Advanced Malware Analysis: Combating Exploit Kits

Cyber-crime is rampant, and it's only getting worse. This hands-on course will show you how to analyze the most difficult cyber intrusions so that you can understand and better protect your data from exploit kits, an advanced form of malware.
Course info
Rating
(35)
Level
Advanced
Updated
Jun 9, 2016
Duration
2h 23m
Table of contents
Course Overview
Introduction
Recognizing the Exploit Vector
Unraveling Exploit Obfuscation
Circumventing Exploit Kit Encryption
Understanding Moving Target Communications
Detecting Angler in the Wild
Performing Safe Dynamic Analysis
Analyzing Files Statically
Reversing Malware with Debugging Tools
Reversing Malware with IDA Pro
Customizing Reports: From Researchers to CISOs
Description

Cyber-criminals are innovating faster than ever, and the cyber-crime industry caused the loss of hundreds of billions of dollars last year across the US and Europe alone. In this course, Advanced Malware Analysis: Combating Exploit Kits, you'll learn the skills you need to pull apart and analyze exploit kits (an advanced form of malware) with Dr. DeMott. First, you'll explore the tools and techniques you'll be using and analyze events collected by Bromium micro-VMs. Next, you'll work on unraveling the exploit kits: figuring out which ones were used, what they look like, how to decrypt them, and how to detect them in the wild. Finally, you'll learn how to conduct safe dynamic analysis of these exploit kits, detect command-and-control (CNC) communication, and share your analyses so that these problems can be remedied. By the end of this course, you'll not only have a better understanding of what exploit kits are and how to detect them, but you'll also be able to analyze how they work and report on them so that your data is safer than ever from cyber-crime.

About the author

Dr. Jared DeMott is the founder of the security company Vulnerability Discovery & Analysis (VDA) Labs. DeMott is a former NSA security analyst, Microsoft BlueHat Prize winner, and was the CTO at Binary Defense. He's frequently quoted in media and invited to speak at security events.

More from the author
Security for Hackers and Developers: Fuzzing
Intermediate
2h 9m
Dec 14, 2016
Section Introduction Transcripts

Course Overview
Hello everyone, my name is Dr. DeMott, and welcome to my course, Advanced Malware Analysis: Combating Exploit Kits. I'm the CTO at Binary Defense Systems and have been a longtime security researcher and malware and vulnerability expert. Mentoring is also a core part of what I enjoy. Did you know that cybercrime is a multi-billion dollar industry? It's easy for the good guys to fall behind because of the flood of new attacks. In this course, we're going to turn the tide as I explain the details of how these threats operate. Some of the major topics that we will cover include using next-generation security tools, understanding exploit kits, reverse engineering ransomware, and extracting malicious document internals. By the end of this course, you'll know how to defeat, or at least dissect, the latest threats. Before beginning the course, you should be at least somewhat familiar with security, malware, and exploit basics. After completing this training, you should feel comfortable diving into other security courses like exploit development, reverse engineering, incident response, penetration testing, and more. I hope you'll join me on this journey toward stopping cybercrime with the Advanced Malware Analysis: Combating Exploit Kits course, only at Pluralsight.

Introduction
Dr. DeMott here, and welcome to Advanced Malware Analysis. This course has a lot of great modules. Here's what we're going to cover. In this introduction, we'll talk about a commercial tool, and later we'll look at open source tools. As we get into the malware, we'll talk about how the exploit worked and how we have to take that apart and get through the obfuscation to figure out what's really going on. EKs, or exploit kits, are a nasty cybercrime tool that we're going to take a hard look at. They use a lot of tricks to avoid us, but we're wise to all of them. Angler has been the prevalent EK this year; who knows what we'll see next year, but either way, learning how to go deep on one attack pattern will give you the knowledge you need to go against future attacks. We'll learn how to analyze these threats safely. First, we'll start with the files. Then we'll go deep and debug the malware. Finally, we'll pull it apart statically with IDA Pro. By the time you're done with this class, you'll have learned more than you can imagine, and we'll learn how to share that with others. Nothing beats a good demo. Let's dive right into this to see what we're talking about. We're going to analyze a security alert, and we could use a number of open source or commercial tools. A few years back, we saw a lot of next-gen network tools hit the market, while more recently next-gen endpoint tools have become necessary. For example, an exciting company called Binary Defense Systems has released a tool called Vision, which is part of the way they help protect their customers. But here I decided to use Bromium because of its protection and analysis features.

Circumventing Exploit Kit Encryption
Dr. DeMott here, and welcome back to Advanced Malware Analysis. We're going to continue pulling the layers of this onion apart. In particular, we'll discover some of the places where Angler uses encryption, and learn how to defeat it. So I don't always take the time to do this, but I wanted to show one possible quick solution to the DEVTS upgrade assignment from the last module. Then we'll talk further about exploit kits, and, of course, we'll keep pushing on the primary components of the assignment, which are to continue the HTML analysis as well as the Flash file analysis. So last time I asked you to include the five web files prior to the first file system event being reported by the analysis DEVTS script, and by inserting a function, which I called is_web_attack, the first time we find a file event, we can implement this idea. We can see that function on line 583, and we pass it the events data structure as well as the index into that data. And again, there are lots of ways you could write this function, but for me this was the fastest. I simply find the first file events prior to this index which end in either HTM, SWF, or JAR. Sure, the file extensions could be fake, but this is sufficient for now, especially considering that, to render, those file extensions oftentimes need to be legit. But either way, then we simply print that list in reverse order, and that's it. And then we'd end up with something like this. So part of the point was just to make sure that as advanced analysts we have the ability to quickly and programmatically prototype some quick changes to whatever tools we're working on, and as well, it makes it so clear that it looks like this attack came from malvertising, or from an ad, which is part of Angler's go-to move. And we'll see that. We're about to jump right into the exploit kit talk now.
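As an added example (not the course's DEVTS script or its line 583 function), here is one way to prototype the is_web_attack idea described above in Python. The event layout (a list of dicts with a "kind" of "web" or "file" and a "url" or "path"), the stripping of query strings before checking the extension, and the sample timeline are all assumptions of this example.

```python
# Added example: prototype of the "walk back from the first file event and
# list the web resources that led up to it" idea. Event layout is assumed.
from typing import Dict, List

# Extensions the transcript singles out as typical exploit-kit web files.
WEB_EXTS = (".htm", ".swf", ".jar")


def is_web_attack(events: List[Dict[str, str]], index: int, count: int = 5) -> List[str]:
    """Return up to `count` web resources (by extension) that precede events[index],
    oldest first.  An empty list means nothing web-like led up to that event."""
    found: List[str] = []
    for ev in reversed(events[:index]):          # walk backwards from the file event
        url = ev.get("url", "")
        name = url.lower().split("?", 1)[0]      # assumption: ignore query strings
        if name.endswith(WEB_EXTS):
            found.append(url)
            if len(found) == count:
                break
    found.reverse()                              # chronological order for printing
    return found


def first_file_event_index(events: List[Dict[str, str]]) -> int:
    """Index of the first file-system event, or -1 if there is none."""
    for i, ev in enumerate(events):
        if ev.get("kind") == "file":
            return i
    return -1


def web_files_before_first_file_event(events: List[Dict[str, str]]) -> List[str]:
    """What the upgraded script does the first time it hits a file event."""
    idx = first_file_event_index(events)
    return is_web_attack(events, idx) if idx >= 0 else []


# Constructed sample timeline (not real data): an ad redirect chain, then a drop.
SAMPLE_EVENTS = [
    {"kind": "web", "url": "http://ads.example/serve?id=1"},
    {"kind": "web", "url": "http://ads.example/banner.htm"},
    {"kind": "web", "url": "http://landing.example/index.htm?x=1"},
    {"kind": "web", "url": "http://landing.example/x.swf"},
    {"kind": "file", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\a.tmp"},
    {"kind": "web", "url": "http://other.example/after.htm"},
]

if __name__ == "__main__":
    for url in web_files_before_first_file_event(SAMPLE_EVENTS):
        print(url)
```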

Understanding Moving Target Communications
Dr. DeMott here, and welcome back to Advanced Malware Analysis. We're going to talk about understanding moving target communications as it relates to malware. First we're going to review the prior assignment, then we'll talk about obfuscation, then we'll talk about DGAs, and finally detection. In the prior module, we were asked to look at a landing page decoding script, and there are many ways we could modify, rewrite, or upgrade landing.py. You could even cheat a little bit, as shown here. For the most interesting bits, I just rewrite the JavaScript as Python, and you can do the decryption right there. I'll talk about this more later. Also, after we dump the outer Flash, we were asked to examine the inner Flash and see if it was indeed CVE-2015-0515. If you do a quick internet search, you'll see that a researcher named Matt O. published a blog called Technical Analysis of this CVE, and it's pretty clear our SWF uses this same bug, not only from VirusTotal and other online resources, but we see the exact byte sequence that is indicative of that bug in our file as well. Analyzing the rest of this SWF is left to you as further research if you'd like, because I want to move on to other topics today.

Detecting Angler in the Wild
Welcome back to Advanced Malware Analysis. I'm Dr. DeMott, and in this module we'll discuss techniques and tools to detect the exploit kit known as Angler. As we've seen, exploit kits are more agile and diverse than any single, typical malware. Finding examples can be tricky, but we need those samples. Then we'll investigate tools such as YARA to detect the nefarious activities of malware. Finally, we'll complete a lab in which you learn to create such rules. First, let's look at another Angler communication. I'll show you another capture from a different Bromium isolation event. So how should we look if you have a malicious URL? I'll show you how to find one in a second. Be sure that you browse in private mode, and watch those cookies. Delete any cookies that Angler might be looking for. And be careful about your IP address. Exploit kits might block certain IP addresses. For example, anonymizers like Tor are great because you can come from different IPs and from different parts of the world. However, the list of Tor exit nodes is well known and published, so exploit kits could grab that list and block anyone coming from an exit node. In terms of where we can find more Angler samples, for one thing, I'll post another one along with this module. Also, you can search for #angler in VirusTotal, and you can try those URLs if you have a safe malware cage set up, like Bromium. You can even use retrohunt to try and search against prior malware. But getting on a private list like YARA Exchange, where people share URLs, is a great source of live data, because once URLs are in VirusTotal, the malware authors can easily detect that they're up and take those sites down.

Reversing Malware with Debugging Tools
Dr. DeMott here, and welcome back to Advanced Malware Analysis. We continue our examination of malware samples in this module. Typically, we lecture first, but for this module, I thought I'd just jump right into a demo and let you see what it's going to take to unpack one of these malware samples. In this module, we're at a point in our analysis where we want to determine the details of the malware's operation. To learn more, we could begin with either static or dynamic reversing; it just depends on the type of sample we're dealing with. So I'll teach how and when to start with dynamic versus static analysis. A big part of this module is going to be learning to reverse malware with a debugger, and I'll cover a variety of other tools and techniques that we can use to begin to pull these samples apart. But before we talk about the tools and techniques, let's just see how it gets done. That'll give us a feel for what dynamic analysis is all about.

Reversing Malware with IDA Pro
Dr. DeMott here, and welcome back to Advanced Malware Analysis. In this module, we'll finish our investigation of the malware samples we've been pulling apart. It's finally time to dig in with the reverse engineering tool IDA Pro. I won't be able to fully cover IDA and all of its features; that'll happen in another course, but I'll give us everything we need to know for doing malware analysis. So, just like in the last module, I'll start with a demo to tease you into following the lecture, and then I'll remind us that doing malware analysis is always a cyclic endeavor, and it's okay to go back and forth between debugging and other tools, whatever is needed during the static analysis. Then I'll remind us about why we're doing this: what exactly will the goal be? And we'll see the features of IDA, and whatever other tools we need to assist us in our goals. And as always, I'll give you a task to help you perfect the teaching of this module. So first, let's jump over to the demo.

Customizing Reports: From Researchers to CISOs
Dr. DeMott here, and welcome back to the final episode of Advanced Malware Analysis. In this module, we'll wrap up and talk about reporting. First, let's recap some highlights from this course, then we'll talk about why we report and how that data is consumed. Our efforts may end up as data in a threat intelligence feed, or perhaps we'll produce a written report, or nowadays, probably both. If the report is written, it should have different key sections for different readers. Ransomware is so disruptive when it evades security controls. With early versions of most ransomware, it was possible to unlock without paying. For example, because of poor implementation, it was possible to decrypt Tesla versions 1 and 2. However, with versions 3 and 4 of Tesla, there could still be a weakness that hasn't been discovered yet, but it's not known, and it seems like the ransomware's getting pretty good for the A players. In this case, the encryption key is only in memory for a short time when the malware is first encrypting the files, and then it's destroyed. So even being on the box after the attack, or having PCAPs or some of the other types of things that might have helped for other versions, is not so helpful. The best recourse is good protection, or even better, offline or off-site backups.