Defense Against the Dark Arts: Malware

Christiaan Beek, McAfee

Posted on 21-Dec-2015



BASICS OF MALWARE: RECAP

• Malware terms & definitions

• Naming conventions

• Online analysis services and tools

• Basic replication & setup

• Sample execution

• Tools


BASICS OF MALWARE: AGENDA

• APTs

• Forensic, Static, and Code analysis

• Continue replication discussion


ADVANCED PERSISTENT THREATS

• Term coined in 2006 by US Air Force analysts

• Describes three aspects of attackers that represent their profile, intent, and structure:

– Advanced – The attacker is fluent with cyber intrusion methods and administrative techniques, and is capable of crafting custom exploits and related tools.

– Persistent – The attacker has an objective (or mission in longer-term campaigns) and works to achieve their goals without detection.

– Threat – The attacker is organized, receives instructions, is sufficiently funded to perform their (sometimes extended) operations, and is motivated.


MALWARE ECONOMY - APT

• Characteristics of an APT:
– Actors
– Motives
– Targets
– Goals

• Actors:
– Terrorists/activists
– Governments
– Organized crime groups
– Competitors
– Malicious insiders/ex-employees


MALWARE ECONOMY - APT

• Motives:
– Money
– Disgruntlement or revenge
– Ideology
– Excitement

• Targets:
– Large corporations
– Governments
– Defense contractors
– Anyone


MALWARE ECONOMY - APT

• Goals:
– Use stealth during the intrusion to avoid detection
– Create backdoors to allow greater access, especially if other access points have been discovered and patched
– Initiate the primary mission:
• Stealing sensitive data
• Monitoring communications
• Disrupting operations
– Leave undetected

INTRODUCING THE ‘APT-KILL-CHAIN’

Step 1: Reconnaissance
Step 2: Weaponization
Step 3: Delivery
Step 4: Exploitation
Step 5: Installation
Step 6: Command and Control
Step 7: Actions on Objectives


CUSTOM/TARGETED MALWARE

• Chinese Gh0st RAT


MALWARE ECONOMY - APT

• RAT used: Zwshell

Pwd: zw.china


MALWARE ECONOMY - APT

• Hidden menu


BASICS OF MALWARE: FORENSIC ANALYSIS

• What is forensic analysis?
– Contextual metadata leading the researcher to this point:
• Customer submission
• Anecdotal details about the attack
• Honeypot
• Association with other threats


LAB

Dynamic analysis


BASICS OF MALWARE: STATIC ANALYSIS

• What is static analysis?
– Sample analysis performed without the benefit of a dynamic execution environment
– Pros?
– Cons?


BASICS OF MALWARE: STATIC ANALYSIS

- Get sample from share called “gimmegimme.zip”

- Extract to desktop

- Did you take your snapshot first?

- Run tools like process-explorer/procmon/fakenet/antispy/flypaper

- Execute the sample

- Investigate what this sample is doing

- What is the purpose of this sample?
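The "investigate what this sample is doing" step usually means reading a Process Monitor trace. The following script is an added example (not part of the course material) that reduces a Procmon CSV export to the questions an analyst asks first: what did the sample write, did it persist, who did it talk to, what did it spawn, and did it remove itself. The CSV rows are constructed for the example in Procmon's "Save as CSV" column layout; they are not a trace of the lab sample, and the process name gimme.exe is invented.

```python
import csv
import io

# Constructed Process Monitor CSV export in Procmon's "Save as CSV" column layout.
# The rows are invented for this example; they are not a trace of the lab sample.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","gimme.exe","1234","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 1300, Command line: cmd /c ping 127.0.0.1"
"10:01:02.5","gimme.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 40,960"
"10:01:02.6","gimme.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"
"10:01:03.0","gimme.exe","1234","TCP Connect","lab-vm:49152 -> 10.0.0.5:443","SUCCESS","Length: 0"
"10:01:03.2","gimme.exe","1234","SetDispositionInformationFile","C:\\Users\\lab\\Desktop\\gimme.exe","SUCCESS","Delete: True"
"10:01:03.3","explorer.exe","800","ReadFile","C:\\Windows\\System32\\shell32.dll","SUCCESS","Offset: 0, Length: 4,096"
"""

# Registry locations that make a value run at logon; matched case-insensitively.
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
NETWORK_OPS = ("TCP Connect", "TCP Send", "UDP Send")


def summarize(csv_text, process_name):
    """Reduce a Procmon trace to the behaviours an analyst asks about first:
    files written, persistence, network activity, child processes, self-deletion."""
    summary = {"files_written": [], "persistence": [], "network": [],
               "child_processes": [], "self_delete": False}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # only the sample's own activity, not background noise
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "WriteFile" and path not in summary["files_written"]:
            summary["files_written"].append(path)
        elif op == "RegSetValue" and any(k in path.lower() for k in RUN_KEYS):
            summary["persistence"].append((path, detail))
        elif op in NETWORK_OPS:
            summary["network"].append(path)
        elif op == "Process Create":
            summary["child_processes"].append(path)
        elif (op == "SetDispositionInformationFile" and "Delete: True" in detail
              and path.lower().endswith("\\" + process_name.lower())):
            summary["self_delete"] = True  # sample marked its own image for deletion
    return summary


def indicators(summary):
    """Turn the summary into the one-line observations that go in a triage note."""
    notes = []
    for path, detail in summary["persistence"]:
        notes.append(f"persistence via Run key: {path} ({detail})")
    if summary["network"]:
        notes.append("outbound connection(s): " + ", ".join(summary["network"]))
    if summary["self_delete"]:
        notes.append("sample deletes its own executable after running")
    for path in summary["files_written"]:
        if "\\appdata\\" in path.lower() and path.lower().endswith(".exe"):
            notes.append(f"drops executable under AppData: {path}")
    return notes


if __name__ == "__main__":
    for line in indicators(summarize(PROCMON_CSV, "gimme.exe")):
        print(line)
```

Filtering on the sample's process name is deliberate: a raw Procmon capture is dominated by Explorer, services and the monitoring tools themselves, so the first pass should only show what the sample did. Anything the sample injected into another process will not appear under its own name and needs a second pass on the target process.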


BASICS OF MALWARE: STATIC ANALYSIS

• Elements of static analysis:
– String analysis
– Binary analysis
– Source analysis


BASICS OF MALWARE: STRING ANALYSIS

0x00001840: 'px.exe'
0x00001850: 'gmfa'
0x00001860: 'G2013\av'
0x00001880: 'G\AV'
0x00001892: 'DosDevices\C:\Arquivos de programas\AV'
0x000018E0: 'vc.exe'
0x000018F0: 'stS'
0x00001900: 'st\Ava'
0x00001910: 'ST Software\Ava'
0x00001932: 'DosDevices\C:\Arquivos de programas\AVA'
…
0x00001F0A: 'ZwDeleteFile'

Reassembled strings:

'DosDevices\C:\Arquivos de programas\AVG\AVG2013\avgmfapx.exe'
'DosDevices\C:\Arquivos de programas\AVAST Software\Avast\AvastSvc.exe'
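The string listing above is what a strings pass produces: printable runs with their file offsets, in this case paths of AVG and Avast binaries next to the native file-deletion API ZwDeleteFile, which together suggest a sample that targets installed security products. The script below is an added example (not the course's tool and not FileInsight) that performs the same extraction for ASCII and UTF-16LE runs and then applies that pairing as a triage rule. The byte buffer is constructed for the example from the slide's strings; the vendor list and API list are illustrative assumptions, not an exhaustive signature.

```python
import re

# Constructed buffer standing in for the sample's data section: the two AV
# product paths and the API name shown on the slide (the latter stored as
# UTF-16LE), padded with non-printable bytes. This is not the real sample.
SAMPLE = (
    b"\x00" * 16
    + b"DosDevices\\C:\\Arquivos de programas\\AVG\\AVG2013\\avgmfapx.exe"
    + b"\x00\x01\x02\x03"
    + b"DosDevices\\C:\\Arquivos de programas\\AVAST Software\\Avast\\AvastSvc.exe"
    + b"\x00\x00\x00"
    + "ZwDeleteFile".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 8
)


def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) for every printable ASCII and UTF-16LE run
    of at least min_len characters, sorted by offset (what `strings -t x` and
    `strings -e l` print, or a hex editor's strings view)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


# Vendor names a sample tampering with security products tends to reference,
# and native/Win32 APIs that delete files. Both lists are illustrative only.
AV_HINTS = ("avg", "avast", "mcafee", "kaspersky", "symantec", "sophos", "defender")
DELETE_APIS = {"ZwDeleteFile", "NtDeleteFile", "DeleteFileA", "DeleteFileW"}


def av_tamper_indicators(strings):
    """Flag a sample whose strings pair security-product install paths with a
    file-deletion API: a static hint that it may try to remove AV binaries."""
    av_paths = [s for _, _, s in strings
                if "\\" in s and any(h in s.lower() for h in AV_HINTS)]
    delete_apis = [s for _, _, s in strings if s in DELETE_APIS]
    return {"av_paths": av_paths, "delete_apis": delete_apis,
            "suspicious": bool(av_paths) and bool(delete_apis)}


if __name__ == "__main__":
    strs = extract_strings(SAMPLE)
    for off, enc, text in strs:
        print(f"0x{off:08X} [{enc}] {text!r}")
    print(av_tamper_indicators(strs))
```

Scanning for UTF-16LE separately matters on Windows samples: paths and API names are often stored wide, and an ASCII-only pass shows them as single characters or misses them entirely, which is how the fragmented listing above comes about in a viewer that splits on fixed-width rows.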


BASICS OF MALWARE: BINARY ANALYSIS

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>
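An embedded manifest like the one above tells you, before the sample ever runs, what privileges it expects: level="requireAdministrator" makes Windows demand UAC elevation and refuse to start the program without it. The script below is an added example (not course material) that pulls the manifest out of a binary with a simple byte scan and reports the requested execution level regardless of which asm.vN namespace the element was declared in. The surrounding "PE" bytes are a constructed stand-in; a real manifest lives in an RT_MANIFEST resource, and the scan is a triage shortcut rather than a PE resource parser.

```python
import re
import xml.etree.ElementTree as ET

# The manifest from the slide, embedded in a constructed stand-in for a PE file
# (a DOS header stub and filler around the XML). Not a real binary.
MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>"""
FAKE_PE = b"MZ" + b"\x90" * 64 + b".rsrc\x00" + MANIFEST + b"\x00" * 32

# Byte-scan for the manifest XML; the declaration is optional because some
# manifests omit it. A resource-table walk would be the thorough approach.
MANIFEST_RE = re.compile(rb"(?:<\?xml[^>]*\?>\s*)?<assembly\b.*?</assembly>", re.DOTALL)

# What each level means at launch on a system with UAC enabled.
LEVEL_MEANING = {
    "asInvoker": "runs with the caller's token; no elevation prompt",
    "highestAvailable": "prompts for elevation only if the user is an administrator",
    "requireAdministrator": "always requests elevation; refuses to start without it",
}


def extract_manifest(data):
    """Return the first embedded manifest XML (bytes), or None if there is none."""
    m = MANIFEST_RE.search(data)
    return m.group(0) if m else None


def requested_execution_level(manifest_xml):
    """Return (level, uiAccess) from requestedExecutionLevel, ignoring the
    namespace the element was declared in; (None, None) if it is absent."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level"), elem.get("uiAccess", "false")
    return None, None


def assess(data):
    """Triage summary: does the binary carry a manifest, and what does it ask for?"""
    manifest = extract_manifest(data)
    if manifest is None:
        return {"has_manifest": False}
    level, ui = requested_execution_level(manifest)
    return {"has_manifest": True, "level": level, "uiAccess": ui,
            "meaning": LEVEL_MEANING.get(level, "unknown level"),
            "wants_admin": level == "requireAdministrator"}


if __name__ == "__main__":
    print(assess(FAKE_PE))
```

A sample that demands administrator rights and also references security-product paths is worth prioritising: the manifest says it intends to operate at a privilege level where those binaries can be touched, which is a stronger signal than either observation alone.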


BASICS OF MALWARE: SOURCE ANALYSIS

• AutoIT

• Keytools CHM decompiler

• DJ Java Decompiler

• dotPeek .NET decompiler


LAB

Use Forensic Information to Rate Sample


BASICS OF MALWARE: STRING ANALYSIS LAB

• Right-click flypaper.exe and choose SendTo->FileInsight


BASICS OF MALWARE: STRING ANALYSIS LAB

• Open Sample 1 in FileInsight

• Use the tool to decode Sample 1 and extract strings

• Take 20 minutes
– Using string analysis, what can be said about these 3 samples?
• Class2\Labs\Lab1\Strings\Sample 1
• Class2\Labs\Lab1\Strings\Sample 2
• Class2\Labs\Lab1\Strings\Sample 3
– How would you prioritize these samples for further research? Why?


BASICS OF MALWARE: BINARY ANALYSIS LAB

• Use FileInsight and investigate the following samples

• For each sample, what type of file is it? How would you replicate it? What dependencies would you expect?

– Class2\Labs\Lab1\Binary\Sample 1
– Class2\Labs\Lab1\Binary\Sample 2
– Class2\Labs\Lab1\Binary\Sample 4


[email protected]