1
Malware Identification and Classification
Yara & Python Malware Identification and Classification CarolinaCon 7 Michael Goffin @mjxg
2
Hey sir! Why hello there!! Rochester Institute of Technology
Computer Science House Information Security Scientist/Engineer
3
What’s in store?
- Malware
- Yara
- Python
- Identification and Classification of Malware
- Showing it all off
- QQ session
4
Malware! Sonofa...
5
Methods of acquisition
- downloads
- compromised website content (ex: images)
- attachments
- links to compromised site content
6
You’ve been infiltrated!
Things to note:
- You don’t know it yet, and might not for a while
- You don’t know the scope of it
- You don’t know the severity of it
- But you eventually see something…
7
Start the cycle!
8
Management wants answers!
9
What do you do next? Go into a panic!
Oh no!
- We should remove the known compromised host(s) from network!
- We should assess the compromise…somehow!
- Oh geez, might be good to change passwords – let’s just have everyone do it just in case!
- We need to go through logs and other hosts for signs of lateral movement – wait, what are we looking for?
- Can we make firewall rules to block any IPs or domains?
- Do we have any AV or IDS appliances?
10
Most importantly You did get a copy of the malware to analyze, right? …Right?
11
Get better at data mining!
- Who is interested in this user or your company?
- What are they trying to do with this malware (and what are they exploiting)?
- When did this malware come in?
- Where did it come from and where did it go to?
- Why are they after your company, or this user?
- How does this malware help them accomplish their goals?
12
What do we do with all the data?
- Build a classification database over time!
- Identify trends
- Find commonalities
13
Lots of action, now what?
14
Enter Yara
15
What does Yara do? Identify and classify malware samples based on textual or binary patterns contained within those samples MALWARE!
16
How does it do it? Pretty basic:
- Search for patterns
- Use defined conditions to determine if the patterns are a positive match
- Output matching rule content for consumption
17
Yara and Python
Step 1: % python
Step 2:
>>> import yara
>>> rules = yara.compile(signatures)    # signatures: path to a rules file (.yar)
>>> matches = rules.match(filetoscan)   # filetoscan: path to the file to scan
Step 3: profit
18
As the old saying goes… If it walks like a duck…
And it quacks like a duck… It’s probably the DHA installing backdoors and keyloggers while xfil’ing your data.
19
Identification
Can we tease out specific characteristics about this piece of malware that describe it from both a functional and a fashionable perspective?
- What does it attempt to touch?
- What does it attempt to modify?
- Is this type of malware stylish?
- Etc.
20
Identification
Are there any quantitative or qualitative datasets about this malware that can help further describe its nature?
- Functions used in other malware
- Code style similar to other malware
- IPs or domains used
- Specific targets (files, processes, etc.)
- End result of successful execution
21
Classification Questions[1]:
- Does an unknown malware instance belong to a known malware family, or does it constitute a novel malware strain?
- What behavioral features are discriminative for distinguishing instances of one malware family from those of other families?
Compare these to our Identification
22
Strains
- Trojan
- Rootkit
- Backdoor
- Xfil
- Worms
- Ransomware
- Keylogger
23
Build Signatures
- Generate conditions
- Build rules for those conditions
- Compile rules into a signature set
- Develop process to scan files using those signature sets
- Generate alerts
- Set human response expectations to these alerts!!
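The steps above as one small pipeline, added here as an example and not taken from the talk: derive candidate strings that every sample of a family shares and no benign sample contains (generate conditions), render them as Yara rule text (build rules), then scan a batch of files with an equivalent condition and raise one alert per match. The samples are constructed byte strings and the family name "examplefam" is a placeholder; a real deployment would hand the generated rule text to yara.compile(source=...) and call rules.match() instead of re-implementing the match in Python.

```python
"""Derive candidate signature strings for a malware family, emit them as a
Yara rule, and scan a batch of files with a small pure-Python matcher that
mirrors the rule's condition.

Added example, not code from the talk. All samples are constructed byte
strings standing in for files collected from downloads or attachments;
the family name and indicator values are placeholders.
"""
import re
from collections import Counter

# Constructed samples: two members of a hypothetical family ("examplefam"),
# one benign file, and one unknown file that shares a single indicator.
FAMILY_SAMPLES = {
    "sample_a": b"MZ...\x00cmd.exe /c\x00Global\\ABCD1234_lock\x00"
                b"http://example.invalid/beacon\x00",
    "sample_b": b"MZ...\x00Global\\ABCD1234_lock\x00"
                b"http://example.invalid/beacon\x00RunOnce\x00",
}
BENIGN_SAMPLES = {
    "benign_tool": b"MZ...\x00cmd.exe /c\x00"
                   b"Software\\Microsoft\\Windows\\CurrentVersion\x00",
}
UNKNOWN_SAMPLES = {
    "unknown_c": b"MZ...\x00http://example.invalid/beacon\x00setup.log\x00",
}


def printable_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group(0) for m in pattern.finditer(data)}


def candidate_strings(family, benign, min_coverage=1.0):
    """Strings seen in at least min_coverage of the family samples and in
    no benign sample: the 'generate conditions' step."""
    counts = Counter()
    for data in family.values():
        counts.update(printable_strings(data))
    benign_strings = set()
    for data in benign.values():
        benign_strings |= printable_strings(data)
    n = len(family)
    return sorted(s for s, c in counts.items()
                  if c / n >= min_coverage and s not in benign_strings)


def yara_escape(s):
    """Escape a byte string for use inside a Yara text string literal."""
    return s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name, family, strings, min_match=2, max_size="2MB"):
    """Render the candidates as Yara rule text: the 'build rules' step."""
    lines = [f"rule {name}", "{", "    meta:", f'        family = "{family}"',
             "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and filesize < {max_size} "
              f"and {min_match} of ($s*)",
              "}"]
    return "\n".join(lines)


def scan(files, strings, min_match=2, max_size=2 * 1024 * 1024):
    """Evaluate the same condition in Python over a batch of files and
    return one alert per match: the 'scan' and 'generate alerts' steps."""
    alerts = []
    for name, data in files.items():
        hits = [s for s in strings if s in data]   # each $s that exists
        if (data.startswith(b"MZ")                  # uint16(0) == 0x5A4D
                and len(data) < max_size            # filesize restriction
                and len(hits) >= min_match):        # N of ($s*)
            alerts.append({"file": name, "hits": hits})
    return alerts


if __name__ == "__main__":
    cands = candidate_strings(FAMILY_SAMPLES, BENIGN_SAMPLES)
    print(build_rule("examplefam_strings", "examplefam", cands))
    everything = {**FAMILY_SAMPLES, **BENIGN_SAMPLES, **UNKNOWN_SAMPLES}
    for alert in scan(everything, cands):
        print("ALERT", alert["file"], alert["hits"])
```

Requiring "2 of ($s*)" rather than any single string is what keeps the unknown file, which shares only the beacon URL, from alerting; that threshold is the knob the "human response expectations" step is about, since every alert it produces should be one an analyst is expected to act on.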
24
What a rule looks like
rule foo
{
    meta:
        key = "value"
    strings:
        $variable = "something"
    condition:
        logic_for_determining_positive_rule_match
}
25
Conditions
Some basic condition examples:
- A string or value exists
- A set of strings or values exist
- Strings or values at certain offsets exist
- The number of times a string or value occurs
- File size restriction
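A complete rule in the shape shown above that uses every one of these condition types, added here as an example and not taken from the talk. The family name, strings, URL paths and mutex pattern are placeholders, not indicators from any real sample:

```yara
rule examplefam_loader
{
    meta:
        author      = "added example, not from the talk"
        description = "One rule exercising each basic condition type"
        family      = "examplefam"        // placeholder family name

    strings:
        $mz    = { 4D 5A }                                   // hex bytes "MZ"
        $ua    = "Mozilla/4.0 (compatible; MSIE 6.0" ascii   // text string
        $url1  = "/beacon_example.php" ascii                 // placeholder path
        $url2  = "/update_example.bin" ascii                 // placeholder path
        $mutex = /Global\\[A-Z0-9]{8}_lock/ ascii            // regex, placeholder
        $run   = "CurrentVersion\\Run" ascii wide            // ascii and utf-16

    condition:
        $mz at 0                  // a value exists at a specific offset
        and $ua                   // a single string exists
        and 1 of ($url*)          // at least one of a set of strings exists
        and #run >= 2             // the string occurs at least twice
        and filesize < 2MB        // file size restriction
        and $mutex                // the regex matches somewhere
}
```

The "at 0" and "#run" forms are where Yara goes beyond a plain grep: an offset anchors a value where a file format says it must be, and a count lets a common string such as a Run key contribute only when it appears more often than it would in ordinary software.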
26
Let’s see Yara in action!
27
How to incorporate Yara
- Web downloads
- Web content
- urllib
- attachments
- Honeypots
- Grab files from AV and IDS appliances to scan!
28
Why Yara?
- Supplement to additional applications (Snort, AV, detonation chambers)
- MD5 of known malware only good if exact file is seen again
- Detect future malware with similar identifiers that AV or IDS might not catch yet
- Free
29
The cooldown… Questions?
30
References [1] Learning and Classification of Malware Behavior – Rieck, Holz, Willems, Dussel, Laskov