
Malware Reverse Engineering Process

1. Acquire Malware Specimen
   - Physical Memory
   - Remote Memory Snapshot
   - Live REcon Session
   - Static Binary
   - Forensic Binary Journal
2. Automated Reverse Engineering
   - Responder Pro 2.0
   - Digital DNA
   - REcon
3. Review Automated RE Report
   Report contains suspicious behaviors and malicious characteristics exhibited by code, ranked by severity.
4. Manual Reverse Engineering
   If needed, an analyst can examine the suspicious code objects and conduct additional reverse engineering.
5. Document Findings
   Analyst documents findings in malware report:
   - Processes and Drivers
   - Loaded Modules
   - Network Socket Info
   - Passwords
   - Encryption Keys
   - Decrypted files
   - Order of execution
   - Runtime State Information
   - Rootkits
   - Configuration Information
   - Logged in Users
   - NDIS buffers
   - Open Files
   - Unsaved Documents
   - Live Registry
   - Video Buffers (screen shots)
   - BIOS Memory
   - VOIP Phone calls
   - Instant Messenger chat

Goal: Gain the lowest level of diagnostic visibility in order to detect unknown malware and malicious behaviors.

To obtain our goal we created the latest advances in memory forensics & reverse engineering technology. The result was Digital DNA.
HBGary Malware Reverse Engineering Process
Malware Reverse Engineering Process: Acquire Malware Specimen
1. Create a Responder project, a container for all the files necessary to analyze, annotate and interpret a memory image or static binary.
2. Malware specimens can be analyzed using Responder Pro 2.0 from:
   1. Physical Memory Snapshot
      1. Virtual Machine infection
      2. Regular host infection
   2. Live REcon Session in Virtual Machine
   3. REcon Session on regular host
   4. Static Disassembly Analysis
   5. Combinations of 1 - 4
3. For enterprises, Digital DNA for McAfee ePO enables rapid scanning of the network: the agent runs on hosts and sends results back to the server for further analysis in Responder.
Malware Reverse Engineering Process: Automated Reverse Engineering
1. Responder 2.0 with Digital DNA automatically reverse engineers the malware specimen.
2. Live REcon launches the malware safely in a virtual machine, executes the code, and creates a forensic binary journal for analysis in Responder Pro.
3. Responder automatically analyzes and ranks module behavior.
4. Responder automatically scans suspicious binaries and creates Report entries for further analysis.
Malware Reverse Engineering Process: Review Automated RE Report
1. The Report Tab stores the human-readable results of an analysis and allows the user to quickly create report items from interesting pieces of data.
2. Identifies any SDT entries that contain hooks.
3. Identifies any IDT entries that contain hooks.
4. Identifies many suspicious behaviors such as hidden objects, keywords, IP addresses, API usage, etc.
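The hook checks in items 2 and 3 rest on one question: does each table entry still point into the kernel module that is supposed to own it? The Python below is an added example, not HBGary's or Responder's code; the module address ranges, table entries and the two severity levels are constructed assumptions for illustration, not Digital DNA's scoring.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    """A kernel module's address range, as extracted from a memory image."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed module ranges (hypothetical addresses, not from a real image).
KERNEL_MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x00200000),
    Module("win32k.sys", 0xBF800000, 0x00180000),
    Module("vendor.sys", 0xF8A00000, 0x00010000),
]

# Module expected to own every entry of each table (assumption of the example).
EXPECTED_OWNER = {"SSDT": "ntoskrnl.exe", "IDT": "ntoskrnl.exe"}

def owner_of(addr, modules):
    """Name of the module whose range covers addr, or None if no module does."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None

def find_hooks(table, entries, modules=KERNEL_MODULES):
    """Flag entries that do not point into the table's expected owner.
    entries: list of (index, target address). Returns a list of
    (severity, index, address, owner) sorted highest severity first:
    3 = target lies outside every known module (hidden or injected code),
    2 = target lies in a known module that should not own this table.
    """
    findings = []
    for index, addr in entries:
        owner = owner_of(addr, modules)
        if owner == EXPECTED_OWNER[table]:
            continue
        severity = 3 if owner is None else 2
        findings.append((severity, index, addr, owner))
    return sorted(findings, key=lambda f: f[0], reverse=True)

# Constructed sample SSDT: index 0x42 points into unmapped memory,
# index 0x91 into a third-party driver, the rest into ntoskrnl.
SAMPLE_SSDT = [(0x00, 0x80412340), (0x42, 0xE1000000),
               (0x91, 0xF8A01000), (0xAD, 0x8045F000)]
```

Running `find_hooks("SSDT", SAMPLE_SSDT)` reports the unmapped target first, which is the case an analyst would take into manual reverse engineering.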
Malware Reverse Engineering Process: Manual Reverse Engineering
1. Responder Pro 2.0 provides Analysts with a framework and logical workflow for malware reverse engineering:
   1. Malware installation & deployment factors
   2. Communication factors
   3. Information security factors
   4. Defensive factors
   5. Development factors
   6. Command & control factors
2. Using the Object Tab as a guide, the Analyst performs manual reverse engineering to answer questions about the malware's behavior such as...
Malware Reverse Engineering Process: Manual Reverse Engineering (Cont)
Development Factors
- In what country was the malware created?
- Was it professionally developed?
- Are there multiple versions?
- Is there a platform involved?
- Is there a toolkit involved?
- Are there multiple parts developed by different groups or developers?

Command & Control Factors
- How is the malware controlled by its master?
- Do commands come from a cutout site?
- What commands are supported? Sniffing, logging, search file system, attack
- Poison Pill - self-destruct?

Defensive Factors
- Signs of packing or obfuscation
- AV sabotage
- Does it have self-defense?
- Does it use rootkit techniques/stealth?
- Does it bypass the operating system?

Communication Factors
- Where does it connect to on the Internet? Drop points, update sites, C&C, IP addresses or DNS names
- Incoming or outbound connections?
- Does it use encryption?
- Does it use steganography?

Installation & Deployment Factors
- Does it use the registry?
- Does it drop any files?
- Autorun.inf? USB? Open shares?
- Does it sleep and awaken later?
- JavaScript? Flash?
- Infection point/attack vector

Information Security Factors
- Identify the risks associated with the binary
- What does it steal?
- Does it sniff keystrokes, passwords, two-factor authentication tokens?
- Can it destroy data?
- Can it alter or inject data?
- Does it download additional tools?
Malware Reverse Engineering Process: Manual Reverse Engineering (Cont)
3. Responder Pro 2.0 provides an organized view into malware behavior and traits:
   1. Interrupt Descriptor Table Panel
   2. Network Sockets Panel
   3. Registry Keys Panel
   4. Drivers Panel
   5. Keys & Passwords Panel
   6. Processes Panel
   7. System Descriptor Tables Panel
4. The Responder Canvas Tool provides graphical representations of code and data so an analyst can rapidly identify relationships, view control flow of modules, program dependencies and interactions.
Malware Reverse Engineering Process: Document Findings
1. The Analyst documents the malware in the Report Tab:
   1. Processes and Drivers
   2. Loaded Modules
   3. Network Socket Info
   4. Passwords
   5. Encryption Keys
   6. Decrypted files
   7. Order of execution
   8. Runtime State Information
2. Reports can be exported in several formats:
   1. Adobe (PDF)
   2. Microsoft Excel (XLS)
   3. Comma-separated Value File (CSV)
   4. HTML page
   5. Text file
   6. Rich Text Format file (RTF)
3. Results are incorporated into a formal deliverable.