Malware Analysis
Charles Lim, MSc., ECSA, ECSP, ECIH, CEH, CEI
The Third Hacking and Digital Forensics Exposed
28 November 2015 | Hotel Indoluxe | Yogyakarta, Indonesia
About Me
Charles Lim, MSc., ECSA, ECSP, ECIH, CEH, CEI
Researcher – Information Security Research Group and Lecturer, Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim
I am currently doing my doctoral study in Universitas Indonesia
Research Interest: Malware, Intrusion Detection, Threats Intelligence, Vulnerability Analysis, Digital Forensics, Cloud Security
Community:
• Indonesia Honeynet Project - Chapter Lead
• Academy CSIRT – member
• Asosiasi Digital Forensik Indonesia - member
Agenda
• About Honeynet
• What is Malware?
• Why Malware Analysis?
• Types of Malware Analysis
• Static Analysis
• Dynamic Analysis
• Memory Analysis
• Case Study
• Future Challenges
About Honeynet
• Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)
• Mission: “learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned” - http://www.honeynet.org
About Honeynet
• Share all of our tools, research and findings, at no cost to the public – “Know Your Tools” (KYT)
• “Know Your Enemy” (KYE) white papers regularly published on current research topics
• Members release regular activity status reports
• Committed to open source and creative commons
• Partially funded by sponsors, nothing to sell!
About Indonesia Honeynet Project
• 15 passionate security professionals, academicians and government officials met and signed a petition on 25 November 2011
• Indonesia Chapter officially recognized 9 January 2012
• Current members: 130 (20 active members)
About Indonesia Honeynet Project
• Yearly Seminar and Workshop since 2012
• Focus on Security Awareness and Security Research
• Honeynet communities: Jakarta, Semarang, Surabaya, Yogya, Denpasar, Palembang, Lampung
• Research Topics: Incident handling, Vulnerability Analysis, Malware, Digital Forensics, Penetration Testing, Threats Intelligence
Honeypots Research & Deployment (timeline)
• 2009 – Learning Period: Honeypot: Nepenthes; learning how to install and configure; # Honeypots deployed: None; Hardware: Client
• 2011 – Early Period: Honeypot: Nepenthes, Dionaea; deployed 1st Honeypot in SGU; # Honeypots deployed: 1; Hardware: Simple Client and Server
• 2013 – Growing Period: Honeypot: Dionaea; Target: Academic, Government, ISP; # Honeypots deployed: 5; Hardware: Mini PC and Server
• 2015 – Expanding Period: Honeypot: Dionaea, Kippo, Glastopf, Honeytrap; Coverage: Java, Bali, Sumatera; # Honeypots deployed: 16; Hardware: Raspberry Pi and Dedicated servers
Join Us
• Indonesia Honeynet Project
• idhoneynet
• http://www.honeynet.or.id
• http://groups.google.com/group/id-honeynet
What is Malware?
• Malware (Malicious Software) – all kinds of software that disrupt computer operations, gather sensitive information, or gain access to private computer systems
• Types of Malware
– Viruses
– Worms
– Trojans
– Ransomware
– Rootkits
Why Malware Analysis?
• To gain insight into the nature and purpose of malware
• To identify host-based and network indicators (Forensics: Indicators of Compromise, IOC)
• To understand malware behaviors and their persistence mechanisms
• To extract information used for learning and malware detection
Types of Malware Analysis
• Static Analysis – a method of examining computer program/code without executing the program
• Dynamic Analysis – a method of examining computer program/code while executing the program in a real or virtual processor
• Memory Analysis – a method of examining computer program/code after executing the program in a real or virtual processor
Static Analysis
• To disassemble the given binary, Dynamic Link Library (DLL) or APK (mobile apps)
• To extract static features, such as metadata of the files (section names) and the body of the files (strings, code, import libraries)
Static Analysis
• Input File Type: EXE, DLL, documents, etc.
• Output:
– Metadata
– Code
– Data
[Diagram: File Binaries → Static Analysis Tools → Static Features (Metadata, Code, Data)]
Static Analysis Tools
• PEiD (http://bob.droppages.com/projects/peid) – packer and compiler detector
• Pafish (https://github.com/a0rtega/pafish) – checking for anti-sandbox and anti-VM
• Yara (https://plusvic.github.io/yara/) – pattern matching for malware analysis
• Ssdeep (https://pypi.python.org/pypi/ssdeep) – fuzzy hash
• Strings Utility (https://technet.microsoft.com/en-us/sysinternals/strings.aspx) – strings extraction tool
• OllyDbg (http://www.ollydbg.de/) – code debugger
• IDA Pro (https://www.hex-rays.com/products/ida/) – disassembler, debugger
Static Analysis
• Questions to answer:
– Is the malware binary packed?
– Can the malware binary be unpacked?
– What are the important static features to be extracted?
• If the malware cannot be unpacked (due to the complexity of the packing method), then we can only rely on Dynamic Analysis
Static Analysis (Packer Landscape)
https://code.google.com/p/corkami/downloads/detail?name=packers.pdf
Static Analysis – Static Features
• Strings (one of the most important)
• Import DLL
• Assembly Code
• Byte Code
Strings Example - Brute Force Dictionary Password (Allaple Malware Samples)
Dynamic Analysis
• To gain insight into malware behaviors (interactions of malware binaries with the operating system)
• Important Features:
– File System Activities
– Process Activities
– Network Activities
– System Calls
Dynamic Analysis
• Input File Type: EXE, DLL, documents, etc.
• Output:
– File System Activities
– Process Activities
– Network Activities
– System Calls
[Diagram: File Binaries → Sandbox or Virtual Env. → Dynamic Features (File System Activities, Process Activities, Network Activities, System Calls)]
Dynamic Analysis Tools
• Detours (http://research.microsoft.com/en-us/projects/detours/) – binary instrumentation for Win32 functions
• Sandboxes:
– Cuckoo Sandbox (http://www.cuckoosandbox.org/)
– Anubis (http://anubis.iseclab.org/)
– ThreatTrack (http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx)
– Comodo Automated Analysis (http://camas.comodo.com/)
Dynamic Analysis
• Questions to answer:
– Does the malware seem to execute properly?
– Does the malware stop while executed?
– Is there any unique execution? (File System, Process, Network, System Calls)
• If the malware has anti-analysis, anti anti-analysis must be done first (Pafish is a good tool)
• Sequences of instructions may also be good features
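As an added example (not code from the talk or from any sandbox named above), this script turns a constructed sandbox-style API trace into the four dynamic feature families from the slides, flags a persistence mechanism (a Run key) and an anti-analysis call, derives host and network IOCs from them, and builds API-call bigrams as the "sequence" feature the last bullet suggests. The trace format, the API names chosen, the persistence key subset and the anti-analysis API subset are assumptions of the example; the paths and addresses are constructed.

```python
from collections import Counter

# Constructed sandbox-style API trace (not from any real sample), one monitored call per line in
# the form "<api> <key>=<value> ...", the kind of record an instrumentation hook writes.
SAMPLE_TRACE = """\
CreateFileW path=C:\\Users\\victim\\AppData\\Roaming\\svch0st.exe access=write
WriteFile path=C:\\Users\\victim\\AppData\\Roaming\\svch0st.exe bytes=81920
RegSetValueExW key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=Updater data=C:\\Users\\victim\\AppData\\Roaming\\svch0st.exe
CreateProcessW image=C:\\Users\\victim\\AppData\\Roaming\\svch0st.exe
IsDebuggerPresent result=0
connect ip=203.0.113.10 port=6667
send ip=203.0.113.10 port=6667 bytes=64
gethostbyname name=update.example.invalid
connect ip=198.51.100.23 port=80
"""

# Registry locations that restart a program after reboot (illustrative subset, assumption of this example).
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
# Calls a sample uses to decide whether it is being watched (illustrative subset).
ANTI_ANALYSIS_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}


def parse_trace(text):
    """Turn the trace into (api, {arg: value}) tuples. Values in this constructed format
    contain no spaces; a real trace format would need quoting."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        api, *pairs = line.split()
        events.append((api, dict(p.split("=", 1) for p in pairs)))
    return events


def behaviour_features(events):
    """Group the trace into the feature families from the slides plus two extras:
    anti-analysis calls and API-call bigrams (the 'sequence of calls' feature)."""
    feats = {"files_written": set(), "processes": set(), "registry_persistence": [],
             "network": set(), "domains": set(), "anti_analysis": [], "api_bigrams": Counter()}
    for api, a in events:
        if api in ("CreateFileW", "WriteFile") and a.get("access", "write") == "write":
            feats["files_written"].add(a["path"])
        elif api == "CreateProcessW":
            feats["processes"].add(a["image"])
        elif api == "RegSetValueExW" and any(k.lower() in a["key"].lower() for k in PERSISTENCE_KEYS):
            feats["registry_persistence"].append((a["key"], a.get("value"), a.get("data")))
        elif api in ("connect", "send"):
            feats["network"].add(f'{a["ip"]}:{a["port"]}')
        elif api == "gethostbyname":
            feats["domains"].add(a["name"])
        if api in ANTI_ANALYSIS_APIS:
            feats["anti_analysis"].append(api)
    apis = [api for api, _ in events]
    feats["api_bigrams"].update(zip(apis, apis[1:]))  # adjacent-call pairs, order preserved
    return feats


def iocs(feats):
    """Flatten the features into the host-based and network indicators an incident responder pivots on."""
    host = sorted(feats["files_written"] | feats["processes"])
    host += [key for key, _value, _data in feats["registry_persistence"]]
    return {"host": host, "network": sorted(feats["network"] | feats["domains"])}


if __name__ == "__main__":
    feats = behaviour_features(parse_trace(SAMPLE_TRACE))
    print("persistence:", feats["registry_persistence"])
    print("anti-analysis calls:", feats["anti_analysis"])
    print("IOCs:", iocs(feats))
    print("most common call bigram:", feats["api_bigrams"].most_common(1))
```

The anti-analysis list is why the trace matters before the IOCs do: if a sample calls a debugger or VM check and then exits, the rest of the trace is empty and the run must be repeated with those checks defeated, as the Pafish bullet above says.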
Memory Analysis
• To gain insight into malware “footprints” in memory
• Important Features:
– Running Processes
– Shared Libraries
– Network Connections
– Hooking Detection
– Rootkit Detection
– Code Injection
– Hidden artifacts
Memory Analysis Tools
• Volatility (https://code.google.com/p/volatility/) – framework for memory analysis
• Dynamic Binary Instrumentation (DBI)
– Pin Tools (https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)
– Valgrind (http://valgrind.org/)
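An added example of the cross-view technique behind the "Running Processes", "Rootkit Detection" and "Hidden artifacts" features above (this is not Volatility code, only the comparison logic a memory analyst applies to its output): a process list obtained by walking the kernel's active-process linked list is compared with one obtained by scanning physical memory for process objects. An object present only in the scan is either a terminated process (expected) or one that was unlinked from the list to hide it. Network connections are then attributed to processes the same way. The two views, the connection table and the addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    offset: int            # physical address of the process object; distinguishes reused PIDs
    exited: bool = False   # True when the object carries an exit time (terminated, not hidden)


# Constructed "list walk" view (not from a real memory image): what following the kernel's
# active-process linked list reports. A process unlinked from that list is missing here only.
PSLIST = [
    Proc(4, 0, "System", 0x0185_0000),
    Proc(400, 4, "smss.exe", 0x0192_0000),
    Proc(560, 400, "csrss.exe", 0x01a3_0000),
    Proc(700, 400, "wininit.exe", 0x01b0_0000),
    Proc(860, 700, "services.exe", 0x01b4_0000),
    Proc(980, 860, "svchost.exe", 0x01c5_0000),
    Proc(1200, 1180, "explorer.exe", 0x01d6_0000),  # parent already exited: normal on Windows
]

# Constructed "scan" view: what a scan of physical memory for process-object signatures reports.
# It sees unlinked objects, but also objects of processes that already exited.
PSSCAN = PSLIST + [
    Proc(1337, 980, "svch0st.exe", 0x01e7_0000),                # unlinked: hidden from the list walk
    Proc(2044, 1200, "notepad.exe", 0x01f8_0000, exited=True),  # terminated, not hidden
]

# Constructed connection table, as a network-object scan would report it: (pid, local, remote).
CONNECTIONS = [
    (1337, "10.0.0.5:49152", "203.0.113.10:6667"),
    (980, "10.0.0.5:49153", "198.51.100.23:443"),
]


def cross_view_hidden(pslist, psscan):
    """Objects the scan found that the list walk did not, ignoring terminated processes.
    Compare by object address rather than PID, because PIDs are reused."""
    listed = {p.offset for p in pslist}
    return [p for p in psscan if p.offset not in listed and not p.exited]


def orphans(pslist):
    """Live processes whose parent is absent from the list. Often benign (explorer.exe),
    so this is a triage list, not an alert."""
    known = {p.pid for p in pslist}
    return [p for p in pslist if p.ppid not in known and p.pid not in (0, 4)]


def unattributed_connections(connections, pslist, psscan):
    """Connections owned by a PID the list walk does not show; the scan view names it if it can."""
    visible = {p.pid for p in pslist}
    by_pid = {p.pid: p for p in psscan if not p.exited}
    hits = []
    for pid, _local, remote in connections:
        if pid not in visible:
            hits.append((pid, by_pid[pid].name if pid in by_pid else "<unknown>", remote))
    return hits


if __name__ == "__main__":
    for p in cross_view_hidden(PSLIST, PSSCAN):
        print(f"hidden process: pid={p.pid} name={p.name} parent={p.ppid}")
    for p in orphans(PSLIST):
        print(f"orphan (triage): pid={p.pid} name={p.name}")
    for pid, name, remote in unattributed_connections(CONNECTIONS, PSLIST, PSSCAN):
        print(f"connection from unlisted pid {pid} ({name}) to {remote}")
```

The same cross-view idea generalizes to the other features on the slide: loaded modules from the process's own module list versus modules found by scanning, or function pointers in a call table versus the address range of the module that should own them (hook detection).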
Case Study
• Isolate and reconstruct the incident
• Sniff the traffic while the server is running
[Diagram: Virtual Server with VM1 running – Switch – Desktop as Gateway]
Case Study
• The server was sending a huge number of SYN packets to a China IP address
• We found that it was user .Iptables that was sending the huge traffic
Case Study
• The malware must have entered the system through a service. We noticed that the ssh service was running
• We also noticed that the root account was enabled
Case Study
• ssh authentication was successful
• We found that the root password was an easy-to-guess 7-character string (combination of alpha and numeric)
• It was a Korean IP address that made the connection
Case Study (Lesson Learned)
• The user (also an admin) who installed the system made some simple but devastating mistakes:
– Used a simple (easy to guess) password
– Root account login over the ssh service was enabled
• The malware caused a Denial of Service attack using SYN Flooding
• Reverse engineering of the malware showed that it could also perform DNS Flooding
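The traffic sniffing step of this case study, as an added example (not the talk's own tooling): over constructed packet summaries it reports the destinations the server talks to most and flags source/destination pairs whose SYN rate inside a sliding window is high while almost no SYN-ACK comes back, which is the half-open signature of SYN flooding. The packet tuples, the documentation-range addresses, the 1-second window, the 100-SYN threshold and the 10% SYN-ACK ratio are assumptions of the example.

```python
from collections import Counter, defaultdict


def build_sample_packets():
    """Constructed packet summaries (not a real capture): (timestamp_s, src, dst, dport, tcp_flags),
    where tcp_flags is "S" for SYN, "SA" for SYN-ACK and "A" for ACK."""
    pkts = []
    t = 0.0
    # Three ordinary handshakes from the server to a web host: SYN out, SYN-ACK back, ACK out.
    for i in range(3):
        sport = 49100 + i
        pkts += [
            (t, "10.0.0.5", "198.51.100.23", 443, "S"),
            (t + 0.01, "198.51.100.23", "10.0.0.5", sport, "SA"),
            (t + 0.02, "10.0.0.5", "198.51.100.23", 443, "A"),
        ]
        t += 0.5
    # The incident pattern: 500 SYNs in half a second from the compromised server to one
    # external address, with no SYN-ACK ever coming back.
    for i in range(500):
        pkts.append((10.0 + i * 0.001, "10.0.0.5", "203.0.113.10", 80, "S"))
    return sorted(pkts)


def top_destinations(packets, n=3):
    """Packet count per destination address: the quick 'who is this box talking to' view."""
    return Counter(dst for _ts, _src, dst, _dport, _flags in packets).most_common(n)


def detect_syn_flood(packets, window=1.0, threshold=100, max_answered=0.1):
    """Flag (src, dst) pairs that sent at least `threshold` SYNs inside any `window` seconds
    while at most `max_answered` of all their SYNs were answered with a SYN-ACK.
    Returns {(src, dst): peak SYN count seen in one window}."""
    syn_times = defaultdict(list)
    synacks = defaultdict(int)
    for ts, src, dst, _dport, flags in sorted(packets):
        if flags == "S":
            syn_times[(src, dst)].append(ts)
        elif flags == "SA":
            synacks[(dst, src)] += 1  # the reply travels back, so key it by the original direction
    alerts = {}
    for pair, times in syn_times.items():
        peak = start = 0
        for end in range(len(times)):  # sliding window over the sorted SYN timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold and synacks[pair] <= max_answered * len(times):
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    pkts = build_sample_packets()
    print("top destinations:", top_destinations(pkts))
    for (src, dst), peak in detect_syn_flood(pkts).items():
        print(f"SYN flood suspected: {src} -> {dst}, {peak} SYNs in one window, no handshakes completing")
```

The SYN-ACK ratio is what separates a flood from a legitimately busy client: a host opening many real connections receives replies for them, whereas the infected server in the case study sent SYNs that were never meant to complete. Run on the gateway sniff, the top-destinations view alone would already have pointed at the single foreign address.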
Current and Future Challenges
• Malware Packers or Crypters
• Anti-Analysis (Anti-Debugging, Anti-Disassembly, Anti-Sandbox, Anti-Emulation, ...)
• NO SILVER BULLET
• Must use a combination of all malware analysis techniques
• Machine Learning is also a big help
Related Publications
• Joshua Tommy Juwono, Charles Lim, Alva Erwin, A Comparative Study of Behavior Analysis Sandboxes in Malware Detection, The 3rd International Conference on New Media 2015, Jakarta, Indonesia, 2015
• Charles Lim, Nicsen, Mal-EVE: Static Detection Model for Evasive Malware, 10th EAI International Conference on Communications and Networking in China, Shanghai, China, 2015
• Charles Lim, Darryl Y. Sulistyan, Suryadi, and Kalamullah Ramli, Experiences in Instrumented Binary Analysis for Malware, The 3rd International Conference on Internet Services Technology and Information Engineering 2015 (ISTIE 2015), Bali, 2015
• Charles Lim, Meily, Nicsen, and Herry Ahmadi, Forensics Analysis of USB Flash Drives in Educational Environment, The 8th International Conference on Information & Communication Technology and Systems, Surabaya, 2014
• Charles Lim, and Kalamullah Ramli, Mal-ONE: A Unified Framework for Fast and Efficient Malware Detection, 2014 2nd International Conference on Technology, Informatics, Management, Engineering & Environment, Bandung, 2014
Conclusion
• Malware continues to rise in numbers and sophistication
• Malware authors usually combine common malware modules with few changes
• Packers and Anti-Analysis are real challenges
• Malware analysis is usually part of Threats Intelligence, Incident Response, and Digital Forensics
• There is no silver bullet for Malware Analysis
Call for More Research
• Indonesia Honeynet Project
• idhoneynet
• http://www.honeynet.or.id
• http://groups.google.com/group/id-honeynet