2. Agenda
@me
Light
Operating System
User Mode
Kernel Mode
Camera
Malware
History
Types
Properties
&Action
Take
n|u Null Meet Dharamsala, July 2014
3. @me
Malware Analyst
Can protect my Web Applications.
Know of: C, C++, Java, Ruby, Python
I “google” a lot.
badboy16a@gmail.com
@_badbot
*PC Gamer*
4. Light, Camera, Action
Light
Relevant information about the OS
Some historical information
Camera
Statistics
Predictions
Action
Finding and acting on clues
Take
Recommendations
10. Memory Model
Real (physical) Memory
Exact amount of installed H/W RAM.
Fixed size.
Shared among everything running in the system.
Backed by H/W.
Protected by the OS.
Virtual Memory
Amount of memory (address space) perceived by every process.
Variable size.
Owned exclusively by that process.
Backed by OS memory management (page tables, paging to disk).
Mixed protection: the user-mode half is accessible to the process, the kernel-mode half is not (see next slide).
11. Memory Model
User Mode
Unprotected (the process can read and write its own memory).
Program code/data.
Un-privileged.
Exclusive to the process.
Swappable (pageable).
Libraries (.dll, .so, …).
Kernel Mode
Protected (not accessible from user mode).
Kernel code/data.
Privileged.
Shared across all processes (mapped into every address space).
Mostly not swappable (non-paged).
Drivers (.drv, .sys, .ko, …).
Address split on 32-bit Windows (default 2 GB/2 GB): user mode 0x00000000–0x7FFFFFFF, kernel mode 0x80000000–0xFFFFFFFF.
12. Windows Access Levels
User
Own processes.
Administrator
Everything a user can do, plus other users' processes.
Unrestricted (administrative) access.
NT AUTHORITY\SYSTEM
Unrestricted access to the local system; the account most system services run as.
14. Windows Executables
PE (based on COFF) file format.
File starts with "MZ" (DOS header); the "PE\0\0" signature follows at the offset stored in e_lfanew (DOS header offset 0x3C).
Entry point defined in the optional header (AddressOfEntryPoint, relative to the image base).
Typically used extensions
EXE: Normal executable
DLL: Dynamic link library
LIB: Static library (an archive of COFF objects, not a PE image)
SYS: Driver
OCX: ActiveX control (special-purpose DLL)
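The header walk described above, as an added example (not code from the talk): it checks the MZ and PE signatures, reads the entry point and image base from the optional header, and reports which section holds the entry point, since a packed or patched binary often starts outside the code section. The PE bytes it parses come from build_sample_pe(), a constructed skeleton with the right headers but no real code.

```python
"""Minimal PE header walk for triage: MZ signature, e_lfanew, PE signature,
COFF file header, optional header (entry point, image base), section table.

Added example for this deck, not the author's code. The sample bytes come
from build_sample_pe(), a constructed skeleton that is not a runnable program.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_DLL = 0x2000             # file Characteristics bit: image is a DLL
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics bit: executable


def parse_pe(data: bytes) -> dict:
    """Return entry point, image base, sections and which section holds the entry."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) is the file offset of "PE\0\0"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                        # start of IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Section table: nsections * 40-byte IMAGE_SECTION_HEADER after the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    # Which section contains the entry point? Packed or patched binaries often
    # start in a non-code section, or outside every section.
    holder = next((s for s in sections
                   if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "machine": machine,
        "kind": "DLL" if characteristics & IMAGE_FILE_DLL else "EXE",
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "entry_point": entry_rva,
        "entry_va": image_base + entry_rva,
        "sections": [s["name"] for s in sections],
        "entry_section": holder["name"] if holder else None,
        "entry_executable": bool(holder and holder["executable"]),
    }


def build_sample_pe(entry_rva: int = 0x1000, dll: bool = False) -> bytes:
    """Constructed PE32 skeleton: DOS header, PE signature, file header,
    224-byte optional header and two sections (.text executable, .data not)."""
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, chars)  # 0x14C = i386
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 0, 0, 0x200, 0x200, 0,
                      entry_rva, 0x1000, 0x2000, 0x400000)
    opt += b"\0" * (224 - len(opt))

    def section(name, va, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x100, va, 0x200, 0x400, 0, 0, 0, 0, flags)

    text = section(b".text", 0x1000, 0x60000020)  # CODE | EXECUTE | READ
    data = section(b".data", 0x2000, 0xC0000040)  # INITIALIZED_DATA | READ | WRITE
    return dos + IMAGE_NT_SIGNATURE + file_hdr + opt + text + data


if __name__ == "__main__":
    for blob in (build_sample_pe(), build_sample_pe(entry_rva=0x2050)):
        info = parse_pe(blob)
        print(f"{info['kind']} entry {info['entry_va']:#x} in {info['entry_section']} "
              f"(executable={info['entry_executable']})")
```

On a real file, read the bytes and pass them to parse_pe(); an entry point in a non-executable section, or in no section at all, is the clue to chase.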
15. Malware
Malware: Malicious Software
Software designed to damage a computer system or to perform unwanted actions on it. The prefix "mal-" means "bad" (Latin malus, as in Spanish "mal"), hence the informal term "badware".
23. Malware Predictions
More attack binaries will use stolen or valid code signatures.
Browser vulnerabilities may become more common.
Cybercrime gets personal.
More targeted attacks.
Stealthier techniques for C&C.
Expect more malicious code in BIOS and firmware updates.
64-bit malware.
Malware diversifies and specializes.
Sandbox evasion.
24. Malware Classification
Worm
Propagates by itself to other machines.
Virus
Attaches itself to host files/targets; infects other systems when the host moves.
Trojan
Masquerades as legitimate/useful software.
Spyware
Spies on your data and sends it to its controller.
Adware
Displays unwanted/unsolicited advertisements.
25. Malware Classification
Ransomware
Locks access to your system or files and demands a ransom to restore access.
Backdoor (Remote Administration Tool, RAT)
Allows an unauthorized remote user to connect to and control your system.
Downloader
Primary payload of exploits; downloads/installs other malware.
Rootkit
Interferes with the kernel (or system APIs) to hide itself from the user and from security tools.
26. Malware Lifecycle
Infection
It has to infect the target: the first run.
Persistence
It has to persist: it cannot rely on being downloaded again every time.
Run
It has to run, preferably without user action, e.g. at boot or on a timer.
Hide
It has to hide itself from the naked eye (and from security tools).
27. &Action
At almost every stage, malware leaves clues.
Identify the clues.
Identify the malware.
Remove the malware.
28. Infection
Exploitation
Using vulnerabilities to achieve code execution.
Clue: the vulnerable program crashes/restarts most of the time.
External Media
Carried to the target system on external media, e.g. a USB stick.
Clue: "safely remove" / un-mounting the media usually fails because something still holds a file on it open.
E-mail Attachments
Sent as an e-mail attachment.
Clue: grammatical/spelling mistakes; the same e-mail received more than once.
Clue: attachments with a double extension (invoice.pdf.exe) or a wrong extension (content does not match the name).
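The attachment clues above, turned into a check (an added example, not code from the talk): it flags executable extensions, a document extension followed by an executable one, and a name whose extension disagrees with the file's leading magic bytes. It also flags a right-to-left override character in the name, a trick the slide does not mention that makes "scan\u202efdp.scr" display as "scanrcs.pdf". The attachments in SAMPLE_ATTACHMENTS are constructed byte strings, not real mail.

```python
"""Triage of e-mail attachments: executable extensions, document.exe double
extensions, a name whose extension does not match the file's magic bytes, and
(beyond the slide) a right-to-left override character hiding the real extension.

Added example for this deck, not the author's code. SAMPLE_ATTACHMENTS holds
constructed byte strings, not real attachments.
"""

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "cpl", "dll", "sys", "bat", "cmd",
                  "vbs", "js", "jse", "wsf", "hta"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
                "jpg", "jpeg", "png", "gif", "zip"}
# (leading magic bytes, description, extensions that legitimately carry it)
MAGIC = [
    (b"MZ", "PE executable", {"exe", "dll", "sys", "scr", "cpl", "ocx", "com"}),
    (b"%PDF-", "PDF", {"pdf"}),
    (b"PK\x03\x04", "ZIP container", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document", {"doc", "xls", "ppt"}),
    (b"\xff\xd8\xff", "JPEG", {"jpg", "jpeg"}),
    (b"\x89PNG", "PNG", {"png"}),
]
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: "scan\u202efdp.scr" renders as "scanrcs.pdf"


def check_attachment(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings; empty means nothing odd."""
    findings = []
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if RLO in base:
        findings.append("right-to-left override character in file name")
    exts = base.lower().split(".")[1:]            # "a.pdf.exe" -> ["pdf", "exe"]
    claimed = exts[-1] if exts else ""
    if claimed in EXECUTABLE_EXT:
        findings.append(f"executable attachment (.{claimed})")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            findings.append(f"double extension .{exts[-2]}.{claimed}")
    for magic, label, legit in MAGIC:
        if data.startswith(magic):
            if claimed not in legit:
                findings.append(f"content is {label} but name claims .{claimed or '(none)'}")
            break
    # If no magic matched the type is unknown and nothing is said about the content.
    return findings


SAMPLE_ATTACHMENTS = {  # constructed for this example
    "Invoice_2014.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",          # PE renamed to .pdf
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "quarterly.docx": b"PK\x03\x04\x14\x00",
    "backup.tar.gz": b"\x1f\x8b\x08\x00",                 # benign double extension
    "scan\u202efdp.scr": b"MZ\x90\x00",
}


def triage_attachments(attachments: dict) -> dict:
    """Map attachment name -> findings for every attachment in a message."""
    return {name: check_attachment(name, blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(repr(name), findings or "ok")
```

Only the first few bytes of each attachment are needed, so this runs cheaply on a mail gateway; the benign "backup.tar.gz" shows why the double-extension rule requires the last part to be executable rather than just counting dots.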
29. Persistence
Files
Stored as ordinary files.
Clue: cryptic file names.
Clue: known file names in unexpected locations.
Clue: misspelled (look-alike) file names.
Streams
Data is stored in an NTFS alternate data stream (ADS) attached to an existing file.
Clue: a pathname containing a ':' after the drive letter (file.txt:stream).
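The persistence clues above as a scan over a list of paths (an added example, not code from the talk): a known system binary name outside its expected directory, a name within one edit (including an adjacent-character swap, so "scvhost.exe" is caught) of a known name, a cryptic name, and an alternate data stream marked by a ':' after the drive letter. EXPECTED_DIRS is a small illustrative subset of Windows system binaries, not a complete baseline, and SAMPLE_PATHS is constructed.

```python
"""Clues left by file-based persistence: known system file names in unexpected
directories, look-alike (misspelled) names, cryptic names, and NTFS alternate
data streams. Added example for this deck, not the author's code; SAMPLE_PATHS
is constructed and EXPECTED_DIRS is an illustrative subset, not a full baseline.
"""
import re
import string

# Where these Windows binaries legitimately live (lower-case, no trailing slash)
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
VOWELS = set("aeiou")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'scvhost' and 'svch0st' are both 1 away from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_stream(path: str):
    """Return (file_path, stream_name). A ':' after the drive letter marks an
    NTFS alternate data stream, e.g. notes.txt:payload.exe."""
    m = re.match(r"^([a-zA-Z]:)?(.*)$", path)   # always matches
    drive, rest = m.group(1) or "", m.group(2)
    if ":" in rest:
        file_part, stream = rest.split(":", 1)
        return drive + file_part, stream
    return path, None


def looks_cryptic(stem: str) -> bool:
    """Heuristic: 8+ characters that are all hex digits, or contain no vowel."""
    return len(stem) >= 8 and (set(stem) <= set(string.hexdigits) or not (set(stem) & VOWELS))


def file_clues(path: str) -> list:
    """Findings for one path; empty list means nothing odd was noticed."""
    findings = []
    file_path, stream = split_stream(path.lower())
    if stream is not None:
        findings.append(f"NTFS alternate data stream '{stream}' on {file_path}")
    directory, _, name = file_path.rpartition("\\")
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        findings.append(f"known system file name '{name}' in unexpected directory")
    for known in EXPECTED_DIRS:
        if name != known and osa_distance(name, known) == 1:
            findings.append(f"'{name}' resembles '{known}' (edit distance 1)")
    if looks_cryptic(name.rsplit(".", 1)[0]):
        findings.append(f"cryptic file name '{name}'")
    return findings


SAMPLE_PATHS = [  # constructed for this example
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\bob\AppData\Roaming\svchost.exe",
    r"C:\Windows\System32\scvhost.exe",
    r"C:\ProgramData\x7f2k9q3.exe",
    r"C:\Users\bob\Desktop\notes.txt:payload.exe",
]


def scan(paths: list) -> dict:
    """Map each path to its findings."""
    return {p: file_clues(p) for p in paths}


if __name__ == "__main__":
    for p, findings in scan(SAMPLE_PATHS).items():
        print(p, findings or "ok")
```

The cryptic-name rule is deliberately loose (vowel-free or all-hex stems of eight characters or more); it is a triage aid that needs an analyst behind it, not a verdict.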
30. Run & Hide
Hiding in plain sight
Has an entry in the process list.
Clue: unknown process name.
Clue: unexpected process.
Clue: process binary at an unusual location.
Clue: process running under an unexpected user account/privilege.
Hiding deep inside
No entry in the process list.
Clue: unexpected library loaded in a legitimate process.
Clue: unusual use of system resources (CPU, network, disk).
Clue: files re-appear after deletion.
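The process-list clues above as triage logic (an added example, not code from the talk): each process is checked against a baseline of expected directory and account, its binary hash is looked up in a known-good set, and a cross-view diff reports PIDs that a low-level enumeration sees but the high-level process list does not, which is how hidden processes are found. The two process views, the baseline table and the known-good hash values are all constructed for the example.

```python
"""Process-list triage for the 'Run & Hide' clues: unknown names, binaries in
unusual locations, unexpected user accounts, binaries whose hash is not in a
known-good set, and processes missing from the high-level process list
(cross-view detection). Added example for this deck, not the author's code;
both process views, BASELINE and KNOWN_GOOD are constructed.
"""

SYSTEM = r"nt authority\system"
SERVICE_ACCOUNTS = {SYSTEM, r"nt authority\local service", r"nt authority\network service"}

# name -> (expected directory, allowed accounts, or None for any interactive user)
BASELINE = {
    "svchost.exe": (r"c:\windows\system32", SERVICE_ACCOUNTS),
    "lsass.exe": (r"c:\windows\system32", {SYSTEM}),
    "csrss.exe": (r"c:\windows\system32", {SYSTEM}),
    "explorer.exe": (r"c:\windows", None),
}
# Constructed stand-ins for known-good binary hashes (real ones are 64 hex chars)
KNOWN_GOOD = {"sha256:svchost-good", "sha256:lsass-good",
              "sha256:csrss-good", "sha256:explorer-good"}


def triage_process(proc: dict) -> list:
    """Findings for one process record (pid, name, path, user, sha256)."""
    findings = []
    name = proc["name"].lower()
    directory = proc["path"].lower().rpartition("\\")[0]
    user = proc["user"].lower()
    if name not in BASELINE:
        findings.append(f"unknown process name {proc['name']}")
    else:
        expected_dir, accounts = BASELINE[name]
        if directory != expected_dir:
            findings.append(f"binary at unusual location {proc['path']}")
        if accounts is not None and user not in accounts:
            findings.append(f"unexpected account {proc['user']}")
    if proc["sha256"] not in KNOWN_GOOD:
        findings.append("binary hash not in known-good set")
    return findings


def triage(processes: list) -> dict:
    """Map pid -> findings, keeping only processes that raised something."""
    out = {}
    for p in processes:
        findings = triage_process(p)
        if findings:
            out[p["pid"]] = findings
    return out


def hidden_pids(high_level_view: list, low_level_view: list) -> set:
    """Cross-view diff: PIDs the low-level enumeration sees but the
    high-level list (what Task Manager shows) does not."""
    return {p["pid"] for p in low_level_view} - {p["pid"] for p in high_level_view}


TASK_MANAGER_VIEW = [  # constructed high-level view
    {"pid": 612, "name": "csrss.exe", "path": r"C:\Windows\System32\csrss.exe",
     "user": r"NT AUTHORITY\SYSTEM", "sha256": "sha256:csrss-good"},
    {"pid": 700, "name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe",
     "user": r"NT AUTHORITY\SYSTEM", "sha256": "sha256:lsass-good"},
    {"pid": 1520, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "user": r"CORP\alice", "sha256": "sha256:explorer-good"},
    {"pid": 2044, "name": "svchost.exe", "path": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "user": r"CORP\alice", "sha256": "sha256:unknown-1"},
    {"pid": 2188, "name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe",
     "user": r"CORP\alice", "sha256": "sha256:lsass-good"},   # second lsass, wrong account
    {"pid": 3012, "name": "updater32.exe", "path": r"C:\ProgramData\updater32.exe",
     "user": r"NT AUTHORITY\SYSTEM", "sha256": "sha256:unknown-2"},
]
KERNEL_VIEW = TASK_MANAGER_VIEW + [  # constructed low-level view with one extra process
    {"pid": 3344, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM", "sha256": "sha256:unknown-3"},
]


if __name__ == "__main__":
    for pid, findings in triage(TASK_MANAGER_VIEW).items():
        print(pid, findings)
    print("hidden from the process list:", hidden_pids(TASK_MANAGER_VIEW, KERNEL_VIEW))
```

PID 3344 is the interesting one: a svchost.exe with a correct path and account that only the low-level view sees, which is exactly the case the baseline rules cannot catch and the cross-view diff can.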
40. Other Tools
GMER
Redline
Kaspersky virus-fighting utilities
TDSSKiller
McAfee Stinger
Sophos Anti-Rootkit
Norton Power Eraser
Trend Micro HouseCall
41. GMER
By default the download gets a random file name, so malware cannot block the tool by its known name.
Similar to RootkitRevealer (hidden processes, files, registry keys and hooks).
More signatures and parameters to look into.
42. Redline
Separate data collection and analysis system.
The collector can run from removable media.
Verifies collected modules against hashes of known-good modules.
Reporting.
43. Take
Antivirus is not enough.
Understand
Be Updated
Be Paranoid
Don't Trust
Protect
Backup
44. The END
All the images, statistics, data belong to their respective owners (including me).