Reverse Engineering & Malware Analysis
Eng. Ahmed Khlief, Cyber Security Analyst
Must-Know Cybersecurity Statistics
“In Q3 2016 alone, 18 million new malware samples were captured.”
- Panda Labs.
“More than 4,000 ransomware attacks have occurred every day
since the beginning of 2016.” - CCIPS
“78% of people claim to be aware of the risks of unknown links in
emails. And yet they click anyway.” - Friedrich-Alexander University
Must-Know Cybersecurity Statistics
“52% of organizations that suffered successful cyber attacks in 2016
aren't making any changes to their security in 2017” - Barkly,
December 2016
What is Malware?
The term malware is a contraction of malicious software.
Any piece of software that was written with the intent of doing harm to data, devices or people.
Viruses
Worms
Intrusion Tools
Spyware
Ransomware
Rootkits
CCleaner malware
Targeting Windows devices.
Discovered on 13/9/2017.
Suspected Chinese hacking group called Axiom.
Hackers compromised a portion of CCleaner's development environment.
They inserted malware into the CCleaner build that was released and hosted by the organization.
The malware consists of two stages.
The researchers believe the secondary-stage malware was likely intended for industrial espionage.
Linux.ProxyM malware
Discovered on 22/9/2017.
Targeting Linux devices.
It acts as a mass spam mailer.
Hackers used default credentials to access the devices.
Can operate on any IoT device running Linux with the following architectures:
x86
MIPS
PowerPC
ARM
SPARC
Motorola 68000
AndroidOS_ZNIU malware
Discovered on 26/9/2017.
Targeting Android devices.
The malware uses a year-old privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, to gain root access on the mobile device.
It serves as a backdoor for potential remote control attacks in the future.
It also generates payments via premium SMS messages sent on behalf of the mobile user.
Why Analyze Malware?
To assess damage.
To discover indicators of compromise.
To determine the sophistication level of an intruder.
To identify a vulnerability (zero-days like the SMB bug…).
To catch the “bad guy”.
To stop the spread of malware.
To answer questions…
Why Analyze Malware?
Business Questions:
What is the purpose of the malware?
How did it get here?
Who is targeting us and how good are they?
How can I get rid of it?
What did they steal?
Why Analyze Malware?
Business Questions:
How long has it been here?
Does it spread on its own?
How can I find it on other machines?
How do I prevent this from happening in the future?
Technical Questions:
Network indicators?
Host-based indicators?
Persistence mechanism?
What language was it written in?
Is it packed?
Anti-analysis?
Malware Analysis Techniques
Dynamic Analysis
Executing the malware. Simple and fast, but easy to miss things.
Static Analysis
Reverse engineering. Slow and needs deep technical knowledge, but with enough time anything can be reversed.
Hybrid Static/Dynamic
Most analysis is a mixture: you find something in the disassembly, then you confirm or investigate it while the malware is executing.
Memory Forensics
Preparing a Safe Environment
Each malware sample requires an environment that matches its target system.
Do Not Run Malware on Your Computer!
To be safe there are two choices:
Grab some devices on an isolated network, create disk images, and re-image a target machine to return it to a pristine state.
Adv: malware can't easily detect that it is running in a lab (honeypot).
Disadv: time consuming, hard to implement, costly.
Use virtualization to make things fast and safe.
Adv: easy to implement.
Disadv: some malware can detect the virtual environment and stop executing.
Virtual Machines as a Safe Environment
Use WinXP for dynamic and static analysis of Windows executables.
Compatible with almost all malware samples.
Does not require high specs.
Fewer security controls (let the malware do what it likes).
Use REMnux for static analysis.
Linux distribution created for malware analysis.
Many tools to extract information from malware.
Supports analysis of many file types: .exe, .doc, .pdf, .bin.
Pre-installed static and network analysis tools.
Preparing a Safe Environment
It is easier to perform analysis if you allow the malware to “call home”…
However:
The attacker might change their behavior.
Your IP might become the target of additional attacks (consider using Tor).
You may end up attacking other people.
Preparing a Safe Environment
Therefore, we usually do not allow malware to touch the real network.
Use the host-only networking feature of your virtualization platform.
Establish real services (DNS, web, etc.) on your host OS or on other virtual machines.
Use netsim and netcat to create listening ports and interact with text-based clients.
Build custom controlling servers as required (usually in a high-level scripting language).
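A minimal fakedns-style responder, added here as an example rather than taken from the deck: it answers every A query on the host-only lab network with the analyst's own address, so every name the sample resolves is logged and its connections land on listeners you control. The address 192.168.56.1 and the name update.example.test are constructed; build_query exists only so the responder can be exercised without a VM.

```python
"""Fake DNS responder for a host-only malware lab (added example).

Every A query is answered with LAB_IP, so a sample that resolves its
command-and-control name is steered to a listener the analyst controls
and every name it asks for is logged."""
import socket
import struct

LAB_IP = "192.168.56.1"   # constructed: the analyst's host-only adapter address


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive query (used here to exercise the responder)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query_name(packet: bytes) -> tuple:
    """Return (qname, offset just past the question section)."""
    pos, labels = 12, []                      # question starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), pos + 4          # skip QTYPE and QCLASS


def build_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Answer an A query with answer_ip; other query types get an empty answer."""
    _, end = parse_query_name(query)
    qtype = struct.unpack("!H", query[end - 4:end - 2])[0]
    ancount = 1 if qtype == 1 else 0
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, ancount, 0, 0)  # QR, RD, RA set
    question = query[12:end]                  # echo the question back unchanged
    if not ancount:
        return header + question
    answer = (b"\xc0\x0c"                     # compression pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)   # TYPE A, CLASS IN, TTL, RDLENGTH
              + socket.inet_aton(answer_ip))
    return header + question + answer


def serve(bind_ip: str = LAB_IP, port: int = 53, answer_ip: str = LAB_IP) -> None:
    """Bind the lab interface and answer until interrupted (needs root for port 53)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, _ = parse_query_name(data)
            reply = build_response(data, answer_ip)
        except (IndexError, struct.error):
            continue                          # malformed packet: ignore it
        print(f"[fakedns] {peer[0]} asked for {name} -> {answer_ip}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Point the analysis VM's DNS at the host-only address and run the script on the host; pair it with a netcat listener (or a custom server) on the ports the sample then connects to, so the whole exchange stays inside the lab.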
Dynamic Analysis
Dynamic analysis is conducted by observing and manipulating malware as it runs.
Usually you care more about “what” the malware is doing than “how” it is being accomplished.
Monitor the system for changes and IOCs.
Dynamic Analysis
Using Snapshots to Save Time
Many virtualization products offer snapshots.
You can return to the saved pristine state at any time.
System Monitoring
We need to monitor:
Registry activity: Regshot, Sysinternals Process Monitor, etc.
File activity: Sysinternals File Monitor
Process activity: Process Monitor and Process Hacker
Network traffic: Wireshark, netsim, fakedns, Sysinternals TCPView
Process Monitor
One of the most powerful tools for the malware analyst.
Its power resides in the filter configuration.
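An added example (not from the deck) of the filtering this slide and the monitoring list before it refer to, applied to a Process Monitor CSV export with Python's standard library: keep only the sample's own events, then pull out dropped files, Run-key persistence, outbound connections and child processes as IOCs. The CSV rows and the names sample.exe and svchost32.exe are constructed; the column layout follows Procmon's CSV export.

```python
"""Turn a Process Monitor CSV export into a short IOC list (added example)."""
import csv
import io
import re

# Constructed Procmon CSV export (not a real capture); same columns as
# File > Save... > CSV in Process Monitor.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svchost.exe","812","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.5","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.6","sample.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","Length: 204800"
"10:01:02.9","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe"
"10:01:03.2","sample.exe","4120","TCP Connect","lab-vm:49712 -> 192.0.2.10:443","SUCCESS","Length: 0"
"10:01:03.4","sample.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","PID: 4188"
"10:01:03.8","explorer.exe","1504","RegQueryValue","HKCU\\Software\\Classes\\.txt","NAME NOT FOUND",""
'''

# Registry autostart locations and typical drop directories (assumed heuristics).
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.IGNORECASE)
DROP_DIRS = re.compile(r"\\(AppData|Temp|ProgramData|Startup)\\", re.IGNORECASE)
NET_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def add_unique(items: list, value: str) -> None:
    if value not in items:
        items.append(value)


def extract_iocs(csv_text: str, process_name: str) -> dict:
    """Apply a 'Process Name is <sample>' filter, then classify what is left."""
    iocs = {"dropped_files": [], "persistence": [], "network": [], "children": [],
            "events_total": 0, "events_kept": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs["events_total"] += 1
        # First filter: drop the noise from every other process on the box.
        if row["Process Name"].lower() != process_name.lower():
            continue
        iocs["events_kept"] += 1
        op, path = row["Operation"], row["Path"]
        if op == "WriteFile" and DROP_DIRS.search(path):
            add_unique(iocs["dropped_files"], path)            # host-based IOC
        elif op == "RegSetValue" and RUN_KEYS.search(path):
            iocs["persistence"].append((path, row["Detail"]))  # persistence mechanism
        elif op in NET_OPS and " -> " in path:
            add_unique(iocs["network"], path.split(" -> ", 1)[1])  # network IOC
        elif op == "Process Create":
            add_unique(iocs["children"], path)                 # follow-on processes
    return iocs


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_CSV, "sample.exe")
    print(f"kept {result['events_kept']} of {result['events_total']} events")
    for key in ("dropped_files", "persistence", "network", "children"):
        print(key, result[key])
```

Note that a child process such as svchost32.exe above would need its own pass (or a second Procmon filter on its PID), because a process-name filter on the parent hides what the child does.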
Wireshark and TCPView
Wireshark is a protocol analyzer that captures and decodes network traffic.
Wireshark is not aware of which process generates the traffic.
TCPView can show the process name and ID that is making each connection, together with the destination IP and port used in the connection.
Using TCPView and Wireshark together we can connect the traffic to each process.
Static Analysis
Collect information about an executable file without running it.
Search for interesting strings to act as IOCs.
Create a fingerprint for the malware (hash using SHA-256).
Gather info about the executable structure (PE headers).
Search for known crypto and packer signatures.
Extracting Strings
Using the strings command in REMnux.
Using the strings command added by the MAP tool installed on Windows.
Be careful about drawing conclusions:
There is nothing stopping the attacker from planting strings meant to deceive the analyst.
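An added example, not from the deck, covering the static-analysis steps on this slide and the previous one: hash the file for a fingerprint and extract printable strings, both plain ASCII and the UTF-16LE "wide" strings that the plain strings command skips by default and that Windows binaries carry a lot of. The bytes in SAMPLE are constructed, and the suspicious-string patterns are a starting heuristic rather than a verdict, for exactly the reason the slide gives.

```python
"""Fingerprint a file and pull ASCII and wide strings out of it (added example)."""
import hashlib
import re

# Constructed stand-in for bytes read from a suspicious file; not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x01\x02\x7f"
    + "http://example.test/up".encode("utf-16-le") + b"\x00\x00"   # wide string
    + b"\x7f\x00HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"abc\x00"                                # below the default minimum length
    + b"C:\\Windows\\system32\\drivers\\etc\\hosts\x00"
    + b"NotReallyAnAV.exe\x00"
)

# Patterns worth a second look (assumed list; extend per investigation).
SUSPICIOUS = [
    ("url", re.compile(r"^https?://", re.I)),
    ("run key", re.compile(r"CurrentVersion\\Run", re.I)),
    ("hosts file", re.compile(r"\\drivers\\etc\\hosts$", re.I)),
    ("executable", re.compile(r"\.(exe|dll|scr)$", re.I)),
]


def fingerprint(data: bytes) -> dict:
    """Hashes used to name and look up a sample; SHA-256 is the one to share."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, like `strings -n 4`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def wide_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable UTF-16LE characters, like `strings -e l`."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def string_report(data: bytes, min_len: int = 4) -> dict:
    """Fingerprint plus every string, with the ones matching SUSPICIOUS flagged."""
    found_ascii = ascii_strings(data, min_len)
    found_wide = wide_strings(data, min_len)
    flagged = []
    for s in found_ascii + found_wide:
        for label, rx in SUSPICIOUS:
            if rx.search(s):
                flagged.append((label, s))
    return {"sha256": fingerprint(data)["sha256"], "ascii": found_ascii,
            "wide": found_wide, "suspicious": flagged}


if __name__ == "__main__":
    report = string_report(SAMPLE)
    print("sha256:", report["sha256"])
    for label, s in report["suspicious"]:
        print(f"[{label}] {s}")
```

On a real file, call string_report(open(path, "rb").read()); treat every flagged string as a lead to confirm in the disassembly or under the debugger, since a planted string costs the attacker nothing.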
PE Header Analysis
The architecture of the executable: x86 or x64.
Compilation date.
Signs of a packed executable.
Number of sections and their properties.
Tools to parse the PE headers:
peframe - REMnux
pescanner - REMnux
CFF Explorer - Windows
PEview - Windows
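An added example, not from the deck or from any of the tools listed, of reading these four items directly from the PE headers with Python's standard library: the machine type, the TimeDateStamp, the section table, and packing hints (known packer section names, high entropy, writable-and-executable sections, sections empty on disk). SAMPLE_PE is constructed by build_sample_pe and is not a real executable; the entropy threshold and the packer name list are assumptions.

```python
"""Read architecture, compile time, sections and packing hints from PE headers
(added example, standard library only)."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".nsp0", ".nsp1", "MPRESS1"}
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000      # IMAGE_SCN_MEM_* flags


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    magic = struct.unpack_from("<H", data, pe_off + 24)[0]        # 0x10B PE32, 0x20B PE32+
    sec_off = pe_off + 24 + opt_size                              # section table follows
    sections, hints = [], []
    for i in range(nsec):
        name, vsize, _, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + i * 40)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sec = {"name": name, "virtual_size": vsize, "raw_size": rsize,
               "entropy": round(entropy(data[rptr:rptr + rsize]), 2),
               "writable_exec": bool(flags & MEM_EXECUTE and flags & MEM_WRITE)}
        sections.append(sec)
        if name in PACKER_SECTIONS:
            hints.append(f"section name {name} matches a known packer")
        if sec["entropy"] > 7.0:
            hints.append(f"section {name} has entropy {sec['entropy']} (compressed/encrypted data)")
        if sec["writable_exec"]:
            hints.append(f"section {name} is writable and executable (unpacking stub writes code)")
        if rsize == 0 and vsize > 0:
            hints.append(f"section {name} is empty on disk but {vsize} bytes in memory")
    return {
        "arch": f"{MACHINES.get(machine, hex(machine))} ({'PE32+' if magic == 0x20B else 'PE32'})",
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "sections": sections,
        "packed_hints": hints,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 with a plain .text section and a UPX-style packed one."""
    stamp = 1505260800                                        # 2017-09-13 00:00:00 UTC
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew -> offset 64
    opt = struct.pack("<H", 0x10B) + b"\0" * 222               # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, len(opt), 0x0102)
    text = b"\x55\x8b\xec\x90" * 256                            # repetitive code bytes
    rng = random.Random(7)
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))      # high-entropy payload

    def sec(name, body, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(body), 0, len(body), ptr, 0, 0, 0, 0, flags)

    headers = dos + b"PE\0\0" + coff + opt
    headers += sec(b".text", text, 512, 0x60000020)            # CODE | EXECUTE | READ
    headers += sec(b"UPX1", upx1, 1536, 0xE0000040)            # DATA | EXECUTE | READ | WRITE
    return headers.ljust(512, b"\0") + text + upx1


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print(info["arch"], info["compiled"])
    for s in info["sections"]:
        print(s)
    print("\n".join(info["packed_hints"]))
```

On a real file use parse_pe(open(path, "rb").read()); a TimeDateStamp of zero or one far in the future is itself a sign the header was tampered with, and a single high-entropy section next to a tiny code section is the classic picture of a packed executable.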
Extracting Data
Malware can pack exploits and other malicious executables in its resources section.
To identify and extract them we use:
Resource Hacker - Windows
bulk_extractor - REMnux
signsrch - REMnux
foremost - REMnux
Disassembly and Reverse Engineering
Automated disassemblers can take machine code and “reverse” it to a slightly higher-level representation.
Many tools can disassemble x86 and x64 code: objdump, OllyDbg, IDA Pro.
But IDA Pro is what everyone uses.
Manual examination of disassembly is somewhat painstaking, slow, and can be hard.
Keep your goals in mind and don’t get bogged down.
Disassemblers – IDA Pro
It automatically identifies code and data.
It groups instruction streams into functions and shows their arguments.
It can show the code flow as a graph.
It automatically identifies library functions of common compilers.
You can easily navigate the whole binary, rename any location to a descriptive name, and add comments.
Disassemblers
The Future Relies on Automating Malware Analysis
Malware analysts now focus on using machine learning to catch malware.
Sandboxes can be very useful.
You can try the Cuckoo sandbox:
Open source.
Great performance.
Can be used to gather initial info before digging in manually.
Easy-to-use APIs.
The END
Thank you for listening