
Malware Analysis 101: N00b to Ninja in 60 Minutes

BSides Las Vegas · 2014 · 59:07 · 993 views · Published 2016-12

Tags
Category: Technical
Difficulty: Intro
Style: Talk
About this talk
An introductory guide to malware analysis targeting security operations center analysts and newcomers to the field. The talk covers sandboxing approaches (automated analysis via Cuckoo, online services, and single-box isolation), practical setup strategies, tools like REMnux, and resources for finding samples and continuing education beyond the initial 60 minutes.
Original YouTube description
CG - Malware Analysis 101 - N00b to Ninja in 60 Minutes - Grecs Common Ground BSidesLV 2014 - Tuscany Hotel - August 05, 2014
Transcript [en]

so what I'll do is I'll give you just another quick uh intro in about a minute okay I've got the uh 10 five and two minute uh signs and that's it [Applause]

okay we're going to get going here um again this is the malware analysis 101 talk newb to ninja in 60 minutes uh with grex and uh personally I've been looking forward to this talk because uh I'm definitely a newbie in this area so uh I'm going to pay attention to this and it's good to see we got a nice crowd in here so guys having fun so far all right good don't burn out we got a long week

ahead all right can I take this off or what have people been doing it really this is good man it's like perfect cup holders up here I got one for the drink it fits nicely and then one for the beer of course yeah it's not good to do that sort of stuff anyway um five years who has been to bsides all five years raise your hand one wow okay so we have two three folks what about four years okay one two what about three years this is me this is my third year on un fortunately missed the first year because like no one knew about it but but I would have been there had I

known about it um and then uh and then one year my company finally paid for me to go to black hat but I I think that was a m a mistake but anyway so I just want to you know this is just awesome that this has grown from some this organization has grown from being just this small uh little get together to this big event that's year over year and it all started here and it's all over the world now I mean there are cons I love it I go to bides all over the East Coast I even went to one on the west coast too uh just awesome I love the small community uh just great event so I

just wanted to say thank you for be to bides for continuing to put on these awesome conferences um so now what I'm going to talk a little bit about today is just doing some basic malware analysis the environment that I'm in now we have analysts that basically watch uh events pop up and then they look at those things and and and they decide is is this a true positive is it a false positive whatever and it's pretty boring job you know shift work but what I see a lot of is kind of your second tier team there's and then even beyond that there's Specialists doing malware analysis there's a lot of people at that first line that I think their

jobs could be a lot more exciting if we would give them more to do than than than just like watch this Dash this dashboard and and and look through aent and so one of the things that I'm trying to do is you know provide that first line of defense that we have in our security operations centers with just a little bit more knowledge um so that they can take their skills to the next level so that they can do just a little bit more thorough of an un and anal analysis and so that's what this talk is geared towards somebody that really hasn't done malware analysis previously and this is the talk that I try to to push is it's going to be just

the overall how to get started and then the second of all where to learn more because even though it's within 60 minutes right if you notice there's a little Aster there and then the little thing you know most listeners do not become ninjas in 60 minutes but um so the goal here is to you know give you the resources so that you can go take your skills to the next step and then I know a lot of folks that start out doing analysis work and then they start doing a little bit of malware analysis and then from that they get into reverse engineering and then forensics and so this could be kind of the first step of helping you know folks

that are new to the security World taking their skills to the next level all right so disclaimer opinions here do not express the the views or opinions of my employers customers wife kids parents in-laws my girlfriend in high school who's on the right there I wish right so if you see me this is me on Twitter just little Tic Tac Toe board thing does does anybody know where that's from war games right all right do you know how hard it was to get right to that moment when all the little things were set up like that anyway um all right so I'm from the Metro DC area anybody any Nova hackers here any any just people from the Metro DC area

cool good to see you guys here um so a long time ago in a land far far away I started doing security work and I basically cut my teeth doing uh web appc um so there were was just love the job there was a lot of cool stuff going on um you know I was around when I think like SQL injection was invented you know that's when it first came out so and it although you know one could argue that it's always sort of been there but um but whenever it started to get big probably like the late 2000s uh unfortunately so I had this awesome job um but in doing like this very technical

work you kind of limit your career at that time so I moved on and I started doing security engineering stuff and so that was fun I was producing a large amount of docum documentation we would basically go and we would build we would create lots of documents of how to build stuff and then somebody else would go build it um but it's a necessary evil then then my my life kind of got worse cuz they found out that I was cuz they found out that I was good at like writing and then they're like oh hey you you you can do this right right and then it just sank to a new level I I was really

screwed because here they made me lie that's what I hated about it okay um so I was producing to this you know by there was all this but there was all this great stuff going on and and I was just producing paper right so I was like maybe wanted to do that um I thought a little bit uh and so then I got uh I don't know probably a few years back I I basically said hey I want to do more Hands-On stuff I want to do more cool stuff so I started getting into trade studies and this is where I had to deal with vendors day in and day out trying to um deal with them love

vendors though if you know great thank you for sponsoring bides um so then what I've been doing the past few years is just it security training and so this is a job that I love um customers uh that we're mainly focusing on are uh basically in Security operation Center and trying to bring new a analysts in and get them spun up as fast as possible and and also doing some of the more advanced training as is an example mare analysis so that um to help them take their careers to the next level so I'm still producing some of this I drink better versions of this um I do uh so in the evening when I have

time I like to do Hands-On hacking or not really Hands-On but it's more or less like hey you know I'm I'm reading the news some something comes out on Twitter and it's like hey new tool bam you know and it's like all right so I'm going to try that out so I basically do stuff like that and I basically try to follow the news and write thoughts and opinions which I try to focus on this site which has been around for about I don't know it started in 2008 so it's been around for a while I put out like a few posts a week so that's that's kind of fun um a lot of you may know me from

smoon did the fire talks has anyone here been to smon okay wow okay good number folks anyway so one of the events SS fire talk and I run that each year so that's a great job fun fun con um so right now I'm a happy panda all right so enough about me so what we're going to do next is really talk about what you all came here for which is just basically how are we going to uh do this home hour analysis thing so just a little intro just to give you some background for those that really don't uh that are very new to this talk about the environment you need to do this in talk about the

methodology and last and then lastly is where to learn more so there's a lot of great sites out there where for minimal cost or for low cost you can definitely take your skills to the next level all right so kind of in the beginning of the talk I kind of addressed this but you know the audience for this particular talk is you know General Security practitioners that are interested in getting started in malware uh analysis so you definitely have to have at least you know some infos SEC type background uh or like I was talking about security analysts that are looking to expand their careers in the job that they're current currently in and and

obviously you know this big red thing here you know do not ever analyze malware on production systems so just good thought to you know definitely take heed that device there all right so what is malware analysis can anyone tell me what malware analysis is anybody analyzing malware let's see the well kind of yeah so I had the analysis of malware right no um but basically it's reverse engineering we have this malware and we are trying to figure out how it works you know what is it doing does anybody know why we want to do that what catch the bad guys yeah it's all about the bad guys right what to defeat it what figure indicators

figure out indicators oh my God okay indicators is this we're going to start ioc and cyber kill chain right and metrics dashboards pan of glass cyber all right all right so basically breaking this down so in doing malware analysis it's basically just is phased approach where you're first going to uh start out doing some triage so we get the malware these are the things that you're just going to do first and foremost next is some sort of dynamic analysis which I'm going to talk about later and lastly the really hard stuff which is static anal analysis where you actually decompile the code and you look at the assembly now a person that I respect tons and tons and tons in this

field is Lenny zeler um he kind of does the same thing but he breaks it down into four steps I sort of merged the fully automated analysis and the static properties analysis um into this triage step but basically the same thing all right so we talked about that so does anybody know what triage is sorting anybody else any thought initial assment an initial assessment yeah yeah sorting by severity and treating treating the worst all awesome let's see oh I didn't have a funny a funny one there but um anyway but I I mean just breaking down this is the quickie I mean all those answers were absolutely right this is the way that I said it you know just quickie analysis

to un understand as much as possible about the malware um so the goals here is are to really gain a gist of what the malware is and what it's going to going to do now some of the kind of substeps there is determine its basic runtime properties so a method of how we would do that is using automated analysis see if others found it right so we all know that so we get a hash and what do we do with that hash virus total right I heard somebody hey I'm going to loaded up the virus total and there's tons of other sites that what did any any other sites that I should uh pump up what thread expert

okay yeah so there's a lot there's a lot of great sites you know the favorite thing that I like to do Google I just put the hash into Google and usually works great so look at analyze the file properties such as the and and and in there're we're talking about the PE properties so and I mean and I mentioned like the type of file that it is the libraries that that it's importing but there's a whole bunch of other things that you can really do there and then last but not least is strings right strings is awesome you just take an executable you run strings on it and it basically chunks out any readable text and you can learn a lot

just by running strings all right is that enough no so one guy's shaking his head you think we should stop there are we done yeah well she read my interest no we need to go deeper okay so this is the Dream Within the dream right okay so next step is dynamic analysis okay can anybody give me a smartass answer of what dynamic analysis is no I said smartass come on like analyzing things dynamically okay all right while running analyze it while running all right so I didn't have a funny one here but it's basically just executing the malware and watching what it does right this stuff is very complicated okay so um you know the goals here are

just to get an understanding of how the malware acts and some things that we're going to be looking at or that we want to look at there are host changes you know and these are the big ones you know did anything in like did the registry change did Keys get added deleted did new registry um and entries get added same thing with files you know were there any files that were added removed changed um and then also look at logs you know there's tons of logs I you have your purely like things that are defined as logs that are in most computers but then there's a lot of other things that you can derive logs from that that I'm going

to talk about next is to you know uncover runtime properties so this is like the malware is running and so you can see what it's changing on the host but you but you can also see the processes that are being started up uh and then also maybe doing like some memory analysis there too so you can go in um using tools like volatility and actually pull stuff out and that's another that's another thing that we're going to cover too and then the last one is reveal network activity so we know all these things and then now we're going to see you know we're basically looking at any TCP UDP traffic and then at at the application Level you know

most of the that we're going to be seeing are like DNS followed by HTTP or https uh and there's some other neat you know you could see SMTP or whatever so there's a lot of other things that you could see at the application Level there so Dynamic analysis it's pretty simple we establish a baseline environment we have a set of tools that that were that were running in the background that monitors those things that we talked about on the previous slide um so we start those up we execute the malware and we watch our monitoring tools and it's sort of a it's sort of an art to know when to stop but at some point in time you you kill the malare

that's running you stop all your tools and then you an analyze the difference of you know the difference is between you know that base system and what the system looks like now and anything that you learned along the

way yes all right cool I'm done no is that enough right no you got to go deeper how deep do we want to go not that deep man I don't know all right so the next layer that we talked about is static analysis right so can anyone tell me what static analysis is beyond what I mean I basically just gave you the answer so someone here should at least know what static analysis what disassembly yeah code inspection yeah kind of yeah what the malware is not running ex exactly yeah so the way I kind of put it is this gentleman said here is we're basically going to disassemble the mware down to its basic computer instructions

assembly has anyone here worked with assembly previously what are your fa wow okay what are your basic uh assembly or what are your favorite assembly instructions here noop okay what all right that's it that's good so but so the goals here are we're going to reverse engineer this to figure out exactly what it does so we're basically going to take I mean and what I'm you know basically saying here is you know we write code right in C or whatever and we compil it and we get stuff that looks like that over on the right hand side it's very easy to do that but a lot of times it's really hard to go backwards um and so essentially

what we're doing is we we disassemble the malware and we end up with stuff that looks on the right and we're trying to get figure out you know what that malware is doing just by looking at its static properties you know and we're trying to kind of at least in our mind create something like that on the left- hand side now there's a lot of people I go to a lot of talks and you know cats get all the freaking attention right who's a cat lover here cats okay dog lovers oh yeah this is my audience all right I love you guys man all right I put little puppy pictures in there all right so the next area of the

talk that I want to touch on is so we kind of know a little bit about what malware an analysis is the parts that it breaks down to and just at a high level what we need to do there the next thing that we want to focus on is you know we really need to have an environment a lab set up so that we can do this and so what I'm going to touch on in the next few slides are you know the different types of platforms virtual and physical and also the different options so there's automated you know you and you can do things all your malware analysis on a single Buton box but there may be

times where you'll need another box too to maybe act as a server or a Gateway so first thing is the platform so I think pretty much everybody knows this you you can do things virtually using things like VMware virtual box whatever any other flavors of uh VM products that people like any hardcores and any what Zen okay Q what how do you say that qmu okay that's all right too complicated for me what Li okay lib vert wow okay um so there's uh you know and then we also have things that we can do the physical layer so a lot of times when you're doing malware analysis you will start out just doing things virtually and it

and it's just awesome because you can set up operating systems you you can snapshot them uh you can run the malware and then you can just revert back to that snapshot um so it's great the only downsides though is that a lot of the really good malware knows what to look for in Virtual or it knows the keys to look for in the operating system to detect whether it's running in a virtual environment or not so H Redfield blue pill oh yes I like the blue pill all right um exactly so now the interesting thing to contemplate there as we move forward or as our you know like we started out doing having these big clients or these big clients

and then or no no no we started out with main frames right so we had these very thin clients and then we went to thick clients and then a few years ago Oracle said that the network is the operating system right right and then I don't know so now we're just bouncing back and forth but what's the term here that they use it's vdi yeah so virtual desktops basically so you know so maybe it's not such a bad thing because if your system gets infected with malware it says oh I'm running in a virtual machine I'm going to kill [Music] myself so you know it could work in our favor too but if it does you know if

you're working in your sandbox um and it detects that then the obvious next step is to go back to a physical box now it's you know obviously VM detection isn't possible because you're running on a VM right uh but it's also re resource intensive this is a separate box it's a little like it's so easy to just snap back you know so but with a physical box maybe you like reinstall the operating system or if you're using something like ghost or whatever you you could set that up to make it easier but it's definitely a lot more uh re resource intensive like if you maybe you need to set up some sort of a Labs

another machine that acts as a Gateway so you know that's more stuff you have to do there um so the options here and and so obviously I'm pushing the way I'm sort of pushing here is to go the uh way of of doing a virtual environment at least to start out and then if you see maware is detecting that and changing its Behavior based on your virtual system then you can do the physical box um but regardless of the environment that you're in there's basically three different options so there's automated and so these are great I'm going to talk about cuckoo box you know it's op Source One and there's a bunch of other ones

there too but they do triage anal analysis so so they do all that and then they emulate you know the the user clicking on things and and opening up emails and running things right and then it just uh watches all that activity that goes on changes to the file system the registry network uh type stuff process type type stuff collects all that and gives it back to you so it's great because it does a lot of that stuff just submit submit the file to it you let it run and then you get this this stuff back or you get a basic quick analysis back so the other option is doing everything on a single box so you

basically have this environment set up and you have all your tools set up to monitor that uh and then you trick it you use certain tools to trick it so that the malware thinks it's on a network when it really isn't uh and so you run it but you're basically watching the malware uh and it's everything's being done on this single box now as I mentioned there there's there's the potential risk of you know the malware realizing this and sabotaging you know the data that your uh analysis tools are collecting so to mitigate that you know you can at least get some clean data by having another box that's acting as a Gateway so any network type stuff you

can pull off so you can do things like you know just doing basic Port scans Network traffic so there there's a lot of just basic things you can do there so those are your different options um another you know in terms maybe diving a little deeper in a in automated analysis there's several awesome tools that you can use so if you just want to get started in malware analysis find some malware which I'll show you and submit it to to these sites and look what they bring back and try to understand so that's an awesome way to get started so

malware.trace you know most sites whenever you use them like Norman sandbox GFI Anubis threat expert they all um you know they'll use anything that you submit to them to further their research so this is kind of nice that that we can upload stuff and that they're not going to share it with every with the potential adversary right um so obviously this can work using these online sites can work when you're just starting out when you're just trying to learn right but if you are working for a large corporation you know I don't know Google or Microsoft or whoever I don't think they management and Leadership staff their legal team they're whoever right I don't think they

would appreciate you uploading malware that you found on their Network to these sites so the other option is to you know you know those large companies can purchase uh products made by these some of these same companies here that they Bas they basically do the same thing but it's inhouse and any malware that's submitted to it doesn't get shared with anyone else so there's commercial products there's the open source tool which is cuckoo sandbox Has anyone used cuckoo here okay yeah I love it um and even at a minimum like if you can't get all this stuff set up like what's you know basic malware analysis 101 is basically create your own like virus total type thing so at least you know

that's at a minimum you could do something like [Music] that um so looking a little bit and I talked about cuckoo and maybe diving a little deep deeper there but this slide just basically talks about all the things that when you run malware on Cuckoo sandbox what it um tracks so it captures data associated with API calls all the network traffic screenshots so you can actually go in and you can see the malware actually running like if it's starting processes or or or o opening a command window uh files so any files that that were added deleted or modified and also L instruction so it'll basically capture all that a trace of that too cuckoo

sandbox it's getting EAS easier but it can be a little frustrating to set up so but it's definitely worth the you know if you're really good you probably do it in like a half hour but it's definitely worth it you know like if it's your first time and you're familiar with Linux I don't know you could probably do it in like two three hours so if you just head down and do it um so this is what cuckoo looks like so there's usually um so how the architecture is it's usually running so you have a host operating system and then you have a virtual guest which in this case is Windows XP and uh you submit stuff I don't know

if it's showing here but so you there's several ways to submit the malware to this uh it runs in the um the Windows XP box and then you get your output through here and you can either look at the output comes us usually in several different formats uh they have like uh you can start some local web servers like a local Mini web server and you can look at like HTML reports and it looks somewhat uh like like if you would go to malware.trace look at their it looks basically like that so lots of love for cuckoo right um so the next thing is so that's automated right and now just so the next Evolution here was with the sing the

single box and um so this is basically where we're going to be start looking at Dynamic analysis right so you're going to start with your ba base patched Windows XP Service Pack 2 or Service Pack 3 um I have some links here where you may be able to find stuff but essentially you know it's like well where do I get this right especially if I'm a new guy right and and and and I don't want to pay the hundreds of dollars to get a Windows XP license that's like 10 years old right but you know if you're willing to pay for it you know there's eBay New Egg whatever so you can go to the sites like that but

what's pretty awesome though is now you can't get Windows XP unfortunately but current and what is it last year Windows the uh previously there was the what is it it's like the M the msdn subscription TechNet yeah so that was fairly inexpensive and you would have basically free use of um all their software for a few hundred bucks

okay yeah just the basic stuff right but it it was a great deal right but now what they did is is they transitioned from well we have these evals so we don't need the techet right so what you can essentially do is go get evals of any of these products and usually by the first month they'll nag you to register it and then but overall they last 90 days which you know to install an operating system even Windows 7 or eight on like in a virtual environment like I just did it takes like 15 minutes so basically you know every 90 days you spend 15 minutes and reset up your stuff um so the EV vals are a great

place to to start they do kind of hide them cuz I've found them in a document them and then later I wanted to go back to it was like oh just Google it you know and couldn't find it and and so like definitely like write these down because Google doesn't index them um the other thing that you may want to look at is I think Microsoft does it is there's the modern IE and essentially what this is is it gives people it gives web designers and developers access to browser browsers that are only accessible on Windows XP so I guess like ie6 7 what whatever right but once again so you can get access to Windows XP and

once again these last these trials or evals if you want to call them that um are good for 90 days the last option right is AWS right so you can spin up your own machines in uh you know this is Amazon here right you can use the cloud oh that's that's a buzz word I forgot to use drink all right the only disadvantage there is that they are servers like they they usually don't have like um like workstation stuff but you know it's an option or you can just shell out the cash and buy you know you you can start out with a Windows 7 or Windows 8 eval and just you know when the expiration

comes up if you find you're really liking it then you can put up the h i I don't know how much does a Windows 7 I haven't bought one but few hundred bucks or something 400 what yeah yeah yeah enter Enterprise okay okay yeah so about 100 bucks but so you know it's usable but if you don't want to Shell out 100 bucks up front you have 90 days just to try it out right so it's it's great um so we get our basic operating system stood up and oh did you have a question sir okay yeah yes yes yeah so so previous operating systems that your um that your it maybe what one minute 10

minutes I thought I had like an hour okay okay so oh this is hilarious I thought it was like 50 minutes or something yeah what's what's what's up to get

is it really it was 30 minutes oh okay all right cool okay I see yeah that's illegal come on you know what speaking of that what was it my my son did this um he's like nine right and he did this invent it program for summer camp right so one of the things they did is they took apart old desktops right I'm thinking awesome so the one day I come home I'm searching through stuff on my desk and I see all these like Windows XP discs window seven dis and I'm like where' these come from so I asked him and he said oh well they were sitting there and I thought you would like them and I was like

you are awesome with like um keys and everything it was awesome so but anyway I digress so we end up we have this basic we have our basic operating system stood up right and so some these these are just some of the tools that you want to put on so there's strings and and there's several companies that put out windows strings tools there's be Studio which kind of does a little bit strings too but it also does a lot of just basic analysis type stuff uh static analysis uh so that's a tool that a lot of folks use and also file Insight so you definitely need a hex editor and there's lots of ones out there a lot of the good

ones you end up having to pay for but just to start out with this one by maffy it's a little older and the cool thing though is it it was specifically designed for malware analysis so so these these are just some suggestions but if you have like your your favorite uh hex editor that you would like to use then buy buy all means use what what works um so some other things that you would want to put on this single box that you would be doing analysis on are some of the CIS internals tools so we got process monitor which process monitor is just awesome you can set it up to monitor specific things you can filter

all the junk you don't care out uh that you don't care about out it's it's just awesome definitely a tool to learn and also process Explorer which is like task manager but awesome okay um it just you know there's lots of cool things you can do with it and of course wire shark right and if you're going to use wire shark you're going to get stuck doing wi peap too and also red shot I really like and although um it says red shot and you're thinking like oh it's going to track so it's basically like hey I'm going to take a snapshot of the picture of the registry B4 run a bunch of stuff take a snapshot afterwards and it show

shows you the dips there's actually an option there so that you can monitor file change changes too so you said oh I want a mile so so you check that and the files that you want to monitor you can just you just do c colon colon slash and it monitors all the file changes um so I got some links to that there some other things that you would want to install on this box for doing Dynamic analysis or TCP view just so that you can get um kind of so that you can watch just just different uh network connections that are going out going in and also there's a tool called faket so this is the thing that if the malware

requires internet to work, or in order to basically like do C2, or just to indicate that, hey, I'm on a network and I can do stuff now. So there's a cool tool called FakeNet, and it's really awesome. It basically starts up all these fake... like it changes your local hosts file and then it starts up all these listeners for like DNS, HTTP, SSL, and it basically acts as... it listens for stuff and then it kind of makes its best guess to kind of send stuff back. So it's a pretty cool tool. And then the next thing is static analysis, so you probably want to
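The DNS half of the FakeNet behaviour just described, as an added example that is not FakeNet's code and not from the talk: a listener on the lab network that answers whatever name the sample asks for with one fixed address, so the sample believes it is online and the analyst gets a log of every name it tried. The `SINK_IP` value and the hostnames in the usage are assumptions; the rest is plain RFC 1035 wire format.

```python
"""FakeNet-style DNS sink: an added example, not FakeNet's code.

Answers every A/IN query with one fixed IP so a sample that needs a name to
resolve before it continues keeps running inside the isolated lab, while the
analyst sees which names it asked for.  SINK_IP is an assumption: point it at
the fake gateway box.  Everything else is plain DNS wire format (RFC 1035).
"""
import socket
import struct
from typing import Optional, Tuple

SINK_IP = "10.0.0.1"    # assumed address of the analyst's fake gateway
QTYPE_A, QCLASS_IN = 1, 1
NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """'www.example.test' -> b'\\x03www\\x07example\\x04test\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode labels at offset; returns (name, offset just past the name).
    Compression pointers are rejected: a question section never needs them."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Constructed client query, used here as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet: bytes) -> Tuple[int, str, int, int, int]:
    """Return (txid, qname, qtype, qclass, end_of_question) for a one-question query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, qclass, off + 4


def build_response(query: bytes, answer_ip: str = SINK_IP, ttl: int = 60) -> bytes:
    """A/IN queries get answer_ip; anything else gets NXDOMAIN so the sample
    sees a definite answer rather than a timeout."""
    txid, _, qtype, qclass, end = parse_query(query)
    question = query[12:end]          # echo the question section unchanged
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        flags, ancount = 0x8180, 1    # QR=1 RD=1 RA=1, rcode 0
        rdata = socket.inet_aton(answer_ip)
        answer = (b"\xC0\x0C"         # name: pointer to the qname at offset 12
                  + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata))
                  + rdata)
    else:
        flags, ancount, answer = 0x8180 | NXDOMAIN, 0, b""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + answer


def answered_ip(response: bytes) -> Optional[str]:
    """Pull the A record out of a response built above (None for NXDOMAIN)."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, off = decode_name(response, 12)
    off += 4 + 12     # skip qtype/qclass, then pointer+type+class+ttl+rdlength
    return socket.inet_ntoa(response[off:off + 4])


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Run the sink on the lab network (port 53 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                _, qname, qtype, _, _ = parse_query(data)
                print(f"{peer[0]} asked type {qtype} for {qname}")
                sock.sendto(build_response(data), peer)
            except (ValueError, IndexError) as exc:
                print(f"ignored packet from {peer[0]}: {exc}")


if __name__ == "__main__":
    serve()
```

Run it on the fake gateway and point the victim VM's DNS at that box. Non-A queries get NXDOMAIN on purpose: a sample that waits on a timeout stalls the analysis, while a definite answer keeps it moving, and the printed log is the list of names worth writing down as indicators.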

do some static analysis type tools to put on your box there. So obviously there's IDA Pro, so you can get the free version, but if you want to stay at low cost and you don't want to get pestered to upgrade, you just start out with OllyDbg. And one of the cool things too is the OllyDump plugin, because a lot of times if you're analyzing malware and you're looking at it statically and you're like, I don't know what it's doing, it's all like... I scan it, I run strings on it and it looks just like garbage, right? So what you can do is you can

start up the malware, attach it to the debugger, and then basically pause it, put a break in, and then extract the actual malware out of memory in its decrypted state. So some cool stuff there. And then there's tons of tools out there, like if you go to Lenny Zeltser's site, he has a link to them, but there are definitely, for like if you're looking at PDFs or Flash or Office files, tons of tools out there that are specifically designed to work with those formats. And then these are just some other ideas of some good stuff that I heard of that you may want to check out,

like here's some of the other hex editors, usually you have to pay for them. And forensics, and this is another thing too, when you're doing malware analysis there's a whole other layer that you can add to it, because you can run the malware and you can actually do forensics on that box too to even learn more. So depending how deep you want to go, right? All right, so basically you have this single box, it's on a secluded network, and I just have a note there, you know, just don't do host-only because theoretically malware could spread from your victim box to your host,

and so you definitely want to set up like a separate network that isn't connected to your host there if you need. And then these are just ways of... it's like, well, how do I get malware onto the box? So you can temporarily turn on networking to download stuff, turn it off, whatever. You can use media, like if you're in a physical environment and you're working with actual workstations, things like CDs or USB keys. But at some point you basically snapshot the VM. Depending on the type of malware you're analyzing there would be custom tools, like if it's a PDF exploit then, you know, put a

version of Reader, or if it's a Firefox exploit then you would probably want to look at installing things like Firefox and stuff there too. So your whole thing is set up, you baseline it, you snapshot it, and then depending on what you want to do, because what a lot of people will do is they'll want to test a piece of malware like, all right, well, does it work on XP Service Pack 1, Service Pack 2, Service Pack 3? And the cool thing about having everything done virtually is I can just have Service Pack 1 and then I can update it to Service Pack 2, snapshot it, update it to

Service Pack 3, snapshot it, and so I really don't have to have entire installed operating systems, it's just these snapshots that are just the deltas between them. This is a little... so usually you have your second box, and these are situations where you can't do stuff on a single box. So usually you have this second box, you can call it like a fake gateway, so this is the second gateway for the target to connect to. It's basically, you could set up any server like Linux and just install the server services that you need, right? The other thing is both your victim and this gateway probably want to use fixed

IPs, just a good recommendation. And then down on the bottom here, DNS, HTTP, IRC, a bunch of other servers, right, that you could install there depending on the malware that you're looking at. And once again there's a lot of cases where you'd have to do this, if the malware is somehow sabotaging that single box that you're actually running the malware on. And then these are obviously like your network tools that you could put on this fake gateway, so Wireshark, netcat and nmap, and if you want you can snapshot it and you can have different versions of that too. So one tool, has anyone heard of

REMnux? So it's like Reverse Engineer Malware, once again by Lenny Zeltser. So this is something that he put out; you can install it from scratch or he has like a VMware version, so you can just download that, open it up inside of a VMware product and have access to a lot of pre-installed things that are awesome. So you can put the malware on this Linux box, and if it's Windows malware it doesn't really matter, right? So there's a lot of tools built into that distro that allow you to do some of that triage stuff, maybe some of that static analysis stuff, and from a dynamic analysis perspective it has all the most common

services built in. So if you need like a DNS server or IRC or whatever, it has all these basic services already in, and all you have to do is... he gives you commands to start them up and it's basically very easy. So definitely something to start out with. This is what REMnux looks like. And one of the cool things too, like a lot of questions that you get is like, all right, I'm going to do malware analysis, like where do I get malware, right? So I mean if you're just starting out, I love the book Practical Malware Analysis; you can go to their

website and you can download all their labs, and so that's malware that you can work on there. It's probably mostly... I mean it's malware, but it was with a book, so it's probably less benign than, say, real malware. Contagio dump has been around for years and years and years, right, you can get stuff from there. VirusShare, that's a newer site, you have to request an invite. And also malware.trace

checks like, hey, I want to share my stuff, you can grab stuff there too. And then a new site that I've been tracking the past few months is malware-traffic-analysis.net. Now he gets a lot of his stuff from malware.trace

Okay, I'm happy again, right? Okay, and then this is really quick, it's just the methodology, right? So this is my triage checklist, right, because I'm in that world, we have to have checklists. Anyway, so it's pretty simple: hey, I'm going to run it through some automated type service. It could be an external one like some of the sites that I showed there, or it could be the commercial versions of those that are locally hosted. You can do your MD5 hash thing, right, so you can get the hash of the file, see if anyone's found it. Right now you can determine the real

file type, so you can just look at the PE header or you can look at `file`, and there's some other sort of tricks that you can do there. Analyze imports, so these are the libraries that the malware is importing, right? So you can look at things and be like, oh, this is like this super advanced calculator, but for some reason it's importing like a network library, it's like, huh, that's interesting. So you can look for stuff like that. And obviously run strings, because strings rocks, and as long as it's not obfuscated too bad you can clear most of the stuff just by doing

strings. Unpack if it is obfuscated, so there are standard... like if people just use the standard packer then you can use the standard unpacker to just extract it, clean it up. But if they're using encryption or something like that you can use that OllyDump trick or whatever, you just pull it out of memory. And then like I said there may be some specialized tools. A year or two years back, and it's still in development, there was this tool called MASTIFF which takes a lot of these tools and it kind of does a lot of this stuff where you just submit the file to it, and
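The first items of that triage checklist (hash it, determine the real file type from the bytes rather than the name, run strings, look for the "calculator that imports a network library" smell) carried out in one pass, as an added example that is not the speaker's or any named tool's code. The sample bytes are constructed inline, and the `NETWORK_HINTS` watch-list and `EXT_TYPES` map are assumptions chosen for illustration; import-table parsing is left to tools like PEStudio, so the network hint here comes from strings, not from the PE import directory.

```python
"""Static triage pass: an added example, not the speaker's own tooling.

Covers the first items on the checklist: hash the sample, decide the real
file type from its bytes rather than its name, dump printable strings, and
flag strings that hint at network capability (the "calculator that imports a
network library" smell).  The sample bytes are constructed inline and the
NETWORK_HINTS watch-list is an assumption chosen for illustration.
"""
import hashlib
import os
import re
import struct
from typing import Dict, List

MAGIC = [
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP container"),             # also Office 2007+, JAR, APK
    (b"\x7fELF", "ELF"),
    (b"\xd0\xcf\x11\xe0", "OLE2 compound file"),  # legacy Office
]
EXT_TYPES = {".exe": "PE executable", ".dll": "PE executable", ".scr": "PE executable",
             ".pdf": "PDF", ".docx": "ZIP container", ".zip": "ZIP container",
             ".doc": "OLE2 compound file"}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
NETWORK_HINTS = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll",
                 "WSAStartup", "InternetOpenUrlA", "URLDownloadToFileA"}


def hashes(data: bytes) -> Dict[str, str]:
    """MD5 for looking the sample up elsewhere, SHA-256 for your own records."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def pe_summary(data: bytes) -> Dict[str, object]:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header; raise if not a valid PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, sections, timestamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"e_lfanew": e_lfanew, "machine": MACHINES.get(machine, hex(machine)),
            "sections": sections, "timestamp": timestamp,
            "is_dll": bool(chars & 0x2000), "is_executable": bool(chars & 0x0002)}


def real_type(data: bytes) -> str:
    """Type from magic bytes; an MZ stub without a PE header is reported separately."""
    if data[:2] == b"MZ":
        try:
            pe_summary(data)
            return "PE executable"
        except ValueError:
            return "DOS MZ executable (no valid PE header)"
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """ASCII runs first, then UTF-16LE runs (Windows binaries carry both)."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def network_hints(strings: List[str]) -> List[str]:
    return [s for s in strings if s in NETWORK_HINTS]


def triage(filename: str, data: bytes) -> Dict[str, object]:
    detected = real_type(data)
    expected = EXT_TYPES.get(os.path.splitext(filename)[1].lower())
    report: Dict[str, object] = {"file": filename, "type": detected,
                                 "extension_mismatch": detected != "unknown" and expected != detected,
                                 **hashes(data)}
    if detected == "PE executable":
        report["pe"] = pe_summary(data)
    strings = extract_strings(data)
    report["string_count"] = len(strings)
    report["network_hints"] = network_hints(strings)
    return report


def build_sample() -> bytes:
    """Constructed 'calculator' PE stub with a network library name inside."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x53E1E5C0, 0, 0, 0xE0, 0x0102)
    narrow = b"\x00".join([b"Fancy Calculator 2.0", b"wininet.dll", b"InternetOpenUrlA",
                           b"http://updates.example.invalid/check"])
    wide = "Ready".encode("utf-16-le")
    return dos + b"PE\x00\x00" + coff + b"\x00" * 8 + narrow + b"\x00\x00" + wide + b"\x00\x00"


if __name__ == "__main__":
    for key, value in triage("invoice.txt", build_sample()).items():
        print(f"{key}: {value}")
```

The point of `extension_mismatch` is the "real file type" step: a PE that arrived as `invoice.txt` is already interesting before you read a single string. Feed `triage()` the bytes of a real sample on REMnux and you have the hashes to look up, the type, and a first list of strings to stare at.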

then that's also part of REMnux too, so you could play with that there. And then this is just a quick checklist for dynamic analysis: so we have our baseline, we start our apps, execute the malware, monitor the activities, at some point we shut stuff down, and then we look at the differences between the beginning and the end. And then static analysis, does anybody do static analysis? It's definitely a lot harder, right? So you just kind of stare at it and stare at it some more, and then eventually after a few years you get really good at it and you don't know why. More puppies. All right, where to learn more, so
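The dynamic-analysis checklist just given (baseline, run, shut down, compare) and the Regshot snapshot-and-diff idea from earlier in the talk, as one added example that is not Regshot's code and not from the talk. It snapshots a directory tree, runs a stand-in for the sample that drops, edits and deletes files, and reports the differences; the diff routine is written against plain mappings so a registry export loaded into a dict diffs the same way. The paths and contents are constructed inside a temp directory.

```python
"""Baseline, run, compare: an added example in the spirit of Regshot, not its code.

Snapshot a directory tree (relative path -> size and SHA-256), let something
run, snapshot again and report added, removed and modified files.  The diff
routine is generic, so a registry export loaded into a dict (key -> value)
diffs the same way, which is what Regshot does for HKLM/HKCU.  The "malware"
activity below is simulated with ordinary file writes in a temp directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Mapping, Tuple

Snapshot = Dict[str, Tuple[int, str]]   # relative path -> (size, sha256)


def snapshot(root: str) -> Snapshot:
    """Hash every regular file under root, keyed by forward-slash relative path."""
    snap: Snapshot = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):           # don't follow links out of the tree
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def diff_snapshots(before: Mapping[str, object],
                   after: Mapping[str, object]) -> Dict[str, List[str]]:
    """Works for file snapshots and for any key -> value map such as registry dumps."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def write(root: str, rel: str, content: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def simulated_activity(root: str) -> None:
    """Stand-in for 'execute the malware': drop, tamper, delete, and touch."""
    write(root, "config/dropped.bin", b"\x4d\x5a constructed payload stub")      # added
    write(root, "config/settings.ini", b"[app]\nlevel=1\nautostart=1\n")         # modified
    os.remove(os.path.join(root, "temp", "cache.bin"))                            # removed
    write(root, "logs/today.log", b"started\n")   # rewritten with the same bytes: not reported


def run_demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as root:
        write(root, "config/settings.ini", b"[app]\nlevel=1\n")
        write(root, "logs/today.log", b"started\n")
        write(root, "temp/cache.bin", b"\x00" * 8)
        before = snapshot(root)                  # 1. baseline
        simulated_activity(root)                 # 2./3. start apps, execute, monitor
        after = snapshot(root)                   # 4. shut down, snapshot again
        return diff_snapshots(before, after)     # 5. compare beginning and end


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

Hashing rather than comparing timestamps is deliberate: a file that was rewritten with identical bytes (the log above) is noise, and a file whose timestamp was reset to hide a change still shows up because its hash moved. Point `snapshot()` at `C:\` on the victim VM, as the talk does with Regshot's file monitor, and the same diff tells you what the sample left behind.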

OpenSecurityTraining.info, this place is awesome, I mean, and they have this whole malware analysis curriculum here. But just to get started you definitely want like these classes here: the intro to x86, reverse engineering malware, malware static analysis and malware dynamic analysis, and there's some other stuff there too, like the lighter color stuff, that's stuff that they're looking for content for. So I just kind of put quick links to them here because it is sort of hard to find, they don't really have it linked that well, but so these are quick links to it. And then three out of four of them here, they actually

have videos too, so it's like more than just slide reading, you can actually do the videos, they come with labs, a lot of great stuff there. Some other, like SecurityTube, they have some reverse engineering stuff that you might want to check out. The Hacker Academy, they have like a good reverse engineering... now this is a commercial thing, and like I get a little kickback, but there's like a little deal there and it helps me come to cons like this and stuff, so it's not like I'm making that much money on it. And then they have some other things there, but it's pretty cool because they have

these videos that you can watch, and they actually have labs that you can download VMs and run stuff, so some cool things that you can do there. And there's a special deal package there that goes towards my 2015 BSides Las Vegas travel, right? Zeltser.com, I mean, he's just awesome. So the malware analysis toolkit, just basically start there and just follow the links and you just learn so much. Certifications, right. All right, so you know Lenny works for SANS and he does the GREM, so it's awesome if you can afford it. There's EC-Council, has their version, right, there's probably some more out there. And then

NIST, if you're in the government realm, NIST has their standard documents that you can read at night before you go to bed, yeah. And then me. And then if anybody's interested, like tomorrow, maybe afternoon or whatever, if you guys want to do like a workshop or something, I don't know if anyone would be interested in doing stuff like that just out in the common area. So okay, cool, well yeah, I mean so we can just definitely... I mean I can't promise, because we're limited with bandwidth and stuff here, but that might be something that we can work with, right? So maybe like a

few hours, but if you just follow me on Twitter or whatever I'll just kind of put stuff out there. And then, last but not least, this is just kind of like a little side project that I might be able to use tomorrow. But Cuckoo Sandbox can be sort of a pain to set up, so what I started doing was, hey, well, I'm going to create this Cuckoo... like I'm going to get an Ubuntu VM and I'm going to set up Cuckoo for it and I'm going to put like a Windows evaluation version in and I'm going to set it all up, and it's like this self-enclosed thing

that you could just run. So hopefully I'll have some... I guess like literally a version, like last week I'm like, hey, this would be a great idea, oh, and I have to work like 60 hours too, but all right, I'm going to try to swing this. And then I have some ideas, like some really cool stuff that you could do, so it could be more than just Cuckoo, you could do additional snapshots and have different snapshots that focus on doing the automated analysis and also doing some of the dynamic analysis too. So it runs a little slow, it's about 20 gig right now, so I've got to figure out how I'm going to distribute

that. Anyway, so this is my conclusion slide. Anyway, I'm not going to really talk about anything on that. So the presentation isn't posted yet, but that's where it's going to be, so please don't anybody take that, besides that bit.ly link, please. That's me on Twitter if you need to contact me. There's, like through my website, a contact form, or it's basically just grecs at novainfosec dot com. The Academy thing, grecs hacker deal, if you're interested in doing stuff like that. And fortunately I don't need any of this. Did anybody see this? Holy crap. Anyway, I probably don't have time for questions, but we can chat out there. Anyway, thank you.