Challenges of collaborative malware analysis: Polichombr (S. Le Berre) - PowerPoint PPT Presentation

  1. Challenges of collaborative malware analysis: Polichombr
     S. Le Berre, A. Chevalier, T. Pourcelot
     ANSSI/COSSI/DTO/BFS — SOGETI ESEC
     SSTIC — Rennes — June 1, 2016

  2. Introduction - Plan
     1 Introduction
     2 Needs and challenges
     3 Polichombr
     4 DEMO
     5 Conclusion
     ANSSI/COSSI/DTO/BFS — SOGETI ESEC Challenges of collaborative malware analysis 2/30

  3. Introduction - What is it about
     Operational malware analysis
     ◮ Malware everywhere!
     ◮ Malware writers are more numerous than malware reversers
     ◮ Let's work as a team to tackle them!

  4. Needs and challenges - Plan (section 2)

  5. Needs and challenges - Goals
     Why reverse malware?
     ◮ Technical follow-up on adversary tools
     ◮ Many adversaries, many tools
     ◮ Sample identification
     ◮ More effective incident response! . . .
     ◮ Produce detection elements
     ◮ Capitalization of experience
     ◮ Threat intelligence & know your adversary

  6. Needs and challenges - Formalization
     Inputs
     ◮ Samples
     ◮ Context, associated documents, detection rules, . . .
     Output
     ◮ IOC and threat reports
     ◮ Adversary toolset knowledge
     Constraints
     ◮ DO IT QUICK!
     ◮ Don't waste time
     ◮ Don't forget anything
     ◮ Limited manpower

  7. Needs and challenges - Analysis cycle
     [Figure: analysis cycle diagram; not recoverable from the extracted text]

  8. Needs and challenges - Malware analysis challenges: Storage and collection
     Challenges
     ◮ Collection
     ◮ Volume (many adversaries, many tools, many versions of these tools)
     Effective storage needs
     ◮ Browsable (metadata)
     ◮ Usable
     Problems
     ◮ Filer storage
     ◮ Storage on reverser's laptop or drives

  9. Needs and challenges - Malware analysis challenges: Classification
     Benefits
     ◮ Family identification
     ◮ Identification of similarities
     ◮ Sample triaging
     Current techniques
     ◮ Yara and dynamic execution signatures
     ◮ Mandiant's imphash
     ◮ Control Flow Graph comparison
     ◮ Metadata comparison
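Among the classification techniques listed on the slide, Mandiant's imphash is the easiest to reproduce: an MD5 over a canonical rendering of the PE import table. The Python below is an added example written for this page, not Polichombr's or pefile's code. It follows the canonicalisation pefile uses (lower-case DLL name with the .dll/.ocx/.sys extension removed, lower-case function name, "ord<N>" for unresolved ordinals, entries joined by commas in import-table order); the ws2_32 ordinal subset and the import lists are constructed for the example. It shows why the later slides treat imphash as a "soft" signal: a rebuild that keeps the same imports in the same order matches, while a single added or reordered import does not.

```python
"""imphash from an import list (added example; not Polichombr's or pefile's code)."""
import hashlib
from typing import Dict, List, Tuple, Union

# Assumed subset of the ws2_32.dll ordinal table that pefile's ordlookup resolves,
# so that ordinal-only imports still canonicalise to a stable function name.
ORDINAL_NAMES: Dict[str, Dict[int, str]] = {
    "ws2_32": {4: "connect", 23: "socket", 115: "WSAStartup"},
}

ImportTable = List[Tuple[str, List[Union[str, int]]]]  # (dll, [name or ordinal, ...])


def _library_key(dll: str) -> str:
    """Lower-case DLL name without its .dll/.ocx/.sys extension."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports: ImportTable) -> str:
    """The comma-joined "lib.func" list that gets hashed; order matters."""
    parts = []
    for dll, functions in imports:
        lib = _library_key(dll)
        for func in functions:
            if isinstance(func, int):  # imported by ordinal
                name = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
            else:
                name = func
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports: ImportTable) -> str:
    """MD5 hex digest of the canonical import string (32 hex characters)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import tables (no real sample behind them).
IMPORTS_V1: ImportTable = [
    ("KERNEL32.dll", ["CreateFileA", "WriteFile"]),
    ("WS2_32.dll", [23, 4]),                 # socket, connect by ordinal
    ("ADVAPI32.dll", ["RegSetValueExA"]),
    ("USER32.dll", [2000]),                  # unknown ordinal -> "ord2000"
]
# Same binary rebuilt: different DLL name casing, identical import order.
IMPORTS_V1_REBUILT: ImportTable = [
    ("kernel32.DLL", ["CreateFileA", "WriteFile"]),
    ("ws2_32.dll", [23, 4]),
    ("advapi32.dll", ["RegSetValueExA"]),
    ("user32.dll", [2000]),
]
# A variant that added one import: the imphash no longer matches.
IMPORTS_V2: ImportTable = [
    ("KERNEL32.dll", ["CreateFileA", "WriteFile", "DeleteFileA"]),
    ("WS2_32.dll", [23, 4]),
    ("ADVAPI32.dll", ["RegSetValueExA"]),
    ("USER32.dll", [2000]),
]

if __name__ == "__main__":
    print(imphash_string(IMPORTS_V1))
    print("v1      ", imphash(IMPORTS_V1))
    print("rebuilt ", imphash(IMPORTS_V1_REBUILT), imphash(IMPORTS_V1) == imphash(IMPORTS_V1_REBUILT))
    print("v2      ", imphash(IMPORTS_V2), imphash(IMPORTS_V1) == imphash(IMPORTS_V2))
```

Because the hash covers names and order but not the code, it is a cheap first-pass grouping signal rather than a family proof, which matches its "soft/suggested identification" role on the workflow slide.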

  10. Needs and challenges - Malware analysis challenges: Analysis
     Benefits
     ◮ Answer technical questions about the sample
     ◮ Identify interesting points in the binary
     Methods
     ◮ Top-down: start from entry points
     ◮ Bottom-up: start from IAT or patterns
     Challenges
     ◮ Automated analysis: fast but incomplete
     ◮ Manual analysis: time consuming, prone to omissions
     ◮ Team work: whiteboards and meetings are not sufficient

  11. Needs and challenges - Malware analysis challenges: Results production and capitalization
     Sample information
     ◮ Raw technical information
     ◮ Techniques used
     ◮ Code overview
     Family information
     ◮ Overview: sophistication, variants, etc.
     ◮ Detection techniques
     ◮ Tools (unpacking scripts, etc.)
     Problems
     ◮ Lost reports, IDB corruption, . . .

  12. Needs and challenges - Malware analysis challenges: Dissemination and feedback
     Benefits
     ◮ Propagation on existing dataset
     ◮ Information shared: improved detection, actors knowledge, . . .
     ◮ Information gained: new samples, technical/context feedback, . . .
     Challenges
     ◮ Multiple types of interlocutors = multiple types of languages and channels
     ◮ Effective technical information sharing
     ◮ Both external (sensitivity) AND internal (experience)

  13. Needs and challenges - Malware analysis challenges: Automation
     [Figure-only slide; no text recoverable]

  14. Polichombr - Plan (section 3)

  15. Polichombr - Overview: POLICHOMBR

  16. Polichombr - Overview: Why this new tool?
     History
     ◮ Tool developed by BFS in 2014
     ◮ Originally Ruby/PHP/Python for Windows (yes. . . )
     ◮ Evolving since ;)
     Addressed challenges
     ◮ Storage!
     ◮ Information/Knowledge centralization
     ◮ Collaborative teamwork
     ◮ Automation
     ◮ Classification (introducing the MACHOC algorithm)

  17. Polichombr - Overview: Bricks
     WebUI
     ◮ Macro overview
     ◮ Expose an API
     Analysis engine
     ◮ Run all the things!
     Disassembly engine
     ◮ METASM
     User's endpoint
     ◮ IDA Python script

  18. Polichombr - Overview: Datatypes
     Binaries
     ◮ PE/ELF/Shellcodes/. . .
     ◮ Associated metadata
     Families
     ◮ Store contexts, utilities, overview information
     ◮ Tree used to organize samples/threats
     Signatures
     ◮ Machoc
     ◮ Yara

  19. Polichombr - The Machoc algorithm: Binary classification
     Problems
     ◮ MD5, SHA* not adapted (by definition)
     ◮ SSDEEP, SDHash not adapted to executables
     Goals
     ◮ Act like a fingerprint of the program
     ◮ Lightweight (can be exchanged by mail)
     ◮ Resistant to recompilation
     ◮ Resistant to architecture change (x86_64)

  20. Polichombr - The Machoc algorithm
     In a nutshell: Control Flow Graph "snapshot" of a function
     Algorithm
     ◮ Blocks and call labelling
     ◮ Translate to text → 1:2;2:c,3,4;3:2;4:;
     ◮ Murmurhash3 → 0x94167eb0
     ◮ For each function in sample, concatenate

  21. Polichombr - The Machoc algorithm: Usages
     Sample classification
     ◮ Threshold = 80% (empiric)
     Information propagation
     ◮ Between samples
     ◮ Propagate all the names!
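Slides 20 and 21 describe Machoc as a text encoding of each function's control flow graph, hashed with MurmurHash3 and compared across samples with an 80% threshold, with function names propagated between matching functions. The Python below is an added example written for this page, not Polichombr's own Machoc code. It implements that pipeline end to end, but the details are assumptions of this example: blocks are numbered by ascending address, the text layout follows the slide's "1:2;2:c,3,4;3:2;4:;" form, MurmurHash3_x86_32 is used with seed 0, the similarity metric is the share of function hashes common to both samples relative to the smaller one, and all CFGs and samples are constructed. The real implementation may differ on any of these points, so the 0x94167eb0 value from the slide is not reproduced here.

```python
"""Machoc-style CFG hashing, similarity and name propagation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

MASK32 = 0xFFFFFFFF
MACHOC_THRESHOLD = 0.80  # "Threshold = 80% (empiric)" on slide 21


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3_x86_32 (the 32-bit variant the mmh3 package exposes)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                    # 4-byte little-endian body words
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        h1 ^= (k1 * c2) & MASK32
        h1 = (_rotl32(h1, 13) * 5 + 0xE6546B64) & MASK32
    tail, k1 = data[4 * nblocks:], 0            # 0..3 trailing bytes
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if tail:
        k1 ^= tail[0]
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        h1 ^= (k1 * c2) & MASK32
    h1 ^= len(data)                             # fmix32 finalisation
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    return h1 ^ (h1 >> 16)


@dataclass
class BasicBlock:
    addr: int                                   # used only to order the blocks
    successors: List[int] = field(default_factory=list)
    has_call: bool = False                      # callee identity is dropped on purpose


def cfg_to_text(blocks: List[BasicBlock]) -> str:
    """Renumber blocks 1..n by address so the text ignores load and callee addresses."""
    ordered = sorted(blocks, key=lambda b: b.addr)
    num = {b.addr: i + 1 for i, b in enumerate(ordered)}
    out = []
    for b in ordered:
        labels = (["c"] if b.has_call else []) + [str(n) for n in sorted(num[s] for s in b.successors)]
        out.append(f"{num[b.addr]}:{','.join(labels)};")
    return "".join(out)


def machoc_function_hash(blocks: List[BasicBlock]) -> int:
    return murmurhash3_x86_32(cfg_to_text(blocks).encode("ascii"))


def machoc_sample(functions: List[List[BasicBlock]]) -> List[int]:
    """Per-sample signature: one 32-bit hash per function, concatenated as a list."""
    return [machoc_function_hash(f) for f in functions]


def machoc_similarity(a: List[int], b: List[int]) -> float:
    """Assumed metric: shared function hashes over the smaller sample (duplicates collapsed)."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / min(len(sa), len(sb)) if sa and sb else 0.0


def same_family(a: List[int], b: List[int], threshold: float = MACHOC_THRESHOLD) -> bool:
    return machoc_similarity(a, b) >= threshold


def propagate_names(known: Dict[int, str], sample: List[int]) -> Dict[int, str]:
    """Reuse names already given to functions with the same hash in earlier samples."""
    return {h: known[h] for h in sample if h in known}


# --- constructed CFGs and samples (no real malware behind them) ---------------
def slide_function(base: int = 0x401000) -> List[BasicBlock]:
    """The four-block CFG of slide 20, placed at an arbitrary base address."""
    return [BasicBlock(base, [base + 0x10]),
            BasicBlock(base + 0x10, [base + 0x20, base + 0x30], has_call=True),
            BasicBlock(base + 0x20, [base + 0x10]),
            BasicBlock(base + 0x30)]


def chain(n: int, base: int) -> List[BasicBlock]:
    """Straight-line function of n blocks; different n give different CFG texts."""
    return [BasicBlock(base + 0x10 * i, [base + 0x10 * (i + 1)] if i < n - 1 else [])
            for i in range(n)]


SAMPLE_A = machoc_sample([chain(n, 0x1000 * n) for n in range(1, 6)])        # 5 functions
SAMPLE_B = machoc_sample([chain(n, 0x2000 * n) for n in (1, 2, 3, 4, 6)])    # shares 4 of 5
SAMPLE_C = machoc_sample([chain(n, 0x3000 * n) for n in (1, 2, 7, 8, 9)])    # shares 2 of 5

if __name__ == "__main__":
    print(cfg_to_text(slide_function()), hex(machoc_function_hash(slide_function())))
    print("A~B", machoc_similarity(SAMPLE_A, SAMPLE_B), same_family(SAMPLE_A, SAMPLE_B))
    print("A~C", machoc_similarity(SAMPLE_A, SAMPLE_C), same_family(SAMPLE_A, SAMPLE_C))
    print(propagate_names({SAMPLE_A[0]: "init_config"}, SAMPLE_B))
```

Two design points carry the slide's goals: dropping absolute addresses and callee identities is what makes the hash survive relocation and recompilation, and keeping only block topology (not instruction bytes) is what lets it tolerate an architecture change, at the price of collisions between unrelated functions with trivial graphs, which is why matching is judged over the whole set of function hashes with a threshold rather than on a single function.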

  22. Polichombr - Workflow: Analyzing a new sample
     Submission: WebUI, API or directly from IDA
     Automated analysis: plugins
     ◮ Metadata, strings, machoc extraction
     ◮ Add comments, renames, hints
     ◮ Output a brief text summary
     Classification
     ◮ Strong/automated identification: Yara (extended with Machoc)
     ◮ Soft/suggested identification: imphash, Machoc_80

  23. Polichombr - Workflow: Results storage
     Sample documentation
     ◮ Analysts notes
     ◮ Checklist
     ◮ IDA actions
     Family documentation
     ◮ Analysts notes
     ◮ Detection items (SNORT rules, OpenIOC, etc.)
     ◮ Classification signatures (Yara, Machoc)
     ◮ Other elements: context, reports, tools
     ◮ Analysts
     ◮ Etc.

  24. Polichombr - Workflow: Data export
     For analysts: Machex
     ◮ Can include any information about the sample
     ◮ Specifically information about functions, names and machoc hashes
     ◮ Can be imported back
     For consumers
     ◮ Reports, detection rules, IOC, samples archive
     ◮ Sensitivity management
     For tools
     ◮ Expose all the data with an API

  25. Polichombr - Workflow: Team reversing
     Skelenox
     ◮ IDA Python script
     ◮ Synchronization between user's IDA database and Polichombr
     ◮ Push/pull changes (including other users')
     ◮ Names, comments, types, . . .
     ◮ Realtime identification (using Machoc hashes)

  26. DEMO - Plan (section 4)

  27. DEMO
     Automated analysis
     ◮ Sample metadata
     ◮ Classification
     ◮ Automated reverse!
     Bonus
     ◮ OpenIOC Export

  28. Conclusion - Plan (section 5)

  29. Conclusion
     What we try to achieve
     ◮ Quickly and efficiently produce information about malware
     ◮ Provide a tool for automation and communication of analyses
     About the tool
     ◮ https://github.com/ANSSI-FR/polichombr
     ◮ Can be used for other collaborative reversing tasks =)
     ◮ Pull requests, feedback and suggestions are welcome!
     HR
     ◮ If you like malware analysis,
     ◮ If you were not lost in this presentation,
     ◮ BFS & Sogeti are hiring! ;-)

  30. Conclusion - Q&A
     Thank you for your attention! Questions?
