Malware Analysis
N00b to Ninja in 60 Minutes*
@grecs
NovaInfosec.com
* Most listeners do not become Ninjas in under 60 minutes.
Disclaimer
• Opinions expressed do not represent the views or opinions of
– my employers
– my customers,
– my wives,
– my kids,
– my parents
– my in-laws
– my high school girlfriend from Canada
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
Disclaimer
• The opinions don't even
express the opinions of
myself.
• They are solely of some being
that I am possessed with
[Slide: pictures of hacked sites and news articles of breaches, mid-2000s]
Infosec COTS
Agenda
• Introduction
• Environment
• Methodology
• Where to Learn
More
• Conclusion
Introduction
WARNING!!!
DO NOT ANALYZE MALWARE
ON PRODUCTION SYSTEMS
Security Analysts Looking to Expand Skills
beyond Event Monitoring & Basic Analysis
General Security Practitioners Interested in
Getting Started in Malware Analysis
Introduction
What Is Malware Analysis
• The Analysis of Malware ;)
• Reverse Engineering Malware to Understand
How It Works and What It Does
• Types
– Triage
– Dynamic Analysis
– Static Analysis
“Mastering 4 Stages of Malware Analysis” – Lenny Zeltser
Introduction
Triage
• Definition
– Quickie Analysis To Understand as Much as
Possible about the Malware
• Goals
– Gain Gist of What Malware Is & What Could Do
What → How
– Determine Basic Running Properties → Automated Analysis
– See If Others Have Found It → Hash Search
– Analyze File Properties (type, imports) → PE Examination
– Find Textual Clues of Activity (little use if packed) → Strings
Introduction
Triage
Is That Enough?
Introduction
Dynamic Analysis
• Definition
– Execute Malware & Watch What It Does
• Goals
– Acquire Understanding of How Malware Acts
What → How
– Sense Host Changes → Registry, File, Log, … Monitoring
– Uncover Runtime Properties → Process Monitoring, Memory Analysis*
– Reveal Network Activity → TCP/UDP Monitoring (DNS, HTTP, HTTPS)
Introduction
Dynamic Analysis
• Process
– Establish Baseline of Environment
– Start Monitoring Applications & Execute Malware
– Monitor Activities & Stop Monitoring Applications
– Analyze Differences & Activity Recorded
Introduction
Dynamic Analysis
Is That Enough?
Introduction
Dynamic Analysis
Introduction
Static Analysis
• Definition
– Disassemble Malware Down to Computer Instructions
• Goals
– Reverse Engineer to Understand Exactly What It Does
(Slide graphic: scale from Easy to Hard)
Environment
• Platform
– Virtual
– Physical
• Options
– Automated
– Single Box
– Dual Box
Environment
Platform
• Virtual
– Efficient & Easy to Setup
– Snap-Shots to Revert Back To
– Risk: Malware Detects the VM & Terminates or Changes Behavior
– Note: Use an Interface Not Connected to the Host Network (host-only still gives the VM a path to the host)
• Physical
– VM Detection Not Possible
– Resource Intensive
Environment
Options
• Automated
– Triage Analysis Performed in Automated Environment
– Emulates User Execution of & Interaction with Malware
– Collects Artifacts on Malware Activity
• Single Box
– Triage and/or Dynamic Analysis Performed on One Machine
– Potential Risk of Malware Sabotaging
• Dual Box
– Mitigates Some Sabotage Risk
– Gateway to Simulate a Network
– Realistic External View (ports
open, network traffic)
Environment
Automated Analysis
• Online
– Malwr.com
– Norman Sandbox
– GFI Sandbox
– Anubis
– ThreatExpert.com
• In-House
– Commercial Products – e.g., Companies
Above, FireEye
– Open Source – e.g., Cuckoo Sandbox, ZeroWine
– Minimum: Machine Loaded with Several AV Products
[Slide: screenshot of one online sandbox submission form]
Environment
Automated Analysis
• Cuckoo Sandbox
– Automated Dynamic Analysis of Malware
– Data Captured
• API Calls: Trace of Relevant Win32 API Calls Performed
• Network Traffic: Dump of Traffic Generated During Analysis
• Screenshots: Taken During Analysis
• Files: Created, Deleted, and Downloaded by Malware
• Assembly Instructions: Trace of Assembly Instructions
Executed
– Setup
• Can Be Frustrating
CuckooBox: http://cuckoobox.org/
Environment
Automated Analysis
Environment
Single Box
• Start with Base Unpatched Win XP SP2 Box in
VMware
– Similar to First Set of Post-Install Instructions for
Metasploit Unleashed
– Turn Off Automatic Updates
– Disable Alerts
• Where to Get
– eBay, NewEgg, etc.
– Win Eval OSs (previous versions)
– AWS (servers only)
Environment
Single Box
• Install Triage Analysis Tools
– Strings
• Strings from Sysinternals (also strings2)
• BinText from McAfee
– PeStudio
– FileInsight
• Hex Editor & Analysis Tool by McAfee
Environment
Single Box
• Install Dynamic Analysis Tools
– Process Monitor
• Exposes File System, Registry & Process Activity that Started
During Malware Execution
– Process Explorer
• Advanced Task Manager Replacement
• Reveals Info about Handles/DLLs Processes Opened/Loaded
– Wireshark (along with WinPcap)
• Sniffer to Capture Malware-Initiated Network Traffic
– RegShot
• Snapshot/Compare Tool to View Changes Malware Makes in the Registry/File System
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653
Wireshark: https://www.wireshark.org/
RegShot: http://sourceforge.net/projects/regshot/
Environment
Single Box
• Install Dynamic Analysis Tools (cont)
– TCPView
• Allows Detection of Malware Initiated Network
Connections
– FakeNet
• Aids Dynamic Analysis of Malicious Software
• Simulates a Network so Malware Thinks It's Interacting with Remote Hosts
• DNS, HTTP, SSL, Dummy Listener
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437
FakeNet: http://practicalmalwareanalysis.com/fakenet/
Environment
Single Box
• Install Static Analysis Tools
– OllyDbg with OllyDump Plugin
• General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly
• Plugin to Dump the Unpacked/Decrypted Image from Memory to Disk Once the Packer Has Run
– Specialized Tools
• PDFs: Didier Stevens's pdfid.py & pdf-parser.py
• Flash: SWFTools
• Others: Office, Java, JavaScript
OllyDbg: http://www.ollydbg.de/
OllyDump: http://www.openrce.org/downloads/details/108/OllyDump
Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/
Environment
Single Box - Others
• Other Ideas for Base Install or On-the-Fly
– Several AV Products
– Users of Various Permissions
– Malware Analysis Pack (FakeDNS, Right-Click Opts – MD5, strings, VT)
– CaptureBAT
• File Analysis Tools
– WinHex (restrictions under eval version; priced high for a hobbyist)
– 010 Editor (30-day eval; priced high for a hobbyist)
– FileAlyzer (similar to PeStudio but different capabilities)
• Forensics
– FTK Imager Lite
– Autopsy/The Sleuth Kit
– DumpIt
– Volatility
Environment
Single Box
• Baseline
– Configure VM for a Secluded Network ("Host-Only" at Minimum; the VM Can Still Reach the Host on That Interface)
• Temporarily Change to NAT to Download Malware, Then Switch Back Before Executing Anything
• Write-Once Media (e.g., CDs)
• USB Key with Physical Write-Protect Switch
– Imation USB 2.0 Clip Flash Drive
– Kanguru Flashblu 2
– Snapshot VM
• Rinse & Repeat
– Library of Different OSs at Various SPs (XP SP1, 2, & 3)
Environment
Dual Box – Fake Gateway Server
• Second Machine for Target to Connect To
– Additional Advantage of Examining Network Traffic without
Possible Malware Sabotage
– Implement Linux Server in VMware & Configure to Be Default
Route on Victim Machine
– Should Have Fixed IP Addresses
• Enable or Install Software that Provides Needed Services
– DNS: Configured to Return Fake Servers IP for All Queries
– HTTP
– IRC
– Others: DHCP, FTP, SSH
– Other Services Depending on Goal of Analysis
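The DNS service above ("return the fake server's IP for all queries") is small enough to write by hand. The following is an added example, not code from the talk or from FakeNet/REMnux: a minimal UDP resolver for the Linux gateway that answers every A query with the gateway's own address and logs the hostname, since the names a sample asks for are indicators in their own right. The lab address 10.0.0.1 and the test query names are assumptions; the victim VM's DNS server setting must point at that address.

```python
"""Fake DNS for the dual-box lab gateway: every A query resolves to LAB_IP.
Added example; assumes the gateway owns 10.0.0.1 on the isolated segment."""
import socket
import struct

LAB_IP = "10.0.0.1"   # assumed address of the fake gateway (where HTTP/IRC/etc. listen)


def parse_question(pkt):
    """Return (txid, qname, qtype, offset_after_question) for a standard query."""
    txid, _flags, qdcount = struct.unpack_from("!HHH", pkt, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed name in question not supported")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    qtype, _qclass = struct.unpack_from("!HH", pkt, off)
    return txid, ".".join(labels), qtype, off + 4


def build_response(query, answer_ip=LAB_IP, ttl=60):
    """Echo the question; for A queries add one answer pointing at the lab IP."""
    txid, qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    if qtype != 1:  # only A records are faked; anything else gets an empty NOERROR reply
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question, qname
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # name = pointer to offset 12 (the question name), type A, class IN, TTL, rdlength 4
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr, qname


def build_query(name, txid=0x1234, qtype=1):
    """Constructed query, shaped like what a Windows stub resolver sends (used for testing)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def answered_ip(resp):
    """IP from a single-answer response built by build_response, or None if no answer."""
    ancount = struct.unpack_from("!H", resp, 6)[0]
    return socket.inet_ntoa(resp[-4:]) if ancount else None


def serve(bind="0.0.0.0", port=53):
    """Run on the gateway (needs root for port 53); every lookup is printed as an IOC."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            resp, qname = build_response(data)
        except (ValueError, IndexError, struct.error):
            continue  # malformed packet: drop it, never crash the gateway mid-run
        print(f"{peer[0]} asked for {qname} -> {LAB_IP}")
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Pair it with Wireshark on the same box and the question names show up twice: once in the capture and once in this log, which is handy when the sample floods DNS with generated domains.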
Environment
Dual Box – Fake Gateway Server
• Install Network Analysis Tools
– WireShark: Records Network Traffic from Victim
– Netcat: Start Needed Ad-Hoc Services
– Nmap: Scan for Open Ports External to Victim
• Snapshot Fake Server Revert Back To
Environment
Dual Box – Fake Gateway Server
• REMnux
– Created by Lenny Zeltser
– ISO or Virtual Appliance
– Triage
• Load Malware on & Analyze
• Web-Based Malware (e.g., Malicious JavaScript, Java Programs, &
Flash Files)
• Malicious Documents (e.g., Microsoft Office & Adobe PDF files)
• Utilities for Reversing Malware through Memory Forensics
– Dynamic Analysis
• Emulate Network Services to Act as the Fake Gateway Server
• Emulate Services in an Isolated Lab Environment
• Infect Another Lab System with the Malware Sample & Direct Its Potentially Malicious Connections to REMnux, Which Listens on the Appropriate Ports
REMnux (v4): http://zeltser.com/remnux/
Environment
Dual Box – Fake Gateway Server
Environment
Malware Sources – To Learn With
• PracticalMalwareAnalysis.com/labs
• ContagioDump.blogspot.com
• VirusShare.com (request invite)
– Malwr.com (samples whose submitter chose to share)
Methodology
1. Triage
2. Dynamic Analysis
3. Static Analysis
Methodology
1. Triage Checklist
a. Run through External/Internal Sandbox Services for Quick-and-Dirty Results
• Goals: Rough Understanding of Malware Activities
• Tools: Cuckoo, Malwr.com, Norman, GFI Sandbox, Anubis, ThreatExpert.com
b. MD5 Hash Comparison (can run live if possible)
• Goals: See If Others Have Already Seen the Sample; Learn When It Was Compiled, Packed or Obfuscated (each of which changes the hash)
• Tools: VirusTotal.com, PeStudio, Google Hash Search
c. Determine Real File Type
• UNIX "file" Command and/or TrID
• Open in FileInsight & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia)
d. Analyze Imports
• Goals: Discover Interesting Libs Malware May Be Importing (e.g., networking APIs in a non-networking app)
• Tools: PeStudio, PEView
e. Extract Readable Strings
• Goals: Discover Interesting Data Points like Host Names & IP Addresses
• Tools: strings, strings2
f. Unpack If Needed
• Tools: OllyDump, PE Explorer (UPX built-in)
g. Specialized Tools
• E.g., pdfid.py, pdf-parser.py, SWFTools
MASTIFF: Open Source Linux Tool Automates Much of the Above (on REMnux v4)
Methodology
2. Dynamic Analysis Checklist
a. Establish Baseline of Environment
• Add Target Software: Reader, Java, Flash, Browsers (OldVersion.com / OldApps.com)
• Disable Windows Firewall
• Create Snapshot if Testing Multiple Times
b. Start Monitoring Apps & Execute Malware
• Take RegShot & Start Wireshark, Process Monitor, Process Explorer, FakeNet & TCPView
• These Monitor File and Registry Access, Network Traffic, Process Creation, etc.
• Execute Malware & Let It Run for 15 Minutes or Until Activity Dies Down
c. Monitor Activities & Stop Monitoring Applications
• Watch Wireshark, Process Monitor & TCPView for Anything Interesting
• Take Second RegShot & Stop Wireshark, Process Monitor, FakeNet
d. Analyze Differences & Activity Recorded
• Compare Initial & Final RegShots
• Review All Monitoring Tool Logs
RegShot: Set "Scan dir1" Option to C:\ (so file-system changes are captured, not just the registry)
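Step d, "review all monitoring tool logs", is where a 15-minute Process Monitor capture of hundreds of thousands of events gets tedious. As an added example (not code from the talk or from Sysinternals), the script below reads a Procmon CSV export (File > Save > CSV) and keeps only what the checklist is after: files dropped into user-writable locations, writes to autorun keys, child processes, and outbound connections. It follows the sample by PID and adds each child PID it spawns, because a dropper that names itself svchost.exe would otherwise be lost among (or confused with) the real one. The CSV sample is constructed for the demo, not a real capture; the autorun-key and drop-directory patterns are assumed starting points.

```python
"""Pull the findings that matter out of a Process Monitor CSV export.
Added example; SAMPLE_CSV is constructed and the regexes are assumed starting points."""
import csv
import io
import re

# Constructed rows in Procmon's CSV export column layout; not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","sample.exe","1337","Process Start","","SUCCESS","Parent PID: 1200, Command line: C:\lab\sample.exe"
"10:01:02.1000000","sample.exe","1337","CreateFile","C:\Users\lab\AppData\Local\Temp\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2000000","sample.exe","1337","WriteFile","C:\Users\lab\AppData\Local\Temp\svchost.exe","SUCCESS","Offset: 0, Length: 51,200"
"10:01:02.3000000","sample.exe","1337","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 94, Data: C:\Users\lab\AppData\Local\Temp\svchost.exe"
"10:01:02.4000000","sample.exe","1337","Process Create","C:\Users\lab\AppData\Local\Temp\svchost.exe","SUCCESS","PID: 1400, Command line: C:\Users\lab\AppData\Local\Temp\svchost.exe"
"10:01:03.0000000","svchost.exe","1400","TCP Connect","lab-xp:1055 -> 10.0.0.1:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:03.1000000","svchost.exe","1000","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options","SUCCESS","Type: REG_BINARY, Length: 16"
"10:01:03.2000000","explorer.exe","880","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx","SUCCESS","Type: REG_BINARY, Length: 8"
'''

AUTORUN = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\"   # classic Run keys
    r"|\\Winlogon\\(Shell|Userinit)$"                   # Winlogon hijack
    r"|\\Services\\[^\\]+\\ImagePath$",                 # new or repointed service binary
    re.I)
DROP_DIRS = re.compile(r"\\(AppData|Temp|ProgramData|Startup|Windows\\Tasks)\\", re.I)
NETWORK_OPS = {"TCP Connect", "TCP Reconnect", "TCP Send", "UDP Send"}
PID_RE = re.compile(r"PID:\s*(\d+)")


def review(csv_text, root_pids):
    """Walk the export once, attributing events to the sample and any child it spawns."""
    tracked = set(root_pids)  # PIDs, not names: the dropper calls itself svchost.exe on purpose
    out = {"dropped": [], "persistence": [], "children": [], "network": [], "pids": None}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["PID"])
        op, path = row["Operation"], row["Path"]
        if op == "Process Create" and pid in tracked:
            m = PID_RE.search(row["Detail"])
            child = int(m.group(1)) if m else None
            if child is not None:
                tracked.add(child)  # follow the child from this point on
            out["children"].append((child, path))
            continue
        if pid not in tracked:
            continue  # the legitimate svchost.exe (PID 1000) and explorer.exe fall out here
        if op == "WriteFile" and DROP_DIRS.search(path) and path not in out["dropped"]:
            out["dropped"].append(path)
        elif op == "RegSetValue" and AUTORUN.search(path):
            out["persistence"].append((path, row["Detail"]))
        elif op in NETWORK_OPS:
            out["network"].append(path)
    out["pids"] = sorted(tracked)
    return out


if __name__ == "__main__":
    for key, value in review(SAMPLE_CSV, {1337}).items():
        print(f"{key}: {value}")
```

The same four buckets (dropped files, persistence, children, network) map directly onto what the second RegShot and the Wireshark capture should independently confirm; a persistence entry here with no matching RegShot change means one of the two tools missed something.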
Methodology
2. Dynamic Analysis (Setup)
Be Careful
Methodology
2. Dynamic Analysis (Screenshots of Setup Steps)
• b-1 to b-3: RegShot & Wireshark
• b-4 to b-6: Process Monitor
• b-7: Process Explorer – Just Start
• b-8: FakeNet – Just Start
• b-9: TCPView – Just Start
Methodology
2. Dynamic Analysis (Execute Malware)
• EXE: Double-Click
• DLL: rundll32.exe DLLName,ExportName [arguments]
– PE Explorer (or PeStudio) to Discover the Exported Function Names
– E.g., rundll32.exe rip.dll,Install
• Visit Website
• Watch All Monitoring Tools & Stop When
Activity Dies Down
b-10. Execute Malware
c-1. Just Monitor
Methodology
2. Dynamic Analysis (Spin Down – Screenshots c-2 to c-6)
Methodology
2. Dynamic Analysis (Analysis)
• Save Logs for Future Reference
• Compare Initial & Final RegShots & Review All
Monitoring Tool Logs
Methodology
3. Static Analysis
• Use OllyDbg or IDA Pro to Disassemble &
Analyze Deobfuscated Malware
 Just Stare at It
 ...
 Stare Some More
 ...
 And Some More
Where to Learn More
OpenSecurityTraining.info
Where to Learn More
• OpenSecurityTraining.info
– “Reverse Engineering Malware”
• Matt Briggs & Frank Poz
• “Practical Malware Analysis” by M. Sikorski/A. Honig
• http://opensecuritytraining.info/ReverseEngineeringMalware.html
Where to Learn More
• Hacker Academy
– “Reverse Engineering”
• Foundation RE Material
& Concepts
• Covers Many Malware
Analysis Tech & Tools
– PE File Format
– Packers & Unpackers
– Ollydbg
– Digital Forensics
– Other Classes
• “Ethical Hacking”
• “Penetration Testing”
• “Cutting Edge”
Annual Enrollment for All: $1499
NovaInfosec.com Discount: $499
Free 30-Day Trial
http://bit.ly/grecshackerdeal
Where to Learn More
• Zeltser.com
– Malware Analysis Toolkit: http://zeltser.com/malware-analysis-toolkit/
– Intro to Malware Analysis: http://zeltser.com/reverse-malware/intro-to-malware-analysis.pdf
• Certifications: SANS GREM, EC-Council CHFI
• NIST: 800-94, 800-83, 800-61
• NovaInfosec
– Workshop Style? Here?
– Follow @grecs for announcement
Conclusion
• Introduction
• Environment
– Platform
– Automated
– Single Box - Analysis
– Dual Box – Fake Gateway
• Methodology
– Triage
– Dynamic Analysis
– Static Analysis
• Where to Learn More
– OpenSecurityTraining.info
– NovaInfosec/Hacker Academy
– Zeltser.com
• Conclusion
Questions?
• Presentation http://bit.ly/grecsnotacon
• Twitter @grecs
• Website NovaInfosec.com
• Contact http://bit.ly/nispcontact
• Hacker Academy http://bit.ly/grecshackerdeal

Watchtowers of the Internet - Source Boston 2012
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario Malicioso
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Open Anti-Cheat System (OACS)
Open Anti-Cheat System (OACS)Open Anti-Cheat System (OACS)
Open Anti-Cheat System (OACS)
 
ethical Hack
ethical Hackethical Hack
ethical Hack
 
Wm4
Wm4Wm4
Wm4
 
Wm4
Wm4Wm4
Wm4
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 

More from grecsl

Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015grecsl
 
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...grecsl
 
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...grecsl
 
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...grecsl
 
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...grecsl
 

More from grecsl (7)

Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
 
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
Defending the Enterprise with Evernote at SourceBoston on May 27, 2015
 
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
 
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
 
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
 
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
 

Recently uploaded

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

Malware Analysis: N00b to Ninja in 60 Mins

23. Agenda
• Introduction
• Environment
• Methodology
• Where to Learn More
• Conclusion

24. Introduction
WARNING!!! DO NOT ANALYZE MALWARE ON PRODUCTION SYSTEMS
• Security Analysts Looking to Expand Skills beyond Event Monitoring & Basic Analysis
• General Security Practitioners Interested in Getting Started in Malware Analysis

25. Introduction: What Is Malware Analysis
• The Analysis of Malware ;)
• Reverse Engineering Malware to Understand How It Works and What It Does
• Types
– Triage
– Dynamic Analysis
– Static Analysis
“Mastering 4 Stages of Malware Analysis” – Lenny Zeltser

26. Introduction: Triage
• Definition
– Quickie Analysis To Understand as Much as Possible about the Malware
• Goals
– Gain Gist of What Malware Is & What It Could Do
• What / How
– Determine Basic Running Properties / Automated Analysis
– See If Others Found It / Hash Search
– Analyze File Props (type, imports) / PE Examination
– Find Textual Clues of Activity (if packed) / Strings

27. Introduction: Triage
Is That Enough?

28. Introduction: Dynamic Analysis
• Definition
– Execute Malware & Watch What It Does
• Goals
– Acquire Understanding of How Malware Acts
• What / How
– Sense Host Changes / Registry, File, Log, … Monitoring
– Uncover Runtime Properties / Process Monitoring, Memory Analysis*
– Reveal Network Activity / TCP/UDP Monitoring (DNS, HTTP, HTTPS)

29. Introduction: Dynamic Analysis
• Process
– Establish Baseline of Environment
– Start Monitoring Applications & Execute Malware
– Monitor Activities & Stop Monitoring Applications
– Analyze Differences & Activity Recorded

30. Introduction: Dynamic Analysis
Is That Enough?

31. Introduction: Dynamic Analysis

32. Introduction: Static Analysis
• Definition
– Disassemble Malware Down to Computer Instructions
• Goals
– Reverse Engineer to Understand Exactly What It Does
(scale graphic: Easy to Hard)
34. Environment
• Platform
– Virtual
– Physical
• Options
– Automated
– Single Box
– Dual Box

35. Environment: Platform
• Virtual
– Efficient & Easy to Setup
– Snap-Shots to Revert Back To
– Malware Detecting VM & Terminating
– Note: Use Non-Host Connected Interface (host-only doesn’t count)
• Physical
– VM Detection Not Possible
– Resource Intensive

36. Environment: Options
• Automated
– Triage Analysis Performed in Automated Environment
– Emulates User Execution of & Interaction with Malware
– Collects Artifacts on Malware Activity
• Single Box
– Triage and/or Dynamic Analysis Performed on One Machine
– Potential Risk of Malware Sabotaging
• Dual Box
– Mitigates Some Sabotage Risk
– Gateway to Simulate a Network
– Realistic External View (ports open, network traffic)

37. Environment: Automated Analysis
• Online
– Malwr.com
– Norman Sandbox
– GFI Sandbox
– Anubis
– ThreatExpert.com
• In-House
– Commercial Products – e.g., Companies Above, FireEye
– Open Source – e.g., Cuckoo Sandbox, ZeroWine
– Minimum: Machine Loaded with Several AV Products
Pic here showing one online form

38. Environment: Automated Analysis
• Cuckoo Sandbox
– Automated Dynamic Analysis of Malware
– Data Captured
  • API Calls: Trace of Relevant Win32 API Calls Performed
  • Network Traffic: Dump of Traffic Generated During Analysis
  • Screenshots: Taken During Analysis
  • Files: Created, Deleted, and Downloaded by Malware
  • Assembly Instructions: Trace of Assembly Instructions Executed
– Setup
  • Can Be Frustrating
CuckooBox: http://cuckoobox.org/

40. Environment: Single Box
• Start with Base Unpatched Win XP SP2 Box in VMware
– Similar to First Set of Post-Install Instructions for Metasploit Unleashed
– Turn Off Automatic Updates
– Disable Alerts
• Where to Get
– eBay, NewEgg, etc.
– Win Eval OSs (prev vs)
– AWS (servers only)

41. Environment: Single Box
• Install Triage Analysis Tools
– Strings
  • Strings from Sysinternals (also strings2)
  • BinText from McAfee
– PeStudio
– FileInsight
  • Hex Editor & Analysis Tool by McAfee

42. Environment: Single Box
• Install Dynamic Analysis Tools
– Process Monitor
  • Exposes File System, Registry & Process Activity that Started During Malware Execution
– Process Explorer
  • Advanced Task Manager Replacement
  • Reveals Info about Handles/DLLs Processes Opened/Loaded
– WireShark (along with WinPCAP)
  • Sniffer to Capture Malware-Initiated Network Traffic
– RegShot
  • View Changes Malware Makes in the Registry/File System
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653
WireShark: https://www.wireshark.org/
RegShot: http://sourceforge.net/projects/regshot/

43. Environment: Single Box
• Install Dynamic Analysis Tools (cont)
– TCPView
  • Allows Detection of Malware-Initiated Network Connections
– FakeNet
  • Aids Dynamic Analysis of Malicious Software
  • Simulates Network so Malware Thinks It's Interacting with Remote Hosts
  • DNS, HTTP, SSL, Dummy Listener
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437
FakeNet: http://practicalmalwareanalysis.com/fakenet/

44. Environment: Single Box
• Install Static Analysis Tools
– OllyDbg with OllyDump Plugin
  • General Disassembler/Debugger for Windows Used to Analyze Malware in Assembly
  • Plugin to View Encrypted Malware When In Memory
– Specialized Tools
  • PDFs: Didier Stevens’s pdfid.py & pdf-parser.py
  • Flash: SWFTools
  • Others: Office, Java, JavaScript
OllyDbg: http://www.ollydbg.de/
OllyDump: http://www.openrce.org/downloads/details/108/OllyDump
Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/

45. Environment: Single Box - Others
• Other Ideas for Base Install or On-the-Fly
– Several AV Products
– Users of Various Permissions
– Malware Analysis Pack (FakeDNS, Right-Click Opts – MD5, strings, VT)
– CaptureBAT
• File Analysis Tools
– WinHex (restrictions under eval vs; priced high for hobbyist)
– 010 Editor (30 day eval; priced high for hobbyist)
– FileAlyzer (similar to PeStudio but different capabilities)
• Forensics
– FTK Imager Lite
– Autopsy/The Sleuth Kit
– DumpIt
– Volatility

46. Environment: Single Box
• Baseline
– Configure VM to “Host-Only” Mode Secluded Network
  • Temporarily Change to NAT to Download Malware
  • Write-Once Media (e.g., CDs)
  • USB Key with Physical Write-Protect Switch
    – Imation USB 2.0 Clip Flash Drive
    – Kanguru Flashblu 2
– Snapshot VM
• Rinse & Repeat
– Library of Different OSs at Various SPs (XP SP1, 2, & 3)

47. Environment: Dual Box – Fake Gateway Server
• Second Machine for Target to Connect To
– Additional Advantage of Examining Network Traffic without Possible Malware Sabotage
– Implement Linux Server in VMware & Configure to Be Default Route on Victim Machine
– Should Have Fixed IP Addresses
• Enable or Install Software that Provides Needed Services
– DNS: Configured to Return Fake Server's IP for All Queries
– HTTP
– IRC
– Others: DHCP, FTP, SSH
– Other Services Depending on Goal of Analysis

48. Environment: Dual Box – Fake Gateway Server
• Install Network Analysis Tools
– WireShark: Records Network Traffic from Victim
– Netcat: Start Needed Ad-Hoc Services
– Nmap: Scan for Open Ports External to Victim
• Snapshot Fake Server to Revert Back To
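The "DNS: return the fake server's IP for all queries" service from the fake-gateway slide, as an added example; it is not REMnux's, FakeNet's or the deck's code. It assumes the gateway's lab address is 10.0.0.1 (a placeholder), answers only A queries, and returns an empty NOERROR reply for any other record type so the victim still gets a well-formed response.

```python
"""Minimal fake DNS responder for an isolated malware lab (added example).

Every A query resolves to one fixed address, which is what the fake gateway
needs so the sample's call-outs land on the lab box instead of the Internet.
Runs on UDP/53 when executed directly; the packet functions work offline.
"""
import socket
import struct

FAKE_GATEWAY_IP = "10.0.0.1"  # placeholder: the fake gateway's own lab address


def parse_question(packet: bytes):
    """Return (transaction id, qname, qtype, offset after the question)."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    tid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not appear in plain queries
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return tid, ".".join(labels), qtype, pos + 4


def build_response(query: bytes, answer_ip: str = FAKE_GATEWAY_IP, ttl: int = 60) -> bytes:
    """Echo the question and attach one A record pointing at answer_ip."""
    tid, _qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    if qtype != 1:  # not an A query: NOERROR with zero answers
        return struct.pack("!HHHHHH", tid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = socket.inet_aton(answer_ip)
    # name is a pointer (0xC00C) back to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def build_query(qname: str, qtype: int = 1, tid: int = 0x1234) -> bytes:
    """Construct a query packet; used here only to build test input."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def answered_ip(response: bytes):
    """Read the A record address from a build_response() reply, or None."""
    _tid, _qname, _qtype, qend = parse_question(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    return socket.inet_ntoa(response[qend + 12:qend + 16])


def serve(bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Answer every query that reaches the lab gateway (needs root for port 53)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        query, client = sock.recvfrom(512)
        try:
            sock.sendto(build_response(query), client)
        except ValueError:
            continue  # malformed packet; drop it and keep serving


if __name__ == "__main__":
    serve()
```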
49. Environment: Dual Box – Fake Gateway Server
• REMnux
– Created by Lenny Zeltser
– ISO or Virtual Appliance
– Triage
  • Load Malware on & Analyze
  • Web-Based Malware (e.g., Malicious JavaScript, Java Programs, & Flash Files)
  • Malicious Documents (e.g., Microsoft Office & Adobe PDF files)
  • Utilities for Reversing Malware through Memory Forensics
– Dynamic Analysis
  • Emulate Network Services Used as Fake Gateway Server
  • Emulate Services in Isolated Lab Environment
  • Infects Another Laboratory System with Malware Sample
  • Directs Potentially-Malicious Connections to REMnux that's Listening on Appropriate Ports
REMnux: http://zeltser.com/remnux/ (v4)

50. Environment: Dual Box – Fake Gateway Server

51. Environment: Malware Sources – To Learn With+
• PracticalMalwareAnalysis.com/labs
• ContagioDump.blogspot.com
• VirusShare.com (request invite)
• Malwr.com (if select share)
53. Methodology
1. Triage
2. Dynamic Analysis
3. Static Analysis

54. Methodology: 1. Triage Checklist
a. Run through External/Internal Sandbox Services for QnD Results
  • Goals: Rough Understanding of Malware Activities
  • Tools: Cuckoo, Malwr.com, Norman, GFI Sandbox, Anubis, ThreatExpert.com
b. MD5 Hash Comparison (can run live if possible)
  • Goals: When Compiled, Packed or Obfuscated
  • Tools: VirusTotal.com, PeStudio, Google Hash
c. Determine Real File Type
  • UNIX “file” Command and/or TrID
  • Open in FileInsight & Look for Magic Numbers: Win Exe (MZ), PDF (%PDF), ZIP (PK), … (more at Wikipedia)
d. Analyze Imports
  • Goals: Discover Interesting Libs Malware May Be Importing (networking APIs for non-networking app)
  • Tools: PeStudio, PEView
e. Extract Readable Strings
  • Goals: Discover Interesting Data Points like Host Name & IP Addresses
  • Tools: strings, strings2
f. Unpack If Needed
  • Tools: OllyDump, PE Explorer (UPX built-in)
g. Specialized Tools
  • E.g., pdfid.py, pdf-parser.py, SWFTools
MASTIFF: Open Source Linux Tool Automates Much of Above (on REMnux v4)
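Steps b, c and e of the triage checklist (hashes, real file type by magic number, readable strings with the host/IP clues the slide asks for) as an added Python example; it is not the deck's, MASTIFF's or the strings tool's code. The sample bytes, the domain and IP values and the list of networking API names are constructed for the demonstration, and a string hit on an API name is only a cue for step d, not a parse of the import table.

```python
"""Quick triage over one file's bytes: hash it, identify it, pull strings (added example)."""
import hashlib
import re
import string

# Magic numbers from the checklist: Win EXE (MZ), PDF (%PDF), ZIP (PK).
MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
]

# Networking API names; seeing them in a "non-networking" app is the step-d cue.
# Constructed list; PeStudio/PEView on the real import table is the authority.
NET_APIS = {
    "WSAStartup", "connect", "send", "recv", "gethostbyname",
    "InternetOpenA", "InternetOpenUrlA", "HttpSendRequestA", "URLDownloadToFileA",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|cn|io)\b", re.IGNORECASE)

# Constructed stand-in for a sample: an MZ header followed by a few embedded strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"WSAStartup\x00InternetOpenA\x00"
    + b"http://update.example.test/cfg.bin\x00"
    + b"198.51.100.23\x00updates.example.com\x00\x01\x02ab\x00"
)


def file_hashes(data: bytes) -> dict:
    """Step b: hashes to look up on VirusTotal or in a search engine."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def real_file_type(data: bytes) -> str:
    """Step c: trust the magic number, never the extension."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Step e: runs of printable ASCII at least min_len long (like strings/strings2)."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found, run = [], bytearray()
    for byte in data + b"\x00":  # trailing sentinel flushes the last run
        if byte in printable:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def _valid_ip(text: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def indicators(strings: list) -> dict:
    """Flag IPs, URLs, host names and networking API names among the strings."""
    hits = {"ips": [], "urls": [], "hosts": [], "net_apis": []}
    for s in strings:
        if s in NET_APIS:
            hits["net_apis"].append(s)
        urls = URL_RE.findall(s)
        hits["urls"].extend(urls)
        hits["ips"].extend(ip for ip in IP_RE.findall(s) if _valid_ip(ip))
        if not urls:  # a host inside a URL is already reported via the URL hit
            hits["hosts"].extend(HOST_RE.findall(s))
    return hits


def triage(data: bytes) -> dict:
    """Run steps b, c and e of the checklist over one blob of bytes."""
    strings = extract_strings(data)
    return {"hashes": file_hashes(data), "file_type": real_file_type(data),
            "strings": strings, "indicators": indicators(strings)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["file_type"], report["hashes"]["sha256"])
    for key, values in report["indicators"].items():
        print(f"{key}: {values}")
```

A packed sample yields few meaningful strings, which is the checklist's own cue to move on to step f before trusting this output.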
55. Methodology: 2. Dynamic Analysis Checklist
a. Establish Baseline of Environment
  • Add Target Software: Reader, Java, Flash, browsers (OldVersion.com / OldApps.com)
  • Disable Windows Firewall
  • Create Snapshot if Testing Multiple Times
b. Start Monitoring Apps & Execute Malware
  • Take RegShot & Start WireShark, Process Monitor, Process Explorer, FakeNet & TCPView
  • Monitors File and Registry Access, Network Traffic, Process Creation, etc.
  • Execute Malware & Let It Run for 15 Minutes or Until Activity Dies Down
c. Monitor Activities & Stop Monitoring Applications
  • Watch WireShark, Process Monitor, & TCPView for Anything Interesting
  • Take Second RegShot & Stop WireShark, Process Monitor, FakeNet
d. Analyze Differences & Activity Recorded
  • Compare Initial & Final RegShots
  • Review All Monitoring Tool Logs
RegShot: Set Scan dir1 option to c:

56. Methodology: 2. Dynamic Analysis (Setup)
Be Careful

57. Methodology: 2. Dynamic Analysis (Regshot & Wireshark)
(screenshots; callouts b-1, b-2, b-3)

58. Methodology: 2. Dynamic Analysis (Process Monitor)
(screenshots; callouts b-4, b-5, b-6)

59. Methodology: 2. Dynamic Analysis (Process Explorer)
b-7. Just Start

60. Methodology: 2. Dynamic Analysis (FakeNet)
b-8. Just Start

61. Methodology: 2. Dynamic Analysis (TCPView)
b-9. Just Start

62. Methodology: 2. Dynamic Analysis (Execute Malware)
b-10. Execute Malware
• Double-Click EXE
• Rundll32.exe DLLName, Export arguments
– PE Explorer to Discover Export arguments
– E.g., rundll32.exe rip.dll, Install
• Visit Website
c-1. Just Monitor
• Watch All Monitoring Tools & Stop When Activity Dies Down

63. Methodology: 2. Dynamic Analysis (Spin Down)
(screenshots; callouts c-2, c-3, c-4)

66. Methodology: 2. Dynamic Analysis (Analysis)
c-7. Save Logs for Future Reference
d. Compare Initial & Final RegShots & Review All Monitoring Tool Logs
  • 67. Methodology 3. Static Analysis • Use OllyDbg or IDA Pro to Disassemble & Analyze Deobfuscated Malware  Just Stare at It  ...  Stare Some More  ...  And Some More Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs, a. b. c. d. e.
  • 68. Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 69. Where to Learn More OpenSecurityTraining.info
  • 70. Where to Learn More • OpenSecurityTraining.info – “Reverse Engineering Malware” • Matt Briggs & Frank Poz • “Practical Malware Analysis” by M. Sikorski/A. Honig • http://opensecuritytraining.info/ReverseEngineeringM alware.html
  • 71. Where to Learn More • Hacker Academy – “Reverse Engineering” • Foundation RE Material & Concepts • Covers Many Malware Analysis Tech & Tools – PE File Format – Packers & Unpackers – Ollydbg – Digital Forensics – Other Classes • “Ethical Hacking” • “Penetration Testing” • “Cutting Edge” Annual Enrollment for All: $1499 NovaInfosec.com Discount: $499 Free 30-Day Trial http://bit.ly/grecshackerdeal
  • 72. Where to Learn More • Zeltser.com – Malware Analysis Toolkit: http://zeltser.com/malware-analysis- toolkit/ – Intro to Malware Analysis: http://zeltser.com/reverse- malware/intro-to-malware-analysis.pdf • Certifications: SANS GREM, EC-Council CHFI • NIST: 800-94, 800-83, 800-61 • NovaInfosec – Workshop Style? Here? – Follow @grecs for announcement
  • 73. Conclusion • Introduction • Environment – Platform – Automated – Single Box - Analysis – Dual Box – Fake Gateway • Methodology – Triage – Dynamic Analysis – Static Analysis • Where to Learn More – OpenSecurityTraining.info – NovaInfosec/Hacker Academy – Zeltser.com • Conclusion Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,
  • 74. Questions? • Presentation http://bit.ly/grecsnotacon • Twitter @grecs • Website NovaInfosec.com • Contact http://bit.ly/nispcontact • Hacker Academy http://bit.ly/grecshackerdeal