Presentation is loading. Please wait.

Presentation is loading. Please wait.

Live Malware Analysis for the Incident Responder

Published byScarlett Harrington Modified over 6 years ago

Similar presentations

Presentation on theme: "Live Malware Analysis for the Incident Responder"— Presentation transcript:

1 Live Malware Analysis for the Incident Responder

2 Military Strategists agree…
A Successful defense begins with good intelligence about the enemies tactics and techniques

3 Agenda Resources for lab exercises The Problem: Cybercrime is rampant
Live Analysis should be part of Incident Response Goals of Live Analysis Live Analysis Methodology Tools and Techniques Case Study & Lab Exercises Zero Day - Readme.pdf – received 3/26/2009 Resources for lab exercises

4 Speakers Rich Cummings CTO at HBGary
Director Security Engineering, Guidance Software Principal Consultant, Network Associates Incident Response, Computer Investigations Penetration Testing

5 Why Bring Malware Analysis In-House?
Goes beyond anti-virus applications… Detection and remediation based on signatures for malware is so 1990’s…. Answer the following questions: What happened? What is being stolen? How did it happen? How do we clean it up? When did the infection occur? Possibly Who is behind it?

6 The Problem

7 # of New Malware Every Day!

8 Top 3 AV companies don’t detect 80% of new malware
Anti-virus Shortcomings Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their…computers safe and secure. Source: “Anti-Virus Firms Scrambling to Keep Up ”, The Washington Post, March 19, 2008 8

9 Cybercrime Market Currently larger than global drug trade
$350 Billion per year Some malware authors make 6 figure income every month*! *

10 How Did We Get Here?

11 Cybercrime Evolution Cybercrime Authors have evolved over the last 30 years Continued improvement and innovation Capitalistic Shadow Economy - Competition Malware Authors Professional Software Development Lifecycle model Professional Quality Assurance Product doesn’t ship until code is undetected by latest Antivirus products

12 Antivirus has not evolved
Antivirus Engines have not evolved much over the last 30 years Signature based, re-active & pro-active Incidents growing in frequency and sophistication Heuristics has failed – Why fix it, were making money! The Antivirus business model provides an annual revenue stream – why change it?

13 It’s not a matter of if but when you will be compromised

14 Why Live Analysis Vs Static Analysis

15 Static Analysis is tough…
Many challenges to deal with: Packing Obfuscation Encryption Polymorphic engines Requires more skilled analyst Must read assembly language Takes a long time…

16 Static Analysis is tough…
Add more

17 Live Analysis is Easier
We Run the Malware We log activities while malware executes Live analysis often removes the need for unpacking and removing the obfuscation layers Add more

18 Live Analysis is Easier
Add more

19 Goals of Live Malware Analysis

20 Basic Goals of Malware Analysis
Identify the following: Is it malware/crimeware? How does it install itself? Does it use Self Defense? What are the information security implications? How does it communicate? How does it steal stuff? What does it steal? How do I clean it up ASAP?

21 Goals for Corp Security Analyst
Identify how it got in so we can quickly clean it up… Is it malware/crimeware? How does it install itself? Does it use Self Defense? What are the information security implications? How does it communicate? How does it steal stuff? What does it steal? How do I clean it up ASAP?

22 Goals for Law Enforcement
Identify Is it malware/crimeware? How does it install itself? Does it use Self Defense? What are the information security implications? How does it communicate? How does it steal stuff? What does it steal?

23 Goals for Govt Org’s Identify Is it written by kids or professionals
Who is behind the attack Foreign govt’s Kids? How does it install itself? How do I clean it up? What is the attack vector? Does it use Self Defense? How does it communicate? What and How does it steal my information?

24 Goals of Malware Analysis
Rapidly determine Is it malicious or not? Does it warrant deeper investigation? Identify specific behaviors of the malware We broadly group the behaviors into six categories we call Attribution Factors Malware Analysis Factors

25 Malware Analysis & Attribution Factors
Installation and Deployment Communication Information Security Self Defense Command and Control Development

26 Installation and Deployment Factors
Does it use the registry? Does it drop any files? Does it attempt to infect other machines on the network? Does it sleep and awaken later?

27 Communication Factors
Where does it connect to on the Internet? Drop point IP addresses or DNS names Does it allow incoming connections? Does it use encryption? Does it use stego?

28 Information Security Factors
Identifies the risks associated with the binary What does it steal? Does it sniff keystrokes? Can it destroy data? Can it alter or inject data? Does it download additional tools?

29 Self Defense Factors Does it have self-defense? Does it use stealth?
Does it bypass parts of the operating system? Does it bypass virus scanners?

30 Command and Control Factors
How is the malware controlled by its master? Do commands come from a cutout site? What commands does it support? Sniffing, logging, file system? Attack? Poison Pill - Self-destruct? Self-uninstall / silent modes?

31 Development Factors In what country was the malware created?
Was it professionally developed? Are there multiple versions? Is there a platform involved? Is the a toolkit involved? Are there multiple parts developed by different groups or developers?

32 Malware Analysis Tools

33 Crimeware Analysis Questions
How does it communicate with? With Whom? Does it steal my information? If so What? How does it survive a reboot? Who created it? What does it do to my networks and how do I clean it up?

34 Live Demonstration readme.pdf

35 Our Lab Setup VMware Workstation & ESX Server
HBGary Flypaper (free download hbgary.com) Wireshark - free Netwitness – Investigator SysInternals - Free Responder Professional with Digital DNA (evaluation version available on our web site good for 15 days)

36 Self Defense Techniques
Encryption Polymorphic engines Metamorphic engines Packing Themida, VMProtect, UPX, Aspack and 100’s more Rootkit techniques

37 Anti-Debugging Techniques
Ways for a program to detect if it is being run under the control of a debugger Used to prevent or slow the process of reverse-engineering Commercial executable protectors Packers Malicious software

38 Static Binary Analysis
Target malware is not running Disassemble the binary (.EXE, .SYS, .DLL) Strings: human-readable Symbols: imported functions N.B.: Winsock driver é network capabilities Functions and subroutines Malware countermeasures Packers Encrypters

39 Tools for Malware Analysis
Sysinternals: filemon, regmon, tdimon, etc. Winbat IDA Pro: Interactive disassembler Ollydbg WinDbg SoftICE: kernel debugger PEiD: identifies over 470 executable signatures/packers PE Explorer InCtrl5 DeDe: Delphi executable reverser REC: reverse engineering compiler Programmer’s file editor HBGary Responder™

40 Who are Incident Responders?
Corporate Security Analysts Corporate Security Officers Corporate Legal Council & HR Federal, Local Law Enforcement Computer Forensic Investigators Home PC user…..

41 Malware Analysis = Reverse Engineering
Static Analysis Dead Listing IDA Pro Difficult – You must understand Assembly Language Dynamic Analysis Live Runtime

42 Today’s Cybercrime Problem
There is a lot worth stealing Information is 100% digital and exposed Identities are digital Attackers are motivated and well-funded Funded Criminal and State-sponsored Malware is sophisticated and targeted Existing security isn’t stopping the attacks

43 Anti-virus Shortcomings
Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their…computers safe and secure. Source: “Anti-Virus Firms Scrambling to Keep Up ”, The Washington Post, March 19, 2008 43

44 Malware Analysis Tools (freeware)
Ollydbg Sysinternals (now microsoft) Procmon, filemon, regmon, tdimon, etc Inctrl-5

45 Additional Resources for malware analysis
Ollydbg Sysinternals (now microsoft) Procmon, filemon, regmon, tdimon, etc Inctrl-5

46 Any Questions? Thank you for your time. HBGary

47 HBGary Core Technology

48 Physical Memory Forensics
Core Technology Digital DNA (Behavioral Analysis) Engineering Reverse Code Physical Memory Forensics

49 Offline Physical Memory Analysis
The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations This is The Advantage! Rebuilds underlying undocumented data structures Rebuilds running state of machine “exposes all objects ” Malware cannot hide itself actively

50 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Direct Kernel Object Manipulation Detection Hook Detection IDT/SSDT/Driver Chains These tricks expose themselves by interacting with OS Crossview Based Analysis

51 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Code is Disassembled Integration with Flypaper & RECon Code is extracted from RAM Code Visualization

52 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations ALL Memory is Scanned A Threat Score is provided for all code Code Behavior Identification White & Black List Code /Behaviors

53 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Reports can be sent to Enterprise Console Behavioral Analysis Scan and others Custom Reports in XML, RTF, PDF, other Alert on Suspicious Behaviors and coding tricks

54 Advantages of our approach
Forensic Quality Approach Analysis is 100% offline Like Crash Dump Analysis – No Code Running! Automated Reverse Engineering Engine Digital DNA™ detects zero-day threats 5+ years of reverse engineering technology AUTOMATED! No Reverse Engineering expertise required

55 Memory Forensics and Incident Response Products

56 Stand Alone Products 1 Analyst : 1 Machine
Responder Professional Comprehensive physical memory and malware investigation platform Host Intrusion Detection & Incident Response Live Windows Forensics Automated Malware Analysis Computer incident responders, malware analysts, security assessments Digital DNA Responder Field Edition Comprehensive Memory Investigation platform. Geared towards Law Enforcement and computer forensic investigators Basic Malware Analysis

57 HBGary Enterprise Malware Detection

58 Enterprise Products 1 Analyst : N machines
Enterprise Digital DNA – McAfee EPO Solution Enterprise Malware/Rootkit Detection & Reporting Distributed Physical Memory Analysis with Digital DNA Rapid Response Policy Lockdown Enterprise Responder – Guidance Software Encase Enterprise Solution Suspicious & Malicious Code Detection

59 Client Testimonials

60 Client Testimonial 1 of the Largest Pharmaceutical Co’s
Under attack every day Uses Enterprise Anti Virus Sends malware to vendor Waits for signature 1-8 hours - Uses Responder Pro – Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data

61 Client Testimonial 2 1 of the largest Entertainment Co’s
Under attack every day & Uses Enterprise Anti Virus When a machine is compromised, they perform various levels of remediation with their antivirus vendor signatures. Once the machine is determined clean by the AntiVirus software, they use our technology to verify the machine is no longer infected… Findings: about 50% of machines are still infected…

62 Conclusion Improve Enterprise Security Posture With
Memory Forensics & Malware Analysis Memory Forensics can detect malicious code that nothing else can… Memory Forensics is not only for Incident Response Memory Forensics can be used during Security Assessments too Malware Analysis should be brought in house Malware Analysis can help you… minimize costs and impact. identify the “Scope of Breach” mitigate the threat before you have a anti-virus signature

63 Questions? Thank you very much

Download ppt "Live Malware Analysis for the Incident Responder"

Similar presentations

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Supplied on \web site. on January 10 th, 2008 Reducing Risk Through Incremental Malware Detection January 2008.

Supplied on \web site. on January 10 th, 2008 Reducing Risk Through Incremental Malware Detection January 2008.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
The Changing World of Endpoint Protection

The Changing World of Endpoint Protection
Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.

Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:

November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.

n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.
BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.

BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.

Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.
Software Reverse Engineering Binary analysis: concepts, methods and tools. Catalin Patulea Mar 5, 2008.

Software Reverse Engineering Binary analysis: concepts, methods and tools. Catalin Patulea Mar 5, 2008.
Powerpoint presentation on Drive-by download attack -By Yogita Goyal.

Powerpoint presentation on Drive-by download attack -By Yogita Goyal.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Similar presentations

Ads by Google