Automated Malware Analysis
Nguyễn Chấn Việt
Organized by:

Sponsored by:
Malware Attacks Growing
• Office exploits
• PDF exploits
• Browser exploits
• …

10/29/2013 11:15 AM

www.securitybootcamp.vn
Anatomy of the attack
Stage 1 : Exploitation / Phishing / Social Engineering
Stage 2 : The dropper executes & disables existing security controls
Stage 3 : “Real” malware is downloaded and installed
Stage 4 : Steal sensitive data
Stage 5 : Communicate with external C&C servers, used to facilitate further attacks

Why do we need it?
• There is far too much malware in the wild
• Manual analysis takes a lot of time
• Static analysis requires strong skillsets
• Need to deal with packed, polymorphic, self-modifying code
• Performing dynamic analysis manually is tedious work
=> How can we handle the large volume of malware samples collected each day?

Methods of malware analysis
• Signatures
• Heuristics
• Discrete Objects Analysis
• Contextual Analysis

Online AMAs
• VirusTotal : http://www.virustotal.com/
• ThreatExpert : http://www.threatexpert.com/filescan.aspx
• Anubis : http://anubis.iseclab.org/
• Joebox :
– http://www.file-analyzer.net/
– http://www.apk-analyzer.net/
– http://www.document-analyzer.net/
– http://www.url-analyzer.net/

Offline AMAs
• CWSandbox : commercial
• Cuckoo Sandbox : free and open source
• Zerowine : a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux
• Malheur

Cuckoo is my choice
• Cuckoo Sandbox was started as a 2010 Summer of Code project
• It now consists of around 50000 lines of code written in Python and C
• Sponsored by Rapid7 in a program called “Magnificent7”
• Why we chose it:
– Easy to use
– Easy to customize
– Nice Web-UI and comprehensive reports
– Open source

Cuckoo is my choice

Execution flow
• Fetch a task
• Prepare the analysis
• Launch the analyzer in a virtual machine
• Execute an analysis package
• Complete the analysis
• Store the results
• Process and create reports
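As an added example (not code from the deck or from the Cuckoo project), here is a small processing step of the kind the last stage above performs: it takes a Cuckoo-style report dictionary, pulls out the indicators an analyst wants to see, and turns a few behaviours into findings. The report below is constructed; its layout (behavior.summary.files/keys/mutexes, network.hosts/dns, target.file) is assumed to follow Cuckoo's report.json, and the heuristics, finding names and score are this example's own, not a Cuckoo module or signature.

```python
import json
import re

# Constructed Cuckoo-style report (not real analysis output). Its layout is
# assumed to follow Cuckoo's report.json (behavior.summary.*, network.*,
# target.file.*); the sha256 is a placeholder, not a real sample hash.
SAMPLE_REPORT = json.loads(r"""
{
  "info": {"id": 42},
  "target": {"file": {"name": "invoice.exe", "sha256": "<placeholder-sha256>"}},
  "behavior": {"summary": {
    "files": ["C:\\Users\\victim\\AppData\\Local\\Temp\\svch0st.exe",
              "C:\\Users\\victim\\Documents\\report.docx"],
    "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
    "mutexes": ["Global\\constructed-mutex"]
  }},
  "network": {"hosts": ["192.0.2.10"], "dns": [{"request": "c2.example.net"}]}
}
""")

# Heuristics used by this example's reporting step (not Cuckoo signatures).
PERSISTENCE_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_EXECUTABLE = re.compile(r"\\Temp\\[^\\]+\.(exe|dll|scr)$", re.IGNORECASE)


def extract_iocs(report: dict) -> dict:
    """Flatten the indicators an analyst wants out of a report dictionary."""
    summary = report.get("behavior", {}).get("summary", {})
    network = report.get("network", {})
    return {
        "files": list(summary.get("files", [])),
        "registry": list(summary.get("keys", [])),
        "mutexes": list(summary.get("mutexes", [])),
        "hosts": list(network.get("hosts", [])),
        "domains": [q["request"] for q in network.get("dns", []) if "request" in q],
    }


def score_report(report: dict) -> dict:
    """Turn raw behaviour into a short list of findings plus a crude score."""
    iocs = extract_iocs(report)
    findings = []
    if any(PERSISTENCE_KEY.search(k) for k in iocs["registry"]):
        findings.append("persistence_run_key")
    if any(TEMP_EXECUTABLE.search(f) for f in iocs["files"]):
        findings.append("drops_executable_in_temp")
    if iocs["hosts"] or iocs["domains"]:
        findings.append("network_activity")
    return {
        "task_id": report.get("info", {}).get("id"),
        "sample": report.get("target", {}).get("file", {}).get("name"),
        "iocs": iocs,
        "findings": findings,
        "score": len(findings),  # one point per finding; tune for real use
    }


if __name__ == "__main__":
    print(json.dumps(score_report(SAMPLE_REPORT), indent=2))
```

The point of keeping the extraction separate from the scoring is that the IoC list feeds blocklists and YARA/Volatility follow-up regardless of how the verdict heuristics evolve.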

Your VM can be detected

Your sandbox can be detected

Hardening
• Integrate with pafish (Paranoid Fish)
• Keep the VM-detection bypass methods up to date
• More info :
– http://www.alienvault.com/open-threat-exchange/blog/hardening-cuckoosandbox-against-vm-aware-malware
– http://kromer.pl/malware-analysis/installing-and-hardening-latest-cuckoosandbox-on-gentoo-linux/
– http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardeningvirtualbox.html

Others
• CuckooMX: Automating Email Attachments Scanning with Cuckoo

How about post-analysis?
• Cuckoo + Volatility + YARA

Volatility
• An advanced memory forensics framework
• Written in Python
• Open source
• Active development
– Month of Volatility Plugins (MoVP)
– Annual Volatility Framework Plugin Contest
• Large community

Volatility
• There are many modules for :
– Detecting Windows GUI hooking
– Detecting user-mode hooks (IAT/Inline/…)
– Detecting kernel-mode hooks (SSDT/IRP/…)
– Detecting hidden processes
– Detecting hidden kernel modules
– Detecting hidden connections

YARA
• YARA is a tool aimed at helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families.

YARA
• Example : The rule below tells YARA that any file containing one of the three strings must be reported as silent_banker.

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
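To make the rule's semantics concrete, here is an added example (not code from the deck or from the YARA project) that re-implements the matching of the silent_banker rule in plain Python: the two hex strings and the text string are compiled to byte regexes, each is searched for in a buffer, and the `$a or $b or $c` condition is evaluated over the identifiers that matched. It goes slightly beyond the slide by accepting the `??` wildcard byte that YARA hex strings allow. The sample buffers are constructed, not real malware; in practice you would compile the rule with yara-python rather than this toy matcher.

```python
import re

# The rule from the slide, transcribed into plain data so this example can
# evaluate it without yara-python. Real deployments should compile rules
# with yara-python; this is a minimal re-implementation of the matching
# semantics for illustration only.
RULE_NAME = "silent_banker"
RULE_TAGS = ["banker"]
RULE_STRINGS = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}
RULE_CONDITION = "$a or $b or $c"


def compile_string(spec: str) -> re.Pattern:
    """Compile one YARA string definition into a bytes regex.

    Hex strings ({6A 40 ...}) may contain the ?? wildcard byte, which goes
    beyond the slide's rule; text strings ("...") match literally (no
    nocase/wide modifiers are handled here).
    """
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        parts = []
        for tok in spec[1:-1].split():
            # "??" matches any single byte; everything else is a literal byte.
            parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
        return re.compile(b"".join(parts), re.DOTALL)
    if spec.startswith('"') and spec.endswith('"'):
        return re.compile(re.escape(spec[1:-1].encode("ascii")))
    raise ValueError(f"unsupported string definition: {spec}")


def find_offsets(spec: str, data: bytes) -> list:
    """Return every offset at which the string definition occurs in data."""
    return [m.start() for m in compile_string(spec).finditer(data)]


def scan(data: bytes) -> dict:
    """Apply the rule to a buffer and return a yara-python-like match summary."""
    matched = {}
    for ident, spec in RULE_STRINGS.items():
        offsets = find_offsets(spec, data)
        if offsets:
            matched[ident] = offsets
    # The condition on the slide is a plain disjunction of string identifiers.
    terms = [t.strip() for t in RULE_CONDITION.split(" or ")]
    return {
        "rule": RULE_NAME,
        "tags": RULE_TAGS,
        "matches": any(t in matched for t in terms),
        "strings": matched,
    }


# Constructed sample buffers (not real malware): the first embeds the $a
# byte sequence after 16 filler bytes, the second embeds the $c text at
# offset 8, the third contains none of the patterns.
SAMPLE_WITH_A = b"\x90" * 16 + bytes.fromhex("6A4068003000006A148D91") + b"\x00" * 8
SAMPLE_WITH_C = b"MZ\x90\x00" + b"junk" + b"UVODFRYSIHLNWPEJXQZAKCBGMT" + b"\x00" * 8
SAMPLE_CLEAN = bytes(range(256))

if __name__ == "__main__":
    for name, buf in [("with_a", SAMPLE_WITH_A), ("with_c", SAMPLE_WITH_C), ("clean", SAMPLE_CLEAN)]:
        print(name, scan(buf))
```

Note that a single matching string is enough for a hit, exactly as the slide says; a rule meant for production would usually tighten the condition (for example `2 of them`, or `uint16(0) == 0x5A4D and ...`) so that one short byte sequence occurring by chance in a benign file does not raise an alert.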

Who’s using YARA
• VirusTotal Intelligence (https://www.virustotal.com/intelligence/)
• jsunpack-n (http://jsunpack.jeek.org/)
• We Watch Your Website (http://www.wewatchyourwebsite.com/)
• FireEye, Inc. (http://www.fireeye.com)
• Fidelis XPS (http://www.fidelissecurity.com/network-securityappliance/Fidelis-XPS)

New Automated Malware Capability Detection System

• CrowdSource: Applying machine learning to web technical documents to automatically identify malware capabilities
– detects debugger-based reversing
– encrypts / decrypts data
– provides remote desktop capability
– steals or modifies cookies
– mines or steals bitcoins
– communicates over SMTP
– has GUI functionality
– communicates with a database
– communicates via the IRC protocol
– logs keystrokes
– takes screenshots

• Planning to release CrowdSource as an open source tool in November
Conclusion
• The fight against malware is a cat-and-mouse game
• We should :
– Make use of Automated Malware Analysis
– Keep up with new techniques
– Use the simplest method for each scenario

Thank you!


Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
