CS266 Software Reverse Engineering (SRE)
Identifying, Monitoring, and Reporting Malware
Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu
Department of Computer Science
San José State University
Spring 2015
The information in this presentation is taken from the thesis “Software reverse engineering education”
available at http://scholarworks.sjsu.edu/etd_theses/3734/ where all citations can be found.
What Qualifies as Malware?
- Malware describes a category of software that doesn't always operate in a way that benefits the user.
- Of course, those of us who have ever used software might contend that this definition of malware will cause programs that we use every day to be categorized as malware.
- So let's qualify it a bit: the malicious or annoying behaviors of malware are intentional, not the result of one or more bugs.
Types of Malware
- There are several types of malware that affect computer systems [6] [7]:
  - Viruses: require some deliberate action to help them spread.
  - Worms: similar to viruses, but can spread by themselves over computer networks.
  - Trojan Horses: perform hidden malicious or annoying operations.
  - Backdoor: a vulnerability purposely embedded in software.
  - Rabbit: a program that exhausts system resources.
  - Ransomware: locks computer files; the victim has to pay to unlock them.
  - Criminalware: steals sensitive information.
Prevalence of Malware Types
- Malware usually isn't of just one type; for example, 4 of the top 10 malicious code families reported in 2011 were Viruses with a Worm component.
- Using the machine code and bytecode reversing experience gained from the previous modules, one could attempt to reverse malware.
- Using virtualization tools such as VMware or VirtualBox to create secondary operating system images (Guests) on which to analyze malware can still result in infection of the primary operating system (Host).
- Great care should be taken to isolate guest OSes from their host OS:
  - Networking, removable storage, clipboard usage, etc.
Safe & Practical Malware Reversing
- We want to become familiar with using tools to identify, monitor, and report software that might be malicious.
- Reversing malware directly is especially challenging because several anti-reversing techniques will have been applied to the code.
- Given that unexpected catastrophes can arise when installing a virus, worm, backdoor, etc. for academic purposes, we can still learn something from working with contrived or benign "malware".
- In 1996, Mark Russinovich founded a company called "Winternals Software", where he was the chief software architect on a comprehensive suite of tools for diagnosing, debugging, and repairing Windows® systems and applications [9].
Windows Sysinternals
- Mark's company was purchased by Microsoft, and the suite of tools has been rebranded as Windows Sysinternals; the tools are offered for free.
- Mark's story is an interesting one because he is recognized as an expert on the internals of Windows even though he did not participate in its development—a true testament to what can be learned about software through reversing.
- The Sysinternals suite contains 69 utilities, but we'll focus on just one.
Sysinternals Process Monitor
- Process Monitor can capture detailed information about a process in a Windows system, including file system, registry, and network activity.
[Figure: Process Monitor session for the Password Vault CPP application, showing file system activity.]
[Figure: Process Monitor session for the Password Vault CPP application, showing network activity.]
[Figure: Process Monitor session for the Password Vault CPP application, showing registry activity.]
Sysinternals Process Monitor (cont'd)
- Process Monitor itself does not detect or identify malware. It simply monitors and records what processes are doing.
- With a little bit of ingenuity, one can identify a software Trojan by looking for activities that don't seem to fit with the advertised functionality of a program.
- It's common practice to download free software from the Internet:
  - Some believe that open-source software should have the fewest vulnerabilities. The more eyes the better, right?
- Becoming familiar with the Sysinternals suite can help you evaluate whether the software on your Windows machine is acting in your best interest.
Benign Malware Exercise
- The Alarm Clock application is a benign software Trojan that, in addition to being a rudimentary alarm clock, performs unadvertised functions on background threads:
  - Logs information from the Windows® registry.
  - Logs locations of "office" documents in the file system.
  - Scans for computers that respond to an ICMP ping.
  - Paced background threads are used.
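The "activity that doesn't fit the advertised functionality" idea from the Process Monitor slides can be turned into a small triage script over a Process Monitor CSV export. The following is an added example, not code from the course or from the Sysinternals tools: the process name AlarmClock.exe, the registry keys, file paths and every event row are constructed for illustration; only the column layout matches what Process Monitor's CSV save produces. The analyst writes down what an alarm clock legitimately needs (its own registry key, its own install directory, no network) and everything the process does outside that profile is listed for review.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export (columns as ProcMon saves them).
# Events are invented for the hypothetical benign Trojan "AlarmClock.exe".
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0001","AlarmClock.exe","4120","RegOpenKey","HKCU\Software\AlarmClock","SUCCESS","Desired Access: Read"
"10:01:00.0002","AlarmClock.exe","4120","RegQueryValue","HKCU\Software\AlarmClock\AlarmTime","SUCCESS","Type: REG_SZ, Length: 12, Data: 07:30"
"10:01:00.0003","AlarmClock.exe","4120","CreateFile","C:\Program Files\AlarmClock\alarm.wav","SUCCESS","Desired Access: Generic Read"
"10:01:02.0001","AlarmClock.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 20, Data: Windows 7"
"10:01:02.0002","AlarmClock.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner","SUCCESS","Type: REG_SZ, Length: 8, Data: ted"
"10:01:04.0001","AlarmClock.exe","4120","QueryDirectory","C:\Users\ted\Documents","SUCCESS","Filter: *.docx, 1: thesis.docx"
"10:01:04.0002","AlarmClock.exe","4120","QueryDirectory","C:\Users\ted\Documents","SUCCESS","Filter: *.xlsx, 1: budget.xlsx"
"10:01:04.0003","AlarmClock.exe","4120","CreateFile","C:\Users\ted\AppData\Local\Temp\ac.log","SUCCESS","Desired Access: Generic Write"
"10:01:06.0001","AlarmClock.exe","4120","UDP Send","ted-pc:49152 -> 192.168.56.101:7","SUCCESS","Length: 32"
"10:01:06.0002","explorer.exe","1340","CreateFile","C:\Users\ted\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read"
""".lstrip("\n")

# Advertised profile of the program (hypothetical): what an alarm clock legitimately needs.
# Anything the process does outside this profile is reported for the analyst.
PROFILE = {
    "process": "AlarmClock.exe",
    "registry_prefixes": (r"HKCU\Software\AlarmClock",),
    "file_prefixes": (r"C:\Program Files\AlarmClock", r"C:\Windows"),
    "network_expected": False,
}

# Extensions that mark an event as touching "office" documents.
OFFICE_EXTENSIONS = (".doc", ".xls", ".ppt")


def _under(path, prefixes):
    """Case-insensitive check that path equals, or lies below, one of the prefixes."""
    p = path.lower()
    for prefix in prefixes:
        prefix = prefix.lower().rstrip("\\")
        if p == prefix or p.startswith(prefix + "\\"):
            return True
    return False


def _category(operation):
    """Map a ProcMon operation name onto the three activity classes the slides show."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    return "filesystem"


def find_anomalies(csv_text, profile):
    """Return the events of profile['process'] that fall outside its advertised behaviour."""
    anomalies = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != profile["process"]:
            continue
        cat = _category(row["Operation"])
        path = row["Path"]
        if cat == "registry":
            suspicious = not _under(path, profile["registry_prefixes"])
        elif cat == "network":
            suspicious = not profile["network_expected"]
        else:
            suspicious = not _under(path, profile["file_prefixes"])
        if not suspicious:
            continue
        text = (path + " " + row["Detail"]).lower()
        anomalies.append({
            "time": row["Time of Day"],
            "category": cat,
            "operation": row["Operation"],
            "path": path,
            "detail": row["Detail"],
            # True when the event names an office document (the exercise's second behaviour).
            "office_document": any(ext in text for ext in OFFICE_EXTENSIONS),
        })
    return anomalies


def summarize(anomalies):
    """Count out-of-profile events per activity class."""
    return Counter(a["category"] for a in anomalies)


if __name__ == "__main__":
    found = find_anomalies(SAMPLE_CSV, PROFILE)
    print("Out-of-profile events:", dict(summarize(found)))
    for a in found:
        flag = " [office document]" if a["office_document"] else ""
        print(f'{a["time"]} {a["category"]:<10} {a["operation"]:<14} {a["path"]}{flag}')
```

On the constructed sample the script reports two registry reads outside the program's own key, three file system events (two directory listings for office documents plus a log file written to the user's temp directory) and one UDP send from a program that has no reason to talk to the network. Process Monitor's network events cover TCP and UDP, so the ICMP ping scan from the exercise would not appear in such an export; that behaviour has to be observed with a packet capture on the isolated lab network instead.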
Benign Malware Exercise (cont'd)
[Figure: background threads log information about the user's system.]
Is Open Source More Trustworthy?
- The data on the number of vulnerabilities found in the 5 most popular Internet browsers does not support the proposition that open source is more secure.
  - Big 5: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari.
- Mozilla Firefox was affected by 270 new vulnerabilities in 2013, more than any other browser; 245 new vulnerabilities were found in Google Chrome, 126 in Internet Explorer, 75 in Apple Safari, 11 in Opera [Secunia].
- The two browsers containing the most open source code (Chrome is based on Chromium, Firefox on Mozilla) have the most vulnerabilities…
- Of course, we need to temper this judgement with the observation that popular software is targeted more often.
Reporting Suspected Malware
- If you suspect a particular program to be malware, it can be submitted to online threat analysis services such as ThreatExpert or VirusTotal.
- ThreatExpert and VirusTotal are Web-based tools that accept submissions of suspicious executables or URLs to detect possible malware.
- Both services match against databases of known malware; ThreatExpert additionally executes submitted binaries in an isolated environment to perform heuristic detection of malware.
[Figure: ThreatExpert submission page, http://www.threatexpert.com/submit.aspx]
[Figure: ThreatExpert report, http://www.threatexpert.com/report.aspx?md5=acdd4c2a377933d89139b5ee6eefc464, with the heuristic analysis components highlighted.]
[Figure: scan result for the submitted sample: 44 out of 56 antiviruses detect this as malware.]
Setting up a Lab for Analyzing Malware
- Each of you has been assigned your own VMware image (info on Canvas).
- The images are only accessible through VMware's built-in VNC server.
- The images are on a virtual network and have no connectivity to the Internet or the Host's network. This is to prevent:
  - infection of the Host (primary OS), worms from spreading*,
  - downloading of additional threats,
  - transmission of sensitive data to hacker sites.
- Virtualized Network Isolation for a Malware Analysis Lab:
  - https://zeltser.com/vmware-network-isolation-for-malware-analysis/
19
20
21

More Related Content

What's hot

Computer viruses
Computer virusesComputer viruses
Computer virusesImran Khan
 
Virus, Worms And Antivirus
Virus, Worms And AntivirusVirus, Worms And Antivirus
Virus, Worms And AntivirusLokesh Kumar N
 
Spyware And Anti Virus Software Presentation
Spyware And Anti Virus Software PresentationSpyware And Anti Virus Software Presentation
Spyware And Anti Virus Software Presentationamy.covington215944
 
What is a virus and anti virus
What is a virus and anti virusWhat is a virus and anti virus
What is a virus and anti virusLeonor Costa
 
Presentation2
Presentation2Presentation2
Presentation2Jeslynn
 
Spyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeSpyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeMangesh wadibhasme
 
Malwares and ways to detect and prevent them
Malwares and ways to detect and prevent themMalwares and ways to detect and prevent them
Malwares and ways to detect and prevent themkrunal gandhi
 
Rajul computer presentation
Rajul computer presentationRajul computer presentation
Rajul computer presentationNeetu Jain
 
Computer virus
Computer virusComputer virus
Computer virusDark Side
 
Computer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon ChakrabortyComputer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon Chakrabortysankhadeep
 
10 Worst Computer Viruses of all time
10 Worst Computer Viruses of all time10 Worst Computer Viruses of all time
10 Worst Computer Viruses of all timeAlefyaM
 
Computer virus and anti virus presentation
Computer virus and anti virus presentationComputer virus and anti virus presentation
Computer virus and anti virus presentationSardar Kaukaz
 

What's hot (20)

Computer viruses
Computer virusesComputer viruses
Computer viruses
 
DEFINING A SPYWARE
DEFINING A SPYWAREDEFINING A SPYWARE
DEFINING A SPYWARE
 
Malware
MalwareMalware
Malware
 
Virus
VirusVirus
Virus
 
Anti virus
Anti virusAnti virus
Anti virus
 
Spyware Adware
Spyware AdwareSpyware Adware
Spyware Adware
 
Virus, Worms And Antivirus
Virus, Worms And AntivirusVirus, Worms And Antivirus
Virus, Worms And Antivirus
 
Spyware And Anti Virus Software Presentation
Spyware And Anti Virus Software PresentationSpyware And Anti Virus Software Presentation
Spyware And Anti Virus Software Presentation
 
What is a virus and anti virus
What is a virus and anti virusWhat is a virus and anti virus
What is a virus and anti virus
 
Presentation2
Presentation2Presentation2
Presentation2
 
Virus and worms
Virus and wormsVirus and worms
Virus and worms
 
Spyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeSpyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasme
 
Malwares and ways to detect and prevent them
Malwares and ways to detect and prevent themMalwares and ways to detect and prevent them
Malwares and ways to detect and prevent them
 
Rajul computer presentation
Rajul computer presentationRajul computer presentation
Rajul computer presentation
 
Computer virus
Computer virusComputer virus
Computer virus
 
Computer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon ChakrabortyComputer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon Chakraborty
 
Computer virus
Computer virusComputer virus
Computer virus
 
10 Worst Computer Viruses of all time
10 Worst Computer Viruses of all time10 Worst Computer Viruses of all time
10 Worst Computer Viruses of all time
 
Avoiding email viruses
Avoiding email virusesAvoiding email viruses
Avoiding email viruses
 
Computer virus and anti virus presentation
Computer virus and anti virus presentationComputer virus and anti virus presentation
Computer virus and anti virus presentation
 

Viewers also liked

Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorAsanka Dilruk
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java BytecodeTeodoro Cipresso
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeTeodoro Cipresso
 
Why z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsWhy z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsTeodoro Cipresso
 
Make Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EEMake Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EETeodoro Cipresso
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Teodoro Cipresso
 
Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareTeodoro Cipresso
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringTeodoro Cipresso
 

Viewers also liked (10)

Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array Processor
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java Bytecode
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine Code
 
Why z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsWhy z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIs
 
Make Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EEMake Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EE
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
 
Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy Software
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse Engineering
 
Array Processor
Array ProcessorArray Processor
Array Processor
 
CO Module 5
CO Module 5CO Module 5
CO Module 5
 

Similar to Identifying, Monitoring, and Reporting Malware

(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Common Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementCommon Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementMuhammad FAHAD
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksDiane M. Metcalf
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types  !Type of Malware and its different analysis and its types  !
Type of Malware and its different analysis and its types !Mohammed Jaseem Tp
 
Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Satria Ady Pradana
 
Survey on Malware Detection Techniques
Survey on Malware Detection TechniquesSurvey on Malware Detection Techniques
Survey on Malware Detection TechniquesEditor IJMTER
 
Computer Virus ppt.pptx
Computer Virus ppt.pptxComputer Virus ppt.pptx
Computer Virus ppt.pptxPragatiKachhi1
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptCHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptManjuAppukuttan2
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & preventionPriSim
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityLumension
 

Similar to Identifying, Monitoring, and Reporting Malware (20)

Module 5.pdf
Module 5.pdfModule 5.pdf
Module 5.pdf
 
Module 5.Malware
Module 5.MalwareModule 5.Malware
Module 5.Malware
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
IT viruses
 IT viruses IT viruses
IT viruses
 
Common Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementCommon Malware Types Vulnerability Management
Common Malware Types Vulnerability Management
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise Networks
 
virus
virusvirus
virus
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types  !Type of Malware and its different analysis and its types  !
Type of Malware and its different analysis and its types !
 
Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)
 
Survey on Malware Detection Techniques
Survey on Malware Detection TechniquesSurvey on Malware Detection Techniques
Survey on Malware Detection Techniques
 
Antivirus
AntivirusAntivirus
Antivirus
 
antivirus.pptx
antivirus.pptxantivirus.pptx
antivirus.pptx
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer Virus ppt.pptx
Computer Virus ppt.pptxComputer Virus ppt.pptx
Computer Virus ppt.pptx
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptCHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day Reality
 
Malware
MalwareMalware
Malware
 
Malware
MalwareMalware
Malware
 

Recently uploaded

The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 

Recently uploaded (20)

The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 

Identifying, Monitoring, and Reporting Malware

  • 1. CS266 Software Reverse Engineering (SRE) Identifying, Monitoring, and Reporting Malware Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015 The information in this presentation is taken from the thesis “Software reverse engineering education” available at http://scholarworks.sjsu.edu/etd_theses/3734/ where all citations can be found.
  • 2. 2 Identifying, Monitoring, and Reporting Malware What Qualifies as Malware?  Malware describes a category of software that doesn’t always operate in a way that benefits the user.  Of course, those of us who have ever used software might contend that this definition of malware will cause programs that we use every day to be categorized as malware.  So let's qualify it a bit: the malicious or annoying behaviors of malware are intentional, not the result of one or more bugs.
  • 3. 3 Identifying, Monitoring, and Reporting Malware Types of Malware  There are several types of malware that affect computer systems [6] [7]:  Viruses: require some deliberate action to help them spread.  Worms: similar to a virus but can spread by itself over computer networks.  Trojan Horses: performs hidden malicious or annoying operations.  Backdoor: a vulnerability purposely embedded in software.  Rabbit: a program that exhausts system resources.  Ransomware: lock computer files, victim has to pay to unlock.  Criminalware: Steal sensitive information.
  • 4. 4 Identifying, Monitoring, and Reporting Malware Prevalence of Malware Types  Malware usually isn't of just one type; for example, 4 of the top 10 malicious codes families reported in 2011 were Viruses with a Worm component.  Using the machine code and bytecode reversing experiences gained from the previous modules, one could attempt to reverse malware.  Using virtualization tools such as VMWare or Virtual Box to create secondary operating system images (Guests) on which to analyze malware can still result in infection of the primary operating system (Host).  Great care should be taken to isolate guest OSes from their host OS.  Networking, removeable storage, clipboard usage, etc…
  • 5. 5
  • 6. 6 Identifying, Monitoring, and Reporting Malware Safe & Practical Malware Reversing  We want to become familiar with using tools to identify, monitor, and report software that might be malicious.  Reversing malware directly is especially challenging because several anti- reversing techniques will have been applied to the code.  Given that unexpected catastrophes can arise when installing a virus, worm, backdoor, etc… for academic purposes; we could still learn something from working with contrived or benign “malware”.  In 1996, Mark Russinovich founded a company called “Winternals Software” where he was the chief software architect on a comprehensive suite of tools for diagnosing, debugging, and repairing Windows® systems and applications [9].
7
Windows Sysinternals
 Mark's company was purchased by Microsoft, and the suite of tools has been rebranded as Windows Sysinternals; the tools are offered for free.
 Mark's story is an interesting one because he is recognized as an expert on the internals of Windows even though he did not participate in its development, a true testament to what can be learned about software through reversing.
 The Sysinternals suite contains 69 utilities, but we'll focus on just one.
8
Sysinternals Process Monitor
 The Process Monitor can capture detailed information about a process in a Windows system, including its file system, registry, and network activity.
[Screenshot: Process Monitor session for the Password Vault CPP application, showing file system activity]
9
Sysinternals Process Monitor (cont'd)
[Screenshot: Process Monitor session for the Password Vault CPP application, showing network activity]
10
Sysinternals Process Monitor (cont'd)
[Screenshot: Process Monitor session for the Password Vault CPP application, showing registry activity]
11
Sysinternals Process Monitor (cont'd)
 Process Monitor itself does not detect or identify malware. It simply monitors and records what processes are doing.
 With a little ingenuity, one can identify a software Trojan by looking for activities that don't fit the advertised functionality of a program: a program sold as an alarm clock, for example, has no need to enumerate the registry, search for documents, or contact other hosts.
 It's common practice to download free software from the Internet. Some believe that open-source software should have the fewest vulnerabilities. The more eyes the better, right?
 Becoming familiar with the Sysinternals suite can help you evaluate whether the software on your Windows machine is acting in your best interest.
12
Benign Malware Exercise
 The Alarm Clock application is a benign software Trojan that, in addition to being a rudimentary alarm clock, performs unadvertised functions on background threads:
 Logs information from the Windows® registry.
 Logs the locations of "office" documents in the file system.
 Scans for computers that respond to an ICMP ping.
 The background threads are paced (throttled) rather than run flat out.
13
Benign Malware Exercise (cont'd)
[Screenshot: background threads log information about the user's system]
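The "does this activity fit the advertised functionality?" check from slides 11 and 12 can be turned into a repeatable triage step: export the Process Monitor capture as CSV (File > Save, CSV format) and compare each event against a profile of what the program is supposed to do. The script below is an added example written for these notes, not part of the course material or of the Alarm Clock application. The CSV column names are the ones Process Monitor writes; the events, the process name AlarmClock.exe, the install path and the registry key are all constructed for the example. Note that Process Monitor's network events cover TCP and UDP only, so the ICMP scan from the exercise would not show up here and is better observed with a packet capture on the isolated virtual network.

```python
import csv
import io
from collections import Counter

# Header exactly as Process Monitor writes it with File > Save > CSV.
# The events below are constructed for this example, not a real capture;
# the process name and paths are assumptions about the Alarm Clock exercise.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000000 AM","AlarmClock.exe","4120","Load Image","C:\\Program Files\\AlarmClock\\AlarmClock.exe","SUCCESS","Image Base: 0x400000"
"9:01:02.1500000 AM","AlarmClock.exe","4120","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x77a00000"
"9:01:02.2000000 AM","AlarmClock.exe","4120","CreateFile","C:\\Program Files\\AlarmClock\\alarms.cfg","SUCCESS","Desired Access: Generic Read"
"9:01:02.3000000 AM","AlarmClock.exe","4120","RegQueryValue","HKCU\\Software\\AlarmClock\\Snooze","SUCCESS","Type: REG_DWORD, Data: 9"
"9:01:03.0000000 AM","AlarmClock.exe","4120","RegEnumKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Index: 0, Name: OneDrive"
"9:01:03.1000000 AM","AlarmClock.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ, Data: Windows 7"
"9:01:04.0000000 AM","AlarmClock.exe","4120","QueryDirectory","C:\\Users\\ted\\Documents\\*.docx","SUCCESS","Filter: *.docx"
"9:01:04.1000000 AM","AlarmClock.exe","4120","QueryDirectory","C:\\Users\\ted\\Documents\\*.xlsx","NO MORE FILES","Filter: *.xlsx"
"9:01:04.5000000 AM","AlarmClock.exe","4120","WriteFile","C:\\Users\\ted\\AppData\\Local\\Temp\\ac_report.log","SUCCESS","Offset: 0, Length: 512"
"9:01:05.0000000 AM","AlarmClock.exe","4120","TCP Connect","ted-pc:49201 -> 192.168.56.20:80","SUCCESS","Length: 0"
"9:01:05.1000000 AM","explorer.exe","1520","RegQueryValue","HKCU\\Software\\Classes\\Local Settings","SUCCESS","Type: REG_SZ"
'''

# Profile of what an alarm clock legitimately needs. Anything outside it is
# worth a second look. Install path and registry key are assumptions.
PROFILE = {
    "process": "AlarmClock.exe",
    "allowed_paths": ("C:\\Program Files\\AlarmClock\\", "C:\\Windows\\"),
    "allowed_registry": ("HKCU\\Software\\AlarmClock\\",),
    "network_expected": False,
}
OFFICE_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")


def classify(operation):
    """Map a Procmon operation name onto one of four activity classes."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation in ("Process Create", "Process Start", "Process Exit",
                     "Thread Create", "Thread Exit", "Load Image"):
        return "process"
    return "filesystem"  # CreateFile, ReadFile, WriteFile, QueryDirectory, ...


def triage(csv_text, profile):
    """Return (findings, per-class event counts) for the profiled process.

    A finding is (reason, operation, path) for every event that does not fit
    the advertised functionality described by the profile.
    """
    findings = []
    summary = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != profile["process"]:
            continue  # other processes are noise for this question
        op, path = row["Operation"], row["Path"]
        kind = classify(op)
        summary[kind] += 1
        if kind == "network" and not profile["network_expected"]:
            findings.append(("unexpected network", op, path))
        elif kind == "registry" and not path.startswith(profile["allowed_registry"]):
            findings.append(("registry outside own hive", op, path))
        elif kind == "filesystem" and not path.startswith(profile["allowed_paths"]):
            if path.lower().endswith(OFFICE_EXTS):
                findings.append(("enumerates office documents", op, path))
            elif op == "WriteFile":
                findings.append(("writes outside install dir", op, path))
    return findings, summary


if __name__ == "__main__":
    found, counts = triage(SAMPLE_PROCMON_CSV, PROFILE)
    print("events by class:", dict(counts))
    for reason, op, path in found:
        print(f"[{reason}] {op}: {path}")
```

The profile is deliberately an allowlist: the analyst writes down what the program should touch, and everything else is surfaced, which is the same reasoning the slides apply by eye. To run it against a real capture, replace SAMPLE_PROCMON_CSV with the contents of the exported file and adjust the profile to the program under test; a large number of findings in the "process" class usually means the allowed paths need a Windows directory added rather than that something is wrong.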
14
Is Open Source More Trustworthy?
 The data on the number of vulnerabilities found in the 5 most popular Internet browsers does not support the proposition that open source is more secure.
 Big 5: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari.
 Mozilla Firefox was affected by 270 new vulnerabilities in 2013, more than any other browser; 245 new vulnerabilities were found in Google Chrome, 126 in Internet Explorer, 75 in Apple Safari and 11 in Opera [Secunia].
 The two browsers containing the most open-source code (Chrome is based on Chromium, Firefox on Mozilla) have the most vulnerabilities…
 Of course, we need to temper this judgement with the observation that popular software is targeted, and audited, more often; a published vulnerability count measures how many flaws were found and disclosed, not how many exist.
15
Reporting Suspected Malware
 If you suspect a particular program of being malware, it can be submitted to online threat analysis services such as ThreatExpert or VirusTotal.
 ThreatExpert and VirusTotal are Web-based tools that accept submissions of suspicious executables or URLs and check them for possible malware.
 Both services match against databases of existing malware; ThreatExpert additionally attempts to execute submitted binaries in an isolated environment to perform heuristic (behaviour-based) detection.
17
[Screenshot: VirusTotal report for the submitted sample; 44 out of 56 antivirus engines detect it as malware]
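Before uploading a suspect binary to a service like VirusTotal, a practitioner first looks up its hash: uploading shares the file with every participating vendor and with other subscribers, which can leak internal data or tip off the operator of a targeted sample, while a hash lookup reveals nothing but the digest. The script below is an added example for these notes, not the course's code and not an official VirusTotal client. It uses the documented v3 endpoint GET https://www.virustotal.com/api/v3/files/{hash} with the key in the x-apikey header; the sample bytes and the JSON report are constructed (the report's counts mirror the 44-of-56 result in the screenshot above), and the VT_API_KEY environment variable name is an assumption of this example.

```python
import hashlib
import json
import os
import urllib.error
import urllib.request

# Documented VirusTotal API v3 endpoint for an existing report on a file hash.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{digest}"

# Constructed stand-in for a suspicious binary. Real use: open(path, "rb").read()
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed sample, not a real executable. " * 4

# Constructed reply in the shape of a v3 /files/{id} response. The counts mirror
# the slide's screenshot (44 of 56 engines); the engine names are made up.
SAMPLE_REPORT = {
    "data": {
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {
                "malicious": 44,
                "suspicious": 0,
                "undetected": 12,
                "harmless": 0,
                "timeout": 0,
                "type-unsupported": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "undetected", "result": None},
            },
        },
    }
}


def sha256_hex(data):
    """SHA-256 of the sample; the hash, not the file, is what we send first."""
    return hashlib.sha256(data).hexdigest()


def build_lookup_request(digest, api_key):
    """GET /api/v3/files/{hash}; the API key travels in the x-apikey header."""
    return urllib.request.Request(
        VT_FILE_URL.format(digest=digest),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize(report):
    """Return (engines flagging the file, total engines, sorted names of flaggers)."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.values())
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    flagged = sorted(
        name for name, r in attrs.get("last_analysis_results", {}).items()
        if r.get("category") in ("malicious", "suspicious")
    )
    return hits, total, flagged


def lookup(digest, api_key, timeout=20.0):
    """Fetch an existing report; None means nobody has submitted this hash yet."""
    try:
        with urllib.request.urlopen(build_lookup_request(digest, api_key), timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_BYTES)
    print("sha256:", digest)
    key = os.environ.get("VT_API_KEY")  # assumed variable name for this example
    # Offline (no key): summarise the constructed report instead of querying.
    report = lookup(digest, key) if key else SAMPLE_REPORT
    if report is None:
        print("no existing report; decide deliberately whether uploading the sample is acceptable")
    else:
        hits, total, flagged = summarize(report)
        print(f"{hits} out of {total} engines flag the sample, e.g. {flagged[:3]}")
```

A 404 on the hash lookup is itself information: the sample has not been seen by anyone who shares with VirusTotal, which makes it more likely to be targeted or freshly built, and therefore exactly the case where uploading it should be a conscious decision rather than a reflex.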
18
Setting up a Lab for Analyzing Malware
 Each of you has been assigned your own VMWare image (info on Canvas).
 The images are only accessible through VMWare's built-in VNC server.
 The images are on a virtual network and have no connectivity to the Internet or to the Host's network. This is to prevent:
 infection of the Host (primary OS) and worms spreading to other machines,
 downloading of additional threats,
 transmission of sensitive data to hacker sites.
 Virtualized Network Isolation for a Malware Analysis Lab: https://zeltser.com/vmware-network-isolation-for-malware-analysis/