Part 1: Basic Analysis Chapter 1: Basic Static Techniques


Part 1: Basic Analysis
- Chapter 1: Basic Static Techniques
- Chapter 2: Malware Analysis in Virtual Machines
- Chapter 3: Basic Dynamic Analysis

Chapter 1: Basic Static Techniques

Static analysis
- Examine the payload without executing it, to determine what it does and whether it is malicious
- Done by scanning the file's content (strings, headers, imports, hashes) rather than observing behaviour

File signatures
- Common code or data shared across malware instances, e.g. embedded URL strings, decryptor code
- Examples:
  - Strings search on metadata, error messages, constants
  - Regular expression searches (e.g. for URLs, IP addresses, registry paths)
  - Hashing (e.g. MD5, SHA-1, SHA-256) to fingerprint the whole file; note that a single changed byte yields a different hash, so a hash only matches the exact same sample

Signatures generated via analysis
- Artifacts revealed by the binary itself
- Tools for dumping linked libraries: Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
- Look for common shared libraries (e.g. kernel32.dll, user32.dll, libc.so) and the functions imported from them; the import list hints at capability (networking, registry writes, process injection)
- Disassemblers

But…
- Astronomical growth in the number of signatures
- Coverage by a single tool is difficult
- Cloud-based anti-virus: http://www.virustotal.com (bought by Google in 2012)
  - But it is a public service: uploading a sample lets the attacker learn when their malware has been seen and identified
- Alternative: a private malware sandbox/analysis service (e.g. VMRay)

Malware counter-measures
- Obfuscation
  - The author hides what the code does to make static analysis difficult
- Packing
  - Code is compressed and/or encrypted, so static analysis sees only the unpacking stub, not the payload (Figure 1-4)
  - The unpacking code is common to many samples, so some packers can be identified by signature (PEiD); sections with near-random byte entropy are another tell
- Polymorphism and metamorphism
  - Code transformed into an equivalent but different form to thwart static signatures (polymorphic: the body is re-encrypted with a varying decryptor; metamorphic: the code itself is rewritten)
- Example: Mimikatz (Windows credential-theft tool, also shipped as a Metasploit/Meterpreter extension)
  - Detection fell from 54/54 (100%) to 4/54 after replacing the string 'mimikatz' with 'kitikatz' and recompiling
  - Signature-only AV is effectively defeated by changes that trivial

Chapter 2: Malware Analysis in VMs
Chapter 3: Basic Dynamic Analysis

Malware and VMs
- Most malware must be executed to be analyzed fully
- This requires a safe, isolated environment: VirtualBox, VMware
- Host-only networking, so traffic can be monitored without the sample reaching the Internet
- Snapshots and roll-back to a clean state between runs
- Record and replay execution

Sandboxes
- Simpler alternative to a hand-driven VM
- Behaviour isolation plus coarse-grained tracking of what the malware does:
  - File system activity
  - Registry activity
  - Network activity
- Examples: GFI Sandbox, Norman SandBox
- Caveat: a sandbox runs the sample briefly in a fixed environment, so sleep-delayed or VM-aware malware may show nothing; a quiet run is not proof that a file is benign
- Always use a sandbox or VM to analyze malware

Don’t be like…

But, it can be subtle
- FireEye malware-detection appliance (12/2015, reported by Google Project Zero)
  - Performed static analysis of Java byte-code via a Java decompiler (JODE), so it did not run the sample in a VM
  - But the decompiler's deobfuscation step executed byte code from the sample as well
  - Result: instant remote code execution on the appliance from any file it inspected off the wire
  - The security product was now *worse* than having no product

Monitoring execution
- Procmon (Process Monitor), www.sysinternals.com
  - Combines process, file, registry and network monitoring to track execution behaviour
  - Events can be exported (CSV/XML), so the process tree can be reconstructed after the run
  - Sysmon, from the same suite, logs a similar event set to the Windows event log; it is meant for always-on monitoring rather than interactive analysis
- Process Hacker (http://processhacker.sourceforge.net/)
  - Process and memory monitoring
- Process Explorer
  - Verify a running process against its on-disk executable image
  - Determine whether malicious documents are launching new processes
- Regshot
  - Snapshot the registry before and after execution and flag the changes

Monitoring execution (network)
- ApateDNS
  - Capture DNS requests and modify the replies (e.g. point every name at the analysis host)
  - More comprehensive follow-on tool from the same team: FakeNet-NG, https://github.com/fireeye/flare-fakenet-ng/releases
- Netcat
  - Proxying and emulating connections
- Wireshark
  - Packet capture tool
- INetSim
  - Simulate common Internet services (HTTP, HTTPS, DNS, SMTP, ...)
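The ApateDNS bullet above is the whole trick behind a lab DNS sinkhole: answer every A query with the analyst's own address so the sample's C2 traffic lands on a listener (netcat or INetSim) instead of leaving the VM. The block below is an added example written for these notes, not ApateDNS, FakeNet-NG or INetSim code: it builds and parses the DNS wire format with `struct`, answers queries with a fixed IP, and includes the UDP serving loop. The sinkhole address 192.168.56.1, the query name and the transaction IDs are assumptions for the example; the query packet is constructed in code so the module runs offline.

```python
"""Minimal DNS sinkhole: log every name asked for, answer A with our IP.

Added example for the network-monitoring slide; it is not ApateDNS or
FakeNet-NG code. Assumes a host-only lab network where the analyst's
listener lives at SINKHOLE_IP.
"""
import socket
import struct

SINKHOLE_IP = "192.168.56.1"   # assumption: analysis host on the host-only network
TTL = 60


def encode_name(name: str) -> bytes:
    r"""'www.example.com' -> b'\x03www\x07example\x03com\x00'"""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt: bytes, offset: int):
    """Read a name (following compression pointers); return (name, next_offset)."""
    labels = []
    while True:
        length = pkt[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # RFC 1035 compression pointer
            ptr = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(pkt, ptr)
            labels.append(name)
            offset += 2
            break
        offset += 1
        labels.append(pkt[offset:offset + length].decode())
        offset += length
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1337, qtype: int = 1) -> bytes:
    """Standard recursive query with one question, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (txid, qname, qtype) from the first question; reject responses."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1 or flags & 0x8000:
        raise ValueError("not a query")
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, qname, qtype


def build_response(query: bytes, ip: str = SINKHOLE_IP) -> bytes:
    """Echo the question; answer A queries with `ip`, others with no answer."""
    txid, qname, qtype = parse_query(query)
    question = query[12:12 + len(encode_name(qname)) + 4]
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA
    answer = b""
    if ancount:
        answer = (b"\xc0\x0c"                               # pointer to qname at offset 12
                  + struct.pack("!HHIH", 1, 1, TTL, 4)       # A, IN, TTL, rdlength
                  + socket.inet_aton(ip))
    return header + question + answer


def parse_answer_ip(resp: bytes):
    """Pull the A record out of a response, i.e. what the sample will connect to."""
    _txid, _flags, _qd, ancount = struct.unpack("!HHHH", resp[:8])
    if ancount == 0:
        return None
    _name, off = decode_name(resp, 12)
    off += 4                                   # qtype + qclass
    _name, off = decode_name(resp, off)        # answer owner name (pointer)
    _t, _c, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    return socket.inet_ntoa(resp[off:off + rdlen])


def serve(bind=("0.0.0.0", 53), ip=SINKHOLE_IP):
    """Blocking UDP loop: log every lookup, redirect every A query to `ip`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            pkt, peer = s.recvfrom(512)
            try:
                _, qname, qtype = parse_query(pkt)
            except (ValueError, IndexError, struct.error):
                continue                        # malformed or not a query
            print(f"{peer[0]} asked type {qtype} for {qname} -> {ip}")
            s.sendto(build_response(pkt, ip), peer)


if __name__ == "__main__":
    q = build_query("www.practicalmalwareanalysis.com")       # constructed query
    print(parse_query(q), parse_answer_ip(build_response(q)))
```

Point the analysis VM's DNS server at the host running `serve()` (binding port 53 needs root), then watch the log: the names a sample resolves, in order, are often the first real indicator of its C2 infrastructure, before any payload is decoded.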

Tools in action
- See p. 57 in the text (msts.exe)
- Set up the tools first: process/network/registry monitoring, VMs, server emulation (Fig. 3-12)
- Contacts a web site (the textbook's) – ApateDNS
- Creates a new file (winhlp2.exe) – procmon
- Modifies the registry to autorun – Regshot
- Creates a mutex to ensure only a single instance runs – Process Explorer
- Contacts a server over port 443 (https), but does not speak SSL/TLS – INetSim
- Speaks a custom protocol – Wireshark
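The procmon and Regshot findings in the walkthrough above (a dropped executable, an autorun key, a child process, a connection on 443) are exactly what a short script over a Procmon CSV export can pull out, and the process-tree reconstruction mentioned on the monitoring slide falls out of the same data. The block below is an added example written for these notes, not the textbook's lab or a log from the real sample: it assumes Procmon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and runs over a constructed log that mirrors the walkthrough's behaviour. PIDs, paths and the connection string are made up for the example.

```python
"""Triage of a Process Monitor CSV export: process tree, dropped
executables, autorun persistence, outbound connections.

Added example for the monitoring slides and the msts.exe walkthrough; not
course or textbook code. Assumes Procmon's default CSV column set. The log
is constructed to mirror the walkthrough, not captured from the sample.
"""
import csv
import io
import re

PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1204","Process Create","C:\\Lab\\msts.exe","SUCCESS","PID: 3344, Command line: C:\\Lab\\msts.exe"
"10:01:02.5","msts.exe","3344","CreateFile","C:\\Windows\\System32\\winhlp2.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:01:02.6","msts.exe","3344","WriteFile","C:\\Windows\\System32\\winhlp2.exe","SUCCESS","Offset: 0, Length: 7,168"
"10:01:02.7","msts.exe","3344","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\winhlp2","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\\Windows\\System32\\winhlp2.exe"
"10:01:03.0","msts.exe","3344","Process Create","C:\\Windows\\System32\\winhlp2.exe","SUCCESS","PID: 3360, Command line: C:\\Windows\\System32\\winhlp2.exe"
"10:01:03.2","winhlp2.exe","3360","TCP Connect","analysis-vm:49321 -> 192.168.56.1:443","SUCCESS","Length: 0, mss: 1460"
"10:01:04.0","svchost.exe","880","RegQueryValue","HKLM\\SYSTEM\\Setup\\SystemSetupInProgress","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"""

AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
EXEC_EXT_RE = re.compile(r"\.(exe|dll|sys|scr|bat|ps1)$", re.I)
SYSTEM_DIRS = ("c:\\windows\\",)


def parse(csv_text: str) -> list:
    """One dict per Procmon event, keyed by the export's column names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def process_tree(events: list) -> dict:
    """Map parent PID -> [(child PID, image path)] from 'Process Create' rows."""
    tree = {}
    for e in events:
        if e["Operation"] == "Process Create":
            m = re.match(r"PID: (\d+)", e["Detail"])
            if m:
                tree.setdefault(int(e["PID"]), []).append((int(m.group(1)), e["Path"]))
    return tree


def render_tree(tree: dict, root: int, depth: int = 0) -> list:
    """Indented lines, one per descendant of `root`."""
    lines = []
    for child, image in tree.get(root, []):
        lines.append("  " * depth + f"{child} {image}")
        lines.extend(render_tree(tree, child, depth + 1))
    return lines


def dropped_executables(events: list) -> list:
    """Files the sample created that look executable; flag system directories."""
    out = []
    for e in events:
        if (e["Operation"] == "CreateFile" and "OpenResult: Created" in e["Detail"]
                and EXEC_EXT_RE.search(e["Path"])):
            out.append({"pid": int(e["PID"]), "path": e["Path"],
                        "in_system_dir": e["Path"].lower().startswith(SYSTEM_DIRS)})
    return out


def autorun_writes(events: list) -> list:
    """The Regshot finding: values written under Run/RunOnce keys."""
    out = []
    for e in events:
        if e["Operation"] == "RegSetValue" and AUTORUN_RE.search(e["Path"]):
            data = e["Detail"].split("Data: ", 1)[-1]
            out.append({"pid": int(e["PID"]), "key": e["Path"], "data": data})
    return out


def network_connections(events: list) -> list:
    """(process, 'src -> dst') for outbound TCP/UDP events."""
    return [(e["Process Name"], e["Path"]) for e in events
            if e["Operation"].startswith(("TCP Connect", "UDP Send"))]


def triage(csv_text: str) -> dict:
    ev = parse(csv_text)
    return {"tree": process_tree(ev), "dropped": dropped_executables(ev),
            "autorun": autorun_writes(ev), "network": network_connections(ev)}


if __name__ == "__main__":
    report = triage(PROCMON_CSV)
    print("\n".join(render_tree(report["tree"], 1204)))
    for key in ("dropped", "autorun", "network"):
        print(key, report[key])
```

Export from Procmon with File > Save, CSV format, after filtering to the sample's PID and its children, then point `triage` at the file. The mutex from the walkthrough will not appear here: Procmon does not log object-manager calls, which is why the slide attributes that finding to Process Explorer's handle view.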

In-class exercises
- Lab 1-1, Lab 1-2
- Lab 3-2, Lab 3-4