security bootcamp 2013 - automated malware analysis - nguyễn chấn việt
TRANSCRIPT
Automated Malware Analysis
Nguyễn Chấn Việt
Organizer:
Sponsor:
Malware Attacks Growing
• Office exploits
• PDF exploits
• Browser exploits
• …
10/29/2013 11:15 AM www.securitybootcamp.vn
Anatomy of the attack
Stage 1: Exploitation / Phishing / Social Engineering
Stage 2: The dropper executes and disables existing security controls
Stage 3: The "real" malware is downloaded and installed
Stage 4: Steal sensitive data
Stage 5: Communicate with external C&C servers, used to facilitate further attacks
Why do we need it?
• Malware samples in the wild are far too many
• Manual analysis takes a lot of time
• Static analysis requires strong skill sets
• Need to deal with packed, polymorphic and self-modifying code
• Performing dynamic analysis manually is tedious work
=> How can we handle the large volume of malware samples collected each day?
Methods of malware analysis
• Signatures
• Heuristics
• Discrete Objects Analysis
• Contextual Analysis
Online AMAs
• VirusTotal: http://www.virustotal.com/
• ThreatExpert: http://www.threatexpert.com/filescan.aspx
• Anubis: http://anubis.iseclab.org/
• Joebox:
  – http://www.file-analyzer.net/
  – http://www.apk-analyzer.net/
  – http://www.document-analyzer.net/
  – http://www.url-analyzer.net/
Offline AMAs
• CWSandbox: commercial
• Cuckoo Sandbox: free and open source
• Zerowine: a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux
• Malheur
Cuckoo is my choice
• Cuckoo Sandbox was started as a 2010 Summer of Code project
• Now it consists of around 50,000 lines of code written in Python and C
• Sponsored by Rapid7 in a program called "Magnificent7"
• Why did we choose it?
  – Easy to use
  – Easy to customize
  – Nice Web UI and comprehensive reports
  – Open source
Cuckoo is my choice
Execution flow
• Fetch a task
• Prepare the analysis
• Launch the analyzer in the virtual machine
• Execute an analysis package
• Complete the analysis
• Store the results
• Process and create reports
Your VM can be detected
Your sandbox can be detected
Hardening
• Integrate with pafish (Paranoid Fish) to check which VM-detection tricks your guest still fails
• Keep the VM-detection bypass methods up to date
• More info:
  – http://www.alienvault.com/open-threat-exchange/blog/hardening-cuckoo-sandbox-against-vm-aware-malware
  – http://kromer.pl/malware-analysis/installing-and-hardening-latest-cuckoo-sandbox-on-gentoo-linux/
  – http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardening-virtualbox.html
Others
• CuckooMX: Automating Email Attachment Scanning with Cuckoo
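The CuckooMX idea above, automatically pulling attachments out of incoming mail and handing them to the sandbox, reduces to a small triage step in front of Cuckoo. The script below is an added example written for this transcript; it is not CuckooMX's or Cuckoo's own code. It builds a constructed test message with the standard library, walks the MIME tree, keeps only attachment types worth detonating, and deduplicates by SHA-256 so the same payload mailed under two names is submitted only once. The `INTERESTING_EXT` list and the `triage` output format are assumptions of this example; the actual hand-off to Cuckoo (its REST API or the `submit.py` utility) is left to the caller.

```python
"""Triage e-mail attachments for sandbox submission (added example, not CuckooMX code)."""
import hashlib
import os
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed policy for this example: only these extensions are worth a sandbox run.
INTERESTING_EXT = {".exe", ".dll", ".scr", ".pdf", ".doc", ".docx", ".xls", ".js", ".jar"}


def build_sample_eml() -> bytes:
    """Constructed test message: a PE-looking blob (attached twice under two
    names), a PDF-looking blob, and a text note that should be ignored."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # Harmless bytes that merely start with the DOS "MZ" header of a PE file.
    pe_blob = b"MZ\x90\x00" + b"\x00" * 60
    pdf_blob = b"%PDF-1.4\n% constructed sample, no real content\n"
    msg.add_attachment(pe_blob, maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    msg.add_attachment(pdf_blob, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(pe_blob, maintype="application", subtype="octet-stream",
                       filename="copy.exe")            # same bytes, different name
    msg.add_attachment("just notes", filename="notes.txt")  # not interesting
    return msg.as_bytes()


def extract_attachments(raw: bytes):
    """Yield (filename, decoded payload bytes) for every attachment part."""
    msg = message_from_bytes(raw, policy=default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        yield name, part.get_payload(decode=True)


def triage(raw: bytes) -> dict:
    """Return interesting attachments keyed by SHA-256.  Each entry records the
    payload, its size and every filename it was seen under, so a repeated
    payload reaches the sandbox once and the report still lists all names."""
    seen = {}
    for name, data in extract_attachments(raw):
        ext = os.path.splitext(name)[1].lower()
        if ext not in INTERESTING_EXT:
            continue
        digest = hashlib.sha256(data).hexdigest()
        entry = seen.setdefault(digest, {"names": [], "size": len(data), "data": data})
        entry["names"].append(name)
    return seen


if __name__ == "__main__":
    for digest, entry in triage(build_sample_eml()).items():
        print(f"{digest[:16]}...  {entry['size']:6d} bytes  {', '.join(entry['names'])}")
```

Each key of the returned dictionary is what you would hand to the sandbox queue; the filename list is what belongs in the analyst's report.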
How about post-analysis?
• Cuckoo + Volatility + YARA
Volatility
• An advanced memory forensics framework
• Written in Python
• Open source
• Active development
  – Month of Volatility Plugins (MoVP)
  – Annual Volatility Framework Plugin Contest
• Large community
Volatility
• There are many modules for:
  – Detecting Windows GUI hooking
  – Detecting user-mode hooks (IAT/Inline/…)
  – Detecting kernel-mode hooks (SSDT/IRP/…)
  – Detecting hidden processes
  – Detecting hidden kernel modules
  – Detecting hidden connections
YARA
• YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families.
YARA
• Example: the rule below tells YARA that any file containing one of the three strings must be reported as silent_banker.

    rule silent_banker : banker
    {
        meta:
            description = "This is just an example"
            thread_level = 3
            in_the_wild = true

        strings:
            $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
            $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
            $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

        condition:
            $a or $b or $c
    }
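To make the semantics of that rule concrete, here is an added example (written for this transcript, not YARA's own code and not a substitute for it) that implements the same three strings and the `$a or $b or $c` condition as a small scanner over constructed byte buffers. It goes one step beyond the slide by also accepting the `??` wildcard that YARA hex strings allow, so `{6A 40 ?? 00}` matches any byte in the third position. The `RULE` dictionary layout, the `scan` return format and the sample buffers are assumptions of this example.

```python
"""Toy matcher for the silent_banker rule (added example, not YARA itself)."""
import re


def hex_pattern(spec: str) -> re.Pattern:
    """Compile a YARA-style hex string such as "{6A 40 ?? 00}" into a bytes regex.
    Each token is one byte; "??" is the YARA wildcard and matches any byte."""
    tokens = spec.strip().strip("{}").split()
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so "." also matches 0x0A


def text_pattern(text: str) -> re.Pattern:
    """Compile a plain (case-sensitive, ASCII) YARA text string."""
    return re.compile(re.escape(text.encode("ascii")))


# The rule from the slide, expressed as data.  The condition is "$a or $b or $c".
RULE = {
    "name": "silent_banker",
    "tags": ["banker"],
    "strings": {
        "$a": hex_pattern("{6A 40 68 00 30 00 00 6A 14 8D 91}"),
        "$b": hex_pattern("{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}"),
        "$c": text_pattern("UVODFRYSIHLNWPEJXQZAKCBGMT"),
    },
    "condition": lambda hits: any(hits.values()),
}


def scan(data: bytes, rule: dict = RULE):
    """Return (matched, {string_id: [offsets]}) for one buffer, the same facts
    yara-python reports as a match object."""
    hits = {sid: [m.start() for m in pat.finditer(data)]
            for sid, pat in rule["strings"].items()}
    return rule["condition"](hits), hits


# Constructed samples: one clean buffer, one carrying $a after a fake DOS
# header, one carrying the $c alphabet string inside a config line.
SAMPLES = {
    "clean.bin": b"\x00" * 16 + b"nothing to see here",
    "hit_a.bin": b"MZ" + b"\x90" * 8 + bytes.fromhex("6A4068003000006A148D91") + b"\xcc" * 4,
    "hit_c.bin": b"config=UVODFRYSIHLNWPEJXQZAKCBGMT\n",
}


def scan_all(samples: dict = SAMPLES, rule: dict = RULE) -> dict:
    """Map each sample name to the rule name if it matched, else None."""
    return {name: (rule["name"] if scan(data, rule)[0] else None)
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        matched, hits = scan(data)
        print(f"{name:10s} {'silent_banker' if matched else '-':14s}",
              {k: v for k, v in hits.items() if v})
```

Reading the offsets next to each string id is the quickest way to check that a hex string really encodes what you meant before a rule is deployed across a sample collection.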
Who's using YARA
• VirusTotal Intelligence (https://www.virustotal.com/intelligence/)
• jsunpack-n (http://jsunpack.jeek.org/)
• We Watch Your Website (http://www.wewatchyourwebsite.com/)
• FireEye, Inc. (http://www.fireeye.com)
• Fidelis XPS (http://www.fidelissecurity.com/network-security-appliance/Fidelis-XPS)
New Automated Malware Capability Detection System
• CrowdSource: applying machine learning to web technical documents to automatically identify malware capabilities, such as:
  – detects debugger-based reversing
  – encrypts / decrypts data
  – provides remote desktop capability
  – steals or modifies cookies
  – mines or steals bitcoins
  – communicates over SMTP
  – has GUI functionality
  – communicates with a database
  – communicates via the IRC protocol
  – logs keystrokes
  – takes screenshots
• Planning to release CrowdSource as an open source tool in November
Conclusion
• The fight against malware is a cat-and-mouse game
• We should:
  – Make use of Automated Malware Analysis
  – Keep up to date with new techniques
  – Use the simplest method for each scenario
Thank you!