comparing malicious files
play

Comparing Malicious Files RVAsec May 22, 2019 Problem Statements - PowerPoint PPT Presentation

Oct 08, 2023 β€’222 likes β€’1.1k views

Comparing Malicious Files RVAsec May 22, 2019 Problem Statements AV Problem Many AV companies use their own unique nomenclature for malware and malware families @MalwareUtkonos Marketing Problem Marketing departments want to brand the

  1. Comparing Malicious Files RVAsec May 22, 2019

  2. Problem Statements

  3. AV Problem Many AV companies use their own unique nomenclature for malware and malware families @MalwareUtkonos

  4. Marketing Problem Marketing departments want to brand the malware families that their company has identified 🐽 🚁 🐲 🚁 🐼 🐽 🐼 🐲 @MalwareUtkonos

  5. WTF?????? ● APT28 ● Group-4127 ● Pawn Storm ● STRONTIUM ● Fancy Bear ● TAG_0700 ● Sednit ● Swallowtail ● TsarTeam ● IRON TWILIGHT ● TG-4127 ● Group 74 @MalwareUtkonos

  6. Missing Criteria @MalwareUtkonos

  7. Researcher’s Problem What am I looking at? Can I relate this to other samples that have already been identified? Is this a new attack? @MalwareUtkonos

  8. Incident Responder’s Problem What is this related to? Can I locate previous work around this malware, so I can save time? @MalwareUtkonos

  9. Solution Methods

  10. Sample Identification Determine malware family membership of sample @MalwareUtkonos

  11. Locating Associated Samples Within a set of samples, which are related? @MalwareUtkonos

  12. Identification Method: Anti-Virus Scanner Results

  13. Shared Engines Sample: 68119dd7fb9ecb099de50227162bd82f Scanner Result: Trojan.GenericKD.40437487 AV Companies: Ad-Aware, ALYac, BitDefender, Emsisoft, F-Secure, GData, MicroWorld-eScan @MalwareUtkonos

  14. http://www.beerdestroyer.com/wp-content/uploads/2013/05/dc_brau_corruption.jpg Specific Development Methods Generic http://who-really-cares-anyway.blogspot.com/2007/03/generic-food.html @MalwareUtkonos

  15. Vendors with Usable Results Microsoft ESET https://www.microsoft.com/en-us/wdsi/threats http://www.virusradar.com/en/threat_encyclopaedia Kaspersky Sophos https://www.sophos.com/en-us/threat-center/threat-analyses https://encyclopedia.kaspersky.com /viruses-and-spyware.aspx @MalwareUtkonos

  16. Boiling Down Results Sample: c3f9d80d11ab3671cd412e94de4141ad @MalwareUtkonos

  17. Boiling Down Results Remove clearly generic results Watch for sneaky generic results: Zeus, Zbot, Zusy, etc. @MalwareUtkonos

  18. Boiling Down Results ESET-NOD32 Win32/Adware.VrBrot Yandex Trojan.DR.PeBundle.A McAfee Artemis!C3F9D80D11AB VBA32 Trojan.Isbar Ad-Aware Gen:Variant.Symmi.89546 DrWeb Trojan.Isbar.863 ALYac Gen:Variant.Symmi.89546 Arcabit Trojan.Symmi.D15DCA BitDefender Gen:Variant.Symmi.89546 NANO-Antivirus Trojan.Win32.Isbar.fhgjim F-Secure Gen:Variant.Symmi.89546 ViRobot Trojan.Win32.Z.Symmi.954946 MicroWorld-eScan Gen:Variant.Symmi.89546 Avast Win32:VrBrothers-A [Adw] Emsisoft Gen:Variant.Symmi.89546 (B) AVG Win32:VrBrothers-A [Adw] Ikarus Trojan-Spy.Win32.Sincom GData Win32.Backdoor.Hupigon.B Microsoft Trojan:Win32/Occamy.C Kingsoft Win32.RiskWare.PEBundle.49152 @MalwareUtkonos

  19. Boiling Down Results ESET-NOD32 Win32/Adware.VrBrot Yandex Trojan.DR.PeBundle.A McAfee Artemis!C3F9D80D11AB VBA32 Trojan.Isbar Ad-Aware Gen:Variant.Symmi.89546 DrWeb Trojan.Isbar.863 ALYac Gen:Variant.Symmi.89546 Arcabit Trojan.Symmi.D15DCA BitDefender Gen:Variant.Symmi.89546 NANO-Antivirus Trojan.Win32.Isbar.fhgjim F-Secure Gen:Variant.Symmi.89546 ViRobot Trojan.Win32.Z.Symmi.954946 MicroWorld-eScan Gen:Variant.Symmi.89546 Avast Win32:VrBrothers-A [Adw] Emsisoft Gen:Variant.Symmi.89546 (B) AVG Win32:VrBrothers-A [Adw] Ikarus Trojan-Spy.Win32.Sincom GData Win32.Backdoor.Hupigon.B Microsoft Trojan:Win32/Occamy.C Kingsoft Win32.RiskWare.PEBundle.49152 @MalwareUtkonos

  20. Boiling Down Results ESET-NOD32 Win32/Adware.VrBrot Yandex Trojan.DR.PeBundle.A McAfee Artemis!C3F9D80D11AB VBA32 Trojan.Isbar Ad-Aware Gen:Variant.Symmi.89546 DrWeb Trojan.Isbar.863 ALYac Gen:Variant.Symmi.89546 Arcabit Trojan.Symmi.D15DCA BitDefender Gen:Variant.Symmi.89546 NANO-Antivirus Trojan.Win32.Isbar.fhgjim F-Secure Gen:Variant.Symmi.89546 ViRobot Trojan.Win32.Z.Symmi.954946 MicroWorld-eScan Gen:Variant.Symmi.89546 Avast Win32:VrBrothers-A [Adw] Emsisoft Gen:Variant.Symmi.89546 (B) AVG Win32:VrBrothers-A [Adw] Ikarus Trojan-Spy.Win32.Sincom GData Win32.Backdoor.Hupigon.B Microsoft Trojan:Win32/Occamy.C Kingsoft Win32.RiskWare.PEBundle.49152 @MalwareUtkonos

  21. Boiling Down Results Ad-Aware Gen:Variant.Symmi.89546 VBA32 Trojan.Isbar Arcabit Trojan.Symmi.D15DCA DrWeb Trojan.Isbar.863 ViRobot Trojan.Win32.Z.Symmi.954946 NANO-Antivirus Trojan.Win32.Isbar.fhgjim Win32.Trojan.Symmi Win32.Trojan.Isbar @MalwareUtkonos

  22. Boiling Down Results Ad-Aware Gen:Variant.Symmi.89546 VBA32 Trojan.Isbar Arcabit Trojan.Symmi.D15DCA DrWeb Trojan.Isbar.863 ViRobot Trojan.Win32.Z.Symmi.954946 NANO-Antivirus Trojan.Win32.Isbar.fhgjim Win32.Trojan.Symmi Win32.Trojan.Isbar @MalwareUtkonos

  23. Boiling Down Results Ad-Aware Gen:Variant.Symmi.89546 VBA32 Trojan.Isbar Arcabit Trojan.Symmi.D15DCA DrWeb Trojan.Isbar.863 ViRobot Trojan.Win32.Z.Symmi.954946 NANO-Antivirus Trojan.Win32.Isbar.fhgjim Win32.Trojan.Symmi Win32.Trojan.Isbar @MalwareUtkonos

  24. Automation: AVClass ● Family Rankings ● PUP Classification ● Ground Truth Evaluation ● Generic Token Detection ● Alias Detection https://github.com/malicialab/avclass @MalwareUtkonos

  25. Identification Method: MITRE ATT&CK

  26. ATT&CK ● Framework for categorization of adversary tactics and techniques ● Excellent first step ● Not yet ready for malware classification ● There is a better option! @MalwareUtkonos

  27. ATT&CK & Granularity https://steemit.com/reverseengineering/@utkonos/alphablend-campaign-part-2 @MalwareUtkonos

  28. ATT&CK & Granularity @MalwareUtkonos

  29. SEH Variation @MalwareUtkonos

  30. Contribute Sub-Techniques https://attack.mitre.org/resources/contribute/ @MalwareUtkonos

  31. 2FA Interception (T1111) ● SMS interception on the wire (SORM) ● SMS interception by number porting ● Code interception via phishing page (Nile Phish, Charming Kitten) ● Keylogger @MalwareUtkonos

  32. Better System

  33. The New MAEC Anti-Behavioral Analysis Execution Anti-Static Analysis Exfiltration Collection Impact Command and Control Lateral Movement Credential Access Persistence Defense Evasion Privilege Escalation Discovery https://github.com/MAECProject/malware-behaviors @MalwareUtkonos

  34. Identification Method: Malpedia

  35. Malpedia: FIN7, Carbanak https://malpedia.caad.fkie.fraunhofer.de/actor/anunak @MalwareUtkonos

  36. Malpedia Results @MalwareUtkonos

  37. Contribute!!!!! @MalwareUtkonos

  38. Identification Method: Google

  39. https://xkcd.com/627/ @MalwareUtkonos

  40. https://xkcd.com/627/ @MalwareUtkonos

  41. Proposal

  42. Proposal

  43. Association Method: Static Analysis

  44. Some Hashes ssdeep: Context triggered piecewise hash Import Hash (imphash): Calculated from PE file import table @MalwareUtkonos

  45. Exif Metadata @MalwareUtkonos

  46. Code Signing Certificate Signed by fake cert Signed by real/stolen cert Signed-ish: broken signature @MalwareUtkonos

  47. Abused Certificates @MalwareUtkonos

  48. PE Metadata Sections Imports / Exports Resources @MalwareUtkonos

  49. @MalwareUtkonos

  50. Sections Sample: 0a9545f9fc7a6d8596cf07a59f400fd3 Name: .reloc MD5: 3a64e2292f5eb1bbe70428c1c6ee22d5 @MalwareUtkonos

  51. Sections Sample: 0a9545f9fc7a6d8596cf07a59f400fd3 Name: .reloc MD5: 3a64e2292f5eb1bbe70428c1c6ee22d5 @MalwareUtkonos

  52. Resources Sample: c7577748e6e7c71cdf5a950655b2456e Name: RT_VERSION SHA256: 4df4bf2f6de1beb10586f49b4155fffb946279e8b0 a69d6fbbe695158bbb63ae @MalwareUtkonos

  53. ReversingLabs Hash Algorithm https://www.reversinglabs.com/technology/ reversinglabs-hash-algorithm.html @MalwareUtkonos

  54. VirusTotal similar-to: Proprietary black magic, but very effective @MalwareUtkonos

  55. Document Metadata Author Timestamps Language PDF Producer @MalwareUtkonos

  56. Association Method: Dynamic Analysis

  57. Filenames Boring: finding exactly the same filename More exciting: develop regex for a pattern of generated filenames. @MalwareUtkonos

  58. URL Structure: Download Related to the vulnerability in the CMS that was exploited to create the URL @MalwareUtkonos

  59. URL Structure: Download Example: http://terumoindonesia.com/wp-content/themes/twentysixteen/ Regex: wp-[a-z]+/themes/twenty(?:ten|eleven|twelve|thirteen|fourteen|fifteen|sixteen|seventeen|eighteen) @MalwareUtkonos

  60. URL Structure: C2 Directly related to the malware family @MalwareUtkonos

  61. URL Structure: C2 Example: http://dinttobogo.com/zapoy/gate.php @MalwareUtkonos

  62. Mutual Exclusion (Mutex) Prevents race conditions with multiple processes and multiple threads. https://en.wikipedia.org/wiki/Mutual_exclusion @MalwareUtkonos

  63. Registry Key Hierarchical database for low-level OS and application settings. https://en.wikipedia.org/wiki/Windows_Registry @MalwareUtkonos

  64. Association Method: Clustering Algorithms

  65. Standing on Shoulders of Giants β€œPython and Machine Learning: How to clusterize a malware dataset?” https://github.com/sebdraven/hack_lu_2017 And botconf! @MalwareUtkonos

  66. Algorithms K-Means DBScan @MalwareUtkonos

Recommend

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views β€’ 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views β€’ 94 slides
Malicious Websites on the Chinese Web Overview and Case Study MingHua Wang CNCERT/CC 0 China

Malicious Websites on the Chinese Web Overview and Case Study MingHua Wang CNCERT/CC 0 China

Malicious Websites on the Chinese Web Overview and Case Study MingHua Wang CNCERT/CC 0 China Internet Security Overview Internet Development Comparing the two graphs, it Netizen Website Online Host International Bandwidth is rather

498 views β€’ 22 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

507 views β€’ 19 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

434 views β€’ 22 slides
Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing system Organized into a hierarchy of directories Files / /etc /Applications /var /tmp /Users /etc/Apache /etc/master.passwd

232 views β€’ 19 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views β€’ 30 slides
Comparing Several Samples We are often interested in comparing measurements made under more than

Comparing Several Samples We are often interested in comparing measurements made under more than

ST 380 Probability and Statistics for the Physical Sciences Comparing Several Samples We are often interested in comparing measurements made under more than two different sets of conditions. Examples Strengths of concrete beams manufactured

436 views β€’ 15 slides
Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams other media so that we dont lose it even if the computer is shut off Files can store more data than may fit in Yves Lesprance working memory

248 views β€’ 4 slides
Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open files Different ways of reading files How to write out files How to read then search, count, etc. on files Concepts about

615 views β€’ 26 slides
Comparing Two Samples We are often interested in comparing measurements made under two different

Comparing Two Samples We are often interested in comparing measurements made under two different

ST 380 Probability and Statistics for the Physical Sciences Comparing Two Samples We are often interested in comparing measurements made under two different sets of conditions. Examples Water quality measurements below an effluent outfall,

384 views β€’ 22 slides
Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have used regular text files O>en called FLAT FILES These have a certain advantage,

554 views β€’ 22 slides
Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing

Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing

TWO S OR MEDIANS: COMPARISONS Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing the means of two unrelated samples Comparing the medians of two unrelated samples Old exam question Further study

397 views β€’ 38 slides
Business Statistics CONTENTS Comparing two s Comparing more than two s Analysis of

Business Statistics CONTENTS Comparing two s Comparing more than two s Analysis of

SEVERAL S: COMPARISON Business Statistics CONTENTS Comparing two s Comparing more than two s Analysis of variance Testing significance of ANOVA Performing ANOVA The statistical model Equal variances Old exam question Further

532 views β€’ 30 slides
Climate: What Is It Anyway Comparing Weather and Climate Climate Regions and Biomes Comparing

Climate: What Is It Anyway Comparing Weather and Climate Climate Regions and Biomes Comparing

Climate: What Is It Anyway Comparing Weather and Climate Climate Regions and Biomes Comparing Weather and Climate Directions 1. Watch the National Geographic Video Weather and Climate 2. In your lab book, construct a Venn Diagram comparing

50 views β€’ 3 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views β€’ 31 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

566 views β€’ 27 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views β€’ 62 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain EUROCRYPT 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

1.11k views β€’ 57 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain TPMPC 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

925 views β€’ 69 slides
Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First Conference, Vienna Agenda Background Previous work Information leakage by malicious insider Our Research How to prevent 2 Insider

335 views β€’ 30 slides
Outline ! Introduction ! Basic

Outline ! Introduction ! Basic

File Structures An Introduction Outline ! Introduction ! Basic Concepts ! Secondary Storage ! Sequential Files ! Direct Files ! Indexed Files ! Tree-Based Files ! Multilist &

364 views β€’ 35 slides
A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

Stephan Chenette Principal Security Researcher Websense Labs FIRESHARK A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web Communities Malicious Web Communities Mass Injection Analysis Redirection

1.49k views β€’ 99 slides
Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed Sequential Files ! Multilevel Indexes ! Overflow Management ! Performance Analysis rasitjutrakul Indexed Files Ordered Random access sequential

536 views β€’ 22 slides

More recommend