Malware Analysis as a Hobby - 44CON 2012
Transcript of Malware Analysis as a Hobby - 44CON 2012
Page 1: Malware Analysis as a Hobby
Michael Boman – Security Consultant/Researcher, Father of 5
Siavosh Zarrasvand – Security Consultant/Researcher, Searching
Page 2: Why the strange hobby?
Page 3: The manual way
Page 4: Drawbacks
• Time consuming
• Boring in the long run (not all malware are created equal)
Page 5: Choose any two….
Cheap / Fast / Good
Page 6: Choose any two? Why not all of them?
• I can do it cheaply (hardware and license cost-wise). Human time not included.
• I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
• I get pretty good results (quality). Where the system lacks, I can compensate for its shortcomings.
Cheap / Fast / Good
Page 7: Automate
• Engineer yourself out of the workflow
• Automate everything!
Page 8: Birth of the MART Project
Malware Analyst Research Toolkit
Page 9: Components
Page 11: Sample Acquisition
• Public & Private Collections
• Exchange with other malware analysts
• Finding and collecting malware yourself
  • Download files from the web
  • Grab attachments from email
  • Feed BrowserSpider with links from your SPAM-folder
Page 12: BrowserSpider
• Written in Python
• Uses the Selenium framework to control REAL browsers
  • Flash, PDFs, Java applets etc. execute as normal
  • All the browser bugs exist for real
• Spiders and follows all links seen
Page 13: Sample Analysis
• Cuckoo Sandbox
• VirusTotal
Page 14: A day's work for a Cuckoo
1. Fetch a task
2. Prepare the analysis
3. Launch the analyzer in a virtual machine
4. Execute an analysis package
5. Complete the analysis
6. Store the result
7. Process and create reports
Page 15: DEMO: Submit sample for analysis
Page 17: Sample Reporting
• Results are stored in MongoDB (optional, highly recommended)
• Accessed using an analyst GUI
Page 21: Data Mining
Page 22: Where Virtual Machine analysis fails
And what to do about it
Page 23: Problems
• Cuckoo is easily bypassed
• User-detection
• Sleeping malware
Page 24: Problems
• VM or Sandbox detection
• The guest OS might not be sufficient
• Any multistage attack
Pages 25–27: Iterating automation (three build slides sharing one outline)
• Sort out clearly non-malicious and obviously malicious samples
• Divide the samples into categories
• Do brief static analysis

Page 25 adds the buckets:
• Known Good
• Known Bad
• Unknown

Page 26 adds the reasons an analysis comes back inconclusive:
• Does not do anything
• Detects environment
• Encrypted segments
• Failed execution

Page 27 adds the follow-up actions:
• Run longer
• Environment customization
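As an added example (not code from the talk or from the MART toolkit), here is how the sorting on pages 25–27 could run as an automated triage step over sandbox results, so that each "Unknown" sample gets a reason and a re-run action for the next iteration. The report shape, the 50% VirusTotal threshold, the entropy cut-off and the mapping of each reason to "Run longer" or "Environment customization" are assumptions, and all inputs are constructed.

```python
import math
KNOWN_GOOD = {"0" * 64}  # constructed allow-list of clean-file SHA-256 hashes (placeholder)
ENV_CHECK_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}  # debugger/analysis checks
VM_STRINGS = ("vmware", "vbox", "virtualbox", "qemu")  # VM vendor names seen in queried keys/paths

def shannon_entropy(data):
    """Bits per byte: ~8.0 means packed/encrypted, plain x86 code is usually 5-6.5."""
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def triage(report):
    """Return (bucket, reason, next_action) for one sandbox report (constructed dict)."""
    if report["sha256"] in KNOWN_GOOD:
        return ("Known Good", None, None)
    vt_pos, vt_total = report["vt"]  # (detections, engines) from a VirusTotal lookup
    if vt_total and vt_pos / vt_total >= 0.5:  # assumption: half the engines = obviously malicious
        return ("Known Bad", None, None)
    calls = report["api_calls"]
    # Failed execution: nothing was traced and the process died with an error code.
    if not calls and report["exit_code"] != 0:
        return ("Unknown", "Failed execution", "Environment customization")
    # Detects environment: debugger checks, or VM vendor strings in what the sample looked up.
    if set(calls) & ENV_CHECK_APIS or any(
            v in s.lower() for s in report["strings"] for v in VM_STRINGS):
        return ("Unknown", "Detects environment", "Environment customization")
    # Encrypted segments: a high-entropy section that never unpacked during the run.
    if any(shannon_entropy(sec) > 7.2 for sec in report["sections"]):
        return ("Unknown", "Encrypted segments", "Run longer")
    # Does not do anything: long sleeps and/or hardly any API activity; give it more time.
    if report["sleep_ms"] > 60_000 or len(calls) < 5:
        return ("Unknown", "Does not do anything", "Run longer")
    return ("Unknown", None, "Do brief static analysis")

def make_report(sha, vt=(0, 45), api_calls=(), exit_code=0, strings=(), sections=(), sleep_ms=0):
    """Constructed sandbox report in the shape triage() expects (not real Cuckoo output)."""
    return {"sha256": sha, "vt": vt, "api_calls": list(api_calls), "exit_code": exit_code,
            "strings": list(strings), "sections": list(sections), "sleep_ms": sleep_ms}

SAMPLES = {  # constructed inputs, not data from real samples
    "clean": make_report("0" * 64),
    "vt_hit": make_report("a" * 64, vt=(40, 45), api_calls=["CreateFileW"] * 10),
    "crashed": make_report("b" * 64, exit_code=1),
    "vm_aware": make_report("c" * 64, api_calls=["IsDebuggerPresent", "RegOpenKeyExW"],
                            strings=["HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"]),
    "packed": make_report("d" * 64, api_calls=["VirtualAlloc"] * 6, sections=[bytes(range(256)) * 4]),
    "sleeper": make_report("e" * 64, api_calls=["Sleep"], sleep_ms=300_000),
}

def triage_all(samples=SAMPLES):
    return {name: triage(r) for name, r in samples.items()}
```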
Page 29: Budget
• Computer: €520
• MSDN License: €800 (€590 renewal)
• Year 1: €1320
• Year N: €590
• Money saved from stopped smoking (yearly): €2040
Page 30: Next steps
• Barebone on-the-iron malware analysis
• Android platform support
• OSX platform support
• iOS platform support
Page 31: Questions?
Michael [email protected]
http://michaelboman.org
@mboman
Siavosh [email protected]
@zarrasvand