Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this module, we will take a closer look at basic network dynamic analysis. In the real world, most malware has some kind of network presence. We'll begin with Indicators of Compromise (IOCs) such as file hashes, domain names, network traffic, strings, registry keys, file names, file paths, process names, URLs and IP addresses. We'll also cover how to use OpenIOC and segregate some indicators. Note that any single indicator may not be useful on its own, but when combined with other indicators it is critical in dynamic analysis. You'll also learn about Yara, which is used for identifying indicators. We'll also walk through three websites that will help you understand these concepts better. These include: www.github.com, www.malware-analyzer.com and www.opensecuritytraining.info.
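The description above makes the point that a single indicator is weak but a combination is powerful, and that Yara is the usual way to express such combinations as named string matches plus a condition. The Python matcher below is an added illustration, not part of this course or the instructor's material, and not the yara engine itself: it supports plain substrings and the and/or/not operators with parentheses, which is enough to show a combined rule firing where any one indicator alone would not. The rule, the domain (which echoes the throwaway example in the lecture) and the sample traffic fragments are all constructed.

```python
"""Minimal Yara-style matcher: named string indicators joined by a boolean condition.

Added illustration only, not the yara engine: plain substrings plus and/or/not.
"""
import re
from typing import Dict, List, Tuple

# Constructed rule. The domain echoes the throwaway example from the lecture;
# none of these values is a real indicator of compromise.
BEACON_RULE = {
    "name": "example_beacon",
    "strings": {
        "$domain": b"update.hairdresser.com",
        "$path": b"/gate.php",
        "$campaign": b"campaign=",
    },
    # Fire on the domain together with the check-in path, or on the campaign marker alone.
    "condition": "($domain and $path) or $campaign",
}

# Constructed traffic fragments standing in for captured network data.
SAMPLES = {
    "domain_and_path": b"GET /gate.php?id=42 HTTP/1.1\r\nHost: update.hairdresser.com\r\n\r\n",
    "campaign_only": b"POST /x HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\ncampaign=abc&user=alice",
    "domain_only": b"GET /index.html HTTP/1.1\r\nHost: update.hairdresser.com\r\n\r\n",
    "unrelated": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

_TOKEN = re.compile(r"\s*(\(|\)|and|or|not|\$\w+)\s*")


def tokenize(condition: str) -> List[str]:
    """Split a condition into parentheses, operators and $identifiers."""
    pos, tokens = 0, []
    while pos < len(condition):
        match = _TOKEN.match(condition, pos)
        if not match:
            raise ValueError(f"unexpected text in condition: {condition[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class _ConditionParser:
    """Recursive-descent evaluator with Yara's precedence: not > and > or."""

    def __init__(self, tokens: List[str], hits: Dict[str, bool]):
        self.tokens, self.hits, self.pos = tokens, hits, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("condition ended unexpectedly")
        token = self.tokens[self.pos]
        self.pos += 1
        return token

    def expr(self) -> bool:  # or-level
        value = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()
            value = value or rhs
        return value

    def term(self) -> bool:  # and-level
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self) -> bool:
        token = self.take()
        if token == "not":
            return not self.factor()
        if token == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if token.startswith("$"):
            if token not in self.hits:
                raise ValueError(f"condition references undefined string {token}")
            return self.hits[token]
        raise ValueError(f"unexpected token {token!r}")


def evaluate(rule: dict, data: bytes) -> Tuple[bool, Dict[str, bool]]:
    """Return (rule matched?, per-string hits) for one blob of data."""
    hits = {name: pattern in data for name, pattern in rule["strings"].items()}
    parser = _ConditionParser(tokenize(rule["condition"]), hits)
    matched = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in condition")
    return matched, hits


def scan_samples(rule: dict = BEACON_RULE) -> Dict[str, bool]:
    """Run the rule over every constructed sample."""
    return {name: evaluate(rule, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        matched, hits = evaluate(BEACON_RULE, data)
        print(f"{name:16} matched={matched} hits={hits}")
```

Running it shows the domain on its own failing the rule, while the domain plus the check-in path, or the campaign marker alone, match. In real Yara the same structure is written in the `strings:` and `condition:` sections of a rule, and the caveat from the lecture still applies: a hit is a prompt to investigate, not an antivirus verdict.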

Video Transcription

00:04
Hi, welcome to Cybrary. My name is Sean Pierce, and I'm a subject matter expert for malware analysis. Today we'll be covering Part 2
00:12
of basic dynamic analysis, where we'll be looking at networking.
00:16
So, just a quick recap of what we covered last time: we talked about what dynamic analysis is, which is basically dropping the malware into a VM, executing it, and seeing what it does. Like I said, this is very fast and it's easy, but there's a drawback
00:34
where code may not execute for a great
00:37
many number of reasons, like it's VM-aware or it's past a certain date, or
00:45
you just don't trigger that functionality because the environment is not right, like you don't have a certain piece of software or something like that. So it's easy to generate indicators of compromise
00:59
like path names or file hashes from files that are dropped by the malware.
01:04
But it's a little more difficult for other kinds of indicators, like attribution. That's where the human element comes into play, because
01:15
there are plenty of sandboxes out there,
01:18
plenty of malware analysis platforms, but they can't really tell you attribution, they can't really tell you risk
01:26
or impact to your business or organization. And that's really why you need a human,
01:33
a malware analyst, to do this kind of stuff. So today we're going to be looking at indicators of compromise on the network level, which I think is very important because most malware, every piece of malware I've ever seen
01:47
in the real world
01:49
has always had some kind of network presence, where it either spreads via the network or communicates with its command and control server over the network.
01:57
There are some tricky things out there that use, like, peer-to-peer or
02:00
Tor,
02:04
that use Tor or an IRC chat room or something like that. But most of the time it's going to
02:13
use a simple website, like a domain name of, like,
02:19
update.hairdresser.com or something like that. And
02:24
the command and control server will be up for a little while, and then they'll change the domain to point somewhere else.
02:31
So it's really easy for them to pick up stakes pretty fast. And we're going to see an example of how we would do that with the current environment that we have set up before.
02:40
So, as I said,
02:44
indicators of compromise are what you're really after, and there are plenty of those: file hashes, strings, path names, process names, registry keys. And since we're going to be talking about networking mainly, we're going to be after domains, domain names,
03:01
IP addresses. Network traffic is pretty important: if it's encrypted, if it's not, if it's easy to decrypt,
03:12
because some malware has very lousy encryption that we can break pretty trivially; other malware we cannot break trivially, or they use HTTPS or something like that, in which case it would be a pain to get at. And really,
03:29
if all we want is an indicator that someone is infected,
03:31
we don't necessarily need to break the crypto
03:36
or get at the information inside, because usually it's some kind of beacon to the command and control server with basic information about the compromised host, like
03:46
user name, IP address, both internal address and external address, or time or date of the infection, usually a campaign code
03:58
so that the
04:00
botnet herders know what campaigns are most effective at infecting people, like via exploit kits or spam or
04:10
some other method. So we saw some network traffic and we were able to make some indicators of compromise, some IOCs. There are a few ways in which we can standardize this format.
04:26
OpenIOC, made by Mandiant, is an interesting project where they have gone to the trouble of categorizing
04:33
tons and tons of indicators. Here are some basic ones I just threw up on the screen, like process name,
04:44
file strings, file owner,
04:47
file path, event log ID, file name, file hash, file MD5. You know, these things
04:55
aren't always
04:57
a fantastic indicator, but when combined they can be quite effective. You know, like file name
05:05
doesn't really mean a whole lot, because any file can change its name, or any file can have any name, pretty much,
05:15
except, you know, if we know this particular file name
05:20
is only used by this one piece of malware, or this one version of a piece of malware, that can help us identify stuff pretty quickly.
05:29
So
05:30
they keep
05:32
some public information about indicators that they have for the common malware families, and they use these indicators to scan
05:42
files on a computer, or scan their holdings, their malware repos or whatever else, and it is quite helpful; they're easy to make.
05:53
And I would like to point out that this is not an antivirus solution. You shouldn't just go grab a whole bunch of indicators from some OpenIOC files and scan your computer and say, oh,
06:06
look, you know,
06:08
this file right here, you know, has an OpenIOC hit, an alert for Zeus. It's like, well, you know, there's a string in the file
06:17
that triggered this, but that's benign. So it is not an antivirus signature; it's really just to help defenders of networks communicate threat data to each other in a standardized format, and I've seen some products out on the market start to support OpenIOC.
06:38
But it's not very common. And
06:42
it's a great idea, but it's not currently implemented. What's far more implemented is Yara. Yara is very simple. It is basically what it looks like, where you can describe
06:57
a few things.
06:59
With OpenIOC you can describe lots of things, tons of things; with Yara it's more of a,
07:06
you know,
07:08
here is this, here's this, you know,
07:11
its hash is this, metadata, file name could be this, strings might be A or B or C, and down at the bottom you see there is a little condition part where it's A or B or C, and you can actually make some complicated logic
07:29
where it's A and B
07:32
or C.
07:33
It's like A and B, or C.
07:39
So this is far more implemented. But it is not an antivirus solution either, and it's important to note that
07:49
this is useful and is supported by lots of things, but not very well. So some platforms search Yara signatures in memory, you know, a thousand times faster than other platforms, but
08:05
their detections aren't very good because they have some sloppy programming. So
08:11
it's just important to note that, you know, this is how
08:15
one would communicate threat data
08:18
in the real world between groups
08:20
like intelligence groups or
08:24
network defense groups or hunt teams or malware analyst teams or network defender teams.
08:35
But it may not suit you in your enterprise. You should test this stuff.
08:39
So, just a recap of what we covered today: we covered indicators of compromise, we covered some of the standards in the industry. I mentioned two major ones, which are OpenIOC and Yara. We demonstrated basic dynamic analysis, looking for network indicators,
08:58
and
09:01
I want to show you three web pages I think will be very useful to you. And here they are. The first one is a GitHub page with
09:11
a lot of excellent malware analysis tools.
09:16
In particular,
09:18
the network segment has some pretty good tools. I recognize them all and would suggest that you familiarize yourself with them,
09:28
maybe not
09:28
taking,
09:31
you know, a whole day per tool, but you should at least click through some demo videos.
09:37
Another good website
09:39
is malware-analyzer.com, and they list a good number of tools.
09:46
INetSim is what we used today.
09:52
Ncat is different from Netcat. Netcat is in C, and it's the traditional Linux tool; Ncat is the upgrade,
10:05
and the third site is opensecuritytraining.info, that's put on by MITRE, and it is fantastic. They have hands-on
10:18
online learning
10:20
labs, and they have lots of samples, and they have really smart people working for them.
10:26
It's really something you should invest a whole
10:30
week or two in,
10:33
because they go pretty in depth.
10:35
It's good, but I've never made it more than a few days through similar stuff.
10:41
And they use the same book that
10:43
I have suggested before.
10:46
Thank you for watching
10:48
the Cybrary video.
10:50
Hope to see you again.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major file types, how to carve malicious executables from documents, and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor