H@Dfex 2015 - Malware Analysis


Transcript of H@Dfex 2015 - Malware Analysis

  • Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI

    The Third Hacking and Digital Forensics Exposed

    28 November 2015 | Hotel Indoluxe | Yogyakarta, Indonesia

    Malware Analysis

  • About Me

    Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI

    Researcher, Information Security Research Group, and Lecturer, Swiss German University

    Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id

    http://people.sgu.ac.id/charleslim

    I am currently doing my doctoral study in Universitas Indonesia

    Research Interest: Malware, Intrusion Detection, Threats Intelligence, Vulnerability Analysis, Digital Forensics, Cloud Security

    Community: Indonesia Honeynet Project - Chapter Lead; Academy CSIRT - member; Asosiasi Digital Forensik Indonesia - member

  • Agenda

    About Honeynet

    What is Malware?

    Why Malware Analysis?

    Types of Malware Analysis

    Static Analysis

    Dynamic Analysis

    Memory Analysis

    Case Study

    Future Challenges

  • About Honeynet

    Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)

    Mission: learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned - http://www.honeynet.org

  • About Honeynet

    Share all of our tools, research and findings, at no cost to the public

    Know Your Tools (KYT) and Know Your Enemy (KYE) white papers regularly published on current research topics

    Members release regular activity status reports

    Committed to open source and creative commons

    Partially funded by sponsors, nothing to sell!

  • About Honeynet

    Honeynet Project Workshop | 18-20 May 2015 | Stavanger, Norway

  • About Honeynet

    CONPOT 0.5.0 Release | 13 November 2015

  • About Honeynet

    55 Chapters and 37 Countries

  • About Indonesia Honeynet Project

    15 passionate security professionals, academicians and government officials met and signed a petition on 25 November 2011

    Indonesia Chapter officially recognized 9 January 2012

    Current members: 130 (20 active members)

  • About Indonesia Honeynet Project

    Yearly Seminar and Workshop since 2012

    Focus on Security Awareness and Security Research

    Honeynet communities: Jakarta, Semarang, Surabaya, Yogya, Denpasar, Palembang, Lampung

    Research Topics: Incident handling, Vulnerability Analysis, Malware, Digital Forensics, Penetration Testing, Threats Intelligence

  • About Indonesia Honeynet Project

    Honeynet Seminar & Workshop | 10-11 June 2015 | Lampung, Indonesia

  • Honeypots Research & Deployment

    2009 - Learning Period
      Honeypot: Nepenthes
      Learning how to install and configure
      # Honeypots deployed: None
      Hardware: Client

    2011 - Early Period
      Honeypot: Nepenthes, Dionaea
      Deployed 1st Honeypot in SGU
      # Honeypots deployed: 1
      Hardware: Simple Client and Server

    2013 - Growing Period
      Honeypot: Dionaea
      Target: Academic, Government, ISP
      # Honeypots deployed: 5
      Hardware: Mini PC and Server

    2015 - Expanding Period
      Honeypot: Dionaea, Kippo, Glastopf, Honeytrap
      Coverage: Java, Bali, Sumatera,
      # Honeypots deployed: 16
      Hardware: Raspberry Pi and Dedicated servers

  • Our Contribution

  • Our Contribution

    Attacker Statistics: Attacker IP, Malware, Targeted Ports, Provinces attacked


  • Other Research

    Second Hand USB Forensics and Publications

  • Join Us

    Indonesia Honeynet Project

    idhoneynet

    http://www.honeynet.or.id

    http://groups.google.com/group/id-honeynet

  • What is Malware?

    Malware (Malicious Software): all kinds of software that disrupt computer operations, gather sensitive information, or gain access to private computer systems

    Types of Malware

    Viruses

    Worms

    Trojans

    Ransomware

    Rootkits

  • What is Malware?

    Reference: PandaLabs Q2 2015 Report

  • Why Malware Analysis?

    To gain insight into the nature and purpose of malware

    To identify host-based and network indicators - Forensics: Indicators of Compromise (IOC)

    To understand malware behaviors and their persistence mechanisms

    To extract information used for learning and malware detection

  • Types of Malware Analysis

    Static Analysis: a method of examining computer program/code without executing the program

    Dynamic Analysis: a method of examining computer program/code while executing the program in a real or virtual processor

    Memory Analysis: a method of examining computer program/code after executing the program in a real or virtual processor

  • Static Analysis

    To gain insight into the nature and purpose of malware

    To identify host-based and network indicators - Forensics: Indicators of Compromise (IOC)

    To understand malware behaviors and their persistence mechanisms

    To extract information used for learning and malware detection

  • Static Analysis

    Input File Type: EXE, DLL, documents, etc.

    Output: Metadata, Code, Data

    [Diagram: File Binaries -> Static Analysis Tools -> Static Features: Metadata, Code, Data]

  • Static Analysis Tools

    PEiD (http://bob.droppages.com/projects/peid) - packer and compiler detector

    Pafish (https://github.com/a0rtega/pafish) - checking for anti-sandbox and anti-VM

    Yara (https://plusvic.github.io/yara/) - pattern matching for malware analysis

    Ssdeep (https://pypi.python.org/pypi/ssdeep) - fuzzy hash

    Strings Utility (https://technet.microsoft.com/en-us/sysinternals/strings.aspx) - strings extraction tool

    OllyDbg (http://www.ollydbg.de/) - code debugger

    IDA Pro (https://www.hex-rays.com/products/ida/) - disassembler, debugger

  • PE (Portable Executable) Header

    Source: https://code.google.com/p/corkami/wiki/PE101

  • Static Analysis

    Questions to answer:

    Is the malware binary packed?

    Can the malware binary be unpacked?

    What are the important static features to be extracted?

    If the malware cannot be unpacked (due to the complexity of the packing method), then we can only rely on Dynamic Analysis

  • Static Analysis (Packer Landscape)

    https://code.google.com/p/corkami/downloads/detail?name=packers.pdf

  • Static Analysis - PE Header Section

    Entropy > 6.67 indicates that the data section is packed/encrypted
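The entropy rule of thumb above is easy to apply yourself. The following is an added example (not code from the slides or from the author's tools): it walks the PE section table with a minimal hand-written parser, computes the Shannon entropy of each section's raw bytes, and flags sections above the 6.67 threshold quoted on the slide. The PE image it analyses is constructed in `build_sample_pe()` for the demonstration: it has the right header layout but no optional header and is not executable; section names, sizes and the `2015` random seed are arbitrary choices.

```python
import math
import random
import struct
from collections import Counter

ENTROPY_THRESHOLD = 6.67  # the slide's rule of thumb for a packed/encrypted section


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Yield (name, PointerToRawData, SizeOfRawData) from the PE section table.

    Minimal parser: e_lfanew at 0x3C in the DOS header, the 'PE\\0\\0' signature,
    NumberOfSections and SizeOfOptionalHeader from the COFF header, then the
    40-byte IMAGE_SECTION_HEADER entries that follow the optional header.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        yield name, raw_ptr, raw_size


def section_entropies(pe: bytes):
    """Return [(name, entropy, suspicious)] for every section of the image."""
    rows = []
    for name, ptr, size in parse_sections(pe):
        ent = shannon_entropy(pe[ptr:ptr + size])
        rows.append((name, round(ent, 2), ent > ENTROPY_THRESHOLD))
    return rows


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE-shaped image with two sections (sample data,
    not a real binary): '.text' holds a repeated 8-byte code pattern (low entropy),
    '.packed' holds seeded pseudo-random bytes standing in for packed data."""
    def section_header(name, raw_ptr, raw_size, flags):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, raw_size, 0x1000, raw_size,
                           raw_ptr, 0, 0, 0, 0, flags)

    text = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 128          # 1024 bytes, entropy 2.75
    rng = random.Random(2015)                                 # deterministic sample
    packed = bytes(rng.getrandbits(8) for _ in range(4096))  # 4096 bytes, entropy ~7.95

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: optional header omitted), Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    sections = (section_header(b".text", 512, len(text), 0x60000020) +
                section_header(b".packed", 512 + len(text), len(packed), 0xC0000040))
    headers = dos + coff + sections
    headers += b"\0" * (512 - len(headers))                   # pad up to the first section
    return headers + text + packed


if __name__ == "__main__":
    for name, ent, flag in section_entropies(build_sample_pe()):
        print(f"{name:<8} entropy={ent:5.2f} {'PACKED?' if flag else 'ok'}")
```

On a real sample the same routine is run over the file bytes read from disk; a high-entropy `.text` or a section whose `SizeOfRawData` is tiny next to its `VirtualSize` are the usual signs that the code is unpacked only at run time, which is exactly the case where the slide says dynamic analysis has to take over.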

  • Static Analysis - Static Features

    Strings (one of the most important)

    Import DLL

    Assembly Code

    Byte Code

    Strings Example - Brute Force Dictionary Password (Allaple Malware Samples)
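The slide lists strings and imported DLL names as the most important static features. As an added example (not code from the slides; it mimics what the Sysinternals strings tool does rather than calling it), the block below extracts both printable-ASCII runs and UTF-16LE runs from a binary blob and sorts the hits into the buckets an analyst checks first: imported DLLs, URLs and registry paths. The input is a constructed byte string, so the strings in it are sample values, not indicators from any real sample; the minimum length of 4 and the bucket rules are assumptions.

```python
import re

MIN_LEN = 4  # default minimum run length, as in the Sysinternals strings tool


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Return [(offset, encoding, text)] for printable ASCII runs and for
    UTF-16LE runs (ASCII character followed by a NUL byte), the way Windows
    binaries usually store wide strings."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(blob)]
    return sorted(found, key=lambda hit: hit[0])


def triage(hits):
    """Bucket extracted strings into the indicator kinds an analyst checks first:
    imported DLL names, URLs, registry paths (persistence), everything else."""
    buckets = {"dll": [], "url": [], "registry": [], "other": []}
    for _, _, text in hits:
        low = text.lower()
        if low.endswith(".dll"):
            buckets["dll"].append(text)
        elif low.startswith(("http://", "https://")):
            buckets["url"].append(text)
        elif low.startswith(("hkey_", "software\\", "system\\")):
            buckets["registry"].append(text)
        else:
            buckets["other"].append(text)
    return buckets


def build_sample_blob() -> bytes:
    """Constructed stand-in for a binary (sample data): a few ASCII strings, one
    wide string, a 2-byte run that must be ignored, and NUL padding in between."""
    sep = b"\x00\x00\x00\x00"
    parts = [
        b"\x4d\x5a\x90\x00\x03\x00",                    # MZ-like header bytes
        b"kernel32.dll",                                # import DLL name
        b"CreateFileA",                                 # imported function name
        b"\x01\x02ab\x03",                              # 'ab' is shorter than MIN_LEN
        b"http://update.example.invalid/cfg",           # constructed URL
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le"),
    ]
    return sep.join(parts) + sep


if __name__ == "__main__":
    hits = extract_strings(build_sample_blob())
    for offset, enc, text in hits:
        print(f"{offset:6d} {enc:<8} {text}")
    print(triage(hits))
```

One pitfall the separator in `build_sample_blob()` avoids is worth knowing about: when an ASCII string's terminating NUL sits directly before a wide string, the last ASCII character plus its NUL looks like one UTF-16LE unit and the extractor reports a wide string with a spurious leading letter. Real binaries produce such glued hits regularly, so odd first characters in a wide string deserve a second look before they are used as an indicator.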

  • Dynamic Analysis

    To gain insight into malware behaviors (interactions of malware binaries with the operating system)

    Important Features:

    File System Activities

    Process Activities

    Network Activities

    System Calls

  • Dynamic Analysis

    Input File Type: EXE, DLL, documents, etc.

    Output: File System Activities, Process Activities, Network Activities, System Calls

    [Diagram: File Binaries -> Sandbox or Virtual Env. -> Dynamic Features: File System Activities, Process Activities, Network Activities, System Calls]

  • Dynamic Analysis Tools

    Detours (http://research.microsoft.com/en-us/projects/detours/) - binary instrumentation for Win32 functions

    Sandboxes:

    Cuckoo Sandbox (http://www.cuckoosandbox.org/)

    Anubis (http://anubis.iseclab.org/)

    ThreatTrack (http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx)

    Comodo Automated Analysis (http://camas.comodo.com/)

  • Dynamic Analysis

    File System Activities, Network Activities, Process Activities

  • Dynamic Analysis

    Questions to answer:

    Does the malware seem to execute properly?

    Does the malware stop while executing?

    Is there any unique execution? (File System, Process, Network, System Calls)

    If the malware has anti-analysis, anti-anti-analysis must be done first (Pafish is a good tool)

    Sequences of instructions may also be good features
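The last point, that call sequences make good features, and the later observation that malware authors reuse common modules with few changes, can be shown together. The block below is an added example (not code from the slides or from the author's Mal-ONE/Mal-EVE work): it turns API-call traces of the kind a sandbox records into n-gram counts, measures how much two traces share with a Jaccard index, and builds the vocabulary/count-vector shape a classifier would consume. The three traces are constructed sample data with plausible Windows API names; the bigram choice (`n=2`) is an assumption.

```python
from collections import Counter

# Constructed API-call traces (sample data, not from a real sandbox run).
# A and B differ by one inserted call; the third trace is unrelated.
TRACE_A = ["NtCreateFile", "NtWriteFile", "RegSetValueExW", "CreateProcessW",
           "socket", "connect", "send"]
TRACE_B = ["NtCreateFile", "NtWriteFile", "CreateMutexW", "RegSetValueExW",
           "CreateProcessW", "socket", "connect", "send"]
TRACE_BENIGN = ["GetSystemTimeAsFileTime", "NtOpenFile", "NtReadFile", "NtClose"]


def ngrams(trace, n=2):
    """Sliding-window n-grams of consecutive calls, counted."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def jaccard(trace_x, trace_y, n=2):
    """Overlap of the two n-gram sets: 1.0 = same call sequences, 0.0 = disjoint.
    Order-sensitive, unlike comparing plain sets of API names."""
    x, y = set(ngrams(trace_x, n)), set(ngrams(trace_y, n))
    if not x and not y:
        return 1.0
    return len(x & y) / len(x | y)


def feature_matrix(traces, n=2):
    """Shared n-gram vocabulary plus one count vector per trace: the input
    shape a classifier (the 'machine learning' of the closing slides) expects."""
    vocab = sorted({g for t in traces for g in ngrams(t, n)})
    index = {g: i for i, g in enumerate(vocab)}
    rows = []
    for t in traces:
        row = [0] * len(vocab)
        for g, count in ngrams(t, n).items():
            row[index[g]] = count
        rows.append(row)
    return vocab, rows


def most_similar(unknown, labelled, n=2):
    """Rank known traces by similarity to an unknown one (nearest-neighbour triage)."""
    return sorted(((jaccard(unknown, t, n), label) for label, t in labelled.items()),
                  reverse=True)


if __name__ == "__main__":
    print("A vs B:", jaccard(TRACE_A, TRACE_B))
    print("A vs benign:", jaccard(TRACE_A, TRACE_BENIGN))
    vocab, rows = feature_matrix([TRACE_A, TRACE_B, TRACE_BENIGN])
    print(len(vocab), "bigram features;", rows)
    print(most_similar(TRACE_B, {"family-x": TRACE_A, "clean-tool": TRACE_BENIGN}))
```

Because the variant trace only inserts one call, five of its seven bigrams are still shared with the original, which is the "few changes" reuse pattern the conclusion slide describes; a trace from an unrelated program shares none.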

  • Memory Analysis

    To gain insight into malware footprints in memory

    Important Features:

    Running Processes

    Shared Libraries

    Network Connections

    Hooking Detection

    Rootkit Detection

    Code Injection

    Hidden artifacts

  • Memory Analysis Tools

    Volatility (https://code.google.com/p/volatility/) - framework for memory analysis

    Dynamic Binary Instrumentation (DBI):

    Pin Tools (https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)

    Valgrind (http://valgrind.org/)

  • Memory Analysis

    Start with what we know

  • Memory Analysis

    Yara scan of the known process

  • Memory Analysis

    Suspicious mutex is making connection

  • Memory Analysis

    File handles that start with TDSS

  • Memory Analysis

    File handles that start with TDSS, and detecting the hidden file

  • Case Study

    Huge Traffic detected on MRTG (outbound)

  • Case Study

    Isolate and reconstruct the incident

    Sniff the traffic while the server is running

    [Diagram: Virtual Server with VM1 running -> Switch -> Desktop as Gateway]

  • Case Study

    Sending huge SYN packets to a China IP address

    We found that it was user .Iptables that was sending the huge traffic

  • Case Study

    The malware must have entered the system through a service. We noticed that the ssh service is running

    We also noticed that the root account was enabled

  • Case Study

    ssh authentication was successful

    We found that the root password was an easy-to-guess 7-character password (combination of alpha and numeric)

    It was a Korean IP address that made the connection

  • Case Study (Lesson Learned)

    The user (also an admin) who installed the system made some simple but devastating mistakes:

    Used a simple (easy to guess) password

    Root account login over the ssh service was enabled

    The malware caused a Denial of Service attack using SYN Flooding

    A Reverse Engineering of the malware showed that the malware could also perform DNS Flooding
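Both mistakes in the lesson-learned list leave traces a defender can check for before the outbound flood shows up on MRTG. As an added example (not code from the slides or from the incident itself), the block below does two things: it reads an `auth.log` excerpt, counts failed ssh logins per source address and flags a root password login that follows a run of failures from the same address, which is the sequence the case study describes; and it audits an `sshd_config` fragment for `PermitRootLogin` and `PasswordAuthentication`. The log lines, the addresses (RFC 5737 documentation ranges) and both config fragments are constructed sample data; the failure threshold of 3 and the `Key value` config syntax it parses are assumptions.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (sample data): a password-guessing run against
# root from 203.0.113.7 that finally succeeds, plus an unrelated key-based login.
SAMPLE_AUTH_LOG = """\
Nov 28 03:12:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 50112 ssh2
Nov 28 03:12:03 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 50112 ssh2
Nov 28 03:12:05 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50118 ssh2
Nov 28 03:12:08 web01 sshd[2216]: Failed password for invalid user admin from 203.0.113.7 port 50120 ssh2
Nov 28 03:12:11 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 50124 ssh2
Nov 28 03:12:14 web01 sshd[2222]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Nov 28 03:15:40 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.20 port 41022 ssh2
Nov 28 03:16:02 web01 sshd[2305]: Failed password for root from 198.51.100.20 port 41030 ssh2
"""

# Constructed sshd_config fragments: the case study's weak setup and a hardened one.
WEAK_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = ("Port 22\nPermitRootLogin no\n"
                        "PasswordAuthentication no\nMaxAuthTries 3\n")

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPT_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def analyse_auth_log(text, threshold=3):
    """Count failed logins per source address and flag a root password login that
    follows `threshold` or more failures from the same address."""
    failures = Counter()
    suspicious_logins = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if user == "root" and method == "password" and failures[ip] >= threshold:
                suspicious_logins.append((ip, failures[ip]))
    sources = sorted(ip for ip, count in failures.items() if count >= threshold)
    return {"brute_force_sources": sources,
            "root_logins_after_failures": suspicious_logins}


def audit_sshd_config(text):
    """Report the two settings from the lesson-learned list if they are still weak.
    Parses only the 'Key value' form and treats an unset key as weak (conservative)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password",
                                                      "without-password"):
        findings.append("PermitRootLogin should be 'no'")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (use keys)")
    return findings


if __name__ == "__main__":
    print(analyse_auth_log(SAMPLE_AUTH_LOG))
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The "invalid user admin" line is counted against the same source on purpose: a guessing run rotates user names as well as passwords, and only the per-address total tells the operator that the later root login is the end of that run rather than a normal administrator session.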

  • Current and Future Challenges

    Malware Packers or Crypters

    Anti-Analysis (Anti-Debugging, Anti-Disassembler, Anti-Sandbox, Anti-Emulation, ...)

    NO SILVER BULLET

    Must use a combination of all malware analysis techniques

    Machine Learning is also a big help

  • Related Publications

    Joshua Tommy Juwono, Charles Lim, Alva Erwin, A Comparative Study of Behavior Analysis Sandboxes in Malware Detection, The 3rd International Conference on New Media 2015, Jakarta, Indonesia, 2015

    Charles Lim, Nicsen, Mal-EVE: Static Detection Model for Evasive Malware, 10th EAI International Conference on Communications and Networking in China, Shanghai, China, 2015

    Charles Lim, Darryl Y. Sulistyan, Suryadi, and Kalamullah Ramli, Experiences in Instrumented Binary Analysis for Malware, The 3rd International Conference on Internet Services Technology and Information Engineering 2015 (ISTIE 2015), Bali, 2015

    Charles Lim, Meily, Nicsen, and Herry Ahmadi, Forensics Analysis of USB Flash Drives in Educational Environment, The 8th International Conference on Information & Communication Technology and Systems, Surabaya, 2014

    Charles Lim, and Kalamullah Ramli, Mal-ONE: A Unified Framework for Fast and Efficient Malware Detection, 2014 2nd International Conference on Technology, Informatics, Management, Engineering & Environment, Bandung, 2014.

  • Conclusion

    Malware continues to rise in numbers and sophistication

    Malware authors usually combine common malware modules with few changes

    Packers and Anti-Analysis are real challenges

    Malware analysis is usually part of Threats Intelligence, Incident Response, and Digital Forensics.

    There is no silver bullet for Malware Analysis

  • Call for More Research

    Indonesia Honeynet Project

    idhoneynet

    http://www.honeynet.or.id

    http://groups.google.com/group/id-honeynet