• Home

  • Documents

  • Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new...
19
Juan Garrido MVP Enterprise Security http://windowstips.wordpress.com @tr1ana

Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Juan Garrido

MVP Enterprise Security

http://windowstips.wordpress.com @tr1ana

http://windowstips.wordpress.com/
http://windowstips.wordpress.com/
https://twitter.com/tr1ana
https://twitter.com/tr1ana
Page 2: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Agenda

Page 3: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Agenda

Introduction Malware public information TRIANA Conclusions

Page 4: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Agenda

One new malware every 2 seconds It’s like epidemic Many variety of vectors:

APT Drive by downloads USB Rootkits, Bootkits, etc...

Page 5: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Introduction

Many variety of technology: MS Office PDF Windows Apple based Mobile

Big problem when analyze a lot of samples

Page 6: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Introduction

• Some questions:

– The Malware analyst have tools to perform analysis?

• Like a sandbox, scripts, little unit tools

– The Malware analyst have a deep know in the malware analysis art?

• Static analysis, dynamic analysis, reversing, etc..

• It’s possible reduce the analysis time?

– Is a sample available for analyze?

Page 7: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Introduction

• Is a sample available for analyze?

Page 8: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Malware Public Information

• Why need MD5 instead of SHA1 or SHA256?

• Easy: For URL based search

Page 9: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

Malware Public Information

Page 10: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

DEMO

Malware based search

Page 11: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

WHERE IS MY SAMPLE

• In many cases:

– The sample is located in public site

– The sample is located in hacking site

– The sample is located in Web Access tool (Like VT, Malwr, etc…)

– The sample is located in a public repository

Page 12: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

WHERE IS MY SAMPLE

• IP, Host, Domain:

– Useful for discover new samples

• Whois

• Domain Lookup

• Etc…

– Useful for discover APT Threats, Malware located by country, etc…

Page 13: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

WHERE IS MY SAMPLE

Page 14: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

DEMO

Malware sample search

Page 15: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

TRIANA

• Python based script:

– Perform HASH and File Hash search

– Many public information reference

– Ability to download the sample if found it

– Many sources One JSON source

– DOCX Report

Page 16: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

TRIANA

• IP & Domain collector:

– Check in IP and Domain reputation lists

• Plugin based:

– VirusTotal plugin

– Malwr plugin

– ThreatExpert plugin

– Etc, etc…

Page 17: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

TRIANA

Page 18: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

CONCLUSIONS

• It’s possible reduce time in malware analysis – Automate unit test – Automate malware analysis – Automate static analysis – Automated search based malware

• It’s useful to attach like annex – JSON results – DOCX report

• It’s useful to search malware – Many public information sites – Different public sandbox perform different analysis – Many public repositories

Page 19: Juan Garrido ://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf · Agenda One new malware every 2 seconds It’s like epidemic Many variety of vectors: APT Drive

THANKS ;)

Juan Garrido

[email protected]

http://www.innotecsystem.com

mailto:[email protected]
http://www.innotecsystem.com/

Pasaporte Good Night Triana 2015

Pasaporte Good Night Triana 2015

Documents
Triana un barrio de retablos 7

Triana un barrio de retablos 7

Art & Photos
Trees of Triana - Alabama Cooperative Extension System€¦ · species of trees commonly found in Triana, Alabama. These particular trees are marked in various places around Triana

Trees of Triana - Alabama Cooperative Extension System€¦ · species of trees commonly found in Triana, Alabama. These particular trees are marked in various places around Triana

Documents
BIRDS of TRIANA

BIRDS of TRIANA

Documents
Triana Single Design Review TRIANA COMPUTATION HUB Quang Nguyen/Code 561 NASA/Goddard Space Flight Center Triana SDR June 7 - 9, 1999 Computation Hub

Triana Single Design Review TRIANA COMPUTATION HUB Quang Nguyen/Code 561 NASA/Goddard Space Flight Center Triana SDR June 7 - 9, 1999 Computation Hub

Documents
TRIANA - leungdesign.net€¦ · Triana incorporates a hierarchy of town center to urban neighbor-hoods and streets, promoting a strong sense of place. TRIANA Monterrey, Mexico Client:

TRIANA - leungdesign.net€¦ · Triana incorporates a hierarchy of town center to urban neighbor-hoods and streets, promoting a strong sense of place. TRIANA Monterrey, Mexico Client:

Documents
Sanchez-Garrido Architects

Sanchez-Garrido Architects

Documents
7f872 Jurnal Gabungan Triana

7f872 Jurnal Gabungan Triana

Documents
Free Pattern Download Annies Winter Beanie - Knit …...YOU WILL NEED: 1 x 100g Katia Triana or Triana Lux (Colour 1) 1 x 100g Katia Triana or Triana Lux (Colour 2)1 x 15.00mm Needles

Free Pattern Download Annies Winter Beanie - Knit …...YOU WILL NEED: 1 x 100g Katia Triana or Triana Lux (Colour 1) 1 x 100g Katia Triana or Triana Lux (Colour 2)1 x 15.00mm Needles

Documents
TRIANA BLVD. PROPERTIES...3325 Triana Blvd. (Building Two) and 3411 Triana Blvd. (Building Three) can be purchased with Building One as a unit or each can be purchased separately

TRIANA BLVD. PROPERTIES...3325 Triana Blvd. (Building Two) and 3411 Triana Blvd. (Building Three) can be purchased with Building One as a unit or each can be purchased separately

Documents
Celso garrido

Celso garrido

Technology
02. garrido 30

02. garrido 30

Documents
Portafolio William GArrido

Portafolio William GArrido

Documents
6. Garrido vs Garrido

6. Garrido vs Garrido

Documents
TIES Program Feb – Jun 2008 Ulises Triana Natalia Montenegro Ulises Triana Natalia Montenegro

TIES Program Feb – Jun 2008 Ulises Triana Natalia Montenegro Ulises Triana Natalia Montenegro

Documents
How to Hack Millions of Routers - [media.blackhat.com]

How to Hack Millions of Routers - [media.blackhat.com]

Documents
José Jerónimo Triana - unal.edu.co

José Jerónimo Triana - unal.edu.co

Documents
Mapa Good Night Triana 2012

Mapa Good Night Triana 2012

News & Politics
Barrio de Triana

Barrio de Triana

Documents
GYPSY ROOTS FROM TRIANA - RAÍCES GITANAS DE … · GYPSY ROOTS FROM TRIANA - RAÍCES GITANAS DE TRIANA Paco ... • Basic and intermediate flamenco guitar lessons/Lecciones básicas

GYPSY ROOTS FROM TRIANA - RAÍCES GITANAS DE … · GYPSY ROOTS FROM TRIANA - RAÍCES GITANAS DE TRIANA Paco ... • Basic and intermediate flamenco guitar lessons/Lecciones básicas

Documents
De triana al orbe

De triana al orbe

Education
Pub triana

Pub triana

Entertainment & Humor
Lisseth garrido

Lisseth garrido

Technology
garrido -- saludmentaltrabajo.pdf

garrido -- saludmentaltrabajo.pdf

Documents
Using Federated Services with Triana

Using Federated Services with Triana

Documents
Triana User Guide - poc.vl-e.nlpoc.vl-e.nl/distribution/manual/triana-3.2/UserManual.pdfContents 1 Overview 1 1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . .

Triana User Guide - poc.vl-e.nlpoc.vl-e.nl/distribution/manual/triana-3.2/UserManual.pdfContents 1 Overview 1 1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . .

Documents
Consumer Grid - Triana

Consumer Grid - Triana

Documents
Julia garrido 2

Julia garrido 2

Documents
6. Javier Garrido

6. Javier Garrido

Documents
Salesianos Triana

Salesianos Triana

Documents