Analyzing Malware with REMnux

"This talk will outline how one can more efficiently and effectively perform their malware analysis by focusing on resources such as REMnux. While the topic's scope can be quite large, the focus will be mainly on analyzing Portable Executable (PE) files. We'll see how to identify what the file in question is to ascertain that it is a PE file and then dive into how one can perform file analysis in an automated fashion as well as use some manual methods. With the automated methods, we will look at some simple scripting that the analyst can do and touch on what's currently included in the tools so the analyst can fully understand what the tools do and how they can be altered to fit their needs."
http://www.nyc4sec.info/events/54791592/?eventId=54791592

hiddenillusion

June 11, 2012

Transcript

  1. Analyzing Malware with REMnux
     Glenn P. Edwards Jr., Senior Consultant
     Incident Response & Digital Forensic Practice, Foundstone Professional Services

  2. www.foundstone.com Copyright © 2012, McAfee, Inc.
     # whoami
     Glenn P. Edwards Jr.
     ▪ Have some fancy letters after my name
       – M.S. in Digital Forensics, University of Central Florida
       – B.S. in Information Security & Privacy, High Point University
       – GREM, GCIH, GCFA (yada yada…)
     ▪ Started to come out of the shadows…
       – @hiddenillusion
       – hiddenillusion.blogspot.com
       – blog.opensecurityresearch.com
       … you get the point
     # id
     uid=0(Senior Consultant) gid=0(Foundstone) groups=0(IR Practice)

  3. REMnux
     ▪ Around since 2010
     ▪ VM based or ISO
     ▪ Current v3 is based on Ubuntu 11.10
     ▪ Full of goodies
       – ~remnux/.bash_aliases
       – /usr/local/bin/
       – /usr/bin/
     http://zeltser.com/remnux/
     http://zeltser.com/remnux/remnux-malware-analysis-tips.html
     $ man REMnux

  4. REMnux
     $ sudo find / -group goodies -exec basename {} \;
     wireshark honeyd fakedns fakemail inetsim netcat NetworkMiner tcpdump trid file 7z clamscan pescanner pyew upx packerid volatility strings hachoir-metadata hachoir-subfile jd-gui js-beautify pdnstool swf_mastah flashbug pdfextract pdfid pdf-parser pdfxray_lite peepdf vbindiff ssdeep md5deep hashdeep sha1sum bytehist pyew radare icat ils sorter swfdump swfextract srch_strings yara rhino burpsuite Xorsearch origami

  5. REMnux ► File Analysis
     ▪ strings
     ▪ srch_strings
     ▪ hachoir-subfile
     ▪ pyew
     ▪ pescanner

  6. REMnux
     ▪ INetSIM
       – /etc/inetsim/inetsim.conf
         – #service_bind_address 10.10.10.1
         – #dns_default_ip 10.10.10.1
       – Sample of services …
         – HTTP / HTTPS
         – SMTP / SMTPS
         – POP3 / POP3S
         – DNS
         – FTP / FTPS
         – TFTP
         – IRC
         – NTP
         – Ident
         – Finger
         – Syslog
     $ man INetSIM
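The automated "is this really a PE file?" step that the abstract and slide 5 describe, as an added example (not code from the talk or from REMnux): a Python check that walks the MZ header to the PE signature and COFF header, and reports an out-of-range e_lfanew as a malformed sample instead of crashing. The sample bytes are constructed, and `identify_pe` and `build_sample` are names assumed here.

```python
#!/usr/bin/env python3
"""Minimal PE identification an analyst can script before handing a sample
to pescanner or pyew. Added example; not REMnux or Foundstone code."""
import struct
import sys

# IMAGE_FILE_MACHINE values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def identify_pe(data: bytes) -> dict:
    """Return a dict describing whether `data` is a PE image and why.

    Chain checked: 'MZ' magic -> e_lfanew at 0x3C -> 'PE\\0\\0' -> COFF header.
    A truncated or deliberately malformed file fails with a reason rather
    than an IndexError, so the check is safe to run over a whole directory.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ header"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte signature plus 20-byte COFF header must fit inside the buffer.
    if e_lfanew + 24 > len(data):
        return {"is_pe": False, "reason": "e_lfanew points past end of file"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "MZ stub without PE signature"}
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "is_pe": True,
        "reason": "ok",
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "is_exe": bool(chars & 0x0002),   # IMAGE_FILE_EXECUTABLE_IMAGE
        "is_dll": bool(chars & 0x2000),   # IMAGE_FILE_DLL
        "optional_header_size": opt_size,
    }


def build_sample() -> bytes:
    """Constructed minimal MZ + PE header (not a real binary) for offline use."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x4FD5B2C0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample()
    print(identify_pe(blob))
```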