Identifying and Removing Malwares

null Dharmashala Chapter - July 2014 Meet


1. Identifying and Removing Malwares FOR BEGINNERS
   n|u Null Meet Dharamsala, July 2014

2. Agenda
   - @me
   - Light
     - Operating System
     - User Mode
     - Kernel Mode
   - Camera
     - Malware: History, Types, Properties
   - &Action
   - Take

3. @me
   - Malware Analyst
   - Can protect my Web Applications.
   - Know of: C, C++, Java, Ruby, Python
   - I “google” a lot.
   - badboy16a@gmail.com
   - @_badbot
   - *PC Gamer*

4. Light, Camera, Action
   - Light: relevant information about the OS; some historical information
   - Camera: statistics; predictions
   - Action: finding and acting on clues
   - Take: recommendations

5. “Ware”

6. Malware
   A software that performs unintended actions without user consent.

7. Operating System

8. Operating System
   Layers: Hardware, Operating System, Application, User, Command

9. Operating System
   Layers: Hardware, Device Driver, Kernel, Programs

10. Memory Model
    Real Memory
    - Exact amount of installed H/W RAM.
    - Fixed size.
    - Shared among everything running in the system.
    - Backed by H/W.
    - Protected by OS.
    Virtual Memory
    - Amount of RAM perceived by every process.
    - Variable size.
    - Owned exclusively.
    - Backed by OS memory management.
    - Mixed protection.

11. Memory Model
    User Mode (0x00000000-0x7FFFFFFF)
    - Unprotected
    - Program code/data
    - Unprivileged
    - Exclusive to the process
    - Swappable
    - Libraries (.dll, .so, …)
    Kernel Mode (0x80000000-0xFFFFFFFF)
    - Protected
    - Kernel code/data
    - Privileged
    - Shared in real space
    - Mostly not swappable
    - Drivers (.drv, .sys, .ko, …)

12. Windows Access Levels
    User
    - Own Processes
    - Other User’s Processes
    Administrator
    - User Access
    - Other User’s Processes
    - Unrestricted Access
    NT AUTHORITY\SYSTEM
    - Administrative Access.
    - Unrestricted Access to Local System.

13. Windows Registry
    - Configuration Database.
    - Key: [Key] Value [or Default] = [Data]
    - Permanent and Transient Keys
    - Derived Keys
    - Root Keys: CLASSES_ROOT, LOCAL_MACHINE, USERS, CURRENT_USER, CURRENT_CONFIG

14. Windows Executables
    - PE (based on COFF) file format.
    - File starts with “MZ”.
    - Entry point defined in header.
    - Typically used extensions:
      - EXE: Normal Executable
      - DLL: Dynamic link library
      - LIB: Static Library
      - SYS: Driver
      - OCX: ActiveX Controls (special purpose DLL)
15. Malware (Malicious Software)
    Software programs designed to damage or do unwanted actions on a computer system. In Spanish, "mal" is a prefix that means "bad," making the term "badware".

16. Malware Evolution
    - 1948: Self-Reproducing Automata (John von Neumann)
    - 1970: Creeper (PDP-10, Bob Thomas); Reaper
    - 1975: The Shockwave Rider; Xerox, John Shoch & John Hupp

17. Malware Evolution
    - 1981: Elk Cloner (Apple DOS 3.3; written by a 15 year old)
    - 1986: Brain (PC-DOS; Alvi Brothers)
    - 1988: Morris (UNIX Finger service; Robert Morris)
    - 1995: Concept (MS Word; Macro Virus)

18. Malware Evolution
    - 2000: I LOVE YOU (VBScript; Reonel Ramones)
    - 2004: Cabir (Symbian OS)
    - 2007-2008: Zeus, Conficker
    - 2010: Stuxnet (SCADA Systems)

19. Malware Evolution
    - 2011: Duqu, Anti Spyware 2011
    - 2012: Flame
    - 2013: CryptoLocker, BlackPOS, Dexter, vSkimmer
    - 2014: Dragonfly

20. Malware Statistics
    Categories that Delivered Malicious Code, 2013 (source: Symantec)

21. Malware Statistics

22. Malware Statistics

23. Malware Predictions
    - More attack binaries will use stolen or valid code signatures.
    - Browser vulnerabilities may be more common.
    - Cybercrime gets personal.
    - More targeted attacks.
    - Stealthier techniques for C&C.
    - Expect more malicious code in BIOS and firmware updates.
    - 64-bit malware.
    - Malware diversifies and specializes.
    - Sandbox evasion.

24. Malware Classification
    - Worm: propagates by itself to other machines.
    - Virus: attaches itself to targets; infects other systems when the target moves.
    - Trojan: masquerades as legitimate/useful software.
    - Spyware: spies on your data and sends it to a controller.
    - Adware: displays unwanted/unsolicited advertisements.

25. Malware Classification
    - Ransomware: locks access to your systems or files and demands a ransom for further access.
    - Backdoor (Remote Administration Toolkit): allows an unauthorized remote user to connect to and control your system.
    - Downloader: primary payload for exploits; downloads/installs other malware.
    - Rootkit: interferes with the kernel to hide itself from the user and security tools.

26. Malware Lifecycle
    - Infection: it has to infect the target. First run.
    - Persistence: it has to persist; it cannot be downloaded every time.
    - Run: it has to run, preferably without user action, e.g. at boot or on a timer.
    - Hide: hide itself from the naked eye.

27. &Action
    - Almost at every stage malwares leave clues.
    - Identify Clues.
    - Identify Malware.
    - Remove Malware.

28. Infection
    - Exploitation: using vulnerabilities to achieve code execution. Clue: the vulnerable program crashes/restarts most of the time.
    - External Media: carried to the target system using external media, e.g. a USB stick. Clue: un-mounting the media usually fails.
    - E-mail Attachments: sent via email attachment. Clues: grammatical/spelling mistakes, duplicate e-mails, attachments with a double extension or a wrong extension.
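As an added example (not code from the talk): a small Python parser for the clues on the Windows Executables slide (the "MZ" signature, the PE header located through the e_lfanew pointer at offset 0x3C, the entry point read from the optional header), reused for the "wrong extension" and "double extension" attachment clues on the Infection slide. The sample PE bytes are constructed for the demo and are not a runnable program; the extension table takes the PE extensions from slide 14, leaving LIB out because a static library is an archive rather than a PE image.

```python
import struct

# Extensions from the Windows Executables slide that should hold a PE image.
# (LIB is left out: a static library is an archive, not a PE image.)
PE_EXTENSIONS = {"exe", "dll", "sys", "ocx"}


def parse_pe_header(data: bytes):
    """Return basic header facts for a PE file, or None if `data` is not one.

    Checks, in order: the DOS stub signature "MZ", the e_lfanew pointer at
    offset 0x3C, the "PE\\0\\0" signature it points to, the 20-byte COFF file
    header, and the optional header that carries AddressOfEntryPoint.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte signature + 20-byte COFF header must fit in the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, n_sections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # start of the optional header
    if opt_size < 32 or opt + 32 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                        # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        return None
    return {
        "machine": machine,
        "sections": n_sections,
        "is_64bit": magic == 0x20B,
        "is_dll": bool(characteristics & 0x2000),   # IMAGE_FILE_DLL
        "entry_point_rva": entry_rva,
        "image_base": image_base,
        "entry_point_va": image_base + entry_rva,
    }


def attachment_clues(filename: str, data: bytes) -> list:
    """Apply the attachment clues from the Infection slide to one file."""
    clues = []
    extensions = filename.lower().split(".")[1:]
    last = extensions[-1] if extensions else ""
    if len(extensions) >= 2:
        clues.append("double extension: " + filename)
    is_pe = parse_pe_header(data) is not None
    # Wrong extension, both ways: a "document" that is really a PE image,
    # or an .exe/.dll that does not carry a PE header at all.
    if is_pe and last not in PE_EXTENSIONS:
        clues.append(f"PE content but extension '.{last}'")
    if not is_pe and last in PE_EXTENSIONS:
        clues.append(f"extension '.{last}' but not a PE image")
    return clues


def build_sample_pe(entry_rva: int = 0x1000) -> bytes:
    """Constructed minimal PE32 image for the demo: just enough header to parse."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    padding = bytes(0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    return bytes(dos) + padding + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe(0x1234)
    print(parse_pe_header(sample))
    for name in ("invoice.pdf.exe", "report.pdf", "notepad.exe"):
        print(name, attachment_clues(name, sample))
```

Feed `parse_pe_header` the first few hundred bytes of any suspect file; a None result on a file that was named `.exe` or `.dll` is itself a clue, and a non-None result on a `.pdf` or `.doc` attachment is the "wrong extension" case the slide warns about.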
29. Persistence
    - Files: stored as files. Clues: cryptic file names, known file names in unexpected locations, misspelled file names.
    - Streams: data is stored as an NTFS alternate data stream. Clue: a pathname containing the ‘:’ character.

30. Run & Hide
    - Hiding in plain sight: an entry in the process list. Clues: unknown process name, unexpected process, process binary at an unusual location, process with an unexpected user account/privilege.
    - Hiding deep inside: no entry in the process list. Clues: unexpected library, unusual usage of system resources, re-appearance of some files after deletion.
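As an added example (not from the talk): Python triage logic that runs the Persistence and Run & Hide clues over a process listing. The baseline table of well-known binaries with their expected directories and accounts, and the sample process records, are constructed assumptions for the demo; on a real machine the baseline would be taken from a known-clean build and the records from a Process Explorer or tasklist export.

```python
from dataclasses import dataclass


@dataclass
class ProcessRecord:
    name: str   # image name as shown in the process list
    path: str   # full path of the process binary
    user: str   # account the process runs as


# Assumed baseline (constructed for the demo): expected directory and, where
# fixed, the expected accounts for a few well-known Windows binaries.
# None for accounts means "runs as whichever user is logged on".
BASELINE = {
    "svchost.exe": (r"c:\windows\system32",
                    {r"nt authority\system", r"nt authority\local service",
                     r"nt authority\network service"}),
    "lsass.exe": (r"c:\windows\system32", {r"nt authority\system"}),
    "explorer.exe": (r"c:\windows", None),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (misspelled) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(rec: ProcessRecord) -> list:
    """Return the clues from the Persistence and Run & Hide slides for one record."""
    clues = []
    name, path, user = rec.name.lower(), rec.path.lower(), rec.user.lower()
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""

    # Persistence slide: a ':' after the drive letter means the binary lives in
    # an NTFS alternate data stream (e.g. c:\dir\host.txt:hidden.exe).
    if ":" in path[2:]:
        clues.append("path names an NTFS alternate data stream")

    if name in BASELINE:
        expected_dir, expected_users = BASELINE[name]
        # Known name in an unexpected location / binary at an unusual location
        if directory != expected_dir:
            clues.append(f"known name in unexpected location: {rec.path}")
        # Process with an unexpected user account/privilege
        if expected_users is not None and user not in expected_users:
            clues.append(f"unexpected account for {rec.name}: {rec.user}")
    else:
        # Run & Hide slide: unknown process name, or a misspelled look-alike
        # of a known one (svch0st.exe, lsas.exe, ...).
        lookalikes = [k for k in BASELINE if edit_distance(name, k) <= 2]
        if lookalikes:
            clues.append(f"misspelled file name: {rec.name} resembles {lookalikes[0]}")
        else:
            clues.append(f"unknown process name: {rec.name}")
    return clues


def triage_all(records) -> dict:
    """Map each suspicious record's path to its clues; clean records are omitted."""
    return {r.path: triage(r) for r in records if triage(r)}


# Constructed process listing for the demo (not real telemetry).
SAMPLE_PROCESSES = [
    ProcessRecord("svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessRecord("svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", r"DESKTOP\alice"),
    ProcessRecord("svch0st.exe", r"C:\Windows\System32\svch0st.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessRecord("update.exe", r"C:\Windows\Temp\update.exe:payload.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessRecord("explorer.exe", r"C:\Windows\explorer.exe", r"DESKTOP\alice"),
]


if __name__ == "__main__":
    for path, clues in triage_all(SAMPLE_PROCESSES).items():
        print(path)
        for clue in clues:
            print("   -", clue)
```

With the tiny baseline above every unlisted name is reported as unknown; in practice the baseline is the full set of processes expected on that build, so the "unknown" clue only fires for genuinely new images, and the look-alike check catches the svch0st.exe style of hiding in plain sight that a glance at the process list misses.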
31. Detection Difficulty
    Layers: Hardware, Kernel, Device Driver, User Programs

32. Sysinternals Tools
    - Sysinternals Suite
    - Autoruns
    - ListDLLs
    - Handle
    - Process Explorer
    - Process Monitor
    - RootkitRevealer
    - Strings

33. Autoruns

34. ListDLLs

35. Handle

36. Process Explorer

37. Process Monitor

38. RootkitRevealer

39. Strings

40. Other Tools
    - GMER
    - Redline
    - Kaspersky Virus Fighting Utilities
    - TDSS Killer
    - McAfee Stinger
    - Sophos Anti-Rootkit
    - Norton Power Eraser
    - Trend Micro HouseCall

41. GMER
    - By default downloads with a random file name.
    - Similar to RootkitRevealer.
    - More signatures and parameters to look into.

42. Redline
    - Separate data collection and analysis system.
    - Collector can run from removable media.
    - Verifies against hashes of known good modules.
    - Reporting

43. Take
    - Antivirus Not Enough
    - Understand
    - Be Updated
    - Be Paranoid
    - Don’t Trust
    - Protect
    - Backup

44. The END
    All the images, statistics, data belong to their respective owners (including me).
