Explore tools and techniques for dissecting malware behavior ethically. Learn reverse engineering basics. Set up required software and secure your system. Examples and context provided.
CS 492/592: Malware(Reverse Engineering) http://thefengs.com/wuchang/courses/cs492
About this course • Learn tools and techniques to analyze what malicious software does
Ethics • Explore only on your own systems or on systems you have permission to analyze • Do not break, or break into, other people's machines
Format • Lectures followed by labs and homework
Pre-requisite • Course assumes an understanding of how software executes on a system (e.g. CS 201) • Media Space channel available for review
VM for course • Vanilla Windows XP VM image located on D: drive • Also located on linuxlab at /stash/cs492/492_WinXP_x86.ova • All software from book installed • When importing the VM, store the disk in D:\cs492
Installed software on your VM
• Install a WinXP 32-bit instance with the VirtualBox Guest Additions CD
• Install cygwin with sharutils, binutils, zip/unzip, and nc
• Install WinRAR or cygwin p7zip
• Install Sysinternals tools (Process Explorer, Process Monitor) (technet.microsoft.com)
• Install PEView (wjradburn.com)
• Install Resource Hacker (angusj.com)
• Install Dependency Walker (dependencywalker.com)
• Install IDA Pro 5.0 Freeware (hex-rays.com)
• Install Wireshark (wireshark.org)
• Install ApateDNS (mandiant.com)
• Install OllyDbg 1.10 (ollydbg.de) and its Phant0m plug-in (woodmann.com)
• Install WinHex (winhex.com)
• Install PEiD (softpedia.com) <= CAUTION: it is a zip file, not an installer
• Install UPX (upx.sourceforge.net)
• Install Regshot (code.google.com/p/regshot/)
• Install the labs from the textbook (practicalmalwareanalysis.com): an encrypted zipfile (password: malware) that will set off Windows Defender alarms. Make two copies, a working one and a read-only one.
Securing your VM • Always shut the VM down when not in use • Do *not* enable shared folders (to protect the EB 325 hosts from samples escaping the VM) • Do *not* enable bridged networking mode (to protect the VM itself, an unpatched XP guest, from the lab network and to keep samples off it)
Motivation • What is malware? • Set of instructions that run on your computer and make your system do something that an attacker wants it to do • What is reverse-engineering? • The ability to understand what the software being run is doing • A useful skill to have (at both the source-code and binary level)
Example #1: FBI Playpen 8/2014
Example #4: Good software gone bad • AvastCCleaner (2017)
Example #5: Amazon Echo Easter Egg • https://www.youtube.com/watch?v=dQw4w9WgXcQ
Why is malware so prevalent? • Unprecedented connectivity • Vulnerable users • Homogeneous software and hardware • Focus on time to market • Mature malicious software industry • Data and instruction mixing (see next)
Data vs. code • Data is information that your CPU acts on • Code tells your CPU to take action (danger!) • To a computer, what’s the difference between code and data? • Not much in a Von Neumann architecture where data and instructions share same memory/bus • Data & code are intermixed everywhere • ELF, .exe, .html, .docx …. • Adds flexibility (.docx), features (.html), and efficiency (.js)
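The previous slide's point, that the CPU draws no line between data and code, as an added example that is not part of the course slides. The program writes the bytes of a tiny "return 42" routine into an ordinary read/write page, where they are just data, then flips the page to read/execute and calls into it. The instruction encodings and the use of mmap/mprotect are assumptions for x86-64 and AArch64 Linux; other targets return -1. Flipping permissions rather than mapping the page writable and executable at once is the W^X discipline that makes a stray buffer harder to turn into code.

```c
/* Added example, not from the course slides: the same bytes viewed as
 * data and then as code. Assumes a Linux host on x86-64 or AArch64. */
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Machine code for "return 42" (assumed encodings for each ABI). */
#if defined(__x86_64__)
static const unsigned char kCode[] = {
    0xB8, 0x2A, 0x00, 0x00, 0x00, /* mov eax, 42 */
    0xC3                          /* ret         */
};
#elif defined(__aarch64__)
static const unsigned char kCode[] = {
    0x40, 0x05, 0x80, 0x52,       /* mov w0, #42 */
    0xC0, 0x03, 0x5F, 0xD6        /* ret         */
};
#else
static const unsigned char kCode[] = { 0 };
#endif

/* The bytes treated purely as data: an arbitrary checksum over them. */
unsigned data_sum(void)
{
    unsigned s = 0;
    for (size_t i = 0; i < sizeof kCode; i++)
        s += kCode[i];
    return s;
}

/* The same bytes treated as code. Returns 42 on success, -1 if the
 * mapping fails or the architecture is not one handled above. */
int run_data_as_code(void)
{
#if defined(__x86_64__) || defined(__aarch64__)
    size_t len = 4096;
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;

    memcpy(page, kCode, sizeof kCode);   /* still just data here */

    /* W^X: drop write before granting execute; never hold both. */
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return -1;
    }
    /* AArch64 needs the instruction cache told about the new code. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof kCode);

    int (*fn)(void);
    memcpy(&fn, &page, sizeof fn);       /* data pointer -> function pointer */
    int result = fn();                   /* now the CPU treats it as code */

    munmap(page, len);
    return result;
#else
    return -1;
#endif
}

int main(void)
{
    printf("as data: byte sum = %u\n", data_sum());
    printf("as code: returned  %d\n", run_data_as_code());
    return 0;
}
```

Had the page stayed PROT_READ|PROT_WRITE only, the call would fault under NX, which is exactly the protection that forces modern exploits toward return-oriented techniques instead of simply jumping into a buffer.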
Types of malware • Viruses and worms • Self-replicating code that infects other programs or systems; a virus needs a user action (running an infected file) to spread, a worm spreads on its own over the network • Botnets • Software that puts your computer under the command and control of an adversary to send spam or attack other systems • Backdoors • Code that bypasses normal security controls to provide continued, unauthorized access to an adversary • Trojans • Code that appears legitimate, but performs an unauthorized action
Types of malware • Rootkits • Tools to hide the presence of an adversary • Information theft (data exfiltration) • Keystrokes, passwords, credit cards, browsing habits, webcams • Ransomware • Code that renders your computer or data inaccessible until payment is received
Course context • https://www.usenix.org/conference/usenix-security-11/three-cyber-war-fallacies • Edited version: https://youtu.be/oxTWKVNxGmM • Dave Aitel USENIX Security 2011 keynote • CEO of Immunity Inc. • daily-dave newsletter • Covers both technical and policy issues involved in cybersecurity • Why show such an old talk?
Revisiting Aitel • Asymmetric • Kinetic • Attribution • Attacking ideology • Deterrence
Attribution • https://www.washingtonpost.com/world/national-security/new-details-emerge-about-2014-russian-hack-of-the-state-department-it-was-hand-to-hand-combat/2017/04/03/d89168e0-124c-11e7-833c-503e1f6394c9_story.html
Attribution • The importance of being everywhere… • https://risky.biz/RB450/ (19:45 – 21:45) 4/4/2017
Attacking ideology • Democracy is an ideology that threatens Russia (and China and North Korea and Iran and Syria and ISIS) • Attack a competing ideology to protect your own • Russian goal in 2016 election hacking • Shake the fundamental belief in the US democratic system and its ideology • "Cyberwar attacks ideology best"
Expose its secrets • Aitel "A nation-state is a collection of secrets"
Attack its voting infrastructure • Sow the seeds of distrust in the election system • Slow down voting systems in strategic locations • Compromise machines for counting votes and registering voters • https://www.bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections
Likely not the worst of it… • Election systems only now being considered critical infrastructure "One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks."
The new frontline • Gen. John Allen • https://www.lawfareblog.com/lawfare-podcast-brookings-panel-cybersecurity-us-elections • "As a guy who has spent a lot of time overseas dealing with threats to America, I now recognize at the speed of light, the very heartland of America is under threat today. The enemy has moved beyond my reach. The first line of defense of American democracy and the last line of defense are in our states and counties."
Looking ahead • Countries ramping up capabilities • North Korea, Unit 180, Lazarus • Syrian Electronic Army • Iran Cyber Army • ISIS's Digital Caliphate • Chinese PLA Unit 61398 (Shady RAT) • Russian Fancy Bear (APT 28) • How do we fight these threats? • Can we learn from conventional war?
Lessons from deterrence • Deterrence theory of national security in a nuclear age • Mutual Assured Destruction prevents escalation into war • Requires • Maximizing offensive capability (e.g. aircraft carrier deckspace) • Minimizing defensive vulnerability (e.g. missile defense systems) • Is there a cyber-equivalent and how does the US stack up?
Not well • Defensive vulnerability • US with the most to lose • Software shipped in a hurry gives us IoT devices with ant-level smarts • Weakens our position in the cyber realm • Example: Iranian attacks on US banks after Stuxnet • When the Obama administration was weighing a response to distributed denial-of-service attacks against U.S. banks in 2012 (by Iran), officials vetoed any retaliation because they were worried that the country's digital infrastructure wouldn't be able to deal with counterattacks. https://www.cyberscoop.com/hack-back-james-clapper-iran-north-korea/
Is North Korea deterred? Why not?
Does this help? Has the most to gain in building offensive capability
VM for course (linuxlab) • See handout • Vanilla Windows XP VM image located on MCECS file server /stash/cs492/492_WinXP_x86.ova • All software from book installed • Contact support@cat.pdx.edu if you are not in the “vagrant” group
Deterrence and cyberwar • What constitutes an act of war between nation states in cyber? (Fred Kaplan, "Dark Territory") • Blowing up a power plant? (US) • Tampering with elections? (Russia) • Industrial espionage? (China) • Taking down the banking system? (Iran)
Attacking ideology • You may not even need to hack anymore… • https://risky.biz/RB468/ (10:00-12:20)
Cyber deterrence • Why does this make sense from a deterrence standpoint for N. Korea?