Malware Analysis - What to learn from your invaders

Upload: tazdrumm3r

Posted on 19-Aug-2015

TRANSCRIPT

1. Malware Analysis - What to learn from your invaders
2. Disclaimer
   - All opinions expressed during this talk are mine and do not reflect those of my employer.
   - I will not be held responsible for any damage you do to your system at home. I do not condone you doing this at work, especially in a production environment.
   - Be aware this is live malware we're talking about, and if you don't take the proper precautions, it's on your dime, not mine. :)
   - This talk is about learning about the everyday, ever-evolving threats that face anyone on the Internet. <scare tactic>
3. Agenda
   - Whoami
   - Tools
   - Analysis
   - Resources
4. Whoami
   - Father
   - Geek
   - Drummer
   - SIEM Manager by day, malware analyst by night... when I can...
5. Background
6. Tools
   - VirtualBox
   - Remnux
   - Regshot
   - FakeNet
   - DNSChef
   - Wireshark
   - PEStudio
   - Volatility
7. Samples
   - "Unpaid taxes. Notice #12831" phishing email
   - LogMeIn spear phishing link
   - Vendor site cart purchase phishing email
8. "Unpaid taxes. Notice #12831" phishing email
9. "Unpaid taxes. Notice #12831" phishing email
10. LogMeIn spear phishing
11. Vendor site cart purchase phishing email
12. Static analysis
   - Regshot
   - Remnux tools (imports, pescan, pescanner, pyew.txt)
   - PEStudio
13. Vendor site cart purchase phishing email
14. Vendor site cart purchase phishing email
15. Behavioral analysis
   - How does it react?
   - What does it do?
16. Lab configuration
   - VirtualBox
   - Windows 7 (victim, of course)
   - Remnux 6.0 (Ubuntu 14.04)
   - Traffic capture: Wireshark
   - Procmon
17. Network behavior analysis - First attempt
18. Network behavior analysis - First attempt (slide lists the IP addresses contacted during the first capture)
19. Network behavior analysis - Second attempt
20. Network behavior analysis - Third attempt
21. Host analysis - Files
22. Host analysis - Processes (Procmon capture; columns: Time of Day, Process Name, PID, Operation, Path, Detail)
   9:45:03.5627178 PM  Explorer.EXE  644  Process Create  C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr
       PID: 2684, Command line: "C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S
   9:45:04.5837508 PM  Invoice_06.04.2014.pdf.scr  2684  Process Create  C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe
       PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"
   9:45:05.6715395 PM  Invoice_06.04.2014.pdf.scr  2684  Process Create  C:\Windows\SysWOW64\cmd.exe
       PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"
   9:45:05.6715490 PM  cmd.exe  2316  Process Start
       Parent PID: 2684, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat", Current directory: C:\tools\Malware\tazdrummer\Invoice_06.04.2014
   9:45:05.9865492 PM  Invoice_06.04.2014.pdf.scr  2684  Process Exit
   9:45:06.0210210 PM  conhost.exe  3048  Process Start
       Parent PID: 392, Command line: \??\C:\Windows\system32\conhost.exe "7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309", Current directory: C:\Windows\system32
   9:45:07.1049881 PM  WinMail.exe  2588  Process Start
       Parent PID: 608, Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
   9:45:20.7850986 PM  rundll32.exe  1064  Process Start
       Parent PID: 1236, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "C:\users\keith\appdata\local\temp\ettevaupeqe.exe"
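The Procmon capture above is the kind of host evidence the "Where can it be used? SIEM" slide refers to. As an added example (not from the deck), the script below rebuilds the parent/child process tree from Procmon-style "Process Create" rows and flags the sequence the capture shows: a .scr launching an executable from the user's Temp folder and cmd.exe /c on a .bat. The rows are constructed from the slide's values (shortened timestamps); the regexes and the detection rule are the example's own.

```python
import re

# Constructed Procmon-style rows in the slide's column order (Time of Day, Process Name,
# PID, Operation, Path, Detail); PIDs, paths and command lines mirror the capture.
PROCMON_ROWS = [
    ("9:45:03 PM", "Explorer.EXE", 644, "Process Create",
     r"C:\tools\Malware\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr",
     r'PID: 2684, Command line: "C:\tools\Malware\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S'),
    ("9:45:04 PM", "Invoice_06.04.2014.pdf.scr", 2684, "Process Create",
     r"C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe",
     r'PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"'),
    ("9:45:05 PM", "Invoice_06.04.2014.pdf.scr", 2684, "Process Create",
     r"C:\Windows\SysWOW64\cmd.exe",
     r'PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"'),
    ("9:45:05 PM", "Invoice_06.04.2014.pdf.scr", 2684, "Process Exit", "", ""),  # non-Create row, skipped
]

CHILD_PID = re.compile(r"PID:\s*(\d+)")            # Process Create detail carries the child's PID
CMDLINE = re.compile(r"Command line:\s*(.*)$")
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def build_tree(rows):
    """Map child PID -> {name, parent, path, cmdline} from Process Create rows."""
    procs = {}
    for _time, _parent_name, parent_pid, operation, path, detail in rows:
        pid_match = CHILD_PID.search(detail)
        if operation != "Process Create" or pid_match is None:
            continue
        cmd = CMDLINE.search(detail)
        procs[int(pid_match.group(1))] = {
            "name": path.rsplit("\\", 1)[-1], "parent": parent_pid, "path": path,
            "cmdline": cmd.group(1) if cmd else "",
        }
    return procs


def children(procs, pid):
    """PIDs whose recorded parent is `pid`, in ascending order."""
    return sorted(c for c, p in procs.items() if p["parent"] == pid)


def flag_dropper_chains(procs):
    """Flag a .scr whose children include an .exe in the user's Temp folder and cmd.exe running a .bat."""
    findings = []
    for pid, proc in procs.items():
        if not proc["name"].lower().endswith(".scr"):
            continue
        kids = [procs[c] for c in children(procs, pid)]
        temp_exe = [k for k in kids if USER_TEMP.search(k["path"]) and k["name"].lower().endswith(".exe")]
        bat_cmd = [k for k in kids if k["name"].lower() == "cmd.exe" and ".bat" in k["cmdline"].lower()]
        if temp_exe and bat_cmd:
            findings.append({"scr_pid": pid, "dropped": temp_exe[0]["path"], "batch": bat_cmd[0]["cmdline"]})
    return findings
```

On real captures, export Procmon to CSV and feed the same six columns in; the tree then also answers the "what did it do" question from slide 15 without re-running the sample.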
23. Wrapping up
   - What's been learned?
     - Network activity
     - Host based activity
   - Where can it be used?
     - SIEM
24. Resources
   - Blogs
     - Lenny Zeltser's blog - https://zeltser.com/
     - Malware Analysis blog - http://www.malware-traffic-analysis.net/
     - MalwareMustDie blog - http://blog.malwaremustdie.org/
     - Malwageddon's blog - http://malwageddon.blogspot.com/
     - MalwareDontNeedCoffee blog - http://malware.dontneedcoffee.com/
   - Live samples
     - Contagio - http://contagiodump.blogspot.com/
     - Malc0de database - http://malc0de.com/database/
   - Tools
     - VirtualBox
     - Remnux
     - SysInternals
     - Volatility
25. Resources
   - Training
     - OpenSecurityTraining.Info - http://opensecuritytraining.info/
26. Questions
   - Twitter - @Tazdrumm3r
   - Email - [email protected]
   - Blog - https://tazdrumm3r.wordpress.com