Hi. Welcome to the [inaudible] subject matter expert series on malware analysis. Today we'll be covering Part Two of basic dynamic analysis, where we'll be looking at networking.
So just a quick recap of what we covered last time. We talked about what dynamic analysis is, which is basically dropping the malware into a VM, executing it, and seeing what it does. Like I said, this is very fast and it's easy, but there's a drawback: code may not execute for a great many reasons, like it's VM-aware, or it's past a certain date, or you just don't trigger that functionality because the environment is not right, like you don't have a certain piece of software installed. So it's easy to generate indicators of compromise like path names or file hashes from files that are dropped by the malware, but it's a little more difficult for other kinds of indicators, like attribution. That's where the human element comes into play, because there are plenty of sandboxes out there, plenty of malware analysis platforms, but they can't really tell you attribution, they can't really tell you risk, or impact to your business or organization. And that's really why you need a human, a malware analyst, to do this kind of stuff.

So today we're going to be looking at indicators of compromise on the network level, which I think is very important because most malware, every piece of malware I've ever seen, has always had some kind of network presence, where it either spreads via the network or communicates with its command and control server over the network. There are some tricky things out there that use peer-to-peer, or Tor, or an IRC chat room or something like that, but most of the time it's going to use a simple website, like a domain name such as update.hairdresser.com or something like that. The command and control server will be up for a little while, and then they'll change the domain to point somewhere else. So it's really easy for the IOCs to go stale pretty fast. And we're going to see an example of how we would do that with the environment we set up before.
Indicators of compromise are what you're really after, and there are plenty of those: file hashes, strings, path names, process names, registry keys. And since we're going to be talking mainly about networking, we're going to be after domain names and IP addresses. Network traffic is pretty important: whether it's encrypted, whether it's not, whether it's easy to decrypt. Some malware has very lousy encryption that we can break pretty trivially; other malware we cannot break trivially because it uses HTTPS or something like that, in which case it would be a pain to get at. And really, if all we want is an indicator that someone is infected, we don't necessarily need to break the crypto or get at the information inside, because usually it's some kind of beacon to the command and control server with basic information about the compromised host, like user name, IP address (both the internal address and the external address), the time or date of the infection, and usually a campaign code, so botnet herders know which campaigns are most effective at infecting people, whether via exploit kits or spam or some other method. So we saw some network traffic and we were able to make some indicators of compromise, some IOCs. There are a few ways in which we can standardize this format.
OpenIOC, made by Mandiant, is an interesting project where they have gone to the trouble of categorizing tons and tons of indicators. Here are some basic ones I just threw up on the screen: process name, file strings, file owner, file path, event log ID, file name, file hash, MD5. None of these things on its own is a fantastic indicator, but when combined they can be quite effective. You know, like file name doesn't really mean a whole lot, because any file can change its name, or any file can have pretty much any name, except, you know, if we know this particular file name is only used by this one piece of malware, or this one version of a piece of malware, that can help us identify stuff pretty quickly.
They also publish some public information about indicators that they have for the common malware families, and they use these indicators to scan files on a computer, or scan their holdings, their malware repos, or whatever else, and it is quite helpful. They're easy to make. And I would like to point out that this is not an antivirus solution. You shouldn't just go grab a whole bunch of indicators from some OpenIOC files, scan your computer, and say, "Oh, this file right here has an OpenIOC hit for Zeus." It's like, well, you know, there's a string in the file that triggered this, but that's benign. So it is not an antivirus signature; it's really just to help defenders of networks communicate threat data to each other in a standardized format. I've seen some products out on the market start to support OpenIOC, but it's not very common.
It's a great idea, but it's not currently implemented much. What's far more implemented is YARA. YARA is very simple; it is basically what it looks like. Where with OpenIOC you can describe lots of things, tons of things, with YARA it's more of a "here is this, here's this": you know, its hash is this; metadata, you know, file name could be this; strings might be A or B or C; and down at the bottom you see there is a little condition part where it's A or B or C, and you can actually make some more complicated logic, like A and (B or C). So this is far more implemented, but it is not an antivirus solution either, and it's important to note that this is useful and is supported by lots of things, but not very well. Some platforms search YARA signatures in memory, you know, a thousand times faster than other platforms, but their detections aren't very good because they have some sloppy programming. So it's just important to note that, you know, this is how one would communicate threat data in the real world between groups, like intelligence groups or network defense groups or hunt teams or malware analyst teams or network defender teams. But it may not suit you in your enterprise. You should test this stuff.
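As an added example that is not from the lecture, here is what that "hash, metadata, strings, condition" layout looks like as an actual YARA rule, including the A and (B or C) logic described above. The rule name, the domain, the byte pattern, the campaign-code regex, and the all-zero MD5 placeholder are all constructed for illustration.

```yara
import "hash"

rule Constructed_C2_Beacon_Sample
{
    meta:
        description = "Constructed example: combines a known hash with a C2 domain string and a campaign-code pattern"
        author      = "editor (illustrative rule, not a published signature)"
        reference   = "constructed for this example"

    strings:
        // the kind of hard-coded C2 domain the lecture mentions (constructed value)
        $c2_domain = "update.hairdresser.com" ascii wide nocase
        // a constructed byte pattern; ?? is a one-byte wildcard
        $code_stub = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 }
        // campaign-code parameter as it might appear in a beacon URL
        $campaign  = /[?&]campaign=[A-Za-z0-9]{4,12}/ ascii

    condition:
        // only consider PE files ("MZ" header) of a sane size
        uint16(0) == 0x5A4D and filesize < 4MB and
        (
            // known sample by MD5 (all-zero placeholder, not a real hash)
            hash.md5(0, filesize) == "00000000000000000000000000000000"
            or
            // the "A and (B or C)" logic: the domain plus either the code stub or the campaign parameter
            ($c2_domain and ($code_stub or $campaign))
        )
}
```

A string match on the domain alone is the kind of weak indicator the lecture warns about, which is why the condition requires it together with a second, independent artifact.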
So just a recap of what we covered today. We covered indicators of compromise. We covered some of the standards in the industry; I mentioned two major ones, which are OpenIOC and YARA. We demonstrated basic dynamic analysis, looking for network indicators.

I want to show you three web pages I think will be very useful to you, and here they are. The first one is a GitHub page with a lot of excellent malware analysis tools. The network segment has some pretty good tools; I recognize them all and would suggest that you familiarize yourself with them. Not, you know, a whole day per tool, but you should at least click through some demo videos. Another good website is malware-analyzer.com, and they list a good number of tools. INetSim is what we used today. Ncat is different than Netcat: Netcat is in C and it's the traditional Linux tool; Ncat is the upgrade. And the third site is opensecuritytraining.info, which is put on by MITRE, and it is fantastic. They have hands-on labs, they have lots of samples, and they have really smart people working for them. It's really something you should invest the whole [inaudible] in, because they go pretty in depth. It's good, but I've never made it more than a few days through similar stuff. And they use the same book that I have suggested before.

Thank you for watching. Hope to see you again.