Catch Me, If You Can
by Marion Marschalek
on 18 October 2013

Transcript of Catch Me, If You Can

Catch Me
Malware Anti-Analysis
Escaping The Analyst
Neo, is this the Matrix?
Virtual Malware Analysis - Why?
Attacking the Simulator
On-The-Fly Behavior Analysis
Changing Outfits
Hinder Static Analysis
Anti-Everything
Hard to code - but why not just buy it...
If You Can
Anti-Disassembly
Anti-Simulation
Anti-Virtualization
Out-Of-The-Box
Hide and Seek: Malware vs. Reverse Engineer
Mocking the Analyst
Anti-Debugging
The Analyst:
Marion Marschalek
IKARUS Security Software GmbH
FH St. Pölten Graduate
Reverse Engineering Hobbyist
Nut Cracker by Heart
Full-Contact Martial Artist
Malware 2013
Malware Detection 2013
Windows
Android
MacOSX
Drive-By
Social Engineering
E-Mail
Hacking

Trojans
Spies, Backdoors, Keylogger
Ransomware & Fake AntiVirus
Bots
Rootkits / Bootkits
Worms
Viruses
Adware
Web-Threats
Exploits & Exploit-Kits
Infection
Platform
Multifunctional Malware
Multiple Components
Multi-Stage Attacks
Scenarios:
visit of infected website
execute java exploit on local machine
gain execution rights on system
execute malware
download malicious executable
infiltrate system
gain persistence
contact the C&C Server
... do evil things...
At the moment:
More than 85 million known Malware Samples.
Encryption & Runtime-Packing
Code Transformation
Code Obfuscation & Anti-Disassembly
Anti-Simulation
Anti-Debugging
...
Anti-What-Not?
Static Pattern Matching
"Weapons of Match Destruction"
(chart) IKARUS VDB (Virus Data Base) size in bytes since 05/2006
Signature vs. CRC-32
Measures to prevent
Malware Detection & Analysis
87% of known Malware is detected using Pattern Matching
Behavior Patterns
Statistical Patterns
Pattern Optimizations
Simulation & Sandboxing
Entropy & Anomalies
Data Mining & Artificial Intelligence
Detection of Virtualized Environments
Old School: Registry
Classy: RedPill
EVERY Operating System has its dedicated IDT
Windows:    0x80ffffff
Linux:      0xc0ffffff
VMWare:     ca. 0xffxxxxxx
VirtualPC:  ca. 0xe8xxxxxx
SIDT instruction:
offset(IDT) > 0xd0xxxxxx ?
Simple: Analyst's Toolset
Analysis Tools running?
Analysis Tools installed?
Suspicious Machine
Name?
Intelligent Patterns & Runtime Unpacking
Time is Money err.. Detection
Time-Sensitivity per Definition
Nonsense Loops
Detonation at T-25min
Go Exotic?
Special Instruction Sets
Unusual API Calls
GetModuleHandleA
CreateFileA
VirtualAlloc
vs. SetTextColor -- ?
Modify Disassembly Output on-the-fly
Self-Modifying Code
Next Step: Poly- & Metamorphism
Detecting the Debugger
API-Calls like IsDebuggerPresent
Time is Money errr.. Detection (again)
Execution Path Confusion
(diagram) a chain of Exception -> Handler Code -> New Entry Point, repeated five times, finally reaching the Malicious Code; the remaining blocks between the entry points are GARBAGE
Runtime-Packer
Crypter
Obfuscators
All-In-One Solutions