[CB19] tknk_scanner v2:community-based integrated malware identification system by Shota Nakajima, Keita Nomura
•
1 like•161 views
We presented tknk_scanner using YARA at Black Hat Europe 2018 Arsenal. tknk_scanner is a community-based integrated malware identification system, which aims to easily identify malware families by automating this process using an integration of open source community-based tools and freeware. The previous tknk_scanner only supported binary based scanning(Scanning by YARA, a summary of VirusTotal using AVClass, file signatures by Detect It Easy). This major update adds packet capture and network based scanning mode. It allows the scanner to use network based signatures (snot rules, suricata rules). Not only that, you can get process communication information and associate network signatures with binary signatures. Of course, those results can be easily checked from the cool Web-UI. Support for binary based and network based signatures enabled simple dynamic analysis and provided malware identification accuracy. With this update, tknk_scanner further supports analysis by SOC operators, CSIRT members, and malware analysts.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to [CB19] tknk_scanner v2:community-based integrated malware identification system by Shota Nakajima, Keita Nomura
Similar to [CB19] tknk_scanner v2:community-based integrated malware identification system by Shota Nakajima, Keita Nomura (20)
More from CODE BLUE
More from CODE BLUE (20)
Recently uploaded
Recently uploaded (20)
[CB19] tknk_scanner v2:community-based integrated malware identification system by Shota Nakajima, Keita Nomura
- 1. Copyright©2019 nao_sec All Rights Reserved. tknk_scanner V2: Community-based integrated malware identification system Cyber Defense Institute, Inc. Shota Nakajima, Keita Nomura
- 2. Copyright©2019 nao_sec All Rights Reserved. Who are we
- 3. Copyright©2019 nao_sec All Rights Reserved. Background • Sometimes we encounter unknown malware • Using Antivirus software or Virus Total, yara, etc. • However, the detection name may not be correct or may not be useful • Do you want to analyze similar malware over and over? • We would like to do other fun jobs • Utilize past analysis results and published information
- 4. Copyright©2019 nao_sec All Rights Reserved. What is tknk_scanner • Automatic identification and classification of malware • Scan the original malware code with yara • Dumps original malware code • You can easily get the original code • Community-based • Integrates multiple Open Source Software and free tools • User-friendly Web-UI • Users can submit malware and check scan results using the Web-UI • Packet capture and network-based scanning mode[New!] • Use tcpdump and Suricata
- 5. Copyright©2019 nao_sec All Rights Reserved. Concept • We don’t want to analyze known malware manually • If malware is obfuscated/encrypt/encode, use debuggers or other techniques • We cannot get good result with yara • Malware works most of the time • Except: evasive malware and APT Malware • Original code of malware is copied in the memory • It is useful to automatically dump the original code in memory and automatically identify the malware
- 6. Copyright©2019 nao_sec All Rights Reserved. System Overview Web UI tknk.py REST API xmlrpc_client.py mongoDB db update xmlrpc_server.py VM XML-RPC redis dump modules CLI
- 7. Copyright©2019 nao_sec All Rights Reserved. Features • Scan • Mode • hollows_hunter, procdump, diff • yara • With the rules you own • Additional Information • python-magic • Detect it easy • Detect It Easy is a packer identifier • https://github.com/horsicq/Detect-It-Easy • avclass • AVClass is a malware labeling tool. • https://github.com/malicialab/avclass You give it as input the AV labels for a large number of malware samples and it outputs the most likely family name for each sample that it can extract from the AV labels.
- 8. Copyright©2019 nao_sec All Rights Reserved. Features [New!] • Network Scan • It allows the scanner to use network based signatures (snot rules, suricata rules) • Connections • It provides connection information of the process at running malware
- 9. Copyright©2019 nao_sec All Rights Reserved. Scan
- 10. Copyright©2019 nao_sec All Rights Reserved. hollows_hunter • hollows_hunter developed by @hasherezade • https://github.com/hasherezade/hollows_hunter • A process scanner detecting and dumping hollowed PE modules • Uses PE-sieve (DLL version) • It has powerful features • Recognizes and dumps variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches
- 11. Copyright©2019 nao_sec All Rights Reserved. Procdump • Windows Sysinternals • https://docs.microsoft.com/en-us/sysinternals/downloads/procdump • Execute the following command • procdump.exe -t -ma PID • Write a dump when the process terminates or after a specified time • Please note that the size of file is large • Parsed by memory area [New!]
- 12. Copyright©2019 nao_sec All Rights Reserved. DEMO Movie
- 13. Copyright©2019 nao_sec All Rights Reserved. Limitations • tknk_scanner does not include signature • You can download the public yara rule • https://github.com/Yara-Rules/rules • You can download the ETOpen rules • https://rules.emergingthreats.net/ • Matching signature does not exist • Please write your own yara rule and share it • Dump fails • Try manual analysis • tknk_scanner is not … • Sandbox • Using Cuckoo Sandbox • Antivirus scanner • Using IRMA
- 14. Copyright©2019 nao_sec All Rights Reserved. Thank you!! Any Questions? https://github.com/nao-sec/tknk_scanner Twitter: @nao_sec @PINKSAWTOOTH @nomuken personal account