
CS 492/592: Malware (Reverse Engineering)


1 CS 492/592: Malware (Reverse Engineering)

2 About this course Learn tools and techniques to analyze what malicious software does

3 Ethics
Explore only on your own systems or places you have permission to
Do not break or break into other people's machines

4 Format Lectures followed by labs and homework

5 Pre-requisite
Course assumes an understanding of how software executes on a system (e.g. CS 201)
Media Space channel available for review

6 Syllabus

7 VM for course
Vanilla Windows XP VM image located on D: drive
Also located on linuxlab at /stash/cs492/492_WinXP_x86.ova
All software from book installed
When importing the VM, store the disk in D:\cs492

8 Installed software on your VM
Install WinXP 32-bit instance with VirtualBox Guest Additions CD
Install cygwin with sharutils, binutils, zip/unzip, and nc
Install WinRAR or cygwin p7zip
Install Sysinternals tools (Process Explorer, Process Monitor) (technet.microsoft.com)
Install PEView (wjradburn.com)
Install Resource Hacker (angusj.com)
Install Dependency Walker (dependencywalker.com)
Install IDA Pro 5.0 Freeware (hex-rays.com)
Install Wireshark (wireshark.org)
Install Apate DNS (mandiant.com)
Install OllyDbg 1.10 (ollydbg.de) and its Phant0m plug-in (woodmann.com)
Install WinHex (winhex.com)
Install PEiD (softpedia.com) <= CAUTION, it is a zip file not an installer
Install UPX (upx.sourceforge.net)
Install Regshot (code.google.com/p/regshot/)
Install labs from textbook (practicalmalwareanalysis.com)
Encrypted zipfile (password: malware)
Will set off Windows Defender alarms
Make two copies, a working one and a read-only one

9 Securing your VM
Always shut the VM down when not in use
Do *not* enable shared folders (to protect EB 325 hosts)
Do *not* enable bridged networking mode (to protect the VM itself)

10 Motivation

11 Motivation
What is malware?
A set of instructions that run on your computer and make your system do something that an attacker wants it to do
What is reverse-engineering?
The ability to understand what the software being run is doing
A useful skill to have (at both the source-code and binary level)

12 Example #1: FBI Playpen 8/2014

13 Example #2: Stuxnet

14 Example #3: Shellshock

15 Example #4: Good software gone bad
Avast CCleaner (2017)

16 Example #4: Good software gone bad
Avast CCleaner

17 Example #5: Amazon Echo Easter Egg

18 Why is malware so prevalent?
Unprecedented connectivity
Vulnerable users
Homogenous software and hardware
Focus on time to market
Mature malicious software industry
Data and instruction mixing (see next)

19 Data vs. code
Data is information that your CPU acts on
Code tells your CPU to take action (danger!)
To a computer, what's the difference between code and data?
Not much in a Von Neumann architecture, where data and instructions share the same memory/bus
Data & code are intermixed everywhere: ELF, .exe, .html, .docx ...
Adds flexibility (.docx), features (.html), and efficiency (.js)
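To make the "code vs. data is just a flag" point concrete for the .exe case, here is an added example (not from the slides or the textbook) that parses the section table of a PE image and reports which sections the loader will map as executable, which as data, and which as both writable and executable, a common packer indicator worth checking in triage. The sample image is constructed inline (headers only, no real machine code); the flag constants are the ones from the PE/COFF specification.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    classify each section by its characteristics flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows optional header
    out = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        name, flags = fields[0], fields[9]
        exe = bool(flags & IMAGE_SCN_MEM_EXECUTE)
        wr = bool(flags & IMAGE_SCN_MEM_WRITE)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "code": bool(flags & IMAGE_SCN_CNT_CODE),
                    "executable": exe, "writable": wr, "wx": exe and wr})
    return out


def build_sample_pe() -> bytes:
    """Constructed minimal PE skeleton: a normal .text/.data pair plus a
    writable+executable section of the kind a packer stub leaves behind."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE header right after DOS header
    sections = [
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b"UPX1", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    # Machine=i386, NumberOfSections, timestamp/symbols zero, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack(SECTION_FMT, n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                                 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, f)
                     for i, (n, f) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + table
```

Point the same parser at a real sample's bytes to get the view PEView shows in its section table; a section that is both writable and executable is worth a closer look with PEiD or UPX before loading it in IDA.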

20 Types of malware
Viruses and worms: self-replicating code that infects other systems manually (virus) or automatically (worm)
Botnets: software that puts your computer under the command and control of an adversary to send spam or attack other systems
Backdoors: code that bypasses normal security controls to provide continued, unauthorized access to an adversary
Trojans: code that appears legitimate, but performs an unauthorized action

21 Types of malware
Rootkits: tools to hide the presence of an adversary
Information theft (data exfiltration): keystrokes, passwords, credit cards, browsing habits, webcams
Ransomware: code that renders your computer or data inaccessible until payment is received

22 Course context
11/three-cyber-war-fallacies
Edited version: Dave Aitel, USENIX Security 2011 keynote
CEO of Immunity Inc.
daily-dave newsletter
Covers both technical and policy issues involved in cybersecurity
Why show such an old talk?

23 Revisiting Aitel
Asymmetric
Kinetic
Attribution
Attacking ideology
Deterrence

24 Kinetic

25 Kinetic

26 Kinetic


28 Attribution
about-2014-russian-hack-of-the-state-department-it-was-hand-to-hand-combat/2017/04/03/d89168e0-124c-11e7-833c-503e1f6394c9_story.html

29 Attribution
The importance of being everywhere...
(19:45 - 21:45) 4/4/2017

30 Attacking ideology
Democracy is an ideology that threatens Russia (and China and North Korea and Iran and Syria and ISIS)
Attack a competing ideology to protect your own
Russian goal in 2016 election hacking: shake the fundamental belief in the US democratic system and its ideology
"Cyberwar attacks ideology best"

31 Expose its secrets
Aitel: "A nation-state is a collection of secrets"

32 Subvert its media

33 Attack its voting infrastructure
Sow the seeds of distrust in the election system
Slow down voting systems in strategic locations
Compromise machines for counting votes and registering voters

34 Likely not the worst of it…
Election systems only now being considered critical infrastructure
"One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks."

35 The new frontline Gen. John Allen
brookings-panel-cybersecurity-us-elections "As a guy who has spent a lot of time overseas dealing with threats to America, I now recognize at the speed of light, the very heartland of America is under threat today. The enemy has moved beyond my reach. The first line of defense of American democracy and the last line of defense are in our states and counties."

36 Looking ahead Countries ramping up capabilities
North Korea: Unit 180, Lazarus
Syrian Electronic Army
Iran Cyber Army
ISIS's Digital Caliphate
Chinese PLA Unit (Shady RAT)
Russian Fancy Bear (APT 28)
How do we fight these threats? Can we learn from conventional war?

37 Lessons from deterrence
Deterrence theory of national security in a nuclear age
Mutual Assured Destruction prevents escalation into war
Requires:
Maximizing offensive capability (e.g. aircraft carrier deckspace)
Minimizing defensive vulnerability (e.g. missile defense systems)
Is there a cyber-equivalent, and how does the US stack up?

38 Not well
Defensive vulnerability: US with the most to lose
Crap in a hurry gives us ant-level smarts in IoT devices
Weakens position in cyber-realm
Example: Iranian attacks on US banks after Stuxnet
When the Obama administration was weighing a response to distributed denial-of-service attacks against U.S. banks in 2012 (by Iran), officials vetoed any retaliation because they were worried that the country's digital infrastructure wouldn't be able to deal with counterattacks.

39 Is North Korea deterred?
Why not?

40 Does this help? Has the most to gain in building offensive capability

41 Why we need to do more…

42 Extra

43 VM for course (linuxlab)
See handout
Vanilla Windows XP VM image located on MCECS file server /stash/cs492/492_WinXP_x86.ova
All software from book installed
Contact if you are not in the "vagrant" group

44 Deterrence and cyberwar
What constitutes an act of war between nation states in cyber? (Fred Kaplan, "Dark Territory")
Blowing up a power plant? (US)
Tampering with elections? (Russia)
Industrial espionage? (China)
Taking down the banking system? (Iran)

45 Attacking ideology
You may not even need to hack anymore...
(10:00-12:20)

46 Cyber deterrence Why does this make sense from a deterrence standpoint for N. Korea?

