
[CB19] tknk_scanner v2: community-based integrated malware identification system by Shota Nakajima, Keita Nomura

We presented tknk_scanner, which uses YARA, at Black Hat Europe 2018 Arsenal. tknk_scanner is a community-based integrated malware identification system that aims to make it easy to identify malware families by automating the process with an integration of open source, community-based tools and freeware.
The previous tknk_scanner only supported binary-based scanning (scanning with YARA, a summary of VirusTotal results using AVClass, and file signatures from Detect It Easy). This major update adds a packet capture and network-based scanning mode. It allows the scanner to use network-based signatures (Snort rules, Suricata rules). Not only that, you can get the communication information of each process and associate network signatures with binary signatures. Of course, those results can be easily checked from the cool Web-UI. Support for both binary-based and network-based signatures enables simple dynamic analysis and improves malware identification accuracy. With this update, tknk_scanner further supports analysis by SOC operators, CSIRT members, and malware analysts.



  1. tknk_scanner V2: Community-based integrated malware identification system. Cyber Defense Institute, Inc. Shota Nakajima, Keita Nomura. Copyright©2019 nao_sec All Rights Reserved.
  2. Who are we
  3. Background
     • Sometimes we encounter unknown malware
     • Using antivirus software, VirusTotal, yara, etc.
     • However, the detection name may not be correct or may not be useful
     • Do you want to analyze similar malware over and over?
     • We would like to do other, more fun jobs
     • Utilize past analysis results and published information
  4. What is tknk_scanner
     • Automatic identification and classification of malware
       • Scans the original malware code with yara
     • Dumps the original malware code
       • You can easily get the original code
     • Community-based
       • Integrates multiple open source software and free tools
     • User-friendly Web-UI
       • Users can submit malware and check scan results using the Web-UI
     • Packet capture and network-based scanning mode [New!]
       • Uses tcpdump and Suricata
  5. Concept
     • We don't want to analyze known malware manually
     • If malware is obfuscated/encrypted/encoded, debuggers or other techniques are needed
       • We cannot get a good result with yara alone
     • Malware actually runs most of the time
       • Except: evasive malware and APT malware
     • The original code of the malware is copied into memory
     • So it is useful to automatically dump the original code from memory and automatically identify the malware
  6. System Overview (architecture diagram; components shown): Web UI, tknk.py, REST API, xmlrpc_client.py, mongoDB (db update), xmlrpc_server.py, VM, XML-RPC, redis, dump modules, CLI
  7. Features
     • Scan
       • Mode: hollows_hunter, procdump, diff
       • yara, with the rules you own
     • Additional information
       • python-magic
       • Detect It Easy, a packer identifier: https://github.com/horsicq/Detect-It-Easy
       • AVClass, a malware labeling tool: https://github.com/malicialab/avclass. You give it as input the AV labels for a large number of malware samples and it outputs the most likely family name for each sample that it can extract from the AV labels.
  8. Features [New!]
     • Network Scan
       • It allows the scanner to use network-based signatures (Snort rules, Suricata rules)
     • Connections
       • It provides connection information of the process while the malware is running
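One way to implement the association between network signatures and binary signatures described in the abstract and on the Features [New!] slide, as an added example that is not tknk_scanner's own code: it joins Suricata EVE JSON alerts to the process that owned the local endpoint (the connection information the scanner records) and merges them with per-PID yara matches from the dumped modules. The EVE field names are Suricata's; the connection table, yara results and alert lines are constructed for this example.

```python
# Added example, not tknk_scanner's own code: join Suricata EVE alerts to the
# process that owned the local endpoint, then merge with per-PID yara matches
# from the dumped modules. All data below is constructed; EVE field names are real.
import json

# Constructed eve.json lines; one JSON record per line, as Suricata writes them.
EVE_LINES = """
{"event_type":"alert","src_ip":"10.0.0.5","src_port":49152,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"signature":"EXAMPLE Family X CnC Checkin"}}
{"event_type":"flow","src_ip":"10.0.0.5","src_port":49153,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP"}
{"event_type":"alert","src_ip":"10.0.0.5","src_port":49160,"dest_ip":"198.51.100.4","dest_port":8080,"proto":"TCP","alert":{"signature_id":2000002,"signature":"EXAMPLE Downloader Y Beacon"}}
{"event_type":"alert","src_ip":"10.0.0.5","src_port":50000,"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP","alert":{"signature_id":2000003,"signature":"EXAMPLE DNS Query"}}
""".strip().splitlines()

# Constructed connection records captured while the sample ran:
# (pid, process name, local ip, local port)
CONNECTIONS = [
    (1234, "sample.exe", "10.0.0.5", 49152),
    (1234, "sample.exe", "10.0.0.5", 49153),
    (5678, "svchost.exe", "10.0.0.5", 49160),  # process the sample injected into
]

# Constructed yara results on the dumped modules, keyed by PID
YARA_MATCHES = {1234: ["FamilyX_unpacked"], 5678: ["Downloader_Y"]}


def parse_alerts(lines):
    """Yield (src_ip, src_port, sid, signature) from alert events only."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            yield (rec["src_ip"], rec["src_port"],
                   rec["alert"]["signature_id"], rec["alert"]["signature"])


def correlate(eve_lines, connections, yara_matches):
    """Return ({pid: {"process", "yara", "network"}}, unattributed alerts)."""
    endpoint_owner = {(ip, port): (pid, name) for pid, name, ip, port in connections}
    names = {pid: name for pid, name, _, _ in connections}
    out = {pid: {"process": names.get(pid), "yara": list(rules), "network": []}
           for pid, rules in yara_matches.items()}
    unattributed = []
    for ip, port, sid, sig in parse_alerts(eve_lines):
        owner = endpoint_owner.get((ip, port))
        if owner is None:  # no tracked process owned that endpoint: record, do not guess
            unattributed.append((sid, sig))
            continue
        pid, name = owner
        entry = out.setdefault(pid, {"process": name, "yara": [], "network": []})
        entry["network"].append((sid, sig))
    return out, unattributed
```

Alerts whose local endpoint was never seen in the connection table are returned separately rather than attributed to a process, which is the case a reviewer checks first when a network hit has no matching dump.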
  9. Scan
  10. hollows_hunter
     • hollows_hunter is developed by @hasherezade: https://github.com/hasherezade/hollows_hunter
     • A process scanner that detects and dumps hollowed PE modules
     • Uses PE-sieve (DLL version)
     • It has powerful features: it recognizes and dumps a variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches
  11. Procdump
     • Windows Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
     • Execute the following command: procdump.exe -t -ma PID
       • Writes a full memory dump when the process terminates or after a specified time
       • Note that the dump file is large
     • Parsed by memory area [New!]
  12. DEMO Movie
  13. Limitations
     • tknk_scanner does not include signatures
       • You can download the public yara rules: https://github.com/Yara-Rules/rules
       • You can download the ETOpen rules: https://rules.emergingthreats.net/
     • No matching signature exists
       • Please write your own yara rule and share it
     • Dump fails
       • Try manual analysis
     • tknk_scanner is not …
       • a sandbox: use Cuckoo Sandbox
       • an antivirus scanner: use IRMA
  14. Thank you!! Any Questions? https://github.com/nao-sec/tknk_scanner Twitter: @nao_sec, @PINKSAWTOOTH, @nomuken (personal accounts)
