RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen
Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing end point protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...Jowin John Chemban
Seminar Report : Network Intrusion Detection using Supervised Machine Learning Technique with Feature Selection
By:
Jowin John Chemban (jowinchemban@gmail.com)
HGW16CS022 (2016-2020 Batch)
S7 B.Tech Computer Science Engineering
Holy Grace Academy of Engineering, Mala
Date : November 2019
Worst-Case Scenario: Being Detected without Knowing You are DetectedAshwini Almad
This presentation gives an overview of the requirements for hunting within enterprise networks. This talk will dive into details of how to think like an adversary and why being stealthy is mandatory to hunt for the sentient adversary.
The presentation explains the phases of penetration testing and gives an idea about basic tools to perform penetration testing. Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually.
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
A perfect example of a 6-week summer training presentation. Course: Ethical Hacking, its basics, and VAPT (Vulnerability Assessment and Penetration Testing): how vulnerability scanning is done, the tools used, password cracking, etc.
Pentesting Tools to Find Bugs Before Hackers | CyberPro Magazinecyberprosocial
According to the latest updates, the annual cost of cybercrime globally is expected to reach $10.5 trillion by 2025. You can imagine how much danger your system is in. But, need not worry your system is safe! Pentesting tools are there for you.
With malware accounting for at least 40% of all breaches, knowing how malware works can be an extremely valuable asset in your threat detection cache – especially for the incident responder. According to Verizon’s 2013 Data Breach Investigations Report, “Malware and hacking still rank as the most common [threat] actions”. In general, malware can range from being simple annoyances like pop-up advertising to causing serious damage like stealing passwords and data or infecting other machines on the network.
Malware is as old as software itself and although there are new types of malware constantly under development, they generally fall into a few broad categories. Check out this SlideShare to learn how malware works, and what we believe are the most common types of malware you should be prepared for.
By learning how malware works and recognizing its different types, you’ll understand:
- How they find their way into your network
- How attackers control them remotely
- How they use your systems for nefarious purposes
- And most importantly, the security controls you need to effectively defend against and detect malware infections. (Hint: you need more than antivirus!)
This lecture includes an introduction to computer security and privacy. It covers the basic concepts, terminology and technologies involved in current security and privacy needs.
Malware analysis
1. Malware Analysis
Network Security
AAST COMP ENG Dr Ashraf Tammam
Supervised by: Dr. Ashraf Tammam
Presented by:
• Ahmed Abd Elhafeez
• Ahmed Elbohy
• Moataz Ahmed
5/7/2014
2. Agenda
• Introduction to Malware
– What is Malware?
– Types of Malware
– How do they infect hosts?
– How to detect them?
• Malware Analysis
– Goals of Malware Analysis
– Types of Malware Analysis
– Tools for Malware Analysis
– Malware Analysis Simulation Steps
• Conclusion
• References
4. Introduction
Mission Statement
The purpose of this presentation is to give someone new to reverse engineering malware (REM) a place to start. At the end you should be familiar with the basic hardware, tools and concepts needed to begin doing REM.
5. “But What Might Go Wrong If We Were To Begin To Try to Analyze Malware?”
• You might get attacked by unhappy malware authors/users
• Your system could get infected, and that might result in:
– Your system being used to spam people
– Your personally identifiable information getting stolen
– Your system getting used to distribute malware; pirated software, movies, music; child pornography; etc.
– Your system getting used as a stepping stone from which to attack government systems or critical infrastructure
• You might even end up being arrested
7. What is Malware?
• Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
• Programming code that is capable of causing harm to the availability or integrity of code or data, or to confidentiality, in a computing system. The term encompasses Trojan horses, viruses, worms, and trapdoors.
8. What Exactly is “Malware”?
One possible definition: malware is software you don’t want. It may:
• Steal personal information
• Delete files
• Steal software serial numbers
• Use your computer as a relay
13. Types of Malware
• Viruses: a computer program that is usually hidden within another seemingly innocuous program, produces copies of itself, inserts them into other programs and usually performs a malicious action
– Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
– Metamorphic: changes after each infection
14. Types of Malware
• Backdoor: bypasses normal security controls to give an attacker unauthorized access.
• Botnet: all infected computers receive instructions from the same Command-and-Control (C&C) server
• Downloader: malicious code that exists only to download other malicious code
– Used when the attacker first gains access
15. Types of Malware
• Scareware
– Frightens the user into buying something
16. Types of Malware
• Spam-sending malware
– Attacker rents the machine to spammers
• Worms: a usually small, self-contained and self-replicating computer program that invades computers on a network and usually performs a destructive action
17. Types of Malware
• Trojan horse: a seemingly useful computer program that contains concealed instructions which, when activated, perform an illicit or malicious action
18. Types of Malware
• Sniffers: an application used to monitor and analyze network traffic.
• Spyware: software that is installed on a computer without the user's knowledge and transmits information about the user's computer activities over the Internet
19. Types of Malware
• Adware: software installed that provides advertisers with information about the users’ browsing habits, thus allowing the advertiser to provide targeted ads
20. Types of Malware
• E-Mail Generators: an e-mail generating program can be used to create and send large quantities of e-mail, such as malware, spyware, and spam, to other systems without the user’s permission or knowledge
(image from the pandalab blog)
21. Types of Malware
• Ransomware (screenshot text, from the pandalab blog):
“To unlock you need to send an SMS with the text 4121800286 to the number 3649. Enter the resulting code:
Any attempt to reinstall the system may lead to loss of important information and computer damage”
22. Types of Malware
• Keystroke Loggers: a keystroke logger monitors and records keyboard use
– Some require the attacker to retrieve the data from the system
– Others actively transfer the data to another system through e-mail, file transfer, or other means
23. Types of Malware
• Web Browser Plug-Ins: a Web browser plug-in provides a way for certain types of content to be displayed or executed through a Web browser
– E.g., malicious Web browser plug-ins that act as spyware and monitor use of the browser
24. Types of Malware
• Mass malware
– Intended to infect as many machines as possible
– Most common type
• Targeted malware
– Tailored to a specific target
– Very difficult to detect, prevent, and remove
– Requires advanced analysis
– Ex: Stuxnet
26. What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR (Master Boot Record)
32. Packers
[Diagram: malware on an infected host; the executable consists of a packer wrapped around the payload]
Packers are software programs that compress and encrypt other executable files on disk and restore the original executable image when the packed file is loaded into memory.
35. It is not possible to build a perfect virus/malware detector (Cohen)
36. Anti-virus
• Analyze system behavior
• Analyze a binary to decide if it is a virus
• Types:
– Scanner
– Real-time monitor
37. Anti-virus - Virus signature
• Find a string that can identify the virus
• Fingerprint-like
38. Anti-virus - Heuristics
• Analyze program behavior
– Network access
– File open
– Attempt to delete file
– Attempt to modify the boot sector
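The heuristics slide lists behaviours an anti-virus engine weighs, but not how the weighing works. The following is an added example, not code from the presentation: it scores a constructed strace-style trace (the sample lines, the regexes, the weights and the threshold are all assumptions chosen for illustration) against one rule per behaviour on the slide, so the reader can see how several individually innocuous calls add up to a suspicious verdict while a benign trace stays below the threshold.

```python
import re

# Constructed trace in the style of strace output; not captured from any real sample.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
unlink("/var/log/auth.log") = 0
openat(AT_FDCWD, "/dev/sda", O_WRONLY) = 5
write(5, "\\xeb\\x3c\\x90"..., 512) = 512
"""

# Constructed benign trace for comparison.
BENIGN_TRACE = """\
openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 3
read(3, "127.0.0.1 localhost\\n", 4096) = 20
close(3) = 0
"""

# One rule per behaviour named on the heuristics slide: (label, pattern, weight).
# Patterns and weights are assumptions for this illustration, not a real engine's rules.
RULES = [
    ("network access", re.compile(r"^(socket|connect|sendto)\("), 2),
    ("file open", re.compile(r"^open(at)?\("), 1),
    ("attempt to delete file", re.compile(r"^unlink(at)?\("), 3),
    # Opening a raw disk device for writing is treated as a boot-sector modification attempt.
    ("attempt to modify the boot sector",
     re.compile(r'^open(at)?\(.*"/dev/[sh]d[a-z]",\s*O_(WRONLY|RDWR)'), 5),
]


def score_trace(trace: str, threshold: int = 6) -> dict:
    """Match every trace line against every rule and sum the weights of the hits."""
    findings, total = [], 0
    for lineno, line in enumerate(trace.splitlines(), 1):
        for label, pattern, weight in RULES:
            if pattern.search(line):
                findings.append((lineno, label, weight))
                total += weight
    return {"score": total, "suspicious": total >= threshold, "findings": findings}


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        result = score_trace(trace)
        print(name, result["score"], "suspicious" if result["suspicious"] else "clean")
        for lineno, label, weight in result["findings"]:
            print(f"  line {lineno}: {label} (+{weight})")
```

Real engines combine many more signals and tune weights against large corpora; the point here is only the shape of the logic: per-behaviour rules, additive scoring, and a threshold.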
39. Anti-virus - Checksum
• A checksum is a value used to verify the integrity of a file or a data transfer. In other words, it is a sum that checks the validity of data. Checksums are typically used to compare two sets of data to make sure they are the same.
• Compute a checksum for
– Good binary
– Configuration file
• Detect change by comparing checksums
40. Anti-virus - Dealing with Packers
• Launch the exe
• Wait until it is unpacked
• Dump the memory
41. Sandbox analysis
• Provides file system, registry key, and network traffic monitoring in a controlled environment and produces a well-formed report
• Using a sandbox is more efficient and sometimes more effective
• Running the executable in a VM
• Observe it
– File activity
– Network
– Memory
43. Challenges in Malware Analysis
• Zero-day attack prevention
• Data analytic methods work like a black box
• Abstraction of infection and propagation models
• Computational cost
• Generic disinfection
44. Malware Analysis
• Dissecting malware to understand
– How it works
– How to identify it
– How to defeat or eliminate it
• A critical part of incident response
45. Incident Response
• After malware is found, you need to know
– Did an attacker implant a rootkit or trojan on your systems?
– Is the attacker really gone?
– What did the attacker steal or add?
– How did the attack get in?
• Root-cause analysis
46. Three Areas
1. Visual Analysis: what you can deduce just by looking at the file, its strings, size, where it came from, etc.
2. Behavioral Analysis: how the malware behaves when executed, who it talks to, what gets installed, how it runs, etc.
3. Code Analysis: the actual viewing of the code and walking through it to get a better understanding of the malware and what it's doing.
47. Analyzing the Threat
• Capture malware from attackers
– Determine how they are getting in
– Who are they targeting?
• Run malware in an isolated environment
– What does the malware do?
• Analyze the binary itself
– Some malware can detect isolated environments or has hidden code
49. Goals of Malware Analysis
• The goal of malware analysis is to gain an understanding of how a specific piece of malware functions, so that defenses can be built to protect an organization’s network.
• There are two key questions that must be answered:
– The first: how did this machine become infected with this piece of malware?
– The second: what exactly does this malware do?
• After determining the specific type of malware, you will have to determine which question is more critical to your situation.
51. Types of Malware Analysis
• Code (static) Analysis: the actual viewing of code and walking through it to get a better understanding of the malware and what it is doing
52. Static Analysis techniques
• Scanning with anti-virus software
• File signatures
• Hashes
• Searching a file’s strings, functions, and headers
• Portable Executable (PE) headers and resources
• Unpacking the malware
• Disassembling the malware with a tool such as IDA Pro
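The static-analysis slide lists PE headers among the things to inspect without saying what an analyst reads out of them. The block below is an added example and not code from the presentation: a minimal parser for the DOS stub pointer, the PE signature, the COFF file header and the section table, run over a constructed header-only image (the section names, sizes and flags are made up for the demonstration and the bytes are not a loadable program). It reports the indicators a first look usually turns on: packer-style section names, sections that are both writable and executable, and sections whose virtual size far exceeds their raw size, all of which are consistent with the "Packers" slide earlier in the deck.

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe() -> bytes:
    """Constructed header-only PE image for the demo; not loadable and not from any real sample."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 1600000000, 0, 0, 2, 0x0022)
    optional = struct.pack("<H", 0x20B)  # only the PE32+ magic; SizeOfOptionalHeader above is 2

    def section(name, vsize, vaddr, rawsize, rawptr, chars):
        return (name.ljust(8, b"\x00") + struct.pack("<IIII", vsize, vaddr, rawsize, rawptr)
                + b"\x00" * 12 + struct.pack("<I", chars))

    return (dos_header + b"PE\x00\x00" + coff + optional
            + section(b"UPX0", 0x10000, 0x1000, 0, 0x400, 0xE0000080)      # read|write|exec, no raw data
            + section(b"UPX1", 0x8000, 0x11000, 0x7000, 0x400, 0xE0000040))  # read|write|exec


def parse_pe(data: bytes) -> dict:
    """Read the headers an analyst looks at first and flag packing/self-modification indicators."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    sections, indicators = [], []
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": chars})
        if name.upper().startswith("UPX"):
            indicators.append(f"{name}: packer-style section name")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            indicators.append(f"{name}: section is both writable and executable")
        if (rawsize == 0 and vsize > 0) or vsize > 4 * rawsize:
            indicators.append(f"{name}: virtual size far exceeds raw size (filled at runtime)")
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32_plus": magic == 0x20B,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "characteristics": characteristics,
        "sections": sections,
        "indicators": indicators,
    }


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], "PE32+" if info["pe32_plus"] else "PE32", info["compiled"])
    for s in info["sections"]:
        print(f"  {s['name']:8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x} chars={s['characteristics']:#010x}")
    for line in info["indicators"]:
        print("  !", line)
```

The timestamp is the linker's claim, not proof: it is trivially forged, which is why analysts read it alongside the section indicators rather than on its own.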
53. Signatures
• Host-based signatures
– Identify files or registry keys on a victim computer that indicate an infection
– Focus on what the malware did to the system
• Network signatures
– Detect malware by analyzing network traffic
– More effective when made using malware analysis
54. Signatures
• File signature
– Leveraging the analysis of others
– Anti-viruses have their own analysis of malware, based on
• Signature
• Heuristics
55. Hashes
• A fingerprint for malware
• MD5 or SHA-1
• Condenses a file of any size down to a fixed-length fingerprint
57. Hash Uses
• Label a malware file
• Share the hash with other analysts to identify malware
• Search the hash online to see if someone else has already identified the file
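Both the "Anti-virus - Checksum" slide and the "Hashes" slides rest on the same operation, reducing a file to a short value and comparing it. The example below is added here and is not code from the presentation: it fingerprints bytes with MD5, SHA-1 and SHA-256, verifies a stored baseline for a configuration file, checks a sample against a set of hashes shared by other analysts, and then shows the caveat a practitioner should know, namely that a plain additive checksum is unchanged when the bytes of a file are merely reordered, whereas a cryptographic hash is not. The sample "files" and the known-hash set are constructed for the demonstration.

```python
import hashlib


def simple_checksum(data: bytes) -> int:
    """Toy additive 16-bit checksum: the sum of all bytes modulo 2**16."""
    return sum(data) & 0xFFFF


def fingerprint(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests: the fixed-length fingerprints the slides describe."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify(data: bytes, expected_sha256: str) -> bool:
    """Checksum use from the slides: compare a good binary or config file against a stored baseline."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def is_known(data: bytes, known_hashes: set) -> bool:
    """Hash use from the slides: does any fingerprint of this sample appear in hashes shared by others?"""
    return any(digest in known_hashes for digest in fingerprint(data).values())


# Constructed sample "files" for the demonstration.
GOOD_CONFIG = b"listen = 127.0.0.1\nallow_remote = no\n"
TAMPERED_CONFIG = b"listen = 0.0.0.0\nallow_remote = yes\n"
# Same bytes as GOOD_CONFIG in a different order: identical byte multiset, so identical byte sum.
REORDERED_CONFIG = bytes(sorted(GOOD_CONFIG))
GOOD_BASELINE = hashlib.sha256(GOOD_CONFIG).hexdigest()


def checksum_is_fooled() -> tuple:
    """Returns (additive checksum matches, SHA-256 baseline matches) for the reordered file."""
    return (simple_checksum(GOOD_CONFIG) == simple_checksum(REORDERED_CONFIG),
            verify(REORDERED_CONFIG, GOOD_BASELINE))


if __name__ == "__main__":
    print("baseline:", GOOD_BASELINE)
    print("good config verifies:", verify(GOOD_CONFIG, GOOD_BASELINE))
    print("tampered config verifies:", verify(TAMPERED_CONFIG, GOOD_BASELINE))
    print("reordered file: checksum same =", checksum_is_fooled()[0],
          "/ sha256 same =", checksum_is_fooled()[1])
    # Constructed known-hash set, as an analyst might receive from a peer.
    shared = {fingerprint(TAMPERED_CONFIG)["sha256"]}
    print("tampered config is a known sample:", is_known(TAMPERED_CONFIG, shared))
```

MD5 and SHA-1 still work as labels for exchanging samples, but collisions for both are practical, so SHA-256 is the one to store as an integrity baseline.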
58. Strings
• Any sequence of printable characters is a string
• Strings are terminated by a null (0x00)
• ASCII characters are 8 bits long
– Now called ANSI
• Unicode characters are 16 bits long
– Microsoft calls them "wide characters"
59. Strings
• Strings are identified by a NULL terminating character
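The two strings slides describe 8-bit and 16-bit "wide" strings and their null terminators without showing how to pull them out of a binary. The extractor below is an added example, not code from the presentation: it finds runs of printable ASCII and of UTF-16LE characters of a minimum length, records the offset of each and whether it ends in the terminator the slides mention, and filters for the indicators (URLs, executable names) an analyst scans the output for. The sample bytes are constructed for the demonstration and are not a real file.

```python
import re


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (kind, offset, text, null_terminated) for ASCII and UTF-16LE 'wide' strings."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)             # printable 8-bit run
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)       # printable char + 0x00 pairs
    found = []
    for m in ascii_re.finditer(data):
        terminated = data[m.end():m.end() + 1] == b"\x00"
        found.append(("ascii", m.start(), m.group().decode("ascii"), terminated))
    for m in wide_re.finditer(data):
        terminated = data[m.end():m.end() + 2] == b"\x00\x00"
        found.append(("wide", m.start(), m.group().decode("utf-16-le"), terminated))
    return sorted(found, key=lambda f: f[1])


INDICATOR_RE = re.compile(r"https?://|\.(exe|dll)$", re.IGNORECASE)


def indicators(strings: list) -> list:
    """Keep only the strings an analyst would follow up on: URLs and executable names."""
    return [s for s in strings if INDICATOR_RE.search(s[2])]


# Constructed sample: a fake header, an ASCII URL, two junk bytes, a wide 'cmd.exe', a short tail.
SAMPLE = (b"MZ\x90\x00\x03\x00"
          + b"http://example.invalid/update.bin\x00"
          + b"\x01\x02"
          + "cmd.exe".encode("utf-16-le") + b"\x00\x00"
          + b"ab\x00")


if __name__ == "__main__":
    for kind, offset, text, terminated in extract_strings(SAMPLE):
        print(f"{offset:#06x} {kind:5} {'NUL' if terminated else '   '} {text}")
    print("indicators:", [s[2] for s in indicators(extract_strings(SAMPLE))])
```

Wide strings are easy to miss: the classic `strings` utility only reports them with the `-e l` encoding option, and malware that stores its command lines as UTF-16 looks empty to an ASCII-only scan.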
61. Types of Malware Analysis
• Behavioral (Dynamic) Analysis: how the malware behaves when executed, who it talks to, what gets installed, and how it runs
63. Dynamic Analysis
• Sometimes malware is sophisticated enough to detect that it is sandboxed or running in a limited environment
• The good news: we have the machine code.
• The bad news: all we have is the machine code.
• We can then reverse engineer…
64. Reverse Engineering
• Reverse engineering is always possible since the machine code is present in the malware sample.
• This requires expert knowledge in assembly.
• Only worthwhile if you are looking for odd behavior, as it is slow and tedious work.
65. Reversing malware
• Set up a virtual environment.
• Get the necessary tools ready.
• Snapshot is your best friend.
66. Simple Reverse Engineering Tools in Linux
• Objdump is a free, open-source Linux disassembler.
– Outputs assembly code
– Useful to find strings in the binary
• GDB, the standard debugger for Linux, can debug without source file information.
• Strace intercepts all system calls and notifications and prints them out for a running process.
67. Reverse Engineering on Windows
• IDA Pro is an interactive debugger which
allows code to be disassembled and run at the
same time
– Breaks down the code into machine instructions
– Interactively reverse engineers to C code
– Allows interactive renaming of functions and
variables as their purpose is discovered
– Extremely useful
68. Dynamic Analysis techniques
• Network traffic analysis
• File system and other Windows
features (services, processes, etc.)
69. Dynamic Analysis techniques
• Carefully let malware run on a (nearly) fully
functional system.
• Virtual machines are often useful
– Take a clean snapshot
– Run the malware
– Observe results
– Restore the clean snapshot
70. Dynamic Analysis techniques
• SysInternals Process Monitor allows complete
monitoring of API calls.
– Also has a special boot monitor to track all
changes upon a reboot
• Regshot takes a before and after snapshot of
the registry to find changes.
71. • Introduction to malware
• What is a malware?
• Types of malware
• How do they infect hosts?
• How to detect them?
• malware Analysis
• Goals OF malware Analysis
• Types OF malware Analysis
• Tools For malware Analysis
• Malware Analysis Simulation Steps
• Conclusion
• References
72. Tools For malware analysis
• It is critical to identify the various tools that
can be used to perform malware analysis.
• This is not a comprehensive list of tools that
one must use.
• We will mention some critical tools, not all of
them.
73. List of tools
• Strings
• PEView
• Dependency Walker
• Resource Hacker
• Procmon
• Procexp
• Regshot
• Capture
• Wireshark
• Netcat/FakeNet
• FakeDNS/ApateDNS
• PEiD
• UPX
74. Needed terminology
• Reverse Code Engineering: the process of
disassembling software to reveal how the
software functions.
• Disassemblers: programs that take a program's
executable binary as input and generate
textual files that contain the assembly
language code for the entire program or parts
of it.
75. Needed terminology
• Debuggers: programs that allow software
developers to observe their program while
running it.
• Decompiler: a program that takes an
executable binary file and attempts to
produce readable high-level language code
from it.
76. Tools For malware analysis
• Using physical hardware or virtual machines
(VM).
77. Setting up test environment
• Computer Requirements:
– At least 1GB of memory
– A large hard drive: allows you to keep images
on the hard drive
– Good processor: faster is better
– NIC card
– CDROM/DVD burner
– Any operating system
78. Setting up test environment
• VMware workstation: Run and network multiple
OSes on one platform
• Storage media: For transferring malware and
storing unused OS images
79. Setting up test environment
• Internet Connectivity: optional, but occasionally
you might need it.
• Collection of OSes: you will need different
operating systems for your testing
– Base image with no patches
– Base image fully patched
– Configure as host-only or a network
– Store on hard drive and/or burn to CD
80. Tools For malware analysis
• Process Explorer: small application that finds
out which files, registry keys and other objects
processes have open, and which DLLs they have loaded
• Process Monitor: small application used to
monitor file system, registry, process, thread
and DLL activity in real time.
• PsFile: application that shows a list of files on
a system that are opened remotely.
81. Tools For malware analysis
• RootkitRevealer: application that scans the
system for known rootkit-based malware.
• Strings: application that searches for ANSI
and UNICODE strings in binary images.
• TCPView: application providing information
about TCP and UDP connections, including
the local and remote address and TCP
connection state.
82. Tools For malware analysis
• WinDump: Windows version of the powerful
and flexible tcpdump sniffer.
• Fport: identifies unknown ports and their
associated applications.
• Hfind (part of the Forensic Toolkit): application
that scans the disk for hidden files.
• BgInfo: small application providing important
system information such as hostname, IP
address, OS version, etc.
83. Tools For malware analysis
• Vision: reports all open TCP and UDP ports and maps
them to the owning process or application.
• Filewatch: a file change monitor.
• Attacker: a TCP/UDP port listener.
• MD5sums: generates signatures (hashes) for file
integrity verification.
– Run it before you launch the malware to have a baseline
for comparison against files the malware may create
• Winalysis: monitors for changes to files, the registry,
users, groups, security policies, services, shares,
scheduled jobs, the system environment and more.
84. Tools For malware analysis
• WinHex: hex editor; you may choose any hex
editor that you like.
• IDA Pro: popular interactive, programmable,
extensible, multi-processor debugger and
disassembler.
• Reverse Engineering Compiler: popular
decompiler.
• ProcDump32: unpacker application.
85. Tools For malware analysis
• PE Explorer: provides tools for disassembly
and inspection of unknown binaries.
• WinDbg: Windows debugging application.
• LiveKd: application that allows the WinDbg
debugger to run locally on a live system.
• DebugView: an application that monitors
debug output on your local or a remote
system.
86. Tools For malware analysis
• OllyDbg: 32-bit assembler-level analysis
debugger for Microsoft Windows, used to work with
the malware for tasks such as viewing the
code and stepping through it.
• RegShot: tool that tells you what has changed
on your system before and after you launch
your malware
• Netcat: "Swiss army knife" for networks,
for when you need something to connect to
or to attempt a connection from
87. Tools For malware analysis
• UPX: packer used a lot to compress and
obfuscate code; use it to uncompress the code
before analysis
• WinRAR: tool to compress large file(s) into
one smaller file for safely transferring malware or
collected information, to keep things organized.
The industry-standard password is 'infected'
• Ethereal: a protocol analyzer (aka sniffer)
– Use it when launching the malware and while doing
analysis.
88. • Introduction to malware
• What is a malware?
• Types of malware
• How do they infect hosts?
• How to detect them?
• malware Analysis
• Goals of malware Analysis
• Types Of malware Analysis
• Tools For malware Analysis
• Malware Analysis Simulation Steps
• Conclusion
• References
89. Malware analysis main steps
• Step 1: Allocate physical or virtual systems for
the analysis lab
• Step 2: Isolate laboratory systems from the
production environment
• Step 3: Install behavioral analysis tools
• Step 4: Install code-analysis tools
• Step 5: Utilize online analysis tools
• Next Steps
Moataz Ahmed Mahmoud, Ahmed Abdelhafez, Ahmed El bohy
90. Step 1: Allocate physical or virtual systems for the analysis lab
• A common approach to examining malicious software involves
infecting a system with the malware specimen and then using the
appropriate monitoring tools to observe how it behaves. This
requires a laboratory system you can infect without affecting your
production environment.
• The most popular and flexible way to set up such a lab system
involves virtualization software, which allows you to use a single
physical computer for hosting multiple virtual systems, each
running a potentially different operating system. Free virtualization
software options include:
– VMware Server
– Windows Virtual PC
– Microsoft Virtual Server
– VirtualBox
91. Step 2: Isolate laboratory systems from the production environment
• You must take precautions to isolate the
malware-analysis lab from the production
network, to mitigate the risk that a malicious
program will escape. You can separate the
laboratory network from production using a
firewall. Better yet, don't connect laboratory
and production networks at all, to avoid
firewall configuration issues that might allow
malware to bypass filtering restrictions.
92. Step 3: Install behavioral analysis tools
• Before you're ready to infect your laboratory system with the malware specimen,
you need to install and activate the appropriate monitoring tools. Free utilities that
will let you observe how Windows malware interacts with its environment include:
• File system and registry monitoring: Process Monitor and Capture BAT offer a
powerful way to observe in real time how local processes read, write, or delete
registry entries and files. These tools can help you understand how malware
attempts to embed into the system upon infection.
• Process monitoring: Process Explorer and Process Hacker replace the built-in
Windows Task Manager, helping you observe malicious processes, including local
network ports they may attempt to open.
• Network monitoring: Wireshark and SmartSniff are network sniffers, which can
observe laboratory network traffic for malicious communication attempts, such as
DNS resolution requests, bot traffic, or downloads.
• Change detection: Regshot is a lightweight tool for comparing the system's state
before and after the infection, to highlight the key changes malware made to the
file system and the registry.
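The MD5sums slide earlier (hash everything before launching the specimen, to have a baseline) and the change-detection bullet above (Regshot's before/after comparison) rest on the same idea: record the system's state, run the specimen, record it again, and diff the two records. This Python is an added example, not part of the slides and not code from MD5sums or Regshot; it applies that idea to a file tree. It runs entirely in a scratch directory with constructed files, and the "infection" is a few ordinary file edits standing in for whatever a specimen would do on the lab VM.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "md5") -> str:
    """Hash a file in chunks. md5 matches the MD5sums tool named on the slide;
    pass "sha256" to get the digest you would search for online today."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, algo: str = "md5") -> dict:
    """Map every regular file under root (relative POSIX path) to (digest, size).
    This is the 'before' or 'after' record; sizes are kept so a change is
    visible even when someone only skims the report."""
    return {
        p.relative_to(root).as_posix(): (hash_file(p, algo), p.stat().st_size)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before: dict, after: dict) -> dict:
    """Regshot-style comparison: which paths appeared, vanished, or changed contents."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Self-contained run: build a tiny constructed 'system', baseline it,
    make a few edits in place of running a specimen, and report the delta."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        hosts = root / "system32" / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("clean baseline\n")

        before = snapshot(root)  # clean snapshot, taken before anything is launched

        # Constructed changes standing in for a specimen's activity (not real malware behaviour)
        hosts.write_text("127.0.0.1 localhost\n127.0.0.1 added-by-specimen.example.invalid\n")
        (root / "dropped.tmp").write_bytes(b"\x90" * 32)
        (root / "readme.txt").unlink()

        after = snapshot(root)   # second snapshot after the run
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

In a real lab the two snapshots are taken of the whole guest (or the directories of interest) on either side of the run, and the same before/after record can be kept for registry exports, service lists and open ports; the digest list from the clean snapshot doubles as the baseline the MD5sums slide asks for.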
93. Step 4: Install code-analysis tools
• Examining the code that comprises the specimen helps uncover
characteristics that may be difficult to obtain through behavioral analysis.
In the case of a malicious executable, you rarely will have the luxury of
access to the source code from which it was created. Fortunately, the
following free tools can help you reverse compiled Windows executables:
• Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse
compiled Windows executables and, acting as disassemblers, display their
code as Intel x86 assembly instructions. These tools also have debugging
capabilities, which allow you to execute the most interesting parts of the
malicious program slowly and under highly controlled conditions, so you
can better understand the purpose of the code.
• Memory dumper: LordPE and OllyDump help obtain protected code
located in the lab system's memory and dump it to a file. This technique is
particularly useful when analyzing packed executables, which are difficult
to disassemble because they encode or encrypt their instructions,
extracting them into RAM only during run-time.
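Step 4 notes that packed executables are hard to disassemble because their real instructions are encoded or encrypted until run-time, and the tools slides list PEiD and UPX for dealing with packers. One quick check an analyst makes before reaching for a debugger or memory dumper is per-section entropy: compressed or encrypted data comes out close to 8 bits per byte, while ordinary x86 code and strings sit far lower. The Python below is an added example, not code from the slides or from PEiD; the section contents are constructed stand-ins (no PE file is parsed), and the 7.0 bits-per-byte threshold is a common rule of thumb, not a value from the slides.

```python
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte; plain x86 code and text usually sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value,
    8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packed_sections(sections: dict, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose contents look compressed or encrypted.
    High entropy is an indicator, not proof: legitimate compressed
    resources or embedded certificates score high as well."""
    return [name for name, blob in sections.items() if shannon_entropy(blob) >= threshold]


def constructed_sections() -> dict:
    """Stand-ins for PE sections (constructed data, no real binary is read)."""
    rng = random.Random(1337)  # fixed seed so the 'packed' sample is reproducible
    prologue = bytes.fromhex("558bec83ec1053565733c0")  # common x86 function-prologue bytes
    return {
        ".text": prologue * 300,                                    # repetitive, code-like
        ".rdata": b"This program cannot be run in DOS mode.\r\n" * 50,  # text
        "UPX1": bytes(rng.getrandbits(8) for _ in range(4096)),     # compressed-looking payload
    }


if __name__ == "__main__":
    sections = constructed_sections()
    for name, blob in sections.items():
        print(f"{name:7s} {len(blob):6d} bytes  entropy {shannon_entropy(blob):.2f}")
    print("likely packed:", packed_sections(sections))
```

On a real sample the section names and raw bytes would come from the PE section table (PEView or PE Explorer show them), and a UPX-style name together with one high-entropy section and a tiny, low-entropy code section is the usual picture of a packed file; PEiD's signature match then tells you which packer, and UPX itself can often unpack its own output as the slide says.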
94. Step 5: Utilize online analysis tools
• To round off your malware-analysis toolkit, add to it some freely
available online tools that may assist with the reverse engineering
process. One category of such tools performs automated behavioral
analysis of the executables you supply. These applications look
similar at first glance, but use different technologies on the back
end. Consider submitting your malware specimen to several of
these sites; depending on the specimen, some sites will be more
effective than others. Such tools include:
– Anubis
– CWSandbox
– Joebox
– Norman SandBox
– ThreatExpert
95. Next Steps
• With your initial toolkit assembled, start
experimenting in the lab with malware you
come across on the web, in your e-mail box,
on your systems, and so on.
96. • Introduction to malware
• What is a malware?
• Types of malware
• How do they infect hosts?
• How to detect them?
• Malware Analysis
• Goals OF malware Analysis
• Types Of malware Analysis
• Tools For malware Analysis
• Malware Analysis Simulation Steps
• Conclusion
• References
97. Conclusion
• As you have seen, there are various ways
for an attacker to get malicious code to
execute on remote computers
• We have only scratched the surface;
there is much more to learn and discover
98. • Introduction to malware
• What is a malware?
• Types of malware
• How do they infect hosts?
• How to detect them?
• malware Analysis
• Goals OF malware Analysis
• Types Of malware Analysis
• Tools For malware Analysis
• Malware Analysis Simulation Steps
• malware Defense
• Conclusion
• References