
Challenges of collaborative malware analysis - Polichombr - S. Le Berre (PowerPoint PPT presentation)


  1. Challenges of collaborative malware analysis: Polichombr
     S. Le Berre, A. Chevalier, T. Pourcelot
     ANSSI/COSSI/DTO/BFS — SOGETI ESEC
     SSTIC — Rennes — June 1, 2016

  2. Plan
     1 Introduction
     2 Needs and challenges
     3 Polichombr
     4 DEMO
     5 Conclusion
     ANSSI/COSSI/DTO/BFS — SOGETI ESEC — Challenges of collaborative malware analysis — 2/30

  3. Introduction - What is it about
     Operational malware analysis
     ◮ Malware everywhere!
     ◮ Malware writers are more numerous than malware reversers
     ◮ Let's work as a team to tackle them!

  4. Plan - section 2: Needs and challenges

  5. Needs and challenges - Goals
     Why reverse malware?
     ◮ Technical follow-up on adversary tools
     ◮ Many adversaries, many tools
     ◮ Sample identification
     ◮ More effective incident response! . . .
     ◮ Produce detection elements
     ◮ Capitalization of experience
     ◮ Threat intelligence & know your adversary

  6. Needs and challenges - Formalization
     Inputs
     ◮ Samples
     ◮ Context, associated documents, detection rules, . . .
     Output
     ◮ IOC and threat reports
     ◮ Adversary toolset knowledge
     Constraints
     ◮ DO IT QUICK!
     ◮ Don't waste time
     ◮ Don't forget anything
     ◮ Limited manpower

  7. Needs and challenges - Analysis cycle
     (figure: the analysis cycle diagram)

  8. Needs and challenges - Malware analysis challenges: Storage and collection
     Challenges
     ◮ Collection
     ◮ Volume (many adversaries, many tools, many versions of these tools)
     Effective storage needs
     ◮ Browsable (metadata)
     ◮ Usable
     Problems
     ◮ Filer storage
     ◮ Storage on the reverser's laptop or drives

  9. Needs and challenges - Malware analysis challenges: Classification
     Benefits
     ◮ Family identification
     ◮ Identification of similarities
     ◮ Sample triaging
     Current techniques
     ◮ Yara and dynamic execution signatures
     ◮ Mandiant's imphash
     ◮ Control Flow Graph comparison
     ◮ Metadata comparison

  10. Needs and challenges - Malware analysis challenges: Analysis
     Benefits
     ◮ Answer technical questions about the sample
     ◮ Identify interesting points in the binary
     Methods
     ◮ Top-down: start from entry points
     ◮ Bottom-up: start from the IAT or from patterns
     Challenges
     ◮ Automated analysis: fast but incomplete
     ◮ Manual analysis: time consuming, prone to omissions
     ◮ Team work: whiteboards and meetings are not sufficient

  11. Needs and challenges - Malware analysis challenges: Results production and capitalization
     Sample information
     ◮ Raw technical information
     ◮ Techniques used
     ◮ Code overview
     Family information
     ◮ Overview: sophistication, variants, etc.
     ◮ Detection techniques
     ◮ Tools (unpacking scripts, etc.)
     Problems
     ◮ Lost reports, IDB corruption, . . .

  12. Needs and challenges - Malware analysis challenges: Dissemination and feedback
     Benefits
     ◮ Propagation on the existing dataset
     ◮ Information shared: improved detection, actor knowledge, . . .
     ◮ Information gained: new samples, technical/context feedback, . . .
     Challenges
     ◮ Multiple types of interlocutors = multiple types of languages and channels
     ◮ Effective technical information sharing
     ◮ Both external (sensitivity) AND internal (experience)

  13. Needs and challenges - Malware analysis challenges: Automation
     (figure slide)

  14. Plan - section 3: Polichombr

  15. Polichombr - Overview
     POLICHOMBR (section title slide)

  16. Polichombr - Overview: Why this new tool?
     History
     ◮ Tool developed by BFS in 2014
     ◮ Originally Ruby/PHP/Python for Windows (yes. . . )
     ◮ Evolving since ;)
     Addressed challenges
     ◮ Storage!
     ◮ Information/knowledge centralization
     ◮ Collaborative teamwork
     ◮ Automation
     ◮ Classification (introducing the MACHOC algorithm)

  17. Polichombr - Overview: Bricks
     WebUI
     ◮ Macro overview
     ◮ Expose an API
     Analysis engine
     ◮ Run all the things!
     Disassembly engine
     ◮ METASM
     User's endpoint
     ◮ IDA Python script

  18. Polichombr - Overview: Datatypes
     Binaries
     ◮ PE/ELF/Shellcodes/. . .
     ◮ Associated metadata
     Families
     ◮ Store contexts, utilities, overview information
     ◮ Tree used to organize samples/threats
     Signatures
     ◮ Machoc
     ◮ Yara

  19. Polichombr - The Machoc algorithm: Binary classification
     Problems
     ◮ MD5, SHA* not adapted (by definition: any byte change gives a different hash)
     ◮ SSDEEP, SDHash not adapted to executables
     Goals
     ◮ Act like a fingerprint of the program
     ◮ Lightweight (can be exchanged by mail)
     ◮ Resistant to recompilation
     ◮ Resistant to architecture change (x86_64)

  20. Polichombr - The Machoc algorithm
     In a nutshell: a Control Flow Graph "snapshot" of a function
     Algorithm
     ◮ Block and call labelling
     ◮ Translate to text → 1:2;2:c,3,4;3:2;4:;
     ◮ Murmurhash3 → 0x94167eb0
     ◮ For each function in the sample, concatenate the hashes

  21. Polichombr - The Machoc algorithm: Usages
     Sample classification
     ◮ Threshold = 80% (empiric)
     Information propagation
     ◮ Between samples
     ◮ Propagate all the names!
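The two Machoc slides above describe the algorithm only in outline (label the blocks and calls of a function's CFG, serialize to text, hash with MurmurHash3, concatenate per function, compare samples against an 80% threshold). The following Python is an added illustration of that pipeline written for this page; it is not Polichombr's own implementation (which is Ruby on top of metasm). The CFG input format, the exact label order (a `c` marker first, then successor block ids, which reproduces the slide's `1:2;2:c,3,4;3:2;4:;`), the MurmurHash3 seed of 0, and the similarity metric used for the 80% threshold (shared function hashes over the smaller sample's function count) are all assumptions; the sample CFGs are constructed.

```python
"""Machoc-style function hashing and Machoc_80 classification, as an
illustrative reimplementation of the slides' description.  Added example
code, not Polichombr's; the input format, seed and similarity metric are
assumptions."""

from typing import Dict, List, Tuple

# CFG of one function: block id -> (block contains a call?, successor ids).
# Block ids are positional (1, 2, 3, ...), so addresses never enter the
# hash; that is what gives recompilation/architecture resistance.
CFG = Dict[int, Tuple[bool, List[int]]]


def encode_cfg(cfg: CFG) -> str:
    """Label blocks/calls and translate the CFG to text.

    Each block becomes "<id>:<labels>;" where labels are "c" (if the block
    calls a function) followed by the successor ids, comma-separated.
    Assumption: this label order matches the slide's example string."""
    parts = []
    for block_id in sorted(cfg):
        has_call, successors = cfg[block_id]
        labels = (["c"] if has_call else []) + [str(s) for s in successors]
        parts.append(f"{block_id}:{','.join(labels)};")
    return "".join(parts)


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, transcribed from the reference algorithm."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    n = len(data)
    body_len = n & ~3
    for i in range(0, body_len, 4):                      # 4-byte body blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[body_len:]                               # 1-3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= n                                               # finalization mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def machoc_function_hash(cfg: CFG) -> int:
    """One 32-bit fingerprint per function (assumed seed: 0)."""
    return murmur3_32(encode_cfg(cfg).encode("ascii"))


def machoc_sample(functions: List[CFG]) -> List[int]:
    """The sample's Machoc value: the per-function hashes, concatenated."""
    return [machoc_function_hash(f) for f in functions]


def machoc_similarity(a: List[int], b: List[int]) -> float:
    """Percentage of function hashes two samples share.

    Assumption: shared hashes over the smaller sample's distinct function
    count; the slides state only the 80% threshold, not the metric."""
    sa, sb = set(a), set(b)
    if not sa or not sb:
        return 0.0
    return 100.0 * len(sa & sb) / min(len(sa), len(sb))


def machoc_80_match(a: List[int], b: List[int], threshold: float = 80.0) -> bool:
    """Soft identification: same family if similarity reaches the threshold."""
    return machoc_similarity(a, b) >= threshold


# Constructed CFGs. SLIDE_CFG is the function drawn on the slide.
SLIDE_CFG: CFG = {1: (False, [2]), 2: (True, [3, 4]), 3: (False, [2]), 4: (False, [])}
F_LINEAR: CFG = {1: (False, [2]), 2: (False, [])}
F_BRANCH: CFG = {1: (False, [2, 3]), 2: (True, []), 3: (False, [])}
F_CALLS: CFG = {1: (True, [2]), 2: (True, [3]), 3: (False, [])}
F_DIAMOND: CFG = {1: (False, [2, 3]), 2: (False, [4]), 3: (False, [4]), 4: (False, [])}
F_STUB: CFG = {1: (True, [])}
F_LOOP: CFG = {1: (False, [2, 3]), 2: (False, [1]), 3: (True, [])}

SAMPLE_A = [SLIDE_CFG, F_LINEAR, F_BRANCH, F_CALLS, F_DIAMOND]   # reference sample
SAMPLE_B = [SLIDE_CFG, F_LINEAR, F_BRANCH, F_CALLS, F_STUB]      # 4 of 5 functions shared
SAMPLE_C = [SLIDE_CFG, F_LINEAR, F_STUB, F_LOOP, F_BRANCH]       # 3 of 5 functions shared

if __name__ == "__main__":
    print(encode_cfg(SLIDE_CFG), hex(machoc_function_hash(SLIDE_CFG)))
    a = machoc_sample(SAMPLE_A)
    for name, s in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        h = machoc_sample(s)
        print(f"A vs {name}: {machoc_similarity(a, h):.0f}% -> match={machoc_80_match(a, h)}")
```

Run stand-alone, the script prints the slide's text encoding for the example function and classifies sample B (80%) as the same family and sample C (60%) as a suggested-only, non-matching sample. Note that the hash value printed for the slide's function is not expected to equal the 0x94167eb0 shown on the slide, since the seed and exact serialization of the original tool are not given on the page.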

  22. Polichombr - Workflow: Analyzing a new sample
     Submission
     ◮ WebUI, API or directly from IDA
     Automated analysis: plugins
     ◮ Metadata, strings, Machoc extraction
     ◮ Add comments, renames, hints
     ◮ Output a brief text summary
     Classification
     ◮ Strong/automated identification: Yara (extended with Machoc)
     ◮ Soft/suggested identification: imphash, Machoc_80

  23. Polichombr - Workflow: Results storage
     Sample documentation
     ◮ Analysts' notes
     ◮ Checklist
     ◮ IDA actions
     Family documentation
     ◮ Analysts' notes
     ◮ Detection items (SNORT rules, OpenIOC, etc.)
     ◮ Classification signatures (Yara, Machoc)
     ◮ Other elements: context, reports, tools
     ◮ Analysts
     ◮ Etc.

  24. Polichombr - Workflow: Data export
     For analysts: Machex
     ◮ Can include any information about the sample
     ◮ Specifically information about functions, names and Machoc hashes
     ◮ Can be imported back
     For consumers
     ◮ Reports, detection rules, IOC, samples archive
     ◮ Sensitivity management
     For tools
     ◮ Expose all the data with an API

  25. Polichombr - Workflow: Team reversing
     Skelenox
     ◮ IDA Python script
     ◮ Synchronization between the user's IDA database and Polichombr
     ◮ Push/pull changes (including other users')
     ◮ Names, comments, types, . . .
     ◮ Realtime identification (using Machoc hashes)

  26. Plan - section 4: DEMO

  27. DEMO
     Automated analysis
     ◮ Sample metadata
     ◮ Classification
     ◮ Automated reverse!
     Bonus
     ◮ OpenIOC export

  28. Plan - section 5: Conclusion

  29. Conclusion
     What we try to achieve
     ◮ Quickly and efficiently produce information about malware
     ◮ Provide a tool for automation and communication of analyses
     About the tool
     ◮ https://github.com/ANSSI-FR/polichombr
     ◮ Can be used for other collaborative reversing tasks =)
     ◮ Pull requests, feedback and suggestions are welcome!
     HR
     ◮ If you like malware analysis,
     ◮ If you were not lost in this presentation,
     ◮ BFS & Sogeti are hiring! ;-)

  30. Conclusion - Q&A
     Thank you for your attention! Questions?
