Visual malware forensics

Ankur Tyagi (Qualys)

A typical approach to intrusion investigation is to collect residue files from the incident site. These files could be extracted from network traffic or, if we are lucky, obtained from the compromised system itself. An analyst can then use his/her expertise to re-create the attack scenario and understand the possible vectors. Depending on the analyst's skills and the complexity of the incident, this process might prove easy or extremely difficult. This talk will introduce a framework that provides a common ground for forensic analysis of network traffic and malware files using intuitive visualization techniques. These techniques highlight the structural and behavioural properties of network traffic, along with generic heuristics created during analysis of real-world intrusions.

The primary focus of this talk is to help users understand how to visually analyse malware samples and classify streaming data such as a network traffic buffer or chunked data read from a file on disk. These objects are fed into an analysis chain that collects details about structural and behavioural properties, which are then visualized to assist with clustering and classification. The emphasis is on the most important aspect of the analysis process: quickly correlating attributes and identifying patterns. The proposed approach is to minimize noise and highlight significant behaviour using heuristics targeted specifically at structural pattern identification. The visual representation of a binary object provides a concise overview of its data patterns and the way they are grouped together. One glimpse of this visual representation is enough to quickly classify a file as suspicious.

This talk will focus on presenting the concepts behind visual forensics and a framework that can help users with analysis of intrusion artifacts using the visual analysis approach. This framework could be used to create standalone utilities via its plug-in mechanism or to enhance in-house analysis tools using native APIs. For quick analysis, users could also consume the framework's output directly through the packaged command-line tool or via an external log analytic tool of choice.
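As an added illustration (not the framework's own code or API, which the abstract does not expose), the following Python sketches the analysis chain described above: a buffer is walked in fixed-size chunks, each chunk yields a few structural attributes, those attributes are rendered as a text-mode chart, and one heuristic flags runs of high-entropy chunks. All function names, the chunk size, the 0.8 threshold and the sample bytes are this example's own assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte mix."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_profile(data: bytes, offset: int) -> dict:
    """Per-chunk attributes: entropy (raw and normalised to this length's maximum), NUL/printable ratios."""
    n = len(data)
    ent = shannon_entropy(data)
    max_bits = math.log2(min(n, 256)) if n > 1 else 1.0
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13))
    return {"offset": offset, "length": n, "entropy": ent, "norm": ent / max_bits,
            "nul": data.count(0) / n, "printable": printable / n}

def profile(data: bytes, chunk: int = 256) -> list:
    """Walk the buffer in fixed-size chunks, as a file or stream reader would."""
    return [chunk_profile(data[o:o + chunk], o) for o in range(0, len(data), chunk)]

def render(rows: list, width: int = 24) -> str:
    """Text-mode chart: one line per chunk with offset, entropy bar and byte-class ratios."""
    return "\n".join(
        f"{r['offset']:08x} {r['entropy']:4.2f} {'#' * round(r['norm'] * width):<{width}} "
        f"nul={r['nul']:.2f} txt={r['printable']:.2f}" for r in rows)

def high_entropy_regions(rows: list, threshold: float = 0.8) -> list:
    """Heuristic: merge consecutive chunks at/above threshold into (start, end) ranges of likely packed data."""
    regions, start = [], None
    for r in rows:
        if r["norm"] >= threshold and start is None:
            start = r["offset"]
        elif r["norm"] < threshold and start is not None:
            regions.append((start, r["offset"]))
            start = None
    if start is not None:
        regions.append((start, rows[-1]["offset"] + rows[-1]["length"]))
    return regions

# Constructed sample: zero-filled header, a text block, then seeded random bytes
# standing in for a packed section (the fixed seed keeps the profile repeatable).
_rng = random.Random(7)
SAMPLE = (b"\x00" * 256
          + (b"The quick brown fox jumps over the lazy dog. " * 6)[:256]
          + bytes(_rng.randrange(256) for _ in range(512)))
```

Printing `render(profile(SAMPLE))` gives four rows whose bars jump from empty (NUL header) to medium (text) to nearly full (random bytes), and `high_entropy_regions(profile(SAMPLE))` returns the byte range of the last two chunks.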



Ankur Tyagi

Ankur Tyagi works as a senior malware research engineer at Qualys Inc., where he analyses malicious code and applies statistical modelling to identify suspicious patterns and evolving trends. His research interests include developing algorithms and analysis tools that help with classifying large sets of unlabelled content collected via network and host-based monitoring tools. He is the author of Flowinspect, a network inspection tool, and Rudra, a visual malware forensics framework.

Presented at VB2017.