SlideShare une entreprise Scribd logo

Malware Detection With Multiple Features

Muhammad Najmi Ahmad Zabidi
Muhammad Najmi Ahmad Zabidi

slides presented at Univ of Cambridge, UK

1  sur  39
Télécharger pour lire hors ligne
Malware Analysis With Multiple Features Muhammad Najmi Ahmad Zabidi International Islamic University Malaysia UKSIM 2012 Emmanuel College University of Cambridge, United Kingdom 28-30th March 2012 Muhammad Najmi UKSIM 2012 1/39
About • I am a research grad student in Universiti Teknologi Malaysia, Skudai, Johor Bahru, Malaysia • My current employer is International Islamic University Malaysia, Kuala Lumpur • Research area - malware detection, narrowing on Windows executables Muhammad Najmi UKSIM 2012 2/39
Disclaimer This presentation is as extension of the previous industry talks that I presented in Hack In The Box 2011, Kuala Lumpur. Some contents are based from the previous talk. Muhammad Najmi UKSIM 2012 3/39
Malware in short • is a software • maliciousness is defined on the risks exposed to the user • sometimes, when in vague, the term ‘‘Potentially Unwanted Program/Application’’ (PUP/PUA) being used Muhammad Najmi UKSIM 2012 4/39
Methods of detections • Static analysis • Dynamic analysis Muhammad Najmi UKSIM 2012 5/39
This talk is more static analysis Muhammad Najmi UKSIM 2012 6/39
Analysis of strings • Important, although not foolproof • Find interesting calls first • Considered static analysis, since no executing of the binary Muhammad Najmi UKSIM 2012 7/39
Methods to find interesting strings • Use strings command (on *NIX systems) • Editors • Checking with Import Address Table (IAT) Muhammad Najmi UKSIM 2012 8/39
Python • a scripting language • a robust, powerful programming language Muhammad Najmi UKSIM 2012 9/39
My Python scripts • Based from several existing Python scripts - malware analyzer, zerowine sandboxes,PE scanner • I merged them and modified some parts so that it will be able to produce single page of report • This tool is needed for my research work(bigger objective) - I am using Machine Learning method for malware detection. • Analysis of the binary while it is still packed Muhammad Najmi UKSIM 2012 10/39
Components of pi-ngaji Muhammad Najmi UKSIM 2012 11/39
Stuffs to look at • ‘‘Interesting’’ Application Programming Interface-API calls • Virtual Machine(VM) detector • Outbound connect, especiall Internet Relay Chat-IRC commands. Possibbly a member of botnets • XOR’ed values (addition from the previous talk in HITB KUL 2011) Muhammad Najmi UKSIM 2012 12/39
python-pefile module • Written by Ero Carrera • python-pe provides quite a number of functions • Everything can be dumped by print pe.dump_info() Muhammad Najmi UKSIM 2012 13/39
Regular Expression search using re import re provides regexp capability to find strings in the binary This array of calls INTERESTING_CALLS = ["CreateMutex"...], provides ranges of calls to be fetched The following fetched the represented strings for calls in INTERESTING_CALLS: if re.search(calls, line): if not calls in performed: print "[+] Found an Interesting call to: ",calls performed.append(calls) Muhammad Najmi UKSIM 2012 14/39
API calls • Application Programming Interface - API calls • We use and compare the original API calls embedded in the script by Joxean, and later use the API calls proposed by [Altaher et al., 2011] • used Information Gain for feature (API calls) ranking Muhammad Najmi UKSIM 2012 15/39
Looking at Dynamic Link Library -DLL Some DLLs are interesting to look at, they contain functions that me be used for malicious activities. For e.g: Kernel32.dll, provides ‘‘low-level operating system functions for memory management and resource handling" Muhammad Najmi UKSIM 2012 16/39
Contents of kernel32.dll 1. CopyFileA 2. CopyFileExA 3. CopyFileExW 4. CopyFileW 5. CreateFileA 6. CreateFileW 7. DeleteFileA 8. DeleteFileW 9. MoveFileA 10. MoveFileExA 11. MoveFileExW 12. MoveFileW 13. MoveFileWithProgressA 14. MoveFileWithProgressW 15. OpenFile 16. ReadFile 17. ReadFileEx 18. ReadFileScatter 19. ReplaceFile 20. ReplaceFileA 21. ReplaceFileW 22. WriteFile 23. WriteFileEx 24. WriteFileGather Source: [Marhusin et al., 2008] Muhammad Najmi UKSIM 2012 17/39
Using Python PE import hashlib import time import binascii import string import os, sys import commands import pefile import peutils import string pe = pefile.PE(sys.argv[1]) print "DLL tt API NAME" for imp in pe.DIRECTORY_ENTRY_IMPORT: print imp.dll for api in imp.imports: print "tt%s" %api.name Muhammad Najmi UKSIM 2012 18/39
najmi@vostro:~/rogue-av$ avgscan BestAntivirus2011.exe AVG command line Anti-Virus scanner Copyright (c) 2010 AVG Technologies CZ Virus database version: 271.1.1/3943 Virus database release date: Fri, 07 Oct 2011 14:34:00 +08:00 BestAntivirus2011.exe Trojan horse FakeAlert.ACN Files scanned : 1(1) Infections found : 1(1) PUPs found : 0 Files healed : 0 Warnings reported : 0 Errors reported : 0 najmi@vostro:~/rogue-av$ md5sum BestAntivirus2011.exe 7f0ba3e7f57327563f0ceacbd08f8385 BestAntivirus2011.exe Muhammad Najmi UKSIM 2012 19/39
$ python ../dll-scan.py BestAntivirus2011.exe DLL API NAME ADVAPI32.dll USER32.dll KERNEL32.dll ole32.dll OLEAUT32.dll GDI32.dll COMCTL32.dll SHELL32.dll WININET.dll WSOCK32.dll None None None None None None None None Muhammad Najmi UKSIM 2012 20/39
Anti Virtual Machine Malware "Red Pill":"x0fx01x0dx00x00x00x00xc3", "VirtualPc trick":"x0fx3fx07x0b", "VMware trick":"VMXh", "VMCheck.dll":"x45xC7x00x01", "VMCheck.dll for VirtualPC":"x0fx3fx07x0bxc7x45xfcxffxffxffxff", "Xen":"XenVMM", # Or XenVMMXenVMM "Bochs & QEmu CPUID Trick":"x44x4dx41x63", "Torpig VMM Trick": "xE8xEDxFFxFFxFFx25x00x00x00xFF x33xC9x3Dx00x00x00x80x0Fx95xC1x8BxC1xC3", "Torpig (UPX) VMM Trick": "x51x51x0Fx01x27x00xC1xFBxB5xD5x35 x02xE2xC3xD1x66x25x32 xBDx83x7FxB7x4Ex3Dx06x80x0Fx95xC1x8BxC1xC3" Source: ZeroWine source code Muhammad Najmi UKSIM 2012 21/39
Strings detector Muhammad Najmi UKSIM 2012 22/39
Detect Anti VMs $python comp-detect.py vm-detect-malware/bfe00ca2aa27501cb4fd00655435555d DLL API NAME WS2_32.dll KERNEL32.dll USER32.dll GDI32.dll ole32.dll CoCreateInstance [+]Detecting Anti Debugger Tricks... ***Detected trick TWX (TRW detection) ***Detected trick isDebuggerPresent (Generic debugger detection) ***Detected trick TRW (TRW detection) [+]Detecting VM tricks.. ***Detected trick VirtualPc trick ***Detected trick VMCheck.dll for VirtualPC Analyzing registry... Check whether this binary is a bot... Analyzing interesting calls.. [+] Found an Interesting call to: CreateMutex [+] Found an Interesting call to: GetEnvironmentStrings [+] Found an Interesting call to: LoadLibraryA [+] Found an Interesting call to: GetProcAddress [+] Found an Interesting call to: IsDebuggerPresent Muhammad Najmi UKSIM 2012 23/39
Detect Bots, Detect Debugger Detector Analyzing 013a6dd86261acc7f9907740375ad9da DLL API NAME KERNEL32.dll USER32.dll ADVAPI32.dll MSVCRT.dll GDI32.dll ole32.dll SHELL32.dll DuplicateIcon Detecting VM existence... No trick detected. Analyzing registry... Check whether this binary is a bot... [+] Malware Seems to be IRC BOT: Verified By String : Port [+] Malware Seems to be IRC BOT: Verified By String : SERVICE [+] Malware Seems to be IRC BOT: Verified By String : Login Analyzing interesting calls.. [+] Found an Interesting call to: LoadLibraryA [+] Found an Interesting call to: GetProcAddress [+] Found an Interesting call to: IsDebuggerPresent [+] Found an Interesting call to: http:// Muhammad Najmi UKSIM 2012 24/39
With registry addition Analyzing e665297bf9dbb2b2790e4d898d70c9e9 Analyzing registry... [+] Malware is Adding a Key at Hive: HKEY_LOCAL_MACHINE ^G^@Label11^@^A^AÃˇ^Nreg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion R File Execution OptionsRx.exe" /v debugger /t REG_SZ /d %systemrot%repair1sass.exe /f^M .... [+] Malware Seems to be IRC BOT: Verified By String : ADMIN [+] Malware Seems to be IRC BOT: Verified By String : LIST [+] Malware Seems to be IRC BOT: Verified By String : QUIT [+] Malware Seems to be IRC BOT: Verified By String : VERSION Analyzing interesting calls.. [+] Found an Interesting call to: FindWindow [+] Found an Interesting call to: LoadLibraryA [+] Found an Interesting call to: CreateProcess [+] Found an Interesting call to: GetProcAddress [+] Found an Interesting call to: CopyFile [+] Found an Interesting call to: shdocvw Muhammad Najmi UKSIM 2012 25/39
Checking entropy • Looking at randomness in the binary • Entropy - referring to Shannon’s entropy[Lyda and Hamrock, 2007] • If the score is X>0 and X<1 or X>7, it is being denoted as suspicious • python-pefile modules provides get_entropy() function for this Muhammad Najmi UKSIM 2012 26/39
PE sections to look for TEXT DATA .idata .rdata .reloc .rsrc .tls Muhammad Najmi UKSIM 2012 27/39
Binary file structure Figure: Structure of a file[Pietrek, 1994] Muhammad Najmi UKSIM 2012 28/39
Figure: PE components, simplified Muhammad Najmi UKSIM 2012 29/39
print "n[+]Now check for binary entropy.." for sec in pe.sections: #s = "%-10s %-12s %-12s %-12s %-12f" % ( s = "%-10s %-12s" %( ’’.join([c for c in sec.Name if c in string.printable]), sec.get_entropy()) if sec.SizeOfRawData == 0 or (sec.get_entropy() > 0 and sec.get_entropy() < 1) or sec.get_entropy() > 7: s += "[SUSPICIOUS]" print "",s Muhammad Najmi UKSIM 2012 30/39
Checking entropy. . . [+]Now check for binary entropy.. %s .text 6.84045277182 %s rdata 0.0 [SUSPICIOUS] %s .data 7.99566735324[SUSPICIOUS] %s .ice 6.26849761461 Muhammad Najmi UKSIM 2012 31/39
Figure: pi-ngaji flow Muhammad Najmi UKSIM 2012 32/39
Results Table: API calls detection for pi-ngaji API calls Number of hits over 23 samples GetSystemTimeAsFileTime 1 SetUnhandledExceptionFilter 1 GetCurrentProcess 3 TerminateProcess 1 LoadLibraryExW 0 GetVersionExW 0 GetModuleFileNameW 0 GetTickCount 2 SetLastError 2 GetCurrentProcessId 2 GetModuleHandleW 2 LoadLibraryW 0 InterlockedExchange 1 UnhandledExceptionFilter 2 FreeLibrary 6 GetCurrentThreadId 3 QueryPerformanceCounter 1 CreateFileW 0 InterlockedCompareExchange 0 UnmapViewOfFile 0 GetProcAddress 12 Muhammad Najmi UKSIM 2012 33/39
Table: Anti VM and Anti Debugger Detection for pi-ngaji VM/Debugger Tricks Number of hits RedPill 1 VMCheck 2 VMWare trick 1 IsDebuggerPresent 1 TRW 4 TRX 3 Muhammad Najmi UKSIM 2012 34/39
Pro pi-ngaji strengths • Works offline, no need to submit to honeypot/dynamic analysis *yet* • Could be automated and generate reports - via UNIX pipe for e.g • Runs on relatively secure environment - *Linux - where win32 could not possibly execute Muhammad Najmi UKSIM 2012 35/39
Cons Weakness • Could not possibly handles obfuscated binaries.. too bad you have to execute it to get all the API/activities Muhammad Najmi UKSIM 2012 36/39
Get in touch! najmi.zabidi @ gmail.com http://mypacketstream.blogspot.com Muhammad Najmi UKSIM 2012 37/39
Special thanks Thanks to Joxean and Beenu Arora Muhammad Najmi UKSIM 2012 38/39
Bibliography Altaher, A., Ramadass, S., and Ali, A. (2011). Computer Virus Detection Using Features Ranking and Machine Learning. Australian Journal of Basic and Applied Sciences, 5(9):1482--1486. Lyda, R. and Hamrock, J. (2007). Using entropy analysis to find encrypted and packed malware. Security & Privacy, IEEE, 5(2):40--45. Marhusin, M. F., Larkin, H., Lokan, C., and Cornforth, D. (2008). An Evaluation of API Calls Hooking Performance. In Proc. Int. Conf. Computational Intelligence and Security CIS ’08, volume 1, pages 315--319. Pietrek, M. (1994). Peering Inside the PE: A Tour of the Win32 Portable Executable File Format. http://msdn.microsoft.com/en-us/library/ms809762.aspx. Muhammad Najmi UKSIM 2012 39/39

Recommandé

Challenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionChallenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionMuhammad Najmi Ahmad Zabidi
 
Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMichael Boman
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmSecurity Bootcamp
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Ivan Piskunov
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 

Recommandé

Challenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionChallenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionMuhammad Najmi Ahmad Zabidi
 
Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMichael Boman
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmSecurity Bootcamp
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Ivan Piskunov
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisAbdulrahman Bassam
 
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1ITAS VIETNAM
 
[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] Injections[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] InjectionsDavid Barroso
 
Understand study
Understand studyUnderstand study
Understand studyAntonio Costa aka Cooler_
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysissecurityxploded
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static AnalysisConSanFrancisco123
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resourcesAntonio Costa aka Cooler_
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionMuhammad Najmi Ahmad Zabidi
 
MMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesMMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesCyphort
 
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)James Clause
 

Contenu connexe

Tendances

44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisAbdulrahman Bassam
 
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1ITAS VIETNAM
 
[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] Injections[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] InjectionsDavid Barroso
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysissecurityxploded
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static AnalysisConSanFrancisco123
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 

Tendances (19)

44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данных
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
 
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
 
[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] Injections[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] Injections
 
Understand study
Understand studyUnderstand study
Understand study
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static Analysis
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzing
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resources
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 

En vedette

Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionMuhammad Najmi Ahmad Zabidi
 
MMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesMMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesCyphort
 
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)James Clause
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida pythongeeksec80
 
Applications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationApplications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationUltraUploader
 
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...Silvio Cesare
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Carlos Laorden
 
IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed Great Bay Software
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
 
Control Flow Analysis
Control Flow AnalysisControl Flow Analysis
Control Flow AnalysisEdgar Barbosa
 
Malware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesMalware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesArshadRaja786
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Data Science Driven Malware Detection
Data Science Driven Malware DetectionData Science Driven Malware Detection
Data Science Driven Malware DetectionVMware Tanzu
 

En vedette (20)

Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
 
MMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesMMW Anti-Sandbox Techniques
MMW Anti-Sandbox Techniques
 
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida python
 
Android Custom Kernel/ROM design
Android Custom Kernel/ROM designAndroid Custom Kernel/ROM design
Android Custom Kernel/ROM design
 
Applications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationApplications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creation
 
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
Seminar
SeminarSeminar
Seminar
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysis
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
 
IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning Perspective
 
Control Flow Analysis
Control Flow AnalysisControl Flow Analysis
Control Flow Analysis
 
Malware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesMalware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning Techniques
 
Malware Detection using Machine Learning
Malware Detection using Machine Learning Malware Detection using Machine Learning
Malware Detection using Machine Learning
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Data Science Driven Malware Detection
Data Science Driven Malware DetectionData Science Driven Malware Detection
Data Science Driven Malware Detection
 
Model-checking for efficient malware detection
Model-checking for efficient malware detectionModel-checking for efficient malware detection
Model-checking for efficient malware detection
 

Similaire à Malware Detection With Multiple Features

Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptManjuAppukuttan2
 
Green Dam Analysis Valkyrie-X by Alnthony Lai
Green Dam Analysis Valkyrie-X by Alnthony LaiGreen Dam Analysis Valkyrie-X by Alnthony Lai
Green Dam Analysis Valkyrie-X by Alnthony LaiCharles Mok
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxFunctional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxtarkovtarkovski
 

Similaire à Malware Detection With Multiple Features (20)

Compiling Malware Features
Compiling Malware FeaturesCompiling Malware Features
Compiling Malware Features
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Codeql Variant Analysis
Codeql Variant AnalysisCodeql Variant Analysis
Codeql Variant Analysis
 
Green Dam Analysis Valkyrie-X by Alnthony Lai
Green Dam Analysis Valkyrie-X by Alnthony LaiGreen Dam Analysis Valkyrie-X by Alnthony Lai
Green Dam Analysis Valkyrie-X by Alnthony Lai
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxFunctional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
 

Malware Detection With Multiple Features

  • 1. Malware Analysis With Multiple Features Muhammad Najmi Ahmad Zabidi International Islamic University Malaysia UKSIM 2012 Emmanuel College University of Cambridge, United Kingdom 28-30th March 2012 Muhammad Najmi UKSIM 2012 1/39
  • 2. About • I am a research grad student in Universiti Teknologi Malaysia, Skudai, Johor Bahru, Malaysia • My current employer is International Islamic University Malaysia, Kuala Lumpur • Research area - malware detection, narrowing on Windows executables Muhammad Najmi UKSIM 2012 2/39
  • 3. Disclaimer This presentation is as extension of the previous industry talks that I presented in Hack In The Box 2011, Kuala Lumpur. Some contents are based from the previous talk. Muhammad Najmi UKSIM 2012 3/39
  • 4. Malware in short • is a software • maliciousness is defined on the risks exposed to the user • sometimes, when in vague, the term ‘‘Potentially Unwanted Program/Application’’ (PUP/PUA) being used Muhammad Najmi UKSIM 2012 4/39
  • 5. Methods of detections • Static analysis • Dynamic analysis Muhammad Najmi UKSIM 2012 5/39
  • 6. This talk is more static analysis Muhammad Najmi UKSIM 2012 6/39
  • 7. Analysis of strings • Important, although not foolproof • Find interesting calls first • Considered static analysis, since no executing of the binary Muhammad Najmi UKSIM 2012 7/39
  • 8. Methods to find interesting strings • Use strings command (on *NIX systems) • Editors • Checking with Import Address Table (IAT) Muhammad Najmi UKSIM 2012 8/39
  • 9. Python • a scripting language • a robust, powerful programming language Muhammad Najmi UKSIM 2012 9/39
  • 10. My Python scripts • Based from several existing Python scripts - malware analyzer, zerowine sandboxes,PE scanner • I merged them and modified some parts so that it will be able to produce single page of report • This tool is needed for my research work(bigger objective) - I am using Machine Learning method for malware detection. • Analysis of the binary while it is still packed Muhammad Najmi UKSIM 2012 10/39
  • 11. Components of pi-ngaji Muhammad Najmi UKSIM 2012 11/39
  • 12. Stuffs to look at • ‘‘Interesting’’ Application Programming Interface-API calls • Virtual Machine(VM) detector • Outbound connect, especiall Internet Relay Chat-IRC commands. Possibbly a member of botnets • XOR’ed values (addition from the previous talk in HITB KUL 2011) Muhammad Najmi UKSIM 2012 12/39
  • 13. python-pefile module • Written by Ero Carrera • python-pe provides quite a number of functions • Everything can be dumped by print pe.dump_info() Muhammad Najmi UKSIM 2012 13/39
  • 14. Regular Expression search using re import re provides regexp capability to find strings in the binary This array of calls INTERESTING_CALLS = ["CreateMutex"...], provides ranges of calls to be fetched The following fetched the represented strings for calls in INTERESTING_CALLS: if re.search(calls, line): if not calls in performed: print "[+] Found an Interesting call to: ",calls performed.append(calls) Muhammad Najmi UKSIM 2012 14/39
  • 15. API calls • Application Programming Interface - API calls • We use and compare the original API calls embedded in the script by Joxean, and later use the API calls proposed by [Altaher et al., 2011] • used Information Gain for feature (API calls) ranking Muhammad Najmi UKSIM 2012 15/39
  • 16. Looking at Dynamic Link Library -DLL Some DLLs are interesting to look at, they contain functions that me be used for malicious activities. For e.g: Kernel32.dll, provides ‘‘low-level operating system functions for memory management and resource handling" Muhammad Najmi UKSIM 2012 16/39
  • 17. Contents of kernel32.dll 1. CopyFileA 2. CopyFileExA 3. CopyFileExW 4. CopyFileW 5. CreateFileA 6. CreateFileW 7. DeleteFileA 8. DeleteFileW 9. MoveFileA 10. MoveFileExA 11. MoveFileExW 12. MoveFileW 13. MoveFileWithProgressA 14. MoveFileWithProgressW 15. OpenFile 16. ReadFile 17. ReadFileEx 18. ReadFileScatter 19. ReplaceFile 20. ReplaceFileA 21. ReplaceFileW 22. WriteFile 23. WriteFileEx 24. WriteFileGather Source: [Marhusin et al., 2008] Muhammad Najmi UKSIM 2012 17/39
  • 18. Using Python PE import hashlib import time import binascii import string import os, sys import commands import pefile import peutils import string pe = pefile.PE(sys.argv[1]) print "DLL tt API NAME" for imp in pe.DIRECTORY_ENTRY_IMPORT: print imp.dll for api in imp.imports: print "tt%s" %api.name Muhammad Najmi UKSIM 2012 18/39
  • 19. najmi@vostro:~/rogue-av$ avgscan BestAntivirus2011.exe AVG command line Anti-Virus scanner Copyright (c) 2010 AVG Technologies CZ Virus database version: 271.1.1/3943 Virus database release date: Fri, 07 Oct 2011 14:34:00 +08:00 BestAntivirus2011.exe Trojan horse FakeAlert.ACN Files scanned : 1(1) Infections found : 1(1) PUPs found : 0 Files healed : 0 Warnings reported : 0 Errors reported : 0 najmi@vostro:~/rogue-av$ md5sum BestAntivirus2011.exe 7f0ba3e7f57327563f0ceacbd08f8385 BestAntivirus2011.exe Muhammad Najmi UKSIM 2012 19/39
  • 20. $ python ../dll-scan.py BestAntivirus2011.exe DLL API NAME ADVAPI32.dll USER32.dll KERNEL32.dll ole32.dll OLEAUT32.dll GDI32.dll COMCTL32.dll SHELL32.dll WININET.dll WSOCK32.dll None None None None None None None None Muhammad Najmi UKSIM 2012 20/39
  • 21. Anti Virtual Machine Malware "Red Pill":"x0fx01x0dx00x00x00x00xc3", "VirtualPc trick":"x0fx3fx07x0b", "VMware trick":"VMXh", "VMCheck.dll":"x45xC7x00x01", "VMCheck.dll for VirtualPC":"x0fx3fx07x0bxc7x45xfcxffxffxffxff", "Xen":"XenVMM", # Or XenVMMXenVMM "Bochs & QEmu CPUID Trick":"x44x4dx41x63", "Torpig VMM Trick": "xE8xEDxFFxFFxFFx25x00x00x00xFF x33xC9x3Dx00x00x00x80x0Fx95xC1x8BxC1xC3", "Torpig (UPX) VMM Trick": "x51x51x0Fx01x27x00xC1xFBxB5xD5x35 x02xE2xC3xD1x66x25x32 xBDx83x7FxB7x4Ex3Dx06x80x0Fx95xC1x8BxC1xC3" Source: ZeroWine source code Muhammad Najmi UKSIM 2012 21/39
  • 22. Strings detector Muhammad Najmi UKSIM 2012 22/39
  • 23. Detect Anti VMs $python comp-detect.py vm-detect-malware/bfe00ca2aa27501cb4fd00655435555d DLL API NAME WS2_32.dll KERNEL32.dll USER32.dll GDI32.dll ole32.dll CoCreateInstance [+]Detecting Anti Debugger Tricks... ***Detected trick TWX (TRW detection) ***Detected trick isDebuggerPresent (Generic debugger detection) ***Detected trick TRW (TRW detection) [+]Detecting VM tricks.. ***Detected trick VirtualPc trick ***Detected trick VMCheck.dll for VirtualPC Analyzing registry... Check whether this binary is a bot... Analyzing interesting calls.. [+] Found an Interesting call to: CreateMutex [+] Found an Interesting call to: GetEnvironmentStrings [+] Found an Interesting call to: LoadLibraryA [+] Found an Interesting call to: GetProcAddress [+] Found an Interesting call to: IsDebuggerPresent Muhammad Najmi UKSIM 2012 23/39
  • 24. Detect Bots, Detect Debugger Detector Analyzing 013a6dd86261acc7f9907740375ad9da DLL API NAME KERNEL32.dll USER32.dll ADVAPI32.dll MSVCRT.dll GDI32.dll ole32.dll SHELL32.dll DuplicateIcon Detecting VM existence... No trick detected. Analyzing registry... Check whether this binary is a bot... [+] Malware Seems to be IRC BOT: Verified By String : Port [+] Malware Seems to be IRC BOT: Verified By String : SERVICE [+] Malware Seems to be IRC BOT: Verified By String : Login Analyzing interesting calls.. [+] Found an Interesting call to: LoadLibraryA [+] Found an Interesting call to: GetProcAddress [+] Found an Interesting call to: IsDebuggerPresent [+] Found an Interesting call to: http:// Muhammad Najmi UKSIM 2012 24/39
  • 25. With registry addition Analyzing e665297bf9dbb2b2790e4d898d70c9e9 Analyzing registry... [+] Malware is Adding a Key at Hive: HKEY_LOCAL_MACHINE ^G^@Label11^@^A^AÃˇ^Nreg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion R File Execution OptionsRx.exe" /v debugger /t REG_SZ /d %systemrot%repair1sass.exe /f^M .... [+] Malware Seems to be IRC BOT: Verified By String : ADMIN [+] Malware Seems to be IRC BOT: Verified By String : LIST [+] Malware Seems to be IRC BOT: Verified By String : QUIT [+] Malware Seems to be IRC BOT: Verified By String : VERSION Analyzing interesting calls.. [+] Found an Interesting call to: FindWindow [+] Found an Interesting call to: LoadLibraryA [+] Found an Interesting call to: CreateProcess [+] Found an Interesting call to: GetProcAddress [+] Found an Interesting call to: CopyFile [+] Found an Interesting call to: shdocvw Muhammad Najmi UKSIM 2012 25/39
  • 26. Checking entropy • Looking at randomness in the binary • Entropy - referring to Shannon’s entropy[Lyda and Hamrock, 2007] • If the score is X>0 and X<1 or X>7, it is being denoted as suspicious • python-pefile modules provides get_entropy() function for this Muhammad Najmi UKSIM 2012 26/39
  • 27. PE sections to look for TEXT DATA .idata .rdata .reloc .rsrc .tls Muhammad Najmi UKSIM 2012 27/39
  • 28. Binary file structure Figure: Structure of a file[Pietrek, 1994] Muhammad Najmi UKSIM 2012 28/39
  • 29. Figure: PE components, simplified Muhammad Najmi UKSIM 2012 29/39
  • 30. print "n[+]Now check for binary entropy.." for sec in pe.sections: #s = "%-10s %-12s %-12s %-12s %-12f" % ( s = "%-10s %-12s" %( ’’.join([c for c in sec.Name if c in string.printable]), sec.get_entropy()) if sec.SizeOfRawData == 0 or (sec.get_entropy() > 0 and sec.get_entropy() < 1) or sec.get_entropy() > 7: s += "[SUSPICIOUS]" print "",s Muhammad Najmi UKSIM 2012 30/39
  • 31. Checking entropy. . . [+]Now check for binary entropy.. %s .text 6.84045277182 %s rdata 0.0 [SUSPICIOUS] %s .data 7.99566735324[SUSPICIOUS] %s .ice 6.26849761461 Muhammad Najmi UKSIM 2012 31/39
  • 32. Figure: pi-ngaji flow Muhammad Najmi UKSIM 2012 32/39
  • 33. Results Table: API calls detection for pi-ngaji API calls Number of hits over 23 samples GetSystemTimeAsFileTime 1 SetUnhandledExceptionFilter 1 GetCurrentProcess 3 TerminateProcess 1 LoadLibraryExW 0 GetVersionExW 0 GetModuleFileNameW 0 GetTickCount 2 SetLastError 2 GetCurrentProcessId 2 GetModuleHandleW 2 LoadLibraryW 0 InterlockedExchange 1 UnhandledExceptionFilter 2 FreeLibrary 6 GetCurrentThreadId 3 QueryPerformanceCounter 1 CreateFileW 0 InterlockedCompareExchange 0 UnmapViewOfFile 0 GetProcAddress 12 Muhammad Najmi UKSIM 2012 33/39
  • 34. Table: Anti VM and Anti Debugger Detection for pi-ngaji VM/Debugger Tricks Number of hits RedPill 1 VMCheck 2 VMWare trick 1 IsDebuggerPresent 1 TRW 4 TRX 3 Muhammad Najmi UKSIM 2012 34/39
  • 35. Pro pi-ngaji strengths • Works offline, no need to submit to honeypot/dynamic analysis *yet* • Could be automated and generate reports - via UNIX pipe for e.g • Runs on relatively secure environment - *Linux - where win32 could not possibly execute Muhammad Najmi UKSIM 2012 35/39
  • 36. Cons Weakness • Could not possibly handles obfuscated binaries.. too bad you have to execute it to get all the API/activities Muhammad Najmi UKSIM 2012 36/39
  • 37. Get in touch! najmi.zabidi @ gmail.com http://mypacketstream.blogspot.com Muhammad Najmi UKSIM 2012 37/39
  • 38. Special thanks Thanks to Joxean and Beenu Arora Muhammad Najmi UKSIM 2012 38/39
  • 39. Bibliography Altaher, A., Ramadass, S., and Ali, A. (2011). Computer Virus Detection Using Features Ranking and Machine Learning. Australian Journal of Basic and Applied Sciences, 5(9):1482--1486. Lyda, R. and Hamrock, J. (2007). Using entropy analysis to find encrypted and packed malware. Security & Privacy, IEEE, 5(2):40--45. Marhusin, M. F., Larkin, H., Lokan, C., and Cornforth, D. (2008). An Evaluation of API Calls Hooking Performance. In Proc. Int. Conf. Computational Intelligence and Security CIS ’08, volume 1, pages 315--319. Pietrek, M. (1994). Peering Inside the PE: A Tour of the Win32 Portable Executable File Format. http://msdn.microsoft.com/en-us/library/ms809762.aspx. Muhammad Najmi UKSIM 2012 39/39