in the Sysinternals Suite with many other interesting tools.

Process Monitor

Filter Search Event

Filter by Event

Process Monitor

Lab – 2 (File Activities)• Open Process Explorer• Execute installer.exe• Filter the results• Questions

– Which file was created?– Where?– Why has the installer.exe vanished?

LAB – 2 (Answers)

Lab – 3 (Process Activities)• Use the previous capture• Questions

– How many processes were spawned?– Could you identify who deleted the original

installer.exe file?

Lab – 3 (Answers)

Regshot

• Takes Registry Snapshots• Compare Snapshots

Regshot Report

Lab – 4 (Registry)• Restore the Snapshot• Execute Regshot and take a first

snapshot.• Execute Process Explorer.• Execute installer.exe.• Sleep 1m • Take a second snapshot and compare.

Lab – 4 (Registry)• Questions

– Could you identify the persistence mechanism using RegShot?

– And with Process Monitor?– Could you find any new service added by the

malware?

Lab – 4 (Answer)

Network Activity• Wireshark is a well known network sniffer.• Many protocol decoders• Drawback: Secure connections

Capture Options

Restart

Lab – 5 • Network Activity – Wireshark• Questions

– Did the malware contact with a C&C?– Was it successful?– What was the IP/domain name?– Could you find information about the C&C?

• DNS redirection (*)

Lab – 5 (Answers)

Sysanalyzer• Logs some interesting APIs• Sniffer• Less noisy• Less information

Lab – 7 • Run installer.exe and compare the results

from previous tools.

• Logs a set of Windows APIs from a large set of them

• Low-level information• Don’t try to log all

API Monitor

Start new process

Filters

WinApiOverride32

• Log the network and file activity• Monitor newly created processes on

demand.• Questions

– Could you find the C&C?– Could you find when the file is deleted?

Lab – 8

LAB – 8 (Answers)

LAB – 8 (Answers)• Were you able to find the C&C?• Why?

• Why not automation?• Cuckoo Sandbox executes the malware

inside a VM for us.• Analyzer and reporting system all in one

solution.• Extensible• Must be installed on Linux

Sandbox

• Web interface

• Command Line

Submit Samples

Cuckoo Architecture

Agent.py

Cuckoomon.dll

malware

Analyzer.py

Cuckoo.py

Processors

Signatures

Reports

Virtual MachineHost

• Upload a sample to the Sandbox• Meanwhile, check the report for sample

a6ff0e175acc7aaa3c2a855e44b11e3b.• Question

– Could you identify the same indicators of compromise from extracted from previous tools?

– Could you find the C&C? – And the function call?

Lab – 9

Lab – 9 (Answers)

• Volatility can extract information from a memory dump.

• Hidden process, handles, connections, …• Malfind• Dump memory from Cuckoo, Winpmem,

Post Mortem Analysis

Dumping Memory

Cuckoo

VirtualBox

• Offline Memory analysis tool• Search for

– Open handles– Hooked Apis– New Dlls– Hidden processes– Registry values

• No diff tool (Anyone?)

Volatility

• Dump memory from a clean system• List process list• Find explorer.exe and list its dlls• Store this information in a file and repeat

all the process with the malware running

LAB – 10

• Question– Could you find anything suspicious?

LAB – 10

LAB – 10 (Answers)

• Iñaki Rodriguez– @virtualminds_es– irodriguez@virtualminds.es

CONTACT ME

44con malware workshop

pe file

process activities

new malware

results questions

registry snapshots

malware contact

types of malware

use pe explorer

Technology

nsc-jst workshop · fighting malware & botnets –...

ncc group 44con workshop: how to assess and secure ios apps

44con london 2015 - how to drive a malware analyst crazy

44con 2013 - culture & cna behaviors - char sample

malware workshop

44con 2014 - greedybts: hacking adventures in gsm, hacker...

malware analysis as a hobby - 44con 2012

44con 2014 - breaking av software

modern post-exploitation strategies - 44con 2012

44con london 2015 - inside terracotta vpn

44con & ruxcon: sdn security

44con 2014 - advanced excel hacking, didier stevens

malware analysis workshop june 5, 2012 - ccdcoe · malware...

workshop – malware applications

44con 2014 - security analytics beyond cyber, phil huggins

44con 2014 - meterpreter internals, oj reeves

building the 44con ctf

reverse engineering malware workshop

trusts you might have missed - 44con

44con 2013 - controlling a pc using arduino