Malware Reverse Engineering Process

Presentation transcript:

Malware Reverse Engineering Process

1. Acquire Malware Specimen
2. Automated Reverse Engineering
3. Review Automated RE Report
4. Manual Reverse Engineering
5. Document Findings

Specimen sources: Physical Memory, Remote Memory Snapshot, Live REcon Session, Static Binary, Forensic Binary Journal.

Responder Pro 2.0 with Digital DNA: the report contains suspicious behaviors and malicious characteristics exhibited by the code, ranked by severity. If needed, an analyst can examine the suspicious code objects and conduct additional reverse engineering.

The analyst documents findings in the malware report: Processes and Drivers, Loaded Modules, Network Socket Info, Passwords, Encryption Keys, Decrypted files, Order of execution, Runtime State Information, Rootkits, Configuration Information, Logged in Users, NDIS buffers, Open Files, Unsaved Documents, Live Registry, Video Buffers (screen shots), BIOS Memory, VOIP Phone calls, Instant Messenger chat.

Goal: gain the lowest level of diagnostic visibility in order to detect unknown malware and malicious behaviors. To obtain our goal we created the latest advances in memory forensics & reverse engineering technology. The result was Digital DNA.

HBGary Malware Reverse Engineering Process Version 0.1

1. Acquire Malware Specimen

Create a Responder project, a container for all the files necessary to analyze, annotate and interpret a memory image or static binary.

Malware specimens can be analyzed using Responder Pro 2.0 from:
1. Physical Memory Snapshot (virtual machine infection or regular host infection)
2. Live REcon Session in a virtual machine
3. Live REcon Session on a regular host
4. Static Disassembly Analysis
5. Combinations of 1 - 4

2. Automated Reverse Engineering

Responder 2.0 with Digital DNA automatically reverse engineers the malware specimen. Live REcon launches the malware safely in a virtual machine, executes the code, and creates a forensic binary journal for analysis in Responder Pro. Responder automatically scans for suspicious behavior and adds this to the Report Tab, ranked by severity.

3. Review Automated RE Report

The Report Tab stores the human-readable results of an analysis and allows the user to quickly create report items from interesting pieces of data. It identifies any SDT (System Descriptor Table) entries that contain hooks and any IDT entries that contain hooks. Results in the Report Tab are ranked by severity.
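The hook check the Report Tab performs on SDT and IDT entries comes down to one question per slot: does the handler address fall inside a kernel module that should own it? The following is an added example, not HBGary's or Responder's code: it models a reconstructed table as a list of target addresses, resolves each target against the address ranges of the loaded kernel modules, and ranks the resulting findings by severity the way the Report Tab does. The module names, base addresses, the "suspect.sys" driver, the expected-owner sets and the severity scores are all constructed for the example.

```python
"""Added example: flag SDT/IDT entries whose handler lies outside the kernel
modules expected to own them, then rank the findings by severity.
Constructed model, not HBGary/Responder code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded kernel module as reconstructed from a memory image."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Finding:
    table: str      # "SDT" or "IDT"
    index: int      # slot in the table
    target: int     # address the slot points to
    owner: str      # module that backs the target, or "<unknown>"
    severity: int   # 0-100, higher is worse (constructed scale)


# Constructed module list: the names are real Windows components, but the
# base addresses and sizes are made up, and suspect.sys is fictional.
MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x00200000),
    Module("hal.dll", 0x80600000, 0x00020000),
    Module("win32k.sys", 0xBF800000, 0x00180000),
    Module("suspect.sys", 0xF7A00000, 0x00010000),  # constructed third-party driver
]

# Assumption: which modules legitimately own entries in each table.
EXPECTED_OWNERS = {
    "SDT": {"ntoskrnl.exe", "win32k.sys"},
    "IDT": {"ntoskrnl.exe", "hal.dll"},
}


def owner_of(addr: int, modules) -> str:
    """Name of the module whose image range contains addr."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return "<unknown>"


def severity_for(table: str, owner: str) -> int:
    """Constructed severity scale for the owner of a table entry."""
    if owner == "<unknown>":
        return 90   # handler in memory no listed module backs: hidden code
    if owner not in EXPECTED_OWNERS[table]:
        return 60   # a visible but unexpected driver took over the slot
    return 0        # owned by an expected module: not reported


def find_hooks(table: str, entries, modules=MODULES):
    """Return a Finding for every hooked entry, highest severity first."""
    findings = []
    for index, target in enumerate(entries):
        owner = owner_of(target, modules)
        sev = severity_for(table, owner)
        if sev:
            findings.append(Finding(table, index, target, owner, sev))
    return sorted(findings, key=lambda f: (-f.severity, f.index))


def report_rows(findings):
    """Human-readable lines in the style of severity-ranked report items."""
    return [f"[{f.severity:3d}] {f.table}[{f.index}] -> {f.target:#010x} ({f.owner})"
            for f in findings]


# Constructed SDT: slots 3 and 4 are hooked, the rest point into ntoskrnl.
SAMPLE_SDT = [0x80410000, 0x80410100, 0x80410200,
              0xF7A00100, 0xF9000000, 0x80410300]

if __name__ == "__main__":
    for line in report_rows(find_hooks("SDT", SAMPLE_SDT)):
        print(line)
```

The unknown-owner case is scored highest because a handler that no listed module backs means the code running in the kernel is not accounted for by the module list, which is the rootkit pattern the Report Tab is built to surface; a slot owned by a visible third-party driver is lower severity because it still needs an analyst to decide whether the driver is legitimate.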

4. Manual Reverse Engineering

Responder Pro 2.0 provides analysts with a framework and logical workflow for malware reverse engineering. Using the Object Tab as a guide, the analyst performs manual reverse engineering to answer questions about the malware's behavior in six areas:
- Malware installation & deployment factors
- Communication factors
- Information security factors
- Defensive factors
- Development factors
- Command & control factors

4. Manual Reverse Engineering (cont.)

Development Factors
- In what country was the malware created?
- Was it professionally developed?
- Are there multiple versions?
- Is there a platform involved?
- Is there a toolkit involved?
- Are there multiple parts developed by different groups or developers?

Communication Factors
- Where does it connect to on the Internet? Drop points, update sites, C&C, IP addresses or DNS names, incoming or outbound connections?
- Does it use encryption?
- Does it use steganography?

Command & Control Factors
- How is the malware controlled by its master?
- Do commands come from a cutout site?
- What commands are supported? Sniffing, logging, search file system, attack, poison pill (self-destruct)?

Installation & Deployment Factors
- Does it use the registry?
- Does it drop any files?
- Autorun.inf? USB? Open shares?
- Does it sleep and awaken later?
- JavaScript? Flash?
- Infection point / attack vector

Defensive Factors
- Signs of packing or obfuscation
- AV sabotage
- Does it have self-defense?
- Does it use rootkit techniques / stealth?
- Does it bypass the operating system?

Information Security Factors
- Identify the risks associated with the binary
- What does it steal? Does it sniff keystrokes, passwords, two-factor authentication tokens?
- Can it destroy data?
- Can it alter or inject data?
- Does it download additional tools?
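Several of the factor questions above (registry use, network connections, anti-debugging, signs of packing) leave static evidence in a specimen's import table and section byte distribution before any code is run. The following added example, not part of the original presentation, sorts such evidence into the same factor categories so an analyst starts the manual pass with a list of leads per factor. The API-to-factor mapping, the entropy and import-count thresholds, and the sample specimen's imports and section bytes are assumptions constructed for illustration; the Win32 API names themselves are real.

```python
"""Added example: sort static evidence from a specimen into the manual-RE
factor categories. Not HBGary/Responder code; the API mapping, thresholds
and sample specimen are constructed for illustration."""
import math
import random
from collections import defaultdict

# Assumption: Win32 imports that hint at each factor. The API names are
# real, but which ones matter for a given specimen is an analyst's call.
API_FACTORS = {
    "Installation & Deployment": {"RegSetValueExA", "RegSetValueExW",
                                  "RegCreateKeyExA", "CreateServiceA",
                                  "CopyFileA", "Sleep"},
    "Communication": {"WSAStartup", "connect", "send", "recv",
                      "gethostbyname", "InternetOpenUrlA", "HttpSendRequestA"},
    "Command & Control": {"CreateProcessA", "WinExec", "ShellExecuteA",
                          "CreatePipe"},
    "Defensive": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                  "NtQueryInformationProcess", "OutputDebugStringA"},
    "Information Security": {"GetAsyncKeyState", "SetWindowsHookExA",
                             "ReadProcessMemory", "CryptEncrypt",
                             "FindFirstFileA"},
}

PACKED_ENTROPY = 7.0   # assumption: bits/byte above which a section looks packed
FEW_IMPORTS = 5        # assumption: fewer imports than this suggests a packer stub


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(imports, sections):
    """Map imports and per-section bytes to factor categories.

    imports: iterable of imported API names; sections: dict name -> bytes.
    Returns {factor: [evidence line, ...]} containing only factors with evidence.
    """
    imports = list(imports)
    evidence = defaultdict(list)
    for api in imports:
        for factor, apis in API_FACTORS.items():
            if api in apis:
                evidence[factor].append(f"imports {api}")
    for name, data in sections.items():
        h = shannon_entropy(data)
        if h >= PACKED_ENTROPY:
            evidence["Defensive"].append(
                f"section {name} entropy {h:.2f} (possible packing/obfuscation)")
    if len(imports) < FEW_IMPORTS:
        evidence["Defensive"].append(
            f"only {len(imports)} imports (possible packer stub / dynamic resolution)")
    return dict(evidence)


# Constructed sample specimen: a repetitive code section, a high-entropy
# section named like a packer's, and a handful of imports.
_rng = random.Random(1)
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec\xc3" * 256,                        # plain, repetitive bytes
    "UPX1": bytes(_rng.getrandbits(8) for _ in range(4096)),   # looks compressed
}
SAMPLE_IMPORTS = ["WSAStartup", "connect", "RegSetValueExA",
                  "IsDebuggerPresent", "GetAsyncKeyState",
                  "CreateFileA", "CloseHandle"]

if __name__ == "__main__":
    for factor, lines in triage(SAMPLE_IMPORTS, SAMPLE_SECTIONS).items():
        print(factor)
        for line in lines:
            print("  -", line)
```

The output is a starting point, not an answer: an import of `connect` says the communication factor is worth a look, and a 7.9-bit section says the defensive factor is, but which host it connects to and what the packed code does are exactly the questions the slide leaves to the analyst's manual pass in Responder.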

4. Manual Reverse Engineering (cont.)

3. Responder Pro 2.0 provides an organized view into malware behavior and traits through its panels:
- Interrupt Descriptor Table Panel
- Network Sockets Panel
- Registry Keys Panel
- Drivers Panel
- Keys & Passwords Panel
- Processes Panel
- System Descriptor Tables Panel

4. The Responder Canvas tool provides graphical representations of code and data so an analyst can rapidly identify relationships and view the control flow of modules, program dependencies and interactions.

5. Document Findings

The analyst documents the malware in the Report Tab: Processes and Drivers, Loaded Modules, Network Socket Info, Passwords, Encryption Keys, Decrypted files, Order of execution, Runtime State Information.

Reports can be exported in several formats: Adobe PDF, Microsoft Excel (XLS), comma-separated value file (CSV), HTML page, text file, Rich Text Format file (RTF). Results are incorporated into a formal deliverable.