Christian Wojner, CERT - FIRST, 02.04.2013 (slide transcript)
Slide 1
Christian Wojner, CERT.at
1 02.04.2013
Slide 2
Wh01am

Person
- Christian Wojner
- Malware Analysis, Reverse Engineering, Computer Forensics
- CERT.at / GovCERT.gv.at

Publications
- Papers: Mass Malware Analysis: A DIY Kit; An Analysis of the Skype IMBot Logic and Functionality; The WOW-Effect
- Articles: HITB Online Mag (The Art of DLL Injection; Automated Malware Analysis - An Introduction to Minibis); HAKIN9 Online Mag (Minibis)
- Software: Minibis; Bytehist (REMnux); Densityscout (REMnux); ProcDOT (REMnux)

Speaker
- FIRST Symposium 2010
- CertVerbund-DE 2010
- Deepsec 2010
- Teliasonera 2011
- Joint FIRST/TF-CSIRT Technical Seminar 2012
- CanSecWest 2012
- CertVerbund-DE 2012
- 0ct0b3rf3st 2012
- SANS Forensic Summit Prague 2012
- Deepsec 2012
Slide 3
I had a dream ...
- Malware infections are complex
- Humans are visually oriented
- A picture tells a thousand words
- Humans are top at understanding complex pictures

Goals
- Put all aspects of a malware infection into one big picture, using the most common freely available tools
- Distinguish between good and evil at a glance
- Get a gut feeling for an entire situation within minutes
- Freely available to everyone
Slide 4
Proof of concept (image): GOOD vs. EVIL
Slide 5
Proof of concept (image): GOOD vs. EVIL
Slide 6
ProcDOT – The name
- Proc ... Process Monitor (Procmon) from Sysinternals
- DOT ... DOT module of the Graphviz Suite
Slide 7
Behavioral analysis
Monitoring activities

Data sources: Procmon; PCAP (Windump, Tcpdump, Wireshark)

Activities:
- Filesystem
- Network
- Windows Messages
- Registry
- Process-Management
- Thread-Management
Slide 8
Data-Correlation (diagram): PROCMON data, PCAP data, PROCESSES
Slide 9
Noise (-reduction)
- Relevance: Smart-Following-Algorithms
- Path compression: Registry, Files, Network traffic
- Filters: Files, Registry keys, Servers (long names / short names)
- Contents: Nodes, Edges
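The two slides above (data correlation of Procmon and PCAP data via processes, and noise reduction by following, path compression and filters) can be illustrated with a small Python script. This is an added example, not ProcDOT's own code: it assumes the default Procmon CSV export column set, invents a handful of Procmon events for a constructed sample, stands in for the PCAP side with a hand-written list of flow tuples, and emits a Graphviz DOT graph in the spirit of what ProcDOT renders. The noise prefix list and the "keep root plus last three path components" compression rule are assumptions chosen for the example.

```python
import csv
import io
import re

# Constructed sample of a Procmon CSV export. The column set is the one Procmon
# writes by default (assumption); the events themselves are invented.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","sample.exe","1234","Process Start","","SUCCESS","Parent PID: 1000"
"10:00:01.1000000","sample.exe","1234","CreateFile","C:\Users\alice\AppData\Local\Temp\drop.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.2000000","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd","SUCCESS","Type: REG_SZ"
"10:00:01.3000000","sample.exe","1234","Process Create","C:\Users\alice\AppData\Local\Temp\drop.exe","SUCCESS","PID: 1300"
"10:00:01.4000000","drop.exe","1300","TCP Connect","HOST:49200 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:00:01.5000000","drop.exe","1300","CreateFile","C:\Windows\Prefetch\DROP.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Read"
"10:00:02.0000000","svchost.exe","800","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
'''

# Constructed stand-in for the PCAP side, i.e. what one would aggregate from a
# capture: (local port, remote ip, remote port, bytes). The second flow has no
# Procmon event claiming its local port and therefore stays unattributed.
PCAP_FLOWS = [
    (49200, "203.0.113.10", 443, 18240),
    (49201, "198.51.100.7", 80, 512),
]

# Paths that only add noise to the picture (assumption: prefetch files).
NOISE_PREFIXES = (r"C:\Windows\Prefetch",)


def parse_procmon(text):
    """Read a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def follow_processes(events, root_pid):
    """Relevance by following: keep the root PID and every process it (transitively) creates."""
    kept = {root_pid}
    changed = True
    while changed:
        changed = False
        for ev in events:
            if ev["Operation"] != "Process Create" or int(ev["PID"]) not in kept:
                continue
            child = int(re.search(r"PID:\s*(\d+)", ev["Detail"])[1])
            if child not in kept:
                kept.add(child)
                changed = True
    return kept


def compress_path(path, keep=3):
    """Path compression: show the root plus the last few components of a long path."""
    parts = path.split("\\")
    if len(parts) <= keep + 1:
        return path
    return "\\".join([parts[0], "..."] + parts[-keep:])


def is_noise(path):
    return path.startswith(NOISE_PREFIXES)


def correlate_network(events, flows):
    """Attach PCAP byte counts to the PID whose Procmon TCP/UDP event owns the local port."""
    owner = {}
    for ev in events:
        m = re.match(r".+:(\d+) -> ([\d.]+):(\d+)$", ev["Path"])
        if ev["Operation"].startswith(("TCP", "UDP")) and m:
            owner[(int(m[1]), m[2], int(m[3]))] = int(ev["PID"])
    return [(owner.get((lp, ip, rp)), ip, rp, n) for lp, ip, rp, n in flows]


def dot_quote(s):
    """Escape backslashes and quotes so Windows paths survive inside DOT strings."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_dot(events, flows, root_pid):
    """Correlate both data sources and render the reduced picture as a DOT graph."""
    kept = follow_processes(events, root_pid)
    names = {int(ev["PID"]): ev["Process Name"] for ev in events}
    lines = ["digraph procdot_like {", "  rankdir=LR;"]
    for pid in sorted(kept):
        lines.append(f'  "p{pid}" [shape=box, label="{names.get(pid, "?")} ({pid})"];')
    for ev in events:
        pid, op, path = int(ev["PID"]), ev["Operation"], ev["Path"]
        if pid not in kept or not path or is_noise(path):
            continue  # filtered: unrelated process, no target, or noise
        if op == "Process Create":
            child = int(re.search(r"PID:\s*(\d+)", ev["Detail"])[1])
            lines.append(f'  "p{pid}" -> "p{child}" [label="{op}"];')
        elif op.startswith(("TCP", "UDP")):
            continue  # network edges are drawn from the correlated flows below
        else:
            lines.append(f'  "p{pid}" -> "{dot_quote(compress_path(path))}" [label="{op}"];')
    for pid, ip, rp, n in correlate_network(events, flows):
        if pid in kept:
            lines.append(f'  "p{pid}" -> "{ip}:{rp}" [label="TCP bytes={n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_dot(parse_procmon(PROCMON_CSV), PCAP_FLOWS, root_pid=1234))
```

Piping the output through `dot -Tpng` draws the sample, its dropped child, the Run key it writes and the server the child talks to, with the byte count coming from the PCAP side; svchost.exe and the prefetch file never reach the graph because following and the noise filter drop them before rendering.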
Slide 10 (image only)
Slide 11
Reactions?
- Questions
- Feedback
- Flowers
- Presents
- Kisses
- Hugs
- Hand-shakes
- Slaps
- Smalltalks
- Longtalks
- Short-drinks
- Longdrinks
- …
Slide 12 (image only)
Slide 13 (image only)