AN OVERVIEW – PART I
OUR GAME PLAN
• TODAY – A THEORETICAL OVERVIEW FOLLOWED BY A CASE STUDY
• DETAILED PRESENTATIONS ABOUT EACH COMPONENT:
  o VIRTUALIZATION
  o HONEYPOTS / HONEYNETS
  o DEBUGGING
  o AND SO ON (HOPEFULLY)
• CAPABILITY FOR ‘ABSTRACT MATHEMATICS’
• ASSEMBLY LANGUAGE
• LACK OF SOCIAL LIFE
• ADEQUATE ‘BEHAVIOR MODIFICATION’ OR ‘TRANCE INDUCING’ MATERIALS.
• BASICS
• SETTING UP A LAB ENVIRONMENT
• ANALYSIS
  o NETWORK TRAFFIC
  o DISK IMAGE / FILE SYSTEM
  o MEMORY IMAGE
  o STATIC ANALYSIS
• TRADITIONALLY WE HAD – SOURCE CODE AUDITING – THE PRIME REQUIREMENT WAS SAFETY OF CODE.
• THEN CAME PROPRIETARY CODE AND WITH IT ‘BLACK BOX TESTING’
• ALONG CAME MODULAR COMPONENTS AND WE GRADUATED TO ‘REVERSE ENGINEERING’
• WITH COTS PRODUCTS CAME ISSUES OF TRUST – MICROSOFT IS SAFE, BUT WHAT ABOUT THE GUYS WHO MADE THE DLL?
• SUGGESTED READING: ‘WYSINWYX’, GOGUL BALAKRISHNAN’s PHD THESIS.
• A METHOD OF REVERSE ENGINEERING ALONG WITH ALL ASSOCIATED LIBRARIES – ‘HOLISTIC REVERSE ENGINEERING’
• A FOCUSED APPLICATION – MALWARE ANALYSIS.
• WHY – TRADITIONAL SIGNATURE BASED ANALYSIS IS FUTILE GIVEN THE EVOLVING MALWARE.
• THE SAME LOGIC HAS MULTIPLE ‘SIGNATURES’
• HENCE ‘BEHAVIORAL ANALYSIS’
• PROS & CONS OF BOTH STATIC ANALYSIS & BEHAVIORAL ANALYSIS.
• LARGER VOLUMES OF SAMPLES NECESSITATE ‘AUTOMATION’.
• ENTER CWSANDBOX, NORMAN SANDBOX & OTHERS
• BUT WE NEED ‘MORE’
• OVERLAP WITH FORENSICS.
• PRIVACY & POLICY ISSUES.
• WISH TO LEARN
• ‘LIVE’ EXERCISE – PART OF GROWING UP
• FIELD OF WORK
• REQUIREMENT OF CUSTOMIZED DATA
• COMPLEXITIES IN THE MALWARE WORLD
• BASICS
• SETTING UP A LAB ENVIRONMENT
• ANALYSIS
  o STATIC ANALYSIS
  o NETWORK TRAFFIC
  o DISK IMAGE / FILE SYSTEM
  o MEMORY IMAGE
• A CONTROLLED ENVIRONMENT.
  ▪ MALWARE COLLECTION. MALWARE COLLECTION THROUGH SPAM TRAPS, HONEYPOTS AND SHARED DATA. NEPENTHES AS AN EXAMPLE.
  ▪ VICTIM MACHINES. VIRTUALISATION OR REAL. VIRTUAL MACHINES ARE EASIER TO MANAGE, BUT MALWARE IS INCREASINGLY BECOMING MORE AWARE OF THEM. VIRTUAL MACHINES LIKE VMWARE, PARALLELS, QEMU AND BOCHS ARE AVAILABLE.
  ▪ SUPPORT TOOLS.
  ▪ NETWORK SIMULATION. INTERNET CONNECTION, DNS CONNECTION, IRC, WEB, SMTP SERVER.
  ▪ ANALYSIS TOOLS. SUPPORT OF ONLINE RESOURCES LIKE VIRUSTOTAL.
• IT SHOULD BE ISOLATED.
• IT SHOULD PROVIDE A FULL SIMULATION.
• FRIENDS
• ONLINE RESOURCES
• HONEYPOTS
  o AMUN
  o NEPENTHES
  o ….
• WINDOWS OS
  o START – WINDOWS IMAGE USING LINUX
• THE RE-USABLE MALWARE ANALYSIS NET ‘TRUMAN’
• VIRTUAL MACHINES
  o NORTON GHOST / UDPCAST / ACRONIS
  o HARDWARE – CORE RESTORE
  o MICROSOFT – STEADY STATE
• THIS MINI LINUX IMPLEMENTATION CONTAINS TOOLS LIKE PARTIMAGE, NTFSRESIZE AND FDISK AND IS BASED AROUND THE FANTASTIC BUSYBOX.
• IT ENABLES YOU TO PXE BOOT A PC INTO A LINUX CLIENT WHICH CAN CREATE AN NTFS PARTITION, GRAB A WINDOWS DISK IMAGE FROM THE NETWORK, WRITE IT TO A LOCAL DISK AND THEN RESIZE THAT PARTITION.
• TWO MACHINES MINIMUM.
• LINUX BASED SERVER
• TRUMAN MACHINE AS CLIENT (XP WITHOUT PATCHES). INSTALLATION FAQ ON NSMWIKI.
• VIRTUAL NETWORK SIMULATION
• MAVMM: LIGHTWEIGHT AND PURPOSE BUILT VMM FOR MALWARE ANALYSIS
• AUTHORS – ANH M. NGUYEN, NABIL SCHEAR, HEEDONG JUNG, APEKSHA GODIYAL, SAMUEL T. KING, HAI D. NGUYEN
• A SPECIAL PURPOSE VIRTUAL MACHINE FOR MALWARE ANALYSIS
• ACADEMIC VERSION OF XP AVAILABLE.
• INSTRUMENTATION OF CODE FEASIBLE
• CREATION OF ‘SPECIAL WINDOWS’ BOXES
• BASICS
• SETTING UP A LAB ENVIRONMENT
• ANALYSIS
  o STATIC ANALYSIS
  o NETWORK TRAFFIC
  o DISK IMAGE / FILE SYSTEM
  o MEMORY IMAGE
• CREATE A CONTROLLED ENVIRONMENT. VIRTUAL OR REAL.
• BASELINE THE ENVIRONMENT:-
  ▪ VICTIM MACHINE. FILE SYSTEM, REGISTRY, RUNNING PROCESSES, OPEN PORTS, USERS, GROUPS, NETWORK SHARES, SERVICES ETC.
  ▪ NETWORK TRAFFIC.
  ▪ EXTERNAL VIEW.
• INFORMATION COLLECTION.
  ▪ STATIC. STRINGS, RESOURCES, SCRIPTS, FILE PROPERTIES ETC.
  ▪ DYNAMIC.
• INFORMATION ANALYSIS. INVOLVES INFORMATION COLLATION, INTERNET SEARCHES, STARTUP METHODS, COMMUNICATION PROTOCOLS, SPREADING MECHANISMS ETC.
• RECONSTRUCTING THE BIG PICTURE.
• DOCUMENTATION.
• PSEXEC – PART OF SYSINTERNALS PSTOOLS KIT.
• MS REMOTE DESKTOP
• VIRTUAL NETWORK COMPUTING (VNC)
• ULTRAVNC – SOURCEFORGE
• IF YOU ARE COMFORTABLE WITH REMOTE COMMAND LINE – PSEXEC
• BASELINE INFORMATION
  o NETWORK TRAFFIC
  o FILE SYSTEM
  o REGISTRY
  o MEMORY IMAGE
• REMEMBER IT IS ‘MALWARE’
• USE PKZIP TO HANDLE THE SAMPLE
• COMMAND LINE METHOD
• IF YOU ARE SUBMITTING SAMPLES ONLINE, PASSWORD = ‘infected’
• DISK IMAGE ANALYSIS: ADVANCED INTRUSION DETECTION ENVIRONMENT (AIDE) FOR COMPARING DISK IMAGES BEFORE AND AFTER.
• NTFS-3G DRIVERS & GETFATTR FOR ADS STREAMS.
• REGISTRY USING DUMPHIVE
• COMPARE REGISTRY DUMP BEFORE AND AFTER USING THE LINUX diff -u COMMAND
• MEMORY IMAGE ANALYSIS. PMODUMP.PL MODIFIED TO HANDLE PEB RANDOMISATIONS, VOLATILITY FRAMEWORK USED FOR ANALYSIS.
• OUTPUTS OF MULTIPLE TOOLS USED TO COMPARE AND ANALYSE.
• FILE SYSTEM AND REGISTRY MONITORING: PROCESS MONITOR AND CAPTURE BAT
• PROCESS MONITORING: PROCESS EXPLORER AND PROCESS HACKER
• NETWORK MONITORING: WIRESHARK AND SMARTSNIFF
• CHANGE DETECTION: REGSHOT
• A GOOD WAY TO SEE CHANGES TO THE NETWORK IS WITH A TOOL CALLED NDIFF.
• NDIFF IS A TOOL THAT UTILIZES NMAP OUTPUT TO IDENTIFY THE DIFFERENCES, OR CHANGES, THAT HAVE OCCURRED IN YOUR ENVIRONMENT.
• NDIFF CAN BE DOWNLOADED FROM http://www.vinecorp.com/ndiff/.
• TCPDUMP – CONSOLE
• WINDUMP – CONSOLE
• WIRESHARK – GUI
• THE OPTIONS OFFERED IN NDIFF INCLUDE:
  ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>]
        [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>]
        [-fmt|-format <terse | minimal | verbose | machine | html | htmle>]
• NDIFF OUTPUT MAY BE REDIRECTED TO A WEB PAGE:
  ndiff -b base-line.txt -o tested.txt -fmt machine | ndiff2html > differences.html
• THE OUTPUT FILE, “DIFFERENCES.HTML”, MAY BE DISPLAYED IN A WEB BROWSER. THIS WILL SEPARATE HOSTS INTO THREE MAIN CATEGORIES:
  o NEW HOSTS,
  o MISSING HOSTS, AND
  o CHANGED HOSTS.
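As an added example (not part of the original slides, and not code from ndiff, AIDE or md5deep), the before/after comparison the slides describe for disk images, registry dumps and ndiff host lists comes down to one routine: parse a baseline listing and a post-run listing into key/value maps and sort every entry into the same three buckets ndiff reports, new, missing and changed. The script below does that for md5deep-style listings ("hash  path" per line); the listings are constructed for the demonstration, not real system output, and the same function works for any flattened "key  value" dump such as a registry export.

```python
"""Before/after snapshot comparison for a malware-analysis lab baseline.

Added example, not part of the original slides. Reads two md5deep-style
listings ("<hash>  <path>" per line), one taken before the sample runs and
one after, and sorts every path into three buckets: new, missing, changed.
"""
from dataclasses import dataclass, field


@dataclass
class SnapshotDiff:
    new: dict = field(default_factory=dict)      # path -> hash (only in the after listing)
    missing: dict = field(default_factory=dict)  # path -> hash (only in the before listing)
    changed: dict = field(default_factory=dict)  # path -> (hash_before, hash_after)

    def is_clean(self) -> bool:
        return not (self.new or self.missing or self.changed)


def parse_listing(text: str) -> dict:
    """Parse md5deep-style output: digest, whitespace, then the path.

    Paths may contain spaces, so split only on the first run of whitespace.
    Blank lines and lines without a separator are skipped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts
        entries[path] = digest.lower()
    return entries


def diff_snapshots(before: dict, after: dict) -> SnapshotDiff:
    """Classify every key of both snapshots as new, missing or changed."""
    result = SnapshotDiff()
    for path, digest in after.items():
        if path not in before:
            result.new[path] = digest
        elif before[path] != digest:
            result.changed[path] = (before[path], digest)
    for path, digest in before.items():
        if path not in after:
            result.missing[path] = digest
    return result


def report(diff: SnapshotDiff) -> list:
    """Flatten the diff into one line per finding, sorted by bucket then path."""
    lines = []
    for path, digest in sorted(diff.new.items()):
        lines.append(f"NEW      {path}  {digest}")
    for path, digest in sorted(diff.missing.items()):
        lines.append(f"MISSING  {path}  {digest}")
    for path, (old, new) in sorted(diff.changed.items()):
        lines.append(f"CHANGED  {path}  {old} -> {new}")
    return lines


# Constructed sample listings (not real output): a baseline taken before
# detonation and a second listing taken afterwards. The hosts file has
# changed, a readme is gone and a new executable appeared under the profile.
BASELINE = """\
d41d8cd98f00b204e9800998ecf8427e  C:\\Windows\\System32\\drivers\\etc\\hosts
9e107d9d372bb6826bd81d3542a419d6  C:\\Windows\\System32\\svchost.exe
e4d909c290d0fb1ca068ffaddf22cbd0  C:\\Program Files\\Analysis Tools\\readme.txt
"""

AFTER_RUN = """\
a3f5b1c0d2e4f60718293a4b5c6d7e8f  C:\\Windows\\System32\\drivers\\etc\\hosts
9e107d9d372bb6826bd81d3542a419d6  C:\\Windows\\System32\\svchost.exe
0123456789abcdef0123456789abcdef  C:\\Users\\analyst\\AppData\\Roaming\\svc.exe
"""

if __name__ == "__main__":
    d = diff_snapshots(parse_listing(BASELINE), parse_listing(AFTER_RUN))
    print("\n".join(report(d)))
```

Run it against real listings by swapping the two constants for the contents of the before and after files; because the comparison works on keys rather than on line order, it is unaffected by the sorting differences that make a plain diff -u noisy when the tool enumerates the file system in a different order on each run.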
• NETSTAT
• FPORT
• TCPVcon – CONSOLE
• TCPView – GUI
• HANDLE – CONSOLE
• PROCESS EXPLORER – GUI
• USE PID TO CORRELATE OUTPUTS
• HASHING FUNCTIONS
  o MD5DEEP – JESSE KORNBLUM
• FUZZY HASHING
  o SSDEEP – AGAIN JESSE
• ONLINE HASHES OF GOOD FILES – NIST
• A GOOD START
  o VIRUSTOTAL
  o VIRUSSCAN
  o AND MANY MORE
• HELP RETAIN FOCUS
• virus@ca.com
• sample@nod32.com
• samples@f-secure.com
• newvirus@kaspersky.com
• VIRUSTOTAL, JOTTI, VIRUS.ORG
• MANY MORE
• PEID
• POLYUNPACK
• RENOVO – PART OF BIT BLAZE, BASED ON MEMORY UNPACKING
• AND MANY MORE
• TOOLS:-
  o PEVIEW
  o DEPENDS
  o PE BROWSE PRO
  o OBJDUMP
  o RESOURCE HACKER
  o STRINGS
• DETERMINE THE DATE/TIME OF COMPILATION, FUNCTIONS IMPORTED BY THE PROGRAM, ICONS, MENUS, VERSION INFO AND STRINGS EMBEDDED IN THE RESOURCES.
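Added example, not code from the slides or from any of the tools named above: the compilation date/time that PEView and similar viewers display is the TimeDateStamp field of IMAGE_FILE_HEADER, and the script below reads it directly by following e_lfanew from the DOS header, checking the "PE\0\0" signature and decoding the header that follows. The header bytes it parses are constructed by build_sample() for the demonstration and do not form a real executable; the field layout and names are those of the PE format.

```python
"""Decode IMAGE_FILE_HEADER from a PE file: machine, section count and
compile timestamp. Added example; the sample header below is constructed."""
import struct
from datetime import datetime, timezone

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (all little-endian)
FILE_HEADER_FMT = "<HHIIIHH"
FILE_HEADER_LEN = struct.calcsize(FILE_HEADER_FMT)
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}


def parse_file_header(data: bytes) -> dict:
    """Return the IMAGE_FILE_HEADER fields, raising ValueError on a malformed file.

    Every offset is bounds-checked before use: a hostile sample can point
    e_lfanew anywhere, so never trust it to land inside the buffer.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    sig_end = e_lfanew + len(PE_SIGNATURE)
    if e_lfanew < 0x40 or sig_end + FILE_HEADER_LEN > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:sig_end] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    fields = struct.unpack_from(FILE_HEADER_FMT, data, sig_end)
    names = ("machine", "number_of_sections", "time_date_stamp",
             "pointer_to_symbol_table", "number_of_symbols",
             "size_of_optional_header", "characteristics")
    header = dict(zip(names, fields))
    header["machine_name"] = MACHINE_NAMES.get(header["machine"], "unknown")
    # TimeDateStamp is seconds since the Unix epoch, as written by the linker.
    header["compiled_at"] = datetime.fromtimestamp(header["time_date_stamp"], tz=timezone.utc)
    header["is_dll"] = bool(header["characteristics"] & IMAGE_FILE_DLL)
    return header


def build_sample(timestamp: int, machine: int = 0x014C, sections: int = 3,
                 characteristics: int = 0x0102) -> bytes:
    """Construct a minimal MZ stub + PE signature + file header (not a runnable binary)."""
    e_lfanew = 0x40
    dos_header = DOS_MAGIC + b"\0" * (0x3C - len(DOS_MAGIC)) + struct.pack("<I", e_lfanew)
    file_header = struct.pack(FILE_HEADER_FMT, machine, sections, timestamp,
                              0, 0, 0xE0, characteristics)
    return dos_header + PE_SIGNATURE + file_header


# Constructed sample: a 32-bit EXE stamped 2009-02-13 23:31:30 UTC.
SAMPLE = build_sample(1234567890)

if __name__ == "__main__":
    h = parse_file_header(SAMPLE)
    print(f"{h['machine_name']} image, {h['number_of_sections']} sections, "
          f"{'DLL' if h['is_dll'] else 'EXE'}, compiled {h['compiled_at'].isoformat()}")
```

Treat the decoded date as a lead rather than evidence: the field is written by the linker and is trivially overwritten by packers and build scripts, so a zero, future or implausibly old value is itself a finding worth recording alongside the imports and resource strings the slide lists.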
• STRINGS
• VIP UTILITY – www.freespaceinternetsecurity.com
• InCtrl5
• SANDBOXIE
• FILEMON
• REGMON
• AUTORUNS
• HIJACKTHIS
• ……..
• PE FORMAT – NEED I SAY MORE.
• LORDPE – CAN ALSO DO MEMORY DUMPS
• PETOOLS
• PEID – TO FIND PACKER DETAILS
• WINDBG
• OLLYDBG
• IDA PRO
• SYSRDBG – KERNEL LEVEL?
• KERNEL DEBUGGER FROM MS
• KNOWLEDGE OF ASSEMBLY LANGUAGE CRITICAL
• TRAP – API EMULATION
• JAVASCRIPT OBFUSCATION – SPIDERMONKEY.
• TOOLS FOR MS OFFICE FORMATS:-
  o OFFICEMALSCANNER
  o OFFVIS
  o OFFICE BINARY TRANSLATOR (INCLUDES BIFFVIEW TOOL).
  o OFFICECAT.
  o FILEHEX AND FILEINSIGHT HEX EDITORS CAN PARSE AND EDIT OLE STRUCTURES.
• SIMILARLY TOOLS FOR PDF, FLASH ETC.
• EXTENSIVE FEATURES ≠ GOOD TOOL
• REQUIREMENT TO SCRIPT & PARSE OUTPUTS INTO A ‘READABLE REPORT’
• COMMAND LINE / GUI OPTIONS
• COMPARISON OF MULTIPLE TOOLS AS VERIFICATION
• RAPID ASSESSMENT & POTENTIAL INCIDENT EXAMINATION REPORT
• RAPIER IS A SECURITY TOOL BUILT TO FACILITATE FIRST RESPONSE PROCEDURES FOR INCIDENT HANDLING.
• OVERLAP BETWEEN FORENSICS AND MALWARE ANALYSIS.
• TO ILLUSTRATE THE REQUIREMENT TO ‘SCRIPT AROUND GUI TOOLS’
• AS PART OF ANALYSIS, TRY TO IDENTIFY THE SOURCE.
  o BLOCK LISTS OF SUSPECTED MALICIOUS IPS AND URLS
  o LOOKING UP POTENTIALLY MALICIOUS WEBSITES
  o INITIAL VECTOR – BROWSER HISTORY, EMAIL LOGS
• SIMILARITY STUDIES:-
  o http://code.google.com/p/yara-project/
  o GENOME BASED CLASSIFICATION
  o MALWARE SIMILARITY ANALYSIS – BLACK HAT 09 – DANIEL RAYGOZA
  o BLAST: BASIC LOCAL ALIGNMENT SEARCH TOOL BASED CLASSIFICATION
  o FUZZY CLARITY – DIGITAL NINJA
• RESEARCH IS ON FOR CLASSIFICATION ACCORDING TO:-
  o OPCODE DISTRIBUTION
  o API CALLS MADE
  o COMPILER PARAMETERS
  o ……
  o WILL GIVE THE ‘HEURISTICS’
• ALWAYS CORRELATE THE ANALYSIS:-
  o ANUBIS (FORMERLY TTANALYSE)
  o BIT BLAZE (COUSIN OF WEB BLAZE PROJECT)
  o COMODO
  o CWSANDBOX
  o EUREKA
  o JOEBOX
  o NORMAN SANDBOX
  o THREAT EXPERT
  o XANDORA
• SUGGESTED READING
  o WILDCAT: AN INTEGRATED STEALTH ENVIRONMENT FOR DYNAMIC MALWARE ANALYSIS – AMIT VASUDEVAN
  o ‘WYSINWYX’: WHAT YOU SEE IS NOT WHAT YOU EXECUTE – GOGUL BALAKRISHNAN
  o LARGE-SCALE DYNAMIC MALWARE ANALYSIS – ULRICH BAYER
'Malware Analysis' by PP Singh
