Malware Analysis as a Hobby
![Page 1: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/1.jpg)
Malware Analysis as a Hobby
Michael Boman - Security Consultant/Researcher, Father of 5
Siavosh Zarrasvand – Security Consultant/Researcher, Searching
![Page 2: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/2.jpg)
Why the strange hobby?
![Page 3: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/3.jpg)
The manual way
![Page 4: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/4.jpg)
Drawbacks
Time consuming
Boring in the long run (not all malware is created equal)
![Page 5: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/5.jpg)
Choose any two…
Cheap
Fast
Good
![Page 6: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/6.jpg)
Choose any two? Why not all of them?
I can do it cheaply (hardware and license cost-wise). Human time not included.
I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings.
Cheap
Fast
Good
![Page 7: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/7.jpg)
Automate
Engineer yourself out of the workflow
Automate everything!
![Page 8: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/8.jpg)
Birth of the MART Project
Malware Analyst Research Toolkit
![Page 9: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/9.jpg)
Components
![Page 10: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/10.jpg)
![Page 11: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/11.jpg)
Sample Acquisition
• Public & private collections
• Exchange with other malware analysts
• Finding and collecting malware yourself
• Download files from the web
• Grab attachments from email
• Feed BrowserSpider with links from your SPAM folder
![Page 12: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/12.jpg)
BrowserSpider
Written in Python
Uses the Selenium framework to control REAL browsers
Flash, PDFs, Java applets etc. execute as normal
All the browser bugs exist for real
Spiders and follows all links seen
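The "spiders and follows all links seen" part, as an added example that is not the BrowserSpider source (which is not on this page). The real tool drives a real browser through Selenium; here the `fetch` callable is a stand-in (with Selenium it would be `driver.get(url)` followed by reading `driver.page_source`), so the crawl logic runs offline against a few constructed pages. The hostnames `spam.example` and `kit.example` and the page contents are made up for the example.

```python
"""Link-following spider frontier, in the spirit of BrowserSpider.

Added example, not the BrowserSpider source. The real tool drives a real
browser through Selenium; here `fetch` is a plug-in so the crawl logic runs
offline against a few constructed HTML pages.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Tag -> attribute that pulls further content into the browser: ordinary
# links plus the iframes, scripts and embeds drive-by landing pages rely on.
LINK_ATTRS = {"a": "href", "iframe": "src", "frame": "src",
              "script": "src", "embed": "src", "object": "data"}


class LinkExtractor(HTMLParser):
    """Collects absolute URLs from one page, including meta-refresh targets."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta":
            # <meta http-equiv="refresh" content="0; url=http://..."> is a redirect
            if (attrs.get("http-equiv") or "").lower() == "refresh":
                _, _, target = (attrs.get("content") or "").partition("url=")
                if target:
                    self.links.append(urljoin(self.base_url, target.strip()))
            return
        name = LINK_ATTRS.get(tag)
        value = attrs.get(name) if name else None
        if value:
            self.links.append(urljoin(self.base_url, value.strip()))


def normalize(url):
    """Strip the fragment; reject anything a browser would not fetch over HTTP(S)."""
    url, _ = urldefrag(url)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return url


def spider(seed_urls, fetch, max_depth=2, max_pages=100, same_host_only=False):
    """Breadth-first crawl from the seeds; returns the URLs in visit order.

    fetch(url) returns the page's HTML, or None if nothing parseable came back.
    """
    seen, order, queue, seed_hosts = set(), [], deque(), set()
    for url in seed_urls:
        url = normalize(url)
        if url:
            seed_hosts.add(urlsplit(url).netloc.lower())
            queue.append((url, 0))
    while queue and len(order) < max_pages:
        url, depth = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        order.append(url)
        if html is None or depth >= max_depth:
            continue
        parser = LinkExtractor(url)
        parser.feed(html)
        for link in parser.links:
            link = normalize(link)
            if link is None or link in seen:
                continue
            if same_host_only and urlsplit(link).netloc.lower() not in seed_hosts:
                continue
            queue.append((link, depth + 1))
    return order


# Constructed sample site (hypothetical hosts): a spam landing page that
# meta-refreshes onward and loads a 1x1 iframe from a second host, the shape
# exploit-kit gates took. The mailto: and javascript: links show what is dropped.
FAKE_SITE = {
    "http://spam.example/landing": """
        <html><body>
        <a href="/offer#top">Offer</a>
        <a href="mailto:nobody@spam.example">mail</a>
        <a href="javascript:void(0)">js</a>
        <iframe src="http://kit.example/gate.php" width="1" height="1"></iframe>
        <meta http-equiv="refresh" content="0; url=http://spam.example/offer2">
        </body></html>""",
    "http://spam.example/offer": '<a href="http://spam.example/landing">back</a>',
    "http://spam.example/offer2": "<p>nothing here</p>",
    "http://kit.example/gate.php": '<script src="http://kit.example/payload.js"></script>',
    "http://kit.example/payload.js": None,  # not HTML, nothing to follow
}


def fake_fetch(url):
    return FAKE_SITE.get(url)


if __name__ == "__main__":
    for visited in spider(["http://spam.example/landing"], fake_fetch):
        print(visited)
```

Two knobs matter when the seeds come from a SPAM folder: `max_depth` keeps one landing page from dragging the crawler across the whole web, and `same_host_only=True` stays on the spammed domain when you only want its own pages (it would drop the `kit.example` iframe above, which is exactly the content you usually do want, so leave it off for drive-by hunting). Because the point of the tool is that browser bugs fire for real, the browser it drives belongs in a disposable VM that is reverted after every run.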
![Page 13: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/13.jpg)
Sample Analysis
• Cuckoo Sandbox
• VirusTotal
![Page 14: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/14.jpg)
A day's work for a Cuckoo
Fetch a task
Prepare the analysis
Launch analyzer in virtual machine
Execute an analysis package
Complete the analysis
Store the result
Process and create reports
![Page 15: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/15.jpg)
DEMO: Submit sample for analysis
![Page 16: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/16.jpg)
![Page 17: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/17.jpg)
Sample Reporting
• Results are stored in MongoDB (optional, highly recommended)
• Accessed using an analyst GUI
![Page 18: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/18.jpg)
![Page 19: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/19.jpg)
![Page 20: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/20.jpg)
![Page 21: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/21.jpg)
Data Mining
![Page 22: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/22.jpg)
Where Virtual Machine analysis fails
And what to do about it
![Page 23: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/23.jpg)
Problems
Cuckoo is easily bypassed
User-detection
Sleeping malware
![Page 24: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/24.jpg)
Problems
VM or sandbox detection
The guest OS might not be sufficient
Any multistage attack
![Page 25: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/25.jpg)
Iterating automation
Sort out clearly non-malicious and obviously malicious samples
Divide the samples into categories:
Known Good
Known Bad
Unknown
Do brief static analysis
![Page 26: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/26.jpg)
Iterating automation
Do brief static analysis; typical findings for the Unknown samples:
• Does not do anything
• Detects environment
• Encrypted segments
• Failed execution
![Page 27: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/27.jpg)
Iterating automation
Follow-up for the Unknown samples:
• Run longer
• Environment customization
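The three "Iterating automation" slides describe one triage loop: split on VirusTotal results, mark the rest Unknown, check the Unknown ones for the four markers, and decide whether to run longer or customize the environment. Here it is as working code, an added example that is not MART's or Cuckoo's own code. The `report` dict is a made-up flat summary of one Cuckoo run plus a VirusTotal lookup (its field names are not Cuckoo's schema), every threshold is an assumption to tune against your own corpus, and the mapping from finding to follow-up action is the example's own reading of the slides.

```python
"""Triage of sandbox + VirusTotal results into Known Good / Known Bad / Unknown.

Added example, not MART or Cuckoo code. `report` is a made-up flat summary of
one analysis; its field names and every threshold here are this example's
assumptions, not Cuckoo's report schema.
"""
import math
from collections import Counter

VT_BAD_RATIO = 0.5      # this share of engines flagging it -> Known Bad
VT_MIN_ENGINES = 40     # zero detections from fewer engines proves little
HIGH_ENTROPY = 7.2      # bits/byte; packed or encrypted sections sit near 8.0
MIN_API_CALLS = 50      # below this the sample barely executed
# API names whose presence in the trace usually means VM/sandbox probing.
ENV_PROBES = {"IsDebuggerPresent", "cpuid", "NtQuerySystemInformation",
              "GetSystemFirmwareTable", "SbieDll.dll"}

# How each finding feeds the next iteration (this example's mapping).
NEXT_ACTION = {
    "does not do anything": "run longer",
    "encrypted segments": "run longer",
    "detects environment": "environment customization",
    "failed execution": "environment customization",
}


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def brief_static_findings(report):
    """The four 'Unknown' markers from the slides, checked against one report."""
    findings = []
    if report.get("exit_status") != "completed":
        findings.append("failed execution")
    if (report.get("api_calls", 0) < MIN_API_CALLS
            and not report.get("files_written") and not report.get("network_hosts")):
        findings.append("does not do anything")
    if ENV_PROBES & set(report.get("observed_apis", ())):
        findings.append("detects environment")
    if any(shannon_entropy(body) > HIGH_ENTROPY
           for body in report.get("sections", {}).values()):
        findings.append("encrypted segments")
    return findings


def triage(report):
    """Return (category, findings, follow-up actions) for one report."""
    positives, total = report.get("vt_positives", 0), report.get("vt_total", 0)
    ratio = positives / total if total else None
    findings = brief_static_findings(report)
    if ratio is not None and ratio >= VT_BAD_RATIO:
        return "Known Bad", findings, []
    if ratio == 0 and total >= VT_MIN_ENGINES and not findings:
        return "Known Good", findings, []
    return "Unknown", findings, sorted({NEXT_ACTION[f] for f in findings})


# Constructed reports (made-up numbers, section bodies chosen for their entropy).
SAMPLES = {
    "clean_tool": dict(vt_positives=0, vt_total=56, exit_status="completed",
                       api_calls=4200, files_written=3, network_hosts=0,
                       observed_apis=["CreateFileW", "WriteFile"],
                       sections={".text": bytes(range(65, 91)) * 200}),   # ~4.7 bits
    "commodity_bot": dict(vt_positives=44, vt_total=56, exit_status="completed",
                          api_calls=9000, files_written=12, network_hosts=3,
                          observed_apis=["InternetOpenA"],
                          sections={".text": b"\x90" * 1024}),
    "sleeper": dict(vt_positives=2, vt_total=56, exit_status="completed",
                    api_calls=12, files_written=0, network_hosts=0,
                    observed_apis=["Sleep"], sections={".text": b"\x00" * 4096}),
    "vm_aware_packed": dict(vt_positives=5, vt_total=56, exit_status="completed",
                            api_calls=300, files_written=0, network_hosts=0,
                            observed_apis=["cpuid", "IsDebuggerPresent", "ExitProcess"],
                            sections={".text": b"\x55\x8b\xec" * 500,
                                      ".rsrc": bytes(range(256)) * 16}),  # 8.0 bits
    "crasher": dict(vt_positives=1, vt_total=56, exit_status="crashed",
                    api_calls=5, files_written=0, network_hosts=0,
                    observed_apis=[], sections={}),
}

if __name__ == "__main__":
    for name, report in SAMPLES.items():
        print(name, triage(report))
```

The ordering matters: a high VirusTotal ratio short-circuits to Known Bad even if the run also failed, while Known Good requires both zero detections from enough engines and a clean behavioural picture. A sample that did nothing and probed for a VM lands in Unknown with both follow-ups, which is the case the slides are about: re-run it longer in a guest that looks less like a sandbox, then triage again.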
![Page 28: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/28.jpg)
![Page 29: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/29.jpg)
Budget
Computer: €520
MSDN License: €800 (€590 renewal)
Year 1: €1320
Year N: €590
Money saved from stopped smoking (yearly): €2040
![Page 30: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/30.jpg)
Next steps
• Bare-metal (on-the-iron) malware analysis
• Android platform support
• OSX platform support
• iOS platform support
![Page 31: Malware Analysis as a Hobby](https://reader033.fdocuments.us/reader033/viewer/2022052906/5588e7bbd8b42a25448b4606/html5/thumbnails/31.jpg)
Questions?
Michael [email protected]
http://michaelboman.org
@mboman
Siavosh [email protected]
@zarrasvand