Malware analysis as a hobby (Owasp Göteborg)

Malware Analysis as a Hobby
Michael Boman - Security Consultant/Researcher, Father of 5

Why the strange hobby?

The manual way
1. Start virtual environment
2. Copy sample
3. Start logging facilities
4. Execute sample
5. Stop logging facilities
6. Analyze logs

Drawbacks
• Time consuming
• Boring in the long run (not all malware are created equal)

Choose any two…
Cheap / Fast / Good

Choose any two? Why not all of them?
I can do it cheaply (hardware and license cost-wise); human time not included.
I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
I get pretty good results (quality); where the system lacks, I can compensate for its shortcomings.
Cheap / Fast / Good

Automate
Engineer yourself out of the workflow
Automate everything!

Birth of the MART Project
Malware Analyst Research Toolkit

Components
Sample Acquisition
• Public & Private Collections
• Exchange with other malware analysts
• Finding and collecting malware yourself
  • Download files from the web
  • Grab attachments from email
  • Feed BrowserSpider with links from your SPAM-folder

BrowserSpider
• Written in Python
• Uses the Selenium framework to control REAL browsers
• Flash, PDFs, Java applets etc. execute as normal
• All the browser bugs exist for real
• Spiders and follows all links seen

Sample Analysis
• Cuckoo Sandbox
• VirusTotal

A day's work for a Cuckoo
1. Fetch a task
2. Prepare the analysis
3. Launch the analyzer in a virtual machine
4. Execute an analysis package
5. Complete the analysis
6. Store the result
7. Process and create reports
DEMO: Submit sample for analysis
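The submit-and-wait loop behind the demo, as an added example that is not code from the talk or from the Cuckoo project: it drives Cuckoo's REST API (api.py) through the /tasks/create/file, /tasks/view/<id> and /tasks/report/<id> endpoints. The API base URL, the poll interval and the injectable transport/clock are assumptions of this example; check the endpoint paths against the Cuckoo version you run.

```python
import json
import time
import urllib.request
import uuid

API = "http://localhost:8090"  # assumed default bind address of Cuckoo's api.py


def build_multipart(filename, data, fields):
    """Encode the sample and extra form fields as multipart/form-data."""
    boundary = uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                 f"\r\n\r\n{value}\r\n").encode()
    body += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
             f'filename="{filename}"\r\nContent-Type: application/octet-stream'
             "\r\n\r\n").encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def http_json(url, data=None, content_type=None):
    """Default transport: one HTTP request, response decoded as JSON."""
    req = urllib.request.Request(url, data=data)
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def submit_and_wait(filename, data, api=API, timeout=120, poll=5,
                    transport=http_json, clock=time.sleep):
    """Create a task, poll it until the report exists, then fetch the report.
    `transport` and `clock` are injectable so the flow can be exercised offline."""
    ctype, body = build_multipart(filename, data, {"timeout": str(timeout)})
    task_id = transport(f"{api}/tasks/create/file", body, ctype)["task_id"]
    failed = {"failed_analysis", "failed_processing", "failed_reporting"}
    while True:
        status = transport(f"{api}/tasks/view/{task_id}")["task"]["status"]
        if status == "reported":
            return task_id, transport(f"{api}/tasks/report/{task_id}")
        if status in failed:
            raise RuntimeError(f"task {task_id} ended with status {status}")
        clock(poll)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        tid, report = submit_and_wait(sys.argv[1], fh.read())
    print(tid, len(report.get("signatures", [])), "signatures matched")
```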
Sample Reporting
Results are stored in MongoDB (optional, highly recommended)
Accessed using an analyst GUI
Data Mining

Where Virtual Machine analysis fails
And what to do about it

Problems
• Cuckoo is easily bypassed
• User-detection
• Sleeping malware

Problems
• VM or Sandbox detection
• The guest OS might not be sufficient
• Any multistage attack

Iterating automation
Sort out clearly non-malicious and obviously malicious samples
Divide the samples into categories
Do brief static analysis
• Known Good
• Known Bad
• Unknown

Iterating automation
• Does not do anything
• Detects environment
• Encrypted segments
• Failed execution

Iterating automation
• Run longer
• Environment customization
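The sorting loop on these three slides, as an added example that is not part of the talk or the MART project: it buckets a summarised report into Known Good / Known Bad / Unknown and, for Unknown samples, names the category from the slides and the next automation step. The report fields, the hash lists, the thresholds and the category-to-action mapping are constructed assumptions of this example.

```python
import math
from collections import Counter

# Constructed allow/block lists standing in for the real hash collections.
KNOWN_GOOD = {"0" * 64}
KNOWN_BAD = {"f" * 64}

# Thresholds below are assumptions for the demo, not values from the talk.
MIN_API_CALLS, MIN_RUNTIME_S, PACKED_ENTROPY = 50, 30, 7.0


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means packed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(report: dict) -> dict:
    """Bucket one sample as Known Good / Known Bad / Unknown; for Unknown,
    name the failure category from the slides and the next automation step.
    The category-to-action mapping is my reading of the slides, not theirs."""
    sha = report["sha256"]
    if sha in KNOWN_GOOD:
        return {"bucket": "Known Good"}
    if sha in KNOWN_BAD:
        return {"bucket": "Known Bad"}
    packed = [s for s, blob in report["sections"].items()
              if entropy(blob) > PACKED_ENTROPY]
    sigs = report["signatures"]
    if report["exit_status"] != "ok":
        cat, action = "Failed execution", "Environment customization"
    elif any(s.startswith(("antivm", "antisandbox")) for s in sigs):
        cat, action = "Detects environment", "Environment customization"
    elif report["api_calls"] < MIN_API_CALLS and report["runtime"] < MIN_RUNTIME_S:
        cat, action = "Does not do anything", "Run longer"
    elif packed:
        cat, action = "Encrypted segments", "Run longer"
    else:
        cat, action = "Uncategorized", "Manual analysis"
    return {"bucket": "Unknown", "category": cat, "next_action": action,
            "packed_sections": packed}


# Constructed report in the shape of a summarised Cuckoo result.
SAMPLE_REPORT = {
    "sha256": "a" * 64, "signatures": ["antivm_vbox_keys"], "api_calls": 12,
    "runtime": 4, "exit_status": "ok",
    "sections": {".text": bytes(range(64)) * 4, ".rsrc": bytes(range(256))},
}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```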

Budget
• Computer: €520
• MSDN License: €800 (€590 renewal)
• Year 1: €1320
• Year N: €590
• Money saved from stopped smoking (yearly): €2040
Malware Lab

MART Hardware (overview)
MART Hardware (mounts)
MART Hardware (HDD)
MART Hardware (SSD)

Next steps
• Barebone on-the-iron malware analysis
• Android platform support
• OSX platform support
• iOS platform support

Proof of Concept hardware
• Arduino Duemilanove
• Ethernet Shield
• Prototype Shield
• Arduino 4-Channel Relay Shield

Questions?
Michael Boman
[email protected]
http://michaelboman.org
@mboman
Michael [email protected]
http://www.2secure.se