4. Anatomy of the attack
Stage 1 : Exploitation / Phishing / Social Engineering
Stage 2 : The dropper executes and disables existing security controls
Stage 3 : The “real” malware is downloaded and installed
Stage 4 : Steal sensitive data
Stage 5 : Communicate with external C&C servers, used to facilitate further attacks
10/29/2013 11:15 AM
www.securitybootcamp.vn
5. Why do we need it?
• Malware in the wild is far too plentiful
• Manual analysis takes a lot of time
• Static analysis requires strong skillsets
• Need to deal with packed, polymorphic, self-modifying code
• Performing dynamic analysis manually is tedious work
=> How can we handle the large volume of malware samples collected each day?
6. Methods of malware analysis
• Signatures
• Heuristics
• Discrete Objects Analysis
• Contextual Analysis
8. Offline AMAs
• CWSandbox : commercial
• Cuckoo Sandbox : free and open source
• Zerowine : a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux
• Malheur
9. Cuckoo is my choice
• Cuckoo Sandbox was started as a 2010 Summer of Code project
• It now consists of around 50000 lines of code written in Python and C
• Sponsored by Rapid7 in a program called “Magnificent7”
• Why we chose it :
– Easy to use
– Easy to customize
– Nice Web-UI and comprehensive reports
– Open source
10. Cuckoo is my choice
11. Execution flow
• Fetch a task
• Prepare the analysis
• Launch the analyzer in the virtual machine
• Execute an analysis package
• Complete the analysis
• Store the results
• Process and create reports
12. Your VM can be detected
13. Your sandbox can be detected
14. Hardening
• Integrate with pafish (Paranoid Fish)
• Keep the countermeasures against VM-detection methods up to date
• More info :
– http://www.alienvault.com/open-threat-exchange/blog/hardening-cuckoosandbox-against-vm-aware-malware
– http://kromer.pl/malware-analysis/installing-and-hardening-latest-cuckoosandbox-on-gentoo-linux/
– http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardeningvirtualbox.html
16. What about post-analysis?
• Cuckoo + Volatility + YARA
17. Volatility
• An advanced memory forensics framework
• Written in Python
• Open source
• Active development
– Month of Volatility Plugins (MoVP)
– Annual Volatility Framework Plugin Contest
• Large community
18. Volatility
• There are many modules for :
– Detecting Windows GUI hooking
– Detecting user-mode hooks (IAT/Inline/…)
– Detecting kernel-mode hooks (SSDT/IRP/…)
– Detecting hidden processes
– Detecting hidden kernel modules
– Detecting hidden connections
19. YARA
• YARA is a tool aimed at helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families.
20. YARA
• Example : The rule below tells YARA that any file containing one of the three strings must be reported as silent_banker.

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
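As an added illustration (not part of the slides and not YARA's own engine), the following Python matcher evaluates the silent_banker rule's three strings and its `$a or $b or $c` condition over in-memory buffers, the way a sandbox post-processing step would scan a dumped file or memory region; it goes slightly beyond the slide by also accepting YARA's `??` byte wildcard inside hex strings. The sample buffers are constructed padding, not real malware.

```python
import re

# Strings from the silent_banker rule on the slide: two hex strings and one text string.
SILENT_BANKER = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}


def pattern_to_regex(spec: str) -> bytes:
    """Convert a YARA-style hex string ({..}, '??' wildcard allowed) or a
    double-quoted text string into a bytes regular expression."""
    if spec.startswith("{"):
        parts = []
        for tok in spec.strip("{} ").split():
            # '??' matches any single byte; every other token is one literal byte.
            parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
        return b"".join(parts)
    return re.escape(spec.strip('"').encode())


def scan(data: bytes, strings: dict) -> dict:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits = {}
    for ident, spec in strings.items():
        regex = re.compile(pattern_to_regex(spec), re.DOTALL)
        offsets = [m.start() for m in regex.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def matches_silent_banker(data: bytes) -> bool:
    """The slide's condition: the file matches when $a or $b or $c is present."""
    hits = scan(data, SILENT_BANKER)
    return any(ident in hits for ident in ("$a", "$b", "$c"))


# Constructed sample buffers (assumed for the demo): an "MZ" header, padding,
# and, in the first buffer only, the exact bytes of $a at offset 18.
SAMPLE_HIT = b"MZ" + b"\x00" * 16 + bytes.fromhex("6A4068003000006A148D91") + b"\x90" * 8
SAMPLE_MISS = b"MZ" + b"\x00" * 16 + b"\x90" * 8

if __name__ == "__main__":
    print("silent_banker hit:", scan(SAMPLE_HIT, SILENT_BANKER))
    print("clean buffer    :", scan(SAMPLE_MISS, SILENT_BANKER))
```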
21. Who’s using YARA
• VirusTotal Intelligence (https://www.virustotal.com/intelligence/)
• jsunpack-n (http://jsunpack.jeek.org/)
• We Watch Your Website (http://www.wewatchyourwebsite.com/)
• FireEye, Inc. (http://www.fireeye.com)
• Fidelis XPS (http://www.fidelissecurity.com/network-securityappliance/Fidelis-XPS)
22. New Automated Malware Capability Detection System
• CrowdSource: applying machine learning to web technical documents to automatically identify malware capabilities
– detects debugger-based reversing
– encrypts / decrypts data
– provides remote desktop capability
– steals or modifies cookies
– mines or steals bitcoins
– communicates over SMTP
– has GUI functionality
– communicates with a database
– communicates via the IRC protocol
– logs keystrokes
– takes screenshots
• Planning to release CrowdSource as an open source tool in November
23. Conclusion
• The fight against malware is a cat-and-mouse game
• We should :
– Make use of Automated Malware Analysis
– Keep up with new techniques
– Use the simplest method for each scenario