Malware Identification and Classification


Malware Identification and Classification with Yara & Python. CarolinaCon 7. Michael Goffin, @mjxg, http://www.mgoff.in

Hey sir! Why hello there!! Rochester Institute of Technology, Computer Science House. Information Security Scientist/Engineer.

What’s in store? Malware; Yara; Python; identification and classification of malware; showing it all off; QQ session.

Malware! Sonofa...

Methods of acquisition: downloads; compromised website content (ex: images); attachments; links to compromised site content.

You’ve been infiltrated! Things to note: you don’t know it yet, and might not for a while; you don’t know the scope of it; you don’t know the severity of it; but you eventually see something…

Start the cycle!

Management wants answers!

What do you do next? Go into a panic! Oh no! We should remove the known compromised host(s) from the network! We should assess the compromise… somehow! Oh geez, might be good to change passwords; let’s just have everyone do it, just in case! We need to go through logs and other hosts for signs of lateral movement; wait, what are we looking for? Can we make firewall rules to block any IPs or domains? Do we have any AV or IDS appliances?

Most importantly You did get a copy of the malware to analyze, right? …Right?

Get better at data mining! Who is interested in this user or your company? What are they trying to do with this malware (and what are they exploiting)? When did this malware come in? Where did it come from, and where did it go to? Why are they after your company, or this user? How does this malware help them accomplish their goals?

What do we do with all the data? Build a classification database over time! Identify trends; find commonalities.

Lots of action, now what?

Enter Yara

What does Yara do? Identify and classify malware samples based on textual or binary patterns contained within those samples.

How does it do it? Pretty basic: search for patterns; use defined conditions to determine if the patterns are a positive match; output matching rule content for consumption.

Yara and Python
Step 1: % python
Step 2:
> import yara
> rules = yara.compile(signatures)    # signatures: path to a rule file; compiles the rule set
> matches = rules.match(filetoscan)   # filetoscan: path of the file to scan; returns the matching rules
Step 3: profit

As the old saying goes… If it walks like a duck… And it quacks like a duck… It’s probably the DHA installing backdoors and keyloggers while xfil’ing your data.

Identification Can we tease out specific characteristics about this piece of malware that can describe it both from a functional and fashionable perspective? What does it attempt to touch? What does it attempt to modify? Is this type of malware stylish? Etc.

Identification: Are there any quantitative or qualitative datasets about this malware that can help further describe its nature? Functions used in other malware; code style similar to other malware; IPs or domains used; specific targets (files, processes, etc.); end result of successful execution.

Classification questions [1]: Does an unknown malware instance belong to a known malware family, or does it constitute a novel malware strain? What behavioral features are discriminative for distinguishing instances of one malware family from those of other families? Compare these to our identification.

Strains: Trojan, rootkit, backdoor, xfil (exfiltration), worms, ransomware, keylogger.

Build signatures: generate conditions; build rules for those conditions; compile rules into a signature set; develop a process to scan files using those signature sets; generate alerts; set human response expectations for these alerts!!

What a rule looks like:
    rule foo
    {
        meta:
            key = "value"
        strings:
            $variable = "something"
        condition:
            logic_for_determining_positive_rule_match
    }
Meta entries and string definitions use "="; the condition section is the only one a rule must have.

Conditions. Some basic condition examples: a string or value exists; a set of strings or values exists; strings or values at certain offsets exist; the number of times a string or value occurs; file size restriction.
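The condition types listed above, carried through in a worked example. This is an editor-added example, not code from the talk or from the Yara project: the rule text is a hypothetical rule written for illustration (rule name, string names and the API/URL indicators are assumptions), and the two sample buffers are constructed, not real malware. The evaluator re-implements the five condition kinds (string at an offset, N of a set, occurrence count, file size, and the overall boolean) in plain Python so it runs without yara-python; match_with_yara() runs the identical rule text through yara-python when that module is installed.

```python
"""Worked example of Yara condition types (editor's example, not the talk's code)."""
import re

# Hypothetical rule in real Yara syntax. Names and indicators are assumptions.
RULE = r'''
rule example_dropper
{
    meta:
        author = "editor (example)"
        description = "PE with process-injection APIs, a callback URL, small size"
    strings:
        $mz   = "MZ"
        $api1 = "VirtualAllocEx"
        $api2 = "WriteProcessMemory"
        $api3 = "CreateRemoteThread"
        $url  = /https?:\/\/[a-z0-9.-]+\/[a-z0-9_]+\.php/
    condition:
        $mz at 0 and 2 of ($api*) and #url >= 1 and filesize < 2MB
}
'''

# The same indicators as Python values, for the plain-Python evaluator below.
API_STRINGS = [b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread"]
URL_RE = re.compile(rb"https?://[a-z0-9.-]+/[a-z0-9_]+\.php")
MAX_SIZE = 2 * 1024 * 1024  # Yara's "2MB"

# Constructed sample buffers (not real malware).
SAMPLE_HIT = (b"MZ" + b"\x90" * 64
              + b"WriteProcessMemory\x00CreateRemoteThread\x00"
              + b"http://updates.example/gate.php\x00")
SAMPLE_MISS = b"MZ" + b"\x90" * 64 + b"VirtualAllocEx\x00"  # one API, no URL


def find_all(data: bytes, needle: bytes) -> list:
    """Offsets of every (overlapping) occurrence of needle in data."""
    offsets, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def evaluate(data: bytes) -> dict:
    """Evaluate each clause of RULE's condition and the overall verdict."""
    clauses = {
        # "$mz at 0": a string must occur at a fixed offset
        "mz_at_0": 0 in find_all(data, b"MZ"),
        # "2 of ($api*)": at least N strings out of a set must be present
        "two_of_api": sum(1 for s in API_STRINGS if s in data) >= 2,
        # "#url >= 1": number of times a string/regex occurs
        "url_count_ok": len(URL_RE.findall(data)) >= 1,
        # "filesize < 2MB": file size restriction
        "size_ok": len(data) < MAX_SIZE,
    }
    # The condition is the conjunction of the clauses above.
    clauses["match"] = all(clauses.values())
    return clauses


def match_with_yara(data: bytes):
    """Run the same rule text through yara-python if installed, else None."""
    try:
        import yara  # pip install yara-python
    except ImportError:
        return None
    rules = yara.compile(source=RULE)
    return [m.rule for m in rules.match(data=data)]


if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, evaluate(buf), "yara:", match_with_yara(buf))
```

Each clause is reported separately so that a rule that stops firing on a new variant shows which indicator the author changed (a renamed callback script, a repacked binary that crosses the size bound) instead of a bare false.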

Let’s see Yara in action!

How to incorporate Yara: web downloads; web content (urllib); email attachments; honeypots; grab files from AV and IDS appliances to scan!

Why Yara? A supplement to additional applications (Snort, AV, detonation chambers). An MD5 of known malware is only good if the exact same file is seen again. Detect future malware with similar identifiers that AV or IDS might not catch yet. Free.
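One of the intake paths from the "How to incorporate Yara" slide, email attachments, together with the hash-versus-pattern point just made, as an editor-added example (not code from the talk). The .eml message is constructed with Python's standard email module, the two attachments are constructed byte strings that differ only by trailing padding, and toy_scan() is a stand-in for a compiled Yara rule set with a hypothetical rule name; with yara-python installed, rules.match(data=...) takes its place.

```python
"""Extract e-mail attachments, hash them, and scan them (editor's example)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed attachments (not real malware): B is A plus padding, i.e. the
# "same family, different file" case where an exact-hash list fails.
PAYLOAD_A = (b"MZ" + b"\x00" * 32
             + b"CreateRemoteThread\x00http://c2.example/gate.php\x00")
PAYLOAD_B = PAYLOAD_A + b"\x00" * 16

# A blocklist holding only the exact MD5 of the first variant.
KNOWN_MD5 = {hashlib.md5(PAYLOAD_A).hexdigest()}


def build_message() -> bytes:
    """Construct a multipart e-mail with a text body and two attachments."""
    msg = EmailMessage()
    msg["From"] = "invoice@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(PAYLOAD_A, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(PAYLOAD_B, maintype="application",
                       subtype="octet-stream", filename="invoice_v2.exe")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> list:
    """Return (filename, decoded bytes) for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def toy_scan(data: bytes) -> list:
    """Stand-in for rules.match(data=...); returns names of matching rules."""
    hits = []
    if data[:2] == b"MZ" and b"CreateRemoteThread" in data and b"/gate.php" in data:
        hits.append("example_dropper")  # hypothetical rule name
    return hits


def scan_message(raw: bytes, known_md5: set) -> list:
    """Hash and scan each attachment; one alert record per attachment."""
    alerts = []
    for name, data in extract_attachments(raw):
        md5 = hashlib.md5(data).hexdigest()
        alerts.append({
            "filename": name,
            "md5": md5,
            "sha256": hashlib.sha256(data).hexdigest(),
            "known_hash": md5 in known_md5,   # exact-file hash check
            "yara": toy_scan(data),           # pattern-based check
        })
    return alerts


def run_demo() -> list:
    """Scan the constructed message against the one-entry hash list."""
    return scan_message(build_message(), KNOWN_MD5)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["filename"], "known_hash:", alert["known_hash"],
              "yara:", alert["yara"])
```

Running it shows invoice.exe caught by both checks and invoice_v2.exe caught only by the pattern match: the hash list has nothing to say about a file it has never seen, while the rule keys on what the variant still shares.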

The cooldown… http://code.google.com/p/yara-project/ (the project has since moved to https://github.com/VirusTotal/yara). Questions?

References
[1] K. Rieck, T. Holz, C. Willems, P. Düssel, P. Laskov. Learning and Classification of Malware Behavior. DIMVA 2008. http://pi1.informatik.uni-mannheim.de/filepool/publications/malware-classification-dimva08.pdf