
Malware Analysis 101


Tips and tricks for incident response / forensics of malicious binaries.

Includes links to resources such as REMnux by Lenny Zeltser, and leverages open-source projects where possible.

Benjamin Scott

July 25, 2012

Transcript

  1. Impetus
     • Usually malware violates the Confidentiality of financial information or trade secrets
     • Malware can damage the Integrity of logs, valuable data, and possibly physical systems
     • A network of infected machines can prevent Availability of web sites via Distributed Denial of Service
  2. Example Intrusion
     (diagram; labels only) Bad Guy → Generate trojan → Trojanized document → Deliver to victim → Victim Network → Malware → Control infected systems / Transfer stolen data
  3. Examination methods
     • Dynamic analysis
       ◦ Record malware behavior
       ◦ Sift through results
       ◦ Cheap, fast
     • Reverse Code Engineering
       ◦ Deep surgery on malware code
       ◦ Access to underlying source code
       ◦ Expensive, time-consuming
     Further information about malware RCE: SANS 'Reverse Engineering Malware' Course: http://zeltser.com/reverse-malware/malware-analysis-webcast.html
  4. Dynamic analysis
     • Avoid accidental infection
       ◦ Isolate from Internet
       ◦ Unix-based host machine
       ◦ Encrypt live malware
     • Host logging on Infected VM
       ◦ CaptureBAT will grab any modified files
       ◦ Process Monitor lists system API calls
       ◦ Process Hacker shows process info
     • Network logging on Analysis VM
       ◦ Wireshark shows packets in a nice GUI
       ◦ tcpdump is a command-line packet capture tool
       ◦ inetsim will emulate a network
     http://zeltser.com/malware-analysis-toolkit/
     (diagram; labels only) Virtual Environment: Infected VM, Analysis VM, Emulated network
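The "record, then sift" loop on this slide is easiest to see on a Process Monitor CSV export. The script below is an added example, not part of the deck: it feeds a constructed procmon-style export (the rows are made up, not a real capture) through a small triage pass that pulls out Run-key persistence, file writes into common drop directories, and outbound TCP/UDP activity for one process of interest.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (header plus five rows).
# These rows are invented for illustration, not taken from a real capture.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Local\\Temp\\svchost.exe"
"10:01:03.0","sample.exe","1234","TCP Connect","LAB-PC:49152 -> 10.0.0.5:80","SUCCESS","Length: 0"
"10:01:03.5","explorer.exe","812","RegQueryValue","HKCU\\Software\\Classes\\CLSID","SUCCESS","Type: REG_SZ"
"10:01:04.0","sample.exe","1234","CreateFile","C:\\Windows\\System32\\drivers\\etc\\hosts","SUCCESS","Desired Access: Generic Write"
"""

# Autostart locations and directories that dropped files commonly land in.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
DROP_DIRS = re.compile(r"\\(Temp|AppData|ProgramData|Windows)\\", re.IGNORECASE)


def sift_procmon(csv_text, process_name):
    """Return (kind, path) pairs for the behaviours worth a closer look:
    persistence via Run keys, file writes into drop directories, and
    outbound network activity. Only rows from `process_name` are examined,
    which keeps the background noise of other processes out of the result."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue" and RUN_KEY.search(path):
            findings.append(("persistence", path))
        elif op == "CreateFile" and "Generic Write" in detail and DROP_DIRS.search(path):
            findings.append(("file_write", path))
        elif op.startswith(("TCP ", "UDP ")):
            findings.append(("network", path))
    return findings


if __name__ == "__main__":
    for kind, path in sift_procmon(PROCMON_CSV, "sample.exe"):
        print(f"{kind:12} {path}")
```

To use it on a real run, export from Process Monitor as CSV and pass the file contents in place of the constructed string.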
  5. Giving back to the community
     • Share your data:
       ◦ Make blog posts
       ◦ Publish through your university
       ◦ Present at conferences
       ◦ Get on community forums and mailing lists
     • What to share:
       ◦ Technical writeups
       ◦ IP/ASN/domain names
       ◦ Dynamic analysis logs
       ◦ IDA database (.idb)
       ◦ Snort signatures
       ◦ Malware author fingerprints
  6. Writeups
     • Michael Hale Ligh: http://mnin.blogspot.com/
     • Mila's malware dump: http://contagiodump.blogspot.com/
     • Didier Stevens' PDF tools: http://blog.didierstevens.com/
     • Brandon Dixon's tools: http://blog.9bplus.com/
     • Norman Sandbox's malware analysis: http://blogs.norman.com/
     • Harlan Carvey's Windows forensics: http://windowsir.blogspot.com/
     • http://www.reddit.com/r/ReverseEngineering/
     • http://www.woodmann.com/forum/forum.php
  7. Virtualization Environment
     • Malware analysis virtual machine: FREE http://zeltser.com/remnux/
     • "Malware Analyst's Cookbook": $40 http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033
     • Memory Analysis: FREE https://www.volatilesystems.com/default/volatility https://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py
     • VMware Workstation: $200 http://www.vmware.com/products/workstation/
     • Extra copies of Windows: FREE from your school
  8. Great tools
     • Disassemblers:
       ◦ IDA Pro Free Edition (5.0) [GUI] http://www.hex-rays.com/products/ida/support/download_freeware.shtml
       ◦ Radare [command line] http://radare.org/y/
     • Process Debugging:
       ◦ OllyDbg http://www.ollydbg.de/odbg110.zip
       ◦ Immunity Debugger http://www.immunitysec.com/products-immdbg.shtml
  9. Free training!
     • Introduction to malware analysis from Lenny Zeltser: http://zeltser.com/reverse-malware/malware-analysis-webcast.html http://zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html
     • Highly technical open-source classes: http://www.opensecuritytraining.info/Training.html
     • Crimeware and targeted malware samples: http://contagiodump.blogspot.com/2010/11/links-and-resources-for-malware-samples.html
     • Reverse engineering tutorials, focused on cracking: http://tuts4you.com/download.php?view.2876
     • Challenges: http://www.phreedom.org/blog/2010/csaw-reversing-challenge/