97
멍멍
http://www.hackerschool.org
This is the part 1 section.

http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=79


Uh.. I'm Ryan Russell again.

And this time I brought Nicolas Brulez. Am I pronouncing your name correctly?

Yeah, ok.

And we're gonna show you how to do some malicious code analysis.

Uh.. just me.. time constraints..

We don't have enough time to present fully today.

We're actually talking about when you are looking at a piece of malicious code.

So, uh.. quick, quick poll to help tailor my talk a little bit.

How many IDA Pro users in this room?

Ok.

Uh.. analysis.. ok. Thank you.

Um.. I'm trying to go through the slides a little bit quickly.

'Someone' gave us permission to go ahead and make you guys late for lunch.

No pressure there.

And at the same time I'm gonna try to keep my English speaking speed to a low level,

so that the.. as Nicolas was reminding me.

Um.. there are several major analysis methods you might use when you're looking at a piece of malicious code.

And in our case today, we are focusing on Windows,

pretty much because if you see malicious code, that's where the vast majority of your samples are gonna be functioning.

So major analysis methods are: using a sacrificial lamb,

and by that I mean something in particular, a box you are willing to infect.

Uh, oftentimes, VMware, or Virtual PC.

If you work at an actual, real antivirus company,

they are very, very strict about the boxes that they use for research.

They are disconnected from the network, in a different room.

Supposedly some of them are in a, you know, ..., fun stuff.

I don't think any of them have poisonous ....

The nice thing about the sacrificial lamb is that it could be a big time saver.

Later on we'll talk about things like unpackers, and ways to find out where malicious code talks to the network.

If you have a box that you are willing to infect.. ... that could sometimes give you a very quick answer.

It's like, well, maybe I'm not gonna.. figure out how the file dumper works,

I'm just gonna infect it with the virus, and grab the files off the disk when it's done.

I don't necessarily wanna disassemble the network ..,

I'm just gonna sniff it out after I infect the box and let it talk on the network.

You are gonna see myself and Nicolas do a little bit of risky behavior in terms of how we are analyzing this stuff.

This is my 'don't try this at work' warning,

because there are.. we are doing a debugging of a piece of malicious code,

and there is also a chance of infection, so..

Other ways, determining what a piece of malicious code does, began..

This is when you are running on the box you don't necessarily care about;

you could restore it back to its original state if you're running it on a sacrificial lamb.

You might use some tools, FileMon, RegMon, from the Sysinternals suite.

Those are tools that will tell you every registry access, every file access that a particular process is doing.

Same thing with Ethereal, to monitor the network.

Um.. the one we are gonna be actually demonstrating today is disassembly with some light debugging.

Oftentimes we are gonna use a debugger in conjunction with a disassembler, in order to get through some of the difficult pieces of code.

And.. finally, Nicolas reminded me,

the.. Halvar's BinDiff, uh.. program, commercial tool,

has a feature I didn't realize he added in there..

which is.. um.. you can actually, not only will it tell you the differences of two binaries,

for example the .A version of a worm, the .B version of a worm,

.. which are gonna be slightly different.. then it'll give you a dump of what the differences are between the two,

but also, it actually lets you take all of the imports of the .A version, all the names the ... manually,

automatically port those over to match the functions to the .B version,

which is something I didn't realize, that could be a huge time saver if you are following a family of virus or worm.

So we are gonna focus on disassembly specifically today.

The reason for that is it gives you the most complete picture.

You can go ahead and run a piece of malicious code on a sacrificial lamb..

and observe its external behaviors.

Of course you are not gonna see everything;

you'll find out some sites.. that it tries to talk to are down or don't exist yet,

you'll find that they do things on different days and months.

The programmer would code, did things depending on what day and month it was:

sometimes it would spread, sometimes it would DoS some site, sometimes it will stay idle.



The English expert "종크" helped with most of this.

Hit: 1890    Date: 2011/08/02 11:27



    