Malewareanalysis presentation

Malware Analysis
Network Security
1AAST COMP ENG Dr Ashraf Tammam
Supervised by
Dr . Ashraf Tammam
Presented by:
• Ahmed Abd Elhafeez
• Ahmed Elbohy
• Moataz Ahmed
3/1/2015

Agenda
• Introduction to Malware
• What is a Malware ?
• Types of Malware
• How do they infect hosts?
• How to detect them?
• Malware Analysis
• Goals of Malware Analysis
• Types of Malware Analysis
• Tools for Malware Analysis
• Malware Analysis Simulation Steps
• Conclusion
• Refrences
3/1/2015

• Introduction to malware
• What is a malware ?
• Types of malware
• How to detect them
• Conclusion
• References
AAST COMP ENG Dr Ashraf Tammam 33/1/2015

Introduction
AAST COMP ENG Dr Ashraf Tammam 4
Mission Statement
The purpose of this presentation
is to give someone new to
reverse engineering malware
(REM) a place to start.
At the end you should be familiar
with the basic hardware, tools
and Concepts needed to learn
how begin to do REM.
3/1/2015

“But What Might Go Wrong If we Were To
Begin To Try to Analyze Malware?”
• You might get attacked by unhappy malware authors/users
• Your system could get infected, and that might result in:
-- Your system being used to spam people
-- Your personally identifiable information getting stolen
-- Your system getting used to distribute malware;
pirated software, movies, music; child pornography; etc.
-- Your system getting used as a stepping stone from
which to attack government systems or critical
infrastructure.
• You might even end up being arrested.
53/1/2015 AAST COMP ENG Dr Ashraf Tammam

• What is a Malware?
• Conclusion
• References

What is a Malware ?
• Malware is a set of instructions that run on
your computer and make your system do
something that an attacker wants it to do.
• Programming code that is capable of causing
harm to availability , integrity of code or data,
or confidentiality in a computing system
encompasses Trojan horses, viruses, worms,
and trapdoors.
7AAST COMP ENG Dr Ashraf Tammam3/1/2015

What Exactly is “Malware”?
One possible definition:
Malware is a software you don’t want.
8
• Steal personal information
• Delete files
• Steal software serial numbers
• Use your computer as relay
3/1/2015 AAST COMP ENG Dr Ashraf Tammam

Distribution of malware
3/1/2015 AAST COMP ENG Dr Ashraf Tammam 9

• What is a Malware?
• Conclusion
• References

Threat types

Types of Malware

Types of Malware
• viruses :a computer program that is usually
hidden within another seemingly innocuous
program and that produces copies of itself
and inserts them into other programs and
usually performs a malicious action
– Polymorphic : uses a polymorphic engine to
mutate while keeping the original algorithm
intact (packer)
– Methamorphic : Change after each infection

Types of Malware
• Backdoor : Bypasses normal security controls
to give an attacker unauthorized access.
• Botnet : All infected computers receive
instructions from the same Command-and-
Control (C&C) server
• Downloader :Malicious code that exists only
to download other malicious code
– Used when attacker first gains access

Types of Malware
• Scareware
– Frightens user into buying something

Types of Malware
• Spam-sending malware
– Attacker rents machine to spammers
• Worms :a usually small self-contained and self-
replicating computer program that invades
computers on a network and usually performs a
destructive action

Types of Malware
• Trojans Horse :a seemingly useful computer
program that contains concealed instructions
which when activated perform an illicit or
malicious action

Types of Malware
• Sniffers : an application used to monitor and analyze
network traffic.
• Spyware :software that is installed on a computer
without the user's knowledge and transmits
information about the user's computer activities over
the Internet

Types of Malware
Adware : software installed that provides advertisers
with information about the users browsing habits, thus
allowing the advertiser to provide targeted ads
3/1/2015

Types of Malware
• from pandalab blog
• E-Mail Generators. An e-mail generating program can be
used to create and send large quantities of e-mail, such
as malware, spyware, and spam, to other systems
without the user’s permission or knowledge
3/1/2015

Types of Malware
Ransomware
To unlock you need to send an SMS with the text4121800286to the
number3649Enter the resulting code:Any attempt to reinstall the
system may lead to loss of important information and computer
damage
from pandalab blog

Types of Malware
• Keystroke Loggers. A keystroke logger monitors and
records keyboard use
– Some require the attacker to retrieve the data
from the system
– Actively transfer the data to another system
through e-mail, file transfer, or other means

Types of Malware
• Web Browser Plug-Ins A Web browser plug-in
provides a way for certain types of content to be
displayed or executed through a Web browser
– E.g., Malicious Web browser plug-ins that act as
spyware and monitor use of the browser

• Mass malware
– Intended to infect as many machines as possible
– Most common type
• Targeted malware
– Tailored to a specific target
– Very difficult to detect, prevent, and remove
– Requires advanced analysis
– Ex: Stuxnet
Types of Malware
3/1/2015

• What is a malware?
• Goals OF Malware Analysis
• Types OF Malware Analysis
• Tools For Malware Analysis
• Conclusion
• References

What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR (Master Boot Record)

Overwriting malware
Targeted
Executable
MalwareMalware

prepending malware
Targeted
Executable
Malware
Infected host
Executable
Malware

appending malware
Targeted
Executable
Malware
Infected
host
Executable
Malware

Cavity malware
Targeted
Executable
Infected host
Executable
Malware
Malware

Multi-Cavity malware
Targeted
Executable
Malware
Malware
Malware
Malware

Packers
Malware
Infected host
Executable
Packer
Payload
Packers are software programs that compress and encrypt other
executable files in a disk and restore the original executable images when
the packed files are loaded into memories.
3/1/2015

Packer functionalities
• Compress
• Encrypt
• Randomize (polymorphism)
• Anti-debug technique (int / fake jmp)
• Add-junk
• Anti-VM (virtual machine)

• Goals OF Malware Analysis
• Types OF Malware Analysis
• Tools FOR Malware Analysis
• Conclusion
• REFRENCES

It is not possible to build a perfect
virus/malware detector (Cohen)

Anti-virus
• Analyze system behavior
• Analyze binary to decide if it a virus
• Type :
– Scanner
– Real time monitor

Anti-virus -Virus signature
• Find a string that can identify the virus
• Fingerprint like

Anti-virus-Heuristics
• Analyze program behavior
Network access
File open
Attempt to delete file
Attempt to modify the boot sector

Anti-virus -Checksum
• A checksum is a value used to verify the
integrity of a file or a data transfer. In other
words, it is a sum that checks the validity of
data. Checksums are typically used to compare
two sets of data to make sure they are the
same.
• Compute a checksum for
– Good binary
– Configuration file
• Detect change by comparing checksum

Anti-virus -Dealing with Packer
• Launch the exe
• Wait until it is unpack
• Dump the memory

Sandbox analysis
• Provides file system, registry keys, and network
traffic monitoring in controlled environment and
produces a well formed report
• Using a sandbox is more efficient and sometimes
more effective
• Running the executable in a VM
• Observe it
– File activity
– Network
– Memory

• Conclusion
• REFRENCES

Challenges in Malware analysis
• Zero day attack prevention
• Data analytic methods work like a black box
• Abstraction of Infection and Propagation
models
• Computational Cost
• Generic Disinfection

Malware Analysis
• Dissecting malware to understand
– How it works
– How to identify it
– How to defeat or eliminate it
• A critical part of incident response

Incident Response
• After malware is found, you need to know
– Did an attacker implant a rootkit or trojan on your
systems?
– Is the attacker really gone?
– What did the attacker steal or add?
– How did the attack get in
• Root-cause analysis

Three Areas
1- Visual Analysis: What you can deduce just by looking at the
file, its strings , size, where it came from etc.
2- Behavioral Analysis : How the malware behaves when
executed , who it talks to, what gets installed, how it runs, etc.
3-Code Analysis: The actual viewing of the code and walking
through it to get a better understanding of the malware and
what it's doing.

Analyzing the Threat
• Capture Malware from attackers
– Determine how they are getting in.
– Who are they targeting
• Run Malware in an isolated environment
– What does the malware do?
• Analyze the binary itself
– Some malware can detect isolated environments
or has hidden code.

• malware Analysis
• Goals of malware Analysis
• Conclusion
• References

Goals of Malware Analysis
• The goal of malware analysis is to gain an understanding
of how a specific piece of malware functions
• so that defenses can be built to protect an organization’s
network.
• There are two key questions that must be answered.
– The first: how did this machine become infected with this
piece of malware?
– The second: what exactly does this malware do?
• After determining the specific type of malware, you will
have to determine which question is more critical to
your situation.

• Conclusion
• REFRENCES

TYPES OF Malware Analysis
• Code(static) Analysis :the actual viewing of
code and walking through it to get a better
understanding of the malware and what it is
doing

Static Analysis techniques
• Scanning with anti-virus software
• File Signatures
• Hashes
• Performing A file’s strings, functions, and
headers search
• Portable Executable (PE) Headers + Resources
• Unpacking the malware
• Disassembling the malware like IDA Pro.

Signatures
• Host-based signatures
– Identify files or registry keys on a victim computer
that indicate an infection
– Focus on what the malware did to the system
• Network signatures
– Detect malware by analyzing network traffic
– More effective when made using malware analysis

• FILE SIGNATURE
– Leveraging on the analysis of others
– Anti-Viruses have their own analysis of Malware,
based on
• Signature
• Heuristics
Signatures

Hashes
• A fingerprint for malware
• MD5 or SHA-1
• Condenses a file of any size down to a fixed-
length fingerprint

Hash Calc

Hash Uses
• Label a malware file
• Share the hash with other analysts to identify
malware
• Search the hash online to see if someone else
has already identified the file

Strings
• Any sequence of printable characters is a
string
• Strings are terminated by a null (0x00)
• ASCII characters are 8 bits long
– Now called ANSI
• Unicode characters are 16 bits long
– Microsoft calls them "wide characters"

STRINGS
• Strings are identified by a NULL terminating
• Character

TYPES OF Malware Analysis
• Behavioral (Dynamic) Analysis :is how the
malware behaves when executed, who it talks
to, what gets installed, and how it runs

Dynamic Analysis techniques

Dynamic Analysis
• Sometimes malware is sophisticated enough
to detect that it is sandboxed or running in a
limited environment
• The good news: We have the machine code.
• The bad news: All we have is the machine
code.
• We can then reverse engineer….

Reverse Engineering
• Reverse engineering is always possible since
the machine code is present in the malware
sample.
• This requires expert knowledge in assembly.
• Only worthwhile if you are looking for odd
behavior as it is slow and tedious work.

Reversing malware
• Set up a Virtual Environment.
• Get the necessary tools ready.
• Snapshot is your best friend.

Simple Reverse Engineering Tools in Linux
• Objdump is a free open source linux
disassembler.
– Outputs assembly code
– Useful to find strings in the binary
• GDB the standard debugger for linux can
debug without source file information.
• Strace intercepts all system calls and
notifications and prints them out for a running
process.

Reverse Engineering on Windows
• Ida Pro is an interactive debugger which
allows code to be disassembled and run at the
same time
– Breaks down the code into machine instructions
– Interactively reverse engineers to C code
– Allows interactive renaming of functions and
variables as their function is discovered
– Extremely useful 

• Network traffic analysis
• File system, and other Windows
features(services, processes, etc.)..

• Carefully let malware run on a (nearly) fully
functional system.
• Virtual machines are often useful
– Take a clean snapshot
– Run the malware
– Observe results
– Restore the clean snapshot

• SysInternals Process Monitor allows complete
monitoring of API calls.
– Also has a special boot monitor to track all
changes upon a reboot
• Regshot takes a before and after snapshot of
the registry to find changes.

• Goals OF malware Analysis
• Types OF malware Analysis
• Tools For malware Analysis
• Conclusion
• References

Tools For malware analysis
• It is critical to identify various tools that can
be used to perform malware analysis.
• This is not a comprehensive list of tools that
one must use
• We will mention some critical tools not all of
them.

List of tools
• Strings
• PEView
• Dependency Walker
• Resource Hacker
• Procmon
• Procexp
• Regshot
• Capture
• Wire shark
• Netcat/Fakenet
• FakeDNS/ApateDNS
• PEID
• UPX

Needed terminology
• Reverse Code Engineering: the process of
disassembling software to reveal how the
software functions.
• Disassemblers: programs that take a programs
executable binary as input and generate
textual files that contain the assembly
language code for the entire program or parts
of it.

Needed terminology
• Debuggers :programs that allows software
developers to observer their program while
running it.
• Decompiler :a program that take an
executable binary file and attempts to
produce readable high-level language code
from it.

• Using physical hardware or virtual machines
(VM).

Setting up test environment
• Computer Requirements:
• At least 1GB of memory
• A large hard drive: Allows you to keep images
on the hard drive
• Good Processor – Faster is better
• NIC card
• CDROM/DVD burner
• Any Operating System

• VMware workstation: Run and network multiple
OSes on one platform
• Storage media: For transferring malware and
storing unused OS images

• Internet Connectivity: Optional, but occasionally
you might need it.
• Collection of OSes:
• You will need different operating systems for your
testing
• Base Image with no Patches
• Base Image fully Patched
• Configure as host-only or a network
• Store on hard drive and/or burn to CD

• Process Explorer : small application that find
out what files, registry keys and other objects
have open, which DLL’s they have loaded
• Process Monitor : small application used to
monitor file system, registry , process, thread
and DLL activity in real-time.
• PSfile : application that shows a list of files on
a system that are opened remotely.

• Rootkit Revealer :application that scans
system for known rootkit-based malware.
• Strings : application that searches for ANSI
and UNICODE strings in binary images.
• TCPView : application providing information
about TCP and UDP connections , including
the local and remote address and TCP
connection state.

• Windump :Windows version of the powerful
and flexible tcpdump sniffer.
• Fport :Identifies unknown ports and their
associate applications.
• Hfind (Part of the Forensic Toolkit) :application
that will scan for the disk for hidden files.
• BgInfo : small application providing import
system information such as hostname, IP
address, OS version, etc.

• Vision : reports all open TCP and UDP ports and maps
them to the owning process or application.
• Filewatch :a file change monitor.
• Attacker :a TCP/UDP port listener.
• MD5sums : Generates signature or hashes for file
integrity verification.
– Before you launch the malware to have a baseline for
comparison against other files the malware may create
• Winalysis : monitors for changes to files, the registry,
users, groups, security policies, services, shares,
scheduled jobs, the system environment and more.

• WinHex : Hex editor, you may choose any hex
editor that you like.
• IDA Pro : popular interactive, programmable,
extendible, multi-processor debugger and
disassembler.
• Reverse Engineering Compiler : popular
decompiler.
• ProcDump 32 :unpacker application.

• PE Explorer : provides tools for disassembly
and inspection of unknown binaries.
• Windbg : windows debugging applications.
• Livekd : application that allows Windbg
debugger to run locally on a live system.
• Debugview : an application that monitors
debug output on your local or a remote
system.

• OllyDbg: 32-bit assembler level analysis
debugger for Microsoft Windows to work with
the malware for tasks such as viewing the
code and stepping through it.
• RegShot: Tool that tells you what has changed
on your system Before and after you launch
your malware
• Netcat: “Swiss army knife” for networks.
When you need something to connect to
or attempt a connection from

• upx: Packer used a lot of compress and
obfuscate code to uncompressed the code
before analysis
• WinRAR: Tool to compress large file(s) into
one smaller file for safely transfer malware or
information collect to keep things organized.
Industry standard password is ‘infected’
• Ethereal: A protocol analyzer (aka: sniffer)
– When launching the malware and while doing
analysis.

• Types Of malware Analysis
• Conclusion
• References

Malware analysis main steps
• Step1: Allocate physical or virtual systems for
the analysis lab
• Step 2: Isolate laboratory systems from the
production environment
• Step 3: Install behavioral analysis tools
• Step 4: Install code-analysis tools
• Step 5: Utilize online analysis tools
• Next Steps
89
Moataz Ahmed Mahmoud , Ahmed
Abdelhafez , Ahmed El bohy

Step 1: Allocate physical or virtual
systems for the analysis lab
• A common approach to examining malicious software involves
infecting a system with the malware specimen and then using the
appropriate monitoring tools to observe how it behaves. This
requires a laboratory system you can infect without affecting your
production environment.
• The most popular and flexible way to set up such a lab system
involves virtualization software, which allows you to use a single
physical computer for hosting multiple virtual systems, each
running a potentially different operating system. Free virtualization
software options include:
• VMware Server
• Windows Virtual PC
• Microsoft Virtual Server
• Virtual Box
90

Step 2: Isolate laboratory systems
from the production environment
• You must take precautions to isolate the
malware-analysis lab from the production
network, to mitigate the risk that a malicious
program will escape. You can separate the
laboratory network from production using a
firewall. Better yet, don't connect laboratory
and production networks at all, to avoid
firewall configuration issues that might allow
malware to bypass filtering restrictions.
91

Step 3: Install behavioral analysis
tools
• Before you're ready to infect your laboratory system with the malware specimen,
you need to install and activate the appropriate monitoring tools. Free utilities that
will let you observe how Windows malware interacts with its environment include:
• File system and registry monitoring: Process Monitor and Capture BAT offer a
powerful way to observe in real time how local processes read, write, or delete
registry entries and files. These tools can help you understand how malware
attempts to embed into the system upon infection.
• Process monitoring: Process Explorer and Process Hacker replace the built-in
Windows Task Manager, helping you observe malicious processes, including local
network ports they may attempt to open.
• Network monitoring: Wireshark and SmartSniff are network sniffers, which can
observe laboratory network traffic for malicious communication attempts, such as
DNS resolution requests, bot traffic, or downloads.
• Change detection: Regshot is a lightweight tool for comparing the system's state
before and after the infection, to highlight the key changes malware made to the
file system and the registry.
92

Step 4: Install code-analysis tools
• Examining the code that comprises the specimen helps uncover
characteristics that may be difficult to obtain through behavioral analysis.
In the case of a malicious executable, you rarely will have the luxury of
access to the source code from which it was created. Fortunately, the
following free tools can help you reverse compiled Windows executables:
• Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse
compiled Windows executables and, acting as disassemblers, display their
code as Intel x86 assembly instructions. These tools also have debugging
capabilities, which allow you to execute the most interesting parts of the
malicious program slowly and under highly controlled conditions, so you
can better understand the purpose of the code.
• Memory dumper: LordPE and OllyDump help obtain protected code
located in the lab system's memory and dump it to a file. This technique is
particularly useful when analyzing packed executables, which are difficult
to disassemble because they encode or encrypt their instructions,
extracting them into RAM only during run-time.
93

Step 5: Utilize online analysis tools
• To round off your malware-analysis toolkit, add to it some freely
available online tools that may assist with the reverse engineering
process. One category of such tools performs automated behavioral
analysis of the executables you supply. These applications look
similar at first glance, but use different technologies on the back
end. Consider submitting your malware specimen to several of
these sites; depending on the specimen, some sites will be more
effective than others. Such tools include:
• Anubis
• CWSandbox
• Joebox
• Norman SandBox
• ThreatExpert
94

Next Steps
• With your initial toolkit assembled, start
experimenting in the lab with malware you
come across on the web, in your e-mail box,
on your systems, and so on.
95

• Conclusion
• References

Conclusion
• As you have seen there are various ways
for an attacker to get malicious code to
execute on remote computers
• We have only scratched on the surface,
there are much more to learn and discover

• malware Defense
• Conclusion
• References

Refrences
• [1] Ed Skoudis and Lenny Zeltser. Malware: Fighting Malicious Code. Prentice Hall, 2003.
• [2] McGraw-Hill and Sybil P. Parker. McGraw-Hill Dictionary of Scientific and Technical Terms.
McGraw-Hill Companies, Inc., 2003.
• [3]Computer Economics, 2007 Malware Report: The Economic Impact of Viruses, Spyware,Adware,
Botnets and Other Malicious Code, Retrieved 2007, November 23
– fromhttp://www.computereconomics.com/article.cfm?id=1225
• [4]Eldad Eilam, (2005). Reversing: Secrets of Reverse Engineering. Indianapolis, IN: Wiley Publishing.
• [5]eWeek, Metasploit Creator Releases Malware Search Engine, retrieved 2007, November 24
– from http://www.eweek.com/article2/0,1759,1990158,00.asp
• [6]GIAC, Analysis of the Incident Handling Six Step Process, Retrieved 2007, November 24
– from http://www2.giac.org/resources/whitepaper/network/17.php?id=17&cat=network
• [7]Honeynet, Know Your Enemy: Malicious Web Servers, Retrieved 2007, November 24 from
– http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm
• [8]Lorna Hutcheson (2006), Malware Analysis The Basics, Retrieved 2007, November 24 from
– http://isc.sans.org/presentations/cookie.pdf
• [9]Merriam-Webster Online. Retrieved 2007, July 23rd, from www.m-w.com
• [10]SANS, Retrieved 2007, November 24, from
– https://www2.sans.org/training/description.php?cid=799

Questions ?

Malewareanalysis presentation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Malewareanalysis presentation

Similar to Malewareanalysis presentation (20)

More from ahmad abdelhafeez

More from ahmad abdelhafeez (20)

Recently uploaded

Recently uploaded (20)

Malewareanalysis presentation

Editor's Notes