Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
comparing malicious files

Comparing Malicious Files RVAsec May 22, 2019 Problem Statements - PowerPoint PPT Presentation

Oct 08, 2023 •222 likes •1.11k views

Comparing Malicious Files RVAsec May 22, 2019 Problem Statements AV Problem Many AV companies use their own unique nomenclature for malware and malware families @MalwareUtkonos Marketing Problem Marketing departments want to brand the

  1. Comparing Malicious Files RVAsec May 22, 2019

  2. Problem Statements

  3. AV Problem Many AV companies use their own unique nomenclature for malware and malware families @MalwareUtkonos

  4. Marketing Problem Marketing departments want to brand the malware families that their company has identified 🐽 🚁 🐲 🚁 🐼 🐽 🐼 🐲 @MalwareUtkonos

  5. WTF?????? ● APT28 ● Group-4127 ● Pawn Storm ● STRONTIUM ● Fancy Bear ● TAG_0700 ● Sednit ● Swallowtail ● TsarTeam ● IRON TWILIGHT ● TG-4127 ● Group 74 @MalwareUtkonos

  6. Missing Criteria @MalwareUtkonos

  7. Researcher’s Problem What am I looking at? Can I relate this to other samples that have already been identified? Is this a new attack? @MalwareUtkonos

  8. Incident Responder’s Problem What is this related to? Can I locate previous work around this malware, so I can save time? @MalwareUtkonos

  9. Solution Methods

  10. Sample Identification Determine malware family membership of sample @MalwareUtkonos

  11. Locating Associated Samples Within a set of samples, which are related? @MalwareUtkonos

  12. Identification Method: Anti-Virus Scanner Results

  13. Shared Engines Sample: 68119dd7fb9ecb099de50227162bd82f Scanner Result: Trojan.GenericKD.40437487 AV Companies: Ad-Aware, ALYac, BitDefender, Emsisoft, F-Secure, GData, MicroWorld-eScan @MalwareUtkonos

  14. http://www.beerdestroyer.com/wp-content/uploads/2013/05/dc_brau_corruption.jpg Specific Development Methods Generic http://who-really-cares-anyway.blogspot.com/2007/03/generic-food.html @MalwareUtkonos

  15. Vendors with Usable Results Microsoft ESET https://www.microsoft.com/en-us/wdsi/threats http://www.virusradar.com/en/threat_encyclopaedia Kaspersky Sophos https://www.sophos.com/en-us/threat-center/threat-analyses https://encyclopedia.kaspersky.com /viruses-and-spyware.aspx @MalwareUtkonos

  16. Boiling Down Results Sample: c3f9d80d11ab3671cd412e94de4141ad @MalwareUtkonos

  17. Boiling Down Results Remove clearly generic results Watch for sneaky generic results: Zeus, Zbot, Zusy, etc. @MalwareUtkonos

  18. Boiling Down Results ESET-NOD32 Win32/Adware.VrBrot Yandex Trojan.DR.PeBundle.A McAfee Artemis!C3F9D80D11AB VBA32 Trojan.Isbar Ad-Aware Gen:Variant.Symmi.89546 DrWeb Trojan.Isbar.863 ALYac Gen:Variant.Symmi.89546 Arcabit Trojan.Symmi.D15DCA BitDefender Gen:Variant.Symmi.89546 NANO-Antivirus Trojan.Win32.Isbar.fhgjim F-Secure Gen:Variant.Symmi.89546 ViRobot Trojan.Win32.Z.Symmi.954946 MicroWorld-eScan Gen:Variant.Symmi.89546 Avast Win32:VrBrothers-A [Adw] Emsisoft Gen:Variant.Symmi.89546 (B) AVG Win32:VrBrothers-A [Adw] Ikarus Trojan-Spy.Win32.Sincom GData Win32.Backdoor.Hupigon.B Microsoft Trojan:Win32/Occamy.C Kingsoft Win32.RiskWare.PEBundle.49152 @MalwareUtkonos

  19. Boiling Down Results ESET-NOD32 Win32/Adware.VrBrot Yandex Trojan.DR.PeBundle.A McAfee Artemis!C3F9D80D11AB VBA32 Trojan.Isbar Ad-Aware Gen:Variant.Symmi.89546 DrWeb Trojan.Isbar.863 ALYac Gen:Variant.Symmi.89546 Arcabit Trojan.Symmi.D15DCA BitDefender Gen:Variant.Symmi.89546 NANO-Antivirus Trojan.Win32.Isbar.fhgjim F-Secure Gen:Variant.Symmi.89546 ViRobot Trojan.Win32.Z.Symmi.954946 MicroWorld-eScan Gen:Variant.Symmi.89546 Avast Win32:VrBrothers-A [Adw] Emsisoft Gen:Variant.Symmi.89546 (B) AVG Win32:VrBrothers-A [Adw] Ikarus Trojan-Spy.Win32.Sincom GData Win32.Backdoor.Hupigon.B Microsoft Trojan:Win32/Occamy.C Kingsoft Win32.RiskWare.PEBundle.49152 @MalwareUtkonos

  20. Boiling Down Results ESET-NOD32 Win32/Adware.VrBrot Yandex Trojan.DR.PeBundle.A McAfee Artemis!C3F9D80D11AB VBA32 Trojan.Isbar Ad-Aware Gen:Variant.Symmi.89546 DrWeb Trojan.Isbar.863 ALYac Gen:Variant.Symmi.89546 Arcabit Trojan.Symmi.D15DCA BitDefender Gen:Variant.Symmi.89546 NANO-Antivirus Trojan.Win32.Isbar.fhgjim F-Secure Gen:Variant.Symmi.89546 ViRobot Trojan.Win32.Z.Symmi.954946 MicroWorld-eScan Gen:Variant.Symmi.89546 Avast Win32:VrBrothers-A [Adw] Emsisoft Gen:Variant.Symmi.89546 (B) AVG Win32:VrBrothers-A [Adw] Ikarus Trojan-Spy.Win32.Sincom GData Win32.Backdoor.Hupigon.B Microsoft Trojan:Win32/Occamy.C Kingsoft Win32.RiskWare.PEBundle.49152 @MalwareUtkonos

  21. Boiling Down Results Ad-Aware Gen:Variant.Symmi.89546 VBA32 Trojan.Isbar Arcabit Trojan.Symmi.D15DCA DrWeb Trojan.Isbar.863 ViRobot Trojan.Win32.Z.Symmi.954946 NANO-Antivirus Trojan.Win32.Isbar.fhgjim Win32.Trojan.Symmi Win32.Trojan.Isbar @MalwareUtkonos

  22. Boiling Down Results Ad-Aware Gen:Variant.Symmi.89546 VBA32 Trojan.Isbar Arcabit Trojan.Symmi.D15DCA DrWeb Trojan.Isbar.863 ViRobot Trojan.Win32.Z.Symmi.954946 NANO-Antivirus Trojan.Win32.Isbar.fhgjim Win32.Trojan.Symmi Win32.Trojan.Isbar @MalwareUtkonos

  23. Boiling Down Results Ad-Aware Gen:Variant.Symmi.89546 VBA32 Trojan.Isbar Arcabit Trojan.Symmi.D15DCA DrWeb Trojan.Isbar.863 ViRobot Trojan.Win32.Z.Symmi.954946 NANO-Antivirus Trojan.Win32.Isbar.fhgjim Win32.Trojan.Symmi Win32.Trojan.Isbar @MalwareUtkonos

  24. Automation: AVClass ● Family Rankings ● PUP Classification ● Ground Truth Evaluation ● Generic Token Detection ● Alias Detection https://github.com/malicialab/avclass @MalwareUtkonos

  25. Identification Method: MITRE ATT&CK

  26. ATT&CK ● Framework for categorization of adversary tactics and techniques ● Excellent first step ● Not yet ready for malware classification ● There is a better option! @MalwareUtkonos

  27. ATT&CK & Granularity https://steemit.com/reverseengineering/@utkonos/alphablend-campaign-part-2 @MalwareUtkonos

  28. ATT&CK & Granularity @MalwareUtkonos

  29. SEH Variation @MalwareUtkonos

  30. Contribute Sub-Techniques https://attack.mitre.org/resources/contribute/ @MalwareUtkonos

  31. 2FA Interception (T1111) ● SMS interception on the wire (SORM) ● SMS interception by number porting ● Code interception via phishing page (Nile Phish, Charming Kitten) ● Keylogger @MalwareUtkonos

  32. Better System

  33. The New MAEC Anti-Behavioral Analysis Execution Anti-Static Analysis Exfiltration Collection Impact Command and Control Lateral Movement Credential Access Persistence Defense Evasion Privilege Escalation Discovery https://github.com/MAECProject/malware-behaviors @MalwareUtkonos

  34. Identification Method: Malpedia

  35. Malpedia: FIN7, Carbanak https://malpedia.caad.fkie.fraunhofer.de/actor/anunak @MalwareUtkonos

  36. Malpedia Results @MalwareUtkonos

  37. Contribute!!!!! @MalwareUtkonos

  38. Identification Method: Google

  39. https://xkcd.com/627/ @MalwareUtkonos

  40. https://xkcd.com/627/ @MalwareUtkonos

  41. Proposal

  42. Proposal

  43. Association Method: Static Analysis

  44. Some Hashes ssdeep: Context triggered piecewise hash Import Hash (imphash): Calculated from PE file import table @MalwareUtkonos

  45. Exif Metadata @MalwareUtkonos

  46. Code Signing Certificate Signed by fake cert Signed by real/stolen cert Signed-ish: broken signature @MalwareUtkonos

  47. Abused Certificates @MalwareUtkonos

  48. PE Metadata Sections Imports / Exports Resources @MalwareUtkonos

  49. @MalwareUtkonos

  50. Sections Sample: 0a9545f9fc7a6d8596cf07a59f400fd3 Name: .reloc MD5: 3a64e2292f5eb1bbe70428c1c6ee22d5 @MalwareUtkonos

  51. Sections Sample: 0a9545f9fc7a6d8596cf07a59f400fd3 Name: .reloc MD5: 3a64e2292f5eb1bbe70428c1c6ee22d5 @MalwareUtkonos

  52. Resources Sample: c7577748e6e7c71cdf5a950655b2456e Name: RT_VERSION SHA256: 4df4bf2f6de1beb10586f49b4155fffb946279e8b0 a69d6fbbe695158bbb63ae @MalwareUtkonos

  53. ReversingLabs Hash Algorithm https://www.reversinglabs.com/technology/ reversinglabs-hash-algorithm.html @MalwareUtkonos

  54. VirusTotal similar-to: Proprietary black magic, but very effective @MalwareUtkonos

  55. Document Metadata Author Timestamps Language PDF Producer @MalwareUtkonos

  56. Association Method: Dynamic Analysis

  57. Filenames Boring: finding exactly the same filename More exciting: develop regex for a pattern of generated filenames. @MalwareUtkonos

  58. URL Structure: Download Related to the vulnerability in the CMS that was exploited to create the URL @MalwareUtkonos

  59. URL Structure: Download Example: http://terumoindonesia.com/wp-content/themes/twentysixteen/ Regex: wp-[a-z]+/themes/twenty(?:ten|eleven|twelve|thirteen|fourteen|fifteen|sixteen|seventeen|eighteen) @MalwareUtkonos

  60. URL Structure: C2 Directly related to the malware family @MalwareUtkonos

  61. URL Structure: C2 Example: http://dinttobogo.com/zapoy/gate.php @MalwareUtkonos

  62. Mutual Exclusion (Mutex) Prevents race conditions with multiple processes and multiple threads. https://en.wikipedia.org/wiki/Mutual_exclusion @MalwareUtkonos

  63. Registry Key Hierarchical database for low-level OS and application settings. https://en.wikipedia.org/wiki/Windows_Registry @MalwareUtkonos

  64. Association Method: Clustering Algorithms

  65. Standing on Shoulders of Giants “Python and Machine Learning: How to clusterize a malware dataset?” https://github.com/sebdraven/hack_lu_2017 And botconf! @MalwareUtkonos

  66. Algorithms K-Means DBScan @MalwareUtkonos

Recommend

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing

Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing

TWO S OR MEDIANS: COMPARISONS Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing the means of two unrelated samples Comparing the medians of two unrelated samples Old exam question Further study

399 views • 38 slides
Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open files Different ways of reading files How to write out files How to read then search, count, etc. on files Concepts about

616 views • 26 slides
Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing system Organized into a hierarchy of directories Files / /etc /Applications /var /tmp /Users /etc/Apache /etc/master.passwd

235 views • 19 slides
Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams other media so that we dont lose it even if the computer is shut off Files can store more data than may fit in Yves Lesprance working memory

248 views • 4 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

434 views • 22 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

509 views • 19 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain EUROCRYPT 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

1.11k views • 57 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

570 views • 27 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

677 views • 30 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

870 views • 62 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain TPMPC 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

927 views • 69 slides
Manipulating Data Files in Python Learning Objectives Working with CSV files Reading

Manipulating Data Files in Python Learning Objectives Working with CSV files Reading

Manipulating Data Files in Python Learning Objectives Working with CSV files Reading and writing Moving into and out of data structures Accessing files in other folders JSON files Reading and writing Regular

523 views • 36 slides
Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have used regular text files O>en called FLAT FILES These have a certain advantage,

558 views • 22 slides
Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed Sequential Files ! Multilevel Indexes ! Overflow Management ! Performance Analysis rasitjutrakul Indexed Files Ordered Random access sequential

537 views • 22 slides
Manifestations of Dark Matter and Variations of Fundamental Constants in Atoms and Astrophysical

Manifestations of Dark Matter and Variations of Fundamental Constants in Atoms and Astrophysical

Manifestations of Dark Matter and Variations of Fundamental Constants in Atoms and Astrophysical Phenomena Victor Flambaum, Yevgeny Stadnik, Benjamin Roberts, Vladimir Dzuba University of New South Wales, Sydney, Australia Physical Review D 89

810 views • 76 slides
statistical collaborators and consultants A. John Bailer baileraj@MiamiOH.edu Outline In

statistical collaborators and consultants A. John Bailer baileraj@MiamiOH.edu Outline In

Practical Experience for modeling work as statistical collaborators and consultants A. John Bailer baileraj@MiamiOH.edu Outline In my remarks, I will consider the general question of developing genuine statistical collaboration and

559 views • 36 slides
Fast and Accurate Inference for the Smoothing Parameter in Semiparametric Models Alex Trindade

Fast and Accurate Inference for the Smoothing Parameter in Semiparametric Models Alex Trindade

Fast and Accurate Inference for the Smoothing Parameter in Semiparametric Models Alex Trindade Dept. of Mathematics & Statistics, Texas Tech University Joint work with Rob Paige , Missouri University of Science and Technology Funded in part by

410 views • 19 slides
Literacy for Midcareer Journalists Jessica S Ancker, MPH, PhD, assistant professor, Weill Cornell

Literacy for Midcareer Journalists Jessica S Ancker, MPH, PhD, assistant professor, Weill Cornell

Evidence and Inference: Quantitative Literacy for Midcareer Journalists Jessica S Ancker, MPH, PhD, assistant professor, Weill Cornell Medical College 2 Evidence and Inference Advanced research techniques Gathering and assessing

401 views • 17 slides
1 2 Preparation and characterization of MWCNT/Zn 0.25 Co 0.75 Fe 2 O 4 nanocomposite and

1 2 Preparation and characterization of MWCNT/Zn 0.25 Co 0.75 Fe 2 O 4 nanocomposite and

1 2 Preparation and characterization of MWCNT/Zn 0.25 Co 0.75 Fe 2 O 4 nanocomposite and investigation of its microwave absorption properties at x-band by silicone rubber polymeric matrix Microwave absorption has attracted a considerable

315 views • 9 slides
( ) ( ) 9.8 m / s 2 0.35 kg F = kx k = = 28.58 N / m 0.12 m m 0.35 kg T = 2 k = 6.28

( ) ( ) 9.8 m / s 2 0.35 kg F = kx k = = 28.58 N / m 0.12 m m 0.35 kg T = 2 k = 6.28

1) When a mass of 0.350 kg is attached to a vertical spring and lowered slowly, the spring stretches 12.0 cm. The mass is now displaced from its equilibrium position and released, and undergoes simple harmonic oscillations. What is the period of

100 views • 6 slides
THE DISCOVERY OF ELEMENTS Dr. K. Guruswamy National Chemical Laboratory (NCL), Pune.

THE DISCOVERY OF ELEMENTS Dr. K. Guruswamy National Chemical Laboratory (NCL), Pune.

THE DISCOVERY OF ELEMENTS Dr. K. Guruswamy National Chemical Laboratory (NCL), Pune. http://www.excitingscience.org SUPPORTED BY: What are ELEMENTS? PURE chemical substances having ONE type of ATOM Examples: Hydrogen, Carbon, Iron, Gold,

808 views • 37 slides
OSS is changing the Security information sharing landscape. Focus on the MISP objects and other

OSS is changing the Security information sharing landscape. Focus on the MISP objects and other

OSS is changing the Security information sharing landscape. Focus on the MISP objects and other recent improvements on the platform Rapha el Vinot - TLP:WHITE info@circl.lu RMLL 2017 TL;DR Started in 2012 by Christophe Vandeplas (Belgian

793 views • 31 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.