Pres Malware Getting Your Hands Dirty
Christopher Low
CISSP, GSEC, OPST, OPSA, CCSE, TCI
ThinkSECURE
www.securitystartshere.net
About
• Chief Technology Officer, ThinkSECURE
• ThinkSECURE
• AIRRAID – Asia’s first wireless hacking tournament
Scope
• What are we going to run through
Introduction
Introduction
- Definition
- Threats
- Categories
- Infection Modes
Introduction
Definition
Malware
Introduction
Malicious Software
Virus
- Computer program which replicates itself (sometimes
Introduction
Malicious Software
Keylogger
- Program which captures keystrokes
Adware / Spyware
- Software program that displays advertising banners while it is running; it usually also includes code that tracks the user's personal information and passes it on to third parties, which is what makes it spyware
Rootkit
- Special class of code which attempts to hide itself from prying eyes by modifying different parts of the operating system
Introduction
Threats to end users
Nuisance / Annoyance
Propaganda – religious / political
Bandwidth / resource utilization (Bots & Botnet)
Denial of Service
Privacy Invasion
Information theft / alteration / destruction
Spam relays
Malicious code for profit – a recent trend
- Adware download fee
- Extortion
Introduction
Infection Modes
File Infection
- Email
- P2P
- IM
Network infection
- Web browsing
- Known exploits
- No or weak authentication on exposed services
- Backdoors
- Explicit / Implicit Trust
Malicious Code Analysis
Malicious Code Analysis
We’ll look at the following:
- Symptoms
- Their Hiding Place / Identification
- Dead Code Analysis
- Live Code Analysis
Malicious Code Analysis
Symptoms
- AV / Antispyware notification
- Unknown error messages
- System stops working / reboots spontaneously
- Slow / No network connectivity
- System exhibits strange behavior
  - Browser homepage hijacked
  - AV stops functioning
Malicious Code Analysis
Their Hiding Place / Identification
DEMO !!
Malicious Code Analysis
Step 2
Common place
- %SYSTEMROOT%
- %SYSTEMROOT%\System32 (the system directory, as returned by GetSystemDirectory; Windows defines no %SYSTEMDIRECTORY% environment variable by default, so use %SystemRoot%\System32 or %windir%\System32)
DEMO !!
Malicious Code Analysis
Step 4
Common place
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- The same Run / RunOnce keys exist under HKCU and take effect per user
- http://www.silentrunners.org/sr_launchpoints.html
- AutoRuns – www.sysinternals.com
DEMO !!
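The following PowerShell script is an added example and is not part of the original slides; it walks the Run / RunOnce keys from Step 4 (HKLM and HKCU, plus the 32-bit Wow6432Node view), resolves each value to an image path, hashes the file and checks its Authenticode signature, and flags binaries that sit in the Step 2 directories (%SystemRoot%, %SystemRoot%\System32) without a valid signature. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the function names Get-ImagePath and Get-AutostartEntry are the example's own.

```powershell
# Added example, not from the original slides: triage the Run/RunOnce
# autostart keys on a live Windows host. Requires PowerShell 4.0+.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories from Step 2 where malware likes to blend in with system files.
$SystemDirs = @(
    [Environment]::ExpandEnvironmentVariables('%SystemRoot%'),
    [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32')
)

# Registry-provider metadata properties that Get-ItemProperty adds; not Run values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Extract the executable path from a Run value such as
#   "C:\Program Files\Foo\foo.exe" /background   or   C:\Windows\bad.exe -x
function Get-ImagePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: take everything up to the first "-x" or "/x" switch; if that is
    # not a file on disk (e.g. "rundll32.exe foo.dll,Entry"), fall back to the
    # first whitespace-delimited token.
    $candidate = ($cmd -split '\s+[-/]')[0].Trim()
    if ($candidate -and (Test-Path -LiteralPath $candidate -PathType Leaf)) { return $candidate }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }
            $image  = Get-ImagePath -CommandLine ([string]$p.Value)
            $exists = [bool]$image -and (Test-Path -LiteralPath $image -PathType Leaf)
            $hash = $null; $sig = 'missing'; $signer = $null
            if ($exists) {
                $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
                $s    = Get-AuthenticodeSignature -LiteralPath $image
                $sig  = $s.Status.ToString()      # Valid, NotSigned, HashMismatch, ...
                if ($s.SignerCertificate) { $signer = $s.SignerCertificate.Subject }
            }
            $inSystemDir = $false
            if ($image) {
                $parent = Split-Path -Parent $image
                foreach ($d in $SystemDirs) { if ($parent -ieq $d) { $inSystemDir = $true } }
            }
            # An unsigned (or tampered) binary in a system directory deserves a closer look.
            $suspicious = $inSystemDir -and ($sig -ne 'Valid')
            [PSCustomObject]@{
                Key         = $key
                Name        = $p.Name
                CommandLine = $p.Value
                ImagePath   = $image
                Exists      = $exists
                SHA256      = $hash
                Signature   = $sig
                Signer      = $signer
                InSystemDir = $inSystemDir
                Suspicious  = $suspicious
            }
        }
    }
}

Get-AutostartEntry | Sort-Object Suspicious -Descending |
    Format-Table Name, ImagePath, Signature, Suspicious -AutoSize
```

The script only covers the Run / RunOnce keys named on this slide; services, Winlogon entries, browser helper objects and the other launch points catalogued at the Silent Runners link are left to AutoRuns. The SHA-256 column is there so an entry can be looked up or compared against a known-good image, and a kernel rootkit that filters registry or file queries can hide from this script just as it hides from any other user-mode tool.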
Malicious Code Analysis
Step 5
DEMO !!
Malicious Code Analysis
Step 7
DEMO !!
Malicious Code Analysis
Step 8
DEMO !!
Recovery
We’ll look at the following:
- Conventional recovery techniques
- Manual recovery techniques
Recovery
Conventional recovery techniques
Recovery
Manual recovery techniques
DEMO !!
Rootkit
Recovery
What About Rootkits?
- “Almost” undetectable
- Fakes responses at the kernel level (for example by hooking system calls) so that user-mode applications, including security tools, are deceived
- There are rootkit detectors BUT …
- More info – http://www.rootkit.com
Conclusion
Prevention
Prevention Techniques
Look Carefully Before You Accept!
Something Fun
Resources
- Fport – http://www.foundstone.com/resources/intrusion_detection.htm
- AutoRuns – http://www.sysinternals.com/ProcessesAndThreadsUtilities.html
- Sigcheck – http://www.sysinternals.com/FileAndDiskUtilities.html
- FCIV – http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
- Strings – http://www.sysinternals.com/Utilities/Strings.html
- Filemon – http://www.sysinternals.com/Utilities/Filemon.html
- Regmon – http://www.sysinternals.com/Utilities/Regmon.html
- OllyDbg – http://www.ollydbg.de/
- Windbg – http://www.microsoft.com/whdc/devtools/debugging/default.mspx
- ClamWin – http://www.clamwin.com/
- Ad-Aware – http://www.download.com/3000-2144-10045910.html
- HijackThis – http://www.download.com/HijackThis/3000-8022_4-10379544.html
- Winpooch – http://winpooch.sourceforge.net/home/index.php
Email : c.low@securitystartshere.net
Slides downloadable : www.securitystartshere.net/download