
Defense Against the Dark Arts Defense Against The Dark Arts Christiaan Beek McAfee.


1 Defense Against the Dark Arts Defense Against The Dark Arts Christiaan Beek McAfee

2 Defense Against the Dark Arts
– Malware terms & definitions
– Naming conventions
– Online analysis services and tools
– Basic replication & setup
– Sample execution
– Tools

3 Defense Against the Dark Arts
– APTs
– Forensic, static, and code analysis
– Continue replication discussion

4 Defense Against the Dark Arts
Term created in 2006 by US Air Force analysts. It describes three aspects of attackers that represent their profile, intent, and structure:
– Advanced – The attacker is fluent with cyber intrusion methods and administrative techniques, and is capable of crafting custom exploits and related tools.
– Persistent – The attacker has an objective (or mission, in longer-term campaigns) and works to achieve their goals without detection.
– Threat – The attacker is organized, receives instructions, is sufficiently funded to perform their (sometimes extended) operations, and is motivated.

5 Defense Against the Dark Arts
Characteristics of an APT:
– Actors
– Motives
– Targets
– Goals
Actors:
– Terrorists/activists
– Governments
– Organized crime groups
– Competitors
– Malicious insiders/ex-employees

6 Defense Against the Dark Arts
Motives:
– Money
– Disgruntlement or revenge
– Ideology
– Excitement
Targets:
– Large corporations
– Governments
– Defense contractors
– Anyone

7 Defense Against the Dark Arts
Goals:
– Use stealth during intrusion to avoid detection
– Create backdoors to allow greater access, especially if other access points have been discovered and patched
– Initiate the primary mission:
  – Stealing sensitive data
  – Monitoring communications
  – Disrupting operations
– Leave undetected

8 (Diagram of the attack steps, in order)
Start
– Step 1: Reconnaissance
– Step 2: Weaponization
– Step 3: Delivery
– Step 4: Exploitation
– Step 5: Installation
– Step 6: Command and Control
– Step 7: Actions on Objectives

9 Defense Against the Dark Arts Chinese Gh0st RAT

10 Defense Against the Dark Arts RAT used: Zwshell Pwd: zw.china

11 Defense Against the Dark Arts Hidden menu

12 Defense Against the Dark Arts
What is forensic analysis?
– Contextual metadata that led the researcher to this point:
  – Customer submission
  – Anecdotal details about the attack
  – Honeypot
  – Association with other threats

13 Defense Against the Dark Arts Dynamic analysis

14 Defense Against the Dark Arts
What is static analysis?
– Sample analysis performed without the benefit of a dynamic execution environment
– Pros?
– Cons?

15 Defense Against the Dark Arts
– Get the sample from the share, called “gimmegimme.zip”
– Extract it to the desktop
– Have you taken your snapshot?
– Run tools like Process Explorer/procmon/fakenet/antispy/flypaper
– Execute the sample
– Investigate what this sample is doing
– What is the purpose of this sample?

16 Defense Against the Dark Arts
Elements of static analysis?
– String analysis
– Binary analysis
– Source analysis

17 Defense Against the Dark Arts
0x00001840: 'px.exe'
0x00001850: 'gmfa'
0x00001860: 'G2013\av'
0x00001880: 'G\AV'
0x00001892: 'DosDevices\C:\Arquivos de programas\AV'
0x000018E0: 'vc.exe'
0x000018F0: 'stS'
0x00001900: 'st\Ava'
0x00001910: 'ST Software\Ava'
0x00001932: 'DosDevices\C:\Arquivos de programas\AVA'
…
0x00001F0A: 'ZwDeleteFile'

18 Defense Against the Dark Arts

19 Defense Against the Dark Arts AutoIT Keytools CHM decompiler DJJavaDecompiler dotPeek.NET decompiler

20 Defense Against the Dark Arts Use Forensic Information to Rate Sample

21 Defense Against the Dark Arts Right-click flypaper.exe and choose SendTo->FileInsight

22 Defense Against the Dark Arts
Open Sample 1 in FileInsight. Use the tool to decode Sample 1 and extract strings. Take 20 minutes.
– Using string analysis, what can be said about these 3 samples?
  – Class2\Labs\Lab1\Strings\Sample 1
  – Class2\Labs\Lab1\Strings\Sample 2
  – Class2\Labs\Lab1\Strings\Sample 3
– How would you prioritize these samples for further research? Why?
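The string dump on slide 17 and the lab question on slide 22 (what string analysis says about a sample, and how to prioritize samples for follow-up) can be worked through in code. What follows is an added example, not part of the lecture materials or of any McAfee tool: it extracts printable ASCII and UTF-16LE runs together with their file offsets, prints them in the same "offset: 'string'" form as the slide, and then scores each sample against a small set of indicator patterns so that samples can be ranked. The three sample byte buffers are constructed here to resemble the slide's strings (px.exe, DosDevices paths, ZwDeleteFile) and are not real malware; the indicator categories and their weights are an assumption made for this example, not a rating scale from the course.

```python
"""String extraction and indicator-based triage for static malware analysis.

Added example (not from the slides). Sample buffers below are constructed.
"""
import re
from typing import Dict, List, Tuple

# A "string" is a run of printable ASCII of at least MIN_LEN bytes, as the
# classic `strings` tool defines it.
MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows binaries also carry UTF-16LE text: printable byte followed by NUL.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Heuristic indicator classes and weights (assumed for this example). Native
# API names and \DosDevices\ object paths suggest kernel-level file handling,
# paths under an antivirus directory suggest AV tampering.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    "native_api": (re.compile(r"^(Zw|Nt)[A-Z]\w+"), 3),   # ZwDeleteFile ...
    "dos_device": (re.compile(r"DosDevices\\"), 3),       # \DosDevices\C:\...
    "av_path":    (re.compile(r"\\AVA?\b", re.I), 2),     # ...\AV, ...\Ava, ...\AVA
    "executable": (re.compile(r"\.(exe|dll|sys)$", re.I), 1),
    "url":        (re.compile(r"https?://", re.I), 2),
}


def extract_strings(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, string) pairs for ASCII and UTF-16LE runs, by offset."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(data)]
    return sorted(found)


def format_dump(strings: List[Tuple[int, str]]) -> List[str]:
    """Render strings the way the lecture slide shows them: 0x00001840: 'px.exe'."""
    return [f"0x{offset:08X}: {text!r}" for offset, text in strings]


def rate_sample(data: bytes) -> Dict[str, object]:
    """Score one sample: sum indicator weights over every string that matches."""
    strings = extract_strings(data)
    hits: Dict[str, List[str]] = {}
    score = 0
    for _, text in strings:
        for name, (pattern, weight) in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(name, []).append(text)
                score += weight
    return {"score": score, "hits": hits, "string_count": len(strings)}


def prioritize(samples: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Rank named samples for further research, highest indicator score first."""
    rated = [(name, rate_sample(blob)["score"]) for name, blob in samples.items()]
    return sorted(rated, key=lambda item: (-item[1], item[0]))


# Constructed sample buffers (not real files); the NUL padding stands in for code.
SAMPLES: Dict[str, bytes] = {
    "Sample 1": b"\x00" * 16 + b"px.exe\x00\x00gmfa\x00\x00"
                + b"\\DosDevices\\C:\\Arquivos de programas\\AV\x00"
                + b"vc.exe\x00\x00ST Software\\Ava\x00\x00ZwDeleteFile\x00",
    "Sample 2": b"\x00" * 16 + "Hello World".encode("utf-16-le") + b"\x00\x00"
                + b"kernel32.dll\x00",
    "Sample 3": b"\x00" * 16 + b"http://example.invalid/update\x00\x00notepad.exe\x00",
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"== {name} ==")
        print("\n".join(format_dump(extract_strings(blob))))
        print("rating:", rate_sample(blob))
    print("priority order:", prioritize(SAMPLES))
```

With the constructed buffers, Sample 1 (native API name, \DosDevices\ path, AV directory) ranks first, the URL-bearing Sample 3 second, and Sample 2 last. The weights are deliberately simple; the point of the exercise is that a string dump alone already separates a sample worth deep analysis from one that can wait.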

23 Defense Against the Dark Arts
Use FileInsight and investigate the following samples. For each sample: what type of file is it? How would you replicate it? What dependencies would you expect?
– Class2\Labs\Lab1\Binary\Sample 1
– Class2\Labs\Lab1\Binary\Sample 2
– Class2\Labs\Lab1\Binary\Sample 4

24 Defense Against the Dark Arts Christiaan_Beek@Intelsecurity.com
