Basic Malware Analysis
Introduction to beginning malware analysis.

1. Basic Malware Analysis
   Albert Hui, GCFA, CISA
   albert.hui@gmail.com

2. Goals
   - Present tools and techniques for preliminary malware analysis
   - Introduce the model and mindset for beginning reverse engineering
   - Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on
   Copyright © 2007 Albert Hui

3. Terminology
   - Malware – malicious software
   - Virus – infects a host program to reproduce
   - Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom)
   - Trojan – malicious program disguised as harmless
   - 木馬 (mainland China usage) != trojan, but == backdoor
   - Backdoor – remote control software
   - Rootkit – covers up a backdoor and forensic evidence (e.g. Sony XCP rootkit)
   - Spyware – calls home

4. Black-Box Examination
   - Snapshot Observation
   - Behavioral Tracing
   - Sandboxing

5. Snapshot Observation
   Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.)
   Pros:
   - Gathers a consistent big picture
   - Some information is only uncovered by static analysis
   Cons:
   - Can lose sight of small/transient changes
   - Difficult to cover every avenue

6. Snapshot Observation Tools (runtime)
   Process/Thread:
   - Process Explorer
   Windows Objects:
   - WinObj
   - OpenedFilesView

7. Snapshot Observation Tools (static)
   Executable:
   - XN Resource Editor
   File:
   - hexplorer
   - FileAlyzer

8. Snapshot Observation Tools (executable)
   - PEBrowse
   - Dependency Walker
   - PEiD
   Dumper:
   - LordPE
   - Universal Extractor
   - RL!depacker
   Decompiler/Disassembler:
   - IDA Pro
   - OllyDbg/OllyICE
   - JAD
   - Spices.Decompiler

9. Behavioral Tracing
   Includes debugging, tracing, network traffic analysis, etc.
   Pros:
   - Detailed time-domain information
   - Can drill down to the system call level
   Cons:
   - Can lose sight of the big picture
   - Difficult to cover every avenue

10. Behavioral Tracing Tools
   Process/Thread/File/Registry Tracing:
   - ProcMon
   Network Tracing:
   - TCPView
   - TDImon
   - Wireshark
   Debugger:
   - OllyDbg/OllyICE
   - SoftICE

11. Sandboxing
   - Containment of execution in a protected environment
   - One kind of virtualization; shares techniques with virtual machines, honeypots/tarpits, and forceful uninstallers
   - Sandboxing can occur at various levels: network, application, OS, down to bare metal
   Pros:
   - Total coverage possible
   - Local containment of harm
   Cons:
   - Difficult to discern incremental changes

12. Sandboxing Tools
   Machine Level:
   - VMware
   OS Level:
   - Altiris SVS
   - PowerShadow
   - ShadowUser
   Application Level:
   - Sandboxie
   Network Level:
   - Honeyd

13. Demo
   - Use FileAlyzer to determine the file type.
   - Rename to .exe, use Dependency Walker to determine functions.
   - Use PEiD to detect the signature – UPX packed.
   - Use Universal Extractor to unpack the file.
   - Use Dependency Walker to determine functions.
   - Use FileAlyzer to read embedded strings.
   - Detach the network, use Sandboxie to execute the file.
   - Use Wireshark and ProcMon, execute the file again.
   - Use OllyDbg to understand program flow – the program connects to a server on port 6667.
   - Set up our own IRC server, edit the hosts file on the guest to fool the malware into connecting to it.
   - Try out commands found in the embedded strings.
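As an added example (not part of the original slides), the static half of this demo in Python: file type by magic bytes, the PE section-name check behind PEiD's UPX verdict, a strings dump, and DLL names pulled from those strings as a stand-in for the import table; the sample PE and its payload strings are constructed here, so it runs offline.

```python
import re
import struct

# Magic bytes for the file types the demo distinguishes (constructed table).
MAGICS = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF", b"%PDF": "PDF", b"PK\x03\x04": "ZIP"}

def file_type(data):  # FileAlyzer step: trust leading bytes, not the extension
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"

def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                               # section table follows optional header
    names = []
    for i in range(nsec):
        entry = data[table + 40 * i: table + 40 * i + 8]         # Name is the first 8 bytes of 40
        if len(entry) < 8:
            break                                                # truncated file or lying header
        names.append(entry.rstrip(b"\0").decode("ascii", "replace"))
    return names

def strings(data, min_len=5):  # printable ASCII runs, as FileAlyzer's string view shows them
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    """Static triage in the demo's order; 'dlls' is a strings heuristic, not the import table."""
    secs, strs = pe_sections(data), strings(data)
    return {
        "type": file_type(data),
        "sections": secs,
        "packer": "UPX" if any(n.startswith("UPX") for n in secs) else None,  # PEiD's UPX verdict
        "dlls": sorted({s for s in strs if s.lower().endswith(".dll")}),
        "strings": strs,
    }

def build_sample_pe(section_names, payload=b""):
    """Constructed minimal PE (headers + section table, no code) so the example runs offline."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table + payload

# Constructed payload standing in for strings the demo read from the unpacked sample.
SAMPLE_PAYLOAD = b"\0USER32.dll\0WS2_32.dll\0irc.example.invalid\0PRIVMSG #control :help\0"
```

Run `triage(build_sample_pe(["UPX0", "UPX1", ".rsrc"], SAMPLE_PAYLOAD))` to see the packer verdict, the DLL hints and the server name that the demo later confirms in the debugger.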
14. Process-Based Malware
   - e.g. BO2K, Sub7, Netbus, 冰河, 灰鴿子
   - Technically equivalent to VNC, Remote Desktop, pcAnywhere etc.

15. Tricks of Process-Based Malware
   - Melting – deletes the installer or deletes itself entirely from disk
   - Sticky Process – multiple execution units reviving each other
   - Sticky Image – reinstalls itself upon system shutdown
   Anti-detection (免殺):
   - Polymorphism – packing/encryption or other superficial changes
   - Metamorphism – radically changing the code, includes 加花 (addition of fake signatures)

16. Stealthy Malware
   The 2nd Generation

17. Processless (無進程) Malware
   Parasite approach (exists only as threads):
   - DLL attachment
   - CreateRemoteThread
   - Code injection, detour patching
   Rootkit approach (hides the process):
   - Hooking
   - DKOM

18. Vulnerabilities of Rootkits
   - Communications can always be captured on external network links
   - Always changes the OS:
     - compare observations with known-good states
     - compare observations from different approaches (e.g. Linux ls vs. opendir())
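An added example, not from the slides, of the two checks on this slide in Python: a known-good baseline of file hashes diffed against the current state of a directory, and a cross-view diff of the same directory as seen through os.listdir (libc readdir) and through the ls tool; the directory contents are constructed inside run_demo, and cross_view assumes a POSIX ls is on PATH.

```python
import hashlib
import os
import subprocess
import tempfile

def snapshot(path):
    """Known-good baseline: name -> SHA-256 of every regular file directly under path."""
    digest = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full) and not os.path.islink(full):
            with open(full, "rb") as f:
                digest[name] = hashlib.sha256(f.read()).hexdigest()
    return digest

def diff_snapshots(baseline, current):
    """What changed since the known-good state: added, removed and modified names."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    return {"added": added, "removed": removed, "modified": modified}

def cross_view_diff(view_a, view_b):
    """Entries that one observation method reports and the other does not."""
    a, b = set(view_a), set(view_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}

def cross_view(path):
    """Live check: libc-level listing (os.listdir -> readdir) vs the ls tool's view of path."""
    libc_view = os.listdir(path)
    out = subprocess.run(["ls", "-1A", path], capture_output=True, text=True, check=True).stdout
    tool_view = [line for line in out.splitlines() if line]   # assumes no newlines in names
    return cross_view_diff(libc_view, tool_view)

def run_demo():
    """Constructed scenario: baseline two files, then modify one and add one."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("a.txt", b"alpha"), ("b.txt", b"beta")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        baseline = snapshot(d)
        with open(os.path.join(d, "b.txt"), "wb") as f:
            f.write(b"BETA")
        with open(os.path.join(d, "c.txt"), "wb") as f:
            f.write(b"gamma")
        return diff_snapshots(baseline, snapshot(d)), cross_view(d)
```

On a clean system both halves of cross_view agree; a discrepancy between the two views is the signal the slide describes, and the baseline diff catches changes even when both views are hooked the same way.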
19. Rootkit Detection Tools
   Rootkit Detection:
   - 冰刃 IceSword
   - DarkSpy
   - GMER

20. Conclusion
   - First perform static analysis
   - Then let the malware loose in a contained environment
   - Drill down with expert knowledge to further fool the malware into doing more