Malware Analysis as a Hobby
Michael Boman - Security Consultant/Researcher, Father of 5
Why the strange hobby?
The manual way
1. Start virtual environment
2. Copy sample
3. Start logging facilities
4. Execute sample
5. Stop logging facilities
6. Analyze logs
Drawbacks
• Time consuming
• Boring in the long run (not all malware are created equal)
Choose any two…
• Cheap
• Good
• Fast
Choose any two? Why not all of them?
• Cheap: I can do it cheaply (hardware and license cost-wise). Human time not included.
• Fast: I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
• Good: I get pretty good results (quality). Where the system lacks, I can compensate for its shortcomings.
Automate everything!
Automate: engineer yourself out of the workflow
Birth of the MART Project
MART: Malware Analyst Research Toolkit
Components
Sample Acquisition
• Public & private collections
• Exchange with other malware analysts
• Finding and collecting malware yourself
   • Download files from the web
   • Grab attachments from email
   • Feed BrowserSpider with links from your SPAM folder
BrowserSpider
• Written in Python
• Uses the Selenium framework to control REAL browsers
   • Flash, PDFs, Java applets etc. execute as normal
   • All the browser bugs exist for real
• Spiders and follows all links seen
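The "feed BrowserSpider with links from your SPAM folder" step above is a small parsing job that can run entirely outside the browser. The following is an added example (not the MART or BrowserSpider code) that walks the text and HTML parts of spam messages, pulls out http(s) links and de-duplicates them into a seed list. It assumes the spam folder is available as an mbox file (the path is an assumption); the message used for the offline run is constructed.

```python
"""Harvest http(s) links from spam messages to seed a crawler.

Added example, not the MART/BrowserSpider code. Assumes the SPAM folder is
an mbox file (path is an assumption); the message below is constructed.
"""
import email
import mailbox
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _LinkParser(HTMLParser):
    """Collect href and src attribute values from an HTML part."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value.strip())


def urls_from_message(msg):
    """Return unique http(s) URLs from the text/plain and text/html parts, in order seen."""
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()  # decoded text; requires email.policy.default
        if ctype == "text/html":
            parser = _LinkParser()
            parser.feed(body)
            found.extend(parser.urls)
        found.extend(URL_RE.findall(body))
    seen, result = set(), []
    for url in found:
        url = url.rstrip(".,;:)")  # trailing punctuation picked up from prose
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            continue  # drops mailto:, javascript:, relative links
        if url not in seen:
            seen.add(url)
            result.append(url)
    return result


def urls_from_raw(raw):
    """Parse one RFC 822 message given as a string and extract its URLs."""
    return urls_from_message(email.message_from_string(raw, policy=policy.default))


def seed_urls_from_mbox(path):
    """Walk every message in an mbox spam folder and return the deduplicated seed list."""
    box = mailbox.mbox(
        path, factory=lambda f: email.message_from_binary_file(f, policy=policy.default)
    )
    seen, seeds = set(), []
    for msg in box:
        for url in urls_from_message(msg):
            if url not in seen:
                seen.add(url)
                seeds.append(url)
    return seeds


# Constructed sample: a multipart/alternative spam with a text and an HTML part.
SAMPLE_SPAM = """\
From: "Offer" <offer@example.invalid>
To: analyst@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Click http://example.invalid/login now. Also see https://example.invalid/a?x=1
--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://example.invalid/a?x=1">here</a>
<img src="http://example.invalid/img.png"><a href="mailto:x@example.invalid">m</a>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for url in urls_from_raw(SAMPLE_SPAM):
        print(url)
```

The seed list is only input for a crawler that runs inside the disposable analysis VM; the parsing side never fetches anything, which is why it can sit on the host.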
Sample Analysis
• Cuckoo Sandbox
• VirusTotal
A day's work for a Cuckoo
1. Fetch a task
2. Prepare the analysis
3. Launch analyzer in virtual machine
4. Execute an analysis package
5. Complete the analysis
6. Process and create reports
7. Store the result
DEMO: Submit sample for analysis
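The submission demo is the part of the Cuckoo cycle the analyst normally triggers by hand, and it is the piece to script first when the goal is to engineer yourself out of the workflow. The following is an added example (not MART or Cuckoo project code) that submits a sample, polls the task until it reaches a final state and pulls the JSON report. It uses the REST endpoints of Cuckoo's api.py utility (POST /tasks/create/file, GET /tasks/view/<id>, GET /tasks/report/<id>); the base URL, the task state names, the report fields read by summarize() and the stub server used for the offline run are assumptions.

```python
"""Submit a sample to a Cuckoo Sandbox REST API, wait, and fetch the report.

Added example, not MART or Cuckoo project code. Endpoint paths follow Cuckoo's
api.py utility; the base URL, state names, report layout and StubTransport
(a constructed stand-in for a real server) are assumptions.
"""
import json
import time
import urllib.request
import uuid

FINAL_STATES = {"reported", "failed_analysis", "failed_processing", "failed_reporting"}


def urllib_transport(method, url, body=None, headers=None):
    """Default HTTP transport: returns (status_code, response_bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def encode_multipart(field, filename, data):
    """Encode one file as multipart/form-data; returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    body = b"\r\n".join([
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"'.encode(),
        b"Content-Type: application/octet-stream",
        b"",
        data,
        f"--{boundary}--".encode(),
        b"",
    ])
    return body, f"multipart/form-data; boundary={boundary}"


class CuckooClient:
    def __init__(self, base_url="http://127.0.0.1:8090", transport=urllib_transport):
        self.base_url = base_url.rstrip("/")  # assumed default api.py listen address
        self.transport = transport

    def _call(self, method, path, body=None, headers=None):
        status, raw = self.transport(method, self.base_url + path, body, headers)
        if status != 200:
            raise RuntimeError(f"{method} {path} returned HTTP {status}")
        return json.loads(raw.decode("utf-8"))

    def submit(self, filename, data):
        """POST the sample; the API answers {"task_id": N}."""
        body, ctype = encode_multipart("file", filename, data)
        return self._call("POST", "/tasks/create/file", body, {"Content-Type": ctype})["task_id"]

    def status(self, task_id):
        return self._call("GET", f"/tasks/view/{task_id}")["task"]["status"]

    def wait(self, task_id, poll_seconds=10.0, timeout=3600.0):
        """Poll until the task reaches a final state; returns that state."""
        deadline = time.monotonic() + timeout
        while True:
            state = self.status(task_id)
            if state in FINAL_STATES:
                return state
            if time.monotonic() >= deadline:
                raise TimeoutError(f"task {task_id} still '{state}' after {timeout}s")
            time.sleep(poll_seconds)

    def report(self, task_id):
        return self._call("GET", f"/tasks/report/{task_id}")


def summarize(report):
    """Fields an analyst looks at first (assumed report layout: info.score, signatures[].name)."""
    return {
        "score": report.get("info", {}).get("score"),
        "signatures": [s.get("name") for s in report.get("signatures", [])],
    }


def analyze(client, filename, data, poll_seconds=10.0):
    """Whole pipeline: submit -> wait -> report -> summary (None when the run failed)."""
    task_id = client.submit(filename, data)
    state = client.wait(task_id, poll_seconds=poll_seconds)
    if state != "reported":
        return task_id, state, None
    return task_id, state, summarize(client.report(task_id))


class StubTransport:
    """Constructed stand-in for a Cuckoo server so the flow can be exercised offline."""

    def __init__(self):
        self.calls = []
        self.states = iter(["pending", "running", "completed", "reported"])

    def __call__(self, method, url, body=None, headers=None):
        self.calls.append((method, url))
        if url.endswith("/tasks/create/file"):
            return 200, b'{"task_id": 7}'
        if "/tasks/view/" in url:
            return 200, json.dumps({"task": {"status": next(self.states)}}).encode()
        if "/tasks/report/" in url:
            return 200, json.dumps({"info": {"score": 6.2},
                                    "signatures": [{"name": "constructed_signature"}]}).encode()
        return 404, b"{}"


if __name__ == "__main__":
    print(analyze(CuckooClient(transport=StubTransport()), "sample.bin", b"MZ\x90\x00", 0))
```

Treating a non-"reported" final state as a result rather than an error is deliberate: a failed analysis is exactly the sample that needs to go back into the "Unknown" pile for a second pass.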
Sample Reporting
Results are stored in MongoDB (optional, highly recommended)
Accessed using an analyst GUI
Data Mining
Where Virtual Machine analysis fails
And what to do about it
Problems
• Cuckoo is easily bypassed
• User-detection
• Sleeping malware
Problems
• VM or Sandbox detection
• The guest OS might not be sufficient
• Any multistage attack
Iterating automation
1. Sort out clearly non-malicious and obviously malicious samples
   • Known Good
   • Known Bad
   • Unknown
2. Divide the samples into categories
   • Does not do anything
   • Detects environment
   • Encrypted segments
   • Failed execution
3. Do brief static analysis
   • Run longer
   • Environment customization
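The three-step loop above (sort by what is already known, bucket the rest, take a brief static look before deciding how to re-run) is small enough to script. The following is an added example (not MART code) that hashes a batch of samples against known-good and known-bad lists, leaves everything else as Unknown, and gives the Unknown ones a cheap static pass: file type from magic bytes, Shannon entropy per 256-byte window to flag encrypted or packed segments, and a size sanity check for samples likely to fail execution. The hash lists and samples are constructed; the entropy threshold (7.0 bits/byte) and window size are my assumptions, not values from the talk.

```python
"""First-pass triage for a batch of samples: sort, categorize, brief static look.

Added example, not MART code. Known-good / known-bad hash sets and the samples
below are constructed; ENTROPY_THRESHOLD and WINDOW are assumptions.
"""
import hashlib
import math

MAGIC = [(b"MZ", "pe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]
ENTROPY_THRESHOLD = 7.0  # bits per byte; 8.0 is the maximum
WINDOW = 256


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits per byte over the given bytes (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_kind(data):
    """Crude type detection from leading magic bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def high_entropy_windows(data, window=WINDOW, threshold=ENTROPY_THRESHOLD):
    """Count fixed-size windows whose entropy suggests compression or encryption."""
    return sum(1 for i in range(0, len(data), window)
               if shannon_entropy(data[i:i + window]) >= threshold)


def classify(data, known_good, known_bad):
    """Step 1: clearly non-malicious / obviously malicious by hash, the rest is Unknown."""
    digest = sha256(data)
    if digest in known_bad:
        return "Known Bad"
    if digest in known_good:
        return "Known Good"
    return "Unknown"


def brief_static_analysis(data):
    """Step 3: cheap static facts that decide how the next sandbox run should look."""
    kind = file_kind(data)
    windows = high_entropy_windows(data)
    flags = []
    if windows:
        flags.append("encrypted-or-packed-segments")  # candidate for a longer run
    if kind == "unknown":
        flags.append("no-recognised-format")  # likely to fail execution as-is
    if len(data) < 64:
        flags.append("tiny")
    return {"kind": kind, "size": len(data), "entropy": round(shannon_entropy(data), 2),
            "high_entropy_windows": windows, "flags": flags}


def triage(samples, known_good, known_bad):
    """Step 2: bucket the batch; only Unknown samples get the static pass."""
    buckets = {"Known Good": [], "Known Bad": [], "Unknown": []}
    for name, data in samples.items():
        bucket = classify(data, known_good, known_bad)
        entry = {"name": name, "sha256": sha256(data)}
        if bucket == "Unknown":
            entry.update(brief_static_analysis(data))
        buckets[bucket].append(entry)
    return buckets


# Constructed samples and hash lists (none of this is real malware).
SAMPLES = {
    "readme.txt": b"just a text file\n",
    "stub.exe": b"MZ" + b"\x00" * 100,
    "blob.bin": bytes(range(256)) * 4,  # maximal entropy: looks encrypted
    "bad.bin": b"MZ" + b"constructed known-bad sample",
}
KNOWN_GOOD = {sha256(SAMPLES["readme.txt"])}
KNOWN_BAD = {sha256(SAMPLES["bad.bin"])}

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLES, KNOWN_GOOD, KNOWN_BAD).items():
        print(bucket, [e["name"] for e in entries])
```

Known Bad is checked before Known Good so that a hash present on both lists (a stale allowlist entry) errs on the side of analysis. Hash matching is only the first filter; it is the entropy and format flags on the Unknown pile that feed the "run longer" and "environment customization" decisions from the slide.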
Budget
• Computer: €520
• MSDN License: €800 (€590 renewal)
• Year 1: €1320
• Year N: €590
• Money saved from stopped smoking (yearly): €2040
Malware Lab
MART Hardware (overview)
MART Hardware (mounts)
MART Hardware (HDD)
MART Hardware (SSD)
Next steps
• Barebone on-the-iron malware analysis
• Android platform support
• OSX platform support
• iOS platform support
Proof of Concept hardware
• Prototype Shield
• Arduino 4-Channel Relay Shield
• Arduino Duemilanove
• Ethernet Shield
Questions?
Michael Boman
michael.boman@2secure.se / http://www.2secure.se
michael@michaelboman.org / http://michaelboman.org
@mboman

Malware analysis as a hobby (Owasp Göteborg)