Security Bootcamp 2013 - Automated Malware Analysis - Nguyễn Chấn Việt

Upload: security-bootcamp

Post on 06-May-2015

Page 1: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Automated MalwareAnalysis

Nguyễn Chấn Việt

Page 2: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Organizer:

Sponsor:

Page 3: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Malware Attacks Growing
• Office exploits
• PDF exploits
• Browser exploits
• …

10/29/2013 11:15 AM www.securitybootcamp.vn

Page 4: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Anatomy of the attack
Stage 1: Exploitation / Phishing / Social Engineering
Stage 2: The dropper executes and disables existing security controls
Stage 3: The "real" malware is downloaded and installed
Stage 4: Sensitive data is stolen
Stage 5: Communication with external C&C servers, used to facilitate further attacks

Page 5: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Why do we need it?
• There is far too much malware in the wild
• Manual analysis takes a lot of time
• Static analysis requires strong skillsets
• Need to deal with packed, polymorphic, self-modifying code
• Performing dynamic analysis manually is tedious work

=> How can we handle the large volume of malware samples collected each day?

Page 6: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Methods of malware analysis
• Signatures
• Heuristics
• Discrete Objects Analysis
• Contextual Analysis

Page 7: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Online AMAs
• VirusTotal: http://www.virustotal.com/
• ThreatExpert: http://www.threatexpert.com/filescan.aspx
• Anubis: http://anubis.iseclab.org/
• Joebox:
  – http://www.file-analyzer.net/
  – http://www.apk-analyzer.net/
  – http://www.document-analyzer.net/
  – http://www.url-analyzer.net/

Page 8: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Offline AMAs
• CWSandbox: commercial
• Cuckoo Sandbox: free and open source
• Zerowine: a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux
• Malheur

Page 9: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Cuckoo is my choice
• Cuckoo Sandbox was started as a 2010 Summer of Code project
• It now consists of around 50,000 lines of code written in Python and C
• Sponsored by Rapid7 in a program called "Magnificent7"
• Why we chose it:
  – Easy to use
  – Easy to customize
  – Nice Web UI and comprehensive reports
  – Open source

Page 10: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Cuckoo is my choice

Page 11: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Execution flow
• Fetch a task
• Prepare the analysis
• Launch the analyzer in the virtual machine
• Execute an analysis package
• Complete the analysis
• Store the results
• Process and create reports

Page 12: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Your VM can be detected

Page 13: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Your sandbox can be detected

Page 14: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Hardening
• Integrate with pafish (Paranoid Fish)
• Keep up with new VM-detection bypass methods
• More info:
  – http://www.alienvault.com/open-threat-exchange/blog/hardening-cuckoo-sandbox-against-vm-aware-malware
  – http://kromer.pl/malware-analysis/installing-and-hardening-latest-cuckoo-sandbox-on-gentoo-linux/
  – http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardening-virtualbox.html

Page 15: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Others
• CuckooMX: Automating email attachment scanning with Cuckoo

Page 16: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

How about post-analysis?
• Cuckoo + Volatility + YARA

Page 17: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Volatility
• An advanced memory forensics framework
• Written in Python
• Open source
• Active development
  – Month of Volatility Plugins (MoVP)
  – Annual Volatility Framework Plugin Contest
• Large community

Page 18: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Volatility
• There are many modules for:
  – Detecting Windows GUI hooking
  – Detecting usermode hooks (IAT/inline/…)
  – Detecting kernelmode hooks (SSDT/IRP/…)
  – Detecting hidden processes
  – Detecting hidden kernel modules
  – Detecting hidden connections

Page 19: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

YARA
• YARA is a tool aimed at helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families.

Page 20: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

YARA
• Example: the rule below tells YARA that any file containing one of the three strings must be reported as silent_banker.

    rule silent_banker : banker
    {
        meta:
            description = "This is just an example"
            thread_level = 3
            in_the_wild = true

        strings:
            $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
            $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
            $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

        condition:
            $a or $b or $c
    }
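As an added illustration of what the rule above actually evaluates (this is not code from the slides or from the YARA project), the Python below re-implements the rule's three strings and its `$a or $b or $c` condition as a small pure-Python scanner. It also serves the earlier "Cuckoo + Volatility + YARA" post-analysis slide: the same scan runs unchanged over a process memory dump written to disk. It goes slightly beyond the slide by handling YARA's `??` hex wildcard. The function names and the sample buffers are my own constructions.

```python
import re

def hex_pattern(hex_str):
    """Translate a YARA hex string such as "6A 40 ?? 91" into a compiled bytes regex.
    Handles fixed bytes and the `??` wildcard; YARA jumps like [2-4] are not covered
    by this hypothetical helper. A zero-width lookahead is used so overlapping
    occurrences are all reported, as YARA does."""
    parts = []
    for tok in hex_str.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def text_pattern(text):
    """A YARA text string: a literal, case-sensitive ASCII match."""
    return re.compile(b"(?=" + re.escape(text.encode("ascii")) + b")")

# The three strings of the silent_banker rule shown on the slide.
RULE_STRINGS = {
    "$a": hex_pattern("6A 40 68 00 30 00 00 6A 14 8D 91"),
    "$b": hex_pattern("8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9"),
    "$c": text_pattern("UVODFRYSIHLNWPEJXQZAKCBGMT"),
}

def match_strings(data, strings=RULE_STRINGS):
    """Return {identifier: [offsets]} for every rule string found in data.
    Strings with no occurrence are left out, mirroring YARA's match output."""
    hits = {}
    for ident, rx in strings.items():
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits

def silent_banker(data):
    """Evaluate the rule's condition `$a or $b or $c`: True if any string is present."""
    return len(match_strings(data)) > 0

def scan_file(path):
    """Scan a file on disk (a dropped sample or a memory dump) and return (matched, hits)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = match_strings(data)
    return (len(hits) > 0, hits)

# Constructed sample buffers (not real malware): sequential filler bytes, with the
# rule's $b hex string embedded at offset 100 in the first one.
FILLER = bytes(range(256)) * 4
SAMPLE_HIT = FILLER[:100] + bytes.fromhex("8D4DB02BC183C027996A4E59F7F9") + FILLER[100:]
SAMPLE_CLEAN = FILLER

if __name__ == "__main__":
    for name, buf in (("SAMPLE_HIT", SAMPLE_HIT), ("SAMPLE_CLEAN", SAMPLE_CLEAN)):
        print(name, "-> silent_banker:", silent_banker(buf), match_strings(buf))
```

In practice the same check is one call in the real engine (`yara.compile(source=...)` then `rules.match(data=...)` with yara-python), but walking through it by hand shows why a single hit on any one string is enough to fire this rule, and why the wildcard lets a hex string survive small byte-level changes in a sample.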

Page 21: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Who's using YARA
• VirusTotal Intelligence (https://www.virustotal.com/intelligence/)
• jsunpack-n (http://jsunpack.jeek.org/)
• We Watch Your Website (http://www.wewatchyourwebsite.com/)
• FireEye, Inc. (http://www.fireeye.com)
• Fidelis XPS (http://www.fidelissecurity.com/network-security-appliance/Fidelis-XPS)

Page 22: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

New Automated Malware Capability Detection System
• CrowdSource: applying machine learning to web technical documents to automatically identify malware capabilities
  – detects debugger-based reversing
  – encrypts / decrypts data
  – provides remote desktop capability
  – steals or modifies cookies
  – mines or steals bitcoins
  – communicates over SMTP
  – has GUI functionality
  – communicates with a database
  – communicates via the IRC protocol
  – logs keystrokes
  – takes screenshots
• Planning to release CrowdSource as an open source tool in November

Page 23: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Conclusion
• The fight against malware is a cat-and-mouse game
• We should:
  – Make use of automated malware analysis
  – Keep up with new techniques
  – Use the simplest method for each scenario

Page 24: Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt

Thank you!