9. Bad Guys
Motivated by money
New school bad guys are after your electronic wallet
Take over payment systems
Take over the world
Just like Doctor Evil
11. About Me
Work at Capilano University
Hack wet paper bags for a living
I live in Vancouver
I commute by bike
I love 80’s music
I love Backtrack4
20. What is Malware Analysis?
Like being in science class in high school
For example studying a worm
Used microscope
Draw picture or diagram of worm
Observed worm before dissection
24. Malware
Short for malicious program
Program designed to alter the flow of the program
Designed with malicious intent
Gain access to systems
Used to gather information, usually without permission of the owner
26. When I was younger…
Used to deliver malware via floppy disks
My favorite piece of malware was Sub7
38. Zeus
The most notorious and widely-spread information-stealing Trojan in existence
Targets financial data theft
Has led to the loss of millions worldwide
39. Crimeware Toolkit
Zeus is a toolkit that provides a malware creator all of the tools required to build and administer a botnet
Zeus tools are primarily designed for stealing banking information
Zeus can easily be used for other types of data or identity theft
40. Controllers of ZBOT
Capture (banking) credentials
Remote control
Keystroke logging
Screen capture
Proxy services
Spamming
41. Zeus Builder
This page is where you create your bot executables
Once created, you are responsible for distribution
Go find some victims
42. Zeus Configuration
The bot needs a configuration to tell it which address to send all the stolen data
What’s the use of misconfiguring a botnet that can’t send you stolen data?
49. Zeus Flow
Copy itself to another location, execute the copy, delete the original
Lowers browser security settings by changing IE registry entries
Injects code into other processes, main process exits
50. Zeus - Flow
Injected code hooks APIs in each process
Steals several different types of credentials found on the system
51. Zeus - Flow
Downloads config file and processes it
Uses API hooks to steal data
Sends data back to C&C
56. Finding Mules
Recruited via job websites
Receive instructions via website
Process payments
Launder via purchases
Write proper phishing emails
57. Zeus characteristics
Continuously changing, software gets routinely updated
Strong encryption used in various program functions to hide secrets
Software uses packers and unpackers
Anti-virus evasion techniques used
62. Kung Fu
Build analysis workstation
Behavior and Code Analysis
Reverse Engineer
Virus Total
63. Click Happy Fun
Fundamental aspects of malware analysis
Set up an inexpensive and flexible laboratory
Use lab for exploring characteristics of real-world malware
72. Other Tools
Fake DNS and shellcode2exe
LordPE, and PEiD
Malzilla, and SpiderMonkey
Firefox, No Script, BurpSuite
Honeyd, NetCat, curl, wget
Volatility Framework and plug-ins such as malfind2
FTK Imager
80. You can rely on…
Your anti-virus vendor
Web or malware gateway
Network analysis tools
81. Rootkit Revealer
Rootkit detection utility
Lists Registry and file system API discrepancies
Helps indicate the presence of a user-mode or kernel-mode rootkit
86. Temporal Reconstruction
Forensic analysis to reconstruct events surrounding a hacking incident or malware infection
Dead machine and live system analysis
AKA building a timeline
NOTE: live analysis means the data is volatile
87. MACtime
A forensic tool in your digital detective toolkit
Unix and Linux
mtime, atime, and ctime
Windows
LastWriteTime, LastAccessTime, and CreationTime
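A small timeline builder in the spirit of mactime, added here as an example (not the Sleuth Kit tool itself). It takes per-file m/a/c timestamps, as os.stat() would report them, and prints one sorted row per event; the sample entries are constructed.

```python
from datetime import datetime, timezone

# Constructed sample entries: (path, mtime, atime, ctime) as Unix epoch seconds.
# On Unix/Linux ctime is the inode change time; on Windows the equivalents are
# LastWriteTime, LastAccessTime and CreationTime.
SAMPLE_STATS = [
    ("/tmp/dropper.exe", 1_262_304_000, 1_262_304_120, 1_262_304_000),
    ("/home/user/.ssh/authorized_keys", 1_262_304_180, 1_262_304_180, 1_262_304_180),
    ("/var/log/auth.log", 1_262_303_000, 1_262_304_200, 1_262_303_000),
]


def build_timeline(stats):
    """Return [(timestamp, 'mac' flags, path)] sorted by time.

    Events with the same timestamp on the same file are merged into one row
    with several flags set (e.g. 'm.c'), the way mactime output reads.
    """
    rows = {}
    for path, mtime, atime, ctime in stats:
        for ts, flag in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            rows.setdefault((ts, path), set()).add(flag)
    timeline = []
    for (ts, path), flags in sorted(rows.items()):
        mac = "".join(f if f in flags else "." for f in "mac")
        timeline.append((ts, mac, path))
    return timeline


def format_row(ts, mac, path):
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {mac} {path}"


if __name__ == "__main__":
    # Reading the rows top to bottom shows the dropper landing, being
    # executed (atime), and the SSH key being planted shortly after.
    for row in build_timeline(SAMPLE_STATS):
        print(format_row(*row))
```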
91. File Carving
Tool for recovering files and fragments of files when directory entries are corrupt or missing
For example – a directory listing of pictures
The pictures are all deleted in the catalogue
File carving allows the investigator to recover the pictures without directory listings
108. VAD Walk
Virtual Address Descriptor (VAD) tree structure in Windows memory dumps
Method to locate and parse the structure of physical memory
Method walks the tree for the “hacked” process
115. Click Happy – Infect your system
Set up your process viewers
Snapshot your registry with Regshot
Configure FakeDNS
Start Wireshark
Double click that executable
Intercept system and network-level activities in the analysis lab
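The FakeDNS step above, as an added example rather than the FakeDNS tool itself: a responder that answers every A query with the analysis box's address, so a sample's C&C lookups resolve into the lab instead of the Internet. LAB_IP, encode_query and the sample query are assumptions constructed for the example.

```python
import struct

LAB_IP = "10.0.0.1"  # assumed address of the lab host that will receive the traffic


def parse_qname(packet, offset=12):
    """Return (name, offset just past the question) for the first question."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset + 4  # skip QTYPE and QCLASS


def build_fake_response(query, answer_ip=LAB_IP, ttl=60):
    """Return (response bytes, queried name). IN A queries get answer_ip;
    anything else gets an empty answer section rather than a wrong record."""
    txid = query[:2]
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end - 4:end])
    question = query[12:end]
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    if qtype != 1 or qclass != 1:
        return txid + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + question, name
    header = txid + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # 0xC00C: compression pointer back to the name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answer, name


def encode_query(txid, name, qtype=1):
    """Constructed standard query, as a stub resolver in the infected VM would send."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    import socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 53))  # needs root; point the infected VM's DNS at this host
    while True:
        data, addr = sock.recvfrom(512)
        reply, name = build_fake_response(data)
        print(f"{addr[0]} asked for {name} -> {LAB_IP}")  # the lookup is the IoC
        sock.sendto(reply, addr)
```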
119. Reverse engineering is the process of analyzing a subject to create representations of the system at a higher level of abstraction
120. Understanding 1’s and 0’s
Software person programs in a language
Program gets compiled
1’s and 0’s get “translated” from human-readable code to machine instructions
Reverse engineering attempts to take machine instructions and create human-readable code
128. Purpose of R.E.
Manually follow flow of program visually using graphs
Manually follow flow of program reading the code
Execute code with breakpoints to control the flow of the program during runtime
Look for hints or clues to origin, signatures, or programming style
Look for characteristics of program
129. Reverse-Engineering Benefits
Sophisticated malware protects itself from discovery and analysis
Malware will have passwords, backdoors, and secret methods to hide and protect information
Allows analyst to discover great detail on the operations and flow control of the program
130. Wouldn’t it be nice to have the login and password to the Command and Control Server of a BotNet?
134. Other Benefits of R.E.
Performing static and dynamic code analysis of malicious Windows executables
Step through code using debuggers like OllyDbg or SoftICE
136. Using OllyDbg
Drag executable onto OllyDbg
“Step into” each instruction until something fun happens
In the register section you can observe what is being run in memory
147. APT?
Advanced Persistent Threat
Threat, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity
148. Coordinated human involvement
NOT a mindless and automated piece of code
Specific objective
Skilled and motivated
Organized and well funded