
Malware Analysis as a Hobby - 44CON 2012

44CON
September 06, 2012


Michael Boman and Siavosh Zarrasvand present Malware Analysis as a Hobby at 44CON 2012 in London, September 2012.


Transcript

  1. Malware Analysis as a Hobby
     Michael Boman - Security Consultant/Researcher, Father of 5
     Siavosh Zarrasvand - Security Consultant/Researcher, Searching
  2. Drawbacks
     • Time consuming
     • Boring in the long run (not all malware is created equal)
  3. Choose any two? Why not all of them? (Cheap / Fast / Good)
     • I can do it cheaply (hardware and license cost-wise). Human time not included.
     • I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
     • I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings.
  4. Sample Acquisition
     • Public & Private Collections
     • Exchange with other malware analysts
     • Finding and collecting malware yourself
       • Download files from the web
       • Grab attachments from email
       • Feed BrowserSpider with links from your SPAM folder
  5. BrowserSpider
     • Written in Python
     • Uses the Selenium framework to control REAL browsers
     • Flash, PDFs, Java applets etc. execute as per normal
     • All the browser bugs exist for real
     • Spiders and follows all links seen
  6. A day's work for a Cuckoo
     Fetch a task -> Prepare the analysis -> Launch analyzer in virtual machine -> Execute an analysis package -> Complete the analysis -> Store the result -> Process and create reports
  7. Sample Reporting
     • Results are stored in MongoDB (optional, highly recommended)
     • Accessed using an analyst GUI
  8. Problems
     • VM or Sandbox detection
     • The guest OS might not be sufficient
     • Any multistage attack
  9. Iterating automation
     Sort out clearly non-malicious and obviously malicious samples -> Divide the samples into categories -> Do brief static analysis
     Outcome: Known Good / Known Bad / Unknown
  10. Iterating automation
     Sort out clearly non-malicious and obviously malicious samples -> Divide the samples into categories -> Do brief static analysis
     Why a run stays Unknown:
     • Does not do anything
     • Detects environment
     • Encrypted segments
     • Failed execution
  11. Iterating automation
     Sort out clearly non-malicious and obviously malicious samples -> Divide the samples into categories -> Do brief static analysis
     Next iteration for Unknown samples:
     • Run longer
     • Environment customization
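The triage loop on slides 9-11 (known good / known bad / unknown, then the reasons a run stays unknown and the next iteration) as an added example; this is not code from the talk or from Cuckoo. It assumes a flat per-run record with hash, exit status, API call list, signature names and raw section bytes (all constructed here), uses Shannon entropy as the "brief static analysis" for encrypted segments, and the mapping of slide 10's problems to slide 11's remedies is the editor's assumption.

```python
import math
from collections import Counter

# Constructed hash sets (placeholder digests, not real indicators).
KNOWN_GOOD = {"PLACEHOLDER_SHA256_KNOWN_GOOD"}
KNOWN_BAD = {"PLACEHOLDER_SHA256_KNOWN_BAD"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed/encrypted data approaches 8.0, plain code sits well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(report: dict) -> tuple:
    """Return (category, reasons, next_step) for one sandbox run."""
    if report["sha256"] in KNOWN_GOOD:
        return ("known good", [], "archive")
    if report["sha256"] in KNOWN_BAD:
        return ("known bad", [], "archive")
    reasons = []
    if report["exit_status"] != 0:
        reasons.append("failed execution")
    if not report["api_calls"]:
        reasons.append("does not do anything")
    # Assumed signature naming: Cuckoo-style antivm_* / antisandbox_* names.
    if any(s.startswith(("antivm", "antisandbox")) for s in report["signatures"]):
        reasons.append("detects environment")
    if any(shannon_entropy(b) > 7.0 for _, b in report["sections"]):
        reasons.append("encrypted segments")
    if not reasons:
        return ("unknown", [], "manual analysis")
    # Assumed mapping: environment problems -> customize; silence/packing -> run longer.
    if "detects environment" in reasons or "failed execution" in reasons:
        return ("unknown", reasons, "environment customization")
    return ("unknown", reasons, "run longer")


# Constructed sample records (shape is illustrative, not real sandbox output).
CODE = b"\x55\x8b\xec" * 40  # low-entropy stand-in for a .text section
SAMPLE_REPORTS = [
    {"sha256": "PLACEHOLDER_SHA256_KNOWN_BAD", "exit_status": 0,
     "api_calls": ["CreateFileW"], "signatures": [], "sections": [(".text", CODE)]},
    {"sha256": "constructed-01", "exit_status": 0, "api_calls": [],
     "signatures": ["antivm_vmware_keys"], "sections": [(".text", CODE)]},
    {"sha256": "constructed-02", "exit_status": 0, "api_calls": [],
     "signatures": [], "sections": [(".data", bytes(range(256)) * 4)]},
    {"sha256": "constructed-03", "exit_status": 1, "api_calls": ["LoadLibraryW"],
     "signatures": [], "sections": [(".text", CODE)]},
]
```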
  12. Budget
     • Computer: €520
     • MSDN License: €800 (€590 renewal)
     • Year 1: €1320
     • Year N: €590
     • Money saved from stopped smoking (yearly): €2040
  13. Next steps
     • Barebone on-the-iron malware analysis
     • Android platform support
     • OSX platform support
     • iOS platform support