Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

Almost every system or network breach involves a Trojan, backdoor, virus, or rootkit. Incident responders (or Malware Analysts) perform appropriate malware analysis in order to fix the current infections and prevent any future ones. According to the Verizon Data Breach Report 2015, "70-90% of malware samples are unique to an organization". There are 7 Modules in the Malware Analysis and Reverse Engineering course. The course begins with an introduction of the Malware Analysis approach and how it is useful in preventing security breaches. While going through this course, you'll learn about several tools and methodologies used to perform malware analysis on systems using typical, advanced, and/or hands on approach. You'll understand the various types of malware, their features, and how they are different from each other. The class also covers the various types of analysis, such as dynamic, static, and hybrid state/dynamic analysis, which are used to detect malware in a system or a network. The Malware Analysis course covers a wide range of topics such as Windows Malware Analysis, Basic Forensics, Incident Response, Malware Discovery, and Basic Reverse Engineering. Note that neither programming experience nor knowledge of assembly is required to benefit from the course. However, it is advisable to have a general idea about the following topics: - Networking – TCP/IP - Operating System Internals - Programming (C/C++) - Software Vulnerabilities - Hacking

Video Transcription

00:04
Welcome to Cyber Bury. My name is Sean Pearson on the subject matter expert. From our analysis,
00:08
I'll be teaching a short introduction. Siri's of these videos
00:13
today I'm gonna be covering the first class, which is basic terminology and a quick, like, one minute triage of some malware.
00:22
So who am I?
00:24
Well, a zee. I said before, my name is Sean Pierce. I have a number of certifications.
00:30
Such a za si SSP
00:32
uh, my twitter handle.
00:34
If you need to email me, there's an email there. I've worked as Mauer analyst
00:39
for ah few years,
00:41
and I
00:44
I am not penetration tester. I'm not a developer, and my employer is a company called Eyesight.
00:51
Uh, and I am not a PR guy for them. And whatever opinions I have, they're mine,
00:57
not my companies.
00:59
So let's just jump right into it. So what exactly is malware analysis and why is it useful?
01:04
No.
01:06
This because mainly anti virus software can't be relied upon because it is a very difficult task to write a program or making algorithm to Terminus. Some software is malicious,
01:18
and some people say a V, the antivirus is dead. I wouldn't go so far as to say that,
01:25
because they do catch a lot of old stuff.
01:27
But statistics show that
01:30
when malware is released on Day zero or Day One,
01:34
uh,
01:36
it's only
01:38
detected about 17% of the time, on average, between all of the vendors. By Day 10 it's usually up to, like 32 80%. That's a huge range of detection, and most of that issue
01:53
is due to heuristics. So
01:57
the malware or the antivirus spender may not actually know of its malicious. It's just taking a guess.
02:05
So,
02:06
um,
02:07
why is it important that we pay so close attention to malware animals? Because 50 to 97% of the breach is involved might wear,
02:16
and that's a huge amount.
02:20
And
02:21
you might consider like, Okay, that's kind of obvious, but maybe not necessarily. Maybe there's SQL Injection and someone steals the database. Okay, New real malware was used, but
02:31
in most breaches, Mauer
02:35
is automating some task for a new tack er, or
02:39
instead of automation, they are increasing their capabilities there.
02:45
They're taking advantage of a vulnerability on the system. They're exploiting something they may be,
02:52
are increasing their foothold on the system. Maybe they use some hour to automatically create a new administrator of
03:00
user. May be
03:01
they wanna automate something like lower some security settings like firewall, preventing some security pop up warning toe.
03:12
Maybe they're preventing some security pop up
03:15
dialogues for appearing to the user. Maybe they wantto enable remote desktop or
03:21
a great many other number of things. But Mauer is quite essential to most Attackers and their tactics.
03:28
Now on the defender side,
03:30
I've worked in I t. For a few years, a CZ like Help Tusk and I remember the most typical reaction to an infection is that we go collect the machine. You know, just pull it off the network and re image it and give it back to the user as fast as we could
03:46
because it was a nuisance. And that's how most people react. Um,
03:52
but if some
03:54
some companies, governments, institutions, organizations have a rather more mature information security maturity program
04:02
and they go and have an incident response person or team or policy,
04:08
where they go through and look at the logs, network traffic processes, they figure out exactly what malware it is, and they try to trace where it came from, And how did it get there? And how can they prevent it in the future? Now? Ah, really mature organization would attempt to gather intelligence.
04:27
This is pretty common in government and financial.
04:30
Another
04:32
very influential industries.
04:34
No.
04:36
At that point, they would go to 1/3 party malware analyzing firm or forensics team our forensics company, Or maybe they have some people on staff, which is pretty common
04:50
to help them with unstinted.
04:54
No,
04:55
this is this is really important because, as um, our analyst, you know, people are going to rely on you. Your boss is going to say, What is the impact? What is the risk? And
05:08
this is something anti virus cannot health. Um, this is something that ah program will not be able to give them.
05:15
You would be ableto
05:16
tell your superior weed
05:18
a lot of resources on this because this is very important. Say, you found some malware on a computer and it had a little ticking time bomb and
05:28
24 hours the next day or something, it was about to go off and wipe the computer.
05:32
Well, now you need to know
05:35
more. You need to know who else is infected. You need to know who else is compromise. You go to your boss and you need to say we need to pull everyone off of everything else. We need to scan the whole organization. We need to find where this is and neutralize it. Or else our company could be under water tomorrow. We don't know.
05:50
So,
05:53
Mauer,
05:54
um, our analyst skills are just irreplaceable.
05:58
They're very important because software cannot do what humans can.
06:03
And
06:05
this is especially important in the big World
06:10
where attribution is really important.
06:14
Um,
06:15
because if you find some hour on machine, need to know if it was an insider threat. If it was hacktivism, if was opportunistic, was financially motivated. Or foods that big buzzword a p t for advanced, persistent threat. If it's some kind nation state,
06:30
if it's some kind of a very advanced group, you need to know
06:34
who they are, how to battle them. And
06:38
these are the things that our analysts
06:41
usually have a pretty good insight into.
06:46
Like many a PT groups use very common off the shelf malware,
06:50
um, like poison ivy dart Comment.
06:56
Z x shell. Whatever else you
07:00
you as a Mauer analyst could determine the difference between a
07:03
advanced, persistent threat group
07:06
or some scripted a some guy and, you know, 17 year old kid who barely knows what they're doing.
07:15
And
07:15
this is particularly important when you consider
07:17
the fact that false negatives are far, far worse than false positives.
07:25
If you think about that, you should much prefer that an anti virus software
07:31
would go off on
07:33
you, alert you on benign programs
07:38
that are
07:41
being labeled as malicious
07:44
rather than
07:46
it letting an actual malicious file through.
07:48
Unfortunately, there they aren't there.
07:54
No,
07:56
you can look at
07:58
breach reports like the Horizon data breach report. I think it's there fairly good, uh, reports. And you can see that
08:07
quotes like 70 to 90% of our samples are unique to an organization.
08:11
So
08:13
targeting does really happen. I promise you,
08:18
if you are in a
08:18
ah, high enough industry,
08:20
you have been or will be
08:24
targeted and will be compromised
08:26
if not
08:28
already.
08:31
So the scope of this is
08:33
a very basic introduction to malware analysis. Just to get your feet would just show you that it's not witchcraft. It's not black magic, So
08:43
malware analysis is really just Ah, subset of software analysis. If you want to figure out what a program is doing, what installer is doing what you know program like a zip programmer, winrow or whatever else
09:01
eyes doing?
09:03
Then
09:03
you have to use ah few tools to either say, Oh, no, it's using
09:09
these files. It's adding these registered keys, whatever else and my words a bit
09:16
interesting and that it's usually pretty small and much less noisy
09:20
than traditional software.
09:22
So
09:24
we'll show that analyze malware and actually sometimes easier than
09:28
analyzing regular software. And so you should know
09:33
some stuff about Mao already should know something about software, about networking, about how operating systems were. You know, you should probably know what a Colonel is. It's basically the operating system at its core.
09:50
You should probably know a bit about software vulnerabilities. So if I say Oh,
09:56
you know this malware is using
09:58
the stock base buffer overflow
10:00
to elevate its privileges
10:03
and be good to know that.
10:05
So, um,
10:07
your problems will probably know what
10:09
ah
10:11
de dos is like distributed denial of service. What a script kiddie is. I just referenced. It should probably know what Lennox is and be moderately comfortable with using it.
10:24
So
10:24
with these foundations were we will cover some of the basics of malware. Analysis of basic forensics on that response may be hunting some malware and some reverse engineering.
10:37
And if you don't know what that is, that's okay. We'll cover it in the future.
10:41
Like I was saying, What exactly is malware? Well, it's malicious software. It is something that executes with out your permission
10:52
or tricks you into thinking it's something else or it is something that is working against the user's wishes.
11:00
Um, it's a really abstract
11:03
thing I know, but once you get looking at it, you'll know it's malicious. And what's not
11:07
like I was saying earlier Malware is
11:11
software, and it suffers from all the same problems as regular software does. So I've seen lots malware out there that has compatibility issues. Have
11:22
bugs have customer service, you know,
11:26
I mean seriously, if you go on to some of the
11:30
um, forms on the underground and you say I want to buy this or I want to go with this,
11:35
you know, sometimes if you pay a little extra, you'll get better customer support or customer service. You'll get, um, updates. You'll get
11:45
you can put in helped us tickets. If something's not working right or, you know,
11:50
putting ticket for bugs to be fixed,
11:52
you know, you can say, Oh, I want the next version when it comes out in a few months. Um,
12:00
you know? And even then, like, um, our authors have issues maintaining, like source code. Sometimes they have issues with stuff getting leaked, proprietary stuff or even their their mouth or being Pirated. That's happened a number times like Zeus malware.
12:18
So
12:18
if you want to know more about this, which I think is a good
12:22
background for a lot of this stuff, I was
12:26
suggests that you look for Def Con 17 making fun of your malware.
12:31
Def Con 17 Mauer Freak show and Def Con 18. My Life is a spyware developer. Those air good talks that really give you insight and, uh, good perspective and how
12:43
the stuff works.
12:46
So
12:46
you've probably heard a lot of terms like Virus Trojan Worm and you know you'll get pretty generic descriptions of those, and I'll go through these really fast right now in that virus. Virgin Erik Lee is what most people refer to, but technically that's ah file infect er where
13:03
excusable code is inserted into an executed all file
13:07
like an e x c
13:09
the hijack, its execution.
13:13
Ah,
13:15
I've never seen one that in the wild, like
13:18
in the few years that I've been working,
13:20
Uh, I just don't
13:22
I just think they're very rare, like I've seen some before. Like to store cold things, Um, and some games that hackers play and some proof of concept stuff. But I've never seen a real malicious one. Trojans are much more common. They're usually bundled with games like
13:39
North Koreans did that. They took some,
13:43
ah, game developer and they said, Oh, you know, we'll insert this code and we'll distribute it for free or really cheap. And then one day they decided to start de dos ing the South Korean banks so that that's fairly common worms. Actually, on the Internet, there are some that are just still going, uh, but I find them
14:03
kind of rare.
14:05
They usually execute without your permission, and they don't try to trick you and executing them. Like trojans or viruses, worms are self propagating. They usually are exploiting some vulnerability in an operating system and then Suzie get killed. Execution Operates is
14:22
operates system. They scan
14:24
you know, the network or the Internet for more vulnerable systems and just repeat the process.
14:31
Bots are extremely common. They're the most common things I see.
14:35
Um, bots are usually financially motivated, the helping spamming. They sell personal information. They do deed off stuff. It's usually cybercrime type campaigns. Root kits are
14:50
is mount, where that usually corrupts and modifies the operating system most the time
14:56
they are hiding
15:00
files or processes
15:03
for any user land of programs. So hides deep in the operating system just to hide its other components. Rats are very common,
15:11
such a cz.
15:13
Our rats. I should find that as a remote access tool or remote Access Trojan
15:20
they are. There's legitimate ones. There's not so legitimate ones. They are
15:26
like. They're the most common, I think,
15:31
and they are very, um,
15:35
easy to find. I've seen rats that have been around for 10 years. They're still being used like that. Comment Z X shell.
15:46
So seven was the 1st 1 I ever saw, and
15:50
you know those air broad categories and there are there's malware that overlap so about could have a root kit attached to it. Um,
15:58
you know, a rat could be bundled with a Trojan. These are very broad descriptions, like I said, and you're his mom was certainly more specialized, like spyware, which just steals your information. Just scare where which just trying scares you into giving over some money. You know, adware, backdoors,
16:18
credential, theft like pony.
16:19
Ah, and there was, like, anti analysis code, sometimes baked into these things where
16:26
you know you as an analyst or trying to figure out what
16:29
some hours doing,
16:30
and they throw in some
16:32
weird tricks to try toe stop you or defeat
16:37
your goal, which is to figure out something about it. So I've seen Mauer out there that says, Oh, you know, if I think I'm being analyzed, do this. You open up a port and then, you know, start taking commands from it was basically a backdoor. But if it's not being analyzed,
16:55
I'll tell you exactly how these things work.
16:56
Then it would do its normal bought operations, would reach out to the correct I p address from or instructions. Um,
17:06
and really, the purpose depends on,
17:08
uh what industry?
17:11
The malware is that you might be thinking.
17:15
What do you mean, industry? I'm talking about there.
17:18
Pockets of
17:19
the underground economy where there's buyers and sellers, banks and s crows that support these economic systems, like paper install. So you can go and say I want this piece of malware that I'm gonna give you. I want it installed on 1000 computers. They will go and do that,
17:40
Um,
17:41
or you say I wanna buy credit card
17:44
information dumps as they call it, or I want to hire some hackers to get into this company or I want to, you know, whatever.
17:52
And there's other software that sometimes is considered malware with those industries like builders. This is some software that'll make malware for you
18:03
usually a rat or a Trojan, uh,
18:07
exploit kits. You know, these air
18:10
kind of websites that you can rent so you can say, Oh, I want to use this actually kit for two days,
18:18
and you will try to spam
18:21
that website link out as much as you can.
18:22
And as soon as someone clicks on that link, they will get compromised and
18:29
it will be loaded up through malware.
18:30
So you could, you know, go in with a couple $1000 by a Trojan, then you can configure it and then you can say OK, I want
18:40
by access to exploit Kit and I want to buy,
18:44
you know,
18:45
two days or five days on it. And then you say, OK, now I have a couple 100 people
18:52
that my mouth where is controlling on then you can say, Well, I want some more, So I'm gonna buy another 1000 computers.
18:57
Um,
19:00
and let's say the antivirus is quickly catching on. They're starting to detect malware. We can use a
19:04
packer or a crypt. ER, too.
19:08
Scramble its insides to encrypt your malware. And you can say, OK, I wantto change it out, like every day or even every hour. You can change out.
19:18
You're malware,
19:19
and packers and critters will help bad guys do that.
19:26
So you should be aware of how these things work and particularly packers and critters.
19:30
I mostly calling packers just that,
19:33
um, you should pay attention to that, and we will talk about that in the future because that definitely does hinder analysis.
19:42
When I talk about analysis, I'm saying usually one of two things dynamic analysis, which is where we just takes him out, were executed in a virtual machine and to what happens.
19:56
Usually it's
19:56
pretty telling, you know, you can get some network information. We get the
20:00
command control servers we can get the I P addresses, speaking out to network information, all sorts of stuff.
20:08
But it is easy to miss things. For instance, if there is a killed eight baked into the malware
20:15
like I know of one instance where there is a
20:21
payment gateway that was compromised with some malware and
20:26
they couldn't get it off and they couldn't restart it. And they said they would lose a lot of money if they ever took it off line,
20:33
and it would cost a lot to try.
20:36
No, replace it.
20:37
So they decided to just firewall it off that Onley that it couldn't talk to the Internet and then on Lee a certain computers could talk to could Senate information.
20:48
And they said, Okay, well, it's not gonna do anything. It's not going to
20:53
you know, reboot is not going to the malware is not gonna
20:57
you kill it, so we'll just make sure you never contact home, and the hackers can never
21:03
said that information
21:06
I said, Well, that that's good, I guess I said, that is Ah, creative solution. However, what? It has a killed eight in it in the at some point in the future,
21:15
ill wipe the computer.
21:18
They're just like, what? Was that common? No, certainly not.
21:22
Not usually ever. But it could happen. And the only way to figure something out like that.
21:29
You know, other than saying the clock far ahead in the future
21:33
would be something called static analysis where you don't execute the malware, but you slowly step through it. You say one instruction at a time. What is this doing? What is this doing? What is this doing? You know, and then you can identify capabilities in the mall where you pick out a lot more information.
21:51
And
21:52
this technique requires a very deep technical knowledge.
21:56
Um, and it can take a long time, especially with anything
22:00
that has a lot of information in it. That's it's particularly sophisticated or or large,
22:07
and it's important to note that most
22:10
of what we say our analysis is actually hybrid is where you are using a virtual machine to execute the smile. We're safely or some kind of sand box or,
22:22
you know, whatever reporting feature. And then you also verify this with a static approach where you say Okay, yeah, that that I p address is in there And, yes, being decrypted like this. And yeah, the network works like this and supports these commands. And then you can also do things like
22:40
in memory, like volatile forensics, where
22:44
you can
22:45
you execute this malware
22:47
and then dump whatever is in memory and you look at it statically like that, you just pause it effectively.
22:53
And then you look at what is in memory of the time. This is useful for packers. So packers
23:02
usually, you know, well, encrypt the malware
23:04
and then you won't be able to see anything from a static perspective, so you can execute it. It will load up in the memory. It'll decrypt the original malware and then begin executing it. So if you dump that and from memory, you can see what the original thing waas that it was trying to protect. Now,
23:23
don't worry. If this doesn't make too much, since you will cover in the future

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Instructor Profile Image
Sean Pierce
Instructor