Malware Forensics, Sukwha Kyung, The Center for Cybersecurity and Digital Forensics (PowerPoint PPT Presentation)



  1. ARIZONA STATE UNIVERSITY. Malware Forensics. Sukwha Kyung, The Center for Cybersecurity and Digital Forensics

  2-3. Common Types of Attacks • Phishing • Malware • SQLi • XSS • MITM • DoS • Brute-force & dictionary attacks • …

  4-8. Current Status (image slides; content not captured in the transcript)

  9-10. Malware • A set of instructions (CPU instructions, commands or scripts) that runs on the victim's computer and makes the system do what the attacker wants it to do. • Purpose of malware: – Machine level: steal or delete files and information – Large scale: send spam, act as a relay

  11-12. Malware Forensics • Conducting forensic analysis on malicious code – Static analysis: examining the executable file without running it (hashes, strings, imports, section layout) – Dynamic analysis: observing the malware's activities by running it, in an isolated environment so that it cannot reach real systems • Not only WHAT, but also HOW: – Malware forensics often also has to establish how the victim's system got infected, which leads into network forensics.
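A minimal static-analysis step for the "without running it" case above, as an added example that is not part of the original slides: it pulls printable ASCII and UTF-16LE strings out of a constructed byte blob (not a real sample) and flags the ones a triage analyst would look at first. The sample bytes and the indicator patterns are my own assumptions, not anything from the presentation.

```python
import re

# Constructed sample blob (not a real malware sample): a fake 'MZ' header,
# an ASCII URL, a few non-printable bytes, a UTF-16LE registry path, and filler.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://example.invalid/update.bin\x00"
    + b"\x8f\x12\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x00\x01\x02\xff" * 8
)

MIN_LEN = 4  # same default as the classic `strings` tool


def extract_strings(data, min_len=MIN_LEN):
    """Return (encoding, offset, text) for printable runs of at least min_len chars.

    Two passes: plain ASCII, and UTF-16LE (each ASCII char followed by a NUL),
    which Windows binaries use for most user-visible strings and so a plain
    ASCII `strings` run would miss.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [("utf16", m.start(), m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    found.sort(key=lambda item: item[1])
    return found


# Assumed indicator patterns for triage; extend per investigation.
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run_key": re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE),
}


def triage(data):
    """Extract strings and return those matching an indicator, tagged by kind."""
    strings = extract_strings(data)
    hits = [(name, enc, off, text)
            for enc, off, text in strings
            for name, rx in INDICATORS.items()
            if rx.search(text)]
    return strings, hits


if __name__ == "__main__":
    strings, hits = triage(SAMPLE)
    for enc, off, text in strings:
        print(f"{off:#06x} {enc:5s} {text}")
    print("indicators:", [(name, text) for name, _, _, text in hits])
```

The offsets matter for the next step: once a string such as the registry Run key is located, the disassembly around the code that references that address is where the persistence logic lives.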

  13. History • Melissa (1999) • SQL Slammer (2003) • Mydoom (2004) • Zeus (2007) • Operation Aurora (2009) • Stuxnet (2010) • CryptoLocker (2013) • Sony Pictures hack (2014) • Mirai (2016) • WannaCry (2017)

  14. Types of Malware • Virus • Worm • Trojan • Backdoor • Rootkit • Adware • Browser Hijacker • Ransomware

  15-17. Mitigation • Anti-malware software – Intrusion Detection Systems (IDS): detect & report – Intrusion Prevention Systems (IPS): detect, block & report • What is the most naive way to create a malware signature? – An MD5/SHA-256 hash of the file? – Too weak on its own: an attacker can produce an unlimited number of variants of the same malware, each with a different hash, by changing a single bit.
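The hash-versus-pattern point on slides 16-17, worked through as an added example (not code from the slides): a constructed file stand-in is checked against an exact SHA-256 blocklist and against a byte-pattern rule. One flipped bit in the padding defeats the hash but not the pattern; one flipped bit inside the pattern defeats both, which is the polymorphism that packers automate. The marker bytes and the file layout are constructed for illustration only.

```python
import hashlib

# Constructed stand-in for a malware sample (not real malware): a 2-byte header,
# zero padding, a run of 0x90 bytes, a distinctive marker we choose as the
# signature, and trailing padding.
MARKER = b"\xde\xad\xbe\xef" + b"c2.example.invalid\x00"
SAMPLE = b"MZ" + b"\x00" * 14 + b"\x90" * 8 + MARKER + b"\x00" * 64
MARKER_OFFSET = SAMPLE.index(MARKER)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Naive signature: the exact hash of the known-bad file.
HASH_BLOCKLIST = {sha256_hex(SAMPLE)}


def hash_detect(data):
    """True only if the file is byte-for-byte identical to a known sample."""
    return sha256_hex(data) in HASH_BLOCKLIST


# Content signature: a byte sequence that must appear anywhere in the file.
BYTE_RULES = {"demo_marker": MARKER}


def pattern_detect(data):
    """Names of the byte-pattern rules that match the file."""
    return [name for name, pat in BYTE_RULES.items() if pat in data]


def flip_bit(data, byte_index, bit=0):
    """Return a copy of data with one bit toggled: the attacker's cheapest change."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def compare(data):
    """Run both detectors on one file and report the verdicts."""
    return {"hash": hash_detect(data), "pattern": pattern_detect(data)}


if __name__ == "__main__":
    # Bit flipped in trailing padding: behaviour unchanged, hash changed.
    padding_variant = flip_bit(SAMPLE, len(SAMPLE) - 1)
    # Bit flipped inside the marker: the byte-pattern rule fails as well.
    marker_variant = flip_bit(SAMPLE, MARKER_OFFSET)
    for label, blob in (("original", SAMPLE),
                        ("padding flipped", padding_variant),
                        ("marker flipped", marker_variant)):
        print(f"{label:16s} sha256={sha256_hex(blob)[:16]}... {compare(blob)}")
```

The third case is the reason real signature engines use wildcards, fuzzy hashes and behavioural rules rather than fixed byte strings: a fixed pattern is only as strong as the attacker's unwillingness to rewrite those particular bytes.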

  18. My Advice (image slide; content not captured)

  19. Virus • "A program that can infect other programs by modifying them to include a, possibly evolved, version of itself." – Fred Cohen (1983)

  20-21. Virus Example (image slides; content not captured)

  22-23. Packers • Not necessarily malicious (legitimate software is packed too) • Compress • Encrypt • Randomize (polymorphism) • Anti-debug techniques (int / fake jmp) • Add junk code • Anti-VM • Virtualization (code is translated to run on the packer's own virtual machine)
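The "compress" and "encrypt" bullets are what the classic entropy check catches, shown here as an added example (not from the slides): Shannon entropy per section on constructed section contents, plus the whole-file average, which shows why a single-number check can be hidden behind low-entropy padding. The 7.0 bits/byte threshold is a rule of thumb I am assuming, not a standard, and the section names and contents are constructed.

```python
import math
import random
import zlib
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits/byte; a common rule of thumb, assumed here, not a standard


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(sections):
    """Map section name -> entropy for a dict of name -> raw section bytes."""
    return {name: shannon_entropy(blob) for name, blob in sections.items()}


def suspect_packed(sections, threshold=PACKED_THRESHOLD):
    """Names of sections whose content looks compressed or encrypted."""
    return [name for name, ent in section_entropies(sections).items() if ent >= threshold]


def whole_file_entropy(sections):
    """Entropy of all sections concatenated: what a single-number check would see."""
    return shannon_entropy(b"".join(sections.values()))


# Constructed section contents (not from a real binary):
# .text   - a repetitive byte pattern standing in for ordinary machine code
# .rdata  - readable text with a skewed character distribution
# .packed - the same text after zlib compression (what a compressing packer emits)
# .enc    - deterministic pseudo-random bytes standing in for an encrypted payload
_CODE = bytes([0x55, 0x48, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0xC3]) * 512
_TEXT = "".join(f"GET /update?id={i}&v={(i * i) % 9973} HTTP/1.1\r\n"
                for i in range(3000)).encode("ascii")
_RNG = random.Random(1337)
SECTIONS = {
    ".text": _CODE,
    ".rdata": _TEXT,
    ".packed": zlib.compress(_TEXT, 9),
    ".enc": bytes(_RNG.getrandbits(8) for _ in range(4096)),
}

if __name__ == "__main__":
    for name, ent in section_entropies(SECTIONS).items():
        flag = "  <-- likely packed/encrypted" if ent >= PACKED_THRESHOLD else ""
        print(f"{name:8s} {len(SECTIONS[name]):7d} bytes  entropy {ent:.2f}{flag}")
    print("whole file:", round(whole_file_entropy(SECTIONS), 2),
          "-> averaging hides the packed sections")
```

Entropy is a triage signal, not a verdict: a packed but benign installer and an encrypted malicious payload look the same to it, and a packer that pads its output with zeros or spreads the payload across many small high-entropy chunks can drag a whole-file figure below any threshold, which is why the check is done per section (or per sliding window) rather than on the file as a whole.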

  24. Backdoor • A covert method of bypassing a system's normal authentication or encryption. – A hidden part of a program – A separate program – Default passwords • E.g.) Clipper chip (1993)

  25-26. Backdoor / Reverse Backdoor (diagram slides; content not captured)

  27. Trojan • The class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim's computer.

  28. Trojan • E.g.) "waterfalls.scr" – a free waterfall screensaver (a .scr file is an ordinary Windows executable with a different extension). • When run, it launches hidden programs, commands or scripts, with or without the user's knowledge or consent.

  29. Trojan • "To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust: the people who wrote the software." – Ken Thompson (Turing Award acceptance lecture, 1983)

  30. Rootkit • Any software that acquires and maintains privileged access to the operating system while hiding its presence by subverting normal OS behavior. – Symantec report

  31-33. Rootkit • Kernel Rootkit / Windows Kernel / Kernel Device Driver (diagram slides; content not captured)

  34. Rootkit • Bootkit – infects the master boot record (MBR), volume boot record (VBR) or boot sector so that its code runs during system startup, before the OS. – can bypass all of the OS's own protections, because the OS assumes the system was in a trusted state at the moment the boot loader handed over control; the defence is to verify or measure the boot chain itself (Secure Boot, measured boot) rather than trust it.

  35. (image slide; content not captured)

  36. Worm • A self-replicating program that uses a network to send copies of itself to other nodes, without any user intervention. • Worms typically exploit security flaws in widely used services, such as buffer overflow vulnerabilities in a network service.

  37. Worm • Morris worm (1988) – Infected approximately 6,000 machines, about 10% of the Internet at the time – Estimated cost ~$10 million

  38. Solution (image slide; content not captured)

  39. Worm • Code Red worm (2001) – Direct descendant of Morris' worm – Infected more than 500,000 servers • Programmed to go into infinite sleep mode (July 28) – ~$2.6 billion in damage • Love Bug (ILOVEYOU) worm (2000) – Email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs" (the double extension hides that it is a script) – ~$8.75 billion in damage

  40. Virus vs Trojan vs Worm • Virus: code embedded in a file or program • Viruses and Trojan horses rely on human intervention to spread • Worms are self-contained and may spread autonomously

  41-43. Browser hijacking / Adware / Browser Toolbar (image slides; content not captured)

  44-46. Ransomware / Ransomware / Mobile Ransomware (image slides; content not captured)

  47-48. (image slides; content not captured)
