Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Description

Malware OSINT and Reverse Engineering

This lesson discusses some of the open source tools which are available for intelligence gathering. These include:

  • Malware OSINT
    • Metadefender
    • VirSCAN

These sources are readily available on the Internet and offer a variety of tools for intelligence gathering. The instructor offers participants a brief introduction to these resources and shows some ways to use them. In addition to these tools on the Internet, analyzing malware configuration can also be utilized for threat intelligence. This can be accomplished via malware reverse engineering and/or using tools such as IDA Pro and OllyDbg.

Video Transcription

00:04
Okay, so let's talk now about some of the
00:07
open source tools for intelligence gathering that are freely available on the Internet.
00:12
There's a lot of good variety out there, and
00:16
some of you may already be familiar with these sites.
00:19
VirusTotal in particular
00:22
is pretty good. And as you can see, it has a very simple interface. I can upload a file if I've perhaps captured some malware
00:30
or suspected malware, I should say.
00:33
I can upload a, um,
00:36
a file that I think is infected and have a multitude of scanners
00:43
do some checking. I can also submit a URL or do a search for something like a hash or domain or IP address.
00:51
So for URL we can type, type something. Uh, that should probably come up clean.
00:57
I would hope. Comes up clean
00:59
week in.
01:00
All right, so it tells me this was already analyzed, but I could look at the most recent
01:06
analysis.
01:07
And as you'll see on the left here, I've got all these different URL scanners.
01:12
How many is that? It looks like over 30 or so.
01:17
This is amazing that it's free and you can look at this. Any time you need to do a quick check to see what all the major scanners think about a website or file or something else,
01:29
I can also look at information here. Show me an IP address,
01:36
people that want to vote yes or no on these different results and so on. It's pretty handy.
01:42
I don't have a file that I can upload
01:46
at the moment, but
01:48
you get the basic idea. In any case, there's also Metadefender.
01:53
Another threat intelligence platform.
01:57
So files, hashes or IP addresses.
02:01
I could go back to here and get my IP address.
02:13
I'll paste that in.
02:15
I didn't do a quick scan.
02:17
And this is not a bad idea in a general best practices manner, because I'm using one tool to do some checking and using another tool
02:27
to double check.
02:29
And this one doesn't have as many scanning engines
02:32
to look at the
02:35
the IP address, but
02:37
it's still a good way to corroborate your results with another secondary tool. And then, lastly, we have
02:46
virus scanner, VirSCAN, so similar, very similar simple interface, uploading files,
02:53
and it gives you the information on all the different scanners here. There's probably a decent amount of overlap between VirSCAN and
03:02
the, um,
03:04
VirusTotal.
03:07
It's still very useful, and free
03:10
can't beat it when it's free,
03:13
all right. Another thing to consider
03:15
especially since we're talking about malware is some of the tools that can be used to do deeper analysis.
03:22
Sure, you can upload a file, as we just saw, to let you know that you do have a sample of malware.
03:30
But what if you want to actually get into the lower level functionality of the malware and you want to know, How does it actually work? How did it get into the environment?
03:39
How does it operate? What is this behavior? What kinds of
03:44
resources does it try to use on the infected system, such as memory or network connections?
03:51
Does it try to make
03:52
new files and folders or move things around on the file system.
03:55
These are all questions that malware reverse engineering
04:00
attempts to answer.
04:01
As we can see here, we've got the IDA Pro and OllyDbg
04:05
screenshots. These are both very popular tools
04:10
for doing this kind of work.
04:12
It's obviously work that is not for the faint of heart. What you're looking at here is assembler language or assembly language,
04:19
and this is the lowest level instruction set that you can use to program a computer.
04:26
Obviously, anyone who's writing malware is going to be interested in assembler because it gives you
04:31
the most complete control over the processor of the machine that you're trying to infect,
04:38
so what these tools allow you to do then is to step through the program
04:42
line by line
04:44
and monitor memory registers that we see here
04:47
as well as looking at other data that's in the system's temporary storage,
04:54
the instruction pointer and all kinds of other aspects.
04:58
So as the code is executed line by line, the output can be examined, and the engineer could now get a better understanding of how this malware actually functions. The ultimate goal here would be to figure out okay, well, if we understand the malware completely enough
05:13
now, the engineer can have a decent chance of defending against it.
05:17
By perhaps blocking any kind of
05:23
ports that were open that might have been taken advantage of
05:27
Whatever the vulnerability was that allowed the malware to propagate should be identified and remediated.
05:33
You always want to think about threats and vulnerabilities being paired up together for that reason. So if you're so inclined, there are plenty of videos online, YouTube perhaps, to look at OllyDbg and IDA Pro.
05:48
These are great,
05:49
great tools to add to your arsenal once you get to a more advanced stage, where you really want to dig into the malware and see what's going on.

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor