H@Dfex 2015 - Malware Analysis
-
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
The Third Hacking and Digital Forensics Exposed
28 November 2015 | Hotel Indoluxe | Yogyakarta, Indonesia
Malware Analysis
-
About Me
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Researcher, Information Security Research Group, and Lecturer, Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim
I am currently doing my doctoral study at Universitas Indonesia
Research Interest: Malware, Intrusion Detection, Threats Intelligence, Vulnerability Analysis, Digital Forensics, Cloud Security
Community: Indonesia Honeynet Project - Chapter Lead; Academy CSIRT - member; Asosiasi Digital Forensik Indonesia - member
-
Agenda
About Honeynet
What is Malware?
Why Malware Analysis?
Types of Malware Analysis
Static Analysis
Dynamic Analysis
Memory Analysis
Case Study
Future Challenges
-
About Honeynet
Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)
Mission: learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned - http://www.honeynet.org
-
About Honeynet
Share all of our tools, research and findings, at no cost to the public
Know Your Tools (KYT) and Know Your Enemy (KYE) white papers regularly published on current research topics
Members release regular activity status reports
Committed to open source and creative commons
Partially funded by sponsors, nothing to sell!
-
About Honeynet
Honeynet Project Workshop | 18-20 May 2015 | Stavanger, Norway
-
About Honeynet
CONPOT 0.5.0 Release | 13 November 2015
-
About Honeynet
55 Chapters and 37 Countries
-
About Indonesia Honeynet Project
15 passionate security professionals, academicians and government officials met and signed a petition on 25 November 2011
Indonesia Chapter officially recognized 9 January 2012
Current members: 130 (20 active members)
-
About Indonesia Honeynet Project
Yearly Seminar and Workshop since 2012
Focus on Security Awareness and Security Research
Honeynet communities: Jakarta, Semarang, Surabaya, Yogya, Denpasar, Palembang, Lampung
Research Topics: Incident handling, Vulnerability Analysis, Malware, Digital Forensics, Penetration Testing, Threats Intelligence
-
About Indonesia Honeynet Project
Honeynet Seminar & Workshop | 10-11 June 2015 | Lampung, Indonesia
-
Honeypots Research & Deployment
2009 - Learning Period: Honeypot: Nepenthes; Learning how to install and configure; # Honeypots deployed: None; Hardware: Client
2011 - Early Period: Honeypot: Nepenthes, Dionaea; Deployed 1st Honeypot in SGU; # Honeypots deployed: 1; Hardware: Simple Client and Server
2013 - Growing Period: Honeypot: Dionaea; Target: Academic, Government, ISP; # Honeypots deployed: 5; Hardware: Mini PC and Server
2015 - Expanding Period: Honeypot: Dionaea, Kippo, Glastopf, Honeytrap; Coverage: Java, Bali, Sumatera; # Honeypots deployed: 16; Hardware: Raspberry Pi and Dedicated servers
-
Our Contribution
-
Our Contribution
Attacker Statistics: Attacker IP, Malware, Targeted Ports, Provinces attacked
-
Our Contribution
Attacker Statistics: Attacker IP, Malware, Targeted Ports, Provinces attacked
-
Other Research
Second Hand USB Forensics and Publications
-
Join Us
Indonesia Honeynet Project
idhoneynet
http://www.honeynet.or.id
http://groups.google.com/group/id-honeynet
-
What is Malware?
Malware (Malicious Software): all kinds of software that disrupt computer operations, gather sensitive information, or gain access to private computer systems
Types of Malware:
Viruses
Worms
Trojans
Ransomware
Rootkits
-
What is Malware?
Reference: PandaLabs Q2 2015 Report
-
Why Malware Analysis?
To gain insight into the nature and purpose of malware
To identify host-based and network indicators (Forensics: Indicators of Compromise, IOC)
To understand malware behaviors and persistence mechanisms
Extract information used for learning and malware detection
-
Types of Malware Analysis
Static Analysis: a method of examining computer program/code without executing the program
Dynamic Analysis: a method of examining computer program/code while executing the program in a real or virtual processor
Memory Analysis: a method of examining computer program/code after executing the program in a real or virtual processor
-
Static Analysis
To gain insight into the nature and purpose of malware
To identify host-based and network indicators (Forensics: Indicators of Compromise, IOC)
To understand malware behaviors and persistence mechanisms
Extract information used for learning and malware detection
-
Static Analysis
Input File Type: EXE, DLL, documents, etc.
Output: Metadata, Code, Data
Workflow: File Binaries -> Static Analysis Tools -> Static Features (Metadata, Code, Data)
-
Static Analysis Tools
PEiD (http://bob.droppages.com/projects/peid) - Packer and compiler detector
Pafish (https://github.com/a0rtega/pafish) - checking for anti-sandbox and anti-VM
Yara (https://plusvic.github.io/yara/) - pattern matching for malware analysis
Ssdeep (https://pypi.python.org/pypi/ssdeep) - fuzzy hash
Strings Utility (https://technet.microsoft.com/en-us/sysinternals/strings.aspx) - strings extraction tool
OllyDbg (http://www.ollydbg.de/) - Code Debugger
IDA Pro (https://www.hex-rays.com/products/ida/) - Disassembler, Debugger
-
PE (Portable Executable) Header
-
PE (Portable Executable) Header
Source: https://code.google.com/p/corkami/wiki/PE101
-
PE (Portable Executable) Header
-
Static Analysis
Questions to answer:
Is the malware binary packed?
Can the malware binary be unpacked?
What are the important static features to be extracted?
If the malware cannot be unpacked (due to the complexity of the packing method), then we can only rely on Dynamic Analysis
-
Static Analysis (Packer Landscape)
https://code.google.com/p/corkami/downloads/detail?name=packers.pdf
-
Static Analysis (PE Header Section)
Entropy > 6.67 indicates that the data section is packed/encrypted
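The entropy check worked through in code, as an added example (it is not the speaker's code and not taken from any tool on the slides). It walks the PE section table with a minimal hand-written parser (no pefile dependency), computes Shannon entropy per section and flags anything above the 6.67 threshold quoted on the slide. The PE image it scans is constructed inline for the demo: only headers plus two sections, one repetitive code-like section and one filled with deterministic pseudo-random bytes standing in for a packed payload. The section names, sizes and the missing optional header are assumptions of the toy image, not a real binary.

```python
import hashlib
import math
import struct
from collections import Counter

# Threshold quoted on the slide: a section with entropy above this is likely packed/encrypted.
PACKED_ENTROPY_THRESHOLD = 6.67


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty/constant data, ~8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Minimal PE section-table walker (no pefile dependency): yields (name, raw_section_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[ptr_raw:ptr_raw + size_raw]


def section_entropy_report(image: bytes):
    """[(section name, entropy rounded to 2 decimals, flagged as packed?), ...] for a PE image."""
    report = []
    for name, raw in pe_sections(image):
        h = shannon_entropy(raw)
        report.append((name, round(h, 2), h > PACKED_ENTROPY_THRESHOLD))
    return report


def build_sample_pe() -> bytes:
    """Constructed toy PE image for the demo (headers only, not executable code): one repetitive
    code-like section and one high-entropy section standing in for a packed payload."""
    text = b"MOV EAX, 1; RET; " * 256                                            # repetitive -> low entropy
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 pseudo-random bytes
    e_lfanew, num_sections, size_opt = 0x80, 2, 0      # toy image omits the optional header (assumption)
    table = e_lfanew + 4 + 20
    data_start = table + 40 * num_sections
    hdr = bytearray(data_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine(i386), NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, num_sections, 0, 0, 0, size_opt, 0x102)
    offset = data_start
    for i, (name, raw) in enumerate([(b".text", text), (b"UPX1", packed)]):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums (unused), Characteristics
        struct.pack_into("<8sIIIIIIHHI", hdr, table + 40 * i,
                         name, len(raw), 0x1000 * (i + 1), len(raw), offset, 0, 0, 0, 0, 0x60000020)
        offset += len(raw)
    return bytes(hdr) + text + packed


if __name__ == "__main__":
    for name, h, packed in section_entropy_report(build_sample_pe()):
        print(f"{name:8s} entropy={h:5.2f} {'PACKED?' if packed else 'plain'}")
```

The parser reads SizeOfOptionalHeader rather than assuming it, so the same walker works on real files (where it is 0xE0 or 0xF0) as on the toy image. Entropy above the threshold is a hint, not proof: compressed resources and embedded certificates also score high, which is why the slide pairs it with a packer detector such as PEiD.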
-
Static Analysis (Static Features)
Strings (one of the most important)
Import DLL
Assembly Code
Byte Code
Strings Example - Brute Force Dictionary Password (Allaple Malware Samples)
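A strings extractor with a first-pass triage, added here as an example; it is not the speaker's code and not the Sysinternals strings tool, although it uses the same default minimum length of 4. It pulls printable ASCII and UTF-16LE runs out of a binary, then buckets them into network indicators, host indicators and imported DLLs, and flags a run of consecutive short tokens as a probable password dictionary of the kind the Allaple strings on the slide show. The regular expressions, the bucket names and the sample blob are all assumptions constructed for the demo; the blob is not a real malware sample and the URL and IP in it are reserved documentation values.

```python
import re
from typing import Dict, List, Tuple

MIN_LEN = 4  # default minimum string length of the Sysinternals strings tool

# Indicator patterns and dictionary heuristic: assumptions chosen for this demo, not a standard
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
DLL_RE = re.compile(r"(?i)\b[\w-]+\.dll\b")
REG_RE = re.compile(r"(?i)^(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE|SYSTEM)\\")
PATH_RE = re.compile(r"(?i)^(?:[a-z]:\\|%[a-z]+%)")
WORD_RE = re.compile(r"[a-z0-9]{4,10}")      # short, space-free token: typical wordlist entry


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Printable ASCII and UTF-16LE runs of at least min_len chars, as (offset, encoding, text), by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(blob)]
    return sorted(found)


def triage(strings) -> Dict[str, List[str]]:
    """Bucket extracted strings into network IOCs, host IOCs, imported DLLs and a probable
    password dictionary (a run of >= 4 consecutive WORD_RE tokens, as in a brute-force wordlist)."""
    report = {"network": [], "host": [], "imports": [], "dictionary": []}
    texts = [t for _, _, t in strings]
    for t in texts:
        if IPV4_RE.search(t) or URL_RE.search(t):
            report["network"].append(t)
        elif DLL_RE.search(t):
            report["imports"].append(t)
        elif REG_RE.search(t) or PATH_RE.search(t):
            report["host"].append(t)
    run = []
    for t in texts + [""]:            # empty sentinel flushes the final run
        if WORD_RE.fullmatch(t):
            run.append(t)
            continue
        if len(run) >= 4:
            report["dictionary"].extend(run)
        run = []
    return report


# Constructed sample blob (not a real malware sample): indicator-like strings wrapped in junk bytes
SAMPLE = (
    b"\x00\x00MZ\x90\x00" + b"\x00" * 10
    + b"kernel32.dll\x00ws2_32.dll\x00"
    + b"http://c2.example.invalid/gate.php\x00"
    + b"192.0.2.44\x00\x00"
    + "C:\\Windows\\svchost32.exe".encode("utf-16le") + b"\x00\x00"   # wide string, as Windows APIs store it
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"admin\x00password\x00123456\x00qwerty\x00letmein\x00"         # embedded wordlist
    + b"\x13\x37\x42"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:8s} {text}")
    for bucket, items in triage(extract_strings(SAMPLE)).items():
        print(bucket, items)
```

Scanning for UTF-16LE separately matters on Windows samples: paths, registry keys and mutex names are often stored as wide strings and an ASCII-only pass misses them entirely. The dictionary heuristic is deliberately loose; on a real sample the run it flags is a candidate to confirm by hand, and the network bucket is what feeds the IOC list the earlier slide asks for.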
-
Dynamic Analysis
To gain insight into malware behaviors (interactions of malware binaries with the operating system)
Important Features:
File System Activities
Process Activities
Network Activities
System Calls
-
Dynamic Analysis
Input File Type: EXE, DLL, documents, etc.
Output: File System Activities, Process Activities, Network Activities, System Calls
Workflow: File Binaries -> Sandbox or Virtual Env. -> Dynamic Features (File System Activities, Process Activities, Network Activities, System Calls)
-
Dynamic Analysis Tools
Detours (http://research.microsoft.com/en-us/projects/detours/) - Binary instrumentation for Win32 functions
Sandboxes:
Cuckoo Sandbox (http://www.cuckoosandbox.org/)
Anubis (http://anubis.iseclab.org/)
ThreatTrack (http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx)
Comodo Automated Analysis (http://camas.comodo.com/)
-
Dynamic Analysis
File System Activities, Network Activities, Process Activities
-
Dynamic Analysis
Questions to answer:
Does the malware seem to execute properly?
Does the malware stop while executed?
Is there any unique execution? (File System, Process, Network, System Calls)
If the malware has anti-analysis, anti anti-analysis must be done first (Pafish is a good tool)
Maybe sequences of instructions can be good features
-
Memory Analysis
To gain insight into malware footprints in memory
Important Features:
Running Processes
Shared Libraries
Network Connections
Hooking Detection
Rootkit Detection
Code Injection
Hidden artifacts
-
Memory Analysis Tools
Volatility (https://code.google.com/p/volatility/) - Framework for memory analysis
Dynamic Binary Instrumentation (DBI):
Pin Tools (https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)
Valgrind (http://valgrind.org/)
-
Memory Analysis
Start with what we know
-
Memory Analysis
Yara Scan of the known process;
-
Memory Analysis
Suspicious mutex is making connection
-
Memory Analysis
File Handles that starts with TDSS
-
Memory Analysis
File Handles that starts with TDSS and detect the hidden file
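The handle pivot from the last few slides (known process -> suspicious mutex -> file handles starting with TDSS -> hidden file) written as a small triage script, added here as an example; it is not the speaker's code and not part of Volatility. It parses text in the column layout of Volatility 2's handles plugin, groups File and Mutant handles whose object name starts with a given prefix by PID, and then reports files that a process holds open but that the file-system view never listed, which is how a rootkit hiding its files shows up. The handle rows, PIDs, object names and the directory listing are all constructed for the demo; only the TDSS prefix comes from the slide.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the column layout of Volatility 2's `handles` plugin
# (Offset(V) Pid Handle Access Type Details). All names and PIDs are invented for the demo.
SAMPLE_HANDLES = "\n".join([
    r"Offset(V)          Pid   Handle   Access     Type      Details",
    r"0x85b8c1f8         4     0x4      0x1f0003   Event",
    r"0x85d1a2d0      1064     0x38     0x100020   File      \Device\HarddiskVolume1\Windows\System32",
    r"0x85c33e48      1064     0x7c     0x1f0001   Mutant    TDSS_mutex_17",
    r"0x85c45f00      1064     0x80     0x120089   File      \Device\HarddiskVolume1\Windows\System32\TDSScfg.dat",
    r"0x85d77a20      1492     0x2c     0x1f0001   Mutant    MSCTF.Shared.MUTEX.AAA",
    r"0x85e01b10      1492     0x44     0x100001   File      \Device\HarddiskVolume1\Users\lab\notes.txt",
])

# Constructed file-system view of the same host (what a directory listing reported while the system was live).
KNOWN_FILES = {
    r"\Device\HarddiskVolume1\Windows\System32",
    r"\Device\HarddiskVolume1\Users\lab\notes.txt",
}


def parse_handles(text: str) -> List[Dict[str, str]]:
    """Parse handles output into dicts with pid (int), handle, type and details ('' when the row has none)."""
    rows = []
    for line in text.splitlines()[1:]:           # skip the column header
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        details = parts[5] if len(parts) > 5 else ""
        rows.append({"pid": int(parts[1]), "handle": parts[2], "type": parts[4], "details": details})
    return rows


def find_prefixed(rows, prefix: str, types=("File", "Mutant")) -> Dict[int, List[Tuple[str, str]]]:
    """Group by PID every File/Mutant handle whose object name (path basename) starts with prefix."""
    hits = defaultdict(list)
    for r in rows:
        if r["type"] not in types:
            continue
        basename = r["details"].rsplit("\\", 1)[-1]
        if basename.startswith(prefix):
            hits[r["pid"]].append((r["type"], r["details"]))
    return dict(hits)


def hidden_files(rows, known_files) -> List[str]:
    """Files some process holds open in memory that the file-system view does not list:
    a rootkit filtering directory listings is caught exactly at this difference."""
    open_files = {r["details"] for r in rows if r["type"] == "File"}
    return sorted(open_files - set(known_files))


if __name__ == "__main__":
    rows = parse_handles(SAMPLE_HANDLES)
    for pid, objs in find_prefixed(rows, "TDSS").items():
        print(f"pid {pid}: {objs}")
    print("hidden:", hidden_files(rows, KNOWN_FILES))
```

The mutex and the file land on the same PID, which is the pivot the slides make from "suspicious mutex" to "file handles that start with TDSS"; the difference between open handles and the live listing is the memory-versus-disk comparison that exposes the hidden file.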
-
Case Study
Huge traffic detected on MRTG (outbound)
-
Case Study
Isolate and reconstruct the incident
Sniff the traffic while the server is running
Lab setup: Virtual Server with VM1 running, Switch, Desktop as Gateway
-
Case Study
Sending huge numbers of SYN packets to a China IP address
We found that it was the user .Iptables that was sending the huge traffic
-
Case Study
The malware must have entered the system through a service. We noticed that the ssh service was running
We also noticed that the root account was enabled
-
Case Study
ssh authentication was successful
We found that the root password was an easy-to-guess 7-character string (combination of alpha and numeric)
It was a Korean IP address that made the connection
-
Case Study (Lesson Learned)
The user (also an admin) who installed the system made some simple but devastating mistakes:
Used a simple (easy to guess) password
Root account login over the ssh service was enabled
The malware caused a Denial of Service attack using SYN flooding
Reverse engineering of the malware showed that the malware could also perform DNS flooding
-
Current and Future Challenges
Malware Packers or Crypters
Anti-Analysis (Anti-Debugging, Anti-Disassembler, Anti-Sandbox, Anti-Emulation)
NO SILVER BULLET
Must use a combination of all malware analysis techniques
Machine Learning is also a big help
-
Related Publications
Joshua Tommy Juwono, Charles Lim, Alva Erwin, A Comparative Study of Behavior Analysis Sandboxes in Malware Detection, The 3rd International Conference on New Media 2015, Jakarta, Indonesia, 2015
Charles Lim, Nicsen, Mal-EVE: Static Detection Model for Evasive Malware, 10th EAI International Conference on Communications and Networking in China, Shanghai, China, 2015
Charles Lim, Darryl Y. Sulistyan, Suryadi, and Kalamullah Ramli, Experiences in Instrumented Binary Analysis for Malware, The 3rd International Conference on Internet Services Technology and Information Engineering 2015 (ISTIE 2015), Bali, 2015
Charles Lim, Meily, Nicsen, and Herry Ahmadi, Forensics Analysis of USB Flash Drives in Educational Environment, The 8th International Conference on Information & Communication Technology and Systems, Surabaya, 2014
Charles Lim and Kalamullah Ramli, Mal-ONE: A Unified Framework for Fast and Efficient Malware Detection, 2014 2nd International Conference on Technology, Informatics, Management, Engineering & Environment, Bandung, 2014
-
Conclusion
Malware continues to rise in numbers and sophistication
Malware authors usually combine common malware modules with few changes
Packers and Anti-Analysis are real challenges
Malware analysis is usually part of Threats Intelligence, Incident Response, and Digital Forensics
There is no silver bullet for Malware Analysis
-
Call for More Research
Indonesia Honeynet Project
idhoneynet
http://www.honeynet.or.id
http://groups.google.com/group/id-honeynet