SlideShare une entreprise Scribd logo

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

Télécharger en tant que PPTX, PDF
securityxploded
securityxploded

This presentation is part of our Advanced Malware Analysis Training Series program. For more details refer our Security Training page http://securityxploded.com/security-training.php

Technologie
1  sur  54
Advanced Malware Analysis Training Series www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the Trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to Null community for their extended support and co-operation.  Special thanks to ThoughtWorks for the beautiful venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
Advanced Malware Analysis Training This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who Are We? Nagareshwar  Founder of SecurityXploded  Reversing, Malware Analysis, Crypto, Secure Coding  Twitter: @tnagareshwar Monnappa  Info Security Investigator @ Cisco  Member of SecurityXploded (SX)  Reverse Engineering, Malware Analysis, Memory Forensics  Twitter: @monnappa22 www.SecurityXploded.com
Part I The Trailer (by Nagareshwar) www.SecurityXploded.com
Contents of Part 1  What is Virus/Malware/Worm  Symptoms of Infection  Agent in Action  Last Resort  Anti-Malware Tips www.SecurityXploded.com
What is Virus/Malware/Worm ?  Malware: Software written for malicious purposes - destroy data, steal money, annoy users  Virus: Malware which requires human intervention to spread - require user to click on the exe, open a document or visit a website  Worm: Malware which can spread automatically - automatically infect other systems in the network - spreads through plug & play devices www.SecurityXploded.com
Symptoms of Infection  Unusual Behaviour in Applications  System Slowdown  (Suddenly) Laptop Getting Heated Heavily  Password Change/Reset Emails for your Bank or Online Accounts  Surprise Financial Transactions on your Credit Cards  www.SecurityXploded.com
Agent in Action  Full Anti-virus Scan (manual) - detect known malwares if any  Rootkit Scan - GMER, SpyDLLRemover (helps in removal of malware DLLs)  Scan the Infected or Suspicious file with VirusTotal - Get the name of virus/malware family - Use VirusTotal Scanner Tool for quick scan  Check with AV sites like McAfee, Symantec for the detected Malware - to understand infection details or for any removal steps www.SecurityXploded.com
Agent in Action (contd)  BHO Scan (System Slowdown) - Run SpyBHORemover and disable unusable BHOs  Delete Locked/Hidden/Protected Malware Files - Use GMER to delete Hidden Files/Registry Keys - Boot with BackTrack, mount your drives and delete the files/registry keys  Change Passwords of Bank & other important accounts - Facebook, Google, Twitter, PayPal etc. www.SecurityXploded.com
Rootkit Scan using GMER www.SecurityXploded.com
Remove Malware DLLs using SpyDLLRemover www.SecurityXploded.com
VirusTotal Scanner Tool www.SecurityXploded.com
Remove BHOs using SpyBHORemover www.SecurityXploded.com
Threat Report on Virus www.SecurityXploded.com
Last Resort In case of full system or widespread infections,  System Restore to ‘Right Restore Point’ - look at the dates of infected files and it should give you right date to restore from  Format and Re-install OS - clean-up other drives if necessary  Scan other systems/devices in your Network - Your laptops, office systems or friends system may be infected as well www.SecurityXploded.com
Anti-Malware Tips  Never Trust your AntiVirus for Full Protection - It cannot detect advanced virus especially rootkit oriented ones, - Smart virus can disable AV auto protection silently giving you false sense of security  Always Scan any EXE with VirusTotal - scan files downloaded from Internet and even files sent by close friends - Use VirusTotal Scanner for quick scan  Disable AutoRun - most malwares use this mechanism spread very effectively - prevent getting infected through USB stick and stop it from spreading www.SecurityXploded.com
Anti-Malware Tips (contd)  Keep tab on your Startup programs - Use HijackThis or AutoRuns from SysInternals  Monitor Worms coming through Network - Use NetShareMonitor  Backup your Critical Files Periodically - One who Laughs last is the one who had the backup :) www.SecurityXploded.com
Part II The Real Show (by Monnappa) www.SecurityXploded.com
Contents of Part 2  Detection and Removal  Persistent Mechanism  Demo 1  Demo 2  Demo 3  Demo 4 www.SecurityXploded.com
Detection and Removal 1) Isolate the system from the rest of the network 2) Look for suspicious file, process, network and registry values 3) Identify the file generating the suspicious activity 4) Isolate the suspicious file 5) verify if the file is malicious 6) Identify the persistence mechanism 7) Break its persistence mechanism 8) Delete the malicious files from the system 9) monitor for suspicious activities (repeat step 2 to step 8) www.SecurityXploded.com
Persistent mechanism Below are some of the persistent mechanism used by malware: 1) Run Registry key 2) Appinit_DLL’s 3) WinLogon Notify 4) Runs as Service 5) Service DLL 6) BHO www.SecurityXploded.com
Suspicious Network Activity Packet capture shows suspicious activity from 192.168.1.100 www.SecurityXploded.com
Suspicious Process Process explorer shows suspicious process on192.168.1.100 www.SecurityXploded.com
Persistence Mechanism Registers the malicious executable in the “Run” registry key, to survive reboot www.SecurityXploded.com
VirusTotal Results Suspicious file was confirmed to be malicious www.SecurityXploded.com
Breaking the Persistence Deleting the registry value removes the persistence mechanism used by the malware www.SecurityXploded.com
Removal Deleting the malicious file to remove the malware from the system www.SecurityXploded.com
Suspicious Network Activity Packet capture shows suspicious activity from 192.168.1.100 www.SecurityXploded.com
Suspicious Process Process explorer shows suspicious process on192.168.1.100 www.SecurityXploded.com
Persistence Mechanism Malware runs as service which is set to auto-start www.SecurityXploded.com
VirusTotal Results Suspicious file was confirmed to be malicious www.SecurityXploded.com
Breaking the Persistence Deleting the registry value removes the persistence mechanism used by the malware www.SecurityXploded.com
Removal Deleting the malicious file to remove the malware from the system www.SecurityXploded.com
Suspicious Network Activity Packet capture shows suspicious activity from 192.168.1.100 www.SecurityXploded.com
Suspicious Process Below screenshot shows svchost.exe (pid 1052) making connections on port 80 www.SecurityXploded.com
Persistence Mechanism Malware installs a service DLL under the “netsvcs” svchost group www.SecurityXploded.com
VirusTotal Results Suspicious file was confirmed to be malicious www.SecurityXploded.com
Breaking the Persistence Deleting the registry key removes the persistence mechanism used by the malware www.SecurityXploded.com
Removal Deleting the malicious file to remove the malware from the system www.SecurityXploded.com
Suspicious Network Activity Packet capture shows suspicious activity from 192.168.1.100 www.SecurityXploded.com
Suspicious Process Activity Shows iexplore.exe making connections on port 80 (even though iexplore.exe was not run manually) www.SecurityXploded.com
Persistence Mechanism Malware installs Appinit DLL which loads the DLL into all the process which loads user32.dll www.SecurityXploded.com
Persistence Mechanism (contd) Malware hooks to the winlogon event www.SecurityXploded.com
VirusTotal Results Suspicious files were confirmed to be malicious www.SecurityXploded.com
Breaking the Persistence Deleting the registry key removes the persistence mechanism used by the malware www.SecurityXploded.com
Removal Deleting both the malicious files to remove the malware from the system www.SecurityXploded.com
Reference Complete Reference Guide for Advanced Malware Analysis Training [Include links for all the Demos & Tools] www.SecurityXploded.com
Thank You ! www.SecurityXploded.com www.SecurityXploded.com

Recommandé

Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
securityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 

Recommandé

Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
securityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasures
n|u - The Open Security Community
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
securityxploded
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
securityxploded
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
securityxploded
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
securityxploded
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
securityxploded
 
Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwares
Cysinfo Cyber Security Community
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
securityxploded
 
Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basics
Cysinfo Cyber Security Community
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
securityxploded
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
Abdulrahman Bassam
 
Return address
Return addressReturn address
Return address
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of MalwaresAdvanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of Malwares
n|u - The Open Security Community
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 

Contenu connexe

Tendances

Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
Abdulrahman Bassam
 

Tendances (20)

Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasures
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
 
Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwares
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 
Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basics
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
 
Return address
Return addressReturn address
Return address
 

Similaire à Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
Abdulrahman Bassam
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 

Similaire à Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares (20)

Advanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of MalwaresAdvanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of Malwares
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
 
Module 5.Malware
Module 5.MalwareModule 5.Malware
Module 5.Malware
 
Module 5.pdf
Module 5.pdfModule 5.pdf
Module 5.pdf
 
Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Malware
MalwareMalware
Malware
 
Types of malicious software and remedies
Types of malicious software and remediesTypes of malicious software and remedies
Types of malicious software and remedies
 
Null mumbai Session on ransomware by_Aditya Jamkhande
Null mumbai Session on ransomware by_Aditya JamkhandeNull mumbai Session on ransomware by_Aditya Jamkhande
Null mumbai Session on ransomware by_Aditya Jamkhande
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysis
 
Setup Your Personal Malware Lab
Setup Your Personal Malware LabSetup Your Personal Malware Lab
Setup Your Personal Malware Lab
 
Computer Virus ppt.pptx
Computer Virus ppt.pptxComputer Virus ppt.pptx
Computer Virus ppt.pptx
 
How To Uninstall Masksearch.com
How To Uninstall Masksearch.comHow To Uninstall Masksearch.com
How To Uninstall Masksearch.com
 
List of Malwares
List of MalwaresList of Malwares
List of Malwares
 
Remove Clickhoofind.com
Remove Clickhoofind.com Remove Clickhoofind.com
Remove Clickhoofind.com
 
Virus and types of antivirus
Virus and types of antivirusVirus and types of antivirus
Virus and types of antivirus
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
DEFINING A SPYWARE
DEFINING A SPYWAREDEFINING A SPYWARE
DEFINING A SPYWARE
 

Plus de securityxploded

Plus de securityxploded (19)

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bullet
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learning
 
MalwareNet Project
MalwareNet ProjectMalwareNet Project
MalwareNet Project
 
Dissecting BetaBot
Dissecting BetaBotDissecting BetaBot
Dissecting BetaBot
 
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
 

Dernier

Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
Hiroshi SHIBATA
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
Femke de Vroome
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 

Dernier (20)

Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

  • 1. Advanced Malware Analysis Training Series www.SecurityXploded.com
  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the Trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to Null community for their extended support and co-operation.  Special thanks to ThoughtWorks for the beautiful venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Advanced Malware Analysis Training This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who Are We? Nagareshwar  Founder of SecurityXploded  Reversing, Malware Analysis, Crypto, Secure Coding  Twitter: @tnagareshwar Monnappa  Info Security Investigator @ Cisco  Member of SecurityXploded (SX)  Reverse Engineering, Malware Analysis, Memory Forensics  Twitter: @monnappa22 www.SecurityXploded.com
  • 6. Part I The Trailer (by Nagareshwar) www.SecurityXploded.com
  • 7. Contents of Part 1  What is Virus/Malware/Worm  Symptoms of Infection  Agent in Action  Last Resort  Anti-Malware Tips www.SecurityXploded.com
  • 8. What is Virus/Malware/Worm ?  Malware: Software written for malicious purposes - destroy data, steal money, annoy users  Virus: Malware which requires human intervention to spread - require user to click on the exe, open a document or visit a website  Worm: Malware which can spread automatically - automatically infect other systems in the network - spreads through plug & play devices www.SecurityXploded.com
  • 9. Symptoms of Infection  Unusual Behaviour in Applications  System Slowdown  (Suddenly) Laptop Getting Heated Heavily  Password Change/Reset Emails for your Bank or Online Accounts  Surprise Financial Transactions on your Credit Cards  www.SecurityXploded.com
  • 10. Agent in Action  Full Anti-virus Scan (manual) - detect known malwares if any  Rootkit Scan - GMER, SpyDLLRemover (helps in removal of malware DLLs)  Scan the Infected or Suspicious file with VirusTotal - Get the name of virus/malware family - Use VirusTotal Scanner Tool for quick scan  Check with AV sites like McAfee, Symantec for the detected Malware - to understand infection details or for any removal steps www.SecurityXploded.com
  • 11. Agent in Action (contd)  BHO Scan (System Slowdown) - Run SpyBHORemover and disable unusable BHOs  Delete Locked/Hidden/Protected Malware Files - Use GMER to delete Hidden Files/Registry Keys - Boot with BackTrack, mount your drives and delete the files/registry keys  Change Passwords of Bank & other important accounts - Facebook, Google, Twitter, PayPal etc. www.SecurityXploded.com
  • 12. Rootkit Scan using GMER www.SecurityXploded.com
  • 13. Remove Malware DLLs using SpyDLLRemover www.SecurityXploded.com
  • 14. VirusTotal Scanner Tool www.SecurityXploded.com
  • 15. Remove BHOs using SpyBHORemover www.SecurityXploded.com
  • 16. Threat Report on Virus www.SecurityXploded.com
  • 17. Last Resort In case of full system or widespread infections,  System Restore to ‘Right Restore Point’ - look at the dates of infected files and it should give you right date to restore from  Format and Re-install OS - clean-up other drives if necessary  Scan other systems/devices in your Network - Your laptops, office systems or friends system may be infected as well www.SecurityXploded.com
  • 18. Anti-Malware Tips  Never Trust your AntiVirus for Full Protection - It cannot detect advanced virus especially rootkit oriented ones, - Smart virus can disable AV auto protection silently giving you false sense of security  Always Scan any EXE with VirusTotal - scan files downloaded from Internet and even files sent by close friends - Use VirusTotal Scanner for quick scan  Disable AutoRun - most malwares use this mechanism spread very effectively - prevent getting infected through USB stick and stop it from spreading www.SecurityXploded.com
  • 19. Anti-Malware Tips (contd)  Keep tab on your Startup programs - Use HijackThis or AutoRuns from SysInternals  Monitor Worms coming through Network - Use NetShareMonitor  Backup your Critical Files Periodically - One who Laughs last is the one who had the backup :) www.SecurityXploded.com
  • 20. Part II The Real Show (by Monnappa) www.SecurityXploded.com
  • 21. Contents of Part 2  Detection and Removal  Persistent Mechanism  Demo 1  Demo 2  Demo 3  Demo 4 www.SecurityXploded.com
  • 22. Detection and Removal 1) Isolate the system from the rest of the network 2) Look for suspicious file, process, network and registry values 3) Identify the file generating the suspicious activity 4) Isolate the suspicious file 5) verify if the file is malicious 6) Identify the persistence mechanism 7) Break its persistence mechanism 8) Delete the malicious files from the system 9) monitor for suspicious activities (repeat step 2 to step 8) www.SecurityXploded.com
  • 23. Persistent mechanism Below are some of the persistent mechanism used by malware: 1) Run Registry key 2) Appinit_DLL’s 3) WinLogon Notify 4) Runs as Service 5) Service DLL 6) BHO www.SecurityXploded.com
  • 24.
  • 25. Suspicious Network Activity Packet capture shows suspicious activity from 192.168.1.100 www.SecurityXploded.com
  • 26. Suspicious Process Process explorer shows suspicious process on192.168.1.100 www.SecurityXploded.com
  • 27. Persistence Mechanism Registers the malicious executable in the “Run” registry key, to survive reboot www.SecurityXploded.com
  • 28. VirusTotal Results Suspicious file was confirmed to be malicious www.SecurityXploded.com
  • 29. Breaking the Persistence Deleting the registry value removes the persistence mechanism used by the malware www.SecurityXploded.com
  • 30. Removal Deleting the malicious file to remove the malware from the system www.SecurityXploded.com
  • 31.
  • 32. Suspicious Network Activity Packet capture shows suspicious activity from 192.168.1.100 www.SecurityXploded.com
  • 33. Suspicious Process Process explorer shows suspicious process on192.168.1.100 www.SecurityXploded.com
  • 34. Persistence Mechanism Malware runs as service which is set to auto-start www.SecurityXploded.com
  • 35. VirusTotal Results Suspicious file was confirmed to be malicious www.SecurityXploded.com
  • 36. Breaking the Persistence Deleting the registry value removes the persistence mechanism used by the malware www.SecurityXploded.com
  • 37. Removal Deleting the malicious file to remove the malware from the system www.SecurityXploded.com
  • 38.
  • 39. Suspicious Network Activity Packet capture shows suspicious activity from 192.168.1.100 www.SecurityXploded.com
  • 40. Suspicious Process Below screenshot shows svchost.exe (pid 1052) making connections on port 80 www.SecurityXploded.com
  • 41. Persistence Mechanism Malware installs a service DLL under the “netsvcs” svchost group www.SecurityXploded.com
  • 42. VirusTotal Results Suspicious file was confirmed to be malicious www.SecurityXploded.com
  • 43. Breaking the Persistence Deleting the registry key removes the persistence mechanism used by the malware www.SecurityXploded.com
  • 44. Removal Deleting the malicious file to remove the malware from the system www.SecurityXploded.com
  • 45.
  • 46. Suspicious Network Activity Packet capture shows suspicious activity from 192.168.1.100 www.SecurityXploded.com
  • 47. Suspicious Process Activity Shows iexplore.exe making connections on port 80 (even though iexplore.exe was not run manually) www.SecurityXploded.com
  • 48. Persistence Mechanism Malware installs Appinit DLL which loads the DLL into all the process which loads user32.dll www.SecurityXploded.com
  • 49. Persistence Mechanism (contd) Malware hooks to the winlogon event www.SecurityXploded.com
  • 50. VirusTotal Results Suspicious files were confirmed to be malicious www.SecurityXploded.com
  • 51. Breaking the Persistence Deleting the registry key removes the persistence mechanism used by the malware www.SecurityXploded.com
  • 52. Removal Deleting both the malicious files to remove the malware from the system www.SecurityXploded.com
  • 53. Reference Complete Reference Guide for Advanced Malware Analysis Training [Include links for all the Demos & Tools] www.SecurityXploded.com
  • 54. Thank You ! www.SecurityXploded.com www.SecurityXploded.com