Basic Malware Analysis
Introduction to beginning malware analysis.
Usage Rights

CC Attribution-NonCommercial-ShareAlike License

    Presentation Transcript

    • Basic Malware Analysis
      Albert Hui, GCFA, CISA
      albert.hui@gmail.com
    • Goals
      Present tools and techniques for preliminary malware analysis
      Introduce the model and mindset for beginning reverse engineering
      Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on
      Copyright © 2007 Albert Hui
    • Terminology
      Malware – malicious software
      Virus – infect a host program to reproduce
      Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom)
      Trojan – malicious program disguised as harmless
      木馬 (literally "wooden horse", as the term is used in China) != trojan in the sense above, but == backdoor
      Backdoor – remote control software
      Rootkit – hides a backdoor and the forensic evidence of it (e.g. Sony XCP Rootkit)
      Spyware – calls home
    • Black-Box Examination
      Snapshot Observation
      Behavioral Tracing
      Sandboxing
    • Snapshot Observation
      Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.)
      Pros:
      Gather consistent big picture
      Some info only uncovered by static analysis
      Cons:
      Can lose sight of small/transient changes
      Difficult to cover every avenue
    • Snapshot Observation Tools (runtime)
      Process/Thread:
      Process Explorer
      Windows Objects:
      WinObj
      OpenedFilesView
    • Snapshot Observation Tools (static)
      Executable:
      XN Resource Editor
      File:
      hexplorer
      FileAlyzer
    • Snapshot Observation Tools (executable)
      PEBrowse
      Dependency Walker
      PEiD
      Dumper:
      LordPE
      Universal Extractor
      RL!depacker
      Decompiler/Disassembler:
      IDA Pro
      OllyDbg/OllyICE
      JAD
      Spices.Decompiler
    • Behavioral Tracing
      Includes debugging, tracing, network traffic analysis, etc.
      Pros:
      Detailed time-domain info
      Can drill down to system call level
      Cons:
      Can lose sight of the big picture
      Difficult to cover every avenue
    • Behavioral Tracing Tools
      Process/Thread/File/Registry Tracing:
      ProcMon
      Network Tracing:
      TCPView
      TDImon
      Wireshark
      Debugger:
      OllyDbg/OllyICE
      SoftICE
    • Sandboxing
      Containment of execution in protected environment
      One kind of virtualization; shares techniques with virtual machines, honeypots/tarpits, and forceful uninstallers
      Sandboxing can occur at various levels: network, application, OS, down to bare metal
      Pros:
      Total coverage possible
      Local containment of harms
      Cons:
      Difficult to discern incremental changes
    • Sandboxing Tools
      Machine Level:
      VMware
      OS Level:
      Altiris SVS
      PowerShadow
      ShadowUser
      Application Level:
      Sandboxie
      Network Level:
      Honeyd
    • Demo
      Use FileAlyzer to determine file type.
      Rename to .exe, use Dependency Walker to determine functions.
      Use PEiD to detect signature – UPX packed.
      Use Universal Extractor to unpack file.
      Use Dependency Walker to determine functions.
      Use FileAlyzer to read embedded strings.
      Detach network, use Sandboxie to execute file.
      Use Wireshark and ProcMon, execute file again.
      Use OllyDbg to understand program flow – program connects to a server on port 6667.
      Set up our own IRC server, edit hosts file on guest to fool malware into connecting to it.
      Try out commands found in embedded strings.
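The first half of the demo (identify the file by its magic bytes rather than its extension, inspect the PE sections, spot the UPX packer signature, read the embedded strings and notice the IRC traces) can be reproduced in a few dozen lines. The block below is an added example, not code from the deck or from any of the tools it names; the PE bytes it parses are a constructed header skeleton with UPX-style section names and a few planted strings, and the non-UPX packer section names are assumptions taken from public packer documentation.

```python
"""Static triage of an executable image, following the snapshot-observation
steps of the demo: identify the file by its magic bytes (not its extension),
read the PE section table, look for a packer hint such as UPX, and pull
printable strings. Added example; the sample PE bytes are constructed."""
import re
import struct

PACKER_SECTION_HINTS = {
    # Section names that well-known packers leave behind. UPX is the one the
    # demo hits; the other two are assumptions from public packer documentation.
    "UPX": ("UPX0", "UPX1", "UPX2"),
    "ASPack": (".aspack", ".adata"),
    "Themida": (".themida",),
}
IRC_KEYWORDS = ("NICK", "JOIN", "PRIVMSG", "6667")  # IRC command and port hints


def identify(data: bytes) -> str:
    """Classify by leading magic bytes, ignoring whatever extension the file has."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable"
        return "MZ (DOS) executable"
    if data[:4] == b"\x7fELF":
        return "ELF executable"
    if data[:2] == b"PK":
        return "ZIP archive"
    return "unknown"


def section_names(data: bytes) -> list:
    """Walk the COFF header to the section table and return the section names."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                      # skip the "PE\0\0" signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]   # 8-byte name field
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def packer_hint(names) -> str:
    """Return the packer whose section names are present, or '' if none matched."""
    for packer, hints in PACKER_SECTION_HINTS.items():
        if any(n in hints for n in names):
            return packer
    return ""


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like a strings(1) pass."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def irc_indicators(strs) -> list:
    """Strings that suggest an IRC-based command channel."""
    return [s for s in strs if any(k in s for k in IRC_KEYWORDS)]


def build_sample_pe() -> bytes:
    """CONSTRUCTED sample: a PE-shaped byte string with a UPX-style section
    table and a few embedded strings. It is a header skeleton, not a program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    sections = [b"UPX0", b"UPX1", b".rsrc"]
    opt_size = 0xE0                          # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in sections)
    body = b"NICK bot1\x00JOIN #ctrl\x00PRIVMSG\x00port 6667\x00\x01\x02"
    return dos + b"PE\x00\x00" + coff + optional + table + body


def triage(data: bytes) -> dict:
    """Bundle the checks the way the demo runs them by hand."""
    kind = identify(data)
    names = section_names(data) if kind == "PE executable" else []
    strs = strings(data)
    return {"type": kind, "sections": names, "packer": packer_hint(names),
            "irc_indicators": irc_indicators(strs), "string_count": len(strs)}


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real sample, run `triage(open(path, "rb").read())`; the point of checking magic bytes first is that a renamed file (the demo's "rename to .exe" step) is classified by content, and a UPX section table is a cue to unpack before trusting the import list, since the packed stub imports almost nothing.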
    • Process-Based Malware
      e.g. BO2K, Sub7, NetBus, 冰河 (Glacier), 灰鴿子 (Gray Pigeon)
      Technically equivalent to VNC, Remote Desktop, pcAnywhere etc.
    • Tricks of Process-Based Malware
      Melting – deletes its installer, or removes itself from disk entirely
      Sticky Process – multiple execution units reviving each other
      Sticky Image – reinstalls itself upon system shutdown
      Anti-detection (免殺, evading antivirus):
      Polymorphism – packing/encryption or other superficial changes
      Metamorphism – radically changing the code itself, includes 加花 (literally "adding flowers": addition of fake signatures)
    • Stealthy Malware
      The 2nd Generation
    • Processless (無進程) Malware
      Parasite Approach (exists only as threads inside another process)
      DLL attachment
      CreateRemoteThread
      Code injection, detour patching
      Rootkit Approach (hide process)
      Hooking
      DKOM
    • Vulnerabilities of Rootkits
      Communications can always be captured on external network links
      A rootkit always changes the OS, so:
      compare observations with known-good states
      compare observations from different approaches (e.g. Linux ls vs. opendir())
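Both detection ideas on this slide reduce to set comparison: diff an observation against a known-good baseline, and diff the same objects as seen through two independent views. The block below is an added example, not code from the deck or from any of the tools it names; the "hooked" listing is a constructed stand-in for what a rootkit-filtered API would return, and the file names and hashes are constructed as well.

```python
"""Two checks from the "Vulnerabilities of Rootkits" slide, as an added
example: comparing an observation with a known-good baseline, and comparing
the same objects seen through two different APIs (the ls vs. opendir() idea).
The hooked listing below is a CONSTRUCTED stand-in for a rootkit-filtered
API; the low-level view probes each name directly instead."""
import os
import tempfile


def baseline_diff(known_good: dict, observed: dict) -> dict:
    """Compare an observed snapshot (name -> hash or attribute) with a known-good one."""
    added = sorted(set(observed) - set(known_good))
    removed = sorted(set(known_good) - set(observed))
    changed = sorted(n for n in known_good.keys() & observed.keys()
                     if known_good[n] != observed[n])
    return {"added": added, "removed": removed, "changed": changed}


def cross_view_diff(high_level, low_level) -> dict:
    """Names seen by the low-level probe but absent from the high-level
    listing are the classic sign of a hidden object; the reverse direction
    is reported too, since a mismatch either way deserves a look."""
    high, low = set(high_level), set(low_level)
    return {"hidden_from_high_level": sorted(low - high),
            "only_in_high_level": sorted(high - low)}


def probe_view(directory: str, candidates) -> list:
    """Low-level view: stat each candidate name directly rather than trusting
    a directory enumeration (compare opendir()/readdir() to a hooked ls)."""
    return [n for n in candidates if os.path.lexists(os.path.join(directory, n))]


def hooked_listing(directory: str, hide_prefix: str) -> list:
    """CONSTRUCTED stand-in for a rootkit-filtered enumeration: every entry
    whose name starts with hide_prefix is dropped from what the caller sees."""
    return [n for n in os.listdir(directory) if not n.startswith(hide_prefix)]


def cross_view_demo() -> dict:
    """Create a scratch directory, hide one entry from the high-level view,
    and let the low-level probe catch it. All names are constructed."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("svchost.exe", "notes.txt", "_rk_backdoor.dll"):
            with open(os.path.join(d, name), "w") as f:
                f.write(name)
        # In practice the candidate list comes from an independent source
        # (a raw disk read, a brute-forced PID range); here it is constructed.
        candidates = ["svchost.exe", "notes.txt", "_rk_backdoor.dll", "absent.bin"]
        return cross_view_diff(hooked_listing(d, "_rk_"), probe_view(d, candidates))


# Constructed baseline of file hashes vs. what a later snapshot reports.
KNOWN_GOOD = {"ntoskrnl.exe": "hash-A", "hal.dll": "hash-B", "win32k.sys": "hash-C"}
OBSERVED = {"ntoskrnl.exe": "hash-A", "hal.dll": "hash-X", "win32k.sys": "hash-C",
            "rk_driver.sys": "hash-Z"}


if __name__ == "__main__":
    print("baseline:", baseline_diff(KNOWN_GOOD, OBSERVED))
    print("cross-view:", cross_view_demo())
```

The baseline check only works if the known-good snapshot was taken before infection and stored off the examined host; the cross-view check only works if the two views really go through different code paths, which is why the slide pairs a shell listing with a direct opendir() call rather than two front-ends to the same API.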
    • Rootkit Detection Tools
      Rootkit Detection
      冰刃 IceSword
      DarkSpy
      GMER
    • Conclusion
      First perform static analysis
      Then let malware loose in contained environment
      Drill down with expert knowledge to further fool the malware into doing more