Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: cert.at

DeepSEC: DYI malware analysis with Minibis

DYI malware analysis with Minibis Aaron Kaplan & Christian Wojner

Minibis 2.1b is available for download

Anubis = Analyzing unknown binaries

Problem: malware can check if it runs on the Anubis server (via IP addr)


actually it was a proof of concept to check if specific malware checked if it was running inside a VM


Minibis is a total rewrite (no code from Anubis used)

Take 5,000 samples and run them through to check what percentage detect if it’s running in a VM

Behavioral Analysis

  1. Prepare system (VM) with monitoring tools
  2. Transfer sample to VM
  3. Start up monitoring tools in the VM
  4. Run sample
  5. Gave sample some time to do its thing
  6. Save monitoring logs and transfer them back
  7. Analyze logs
  8. (revert VM)
  9. (repeat)


Started off with a simple host and virtualized system

Has evolved into a complex multi-system environment to transfer and run the required analysis

Allows for parallel running of malware samples to speed up processing

Minibis is a practical framework to simulate the process a malware analyst would perform.

It’s up to the user to customize to their specific needs.

Customization done using a simple bash script in several key locations

Toolset available with pre-built, customizable widgets.

GUI configuration of many aspects of the environment

Can be configured to run with VirtualBox (default) or VMware

Easy configuration of post/pre run actions, including a list of files to extract from the target after the malware has run.

New in version 2.1: Customized filetypes

Matching based on extension, FILE tool, or regex


Analyse results, classify (alert, warning, info)

Then quickly filter for those that are interesting (alert?)


2.1 is in beta

Next full version will be available in summer 2011

  • Parallelization
  • Diffs over different VM configurations
  • GUI for postminibis
  • Installer
  • Support for more VMs (VMware, QEMU)
  • 64big Linux support
  • OSX support
  • Support for physical machines (data recovery cards)
  • More sample based scripts
  • Community


[Plumbercon/Ninjacon] Visualization for IT-Security

Visualization for IT-Security

L. Aaron Kaplan


This talk will present visualization techniques for IT-security events and incidents.

Conficker demonstrated that sinkholing botnets and logging relevant IT-security events on a massive scale is a powerful weapon for mitigation and remediation. However, naturally these data collections quickly grow to sizes too large to understand or handle. Visualization can prove to be an invaluable tool for the IT security handler to gain insights into the dimensions of a problem as well as for management and even politicians.

Therefore this presentation will show – based on a concrete example – how we can extract understandable information out of a multitude of data sources. The concrete example will deal with DNS, DNScap and NFSen/NFDump visualizations. Since DNS is a hidden treasure box for IT Security and since DNS requests can hint to lots of problems (misconfiguration as well as abuse), visualizing DNS is in our opinion a promising fresh approach.

Finally, a list of practical tools will be presented, which participants can use in their own organizations and thus improve their own incident handling.

Talk from the recent FIRST.org conference in Miami, FL

“This talk is about making nice pictures….. any why we need that”

Last year CERT.AT did some work on tracking Conficker by sinkholing traffic heading to certain .AT domains and tracking them. The information was easy to gather, but the visualization effects presented was something people thought was amazing.

Google Spreadsheets now offers visualization tools to track and display information over time.


“A picture is worth 1000 log records” (R. Marty)

We have too much data, info explosion

Visualization can explain it all to your Grandpa/father/mother/partner…

Target Groups

  • Users
  • Management, Sales, Politicians
  • Operational Staff
  • Researchers

These users have different needs depending on what they need to do with the information

Visualization isn’t new however. Otto Neurath was doing it long before most of us where alive.

There’s not enough of this kind of visualization going on. Things need to improve.


  • Graphviz
  • Maxmind GeoIP
  • Logster
  • Gapminder (Google Gadget)
  • Google Earth
    • Import XML data to show placemarks
  • Unix Filters
    • (cut, sort, uniq -c, sort, gnuplot)
  • processing.org

Sometimes using a simple line graph shows nothing but a few large key spikes. Using other visualization techniques helps to show the full picture.

Do more visualization!

Links :

eport: Cyber Attacks Caused Power Outages in Brazil

  • Plumbercon/Ninjacon Synopsis -–> http://plumbercon.org/schedule/57
  • CERT.AT –> http://cert.at
  • Otoo Neurath –> http://en.wikipedia.org/wiki/Otto_Neurath
  • ISOTYPE –> http://en.wikipedia.org/wiki/Isotype
  • processing.org –> http://processing.org
  • DAVIX –> http://www.secviz.org/node/89