Malware, Cryptominer
& other Threat
Setia Juli Irzal Ismail
Malware Analyst
ID-CERT Telkom University
Introduction
Malware Analysis Technique
Cryptomining Malware
Other Threat
Discussion
Introduction
• Setia Juli Irzal Ismail
• Jul Ismail
• Malware Analyst – ID-CERT
• Lecturer – Telkom University
www.cert.or.id/
ID-CERT
• Indonesia Computer Emergency Response Team
• 1998 – Dr. Budi Rahardjo
• Community based
• Incident Handling
• Malware Lab
• Research & Training about Malware
• Tools: Malware Scanner
• Founder AP-CERT: JP-CERT & AusCERT
Malware
Wannacry
• EternalBlue exploit → SMBv1
• DoublePulsar backdoor
• Hospitals
• 1 million victims
• Lazarus?
• May 2017
• March: Microsoft patch
Stuxnet
ATM malware
Malware
• Malicious software
Classification
• Virus
• Worm
• Trojan
• Backdoor
• Adware
• Rootkit
• Ransomware
How does it Spread
• Email
• Flash Disk
• File Sharing
• Website
• Pirated Software
• Malicious apps
Why do people write malware
Back then
• Experiment
• Fun
• Lone actors
Now
• Money
• Espionage
• Stealing information
• Cyberweapons
• Cybercriminal groups
• Governments
Malware Statistics
• 250,000 new samples/day – Sophos
• 800 million malware samples – AV-TEST
• 52% Indonesia – Kaspersky
• 17th
• 86% pirated software – ESET
• 97% Android malware
Malware Detection Technology
• Signature based
• Heuristic
Malware Analysis
Why Analyze Malware
To:
• assess damage
• discover indicator of compromise
• identify Vulnerability
• Catch the bad guy
• Answer questions
Indicators of compromise?
• Unusual Outbound Network Traffic
• Anomalies in Privileged User Account Activity
• Geographical Irregularities
• Increases in Database Read Volume
• HTML Response Sizes
• Large Numbers of Requests for the Same File
• Suspicious Registry or System File Changes
• Unusual DNS Requests
• Unexpected Patching of Systems
• Mobile Device Profile Changes
• Unusual Web Traffic
• Signs of DDoS Activity
IoC
• Improve the IDS, Firewall, Antivirus
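The "Unusual DNS Requests" indicator and the idea of feeding IoCs into the IDS can be shown in code. The example below is added here and is not part of the slides: it parses a constructed resolver log, matches each queried name against a constructed IoC list (the domains are placeholders, not real indicators), and additionally flags long, high-entropy leftmost labels of the kind DGA malware such as Conficker produces. The log format and the entropy threshold of 3.5 bits are assumptions.

```python
import math
import re
from collections import Counter

# Constructed threat-feed entries (placeholders, not real indicators).
IOC_DOMAINS = {"update-check.example-c2.test", "cdn.bad-miner.example"}

# Constructed resolver log: timestamp, client IP, query type, queried name.
SAMPLE_DNS_LOG = """\
2018-02-01T09:00:01 10.0.0.12 A www.google.com
2018-02-01T09:00:05 10.0.0.12 A update-check.example-c2.test
2018-02-01T09:00:09 10.0.0.15 A xk3jq9vz2lmw7yb4.info
2018-02-01T09:00:11 10.0.0.15 A mail.telkomuniversity.ac.id
2018-02-01T09:00:14 10.0.0.17 TXT cdn.bad-miner.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_query(name: str, ioc_domains=IOC_DOMAINS, entropy_threshold=3.5) -> list:
    """Return the reasons a queried name is suspicious (empty list means clean)."""
    reasons = []
    if name in ioc_domains:
        reasons.append("ioc-match")
    label = name.split(".")[0]
    # Short labels are too small for entropy to mean anything; 12+ chars is an assumption.
    if len(label) >= 12 and shannon_entropy(label) >= entropy_threshold:
        reasons.append("dga-like")
    return reasons


def scan_dns_log(text: str) -> list:
    """Parse log lines and return (timestamp, client, name, reasons) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        ts, client, _qtype, name = m.groups()
        reasons = classify_query(name)
        if reasons:
            hits.append((ts, client, name, reasons))
    return hits


if __name__ == "__main__":
    for ts, client, name, reasons in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} {name} -> {', '.join(reasons)}")
```

The IoC match is the cheap, precise check; the entropy heuristic catches names that no feed has seen yet, at the cost of occasional false positives on legitimate CDN hostnames, so the two are reported as separate reasons rather than merged into one score.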
Basic Questions
• What is the purpose of malware?
• How did it get here?
• Who are they and how good are they?
• How to remove it?
• What did they get?
• How long has it been here?
• Does it spread to other machines?
• How do I prevent this from happening again?
Technical Questions
• Network Indicator?
• Host Based Indicator?
• Persistence Mechanism?
• Date of compilation & installation?
• What language was it written in?
• Is it Packed?
• Obfuscation technique?
• Rootkit Functionality?
Safe Environment
• Do not run malware on your own computer
• Dedicated malware lab
• Use virtualization
• VMware, VirtualBox, etc.
• Use a different OS than the malware's target (static analysis)
Safe Environment??
• The malware behaviour might change
• Network: connect to a C&C server?
• Facing a real battle
• Our IP can become the target: consider using
• Accidentally attacking other people
Fake Network
• Host-only networking feature on the VM
• Fake DNS tool
• Listen on ports and watch network activity
• Build a custom C&C server
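What a fake DNS tool (ApateDNS-style) actually does on the wire is simple enough to show end to end. The example below is added here and is not code from the slides or from any of the tools named: it builds and parses minimal DNS packets and answers every A query with a sink address, so that whatever the sample tries to contact resolves to the analyst's listener on the host-only network, while every requested name is logged as a network indicator. The sink address 10.0.0.1 and the transaction id are constructed values; the UDP socket loop a real tool would wrap around `handle()` is left out.

```python
import ipaddress
import struct

# Constructed lab setting: every name is answered with this address (assumed to be
# the analyst's listener VM on the host-only network).
SINK_IP = "10.0.0.1"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query; stands in for what the sample would send."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS=IN


def parse_query(pkt: bytes) -> dict:
    """Decode the header and the single question of a DNS query packet."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack_from(">HH", pkt, pos)
    return {"txid": txid, "flags": flags, "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "question": pkt[12:pos + 4]}


def build_sink_response(query_pkt: bytes, sink_ip: str = SINK_IP, ttl: int = 60) -> bytes:
    """Answer any A/IN query with the sink IP; other types get an empty NOERROR reply."""
    q = parse_query(query_pkt)
    answers, ancount = b"", 0
    if q["qtype"] == 1 and q["qclass"] == 1:
        # 0xC00C is a compression pointer to the question name at offset 12.
        answers = (b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
                   + ipaddress.IPv4Address(sink_ip).packed)
        ancount = 1
    # Flags 0x8180: response, recursion desired and available, RCODE 0.
    header = struct.pack(">HHHHHH", q["txid"], 0x8180, 1, ancount, 0, 0)
    return header + q["question"] + answers


def answered_ip(response_pkt: bytes):
    """Address in the single A answer of a sink response, or None if there is no answer."""
    ancount = struct.unpack_from(">H", response_pkt, 6)[0]
    if ancount == 0:
        return None
    return str(ipaddress.IPv4Address(response_pkt[-4:]))


class FakeDns:
    """Stand-in for the fake DNS tool: answers with the sink and logs every name seen."""

    def __init__(self, sink_ip: str = SINK_IP):
        self.sink_ip = sink_ip
        self.seen = []  # requested names in order: these become network indicators

    def handle(self, query_pkt: bytes) -> bytes:
        self.seen.append(parse_query(query_pkt)["name"])
        return build_sink_response(query_pkt, self.sink_ip)


if __name__ == "__main__":
    fake = FakeDns()
    reply = fake.handle(build_query("c2.example-invalid.test"))
    print("answered with", answered_ip(reply), "| names seen:", fake.seen)
```

Pointing the VM's resolver at a host running this logic on UDP port 53 gives the two things the slide asks for: the sample's C&C hostnames (from `seen`) and a predictable place (the sink) where a Netcat listener or custom C&C server can capture the follow-up traffic.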
Virtualization?
• Reduces risk
• Snapshots
• Video recording
• Set up no network or a host-only network
• Sharing functionality?
• VMs are not perfect
• Malware can detect the VM
• Sometimes it can escape the sandbox (0-day worm)
Malware Analysis
• Static Analysis
• Dynamic Analysis
Static
• Code is not executed
• Reverse engineering
• "Autopsy" of the code
Dynamic Analysis
• Running the code in a controlled environment
Static Analysis
• Safer
• But...
• Sometimes it is not easy
• Requires a good understanding of programming
• Packers
• Encryption
• Junk code insertion
• Anti-analysis techniques
Static Analysis
Steps
• Fingerprinting (hash)
• Scan with a virus scanner; VirusTotal; documentation
• PEiD: signatures for compiler and packer
• Find strings: strings, IDA Pro
• Web research; be careful
Strings
• Message,
• URL address, IP
• email
• ASCII or Unicode format
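The first two static steps above, fingerprinting and string extraction in both ASCII and Unicode (UTF-16LE) form, fit in a short script. The example below is added here and is not code from the slides: `SAMPLE_BYTES` is a constructed byte blob, not a real sample, containing the kinds of artefacts the slides list (a URL, a UTF-16LE message, an e-mail address and the LoadLibrary/GetProcAddress names); the indicator regexes and the minimum string length of 6 are assumptions.

```python
import hashlib
import re

# Constructed stand-in for a sample: not a real binary, just bytes carrying the
# artefacts the slides mention, separated by non-printable junk. The domain is a
# placeholder, not an indicator.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"http://c2.example-invalid.test/gate.php\x00"
    + b"\x01\x02\x03"
    + "Your files have been encrypted".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + b"admin@example-invalid.test\x00"
    + b"LoadLibraryA\x00GetProcAddress\x00"
)

# Assumed classification rules for strings worth a second look.
INTERESTING = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "dynamic-import": re.compile(r"^(?:LoadLibrary[AW]?|GetProcAddress)$"),
}


def fingerprint(data: bytes) -> dict:
    """Step 1: hash the sample so it can be looked up (VirusTotal, internal case DB)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, like the default mode of the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable UTF-16LE (each char followed by NUL), as Windows stores text."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def triage(data: bytes, min_len: int = 6):
    """Fingerprint the sample and bucket its strings by indicator type."""
    found = {kind: [] for kind in INTERESTING}
    for s in ascii_strings(data, min_len) + utf16le_strings(data, min_len):
        for kind, rx in INTERESTING.items():
            if rx.search(s):
                found[kind].append(s)
    return fingerprint(data), found


if __name__ == "__main__":
    fp, found = triage(SAMPLE_BYTES)
    print(fp)
    for kind, values in found.items():
        print(f"{kind}: {values}")
```

Running the UTF-16LE pass separately matters in practice: a ransom note or registry path stored as wide characters is invisible to an ASCII-only `strings` run, which is one reason a sample can look "clean" on first inspection.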
Strings Example
• Malware sample sends a message (probably through email); the strings reference a mail system .dll file
• Check the email log, find suspect traffic, find the mail system DLL
• DLL: a file containing executable code that is often shared between various applications
• A DLL itself is not malware, but it is often abused by malware
No Strings?
• Packer
• Obfuscation
Packed & Obfuscated
• Techniques to make life hard for a malware analyst
• Packed: the program is compressed → packer
• Obfuscated: hiding the function of a program
• Packed & obfuscated samples make static analysis difficult → no strings
• Functions LoadLibrary and GetProcAddress (often the only imports still visible in a packed sample)
Packed & Obfuscated - Packing
• A wrapper (unpacking stub) decompresses the packed program when it runs
• Only the wrapper can be read statically
Packed & Obfuscated - Detection
• PEiD
• UPX: http://upx.sourceforge.net/
• upx -d PackedProgram.exe
Executables
• Windows: PE (Portable Executable)
• Linux: ELF (Executable and Linking Format)
• MacOS: Mach-O
PE
• Import
• Export
• Metadata
• Resources
PE Header
• Imports: functions from other libraries used by the malware
• Exports: functions of the malware that could be used by other programs
• Time Date Stamp: compile time
• Sections: which sections are present in the sample
• Subsystem: is the sample a GUI or command-line program?
• Resources: strings, icons, menus, etc.
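The PE header fields listed above (compile timestamp, sections, subsystem) can be read with nothing more than `struct`, and the section table is also where the packing signals from the previous slides (UPX section names, high entropy, sections that are empty on disk) show up. The example below is added here and is not code from the slides or from PEiD: `build_sample_pe()` constructs a header-only PE32 image with UPX-style sections for the parser to read (it is not a runnable program), and the 7.0-bit entropy threshold and the packer section-name list are assumptions.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
# Assumed short list of section names that known packers leave behind.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".themida"}


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def packer_hints(sections: list) -> list:
    """Cheap 'is it packed?' signals from the section table alone."""
    hints = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append(f"packer section name {s['name']}")
        if s["entropy"] >= 7.0:
            hints.append(f"high entropy {s['entropy']} in {s['name']}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']} is empty on disk but {s['virtual_size']:#x} bytes in memory")
    return hints


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, optional header and section table of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr, _, _, _, _,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": round(entropy(raw), 2),
                         "characteristics": flags})
    compile_time = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {"machine": machine,
            "pe_format": "PE32+" if magic == 0x20B else "PE32",
            "compile_time": compile_time.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "entry_point": entry,
            "subsystem": SUBSYSTEMS.get(subsystem, f"UNKNOWN({subsystem})"),
            "characteristics": characteristics,
            "sections": sections,
            "packer_hints": packer_hints(sections)}


def build_sample_pe() -> bytes:
    """Constructed, header-only PE32 image with UPX-style sections (not a runnable program)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1494979200, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = bytearray(224)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                          # magic: PE32
    struct.pack_into("<I", opt, 16, 0x11000)                       # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 2)                             # subsystem: GUI
    payload = bytes(range(256)) * 2                                # stands in for compressed code
    sec0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack("<8sIIIIIIHHI", b"UPX1", len(payload), 0x11000, len(payload), 512,
                       0, 0, 0, 0, 0xE0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec0 + sec1
    return headers.ljust(512, b"\0") + payload


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key, value in info.items():
        print(f"{key}: {value}")
```

The compile timestamp is only as trustworthy as the compiler that wrote it (it is a plain field an author can overwrite), so it is best read as a hint to compare against installation dates from the host, not as proof.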
Dynamic Analysis
• Run the malware → observe its actions
Monitor the interaction with the
• file system
• registry
• other processes
• network
Tools
• Process Monitor
• Process Explorer
• Regshot
• Wireshark
• ApateDNS
• Netcat
• Monitor the whole system
• Then filter out the noise
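Regshot's approach, snapshot before, run the sample, snapshot after, and diff, is the simplest way to see the registry and file-system interaction the previous slide lists. The example below is added here and is not Regshot's code: the two snapshots are constructed (registry values and file hashes are placeholders), and the "persistence" and "dropped file" rules that filter the raw diff down to what matters are assumptions that mirror the Persistence Mechanism and Host Based Indicator questions earlier in the deck.

```python
from dataclasses import dataclass

RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Assumed key fragments that point at autostart mechanisms.
PERSISTENCE_KEY_HINTS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Services\\")


@dataclass
class Snapshot:
    """What Regshot-style tools capture: registry values and file hashes at one instant."""
    registry: dict  # key path -> {value name: data}
    files: dict     # file path -> hash digest


# Constructed 'before' and 'after' snapshots; hashes are placeholders, not real digests.
BEFORE = Snapshot(
    registry={RUN_KEY: {"OneDrive": "C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
              "HKCU\\Software\\Lab": {"Setting": "1"}},
    files={"C:\\Windows\\System32\\drivers\\etc\\hosts": "sha256-placeholder-aaaa",
           "C:\\Users\\lab\\Desktop\\sample.exe": "sha256-placeholder-bbbb"},
)
AFTER = Snapshot(
    registry={RUN_KEY: {"OneDrive": "C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
                        "WindowsUpdater": "C:\\Users\\lab\\AppData\\Roaming\\updater.exe"},
              "HKCU\\Software\\Lab": {"Setting": "2"}},
    files={"C:\\Windows\\System32\\drivers\\etc\\hosts": "sha256-placeholder-cccc",
           "C:\\Users\\lab\\Desktop\\sample.exe": "sha256-placeholder-bbbb",
           "C:\\Users\\lab\\AppData\\Roaming\\updater.exe": "sha256-placeholder-dddd"},
)


def flatten_registry(reg: dict) -> dict:
    """(key path, value name) -> data, so two snapshots can be compared as flat sets."""
    return {(key, name): data for key, values in reg.items() for name, data in values.items()}


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Added / removed / changed entries for both the registry and the file system."""
    rb, ra = flatten_registry(before.registry), flatten_registry(after.registry)
    fb, fa = before.files, after.files
    return {
        "reg_added": sorted(ra.keys() - rb.keys()),
        "reg_removed": sorted(rb.keys() - ra.keys()),
        "reg_changed": sorted(k for k in ra.keys() & rb.keys() if ra[k] != rb[k]),
        "files_added": sorted(fa.keys() - fb.keys()),
        "files_removed": sorted(fb.keys() - fa.keys()),
        "files_changed": sorted(p for p in fa.keys() & fb.keys() if fa[p] != fb[p]),
    }


def persistence_indicators(report: dict) -> list:
    """Filter the raw diff down to the entries an analyst writes up as host indicators."""
    hits = []
    for key, name in report["reg_added"] + report["reg_changed"]:
        if any(h.lower() in key.lower() for h in PERSISTENCE_KEY_HINTS):
            hits.append(f"autostart entry: {key} -> {name}")
    for path in report["files_added"]:
        low = path.lower()
        if "\\appdata\\" in low or "\\temp\\" in low:
            hits.append(f"file dropped in user-writable location: {path}")
    return hits


if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for section, entries in report.items():
        print(section, entries)
    print("indicators:", persistence_indicators(report))
```

The raw diff on a real Windows host contains hundreds of unrelated changes (prefetch files, MRU lists, timestamps), which is why the filtering step exists; tuning those rules to the lab image is the "filter out" work the tools slide refers to.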
Sandbox
• Automated malware analysis tool
• Special environment
• Cuckoo Sandbox
Cryptomining malware
Cryptocurrency
• Digital currency generated by computers
• Decentralized, no regulatory body; anonymous
• Produced by solving complex mathematical problems → mining
• Miners process transactions → recorded on the blockchain, a digital ledger
• Miners are rewarded in the form of digital coins
Cryptomining Malware
• Uses the victim's computer to run a mining application
• Websites: use the CPU power of visitors to mine coins
• Code runs in the background
Bitcoin (BTC)
• 2009
• Market: 700 billion USD
• Mining one bitcoin: requires 215 kilowatt-hours of electricity for each transaction
• 1,390 new cryptocurrencies
• Ethereum (ETH), Monero (XMR), Litecoin (LTC), Ripple (XRP), Bitcoin Cash (BCH)
Abuse
• 2017: 7,000 websites compromised → mining (Sucuri)
• Monero
• algorithm does not favor GPUs
• can be mined by web browsers and normal computers
• privacy features make transactions and wallets more difficult to trace
CoinHive
• Cryptocurrency mining service written in JavaScript
• Small piece of code (an API) designed to be installed on websites
• Lets website owners earn an income without running intrusive or annoying advertisements
• Uses some or all of the computing power of any browser that visits
• 32,000 websites (publicwww.com)
Coinhive case
• Installed on hacked websites
• December: embedded in the Wi-Fi hotspot of a Starbucks in Buenos Aires
• January: hidden inside YouTube advertisements
• February: Browsealoud (service for the visually impaired)
• The Pirate Bay
• IoC: 100% CPU load
• Coinhive earns 30%
• Kaspersky reports blocking 70 million web miners (2017)
• All major CMS platforms
• WordPress, Magento, Drupal and Joomla
Hiding tactics
• Encrypted
• Packed
• Fake jQuery script name
• Non-dotted decimal notation for the host name
• Mimicking Google Analytics parameters
• Public repos (GitHub) for distributing JavaScript cryptominers
• Placing the script in hidden iframes
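Each hiding tactic above leaves a trace in the page source that a site owner or responder can scan for. The example below is added here and is not code from the slides or from Coinhive: it walks a constructed HTML page (the site key is a placeholder) with Python's `html.parser` and reports script sources whose host is a bare integer (the non-dotted decimal trick, normalized back to dotted form), jQuery-named scripts served from hosts outside an assumed allow-list, references to the Coinhive library and its `CoinHive.Anonymous` entry point, and iframes hidden by zero size or CSS. The marker strings and the trusted-host list are assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Strings that identify the Coinhive browser miner library and its API entry point.
MINER_MARKERS = ("coinhive.min.js", "CoinHive.Anonymous", "cryptonight")
# Assumed allow-list: a jQuery file name from these hosts is unremarkable.
TRUSTED_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

# Constructed page exercising every tactic at once; the site key is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="http://3232235777/jquery-3.2.1.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body>
<iframe src="https://tracker.example.test/ga.html?utm_source=analytics"
        width="0" height="0" style="display:none"></iframe>
<p>Regular page content.</p>
</body></html>
"""


def is_hidden(attrs: dict) -> bool:
    """Zero-sized or CSS-hidden element: the hidden-iframe tactic."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


class MinerIndicatorScanner(HTMLParser):
    """Collects (kind, detail) findings while the parser streams through the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._check_script_src(a["src"])
        elif tag == "iframe" and is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here; look for the miner API call itself.
        if self._in_script:
            for marker in MINER_MARKERS:
                if marker.lower() in data.lower():
                    self.findings.append(("miner-api-call", marker))
                    break

    def _check_script_src(self, src: str):
        low = src.lower()
        for marker in MINER_MARKERS:
            if marker.lower() in low:
                self.findings.append(("miner-script", src))
        parts = urlsplit(src)
        host = parts.hostname or ""
        if host.isdigit():  # e.g. http://3232235777/ is 192.168.1.1 in disguise
            dotted = ipaddress.ip_address(int(host))
            self.findings.append(("non-dotted-decimal-host", f"{src} -> {dotted}"))
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if filename.startswith("jquery") and host and host not in TRUSTED_JQUERY_HOSTS:
            self.findings.append(("jquery-lookalike", src))


def scan_html(html: str) -> list:
    """Run the scanner over one page and return its findings in document order."""
    scanner = MinerIndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

None of these checks is conclusive on its own (hidden iframes and odd CDN hosts have legitimate uses), which is why the scanner reports each finding with its kind and lets the reviewer weigh them, with the 100% CPU load from the earlier slide as the confirming symptom.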
Wannamine Case
• Mines Monero
• PowerShell and Windows Management Instrumentation
• EternalBlue exploit to spread
Digmine Case
• Fake video file
• Spread via Facebook Messenger
• Coded in AutoIt (a Windows scripting language)
• Only runs on Facebook Messenger's desktop/web browser version
• Sends the fake video link out to all of the victim's Facebook contacts
• Downloads components from the C&C server
• Installs an autostart mechanism in the registry
• Launches Chrome loaded with a malicious extension
• Uses CPU power for mining Monero
Smominru & Adylkuzz
• Botnets
• Targeting servers
• EternalBlue exploit (CVE-2017-0144)
• 24 Monero/day
• Oracle's WebLogic Server (CVE-2017-10271)
Radiflow case
• Water treatment facility
Trickbot
• Existing malware family
• Added a coin miner module
• Spam attachments
• Steals credentials from users → e-wallets
RIG EK
• Exploit kit
• Distributing miners
Mobile and Mac
Android
• Fake apps
• Repackaging technique
• Alternative markets; not on Google Play
• com.coinhiveminer.CoinHive
Mac
• MacUpdate hack
• Modified OnyX, Firefox and Deeper
• Shell script embedded in the file
• Launches the miner
Other Threat
Ransomware
• 2017: the ransomware year
• 400 variants
• Wannacry - May
• ExPetr - July
• BadRabbit - October
Wannacry
• EternalBlue exploit → SMB
• DoublePulsar backdoor
• Hospitals
• 1 million victims
• Lazarus?
• May
• March: Microsoft patch
ExPetr
• Ukraine, Russia
• 5,000 victims
• EternalBlue exploit
• DoublePulsar backdoor
• MeDoc update
• News website in Ukraine
• Two-level encryption: victim files and the MFT
• BlackEnergy's KillDisk?
• July
Ransomware as a service
• Malware kits: tools to make your own ransomware
• Darkweb
• Cerber, Satan, Philadelphia
• Ransomware for Android, Mac, Linux
• Bitcoin → Monero
• Targets: health industry, government, critical infrastructure, education, small & medium enterprises (SMEs)
Malware defense techniques
• Anti-security: AV, firewall
• Anti-sandbox: sandbox
• Anti-analyst: packer, obfuscation, RE
• Machine learning evasion
• Hardware-based evasion
Timeline
• 1980: Encryption: Cascade virus
• 1990: Polymorphism: Chameleon (encryption, junk)
• 1998: Metamorphism (instructions shuffled)
• 1999: Packers
• 1999: Rootkits
• 2008: DGA: Conficker worm
• 2011: Darknet market: Silk Road
• 2015: Firmware: Equation Group, Hacking Team: IoT
• 2015: Dridex: obfuscation: PowerShell, sandbox evasion
• 2016: Fileless malware
• 2017: Machine learning detection: Cerber
Darknet Market
• Cryptservice: $53 - FUD
• Lazercrypter: free packer
• Macro Exploit Crypt Service: macro for spreading malware: $53
• Crypter source code: $1.99
• Arctic Miner: cryptocurrency miner: $3.20
• Betacrypt: code mutation: $239
• BHGroup: crypter ASM & C: $35
• Tutorial FUD backdoor: $0.94
Stegano Malware
• Steganography?
• 2011: Duqu: collecting information
• Encrypt data → embed in file → send to C&C server
• 2014: ZeusVM (variant): image stegano, hides commands
• 2016: Lurk: encrypted URL → BMP file → download payload
• 2016: Stegoloader
Sundown Exploit Kit case
1. User browsing: compromised web or malware ads
2. Redirected to exploit server
3. Download picture (PNG) → blank image
4. Encoded exploit → URL to download the payload
5. Exploits a vulnerability in IE
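A "blank" image that carries a payload, as in step 3 of the Sundown case and the Lurk BMP entry above, usually breaks the container format in a way a parser can notice even without decoding the hidden data. The example below is added here and is not code from the slides or from any of the named families: it builds a constructed 1x1 PNG, then a variant with a private chunk and bytes glued on after the IEND chunk (both constructed, the "payload" is a placeholder string), and walks the chunk list reporting CRC mismatches, non-standard chunk types, truncation and trailing data. The list of standard chunk types is the one from the PNG specification.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tIME",
                   b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"tRNS",
                   b"hIST", b"sPLT"}

# Constructed placeholder for whatever an exploit kit would glue onto the image.
APPENDED_PAYLOAD = b"CONSTRUCTED-ENCODED-PAYLOAD-PLACEHOLDER" * 3


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length, type, body, CRC32 over type+body, as the PNG spec lays out a chunk."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_blank_png() -> bytes:
    """Constructed 1x1 grayscale PNG: the 'blank image' of the Sundown case."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth 8, gray
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one black pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def build_suspicious_png() -> bytes:
    """Blank image with a private chunk inserted and bytes appended after IEND."""
    blank = build_blank_png()
    iend = png_chunk(b"IEND", b"")
    return blank[:-len(iend)] + png_chunk(b"stEg", b"\x00" * 64) + iend + APPENDED_PAYLOAD


def inspect_png(data: bytes):
    """Walk the chunk list; return (chunks, findings) where findings are structural anomalies."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks, findings = len(PNG_SIG), [], []
    while True:
        if pos + 8 > len(data):
            findings.append(("truncated", f"no chunk header at offset {pos}"))
            return chunks, findings
        length, ctype = struct.unpack_from(">I4s", data, pos)
        name = ctype.decode("latin-1")
        if pos + 12 + length > len(data):
            findings.append(("truncated", f"{name} chunk runs past end of file"))
            return chunks, findings
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        if stored_crc != zlib.crc32(ctype + body):
            findings.append(("bad-crc", name))
        if ctype not in STANDARD_CHUNKS:
            findings.append(("non-standard-chunk", f"{name} ({length} bytes)"))
        chunks.append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = len(data) - pos  # image decoders stop at IEND and never see this
    if trailing:
        findings.append(("data-after-iend", f"{trailing} bytes"))
    return chunks, findings


if __name__ == "__main__":
    for label, image in (("blank", build_blank_png()), ("suspicious", build_suspicious_png())):
        chunks, findings = inspect_png(image)
        print(label, chunks, findings)
```

Data after IEND is the commonest appended-payload pattern because every viewer renders the image normally; true LSB steganography inside IDAT needs statistical tests, so a clean result from this structural check rules out only the cheap variants.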
Stegano Malware - 2
• Cerber: Word macro → drops .vbs → downloads JPG
• Vawtrak: downloads favicon.ico
• Magento case: malware sends the payment card information with image stegano
• Network stegano: hiding the traffic to the C&C server in DNS traffic or HTTP requests → TeslaCrypt
Android
• 2017: 10 million Android malware samples
• Rootnik
• Dloadr-ECZ
• Axent-ED
King of Glory
• Chinese game
• Fake app – ransomware
• Lock screen & crypto ransom
• Lock screen
• Judy: 36 million victims
• Xavir: 800 Android apps
• WireX botnet: 140,000 victims → DDoS
Ghostclicker
• 300 apps
• Disguised as the Google Play Services library
• Facebook ads library
• Adware
Mac Malware
• PUA
• Optimizers: MacKeeper, Advanced Mac Cleaner, TuneUpMyMac, etc.
• MacRansom
• MacSpy
Microsoft - Malware
• Office
• PowerShell
• Zero-day vulnerabilities
Botnet
• Botnet?
• IoT: IP cameras
• Mirai botnet → tsunami DDoS
• IP cameras and routers
• 620 Gbit/s: KrebsOnSecurity
• 1 Tbit/s: OVH
Other trends
• Software distribution: CCleaner, ExPetr
• UEFI & BIOS attacks: Hacking Team
• Wipers: Shamoon → Aramco
• Espionage malware & APT
• Social media: fake accounts & bots → hoaxes
• Router & modem hacks
Beginner
• Practical Malware Analysis - Honig & Sikorski
• awesome-malware-analysis (tools and resources list)
• Open Courseware by RPISEC
• Lenny Zeltser's blog
• The SANS Digital Forensics Blog
• Crackmes.de
Thank you
jul [at] tass.telkomuniversity.ac.id
jul_ismail
Blog: julismail.staff.telkomuniversity.ac.id
