H@Dfex 2015 - Malware Analysis
About Me
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Researcher Information Security Research Group and Lecturer
Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim
I am currently doing my doctoral study in Universitas Indonesia
Research Interest
Malware
Intrusion Detection
Threats Intelligence
Vulnerability Analysis
Digital Forensics
Cloud Security
Community
Indonesia Honeynet Project - Chapter Lead
Academy CSIRT member
Asosiasi Digital Forensik Indonesia - member
Agenda
About Honeynet
What is Malware?
Why Malware Analysis?
Types of Malware Analysis
Static Analysis
Dynamic Analysis
Memory Analysis
Case Study
Future Challenges
About Honeynet
Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)
Mission: learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned
http://www.honeynet.org
About Honeynet
Share all of our tools, research and findings, at no cost to the public
Know Your Tools (KYT) and Know Your Enemy (KYE) white papers regularly published on current research topics
Members release regular activity status reports
Committed to open source and creative commons
Partially funded by sponsors, nothing to sell!
About Honeynet
Timeline, 2009 to 2015:
2009, Learning Period: Honeypot: Nepenthes. Learning how to install and configure. # Honeypots deployed: None. Hardware: Client.
2011, Early Period: Honeypots: Nepenthes, Dionaea. Deployed 1st honeypot in SGU. # Honeypots deployed: 1. Hardware: Simple client and server.
2013, Growing Period: Honeypot: Dionaea. # Honeypots deployed: 5. Hardware: Mini PC and server.
2015, Expanding Period: Honeypots: Dionaea, Kippo, Glastopf, Honeytrap. Target: Academic, Government, ISP. # Honeypots deployed: 16. Hardware: Raspberry Pi and dedicated servers.
Our Contribution
Other Research
Join Us
Indonesia Honeynet Project
idhoneynet
http://www.honeynet.or.id
http://groups.google.com/group/id-honeynet
What is Malware?
Malware (Malicious Software): any software that disrupts computer operations, gathers sensitive information, or gains access to private computer systems
Types of Malware:
Viruses
Worms
Trojans
Ransomware
Rootkits
What is Malware?
Types of Malware Analysis: Static Analysis, Dynamic Analysis, Memory Analysis
Why Malware Analysis?
To gain insight into the nature and purpose of malware
To identify host-based and network indicators (forensics: Indicators of Compromise, IOC)
To understand malware behaviors and persistence mechanisms
To extract information used for learning and malware detection
Static Analysis
Input file type: EXE, DLL, documents, etc.
Output: Metadata, Code, Data
Workflow: File binaries -> Static analysis tools -> Static features (Metadata, Code, Data)
Source: https://code.google.com/p/corkami/wiki/PE101
Static Analysis
Questions to answer:
Is the malware binary packed?
Can the malware binary be unpacked?
What are the important static features to be extracted?
https://code.google.com/p/corkami/downloads/detail?name=packers.pdf
Static Analysis
PE Header Section
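As an added illustration of the static questions above (is the binary packed, and which features come straight out of the PE header), the following Python script is not from the slides or from corkami: it builds two constructed minimal PE32 images, parses the DOS header, PE signature, COFF header and section table, and applies simple packing heuristics (known packer section names, per-section Shannon entropy, writable-plus-executable sections, and an entry point outside .text). The 7.0-bit entropy threshold and the packer name list are assumptions, and the heuristics are indicators rather than proof.

```python
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER layout: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
# COFF file header that follows "PE\0\0": Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
COFF_HDR = struct.Struct("<HHIIIHH")
OPT_HDR_SIZE = 224          # PE32 optional header size
FILE_ALIGN = 512
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

# Section names used by some well-known packers (assumed list; an indicator, not proof).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".petite", ".nsp0", ".nsp1", ".MPRESS1", ".MPRESS2"}


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant fill, close to 8.0 for compressed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe(packed):
    """Constructed minimal PE32 image (not a real sample). The packed variant has a
    high-entropy, writable+executable UPX1 section that also holds the entry point."""
    code = (b"\x55\x8b\xec\x5d\xc3" * 52)[:256]            # low-entropy stub bytes
    if packed:
        name2 = b"UPX1"
        data2 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 pseudo-random bytes
        entry_rva, chars2 = 0x2000, 0xE0000040             # entry in the packed section; RWX
    else:
        name2, data2, entry_rva, chars2 = b".data", b"\x00" * 1024, 0x1000, 0xC0000040
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew -> PE signature
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    raw1, raw2 = FILE_ALIGN, FILE_ALIGN + len(code)
    hdr = bytes(dos) + b"PE\0\0" + COFF_HDR.pack(0x14C, 2, 0, 0, 0, OPT_HDR_SIZE, 0x0102) + bytes(opt)
    hdr += SECTION_HDR.pack(b".text", len(code), 0x1000, len(code), raw1, 0, 0, 0, 0, 0x60000020)
    hdr += SECTION_HDR.pack(name2, len(data2), 0x2000, len(data2), raw2, 0, 0, 0, 0, chars2)
    return hdr + b"\0" * (FILE_ALIGN - len(hdr)) + code + data2


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> section table, with per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + COFF_HDR.size
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsec):
        f = SECTION_HDR.unpack_from(data, opt_off + opt_size + i * SECTION_HDR.size)
        raw = data[f[4]:f[4] + f[3]]
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "vaddr": f[2], "rawsize": f[3],
                         "chars": f[9], "entropy": shannon_entropy(raw)})
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def assess_packing(pe, entropy_threshold=7.0):
    """Return human-readable reasons the binary looks packed (empty list if none)."""
    reasons = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section {s['name']} is a known packer section name")
        if s["entropy"] >= entropy_threshold:
            reasons.append(f"section {s['name']} entropy {s['entropy']:.2f} suggests compressed/encrypted data")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            reasons.append(f"section {s['name']} is both writable and executable (self-modifying stub)")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            reasons.append(f"section {s['name']} has no raw data but {s['vsize']} virtual bytes (unpack target)")
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"]) and s["name"] not in (".text", "CODE"):
            reasons.append(f"entry point 0x{pe['entry_rva']:x} lies in {s['name']}, not .text")
    return reasons


if __name__ == "__main__":
    for packed in (True, False):
        pe = parse_pe(build_sample_pe(packed))
        print("packed" if packed else "clean",
              [(s["name"], round(s["entropy"], 2)) for s in pe["sections"]], assess_packing(pe))
```

Running the script prints the section names with their entropies and the list of reasons for each constructed image; on a real file, replace `build_sample_pe(...)` with the bytes read from disk.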
Dynamic Analysis
To gain insight into malware behaviors (interactions of malware binaries with the operating system)
Important Features:
File System Activities
Process Activities
Network Activities
System Calls
Dynamic Analysis
Input file type: EXE, DLL, documents, etc.
Output: File System Activities, Process Activities, Network Activities, System Calls
Workflow: File binaries -> Sandbox or virtual environment -> Dynamic features (File System Activities, Process Activities, Network Activities, System Calls)
Dynamic Analysis
Questions to answer:
Does the malware seem to execute properly?
Does the malware stop while being executed?
Is there any unique execution behavior? (File System, Process, Network, System Calls)
If the malware has anti-analysis, anti anti-analysis must be done first (Pafish is a good tool)
Maybe the sequence of instructions can be a good feature
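The questions above map directly onto a behaviour trace. This added Python example (not from the slides and not the output format of any particular sandbox) reads a constructed JSON-lines event log, counts events per feature class (file system, process, network, registry, API calls), extracts host-based and network indicators, and notes early exits and calls to debugger-check APIs that suggest anti-analysis worth confirming with a tool such as Pafish. The event schema, file paths, domain name and IP address are all constructed; the API name list is an assumption.

```python
import json
import re

# Constructed sandbox event log (JSON lines); not output of any real sandbox.
# The domain and IP address come from reserved documentation ranges.
SAMPLE_EVENTS = r"""
{"t": 0.01, "pid": 1204, "type": "process", "op": "start", "image": "C:\\Users\\lab\\sample.exe"}
{"t": 0.05, "pid": 1204, "type": "api", "op": "call", "name": "IsDebuggerPresent", "ret": 0}
{"t": 0.35, "pid": 1204, "type": "file", "op": "write", "path": "C:\\Users\\lab\\AppData\\Local\\Temp\\svchost32.exe", "size": 48128}
{"t": 0.40, "pid": 1204, "type": "registry", "op": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\Users\\lab\\AppData\\Local\\Temp\\svchost32.exe"}
{"t": 0.52, "pid": 1204, "type": "process", "op": "create", "child_pid": 1388, "image": "C:\\Users\\lab\\AppData\\Local\\Temp\\svchost32.exe"}
{"t": 0.60, "pid": 1204, "type": "process", "op": "exit", "code": 0}
{"t": 1.10, "pid": 1388, "type": "network", "op": "dns", "query": "update-check.example.net", "answer": "203.0.113.45"}
{"t": 1.25, "pid": 1388, "type": "network", "op": "connect", "dst": "203.0.113.45", "port": 443}
{"t": 1.31, "pid": 1388, "type": "file", "op": "read", "path": "C:\\Windows\\System32\\kernel32.dll"}
"""

# Win32 APIs commonly used for debugger/sandbox checks (assumed list; the kind of
# check Pafish exercises so an analyst can see whether the environment passes).
ANTI_ANALYSIS_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess", "OutputDebugStringA"}
PERSISTENCE_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SYSTEM_PATH_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Event counts per feature class: file, process, network, registry, api."""
    counts = {}
    for e in events:
        counts[e["type"]] = counts.get(e["type"], 0) + 1
    return counts


def _add(seq, item):
    if item not in seq:
        seq.append(item)


def extract_iocs(events):
    """Host-based and network indicators taken from the behaviour trace."""
    iocs = {"dropped_files": [], "persistence": [], "child_processes": [], "domains": [], "ips": []}
    for e in events:
        if e["type"] == "file" and e["op"] == "write" and not SYSTEM_PATH_RE.match(e["path"]):
            _add(iocs["dropped_files"], e["path"])            # file system activity
        elif e["type"] == "registry" and e["op"] == "set" and PERSISTENCE_KEY_RE.search(e["key"]):
            _add(iocs["persistence"], e["key"])               # autostart persistence mechanism
        elif e["type"] == "process" and e["op"] == "create":
            _add(iocs["child_processes"], e["image"])         # process activity
        elif e["type"] == "network" and e["op"] == "dns":
            _add(iocs["domains"], e["query"])                 # network activity
            _add(iocs["ips"], e["answer"])
        elif e["type"] == "network" and e["op"] == "connect":
            _add(iocs["ips"], e["dst"])
    return iocs


def execution_notes(events, min_runtime=5.0):
    """Did it run properly, did it stop early, and did it look for an analyst?"""
    notes = []
    started = {e["pid"]: e["t"] for e in events if e["type"] == "process" and e["op"] == "start"}
    for e in events:
        if e["type"] == "process" and e["op"] == "exit" and e["pid"] in started:
            runtime = e["t"] - started[e["pid"]]
            if runtime < min_runtime:
                notes.append(f"pid {e['pid']} exited after {runtime:.2f}s (code {e['code']}); "
                             "check for anti-analysis or a failed run")
        elif e["type"] == "api" and e["name"] in ANTI_ANALYSIS_APIS:
            notes.append(f"pid {e['pid']} called {e['name']}; possible debugger/sandbox check")
    return notes


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    print(summarize(events))
    print(json.dumps(extract_iocs(events), indent=2))
    print("\n".join(execution_notes(events)))
```

The short runtime of the main process is not by itself an anti-analysis sign here (it handed off to a dropped child), which is why the note asks the analyst to check rather than concluding; the IsDebuggerPresent call is the stronger hint that the environment should be validated before trusting the trace.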
Memory Analysis
To gain insight into malware footprints in memory
Important Features:
Running Processes
Shared Libraries
Network Connections
Hooking Detection
Rootkit Detection
Code Injection
Hidden artifacts
Memory Analysis
File handles whose names start with TDSS, used to detect the hidden file
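To show the memory-analysis idea behind the TDSS slide (hidden artifacts exposed by comparing two views of the same system), here is an added Python example with constructed data; it is not from the talk and is not Volatility output. A process list walked from the kernel's linked list is compared with a pool-scan list, file handles are filtered by the TDSS name prefix, and the handle names are cross-checked against a file system listing to surface files a rootkit hides from directory walks. Process names, handle names and paths are placeholders.

```python
# Constructed memory-forensics views (not from a real memory image). The "TDSS"
# names only reuse the prefix from the slide; every file and process name is a placeholder.
PSLIST = [(4, "System"), (368, "smss.exe"), (592, "csrss.exe"),
          (1020, "explorer.exe"), (1204, "svchost.exe")]           # walked EPROCESS list
PSSCAN = PSLIST + [(1532, "sample_hidden.exe")]                    # pool-tag scan also finds an unlinked process
HANDLES = [  # (pid, object type, name) as a handle table walk would report them
    (1020, "File", r"\Device\HarddiskVolume1\Users\lab\Documents\notes.txt"),
    (1204, "File", r"\Device\HarddiskVolume1\Windows\System32\drivers\TDSSexample.sys"),
    (1204, "Key", r"MACHINE\SYSTEM\CurrentControlSet\Services\TDSSexample"),
    (1532, "File", r"\Device\HarddiskVolume1\Windows\System32\TDSSexample.dll"),
    (1532, "File", r"\Device\HarddiskVolume1\Windows\System32\kernel32.dll"),
]
DISK_LISTING = {  # what a directory walk on the live (rootkit-filtered) system reported
    r"\Device\HarddiskVolume1\Users\lab\Documents\notes.txt",
    r"\Device\HarddiskVolume1\Windows\System32\kernel32.dll",
}


def hidden_processes(pslist, psscan):
    """Cross-view: processes found by scanning pool memory but absent from the linked list."""
    visible = set(pslist)
    return [p for p in psscan if p not in visible]


def handles_with_prefix(handles, prefix):
    """File handles whose file name (last path component) starts with the prefix."""
    prefix = prefix.lower()
    return [h for h in handles
            if h[1] == "File" and h[2].rsplit("\\", 1)[-1].lower().startswith(prefix)]


def unlisted_files(handles, disk_listing):
    """Files that live processes hold open but the file system listing does not show."""
    on_disk = {p.lower() for p in disk_listing}
    return sorted({h[2] for h in handles if h[1] == "File" and h[2].lower() not in on_disk})


def report(prefix="TDSS"):
    """Combine the three views into one finding set, as an analyst would for the slide's case."""
    hidden = hidden_processes(PSLIST, PSSCAN)
    suspect = handles_with_prefix(HANDLES, prefix)
    return {"hidden_processes": hidden,
            "prefix_handles": suspect,
            "hidden_files": unlisted_files(suspect, DISK_LISTING)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key)
        for item in value:
            print("   ", item)
```

The same cross-view principle (compare a structure the OS walks with a scan of raw memory) underlies the rootkit and hooking detection listed above; the prefix filter is just the quickest way to pivot once one suspicious name is known.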
Case Study
Huge outbound traffic detected on MRTG
Case Study
Isolate and reconstruct the incident
Sniff the traffic while the server is running
Setup: switch, with a desktop acting as gateway
Case Study
Sending a huge number of SYN packets to a China IP address
Case Study
The malware must have entered the system through a service. We noticed that the ssh service is running.
Case Study
ssh authentication was successful
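The case study's two findings (a burst of outbound SYNs to one address, and an ssh login that succeeded after failures) can both be pulled from the sniffed traffic and the auth log. This added Python example is not from the talk: it profiles outbound SYNs per destination from constructed packet records, flags a flood by count, rate and missing SYN/ACK replies, and parses constructed OpenSSH auth-log lines to highlight a root password login from outside the local network that followed failed attempts. All addresses, hostnames and the local network prefix are constructed.

```python
import re
from collections import Counter, defaultdict

LOCAL_NET = "10.0.0."   # constructed lab network prefix


def constructed_packets():
    """Constructed TCP records (t, src, dst, service_port, flags); not a real capture.
    Addresses come from the reserved documentation ranges."""
    pkts = []
    for i in range(40):                       # normal browsing: complete handshakes
        t = 100.0 + i
        pkts += [(t, "10.0.0.5", "192.0.2.10", 443, "S"),
                 (t + 0.02, "192.0.2.10", "10.0.0.5", 443, "SA"),
                 (t + 0.03, "10.0.0.5", "192.0.2.10", 443, "A")]
    for i in range(1500):                     # outbound SYN flood: no handshake ever completes
        pkts.append((150.0 + i * 0.002, "10.0.0.5", "203.0.113.9", 80, "S"))
    return sorted(pkts)


def syn_profile(packets):
    """Per (local src, dst, port): outbound SYN count, SYN/ACK replies seen, first/last SYN time."""
    prof = defaultdict(lambda: {"syn": 0, "synack": 0, "first": None, "last": None})
    for t, src, dst, port, flags in packets:
        if src.startswith(LOCAL_NET) and flags == "S":
            p = prof[(src, dst, port)]
            p["syn"] += 1
            p["first"] = t if p["first"] is None else p["first"]
            p["last"] = t
        elif dst.startswith(LOCAL_NET) and flags == "SA":
            prof[(dst, src, port)]["synack"] += 1
    return prof


def flag_syn_floods(profile, min_syns=500, min_rate=50.0, max_reply_ratio=0.1):
    """A flood is many SYNs, sent fast, with almost no SYN/ACK coming back (thresholds assumed)."""
    alerts = []
    for (src, dst, port), p in profile.items():
        if p["syn"] < min_syns:
            continue
        rate = p["syn"] / max(p["last"] - p["first"], 1e-3)
        if rate >= min_rate and p["synack"] / p["syn"] <= max_reply_ratio:
            alerts.append({"src": src, "dst": dst, "port": port, "syns": p["syn"], "rate": round(rate, 1)})
    return alerts


# OpenSSH auth-log lines (constructed content, in sshd's usual message format).
AUTH_LOG = """\
Mar 21 03:13:58 srv sshd[2230]: Failed password for root from 198.51.100.23 port 51200 ssh2
Mar 21 03:14:01 srv sshd[2230]: Failed password for root from 198.51.100.23 port 51200 ssh2
Mar 21 03:14:07 srv sshd[2231]: Accepted password for root from 198.51.100.23 port 51234 ssh2
Mar 21 03:30:12 srv sshd[2410]: Accepted publickey for deploy from 10.0.0.2 port 40110 ssh2
"""
SSHD_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")


def parse_sshd_auth(text):
    out = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            out.append({"result": m.group(1), "method": m.group(2), "user": m.group(3), "ip": m.group(4)})
    return out


def suspicious_logins(events, max_failures=1):
    """Accepted logins preceded by repeated failures from the same IP, or root password
    logins from outside the local network."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return [e for e in events if e["result"] == "Accepted" and
            (failures[e["ip"]] > max_failures or
             (e["user"] == "root" and e["method"] == "password" and not e["ip"].startswith(LOCAL_NET)))]


if __name__ == "__main__":
    print(flag_syn_floods(syn_profile(constructed_packets())))
    print(suspicious_logins(parse_sshd_auth(AUTH_LOG)))
```

The SYN/ACK ratio matters as much as the count: a busy web client also sends many SYNs, but nearly all of them get a reply, whereas the flood in the case study produced only outbound SYNs. On the ssh side, the combination of prior failures and an external root password login is what turns an ordinary "Accepted" line into the entry point worth investigating.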
Related Publications
Joshua Tommy Juwono, Charles Lim, Alva Erwin, A Comparative Study of Behavior Analysis Sandboxes in Malware Detection, The 3rd International Conference on New Media 2015, Jakarta, Indonesia, 2015
Charles Lim, Nicsen, Mal-EVE: Static Detection Model for Evasive Malware, 10th EAI International Conference on Communications and Networking in China, Shanghai, China, 2015
Charles Lim, Darryl Y. Sulistyan, Suryadi, and Kalamullah Ramli, Experiences in Instrumented Binary Analysis for Malware, The 3rd International Conference on Internet Services Technology and Information Engineering 2015 (ISTIE 2015), Bali, 2015
Charles Lim, Meily, Nicsen, and Herry Ahmadi, Forensics Analysis of USB Flash Drives in Educational Environment, The 8th International Conference on Information & Communication Technology and Systems, Surabaya, 2014
Charles Lim, and Kalamullah Ramli, Mal-ONE: A Unified Framework for Fast and Efficient Malware Detection, 2014 2nd International Conference on Technology, Informatics, Management, Engineering & Environment, Bandung, 2014
Conclusion
Malware continues to rise in numbers and sophistication
Malware authors usually combine common malware modules with few changes
Packers and anti-analysis are real challenges
Malware analysis is usually part of Threats Intelligence, Incident Response, and Digital Forensics
There is no silver bullet for Malware Analysis