HaboMalHunter - Black Hat presentation (slide transcript)
HaboMalHunter
An Automated Malware Analysis Tool for Linux ELF Files
Jingyu YANG, Zhao LIU @ Tencent
Agenda
3/26/17
• Introduction
• Background
• Architecture
• Implementation
• Demonstration
• Conclusion
Introduction
• https://habo.qq.com/en
  • Username: BlackHatAsia17
  • Password: Habo@BlackHat17
  • expires May 2017
• The Project
  • https://github.com/Tencent/HaboMalHunter
(Slide 4: image only)
Background
• Do Linux viruses exist?
• Differences from Windows malware
  • quantity
  • categories
• Impact
• Related Works
Quantity (slide 6: image only)
Categories
• Windows
  • Downloader
  • RAT
  • Backdoor
  • Keylogger
  • PUA
  • Ransomware
(Slides 8-10: image only)
Architecture
• VM Scheduler
• Analyze Controller
  • Static Analyzer
  • ELF Loader
  • Dynamic Analyzer
• Log Processor
Implementation
• Static Analysis
  • ELF formats
  • Interesting strings
• ELF Loader
• Dynamic Analysis
  • Process
  • I/O
  • Network
  • System Calls
  • Memory Forensics
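As an added illustration of the static-analysis stage listed above (ELF format fields and interesting strings), here is example code that is not part of HaboMalHunter; the ELF bytes and embedded strings are constructed, and the triage patterns are an assumption about what counts as interesting.

```python
"""Static triage of an ELF sample: header fields plus interesting strings.
Added example, not HaboMalHunter's own code; the sample bytes are constructed."""
import re
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# Triage patterns (assumed): C2 URLs, hard-coded IPs, shell/persistence hints.
INTERESTING = {
    "url": re.compile(rb"https?://[\w./?=&%-]+"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "shell": re.compile(rb"/bin/(?:ba)?sh|/etc/rc\.local|crontab"),
}

def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident and the fixed fields of an ELF32 or ELF64 header."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:      # ELF32: 32-bit e_entry/e_phoff/e_shoff
        fmt, width = endian + "HHIIIIIHHHHHH", 32
    elif ei_class == 2:    # ELF64: 64-bit e_entry/e_phoff/e_shoff
        fmt, width = endian + "HHIQQQIHHHHHH", 64
    else:
        raise ValueError("bad EI_CLASS")
    h = struct.unpack_from(fmt, data, 16)  # fields follow the 16-byte e_ident
    return {"class": width, "endian": "little" if ei_data == 1 else "big",
            "type": E_TYPE.get(h[0], f"unknown({h[0]})"),
            "machine": E_MACHINE.get(h[1], f"unknown({h[1]})"),
            "entry": h[3], "phnum": h[9], "shnum": h[11]}

def interesting_strings(data: bytes, min_len: int = 4) -> dict:
    """Extract printable runs (like `strings`) and bucket them by pattern."""
    found = {name: [] for name in INTERESTING}
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data):
        for name, pat in INTERESTING.items():
            found[name].extend(m.decode() for m in pat.findall(run))
    return found

def build_sample() -> bytes:
    """Constructed ELF64 little-endian EXEC header followed by fake string data."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400530, 64, 0x1800,
                      0, 64, 56, 9, 64, 30, 27)
    blob = (b"\x00/bin/sh\x00http://c2.example/update.sh\x00"
            b"198.51.100.7\x00crontab -l\x00ab\x00")
    return ident + hdr + blob
```

Run `parse_elf_header(build_sample())` and `interesting_strings(build_sample())` to see the decoded header and the bucketed strings; the dynamic stages (process, I/O, network, syscalls) are not covered here.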
Demonstration
• Linux.Gafgyt
  • 2adf8194c30f3638152f1635096cfdc8
• Linux.Gates
  • f0eacba95df5e796114a930b97b33053
YARA Rules (slide 13: image only)
Linux.Gafgyt (slide 14: image only)
Linux.Gates (slide 15: image only)
Conclusion
• Linux Malware
• Benefits of HaboMalHunter
  • Automated
  • Malware Report
  • YARA Rules
  • Malware Research
• https://github.com/Tencent/HaboMalHunter
References
1. HaboMalHunter White Paper. https://github.com/Tencent/HaboMalHunter/blob/master/WhitePaper.md
2. YARA: The pattern matching swiss knife for malware researchers. http://virustotal.github.io/yara/
3. Monnappa. Automating Linux Malware Analysis Using Limon Sandbox. Black Hat 2015.
4. Guarnieri, C., Tanasi, A., Bremer, J., & Schloesser, M. (2012). The Cuckoo Sandbox.