Reversing & malware analysis training part 9 advanced malware analysis
Uploaded by prakashchandra-suthar. Category: Education.
Agenda
1. Intro and Recent Malware Attack
2. Malware Analysis & Types
3. Make Your Own Malware Analysis Toolkit
Malware?
• Generally – Any code that performs evil…
• Today – Executable content with unknown functionality that is resident on a system of investigative interest
• Virus
• Worms
• Spyware
• Adware
• Rootkits
Analyzing Malware
• Why Analyze Malware?
– To assess damage
– To discover indicators of compromise
– To identify vulnerability
– To catch the “Bad Guy”
– To answer questions…
Attacks in Synerzip
• 2007 – DNS hacked
• 2008 – FTP server hacked
• 2010 – DDoS on the DNY network
• 2011 – DoS attack on DNS server
– False DoS attack on firewall due to Quickoffice Connect application bug
• 2013 – Router hacked @ DNY, ZeroAccess botnet
• 2014 – Zimbra VLAN MITM
• Note – No network is 100% secure, but we can make things difficult for the hackers
What is Cryptolocker?
• Began September 2013
• Encrypts victim’s files, asks for $300 ransom
• Impossible to recover files without a key
• Ransom increases after deadline
• Goal is monetary via Bitcoin
• 250,000+ victims worldwide (according to Secureworks)
NightHunter – Name explained
NightHunter, because of its use of SMTP (email) for data exfiltration. Email is often overlooked, so it can be a more stealthy way of data theft, akin to hunting at night.
NightHunter Infections To Date
There are at least 1,800 unique infections.
Number of unique infections per email server (chart):
• 3OWL – 1000
• Ieindia – 350
• Drmike – 200
• Hanco – 150
• Gmail – 100*
• Comcast – 60
NightHunter Delivery
Email subject/attachment names:
• Jobs List
• Inquiry
• Order
• PO
• Purchase Order
• Payment Slip
• Reconfirm Pls
• Remittance Payment Slip
• WireSlip
Capabilities
• Download malware updates via peer-to-peer protocol (ports 16464, 16465, 16470 and 16471)
• Deploy a rootkit to avoid detection
• Disable Anti-Virus and Anti-Malware software
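The two indicator lists above (the NightHunter lure subjects and the peer-to-peer update ports) are the kind of thing a defender turns into detection logic. The following script is an added example, not part of the training deck: it takes the subjects and ports exactly as listed on the slides and runs them over constructed mail-gateway and firewall log lines. The log formats, hostnames and addresses are hypothetical; only the subjects and port numbers come from the slides.

```python
import re

# Indicators copied from the slides. Everything else in this file is constructed.
NIGHTHUNTER_SUBJECTS = {
    "jobs list", "inquiry", "order", "po", "purchase order",
    "payment slip", "reconfirm pls", "remittance payment slip", "wireslip",
}
P2P_UPDATE_PORTS = {16464, 16465, 16470, 16471}

# Constructed mail-gateway log (hypothetical key=value format)
MAIL_LOG = """\
ts=2014-03-02T08:11:04 from=accounts@supplier.invalid to=ap@corp.invalid subject="Purchase Order" attach=PO_4471.zip
ts=2014-03-02T08:12:37 from=hr@corp.invalid to=all@corp.invalid subject="Team lunch Friday" attach=-
ts=2014-03-02T08:14:52 from=billing@bank.invalid to=cfo@corp.invalid subject="Remittance Payment Slip" attach=slip.exe
ts=2014-03-02T08:20:01 from=it@corp.invalid to=dev@corp.invalid subject="Order of operations for deploy" attach=-
"""

# Constructed firewall log (hypothetical format)
FW_LOG = """\
2014-03-02 09:01:10 ALLOW UDP 10.0.5.23:51234 -> 203.0.113.77:16464
2014-03-02 09:01:11 ALLOW TCP 10.0.5.23:51235 -> 198.51.100.10:443
2014-03-02 09:01:15 ALLOW TCP 10.0.5.40:49820 -> 203.0.113.78:16471
2014-03-02 09:01:20 ALLOW UDP 10.0.5.23:51236 -> 198.51.100.53:53
"""

MAIL_RE = re.compile(r'subject="(?P<subject>[^"]*)".*?attach=(?P<attach>\S+)')
FW_RE = re.compile(r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def suspicious_mail(lines: str) -> list:
    """Messages whose subject exactly matches a NightHunter lure (case-insensitive)."""
    hits = []
    for line in lines.splitlines():
        m = MAIL_RE.search(line)
        if not m:
            continue
        if m.group("subject").strip().lower() in NIGHTHUNTER_SUBJECTS:
            hits.append({"subject": m.group("subject"), "attach": m.group("attach")})
    return hits


def p2p_port_hits(lines: str) -> list:
    """(src, dst, dport) for every flow whose destination port is a P2P update port."""
    hits = []
    for line in lines.splitlines():
        m = FW_RE.search(line)
        if m and int(m.group("dport")) in P2P_UPDATE_PORTS:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def hosts_to_triage(fw_lines: str) -> list:
    """Internal hosts seen talking to the P2P ports: candidates for memory and rootkit inspection."""
    return sorted({src for src, _, _ in p2p_port_hits(fw_lines)})


if __name__ == "__main__":
    for hit in suspicious_mail(MAIL_LOG):
        print("lure subject:", hit)
    print("hosts to triage:", hosts_to_triage(FW_LOG))
```

The subject check is deliberately an exact match, so "Order of operations for deploy" is not flagged while "Order" would be; a looser rule (subject plus an executable or archive attachment) trades false positives for coverage of lure variants. The port rule is only a trigger: a host hitting 16464/16471 is a reason to pull it into the lab for the rootkit and anti-virus-tampering checks the next slides describe, not a verdict.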
Index
• File hashing
• File type identification
• Packer/Compiler identification
• Entropy analysis
• Strings
• PE header analysis
• Verify signature
• Disassemble
• PDF shellcode analysis
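The first six items of that static-analysis checklist can be scripted as a triage pass before any disassembly. The script below is an added example, not material from the deck: it hashes a file, identifies its type from magic bytes, reads the PE signature and IMAGE_FILE_HEADER fields, measures Shannon entropy as a packing indicator, and pulls printable strings. The sample it runs on is a constructed, minimal PE-like byte image assembled inline (not a real executable), so the example runs offline; the 7.0-bit entropy threshold is a common rule of thumb, not a value from the slides, and packer signature databases are not reproduced here.

```python
import hashlib
import math
import re
import struct


# Constructed sample: a minimal PE-like byte image. Only the header fields read below
# (MZ magic, e_lfanew, PE signature, Machine, NumberOfSections) are meaningful.
def build_sample_pe() -> bytes:
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)          # e_lfanew: PE header at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - 64, b"\0")
    # IMAGE_FILE_HEADER: Machine=0x014c (i386), NumberOfSections=2, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    body = (b"\0" * 32 + b"http://update.example.invalid/cfg\0"
            + b"CreateRemoteThread\0" + b"\0" * 64)
    return bytes(dos_header) + stub + b"PE\0\0" + file_header + body


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256, the identifiers used to look a sample up in threat intel."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_signature_offset(data: bytes):
    """Offset of 'PE\\0\\0' if the MZ header's e_lfanew points at one, else None."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return e_lfanew
    return None


def identify_type(data: bytes) -> str:
    """Magic-byte identification; never trust the file extension."""
    if data.startswith(b"MZ"):
        return "PE executable" if pe_signature_offset(data) is not None else "DOS/MZ (no PE header)"
    if data.startswith(b"%PDF"):
        return "PDF document"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP container (Office/JAR/APK...)"
    if data.startswith(b"\x7fELF"):
        return "ELF executable"
    return "unknown"


def pe_header_summary(data: bytes) -> dict:
    """Machine and section count from IMAGE_FILE_HEADER, which follows the PE signature."""
    off = pe_signature_offset(data)
    if off is None:
        raise ValueError("not a PE file")
    machine, nsections = struct.unpack_from("<HH", data, off + 4)
    return {"machine": hex(machine), "sections": nsections}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 suggests packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs, like the strings utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    report = {
        "type": identify_type(data),
        "hashes": file_hashes(data),
        "entropy": round(shannon_entropy(data), 2),
        "strings": extract_strings(data),
    }
    report["likely_packed"] = report["entropy"] > 7.0   # rule-of-thumb threshold
    if pe_signature_offset(data) is not None:
        report["pe"] = pe_header_summary(data)
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real sample the interesting output is the strings list (URLs, API names such as CreateRemoteThread, registry paths) and whether entropy is high enough that strings and PE header analysis will only be useful after unpacking.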
Dynamic (Behavioral) Analysis
• Static Analysis will reveal some immediate information
• Exhaustive static analysis could theoretically answer any question, but it is slow and hard
• Usually you care more about “what” malware is doing than “how” it is being accomplished
• Dynamic analysis is conducted by observing and manipulating malware as it runs
System Monitoring
• What we are after:
– Registry activity
– File activity
– Process activity
– Network traffic
Step 1: Allocate physical or virtual systems for the analysis lab
• Virtualization software options include:
– VMware Server
– Windows Virtual PC
– Microsoft Virtual Server
– VirtualBox
Step 2: Isolate laboratory systems from the production environment
• Separate the laboratory network from production using a firewall
• Don't connect laboratory and production networks at all
• Use removable media to bring tools and malware into the lab
• Don't use the physical machine that's hosting your virtualized lab for any other purpose.
Step 3: Install behavioral analysis tools
• File system and registry monitoring:
– Process Monitor
– Capture BAT
• Process monitoring:
– Process Explorer
– Process Hacker
• Network monitoring:
– Wireshark
– SmartSniff
• Change detection:
– Regshot
Step 4: Install code-analysis tools
• Disassembler and debugger:
– OllyDbg / Immunity Debugger
– IDA Pro
• Memory dumper:
– LordPE
– OllyDump
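The change-detection tool in Step 3 (Regshot) works by taking a snapshot before the sample runs, another after, and diffing the two. The script below is an added example that is not part of the deck and not Regshot's code: it implements the same before/after comparison for the file system (Regshot additionally covers the registry, which this portable script does not touch). The scenario it runs is constructed in a temporary directory that stands in for the lab VM's disk, with the "sample's" file activity simulated by ordinary writes and a delete.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each regular file under root (forward-slash relative path) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Regshot-style comparison: what appeared, vanished, or changed between two shots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def _write(path: str, data: bytes, mode: str = "wb") -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)


def demo() -> dict:
    # Constructed scenario: first shot, simulated sample activity, second shot, diff.
    with tempfile.TemporaryDirectory() as lab:
        _write(os.path.join(lab, "hosts"), b"127.0.0.1 localhost\n")
        _write(os.path.join(lab, "Windows", "System32", "drivers.txt"), b"ok\n")
        before = snapshot(lab)
        # Simulated changes "made by the sample": hosts file edited, a DLL dropped, a file deleted
        _write(os.path.join(lab, "hosts"), b"0.0.0.0 av-update.example.invalid\n", "ab")
        _write(os.path.join(lab, "Windows", "System32", "svchost_helper.dll"), b"MZ" + b"\0" * 30)
        os.remove(os.path.join(lab, "Windows", "System32", "drivers.txt"))
        after = snapshot(lab)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing content rather than comparing timestamps is what makes the diff reliable: a sample that rewrites a file and restores its mtime still shows up as modified. In a real lab the two snapshots are taken on the clean VM and again after the sample has run, and the "added" list is where dropped payloads and persistence artefacts appear.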