Matthew Stephen csg.utdallas.edu


File types covered: Portable Executables (PEs); Java apps/applets; documents (PDF, DOC, etc.); JavaScript; shellcode; Flash (SWF)

Portable Executables
- Executables, object code, and DLLs
- Used in 32- and 64-bit Windows OS
- Several headers and sections: .text, .data, .reloc, etc.
- Many file extensions: .exe, .dll, .sys, .scr, .cpl, .ocx, .drv

- Check against AV signatures: VirusTotal.com; can upload a file or search by hash
- Determine packing (if any): PEiD detects several types of packing; UPX is one of the most common packers
- Strings / look at resources (Resource Hacker): readable strings within a binary; program icons, menu bars, dialog windows, etc.

(Screenshot: VirusTotal results)
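As an added illustration (not code from the presentation or from any of the tools it names), the following Python does the first static pass described above by hand: it walks the PE headers to list sections, computes per-section entropy and treats UPX-style section names as a packing indicator, extracts printable strings, and returns the SHA-256 you would search for on VirusTotal. The PE image it analyzes is constructed inline and is not a real binary.

```python
import hashlib, math, re, struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: code and text sit well below 7, packed or encrypted data close to 8.0."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in map(data.count, set(data)))

def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table; yield (name, raw bytes)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + size_opt                  # section headers follow the optional header
    for i in range(n_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name, raw_size, raw_ptr = hdr[0].rstrip(b"\0"), hdr[3], hdr[4]
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def triage(pe: bytes) -> dict:
    """Hash for a VirusTotal search, per-section entropy, packer hints, and printable strings."""
    sections = []
    for name, data in parse_sections(pe):
        ent = shannon_entropy(data)
        sections.append({"name": name.decode("ascii", "replace"), "size": len(data), "entropy": round(ent, 2),
                         "packed": name in {b"UPX0", b"UPX1", b"UPX2"} or ent > 7.0})  # UPX section names
    return {"sha256": hashlib.sha256(pe).hexdigest(), "sections": sections,
            "strings": [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", pe)]}

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (not a real binary): DOS header, PE signature, COFF header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # i386, no optional header
    raw_ptr, table, raw = 0x58 + 40 * len(sections), b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw, raw_ptr = raw + data, raw_ptr + len(data)
    return dos + b"PE\0\0" + coff + table + raw

SAMPLE = build_sample_pe([
    (b".text", b"\x55\x8b\xec" * 40),                    # repetitive code bytes: low entropy
    (b".rdata", b"kernel32.dll\0constructed sample\0"),  # readable strings live here
    (b"UPX0", b""),                                       # UPX leaves this section empty on disk
    (b"UPX1", bytes(range(256)) * 2),                     # uniform bytes: entropy 8.0, flagged packed
])
```

Run `triage(SAMPLE)` to see the report; on a real file, read the bytes from disk and pass them in the same way.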

- PE viewers display header and section info: PEview, PEBrowse, PE Explorer, PEframe, CFF Explorer
- Dependencies (modules/libraries): Dependency Walker shows which functions are actually being used from external modules

Registry (view changes made in the Registry)
- Regshot: compare Registry snapshots
- Autoruns: view startup applications
Process
- PMDump, ProcDump: create a dump for an active process
- Process Monitor: shows file system, Registry, and process activity
- Process Explorer, Process Hacker: show trees of running processes

(Screenshot: Registry changes recorded by Regshot)

(Screenshot: Process Monitor captures network, file, and Registry activity)

Network
- Mandiant ApateDNS: control DNS responses
- Wireshark: capture/browse network traffic
- McAfee Attacker: TCP/UDP port listener
- FakeNet: simulates a network, fakes files
- CurrPorts: lists open ports and processes
- TCPView: shows newly opened/closed endpoints
- SmartSniff, SocketSniff, Network Monitor, SuperScan, NetworkMiner, etc.

(Screenshot: FakeNet captures network traffic)
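An added example, not from the presentation and not Mandiant's or FakeNet's code: a minimal responder that does what ApateDNS and FakeNet's DNS component do, answering every A query with a lab address so the sample's traffic stays on the analysis network and the requested hostnames get logged. It builds and parses the DNS messages itself; the hostnames and the 192.0.2.10 address used below are constructed sample values.

```python
import socket, struct

def make_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed query of the kind a sample sends when it resolves a hostname (A record by default)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\0"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)

def read_name(msg: bytes, pos: int):
    """Decode the DNS name at pos, following 0xC0xx compression pointers; return (name, offset past it)."""
    labels = []
    while msg[pos]:
        if msg[pos] & 0xC0:                              # pointer ends the name; target is the low 14 bits
            target = ((msg[pos] & 0x3F) << 8) | msg[pos + 1]
            return ".".join(labels + [read_name(msg, target)[0]]), pos + 2
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode())
        pos += msg[pos] + 1
    return ".".join(labels), pos + 1

def fake_response(query: bytes, fake_ip: str, ttl: int = 60) -> bytes:
    """Answer any A query with fake_ip (as ApateDNS/FakeNet do); assumes the one-question queries stub resolvers send."""
    txid = struct.unpack_from(">H", query)[0]
    _, end = read_name(query, 12)
    qtype = struct.unpack_from(">H", query, end)[0]
    question = query[12:end + 4]                         # QNAME + QTYPE + QCLASS echoed back unchanged
    if qtype != 1:                                       # other record types: NOERROR with no answer
        return struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    answer = struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(fake_ip)   # 0xC00C -> name at 12
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

def answered_ip(response: bytes):
    """First A answer in a response, or None; lets the lab confirm what the sample will connect to."""
    _, _, qd, an = struct.unpack_from(">HHHH", response)
    pos = 12
    for _ in range(qd):
        pos = read_name(response, pos)[1] + 4
    for _ in range(an):
        pos = read_name(response, pos)[1]
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", response, pos)
        if rtype == 1 and rdlen == 4:
            return socket.inet_ntoa(response[pos + 10:pos + 14])
        pos += 10 + rdlen
    return None

def serve(fake_ip: str, port: int = 53) -> None:
    """Bind the UDP port (53 needs privileges) and point the analysis VM's DNS server at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            query, peer = sock.recvfrom(512)
            print(f"{peer[0]} asked for {read_name(query, 12)[0]}; answered {fake_ip}")
            sock.sendto(fake_response(query, fake_ip), peer)
```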

Memory
- Mandiant Memoryze: create and analyze memory images
- Volatility: shows open network sockets and connections, open files for each process, DLLs loaded for each process, etc.
- CaptureBAT: behavioral analysis tool that monitors file, Registry, network, and process activity

(Screenshot: CaptureBAT detects activity)

Java: desktop applications and applets; file extensions .jar, .class

Mostly the same as PE file analysis. Differences:
- Obfuscation: string building, bad variable names
- Decompilation: JAD, JD-GUI

(Screenshot of decompiled Java: both s and t are set to os.name)

Further differences from PE analysis:
- The process is java.exe or javaw.exe rather than something like SomeProgram.exe
- Use jps and jconsole to differentiate multiple Java processes

Documents: Adobe files (.pdf); Microsoft files (.doc, .ppt, etc.); embedded files or code

PDF tools
- pdfid.py: identify tags contained in the file
- pdf-parser.py: can extract embedded objects
- Pyew.py: search for URLs, shellcode, etc.
- swf_mastah.py: Flash file extraction
- JSunpack pdf.py: JavaScript detection
- Peepdf.py: encryption detection
- PDF Stream Dumper: checks for known vulnerabilities

(Screenshot: using Pyew.py)

Office tools
- OfficeMalScanner: scans for malicious traces (shellcode heuristics, PE files, or embedded OLE streams); bruteforce mode detects encrypted files
- OffVis: only looks for patched vulnerabilities
- pyolescanner.py: looks for shellcode, embedded executables, and API presence; can use bruteforce

JavaScript: used in most web pages; .js file extension if externally referenced; can be embedded in PDF documents

- Deobfuscate: replace hexadecimal and escaped characters with a readable format
- Beautification: insert white space
- Evaluate the evil eval() function

- Malzilla: attempts to decode/deobfuscate and evaluate eval() calls without running code
- JSunpack
- JSBeautifier

(Screenshot: beautified JavaScript)
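The pdfid-style tag scan from the document slides and the deobfuscation steps from the JavaScript slide, combined in one added example (not the presentation's code and not any of the named tools): it undoes #xx escapes in PDF names, counts the tags a first look cares about, pulls the /JS literal string out of a constructed sample document, and decodes \xHH, \uHHHH, %HH and String.fromCharCode() obfuscation before beautifying, so the eval() argument can be read without executing anything. The sample PDF and its script are constructed and benign.

```python
import re

SUSPICIOUS = ["/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/ObjStm"]

def normalize_names(pdf: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names so /J#61vaScript is counted as /JavaScript, as pdfid does."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), pdf)

def count_tags(pdf: bytes) -> dict:
    """pdfid-style keyword counts; a file that runs JavaScript on open or launches things stands out."""
    text = normalize_names(pdf)
    return {tag: len(re.findall(re.escape(tag.encode()) + rb"(?![A-Za-z])", text)) for tag in SUSPICIOUS}

def extract_js(pdf: bytes) -> list:
    """Pull /JS (...) literal strings; parentheses nest inside PDF strings, so track depth, not a regex."""
    out, text = [], normalize_names(pdf)
    for m in re.finditer(rb"/JS\s*\(", text):
        depth, pos = 1, m.end()
        while depth and pos < len(text):
            if text[pos - 1:pos] != b"\\":                # ignore \( and \) escapes
                depth += {b"(": 1, b")": -1}.get(text[pos:pos + 1], 0)
            pos += 1
        out.append(text[m.end():pos - 1].decode("latin-1"))
    return out

def decode_escapes(js: str) -> str:
    """Replace String.fromCharCode(...) calls and \\xHH, \\uHHHH, %HH escapes with readable characters."""
    js = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                lambda m: repr("".join(chr(int(n)) for n in m.group(1).split(","))), js)
    return re.sub(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(next(g for g in m.groups() if g), 16)), js)

def beautify(js: str) -> str:
    """Insert line breaks after ; { } so a one-line script becomes readable."""
    return re.sub(r"([;{}])\s*", r"\1\n", js).strip()

def report(pdf: bytes) -> dict:
    """One-shot triage: tag counts plus every embedded script decoded and beautified, never executed."""
    return {"tags": count_tags(pdf), "scripts": [beautify(decode_escapes(js)) for js in extract_js(pdf)]}

# Constructed, benign sample: the catalog's OpenAction points at an obfuscated JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (var u=String.fromCharCode(104,116,116,112,58,47,47);var h="\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65";eval(unescape("%61%70%70%2e%61%6c%65%72%74")+"(u+h)")) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
```

Streams compressed with /FlateDecode are not unpacked here; on a real file, inflate them first (pdf-parser.py does this) and feed the result through the same functions.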

Shellcode
- Shellcode2exe: embeds given shellcode into an executable file
- ConvertShellcode: disassembles shellcode into x86 code

Flash: used on most web pages; .swf file extension; can be embedded in PDF files

- Flare: extract scripts from a SWF file
- RABCDAsm (Robust ActionScript ByteCode Disassembler): extract and disassemble scripts
- SWFDump: extract images, fonts, sounds, etc.
- SWFStrings: scans a SWF for text data

Resources
- http://practicalmalwareanalysis.com/
- http://zeltser.com/
- http://isc.sans.edu/
Many free tools: Mandiant.com, McAfee.com, Sysinternals.com, NirSoft.net. Also check out the tools listed in this presentation.