malware analysis

introducing Malware Analysis

Upload: prakashchandra-suthar

Post on 04-Aug-2015


Introducing Malware Analysis

Agenda

1. Intro and Recent Malware Attacks
2. Malware Analysis & Types
3. Make Your Own Malware Analysis Toolkit

Malware?

• Generally – Any code that performs evil…

• Today – Executable content with unknown functionality that is resident on a system of investigative interest

Family of Malware

• Virus
• Worms
• Spyware
• Adware
• Rootkits

Why build Malware?

• Fame
• Money $$
• It's a business (not a kiddie)
• Antivirus

Analyzing Malware

• Why analyze malware?
• To assess damage
• To discover indicators of compromise
• To identify vulnerability
• To catch the "Bad Guy"
• To answer questions…

Attacks in Synerzip

• 2007 – DNS hacked
• 2008 – FTP server hacked
• 2010 – DDoS on the DNY network
• 2011 – DoS attack on DNS server
  – False DoS attack on firewall due to Quickoffice Connect application bug
• 2013 – Router hacked @ DNY, ZeroAccess botnet
• 2014 – Zimbra VLAN MITM
• Note – No network is 100% secure, but we can make things difficult for the hackers

Recent malware attacks

What is Cryptolocker?

• Began September 2013
• Encrypts victim's files, asks for $300 ransom
• Impossible to recover files without a key
• Ransom increases after deadline
• Goal is monetary via Bitcoin
• 250,000+ victims worldwide (according to SecureWorks)

Who pays the ransom?

• Police department paid $750 to decrypt images and Word documents

NightHunter – Name explained

NightHunter, because of its use of SMTP (email) for data exfiltration. Email is often overlooked, so it can be a more stealthy way of data theft, akin to hunting at night.

NightHunter Infections To Date

• There are at least 1,800 unique infections

• Number of unique infections per email server:
  – 3OWL: 1000
  – Ieindia: 350
  – Drmike: 200
  – Hanco: 150
  – Gmail: 100*
  – Comcast: 60

NightHunter Delivery

• Email subject/attachment names:
  – Jobs List
  – Inquiry
  – Order
  – PO
  – Purchase Order
  – Payment Slip
  – Reconfirm Pls
  – Remittance Payment Slip
  – WireSlip

NightHunter – How it works?

ZeroAccess Botnet

• Also known as
  – 0Access
  – Sirefef
  – Maxplus
  – Smiscer

Spreads Via

• Drive-by-download sites
• Keygen and crack programs (games)
• Fake game downloads

Capabilities

• Download malware updates via peer-to-peer protocol (ports 16464, 16465, 16470 and 16471)
• Deploy a rootkit to avoid detection
• Disable anti-virus and anti-malware software

Money

• Click fraud – instruct bots to visit
• Spam
• Bitcoin mining – small number of variants

How it works?
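The two network behaviours the slides describe, NightHunter's SMTP exfiltration and ZeroAccess's peer-to-peer update traffic on ports 16464, 16465, 16470 and 16471, both leave traces in ordinary flow logs. The Python script below is an added example (not code from the slides) that runs two detections over constructed flow records: outbound SMTP from an internal host that is not the mail relay, and an internal host contacting many distinct external peers on the P2P ports. The record layout, the 10.0.0.0/8 internal range, the relay address and the peer threshold are assumptions to adapt to your own sensor and network.

```python
"""Flow-log triage for SMTP exfiltration and ZeroAccess-style P2P traffic.

Added example, not code from the original slides. All flow records are
constructed here; field order (timestamp src dst dport proto) is assumed.
"""
from collections import defaultdict
import ipaddress

ZEROACCESS_PORTS = {16464, 16465, 16470, 16471}   # P2P ports named in the slides
SMTP_PORTS = {25, 465, 587}
MAIL_RELAYS = {"10.0.0.25"}                        # assumed: the only host allowed outbound SMTP
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site address range
PEER_THRESHOLD = 5                                 # distinct external P2P peers before alerting (assumed)

# Constructed sample records: "timestamp src dst dport proto"
FLOWS = """\
2014-06-01T09:00:01 10.0.0.25 203.0.113.10 25 tcp
2014-06-01T09:00:05 10.0.0.77 198.51.100.20 25 tcp
2014-06-01T09:00:07 10.0.0.77 198.51.100.20 587 tcp
2014-06-01T09:01:00 10.0.0.88 192.0.2.11 16464 udp
2014-06-01T09:01:01 10.0.0.88 192.0.2.12 16464 udp
2014-06-01T09:01:02 10.0.0.88 192.0.2.13 16471 udp
2014-06-01T09:01:03 10.0.0.88 192.0.2.14 16470 udp
2014-06-01T09:01:04 10.0.0.88 192.0.2.15 16465 udp
2014-06-01T09:01:05 10.0.0.88 192.0.2.16 16464 udp
2014-06-01T09:02:00 10.0.0.90 192.0.2.40 16464 udp
2014-06-01T09:02:30 10.0.0.91 198.51.100.99 443 tcp
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def is_external(ip):
    """External means outside the configured internal ranges (not ipaddress.is_global,
    which treats the documentation ranges used in this sample as non-global)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_smtp_exfil(flows):
    """Internal hosts other than the mail relay talking SMTP to external servers.
    Returns {src: [external mail servers contacted]}."""
    hits = defaultdict(set)
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] in SMTP_PORTS
                and f["src"] not in MAIL_RELAYS and is_external(f["dst"])):
            hits[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def find_p2p_peers(flows, threshold=PEER_THRESHOLD):
    """Hosts contacting at least `threshold` distinct external peers on the P2P ports.
    One stray connection is noise; a fan-out to many peers is the botnet signature."""
    peers = defaultdict(set)
    for f in flows:
        if f["dport"] in ZEROACCESS_PORTS and is_external(f["dst"]):
            peers[f["src"]].add(f["dst"])
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


def triage(text):
    """Run both detections over a flow-log text and return the findings."""
    flows = parse_flows(text)
    return {"smtp_exfil": find_smtp_exfil(flows), "zeroaccess_p2p": find_p2p_peers(flows)}


if __name__ == "__main__":
    for kind, finding in triage(FLOWS).items():
        print(kind, finding)
```

On the sample data the relay's own SMTP traffic is ignored, 10.0.0.77 is reported for sending mail directly to an external server, and 10.0.0.88 is reported for reaching six distinct peers on the ZeroAccess ports while 10.0.0.90, with a single such connection, stays below the threshold.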

How To Analyze Malware

• Static (Source Code) Analysis
• Dynamic (Behavioral) Analysis
• Sandboxing

Static Analysis "The Dissection"

Index

• File hashing
• File type identification
• Packer/Compiler identification
• Entropy analysis
• Strings
• PE header analysis
• Verify signature
• Disassemble
• PDF shellcode analysis
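To show what the first items of this index produce in practice, here is an added Python example (not code from the slides) that hashes a file, identifies its type from magic bytes rather than its extension, measures Shannon entropy, extracts printable strings, and walks the PE header to list sections with a per-section entropy and a packer-name hint. It uses only the standard library; the input is a fake PE image constructed in build_sample(), and the magic-byte table and packer section names are an assumed subset of what a real tool carries.

```python
"""Static triage of one file: hashing, type identification, entropy, strings
and a minimal PE header walk.

Added example, not code from the original slides. Standard library only; the
sample is a fake PE image built in build_sample() so the script runs offline.
"""
import hashlib
import math
import re
import struct

# Magic bytes for types an analyst meets most often (an assumed subset).
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (also Office OOXML, JAR, APK)",
    b"\xd0\xcf\x11\xe0": "OLE2 compound file (legacy Office)",
}
# Section names typically written by packers; a hit is a hint, not proof.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b".aspack", b".petite", b"MPRESS1"}


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of the whole file: the indicators you look up and share."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def file_type(data):
    """Identify by magic bytes, never by extension (the attacker picks the name)."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; packed or encrypted data usually sits above 7.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the classic `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe_header(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE/DOS file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0")
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.decode("ascii", "replace"), "virtual_size": vsize,
                         "entropy": round(shannon_entropy(body), 2),
                         "packer_hint": name in PACKER_SECTIONS})
        off += 40  # sizeof(IMAGE_SECTION_HEADER)
    return {"machine": hex(machine), "timestamp": stamp, "entry_point": hex(entry),
            "sections": sections}


def triage(data):
    """Combine the checks into one report; flag likely packing from the sections."""
    report = {"hashes": file_hashes(data), "type": file_type(data),
              "entropy": round(shannon_entropy(data), 2), "strings": strings(data)}
    if report["type"].startswith("PE"):
        report["pe"] = parse_pe_header(data)
        report["likely_packed"] = any(s["packer_hint"] or s["entropy"] > 7.0
                                      for s in report["pe"]["sections"])
    return report


def build_sample():
    """Constructed sample: a tiny fake PE with one high-entropy UPX1 section."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 0x60  # shortened optional header, enough for the entry point (assumed)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1380000000, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0x200, 0, 0, 0x1000) + b"\0" * (opt_size - 20)
    headers = dos + b"PE\0\0" + coff + opt
    body = bytes((i * 73 + 17) % 256 for i in range(2048)) + b"http://example.invalid/update\0"
    raw_ptr = len(headers) + 40
    section = struct.pack("<8sIIII", b"UPX1", len(body), 0x1000, len(body), raw_ptr) + b"\0" * 16
    return headers + section + body


SAMPLE = build_sample()

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run against a real sample, the report gives you the hashes to search, the true file type, a packed/not-packed verdict from section names and entropy, and the strings (URLs, paths, mutex names) that feed the next stage of analysis.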

DYNAMIC (BEHAVIORAL) ANALYSIS

Dynamic (Behavioral) Analysis

• Static Analysis will reveal some immediate information

• Exhaustive static analysis could theoretically answer any question, but it is slow and hard

• Usually you care more about “what” malware is doing than “how” it is being accomplished

• Dynamic analysis is conducted by observing and manipulating malware as it runs

System Monitoring

• What we are after
  – Registry activity
  – File activity
  – Process activity
  – Network traffic

Anti Techniques

• Anti-virtualization
• Anti-debugging
• Anti-disassembling
• Anti-sandboxing

Make your own Malware Analysis Toolkit Using Free Tools

Step 1: Allocate physical or virtual systems for the analysis lab

• Virtualization software options include
  – VMware Server
  – Windows Virtual PC
  – Microsoft Virtual Server
  – VirtualBox

Step 2: Isolate laboratory systems from the production environment

• Separate the laboratory network from production using a firewall

• Don't connect laboratory and production networks at all

• Use removable media to bring tools and malware into the lab

• Don't use the physical machine that's hosting your virtualized lab for any other purpose.

Step 3: Install behavioral analysis tools

• File system and registry monitoring:
  – Process Monitor
  – Capture BAT

• Process monitoring:
  – Process Explorer
  – Process Hacker

• Network monitoring:
  – Wireshark
  – SmartSniff

• Change detection:
  – Regshot
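Change detection in the Regshot sense means taking a snapshot before the sample runs, another afterwards, and comparing the two; it answers the "file activity" question from the System Monitoring slide without having to watch every call live. The Python script below is an added example (not code from the slides or from Regshot) that does the file-system half of this for a directory tree, hashing every regular file and reporting added, removed and modified paths; registry snapshots need the Windows-only winreg module and are left out. The tree, the simulated sample activity and the file names are all constructed in a temporary directory for the example.

```python
"""Regshot-style change detection for a directory tree (before/after snapshots).

Added example, not code from the original slides or from Regshot. The sample
tree and the simulated "sample run" are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are noise for this purpose
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def diff_snapshots(before, after):
    """Classify paths as added, removed or modified, like Regshot's compare step."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def simulate_sample_run(root):
    """Stand-in for detonating a sample: drop a file, alter one, delete one (constructed)."""
    os.makedirs(os.path.join(root, "AppData", "Roaming"), exist_ok=True)
    with open(os.path.join(root, "AppData", "Roaming", "updater.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)  # fake dropped payload
    with open(os.path.join(root, "hosts"), "a") as fh:
        fh.write("203.0.113.5 update.vendor.invalid\n")  # hosts-file tampering
    os.remove(os.path.join(root, "readme.txt"))


def demo():
    """Build a baseline tree, snapshot, 'run' the sample, snapshot again, and diff."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("baseline\n")
        before = snapshot(root)
        simulate_sample_run(root)
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than comparing timestamps matters because a sample can reset mtime after writing; comparing (size, hash) catches the edit regardless. In a real lab you would snapshot the guest's system drive and profile directories, not a temporary folder, and expect a fair amount of benign churn (logs, caches) that a baseline run without the sample helps you filter out.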

Step 4: Install code-analysis tools

• Disassembler and debugger:
  – OllyDbg / Immunity Debugger
  – IDA Pro

• Memory dumper:
  – LordPE
  – OllyDump

Utilize online analysis tools

• Anubis
• CWSandbox
• Joebox
• Norman SandBox
• ThreatExpert
• Malwr

Cuckoo Sandbox Automated Malware Analysis

Malware Analysis Video

Questions?

Thank You