
Stealing Passwords Remotely & Malware Analysis




  1. Stealing Passwords Remotely & Malware Analysis • PacITPros • May 8, 2012

  2. Bio

  3. Summary • HTTP & HTTPS Passwords in RAM • Windows Logon Passwords in RAM • Java Attacks • Evading Antivirus • Malware Analysis Overview

  4. HTTP & HTTPS Passwords in RAM

  5. HTTP Authentication: Wikipedia • HTTP Web Login

  6. HTTP Web Login • Password is transmitted over the Internet in plaintext • Wireshark capture on next slide • Capture the login, then Statistics, Conversations, TCP tab • Follow Stream (the conversation with 13 packets)

  7. Using HxD Freeware

  8. Password Found

  9. HTTPS Web Login

  10. Password Found! • HTTPS protects the password on the wire, but the browser still holds it in cleartext in RAM, where the same hex-editor search finds it
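The search the slides perform by hand in Wireshark (Follow TCP Stream) and in the HxD hex editor (scanning process memory) is mechanical: find anything that looks like an `application/x-www-form-urlencoded` login body and pull the password field out of it. The script below is an added example, not code from the talk. It scans an arbitrary byte buffer, either a reassembled HTTP stream or a raw memory dump, for URL-encoded form runs, parses them, and reports any that carry a password-like key. Both inputs are constructed here (`example.test`, the usernames and the passwords are made up); the list of key names to look for is an assumption and should be extended for the application under test.

```python
import re
from urllib.parse import parse_qsl

# A run of characters that is legal inside an application/x-www-form-urlencoded
# body. Binary noise (bytes >= 0x80, control characters, ':' or '/') breaks a run,
# so HTTP headers and surrounding memory garbage are skipped automatically.
FORM_RUN = re.compile(rb"[A-Za-z0-9%._~+&=\-\[\]]{8,}")

# Assumed field names; real applications may use others (check the login form).
PASSWORD_KEYS = {"password", "passwd", "pass", "pwd", "passwort"}
USER_KEYS_BY_PRIORITY = ("username", "user", "email", "login", "uid")


def find_form_credentials(buf: bytes):
    """Return one record per form-encoded run in `buf` that contains a password field."""
    hits = []
    for m in FORM_RUN.finditer(buf):
        run = m.group(0)
        if b"=" not in run:
            continue  # e.g. 'Content-Length' in a header line: not a form body
        # parse_qsl undoes the URL encoding: %21 -> '!', '+' -> ' '
        fields = {k.lower(): v for k, v in
                  parse_qsl(run.decode("ascii"), keep_blank_values=True)}
        pw_key = next((k for k in fields if k in PASSWORD_KEYS), None)
        if pw_key is None:
            continue
        user = next((fields[k] for k in USER_KEYS_BY_PRIORITY if k in fields), None)
        hits.append({"offset": m.start(), "username": user, "password": fields[pw_key]})
    return hits


# Constructed sample 1: what "Follow TCP Stream" shows for a plaintext HTTP login.
SAMPLE_STREAM = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"username=alice&password=S3cret%21pass&login=1"
)

# Constructed sample 2: a slice of browser memory. Over HTTPS the wire carries only
# ciphertext, but the browser built this body before encrypting it, so it is still
# sitting in RAM in the clear, surrounded by unrelated binary data.
SAMPLE_RAM = (
    b"\x00" * 16 + b"\x89PNG\r\n\x1a\n" + b"\xde\xad\xbe\xef" * 8
    + b"username=bob&password=hunter2&remember=on"
    + b"\x00\xff" * 20 + b"Mozilla/5.0 (X11; Linux x86_64)" + b"\x00" * 8
)


if __name__ == "__main__":
    for label, buf in (("tcp stream", SAMPLE_STREAM), ("memory dump", SAMPLE_RAM)):
        for hit in find_form_credentials(buf):
            print(f"{label}: offset 0x{hit['offset']:x} "
                  f"user={hit['username']!r} password={hit['password']!r}")
```

To use it on real data, feed it the bytes of a Wireshark "Follow TCP Stream" save or a process memory dump; the same function works on both because it never relies on HTTP framing, only on the shape of the form body.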

  11. Windows Logon Passwords in RAM

  12. Windows Login Password

  13. Not Found • Windows doesn’t store login passwords in cleartext in RAM

  14. Windows Credential Editor • Written by Hernan Ochoa, 2011

  15. Passwords are Encrypted • But the Keys are in RAM

  16. Java Attacks

  17. This Attack is Not Counted in Those Graphs • The attack I am demonstrating does not rely on any of those vulnerabilities • This is Java operating as intended • Works on fully updated Java • No patch can be expected

  18. Social-Engineer Toolkit • In BackTrack Linux

  19. User Sees This Warning

  20. Stolen Password!

  21. Evading Antivirus

  22. Effectiveness of AV Evasion

  23. Countermeasures • Disable Java • Don’t use Adobe products • Antivirus helps some • Antivirus + Deep Freeze helps a LOT • BUT DON’T TRUST ANY COUNTERMEASURE • They are all easily bypassed

  24. Malware Analysis

  25. Techniques • Basic Static Analysis: File, Strings, and AV • Basic Dynamic Analysis: RegShot, Wireshark, Process Monitor, LordPE • Advanced Static Analysis: IDA Pro • Advanced Dynamic Analysis: Debuggers (not included in this talk)

  26. Basic Static Analysis

  27. Harvesting Malware from Packet Captures with Wireshark

  28. Save As

  29. File

  30. Strings

  31. Basic Dynamic Analysis • Run Malware in a Virtual Machine

  32. Process Monitor

  33. RegShot

  34. RegShot Results

  35. Process Monitor Results
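RegShot's job in the basic dynamic analysis steps above is simple: take a snapshot before the sample runs, take another after, and list what was added, removed or changed. The script below is an added example (not RegShot and not code from the talk) that does the same for a directory tree: it hashes every file, diffs two snapshots, and reports the three categories. The simulated "malware behaviour" in `demo()` (a dropped `dropper.exe`, an edited `config.ini`, a deleted `readme.txt`) is constructed; on Windows the same diff would also be run over a registry export, which this example does not cover.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under `root` (relative path) to (size, sha256)."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            data = path.read_bytes()
            snap[str(path.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before, after):
    """RegShot-style comparison: what appeared, what vanished, what changed content."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def demo():
    """Snapshot, simulate a sample's side effects, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.ini").write_text("run=1\n")
        (root / "readme.txt").write_text("hello\n")
        before = snapshot(root)

        # Constructed stand-in for running the sample in the VM.
        (root / "config.ini").write_text("run=1\nautostart=dropper.exe\n")
        (root / "dropper.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "readme.txt").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

Take the first snapshot of a clean VM immediately before detonation and the second as soon as the sample has done its work; the longer the gap, the more unrelated OS churn lands in the diff.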

  36. Packed Executables • .exe file lacks readable strings • When executed, the file unpacks itself into RAM and runs there • Solution: Analyze the RAM, not the hard disk file

  37. LordPE
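The basic static analysis steps (harvest the sample from a packet capture, run `file`, run `strings`) and the packed-executable slide share one observation: a packed binary yields almost no readable strings and looks like random data on disk. The script below is an added example, not code from the talk, that carves a download out of an HTTP response (what Wireshark's Save As gives you), identifies it by magic bytes the way `file` does, extracts printable strings, and flags likely packing from byte entropy and string density. The two sample bodies are constructed: one mimics an unpacked PE with readable imports and a URL, the other mimics a packed one whose body is pseudo-random; `evil.test` is a made-up host and the thresholds are rules of thumb, not hard facts.

```python
import math
import random
import re
from collections import Counter

MAGIC = [  # a small subset of what `file` knows
    (b"MZ", "PE/DOS executable (MZ)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container (JAR/Office/APK)"),
    (b"%PDF", "PDF document"),
    (b"\x89PNG", "PNG image"),
]
ASCII_STRING = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def carve_http_body(stream: bytes) -> bytes:
    """Return the response body from a raw HTTP/1.1 exchange (honours Content-Length)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header terminator found")
    m = re.search(rb"content-length:\s*(\d+)", head, re.I)
    return rest[: int(m.group(1))] if m else rest


def identify(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "data"


def strings(data: bytes, minlen: int = 4):
    found = [s.decode("ascii") for s in ASCII_STRING.findall(data) if len(s) >= minlen]
    found += [s.decode("utf-16le") for s in UTF16_STRING.findall(data) if len(s) // 2 >= minlen]
    return found


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for zero-filled data, ~8 for random/compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(body: bytes) -> dict:
    found = strings(body)
    ent = shannon_entropy(body)
    ratio = sum(len(s) for s in found) / max(len(body), 1)
    return {
        "file_type": identify(body),
        "entropy": round(ent, 2),
        "string_count": len(found),
        "string_ratio": round(ratio, 3),
        # Rule-of-thumb thresholds: high entropy or almost no readable text.
        "likely_packed": ent >= 7.0 or ratio < 0.02,
        "strings": found,
    }


def build_response(body: bytes) -> bytes:
    """Constructed HTTP response wrapping `body`, as seen in a capture of a download."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


DOS_STUB = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode.\r\n$"
# Constructed unpacked sample: imports and a C2 URL are visible in plain ASCII.
UNPACKED_BODY = (DOS_STUB + b"\x00" * 200
                 + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00"
                 + b"http://evil.test/gate.php\x00" + b"\x00" * 300)
# Constructed packed sample: the same stub followed by pseudo-random (compressed-looking) bytes.
_rng = random.Random(2012)
PACKED_BODY = DOS_STUB + bytes(_rng.getrandbits(8) for _ in range(2000))


if __name__ == "__main__":
    for label, body in (("unpacked", UNPACKED_BODY), ("packed", PACKED_BODY)):
        r = analyze(carve_http_body(build_response(body)))
        print(f"{label}: {r['file_type']}, entropy={r['entropy']}, "
              f"strings={r['string_count']}, ratio={r['string_ratio']}, packed={r['likely_packed']}")
        for s in r["strings"][:6]:
            print("   ", s)
```

When `likely_packed` is true, the disk image is the wrong thing to read; as the slides say, let the sample unpack itself in the VM and run the same `strings` and entropy checks over a process dump (LordPE or equivalent) instead.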

  38. Advanced Static Analysis • IDA Pro

  39. Disassembler

  40. Mind-Boggling Complexity
