Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Published byAshanti Andros Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions."— Presentation transcript:

1 www.SecurityXploded.com

2 Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the Trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com

3 Acknowledgement  Special thanks to Null community for their extended support and co-operation.  Special thanks to ThoughtWorks for the beautiful venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com

4 Advanced Malware Analysis Training This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets for FREE of cost. For complete details of this course, visit our Security Training page.Security Training page www.SecurityXploded.com

5 Who Are We? Nagareshwar  Founder of SecurityXploded  Reversing, Malware Analysis, Crypto, Secure Coding  Twitter: @tnagareshwar Monnappa  Info Security Investigator @ Cisco  Member of SecurityXploded (SX)  Reverse Engineering, Malware Analysis, Memory Forensics  Twitter: @monnappa22 www.SecurityXploded.com

6 Part I The Trailer (by Nagareshwar) www.SecurityXploded.com

7 Contents of Part 1  What is Virus/Malware/Worm  Symptoms of Infection  Agent in Action  Last Resort  Anti-Malware Tips www.SecurityXploded.com

8 What is Virus/Malware/Worm ?  Malware: Software written for malicious purposes - destroy data, steal money, annoy users  Virus: Malware which requires human intervention to spread - require user to click on the exe, open a document or visit a website  Worm: Malware which can spread automatically - automatically infect other systems in the network - spreads through plug & play devices www.SecurityXploded.com

9 Symptoms of Infection  Unusual Behaviour in Applications  System Slowdown  (Suddenly) Laptop Getting Heated Heavily  Password Change/Reset Emails for your Bank or Online Accounts  Surprise Financial Transactions on your Credit Cards www.SecurityXploded.com

10 Agent in Action  Full Anti-virus Scan (manual) - detect known malwares if any  Rootkit Scan - GMER, SpyDLLRemover (helps in removal of malware DLLs)  Scan the Infected or Suspicious file with VirusTotal - Get the name of virus/malware family - Use VirusTotal Scanner Tool for quick scan  Check with AV sites like McAfee, Symantec for the detected Malware - to understand infection details or for any removal steps www.SecurityXploded.com

11 Agent in Action (contd)  BHO Scan (System Slowdown) - Run SpyBHORemover and disable unusable BHOs  Delete Locked/Hidden/Protected Malware Files - Use GMER to delete Hidden Files/Registry Keys - Boot with BackTrack, mount your drives and delete the files/registry keys  Change Passwords of Bank & other important accounts - Facebook, Google, Twitter, PayPal etc. www.SecurityXploded.com

12 Rootkit Scan using GMER www.SecurityXploded.com

13 Remove Malware DLLs using SpyDLLRemover www.SecurityXploded.com

14 VirusTotal Scanner Tool www.SecurityXploded.com

15 Remove BHOs using SpyBHORemover www.SecurityXploded.com

16 Threat Report on Virus www.SecurityXploded.com

17 Last Resort In case of full system or widespread infections,  System Restore to ‘Right Restore Point’ - look at the dates of infected files and it should give you right date to restore from  Format and Re-install OS - clean-up other drives if necessary  Scan other systems/devices in your Network - Your laptops, office systems or friends system may be infected as well www.SecurityXploded.com

18 Anti-Malware Tips  Never Trust your AntiVirus for Full Protection - It cannot detect advanced virus especially rootkit oriented ones, - Smart virus can disable AV auto protection silently giving you false sense of security  Always Scan any EXE with VirusTotal - scan files downloaded from Internet and even files sent by close friends - Use VirusTotal Scanner for quick scan  Disable AutoRun - most malwares use this mechanism spread very effectively - prevent getting infected through USB stick and stop it from spreading www.SecurityXploded.com

19 Anti-Malware Tips (contd)  Keep tab on your Startup programs - Use HijackThis or AutoRuns from SysInternals  Monitor Worms coming through Network - Use NetShareMonitor  Backup your Critical Files Periodically - One who Laughs last is the one who had the backup :) www.SecurityXploded.com

20 Part II The Real Show (by Monnappa) www.SecurityXploded.com

21 Contents of Part 2  Detection and Removal  Persistent Mechanism  Demo 1  Demo 2  Demo 3  Demo 4 www.SecurityXploded.com

22 Detection and Removal 1) Isolate the system from the rest of the network 2) Look for suspicious file, process, network and registry values 3) Identify the file generating the suspicious activity 4) Isolate the suspicious file 5) verify if the file is malicious 6) Identify the persistence mechanism 7) Break its persistence mechanism 8) Delete the malicious files from the system 9) monitor for suspicious activities (repeat step 2 to step 8) www.SecurityXploded.com

23 Persistent mechanism Below are some of the persistent mechanism used by malware: 1) Run Registry key 2) Appinit_DLL’s 3) WinLogon Notify 4) Runs as Service 5) Service DLL 6) BHO www.SecurityXploded.com

24

25 Suspicious Network Activity www.SecurityXploded.com Packet capture shows suspicious activity from 192.168.1.100

26 Suspicious Process www.SecurityXploded.com Process explorer shows suspicious process on192.168.1.100

27 Persistence Mechanism www.SecurityXploded.com Registers the malicious executable in the “Run” registry key, to survive reboot

28 VirusTotal Results www.SecurityXploded.com Suspicious file was confirmed to be malicious

29 Breaking the Persistence www.SecurityXploded.com Deleting the registry value removes the persistence mechanism used by the malware

30 Removal www.SecurityXploded.com Deleting the malicious file to remove the malware from the system

31

32 Suspicious Network Activity www.SecurityXploded.com Packet capture shows suspicious activity from 192.168.1.100

33 Suspicious Process www.SecurityXploded.com Process explorer shows suspicious process on192.168.1.100

34 Persistence Mechanism www.SecurityXploded.com Malware runs as service which is set to auto-start

35 VirusTotal Results www.SecurityXploded.com Suspicious file was confirmed to be malicious

36 Breaking the Persistence www.SecurityXploded.com Deleting the registry value removes the persistence mechanism used by the malware

37 Removal www.SecurityXploded.com Deleting the malicious file to remove the malware from the system

38

39 Suspicious Network Activity www.SecurityXploded.com Packet capture shows suspicious activity from 192.168.1.100

40 Suspicious Process www.SecurityXploded.com Below screenshot shows svchost.exe (pid 1052) making connections on port 80

41 Persistence Mechanism www.SecurityXploded.com Malware installs a service DLL under the “netsvcs” svchost group

42 VirusTotal Results www.SecurityXploded.com Suspicious file was confirmed to be malicious

43 Breaking the Persistence www.SecurityXploded.com Deleting the registry key removes the persistence mechanism used by the malware

44 Removal www.SecurityXploded.com Deleting the malicious file to remove the malware from the system

45

46 Suspicious Network Activity www.SecurityXploded.com Packet capture shows suspicious activity from 192.168.1.100

47 Suspicious Process Activity www.SecurityXploded.com Shows iexplore.exe making connections on port 80 (even though iexplore.exe was not run manually)

48 Persistence Mechanism www.SecurityXploded.com Malware installs Appinit DLL which loads the DLL into all the process which loads user32.dll

49 Persistence Mechanism (contd) www.SecurityXploded.com Malware hooks to the winlogon event

50 VirusTotal Results www.SecurityXploded.com Suspicious files were confirmed to be malicious

51 Breaking the Persistence www.SecurityXploded.com Deleting the registry key removes the persistence mechanism used by the malware

52 Removal www.SecurityXploded.com Deleting both the malicious files to remove the malware from the system

53 Reference www.SecurityXploded.com Complete Reference Guide for Advanced Malware Analysis Training [Include links for all the Demos & Tools]

54 Thank You ! www.SecurityXploded.com

Download ppt "Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
Online Safety. Introduction The Internet is a very public place Need to be cautious Minimize your personal risk while online Exposure to: viruses, worms,

Online Safety. Introduction The Internet is a very public place Need to be cautious Minimize your personal risk while online Exposure to: viruses, worms,
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Viruses,Hacking and Backups By Grace Mackay 8K Viruses Hacking and Hackers Backups.

Viruses,Hacking and Backups By Grace Mackay 8K Viruses Hacking and Hackers Backups.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
NCS welcome all participants on behalf of Quick Heal Anti Virus and Fortinet Firewall solution.

NCS welcome all participants on behalf of Quick Heal Anti Virus and Fortinet Firewall solution.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Computer Viruses.

Computer Viruses.
IDENTITY THEFT ARE YOU SAFE?. HOW DOES THIS HAPPEN TO ME? Internet “Security “ When using a public computer, never access any vital accounts like banking.

IDENTITY THEFT ARE YOU SAFE?. HOW DOES THIS HAPPEN TO ME? Internet “Security “ When using a public computer, never access any vital accounts like banking.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
Spring 2008 www.umsl.edu/~iclabs. Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.

Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.
Free Software Alternatives: Avast! Anti-virus

Free Software Alternatives: Avast! Anti-virus
INTERNET THREATS AND HOW TO PROTECT YOUR COMPUTER -BRIAN ARENDT.

INTERNET THREATS AND HOW TO PROTECT YOUR COMPUTER -BRIAN ARENDT.
Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.

Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.
Security Advice Georgie Pepper Campsmount Acadamy.

Security Advice Georgie Pepper Campsmount Acadamy.
Contents  Viruses Viruses  Computer Worms Computer Worms  Trojans Trojans  Spyware Spyware  Adware Adware  Spam Spam  Hoaxes and Scams Hoaxes and.

Contents  Viruses Viruses  Computer Worms Computer Worms  Trojans Trojans  Spyware Spyware  Adware Adware  Spam Spam  Hoaxes and Scams Hoaxes and.

Similar presentations

Ads by Google