Wednesday, October 19, 2011

My talks at the recent HITB 2011 Kuala Lumpur

Abstract:
Malware infects a host by exploiting known and unknown vulnerabilities. Among the current detection methods, matching malware signatures is considered fast and works with acceptable computing overhead. Signature generation begins with the analysis done by malware analysts. Since most antivirus products are commercial, the methods they use for large-scale signature-based detection are largely unknown to the public.
One method of detecting malware is dynamic analysis, where the behaviour of the malware is monitored while it runs. The other is static analysis, which involves disassembling the binary. Here I will share how we can use Python, a powerful interpreted language, to do a malicious call analysis.


Drop page: here
Slides: here

Wednesday, September 7, 2011

Parsing API calls in Windows binaries

Salaam,

Python could be my closest friend here; it helps a lot once you are exposed to the richness of the Pythonists out there!

Here is an example of getting the API calls (the imported functions) out of calc.exe, a benign Windows program; the same works for any other Windows binary.
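The import-table walk this post relies on (and which the "malicious call analysis" of the HITB abstract above starts from), written out as an added example; this is not the author's script and uses no third-party module, only the standard library. The PE offsets (e_lfanew, PE32/PE32+ data-directory positions, the 20-byte import descriptor, the ordinal flag in a thunk) are the documented PE format. build_sample_pe() assembles a constructed, headers-only PE purely so the parser can be exercised offline; the DLL names, function names and ordinal it imports are my choice, not anything from the page. Every malformed field is turned into a ValueError, which is the corrupt-header case a bulk scan over thousands of samples has to survive.

```python
import struct

IMPORT_DIR = 1                                   # IMAGE_DIRECTORY_ENTRY_IMPORT
ORDINAL_FLAG = {False: 1 << 31, True: 1 << 63}   # IMAGE_ORDINAL_FLAG32 / IMAGE_ORDINAL_FLAG64

def _cstr(data, off):
    """NUL-terminated ASCII string at file offset `off` (ValueError if unterminated)."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

class PEImports:
    """Headers, section table and import directory of a PE file; any malformed
    field raises ValueError so a bulk loop can set the corrupt sample aside."""

    def __init__(self, data):
        self.data = data
        if len(data) < 0x40 or data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        pe = self._u("<I", 0x3C)[0]                                  # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("bad PE signature")
        nsec, opt_size = self._u("<H", pe + 6)[0], self._u("<H", pe + 20)[0]
        opt = pe + 24                                                # optional header
        magic = self._u("<H", opt)[0]
        if magic == 0x10B:                                           # PE32
            self.is64, ndirs_off, dd_off = False, 92, 96
        elif magic == 0x20B:                                         # PE32+
            self.is64, ndirs_off, dd_off = True, 108, 112
        else:
            raise ValueError("unknown optional header magic 0x%x" % magic)
        if self._u("<I", opt + ndirs_off)[0] <= IMPORT_DIR:
            raise ValueError("no import data directory")
        self.import_rva, self.import_size = self._u("<II", opt + dd_off + 8 * IMPORT_DIR)
        # (VirtualAddress, span, PointerToRawData) per section, used to translate RVAs
        self.sections = []
        for i in range(nsec):
            vsize, va, rawsize, rawptr = self._u("<IIII", opt + opt_size + 40 * i + 8)
            self.sections.append((va, max(vsize, rawsize), rawptr))

    def _u(self, fmt, off):
        try:
            return struct.unpack_from(fmt, self.data, off)
        except struct.error:
            raise ValueError("offset 0x%x lies outside the file" % off) from None

    def rva_to_off(self, rva):
        for va, span, rawptr in self.sections:
            if va <= rva < va + span:
                return rva - va + rawptr
        raise ValueError("RVA 0x%x not backed by any section" % rva)

    def imports(self):
        """Return {dll: [function name or 'ordinal#N', ...]} in table order."""
        out, desc = {}, self.rva_to_off(self.import_rva)
        tsz, fmt = (8, "<Q") if self.is64 else (4, "<I")
        while True:
            ilt, _stamp, _fwd, name_rva, iat = self._u("<IIIII", desc)
            if ilt == 0 and name_rva == 0 and iat == 0:              # all-zero terminator
                break
            thunk, funcs = self.rva_to_off(ilt or iat), []           # old linkers leave ILT = 0
            while (val := self._u(fmt, thunk)[0]) != 0:
                if val & ORDINAL_FLAG[self.is64]:
                    funcs.append("ordinal#%d" % (val & 0xFFFF))
                else:                                                # IMAGE_IMPORT_BY_NAME: hint(2) + name
                    funcs.append(_cstr(self.data, self.rva_to_off(val) + 2))
                thunk += tsz
            out.setdefault(_cstr(self.data, self.rva_to_off(name_rva)), []).extend(funcs)
            desc += 20
        return out

def build_sample_pe(is64=False):
    """Constructed input for the demo, not a real program: a headers-only PE whose single
    .idata section imports kernel32.dll!CreateFileW, !WriteFile and ws2_32.dll ordinal 23."""
    wants = [("kernel32.dll", ["CreateFileW", "WriteFile"]), ("ws2_32.dll", [23])]
    sec_va, sec_raw, tsz, tfmt = 0x1000, 0x200, (8 if is64 else 4), ("<Q" if is64 else "<I")
    desc_area = 20 * (len(wants) + 1)                                # descriptors + terminator
    thunk_area = sum(2 * (len(f) + 1) * tsz for _, f in wants)       # ILT + IAT per DLL
    descs, thunks, strings = bytearray(), bytearray(), bytearray()
    cur, str_base = sec_va + desc_area, sec_va + desc_area + thunk_area
    for dll, funcs in wants:
        vals = []
        for f in funcs:
            if isinstance(f, int):                                   # import by ordinal
                vals.append(f | ORDINAL_FLAG[is64])
            else:                                                    # import by name: hint + name
                vals.append(str_base + len(strings))
                strings += struct.pack("<H", 0) + f.encode() + b"\0"
        name_rva = str_base + len(strings)
        strings += dll.encode() + b"\0"
        table = b"".join(struct.pack(tfmt, v) for v in vals + [0])
        descs += struct.pack("<IIIII", cur, 0, 0, name_rva, cur + len(table))
        thunks += table * 2                                          # unbound IAT mirrors the ILT
        cur += 2 * len(table)
    section = descs + bytes(20) + thunks + strings
    opt = bytearray(240 if is64 else 224)
    struct.pack_into("<H", opt, 0, 0x20B if is64 else 0x10B)
    struct.pack_into("<I", opt, 108 if is64 else 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, (112 if is64 else 96) + 8 * IMPORT_DIR, sec_va, desc_area)
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, 1, 0, 0, 0, len(opt), 0x22)
    sec_hdr = b".idata".ljust(8, b"\0") + struct.pack("<IIII", len(section), sec_va, len(section), sec_raw) + bytes(16)
    headers = b"MZ" + bytes(58) + struct.pack("<I", 0x80) + bytes(0x40) + b"PE\0\0" + coff + opt + sec_hdr
    return headers.ljust(sec_raw, b"\0") + section
```

On a real file the call is `PEImports(open(path, "rb").read()).imports()`, and a loop over a sample directory should wrap it in `try/except ValueError` so a truncated or corrupt header is logged and moved aside rather than aborting the run. The parser reads the import lookup table (falling back to the IAT when the ILT pointer is zero) and treats ordinal-only imports as `ordinal#N`, since a name-only view would silently drop them.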


Next step: hooking the intended API calls using Python with PyDbg from the PaiMei framework.

This process proved to work on both Windows 7 and Ubuntu 11.04.





Tuesday, June 21, 2011

Malware Cookbook codes

If you aren't aware, there is a book dedicated to malware researchers and enthusiasts, namely "Malware Cookbook". I haven't got the book in my hands yet, but the code used in the book is already on Google Code, here

I tried several Python scripts written by the authors, purposely to help my research in malware detection. One tool, pe_scanner.py, I consider outstanding, since it supports entropy analysis, YARA for malware classification and PEiD signatures for identifying the packer.

I also managed to file bug reports and "patch" a few things, since analysing 30,000 malware samples is tedious, time consuming and possibly leads to migraine.

(Not exactly a bug report, but the problem I faced was that a given PE might have a corrupt header; I had to segregate such files into a different folder, since the script is unable to proceed with this kind of binary.)

(F-Prot AV uses a different reporting line format... so)

I have yet to commit my customized code; I'll probably put it on GitHub later on.

Wednesday, June 15, 2011

ClamAV on Cygwin

In case you're wondering, Clam AntiVirus (ClamAV) exists for Cygwin on Windows too, and the signature update works as in any other UNIX environment: $ freshclam

Sunday, June 5, 2011

Gnuplot script in Dionaea honeypot

Ever used Gnuplot? Support for gnuplot is already built into Dionaea; previously I used to parse the data manually before plotting it with gnuplot. Original reference, here

Usage: gnuplotsql [options]

Options:
  -h, --help            show this help message and exit
  -d DATABASE, --database=DATABASE
  -D DESTINATION, --destination=DESTINATION
  -t TEMPFILE, --tempfile=TEMPFILE
  -p PROTOCOLS, --protocol=PROTOCOLS
                        none

This will create the HTML reports with PNG graphs generated by gnuplot:

najmi@vostro:/opt/dionaea/bin$ sudo ./gnuplotsql -d /opt/dionaea/var/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd

Friday, June 3, 2011

Read!

There are many magazines, e-mags, e-zines, you name it, that could help you, or kill your boredom in your spare time. Well, what if you're in the security domain and need one to expand your knowledge?

I would suggest the following:

  1. Virus Bulletin, electronic version only, monthly, http://www.virusbtn.com/ . The appropriate readers would be industrial and academic security researchers.
  2. IEEE Security & Privacy, printed and online versions, periodical, IEEE S & P . Academic researchers would fit this better.
Others, for example the Phrack underground magazine, are free of charge.

Wednesday, June 1, 2011

Crime-fighting coder - successful Malaysian undergrad in Purdue Univ




Crime-fighting coder

Name: Ahmad Mujahid Mohd Razip
Major: Electrical and computer engineering
Year: Senior

Hometown: Penang, Malaysia

Tracking crime: Ahmad developed an app for iPhone and iPad that displays local crime and traffic information. Using the GPS feature in the devices, a user can see what crimes have occurred in the area, by type and location, as well as trends for specific types of crime. Ahmad says the app could be used by police officers, attorneys, real estate agents, reporters or anyone interested in local crime.

Purdue programs: Ahmad began working on his crime analysis app while participating in Purdue’s Summer Internship Research Fellowship (SURF), which offers students an intensive research experience and a chance to work directly with graduate students and professors. He developed the app for a Purdue research center, Visual Analytics for Command, Control, and Interoperability (VACCINE), which is developing technology to assist police officers and homeland security personnel by turning massive amounts of data into actionable knowledge.

Rigorous academics: “My most challenging class was ECE 437, Computer Design and Prototyping,” Ahmad says. “You start by designing a single processor computer, then you design a dual core processor one. It was good, but not easy. Overall I prefer to write software.”

Staying active: When not studying or developing apps, Ahmad enjoys playing indoor soccer, which he does regularly. He is also active in the Purdue Malaysian Student Association and enjoys music and comedy.

Next steps: International student Ahmad hopes to get a job developing software either in his home country of Malaysia or in California. “Anywhere warm,” he says, admitting he never completely adapted to Indiana weather. “The snow is very interesting at first, but then less so.”

By Steve Tally

Tuesday, May 31, 2011

USENIX Security Symposium 2011

The USENIX Security Symposium is an annual event where many top-notch researchers present their novel work, and it is considered the top annual conference for computer security researchers. It is usually hosted in the US; this year's accepted papers can be viewed here

Debugger

Need some background in assembly and Intel instructions... biol.


Currently I am using IDA Pro, free version, for so-called "RE" purposes. This is tedious: some malware detects the debugger, some is packed, and so on. Basically this is already known; for the preprocessing phase, three obstacles need to be overcome: deobfuscation, packed binaries and encrypted binaries.

I wish I could have the plain ones.. yeah, a lot of them. Then I could concentrate on the first objective of my research: feature selection.

Friday, May 27, 2011

Extracting Features

Currently I'm in the process of getting malware samples. I have two methods. Since I'm doing academic research, as of now there is NO consensus on an "official" malware dataset, unlike the one research in Intrusion Detection Systems (IDS) enjoys; they have the KDD "something" and MIT Lincoln 1999 datasets for comparison.

Fair enough. Well, as for me, I just signed a Non-Disclosure Agreement (NDA) with CyberSecurity Malaysia (CSM) in order to get their samples. Actually I could collect my own using my honeypot, but since I don't want any dispute regarding the samples I have, to be safe, I'll just use the CSM samples for academic literature.

I read the ClamAV website, looking for info about the core engine and the signatures of ClamAV. I never spent much time reading about ClamAV before, but with ClamAV being the only free and open source antivirus that thoroughly describes its architecture, it's a pleasure to do so (I mean, reading the docs).

Now, for my research proposal, I need to extract the malicious features (strings) from the malware. I could use the "strings" command, or XOR parts of the encrypted malware, but there should be a better way to do so, since other researchers have done this before. I need to email them to ask if they could help. The last time I emailed one of them the person never replied, although he did reply prior to that. I'm not sure why; maybe that is their "trade secret" or they don't want to discuss it in detail.

Friday, March 25, 2011

Nepenthes on FreeBSD

I just installed FreeBSD 8.2 on my old laptop, since I can't find a buyer yet (it's cheap by the way, only RM500! COD anywhere if you want to buy it from me). Basically I know that FreeBSD sockets work differently from Linux, so some of the work done on the Dionaea honeypot can't be ported directly to FreeBSD.

So now I use the Nepenthes port on FreeBSD. The installation isn't difficult if you're using the prepackaged pkg; just
pkg_add -rv nepenthes

or go to /usr/ports, run make search name=nepenthes, and later run make install clean in the port directory.

On FreeBSD, however, Nepenthes will not work out of the box, since it cannot find the var directory under /usr/local.

So basically, you can simply

mkdir -p /usr/local/var/binaries
mkdir -p /usr/local/var/hexdumps

since that is how the paths are stated in etc/nepenthes.conf.

For me, since I want to send my malware collection info to the mwcollect Alliance, what I have to do is add the following line:


  "submitmwserv.so",               "submit-mwserv.conf",       ""

And your Nepenthes should work.
However, this tutorial isn't complete by itself; unlucky for you, since I am lazy.

Monday, March 7, 2011

CECOS V Kuala Lumpur, April 2011

Hi,

The Anti-Phishing Working Group (APWG) will be organizing an annual event called CECOS (Counter E-crime Operations Summit) in Kuala Lumpur. If you are a student, government staff, legal officer or an academician like me, there is a significant discount on the entrance fee. If you're presenting a paper, that's even better: the fee will be waived.


More info regarding the fee, here