aleph - Malware analysis pipelining for the masses
![Page 1: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/1.jpg)
aleph
Malware analysis pipelining for the masses
![Page 2: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/2.jpg)
Who are we?
Jan Seidl @jseidl
Aleph Project Lead Developer
*NIX/BSD freak
Digital tools blacksmith / python & C lover
Lousy guitar player
Coffee dependent
Hates printers, doesn't like social networks
Selectively-social
![Page 3: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/3.jpg)
Who are we?
Actually we are a bunch of people...
![Page 4: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/4.jpg)
Malware
![Page 5: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/5.jpg)
Definition
'Malware' is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.
(Wikipedia)
![Page 6: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/6.jpg)
Malware growth
![Page 7: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/7.jpg)
Detecting malware
![Page 8: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/8.jpg)
Detecting malware
● Signature-based
  ● Sample must be previously known and flagged as malicious
● Heuristics-based
  ● Can trigger loads of false positives
● Behavior-based
  ● Can trigger loads of false positives
![Page 9: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/9.jpg)
Detection is not enough
You need to understand the malware
![Page 10: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/10.jpg)
Understanding malware
● Feature extraction
  ● Which characteristics does this file have?
● Feature correlation
  ● Make sense of feature combinations / disposition
● Sample correlation & family classification
  ● Identify common features between different samples
![Page 11: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/11.jpg)
Understanding malware
● Enables you to identify families
● Enables you to identify acting groups
● Enables you to identify techniques
● Enables you to identify trends
![Page 12: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/12.jpg)
Manual approach
Everyday workhorse method
![Page 13: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/13.jpg)
Manual approach
● Use lots of separate tools to extract data from sample (each in its own format)
● Correlate output from the tools using spreadsheets, word files, napkins, tears
![Page 14: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/14.jpg)
![Page 15: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/15.jpg)
Manual approach
● Find out new samples embedded into original sample
● Rinse, repeat, get more whiskey/coffee
![Page 16: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/16.jpg)
![Page 17: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/17.jpg)
Automated approach
Pipeline method
![Page 18: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/18.jpg)
Automated approach
● Insert sample into one end
● Wait until processing is done
● Get report on the other end
● Get emotional about hours of work saved
● Focus on the most important evidence
![Page 19: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/19.jpg)
![Page 20: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/20.jpg)
Commercial players
Giving you some free analysis while you feed their database for free
![Page 21: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/21.jpg)
● Akana (Android files)
● Anubis
● BitBlaze Malware Analysis Service
● Comodo Automated Analysis System and Valkyrie
● EUREKA Malware Analysis Internet Service
● Joe Sandbox Document Analyzer (PDF, RTF and MS Office files)
● Malwr
● MASTIFF
● VxStream Sandbox (Hybrid Analysis)
● VirusTotal*
● ThreatExpert
● ThreatTrack
● ViCheck
● VisualThreat (Android files)
● XecScan (PDF and MS Office files from targeted attacks)
![Page 22: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/22.jpg)
Bringing it to the masses
Giving you the ability to spin up your own commercial-grade malware research infrastructure
![Page 23: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/23.jpg)
Components
![Page 24: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/24.jpg)
Aleph Process
From fetching samples to report building
![Page 25: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/25.jpg)
Main Features
● Cross-platform (tested on: Windows, Linux, OS X); almost all modules are pure Python
● Scalable + Easily Extensible
● Web Interface for browsing reports
![Page 26: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/26.jpg)
From fetching samples to report building
![Page 27: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/27.jpg)
Aleph Process (overview diagram): Sample → Aleph Process → Sample data
![Page 28: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/28.jpg)
Aleph Process (component diagram): Collector → Sample Manager → Sample Queue → Plugins → Data, with the sample passed from stage to stage
![Page 29: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/29.jpg)
Aleph Process: Collection
● Detect new file on medium (filesystem, email account etc.)
● Check if it meets predefined criteria (min/max size)
![Page 30: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/30.jpg)
Aleph Process: Triage
● Detect file type (mimetype)
● Calculate hashes
● Add sample to process queue
![Page 31: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/31.jpg)
Aleph Process: Processing
● Enumerate plugins suitable for the sample's mimetype
● Run plugins and extract features
● Save features as structured data into the database
![Page 32: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/32.jpg)
Aleph Process: Reporting
● Fetch sample information from the database
● Generate report based on the retrieved data
![Page 33: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/33.jpg)
Currently supported files
● Windows Portable Executable (PE) (exe, cpl & dll)
Coming up support for:
● Android APK
● PDF Documents
● Linux ELF
● iOS Apps
● URLs & Emails
● Apple Mach-O
● MS Office Documents
● SWF & much more!
![Page 34: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/34.jpg)
Aleph: Web Interface
![Page 35: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/35.jpg)
Aleph: Web Interface
![Page 36: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/36.jpg)
Aleph: Web Interface
![Page 37: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/37.jpg)
Aleph: Web Interface
![Page 38: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/38.jpg)
Aleph: Web Interface
![Page 39: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/39.jpg)
Shifting the paradigm
New exciting features coming up
![Page 40: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/40.jpg)
Decoupling
Dividing the functionality into standalone components
![Page 41: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/41.jpg)
Decoupling (architecture diagram; component labels recovered from the slide):
● Collector: takes samples (Executable, Email, URL, PDF, APK etc.) from Local File, FTP, Email etc. and hands Sample + Initial Meta to the Transport Connector
● Transport: Redis, RabbitMQ, Memcached
● Aleph Processor: downloads Sample + Initial Meta from the Transport; sends & retrieves through the Storage Connector
● Storage: Filesystem, VXVault, Amazon S3, Azure etc.
● RDBMS: SQLite, MySQL, PostgreSQL, SQL Server
● Datastore: ElasticSearch
● Web Interface: Web UI Info via HTTP API, SSH...
![Page 42: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/42.jpg)
Adapters & Connectors
Abstracting functionality so you use what you have, or what you're familiar with...
![Page 43: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/43.jpg)
Adapters & Connectors (diagram): the Collector Manager runs the Sample File Collector, E-Mail Collector and FTP Collector; each hands its samples to the Transport Connector, which talks to the Transport (Redis, RabbitMQ, Memcached)
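The connector idea from the two slides above, as an added Python example that is not Aleph's own code. The class names TransportConnector and StorageConnector and the four backends are assumptions made for this illustration: the collector and processor code talks only to the abstract interfaces, so a spool directory (standing in for Redis/RabbitMQ) and a content-addressed directory (standing in for a filesystem or S3 store) can be swapped for in-memory versions without touching the pipeline.

```python
"""Swappable transport/storage connectors. Added example, not Aleph's classes:
the interfaces and backends are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from abc import ABC, abstractmethod
from collections import deque


class TransportConnector(ABC):
    """Queue handing 'Sample + Initial Meta' from collector to processor."""
    @abstractmethod
    def send(self, message: dict) -> None: ...
    @abstractmethod
    def retrieve(self):   # returns the next message dict, or None when empty
        ...


class MemoryTransport(TransportConnector):
    def __init__(self):
        self._queue = deque()

    def send(self, message):
        self._queue.append(json.dumps(message))   # serialise, as a broker would

    def retrieve(self):
        return json.loads(self._queue.popleft()) if self._queue else None


class DirectoryTransport(TransportConnector):
    """One JSON file per message; rename-on-write so a consumer never reads a partial file."""
    def __init__(self, spool):
        self.spool, self._seq = spool, 0
        os.makedirs(spool, exist_ok=True)

    def send(self, message):
        self._seq += 1
        final = os.path.join(self.spool, f"{self._seq:08d}.json")
        with open(final + ".tmp", "w") as fh:
            json.dump(message, fh)
        os.replace(final + ".tmp", final)

    def retrieve(self):
        names = sorted(n for n in os.listdir(self.spool) if n.endswith(".json"))
        if not names:
            return None
        path = os.path.join(self.spool, names[0])
        with open(path) as fh:
            message = json.load(fh)
        os.remove(path)
        return message


class StorageConnector(ABC):
    """Content-addressed blob store: the key is the sample's SHA-256."""
    @abstractmethod
    def put(self, data: bytes) -> str: ...
    @abstractmethod
    def get(self, key: str) -> bytes: ...


class MemoryStorage(StorageConnector):
    def __init__(self):
        self._blobs = {}

    def put(self, data):
        key = hashlib.sha256(data).hexdigest()
        self._blobs[key] = data
        return key

    def get(self, key):
        return self._blobs[key]


class FilesystemStorage(StorageConnector):
    def __init__(self, root):
        self.root = root
        os.makedirs(root, exist_ok=True)

    def put(self, data):
        key = hashlib.sha256(data).hexdigest()
        with open(os.path.join(self.root, key), "wb") as fh:
            fh.write(data)
        return key

    def get(self, key):
        with open(os.path.join(self.root, key), "rb") as fh:
            return fh.read()


def collector_submit(transport, storage, data, source):
    """Collector side: store the bytes, queue only the metadata."""
    key = storage.put(data)
    transport.send({"sha256": key, "size": len(data), "source": source})
    return key


def processor_drain(transport, storage):
    """Processor side: pull messages, fetch bytes, verify they match the queued hash."""
    seen = []
    while (msg := transport.retrieve()) is not None:
        data = storage.get(msg["sha256"])
        if hashlib.sha256(data).hexdigest() != msg["sha256"]:
            raise ValueError("stored sample does not match queued hash " + msg["sha256"])
        seen.append((msg["source"], msg["sha256"], len(data)))
    return seen


def demo():
    """Runs the identical collector/processor code against both backend pairs."""
    samples = [(b"constructed sample one", "local-file"), (b"constructed sample two", "ftp")]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backends = {"memory": (MemoryTransport(), MemoryStorage()),
                    "filesystem": (DirectoryTransport(os.path.join(tmp, "spool")),
                                   FilesystemStorage(os.path.join(tmp, "store")))}
        for name, (transport, storage) in backends.items():
            for data, source in samples:
                collector_submit(transport, storage, data, source)
            results[name] = processor_drain(transport, storage)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter once the collector and processor sit on different hosts: the queue carries only metadata, so a large sample is moved once through storage rather than through the broker, and the processor re-hashes what it fetched so a corrupted or substituted blob in shared storage is caught before any plugin runs on it.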
![Page 44: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/44.jpg)
Scoring System
The path to the Evil Index
![Page 45: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/45.jpg)
Data Correlation Plugins
Automatic linking and enrichment of gathered data
![Page 46: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/46.jpg)
Data Visualization Plugins
Because everyone loves graphs and scatterplots
![Page 47: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/47.jpg)
Online Disassembly
Disassembled code & memory dumps will be saved as a new sample/artifact
![Page 48: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/48.jpg)
Tons more cool plugins
● VxCage
● Viper
● Java Decompiler
● Maltrieve
![Page 49: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/49.jpg)
Collaboration
What got us here in the first place
![Page 50: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/50.jpg)
Collaboration
The power of many
![Page 51: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/51.jpg)
Deployment Types
From small to huge scaling
![Page 52: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/52.jpg)
Deployment Types
Deployed in a single host containing all the required services.
● 3rd Party Software: Redis, Local Filesystem, Elasticsearch, SQLite
● Aleph Components: Collector, Processor, Web Interface
![Page 53: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/53.jpg)
Deployment Types
Deployed across multiple hosts in order to achieve HP and HA.
● Datastore Host Group: Elasticsearch Cluster Nodes
● Transport Host Group: RabbitMQ Cluster Nodes
● Processing Host Group: Aleph Cluster Nodes
● Web Interface Host Group: NGinx Cluster Nodes
● Collection Host Group: Aleph Cluster Nodes
● Storage Host Group: DFS Cluster Nodes
![Page 54: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/54.jpg)
Use, fork and contribute!
https://github.com/trendmicro/Aleph
![Page 55: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/55.jpg)
Questions?
We can try to answer some...
![Page 56: aleph - Malware analysis pipelining for the masses](https://reader033.fdocuments.in/reader033/viewer/2022042722/58a94e2d1a28ab77408b4639/html5/thumbnails/56.jpg)
Thank you!
Jan Seidl @jseidl <[email protected]>
Slides: http://slideshare.net/jseidl Codes: https://github.com/jseidl