Welcome to Cybrary. My name is Sean Pierce, and I'm the subject matter expert for malware analysis. I'll be teaching a short introduction series of these videos. Today I'm going to be covering the first class, which is basic terminology and a quick, like, one-minute triage of some malware.

Well, as I said before, my name is Sean Pierce. I have a number of certifications. There's my Twitter handle, and if you need to email me, there's an email there. I've worked as a malware analyst. I am not a penetration tester, I'm not a developer, and my employer is a company called iSIGHT. I am not a PR guy for them, and whatever opinions I have, they're mine.
So let's just jump right into it. So what exactly is malware analysis and why is it useful? This is mainly because antivirus software can't be relied upon, because it is a very difficult task to write a program or make an algorithm to determine if some software is malicious, and some people say AV, the antivirus, is dead. I wouldn't go so far as to say that, because they do catch a lot of old stuff. But statistics show that when malware is released, on day zero or day one, it's detected about 17% of the time, on average, between all of the vendors. By day 10 it's usually up to, like, 32 to 80%. That's a huge range of detection, and most of that issue is due to heuristics. So the antivirus vendor may not actually know if it's malicious. It's just taking a guess.

Why is it important that we pay so close attention to malware analysis? Because 50 to 97% of breaches involve malware, and that's a huge amount.
You might consider, like, okay, that's kind of obvious, but maybe not necessarily. Maybe there's SQL injection and someone steals the database. Okay, no real malware was used, but in most breaches, malware is automating some task for an attacker, or instead of automation, they are increasing their capabilities. They're taking advantage of a vulnerability on the system; they're exploiting something. Maybe they are increasing their foothold on the system. Maybe they use some malware to automatically create a new administrator, or they want to automate something like lowering some security settings, like the firewall, or preventing some security pop-up warnings. Maybe they're preventing some security pop-up dialogs from appearing to the user. Maybe they want to enable Remote Desktop, or a great many other things. But malware is quite essential to most attackers and their tactics.
Now, on the defender side, I've worked in IT for a few years, as, like, help desk, and I remember the most typical reaction to an infection is that we go collect the machine. You know, just pull it off the network and re-image it and give it back to the user as fast as we could, because it was a nuisance. And that's how most people react. Some companies, governments, institutions, organizations have a rather more mature information security program, and they go and have an incident response person or team or policy, where they go through and look at the logs, network traffic, processes; they figure out exactly what malware it is, and they try to trace where it came from, and how did it get there, and how can they prevent it in the future? Now, a really mature organization would attempt to gather intelligence. This is pretty common in government and financial, very influential industries. At that point, they would go to a third-party malware analysis firm or forensics team or forensics company, or maybe they have some people on staff, which is pretty common, to help them understand it.
This is really important because, as a malware analyst, you know, people are going to rely on you. Your boss is going to say, what is the impact? What is the risk? And this is something antivirus cannot help with. This is something that a program will not be able to give them. Tell your superior we need a lot of resources on this, because this is very important. Say you found some malware on a computer and it had a little ticking time bomb, and in 24 hours, the next day or something, it was about to go off and wipe the computer. Well, now you need to know more. You need to know who else is infected. You need to know who else is compromised. You go to your boss and you need to say, we need to pull everyone off of everything else. We need to scan the whole organization. We need to find where this is and neutralize it. Or else our company could be underwater tomorrow. We don't know. Malware analyst skills are just irreplaceable. They're very important because software cannot do what humans can.
This is especially important in the big world, where attribution is really important, because if you find some malware on a machine, you need to know if it was an insider threat, if it was hacktivism, if it was opportunistic, if it was financially motivated, or if it's that big buzzword, APT, for advanced persistent threat. If it's some kind of nation state, if it's some kind of a very advanced group, you need to know who they are, how to battle them. And these are the things that malware analysts usually have a pretty good insight into. Like, many APT groups use very common off-the-shelf malware, like Poison Ivy, DarkComet, ZXShell, whatever else. You, as a malware analyst, could determine the difference between an advanced persistent threat group or some script kiddie, some guy, you know, a 17-year-old kid who barely knows what they're doing.
This is particularly important when you consider the fact that false negatives are far, far worse than false positives. If you think about that, you should much prefer that antivirus software alerts you on benign programs being labeled as malicious to it letting an actual malicious file through. Unfortunately, there are breach reports like the Verizon data breach report. I think they're fairly good reports, and you can see quotes like 70 to 90% of malware samples are unique to an organization. Targeting does really happen. I promise you, in a high enough industry, you have been or will be targeted and will be compromised.
So the scope of this is a very basic introduction to malware analysis, just to get your feet wet, just to show you that it's not witchcraft. It's not black magic. So malware analysis is really just a subset of software analysis. If you want to figure out what a program is doing, what an installer is doing, what, you know, a program like a zip program, WinRAR or whatever else is doing, you have to use a few tools to either say, oh, it's using these files, it's adding these registry keys, whatever else. And malware is a bit interesting in that it's usually pretty small and much less noisy than traditional software. We'll show that analyzing malware is actually sometimes easier than analyzing regular software. And so you should know some stuff about malware already; you should know something about software, about networking, about how operating systems work. You know, you should probably know what a kernel is. It's basically the operating system at its core. You should probably know a bit about software vulnerabilities. So if I say, oh, you know, this malware is using a stack-based buffer overflow to elevate its privileges, it'd be good to know that. You should probably know what DDoS is, like distributed denial of service, what a script kiddie is, which I just referenced. You should probably know what Linux is and be moderately comfortable with using it. With these foundations, we will cover some of the basics of malware analysis, of basic forensics, of incident response, maybe hunting some malware, and some reverse engineering. And if you don't know what that is, that's okay. We'll cover it in the future.
Like I was saying, what exactly is malware? Well, it's malicious software. It is something that executes without your permission, or tricks you into thinking it's something else, or it is something that is working against the user's wishes. It's a really abstract thing, I know, but once you get looking at it, you'll know what's malicious and what's not. Like I was saying earlier, malware is software, and it suffers from all the same problems as regular software does. So I've seen lots of malware out there that has compatibility issues, has bugs, has customer service, you know. I mean, seriously, if you go on to some of the forums on the underground and you say, I want to buy this or I want to go with this, you know, sometimes if you pay a little extra, you'll get better customer support or customer service. You'll get updates. You can put in help desk tickets if something's not working right, or, you know, put in a ticket for bugs to be fixed. You know, you can say, oh, I want the next version when it comes out in a few months. And even then, like, malware authors have issues maintaining, like, source code. Sometimes they have issues with stuff getting leaked, proprietary stuff, or even their malware being pirated. That's happened a number of times, like Zeus malware. If you want to know more about this, which I think is a good background for a lot of this stuff, I would suggest that you look for DEF CON 17 Making Fun of Your Malware, DEF CON 17 Malware Freak Show, and DEF CON 18 My Life as a Spyware Developer. Those are good talks that really give you insight and a good perspective on how...
You've probably heard a lot of terms like virus, Trojan, worm, and you know, you'll get pretty generic descriptions of those, and I'll go through these really fast right now. Virus, generically, is what most people refer to, but technically that's a file infector, where executable code is inserted into an executable file to hijack its execution. I've never seen one of those in the wild, like, in the few years that I've been working. I just think they're very rare. Like, I've seen some before, like some old things, and some games that hackers play and some proof-of-concept stuff, but I've never seen a real malicious one. Trojans are much more common. They're usually bundled with games. Like, the North Koreans did that. They took some game developer and they said, oh, you know, we'll insert this code and we'll distribute it for free or really cheap. And then one day they decided to start DDoSing the South Korean banks, so that's fairly common. Worms, actually, on the Internet, there are some that are just still going, but I find them... They usually execute without your permission, and they don't try to trick you into executing them like Trojans or viruses. Worms are self-propagating. They usually are exploiting some vulnerability in an operating system, and then as soon as they get code execution on the operating system, they scan, you know, the network or the Internet for more vulnerable systems and just repeat the process.

Bots are extremely common. They're the most common things I see. Bots are usually financially motivated: they help in spamming, they sell personal information, they do DDoS stuff. It's usually cybercrime-type campaigns. Rootkits are malware that usually corrupts and modifies the operating system, most of the time for any userland programs, so it hides deep in the operating system just to hide its other components. RATs are very common. RATs, I should define that as a remote access tool or remote access Trojan. There's legitimate ones, there's not-so-legitimate ones. They're, like, the most common, I think, and they are very easy to find. I've seen RATs that have been around for 10 years and they're still being used, like DarkComet, ZXShell. Sub7 was the first one I ever saw. You know, those are broad categories, and there's malware that overlaps, so a bot could have a rootkit attached to it. You know, a RAT could be bundled with a Trojan. These are very broad descriptions, like I said, and there's malware that's certainly more specialized, like spyware, which just steals your information; scareware, which just tries to scare you into giving over some money; you know, adware, backdoors, credential theft like Pony.
And there's, like, anti-analysis code sometimes baked into these things, where you, as an analyst, are trying to figure out what it does, and they throw in some weird tricks to try to stop you or defeat your goal, which is to figure out something about it. So I've seen malware out there that says, oh, you know, if I think I'm being analyzed, do this: open up a port and then, you know, start taking commands from it. It was basically a backdoor. But if it's not being analyzed (I'll tell you exactly how these things work), then it would do its normal bot operations; it would reach out to the correct IP address for more instructions. And really, the purpose depends on the industry the malware is in. You might be thinking, what do you mean, industry? I'm talking about the underground economy, where there's buyers and sellers, banks and escrows that support these economic systems, like pay-per-install. So you can go and say, I want this piece of malware that I'm going to give you, I want it installed on 1000 computers, and they will go and do that. Or you say, I want to buy credit card information, dumps as they call it, or I want to hire some hackers to get into this company, or I want to, you know, whatever.
And there's other software that sometimes is considered malware within those industries, like builders. This is some software that'll make malware for you, usually a RAT or a Trojan. Exploit kits, you know, these are kind of websites that you can rent, so you can say, oh, I want to use this exploit kit for two days, and you will try to spam that website link out as much as you can. And as soon as someone clicks on that link, they will get compromised and it will be loaded up with malware. So you could, you know, go in with a couple thousand dollars, buy a Trojan, then you can configure it, and then you can say, okay, I want to buy access to an exploit kit and I want to buy two days or five days on it. And then you say, okay, now I have a couple hundred people that my malware is controlling, and then you can say, well, I want some more, so I'm going to buy another 1000 computers. And let's say the antivirus is quickly catching on. They're starting to detect the malware. We can use a packer or a crypter to scramble its insides, to encrypt your malware. And you can say, okay, I want to change it out, like, every day or even every hour. You can change it out, and packers and crypters will help bad guys do that. So you should be aware of how these things work, and particularly packers and crypters. I'm mostly calling packers just that. You should pay attention to that, and we will talk about that in the future, because that definitely does hinder analysis.
When I talk about analysis, I'm saying usually one of two things. Dynamic analysis, which is where we just take some malware, execute it in a virtual machine, and see what happens. That's pretty telling, you know. You can get some network information. We get the command and control servers, we can get the IP addresses it's speaking out to, network information, all sorts of stuff. But it is easy to miss things. For instance, if there is a kill date baked into the malware. Like, I know of one instance where there was a payment gateway that was compromised with some malware, and they couldn't get it off and they couldn't restart it. And they said they would lose a lot of money if they ever took it offline, and it would cost a lot to try. So they decided to just firewall it off, so that it couldn't talk to the Internet, and then only certain computers could talk to it, could send it information. And they said, okay, well, it's not going to do anything. It's not going to, you know, reboot; the malware is not going to kill it, so we'll just make sure it never contacts home, and the hackers can never get that information. I said, well, that's good, I guess. I said, that is a creative solution. However, what if it has a kill date in it, and at some point in the future it'll wipe the computer? They're just like, what? Is that common? No, certainly not. Not usually, ever. But it could happen. And the only way to figure something out like that, you know, other than setting the clock far ahead in the future, would be something called static analysis, where you don't execute the malware, but you slowly step through it. You say, one instruction at a time, what is this doing? What is this doing? What is this doing? You know, and then you can identify capabilities in the malware; you pick out a lot more information. This technique requires a very deep technical knowledge, and it can take a long time, especially with anything that has a lot of information in it, that is particularly sophisticated or large.

And it's important to note that most of what we say is malware analysis is actually hybrid, where you are using a virtual machine to execute the malware safely, or some kind of sandbox or, you know, whatever reporting feature, and then you also verify this with a static approach, where you say, okay, yeah, that IP address is in there, and yes, it's being decrypted like this, and yeah, the network works like this and it supports these commands. And then you can also do things like in-memory, like volatile forensics, where you execute this malware and then dump whatever is in memory and you look at it statically; like that, you just pause it effectively, and then you look at what is in memory at the time. This is useful for packers. So packers usually, you know, will encrypt the malware, and then you won't be able to see anything from a static perspective. So you can execute it. It will load up in memory, it'll decrypt the original malware, and then begin executing it. So if you dump that from memory, you can see what the original thing was that it was trying to protect. Now, don't worry if this doesn't make too much sense. We will cover it in the future.
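As an added illustration (not part of the course material) of the one-minute triage mentioned at the start and of why a packed sample defeats a static pass until it is dumped from memory: the script below hashes a sample, measures its byte entropy and counts printable strings, then shows the same body after a stand-in XOR "unpack" step. The samples, the API name, the C2 URL, the Run key and the 7.0 entropy threshold are all constructed assumptions for the demo.

```python
import hashlib
import math
import random
import re
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 0 for constant data, near 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long, the same artefacts the 'strings' tool reports."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Quick static triage of a sample: hash, size, entropy, string count and a packed/encrypted verdict."""
    ent = shannon_entropy(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(ent, 2),
        "string_count": len(printable_strings(data)),
        # Uniformly high entropy is the classic sign of a packer or crypter (threshold is an assumption).
        "likely_packed": ent >= packed_threshold,
    }

def xor_unpack(packed: bytes, keystream: bytes) -> bytes:
    """Stand-in for what a packer's stub does in memory before jumping to the real payload."""
    return bytes(a ^ b for a, b in zip(packed, keystream))

# Constructed sample: an unpacked body carrying the readable artefacts (API name, C2 URL, Run key)
# that a static pass picks up. The URL and registry path are made-up placeholders.
UNPACKED = (b"\x00" * 64 + b"CreateRemoteThread\x00"
            + b"http://c2.example.invalid/gate.php\x00"
            + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00" + b"\x00" * 64) * 8

# Constructed "packed" sample: the same body XOR-scrambled with a deterministic keystream, standing in
# for a crypter's output. On disk it shows high entropy and none of the strings above.
_rng = random.Random(1337)
KEYSTREAM = bytes(_rng.randrange(256) for _ in range(len(UNPACKED)))
PACKED = xor_unpack(UNPACKED, KEYSTREAM)

if __name__ == "__main__":
    # The "memory dump" is just the unpacked body: the strings and low entropy come back.
    for label, sample in (("packed on disk", PACKED), ("dumped from memory", xor_unpack(PACKED, KEYSTREAM))):
        print(label, triage(sample))
```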