Open source malware analysis
Transcript of Open source malware analysis
![Page 1: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/1.jpg)
Defenses against malware, automated analysis using Open Source technology
Author: Marc Rivero López. Date: October 2012
![Page 2: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/2.jpg)
The information contained in this document is the intellectual property of S21sec. Any modification or use, in whole or in part, of the content of this document without the express written consent of S21sec is strictly prohibited. The absence of a reply to any request for consent shall in no case be understood as tacit consent by S21sec authorising any use. © Grupo S21sec Gestión, S.A.
![Page 3: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/3.jpg)
About
• ACSS (Advanced Cyber Security Services)
• eCrime analyst
Contact details:
[email protected] / Twitter: @seifreed
![Page 4: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/4.jpg)
// CONTENTS
An automated solution for malware analysis?
An Open Source solution
How Cuckoo works
Presentation of results
Extras in the analyses
Cuckoo vs Citadel
Cuckoo vs exploit kits
Conclusions
![Page 5: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/5.jpg)
// 01 AN AUTOMATED SOLUTION FOR MALWARE ANALYSIS?
![Page 6: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/6.jpg)
MOTIVATION
• Malware exists on every popular platform
• Enormous volumes of malware
![Page 7: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/7.jpg)
Why a sandbox?
Advantages:
• Controlled environment
• Batch analysis
• Automated analysis
• The ability to analyse large volumes of malware
Disadvantages:
• Easily detected: malware can fingerprint the virtual machine and the instrumentation and change its behaviour
![Page 8: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/8.jpg)
// 02 AN OPEN SOURCE SOLUTION
![Page 9: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/9.jpg)
Why an Open Source solution?
• Commercial solutions are very expensive.
• New functionality can be added.
• etc.
![Page 10: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/10.jpg)
Cuckoo Sandbox
• A platform for malware analysis
• Able to analyse exe, pdf, doc...
• Uses virtualisation for the analyses
• 100% Open Source
![Page 11: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/11.jpg)
// 03 HOW CUCKOO WORKS
![Page 12: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/12.jpg)
How does the platform work?
![Page 13: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/13.jpg)
Cuckoo components
![Page 14: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/14.jpg)
Malware analysis
• Configure Cuckoo to use the virtualisation engine (the hypervisor that runs the guest machines)
• A daemon waits for analysis tasks to be submitted
![Page 15: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/15.jpg)
// DEMO
![Page 16: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/16.jpg)
// 04 PRESENTATION OF RESULTS
![Page 17: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/17.jpg)
Results...
• Analyses are displayed as they complete in Cuckoo's web interface.
![Page 18: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/18.jpg)
Results...
• Information about the binary: YARA signature matches, PEiD packer identification and the VirusTotal verdict
![Page 19: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/19.jpg)
Results...
• Signatures and screenshots
![Page 20: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/20.jpg)
Results...
• Static analysis and information about the sample
![Page 21: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/21.jpg)
Results...
• Cuckoo also analyses the files the sample drops or downloads during execution
![Page 22: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/22.jpg)
Results...
• Network analysis
![Page 23: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/23.jpg)
Results...
• File-system changes
![Page 24: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/24.jpg)
Results...
• Mutexes
![Page 25: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/25.jpg)
Results...
• Registry changes
![Page 26: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/26.jpg)
Results...
• Detailed information about the processes
![Page 27: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/27.jpg)
// 05 EXTRAS IN THE ANALYSES
![Page 28: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/28.jpg)
VirusTotal API
• Cuckoo looks up the sample's hash on VirusTotal, so the verdict is retrieved without uploading the sample itself
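The lookup described on this slide, worked as an added example in Python (this is not Cuckoo's own code): hash the sample locally and query the VirusTotal public API v2 `file/report` endpoint by hash, so only the key and the digest leave the analysis host. The endpoint URL and the `response_code`, `positives`, `total` and `scans` fields are those of API v2; the sample bytes, the API key and the server reply used here are constructed.

```python
"""Look up a sample's hash on VirusTotal (API v2, file/report) and summarise the reply.

Added example, not Cuckoo's code. SAMPLE and CONSTRUCTED_REPLY are made up so the
hashing and parsing can be exercised offline; lookup() is the real network round trip.
"""
import hashlib
import json
import urllib.parse
import urllib.request

VT_FILE_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def sample_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the sample; API v2 accepts any of them as 'resource'."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_report_request(api_key: str, resource: str) -> urllib.request.Request:
    """POST body for file/report. Only the key and the hash are sent; the sample
    is never uploaded, which matters when it may be targeted or confidential."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": resource}).encode()
    return urllib.request.Request(VT_FILE_REPORT_URL, data=body, method="POST")


def summarise_report(reply: dict) -> dict:
    """Reduce a v2 file/report reply to what an analyst reads first.

    response_code 1 = report available, 0 = hash unknown to VirusTotal, -2 = queued.
    An unknown hash is a finding in itself: the sample has not been seen before,
    so it may be fresh or targeted."""
    code = reply.get("response_code")
    if code != 1:
        return {"known": False, "response_code": code, "positives": 0, "total": 0, "detected_by": []}
    scans = reply.get("scans", {})
    detected = sorted(
        f"{engine}: {result['result']}" for engine, result in scans.items() if result.get("detected")
    )
    return {
        "known": True,
        "response_code": 1,
        "positives": reply.get("positives", len(detected)),
        "total": reply.get("total", len(scans)),
        "detected_by": detected,
        "permalink": reply.get("permalink"),
    }


def lookup(api_key: str, data: bytes, timeout: int = 30) -> dict:
    """Full round trip: hash locally, query by SHA-256, summarise. Makes a network call."""
    digest = sample_hashes(data)["sha256"]
    with urllib.request.urlopen(build_report_request(api_key, digest), timeout=timeout) as resp:
        return summarise_report(json.loads(resp.read().decode()))


# Constructed sample bytes (not a real executable) and a constructed reply in the
# v2 shape, with made-up engine names and verdicts.
SAMPLE = b"MZ\x90\x00" + b"constructed, not a real executable" * 4
CONSTRUCTED_REPLY = {
    "response_code": 1,
    "positives": 2,
    "total": 3,
    "permalink": "https://www.virustotal.com/file/<sha256>/analysis/",
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Trojan.Constructed.A"},
    },
}

if __name__ == "__main__":
    print(sample_hashes(SAMPLE))
    print(summarise_report(CONSTRUCTED_REPLY))
    print(summarise_report({"response_code": 0}))
```

To run it against VirusTotal for real, call `lookup(api_key, open(path, "rb").read())`; the public API key is rate-limited, so a batch pipeline should cache verdicts by hash rather than query once per run.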
![Page 29: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/29.jpg)
Connections to malicious domains
• Cuckoo raises an alert when a sample tries to connect to a known malicious domain.
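The result sections above (signatures, network, dropped files, file-system and registry changes, mutexes, processes) and the malicious-domain alert on this slide, worked as one added example in Python that is not part of Cuckoo: read a `report.json`, reduce it to an indicator summary and flag contacted domains that match a blocklist. The report layout follows the broad shape of Cuckoo's JSON report (`target`, `signatures`, `network`, `behavior.summary`, `dropped`), but key names differ between Cuckoo versions, so the layout is an assumption to adapt to the version in use; the report and the blocklist are constructed.

```python
"""Indicator summary from a Cuckoo-style report.json, plus a blocklist check on
contacted domains. Added example, not Cuckoo code; the JSON layout below is the
assumed shape of Cuckoo's report and CONSTRUCTED_REPORT / BLOCKLIST are made up."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

CONSTRUCTED_REPORT = json.dumps({
    "target": {"category": "file", "file": {"name": "sample.exe", "sha256": "00" * 32}},
    "signatures": [
        {"name": "persistence_autorun", "severity": 3, "description": "Installs itself for autorun at Windows startup"},
        {"name": "creates_mutex", "severity": 1, "description": "Creates a mutex"},
    ],
    "network": {
        "hosts": ["192.0.2.10", "198.51.100.7"],
        "domains": [{"domain": "cnc.example.net", "ip": "192.0.2.10"},
                    {"domain": "update.example.org", "ip": "198.51.100.7"}],
        "http": [{"method": "POST", "host": "cnc.example.net", "uri": "http://cnc.example.net/gate.php"}],
    },
    "behavior": {
        "processes": [{"process_id": 1234, "process_name": "sample.exe", "parent_id": 1000},
                      {"process_id": 1300, "process_name": "explorer.exe", "parent_id": 1234}],
        "summary": {
            "files": ["C:\\Users\\victim\\AppData\\Roaming\\updater\\updater.exe"],
            "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
            "mutexes": ["Local\\{CONSTRUCTED-MUTEX-0001}"],
        },
    },
    "dropped": [{"name": "updater.exe", "path": "C:\\Users\\victim\\AppData\\Roaming\\updater\\updater.exe",
                 "size": 241664, "sha256": "11" * 32}],
})

# Constructed blocklist standing in for whatever threat feed the analysis host uses.
BLOCKLIST: Set[str] = {"cnc.example.net", "evil.example.com"}

# Registry locations that make a sample run again after reboot.
RUN_KEY_MARKERS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


@dataclass
class IocSummary:
    sample: str
    high_severity_signatures: List[str] = field(default_factory=list)
    contacted_domains: List[str] = field(default_factory=list)
    contacted_ips: List[str] = field(default_factory=list)
    http_requests: List[str] = field(default_factory=list)
    dropped_files: List[Dict] = field(default_factory=list)
    autorun_keys: List[str] = field(default_factory=list)
    mutexes: List[str] = field(default_factory=list)
    process_tree: List[str] = field(default_factory=list)
    blocklisted_domains: List[str] = field(default_factory=list)


def domain_matches(domain: str, blocklist: Set[str]) -> bool:
    """Exact match or a subdomain of a blocked name (a.cnc.example.net hits cnc.example.net)."""
    d = domain.lower().rstrip(".")
    return any(d == b or d.endswith("." + b) for b in blocklist)


def summarise(report_json: str, blocklist: Set[str]) -> IocSummary:
    r = json.loads(report_json)
    s = IocSummary(sample=r.get("target", {}).get("file", {}).get("name", "<unknown>"))
    # Cuckoo signatures carry a 1..3 severity; keep the top of the scale.
    s.high_severity_signatures = [x["name"] for x in r.get("signatures", []) if x.get("severity", 0) >= 3]
    net = r.get("network", {})
    s.contacted_domains = sorted({d["domain"] for d in net.get("domains", [])})
    s.contacted_ips = sorted(set(net.get("hosts", [])))
    s.http_requests = [f"{h['method']} {h['uri']}" for h in net.get("http", [])]
    s.dropped_files = [{"name": d["name"], "sha256": d.get("sha256"), "size": d.get("size")}
                       for d in r.get("dropped", [])]
    summary = r.get("behavior", {}).get("summary", {})
    s.autorun_keys = [k for k in summary.get("keys", []) if any(m in k for m in RUN_KEY_MARKERS)]
    s.mutexes = list(summary.get("mutexes", []))
    # Process tree as "parent -> child (pid)" edges; an unknown parent pid is printed as-is.
    procs = r.get("behavior", {}).get("processes", [])
    names = {p["process_id"]: p["process_name"] for p in procs}
    s.process_tree = [f"{names.get(p['parent_id'], p['parent_id'])} -> {p['process_name']} ({p['process_id']})"
                      for p in procs]
    # The "malicious domain" alert from the slide, as a blocklist match on contacted domains.
    s.blocklisted_domains = [d for d in s.contacted_domains if domain_matches(d, blocklist)]
    return s


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarise(CONSTRUCTED_REPORT, BLOCKLIST))
```

Point `summarise` at the `report.json` of a finished task to get the same summary for a real analysis; the domain check is deliberately a suffix match so a sample that contacts a throwaway subdomain of a known C&C name still triggers.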
![Page 30: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/30.jpg)
// 06 CUCKOO VS CITADEL
![Page 31: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/31.jpg)
Fake data
• Some versions of Citadel include virtual-machine detection, so inside a sandbox they behave differently and the analysis yields misleading results
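Because a VM-aware sample such as the Citadel builds mentioned here returns fake data instead of its real behaviour, the practical check is to audit the guest for the hypervisor artefacts such samples look for and remove or rename them. The script below is an added example, not Cuckoo or Citadel code: it matches a guest inventory (driver files, registry keys, processes, MAC prefixes) against well-known VirtualBox and VMware fingerprints. The fingerprint list is illustrative rather than complete, and the guest inventory it ships with is constructed; on a Windows guest it collects the real inventory.

```python
"""Audit a Cuckoo guest for the hypervisor artefacts that VM-aware malware checks
before deciding whether to run. Added example, not part of Cuckoo or of Citadel;
the fingerprint lists are well-known (and incomplete) VirtualBox/VMware tells, and
CONSTRUCTED_GUEST is a made-up inventory so the matcher can run anywhere."""
import os
import platform
import re
import subprocess
from typing import Dict, Iterable, List

# Registry paths are relative to HKEY_LOCAL_MACHINE.
FINGERPRINTS: Dict[str, Dict[str, List[str]]] = {
    "virtualbox": {
        "files": [r"C:\Windows\System32\drivers\VBoxMouse.sys",
                  r"C:\Windows\System32\drivers\VBoxGuest.sys",
                  r"C:\Windows\System32\drivers\VBoxSF.sys",
                  r"C:\Windows\System32\drivers\VBoxVideo.sys"],
        "registry": [r"SOFTWARE\Oracle\VirtualBox Guest Additions",
                     r"HARDWARE\ACPI\DSDT\VBOX__"],
        "processes": ["VBoxService.exe", "VBoxTray.exe"],
        "mac_prefixes": ["08:00:27"],
    },
    "vmware": {
        "files": [r"C:\Windows\System32\drivers\vmmouse.sys",
                  r"C:\Windows\System32\drivers\vmhgfs.sys"],
        "registry": [r"SOFTWARE\VMware, Inc.\VMware Tools"],
        "processes": ["vmtoolsd.exe", "vmwaretray.exe"],
        "mac_prefixes": ["00:05:69", "00:0C:29", "00:1C:14", "00:50:56"],
    },
}


def _norm(s: str) -> str:
    return s.strip().lower()


def find_vm_artefacts(files: Iterable[str], registry_keys: Iterable[str],
                      processes: Iterable[str], mac_addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Every fingerprint present in the inventory, grouped by hypervisor.
    An empty result means none of the listed tells is exposed to the sample."""
    files_set = {_norm(f) for f in files}
    reg_set = {_norm(k) for k in registry_keys}
    proc_set = {_norm(p) for p in processes}
    macs = [_norm(m).replace("-", ":") for m in mac_addresses]
    hits: Dict[str, List[str]] = {}
    for hv, fp in FINGERPRINTS.items():
        found = [f"file:{f}" for f in fp["files"] if _norm(f) in files_set]
        # Suffix match so both "HKLM\SOFTWARE\..." and "SOFTWARE\..." spellings hit.
        found += [f"registry:{k}" for k in fp["registry"] if any(r.endswith(_norm(k)) for r in reg_set)]
        found += [f"process:{p}" for p in fp["processes"] if _norm(p) in proc_set]
        found += [f"mac:{m}" for m in macs if any(m.startswith(_norm(p)) for p in fp["mac_prefixes"])]
        if found:
            hits[hv] = found
    return hits


def collect_local_inventory() -> Dict[str, List[str]]:
    """Collect the inventory on a Windows guest; returns empty lists on other systems."""
    inv: Dict[str, List[str]] = {"files": [], "registry_keys": [], "processes": [], "mac_addresses": []}
    if platform.system() != "Windows":
        return inv
    import winreg  # Windows-only module, hence the local import
    inv["files"] = [p for hv in FINGERPRINTS.values() for p in hv["files"] if os.path.exists(p)]
    for hv in FINGERPRINTS.values():
        for key in hv["registry"]:
            try:
                winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
                inv["registry_keys"].append(key)
            except OSError:
                pass
    tasks = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    inv["processes"] = [line.split('","')[0].strip('"') for line in tasks.splitlines() if line.strip()]
    getmac = subprocess.run(["getmac"], capture_output=True, text=True).stdout
    inv["mac_addresses"] = re.findall(r"(?i)\b[0-9A-F]{2}(?:-[0-9A-F]{2}){5}\b", getmac)
    return inv


# Constructed inventory of a stock VirtualBox guest with Guest Additions installed.
CONSTRUCTED_GUEST = {
    "files": [r"C:\Windows\System32\drivers\VBoxGuest.sys", r"C:\Windows\System32\drivers\VBoxSF.sys"],
    "registry_keys": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "processes": ["explorer.exe", "VBoxTray.exe", "VBoxService.exe"],
    "mac_addresses": ["08-00-27-3A-9B-01"],
}

if __name__ == "__main__":
    inventory = collect_local_inventory()
    if not any(inventory.values()):
        inventory = CONSTRUCTED_GUEST
    for hv, found in find_vm_artefacts(**inventory).items():
        print(hv, *found, sep="\n  ")
```

Every hit is something to fix in the guest image before snapshotting it (uninstall the additions the analysis does not need, change the virtual NIC's MAC to a non-hypervisor prefix); a sample that still refuses to run after that is using a tell this list does not cover.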
![Page 32: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/32.jpg)
// 07 CUCKOO VS EXPLOIT KITS
![Page 33: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/33.jpg)
Cuckoo analyses the exploit kit
• Cuckoo can analyse URLs that host exploit kits and collect the files they serve to the victim browser.
![Page 34: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/34.jpg)
// 08 CONCLUSIONS
![Page 35: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/35.jpg)
// QUESTIONS?
![Page 36: Open source malware analysis](https://reader033.fdocuments.in/reader033/viewer/2022052601/55975a0d1a28ab833c8b4847/html5/thumbnails/36.jpg)
THANK YOU
www.s21sec.com
SPAIN · MEXICO · BRAZIL · UK · USA