
Defense Against the Dark Arts

MALWARE

Defense Against The Dark Arts

Christiaan Beek, McAfee


BASICS OF MALWARE: RECAP

• Malware terms & definitions

• Naming conventions

• Online analysis services and tools

• Basic replication & setup

• Sample execution

• Tools


BASICS OF MALWARE: AGENDA

• APTs

• Forensic, Static, and Code analysis

• Continue replication discussion


ADVANCED PERSISTENT THREATS

• Term created in 2006 by US Air Force analysts

• Describes three aspects of attackers that represent their profile, intent, and structure:

– Advanced – The attacker is fluent with cyber intrusion methods and administrative techniques, and is capable of crafting custom exploits and related tools.

– Persistent – The attacker has an objective (or mission in longer-term campaigns) and works to achieve their goals without detection.

– Threat – The attacker is organized, receives instructions, is sufficiently funded to perform their (sometimes extended) operations, and is motivated.

MALWARE ECONOMY - APT

• Characteristics of an APT:
– Actors
– Motives
– Targets
– Goals

• Actors:
– Terrorists/activists
– Governments
– Organized crime groups
– Competitors
– Malicious insiders/ex-employees

MALWARE ECONOMY - APT

• Motives:
– Money
– Disgruntlement or revenge
– Ideology
– Excitement

• Targets:
– Large corporations
– Governments
– Defense contractors
– Anyone

MALWARE ECONOMY - APT

• Goals:
– Use stealth during intrusion to avoid detection
– Create backdoors to allow greater access, especially if other access points have been discovered and patched
– Initiating the primary mission:
• Stealing sensitive data
• Monitoring communications
• Disrupting operations
– Leaving undetected

INTRODUCING THE ‘APT-KILL-CHAIN’

Start

Step 1 – Reconnaissance

Step 2 – Weaponization

Step 3 – Delivery

Step 4 – Exploitation

Step 5 – Installation

Step 6 – Command and Control

Step 7 – Actions on Objectives


CUSTOM/TARGETED MALWARE

• Chinese Gh0st RAT


MALWARE ECONOMY - APT

• RAT used: Zwshell

Pwd: zw.china


MALWARE ECONOMY - APT

• Hidden menu


BASICS OF MALWARE: FORENSIC ANALYSIS

• What is forensic analysis?
– Contextual metadata leading the researcher to this point:
• Customer submission
• Anecdotal details about the attack
• Honeypot
• Association with other threats


LAB

Dynamic analysis


BASICS OF MALWARE: STATIC ANALYSIS

• What is static analysis?
– Sample analysis performed without the benefit of a dynamic execution environment
– Pros?
– Cons?


BASICS OF MALWARE: STATIC ANALYSIS

- Get sample from share called “gimmegimme.zip”

- Extract to desktop

- Did you have your snapshot made?

- Run tools like process-explorer/procmon/fakenet/antispy/flypaper

- Execute the sample

- Investigate what this sample is doing

- What is the purpose of this sample?


BASICS OF MALWARE: STATIC ANALYSIS

• Elements of static analysis?
– String analysis
– Binary analysis
– Source analysis


BASICS OF MALWARE: STRING ANALYSIS

0x00001840: 'px.exe'
0x00001850: 'gmfa'
0x00001860: 'G2013\av'
0x00001880: 'G\AV'
0x00001892: 'DosDevices\C:\Arquivos de programas\AV'
0x000018E0: 'vc.exe'
0x000018F0: 'stS'
0x00001900: 'st\Ava'
0x00001910: 'ST Software\Ava'
0x00001932: 'DosDevices\C:\Arquivos de programas\AVA'
…
0x00001F0A: 'ZwDeleteFile'

Reassembled from the fragments above:

'DosDevices\C:\Arquivos de programas\AVG\AVG2013\avgmfapx.exe'
'DosDevices\C:\Arquivos de programas\AVAST Software\Avast\AvastSvc.exe'
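The string dump above is what a tool like FileInsight produces; the following added example (not part of the course material) does the same job in Python: it walks a byte blob for printable runs, prints them with their file offsets, and flags the kinds of indicators seen in this sample (NT object paths, AV product directories, native Zw* API names). The sample bytes are constructed to mimic the slide's strings, not taken from the lab sample.

```python
"""Extract printable ASCII strings with offsets and triage them for
anti-AV indicators. Added example; the SAMPLE bytes are constructed."""
import re
from typing import List, Tuple

# Constructed stand-in for the lab sample: padding around the kinds of strings
# seen in the dump (AV install paths under a Portuguese 'Arquivos de programas'
# folder, the \DosDevices\ NT path prefix, and a native Zw* API name).
SAMPLE = (
    b"\x00" * 16
    + b"\\DosDevices\\C:\\Arquivos de programas\\AVG\\AVG2013\\avgmfapx.exe\x00"
    + b"\x01\x02\x03"
    + b"\\DosDevices\\C:\\Arquivos de programas\\AVAST Software\\Avast\\AvastSvc.exe\x00"
    + b"\xff" * 8
    + b"ZwDeleteFile\x00"
    + b"ab\x00"  # too short to be reported as a string
)

# Triage rules: lower-cased substring -> why an analyst should care
INDICATORS = {
    "\\dosdevices\\": "NT object path: file access via the native API",
    "zwdeletefile": "native file-deletion API, bypasses the Win32 layer",
    "avg": "names an AV product install path",
    "avast": "names an AV product install path",
}

def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, string) for every printable ASCII run of >= min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def triage(strings: List[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Return (offset, string, reason) for each indicator match; a string
    that matches several rules appears once per rule."""
    hits = []
    for off, s in strings:
        low = s.lower()
        for needle, reason in INDICATORS.items():
            if needle in low:
                hits.append((off, s, reason))
    return hits

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for off, s in found:
        print(f"0x{off:08X}: {s!r}")
    print("--- indicators ---")
    for off, s, reason in triage(found):
        print(f"0x{off:08X}: {s!r}  <- {reason}")
```

Together, a deletion API next to full paths of two AV engines is the observation that lets you rate this sample as hostile before ever running it.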


BASICS OF MALWARE: BINARY ANALYSIS

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>
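The manifest above is the kind of artifact binary analysis turns up inside a PE resource section. As an added example (not course code), the Python below locates an embedded manifest in raw file bytes and reports the requested execution level, so that "requireAdministrator" can be recorded as a triage fact without running the sample. The file bytes are constructed around a copy of the slide's manifest.

```python
"""Find an embedded application manifest and report its requestedExecutionLevel.
Added example; FAKE_FILE is a constructed blob, not a real PE."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Copy of the slide's manifest, with the XML declaration intact
MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
 <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
  <ms_asmv2:security>
   <ms_asmv2:requestedPrivileges>
    <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
   </ms_asmv2:requestedPrivileges>
  </ms_asmv2:security>
 </ms_asmv2:trustInfo>
</assembly>"""

# Constructed stand-in for a PE: header bytes, padding, manifest, trailing data
FAKE_FILE = b"MZ" + b"\x00" * 64 + MANIFEST + b"\x00" * 8

# trustInfo may live in asm.v2 (as on the slide) or asm.v3 in other binaries
NAMESPACES = ("urn:schemas-microsoft-com:asm.v2", "urn:schemas-microsoft-com:asm.v3")

MEANING = {
    "asInvoker": "runs with the launching user's token, no UAC prompt",
    "highestAvailable": "elevates if the user is an admin, else runs unelevated",
    "requireAdministrator": "refuses to run unelevated; always triggers UAC",
}

def find_manifest(data: bytes) -> Optional[bytes]:
    """Return the first <assembly ...>...</assembly> blob in raw bytes, or None."""
    start = data.find(b"<assembly")
    if start < 0:
        return None
    end = data.find(b"</assembly>", start)
    if end < 0:
        return None
    return data[start:end + len(b"</assembly>")]

def execution_level(manifest: bytes) -> Optional[Tuple[str, str]]:
    """Return (level, uiAccess) from requestedExecutionLevel, or None if absent."""
    root = ET.fromstring(manifest)
    for ns in NAMESPACES:
        el = root.find(".//{%s}requestedExecutionLevel" % ns)
        if el is not None:
            return el.get("level", ""), el.get("uiAccess", "false")
    return None

if __name__ == "__main__":
    blob = find_manifest(FAKE_FILE)
    level, ui = execution_level(blob)
    print(f"level={level} uiAccess={ui}: {MEANING.get(level, 'unknown level')}")
```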


BASICS OF MALWARE: SOURCE ANALYSIS

• AutoIT

• Keytools CHM decompiler

• DJJavaDecompiler

• dotPeek .NET decompiler


LAB

Use Forensic Information to Rate Sample


BASICS OF MALWARE: STRING ANALYSIS LAB

• Right-click flypaper.exe and choose SendTo->FileInsight


BASICS OF MALWARE: STRING ANALYSIS LAB

• Open Sample 1 in FileInsight

• Use the tool to decode Sample 1 and extract strings

• Take 20 minutes
– Using string analysis, what can be said about these 3 samples?
• Class2\Labs\Lab1\Strings\Sample 1
• Class2\Labs\Lab1\Strings\Sample 2
• Class2\Labs\Lab1\Strings\Sample 3
– How would you prioritize these samples for further research? Why?


BASICS OF MALWARE: BINARY ANALYSIS LAB

• Use FileInsight and investigate the following samples

• For each sample, what type of file is it? How would you replicate it? What dependencies would you expect?

– Class2\Labs\Lab1\Binary\Sample 1
– Class2\Labs\Lab1\Binary\Sample 2
– Class2\Labs\Lab1\Binary\Sample 4
