
1 Reverse Engineering Malware and Mitigation Techniques Jacek Milunski – NATO Computer Incident Response Center Andrzej Dereszowski – NATO Computer Incident Response Center Raf Cox – Microsoft BeLux SIA404

3 [Map slide: NATO operations and locations. Operations: NTM-I, Operation Ocean Shield, Darfur (support to the African Union), KFOR, ISAF, OUP Libya, EUFOR. Locations: Norfolk, Naples, Lisbon, Brunssum, Mons, NATO HQ & Agencies (NATO HQ, NC3A, NAMSA, NETMA, ……..)]

4 Prevent -> Detect -> Respond -> Recover -> Feedback

7 WARNING: DO NOT TRY THIS AT HOME OR AT THE OFFICE! We've selected actual malware targeted at NATO that has already been analyzed (so we know what it does). Testing malware can and will infect your systems. Malware testing and reverse engineering must only be done on fully isolated systems. We selected a few (real) samples that are relevant for the purpose of this presentation (mainly based on older PDF exploits).

8 Winword.js Adobe.pdf ~temqp.tmp

9 Malware-dropper

11 Malware-dropper blocked by AppLocker

13 [Diagram: process memory (code, stack, heap) containing shellcode; the shellcode walks the Export Address Table (EAT) of NTDLL / Kernel32 to locate the functions it needs]

14 [Diagram: same process memory layout (code, stack, heap, shellcode); access to the NTDLL / Kernel32 EAT is blocked]

15 Malware scanning Export Address Tables (EAT) versus EAF (Export Address Table Access Filtering)

17 [Diagram: process memory (code, heap) under a heap-spray exploit; the heap is filled with the repeated pattern 0c0c 0c0c … forming a nop slide, followed by the shellcode]

18 Buffer overflow

20 Buffer overflow (EMET DEP enabled)

22 Buffer overflow (EMET HeapSpraying enabled)

25 Buffer overflow with ROP exploit (EMET DEP enabled)

27 Buffer overflow with ROP exploit (EMET DEP + Mandatory ASLR enabled)

30 Connect. Share. Discuss. Learning: Microsoft Certification & Training Resources. TechNet: Resources for IT Professionals. Resources for Developers.

31 Evaluations: submit your evals online
