
myGOSSCON 2009, Malaysia

Welcome

Malware Avoidance with Open Source Software

Muhammad Najmi bin Ahmad Zabidi

Department of Computer Science


Kulliyyah of Information & Communication Technology
International Islamic University Malaysia

6th November 2009

najmi@kict.iiu.edu.my
Created with LaTeX

Muhammad Najmi myGOSSCON 2009, Malaysia


Agenda

Agenda I
1 What this presentation covers. . .
2 Intro
3 Malware origin
4 Malware infection method
5 Malware behavior
6 Malware Communication
Robot network botnet
Vicious circle of evils
Logging communications
Logs
Graphviz diagram
Logs
Logs in a table
Some math stuffs

Agenda II
Capabilities
Issues in malware containment
7 Selection of solutions
IDS
Antivirus and friends
Reporting sensors
8 Nepenthes Honeypot
Setup
Setup
Malware flow illustrated
9 Amun Honeypot
List of open connections
10 SurfIDS

Agenda III
11 New honeypot
Dionaea

12 Toying with binaries


Analyst tools
Emulation
IDS
Nebula

13 Conclusion


What this presentation covers. . .

User’s perspective
Host level
IT admin perspective
Network level, policy level

What this presentation covers. . .

Focus. . .

We’ll start with the origin of malware

Then the problems it causes
Finally the containment/threat-prevention methods
I use the word avoidance since it is broad . . .

Intro

Intro to Malware

Malware is short for Malicious Software

Motives:
Identity theft (privacy breach)
Financial loss (which may be caused by the above)
Denial of service
Information espionage
Underground economics

Malware origin

What is malware

It is a program that performs malicious activity

Also known as a binary, since it comes in compiled form
Some actions it can take after infection:
Delete files
Lock commands from the user, say Ctrl+Alt+Del
Prevent connections to antivirus (AV) websites - e.g. Conficker did this
Remotely activate the webcam - for espionage .. or perhaps peeping
Remember GhostNet?
Affects mainly Windows; it exists on Linux too

Malware infection method

How malware infects machines

It can infect a machine by. . .


Drive by downloads
Email attachments
File shares
Decoy (warez movies, free wallpaper and stuffs)

Malware behavior

The behavior of malware

Pretends to be a normal system process

Current method - packing - more sophisticated, since it can minimize its size while remaining an executable file
If it is part of a botnet, it starts to open communication to external machines

Malware Communication
Robot network botnet

Botnets

A botnet, a robot network, communicates with its herder

This channel is known as C&C (command and control)
The communication can be viewed by looking at the open ports in use

Malware Communication
Vicious circle of evils

Deceived malware

192.168.2.82  -> 192.168.1.245 ftp://1:1@192.168.2.82:8519/setup42278.exe
192.168.2.131 -> 192.168.1.251 ftp://1:1@192.168.2.131:13552/setup51182.exe
192.168.2.82  -> 192.168.1.234 ftp://1:1@192.168.2.82:8519/setup60058.exe
192.168.2.58  -> 192.168.1.248 ftp://1:1@192.168.2.58:5399/setup15538.exe
192.168.2.131 -> 192.168.1.243 ftp://1:1@192.168.2.131:13552/setup14445.exe
192.168.2.82  -> 192.168.1.231 ftp://1:1@192.168.2.82:8519/setup13836.exe
192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/eraseme22402.exe
192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/setup75276.exe
192.168.2.88  -> 192.168.1.248 ftp://1:1@192.168.2.88:26655/setup17788.exe
192.168.2.131 -> 192.168.1.231 ftp://1:1@192.168.2.131:13552/setup24346.exe

Malware Communication
Logs

Visualization program

Visualization can help with analyzing the data

Tools available - Graphviz, for example
Or you may just read the log file. . . but doesn’t that hurt you in any way?

Malware Communication
Logs

Look at this illustrated sensor logs

Malware Communication
Logs

Zoom in!

Malware Communication
Logs

Logs in a table

Malware’s Name      Originated IPs   Submission attempts
Trojan.Kolabc.BFY   192.168.2.141    210
                    192.168.2.131    107
                    192.168.2.214     35
                    192.168.2.82      14
                    192.168.2.52       8
                    192.168.2.37       2
Trojan.SdBot-8638   192.168.2.100     92
Worm.Kolab-284      192.168.2.153      4
                    192.168.2.58      34
                    192.168.2.214     21
                    192.168.2.55      60
                    192.168.2.155      1
Trojan.DsBot-15     192.168.2.51     271

Malware Communication
Some math stuffs

Malware propagation rate

Explanation by Goranin et al. (2008):

\[ \frac{da}{dt} = K a (1 - a) \]

\[ a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}} \]

The number of infected hosts at time t if K is known (Nazario).

where K is the constant average compromise rate, which is dependent on worm processor speed, network bandwidth and location of the infected host; a(t) is the proportion of vulnerable machines which have been compromised at the instant t; N a(t) is the number of infected hosts, each of which scans other vulnerable machines at a rate K per unit of time. Since a portion a(t) of the vulnerable machines is already infected, only K(1 - a(t)) new infections will be generated by each infected host, per unit of time. The number n of machines that will be compromised in the interval of time dt (in which a is assumed to be constant)
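How the two formulas on this slide connect, as an added derivation that is not part of the original slides. It uses only the slide's own symbols K, a(t), N and dt; the constant T is taken here to be the instant at which half of the vulnerable population is infected, an assumption made to fix the integration constant.

\[
\begin{aligned}
&\text{Each of the } N a(t) \text{ infected hosts produces } K\,(1-a(t)) \text{ new infections per unit time, so in an interval } dt: \\
&\qquad dn = N a\,K(1-a)\,dt, \qquad da = \frac{dn}{N} = K a (1-a)\,dt \;\Rightarrow\; \frac{da}{dt} = K a(1-a). \\
&\text{Separate variables, using } \frac{1}{a(1-a)} = \frac{1}{a} + \frac{1}{1-a}: \\
&\qquad \int \left(\frac{1}{a} + \frac{1}{1-a}\right) da = \int K\,dt
\;\Rightarrow\; \ln\frac{a}{1-a} = K t + C. \\
&\text{Choosing } C = -KT \text{ (so that } a(T) = \tfrac{1}{2}\text{) gives } \frac{a}{1-a} = e^{K(t-T)}, \text{ hence} \\
&\qquad a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}, \\
&\text{the logistic curve of the slide. Check: } a(T) = \tfrac{e^{0}}{1+e^{0}} = \tfrac{1}{2},\quad a \to 0 \text{ as } t \to -\infty,\quad a \to 1 \text{ as } t \to \infty .
\end{aligned}
\]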

Malware Communication
Some math stuffs

Malware and ports


Malware’s Name      Origin IP       FTP ports used   No of times
Trojan.DsBot-15     192.168.2.51    15807             2
                                    19735             2
                                    23154             2
                                    30487             2
                                    10040             3
Trojan.SdBot-8638   192.168.2.100    4471            44
                                    17747            44
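Both tables above (submission attempts per originating IP, and FTP ports per origin with how often each was used) and the Graphviz diagram suggested on the visualization slide can be produced from the raw download-URL lines shown on the "Deceived malware" slide. The following is an added example written for this write-up, not code from the presentation or from Nepenthes. It assumes the line format seen on that slide (`<attacker ip> -> <sensor ip> ftp://<user>:<pass>@<host>:<port>/<file>`); the sample input is a few of those lines plus one constructed malformed line, included to show that noise is skipped rather than counted.

```python
"""Aggregate sensor download-URL log lines into per-origin tables and a
Graphviz DOT graph.  Added example; not code from the presentation or from
Nepenthes.  The line format is assumed from the slide listing."""
import re
from collections import Counter, defaultdict

# Sample input: lines in the format of the "Deceived malware" slide, plus one
# constructed noise line that must not be counted.
SAMPLE_LOG = """\
192.168.2.82 -> 192.168.1.245 ftp://1:1@192.168.2.82:8519/setup42278.exe
192.168.2.131 -> 192.168.1.251 ftp://1:1@192.168.2.131:13552/setup51182.exe
192.168.2.82 -> 192.168.1.234 ftp://1:1@192.168.2.82:8519/setup60058.exe
192.168.2.58 -> 192.168.1.248 ftp://1:1@192.168.2.58:5399/setup15538.exe
192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/eraseme22402.exe
this line is constructed noise and must be skipped
"""

# <src> -> <dst> <scheme>://[<credentials>@]<host>:<port>/<file>
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<url>(?P<scheme>\w+)://(?:[^@\s]*@)?(?P<host>[^:/\s]+):(?P<port>\d+)/(?P<file>\S+))$"
)


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            yield rec


def submissions_per_origin(records):
    """Submission attempts per originating IP (the 'Logs in a table' view)."""
    return Counter(r["src"] for r in records)


def ports_per_origin(records):
    """FTP ports advertised by each origin and how often each was used
    (the 'Malware and ports' view)."""
    table = defaultdict(Counter)
    for r in records:
        table[r["src"]][r["port"]] += 1
    return {src: dict(ports) for src, ports in table.items()}


def to_dot(records):
    """Graphviz DOT text: one edge per distinct attacker -> sensor pair,
    labelled with the number of download attempts over that pair."""
    edges = Counter((r["src"], r["dst"]) for r in records)
    lines = ["digraph sensor_logs {", "  rankdir=LR;"]
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = list(parse_lines(SAMPLE_LOG))
    print(submissions_per_origin(recs))
    print(ports_per_origin(recs))
    print(to_dot(recs))  # pipe into: dot -Tpng -o flows.png
```

Feeding the DOT output to `dot -Tpng` gives the attacker-to-sensor picture the slides zoom into; the per-origin port counts are what make one infected host recognisable across many sensors, since each origin keeps reusing the same FTP port.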

Malware Communication
Capabilities

What it does
Mass scanning
Finds vulnerable machines
Since it is a parasite, it starts consuming its host’s resources:
Processing power
Storage

Malware Communication
Issues in malware containment

Issue

What makes it so troublesome. . .

Malware has also become open source; some was even GPL’ed!
Experienced, professional cyber criminals
Tools to create malware are also available
Botherders rent out their malware for profit
Fast-flux problem: it makes them hard to crack down on
Malware analysis is challenging
Malware has become polymorphic, metamorphic
Uses code obfuscation, anti-disassembly, anti-forensic, anti-sandbox techniques etc.
Some use encryption, even the still-beta MD6!

Selection of solutions
IDS

Intrusion Detection/Prevention

Snort
Hogwash
Snort inline
SurfIDS

Selection of solutions
Antivirus and friends

AV related tools

WinPooch
  seems abandoned, hence abandonware
  it works side by side with ClamAV or Bitdefender
ClamAV
  Currently under Sourcefire
  Sourcefire sponsors Snort IDS too

Selection of solutions
Reporting sensors

How to obtain data for analysis

Methods
Deploy sensors
IDS/IPS
Honeypot
Network Management System, e.g. OpenNMS
Collect binaries
A Nepenthes sensor, for example, allows automated binary submission to sandboxes
Turn on reporting
Analyze infected host
Clean up infected host

Selection of solutions
Reporting sensors

Honeypot

A honeypot emulates an operating system (heavy) or services (light)

It can be either server side (passive) or client side (active crawl)

Light interaction
  Emulates potentially vulnerable services, e.g. HTTP, FTP, SSH
  Most of the time attracts automated malware
Heavy interaction
  A dedicated machine, which emulates a real machine and software
  Difficult (relatively)
  Known to attract real attackers (humans)

Selection of solutions
Reporting sensors

Comparison

Light interaction: Nepenthes, Glastopf, Labrea, tinyhoneypot, Honeyd, Amun, Dionaea, Kojoney
Heavy interaction: Capture-HPC

Selection of solutions
Reporting sensors

Some other stuffs. . .

FFdetect
detects fast-flux domains
CaptureBAT
analyzes outputs from Capture-HPC
Malzilla

Nepenthes Honeypot
Setup

Nepenthes setup

Since I was using Nepenthes, I’ll share my experience

Set virtual IPs.. either local IPs or public IPs
Only use unused IPs, and with permission; somebody may complain later
Since Linux allows IP aliasing, you can simulate hundreds of IPs, as if there were a lot of machines
Nepenthes emulates vulnerable Windows services

Nepenthes Honeypot
Setup

Nepenthes setup

Relatively easy . . . as easy as “apt-get install nepenthes”

Tune the config file a little, such as the services you plan to emulate and your email address
It will generate a lot of alerts if you’re in polluted traffic
IP aliasing can be done by:

# add 192.168.1.230 through 192.168.1.254 as alias addresses on eth0
for x in `seq 230 254`; do
    ip addr add 192.168.1.$x/24 dev eth0
done

Nepenthes Honeypot
Malware flow illustrated

Amun Honeypot

Amun. . .

najmi@notre-dame:~/Desktop/amun$ sudo ./amun_server.py
[sudo] password for najmi:
(Amun ASCII-art banner)
starting Amun server...
.::[Amun - Main] all servers listening on: 0.0.0.0 ::.
.::[Amun - Main] loading vulnerability modul vuln-ms08067 ::.
.::[Amun - Main] loading vulnerability modul vuln-wins ::.
.::[Amun - Main] loading vulnerability modul vuln-axigen ::.
.::[Amun - Main] loading vulnerability modul vuln-slmail ::.
...........
.::[Amun - Decoder] compiling bonn xor decoder ::.
.::[Amun - Decoder] compiling plain1 shellcode ::.
.::[Amun - Decoder] compiling plain2 shellcode ::.
.::[Amun - amun_server] Port already in use: IP: 0.0.0.0 Port: 25 ::.
.::[Amun - Main] ready for evil orders :::.

Amun Honeypot
List of open connections

Open connections

Snipped output of list of open files (lsof)


root@notre-dame:~# lsof -Pni | grep amun
.. .. .. .. ..
amun_serv 22500 root 15u IPv4 276034 TCP *:21 (LISTEN)
amun_serv 22500 root 16u IPv4 276035 TCP *:23 (LISTEN)
amun_serv 22500 root 17u IPv4 276036 TCP *:38736 (LISTEN)
amun_serv 22500 root 30u IPv4 276049 TCP *:1025 (LISTEN)
amun_serv 22500 root 31u IPv4 276050 TCP *:1111 (LISTEN)
amun_serv 22500 root 32u IPv4 276051 TCP *:1581 (LISTEN)
amun_serv 22500 root 56u IPv4 276075 TCP *:41523 (LISTEN)

SurfIDS

What is SurfIDS

As the name suggests, it is an IDS

Development led by a group of researchers at the University of Amsterdam
Offers a system install or a USB stick as the sensor

New honeypot
Dionaea

Dionaea

Currently developed by Markus Koetter as a part of GSoC, Google Summer of Code

Supposed to be better than Nepenthes
Check http://dionaea.carnivore.it/

New honeypot
Dionaea

Before . . .

$ nmap localhost

Starting Nmap 4.76 ( http://nmap.org ) at 2009-10-31 12:42 MYT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
631/tcp   open  ipp
9091/tcp  open  unknown
15000/tcp open  unknown
45100/tcp open  unknown

New honeypot
Dionaea

Execute . . .

/opt/dionaea/bin/dionaea -l all,-debug -L '*'

Dionaea Version 0.1.0
Compiled on Linux/x86 at Oct 31 2009 00:23:48 with gcc 4.3.3
Started on notre-dame running Linux/i686 release 2.6.28-15-generic

New honeypot
Dionaea

After . . .

$ nmap localhost

Starting Nmap 4.76 ( http://nmap.org ) at 2009-10-31 12:46 MYT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 988 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
42/tcp    open  nameserver
80/tcp    open  http
135/tcp   open  msrpc
443/tcp   open  https
445/tcp   open  microsoft-ds
631/tcp   open  ipp
9091/tcp  open  unknown
15000/tcp open  unknown
45100/tcp open  unknown
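The Before/After pair above is the check a sensor operator should actually script: which listeners did the honeypot add, and is anything listening that the honeypot was not configured to emulate? The following is an added example for this write-up, not code from the presentation, nmap or dionaea. It parses the `PORT STATE SERVICE` text format shown on the two slides; the two listings embedded below are copies of those slides trimmed to the port table, and the set of ports dionaea was expected to expose is taken from the After slide (21, 42, 80, 135, 443, 445 on TCP).

```python
"""Diff two nmap port listings and flag listeners that were not expected.
Added example; not code from the presentation, nmap or dionaea."""
import re

# Port tables copied from the Before/After slides (trimmed to the table).
BEFORE = """\
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
631/tcp   open  ipp
"""

AFTER = """\
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
42/tcp    open  nameserver
80/tcp    open  http
135/tcp   open  msrpc
443/tcp   open  https
445/tcp   open  microsoft-ds
631/tcp   open  ipp
"""

# Services dionaea was expected to emulate, read off the After slide.
DIONAEA_EXPECTED = {(21, "tcp"), (42, "tcp"), (80, "tcp"),
                    (135, "tcp"), (443, "tcp"), (445, "tcp")}

# One nmap table row: "<port>/<proto>  <state>  <service>"
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def open_ports(nmap_text):
    """Return {(port, proto): service} for every row nmap reports as open."""
    result = {}
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m.group("state") == "open":
            result[(int(m.group("port")), m.group("proto"))] = m.group("service")
    return result


def diff_listings(before_text, after_text):
    """Classify ports as newly opened, closed since, or unchanged."""
    before = set(open_ports(before_text))
    after = set(open_ports(after_text))
    return {
        "opened": sorted(after - before),
        "closed": sorted(before - after),
        "unchanged": sorted(before & after),
    }


def unexpected_listeners(after_text, expected_ports, baseline_text):
    """Ports that appeared relative to the baseline but are not in the set
    the honeypot was configured to expose.  A non-empty result means
    something other than the intended emulated services is listening."""
    new = set(open_ports(after_text)) - set(open_ports(baseline_text))
    return sorted(p for p in new if p not in expected_ports)


if __name__ == "__main__":
    d = diff_listings(BEFORE, AFTER)
    print("newly opened:", d["opened"])
    print("unexpected  :", unexpected_listeners(AFTER, DIONAEA_EXPECTED, BEFORE))
```

Run the same comparison after every honeypot upgrade or config change; a newly opened port that is not in the expected set is either a misconfiguration exposing a real service on the sensor or a sign the box itself has been compromised, and both deserve a look before the sensor goes back on the network.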

New honeypot
Dionaea

Check services . . .
dionaea 4590 root  8u IPv4 176514 TCP 127.0.0.1:80 (LISTEN)
dionaea 4590 root  9u IPv4 176515 TCP 127.0.0.1:443 (LISTEN)
dionaea 4590 root 10u IPv4 176518 UDP 127.0.0.1:69
dionaea 4590 root 11u IPv4 176519 TCP 127.0.0.1:21 (LISTEN)
dionaea 4590 root 12u IPv4 176520 TCP 127.0.0.1:42 (LISTEN)
dionaea 4590 root 13u IPv4 176521 TCP 127.0.0.1:445 (LISTEN)
dionaea 4590 root 14u IPv4 176522 TCP 127.0.0.1:135 (LISTEN)
dionaea 4590 root 15u IPv6 176523 TCP [::1]:80 (LISTEN)
dionaea 4590 root 16u IPv6 176524 TCP [::1]:443 (LISTEN)
dionaea 4590 root 17u IPv6 176529 UDP [::1]:69
dionaea 4590 root 18u IPv6 176530 TCP [::1]:21 (LISTEN)
dionaea 4590 root 19u IPv6 176531 TCP [::1]:42 (LISTEN)
dionaea 4590 root 20u IPv6 176532 TCP [::1]:445 (LISTEN)
dionaea 4590 root 21u IPv6 176533 TCP [::1]:135 (LISTEN)
dionaea 4590 root 22u IPv4 176534 TCP 192.168.2.2:80 (LISTEN)
dionaea 4590 root 23u IPv4 176535 TCP 192.168.2.2:443 (LISTEN)
dionaea 4590 root 24u IPv4 176542 UDP 192.168.2.2:69
dionaea 4590 root 25u IPv4 176543 TCP 192.168.2.2:21 (LISTEN)
dionaea 4590 root 26u IPv4 176544 TCP 192.168.2.2:42 (LISTEN)
dionaea 4590 root 27u IPv4 176545 TCP 192.168.2.2:445 (LISTEN)
dionaea 4590 root 28u IPv4 176546 TCP 192.168.2.2:135 (LISTEN)
dionaea 4590 root 29u IPv6 176549 TCP [fe80::213:ceff:feba:cedf]:80 (LISTEN)
dionaea 4590 root 30u IPv6 176554 TCP [fe80::213:ceff:feba:cedf]:443 (LISTEN)
dionaea 4590 root 31u IPv6 176567 UDP [fe80::213:ceff:feba:cedf]:69
dionaea 4590 root 32u IPv6 176572 TCP [fe80::213:ceff:feba:cedf]:21 (LISTEN)
dionaea 4590 root 33u IPv6 176577 TCP [fe80::213:ceff:feba:cedf]:42 (LISTEN)
dionaea 4590 root 34u IPv6 176582 TCP [fe80::213:ceff:feba:cedf]:445 (LISTEN)
dionaea 4590 root 35u IPv6 176587 TCP [fe80::213:ceff:feba:cedf]:135 (LISTEN)

New honeypot
Dionaea

Ok, now that we have got the binaries, what is next?

Toying with binaries
Analyst tools

Analysis of binaries I

Static Analysis
*nix: strings, strace, ltrace, lsof
objdump
readelf
OllyDbg, though free, is yet to be open sourced

Toying with binaries
Analyst tools

Analysis of binaries II

Dynamic Analysis
Anubis
Open framework, but the source code isn’t available
Runs on Qemu
Wepawet
The service is free; it handles Flash/JavaScript files
BitBlaze
Developed at UC Berkeley

Toying with binaries
Emulation

What to emulate?
Qemu and VirtualBox can be used as a sandbox as well
Since the malware is loaded in a virtual machine, it is safer than running it on the host machine
But as a precaution, unplug the machine from any networking device
Apart from these, Wine can be used as a fishbowl as well
Unless it is Wine-aware malware, you should be able to observe the malware’s behavior on the guest OS

Toying with binaries
IDS

IDS on sensing worms

IDS is short for Intrusion Detection System

It triggers alerts
A project such as Snort inline adds a firewall reaction, hence it is known as an IPS - P for Prevention
An IDS can be used to flag the presence of a malicious attack
Remember Conficker?

Toying with binaries
IDS

IDS signature generator

Why automated signature generation?

Writing alert signatures for an IDS isn’t fun
Automation is good, especially when unknown/unclassified attacks appear
Hence automated signatures are really helpful
They aren’t false-positive free though . . .

Example
Nebula, for example, creates signatures from
honeytrap
argos

Toying with binaries
Nebula

Signature alert for Conficker A and B

The following alerts were created automatically by Nebula


alert tcp any any -> $HOME_NET 445 (msg:"conficker.a shellcode"; content:"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid:2000001; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"conficker.b shellcode"; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid:2000002; rev:1;)
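The two Nebula rules above are almost entirely `content:` matches written in Snort's mixed notation: literal text outside the pipes, whitespace-separated hex bytes inside them, and `\;`, `\"`, `\|` and `\\` as escapes. Reading a generated signature, or checking what it would actually fire on, means decoding that notation into bytes. The following is an added example for this write-up, not code from the presentation, Nebula or Snort; it implements only the `content` keyword (no offset/depth/distance modifiers and no other rule options), and the rule and payloads embedded in it are constructed for the example, not the Conficker signatures from the slides.

```python
"""Decode a Snort rule's content: patterns into bytes and test payloads
against them.  Added example; not code from the presentation, Nebula or
Snort.  Only the content keyword is modelled."""
import re

# Constructed rule: hex blocks, literal text, and escaped ; and | inside the
# content string.  Not one of the Conficker signatures from the slides.
SAMPLE_RULE = (
    r'alert tcp any any -> $HOME_NET 445 (msg:"demo shellcode"; '
    r'content:"|e8 ff ff ff ff|^|8d|N|10 80|1\;x\|y"; sid:9000001; rev:1;)'
)

# The quoted value of every content: option; backslash-escaped quotes do not
# terminate the string.
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')


def decode_content(spec):
    """Turn one Snort content string into bytes.  Text outside |...| is taken
    literally; inside, whitespace-separated hex byte pairs.  A backslash
    yields the character that follows it (Snort requires ; " | and the
    backslash itself to be escaped that way)."""
    out = bytearray()
    hexbuf = []
    in_hex = False
    i = 0
    while i < len(spec):
        ch = spec[i]
        if in_hex:
            if ch == "|":                      # closing pipe: flush hex bytes
                out.extend(bytes.fromhex("".join(hexbuf)))
                hexbuf = []
                in_hex = False
            elif not ch.isspace():
                hexbuf.append(ch)
        elif ch == "\\":                       # escape: next char is literal
            i += 1
            if i >= len(spec):
                raise ValueError("dangling backslash in content")
            out.append(ord(spec[i]))
        elif ch == "|":                        # opening pipe: start hex block
            in_hex = True
        else:
            out.append(ord(ch))
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| block in content")
    return bytes(out)


def rule_patterns(rule_text):
    """All content: patterns of a rule, decoded, in the order written."""
    return [decode_content(m) for m in CONTENT_RE.findall(rule_text)]


def rule_matches(rule_text, payload):
    """True when every content: pattern occurs somewhere in the payload
    (Snort ANDs the content options of one rule; positional modifiers
    are not modelled here)."""
    patterns = rule_patterns(rule_text)
    return bool(patterns) and all(p in payload for p in patterns)


if __name__ == "__main__":
    for p in rule_patterns(SAMPLE_RULE):
        print(len(p), "bytes:", p.hex(" "))
```

Decoding the generated rules this way also shows what Nebula produced: a single long, exact byte sequence. That is why such signatures are precise on the sample they were built from and why the author warns they are not false-positive free in general, and equally why a one-byte change in the payload (as between the `.a` and `.b` rules above) needs a separate signature.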

Conclusion

Summary of everything . . .


fin()

najmi{at}kict.iiu.edu.my
