Reverse Engineering & Malware Analysis
Must-Know Cybersecurity Statistics
“In Q3 2016 alone, 18 million new malware samples were captured.” - Panda Labs
“More than 4,000 ransomware attacks have occurred every day since the beginning of 2016.” - CCIPS
“78% of people claim to be aware of the risks of unknown links in emails. And yet they click anyway.” - Friedrich-Alexander University
Must-Know Cybersecurity Statistics
“52% of organizations that suffered successful cyber attacks in 2016 aren't making any changes to their security in 2017” - Barkly, December 2016
What is Malware?
The term malware is a contraction of malicious software.
Any piece of software that was written with the intent of doing harm to data, devices or people.
Viruses
Worms
Intrusion Tools
Spyware
Ransomware
Rootkits
CCleaner Malware
Targeting Windows devices.
Discovered on 13/9/2017.
Suspected to be the work of a Chinese hacking group called Axiom.
Hackers compromised a portion of CCleaner’s development process.
They inserted malware into the CCleaner build that was released and hosted by the organization.
The malware consists of two stages.
The researchers believe the second-stage malware was likely intended for industrial espionage.
Linux.ProxyM Malware
Discovered on 22/9/2017.
Targeting Linux devices.
It acts as a mass spam mailer.
Hackers used default credentials to access the devices.
Can operate on any IoT device running Linux with one of the following architectures:
x86
MIPS
PowerPC
ARM
SPARC
Motorola 68000
AndroidOS_ZNIU Malware
Discovered on 26/9/2017.
Targeting Android devices.
The malware uses a year-old privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, to gain root access on the device.
It serves as a backdoor for potential remote-control attacks in the future.
It also makes payments via premium SMS messages sent on behalf of the device user.
Why Analyze Malware?
To assess damage.
To discover indicators of compromise.
To determine the sophistication level of an intruder.
To identify a vulnerability (zero-days like the SMB bug…).
To catch the “bad guy”®.
To stop the spread of malware.
To answer questions…
Why Analyze Malware?
Business Questions:
What is the purpose of the malware?
How did it get here?
Who is targeting us and how good are they?
How can I get rid of it?
What did they steal?
Why Analyze Malware?
Business Questions:
How long has it been here?
Does it spread on its own?
How can I find it on other machines?
How do I prevent this from happening in the future?
Technical Questions:
Network indicators?
Host-based indicators?
Persistence mechanism?
What language was it written in?
Is it packed?
Anti-analysis?
Malware Analysis Techniques
Dynamic Analysis
Executing the malware. Simple, fast. Easy to miss things.
Static Analysis
Reverse engineering. Slow, needs deep technical knowledge. With enough time anything can be reversed.
Hybrid Static/Dynamic
Most analysis is a mixture: you find something in the disassembly, then you confirm/investigate while the malware is executing.
Memory Forensics.
Preparing a Safe Environment
Each malware sample requires an environment matching its target system.
Do Not Run Malware on Your Computer!
To be safe there are two choices:
Grab some devices on an isolated network, create disk images, and re-image the target machine to return it to a pristine state.
Adv: malware can’t easily detect that it is running in a honeypot.
Disadv: time consuming, hard to implement, costs a lot.
Use virtualization to make things fast and safe.
Adv: easy to implement.
Disadv: some malware can detect the virtual environment and stop executing.
Virtual Machines as a Safe Environment
Use WinXP for dynamic and static analysis of Windows executables.
Compatible with almost all malware.
Does not require high specs.
Less security control (let the malware do what it likes).
Use REMnux for static analysis.
Linux distribution created for malware analysis.
Many tools to extract information from malware.
Supports analysis of many file types: .exe, .doc, .pdf, .bin
Pre-installed static and network analysis tools.
Preparing a Safe Environment
It is easier to perform analysis if you allow the malware to “call home”…
However:
The attacker might change his behavior.
Your IP might become the target for additional attacks (consider using TOR).
You may end up attacking other people.
Preparing a Safe Environment
Therefore, we usually do not allow malware to touch the real network.
Use the host-only networking feature of your virtualization platform.
Establish real services (DNS, Web, etc.) on your host OS or other virtual machines.
Use netsim and netcat to create listening ports and interact with text-based clients.
Build custom controlling servers as required (usually in a high-level scripting language).
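A minimal fake DNS service for the host-only lab network described above, in the fakedns role: it answers every A lookup with a sinkhole address so the malware's "call home" traffic lands on the analyst's own fake web server, and logs each queried name as a network IOC. This is an added example, not code from the slides; the sinkhole address and the hostname used to exercise it are assumed.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # assumed: the host-only address where the analyst's fake web server listens

def parse_qname(packet, offset=12):
    # walk the length-prefixed labels after the 12-byte header; returns the name and the end offset
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_query(name, qtype=1, txid=0x1234):
    # constructed client query (what the malware's resolver would send), used to exercise the responder
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)

def build_response(query, ip=SINKHOLE_IP):
    # answer every A query with the sinkhole address; other types get an empty NOERROR reply
    name, end = parse_qname(query)
    qtype = struct.unpack(">H", query[end:end + 2])[0]
    question = query[12:end + 4]  # QNAME + QTYPE + QCLASS, echoed back verbatim
    answers = b""
    if qtype == 1:
        answers = (b"\xc0\x0c"  # compression pointer to the QNAME at offset 12
                   + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip))
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1 if answers else 0, 0, 0)
    return name, header + question + answers

def serve(bind="0.0.0.0", port=53):
    # UDP loop for the analysis VM's DNS server; every lookup is logged as a network IOC
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, client = sock.recvfrom(512)
        name, reply = build_response(data)
        print(f"{client[0]} asked for {name} -> {SINKHOLE_IP}")
        sock.sendto(reply, client)

if __name__ == "__main__":
    serve()
```

Point the analysis VM's DNS setting at the machine running this script; binding port 53 needs root, so use a high port plus a redirect rule if you prefer not to run it privileged.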
Dynamic Analysis
Dynamic analysis is conducted by observing and manipulating malware as it runs.
Usually you care more about “what” the malware is doing than “how” it is being accomplished.
Monitor the system for changes and IOCs.
Use snapshots to save time.
Many virtualization products offer snapshots.
You can return to a saved state at any time.
System Monitoring
We need to monitor:
Registry Activity: Regshot, Sysinternals Process Monitor, etc.
File Activity: Sysinternals File Monitor
Process Activity: Process Monitor and Process Hacker
Network Traffic: Wireshark, netsim, fakedns, Sysinternals TCPView.
Process Monitor
One of the most powerful tools for a malware analyst.
Its power resides in the filter configuration.
Wireshark and TCPView
Wireshark is a protocol analyzer that captures and decodes network traffic.
Wireshark is not aware of which process generates the traffic.
TCPView can show the process name and ID that is making connections, together with the destination IP and port used in the connection.
Using TCPView and Wireshark together we can connect the traffic to each process.
Static Analysis
Collect information about an executable file without running it.
Search for interesting strings to act as IOCs.
Create a fingerprint for the malware (hash using SHA-256).
Gather info about the executable structure (PE headers).
Search for known crypto and packer signatures.
Extracting Strings
Using the strings command in REMnux.
Using the strings command added by the MAP tool installed on Windows.
Be careful about drawing conclusions:
There is nothing stopping the attacker from planting strings meant to deceive the analyst.
PE Headers Analysis
The architecture of the executable: x86 or x64.
Compilation date.
Signs of a packed executable.
Number of sections and their properties.
Tools to parse the PE headers:
Peframe - REMnux
Pescanner - REMnux
CFF Explorer - Windows
PEview - Windows
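The static-analysis steps above (SHA-256 fingerprint, strings as IOCs, PE header triage) done by hand in one script, as an added example rather than the slides' own tooling: it reads the COFF header for architecture and build timestamp, walks the section table, and flags packing from section entropy or a UPX-style section name. The two PE images it works on are constructed inline (the C2 URL and timestamp are made-up sample values), so it runs without a real sample.

```python
import hashlib
import math
import re
import struct
from datetime import datetime, timezone

def ascii_strings(data, min_len=4):
    # printable ASCII runs, the same thing the strings command reports
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def entropy(data):
    # Shannon entropy in bits/byte; compressed or encrypted sections sit near 8
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in (data.count(b) for b in set(data)))

def parse_pe(data):
    # triage a PE image: fingerprint, architecture, build time, sections, packing hint
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _, _, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(),
                         "entropy": round(entropy(data[rptr:rptr + rsize]), 2)})
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "arch": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),  # IMAGE_FILE_MACHINE_*
        "compiled": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "sections": sections,
        # packer signs: a near-8-bit-entropy section or a well-known packer section name
        "packed_hint": any(s["entropy"] > 7.0 or s["name"].startswith("UPX") for s in sections),
    }

def build_sample(section_data, name=b".text", ts=1505260800):
    # constructed minimal PE: DOS header, PE signature, COFF header, no optional header, one section
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x0102)
    raw_ptr = pe_off + 4 + 20 + 40
    sect = struct.pack("<8sIIIIIIHHI", name, len(section_data), 0x1000, len(section_data),
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + section_data

# constructed inputs: an unpacked sample carrying a made-up C2 URL, and a UPX-style high-entropy one
PLAIN = build_sample(b"\x55\x8b\xec" + b"http://c2.example.invalid/beacon\0" + b"\0" * 40)
PACKED = build_sample(bytes(range(256)) * 4, name=b"UPX1")
```

On a real file, replace the constructed inputs with `parse_pe(open(path, "rb").read())`; a 32-bit sample with a fresh timestamp, few sections and a near-8-bit entropy section is a strong packing hint.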
Extracting Data
Malware can pack exploits and other malicious executables in its resources section.
To identify and extract them we use:
Resource Hacker - Windows
bulk_extractor - REMnux
Signsrch - REMnux
Foremost - REMnux
Disassembly and Reverse Engineering
Automated disassemblers can take machine code and “reverse” it to a slightly higher level.
Many tools can disassemble x86 and x64 code:
objdump, OllyDbg, IDA Pro
But IDA Pro is what everyone uses.
Manual examination of disassembly is somewhat painstaking, slow, and can be hard.
Keep your goals in mind and don’t get bogged down.
Disassemblers – IDA Pro
It automatically identifies code and data.
It groups instruction streams into functions and shows their arguments.
It can show code flow as a graph.
It automatically identifies library functions of common compilers.
You can easily navigate the whole binary, rename any location to a descriptive name and add comments.
The Future Relies on Automating Malware Analysis
Malware analysts now focus on using machine learning to catch malware.
Sandboxes can be very useful.
You can try the Cuckoo sandbox:
Open source.
Great performance.
Can be used to gather initial info before digging in manually.
Easy-to-use APIs.