SlideShare a Scribd company logo

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014

grecsl
grecsl

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

Technology
1 of 75
Malware Analysis N00b to Ninja in 60 Minutes* @grecs NovaInfosec.com * Most listeners do not become Ninjas in under 60 minutes.
Disclaimer • Opinions expressed do not express the views or opinions of my – my employers – my customers, – my wife, – my kids, – my parents – my in-laws – my high school girlfriend from Canada Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Pic of hacked sites; news articles of breaches, mid-2000s Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Infosec COTS Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Agenda • Introduction • Environment • Methodology • Where to Learn More • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction WARNING!!! DO NOT ANALYZE MALWARE ON PRODUCTION SYSTEMS Security Analysts Looking to Expand Skills beyond Event Monitoring & Basic Analysis General Security Practitioners Interested in Getting Started in Malware Analysis
Introduction What Is Malware Analysis • The Analysis of Malware ;) • Reverse Engineering Malware to Understand How It Works and What It Does • Types – Triage – Dynamic Analysis – Static Analysis “Mastering 4 Stages of Malware Analysis” – Lenny Zeltser
Introduction What Is Triage? • Definition – Quickie Analysis To Understand as Much as Possible about the Malware • Goals – Gain Gist of What Malware Is & What Could Do What How Determine Basic Running Properties Automated Analysis See If Others Found Hash Search Analyze File Props (type, imports) PE Examination Find Textual Clues of Activity (if packed) Strings
Introduction Triage Is That Enough? Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction What Is Dynamic Analysis? • Definition – Execute Malware & Watch What It Does • Goals – Acquire Understanding of How Malware Acts What How Sense Host Changes Registry, File, Log, … Monitoring Uncover Runtime Properties Process Monitoring, Memory Analysis* Reveal Network Activity TCP/UDP Monitoring (DNS, HTTP, HTTPS) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction Dynamic Analysis • Process – Establish Baseline of Environment – Start Monitoring Applications & Execute Malware – Monitor Activities & Stop Monitoring Applications – Analyze Differences & Activity Recorded Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction Dynamic Analysis Is That Enough? Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Introduction What Is Static Analysis? • Definition – Disassemble Malware Down to Computer Instructions • Goals – Reverse Engineer to Understand Exactly What It Does Easy Hard
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment • Platform – Virtual – Physical • Options – Automated – Single Box – Dual Box
Environment Platform • Virtual – Efficient & Easy to Setup – Snap-Shots to Revert Back To – Malware Detecting VM & Terminating – Note: Use Non-Host Connected Interface (host- only doesn’t count) • Physical – VM Detection Not Possible – Resource Intensive Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Options • Automated – Triage Analysis Performed in Automated Environment – Emulates User Execution of & Interaction with Malware – Collects Artifacts on Malware Activity • Single Box – Triage and/or Dynamic Analysis Performed on One Machine – Potential Risk of Malware Sabotaging • Dual Box – Mitigates Some Sabotage Risk – Gateway to Simulate a Network – Realistic External View (ports open, network traffic) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Automated Analysis • Online – Malwr.com – Norman Sandbox – GFI Sandbox – Anubis – ThreatExpert.com • In-House – Commercial Products – e.g., Companies Above – Open Source – e.g., Cuckoo Sandbox – Minimum: Machine Loaded with Several AV Products Pic here showing one online form Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Automated Analysis • Cuckoo Sandbox – Automated Dynamic Analysis of Malware – Data Captured • API Calls: Trace of Relevant Win32 API Calls Performed • Network Traffic: Dump of Traffic Generated During Analysis • Screenshots: Taken During Analysis • Files: Created, Deleted, and Downloaded by Malware • Assembly Instructions: Trace of Assembly Instructions Executed – Setup • Can Be Frustrating CuckooBox: http://cuckoobox.org/
Environment Automated Analysis
Environment Single Box • Start with Base Unpatched Win XP SP2 Box in VMware – Similar to First Set of Post-Install Instructions for Metasploit Unleashed – Turn Off Automatic Updates – Disable Alerts • Where to Get – eBay, NewEgg, etc. – Windows Evals • Current Eval: http://technet.microsoft.com/en-us/evalcenter/default • Previous Vs: http://technet.microsoft.com/en-us/evalcenter/dn407368 • Modern IE: http://www.modern.ie/ (even Windows XP) – AWS (servers only) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Single Box • Install Triage Analysis Tools – Strings • Strings from Sysinternals (also strings2) • BinText from McAfee – PeStudio – FileInsight • Hex Editor & Analysis Tool by McAfee
Environment Single Box • Install Dynamic Analysis Tools – Process Monitor • Exposes File System, Registry & Process Activity that Started During Malware Execution – Process Explorer • Advanced Task Manager Replacement • Reveals Info about Handles/DLLs Processes Opened/Loaded – WireShark (along with WinPCAP) • Sniffer to Capture Malware-Initiated Network Traffic – RegShot • View Changes Malware Makes in the Registry/File System Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653 WireShark: https://www.wireshark.org/ RegShot: http://sourceforge.net/projects/regshot/
Environment Single Box • Install Dynamic Analysis Tools (cont) – TCPView • Allows Detection of Malware Initiated Network Connections – FakeNet • Aids Dynamic Analysis of Malicious Software • Simulates Network so Malware Thinks Its Interacting with Remote Hosts • DNS, HTTP, SSL, Dummy Listener TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437 FakeNet: http://practicalmalwareanalysis.com/fakenet/
Environment Single Box • Install Static Analysis Tools – OllyDbg with OllyDump Plugin • General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly • Plugin to View Encrypted Malware When In Memory – Specialized Tools • PDFs: Didier Stevens’s pdfid.py & pdf-parser.py • Flash: SWFTtools • Others: Office, Java, JavaScript OllyDbg: http://www.ollydbg.de/ OllyDump: http://www.openrce.org/downloads/details/108/OllyDump Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/
Environment Single Box - Others • Other Ideas for Base Install or On-the-Fly – Several AV Products – Users of Various Permissions – Malware Analysis Pack (FakeDNS, Right-Click Opts – MD5, strings, VT) – CaptureBAT • File Analysis Tools – WinHex (restrictions under eval version; priced high for hobbyist) – 010 Editor (30 day eval; priced high for hobbyist) – FileAlyzer (similar to PeStudio but different capabilities) • Forensics – FTK Imager Lite – Autopsy/The Sleuth Kit – DumpIt – Volatility Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Single Box • Baseline – Configure VM to "Host-Only” Mode Secluded Network • Temporarily Change to NAT to Download Malware • Write-Once Media (e.g., CDs) • USB Key with Physical Write-Protect Switch – Imation USB 2.0 Clip Flash Drive – Kanguru Flashblu 2 – Snapshot VM • Rinse & Repeat – Library of Different OSs at Various SPs (XP SP1, 2, & 3) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Dual Box – Fake Gateway Server • Second Machine for Target to Connect To – Additional Advantage of Examining Network Traffic without Possible Malware Sabotage – Implement Linux Server in VMware & Configure to Be Default Route on Victim Machine – Should Have Fixed IP Addresses • Enable or Install Software that Provides Needed Services – DNS: Configured to Return Fake Servers IP for All Queries – HTTP – IRC – Others: DHCP, FTP, SSH – Other Services Depending on Goal of Analysis Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Dual Box – Fake Gateway Server • Install Network Analysis Tools – WireShark: Records Network Traffic from Victim – Netcat: Start Needed Ad-Hoc Services – Nmap: Scan for Open Ports External to Victim • Snapshot Fake Server Revert Back To Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Environment Dual Box – Fake Gateway Server • REMnux – Created by Lenny Zeltser – ISO or Virtual Appliance – Triage • Load Malware on & Analyze • Web-Based Malware (e.g., Malicious JavaScript, Java Programs, & Flash Files) • Malicious Documents (e.g., Microsoft Office & Adobe PDF files) • Utilities for Reversing Malware through Memory Forensics – Dynamic Analysis • Emulate Network Services Used as Fake Gateway Server • Emulate Services in Isolated Lab Environment • Infects Another Laboratory System with Malware Sample • Directs Potentially-Malicious Connections to REMnux that's Listening on Appropriate Ports REMnux: http://zeltser.com/remnux/ v4
Environment Dual Box – Fake Gateway Server
Environment Malware Sources – To Learn With+ • PracticalMalwareAnalysis.com/labs • ContagioDump.blogspot.com • VirusShare.com (request invite) • Malwr.com (if select share) • Malware-Traffic-Analysis.net Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Methodology 1. Triage 2. Dynamic Analysis 3. Static Analysis Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Methodology 1. Triage Checklist  Run through External/Internal Sandbox Services for QnD Results • Goals: Rough Understanding of Malware Activities • Tools: Cuckcoo, Malwr.com, Norman, GFI Sandbox, Anubis, ThreatExpert.com  b. MD5 Hash Comparison (can run live is possible) • Goals: When Compiled, Packed or Obfuscated) • Tools: VirusTotal.com, PeStudio, Google Hash  c. Determine Real File Type • UNIX “file” Command and/or TrID • Open in FileInsight & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia)  Analyze Imports • Goals: Discovery Interesting Libs Malware May Be Importing (networking APIs for non-networking app) • Tools: PeStudio, PEView  Extract Readable Strings • Goals: Discover Interesting Data Points like Host Name & IP Addresses • Tools: strings, strings2  Unpack If Needed • Tools: OllyDump, PE Explorer (UPX built- in)  Specialized Tools • E.g., pdfid.py, pdf-parser.py, SWFTtools a. b. c. d. e. f. e. MASTIFF: Open Source Linux Tool Automates Much of Above (on REMnux) v4
Methodology 2. Dynamic Analysis Checklist  Establish Baseline of Environment • Add Target Software: Reader, Java, Flash, browsers (OldVersion.com / OldApps.com) • Disable Windows Firewall • Create Snapshot if Testing Multiple Times  Start Monitoring Apps & Execute Malware • Take RegShot & Start WireShark, Process Monitor, Process Explorer, FakeNet & TCPView • Monitors File and Registry Access, Network Traffic, Process Creation, etc. • Execute Malware & Let it Run for 15 Minutes or Until Activity Dies Down  Monitor Activities & Stop Monitoring Applications • Watching WireShark, Process Monitor, & TCPView for Anything Interesting • Take Second RegShot & Stop WireShark, Process Monitor, FakeNet  Analyze Differences & Activity Recorded • Compare Initial & Final RegShots • Review All Monitoring Tool Logs a. b. c. d. RegShot: Set Scan dir1 option to c:
Methodology 3. Static Analysis • Use OllyDbg or IDA Pro to Disassemble & Analyze Deobfuscated Malware  Just Stare at It  ...  Stare Some More  ...  And Some More Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, a. b. c. d. e.
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Where to Learn More OpenSecurityTraining.info
Where to Learn More • OpenSecurityTraining.info – “Intro x86” • http://opensecuritytraining.info/IntroX86.html – “Reverse Engineering” • http://opensecuritytraining.info/IntroductionToR everseEngineering.html – “Malware Dynamic Analysis • http://opensecuritytraining.info/MalwareDynami cAnalysis.html – “Malware Static Analysis” • http://opensecuritytraining.info/ReverseEngineer ingMalware.html • Matt Briggs & Frank Poz • “Practical Malware Analysis” by M. Sikorski/A. Honig
Where to Learn More • Hacker Academy – “Reverse Engineering” • Foundation RE Material & Concepts • Covers Many Malware Analysis Tech & Tools – PE File Format – Packers & Unpackers – Ollydbg – Digital Forensics – Other Classes • “Ethical Hacking” • “Penetration Testing” • “Cutting Edge” Annual Pro Enrollment: $699 NovaInfosec.com Discount: $599 Free 30-Day Trial http://bit.ly/grecshackerdeal
Where to Learn More • Zeltser.com – Malware Analysis Toolkit: http://zeltser.com/malware-analysis- toolkit/ – Intro to Malware Analysis: http://zeltser.com/reverse- malware/intro-to-malware-analysis.pdf • Certifications: SANS GREM, EC-Council CHFI • NIST: 800-94, 800-83, 800-61 • NovaInfosec – Workshop Style? Here? – Follow @grecs for Announcement
Where to Learn More • MAnux – Pre-Build VM with Cuckoo Sandbox Installed – Future • Dynamic Analysis Tools as Different Snapshot • …
Conclusion • Introduction • Environment – Platform – Automated – Single Box - Analysis – Dual Box – Fake Gateway • Methodology – Triage – Dynamic Analysis – Static Analysis • Where to Learn More – OpenSecurityTraining.info – NovaInfosec/Hacker Academy – Zeltser.com • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Questions? • Presentation http://bit.ly/grecsbsideslv • Twitter @grecs • Website NovaInfosec.com • Contact http://bit.ly/nispcontact • Hacker Academy http://bit.ly/grecshackerdeal
Backup Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
DYNAMIC ANALYSIS Step-by-Step Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Methodology 2. Dynamic Analysis (Setup) Be Careful Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Methodology 2. Dynamic Analysis (Regshot & Wireshark) b-1. b-3. b-2.
Methodology 2. Dynamic Analysis (Process Monitor) b-4. b-5. b-6.
Methodology 2. Dynamic Analysis (Process Explorer) b-7. Just Start
Methodology 2. Dynamic Analysis (FakeNet) b-8. Just Start
Methodology 2. Dynamic Analysis (TCPView) b-9. Just Start
Methodology 2. Dynamic Analysis (Execute Malware) • Double-Click EXE • Rundll32.exe DLLName, Export arguments – PE Explorer to Discover Export arguments – E.g., rundll32.exe rip.dll, Install • Visit Website • Watch All Monitoring Tools & Stop When Activity Dies Down b-10. Execute Malware c-1. Just Monitor
Methodology 2. Dynamic Analysis (Spin Down) c-2. c-4. c-3.
Methodology 2. Dynamic Analysis (Spin Down) c-5.
Methodology 2. Dynamic Analysis (Spin Down) c-6.
Methodology 2. Dynamic Analysis (Analysis) • Save Logs for Future Reference • Compare Initial & Final RegShots & Review All Monitoring Tool Logs c-7. d. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,

Recommended

Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Elasticsearch
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attack
Abdelhakim Salama
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
Christian Martorella
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
Sameera Amjad
 
The Indicators of Compromise
The Indicators of CompromiseThe Indicators of Compromise
The Indicators of Compromise
Tomasz Jakubowski
 

Recommended

Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Elasticsearch
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attack
Abdelhakim Salama
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
Christian Martorella
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
Sameera Amjad
 
The Indicators of Compromise
The Indicators of CompromiseThe Indicators of Compromise
The Indicators of Compromise
Tomasz Jakubowski
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
DNIF
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Packet Sniffing
Packet SniffingPacket Sniffing
Packet Sniffing
guestfa1226
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
Splunk
 
Cloud Computing Forensic Science
Cloud Computing Forensic Science Cloud Computing Forensic Science
Cloud Computing Forensic Science
David Sweigert
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
sdavis532
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
Cheah Eng Soon
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
Sudeshna Basak
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
Utkarsh Verma
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
Ben Rothke
 
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
Amazon Web Services
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
NcN2015. Técnicas OSINT para investigadores de seguridad.
NcN2015. Técnicas OSINT para investigadores de seguridad.NcN2015. Técnicas OSINT para investigadores de seguridad.
NcN2015. Técnicas OSINT para investigadores de seguridad.
Internet Security Auditors
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
Symantec Security Response
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
OSINT with Practical: Real Life Examples
OSINT with Practical: Real Life ExamplesOSINT with Practical: Real Life Examples
OSINT with Practical: Real Life Examples
SyedAmoz
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
grecsl
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
grecsl
 

More Related Content

What's hot

Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
sdavis532
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
Sudeshna Basak
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
Utkarsh Verma
 
NcN2015. Técnicas OSINT para investigadores de seguridad.
NcN2015. Técnicas OSINT para investigadores de seguridad.NcN2015. Técnicas OSINT para investigadores de seguridad.
NcN2015. Técnicas OSINT para investigadores de seguridad.
Internet Security Auditors
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
Symantec Security Response
 

What's hot (20)

Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Packet Sniffing
Packet SniffingPacket Sniffing
Packet Sniffing
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Cloud Computing Forensic Science
Cloud Computing Forensic Science Cloud Computing Forensic Science
Cloud Computing Forensic Science
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
NcN2015. Técnicas OSINT para investigadores de seguridad.
NcN2015. Técnicas OSINT para investigadores de seguridad.NcN2015. Técnicas OSINT para investigadores de seguridad.
NcN2015. Técnicas OSINT para investigadores de seguridad.
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
OSINT with Practical: Real Life Examples
OSINT with Practical: Real Life ExamplesOSINT with Practical: Real Life Examples
OSINT with Practical: Real Life Examples
 

Similar to Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014

Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
grecsl
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario Malicioso
Conferencias FIST
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
Stephan Chenette
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Lastline, Inc.
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
briancrawford30935
 

Similar to Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014 (20)

Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario Malicioso
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
 
ethical Hack
ethical Hackethical Hack
ethical Hack
 
Wm4
Wm4Wm4
Wm4
 
Wm4
Wm4Wm4
Wm4
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.ppt
 

More from grecsl

Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
grecsl
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
grecsl
 
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
grecsl
 

More from grecsl (7)

Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
 
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
 
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
 
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
 
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
 
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Recently uploaded (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014

  • 1. Malware Analysis N00b to Ninja in 60 Minutes* @grecs NovaInfosec.com * Most listeners do not become Ninjas in under 60 minutes.
  • 2. Disclaimer • Opinions expressed do not express the views or opinions of my – my employers – my customers, – my wife, – my kids, – my parents – my in-laws – my high school girlfriend from Canada Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 3. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 4. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 5. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 6. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 7. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 8. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 9. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 10. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 11. Pic of hacked sites; news articles of breaches, mid-2000s Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 12. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 13. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 14. Infosec COTS Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 15. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 16. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 17. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 18. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 19. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 20. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 21. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 22. Agenda • Introduction • Environment • Methodology • Where to Learn More • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 23. Introduction WARNING!!! DO NOT ANALYZE MALWARE ON PRODUCTION SYSTEMS Security Analysts Looking to Expand Skills beyond Event Monitoring & Basic Analysis General Security Practitioners Interested in Getting Started in Malware Analysis
  • 24. Introduction What Is Malware Analysis • The Analysis of Malware ;) • Reverse Engineering Malware to Understand How It Works and What It Does • Types – Triage – Dynamic Analysis – Static Analysis “Mastering 4 Stages of Malware Analysis” – Lenny Zeltser
  • 25. Introduction What Is Triage? • Definition – Quickie Analysis To Understand as Much as Possible about the Malware • Goals – Gain Gist of What Malware Is & What Could Do What How Determine Basic Running Properties Automated Analysis See If Others Found Hash Search Analyze File Props (type, imports) PE Examination Find Textual Clues of Activity (if packed) Strings
  • 26. Introduction Triage Is That Enough? Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 27. Introduction What Is Dynamic Analysis? • Definition – Execute Malware & Watch What It Does • Goals – Acquire Understanding of How Malware Acts What How Sense Host Changes Registry, File, Log, … Monitoring Uncover Runtime Properties Process Monitoring, Memory Analysis* Reveal Network Activity TCP/UDP Monitoring (DNS, HTTP, HTTPS) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 28. Introduction Dynamic Analysis • Process – Establish Baseline of Environment – Start Monitoring Applications & Execute Malware – Monitor Activities & Stop Monitoring Applications – Analyze Differences & Activity Recorded Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 29. Introduction Dynamic Analysis Is That Enough? Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 30. Introduction What Is Static Analysis? • Definition – Disassemble Malware Down to Computer Instructions • Goals – Reverse Engineer to Understand Exactly What It Does Easy Hard
  • 31. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 32. Environment • Platform – Virtual – Physical • Options – Automated – Single Box – Dual Box
  • 33. Environment Platform • Virtual – Efficient & Easy to Setup – Snap-Shots to Revert Back To – Malware Detecting VM & Terminating – Note: Use Non-Host Connected Interface (host- only doesn’t count) • Physical – VM Detection Not Possible – Resource Intensive Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 34. Environment Options • Automated – Triage Analysis Performed in Automated Environment – Emulates User Execution of & Interaction with Malware – Collects Artifacts on Malware Activity • Single Box – Triage and/or Dynamic Analysis Performed on One Machine – Potential Risk of Malware Sabotaging • Dual Box – Mitigates Some Sabotage Risk – Gateway to Simulate a Network – Realistic External View (ports open, network traffic) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 35. Environment Automated Analysis • Online – Malwr.com – Norman Sandbox – GFI Sandbox – Anubis – ThreatExpert.com • In-House – Commercial Products – e.g., Companies Above – Open Source – e.g., Cuckoo Sandbox – Minimum: Machine Loaded with Several AV Products Pic here showing one online form Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 36. Environment Automated Analysis • Cuckoo Sandbox – Automated Dynamic Analysis of Malware – Data Captured • API Calls: Trace of Relevant Win32 API Calls Performed • Network Traffic: Dump of Traffic Generated During Analysis • Screenshots: Taken During Analysis • Files: Created, Deleted, and Downloaded by Malware • Assembly Instructions: Trace of Assembly Instructions Executed – Setup • Can Be Frustrating CuckooBox: http://cuckoobox.org/
  • 38. Environment Single Box • Start with Base Unpatched Win XP SP2 Box in VMware – Similar to First Set of Post-Install Instructions for Metasploit Unleashed – Turn Off Automatic Updates – Disable Alerts • Where to Get – eBay, NewEgg, etc. – Windows Evals • Current Eval: http://technet.microsoft.com/en-us/evalcenter/default • Previous Vs: http://technet.microsoft.com/en-us/evalcenter/dn407368 • Modern IE: http://www.modern.ie/ (even Windows XP) – AWS (servers only) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 39. Environment Single Box • Install Triage Analysis Tools – Strings • Strings from Sysinternals (also strings2) • BinText from McAfee – PeStudio – FileInsight • Hex Editor & Analysis Tool by McAfee
  • 40. Environment Single Box • Install Dynamic Analysis Tools – Process Monitor • Exposes File System, Registry & Process Activity that Started During Malware Execution – Process Explorer • Advanced Task Manager Replacement • Reveals Info about Handles/DLLs Processes Opened/Loaded – WireShark (along with WinPCAP) • Sniffer to Capture Malware-Initiated Network Traffic – RegShot • View Changes Malware Makes in the Registry/File System Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653 WireShark: https://www.wireshark.org/ RegShot: http://sourceforge.net/projects/regshot/
  • 41. Environment Single Box • Install Dynamic Analysis Tools (cont) – TCPView • Allows Detection of Malware Initiated Network Connections – FakeNet • Aids Dynamic Analysis of Malicious Software • Simulates Network so Malware Thinks Its Interacting with Remote Hosts • DNS, HTTP, SSL, Dummy Listener TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437 FakeNet: http://practicalmalwareanalysis.com/fakenet/
  • 42. Environment Single Box • Install Static Analysis Tools – OllyDbg with OllyDump Plugin • General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly • Plugin to View Encrypted Malware When In Memory – Specialized Tools • PDFs: Didier Stevens’s pdfid.py & pdf-parser.py • Flash: SWFTtools • Others: Office, Java, JavaScript OllyDbg: http://www.ollydbg.de/ OllyDump: http://www.openrce.org/downloads/details/108/OllyDump Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/
  • 43. Environment Single Box - Others • Other Ideas for Base Install or On-the-Fly – Several AV Products – Users of Various Permissions – Malware Analysis Pack (FakeDNS, Right-Click Opts – MD5, strings, VT) – CaptureBAT • File Analysis Tools – WinHex (restrictions under eval version; priced high for hobbyist) – 010 Editor (30 day eval; priced high for hobbyist) – FileAlyzer (similar to PeStudio but different capabilities) • Forensics – FTK Imager Lite – Autopsy/The Sleuth Kit – DumpIt – Volatility Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 44. Environment Single Box • Baseline – Configure VM to "Host-Only” Mode Secluded Network • Temporarily Change to NAT to Download Malware • Write-Once Media (e.g., CDs) • USB Key with Physical Write-Protect Switch – Imation USB 2.0 Clip Flash Drive – Kanguru Flashblu 2 – Snapshot VM • Rinse & Repeat – Library of Different OSs at Various SPs (XP SP1, 2, & 3) Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 45. Environment Dual Box – Fake Gateway Server • Second Machine for Target to Connect To – Additional Advantage of Examining Network Traffic without Possible Malware Sabotage – Implement Linux Server in VMware & Configure to Be Default Route on Victim Machine – Should Have Fixed IP Addresses • Enable or Install Software that Provides Needed Services – DNS: Configured to Return Fake Servers IP for All Queries – HTTP – IRC – Others: DHCP, FTP, SSH – Other Services Depending on Goal of Analysis Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 46. Environment Dual Box – Fake Gateway Server • Install Network Analysis Tools – WireShark: Records Network Traffic from Victim – Netcat: Start Needed Ad-Hoc Services – Nmap: Scan for Open Ports External to Victim • Snapshot Fake Server Revert Back To Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 47. Environment Dual Box – Fake Gateway Server • REMnux – Created by Lenny Zeltser – ISO or Virtual Appliance – Triage • Load Malware on & Analyze • Web-Based Malware (e.g., Malicious JavaScript, Java Programs, & Flash Files) • Malicious Documents (e.g., Microsoft Office & Adobe PDF files) • Utilities for Reversing Malware through Memory Forensics – Dynamic Analysis • Emulate Network Services Used as Fake Gateway Server • Emulate Services in Isolated Lab Environment • Infects Another Laboratory System with Malware Sample • Directs Potentially-Malicious Connections to REMnux that's Listening on Appropriate Ports REMnux: http://zeltser.com/remnux/ v4
  • 48. Environment Dual Box – Fake Gateway Server
  • 49. Environment Malware Sources – To Learn With+ • PracticalMalwareAnalysis.com/labs • ContagioDump.blogspot.com • VirusShare.com (request invite) • Malwr.com (if select share) • Malware-Traffic-Analysis.net Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 50. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 51. Methodology 1. Triage 2. Dynamic Analysis 3. Static Analysis Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 52. Methodology 1. Triage Checklist  Run through External/Internal Sandbox Services for QnD Results • Goals: Rough Understanding of Malware Activities • Tools: Cuckcoo, Malwr.com, Norman, GFI Sandbox, Anubis, ThreatExpert.com  b. MD5 Hash Comparison (can run live is possible) • Goals: When Compiled, Packed or Obfuscated) • Tools: VirusTotal.com, PeStudio, Google Hash  c. Determine Real File Type • UNIX “file” Command and/or TrID • Open in FileInsight & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia)  Analyze Imports • Goals: Discovery Interesting Libs Malware May Be Importing (networking APIs for non-networking app) • Tools: PeStudio, PEView  Extract Readable Strings • Goals: Discover Interesting Data Points like Host Name & IP Addresses • Tools: strings, strings2  Unpack If Needed • Tools: OllyDump, PE Explorer (UPX built- in)  Specialized Tools • E.g., pdfid.py, pdf-parser.py, SWFTtools a. b. c. d. e. f. e. MASTIFF: Open Source Linux Tool Automates Much of Above (on REMnux) v4
  • 53. Methodology 2. Dynamic Analysis Checklist  Establish Baseline of Environment • Add Target Software: Reader, Java, Flash, browsers (OldVersion.com / OldApps.com) • Disable Windows Firewall • Create Snapshot if Testing Multiple Times  Start Monitoring Apps & Execute Malware • Take RegShot & Start WireShark, Process Monitor, Process Explorer, FakeNet & TCPView • Monitors File and Registry Access, Network Traffic, Process Creation, etc. • Execute Malware & Let it Run for 15 Minutes or Until Activity Dies Down  Monitor Activities & Stop Monitoring Applications • Watching WireShark, Process Monitor, & TCPView for Anything Interesting • Take Second RegShot & Stop WireShark, Process Monitor, FakeNet  Analyze Differences & Activity Recorded • Compare Initial & Final RegShots • Review All Monitoring Tool Logs a. b. c. d. RegShot: Set Scan dir1 option to c:
  • 54. Methodology 3. Static Analysis • Use OllyDbg or IDA Pro to Disassemble & Analyze Deobfuscated Malware  Just Stare at It  ...  Stare Some More  ...  And Some More Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, a. b. c. d. e.
  • 55. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 56. Where to Learn More OpenSecurityTraining.info
  • 57. Where to Learn More • OpenSecurityTraining.info – “Intro x86” • http://opensecuritytraining.info/IntroX86.html – “Reverse Engineering” • http://opensecuritytraining.info/IntroductionToR everseEngineering.html – “Malware Dynamic Analysis • http://opensecuritytraining.info/MalwareDynami cAnalysis.html – “Malware Static Analysis” • http://opensecuritytraining.info/ReverseEngineer ingMalware.html • Matt Briggs & Frank Poz • “Practical Malware Analysis” by M. Sikorski/A. Honig
  • 58. Where to Learn More • Hacker Academy – “Reverse Engineering” • Foundation RE Material & Concepts • Covers Many Malware Analysis Tech & Tools – PE File Format – Packers & Unpackers – Ollydbg – Digital Forensics – Other Classes • “Ethical Hacking” • “Penetration Testing” • “Cutting Edge” Annual Pro Enrollment: $699 NovaInfosec.com Discount: $599 Free 30-Day Trial http://bit.ly/grecshackerdeal
  • 59. Where to Learn More • Zeltser.com – Malware Analysis Toolkit: http://zeltser.com/malware-analysis- toolkit/ – Intro to Malware Analysis: http://zeltser.com/reverse- malware/intro-to-malware-analysis.pdf • Certifications: SANS GREM, EC-Council CHFI • NIST: 800-94, 800-83, 800-61 • NovaInfosec – Workshop Style? Here? – Follow @grecs for Announcement
  • 60. Where to Learn More • MAnux – Pre-Build VM with Cuckoo Sandbox Installed – Future • Dynamic Analysis Tools as Different Snapshot • …
  • 61. Conclusion • Introduction • Environment – Platform – Automated – Single Box - Analysis – Dual Box – Fake Gateway • Methodology – Triage – Dynamic Analysis – Static Analysis • Where to Learn More – OpenSecurityTraining.info – NovaInfosec/Hacker Academy – Zeltser.com • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 62. Questions? • Presentation http://bit.ly/grecsbsideslv • Twitter @grecs • Website NovaInfosec.com • Contact http://bit.ly/nispcontact • Hacker Academy http://bit.ly/grecshackerdeal
  • 63. Backup Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 64. DYNAMIC ANALYSIS Step-by-Step Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 65. Methodology 2. Dynamic Analysis (Setup) Be Careful Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 66. Methodology 2. Dynamic Analysis (Regshot & Wireshark) b-1. b-3. b-2.
  • 67. Methodology 2. Dynamic Analysis (Process Monitor) b-4. b-5. b-6.
  • 68. Methodology 2. Dynamic Analysis (Process Explorer) b-7. Just Start
  • 69. Methodology 2. Dynamic Analysis (FakeNet) b-8. Just Start
  • 70. Methodology 2. Dynamic Analysis (TCPView) b-9. Just Start
  • 71. Methodology 2. Dynamic Analysis (Execute Malware) • Double-Click EXE • Rundll32.exe DLLName, Export arguments – PE Explorer to Discover Export arguments – E.g., rundll32.exe rip.dll, Install • Visit Website • Watch All Monitoring Tools & Stop When Activity Dies Down b-10. Execute Malware c-1. Just Monitor
  • 72. Methodology 2. Dynamic Analysis (Spin Down) c-2. c-4. c-3.
  • 75. Methodology 2. Dynamic Analysis (Analysis) • Save Logs for Future Reference • Compare Initial & Final RegShots & Review All Monitoring Tool Logs c-7. d. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,