Gummer BruCON0x07
TRANSCRIPT
![Page 1: Gummer BruCON0x07](https://reader031.vdocuments.net/reader031/viewer/2022030305/587108221a28abac6d8b45d3/html5/thumbnails/1.jpg)
Gummer Advanced Malware Hunting
Le me
Ernesto Corral, Incident Response and Forensic Analyst
@xgusix | xgusix.com | securityinside.info
Introduction – Hunting Malware
Hunting Malware != Detecting Malware
• Hunt previously unknown malicious artifacts.
  – Anomalies: deviation or departure from the normal or common behavior of a system or network.
Gummer – What is Gummer?
“Host for plug-ins”
• Framework for hunting advanced malware based on anomalies
• Modular
• DB query engine
• Python
Gummer – Goal
Gummer’s aim is not to hunt “normal” malware. The anomalies approach gives you hints on where to look during an investigation, not evidence. Use it for day-to-day detection only if you are hunting APTs or state-sponsored malware; otherwise a lot of time may be wasted reviewing Gummer’s output.
Gummer – Structure
gummer.py
Modules: analyzers, DB connectors, outputs, collectors
Gummer – Modules
logs → db → analyzer → output
Gummer – Modules - Collector
Status: Working
Analyzers
• Eric Cole’s APT book
DB Connectors
• MySQL
• SQLite
• Mongo
Outputs
• Terminal
Collectors
• Squid
• pDNS
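The collector → db → analyzer → output pipeline from the slides, as an added illustration that is not Gummer's own code (github.com/xgusix/gummer): a Squid collector, a SQLite connector, an analyzer that flags near-constant request intervals as an anomaly, and a terminal output, run over a constructed log sample. Function names, the table layout and the thresholds are assumptions.

```python
import sqlite3
import statistics
from urllib.parse import urlsplit

# Constructed Squid native access.log sample (not real traffic). Fields:
# timestamp elapsed client action/code size method URL ident hierarchy type
SQUID_LOG = """\
1443100000.1 120 10.0.0.5 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1443100060.1  98 10.0.0.5 TCP_MISS/200  512 GET http://updates.example.net/c - HIER_DIRECT/198.51.100.7 text/plain
1443100120.1 101 10.0.0.5 TCP_MISS/200  512 GET http://updates.example.net/c - HIER_DIRECT/198.51.100.7 text/plain
1443100180.1  97 10.0.0.5 TCP_MISS/200  512 GET http://updates.example.net/c - HIER_DIRECT/198.51.100.7 text/plain
1443100240.1 103 10.0.0.5 TCP_MISS/200  512 GET http://updates.example.net/c - HIER_DIRECT/198.51.100.7 text/plain
1443100300.0  30 10.0.0.9 TCP_MISS/200   60 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
"""

def collect_squid(text):
    """Collector: parse Squid native log lines into (ts, client, host) rows."""
    rows = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 7:  # CONNECT lines carry "host:port" with no scheme
            host = urlsplit(f[6]).hostname or f[6].split(":")[0]
            rows.append((float(f[0]), f[2], host))
    return rows

def load_db(rows):
    """DB connector: load collected rows into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE proxy (ts REAL, client TEXT, host TEXT)")
    db.executemany("INSERT INTO proxy VALUES (?, ?, ?)", rows)
    return db

def analyze_beacons(db, min_hits=4, max_jitter=5.0):
    """Analyzer: (client, host) pairs requested at a near-constant interval;
    a hint for the investigator, not evidence."""
    findings = []
    pairs = db.execute("SELECT client, host FROM proxy GROUP BY client, host "
                       "HAVING COUNT(*) >= ?", (min_hits,)).fetchall()
    for client, host in pairs:
        ts = [r[0] for r in db.execute(
            "SELECT ts FROM proxy WHERE client=? AND host=? ORDER BY ts", (client, host))]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            findings.append((client, host, round(statistics.mean(gaps), 1)))
    return findings

def output_terminal(findings):
    """Output: plain terminal rendering of analyzer findings."""
    for client, host, period in findings:
        print(f"[anomaly] {client} -> {host} every ~{period}s")

if __name__ == "__main__":
    output_terminal(analyze_beacons(load_db(collect_squid(SQUID_LOG))))
```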
To Do
• Software engineering
• Add more modules
  – DB Connectors
  – Outputs
  – Collectors
• Create a community a la Yara Exchange
• Spread the word
Questions?
Ernesto Corral
E-mail: [email protected]
Twitter: @xgusix
Project: github.com/xgusix/gummer