2012 Investigating Malicious Code

How to analyze a virus

Published in: Technology

  1. Investigating Malicious Code, tadej.hren@cert.si
  2. WHY?
  3. HOW?
     • Static analysis
       – antivirus
       – strings
       – PE structure
         • header
         • sections
       – disassembler
     • Dynamic analysis
       – sandbox
       – running in a safe environment
       – debugger
     Photo: Ampelmann, Loozrboy@Flickr
  4. THE NEXT SLIDE IS INTENTIONALLY COMPLETELY WHITE
  5. PE header, section table and imports:

     ```
     Compilation timedatestamp.....: 2012-10-03 12:11:18
     Target machine................: 0x14C (Intel 386 or later processors and compatible
     Entry point address...........: 0x00001240
     PE Sections...................:
     Name     Virtual Address  Virtual Size  Raw Size  Entropy  MD5
     .text    4096             10516         10752     5.91     4312d7434a3372946eba3
     .data    16384            288           512       2.09     bfb575c0474c82e26c00f
     .rdata   20480            7744          8192      5.38     07de6b1763094129fea2a
     .bss     28672            512           0         0.00     d41d8cd98f00b204e9800
     .idata   32768            2196          2560      3.94     dafc70a44d21553fd6780
     aqylxyp  36864            4096          512       0.00     bf619eac0cdf3f68d496e
     aqylxyp  40960            8192          6144      5.29     492ef1fa20f3508b61318
     emtbmpa  49152            40960         38400     7.80     b67ff3c94dfdbb663f91c
     qdoevxg  90112            4096          512       0.00     bf619eac0cdf3f68d496e
     PE Imports....................:
     [[KERNEL32.dll]] GetAtomNameA, GetFileSize, AddAtomA, WriteFile, ReadFile, SetUnhandledExceptionFilt CloseHandle, CreateFileA, SetFilePointer, GetModuleFileNameA, VirtualAlloc, GetModu
     [[msvcrt.dll]] _cexit, __p__fmode, malloc, __p__environ, signal, free, _onexit, atexit, abort, _se fflush, _iob, strcmp, __set_app_type
     [[ws2_32.dll]] listen, htonl, WSAConnect, getpeername, ntohl, inet_addr, getprotobyname, ioctlsock getsockname, inet_ntoa, htons, recv, gethostbyaddr, getsockopt
     ```
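The section table on slide 5 is what a PE-header scanner prints, and the anomalies an analyst reads off it (section names that no compiler emits, entropy near 8 bits per byte, a section with no bytes on disk but memory reserved for it, writable-plus-executable sections) can be checked mechanically. The following is an added example, my own code and not the presentation's or CERT.si's: it parses the DOS header, COFF header and section table with nothing but the Python standard library, computes per-section entropy over the on-disk bytes, and applies those checks. The byte string it parses is constructed inline (a PE-shaped image with four sections, not a runnable executable); its compile timestamp is set to the value on the slide and the section names aqylxyp and qdoevxg are borrowed from the slide. The allowlist of "normal" section names and the 7.0 entropy threshold are assumptions for illustration.

```python
import math
import random
import struct
from datetime import datetime, timezone

# Assumption: a small allowlist of section names common compilers/linkers emit.
KNOWN_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                       ".rsrc", ".reloc", ".tls", ".pdata", ".xdata", ".CRT"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table, with entropy of each section's raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size               # section table follows the optional header
    sections = []
    for i in range(nsections):                 # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(raw), 2), "chars": chars})
    compiled = datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"machine": machine, "compile_time": compiled, "sections": sections}


def flag_sections(parsed: dict) -> list:
    """Return [(section name, [reasons])] for sections that deserve a closer look."""
    findings = []
    for s in parsed["sections"]:
        reasons = []
        if s["name"] not in KNOWN_SECTION_NAMES:
            reasons.append("non-standard section name")
        if s["rawsize"] and s["entropy"] >= 7.0:           # threshold is an assumption
            reasons.append("high entropy: likely packed or encrypted")
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["name"] != ".bss":
            reasons.append("no bytes on disk but memory reserved: unpacking target?")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def build_sample_image() -> bytes:
    """Constructed PE-shaped bytes (not an executable) mimicking the slide's table:
    two ordinary sections, an oddly named high-entropy W+X section, and an oddly
    named section that has no data on disk."""
    rng = random.Random(2012)                                  # deterministic sample data
    text = b"\x55\x8b\xec\x5d\xc3" * 204 + b"\x90" * 4         # 1024 bytes, low entropy
    data = b"\x00" * 512
    packed = bytes(rng.getrandbits(8) for _ in range(4096))    # close to 8 bits/byte
    specs = [  # (name, VirtualSize, VirtualAddress, raw bytes, Characteristics)
        (b".text", 1024, 0x1000, text, 0x60000020),      # CODE | EXECUTE | READ
        (b".data", 512, 0x2000, data, 0xC0000040),       # INITIALIZED_DATA | READ | WRITE
        (b"aqylxyp", 4096, 0x3000, packed, 0xE0000020),  # CODE | EXECUTE | READ | WRITE
        (b"qdoevxg", 4096, 0x4000, b"", 0xC0000080),     # UNINITIALIZED_DATA | READ | WRITE
    ]
    opt_size, e_lfanew = 224, 0x40                             # PE32 optional header, left zeroed
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(specs)
    raw_start = (headers_end + 511) // 512 * 512               # file alignment 512
    table, body, ptr = b"", b"", raw_start
    for name, vsize, vaddr, raw, chars in specs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                             ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # 1349266278 is 2012-10-03 12:11:18 UTC, the timestamp shown on the slide.
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 1349266278, 0, 0, opt_size, 0x0102)
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return image + b"\0" * (raw_start - len(image)) + body


if __name__ == "__main__":
    parsed = parse_pe(build_sample_image())
    print("compiled:", parsed["compile_time"])
    for s in parsed["sections"]:
        print(f'{s["name"]:8} vaddr={s["vaddr"]:#x} vsize={s["vsize"]} raw={s["rawsize"]} H={s["entropy"]}')
    for name, reasons in flag_sections(parsed):
        print(name, "->", "; ".join(reasons))
```

Only the section table and COFF header are parsed; the optional header is skipped on purpose, so the same walk works for PE32 and PE32+ as long as SizeOfOptionalHeader is honoured. Entropy is computed over SizeOfRawData bytes, which is why a section with zero raw size (like the slide's .bss or the unpacking target) scores 0.00 rather than being mistaken for plain data.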
  6. ```
     Category: Write
     Process Name: svchost.exe, PID 148
     Operation: CreateFile
     Path: "C:\Documents and Settings\tt\Application Data\msconfig.dat"

     Process Name: svchost.exe, PID 148
     Operation: WriteFile
     Path: "C:\Documents and Settings\tt\Application Data\msconfig.dat"

     Process_Name: svchost.exe, PID 148
     Operation: RegSetValue
     Path: "HKU\...\Windows NT\CurrentVersion\Winlogon\shell"
     Details: "C:\Documents and Settings\tt\Application Data\msconfig.dat"
     ```
  7. ```
     Operation: Process Create
     Process_Name: Explorer.EXE, PID: 1848
     Path: C:\users\...\ttvke9443gcw8q7l.exe
     Detail: PID: 680, Command line: "C:\users\...\ttvke9443gcw8q7l.exe"

     Process_Name: ttvke9443gcw8q7l.exe, PID: 680
     Path: C:\users\...\ttvke9443gcw8q7l.exe
     Detail: PID: 1124, Command line: "C:\users\...\ttvke9443gcw8q7l.exe"

     Process_Name: ttvke9443gcw8q7l.exe, PID 1124
     Path: C:\WINDOWS\explorer.exe
     Detail: PID: 2012, Command line: "C:\WINDOWS\explorer.exe"

     Process_Name: Explorer.EXE, PID: 1848
     Path: C:\WINDOWS\system32\svchost.exe
     Detail: PID: 148, Command line: "C:\WINDOWS\system32\svchost.exe"
     ```
  8. (Slide 7 repeated.)
  9. 1. CreateProcess(…, CREATE_SUSPENDED, …)
     2. ZwUnmapViewOfSection()
     3. VirtualAllocEx()
     4. WriteProcessMemory()
     5. ResumeThread()
  10. (Slide 7 repeated.)
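Slides 6 to 10 show what the sandbox sees from the outside: a binary under a user profile starts a copy of itself, that copy starts C:\WINDOWS\explorer.exe, and later a svchost.exe writes a file into Application Data and points the Winlogon Shell value at it. Both tells can be caught from the monitor log alone, without knowing which of the five API calls on slide 9 were used. The following added example is my own detection code, not the presentation's, run over constructed records in the Process Monitor style of the slides (one record per line, comma-separated fields; that layout, the user directory "exampleuser" and the SID are placeholders, not real captures). It learns each child PID's image path from Process Create events, flags a process whose image lives under a user profile spawning an image under C:\WINDOWS, and flags any write to ...\Winlogon\shell whose value is not explorer.exe.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records (placeholders, not a real capture); the process names,
# PIDs and paths follow slides 6 and 7. The fourth line is a benign service start
# included to show that not every svchost.exe creation is flagged.
SAMPLE_LOG = r"""
Operation: Process Create, Process_Name: Explorer.EXE, PID: 1848, Path: C:\users\exampleuser\ttvke9443gcw8q7l.exe, Detail: PID: 680, Command line: "C:\users\exampleuser\ttvke9443gcw8q7l.exe"
Operation: Process Create, Process_Name: ttvke9443gcw8q7l.exe, PID: 680, Path: C:\users\exampleuser\ttvke9443gcw8q7l.exe, Detail: PID: 1124, Command line: "C:\users\exampleuser\ttvke9443gcw8q7l.exe"
Operation: Process Create, Process_Name: ttvke9443gcw8q7l.exe, PID: 1124, Path: C:\WINDOWS\explorer.exe, Detail: PID: 2012, Command line: "C:\WINDOWS\explorer.exe"
Operation: Process Create, Process_Name: services.exe, PID: 600, Path: C:\WINDOWS\system32\svchost.exe, Detail: PID: 900, Command line: "C:\WINDOWS\system32\svchost.exe -k netsvcs"
Operation: RegSetValue, Process_Name: svchost.exe, PID: 148, Path: HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell, Detail: "C:\Documents and Settings\exampleuser\Application Data\msconfig.dat"
"""

RECORD_RE = re.compile(
    r"Operation: (?P<op>[^,]+), Process_Name: (?P<proc>[^,]+), PID: (?P<pid>\d+), "
    r"Path: (?P<path>.+?), Detail: (?P<detail>.*)$")
CHILD_PID_RE = re.compile(r"PID: (\d+)")

USER_PROFILE_PREFIXES = ("c:\\users\\", "c:\\documents and settings\\")
SYSTEM_PREFIX = "c:\\windows\\"


def parse_records(text: str) -> list:
    """One dict per well-formed record; lines that do not match are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def analyze(records: list) -> list:
    """Return (rule, pid, detail) findings for the two behaviours on the slides:
    a user-profile binary spawning a Windows system binary, and a Winlogon Shell
    value rewritten to anything other than explorer.exe."""
    image_of = {}        # child PID -> image path, learned from Process Create events
    findings = []
    for r in records:
        if r["op"] == "Process Create":
            child_pid = int(CHILD_PID_RE.search(r["detail"]).group(1))
            child_image = r["path"]
            image_of[child_pid] = child_image
            # Process_Name/PID is the parent; its image is only known if we saw it start.
            parent_image = image_of.get(int(r["pid"]), "")
            if (parent_image.lower().startswith(USER_PROFILE_PREFIXES)
                    and child_image.lower().startswith(SYSTEM_PREFIX)):
                findings.append(("system-binary-spawned-from-user-profile", child_pid,
                                 f"{parent_image} -> {child_image}"))
        elif r["op"] == "RegSetValue" and r["path"].lower().endswith("\\winlogon\\shell"):
            value = r["detail"].strip('"')
            if PureWindowsPath(value).name.lower() != "explorer.exe":
                findings.append(("winlogon-shell-persistence", int(r["pid"]), value))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(parse_records(SAMPLE_LOG)):
        print(f"[{rule}] pid={pid}: {detail}")
```

The first rule deliberately keys on the parent's image path rather than its name: the third record says "ttvke9443gcw8q7l.exe started explorer.exe", but a parent that merely calls itself svchost.exe would be caught just the same as long as its own creation was logged, which is the reason for keeping the PID-to-image map. A freshly started system binary that then behaves like the user-profile parent (the sequence on slide 9 leaves the image path looking legitimate) is exactly the case that this log-level view cannot distinguish, so a hit from the first rule is a trigger for memory inspection of the child, not a verdict.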
