Malware analysis

  1. Malware Analysis. Network Security, AAST COMP ENG, Dr Ashraf Tammam. Supervised by Dr. Ashraf Tammam. Presented by: • Ahmed Abd Elhafeez • Ahmed Elbohy • Moataz Ahmed. 5/7/2014
  2. Agenda • Introduction to Malware • What is Malware? • Types of Malware • How do they infect hosts? • How to detect them? • Malware Analysis • Goals of Malware Analysis • Types of Malware Analysis • Tools for Malware Analysis • Malware Analysis Simulation Steps • Conclusion • References
  4. Introduction. Mission statement: the purpose of this presentation is to give someone new to reverse engineering malware (REM) a place to start. At the end you should be familiar with the basic hardware, tools and concepts needed to begin learning REM.
  5. “But what might go wrong if we were to begin to try to analyze malware?” • You might get attacked by unhappy malware authors/users. • Your system could get infected, and that might result in: – your system being used to spam people; – your personally identifiable information getting stolen; – your system getting used to distribute malware, pirated software, movies, music, child pornography, etc.; – your system getting used as a stepping stone from which to attack government systems or critical infrastructure. • You might even end up being arrested.
  7. What is Malware? • Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do. • Programming code that is capable of causing harm to availability, integrity of code or data, or confidentiality in a computing system; the term encompasses Trojan horses, viruses, worms, and trapdoors.
  8. What exactly is “malware”? One possible definition: malware is software you don’t want. It may, for example: • Steal personal information • Delete files • Steal software serial numbers • Use your computer as a relay
  9. Distribution of malware
  11. Threat types
  12. Types of Malware
  13. Types of Malware • Viruses: a computer program that is usually hidden within another seemingly innocuous program, produces copies of itself and inserts them into other programs, and usually performs a malicious action. – Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer). – Metamorphic: changes after each infection.
  14. Types of Malware • Backdoor: bypasses normal security controls to give an attacker unauthorized access. • Botnet: all infected computers receive instructions from the same Command-and-Control (C&C) server. • Downloader: malicious code that exists only to download other malicious code; used when the attacker first gains access.
  15. Types of Malware • Scareware: frightens the user into buying something.
  16. Types of Malware • Spam-sending malware: the attacker rents the machine to spammers. • Worms: a usually small, self-contained and self-replicating computer program that invades computers on a network and usually performs a destructive action.
  17. Types of Malware • Trojan horse: a seemingly useful computer program that contains concealed instructions which, when activated, perform an illicit or malicious action.
  18. Types of Malware • Sniffers: an application used to monitor and analyze network traffic. • Spyware: software that is installed on a computer without the user's knowledge and transmits information about the user's computer activities over the Internet.
  19. Types of Malware • Adware: installed software that provides advertisers with information about the user's browsing habits, thus allowing the advertiser to provide targeted ads.
  20. Types of Malware • E-mail generators: an e-mail generating program can be used to create and send large quantities of e-mail, such as malware, spyware, and spam, to other systems without the user’s permission or knowledge. (Illustration from the PandaLabs blog.)
  21. Types of Malware • Ransomware. Example lock screen (from the PandaLabs blog): “To unlock you need to send an SMS with the text 4121800286 to the number 3649. Enter the resulting code. Any attempt to reinstall the system may lead to loss of important information and computer damage.”
  22. Types of Malware • Keystroke loggers: a keystroke logger monitors and records keyboard use. – Some require the attacker to retrieve the data from the system. – Others actively transfer the data to another system through e-mail, file transfer, or other means.
  23. Types of Malware • Web browser plug-ins: a Web browser plug-in provides a way for certain types of content to be displayed or executed through a Web browser. – E.g., malicious Web browser plug-ins that act as spyware and monitor use of the browser.
  24. Types of Malware • Mass malware: intended to infect as many machines as possible; the most common type. • Targeted malware: tailored to a specific target; very difficult to detect, prevent, and remove; requires advanced analysis. Example: Stuxnet.
  26. What to Infect • Executable • Interpreted file • Kernel • Service • MBR (Master Boot Record)
  27. Overwriting malware (diagram labels: Targeted Executable, Malware)
  28. Prepending malware (diagram labels: Targeted Executable, Malware, Infected Host Executable)
  29. Appending malware (diagram labels: Targeted Executable, Malware, Infected Host Executable)
  30. Cavity malware (diagram labels: Targeted Executable, Infected Host Executable, Malware)
  31. Multi-cavity malware (diagram labels: Targeted Executable, Malware)
  32. Packers (diagram labels: Malware, Infected Host Executable, Packer, Payload). Packers are software programs that compress and encrypt other executable files on disk and restore the original executable images when the packed files are loaded into memory.
  33. Packer functionalities • Compress • Encrypt • Randomize (polymorphism) • Anti-debug techniques (int / fake jmp) • Add junk • Anti-VM (virtual machine)
  35. It is not possible to build a perfect virus/malware detector (Cohen).
  36. Anti-virus • Analyze system behavior • Analyze the binary to decide if it is a virus • Types: – Scanner – Real-time monitor
  37. Anti-virus: virus signatures • Find a string that can identify the virus • Works like a fingerprint
  38. Anti-virus: heuristics • Analyze program behavior: – Network access – File open – Attempt to delete a file – Attempt to modify the boot sector
  39. Anti-virus: checksums • A checksum is a value used to verify the integrity of a file or a data transfer. In other words, it is a sum that checks the validity of data. Checksums are typically used to compare two sets of data to make sure they are the same. • Compute a checksum for: – a known-good binary – a configuration file • Detect changes by comparing checksums
  40. Anti-virus: dealing with packers • Launch the exe • Wait until it is unpacked • Dump the memory
  41. Sandbox analysis • Provides file system, registry key, and network traffic monitoring in a controlled environment and produces a well-formed report • Using a sandbox is more efficient and sometimes more effective • Run the executable in a VM • Observe it: – File activity – Network – Memory
  43. Challenges in malware analysis • Zero-day attack prevention • Data analytic methods work like a black box • Abstraction of infection and propagation models • Computational cost • Generic disinfection
  44. Malware Analysis • Dissecting malware to understand: – How it works – How to identify it – How to defeat or eliminate it • A critical part of incident response
  45. Incident Response • After malware is found, you need to know: – Did an attacker implant a rootkit or trojan on your systems? – Is the attacker really gone? – What did the attacker steal or add? – How did the attack get in? • Root-cause analysis
  46. Three Areas. 1. Visual analysis: what you can deduce just by looking at the file, its strings, size, where it came from, etc. 2. Behavioral analysis: how the malware behaves when executed, who it talks to, what gets installed, how it runs, etc. 3. Code analysis: the actual viewing of the code and walking through it to get a better understanding of the malware and what it's doing.
  47. Analyzing the Threat • Capture malware from attackers – Determine how they are getting in – Who are they targeting? • Run malware in an isolated environment – What does the malware do? • Analyze the binary itself – Some malware can detect isolated environments or has hidden code.
  49. Goals of Malware Analysis • The goal of malware analysis is to gain an understanding of how a specific piece of malware functions, so that defenses can be built to protect an organization’s network. • There are two key questions that must be answered: – First: how did this machine become infected with this piece of malware? – Second: what exactly does this malware do? • After determining the specific type of malware, you will have to determine which question is more critical to your situation.
  51. Types of Malware Analysis • Code (static) analysis: the actual viewing of code and walking through it to get a better understanding of the malware and what it is doing
  52. Static analysis techniques • Scanning with anti-virus software • File signatures • Hashes • Searching a file’s strings, functions, and headers • Portable Executable (PE) headers and resources • Unpacking the malware • Disassembling the malware, e.g. with IDA Pro
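The PE header inspection and packer detection named on the slides above (and the packer slides 32, 33 and 40), as an added example that is not part of the presentation: it walks the DOS header, COFF header, optional header and section table of a PE file, computes per-section byte entropy, and flags the packer hints an analyst looks for (UPX section names, near-random data, entry point inside the packed section). The sample PE is a constructed, non-runnable stub; real files would be read from disk.

```python
"""Static triage of a PE header: section table, per-section entropy and the
section holding the entry point. Added example; the sample is a constructed,
non-runnable PE32 stub so that the script works offline without a specimen."""
import hashlib
import math
import struct

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # section names UPX leaves behind


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(entropy(raw), 2),
        })
    entry_section = next((s["name"] for s in sections
                          if s["virtual_address"] <= entry_rva
                          < s["virtual_address"] + s["virtual_size"]), None)
    # Packer hints: a known packer section name, or data too random to be plain code.
    packer_hints = [s["name"] for s in sections
                    if s["name"] in PACKER_SECTION_NAMES or s["entropy"] > 7.0]
    return {"machine": machine, "pe32plus": magic == 0x20B, "entry_rva": entry_rva,
            "entry_section": entry_section, "sections": sections,
            "packer_hints": packer_hints}


def build_sample_pe() -> bytes:
    """Constructed PE32 stub: a low-entropy .text section and a high-entropy UPX1
    section that also holds the entry point, as a UPX-packed binary would."""
    text_data = b"\x90" * 255 + b"\xC3"                  # NOP sled + RET: very repetitive
    upx_data = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # 512 noisy bytes
    hdr_end = 64 + 4 + 20 + 96 + 40 * 2                   # DOS + "PE\0\0" + COFF + opt + 2 sections
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew at 0x3C points right after
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x0102)   # i386, 2 sections, PE32 opt size
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x2100) + b"\0" * 76
    sec = "<8sIIIIIIHHI"  # Name, VSize, VAddr, RawSize, RawPtr, Relocs, Lines, NRelocs, NLines, Flags
    text = struct.pack(sec, b".text", 0x1000, 0x1000, len(text_data), hdr_end, 0, 0, 0, 0, 0x60000020)
    upx = struct.pack(sec, b"UPX1", 0x1000, 0x2000, len(upx_data), hdr_end + len(text_data),
                      0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + opt + text + upx + text_data + upx_data


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<8} rva={s['virtual_address']:#06x} entropy={s['entropy']:.2f}")
    print("entry point in:", report["entry_section"], "| packer hints:", report["packer_hints"])
```

Entropy above roughly 7 bits per byte and an entry point outside the code section are hints only; the unpack-then-dump step on slide 40 is what recovers the real code.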
  53. Signatures • Host-based signatures – Identify files or registry keys on a victim computer that indicate an infection – Focus on what the malware did to the system • Network signatures – Detect malware by analyzing network traffic – More effective when made using malware analysis
  54. Signatures • File signature – Leverages the analysis of others – Anti-virus products have their own analysis of malware, based on: • Signatures • Heuristics
  55. Hashes • A fingerprint for malware • MD5 or SHA-1 • Condenses a file of any size down to a fixed-length fingerprint
  56. Hash Calc
  57. Hash uses • Label a malware file • Share the hash with other analysts to identify malware • Search the hash online to see if someone else has already identified the file
  58. Strings • Any sequence of printable characters is a string • Strings are terminated by a null (0x00) • ASCII characters are 8 bits long – now called ANSI • Unicode characters are 16 bits long – Microsoft calls them "wide characters"
  59. Strings • Strings are identified by a NULL terminating character
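The two string encodings described on slides 58 and 59, implemented as an added example (this is not the Sysinternals Strings tool): 8-bit ASCII runs and 16-bit UTF-16LE "wide" runs are both cut at the first non-printable byte, which is how the null terminator ends them. The sample buffer and the `classify` tags are constructed for the demonstration.

```python
"""ASCII and UTF-16LE ("wide") string extraction, as an added example for the
strings slides (not the Sysinternals Strings tool). The sample buffer is a
constructed mix of header bytes, null-terminated import names, code bytes
and wide strings, the kinds of fragments a Windows PE leaves behind."""
import re
from typing import List, Tuple

PRINTABLE = rb"[\x20-\x7e\t]"  # printable 8-bit ASCII plus tab


def extract_strings(blob: bytes, min_len: int = 5) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, text) tuples sorted by offset.

    kind is 'ascii' for 8-bit runs and 'wide' for 16-bit UTF-16LE runs. A run
    ends at the first non-printable byte, so a 0x00 terminator splits strings."""
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    # A wide character is a printable byte followed by 0x00; need min_len of them in a row.
    wide_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(blob):
        found.append((m.start(), "wide", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(text: str) -> str:
    """Rough triage tag for an extracted string (heuristic, constructed here)."""
    lower = text.lower()
    if lower.endswith(".dll"):
        return "dll"
    if lower.startswith(("software\\", "hkey_", "hklm\\", "hkcu\\")):
        return "registry"
    if lower.startswith(("http://", "https://")):
        return "url"
    if lower.endswith((".exe", ".bat", ".cmd")):
        return "executable"
    return "other"


# Constructed sample: what a hex dump of a small PE might contain.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\xff\xff"                     # DOS header fragment
    + b"This program cannot be run in DOS mode.\x00"            # DOS stub message every PE carries
    + b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"    # import names, null-terminated
    + b"\x8b\xff\x55\x8b\xec\x83\xec\x10"                       # x86 prologue bytes, not printable
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + "updater.exe".encode("utf-16-le") + b"\x00\x00"           # wide, double-null terminated
    + b"ab\x00"                                                 # too short to report
)


def triage(blob: bytes, min_len: int = 5) -> List[Tuple[str, str, str]]:
    """(kind, tag, text) for every string, so an analyst can skim the interesting ones."""
    return [(kind, classify(text), text) for _, kind, text in extract_strings(blob, min_len)]


if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print(f"{offset:#06x} {kind:<5} {classify(text):<10} {text}")
```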
  61. Types of Malware Analysis • Behavioral (dynamic) analysis: how the malware behaves when executed, who it talks to, what gets installed, and how it runs
  62. Dynamic analysis techniques
  63. Dynamic Analysis • Sometimes malware is sophisticated enough to detect that it is sandboxed or running in a limited environment • The good news: we have the machine code. • The bad news: all we have is the machine code. • We can then reverse engineer…
  64. Reverse Engineering • Reverse engineering is always possible since the machine code is present in the malware sample. • This requires expert knowledge of assembly. • Only worthwhile if you are looking for odd behavior, as it is slow and tedious work.
  65. Reversing malware • Set up a virtual environment. • Get the necessary tools ready. • Snapshots are your best friend.
  66. Simple Reverse Engineering Tools in Linux • objdump is a free, open source Linux disassembler. – Outputs assembly code – Useful to find strings in the binary • GDB, the standard debugger for Linux, can debug without source file information. • strace intercepts all system calls and notifications and prints them out for a running process.
  67. Reverse Engineering on Windows • IDA Pro is an interactive debugger which allows code to be disassembled and run at the same time – Breaks the code down into machine instructions – Interactively reverse engineers to C code – Allows interactive renaming of functions and variables as their function is discovered – Extremely useful :)
  68. Dynamic analysis techniques • Network traffic analysis • File system, and other Windows features (services, processes, etc.)
  69. Dynamic analysis techniques • Carefully let malware run on a (nearly) fully functional system. • Virtual machines are often useful: – Take a clean snapshot – Run the malware – Observe results – Restore the clean snapshot
  70. Dynamic analysis techniques • Sysinternals Process Monitor allows complete monitoring of API calls. – Also has a special boot monitor to track all changes upon a reboot • Regshot takes a before and after snapshot of the registry to find changes.
  72. Tools for malware analysis • It is critical to identify various tools that can be used to perform malware analysis. • This is not a comprehensive list of tools that one must use. • We will mention some critical tools, not all of them.
  73. List of tools • Strings • PEView • Dependency Walker • Resource Hacker • Procmon • Procexp • Regshot • Capture • Wireshark • Netcat/FakeNet • FakeDNS/ApateDNS • PEiD • UPX
  74. Needed terminology • Reverse code engineering: the process of disassembling software to reveal how the software functions. • Disassemblers: programs that take a program's executable binary as input and generate textual files that contain the assembly language code for the entire program or parts of it.
  75. Needed terminology • Debuggers: programs that allow software developers to observe their program while running it. • Decompiler: a program that takes an executable binary file and attempts to produce readable high-level language code from it.
  76. Tools for malware analysis • Using physical hardware or virtual machines (VMs).
  77. Setting up the test environment • Computer requirements: – At least 1 GB of memory – A large hard drive: allows you to keep images on the hard drive – Good processor: faster is better – NIC card – CD-ROM/DVD burner – Any operating system
  78. Setting up the test environment • VMware Workstation: run and network multiple OSes on one platform • Storage media: for transferring malware and storing unused OS images
  79. Setting up the test environment • Internet connectivity: optional, but occasionally you might need it. • Collection of OSes: you will need different operating systems for your testing – Base image with no patches – Base image fully patched – Configure as host-only or a network – Store on hard drive and/or burn to CD
  80. Tools for malware analysis • Process Explorer: small application that finds out what files, registry keys and other objects processes have open, and which DLLs they have loaded. • Process Monitor: small application used to monitor file system, registry, process, thread and DLL activity in real time. • PsFile: application that shows a list of files on a system that are opened remotely.
  81. Tools for malware analysis • RootkitRevealer: application that scans the system for known rootkit-based malware. • Strings: application that searches for ANSI and Unicode strings in binary images. • TCPView: application providing information about TCP and UDP connections, including the local and remote address and TCP connection state.
  82. Tools for malware analysis • WinDump: Windows version of the powerful and flexible tcpdump sniffer. • Fport: identifies unknown ports and their associated applications. • Hfind (part of the Forensic Toolkit): application that scans the disk for hidden files. • BgInfo: small application providing important system information such as hostname, IP address, OS version, etc.
  83. Tools for malware analysis • Vision: reports all open TCP and UDP ports and maps them to the owning process or application. • Filewatch: a file change monitor. • Attacker: a TCP/UDP port listener. • MD5sums: generates signatures or hashes for file integrity verification. – Run it before you launch the malware, to have a baseline for comparison against files the malware may create or change. • Winalysis: monitors for changes to files, the registry, users, groups, security policies, services, shares, scheduled jobs, the system environment and more.
  84. Tools for malware analysis • WinHex: hex editor; you may choose any hex editor that you like. • IDA Pro: popular interactive, programmable, extendible, multi-processor debugger and disassembler. • Reverse Engineering Compiler: popular decompiler. • ProcDump32: unpacker application.
  85. Tools for malware analysis • PE Explorer: provides tools for disassembly and inspection of unknown binaries. • WinDbg: Windows debugging application. • LiveKd: application that allows the WinDbg debugger to run locally on a live system. • DebugView: an application that monitors debug output on your local or a remote system.
  86. Tools for malware analysis • OllyDbg: 32-bit assembler-level analysis debugger for Microsoft Windows, used to work with the malware for tasks such as viewing the code and stepping through it. • Regshot: tool that tells you what has changed on your system between before and after you launch your malware. • Netcat: “Swiss army knife” for networks; use it when you need something to connect to, or to attempt a connection from.
  87. Tools for malware analysis • UPX: packer used a lot to compress and obfuscate code; uncompress the code before analysis. • WinRAR: tool to compress large file(s) into one smaller file, to safely transfer malware or collected information and keep things organized. The industry-standard archive password is ‘infected’. • Ethereal: a protocol analyzer (aka sniffer) – run it when launching the malware and while doing analysis.
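An added example (not the MD5sums, HashCalc or Regshot tools themselves) that serves the hash slides 55 to 57, the checksum slide 39 and the baseline step on slide 83: fingerprint a file with MD5, SHA-1 and SHA-256, snapshot a directory tree before a specimen is launched, and diff the snapshot afterwards to see what was added, removed or modified. The file tree, file names and hosts entry are all constructed in a temporary directory for the demonstration.

```python
"""Hash fingerprints and before/after change detection for an analysis VM.
Added example (not the MD5sums, HashCalc or Regshot tools themselves): it
fingerprints files with MD5/SHA-1/SHA-256, snapshots a directory tree before
a specimen is launched and diffs it afterwards. The file tree below is a
constructed stand-in for a system drive, built in a temporary directory."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

HASH_ALGOS = ("md5", "sha1", "sha256")


def _hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    hashes = {name: hashlib.new(name) for name in HASH_ALGOS}
    for chunk in chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def fingerprint_bytes(data: bytes) -> Dict[str, str]:
    """Fixed-length fingerprints of an in-memory specimen."""
    return _hash_chunks([data])


def fingerprint(path: str) -> Dict[str, str]:
    """Fingerprints of a file of any size, streamed so large samples do not fill RAM."""
    with open(path, "rb") as fh:
        return _hash_chunks(iter(lambda: fh.read(1 << 16), b""))


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = fingerprint(full)["sha256"]
    return snap


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Regshot-style comparison: files that appeared, vanished or changed content."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system root, simulate what running a
    specimen might leave behind (dropped file, edited file, deleted log), re-snapshot."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as f:
            f.write(b"MZ" + b"\0" * 100)
        with open(os.path.join(root, "Windows", "temp.log"), "w") as f:
            f.write("old\n")
        before = snapshot(root)                       # baseline, taken before launching anything
        # Simulated post-infection state (all constructed):
        with open(os.path.join(sys32, "hosts"), "a") as f:
            f.write("0.0.0.0 av-update.example.invalid\n")   # edited file: an update host blocked
        with open(os.path.join(sys32, "svchosts.exe"), "wb") as f:
            f.write(b"MZ" + b"\xff" * 100)                   # dropped file with a look-alike name
        os.remove(os.path.join(root, "Windows", "temp.log"))  # deleted file
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(fingerprint_bytes(b"abc"))
    for kind, paths in demo().items():
        print(f"{kind:<9}", paths)
```

A content hash only tells you that a file changed, not who changed it; pair the diff with Process Monitor output to attribute each change to a process.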
  89. Malware analysis main steps • Step 1: Allocate physical or virtual systems for the analysis lab • Step 2: Isolate laboratory systems from the production environment • Step 3: Install behavioral analysis tools • Step 4: Install code-analysis tools • Step 5: Utilize online analysis tools • Next steps. Moataz Ahmed Mahmoud, Ahmed Abdelhafez, Ahmed El bohy
  90. Step 1: Allocate physical or virtual systems for the analysis lab • A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. This requires a laboratory system you can infect without affecting your production environment. • The most popular and flexible way to set up such a lab system involves virtualization software, which allows you to use a single physical computer for hosting multiple virtual systems, each running a potentially different operating system. Free virtualization software options include: – VMware Server – Windows Virtual PC – Microsoft Virtual Server – VirtualBox
  91. Step 2: Isolate laboratory systems from the production environment • You must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape. You can separate the laboratory network from production using a firewall. Better yet, don't connect laboratory and production networks at all, to avoid firewall configuration issues that might allow malware to bypass filtering restrictions.
  92. Step 3: Install behavioral analysis tools • Before you're ready to infect your laboratory system with the malware specimen, you need to install and activate the appropriate monitoring tools. Free utilities that will let you observe how Windows malware interacts with its environment include: – File system and registry monitoring: Process Monitor and Capture BAT offer a powerful way to observe in real time how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed into the system upon infection. – Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager, helping you observe malicious processes, including local network ports they may attempt to open. – Network monitoring: Wireshark and SmartSniff are network sniffers, which can observe laboratory network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic, or downloads. – Change detection: Regshot is a lightweight tool for comparing the system's state before and after the infection, to highlight the key changes malware made to the file system and the registry.
  93. Step 4: Install code-analysis tools • Examining the code that comprises the specimen helps uncover characteristics that may be difficult to obtain through behavioral analysis. In the case of a malicious executable, you rarely will have the luxury of access to the source code from which it was created. Fortunately, the following free tools can help you reverse compiled Windows executables: – Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse compiled Windows executables and, acting as disassemblers, display their code as Intel x86 assembly instructions. These tools also have debugging capabilities, which allow you to execute the most interesting parts of the malicious program slowly and under highly controlled conditions, so you can better understand the purpose of the code. – Memory dumper: LordPE and OllyDump help obtain protected code located in the lab system's memory and dump it to a file. This technique is particularly useful when analyzing packed executables, which are difficult to disassemble because they encode or encrypt their instructions, extracting them into RAM only during run-time.
  94. Step 5: Utilize online analysis tools • To round off your malware-analysis toolkit, add to it some freely available online tools that may assist with the reverse engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These applications look similar at first glance, but use different technologies on the back end. Consider submitting your malware specimen to several of these sites; depending on the specimen, some sites will be more effective than others. Such tools include: – Anubis – CWSandbox – Joebox – Norman SandBox – ThreatExpert
  95. Next Steps • With your initial toolkit assembled, start experimenting in the lab with malware you come across on the web, in your e-mail box, on your systems, and so on.
  97. Conclusion • As you have seen, there are various ways for an attacker to get malicious code to execute on remote computers. • We have only scratched the surface; there is much more to learn and discover.
  100. Questions?