00:04
Okay, so let's talk now about some of the
00:07
open source tools for intelligence gathering that are freely available on the Internet.
00:12
There's a lot of good variety out there, and
00:16
some of you may already be familiar with these sites.
00:19
VirusTotal in particular
00:22
is pretty good. And as you can see, it has a very simple interface. I can upload a file if I've perhaps captured some malware
00:30
or suspected malware, I should say,
00:36
a file that I think is infected, and have a multitude of scanners
00:43
do some checking. I can also submit a URL or do a search for something like a hash or domain or IP address.
00:51
So for a URL we can type, type something. Uh, that should probably come up clean.
00:57
I would hope. Comes up clean.
01:00
All right, so it tells me this was already analyzed, but I could look at the most recent
01:07
And as you'll see on the left here, I've got all these different URL scanners.
01:12
How many is that? It looks like over 30 or so.
01:17
This is amazing that it's free and you can look at this. Any time you need to do a quick check to see what all the major scanners think about a website or file or something else,
01:29
I can also look at information here. Show me an IP address,
01:36
people that want to vote yes or no on these different results, and so on. It's pretty handy.
01:42
I don't have a file that I can upload
01:48
you get the basic idea. In any case, there's also MetaDefender,
01:53
another threat intelligence platform.
01:57
So files, hashes, or IP addresses.
02:01
I could go back to here and get my IP address
02:15
and do a quick scan.
02:17
And this is not a bad idea in a general best practices manner, because I'm using one tool to do some checking and using another tool
02:29
And this one doesn't have as many scanning engines
02:35
for the IP address, but
02:37
it's still a good way to corroborate your results with another secondary tool. And then, lastly, we have
02:46
virus scanner VirScan, so similar, very similar simple interface, uploading files,
02:53
and it gives you the information on all the different scanners here. There's probably a decent amount of overlap between VirScan and
03:07
It's still very useful, and free;
03:10
can't beat it when it's free,
03:13
All right. Another thing to consider,
03:15
especially since we're talking about malware, is some of the tools that can be used to do deeper analysis.
03:22
Sure, you can upload a file, as we just saw, to let you know that you do have a sample of malware.
03:30
But what if you want to actually get into the lower level functionality of the malware and you want to know, How does it actually work? How did it get into the environment?
03:39
How does it operate? What is its behavior? What kinds of
03:44
resources does it try to use on the infected system, such as memory or network connections?
03:52
new files and folders or move things around on the file system.
03:55
These are all questions that malware reverse engineering
04:01
As we can see here, we've got IDA Pro and OllyDbg
04:05
screenshots. These are both very popular tools
04:10
for doing this kind of work.
04:12
It's obviously work that is not for the faint of heart. What you're looking at here is assembler language, or assembly language,
04:19
and this is the lowest-level instruction set that you can use to program a computer.
04:26
Obviously, anyone who's writing malware is going to be interested in assembler because it gives you
04:31
the most complete control over the processor of the machine that you're trying to infect.
04:38
So what these tools allow you to do, then, is to step through the program
04:44
and monitor the memory registers that we see here,
04:47
as well as looking at other data that's in the system's temporary storage,
04:54
the instruction pointer, and all kinds of other aspects.
04:58
So as the code is executed line by line, the output can be examined, and the engineer can now get a better understanding of how this malware actually functions. The ultimate goal here would be to figure out, okay, well, if we understand the malware completely enough,
05:13
now, the engineer can have a decent chance of defending against it.
05:17
By perhaps blocking any kind of
05:23
ports that were open that might have been taken advantage of
05:27
whatever. Whatever the vulnerability was that allowed the malware to propagate should be identified and remediated.
05:33
You always want to think about threats and vulnerabilities being paired up together for that reason. So if you're so inclined, there are plenty of videos online, YouTube perhaps, to look at OllyDbg and IDA Pro,
05:49
great tools to add to your arsenal once you get to a more advanced stage, where you really want to dig into the malware and see what's going on.