Malware Intelligence
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Preparation & Tools
http://pralab.diee.unica.it 2
OnionWRT: Tor router
1. Buy a $20 micro router or Raspberry Pi
2. Install OpenWRT and OnionWRT
3. Investigate over Tor from behind the router
4. Put all your devices behind the router
WiFi Encryption
http://www.securityskeptic.com/2016/01/how-to-turn-a-nexx-wt3020-router-into-a-tor-router.html
Software to anonymize traffic
• https://www.torproject.org/projects/
– Amnesic Incognito Live System (TAILS) Linux distribution
– Tor browser
• Browser tricks
– Incognito/private mode can still be tracked
– User agent changes (can also be done with cURL)
Cyber Threat Intelligence Tools
• Google Dorks
e.g., filetype:, ext:, intext:, intitle:, inurl:
• Shodan
https://www.shodan.io
• Maltego
https://www.paterva.com/buy/maltego-clients/maltego-ce.php
• Threat Crowd
http://www.threatcrowd.com
• HaveIbeenPwned
repository of compromised accounts
Cyber Threat Intelligence Tools
• CAPEC
– Collect and Analyze Information
https://capec.mitre.org/data/definitions/118.html
Cyber Threat Intelligence Tools
• Malware analysis
– https://www.hybrid-analysis.com/
– https://any.run/
– http://www.virustotal.com
Example
• SHAMOON malware
– https://www.enisa.europa.eu/publications/info-notes/shamoon-campaigns-with-disttrack
– SHAMOON 2 analysis
https://logrhythm.com/wp-content/uploads/2020/03/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf
– SHAMOON 3 analysis
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
• Look for behaviour and components
– VirusTotal
– Hybrid-Analysis
– other sources
Example
• Analysis of the Top 10 Routinely Exploited Vulnerabilities in the period 2016-2019
https://www.us-cert.gov/ncas/alerts/aa20-133a
• For each vulnerability
– Read the CVE description on the CVE website
– Look for available exploits
– Analyse the reported Indicators of Compromise (IoC)
• i.e., the report on the static and dynamic analysis of the malware
– Look for details on the malware samples in VirusTotal, Hybrid-Analysis and Any.Run
Sandboxing
• Virtual machines or containers where applications are executed in an isolated environment
– Operating system components, device drivers, configuration files and network connections can be tailored to the application at hand
– No interference with other applications
• Avoidance of deadlocks and other concurrency issues
– Strict control of data exchange with other applications
• Explicitly defined
– Stopping and resuming the execution is easy, as is inspecting the behaviour of the application through instrumentation
• e.g., Android apps are executed in a sandbox
Sandboxing for malware analysis
• Virtual machines or containers where malware is executed in an isolated and controlled environment
– Instrumentation to record all the activities
• Process creation
• System calls
• File system operations
• Internet activities
• Available online services
– VirusTotal
– Any.Run
– Hybrid-Analysis
• On-premises sandbox
– Cuckoo (https://cuckoosandbox.org/)
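The two slides above describe the same workflow from both ends: the sandbox records process creation, system calls, file operations and network activity, and the analyst then turns that record into Indicators of Compromise and looks the sample up by hash on VirusTotal, Hybrid-Analysis or Any.Run. The Python below is an added example (not code from these slides, from Cuckoo, or from any of the named services) that walks that path on a constructed report. The report schema, the sample bytes, the process names, paths, domain and IP addresses are all hypothetical stand-ins invented for the example; the triage rules are this example's own heuristics, not a vendor's.

```python
"""Derive IoCs and triage tags from a (constructed) sandbox behaviour report.

Added example. The JSON schema below is a simplified hypothetical layout,
not the real Cuckoo / Any.Run / Hybrid-Analysis report format.
"""
import hashlib
import ipaddress
import json

# Constructed stand-in for the analysed file: a few bytes, not an executable.
SAMPLE_BYTES = b"MZ\x90\x00 constructed stand-in, not a real binary"

# Constructed behaviour report. Paths, process names, the domain and the
# addresses (TEST-NET / RFC 1918 ranges) are invented for this example.
SAMPLE_REPORT = json.dumps({
    "target": "sample.exe",
    "processes": [
        {"pid": 100, "ppid": 1, "cmdline": "sample.exe"},
        {"pid": 104, "ppid": 100, "cmdline": "cmd.exe /c sc stop wuauserv"},
    ],
    "syscalls": [
        {"pid": 100, "api": "CreateFileW", "path": "\\\\.\\PhysicalDrive0",
         "access": "GENERIC_WRITE"},
        {"pid": 100, "api": "WriteFile", "path": "\\\\.\\PhysicalDrive0"},
        {"pid": 100, "api": "CreateServiceW",
         "path": "C:\\Windows\\System32\\drivers\\drv.sys"},
    ],
    "files": [
        {"op": "write", "path": "C:\\Windows\\System32\\drivers\\drv.sys"},
        {"op": "delete", "path": "C:\\Users\\user\\Documents\\report.docx"},
    ],
    "network": [
        {"proto": "dns", "query": "update.example.test"},
        {"proto": "tcp", "dst": "203.0.113.10", "dport": 443},
        {"proto": "tcp", "dst": "10.0.0.5", "dport": 445},
    ],
})

# RFC 1918 ranges: anything outside them is treated as an external destination.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def hash_sample(data: bytes) -> dict:
    """Hashes used as lookup keys on VirusTotal, Hybrid-Analysis and Any.Run."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def virustotal_url(sha256: str) -> str:
    """Public VirusTotal web page for a file hash (the site's /gui/file/<hash> path)."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def extract_iocs(report_json: str) -> dict:
    """Pull the four activity classes the slide lists out of the report."""
    r = json.loads(report_json)
    known = {p["pid"] for p in r["processes"]}
    return {
        # processes spawned by something the sandbox itself observed
        "child_processes": [p["cmdline"] for p in r["processes"] if p["ppid"] in known],
        "apis": sorted({s["api"] for s in r["syscalls"]}),
        "files_written": [f["path"] for f in r["files"] if f["op"] == "write"],
        "files_deleted": [f["path"] for f in r["files"] if f["op"] == "delete"],
        "domains": sorted({n["query"] for n in r["network"] if n["proto"] == "dns"}),
        "ips": sorted({n["dst"] for n in r["network"] if n["proto"] == "tcp"}),
    }


def flag_behaviours(report_json: str) -> list:
    """Heuristic triage tags (this example's own rules) to prioritise manual review."""
    r = json.loads(report_json)
    flags = set()
    for s in r["syscalls"]:
        path = s.get("path", "")
        if s["api"] == "WriteFile" and path.startswith("\\\\.\\PhysicalDrive"):
            flags.add("raw-disk-write")          # writing the disk directly: wiper/bootkit indicator
        if s["api"] == "CreateServiceW" and path.lower().endswith(".sys"):
            flags.add("kernel-driver-install")   # a dropped driver registered as a service
    for p in r["processes"]:
        if "sc stop" in p["cmdline"].lower():
            flags.add("service-stop")            # tampering with services, e.g. updates/AV
    for f in r["files"]:
        if f["op"] == "delete" and "\\users\\" in f["path"].lower():
            flags.add("user-file-deletion")      # destruction of user data
    for n in r["network"]:
        if n["proto"] == "tcp":
            ip = ipaddress.ip_address(n["dst"])
            if not any(ip in net for net in RFC1918):
                flags.add("external-connection")  # possible C2 / exfiltration
    return sorted(flags)


if __name__ == "__main__":
    hashes = hash_sample(SAMPLE_BYTES)
    print("lookup:", virustotal_url(hashes["sha256"]))
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
    print("flags:", flag_behaviours(SAMPLE_REPORT))
```

The hashes are what you paste into the online services named on the slide; the IoC dictionary is what goes into a detection rule or a blocklist (the internal 10.0.0.5 destination is kept as an IoC but deliberately not tagged as external). Real reports are far richer than this toy schema, so the extraction functions are the part to adapt, while the tagging rules stay the analyst's own choice.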