00:04 Welcome to Cybrary. My name is Sean Pierce, and I'm the subject matter expert for malware analysis.

00:08 I'll be teaching a short introductory series of these videos.

00:13 Today I'm going to be covering the first class, which is basic terminology and a quick, like, one-minute triage of some malware.

00:22 So who am I?

00:24 Well, as I said before, my name is Sean Pierce. I have a number of certifications,

00:30 such as a CISSP,

00:32 uh, my Twitter handle.

00:34 If you need to email me, there's an email there. I've worked as a malware analyst

00:39 for a few years,

00:41 and I

00:44 I am not a penetration tester. I'm not a developer, and my employer is a company called iSIGHT.

00:51 Uh, and I am not a PR guy for them. And whatever opinions I have, they're mine,

00:57 not my company's.

00:59 So let's just jump right into it. So what exactly is malware analysis and why is it useful?

01:04 Now,

01:06 this is because mainly antivirus software can't be relied upon, because it is a very difficult task to write a program or make an algorithm to determine if some software is malicious,

01:18 and some people say AV, the antivirus, is dead. I wouldn't go so far as to say that,

01:25 because they do catch a lot of old stuff.

01:27 But statistics show that

01:30 when malware is released on Day zero or Day One,

01:34 uh,

01:36 it's only

01:38 detected about 17% of the time, on average, between all of the vendors. By day 10 it's usually up to, like, 32 to 80%. That's a huge range of detection, and most of that issue

01:53 is due to heuristics. So

01:57 the malware, or the antivirus vendor, may not actually know it's malicious. It's just taking a guess.

02:05 So,

02:06 um,

02:07 why is it important that we pay so close attention to malware analysis? Because 50 to 97% of breaches involve malware,

02:16 and that's a huge amount.

02:20 And

02:21 you might consider, like, okay, that's kind of obvious, but maybe not necessarily. Maybe there's SQL injection and someone steals the database. Okay, no real malware was used, but

02:31 in most breaches, malware

02:35 is automating some task for an attacker, or

02:39 instead of automation, they are increasing their capabilities there.

02:45 They're taking advantage of a vulnerability on the system. They're exploiting something. Maybe they

02:52 are increasing their foothold on the system. Maybe they use some malware to automatically create a new administrator

03:00 user. Maybe

03:01 they want to automate something, like lower some security settings, like the firewall, preventing some security pop-up warning.

03:12 Maybe they're preventing some security pop-up

03:15 dialogs from appearing to the user. Maybe they want to enable Remote Desktop or

03:21 a great many other number of things. But malware is quite essential to most attackers and their tactics.

03:28 Now on the defender side,

03:30 I've worked in IT for a few years, as, like, help desk, and I remember the most typical reaction to an infection is that we go collect the machine. You know, just pull it off the network and re-image it and give it back to the user as fast as we could,

03:46 because it was a nuisance. And that's how most people react. Um,

03:52 but

03:54 some companies, governments, institutions, organizations have a rather more mature information security program,

04:02 and they go and have an incident response person or team or policy,

04:08 where they go through and look at the logs, network traffic, processes; they figure out exactly what malware it is, and they try to trace where it came from, and how did it get there, and how can they prevent it in the future? Now, a really mature organization would attempt to gather intelligence.

04:27 This is pretty common in government and financial.

04:30 and other

04:32 very influential industries.

04:34 Now,

04:36 at that point, they would go to a third-party malware analysis firm or forensics team or forensics company, or maybe they have some people on staff, which is pretty common,

04:50 to help them with an incident.

04:54 Now,

04:55 this is, this is really important because, as a malware analyst, you know, people are going to rely on you. Your boss is going to say, what is the impact? What is the risk? And

05:08 this is something antivirus cannot help with. Um, this is something that a program will not be able to give them.

05:15 You would be able to

05:16 tell your superior we need

05:18 a lot of resources on this, because this is very important. Say you found some malware on a computer and it had a little ticking time bomb, and

05:28 in 24 hours, the next day or something, it was about to go off and wipe the computer.

05:32 Well, now you need to know

05:35 more. You need to know who else is infected. You need to know who else is compromised. You go to your boss and you need to say we need to pull everyone off of everything else. We need to scan the whole organization. We need to find where this is and neutralize it. Or else our company could be underwater tomorrow. We don't know.

05:50 So,

05:53 Malware,

05:54 um, malware analyst skills are just irreplaceable.

05:58 They're very important because software cannot do what humans can.

06:03 And

06:05 this is especially important in the big World

06:10 where attribution is really important.

06:14 Um,

06:15 because if you find some malware on a machine, you need to know if it was an insider threat, if it was hacktivism, if it was opportunistic, if it was financially motivated, or if it's that big buzzword, APT, for advanced persistent threat. If it's some kind of nation state,

06:30 if it's some kind of a very advanced group, you need to know

06:34 who they are, how to battle them. And

06:38 these are the things that malware analysts

06:41 usually have a pretty good insight into.

06:46 Like, many APT groups use very common off-the-shelf malware,

06:50 um, like Poison Ivy, DarkComet,

06:56 ZXShell, whatever else.

07:00 You as a malware analyst could determine the difference between an

07:03 advanced persistent threat group

07:06 or some script kiddie, some guy, you know, a 17-year-old kid who barely knows what they're doing.

07:15 And

07:15 this is particularly important when you consider

07:17 the fact that false negatives are far, far worse than false positives.

07:25 If you think about that, you should much prefer that an antivirus software

07:31 would go off on

07:33 you, alert you on benign programs

07:38 that are

07:41 being labeled as malicious

07:44 rather than

07:46 it letting an actual malicious file through.

07:48 Unfortunately, they aren't there.

07:54 Now,

07:56 you can look at

07:58 breach reports like the Verizon Data Breach Report. I think they're fairly good, uh, reports. And you can see

08:07 quotes like 70 to 90% of malware samples are unique to an organization.

08:11 So

08:13 targeting does really happen. I promise you,

08:18 if you are in a

08:18 a high enough industry,

08:20 you have been or will be

08:24 targeted and will be compromised

08:26 if not

08:28 already.

08:31 So the scope of this is

08:33 a very basic introduction to malware analysis. Just to get your feet wet, just to show you that it's not witchcraft. It's not black magic. So

08:43 malware analysis is really just a subset of software analysis. If you want to figure out what a program is doing, what an installer is doing, what, you know, a program like a zip program, WinRAR or whatever else,

09:01 is doing,

09:03 then

09:03 you have to use a few tools to either say, oh, no, it's using

09:09 these files, it's adding these registry keys, whatever else. And malware is a bit

09:16 interesting in that it's usually pretty small and much less noisy

09:20 than traditional software.

09:22 So

09:24 we'll show that analyzing malware is actually sometimes easier than

09:28 analyzing regular software. And so you should know

09:33 some stuff about malware already. You should know something about software, about networking, about how operating systems work. You know, you should probably know what a kernel is. It's basically the operating system at its core.

09:50 You should probably know a bit about software vulnerabilities. So if I say, oh,

09:56 you know, this malware is using

09:58 a stack-based buffer overflow

10:00 to elevate its privileges,

10:03 it'd be good to know that.

10:05 So, um,

10:07 you should probably know what

10:09 ah

10:11 a DDoS is, like distributed denial of service. What a script kiddie is, which I just referenced. You should probably know what Linux is and be moderately comfortable with using it.

10:24 So

10:24 with these foundations we will cover some of the basics of malware analysis, basic forensics, incident response, maybe hunting some malware, and some reverse engineering.

10:37 And if you don't know what that is, that's okay. We'll cover it in the future.

10:41 Like I was saying, what exactly is malware? Well, it's malicious software. It is something that executes without your permission

10:52 or tricks you into thinking it's something else or it is something that is working against the user's wishes.

11:00 Um, it's a really abstract

11:03 thing, I know, but once you get looking at it, you'll know what's malicious and what's not.

11:07 Like I was saying earlier, malware is

11:11 software, and it suffers from all the same problems as regular software does. So I've seen lots of malware out there that has compatibility issues, has

11:22 bugs, has customer service, you know.

11:26 I mean seriously, if you go on to some of the

11:30 um, forums on the underground and you say I want to buy this or I want to go with this,

11:35 you know, sometimes if you pay a little extra, you'll get better customer support or customer service. You'll get, um, updates. You'll get

11:45 you can put in help desk tickets if something's not working right, or, you know,

11:50 put in a ticket for bugs to be fixed,

11:52 you know, you can say, oh, I want the next version when it comes out in a few months. Um,

12:00 you know? And even then, like, malware authors have issues maintaining, like, source code. Sometimes they have issues with stuff getting leaked, proprietary stuff, or even their malware being pirated. That's happened a number of times, like Zeus malware.

12:18 So

12:18 if you want to know more about this, which I think is a good

12:22 background for a lot of this stuff, I would

12:26 suggest that you look for DEF CON 17 "Making Fun of Your Malware",

12:31 DEF CON 17 "Malware Freak Show" and DEF CON 18 "My Life as a Spyware Developer". Those are good talks that really give you insight and, uh, good perspective on how

12:43 the stuff works.

12:46 So

12:46 you've probably heard a lot of terms like virus, Trojan, worm, and you know you'll get pretty generic descriptions of those, and I'll go through these really fast right now. A virus, generically, is what most people refer to, but technically that's a file infector where

13:03 executable code is inserted into an executable file

13:07 like an .exe

13:09 to hijack its execution.

13:13 Ah,

13:15 I've never seen one in the wild, like

13:18 in the few years that I've been working,

13:20 Uh, I just don't

13:22 I just think they're very rare. Like, I've seen some before, like to store cold things, um, and some games that hackers play and some proof-of-concept stuff. But I've never seen a real malicious one. Trojans are much more common. They're usually bundled with games, like

13:39 North Koreans did that. They took some,

13:43 ah, game developer and they said, oh, you know, we'll insert this code and we'll distribute it for free or really cheap. And then one day they decided to start DDoSing the South Korean banks. So that's fairly common. Worms, actually, on the Internet there are some that are just still going, uh, but I find them

14:03 kind of rare.

14:05 They usually execute without your permission, and they don't try to trick you into executing them like Trojans or viruses. Worms are self-propagating. They usually are exploiting some vulnerability in an operating system, and then as soon as they get code execution on that

14:22 operating system, they scan,

14:24 you know, the network or the Internet for more vulnerable systems and just repeat the process.

14:31 Bots are extremely common. They're the most common things I see.

14:35 Um, bots are usually financially motivated. They're helping spamming, they sell personal information, they do DDoS stuff. It's usually cybercrime-type campaigns. Rootkits are

14:50 malware that usually corrupts and modifies the operating system. Most of the time

14:56 they are hiding

15:00 files or processes

15:03 from any user-land programs. So it hides deep in the operating system just to hide its other components. RATs are very common,

15:11 such as,

15:13 RATs, I should define that as a remote access tool or remote access Trojan.

15:20 There's legitimate ones. There's not-so-legitimate ones. They are

15:26 like. They're the most common, I think,

15:31 and they are very, um,

15:35 easy to find. I've seen RATs that have been around for 10 years. They're still being used, like DarkComet, ZXShell.

15:46 Sub7 was the first one I ever saw, and

15:50 you know, those are broad categories, and there's malware that overlaps, so a bot could have a rootkit attached to it. Um,

15:58 you know, a RAT could be bundled with a Trojan. These are very broad descriptions, like I said, and there's malware that's certainly more specialized, like spyware, which just steals your information; scareware, which just tries to scare you into giving over some money; you know, adware, backdoors,

16:18 credential theft like Pony.

16:19 Ah, and there's, like, anti-analysis code sometimes baked into these things, where

16:26 you know, you as an analyst are trying to figure out what

16:29 some malware is doing,

16:30 and they throw in some

16:32 weird tricks to try to stop you or defeat

16:37 your goal, which is to figure out something about it. So I've seen malware out there that says, oh, you know, if I think I'm being analyzed, do this: open up a port and then, you know, start taking commands from it. It was basically a backdoor. But if it's not being analyzed,

16:55 I'll tell you exactly how these things work,

16:56 then it would do its normal bot operations, would reach out to the correct IP address for more instructions. Um,

17:06 and really, the purpose depends on,

17:08 uh, what industry

17:11 the malware is in. You might be thinking,

17:15 what do you mean, industry? I'm talking about there are

17:18 pockets of

17:19 the underground economy where there's buyers and sellers, banks and escrows that support these economic systems, like pay-per-install. So you can go and say I want this piece of malware that I'm going to give you, I want it installed on 1000 computers. They will go and do that,

17:40 Um,

17:41 or you say I want to buy credit card

17:44 information dumps as they call it, or I want to hire some hackers to get into this company or I want to, you know, whatever.

17:52 And there's other software that sometimes is considered malware within those industries, like builders. This is some software that'll make malware for you,

18:03 usually a RAT or a Trojan, uh,

18:07 exploit kits. You know, these are

18:10 kind of websites that you can rent, so you can say, oh, I want to use this exploit kit for two days,

18:18 and you will try to spam

18:21 that website link out as much as you can.

18:22 And as soon as someone clicks on that link, they will get compromised and

18:29 it will be loaded up with malware.

18:30 So you could, you know, go in with a couple thousand dollars, buy a Trojan, then you can configure it, and then you can say, OK, I want to

18:40 buy access to an exploit kit and I want to buy,

18:44 you know,

18:45 two days or five days on it. And then you say, OK, now I have a couple hundred people

18:52 that my malware is controlling, and then you can say, well, I want some more, so I'm going to buy another 1000 computers.

18:57 Um,

19:00 and let's say the antivirus is quickly catching on. They're starting to detect the malware. We can use a

19:04 packer or a crypter to

19:08 scramble its insides, to encrypt your malware. And you can say, OK, I want to change it out, like, every day or even every hour. You can change out

19:18 your malware,

19:19 and packers and crypters will help bad guys do that.

19:26 So you should be aware of how these things work, and particularly packers and crypters.

19:30 I mostly call them packers, just that,

19:33 um, you should pay attention to that, and we will talk about that in the future, because that definitely does hinder analysis.

19:42 When I talk about analysis, I'm saying usually one of two things: dynamic analysis, which is where we just take some malware, execute it in a virtual machine, and see what happens.

19:56 Usually it's

19:56 pretty telling. You know, you can get some network information. We get the

20:00 command and control servers, we can get the IP addresses it's speaking out to, network information, all sorts of stuff.

20:08 But it is easy to miss things. For instance, if there is a kill date baked into the malware.

20:15 like I know of one instance where there is a

20:21 payment gateway that was compromised with some malware, and

20:26 they couldn't get it off and they couldn't restart it. And they said they would lose a lot of money if they ever took it offline,

20:33 and it would cost a lot to try

20:36 to replace it.

20:37 So they decided to just firewall it off so that it couldn't talk to the Internet, and then only certain computers could talk to it, could send it information.

20:48 And they said, Okay, well, it's not gonna do anything. It's not going to

20:53 you know, reboot. It's not going to, the malware is not going to,

20:57 kill it, so we'll just make sure it never contacts home, and the hackers can never

21:03 get that information.

21:06 I said, well, that's good, I guess. I said that is a creative solution. However, what if it has a kill date in it? At some point in the future,

21:15 it'll wipe the computer.

21:18 They're just like, what? Is that common? No, certainly not.

21:22 Not usually, ever. But it could happen. And the only way to figure something out like that,

21:29 you know, other than setting the clock far ahead in the future,

21:33 would be something called static analysis, where you don't execute the malware, but you slowly step through it. You say, one instruction at a time, what is this doing? What is this doing? What is this doing? You know, and then you can identify capabilities in the malware, you pick out a lot more information.

21:51 And

21:52 this technique requires a very deep technical knowledge.

21:56 Um, and it can take a long time, especially with anything

22:00 that has a lot of information in it, that's particularly sophisticated or large,

22:07 and it's important to note that most

22:10 of what we say is malware analysis is actually hybrid, where you are using a virtual machine to execute the malware safely, or some kind of sandbox or,

22:22 you know, whatever reporting feature. And then you also verify this with a static approach where you say, okay, yeah, that IP address is in there, and yes, it's being decrypted like this, and yeah, the network works like this and supports these commands. And then you can also do things like

22:40 in-memory, like volatile forensics, where

22:44 you can

22:45 you execute this malware

22:47 and then dump whatever is in memory and you look at it statically like that, you just pause it effectively.

22:53 And then you look at what is in memory at the time. This is useful for packers. So packers

23:02 usually, you know, will encrypt the malware,

23:04 and then you won't be able to see anything from a static perspective, so you can execute it. It will load up in memory, it'll decrypt the original malware and then begin executing it. So if you dump that from memory, you can see what the original thing was that it was trying to protect. Now,