Security: Malware Analysis

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

and this presentation we're going to have a look at some real malware analysis so an important element of this is really to understand all the different code types that are actually involved from high-level language into intermediate language and then into the machine code there aren't too many taxonomy is around for for malware analysis but we'll try and develop our own and see if we can actually try to classify different types of malware then from there but look at the basic methods that we can use to analyze our malware such as static analysis dynamic and also call the analysis then sometimes what we have to do is to look at your files and some detail so I have a look at Somerby politically analyze a file and for this we'll have a look at the flash file format then we'll look at some real malware as it runs and how we can actually identify the problems that it causes and finally have a look at our basic exploit kit to see how real malware is actually written okay so we have various different types of code that are that is used to run software but all of them will run some sort of executable code on the hardware unfortunately it's very difficult for us to be able to understand the ones and zeros that the Machine uses so we normally use a high-level saw record normally what we have is a high-level source code C++ fortran basic and then that's then compiled into our machine code and this is known as object code the object code can't be run on its own because it has gaps and it's such as being able to enter forced face to the keyboard or to the display but it's a small part of the code and then when linked together with some static libraries or other object code with a linker reducer portable executable which can be and run on the system we will run it it runs as a process and then we can debug that process with the debugger or from the exe if we need to reverse the code back again we can use a decompiler to get the original source code as we'll see you later malware writers like to scramble the code so it makes it very difficult to get the code back again often though and click on core increasingly what we have is that we have a lighter exe which doesn't have as much object code and calls the object code that requires or recorder it requires through a dynamic link library so this when the process runs hopes that it will be able to get access to a dll for the additional code that actually needs this honor when the system is often in the windows system32 folder so for that we can compile directly to dll and the dll can then we call by the process advantage with us is that we can update our dll's on the system without requiring the whole exe to be updated the problem with this though is that we can have what's called DLL hell where what certain exe doesn't bind very well to a new DLL another method that we can have to participation level or on assemble our mitts level with us we use an assembler to convert this assembly language level such as move ads and so on into our machine code see you later that sometimes malware writers write this level so they can always get to what they are actually doing and run code directly on the machine the other type of code that we have as a high-level source code which is interpreted selamat is such as basic COBOL less Python Ruby ESP PHP JavaScript and so on I'll use an interpreted method where the code is run at runtime on Templeton then it's up to the interpreter to produce the cord that's required to be run on the machine code bandaged with us is theirs it can be machine independent where this tends to be written for the machine the different types of code that we have this is the normal type of code high level called C++ is compiled into either 32-bit or 64-bit object code then is created as portable executable to run on this operating system problem with this is that a binds directly to the hardware into the operating system we can't really move it to another system without suicide without special software also we just need one piece of bad software and it can hog the CPU memory and so on another type of code that we have and one that's increasingly used is to be able to run our code with inside our framework such as the dotnet framework or the Java framework but this will install the framework into the operating system and it's up to the opposites the system to convert from an intermediate format and to that to a hardware requirement for the system so for this we have our high level chords G sharp the vb.net Java within compiled into an intermediate format which is a near machine ready format as possible the framework then converts this intermediate format into the format required for the hardware this will always be slower in this type of system but it means that the code can be checked and bad chords doesn't affect the rest of the system we also can make it portable or the same executable can run on different types of hardware such as we can install a dotnet framework onto Android or into micro s and on to Windows and then the same executable can run on each of the operating systems with inside their own dotnet framework overall in a Windows machine we have two levels two main levels of privilege ring zero as where oh the can kernel drivers are so when rootkit is installed it will be installed into this level which gives it the highest level of privilege most of our application programs and other dll's run and rank three increasingly what we do though is we run with inside of virtualized environment so the operating system doesn't run directly on the hardware we run at with inside of our virtualization infrastructure such as VMware as you see later this is where we run our mouth where with your malware analysis so that the system doesn't affect our own base system if we have code that's written for another type of hardware then we can use an emulator to be able to convert from the machine architecture that the code is run on such as for a cisco iOS device or for the ZX Spectrum even we can take those cutable here and the emulator will then convert this code into the required code for the hardware and the last type is when we have some scripting and with this we have an application which runs some scripts such as for VB with inside office JavaScript with inside a browser and a dog script with inside flash and PDF this can cause as many many problems as we'll see later as a malicious script can run with inside one of these privileged applications and it can cause a problem on the system so let's see if we can define the basic taxonomy for malware analysis okay so this is our quite a simple one but what we still allow us to be able to classify our malware and see if we can actually determine its operation so in this case a malware has a certain classification and is distributed by a certain method so the distribution method might be through JavaScript through flash or PDF or could be through a Trojan method and this will have certain observable events for the distribution as much as possible the malware writer will probably try to hide some of this so they will try to office key it could be changing the codes and so on for the distribution method and then that this will have some sort of system compromise to be able to stay resident or persistent on the system and we can then find the the malware using some observable persistence method so might be you in the registry might be files on the system might be processes that actually run but again the malware write to opera will try to office key it try to hide try to change so that the scanner doesn't pick it up and then the malware is then triggered by a certain event it can be by a user using a browser or pressing a certain key or or logging into the bank or something like that and then what we see then is observable attack methods might be to delete files to build steal data and so on so there will be a certain attack method which then results in some damage for certain objectives okay so this we can see here there's a classification we have some distribution method we have some way where it stays persistent on the machine it has some trigger it then has some attack doesn't which and this or usually some reason behind them are where and the first place so first let's look at some classifications of malware it's quite difficult to really classify them in any great detail because there are so many different types but let's see if we can put them into the same classes okay so one of the first ones that that were created where were viruses and with viruses the tenth they tended to replicate themselves and were there to really try and spread as much as well as possible but it was generally a piece of malicious software that did something bad on the system maybe tried to steal data or even delete it or change in some way then we have malevolent worms in this case a worm will try to exhaust the system such as using up too much CPU or network bandwidth and so on and we generally compromise the quality service of the overall network then we have the Trojan horses Trojan horses generally though the users are tricked into something that's thinking something is valid and then a piece of malicious software as then run in the background which can do damage then we can have byte doors and when the backdoor software has been written so that there is an intentional hook that someone can get into the software and compromise the system then we can have some sort of exploit so there might be a problem with inside the dough breeder or flash or even with like Windows or a browser and the malware will exploit the cyclist protocols compromise in the system and then also we're increasingly seeing what's called ransomware and in this case a MOBA writer does something to the system such as with acceptor Locker where it might take lots of files and then encrypt them and only by paying the malware writers back some money then they will be able to decrypt the files okay so this gives us a basic sort of classification of the different types of malware that we'll look at later on we'll look at an exploit on our system using Adobe Flash so let's have a look at some real malware analysis so often borders were analyzed in a while the malware statically then I'm a clean and then to look at the code okay so the flash method of use is to look at the basic signature of the of the malware to see if it is well known malware may be adizero or it may be a well known one so we usually use something like virustotal to be able to scan for a piece of malware to see if the if other scanners wireless scanner so I've actually picked up the other ways that we can look at the hex view to be able to see if I can see certain strings with insight they the malware okay so let's have a quick look here okay so I'll just choose our malware so we're running with inside XP here and we have our zip file with the malware and so just scan it it's been scanned before so for two - OH - 47 scanners have identified this as possible malware and we can see here's the antivirus scanners and each of them calls on something differently but this should be all the same type of file of Marwa some of these are not identified at all which is but one in the boards those are they scans them so we can take a hash signature offered to be able to identify a certain sin at file because it might change but it can still save let's do the same down to those execution I can see within sites there that's the file that we have identified okay so so this will give us some idea whether this is a problem then we can look at it with our X viewer to see if we cannot identify any strings within sighted okay so we can have a look through and see if we can identify anything the MZ as a as a standard file startup magic file number for an executable so that's not really giving us too much away them but we should be able to find a unique string that we can actually take off our hex string or an ASCII string to build identify if the file exists on the system and we might be able to scroll through and find some things sometimes the writer actual leaves that email address because some things here there's a version number and there there is a company name it's not really given too much away there and the product name again it's not really given too much but that's that might be enough to be able to identify the malware on its own okay so we can also look at the zip file with the Exe in there because we might want to detect this with our intrusion detection system or our email system so we could take a caption of that okay so that that defines our static analysis next thing we might do is we might want to do a dynamic analysis so with the dynamic analysis we've got a few different methods that we can use we can do a file integrity check so we can use something like our integrity checker we can check all the files on the system and see if they've been changed we might look at some file monitoring to see when we run them out where what files and add to the change so we can use proc mourn for that we might look at the registry to see what the keys are chains with inside the registry when we run the malware what processes might run when the malware runs and then we might want to monitor the network to see what network connections are actually created from the Lamar web so the first thing we'll do is we'll show how the file integrity checker can actually work which you're a basic example of that so in this case we've downloaded to the FC Ivy program from Microsoft and the salk did database of high signatures that we can check against so let's see if we can find our our VM again okay so we kept it kept quite simple just downloaded the sir FC IV package you see the very basic goodbye to file so we're going to create our database of shell one file signatures and we're going to scan the wall of the system - our Akash stuff here for old text files we can do it with any file but we just make a text files just now just to illustrate it then this will then list those vow signatures and then finally we'll change the file and then see if it detects this or this this this line won't actually run just now okay so let's generate them okay so that's found all the text files on the system okay then there's all the shower one signature for it okay so what we'll do is we'll go in and find one of these text files go and update it so this could be the malware that's doing this so if we change it now that hopefully this don't apply and then we just run this last line and hopefully it's detected that file been changed okay so this is a similar to tripwire where are we but we would create high signatures of all the files on our machine and then would look to put the detected by running again and looking at any changes that actually happened on the system so the other types of dynamic and also we can do is file monitoring look at files it's creating look at the registry keys or create or delete we can run snort and wire shot to look at network activity and we can also look at the process monitoring to see what processes and threads it starts up okay so let's run the real malware here so the first thing we're going to do is we're just going to check that we have no network connection and what we'll do is we'll make a private address okay so we'll make a 10.0 that 0.1 let's IP address gateways 8.2 and then the dns is it dot 3 so let's check that we have no network connection ok the ribbons find them and we'll just check the IP address again so it's not writable everything's fine so order is that will start up broke mom process name were looking for DQ dot exe okay so this is going to monitor our registry file activity network activity and processes hopefully for the program startup and will also come set up wireshark see if we can detect some network activity okay so everything's all ready to go okay so they malware that we have is here okay so it's our clean system so when I run it and we can see nothing really seems to happen although when we look over here los seems to have happened okay so this this is shown as the there's the process started create a thread okay and then it has a few things then it then tries to create a file and brief one two three fetch this is all its activity here so we can see then it starts to look a certain registry keys okay so quite a significant one is in this this one here we'll have a look at that in a little minute so as it runs through their sopping up a few their software make us off to having a look a lot of the keys then and here we go here is created file in there and here we go so tries to create this file here this path not found and then what it does is it goes and creates that folder then it actually creates the file afterwards so there you go so it's not easy to file and if you remember the name of that file we'll have a search for that in a little minute so first thing we'll do is we'll have a look at the red strip because that's obviously the place that I will go to to discover some things or to start themselv back up when the system is rebooted so we could search the prog Mon for this but actually we can usually go and find them in the current user software Microsoft Windows conversion run and there we go there is them so you can see there the program when it restarts will run from here we'll run this little program again which means they'll persist on the system so we can delete that registry key if we want it so let's have a look at the other file that essentially created so some recycle on and see there's nothing else in there so then we're going now I mean there's nothing there but if you look at these are hidden files can we erase them looks like the rays but they're not stole them and the reason for that is that they've been set to be system hidden and read-only so we're going to go in one hour time and change the attributes so that one we can now delete it I'll have one okay so that reducer this one - the same again so I won't come back we got the litter just now because it's read-only so what we've got to do is we've got to go and make the reset the ridge have to be honored and now we'll be able to do later okay so that's a deleted so let's have a look at some of our network traffic so we can see here this was really happening here as it's doing a name committee on this this domain here so we've seen a little minute that's what is that is try to do send spam so you can see there that they that the malware is trying to find the DNS server that was not three doesn't finder so it doesn't does an ARP does a lookup from the Microsoft name server to see if I can actually find them okay so it's continually trying to try to get out onto the internet to find this server here solders will just quit should be really quick cleaners but what's the one thing that we can do is we can go back and we can get our snapshot backs to go back to a clean image again so what we'll do now is we'll have a look at what this malware actually does so this is a capture of when the malware was out to the giving given a network connection okay so you can see here this is lead capture from it and there's what we seen before so this is when we have our network address of $10 0.021 so what we do is that we allow the bot the malware to be able to collect we should see that happening in a la minute okay so somewhere around here we are now connected back onto the Internet okay so there is a DNS query it is then able to find the IP address and then it does our connection so it's resolved it two to one 7.20 3.2 to one five nine okay so there's this in this is our first connection after our successful DNS so what we'll do is we'll follow that and we'll see what it tries to do okay so it's connecting to what it thinks is an SMTP server here so it's always looking to spam so doesn't know hoe do it this is the server that it's trying to spam but it does not it get connected it tries another one again doesn't get connected and so you can actually see that this is trying to spam just continually keep trying and trying until I can get a connection and send us spam okay so so that's shown an example of our malware analysis another thing we would often do is do the net stat - II to see the port's which were open up on the machine before and and after okay so this is white or clean image here let's that - II will actually give us which port and it could be that a new port as has been created another type of analysis that we might do is we might look at P Lord and ask because we obviously want to build that when a bot is or malware is actually arriving at our machine so let's look an example of an email coming in on SMTP port 25 and we can see here there is a the malware is in a zip file and with a zip file with an email message SMTP what we have is we have mine which which breaks it makes a message up into a number of different ad formats and what it does is it will take any binary and convert it in to be 64 so here we see zip converting them to be 64 format so if we wanted to let this and snort as an email we will detect this mess this as part of the appeal would because that's the be 64 so it's not the zip file the zip file is converted into a base64 format so if we want to build the detector remember that it's not the zip file signature were detecting for email is the base64 so what we'll do is we'll send it as an email attachment will run snore and we'll see if we can actually detect it so on snort we have alert or IDs and hopefully when we sand to the email will be able to detect them okay so what what we've got set up here is so this is one dose 2003 BM which is have a look to see what IP address us and this is this should have source 47 one two three four seven one two three four and we should find that this should have SMTP running as a house so run on the service and what we'll do is we'll connect the spike onto the network so now it should get its IP addresses from VMware and connect to the same network as the other VM okay so just see if the other VM is alive 47 dot 134 that's fine so we're going to send us an email message so if you want we can actually have a look at the washer trace so that we can also see the email message going out just to prove that let's be 64 all right so let's have a look and so I just created very simple rules file here so I've taken our example of the base64 and this is what it is so then let's have a look at the interfaces that we have to think we're on interface one okay so that's it now waiting so snarl is now detecting the network packets so then we'll create a new account okay so we don't really need pop but setup anyway let's SMTP that we really want okay so that's clearly an email message tesara malware then send it okay so you can see that I went through quite quickly there so there's a poor 25 there's the message okay so so that's a standard email message for sending and there we go there's the base64 of our message that's the whole of the zip file so hopefully gosh crossed when we look in our alert server something in there there we go okay so we can see that snore is actually B nib is able to detect the malware and an email message okay that is port 25 there's the Machine recoleta - and there are there are machine them okay so that's that's the Nutmeg analysis where we can actually use snort to be able to detect the malware okay so after static analysis and dynamic analysis we then might do some sort of cool analysis so with us what we're trying to do is we're trying to get back the original chord we'll try to analyze a way that it runs and to see what behavior of the core data is so officer a.net or a java application it's fairly easy for us to disassemble the code because it's in a form that we can actually get back again okay so let's run a disassembler let's see if we can open up a program this is the exe that will open it up and we should be able to find that all the details of the code are actually embedded into the exe so it's fairly easy for us to get the code back again and for us to be able to run it on a debugger we can also use a program if the programs written in C++ such as I da Pro and with this we can actually have a look at the registers and debug the code as it's actually running okay so let's run up and this is a malware here okay so we can add breakpoints and so for the we can actually have a look at the code and the way it branches into each the different areas but in this case with here's the first few lines of it and what I've done is I did a breakpoint them and then we might want to run the cord I can see it's broken here so those are the registers that have just been changed and these are all the registers here so from here we can actually have a look at the memory the threads that are generated and so on and then hopefully get some idea of how the court to the runs so graphical interface I can see where the cord actually runs to and what it's actually doing again another program we can use is visual studio where we can actually examine the cord as it runs look at memory and look at the December chord registers and slack and so on okay so this shows an example here we have a C++ chord and we can actually run it and put it on breakpoints and then we can look at the registers as the change we can look at this disassembly so for our exe this is the the Machine chord this emblem each chord and this is the chord the high level chord here we can also look at variables and things like that okay so this gives us some idea where the cord actually runs okay so when when the debugger runs we actually see any changes in and read yeah okay so this shows an example of our C++ code which has been converted into same language and we use instructions such as move that moves data from one place to the next interrupt will interrupt the processor and do something add and subtract push and pop we'll see in a little minute call allows us to call a function return returned from it then we have basic operation so just compare jump F equals and pinaki walk and jump non conditionally so you can see that each of the high-level commands that we have get converted into these machine code operations so as we go through the values at to change so the IP is what's called the instruction pointer and tells us where we should actually call the call execute code next so when we're here the IP says that we need to execute this line next as we go through then it says EC which means this line and so on so the instruction pointer is important it's part of the cord that tells us where we should be executing next the other important one is the stack pointer so that pointers will see is used to to put values up onto the stack and pick them off again okay so when we see the execution of this one this is the memory location of a memorization of B so 1 goes into medication of a 2 it goes into the medication of B we then take the member kitchen of a and be put into the e X register there is one now we're going to add up what Evers and B to e X so when I get a value of 3 okay so we can see here how the processor actually steps through the code so the registers that we have our AE X which is a general-purpose 32-bit register and then we have stack pointer s es ESI a solid instruction pointer and then the stack pointer okay e IP is instruction pointer an important concept is focus off the stack with the stack we push values onto the stack and then we pop them off source are lastin first-out type of approach so in this case we'll have some code what we do is that we push our values on to the stack stack we'll do with the function will perform some operation but what we want to make sure is that the values that we have back are the same as when we left the code so we should be able to jump to this code here we push the registers that we're going to use then go to use with inside the code onto the stack and then the end we pop them pop them back off to make sure that the all the registers are the same as as when the left to call the function okay so the push pushes on to the stack and then the politics of always back off again this should be taken off in the collect order okay so this shows the stack area the stack pointer our identifies where we are in the stack and then we push and pop the values back off we have a shared memory with inside our processor x86 architecture record and data share the same memory but have different and pointers so apart from examining Network traces and obviously the dynamic operation of the code often what we have to do is we have to analyze the files in great detail either as content the documents or is the fragments of data that are left behind so let's have a look at at one type of file and that will have a look at a flash file so that we can actually examine its content okay so when we examine any sort of document type file normally has an extension so a JPEG has a dot jpg extension gift with a dot gift each of these files is normally identified with this first starting few bytes known as the the magic number so I give will typically start with a 47 49 46 38 in hexadecimal or G I have 8 9 so if we have a look at this these are a number of magic numbers that we have so for example for the gift file and here's an example here okay so the first three bytes are these we'll have a look at the binary we see here there's the gif89a and then what follows is normally a standard format that we can actually analyze in this case the gift has things like the version number the height and the width are the values that come next so after the after these values and in this case we have two values for the width and so there's three values and then the line there and this is the these two values the width and the height so it's from these that we can actually determine some of the parameters of the of the files okay - typical files that that we often see on earth are used for Maya where our flash files as WF or SWF is fw s at the first three bytes and PDF so PDF and we'll have a % PDF at the start is these two type files files Falcon file types that actually used to compromise the systems in the files that we'll look at later okay so if we want to have a look at flash files oh yeah so the first three bytes are FWS okay so let's have a lot more looking in a bit more detail as to the things that come next because it's obviously important that we can understand things like the version number bar and what some of the tags are on the file content so when we've got a flash file we should see FWS at the start there is another type and that's when we have a compressed header so with a compressed header we have at the start CWS so we can see in this case we have CWS what happens is that after this we actually have a compressed header it is compressed with the zealot ZEB lip balm at compression format so in this case this this this webpage will actually decompress the desired format so it can be viewed in the same way as the other flash files can then the next byte that we have is the version number and that's very important in flash because certain compromises in flash relate to certain values of the of the flash content so in this case the fourth byte gives us our version number and then the next four bytes gives us our our file size and it's defined in a little endian format so this is the least significant byte next more significant byte and so on so if we actually run our calculator and we bring up hexadecimal so the value 1/2 is 0 0 0 0 2 3 0 5 convert that to decimal and we get value of 8 9 6 5 8 9 six-five okay so remember for the Intel its little endian format the little the smallest bytes of the 32 bit then integer comes first if we're dealing with the with the old Mac type format and it was a big Indian or the most significant byte was first but most of the times we deal with this little endian format the values that come next will then determine the number of bits that we have for the format so the and the next bites will actually define the minimum X and minimum Y and the maximum X and maximum Y so this whole line here is actually defined this it defines the number of bits that we have in each of the XY coordinates then if you want to see this in more detail then I've added the specification on the website after this we then get the frame rate so that's how fast the flame so flash this is a frame based system where we have a number of frames and then we'll move through the frames a certain speed so in this case 0 C is 12 so we have 12 frames per second and the next two numbers to find the number of frames that we actually have with inside the package after this we have what are called data tags and with us we have a 10 but identifier for the tag so it might be defining the font might be defining a line might be defining an image and so on and these these tags are well defined within the flash format and then the next bits to find the size of the number of bytes are used for that tag okay so a tag number 9 defines that the background color is set and in this case we're going to have 3 bytes so this is set background color and the red green and blue so that sets the background color to white so when we look at a file we can see there's the 12 frames right there's the count so if we can have a look at that one that's what that actually looks like and some so we can use a package to be able to deter reverse-engineer our code so we can also use our D compiler for flash and this case we have a package called wladim and we can disassemble our flash code so let's take this one and - D and see here that we can get all the basic script from the court so now as we saw before there's the frames frame rates and so on and then we have these tags with inside the code and then it's tagged as a set an ID and we can see we can reverse all the flash code from from there okay so as our strong skill to be able to be to look at the files file contents and then to examine the byte details one thing to notice here there here is a GFI F which is at a JPEG so there's actually a JPEG file wrapped and with inside this flash file and FF d 8 is a standard sign of our star offer of a flash of our JPEG file so let's look an example exploit kit so we using the Phoenix to exploit kit and we'll be looking at a couple of examples and how the malware writer creates the exploit ok so there's three key vulnerabilities that will actually have a look at and we'll see how they work the one of the stole one of the most pop well is a CV 2007 zero zero seven one and that exploits the uses an exploit in Flash Player eight and nine to be able to trigger a buffer overflow and compromise the system so we'll see that with the would flash script then we'll look at CVE 2006 0 0 0 3 and that exploits the height of X date object for M Dec 2.7 and 2.8 and allows attackers to run some code on the system and then the last one is CV 2010 zero eight zero six which crops the the memory on the system okay so we'll have a look now at the exploit kit and have her to the works but what we'll find is that it's all done in JavaScript there was a specially crafted PDFs and Flash content Flash content uses this ActionScript here a Dyson script runs with inside the flash and is able to load up the malicious JavaScript what happened is that certain websites will be actually shown when the user calls up the site okay so let's have a look look at the exploit kit to Google saw their set and content in there such as the Flash content but we're going to have a look at the first one here which is using flash to be able to load up certain URLs so we'll actually have a look at up here instead okay so here's the the main HTML file HTML but really it's all JavaScript so you can see from the start to the finish just one big JavaScript so the first exploit is is this one so when the script is run so run this run all these it won't run this yet because it's a function so it won't run any of these functions you'll get to the end and run this em DAC okay so that's how we read the JavaScript so the first thing it's doing is to creating an object so we have a look at that clears our with an idea of PDF we then have this data here so the first thing is doing is creating what's called shell shell called with a shell cord what happens is that this will execute an x86 op cords here so 50c I think is push 50 is push also and so on so just like when we looked before there sample image cord these are the opcodes so this is going to run some script actually on the machine okay so I so that woods up these three variables we then run this em DAC because as we've seen at the very bottom it runs em DAC as a function so when MDOC runs it will now create an object this is our ID here as we've done then for the object it now runs the shell cord we create shell code and out of the tries to to run the shell code on the system that doesn't work then we then also was trying to run trying to save that cordon to and an exe and to run it that doesn't work then I'll call up this SWF function here okay and this is where we're now calling up the flash so the first one was I was a shell script this one now is the one that will build up a link with inside the flash object in the browser so what's going to happen is that these will get passed into the flash object and we'll see how that that happens in a minute but but that's sad let's see what these are and actually these are over skated links so if we would pull up our security website and we'll look at pops let's let's do again and let's look according and then we'll do our conversion okay so this is the hexadecimal for this website so what's going to happen is that this is a they're going to load that website into the browser and let's see if that site exists doesn't exist anymore this is good and we'll have a look at the next one the next one this is a directory and there we go so there's a version another another website that will get called up it's obviously been closed down up okay and so we could do the same for all these things here 20 looks like lots of species and so on so this is going to create a new flash object okay so there's the F data getting set to these these values probably some sort of script that's going to happen with inside flash then what we do is load flash okay so this actually creates the flash object it's going to bring in flash okay so flash will be then created now what happens is that with inside flash someone has written a ActionScript this is nice in script 3 so what should happen on frame 1 it calls up the interface and then it will receive the the JavaScript code from the interface Fidelis there so so the flash itself then says okay call up JavaScript JavaScript then we'll then take this F data the FDA then gets passed and to the ActionScript and will compromise the flash and we'll show the the web browser page okay so that's the that's the second compromise that we have there okay so again it tries to run the Excel script again and then if it doesn't do that it'll try and do the flash and then the final vulnerability of this one is the is again it tries to run our shell script so again these are the this is the shell script that will compromise the memory of the of the do the browser okay so that's showing an example of our exploit kit and this is still one of the the most popular exploits and so so we've covered quite a lot of detail there we've looked to some different court types and malware analysis is very important that that really the analyzer can understand a whole range of software development environments from high level cords to low level debugging looked at some basic classifications and hopefully in other of the presentations you'll be able to see some of these and then we dived into the real-life malware we looked at some static analysis where we can actually copy signatures and then onto some dynamic analysis where we looked at the registers the memory the processes and so on and we could actually see what the malware actually did and then went on to look at some chord analysis where we can look at the Machine chord and how it actually runs and we can look at some disassembler and other modules would be looking at this in more detail and then we'll look to some of the techniques that we might use to be able to flans italy analyze some of the files that were looking at certainly to be able to look at the specifications for the file formats and then to pick off each byte one by one and try and understand how the file is being created and then we looked at an some real-life malware and we examined a real-life exploit kit okay so other modules in this series will actually look in more details at some of these things thank you

Info

Channel: Bill Buchanan OBE

Views: 39,027

Rating: 4.848485 out of 5

Keywords: Malware (Software Genre), Security (Quotation Subject), Computer Security (Industry), Security (Taxonomy Subject)

Id: D4pc63SeHxI

Channel Id: undefined

Length: 68min 15sec (4095 seconds)

Published: Fri Jan 03 2014