Malware analysis from the trenches - SAS 2015 (slides: sas2015.inria.fr/mor-sas2015.pdf)
Malware analysis from the trenches
Marcos Orallo
September 8th, 2015
Intro
Who
$ whois [email protected]
• Telecommunications Engineer
• 8 years working in public and private CERTs.
• GREM, GCFA, CISSP, CISA
• NOT a malware reverser
Where
Airbus Group CERT
• Private, non-commercial CERT
• Constituency¹: Airbus Group divisions and other subsidiaries.
• Missions:
  • Coordinate incident response and write report
  • Center for technical expertise
  • Internal and external focal point of contact
¹ The organization (or group of organisations) and/or people whose incidents we handle (or co-ordinate).
Why
To show you how malware analysis is currently done in a CERT (ours).
So that the real experts (you!) will be able to find ideas for improvement.
E.g. show you how lame we are, so you can help us.
CERT
Computer Emergency Response Team®
a.k.a. CSIRT (Computer Security Incident Response Team)
“A CSIRT is a team that responds to computer security incidents by providing all necessary services to solve the problem(s) or to support the resolution of them.
In order to mitigate risks and minimize the number of required responses, most CSIRTs also provide preventative and educational services for their constituency. They issue advisories on vulnerabilities and viruses in the soft- and hardware running on their constituent’s systems.”²
² Source: ENISA
Incident Response: the theory
• We are firefighters.
• We don’t check if fire prevention measures are in place.
• We don’t maintain the smoke detectors and fire extinguishers.
• We don’t test if the materials are flammable.
• We don’t rebuild after the fire.
• We contain and take out the fire.
• We give advice to people on how to prevent the fire.
• We investigate how the fire started.
Incident qualification & threat assessment
• “There is a match for one of the markers provided in advisory X”
• “We have a malware alert!”
• “They have defaced one of our web sites!”
• “This pastebin says someone has pwned us”
Digital forensics and investigation
• Evidence acquisition
• Host forensics
• Network forensics
• e-Discovery
The reality
In a normal business day, a CERT does a little bit of everything
Intelligence collection and sharing
• “What do you know about this IP/domain?”
• “Are you aware of the new $fancy backronym vulnerability?”
• “Have you seen the new report about $scary animal name APT group?”
This means...
• Staying up to date (RSS feeds, twitter, conference papers, reports from infosec companies)
• Keeping record of malicious activities
• Writing advisories and communications
SOC analyst
Security Operations Center
• Manage prevention and detection controls
• Watch for alerts and triage
• Heavily procedured
• SOC operator:
“Is this IDS alert a false positive?”
“We received this malware that our systems don’t detect. Can you analyze it?”
• User:
“Is this e-mail legit? Can I open this attachment?”
Security officer and consultant
• “Should we allow this URL in the proxy?”
• “Can we publish our Exchange server?”
• Policies and procedures
Vulnerability/Abuse report handling
• “Your corporate website is vulnerable”
• “One of your IPs is sending spam”
Awareness raising
• Training
• User awareness
Internal sysadmin
• Who wants to deal with the IT department?
• Let’s deploy our own infrastructure!
Provider management
• Technical specification
• Request for proposals
• Project management
Miscellanea
“If you could do...”
• Data recovery
• Pentesting
• Take down offending/illegal content
Common pattern in CERTs
Lack of manpower
leads to...
• Multitasking (actually context switching)
• Need for processes
• Industrialization whenever possible
Malware analysis in a CERT
What is “malware”?
Any code that makes your computer do what the malware writer wants, and not what YOU want.
• Trojans, Remote Access Tools, “Implants”
• Password stealers, keyloggers, bankers
• Malicious documents and web sites, downloaders, droppers
• Ransomware
• Worms
APT vs BOA
Advanced Persistent Threat
vs.
Basic Opportunistic Annoyance
BOA: Conficker
• First detected in 2008
• Botherders arrested in 2011
• Yes, you still get detections in 2015
BOA: Dridex
“Banker”³ delivered by spam e-mails
1. Attached Word/Excel file with macro that downloads binary
2. Multiple macros, better obfuscation
3. Multi-stage (encoded batch/Powershell script)
4. Payload hosted in the cloud (pastebin)
5. New file formats (RTF, XML, PDF, MIME) with embedded OLE
6. .lnk attachments
³ Online banking password stealer
APT: PlugX
RAT used by multiple attacking groups⁴
• Legitimate signed executable
• Malicious DLL (side loading)
• Encrypted custom configuration
⁴ https://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf
APT: PoisonIvy
• It’s been around since 2005
• Still evolving
• “The AK-47 of RATs”
APT Wars: Episode I
The Phishing Menace
• A VIP user receives a spear phishing⁵ e-mail with a malicious attachment
• “Is this suspicious e-mail dangerous?”
• “The antivirus didn’t block it, so I guess I can open it”
⁵ A malicious e-mail customized for a specific target
APT Wars: Episode II
The SOC Strikes Back
• A SOC operator sees an alert about an EXE running from the %TEMP% folder
• Some unusual network activity is identified from the same machine.
• “Is this malware sample well known?”
• “How bad is it?”
• “Are we protected?”
• “Is it similar to a previously known threat?”
• “Has it been detected before? When, where, how many times?”
User and SOC needs
• High number of analyses
• Both benign and malicious samples
• Many different types of files to analyze
requires...
• Performance
• Effectiveness in detection
• Accept multiple types of input
APT Wars: Episode III
The CERT Awakens
• The SOC escalates the incident as the user has access to critical information.
• The CERT takes a memory dump of the machine for triage, finds an unknown DLL loaded into the explorer.exe process.
• Is it tailor made or off-the-shelf?
• What’s its purpose? (a banker? a RAT? password dumper?)
• How does it spread?
• What does it use for persistence?
• Where does it come from?
• How can I detect it in my constituency?
Indicators of Compromise
• Filename
• Path
• Hash
• Mutex
• Named pipe
• Registry key/value
• Service name
• IP
• Domain
• URL pattern
• User-Agent
• E-mail
  • sender
  • recipient
  • subject
  • attachment name
... and anything that is actionable!
Malware analysis for Incident Response
• The malware has already infected one (or more) machines.
• We need to contain and clean it.
• Time is essential.
• Sample volume is a lot smaller than for a SOC.
this means...
• Performance requirement is not as high
• Comprehensiveness
• Actionable results
Acting on the results
• Search host/network logs
• Check hosts for IOCs
• Monitor/blocking lists in proxies, firewalls.
• Find links
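The indicator types listed on the “Indicators of Compromise” slide (hash, mutex, IP, domain, URL pattern, User-Agent) and the “search host/network logs” and “check hosts for IOCs” steps above, as an added worked example that is not part of the original talk: a small Python sweep over constructed proxy-log lines and a constructed host-artifact inventory. The log format, the indicator values (example.invalid domains, a TEST-NET address, an all-zero placeholder hash, a made-up mutex) and the host names are assumptions made for the example. It also shows the one check a naive grep gets wrong: a domain indicator must match the domain and its subdomains, but not a longer name that merely contains it.

```python
"""Sweep constructed proxy logs and host artifacts for IOCs (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class IocSet:
    """Actionable indicators, grouped by the field they are matched against."""
    domains: set[str] = field(default_factory=set)                # host and its subdomains
    ips: set[str] = field(default_factory=set)                    # destination IP
    url_patterns: list[re.Pattern] = field(default_factory=list)  # regex over the full URL
    user_agents: set[str] = field(default_factory=set)            # exact User-Agent string
    hashes: set[str] = field(default_factory=set)                 # file hashes found on hosts
    mutexes: set[str] = field(default_factory=set)                # mutex names found on hosts


def domain_matches(host: str, domains: set[str]) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.
    A plain substring test would also flag 'notc2.example.invalid'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_proxy_line(line: str) -> dict:
    """Constructed log format: ts<TAB>src_ip<TAB>dst_ip<TAB>url<TAB>user_agent."""
    ts, src, dst, url, ua = line.rstrip("\n").split("\t", 4)  # ValueError if malformed
    return {"ts": ts, "src": src, "dst": dst, "url": url,
            "host": urlsplit(url).hostname or "", "ua": ua}


def sweep_proxy_logs(lines: list[str], iocs: IocSet) -> list[tuple]:
    """Return (line_no, ioc_type, ioc_value, src_ip) for every network IOC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = parse_proxy_line(line)
        except ValueError:
            continue  # skip lines that do not fit the format instead of aborting the sweep
        if domain_matches(rec["host"], iocs.domains):
            hits.append((n, "domain", rec["host"], rec["src"]))
        if rec["dst"] in iocs.ips:
            hits.append((n, "ip", rec["dst"], rec["src"]))
        for pat in iocs.url_patterns:
            if pat.search(rec["url"]):
                hits.append((n, "url_pattern", pat.pattern, rec["src"]))
        if rec["ua"] in iocs.user_agents:
            hits.append((n, "user_agent", rec["ua"], rec["src"]))
    return hits


def sweep_host_artifacts(inventory: dict, iocs: IocSet) -> list[tuple]:
    """inventory: {hostname: {"hashes": set, "mutexes": set}} collected from endpoints.
    Returns (hostname, ioc_type, ioc_value) for each host IOC hit."""
    hits = []
    for host, art in inventory.items():
        hits += [(host, "hash", h) for h in sorted(art.get("hashes", set()) & iocs.hashes)]
        hits += [(host, "mutex", m) for m in sorted(art.get("mutexes", set()) & iocs.mutexes)]
    return hits


def affected_assets(proxy_hits: list[tuple], host_hits: list[tuple]) -> list[str]:
    """Distinct source IPs and hostnames that matched at least one indicator."""
    return sorted({h[3] for h in proxy_hits} | {h[0] for h in host_hits})


# --- constructed sample data (not real indicators) ---------------------------
PLACEHOLDER_HASH = "0" * 64  # stands in for a SHA-256 taken from an analysis report
SAMPLE_IOCS = IocSet(
    domains={"c2.example.invalid"},
    ips={"203.0.113.7"},  # TEST-NET-3 documentation range
    url_patterns=[re.compile(r"/gate\.php\?id=[0-9a-f]{8}")],
    user_agents={"Mozilla/4.0 (compatible; Constructed-UA 1.0)"},
    hashes={PLACEHOLDER_HASH},
    mutexes={"Global\\ConstructedMutex"},
)
SAMPLE_PROXY_LOG = [
    "2015-09-08T09:12:01Z\t10.0.0.5\t198.51.100.1\thttp://www.example.invalid/index.html\tMozilla/5.0",
    "2015-09-08T09:12:09Z\t10.0.0.5\t203.0.113.7\thttp://cdn.c2.example.invalid/gate.php?id=deadbeef\tMozilla/4.0 (compatible; Constructed-UA 1.0)",
    "2015-09-08T09:13:44Z\t10.0.0.9\t198.51.100.2\thttp://notc2.example.invalid/\tMozilla/5.0",
    "this line is not a proxy record",
]
SAMPLE_HOSTS = {
    "WS-0042": {"hashes": {PLACEHOLDER_HASH}, "mutexes": set()},
    "WS-0100": {"hashes": set(), "mutexes": {"Global\\ConstructedMutex"}},
    "WS-0777": {"hashes": set(), "mutexes": set()},
}

if __name__ == "__main__":
    net = sweep_proxy_logs(SAMPLE_PROXY_LOG, SAMPLE_IOCS)
    host = sweep_host_artifacts(SAMPLE_HOSTS, SAMPLE_IOCS)
    for hit in net + host:
        print(hit)
    print("affected assets:", affected_assets(net, host))
```

Every hit carries the line number or hostname it came from, so the output feeds straight into the “find links” step: the same source IP appearing in several hit types, or a hash hit on one host and a mutex hit on another, is what ties separate alerts into one incident.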
Correlation
Threat Intelligence Database
Standard formats
Challenges
• Volume of samples
• Malware zoology
• Multi-stage malware toolkits
• Registry based and memory-only malware
• Lowest level implants (malicious firmware analysis)
• Malware writers learn
TL;DR;
• We need to identify malware, quickly.
  • Automation
  • Scalability
• We want actionable information
  • Comprehensive analysis
  • IOCs
Static analysis of malware
Red vs Blue
• Red team finds and exploits vulnerabilities
  • High level code available
  • Well-behaving targets
• Blue team analyzes exploits and malicious programs
  • Low level code analysis is often the only option
  • The program is your enemy.
Static vs. Dynamic
Pros
• Fast (compared to a sandbox)
• Scalable
• Harder to thwart by the sample
Cons
• Packers
• Complexity
What do we use static analysis for?
• File type identification
• Sample identification and classification
• Triage (malicious pattern detection)
• Packer detection (signatures, entropy)
• Full reversing
46
What is “static analysis”
(for an Incident Responder)
• ASCII/unicode strings
• Antivirus engines (signatures and “heuristics”)
• Hash (classic, fuzzy, imphash. . . )
• Byte patterns (YARA rules!)
• Entropy analysis
• PE⁶ properties
  • Metadata
  • Import/Export table
  • Sections
  • Resources
• Manual disassembly (but remember the time constraints)
⁶ Portable Executable, the most common format for Windows binaries
47
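The list above (hashes, entropy, PE section properties, ASCII/unicode strings) and the packer-detection bullet on the earlier slide are what a first static pass actually computes. The following is an added example written for this deck, not code from the talk or from any of the tools it names: a stdlib-only triage that hashes a file, walks the PE section table, reports per-section entropy as a packer hint, and pulls ASCII and UTF-16LE strings. The PE sample it runs on is constructed inline (a low-entropy `.text` section with two plain strings and a high-entropy `UPX1` section of random bytes); the parser is a minimal one for this example, and imphash is left to pefile.

```python
"""Static triage of a PE file using only the Python standard library:
hashes, per-section entropy as a packer hint, and ASCII/UTF-16LE strings.
Minimal PE parser written for this example; use pefile (imphash too) for real work."""
import hashlib
import json
import math
import random
import re
import struct
from collections import Counter

HIGH_ENTROPY = 7.0                 # bits/byte; compressed or encrypted data sits near 8.0
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")          # printable ASCII, 5+ chars
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")   # UTF-16LE, 5+ chars


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def extract_strings(data: bytes):
    """(ascii_strings, wide_strings), roughly what `strings -a` and `strings -el` print."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide_strings = [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return ascii_strings, wide_strings


def triage(data: bytes) -> dict:
    """One-shot static summary: hashes, sections, packer hint, strings."""
    sections = parse_sections(data)
    ascii_strings, wide_strings = extract_strings(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": sections,
        # A high-entropy executable section is the classic packer (e.g. UPX) tell.
        "packed_sections": [s["name"] for s in sections
                            if s["executable"] and s["entropy"] >= HIGH_ENTROPY],
        "ascii_strings": ascii_strings,
        "wide_strings": wide_strings,
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in for a packed binary (not a real sample): a low-entropy
    .text section with two plain strings and a high-entropy 'UPX1' section."""
    rng = random.Random(2015)
    text = (b"\x90" * 256 + b"http://example.invalid/update\0\0"
            + "kernel32.dll".encode("utf-16le") + b"\0\0").ljust(512, b"\0")
    packed = bytes(rng.getrandbits(8) for _ in range(2048))
    opt_size = 224                                    # PE32 optional header size
    text_off = 64 + 4 + 20 + opt_size + 40 * 2        # headers, then sections back to back
    packed_off = text_off + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")

    def section(name, vaddr, raw, off, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), off, 0, 0, 0, 0, chars)

    table = (section(b".text", 0x1000, text, text_off, 0x60000020)
             + section(b"UPX1", 0x2000, packed, packed_off, 0xE0000040))
    return dos + b"PE\0\0" + coff + opt + table + text + packed


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

Run against a real file by replacing `build_sample_pe()` with the file's bytes; the entropy threshold of 7.0 is a rule of thumb that flags compressed resources as readily as packers, which is why the section name and its executable flag are reported alongside it.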
Tools
• strings
• PeID
• PeStudio
• pescanner
• ExifTool
• YARA
• IRMA (antivirus)
• signsrch
• oledump.py
• IDA Pro
• . . .
48
Ideas & Wishlist
49
“Big data” static analysis
• Imagine collecting every binary that is seen on an enterprise.
• What could you do with such a corpus?
50
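One concrete answer to "what could you do with such a corpus", as an added example that is not part of the talk: with every binary seen in the enterprise recorded as (host, sha256, imphash, path), prevalence alone separates the long tail from the standard build, and grouping the rare tail by imphash surfaces repacked variants of one family that a per-hash blocklist would miss. The corpus, hosts and hash values below are constructed placeholders.

```python
"""Prevalence and imphash clustering over an enterprise binary corpus.
Every record and hash value here is constructed for the example."""
from collections import defaultdict

# Constructed observations; the "sha-*"/"imp-*" values stand in for real digests.
CORPUS = [
    {"host": "ws-001", "sha256": "sha-word", "imphash": "imp-office", "path": r"C:\Program Files\Office\winword.exe"},
    {"host": "ws-002", "sha256": "sha-word", "imphash": "imp-office", "path": r"C:\Program Files\Office\winword.exe"},
    {"host": "ws-003", "sha256": "sha-word", "imphash": "imp-office", "path": r"C:\Program Files\Office\winword.exe"},
    {"host": "ws-001", "sha256": "sha-note", "imphash": "imp-note", "path": r"C:\Windows\notepad.exe"},
    {"host": "ws-002", "sha256": "sha-note", "imphash": "imp-note", "path": r"C:\Windows\notepad.exe"},
    # Two files with different content hashes but the same import table, one host each:
    # the shape of a repacked/polymorphic family that a hash blocklist never catches.
    {"host": "ws-003", "sha256": "sha-x1", "imphash": "imp-z", "path": r"C:\Users\u3\AppData\Local\Temp\a.exe"},
    {"host": "ws-004", "sha256": "sha-x2", "imphash": "imp-z", "path": r"C:\Users\u4\AppData\Local\Temp\b.exe"},
    # A genuine one-off: rare, but with nothing to cluster it against.
    {"host": "ws-005", "sha256": "sha-y1", "imphash": "imp-y", "path": r"C:\Tools\inhouse.exe"},
]


def prevalence(corpus):
    """sha256 -> set of hosts on which that exact file was observed."""
    hosts = defaultdict(set)
    for rec in corpus:
        hosts[rec["sha256"]].add(rec["host"])
    return hosts


def rare_files(corpus, max_hosts=1):
    """Hashes seen on at most max_hosts hosts: the long tail worth a first look."""
    return {sha for sha, hosts in prevalence(corpus).items() if len(hosts) <= max_hosts}


def imphash_clusters(corpus):
    """imphash -> set of distinct sha256 values sharing that import table."""
    clusters = defaultdict(set)
    for rec in corpus:
        clusters[rec["imphash"]].add(rec["sha256"])
    return clusters


def suspicious_clusters(corpus, max_hosts=1, min_variants=2):
    """Import-table clusters made up of several rare variants, as
    imphash -> sorted sha256 list, so the analyst pivots on the cluster, not one hash."""
    rare = rare_files(corpus, max_hosts)
    return {imp: sorted(shas) for imp, shas in imphash_clusters(corpus).items()
            if len(shas & rare) >= min_variants}


if __name__ == "__main__":
    print("rare:", sorted(rare_files(CORPUS)))
    print("clusters:", suspicious_clusters(CORPUS))
```

The same two passes generalise to ssdeep or section-hash similarity in place of imphash; imphash is used here because it is cheap to compute at collection time and survives recompilation as long as the import table does.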
Script based malware
For once, we have the source code :-)
But it is obfuscated in most cases.
• Office Macros (VBScript)
• PDF javascript
• Malicious web javascript
• Powershell
• Python
51
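Having the source does not mean having the strings: macro droppers typically assemble URLs and paths from `Chr()` calls, reversed literals and concatenation. The following is an added example, not code from the talk: a small constant folder that reduces that subset of VBA-style string building to literals without executing anything, carrying earlier variable assignments into later ones and reporting, rather than running, any line outside the subset. The parser, the function names and the macro fragment (reserved example domain, no real sample) are all constructed for this example.

```python
"""Static constant folding for obfuscated VBA-style string building: Chr()/ChrW(),
StrReverse(), "&"/"+" concatenation, parentheses and earlier variables.
Nothing is executed. Mini parser written for this example, not a VBA interpreter."""
import re

TOKEN_RE = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|([()&+]))')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def tokenize(text):
    """('str' | 'num' | 'id' | 'punct', value) tokens; VBA doubles quotes inside literals."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        lit, num, ident, punct = m.groups()
        if lit is not None:
            tokens.append(("str", lit[1:-1].replace('""', '"')))
        elif num is not None:
            tokens.append(("num", int(num)))
        elif ident is not None:
            tokens.append(("id", ident))
        else:
            tokens.append(("punct", punct))
    return tokens


class Folder:
    """Recursive descent: expr := term (('&' | '+') term)*."""

    def __init__(self, tokens, env):
        self.toks, self.i, self.env = tokens, 0, env

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise ValueError(f"expected {kind or 'token'} {value or ''}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):
        out = self.term()
        while self.peek() in (("punct", "&"), ("punct", "+")):
            self.i += 1
            out += self.term()
        return out

    def paren(self):
        """'(' expr ')' -> folded inner string."""
        self.take("punct", "(")
        inner = self.expr()
        self.take("punct", ")")
        return inner

    def term(self):
        if self.peek() == ("punct", "("):
            return self.paren()
        kind, val = self.take()
        if kind == "str":
            return val
        if kind == "id":
            name = val.lower()
            if name in ("chr", "chrw"):            # Chr(104) -> "h"
                self.take("punct", "(")
                code = self.take("num")[1]
                self.take("punct", ")")
                return chr(code)
            if name == "strreverse":               # StrReverse("cba") -> "abc"
                return self.paren()[::-1]
            if name in self.env:                   # variable folded on an earlier line
                return self.env[name]
            raise ValueError(f"unknown identifier or unsupported call: {val}")
        raise ValueError(f"unexpected token {(kind, val)!r}")


def fold_expression(text, env=None):
    """Fold one expression; ValueError on anything outside the supported subset."""
    folder = Folder(tokenize(text), env or {})
    value = folder.expr()
    if folder.i != len(folder.toks):
        raise ValueError(f"trailing tokens from {folder.toks[folder.i]!r}")
    return value


def fold_script(source):
    """Fold each `name = <expr>` line in order so later lines can use earlier names;
    lines outside the subset are listed under 'skipped' with the reason, never run."""
    env, skipped = {}, []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        try:
            env[m.group(1).lower()] = fold_expression(m.group(2), env)
        except ValueError as exc:
            skipped.append((lineno, str(exc)))
    return {"strings": env, "skipped": skipped}


# Constructed macro fragment (reserved example domain, no real sample involved).
SAMPLE_MACRO = r"""
' constructed sample
h = Chr(104) & Chr(116) & Chr(116) & Chr(112)
host = StrReverse("dilavni.elpmaxe")
u = h & "://" & host & "/" & ("up" + "date") & ".exe"
Set sh = CreateObject("WScript.Shell")
t = Environ("TEMP") & "\out.dat"
"""

if __name__ == "__main__":
    for name, value in fold_script(SAMPLE_MACRO)["strings"].items():
        print(f"{name} = {value!r}")
```

The `skipped` list is the point of doing this statically: a line like the `Environ("TEMP")` one is reported with the call that stopped the folder instead of being evaluated, so extending the subset is a deliberate decision per function rather than an accident of running the macro.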
52
Think outside the (static) box
• Can dynamic analysis give useful information?
• Can you provide useful info for dynamic analysis?
• What checks/conditions would prevent the execution of a big portion of the program?
• What kind of properties of the environment trigger certain API calls?
• Are there “time-bombs” that would make the execution too long or the logs too big?
53
Help with obfuscation
• Can you reach an unpacked stage without actually running the malware?
• What can you do to fix imports of a dumped process?
• Can you determine what’s the real list of imported functions?
• Can you extract dynamically constructed or obfuscated strings?
54
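For the last question, the cheapest static answer covers a large share of samples: strings hidden with a single-byte XOR key. Below is an added example, not code from the talk or from xorsearch (which does this for real): every one of the 256 keys is tried, printable runs are kept only when they contain a keyword (random bytes decode to printable junk under many keys), and the keys are ranked by how many strings they explain. The binary blob, the key 0x5A and the keyword list are constructed for this example.

```python
"""Recover single-byte-XOR-obfuscated strings from a binary without running it.
Example written for this slide; the input blob is constructed, not a real sample."""
import random
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Substrings that make a decoded run worth reporting; a bare printable run means
# little because random bytes decode to printable junk under many keys.
KEYWORDS = (b"http", b".exe", b".dll", b"kernel32", b"%temp%")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_strings(data: bytes) -> list:
    """Try all 256 keys (key 0 = the plain file) and report keyword-bearing runs."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        for m in ASCII_RUN.finditer(decoded):
            run = m.group()
            if any(k in run.lower() for k in KEYWORDS):
                hits.append({"key": key, "offset": m.start(), "string": run.decode("ascii")})
    return hits


def rank_keys(hits: list) -> list:
    """(key, hit count) pairs, most productive key first: the key that explains
    the most strings is the one the sample most likely uses."""
    counts = {}
    for h in hits:
        counts[h["key"]] = counts.get(h["key"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def build_sample_blob() -> bytes:
    """Constructed blob: random filler, one plain string and two strings XOR-ed with
    key 0x5A, imitating a binary that decodes its configuration at run time."""
    rng = random.Random(7)

    def filler(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    key = 0x5A
    return (filler(200) + b"kernel32.dll\0" + filler(100)
            + xor_bytes(b"http://example.invalid/update.exe\0", key) + filler(150)
            + xor_bytes(b"%TEMP%\\update.dat\0", key) + filler(200))


if __name__ == "__main__":
    found = find_xor_strings(build_sample_blob())
    print("keys:", rank_keys(found))
    for h in found:
        print(f"key=0x{h['key']:02x} off={h['offset']:#06x} {h['string']!r}")
```

A decoded run can extend past the real string into neighbouring bytes that happen to be printable (the NUL terminator itself decodes to 'Z' under 0x5A), so results are matched by substring; multi-byte or rolling keys need a different search and are out of scope here.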
How to be awesome useful
1 Embrace the Suck
2 Do It in Public
3 Pick Stuff That Matters
(by Jeff Atwood, the Stack Overflow and Coding Horror guy)⁷
⁷ http://blog.codinghorror.com/how-to-stop-sucking-and-be-awesome-instead/
55
PoC
Release code! Try the GitHub experience. Bitbucket is ok too :-)
• README and examples
• Make a docker image
• Integrate into REMnux
56
Make it easy to adopt
Integrate into existing frameworks and workflows
• Develop a Rebus⁸ agent
• Implement a Volatility plugin
• Create a YARA module
• Make an IRMA probe
• Code an IDA or OllyDbg plugin
⁸ https://bitbucket.org/iwseclabs/rebus
57
Thanks for your attention! Now. . .
58
References
Slides 8, 10: Backdraft (movie, 1991)
Slide 17: Halt and Catch Fire (tv show, 2014)
Slide 18: Watchmen (comic). Image from dropthecow.com
Slide 19: The IT Crowd (tv show, 2006)
Slide 21: Office Space (movie, 1999)
Slides 11, 72: Mr. Robot (tv show, 2015)
Slide 12: Image by Mila Atkovska (Shutterstock)
Slide 13: Victorinox SwissChamp knife. Image from zombie.wikia.com
Slide 23: Image by Jameson Gagnepain on flickr.com (CC BY-NC-SA 2.0)
Slide 29: Unknown author. Image from imgneed.com
Slide 31: Unknown author. Image from pinterest.com
59
Backup slides
60
Malware sample sources
• VirusTotal Intelligence ($$$)
• Mailing lists
• Spam traps, honeypots, honeyclients
• Web repositories⁹
  • Malwr.com
  • ContagioDump (http://contagiodump.blogspot.com)
  • VXvault.net
  • Virusshare.com
⁹ https://zeltser.com/malware-sample-sources/
61
62