1 / 46

CS 492/592: Malware (Reverse Engineering)

CS 492/592: Malware (Reverse Engineering). http://thefengs.com/wuchang/courses/cs492. About this course. Learn tools and techniques to analyze what malicious software does. Ethics. Explore only on your own systems or places you have permission to

jhunsucker
Download Presentation

CS 492/592: Malware (Reverse Engineering)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 492/592: Malware(Reverse Engineering) http://thefengs.com/wuchang/courses/cs492

  2. About this course • Learn tools and techniques to analyze what malicious software does

  3. Ethics Explore only on your own systems or places you have permission to Do not break or break into other people's machines

  4. Format • Lectures followed by labs and homework

  5. Pre-requisite • Course assumes an understanding of how software executes on a system (e.g. CS 201) • Media Space channel available for review

  6. Syllabus

  7. VM for course • Vanilla Windows XP VM image located on D: drive • Also located on linuxlab at /stash/cs492/492_WinXP_x86.ova • All software from book installed • When importing the VM, store the disk in D:\cs492

  8. Installed software on your VM Install WinXP 32-bit instance with VirtualBox Guest Additions CD Install cygwin with sharutils, binutils, zip/unzip, and nc Install WinRAR or cygwin p7zip Install Sysinternals tools (Process Explorer, Process Monitor) (technet.microsoft.com) Install PEView (wjradburn.com) Install Resource Hacker (angusj.com) Install Dependency Walker (dependencywalker.com) Install IDA Pro 5.0 Freeware (hex-rays.com) Install Wireshark (wireshark.org) Install Apate DNS (mandiant.com) Install OllyDbg 1.10 (ollydbg.de) and its Phant0m plug-in (woodmann.com) Install WinHex (winhex.com) Install PEiD (softpedia.com) <= CAUTION, it is a zip file not an installer Install UPX (upx.sourceforge.net) Install Regshot (code.google.com/p/regshot/) Install labs from textbook (practicalmalwareanalysis.com)Encrypted zipfile (password: malware)Will set off Windows defender alarmsMake two copies, a working one and a read-only one

  9. Securing your VM • Always shut the VM down when not in use • Do *not* enable shared folders • To protect EB 325 hosts • Do *not* enable bridged networking mode • To protect the VM itself

  10. Motivation

  11. Motivation • What is malware? • Set of instructions that run on your computer and make your system do something that an attacker wants it to do • What is reverse-engineering? • The ability to understand what the software being run is doing • A useful skill to have (at both the source-code and binary level)

  12. Example #1: FBI Playpen 8/2014

  13. Example #2: Stuxnet

  14. Example #3: Shellshock

  15. Example #4: Good software gone bad • AvastCCleaner (2017)

  16. Example #4: Good software gone bad • AvastCCleaner

  17. Example #5: Amazon Echo Easter Egg • https://www.youtube.com/watch?v=dQw4w9WgXcQ

  18. Why is malware so prevalent? • Unprecedented connectivity • Vulnerable users • Homogenous software and hardware • Focus on time to market • Mature malicious software industry • Data and instruction mixing (see next)

  19. Data vs. code • Data is information that your CPU acts on • Code tells your CPU to take action (danger!)‏ • To a computer, what’s the difference between code and data? • Not much in a Von Neumann architecture where data and instructions share same memory/bus • Data & code are intermixed everywhere • ELF, .exe, .html, .docx …. • Adds flexibility (.docx), features (.html), and efficiency (.js)

  20. Types of malware • Viruses and worms • Self-replicating code that infects other systems manually (virus) or automatically (worm) • Botnets • Software that puts your computer under the command and control of an adversary to send spam or attack other systems • Backdoors • Code that bypasses normal security controls to provide continued, unauthorized access to an adversary • Trojans • Code that appears legitimate, but performs an unauthorized action

  21. Types of malware • Rootkits • Tools to hide the presence of an adversary • Information theft (data exfiltration) • Keystrokes, passwords, credit cards, browsing habits, webcams • Ransomware • Code that renders your computer or data inaccessable until payment received

  22. Course context • https://www.usenix.org/conference/usenix-security-11/three-cyber-war-fallacies • Edited version: https://youtu.be/oxTWKVNxGmM • Dave Aitel USENIX Security 2011 keynote • CEO of Immunity Inc. • daily-dave newsletter • Covers both technical and policy issues involved in cybersecurity • Why show such an old talk?

  23. Revisiting Aitel • Asymmetric • Kinetic • Attribution • Attacking ideology • Deterrence

  24. Kinetic

  25. Kinetic

  26. Kinetic

  27. Attribution • https://www.washingtonpost.com/world/national-security/new-details-emerge-about-2014-russian-hack-of-the-state-department-it-was-hand-to-hand-combat/2017/04/03/d89168e0-124c-11e7-833c-503e1f6394c9_story.html

  28. Attribution • The importance of being everywhere… • https://risky.biz/RB450/ (19:45 – 21:45) 4/4/2017

  29. Attacking ideology • Democracy is an ideology that threatens Russia (and China and North Korea and Iran and Syria and ISIS) • Attack a competing ideology to protect your own • Russian goal in 2016 election hacking • Shake the fundamental belief in the US democratic system and its ideology • "Cyberwar attacks ideology best"

  30. Expose its secrets • Aitel "A nation-state is a collection of secrets"

  31. Subvert its media

  32. Attack its voting infrastructure • Sow the seeds of distrust in the election system • Slow down voting systems in strategic locations • Compromise machines for counting votes and registering voters • https://www.bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections

  33. Likely not the worst of it… • Election systems only now being considered critical infrastructure "One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks."

  34. The new frontline • Gen. John Allen • https://www.lawfareblog.com/lawfare-podcast-brookings-panel-cybersecurity-us-elections"As a guy who has spent a lot of time overseas dealing with threats to America, I now recognize at the speed of light, the very heartland of America is under threat today. The enemy has moved beyond my reach. The first line of defense of American democracy and the last line of defense are in our states and counties."

  35. Looking ahead • Countries ramping up capabilities • North Korea, Unit 180, Lazarus • Syrian Electronic Army • Iran Cyber Army • ISIS's Digital Caliphate • Chinese PLA Unit 61398 (Shady RAT) • Russian Fancy Bear (APT 28) • How do we fight these threats? • Can we learn from conventional war?

  36. Lessons from deterrence • Deterrence theory of national security in a nuclear age • Mutual Assured Destruction prevents escalation into war • Requires • Maximizing offensive capability (e.g. aircraft carrier deckspace) • Minimizing defensive vulnerability (e.g. missile defense systems) • Is there a cyber-equivalent and how does the US stack up?

  37. Not well • Defensive vulnerability • US with the most to lose • Crap in a hurry gives us ant-level smarts in IoT devices • Weakens position in cyber-realm • Example: Iranian attacks on US Banks after Stuxnet • When the Obama administration was weighing a response to distributed denial-of-service attacks against U.S. banks in 2012 (by Iran), officials vetoed any retaliation because they were worried that the country’s digital infrastructure wouldn’t be able to deal with counterattacks. https://www.cyberscoop.com/hack-back-james-clapper-iran-north-korea/

  38. Is North Korea deterred? Why not?

  39. Does this help? Has the most to gain in building offensive capability

  40. Why we need to do more…

  41. Extra

  42. VM for course (linuxlab) • See handout • Vanilla Windows XP VM image located on MCECS file server /stash/cs492/492_WinXP_x86.ova • All software from book installed • Contact support@cat.pdx.edu if you are not in the “vagrant” group

  43. Deterrence and cyberwar • What constitutes an act of war between nation states in cyber? (Fred Kaplan, "Dark Territory") • Blowing up a power plant? (US) • Tampering with elections? (Russia) • Industrial espionage? (China) • Taking down the banking system? (Iran)

  44. Attacking ideology • You may not even need to hack anymore… • https://risky.biz/RB468/ (10:00-12:20)

  45. Cyber deterrence • Why does this make sense from a deterrence standpoint for N. Korea?

More Related