Malware Forensics Sukwha Kyung The Center for Cybersecurity and - - PowerPoint PPT Presentation



SLIDE 1

ARIZONA STATE UNIVERSITY

The Center for Cybersecurity and Digital Forensics

Malware Forensics

Sukwha Kyung

SLIDE 2

Common Types of Attacks

  • Phishing
  • Malware
  • SQLi
  • XSS
  • MITM
  • DoS
  • Brute-force & Dictionary attacks


SLIDE 4

Current Status



SLIDE 10

Malware

  • A set of instructions (CPU instructions, commands/scripts) that run on the victim's computer and make the system do what an attacker wants it to do.
  • Purpose of malware:
    – Machine level: steal or delete files/information
    – Large scale: spam, relay


SLIDE 12

Malware Forensics

  • Conducting forensic analysis on malicious code
    – Static Analysis: investigating the executable file without running it
    – Dynamic Analysis: observing the malware's activities by running it
  • Not only WHAT, but also HOW:
    – Malware forensics often also involves establishing how the victim's system got infected by the malware (Network Forensics).

SLIDE 13

History

  • Melissa (1999)
  • SQL Slammer (2003)
  • Mydoom (2004)
  • Zeus (2007)
  • Operation Aurora (2009)
  • Stuxnet (2010)
  • CryptoLocker (2013)
  • Sony Pictures hack (2014)
  • Mirai (2016)
  • WannaCry (2017)

SLIDE 14

Types of Malware

  • Virus
  • Worm
  • Trojan
  • Backdoor
  • Rootkit
  • Adware
  • Browser Hijacker
  • Ransomware

SLIDE 15

Mitigation

  • Anti-malware software
    – Intrusion Detection Systems (IDS): Detect & Report
    – Intrusion Prevention Systems (IPS): Detect, Block & Report
  • What is the most naïve way to create a malware signature?


SLIDE 17

Anti-Malware Software

  • What is the most naïve way to create a malware signature?
    – An MD5/SHA-256 sum of the whole file?
    – The attacker can create an unlimited number of variants of the same malware, each with a different hash, just by changing one bit.
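The one-bit argument on this slide, worked through in code. This is an added example, not part of the original slides: SAMPLE is a constructed byte string standing in for a malware binary (it is not real malware), and the n-gram Jaccard score is a toy "fuzzy" signature chosen to show the contrast, not the algorithm any real anti-malware product uses.

```python
"""Added example: a whole-file hash versus a slightly more robust signature.

SAMPLE is a constructed stand-in for a malware binary: a fake header, a
repetitive 'code' region and a repeated C2 string, so that an n-gram
signature has something stable to match on.
"""
import hashlib

SAMPLE = b"MZ\x90\x00" + bytes(range(256)) * 8 + b"evil.example C2 beacon" * 4


def sha256_hex(data: bytes) -> str:
    """Naive signature: SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with one bit flipped (the attacker's cheapest edit)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of every length-n byte sequence that occurs in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two n-gram sets (toy fuzzy signature).

    1.0 means identical n-gram content; a one-bit change adds at most n new
    n-grams and so barely moves the score, unlike the file hash.
    """
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb)


def variant_hashes(data: bytes, count: int) -> set:
    """Flip a different single bit `count` times and collect the SHA-256 digests.

    The result is a set, so its size shows how many distinct 'signatures' the
    attacker obtained for free: one per flipped bit.
    """
    digests = set()
    for i in range(count):
        digests.add(sha256_hex(flip_bit(data, i % len(data), i % 8)))
    return digests


if __name__ == "__main__":
    variant = flip_bit(SAMPLE, 100, 0)
    print("original   :", sha256_hex(SAMPLE))
    print("1-bit flip :", sha256_hex(variant))
    print("n-gram similarity:", round(ngram_similarity(SAMPLE, variant), 4))
    print("distinct hashes from 50 one-bit variants:", len(variant_hashes(SAMPLE, 50)))
```

Every one-bit variant gets a fresh SHA-256, so a hash blocklist needs one entry per variant; the n-gram score stays above 0.95 because the flip touches at most four 4-byte windows out of hundreds. Real products use the same idea in sturdier forms (byte-pattern rules, import hashes, fuzzy hashes such as ssdeep), all of which key on content that the attacker cannot change without changing behaviour.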

SLIDE 18

My Advice

SLIDE 19

Virus

  • "A program that can infect other programs by modifying them to include a, possibly evolved, version of itself."
    – Fred Cohen (1983)

SLIDE 20

Virus Example



SLIDE 23

Packers

  • Not necessarily malicious
  • Compress
  • Encrypt
  • Randomize (Polymorphism)
  • Anti-debug techniques (int / fake jmp)
  • Add junk
  • Anti-VM
  • Virtualization

SLIDE 24

Backdoor

  • A secret method to bypass the normal authentication or encryption of a system.
    – Hidden part of a program
    – Separate program
    – Default passwords
  • E.g.) Clipper chip (1993)

SLIDE 25

Backdoor

SLIDE 26

Reverse Backdoor

SLIDE 27

Trojan

  • The class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim's computer.

SLIDE 28

Trojan

  • E.g.) "waterfalls.scr", a free waterfall screensaver.
  • When run, it loads and executes hidden programs, commands or scripts, with or without the user's knowledge or consent.

SLIDE 29

Trojan

  • "To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software."
    – Ken Thompson (Turing Award acceptance lecture, 1983)

SLIDE 30

Rootkit

  • Any software that acquires and maintains privileged access to the operating system while hiding its presence by subverting normal OS behavior.
    – Symantec Report

SLIDE 31

Rootkit

  • Kernel Rootkit

SLIDE 32

Rootkit

  • Windows Kernel

SLIDE 33

Rootkit

  • Kernel Device Driver

SLIDE 34

Rootkit

  • Bootkit
    – Infects the Master Boot Record (MBR), the Volume Boot Record (VBR) or the boot sector, and so gains control during system startup.
    – Can be used to bypass all protections of the OS, because the OS assumes the system was in a trusted state at the moment its boot loader took control.


SLIDE 36

Worm

  • A self-replicating program that uses a network to send copies of itself to other nodes, without any user intervention.
  • Typically exploits security flaws in widely used services, such as buffer overflow vulnerabilities in a network service.

SLIDE 37

Worm

  • Morris worm (1988)
    – Infected approximately 6,000 machines
      • ~10% of the entire Internet at the time
    – Cost: ~$10 million

SLIDE 38

Solution

SLIDE 39

Worm

  • Code Red worm (2001)
    – Descendant of the Morris worm in design: spread by exploiting a buffer overflow in a network service (Microsoft IIS)
    – Infected more than 500,000 servers
      • Programmed to go into infinite sleep mode (July 28)
    – ~$2.6 billion in damage
  • Love Bug worm (2000)
    – Email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs"
    – ~$8.75 billion in damage

SLIDE 40

Virus vs Trojan vs Worm

  • Virus: code embedded in a file or program
  • Viruses and Trojan horses rely on human intervention
  • Worms are self-contained and may spread autonomously

SLIDE 41

Browser hijacking

SLIDE 42

Adware

SLIDE 43

Browser Toolbar

SLIDE 44

Ransomware


SLIDE 46

Mobile Ransomware


SLIDE 49

Botnet

  • Collection of compromised hosts
    – Network of 'bots' (or 'zombies')
    – Spread like worms and viruses
    – Respond to remote commands

SLIDE 50

Botnet

  • One of the major threats:
    – Consist of a large pool (millions) of compromised computers (a.k.a. Zombie Armies)
    – Carry out sophisticated attacks to disrupt, gather sensitive data, or grow the armies
      • Spam forwarding (~70% of all spam)
      • Key logging
      • DDoS
    – Vint Cerf (2007): estimated that up to 25% of hosts connected to the Internet could be part of a botnet

SLIDE 51

Malware Analysis

  • A malware sample is executed in a controlled environment, which makes it possible to observe the traffic exchanged between the bot and its command and control (C&C) server(s).
  • Involves reverse engineering
  • Researchers join a botnet to perform analysis from the inside.

SLIDE 52

Windows PE format

  • PE classification
    – Portable Executable (PE): the executable file format based on the Common Object File Format (COFF), used by Windows NT 3.1 and later
    – File types: EXE, DLL, SYS/VXD, SCR, OCX
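A static-analysis check that ties this slide to the packers slide (slide 23): walk the PE headers to the section table and score each section's byte entropy, since compressed or encrypted sections are the usual first hint that a packer was used. This is an added example, not code from the original slides. The sample file is constructed inside build_sample_pe() (a PE32+ skeleton that will not actually execute), the section names ".text" and "UPX1" are chosen for the demonstration, and the 7.0 bits/byte threshold is an assumption to be tuned against a real corpus.

```python
"""Added example: minimal PE section-table parser with per-section entropy."""
import math
import random
import struct
from collections import Counter

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_PLUS_MAGIC = 0x20B
COFF_HEADER = "<HHIIIHH"            # Machine, NumberOfSections, TimeDateStamp,
                                    # PointerToSymbolTable, NumberOfSymbols,
                                    # SizeOfOptionalHeader, Characteristics (20 bytes)
SECTION_HEADER = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER (40 bytes)
PACKED_ENTROPY_THRESHOLD = 7.0      # bits/byte; assumption for this example


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Decode just enough of the DOS, PE/COFF and section headers to locate
    and score every section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)       # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER)
    (magic,) = struct.unpack_from("<H", pe, opt_off)       # 0x10B = PE32, 0x20B = PE32+
    sec_off = opt_off + opt_size                           # section table follows the optional header
    sec_len = struct.calcsize(SECTION_HEADER)
    if sec_off + nsections * sec_len > len(pe):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, pe, sec_off + i * sec_len)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "raw_offset": raw_ptr,
            "truncated": len(raw) < raw_size,   # header claims more bytes than the file holds
            "characteristics": chars,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return {"machine": machine, "magic": magic, "sections": sections}


def suspicious_sections(info: dict, threshold: float = PACKED_ENTROPY_THRESHOLD) -> list:
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in info["sections"] if s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed input: PE32+ skeleton with a low-entropy '.text' section and a
    pseudo-random 'UPX1' section standing in for packed code."""
    file_align, sect_size = 512, 4096
    prologue = b"\x55\x48\x89\xe5\x48\x83\xec\x20\xe8\x00\x00\x00\x00\xc9\xc3"
    text = (prologue * 300)[:sect_size].ljust(sect_size, b"\xcc")
    rng = random.Random(1)                                 # deterministic "ciphertext"
    packed = bytes(rng.randrange(256) for _ in range(sect_size))

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240                                               # PE32+ optional header size
    optional = struct.pack("<H", PE32_PLUS_MAGIC).ljust(opt_size, b"\0")
    coff = struct.pack(COFF_HEADER, IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, opt_size, 0x22)
    hdr_len = len(dos) + 4 + len(coff) + len(optional) + 2 * struct.calcsize(SECTION_HEADER)
    text_ptr = (hdr_len + file_align - 1) // file_align * file_align
    packed_ptr = text_ptr + sect_size
    sec_text = struct.pack(SECTION_HEADER, b".text", sect_size, 0x1000, sect_size, text_ptr,
                           0, 0, 0, 0, 0x60000020)          # CODE | EXECUTE | READ
    sec_upx = struct.pack(SECTION_HEADER, b"UPX1", sect_size, 0x2000, sect_size, packed_ptr,
                          0, 0, 0, 0, 0xE0000040)           # DATA | EXECUTE | READ | WRITE
    headers = (dos + b"PE\0\0" + coff + optional + sec_text + sec_upx).ljust(text_ptr, b"\0")
    return headers + text + packed


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"machine=0x{info['machine']:04x} magic=0x{info['magic']:03x}")
    for s in info["sections"]:
        print(f"{s['name']:<8} raw=0x{s['raw_offset']:06x}+0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.3f}{'  TRUNCATED' if s['truncated'] else ''}")
    print("likely packed:", suspicious_sections(info))
```

Two practitioner caveats the code makes visible: the `truncated` flag catches headers that claim more raw data than the file contains (common in damaged or deliberately malformed samples, and a frequent crash source for naive parsers), and the entropy threshold is a heuristic, since legitimate resources such as embedded images or certificates also score high.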

SLIDE 53

Static Analysis

  • Manual investigation
    – Disassembly and debugging: OllyDbg, IDA Pro
    – VM-based memory analysis

SLIDE 54

Dynamic Analysis

  • Monitors processes, file access, DLL loading, registry changes, network connections, etc.
  • Tools:
    – Anubis
    – CWSandbox
    – Norman Sandbox
    – Joebox
    – VirusTotal

SLIDE 55

Demo