![Page 1: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt](https://reader033.vdocuments.site/reader033/viewer/2022060107/554a18a0b4c9055c598b5217/html5/thumbnails/1.jpg)
Automated Malware Analysis
Nguyễn Chấn Việt
Organizer:
Sponsor:
Malware Attacks Growing
• Office exploits
• PDF exploits
• Browser exploits
• …
10/29/2013 11:15 AM www.securitybootcamp.vn
Anatomy of the attack
Stage 1: Exploitation / Phishing / Social Engineering
Stage 2: The dropper executes and disables existing security controls
Stage 3: The "real" malware is downloaded and installed
Stage 4: Steal sensitive data
Stage 5: Communicate with external C&C servers, used to facilitate further attacks
Why do we need it?
• There are far too many malware samples in the wild
• Manual analysis takes a lot of time
• Static analysis requires a strong skill set
• We need to deal with packed, polymorphic and self-modifying code
• Performing dynamic analysis manually is tedious work
=> How can we handle the large volume of malware samples collected each day?
Methods of malware analysis
• Signatures
• Heuristics
• Discrete Objects Analysis
• Contextual Analysis
Online AMAs
• VirusTotal: http://www.virustotal.com/
• ThreatExpert: http://www.threatexpert.com/filescan.aspx
• Anubis: http://anubis.iseclab.org/
• Joebox:
  – http://www.file-analyzer.net/
  – http://www.apk-analyzer.net/
  – http://www.document-analyzer.net/
  – http://www.url-analyzer.net/
Offline AMAs
• CWSandbox: commercial
• Cuckoo Sandbox: free and open source
• Zerowine: a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux
• Malheur
Cuckoo is my choice
• Cuckoo Sandbox was started as a 2010 Summer of Code project
• It now consists of around 50,000 lines of code written in Python and C
• Sponsored by Rapid7 in a program called "Magnificent7"
• Why did we choose it?
  – Easy to use
  – Easy to customize
  – Nice web UI and comprehensive reports
  – Open source
Execution flow
• Fetch a task
• Prepare the analysis
• Launch the analyzer in the virtual machine
• Execute an analysis package
• Complete the analysis
• Store the results
• Process and create reports
Your VM can be detected
Your sandbox can be detected
Hardening
• Integrate with pafish (Paranoid Fish)
• Keep the VM-detection bypass methods up to date
• More info:
  – http://www.alienvault.com/open-threat-exchange/blog/hardening-cuckoo-sandbox-against-vm-aware-malware
  – http://kromer.pl/malware-analysis/installing-and-hardening-latest-cuckoo-sandbox-on-gentoo-linux/
  – http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardening-virtualbox.html
Others
• CuckooMX: automating email attachment scanning with Cuckoo
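One way to build the first stage of such an attachment-scanning pipeline with only the Python standard library (an added example, not CuckooMX's own code): parse the message, describe each attachment by name, declared type, size and SHA-256, and skip hashes that were already sent to the sandbox. The sample message is constructed, and the hand-off to Cuckoo itself is left out.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage


def build_sample_message():
    """Constructed sample mail (not a real phishing message): a text body plus
    two attachments that carry the same harmless bytes under different names."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.invalid'
    msg['To'] = 'analyst@example.invalid'
    msg['Subject'] = 'Invoice'
    msg.set_content('Please see the attached invoice.')
    payload = b'%PDF-1.4 constructed sample'
    msg.add_attachment(payload, maintype='application', subtype='pdf', filename='invoice.pdf')
    msg.add_attachment(payload, maintype='application', subtype='pdf', filename='invoice_copy.pdf')
    return msg.as_bytes()


def extract_attachments(raw):
    """Walk the MIME tree and describe every attachment (name, declared type,
    size, SHA-256); the inline text body is not an attachment and is skipped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload:                      # empty or undecodable part: nothing to scan
            continue
        records.append({
            'filename': part.get_filename() or 'unnamed',
            'content_type': part.get_content_type(),
            'size': len(payload),
            'sha256': hashlib.sha256(payload).hexdigest(),
        })
    return records


def select_for_sandbox(records, seen_hashes):
    """Drop attachments already analysed (same SHA-256), so a sample mailed to
    many recipients costs one sandbox run. seen_hashes is updated in place."""
    fresh = []
    for rec in records:
        if rec['sha256'] in seen_hashes:
            continue
        seen_hashes.add(rec['sha256'])
        fresh.append(rec)
    return fresh
```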
How about post-analysis?
• Cuckoo + Volatility + YARA
Volatility
• An advanced memory forensics framework
• Written in Python
• Open source
• Active development
  – Month of Volatility Plugins (MoVP)
  – Annual Volatility Framework Plugin Contest
• Large community
Volatility
• There are many modules for:
  – Detecting Windows GUI hooking
  – Detecting usermode hooks (IAT/inline/…)
  – Detecting kernelmode hooks (SSDT/IRP/…)
  – Detecting hidden processes
  – Detecting hidden kernel modules
  – Detecting hidden connections
YARA
• YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families.
YARA
• Example: the rule below tells YARA that any file containing one of the three strings must be reported as silent_banker.

  rule silent_banker : banker
  {
      meta:
          description = "This is just an example"
          thread_level = 3
          in_the_wild = true
      strings:
          $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
          $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
          $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
      condition:
          $a or $b or $c
  }
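As an added example (not from the slides or the YARA project), a minimal pure-Python matcher for just the subset of YARA syntax this rule uses: it parses the hex and text strings, evaluates the OR condition and reports which string hit and at what offset. The sample buffers are constructed; in a real pipeline the yara-python bindings do this work against the sandbox's dropped files and memory dumps.

```python
import re

# The silent_banker rule from the slide, embedded so the example runs offline.
SILENT_BANKER_RULE = r'''
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
'''

HEADER_RE = re.compile(r'rule\s+(\w+)\s*(?::\s*([\w\s]+))?\{')
STRING_RE = re.compile(r'(\$\w+)\s*=\s*(\{[^}]*\}|"[^"]*")')

def parse_rule(text):
    """Parse the YARA subset this rule uses: name, tags, hex/text strings, OR condition."""
    head = HEADER_RE.search(text)
    name, tags = head.group(1), (head.group(2) or '').split()
    strings_body = text[text.index('strings:'):text.index('condition:')]
    patterns = {}
    for ident, value in STRING_RE.findall(strings_body):
        if value.startswith('{'):              # hex string -> raw bytes
            patterns[ident] = bytes.fromhex(value.strip('{}'))
        else:                                  # text string -> ASCII bytes
            patterns[ident] = value.strip('"').encode('ascii')
    tokens = text.split('condition:', 1)[1].strip().rstrip('}').split()
    if any(t != 'or' for t in tokens if not t.startswith('$')):
        raise ValueError('only OR conditions are supported by this toy parser')
    return name, tags, patterns, [t for t in tokens if t.startswith('$')]

def scan(rule_text, data):
    """Return (rule_name, {string_id: offset}) if any condition string is in data,
    else (None, {}); with OR, a single hit is enough to report the file."""
    name, _tags, patterns, cond_ids = parse_rule(rule_text)
    hits = {i: data.find(patterns[i]) for i in cond_ids if patterns[i] in data}
    return (name, hits) if hits else (None, {})

# Constructed sample buffers (not real malware): filler bytes around one pattern.
SAMPLE_HEX_HIT = b'\x90' * 16 + bytes.fromhex('6A4068003000006A148D91') + b'\x90' * 16
SAMPLE_TEXT_HIT = b'MZ\x90\x00' + b'UVODFRYSIHLNWPEJXQZAKCBGMT' + b'\x00' * 8
SAMPLE_CLEAN = b'MZ\x90\x00' + b'\x00' * 64
```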
Who's using YARA
• VirusTotal Intelligence (https://www.virustotal.com/intelligence/)
• jsunpack-n (http://jsunpack.jeek.org/)
• We Watch Your Website (http://www.wewatchyourwebsite.com/)
• FireEye, Inc. (http://www.fireeye.com)
• Fidelis XPS (http://www.fidelissecurity.com/network-security-appliance/Fidelis-XPS)
New Automated Malware Capability Detection System
• CrowdSource: applying machine learning to web technical documents to automatically identify malware capabilities
  – detects debugger-based reversing
  – encrypts / decrypts data
  – provides remote desktop capability
  – steals or modifies cookies
  – mines or steals bitcoins
  – communicates over SMTP
  – has GUI functionality
  – communicates with a database
  – communicates via the IRC protocol
  – logs keystrokes
  – takes screenshots
• Planning to release CrowdSource as an open source tool in November
Conclusion
• The fight against malware is a cat-and-mouse game
• We should:
  – Make use of Automated Malware Analysis
  – Keep up with new techniques
  – Use the simplest method for each scenario
Thank you!