Malware Analysis - an overview by PP Singh
Transcript

  • 1. An overview – Part I
  • 2. Our game plan
    - Today – a theoretical overview followed by a case study
    - Detailed presentations about each component:
      o Virtualization
      o Honeypots / honeynets
      o Debugging
      o And so on (hopefully)
  • 3.
    - Capability for ‘abstract mathematics’
    - Assembly language
    - Lack of social life
    - Adequate ‘behavior modification’ or ‘trance inducing’ materials
  • 4.
    - Basics
    - Setting up a lab environment
    - Analysis
      o Network traffic
      o Disk image / file system
      o Memory image
      o Static analysis
  • 5.
    - Traditionally we had source code auditing – the prime requirement was safety of code.
    - Then came proprietary code and with it ‘black box testing’.
    - Along came modular components and we graduated to ‘reverse engineering’.
  • 6.
    - With COTS products came issues of trust – Microsoft is safe, but what about the guys who made the DLL?
    - Suggested reading: ‘WYSINWYX’, Gogul Balakrishnan’s PhD thesis.
    - A method of reverse engineering along with all associated libraries: ‘holistic reverse engineering’.
  • 7.
    - A focused application – malware analysis.
    - Why – traditional signature-based analysis is futile given the evolving malware.
    - The same logic has multiple ‘signatures’.
    - Hence ‘behavioral analysis’.
  • 8.
    - Pros & cons of both static analysis & behavioral analysis.
    - Larger volumes of samples necessitate ‘automation’.
    - Enter CWSandbox, Norman Sandbox & others.
    - But we need ‘more’.
  • 9.
    - Overlap with forensics.
    - Privacy & policy issues.
    - Wish to learn.
    - ‘Live’ exercise – part of growing up.
    - Field of work.
    - Requirement of customized data.
    - Complexities in the malware world.
  • 10.
    - Basics
    - Setting up a lab environment
    - Analysis
      o Static analysis
      o Network traffic
      o Disk image / file system
      o Memory image
  • 11.
    - A controlled environment.
      ▪ Malware collection. Malware collection through spam traps, honeypots and shared data. Nepenthes as an example.
      ▪ Victim machines. Virtualisation or real. Virtual machines are easier to manage, but malware is increasingly becoming aware of them. Virtual machines like VMware, Parallels, QEMU and Bochs are available.
  • 12.
      ▪ Support tools.
      ▪ Network simulation. Internet connection, DNS connection, IRC, web, SMTP server.
      ▪ Analysis tools. Support of online resources like VirusTotal.
    - It should be isolated.
    - It should provide a full simulation.
  • 13.
    - Friends
    - Online resources
    - Honeypots
      o Amun
      o Nepenthes
      o ….
  • 14.
    - Windows OS
    - Start – Windows image using Linux
    - The re-usable malware analysis net ‘Truman’
    - Virtual machines
    - Norton Ghost / UDPcast / Acronis
    - Hardware – CoreRestore
    - Microsoft – SteadyState
  • 15.
    - This mini Linux implementation contains tools like partimage, ntfsresize and fdisk and is based around the fantastic BusyBox.
    - It enables you to PXE boot a PC into a Linux client which can create an NTFS partition, grab a Windows disk image from the network, write it to a local disk and then resize that partition.
  • 16.
    - Two minimum machines.
    - Linux-based server.
    - Truman machine as client (XP without patches). Installation FAQ on NSMWiki.
    - Virtual network simulation.
  • 17.
    - MAVMM: lightweight and purpose-built VMM for malware analysis.
    - Authors – Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T. King, Hai D. Nguyen.
    - A special-purpose virtual machine for malware analysis.
  • 18.
    - Academic version of XP available.
    - Instrumentation of code feasible.
    - Creation of ‘special Windows’ boxes.
  • 19.
    - Basics
    - Setting up a lab environment
    - Analysis
      o Static analysis
      o Network traffic
      o Disk image / file system
      o Memory image
  • 20.
    - Create a controlled environment. Virtual or real.
    - Baseline the environment:
      ▪ Victim machine. File system, registry, running processes, open ports, users, groups, network shares, services etc.
      ▪ Network traffic.
      ▪ External view.
  • 21.
    - Information collection.
      ▪ Static. Strings, resources, scripts, file properties etc.
      ▪ Dynamic.
    - Information analysis. Involves information collation, internet searches, startup methods, communication protocols, spreading mechanisms etc.
    - Reconstructing the big picture.
    - Documentation.
  • 22.
    - PsExec – part of the Sysinternals PsTools kit.
    - MS Remote Desktop.
    - Virtual Network Computing (VNC).
    - UltraVNC – SourceForge.
    - If you are comfortable with a remote command line – PsExec.
  • 23.
    - Baseline information
      o Network traffic
      o File system
      o Registry
      o Memory image
  • 24.
    - Remember it is ‘malware’.
    - Use PKZIP to handle the sample.
    - Command line method.
    - If you are submitting samples online, password = ‘infected’.
  • 25.
    - Disk image analysis: Advanced Intrusion Detection Environment (AIDE) for comparing disk images before and after.
    - NTFS-3G drivers & getfattr for ADS streams.
    - Registry using dumphive.
    - Compare registry dumps before and after using the Linux diff -u command.
    - Memory image analysis: pmodump.pl modified to handle PEB randomisations; Volatility framework used for analysis.
    - Outputs of multiple tools used to compare and analyse.
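The before/after comparison that slides 20, 23 and 25 describe, as an added example that is not part of the deck: a file-system baseline compared by content hash (the AIDE approach) and a registry dump compared both as key/value pairs and as text (the diff -u approach). The snapshots, paths and registry lines are constructed for the demo, not taken from a real sample.

```python
import difflib
import hashlib

def h(content):
    """Hash of a file's bytes; the baseline stores these, not the files themselves."""
    return hashlib.sha256(content).hexdigest()

# Constructed {path: hash} snapshots of the victim machine, before and after the sample ran.
BASELINE_FILES = {
    r"C:\Windows\System32\kernel32.dll": h(b"kernel32 contents"),
    r"C:\Windows\System32\drivers\etc\hosts": h(b"127.0.0.1 localhost"),
    r"C:\Users\lab\Desktop\sample.exe": h(b"sample contents"),
}
AFTER_FILES = {
    r"C:\Windows\System32\kernel32.dll": h(b"kernel32 contents"),
    r"C:\Windows\System32\drivers\etc\hosts": h(b"127.0.0.1 localhost\n0.0.0.0 update.example"),
    r"C:\Windows\System32\svchost32.exe": h(b"dropped file"),
}
# Constructed registry dumps, one 'key=value' line per entry, as a hive dump tool would emit.
BASELINE_REG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive=C:\Program Files\OneDrive.exe
HKLM\System\CurrentControlSet\Services\SharedAccess\Start=2
"""
AFTER_REG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive=C:\Program Files\OneDrive.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater=C:\Windows\System32\svchost32.exe
HKLM\System\CurrentControlSet\Services\SharedAccess\Start=4
"""

def diff_snapshot(before, after):
    """Return (added, removed, changed) keys of two {key: value} snapshots."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = sorted(k for k in before if k in after and before[k] != after[k])
    return added, removed, changed

def parse_reg_dump(dump):
    """Turn a 'key=value' dump into a dict so it can be diffed like the file list."""
    return dict(line.split("=", 1) for line in dump.splitlines() if "=" in line)

def registry_changes(before_dump, after_dump):
    return diff_snapshot(parse_reg_dump(before_dump), parse_reg_dump(after_dump))

def registry_unified_diff(before_dump, after_dump):
    """The same view 'diff -u baseline.reg after.reg' gives on the Linux side."""
    return list(difflib.unified_diff(before_dump.splitlines(), after_dump.splitlines(),
                                     fromfile="baseline.reg", tofile="after.reg", lineterm="", n=0))
```

The three lists from diff_snapshot are what goes into the report; the unified diff is the human-readable view to keep alongside it.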
  • 26.
    - File system and registry monitoring: Process Monitor and Capture BAT
    - Process monitoring: Process Explorer and Process Hacker
    - Network monitoring: Wireshark and SmartSniff
    - Change detection: Regshot
  • 27.
    - A good way to see changes to the network is with a tool called ndiff.
    - ndiff is a tool that utilizes Nmap output to identify the differences, or changes, that have occurred in your environment.
    - ndiff can be downloaded from http://www.vinecorp.com/ndiff/.
  • 28.
    - tcpdump – console
    - WinDump – console
    - Wireshark – GUI
  • 29.
    - The options offered in ndiff include:
        ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>] [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>] [-fmt|-format <terse | minimal | verbose | machine | html | htmle>]
    - ndiff output may be redirected to a web page:
        ndiff -b base-line.txt -o tested.txt -fmt machine | ndiff2html > differences.html
    - The output file, “differences.html”, may be displayed in a web browser. This will separate hosts into three main categories:
      o new hosts,
      o missing hosts, and
      o changed hosts.
  • 30.
    - netstat
    - Fport
    - TCPVcon – console
    - TCPView – GUI
    - Handle – console
    - Process Explorer – GUI
    - Use the PID to correlate outputs.
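Slide 30's advice to correlate tool outputs by PID, as an added example that is not from the deck: it joins netstat -ano and tasklist /fo csv output by PID and flags every socket owned by a process image that was not in the clean baseline, or whose PID no longer appears in the process list. The tool output, PIDs and addresses below are constructed for the demo.

```python
import csv
import io

# Constructed tool output for the demo (not a capture from a real infection).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.56.101:49201   198.51.100.7:6667      ESTABLISHED     3120
  TCP    0.0.0.0:5500           0.0.0.0:0              LISTENING       3120
  UDP    0.0.0.0:5355           *:*                                    1404
  TCP    192.168.56.101:49300   198.51.100.7:80        ESTABLISHED     4012
"""
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","884","Services","0","8,120 K"
"sample.exe","3120","Console","1","4,320 K"
"svchost.exe","1404","Services","0","6,004 K"
"""
# Image names seen in the clean baseline; PIDs change between boots, names do not.
BASELINE_IMAGES = {"svchost.exe", "lsass.exe", "System"}

def parse_netstat(text):
    """Parse 'netstat -ano' rows; UDP rows carry no State column, so they have 4 fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            proto, local, foreign, state, pid = parts
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from 'tasklist /fo csv' output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def correlate(netstat_text, tasklist_text, baseline_images):
    """Return (pid, image, proto, local, foreign, state) for every socket worth a look."""
    image_by_pid = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        # A PID with a socket but no tasklist entry is itself a finding (exited or hidden).
        image = image_by_pid.get(row["pid"], "<unknown>")
        if image not in baseline_images:
            findings.append((row["pid"], image, row["proto"], row["local"],
                             row["foreign"], row["state"]))
    return findings
```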
  • 31.
    - Hashing functions
      o md5deep – Jesse Kornblum
    - Fuzzy hashing
      o ssdeep – again Jesse
    - Online hashes of good files – NIST
  • 32.
    - A good start
    - VirusTotal
    - VirusScan
    - And many more
    - Help retain focus
  • 33.
    - virus@ca.com
    - sample@nod32.com
    - samples@f-secure.com
    - newvirus@kaspersky.com
    - VirusTotal, Jotti, virus.org
    - Many more
  • 34.
    - PEiD
    - PolyUnpack
    - Renovo – part of BitBlaze, based on memory unpacking
    - And many more
  • 35.
    - Tools:
      o PEview
      o Depends
      o PE Browse Pro
      o objdump
      o Resource Hacker
      o strings
    - Determine the date/time of compilation, functions imported by the program, icons, menus, version info and strings embedded in the resources.
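The compile date/time from slide 35 and the packer check PEiD does (slide 37) both come straight from the PE headers. This added example, not code from the deck, walks the DOS header to the COFF header for the timestamp and section table and applies two well-known packer indicators. The PE image is constructed in-line with headers only, so it is not a real executable; the UPX-style section layout is an assumption chosen for the demo.

```python
import struct
from datetime import datetime, timezone
COFF = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
SECTION = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def build_sample_pe(timestamp, sections):
    """Constructed PE32 image with headers only (demo input, not a runnable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 0xE0                      # PE32 optional header size; contents unused here
    coff = struct.pack(COFF, 0x14C, len(sections), timestamp, 0, 0, len(optional), 0x0102)
    table = b"".join(struct.pack(SECTION, name.encode().ljust(8, b"\0"), vsize, vaddr, rsize, raw,
                                 0, 0, 0, 0, flags) for name, vsize, vaddr, rsize, raw, flags in sections)
    return dos + b"PE\0\0" + coff + optional + table

# Constructed layout resembling a UPX-packed file: UPX0 has no data on disk but a large virtual size.
SAMPLE_SECTIONS = [
    ("UPX0", 0x8000, 0x1000, 0x0, 0x400, 0xE0000080),
    ("UPX1", 0x3000, 0x9000, 0x2A00, 0x400, 0xE0000040),
    (".rsrc", 0x1000, 0xC000, 0x600, 0x2E00, 0xC0000040),
]

def parse_pe_header(data):
    """Return compile timestamp and section table, the items PEview/PEiD show first."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from(COFF, data, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(COFF) + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _, rsize, _, *_, flags = struct.unpack_from(SECTION, data, table + i * struct.calcsize(SECTION))
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "raw_size": rsize, "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
                         "writable": bool(flags & IMAGE_SCN_MEM_WRITE)})
    return {"machine": machine, "timestamp": stamp, "sections": sections,
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat()}

def packer_hints(info):
    """Indicators packer detectors rely on: sections filled only at runtime, and W+X sections."""
    hints = []
    for s in info["sections"]:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes virtual (filled at runtime)")
        if s["executable"] and s["writable"]:
            hints.append(f"{s['name']}: writable and executable")
    return hints
```

A compile timestamp in the future or far in the past, or a section list like the one above, is a reason to go to slide 34's unpackers before reading strings or imports.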
  • 36.
    - strings
    - VIP utility – www.freespaceinternetsecurity.com
    - InCtrl5
    - Sandboxie
    - Filemon
    - Regmon
    - Autoruns
    - HijackThis
    - ……..
  • 37.
    - PE format – need I say more.
    - LordPE – can also do memory dumps.
    - PETools.
    - PEiD – to find packer details.
  • 38.
    - WinDbg
    - OllyDbg
    - IDA Pro
    - SysRDbg – kernel level?
    - Kernel debugger from MS
    - Knowledge of assembly language critical
    - Trap – API emulation
  • 39.
    - JavaScript obfuscation – SpiderMonkey.
    - Tools for MS Office formats:
      o OfficeMalScanner
      o OffVis
      o Office Binary Translator (includes the BiffView tool)
      o OfficeCat
    - FileHex and FileInsight hex editors can parse and edit OLE structures.
    - Similarly, tools for PDF, Flash etc.
  • 40.
    - Extensive features ≠ good tool.
    - Requirement to script & parse outputs into a ‘readable report’.
    - Command line / GUI options.
    - Comparison of multiple tools as verification.
  • 41.
    - Rapid Assessment & Potential Incident Examination Report.
    - RAPIER is a security tool built to facilitate first-response procedures for incident handling.
    - Overlap between forensics and malware analysis.
    - To illustrate the requirement to ‘script around GUI tools’.
  • 42.
    - As part of analysis, try to identify the source.
    - Block lists of suspected malicious IPs and URLs.
    - Looking up potentially malicious websites.
    - Initial vector – browser history, email logs.
  • 43.
    - Similarity studies:
    - http://code.google.com/p/yara-project/
    - Genome-based classification
    - Malware Similarity Analysis – Black Hat 09 – Daniel Raygoza
    - BLAST: Basic Local Alignment Search Tool based classification
    - Fuzzy Clarity – Digital Ninja
  • 44.
    - Research is on for classification according to:
      o Opcode distribution
      o API calls made
      o Compiler parameters
      o ……
      o Will give the ‘heuristics’
  • 45.
    - Always correlate the analysis:
      o Anubis (formerly TTAnalyze)
      o BitBlaze (cousin of the WebBlaze project)
      o Comodo
      o CWSandbox
      o Eureka
      o JoeBox
      o Norman Sandbox
      o ThreatExpert
      o Xandora
  • 46.
    - Suggested reading
      o WiLDCAT: an integrated stealth environment for dynamic malware analysis – Amit Vasudevan
      o ‘WYSINWYX’: What You See Is Not What You eXecute – Gogul Balakrishnan
      o Large-scale dynamic malware analysis – Ulrich Bayer