Day by day, we store more and more confidential information on our computers, from site account credentials to our bank accounts. Every day, malware becomes more and more silent: it does not want you to be suspicious, it just wants to stay on your device to do something ... that you don't really want.
Cutting out Malware
Integrated malware analysis.
Luigi Capuzzello
Version: 1.0
11/01/2014
http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
http://www.slideshare.net/luigicapuzzello
@FisherKasparov
luigi.capuzzello
A good introduction to malware analysis, offering detailed coverage of all the essential skills required to understand the specific challenges presented by modern malware.
Contents

Introduction
  What you will learn
  What you should know
Basic Static Analysis
  Hashing: [winMD5free]
  String: [strings]
  Packed software [PEiD / exeinfope]
  PE Header [Dependency Walker / PEView / Resource Hacker Tool]
Basic Dynamic Analysis
  Monitor malware activity [procmon / regshot / Process Explorer]
  Go deep into network traffic
So what the hell can we do ?
Summary
On the Web
About the author
Other Specification
Introduction.
An email arrives in your inbox; it is from your girlfriend Ann, and she invites you to look at a very funny picture of her. Click! "But... what? This picture is not funny at all, and... she is not Ann."
Day by day we store more and more confidential information on our computers, from site account credentials to our bank account.
Day by day malware becomes more and more silent: it does not want you to be suspicious, it just wants to stay on your device and do something... that you don't want.
What you will learn...
- Configuring a malware analysis lab
- Assembling a real toolkit for malware forensics
- Performing behavioral analysis of malicious Windows executables
- Performing static and dynamic code analysis of malicious Windows executables

What you should know...
- What a PE header is
- The basics of network protocols
- The basics of the Windows registry and processes
Basic Static Analysis.
Static analysis is the process of examining the code and the structure of a program, without running it, to determine its main features.
In this phase nothing is executed; we are just analyzing a file, a sequence of bytes.
We want to gather as much information as possible. Every piece of information, even the apparently trivial ones, can turn out to be extremely important later, when you go deeper into the analysis of the malware.
There are many tools for static analysis, but only a few of them are really interesting.
In the next sections I describe the most useful ones and show you how to use them.
Hashing: [winMD5free].
First of all, it is a good idea to take a fingerprint of the malware.
Hashing is the common way to uniquely identify a sample: the Message Digest Algorithm 5 (MD5) and the Secure Hash Algorithm (SHA-1) are the ones most often used. Since MD5 collisions are practical, record the SHA-256 as well; that is the hash most online scanners and sandboxes key on today.
For example, we can use winMD5Free to compute the hash and then search for it online.
If the malware is already well known you will find everything about it, and once you know what it does you know how to contain it.
The screenshot shows winMD5Free computing the MD5 hash of a given program.
Once you have the "identity card" of the malware you can search for it on Google and discover everything that is known about it.
String: [strings].
Another way to find useful hints about a malware sample is to extract all the strings it contains.
The strings program scans a file and extracts both ASCII and Unicode strings (more precisely the Windows flavour of Unicode, UTF-16LE, also known as wide-character strings). It ignores context and formatting and simply walks the bytes one by one, so it will also report "strings" that are really code or data bytes which happen to be printable.
You can run strings from the command line:
E:\>strings.exe Lab01-01.exe
Strings v2.51
Copyright (C) 1999-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
!This program cannot be run in DOS mode.
Richm
.text
`.rdata
@.data
_^[
UVWj
@jjj
D$0
_controlfp
_stricmp
kerne132.dll
Kernel32.
Lab01-01.dll
C:\Windows\System32\Kernel32.dll
WARNING_THIS_WILL_DESTROY_YOUR_MACHINE
Error messages and IP addresses are the most interesting information we can find in a file.
In the listing above the strings worth a second look are kerne132.dll (note the digit 1 in place of the letter l: a look-alike of the real kernel32.dll), the full path to the real Kernel32.dll, the DLL name Lab01-01.dll, and the message WARNING_THIS_WILL_DESTROY_YOUR_MACHINE. Entries such as UVWj, on the other hand, are just instruction bytes that happen to be printable.
Packed software [PEiD / exeinfope]
Sometimes the malware we are analyzing is packed. This is a problem because the packer hides most of the information from us, so that static analysis becomes almost useless until the sample is unpacked.
Several programs can help us identify the packer that was used. For example:
- PEiD: a detector for PE (Portable Executable, EXE/DLL) files. It is similar to an antivirus, except that it detects what a file is, not what it does. Mostly it detects packers and protectors such as UPX, PECompact and Armadillo, but it has a customisable signature database to which you can add your own detections. Be careful: the project has been discontinued since April 2011, and many PEiD plugins will run the executable without warning, so use it only inside your isolated lab. Despite this, it is still the best tool available for packer detection.
- exeinfope is another good tool.
Below is an example of the PEiD interface.
PE Header [Dependency Walker / PEView / Resource Hacker Tool]
The PE header can give us a lot of information about the behaviour of an executable.
Using the Dependency Walker program we can find:
the dynamically linked functions;
the imported DLLs.
For example in the above image, in pane 3, we can see all the functions imported from kernel32.dll. If we know which
functions are used, we can infer the malware's behaviour.
There is also a way to import functions 'on the fly', at run time, using a few key functions:
LoadLibrary
GetProcAddress
LdrGetProcAddress
LdrLoadDll
So if you find these functions (often together with a very short import table), it means that the malware is hiding its
intentions from you: the names of the APIs it really uses are resolved only at run time, frequently from obfuscated
strings, so they never appear in the import table. If you want to understand its behaviour in more detail you have to
debug it (but that is a story for another time).
As just said, we can find information about all the DLLs imported by the executable, and each of them tells us
something:
Advapi32.dll: provides access to the Service Control Manager and the registry.
User32.dll: contains the user-interface components, such as buttons, scrollbars, and components for controlling and
responding to user actions.
Gdi32.dll: contains functions for displaying and manipulating graphics.
Kernel32.dll: a very common DLL that contains core functionality, such as access to and manipulation of memory, files,
and hardware.
Shell32.dll: tells us that the program can launch other programs (for example through ShellExecute).
Ntdll.dll: the interface to the Windows kernel. Executables generally do not import this DLL directly, although it is
always imported indirectly through Kernel32.dll. If an executable imports it directly, the author intended to use
functionality not normally available to Windows programs; tasks such as hiding functionality or manipulating processes
use this interface.
WSock32.dll / Ws2_32.dll: the networking DLLs. A program that accesses either of these most likely connects to a
network or performs network-related tasks.
Wininet.dll: higher-level networking functions that implement protocols such as HTTP, HTTPS and FTP.
We can also get information about the PE header using the PEView tool. Sections are very important because we can see
whether only the standard sections (listed below) are present or also custom ones; in the latter case we are probably
dealing with a packer (UPX, for example, names its sections UPX0 and UPX1). Also compare each section's raw size on
disk with its virtual size in memory: a section with almost no data on disk but a large virtual size is space reserved
for code that will be unpacked at run time.
.text: contains the executable code.
.rdata: holds read-only global data that is accessible within the program.
.data: stores global data accessed throughout the program.
.idata: sometimes present; stores the import function information. If this section is not present, the import
information is stored in the .rdata section.
.edata: sometimes present; stores the export function information. If this section is not present, the export
information is stored in the .rdata section.
.pdata: present only in 64-bit executables; stores exception-handling information.
.rsrc: stores the resources needed by the executable (icons, dialogs, string tables, sometimes embedded executables).
.reloc: contains the relocation information applied when the image cannot be loaded at its preferred base address.
We can also look at the .rsrc section (for interesting strings and embedded files) using the free Resource Hacker tool.
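The following Python is an added example (not from the article, and not PEiD's or PEView's code) that walks the section table exactly as described above and applies the heuristics a packer detector combines with its signatures: non-standard section names, high Shannon entropy, and a virtual size far larger than the raw size. The two images it inspects are constructed in the script by build_fake_pe() (minimal, non-runnable PE32 files); the 7.0-bit entropy threshold and the 4x size ratio are assumptions, while UPX0/UPX1 are the section names the real UPX packer uses.

```python
"""Added example (not from the article): parse a PE section table and score it for packing."""
import hashlib
import math
import struct
from collections import Counter

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "data": image[rawptr:rawptr + rawsize]})
    return sections


def packing_indicators(image: bytes) -> list:
    """Heuristics a PEiD-style tool combines with its signature database (thresholds assumed)."""
    findings = []
    for s in parse_sections(image):
        h = entropy(s["data"])
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"{s['name']}: non-standard section name")
        if h > 7.0:
            findings.append(f"{s['name']}: entropy {h:.2f}, looks compressed or encrypted")
        if s["virtual_size"] > 4 * max(s["raw_size"], 1):
            findings.append(f"{s['name']}: virtual size {s['virtual_size']} far exceeds raw size "
                            f"{s['raw_size']}, room for code unpacked at run time")
    return findings


def build_fake_pe(sections) -> bytes:
    """Construct a minimal, non-runnable PE32 image for testing: DOS header, PE signature,
    COFF header, zero-filled optional header and one header per (name, virtual size, data)."""
    opt_size = 224                                                   # PE32 optional header
    header_len = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte alignment
    table, blobs, ptr = b"", b"", header_len
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"), vsize, 0x1000,
                             len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    return (dos + coff + bytes(opt_size) + table).ljust(header_len, b"\x00") + blobs


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256), standing in for packed code."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


# Constructed test images: one that looks like compiler output, one that looks UPX-packed
# (UPX0 is an empty section reserved for the unpacked code, UPX1 holds the compressed image).
CLEAN = build_fake_pe([(".text", 0x300, b"\x55\x8b\xec\x5d\xc3" * 64), (".data", 0x100, bytes(256))])
PACKED = build_fake_pe([("UPX0", 0x20000, b""), ("UPX1", 0x1200, pseudo_random(4096))])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("packed", PACKED)):
        print(label, [(s["name"], s["raw_size"], round(entropy(s["data"]), 2)) for s in parse_sections(img)])
        print("  ", packing_indicators(img) or "no packing indicators")
```

On a real file, call packing_indicators(open(path, "rb").read()); a high-entropy .text with a tiny import table is the usual signature of a packed sample even when no known packer matches.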
Basic Dynamic Analysis.
Dynamic analysis techniques are the second step in the malware analysis process. Dynamic analysis is typically
performed after basic static analysis has reached a dead end, whether due to obfuscation, packing, or the analyst
having exhausted the available static analysis techniques.
Monitor malware activity [procmon / regshot / Process Explorer]
Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor registry, file
system, network, process, and thread activity. It combines and enhances the functionality of two legacy tools: FileMon
and RegMon.
If you want to see only the activity of a particular process you have to choose Filter > Filter... from the menu and
add a rule such as "Process Name is <malware.exe>" (a filter on the path of a dropped file or on a registry key works
the same way).
There are also four important filter buttons on the toolbar that show or hide:
registry activity;
file system activity;
process and thread activity;
network activity (attention: network logging does not work consistently across Windows versions).
Procmon is very useful because it tells us what our target is doing with its environment (registry, file system and
network). Because it logs every event of every process, start it just before running the sample and stop the capture
(Ctrl+E) right after, otherwise the log grows very quickly.
Sometimes our target generates many operations, especially on the registry. So it is very useful to have a tool that
compares two snapshots and gives us just the differences between them.
Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots.
It is very simple to use. There are only four operations you have to do:
Click on the '1st shot' button;
Execute the malware;
Click on the '2nd shot' button when you think the malware has finished its activity;
Click on the 'cOmpare' button.
At the end the software gives you a list of the changes the malware has made to the registry.
This type of information is very useful because it is not a raw log but a digested one. Bear in mind that not every
difference comes from the malware: Explorer, drivers and other background components write to the registry on their
own (the ShellBags, MUICache and CDVol_ entries in the output below are examples of this noise), so take an idle pair of
shots first to learn the baseline, and keep the interval between the two shots short.
Here is an example of the regshot output:
====================================================================
Regshot 1.9.0 x86 ANSI
Comments:
Datetime: 2014/2/1 21:12:14 , 2014/2/1 21:13:07
Computer: TESTXP , TESTXP
Username: admin , admin

----------------------------------
Keys added: 1
----------------------------------
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Multimedia\WaveOwner

----------------------------------
Values added: 19
----------------------------------
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos1313x932(1).x: 0x00000000
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos1313x932(1).y: 0x00000000
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\381\Shell\MinPos1313x932(1).x: …
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31237: "Crea una nuova cartella, vuota, nella cartella aperta."

----------------------------------
Values modified: 18
----------------------------------
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF729
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF566
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF729
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF566
HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_1274&DEV_1371&SUBSYS_13711274&REV_02#4&47B7341&0&0888#{6994ad04-93ef-11d0-a3cc
…
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF729
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF566
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF729
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF566
====================================================================
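As an added example (not regshot's own code), here is the comparison step regshot performs, written in Python against two hand-constructed snapshots. Every key path, value and data in SHOT1 and SHOT2 is made up for illustration (the Updater entry and the HKCU\Software\Lab01 key are hypothetical), the NOISE_PATTERNS list is an assumption derived from the noise visible in the output above, and on a real Windows machine the snapshots would be filled by walking the hives with the winreg module.

```python
"""Added example (not regshot's code): compare two registry snapshots and drop known noise."""
import re

# A snapshot maps a key path to {value name: data}. On Windows you would fill it by
# walking the hives with winreg; here both shots are constructed by hand.
SETTINGS = r"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings"
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MUICACHE = r"HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache"
RUNMRU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

SHOT1 = {
    RUN: {"OneDrive": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    SETTINGS: {"CDVol_Left": 0xFFFFF729, "CDVol_Right": 0xFFFFF729},
    MUICACHE: {"@shell32.dll,-31237": "Create new folder"},
    RUNMRU: {"a": "cmd"},
}
SHOT2 = {
    RUN: {"OneDrive": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          "Updater": r"C:\Users\admin\AppData\Local\Temp\updater.exe"},   # hypothetical persistence entry
    SETTINGS: {"CDVol_Left": 0xFFFFF566, "CDVol_Right": 0xFFFFF729},       # audio driver noise
    MUICACHE: {"@shell32.dll,-31237": "Create new folder", "@shell32.dll,-31238": "Rename"},
    r"HKCU\Software\Lab01": {"Installed": 1},                              # hypothetical marker key
}


def fmt(data) -> str:
    """regshot prints DWORDs as 0x%08X and strings quoted."""
    return f"0x{data:08X}" if isinstance(data, int) else f'"{data}"'


def diff(old: dict, new: dict) -> dict:
    """Same five sections as regshot's report; each entry is 'key\\value: data'."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": []}
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key, {}), new.get(key, {})
        if key not in old:
            report["keys_added"].append(key)
        elif key not in new:
            report["keys_deleted"].append(key)
        for name in sorted(set(before) | set(after)):
            entry = f"{key}\\{name}"
            if name not in before:
                report["values_added"].append(f"{entry}: {fmt(after[name])}")
            elif name not in after:
                report["values_deleted"].append(f"{entry}: {fmt(before[name])}")
            elif before[name] != after[name]:
                report["values_modified"].append(f"{entry}: {fmt(before[name])} -> {fmt(after[name])}")
    return report


# Changes Windows makes on its own while the VM idles (the ShellBags, MUICache and CDVol_
# entries in the regshot output above are typical). Assumed list: learn yours from an idle
# 1st/2nd shot pair and remove those paths before reading the malware's changes.
NOISE_PATTERNS = [r"\\Shell\\Bags\\", r"\\ShellNoRoam\\", r"\\MUICache\\", r"\\CDVol_(Left|Right):"]


def drop_noise(report: dict, patterns=NOISE_PATTERNS) -> dict:
    noise = re.compile("|".join(patterns), re.IGNORECASE)
    return {section: [e for e in entries if not noise.search(e)] for section, entries in report.items()}


def render(report: dict) -> str:
    """regshot-like text: a header line with the count, then the entries."""
    out = []
    for section, entries in report.items():
        out.append(f"{section.replace('_', ' ').capitalize()}: {len(entries)}")
        out.extend(entries)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(drop_noise(diff(SHOT1, SHOT2))))
```

After the noise is removed, what is left on the constructed data is exactly what an analyst wants to see: a new Run value pointing into a Temp folder and a new key under HKCU\Software.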
Another important tool is Process Explorer. This tool monitors the processes running on a system and shows them in a
tree structure that displays parent and child relationships.
Process Explorer is also useful for checking whether a file is really a Microsoft-signed binary. You can do this in two
ways:
- Open the process properties and click the Verify button to check that the image on disk is, in fact, the
Microsoft-signed binary. Because Microsoft signs most of its core executables, when Process Explorer reports the
signature as valid you can be confident that the file is actually the executable from Microsoft. Note that this
verifies the file on disk only: a legitimate, signed process can still have had foreign code injected into it.
- Compare the strings found in memory with those in the on-disk image (the Strings tab of the process properties lets
you switch between Image and Memory). A large difference between the two lists means the image has been modified in
memory, for example by a packer unpacking itself or by injected code.
Go deep into network traffic.
Malware often needs to connect to a remote server, for example to report information to that host or to receive
commands from it.
So it is very important to understand what traffic the malware generates and what it expects to receive.
To obtain this we place ourselves between the malware and the Internet and answer its requests with fake services, a
controlled form of MITM (Man In The Middle) against the malware.
First of all we use ApateDNS (a free tool from Mandiant) to see the DNS requests made by the malware: it listens on
UDP port 53 on the analysis machine and answers every query with the address we choose. To use ApateDNS you have to set:
DNS Reply IP: the IP address you want sent in DNS responses;
# of NXDOMAIN's: the number of NXDOMAIN replies to send before answering; this helps us find all the domains the
malware will loop through when its first choice does not resolve;
Selected interface: the network interface we want to use.
We can set 'DNS Reply IP' to localhost (as in the above example) or we can set it to redirect all the traffic to another
machine, for example a Linux machine, or better, a Linux virtual machine. Whatever we choose, both machines must sit
on an isolated (host-only) network with no route to the real Internet, otherwise a sample that uses hard-coded IP
addresses instead of names will reach its real servers.
On the Linux machine we can install INetSim, a free, Linux-based software suite for simulating common Internet
services. INetSim does its best to look like a real server.
Because INetSim is built with malware analysis in mind, it offers many unique features, such as its Dummy service,
which logs all data received from the client regardless of the port. The Dummy service is most useful for capturing
all traffic sent from the client to ports not bound to any other service module. You can use it to record all the ports
to which the malware connects and the corresponding data that is sent.
Here is an example of all the ports the tool starts up:
  * dns 53/udp/tcp - started (PID 9992)
  * http 80/tcp - started (PID 9993)
  * https 443/tcp - started (PID 9994)
  * smtp 25/tcp - started (PID 9995)
  * irc 6667/tcp - started (PID 10002)
  * smtps 465/tcp - started (PID 9996)
  * ntp 123/udp - started (PID 10003)
  * pop3 110/tcp - started (PID 9997)
  * finger 79/tcp - started (PID 10004)
  * syslog 514/udp - started (PID 10006)
  * tftp 69/udp - started (PID 10001)
  * pop3s 995/tcp - started (PID 9998)
  * time 37/tcp - started (PID 10007)
  * ftp 21/tcp - started (PID 9999)
  * ident 113/tcp - started (PID 10005)
  * time 37/udp - started (PID 10008)
  * ftps 990/tcp - started (PID 10000)
  * daytime 13/tcp - started (PID 10009)
  * daytime 13/udp - started (PID 10010)
  * echo 7/tcp - started (PID 10011)
  * echo 7/udp - started (PID 10012)
  * discard 9/udp - started (PID 10014)
  * discard 9/tcp - started (PID 10013)
  * quotd 17/tcp - started (PID 10015)
  * quotd 17/udp - started (PID 10016)
  * chargen 19/tcp - started (PID 10017)
  * dummy 1/udp - started (PID 10020)
  * chargen 19/udp - started (PID 10018)
  * dummy 1/tcp - started (PID 10019)
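The DNS side of that setup, as an added example that is neither ApateDNS's nor INetSim's code: a sinkhole that answers every A query with a chosen address after first returning a configurable number of NXDOMAIN replies, which is what ApateDNS's 'DNS Reply IP' and '# of NXDOMAIN's' settings do. It is plain Python using only the socket and struct modules; the message layout follows RFC 1035, the domain names are constructed, the 192.168.110.2 address mirrors the lab layout in the article, and the serve() loop needs root/administrator to bind port 53 (the demonstration under __main__ runs offline without it).

```python
"""Added example (not ApateDNS's code): a minimal DNS sinkhole with the '# of NXDOMAIN's' behaviour."""
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query for name, as a stub resolver (or malware) would send it."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def parse_query(packet: bytes) -> tuple:
    """(txid, name, qtype, raw question section) of a single-question DNS message."""
    txid = struct.unpack_from("!H", packet, 0)[0]
    off, labels = 12, []
    while packet[off] != 0:
        length = packet[off]
        labels.append(packet[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    off += 1                                                   # terminating zero label
    qtype = struct.unpack_from("!H", packet, off)[0]
    return txid, ".".join(labels), qtype, packet[12:off + 4]   # question includes qtype + qclass


def build_reply(query: bytes, reply_ip: str, nxdomain: bool = False) -> bytes:
    """Answer an A query with reply_ip (TTL 60) or with NXDOMAIN; non-A queries get NXDOMAIN too."""
    txid, _name, qtype, question = parse_query(query)
    if nxdomain or qtype != 1:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question      # QR, RD, RA, RCODE=3
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(reply_ip)  # name: pointer to offset 12
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_reply(packet: bytes) -> tuple:
    """(rcode, answered IPv4 or None) for replies built above: what the malware will see."""
    _txid, flags, _qdcount, ancount = struct.unpack_from("!HHHH", packet, 0)
    rcode = flags & 0x000F
    if ancount == 0:
        return rcode, None
    question = parse_query(packet)[3]
    off = 12 + len(question)                                   # first resource record
    _ptr, _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHHIH", packet, off)
    return rcode, socket.inet_ntoa(packet[off + 12:off + 12 + rdlen])


class Sinkhole:
    """Reply to every A query with reply_ip, after first returning `nxdomains` NXDOMAIN answers
    so that the malware walks through its fallback domains (ApateDNS's '# of NXDOMAIN's')."""

    def __init__(self, reply_ip: str, nxdomains: int = 0):
        self.reply_ip, self.nxdomains, self.log = reply_ip, nxdomains, []

    def handle(self, packet: bytes) -> bytes:
        _txid, name, qtype, _question = parse_query(packet)
        nx = len(self.log) < self.nxdomains or qtype != 1
        self.log.append((name, "NXDOMAIN" if nx else self.reply_ip))   # the list ApateDNS shows in its window
        return build_reply(packet, self.reply_ip, nxdomain=nx)

    def serve(self, bind: str = "0.0.0.0", port: int = 53) -> None:
        """Blocking UDP loop; port 53 needs administrator/root. Point the victim VM's DNS here."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(512)
            sock.sendto(self.handle(data), peer)


if __name__ == "__main__":
    # Offline demonstration: one NXDOMAIN first, then every name resolves to the INetSim box.
    sink = Sinkhole("192.168.110.2", nxdomains=1)
    for domain in ("c2-primary.example.net", "c2-fallback.example.net"):   # constructed names
        print(domain, "->", parse_reply(sink.handle(build_query(domain))))
    print("log:", sink.log)
```

Only A records are faked here; a real sample may also ask for TXT or MX records, which this sinkhole answers with NXDOMAIN, so keep the log of query types as well when you extend it.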
There is another very useful tool we must use to monitor the network traffic: Wireshark.
Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer
network. It has a rich and powerful feature set. The most common and useful one is the ability to view the contents of a
whole TCP session: right-click any TCP packet and select 'Follow TCP Stream'.
Attention:
Wireshark has a long history of security vulnerabilities in its protocol dissectors, and it parses whatever the malware
sends, so run it only inside the isolated lab network, preferably as an unprivileged user (letting dumpcap do the
privileged capture), never on your host machine.
So what the hell can we do?
We have analyzed all the principal tools we need to perform a dynamic analysis; so how can we put all this software
together to get the most out of our analysis?
On the Windows machine we have to do a few things:
1. start procmon, with a filter on the malware name;
2. start Process Explorer;
3. take the first snapshot with regshot;
4. configure our virtual network (ApateDNS pointing at the machine running INetSim);
5. start Wireshark to capture all the network traffic.
We also have a Linux machine with INetSim installed on it.
So this is the situation:
Windows Virtual Machine (IP: 192.168.110.1)
  Tools: ApateDNS, procmon, regshot, Process Explorer, Wireshark
  Target: the malware
  DNS (port 53): ApateDNS answers every query with 192.168.110.2
Linux Virtual Machine (IP: 192.168.110.2)
  Tool: INetSim
  Services: HTTP (80), HTTPS (443), FTP (21), SMTP (25), etc.
Take a snapshot of both virtual machines before running the sample, so that you can revert to a clean state afterwards.
At this point we can run the malware and look at our tools to find as much information as we need:
1. ApateDNS, to see which DNS requests were performed;
2. procmon, to find which files and folders our malware has modified or created;
3. the regshot comparison, to see what the malware has done to our registry;
4. Process Explorer, to see whether the malware has spawned processes or threads;
5. the Wireshark capture, read together with the information obtained from ApateDNS and INetSim.
Summary
Static and dynamic malware analysis help us understand in detail what behaviour has been built into a piece of
malware. If we know which registry keys and values it has modified, which files it has created, what the malware has
reported to a remote server and which commands it has received from that host, then we can safely assume that it is
possible, and not so hard, to remove the malware from our PC.
Sometimes, however, it is necessary to go much deeper; for example, what can we do if the malware communicates with
the remote host using an encrypted custom protocol? In this case, and in some others, we need to reverse engineer the
malware code.
This will be the subject of the next episode, 'Inside Windows Malicious Software'.
On the Web
● http://bit.ly/ic4plL - strings tool
● http://woodmann.com/BobSoft/Pages/Programs/PEiD - PEiD tool
● http://www.woodmann.com/collaborative/tools/index.php/ExeInfo_PE - exeinfope tool
● http://www.dependencywalker.com/ - Dependency Walker tool
● http://peview.sourceforge.net/ - PEView tool
● http://www.angusj.com/resourcehacker/ - Resource Hacker tool
● http://download.sysinternals.com/files/ProcessMonitor.zip - procmon tool
● http://sourceforge.net/projects/regshot/ - regshot tool
● http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx - Process Explorer tool
● https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns - ApateDNS tool
● http://www.inetsim.org/downloads.html - INetSim tool
● http://www.wireshark.org/download.html - wireshark tool
About the author
Luigi Capuzzello started with computing in late 1986 (on a beautiful Apple IIe) when he was thirteen years old.
After taking a degree in robotics he worked for more than fifteen years in several areas of IT, but now he is strongly
focused on IT security.
His main tasks are related to testing application security (especially web applications) and to reverse engineering
techniques.
Specialties: Project Management, Information Security, Vulnerability Analysis, Penetration Testing, Ethical Hacking, Web
Application Security
You can find him on http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
Other references
- Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, by Michael Hale Ligh, Steven
Adair, Blake Hartstein and Matthew Richard
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig