2. #WHOAMI
o Head, Icarus Labs (CSPF)
o Author of PyTriage
o Found a DoS bug in Android
o Spoke at Defcon Kerala and Defcon Bangalore
o Other contributions include a static file based web application fingerprinter for nmap
• Interests: Hardware Hacking, Reverse Engineering, Malware Analysis and Open Source Contribution
3. WHY ANALYZE MALWARE?
AKA
PLAYING WITH FIRE
• Deduce the origin and intent of the code
• Reduce and contain the damage caused
• Prevent further infections
• Identify how it got in and how it can further spread
• Sheer curiosity!
4. STATIC VS DYNAMIC
• Static analysis would be obtaining the hashes, the import and export table as well as just
plain disassembly.
• Dynamic analysis would be running a debugger on it, checking the registry for changes
and finding memory artifacts.
• Static is safer but reasonable conclusions cannot be made with high precision.
• Dynamic possesses a higher degree of danger to the system but gives a more accurate
view of how the malware functions
5. PRECAUTIONS
• Use a VM.
• Better yet, use a dedicated workstation which is reimaged constantly.
• Do not connect the analysis system to any production networks.
• Malware sandboxes are fine too.
• Use a sneakernet ;)
6. INTRODUCING PYTRIAGE
• Quickly analyze malware
• Find what sort of file it is
• Identify the PE sections , their sizes and their hashes
• Find out what DLLs and functions are imported and exported
• Automatically generate signatures for ClamAV and YARA
• Check if the file is infected against VirusTotal
7. WHY PYTRIAGE?
• Other option would be to run an array of tools
• Some are available only on certain platforms
• PyTriage lets you run most static analysis tools within one tool
• Easily extendible
• Automated signature generation