Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Identification and Classification

Similar presentations

Presentation on theme: "Malware Identification and Classification"— Presentation transcript:

1 Malware Identification and Classification
Yara & Python Malware Identification and Classification CarolinaCon 7 Michael Goffin @mjxg

2 Hey sir! Why hello there!! Rochester Institute of Technology
Computer Science House Information Security Scientist/Engineer

3 What’s in store? Malware Yara Python
Identification and Classification of Malware Showing it all off QQ session

4 Malware! Sonofa...

5 Methods of acquisition
downloads compromised website content (ex: images) attachments links to compromised site content

6 You’ve been infiltrated!
Things to note: You don’t know it yet, and might not for a while You don’t know the scope of it You don’t know the severity of it But you eventually see something…

7 Start the cycle!

8 Management wants answers!

9 What do you do next? Go into a panic!
Oh no! We should remove the known compromised host(s) from network! We should assess the compromise…somehow! Oh geez, might be good to change passwords – let’s just have everyone do it just in case! We need to go through logs and other hosts for signs of lateral movement – wait, what are we looking for? Can we make firewall rules to block any IPs or domains? Do we have any AV or IDS appliances?

10 Most importantly You did get a copy of the malware to analyze, right? …Right?

11 Get better at data mining!
Who is interested in this user or your company? What are they trying to do with this malware (and what are they exploiting?)? When did this malware come in? Where did it come from and where did it go to? Why are they after your company, or this user? How does this malware help them accomplish their goals?

12 What do we do with all the data?
Build a classification database over time! Identify trends Find commonalities

13 Lots of action, now what?

14 Enter Yara

15 What does Yara do? Identify and classify malware samples based on textual or binary patterns contained within those samples MALWARE!

16 How does it do it? Pretty basic: Search for patterns
Use defined conditions to determine if the patterns are a positive match Output matching rule content for consumption

17 Yara and Python Step 1: % python Step 2: > import yara > rules = yara.compile(signatures) > matches = rules.match(filetoscan) Step 3: profit

18 As the old saying goes… If it walks like a duck…
And it quacks like a duck… It’s probably the DHA installing backdoors and keyloggers while xfil’ing your data.

19 Identification Can we tease out specific characteristics about this piece of malware that can describe it both from a functional and fashionable perspective? What does it attempt to touch? What does it attempt to modify? Is this type of malware stylish? Etc.

20 Identification Are there any quantitative or qualitative datasets about this malware that can help further describe its nature? Functions used in other malware Code style similar to other malware IPs or domains used Specific targets (files, processes, etc.) End result of successful execution

21 Classification Questions[1]:
Does an unknown malware instance belong to a known malware family or does it constitute a novel malware strain? What behavioral features are discriminative for distinguishing instances of one malware family from those of other families? Compare these to our Identification

22 Strains Trojan Rootkit Backdoor Xfil Worms Ransomware Keylogger

23 Build Signatures Generate conditions Build rules for those conditions
Compile rules into a signature set Develop process to scan files using those signature sets Generate alerts Set human response expectations to these alerts!!

24 What a rule looks like rule foo { meta: key: value strings: $variable = something condition: logic_for_determining_positive_rule_match }

25 Conditions Some basic condition examples: A string or value exists
A set of strings or values exist Strings or values at certain offsets exist The number of times a string or value occurs File size restriction

26 Let’s see Yara in action!

27 How to incorporate Yara
Web downloads Web content Urllib attachments Honeypots Grab files from AV and IDS appliances to scan!

28 Why Yara? Supplement to additional applications (Snort, AV, detonation chambers) MD5 of known malware only good if exact file is seen again Detect future malware with similar identifiers that AV or IDS might not catch yet Free

29 The cooldown… Questions?

30 References [1] Learning and Classification of Malware Behavior – Rieck, Holz, Willems, Dussel, Laskov

Download ppt "Malware Identification and Classification"

Similar presentations

Ads by Google