Identifying and Removing Malwares

Identifying and
Removing
Malwares
FOR BEGINNERS
n|uNullMeetDharamsala
1
July2014

Agenda
 @me
 Light
 Operating System
 User Mode
 Kernel Mode
 Camera
 Malware
 History
 Types
 Properties
 &Action
 Take
n|u Null Meet Dharamsala
2
July 2014

@me
 Malware Analyst
 Can protect my Web Applications.
 Know of: C, C++, Java, Ruby, Python
 I “google” a lot.
 badboy16a@gmail.com
 @_badbot
 *PC Gamer*
3
July 2014

Light, Camera, Action
 Light
 Relevant Information about OS
 Some historical information
 Camera
 Statistics
 Predictions
 Action
 Finding and acting on clues
 Take
 Recommendations
July 2014n|u Null Meet Dharamsala
4

“Ware”
5
July 2014

Malware
A software that
performs
unintended actions
without user
consent.
6
July 2014

Operating System
7
July 2014

Operating System
Hardware
Operating
System
Application
User
Command
8
July 2014

Operating System
Hardware
Device
Driver
Kernel
Programs
9
July 2014

Memory Model
Real Memory
 Exact amount of installed
H/W RAM.
 Fixed size.
 Shared among everything
running in system.
 Backed by H/W
 Protected by OS
Virtual Memory
 Amount of RAM perceived
by every process.
 Variable size.
 Owned exclusively.
 Backed by OS Memory
Management.
 Mixed Protection.
10

Memory Model
User Mode
 Unprotected
 Program code/data
 Un-privileged
 Exclusive for process
 Swappable
 Libraries(.dll, .so, …)
Kernel Mode
 Protected
 Kernel code/data
 Privileged
 Shared in real space
 Mostly not-swappable
 Drivers(.drv, .sys, .ko,…)
11
0x00000000-0x7FFFFFFF 0X80000000 – 0xFFFFFFFF

Windows Access Levels
12
•Own Processes
•Other User’s Processes
User
•User Access
•Other User’s Processes
•Unrestricted Access
Administrator
•Administrative Access.
•Unrestricted Access to Local System.
NT_AUTHORITY
SYSTEM

Windows Registry
 Configuration Database.
 Key  [Key] Value[or Default] = [Data]
 Permanent and Transient Keys
 Derived Keys
 Root Keys:
 CLASSES_ROOT
 LOCAL_MACHINE
 USERS
 CURRENT_USER
 CURRENT_CONFIG
13

Windows Executables
 PE (based on COFF) file format.
 File starts with “MZ”
 Entry point defined in header.
 Typically used extensions
 EXE: Normal Executable
 DLL: Dynamic link library
 LIB: Static Library
 SYS: Driver
 OCX: ActiveX Controls (special purpose DLL)
14

Malware
 Software programs designed to damage or do
unwanted actions on a computer system. In
Spanish, "mal" is a prefix that means "bad," making
the term "badware“.
15
Malware
Malicious Software

Malware Evolution
1948
Self-
Reproducing
Automata
-John Von Neumann
1970Creeper
-PDP-10
-Bob Thomas
-Reaper
1975
The
Shockwave
Rider
-Xerox
- John Shock & John
Hepps
16

Malware Evolution
1981
Elk-
Cloner
•Apple DOS 3.3
• 15 year old
1986
Brain
•PC-DOS
• Alvi Brothers
1988
Morris
• UNIX Finger
service
• Robert Morris
1995
Concept
• MS Word
• Macro Virus
17

Malware Evolution
2000
I LOVE
YOU
•VBScript
• Reomel
Lamores
2004
Cabir
•Symbian OS
2007-2008
Zeus
Conficker
2010
Stuxnet
• SCADA
Systems
18

Malware Evolution
2011
Duqu,
Anti
Spyware
2011
2012
Flame
2013
Cyptolocker
BlackPOS
Dexter
vSkimmer
2014
Dragonfly
19

Malware Statistics
 Categories that Delivered Malicious Code, 2013 : Symantec
20

Malware Statistics
21

Malware Statistics
22

Malware Predictions
 More attack binaries will use stolen or valid code
signature.
 Browser vulnerabilities may be more common.
 Cybercrime gets personal.
 More targeted attacks.
 More stealthier techniques for C&C.
 Expect more malicious code in BIOS and firmware
updates.
 64bit Malwares.
 Malware Diversifies and Specializes.
 Sandbox Evasion.
23

Malware Classification
 Worm
 Propagates by itself on different machine.
 Virus
 Attaches itself to targets. Infects other systems when target moves.
 Trojan
 Masquerades itself as legitimate/useful software.
 Spyware
 Spies on your data and send it to controller.
 Adware
 Displays unwanted/unsolicited advertisements.
24

Malware Classification
 Ransomware
 Locks access to your systems or files and demands ransom for
further access.
 Backdoor(Remote Administration Toolkit):
 Allows unauthorized remote user connect to and control your
system.
 Downloader
 Primary payload for exploits. Download/Installs other malwares.
 Rootkit
 Interferes with kernel to hide itself from user and security tools.
25

Malware Lifecycle
 Infection
 It has to infect the target. First run.
 Persistence
 It has to persist. Cannot be downloaded every time.
 Run
 It has to run. Preferably without user action e.g. Boot,
Timed…
 Hide
 Hide itself from naked eye.
26

&Action
 Almost at every stage malwares leave clues.
 Identify Clues.
 Identify Malware.
 Remove Malware.
27

Infection
 Exploitation:
 Using vulnerabilities to achieve code execution.
 Vulnerable program crashes/restarts most of the time.
 External Media
 Carried to the target system using external media e.g. USB
Stick.
 Un-mounting the media usually fails.
 E-mail Attachments
 Sent via email attachment.
 Grammatical/Spelling mistakes. Duplicate e-mail.
Attachments with double extension, wrong extension.
28

Persistence
 Files
 Stored as files.
 Cryptic file names.
 Known file names in unexpected locations.
 Misspelled file name.
 Streams
 Data is stored as NTFS alternate stream.
 Pathname containing ‘:’ character.
29

Run & Hide
 Hiding in plain sight.
 An entry in process list.
 Unknown process name.
 Unexpected Process.
 Process binary at unusual location.
 Process with unexpected user account/privilege.
 Hiding deep inside
 No entry in process list.
 Unexpected library.
 Unusual usage of system resources.
 Re-appearance of some files after deletion.
30

Detection Difficulty
Hardware
Kernel
Device Driver
User Programs
31

Sysinternal Tools
 Sysinternal Suite
 Autoruns
 ListDll
 Handle
 Process Explorer
 Process Monitor
 RootkitRevealer
 Strings
32

Autoruns
33

ListDLLs
34

Handle
35

Process Explorer
36

Process Monitor
37

Rootkit Revealer
38

Strings
39

Other Tools
 GMER
 Redline
 Kaspersky Virus Fighting Utilities
 TDSS Killer
 McAfee Stinger
 Sophos Anti-Rootkit
 Norton Power Eraser
 Trend Micro House Call
40

GMER
 By default downloads
with random file name.
 Similar to Rootkit Revealer
 More signature and
parameters to look into.
41

Redline
 Separate data
collection and
analysis system.
 Collector can run
from removable
media.
 Verifies against
hashes of known
good modules.
 Reporting
42

Take
 Antivirus Not Enough
 Understand
 Be Updated
 Be Paranoid
 Don’t Trust
 Protect
 Backup
43

The END
 All the images, statistics, data belong to their respective owners (including me).
44

Identifying and Removing Malwares

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Identifying and Removing Malwares

Semelhante a Identifying and Removing Malwares (20)

Mais de n|u - The Open Security Community

Mais de n|u - The Open Security Community (20)

Último

Último (20)

Identifying and Removing Malwares