Malware Analysis -an overview by PP Singh


  1. An overview – part I
  2. Our game plan
     - Today – a theoretical overview followed by a case study
     - Detailed presentations about each component: virtualization, honeypots / honeynets, debugging, and so on (hopefully)
  3. Prerequisites
     - Capability for 'abstract mathematics'
     - Assembly language
     - Lack of social life
     - Adequate 'behavior modification' or 'trance inducing' materials
  4. Agenda
     - Basics
     - Setting up a lab environment
     - Analysis:
       o Network traffic
       o Disk image / file system
       o Memory image
       o Static analysis
  5. Basics
     - Traditionally we had source code auditing – the prime requirement was safety of code.
     - Then came proprietary code and with it 'black box testing'.
     - Along came modular components and we graduated to 'reverse engineering'.
  6. Basics (continued)
     - With COTS products came issues of trust – Microsoft is safe, but what about the guys who made the DLL?
     - Suggested reading: 'WYSINWYX', Gogul Balakrishnan's PhD thesis.
     - A method to reverse engineer a program along with all its associated libraries: 'holistic reverse engineering'.
  7. Basics (continued)
     - A focused application – malware analysis.
     - Why – traditional signature-based analysis is futile given the evolving malware.
     - The same logic has multiple 'signatures'.
     - Hence 'behavioral analysis'.
  8. Basics (continued)
     - Pros & cons of both static analysis & behavioral analysis.
     - Larger volumes of samples necessitate 'automation'.
     - Enter CWSandbox, Norman Sandbox & others.
     - But we need 'more'.
  9. Why bother
     - Overlap with forensics.
     - Privacy & policy issues.
     - Wish to learn.
     - 'Live' exercise – part of growing up.
     - Field of work.
     - Requirement of customized data.
     - Complexities in the malware world.
  10. Agenda
     - Basics
     - Setting up a lab environment
     - Analysis:
       o Static analysis
       o Network traffic
       o Disk image / file system
       o Memory image
  11. Setting up a lab environment – a controlled environment
     - Malware collection: through spam traps, honeypots and shared data. Nepenthes as an example.
     - Victim machines: virtualisation or real. Virtual machines are easier to manage, but malware is increasingly becoming aware of them. Virtual machines like VMware, Parallels, QEMU and Bochs are available.
  12. Setting up a lab environment (continued)
     - Support tools.
     - Network simulation: Internet connection, DNS, IRC, web, SMTP server.
     - Analysis tools: support of online resources like VirusTotal.
     - It should be isolated.
     - It should provide a full simulation.
  13. Sources of samples
     - Friends
     - Online resources
     - Honeypots:
       o Amun
       o Nepenthes
       o ….
  14. Restoring the victim machine (Windows OS)
     - Start – Windows image using Linux
     - The re-usable malware analysis net 'Truman'
     - Virtual machines
     - Norton Ghost / UDPcast / Acronis
     - Hardware – Core Restore
     - Microsoft – SteadyState
  15. Start
     - This mini Linux implementation contains tools like partimage, ntfsresize and fdisk and is based around the fantastic BusyBox.
     - It enables you to PXE boot a PC into a Linux client which can create an NTFS partition, grab a Windows disk image from the network, write it to a local disk and then resize that partition.
  16. Truman
     - Two machines minimum:
       o Linux-based server
       o Truman machine as client (XP without patches). Installation FAQ on NSMWiki.
     - Virtual network simulation.
  17. MAVMM
     - MAVMM: lightweight and purpose-built VMM for malware analysis.
     - Authors – Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T. King, Hai D. Nguyen.
     - A special-purpose virtual machine for malware analysis.
  18. Special Windows boxes
     - Academic version of XP available.
     - Instrumentation of code feasible.
     - Creation of 'special Windows' boxes.
  19. Agenda
     - Basics
     - Setting up a lab environment
     - Analysis:
       o Static analysis
       o Network traffic
       o Disk image / file system
       o Memory image
  20. Analysis – the environment
     - Create a controlled environment, virtual or real.
     - Baseline the environment:
       o Victim machine: file system, registry, running processes, open ports, users, groups, network shares, services etc.
       o Network traffic.
       o External view.
  21. Analysis – the process
     - Information collection:
       o Static: strings, resources, scripts, file properties etc.
       o Dynamic.
     - Information analysis: involves information collation, Internet searches, startup methods, communication protocols, spreading mechanisms etc.
     - Reconstructing the big picture.
     - Documentation.
  22. Remote access to the victim machine
     - PsExec – part of the Sysinternals PsTools kit.
     - MS Remote Desktop.
     - Virtual Network Computing (VNC).
     - UltraVNC – SourceForge.
     - If you are comfortable with a remote command line – PsExec.
  23. Baseline information
     o Network traffic
     o File system
     o Registry
     o Memory image
  24. Handling the sample
     - Remember it is 'malware'.
     - Use PKZIP to handle the sample.
     - Command line method.
     - If you are submitting samples online, password = 'infected'.
  25. Disk, registry and memory image analysis
     - Disk image analysis: Advanced Intrusion Detection Environment for comparing disk images before and after.
     - NTFS-3G drivers & getfattr for ADS streams.
     - Registry using dumphive.
     - Compare the registry dump before and after using the Linux diff -u command.
     - Memory image analysis: pmodump.pl modified to handle PEB randomisations; Volatility framework used for analysis.
     - Outputs of multiple tools used to compare and analyse.
  26. Live monitoring tools
     - File system and registry monitoring: Process Monitor and Capture BAT
     - Process monitoring: Process Explorer and Process Hacker
     - Network monitoring: Wireshark and SmartSniff
     - Change detection: Regshot
  27. Ndiff
     - A good way to see changes to the network is with a tool called Ndiff.
     - Ndiff is a tool that utilizes Nmap output to identify the differences, or changes, that have occurred in your environment.
     - Ndiff can be downloaded from http://www.vinecorp.com/ndiff/.
  28. Packet capture
     - tcpdump – console
     - WinDump – console
     - Wireshark – GUI
  29. Ndiff options
     - The options offered in ndiff include:
       ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>] [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>] [-fmt|-format <terse | minimal | verbose | machine | html | htmle>]
     - Ndiff output may be redirected to a web page:
       ndiff -b base-line.txt -o tested.txt -fmt machine | ndiff2html > differences.html
     - The output file, "differences.html", may be displayed in a web browser. This will separate hosts into three main categories:
       o new hosts,
       o missing hosts, and
       o changed hosts.
  30. Ports and processes
     - netstat
     - Fport
     - TCPVcon – console
     - TCPView – GUI
     - Handle – console
     - Process Explorer – GUI
     - Use the PID to correlate outputs.
  31. Hashing
     - Hashing functions:
       o md5deep – Jesse Kornblum
     - Fuzzy hashing:
       o ssdeep – again Jesse
     - Online hashes of good files – NIST
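Slides 25, 29 and 31 rest on one idea: hash or enumerate the victim machine before and after the sample runs, then diff the two snapshots. The script below is an added example (not the deck's code) that parses two constructed md5deep-style listings and sorts the differences into the new / missing / changed categories Ndiff uses for hosts; the paths and hashes are made up.

```python
import re

# Constructed md5deep-style listings ("<hash>  <path>") taken before and after
# running a sample in the lab. Hashes and paths are invented for this example.
BASELINE = """\
d41d8cd98f00b204e9800998ecf8427e  C:\\Windows\\System32\\drivers\\etc\\hosts
9e107d9d372bb6826bd81d3542a419d6  C:\\Windows\\System32\\svchost.exe
e4d909c290d0fb1ca068ffaddf22cbd0  C:\\Users\\lab\\Desktop\\notes.txt
"""
OBSERVED = """\
0cc175b9c0f1b6a831c399e269772661  C:\\Windows\\System32\\drivers\\etc\\hosts
9e107d9d372bb6826bd81d3542a419d6  C:\\Windows\\System32\\svchost.exe
ab56b4d92b40713acc5af89985d4b786  C:\\Users\\lab\\AppData\\Roaming\\updater.exe
"""

# One hex digest (MD5 through SHA-512) followed by whitespace and the path.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32,128})\s+(.+?)\s*$")


def parse_listing(text):
    """Map path -> digest, skipping blank or malformed lines."""
    snapshot = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            snapshot[m.group(2)] = m.group(1).lower()
    return snapshot


def compare_snapshots(before, after):
    """Classify entries the way Ndiff classifies hosts: new, missing, changed."""
    new = sorted(set(after) - set(before))
    missing = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"new": new, "missing": missing, "changed": changed}


def report(before_text, after_text):
    """Return the classification plus a readable one-line-per-finding report."""
    diff = compare_snapshots(parse_listing(before_text), parse_listing(after_text))
    lines = [f"{cat.upper():8} {path}" for cat in ("new", "missing", "changed")
             for path in diff[cat]]
    return diff, "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, OBSERVED)[1])
```

The same compare function works unchanged on a dumphive-style registry dump once it is parsed into key -> value pairs.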
  32. Online scanners
     - A good start
     - VirusTotal
     - VirusScan
     - And many more
     - Help retain focus
  33. Submitting samples
     - virus@ca.com
     - sample@nod32.com
     - samples@f-secure.com
     - newvirus@kaspersky.com
     - VirusTotal, Jotti, virus.org
     - Many more
  34. Unpacking
     - PEiD
     - PolyUnpack
     - Renovo – part of BitBlaze, based on memory unpacking
     - And many more
  35. Static analysis tools
     - Tools:
       o PEview
       o Depends
       o PE Browse Pro
       o objdump
       o Resource Hacker
       o strings
     - Determine the date/time of compilation, functions imported by the program, icons, menus, version info and strings embedded in the resources.
  36. More tools
     - strings
     - VIP utility – www.freespaceinternetsecurity.com
     - InCtrl5
     - Sandboxie
     - Filemon
     - Regmon
     - Autoruns
     - HijackThis
     - ……..
  37. PE format
     - PE format – need I say more.
     - LordPE – can also do memory dumps.
     - PETools.
     - PEiD – to find packer details.
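Slides 35 and 37 list PE tools for pulling out the compile timestamp, machine type and flags. The Python below is an added example (not the deck's code) that reads those fields straight from the COFF file header of a constructed minimal PE built inline, and flags a zero or future link time as suspicious; the sample bytes are not a real executable.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}


def build_sample_pe(timestamp, machine=0x014C, characteristics=0x0102):
    """Constructed sample: DOS header with e_lfanew = 0x40, then the 'PE\\0\\0'
    signature and a 20-byte COFF file header. Just enough header to parse."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 2, timestamp, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def parse_coff_header(data):
    """Machine, section count, link-time stamp and characteristics from the COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "timestamp": stamp,
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat() if stamp else None,
        "flags": [name for bit, name in CHARACTERISTICS.items() if flags & bit],
    }


def timestamp_is_suspicious(stamp, now=None):
    """A zeroed stamp (stripped) or one in the future usually means packing or tampering."""
    now = now or int(datetime.now(timezone.utc).timestamp())
    return stamp == 0 or stamp > now


SAMPLE = build_sample_pe(1262304000)   # constructed: links on 2010-01-01 00:00:00 UTC

if __name__ == "__main__":
    info = parse_coff_header(SAMPLE)
    verdict = "suspicious" if timestamp_is_suspicious(info["timestamp"]) else "plausible"
    print(info, verdict)
```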
  38. Debuggers
     - WinDbg
     - OllyDbg
     - IDA Pro
     - SysrDbg – kernel level?
     - Kernel debugger from MS
     - Knowledge of assembly language critical
     - Trap – API emulation
  39. Other file formats
     - JavaScript obfuscation – SpiderMonkey.
     - Tools for MS Office formats: OfficeMalScanner, OffVis, Office Binary Translator (includes the BiffView tool), OfficeCat.
     - FileHex and FileInsight hex editors can parse and edit OLE structures.
     - Similarly tools for PDF, Flash etc.
  40. Choosing tools
     - Extensive features ≠ good tool
     - Requirement to script & parse outputs into a 'readable report'
     - Command line / GUI options
     - Comparison of multiple tools as verification
  41. RAPIER
     - Rapid Assessment & Potential Incident Examination Report.
     - RAPIER is a security tool built to facilitate first response procedures for incident handling.
     - Overlap between forensics and malware analysis.
     - To illustrate the requirement to 'script around GUI tools'.
  42. Identifying the source
     - As part of analysis, try to identify the source.
     - Block lists of suspected malicious IPs and URLs.
     - Looking up potentially malicious websites.
     - Initial vector – browser history, email logs.
  43. Similarity studies
     - http://code.google.com/p/yara-project/
     - Genome-based classification
     - Malware similarity analysis – Black Hat 09 – Daniel Raygoza
     - BLAST (Basic Local Alignment Search Tool) based classification
     - Fuzzy Clarity – Digital Ninja
  44. Classification research
     - Research is on for classification according to:
       o opcode distribution
       o API calls made
       o compiler parameters
       o ……
       o will give the 'heuristics'
  45. Online sandboxes
     - Always correlate the analysis:
       o Anubis (formerly TTAnalyze)
       o BitBlaze (cousin of the WebBlaze project)
       o Comodo
       o CWSandbox
       o Eureka
       o Joebox
       o Norman Sandbox
       o ThreatExpert
       o Xandora
  46. Suggested reading
     o WiLDCAT: an integrated stealth environment for dynamic malware analysis – Amit Vasudevan
     o 'WYSINWYX': What You See Is Not What You eXecute – Gogul Balakrishnan
     o Large-scale dynamic malware analysis – Ulrich Bayer
