n|u - The Open Security Community, profile picture
Uploaded byn|u - The Open Security Community
1,758 views

Malware Analysis -an overview by PP Singh

This document provides an overview of a game plan for analyzing malware. It will include a theoretical overview today followed by detailed presentations on virtualization, honeypots/honeynets, debugging, and more. It discusses setting up a controlled lab environment for analysis including static analysis, network traffic analysis, disk/file system analysis, and memory analysis. It also discusses various tools that can be used for each part of the analysis process.

Embed presentation

Downloaded 74 times
AN OVERVIEW – PART I
OUR GAME PLAN  TODAY – A THEORETICAL OVERVIEW FOLLOWED BY A CASE STUDY  DETAILED PRESENTATIONS ABOUT EACH COMPONENT.  VIRTUALIZATION.  HONEYPOTS / HONEYNETS.  DEBUGGING  AND SO ON (HOPEFULLY)   
 CAPABILITY FOR ‘ABSTRACT MATHEMATICS’  ASSEMBLY LANGUAGE  LACK OF SOCIAL LIFE  ADEQUATE ‘BEHAVIOR MODIFICATION’ OR ‘TRANCE INDUCING’ MATERIALS.
 BASICS  SETTING UP A LAB ENVIRONMENT  ANALYSIS o NETWORK TRAFFIC o DISK IMAGE / FILE SYSTEM o MEMORY IMAGE o STATIC ANALYSIS
 TRADITIONALLY WE HAD – SOURCE CODE AUDITING – PRIME REQUIREMENT WAS SAFETY OF CODE.  THEN CAME PROPRIETARY CODE AND WITH IT ‘BLACK BOX TESTING’  ALONG CAME MODULAR COMPONENTS AND WE GRADUATED TO ‘REVERSE ENGINEERING’
 WITH COTS PRODUCT CAME ISSUES OF TRUST – MICROSOFT IS SAFE  BUT WHAT ABOUT THE GUYS WHO MADE THE DLL.  SUGGESTED READING ‘WYSINWYX’ GOGUL BALAKRISHNAN’s PHD THESIS.  METHOD TO REVERSE ENGINEERING ALONG WITH ALL ASSOCIATED LIBRARIES ‘HOLISTIC REVERSE ENGINEERING’
 A FOCUSED APPLICATION– MALWARE ANALYSIS.  WHY – TRADITIONAL SIGNATURE BASED ANALYSIS IS FUTILE GIVEN THE EVOLVING MALWARE.  SAME LOGIC HAS MULTIPLE ‘SIGNATURES’  HENCE ‘BEHAVIORAL ANALYSIS’
 PROS & CONS OF BOTH STATIC ANALYSIS & BEHAVIORAL ANALYSIS.  LARGER VOLUMES OF SAMPLES NECESSITATE ‘AUTOMATION’.  ENTER CWSANDBOX, NORMAN SANDBOX & OTHERS  BUT WE NEED ‘MORE’
 OVERLAPPED WITH FORENSICS.  PRIVACY & POLICY ISSUES.  WISH TO LEARN  ‘LIVE’ EXERCISE – PART OF GROWING UP  FIELD OF WORK  REQUIREMENT OF CUSTOMIZED DATA  COMPLEXITIES IN THE MALWARE WORLD
 BASICS  SETTING UP A LAB ENVIRONMENT  ANALYSIS o STATIC ANALYSIS o NETWORK TRAFFIC o DISK IMAGE / FILE SYSTEM o MEMORY IMAGE
 A CONTROLLED ENVIRONMENT. ▪ MALWARE COLLECTION. MALWARE COLLECTION THROUGH SPAM TRAPS, HONEY POTS AND SHARED DATA. NEPENTHES AS AN EXAMPLE. ▪ VICTIM MACHINES. VIRTUALISATION OR REAL. VIRTUAL MACHINES ARE EASIER TO MANAGE BUT MALWARE INCREASINGLY BECOMING MORE AWARE OF THEM. VIRTUAL MACHINES LIKE VMWARE, PARALLELS, QEMU AND BOCHS ARE AVAILABLE.
▪ SUPPORT TOOLS. ▪ NETWORK SIMULATION. INTERNET CONNECTION, DNS CONNECTION, IRC, WEB, SMTP, SERVER ▪ ANALYSIS TOOLS. SUPPORT OF ONLINE RESOURCES LIKE VIRUS TOTAL.  IT SHOULD BE ISOLATED.  IT SHOULD PROVIDE A FULL SIMULATION.
 FRIENDS  ONLINE RESOURCES  HONEYPOTS o AMUN o NEPENTHES o ….
 WINDOWS OS   START – WINDOW IMAGE USING LINUX  THE RE-USABLE MALWARE ANALYSIS NET ‘TRUMAN’  VIRTUAL MACHINES  NORTON GHOST / UDPCAST / ACRONIS  HARDWARE – CORE RESTORE  MICROSOFT – STEADY STATE
 THIS MINI LINUX IMPLEMENTATION CONTAINS TOOLS LIKE PARTIMAGE, NTFSRESIZE, AND FDISK AND IS BASED AROUND THE FANTASTIC BUSYBOX.  IT ENABLES YOU TO PXE BOOT A PC INTO A LINUX CLIENT WHICH CAN CREATE AN NTFS PARTITION, GRAB A WINDOWS DISK IMAGE FROM THE NETWORK, WRITE IT TO A LOCAL DISK AND THEN RESIZE THAT PARTATION.
 TWO MINIMUM MACHINES.  LINUX BASED SERVER  TRUMAN MACHINE AS CLIENT (XP WITHOUT PATCHES). INSTALLATION FAQ ON NSMWIKI.  VIRTUAL NETWORK SIMULATION
 MAVMM: LIGHTWEIGHT AND PURPOSE BUILT VMM FOR MALWARE ANALYSIS  AUTHORS - ANH M. NGUYEN, NABIL SCHEAR, HEEDONG JUNG, APEKSHA GODIYAL, SAMUEL T. KING, HAI D. NGUYEN  A SPECIAL PURPOSE VIRTUAL MACHINE FOR MALWARE ANALYSIS
 ACADEMIC VERSION OF XP AVAILABLE.  INSTRUMENTATION OF CODE FEASIBLE  CREATION OF ‘SPECIAL WINDOWS’ BOXES
 BASICS  SETTING UP A LAB ENVIRONMENT  ANALYSIS o STATIC ANALYSIS o NETWORK TRAFFIC o DISK IMAGE / FILE SYSTEM o MEMORY IMAGE
 CREATE A CONTROLLED ENVIRONMENT. VIRTUAL OR REAL.  BASELINE THE ENVIRONMENT:- ▪ VICTIM MACHINE. FILE SYSTEM, REGISTRY, RUNNING PROCESSES, OPEN PORTS, USERS, GROUPS, NETWORK SHARES, SERVICES ETC. ▪ NETWORK TRAFFIC. ▪ EXTERNAL VIEW.
 INFORMATION COLLECTION. ▪ STATIC. STRINGS, RESOURCES, SCRIPTS, FILE PROPERTIES ETC ▪ DYNAMIC.  INFORMATION ANALYSIS. INVOLVES INFORMATION COLLATION, INTERNET SEARCHES, STARTUP METHODS, COMMUNICATION PROTOCOLS, SPREADING MECHANISMS ETC  RECONSTRUCTING THE BIG PICTURE.  DOCUMENTATION.
 PSEXEC – PART OF SYSINTERNALS PSTOOLS KIT.  MS REMOTE DESKTOP   VIRTUAL NETWORK COMPUTING (VNC)  ULTRAVNC – SOURCEFORGE  IF YOU ARE COMFORTABLE WITH REMOTE COMMAND LINE – PSEXEC
 BASELINE INFORMATION o NETWORK TRAFFIC o FILE SYSTEM o REGISTRY o MEMORY IMAGE
 REMEMBER IT IS ‘MALWARE’  USE PKZIP TO HANDLE THE SAMPLE  COMMAND LINE METHOD  IF YOU ARE SUBMITTING SAMPLES ONLINE PASSWORD = ‘infected’
 DISK IMAGE ANALYSIS ADVANCED INTRUSION DETECTION ENVIRONMENT FOR COMPARING DISK IMAGES BEFORE AND AFTER.  NTFS-3G DRIVERS & GETFATTR FOR ADS STREAMS.  REGISTRY USING DUMPHIVE  COMPARE REGISTRY DUMP BEFORE AND AFTER USING LINUX DIFF –U COMMAND  MEMORY IMAGE ANALYSIS. PMODUMP.PL MODIFIED TO HANDLE PEB RANDOMISATIONS, VOLATILITY FRAMEWORK USED FOR ANALYSIS.  OUTPUTS OF MULTIPLE TOOLS USED TO COMPARE AND ANALYSE.
 FILE SYSTEM AND REGISTRY MONITORING: PROCESS MONITOR AND CAPTURE BAT  PROCESS MONITORING: PROCESS EXPLORER AND PROCESS HACKER  NETWORK MONITORING: WIRESHARK AND SMARTSNIFF  CHANGE DETECTION: REGSHOT
 A GOOD WAY TO SEE CHANGES TO THE NETWORK IS WITH A TOOL CALLED NDIFF.  NDIFF IS A TOOL THAT UTILIZES NMAP OUTPUT TO IDENTIFY THE DIFFERENCES, OR CHANGES THAT HAVE OCCURRED IN YOUR ENVIRONMENT.  NDIFF CAN BE DOWNLOADED FROM http://www.vinecorp.com/ndiff/.
 TCPDUMP – CONSOLE  WINDUMP – CONSOLE  WIRESHARK – GUI
 THE OPTIONS OFFERED IN NDIFF INCLUDE: ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>] [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>] [-fmt|-format <terse | minimal | verbose | machine | html | htmle>]  NDIFF OUTPUT MAY BE REDIRECTED TO A WEB PAGE: ndiff –b base-line.txt –o tested.txt –fmt machine | ndiff2html > differences.html  THE OUTPUT FILE, “DIFFERENCES.HTML”, MAY BE DISPLAYED IN A WEB BROWSER. THIS WILL SEPARATE HOSTS INTO THREE MAIN CATEGORIES: o NEW HOSTS, o MISSING HOSTS, AND o CHANGED HOSTS.
 NETSTAT  FPORT  TCPVcon – CONSOLE  TCPView – GUI  HANDLE – CONSOLE  PROCESS EXPLORER – GUI USE PID TO CORRELATE OUTPUTS
 HASHING FUNCTIONS o MD5DEEP – JESSE KORNBLUM  FUZZY HASHING o SSDEEP – AGAIN JESSE  ONLINE HASHES OF GOOD FILES – NIST
 A GOOD START  VIRUSTOTAL  VIRUSSCAN  AND MANY MORE  HELP RETAIN FOCUS
 virus@ca.com  sample@nod32.com  samples@f-secure.com  newvirus@kaspersky.com  VIRUSTOTAL, JOTTI, VIRUS.ORG  MANY MORE
 PEID  POLYUNPACK RENOVO – PART OF BIT BLAZE BASED ON MEMORY UNPACKING  AND MANY MORE
 TOOLS:- o PEVIEW o DEPENDS o PE BROWSE PRO o OBJ DUMP o RESOURCE HACKER o STRINGS  DETERMINE THE DATE/ TIME OF COMPILATION, FUNCTIONS IMPORTED BY THE PROGRAM, ICONS, MENUS, VERSION, INFO AND STRINGS EMBEDDED IN THE RESOURCES.
 STRINGS  VIP UTILITY – www.freespaceinternetsecurity.com  InCtrl5  SANDBOXIE  FILEMON  REGMON  AUTORUNS  HIJACK THIS  ……..
 PE FORMAT  NEED I SAY MORE.  LORD PE  CAN ALSO DO MEMORY DUMPS  PETOOLS  PEID  TO FIND PACKER DETAILS
 WINDBG  OLLYDBG  IDA PRO  SYSRDBG – KERNEL LEVEL ?  KERNEL DEBUGGER FROM MS  KNOWLEDGE OF ASSEMBLY LANGUAGE CRITICAL  TRAP – API EMULATION
 JAVASCRIPT OBFUSCATION – SPIDER MONKEY.  TOOLS FOR MS OFFICE FORMATS:-  OFFICEMALSCANNER  OFFVIS  OFFICE BINARY TRANSLATOR (INCLUDES BIFFVIEW TOOL).  OFFICECAT.  FILEHEX AND FILEINSIGHT HEX EDITORS CAN PARSE AND EDIT OLE STRUCTURES.  SIMILARLY TOOLS FOR PDF, FLASH ETC
 EXTENSIVE FEATURES ≠ GOOD TOOL  REQUIREMENT TO SCRIPT & PARSE OUTPUTS INTO A ‘READABLE REPORT’  COMMAND LINE / GUI OPTIONS  COMPARISON OF MULTIPLE TOOLS AS VERIFICATION
 RAPID ASSESSMENT & POTENTIAL INCIDENT EXAMINATION REPORT  RAPIER IS A SECURITY TOOL BUILT TO FACILITATE FIRST RESPONSE PROCEDURES FOR INCIDENT HANDLING.  OVERLAP BETWEEN FORENSICS AND MALWARE ANALYSIS.  TO ILLUSTRATE THE REQUIREMENT TO ‘SCRIPT AROUND GUI TOOLS’
 AS PART OF ANALYSIS, TRY TO IDENTIFY THE SOURCE.  BLOCK LISTS OF SUSPECTED MALICIOUS IPS AND URLS  LOOKING UP POTENTIALLY MALICIOUS WEBSITES  INITIAL VECTOR – BROWSER HISTORY, EMAIL LOGS
 SIMILARITY STUDIES:-  http://code.google.com/p/yara-project/  GENOME BASED CLASSIFICATION  MALWARE SIMILARITY ANALYSIS – BLACK HAT 09 - DANIEL RAYGOZA  BLAST: BASIC LOCAL ALIGNMENT SEARCH TOOL BASED CLASSIFICATION  FUZZY CLARITY – DIGITAL NINJA
 RESEARCH IS ON FOR CLASSIFICATION ACCORDING TO:- o OPCODE DISTRIBUTION o API CALLS MADE o COMPILER PARAMETER o …… o WILL GIVE THE ‘HEURISTICS'
 ALWAYS CORRELATE THE ANALYSIS:- o ANUBIS (FORMERLY TTANALYSE) o BIT BLAZE ( COUSIN OF WEB BLAZE PROJECT) o COMODO o CWSANDBOX o EUREKA o JOEBOX o NORMAN SANDBOX o THREAT EXPERT o XANDORA
 SUGGESTED READING o WILDCAT: AN INTEGRATED STEALTH ENVIRONMENT FOR DYNAMIC MALWARE ANALYSIS – AMIT VASUDEVAN o ‘WYSINWYX’ WHAT YOU SEE IS NOT WHAT YOU EXECUTE - GOGUL BALAKRISHNAN o LARGE-SCALE DYNAMIC MALWARE ANALYSIS - ULRICH BAYER
Malware Analysis -an overview by PP Singh

More Related Content

PDF
SIEM Architecture
byNishanth Kumar Pathi
 
PDF
What is SIEM? A Brilliant Guide to the Basics
bySagar Joshi
 
PPT
Multimedia Database
byshaikh2016
 
PPT
Datawarehouse and OLAP
bySAS SNDP YOGAM COLLEGE,KONNI
 
PDF
Data mining
byR A Akerkar
 
PPT
4.3 multimedia datamining
byKrish_ver2
 
PDF
Skillshare - Introduction to Data Scraping
bySchool of Data
 
PPTX
Knowledge discovery process
byShuvra Ghosh
 
SIEM Architecture
byNishanth Kumar Pathi
 
What is SIEM? A Brilliant Guide to the Basics
bySagar Joshi
 
Multimedia Database
byshaikh2016
 
Datawarehouse and OLAP
bySAS SNDP YOGAM COLLEGE,KONNI
 
Data mining
byR A Akerkar
 
4.3 multimedia datamining
byKrish_ver2
 
Skillshare - Introduction to Data Scraping
bySchool of Data
 
Knowledge discovery process
byShuvra Ghosh
 

What's hot

PPTX
Security Information and Event Management (SIEM)
byhardik soni
 
PPTX
ETL Process
byRashmi Bhat
 
PPTX
Vsam
bykapa rohit
 
PDF
EDA-Unit 1.pdf
byNirmalavenkatachalam
 
PPTX
Power of Splunk Search Processing Language (SPL) ...
bySplunk
 
PPT
XSS and CSRF with HTML5
byShreeraj Shah
 
PPT
Multimedia Data Mining using Deep Learning
byBhagyashree Barde
 
PPTX
Machine learning
bymajunathkh
 
PPTX
Structured Vs, Object Oriented Analysis and Design
byMotaz Saad
 
PPSX
Entity beans in java
byAcp Jamod
 
PDF
Arcsight explained
byanilkumar484492
 
PPT
5.3 mining sequential patterns
byKrish_ver2
 
PDF
Active Directory in ICS: Lessons Learned From The Field
byDigital Bond
 
PDF
Web application security & Testing
byDeepu S Nath
 
PPTX
Fuzzing
byKhalegh Salehi
 
PPTX
Introduction to SIEM.pptx
byneoalt
 
PPTX
Database security
byBirju Tank
 
PPTX
Data mining , Knowledge Discovery Process, Classification
byDr. Abdul Ahad Abro
 
PPTX
SIEM : Security Information and Event Management
bySHRIYARAI4
 
PDF
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
Security Information and Event Management (SIEM)
byhardik soni
 
ETL Process
byRashmi Bhat
 
Vsam
bykapa rohit
 
EDA-Unit 1.pdf
byNirmalavenkatachalam
 
Power of Splunk Search Processing Language (SPL) ...
bySplunk
 
XSS and CSRF with HTML5
byShreeraj Shah
 
Multimedia Data Mining using Deep Learning
byBhagyashree Barde
 
Machine learning
bymajunathkh
 
Structured Vs, Object Oriented Analysis and Design
byMotaz Saad
 
Entity beans in java
byAcp Jamod
 
Arcsight explained
byanilkumar484492
 
5.3 mining sequential patterns
byKrish_ver2
 
Active Directory in ICS: Lessons Learned From The Field
byDigital Bond
 
Web application security & Testing
byDeepu S Nath
 
Fuzzing
byKhalegh Salehi
 
Introduction to SIEM.pptx
byneoalt
 
Database security
byBirju Tank
 
Data mining , Knowledge Discovery Process, Classification
byDr. Abdul Ahad Abro
 
SIEM : Security Information and Event Management
bySHRIYARAI4
 
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 

Viewers also liked

PPTX
Dhbci diy ppt dash pres.(Final)
byASUHealthDesignClass
 
PPT
Hydration
byzthomps17
 
PPTX
Microsoft PowerPoint Ch. 2
bymalik1972
 
PPTX
Swot analysis
byGunjan Srivastava
 
PDF
6 SWOT Analysis Examples to Help You Write Your Own
byPalo Alto Software
 
PDF
Nine Pages You Should Optimize on Your Blog and How
byLeslie Samuel
 
PDF
How to Become a Thought Leader in Your Niche
byLeslie Samuel
 
Dhbci diy ppt dash pres.(Final)
byASUHealthDesignClass
 
Hydration
byzthomps17
 
Microsoft PowerPoint Ch. 2
bymalik1972
 
Swot analysis
byGunjan Srivastava
 
6 SWOT Analysis Examples to Help You Write Your Own
byPalo Alto Software
 
Nine Pages You Should Optimize on Your Blog and How
byLeslie Samuel
 
How to Become a Thought Leader in Your Niche
byLeslie Samuel
 

Similar to Malware Analysis -an overview by PP Singh

PPTX
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
bygrecsl
 
PPTX
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
PDF
H@dfex 2015 malware analysis
byCharles Lim
 
PDF
Project in malware analysis:C2C
byFabrizio Farinacci
 
PPTX
Malware analysis as a hobby (Owasp Göteborg)
byMichael Boman
 
PPTX
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
PPTX
malware analysis three analysis ways.pptx
byflutterlyuser
 
PDF
CNIT 126: Ch 2 & 3
bySam Bowne
 
PDF
Modern malware and threats
byMartin Holovský
 
PDF
Malware Analysis on a Shoestring Budget
byMichael Boman
 
PDF
Cyber Defense Forensic Analyst - Real World Hands-on Examples
bySandeep Kumar Seeram
 
PDF
Intro2 malwareanalysisshort
byVincent Ohprecio
 
PPTX
Basic Dynamic Analysis of Malware
byNatraj G
 
ODP
Malware analysis
byxabean
 
PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
PPTX
Malware Analysis as a Hobby
byMichael Boman
 
PPTX
Malware Analysis as a Hobby - 44CON 2012
by44CON
 
PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
PPTX
Malware Classification and Analysis
byPrashant Chopra
 
PDF
Practical Incident Response - Work Guide
byEduardo Chavarro
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
bygrecsl
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
H@dfex 2015 malware analysis
byCharles Lim
 
Project in malware analysis:C2C
byFabrizio Farinacci
 
Malware analysis as a hobby (Owasp Göteborg)
byMichael Boman
 
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
malware analysis three analysis ways.pptx
byflutterlyuser
 
CNIT 126: Ch 2 & 3
bySam Bowne
 
Modern malware and threats
byMartin Holovský
 
Malware Analysis on a Shoestring Budget
byMichael Boman
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
bySandeep Kumar Seeram
 
Intro2 malwareanalysisshort
byVincent Ohprecio
 
Basic Dynamic Analysis of Malware
byNatraj G
 
Malware analysis
byxabean
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
Malware Analysis as a Hobby
byMichael Boman
 
Malware Analysis as a Hobby - 44CON 2012
by44CON
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
Malware Classification and Analysis
byPrashant Chopra
 
Practical Incident Response - Work Guide
byEduardo Chavarro
 

More from n|u - The Open Security Community

PDF
Hardware security testing 101 (Null - Delhi Chapter)
byn|u - The Open Security Community
 
PDF
Osint primer
byn|u - The Open Security Community
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
PPTX
Nmap basics
byn|u - The Open Security Community
 
PDF
Metasploit primary
byn|u - The Open Security Community
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PDF
Introduction to TLS 1.3
byn|u - The Open Security Community
 
PDF
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
byn|u - The Open Security Community
 
PDF
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
PPTX
Building active directory lab for red teaming
byn|u - The Open Security Community
 
PPTX
Owning a company through their logs
byn|u - The Open Security Community
 
PPTX
Introduction to shodan
byn|u - The Open Security Community
 
PDF
Cloud security
byn|u - The Open Security Community
 
PDF
Detecting persistence in windows
byn|u - The Open Security Community
 
PPTX
Frida - Objection Tool Usage
byn|u - The Open Security Community
 
PDF
OSQuery - Monitoring System Process
byn|u - The Open Security Community
 
PDF
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
PDF
Extensible markup language attacks
byn|u - The Open Security Community
 
PPTX
Linux for hackers
byn|u - The Open Security Community
 
PDF
Android Pentesting
byn|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
byn|u - The Open Security Community
 
Osint primer
byn|u - The Open Security Community
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
Nmap basics
byn|u - The Open Security Community
 
Metasploit primary
byn|u - The Open Security Community
 
Api security-testing
byn|u - The Open Security Community
 
Introduction to TLS 1.3
byn|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
byn|u - The Open Security Community
 
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
Building active directory lab for red teaming
byn|u - The Open Security Community
 
Owning a company through their logs
byn|u - The Open Security Community
 
Introduction to shodan
byn|u - The Open Security Community
 
Cloud security
byn|u - The Open Security Community
 
Detecting persistence in windows
byn|u - The Open Security Community
 
Frida - Objection Tool Usage
byn|u - The Open Security Community
 
OSQuery - Monitoring System Process
byn|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
Extensible markup language attacks
byn|u - The Open Security Community
 
Linux for hackers
byn|u - The Open Security Community
 
Android Pentesting
byn|u - The Open Security Community
 

Recently uploaded

PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Workflow and decision Automation with Flowable
bychakib ch
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
final.pdf
byomarbishtawi04
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 

Malware Analysis -an overview by PP Singh

  • 1.
  • 2.
    OUR GAME PLAN TODAY – A THEORETICAL OVERVIEW FOLLOWED BY A CASE STUDY  DETAILED PRESENTATIONS ABOUT EACH COMPONENT.  VIRTUALIZATION.  HONEYPOTS / HONEYNETS.  DEBUGGING  AND SO ON (HOPEFULLY)   
  • 3.
    CAPABILITY FOR ‘ABSTRACT MATHEMATICS’  ASSEMBLY LANGUAGE  LACK OF SOCIAL LIFE  ADEQUATE ‘BEHAVIOR MODIFICATION’ OR ‘TRANCE INDUCING’ MATERIALS.
  • 4.
    BASICS  SETTING UP A LAB ENVIRONMENT  ANALYSIS o NETWORK TRAFFIC o DISK IMAGE / FILE SYSTEM o MEMORY IMAGE o STATIC ANALYSIS
  • 5.
    TRADITIONALLY WE HAD – SOURCE CODE AUDITING – PRIME REQUIREMENT WAS SAFETY OF CODE.  THEN CAME PROPRIETARY CODE AND WITH IT ‘BLACK BOX TESTING’  ALONG CAME MODULAR COMPONENTS AND WE GRADUATED TO ‘REVERSE ENGINEERING’
  • 6.
    WITH COTS PRODUCT CAME ISSUES OF TRUST – MICROSOFT IS SAFE  BUT WHAT ABOUT THE GUYS WHO MADE THE DLL.  SUGGESTED READING ‘WYSINWYX’ GOGUL BALAKRISHNAN’s PHD THESIS.  METHOD TO REVERSE ENGINEERING ALONG WITH ALL ASSOCIATED LIBRARIES ‘HOLISTIC REVERSE ENGINEERING’
  • 7.
    A FOCUSED APPLICATION– MALWARE ANALYSIS.  WHY – TRADITIONAL SIGNATURE BASED ANALYSIS IS FUTILE GIVEN THE EVOLVING MALWARE.  SAME LOGIC HAS MULTIPLE ‘SIGNATURES’  HENCE ‘BEHAVIORAL ANALYSIS’
  • 8.
    PROS & CONS OF BOTH STATIC ANALYSIS & BEHAVIORAL ANALYSIS.  LARGER VOLUMES OF SAMPLES NECESSITATE ‘AUTOMATION’.  ENTER CWSANDBOX, NORMAN SANDBOX & OTHERS  BUT WE NEED ‘MORE’
  • 9.
    OVERLAPPED WITH FORENSICS.  PRIVACY & POLICY ISSUES.  WISH TO LEARN  ‘LIVE’ EXERCISE – PART OF GROWING UP  FIELD OF WORK  REQUIREMENT OF CUSTOMIZED DATA  COMPLEXITIES IN THE MALWARE WORLD
  • 10.
    BASICS  SETTING UP A LAB ENVIRONMENT  ANALYSIS o STATIC ANALYSIS o NETWORK TRAFFIC o DISK IMAGE / FILE SYSTEM o MEMORY IMAGE
  • 11.
     A CONTROLLEDENVIRONMENT. ▪ MALWARE COLLECTION. MALWARE COLLECTION THROUGH SPAM TRAPS, HONEY POTS AND SHARED DATA. NEPENTHES AS AN EXAMPLE. ▪ VICTIM MACHINES. VIRTUALISATION OR REAL. VIRTUAL MACHINES ARE EASIER TO MANAGE BUT MALWARE INCREASINGLY BECOMING MORE AWARE OF THEM. VIRTUAL MACHINES LIKE VMWARE, PARALLELS, QEMU AND BOCHS ARE AVAILABLE.
  • 12.
    ▪ SUPPORT TOOLS. ▪ NETWORK SIMULATION. INTERNET CONNECTION, DNS CONNECTION, IRC, WEB, SMTP, SERVER ▪ ANALYSIS TOOLS. SUPPORT OF ONLINE RESOURCES LIKE VIRUS TOTAL.  IT SHOULD BE ISOLATED.  IT SHOULD PROVIDE A FULL SIMULATION.
  • 13.
    FRIENDS  ONLINE RESOURCES  HONEYPOTS o AMUN o NEPENTHES o ….
  • 14.
    WINDOWS OS   START – WINDOW IMAGE USING LINUX  THE RE-USABLE MALWARE ANALYSIS NET ‘TRUMAN’  VIRTUAL MACHINES  NORTON GHOST / UDPCAST / ACRONIS  HARDWARE – CORE RESTORE  MICROSOFT – STEADY STATE
  • 15.
    THIS MINI LINUX IMPLEMENTATION CONTAINS TOOLS LIKE PARTIMAGE, NTFSRESIZE, AND FDISK AND IS BASED AROUND THE FANTASTIC BUSYBOX.  IT ENABLES YOU TO PXE BOOT A PC INTO A LINUX CLIENT WHICH CAN CREATE AN NTFS PARTITION, GRAB A WINDOWS DISK IMAGE FROM THE NETWORK, WRITE IT TO A LOCAL DISK AND THEN RESIZE THAT PARTATION.
  • 16.
    TWO MINIMUM MACHINES.  LINUX BASED SERVER  TRUMAN MACHINE AS CLIENT (XP WITHOUT PATCHES). INSTALLATION FAQ ON NSMWIKI.  VIRTUAL NETWORK SIMULATION
  • 19.
    MAVMM: LIGHTWEIGHT AND PURPOSE BUILT VMM FOR MALWARE ANALYSIS  AUTHORS - ANH M. NGUYEN, NABIL SCHEAR, HEEDONG JUNG, APEKSHA GODIYAL, SAMUEL T. KING, HAI D. NGUYEN  A SPECIAL PURPOSE VIRTUAL MACHINE FOR MALWARE ANALYSIS
  • 20.
    ACADEMIC VERSION OF XP AVAILABLE.  INSTRUMENTATION OF CODE FEASIBLE  CREATION OF ‘SPECIAL WINDOWS’ BOXES
  • 21.
    BASICS  SETTING UP A LAB ENVIRONMENT  ANALYSIS o STATIC ANALYSIS o NETWORK TRAFFIC o DISK IMAGE / FILE SYSTEM o MEMORY IMAGE
  • 22.
     CREATE ACONTROLLED ENVIRONMENT. VIRTUAL OR REAL.  BASELINE THE ENVIRONMENT:- ▪ VICTIM MACHINE. FILE SYSTEM, REGISTRY, RUNNING PROCESSES, OPEN PORTS, USERS, GROUPS, NETWORK SHARES, SERVICES ETC. ▪ NETWORK TRAFFIC. ▪ EXTERNAL VIEW.
  • 23.
     INFORMATION COLLECTION. ▪ STATIC. STRINGS, RESOURCES, SCRIPTS, FILE PROPERTIES ETC ▪ DYNAMIC.  INFORMATION ANALYSIS. INVOLVES INFORMATION COLLATION, INTERNET SEARCHES, STARTUP METHODS, COMMUNICATION PROTOCOLS, SPREADING MECHANISMS ETC  RECONSTRUCTING THE BIG PICTURE.  DOCUMENTATION.
  • 24.
    PSEXEC – PART OF SYSINTERNALS PSTOOLS KIT.  MS REMOTE DESKTOP   VIRTUAL NETWORK COMPUTING (VNC)  ULTRAVNC – SOURCEFORGE  IF YOU ARE COMFORTABLE WITH REMOTE COMMAND LINE – PSEXEC
  • 25.
    BASELINE INFORMATION o NETWORK TRAFFIC o FILE SYSTEM o REGISTRY o MEMORY IMAGE
  • 26.
    REMEMBER IT IS ‘MALWARE’  USE PKZIP TO HANDLE THE SAMPLE  COMMAND LINE METHOD  IF YOU ARE SUBMITTING SAMPLES ONLINE PASSWORD = ‘infected’
  • 27.
     DISK IMAGE ANALYSIS ADVANCED INTRUSION DETECTION ENVIRONMENT FOR COMPARING DISK IMAGES BEFORE AND AFTER.  NTFS-3G DRIVERS & GETFATTR FOR ADS STREAMS.  REGISTRY USING DUMPHIVE  COMPARE REGISTRY DUMP BEFORE AND AFTER USING LINUX DIFF –U COMMAND  MEMORY IMAGE ANALYSIS. PMODUMP.PL MODIFIED TO HANDLE PEB RANDOMISATIONS, VOLATILITY FRAMEWORK USED FOR ANALYSIS.  OUTPUTS OF MULTIPLE TOOLS USED TO COMPARE AND ANALYSE.
  • 28.
    FILE SYSTEM AND REGISTRY MONITORING: PROCESS MONITOR AND CAPTURE BAT  PROCESS MONITORING: PROCESS EXPLORER AND PROCESS HACKER  NETWORK MONITORING: WIRESHARK AND SMARTSNIFF  CHANGE DETECTION: REGSHOT
  • 29.
    A GOOD WAY TO SEE CHANGES TO THE NETWORK IS WITH A TOOL CALLED NDIFF.  NDIFF IS A TOOL THAT UTILIZES NMAP OUTPUT TO IDENTIFY THE DIFFERENCES, OR CHANGES THAT HAVE OCCURRED IN YOUR ENVIRONMENT.  NDIFF CAN BE DOWNLOADED FROM http://www.vinecorp.com/ndiff/.
  • 30.
    TCPDUMP – CONSOLE  WINDUMP – CONSOLE  WIRESHARK – GUI
  • 31.
     THEOPTIONS OFFERED IN NDIFF INCLUDE: ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>] [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>] [-fmt|-format <terse | minimal | verbose | machine | html | htmle>]  NDIFF OUTPUT MAY BE REDIRECTED TO A WEB PAGE: ndiff –b base-line.txt –o tested.txt –fmt machine | ndiff2html > differences.html  THE OUTPUT FILE, “DIFFERENCES.HTML”, MAY BE DISPLAYED IN A WEB BROWSER. THIS WILL SEPARATE HOSTS INTO THREE MAIN CATEGORIES: o NEW HOSTS, o MISSING HOSTS, AND o CHANGED HOSTS.
  • 32.
    NETSTAT  FPORT  TCPVcon – CONSOLE  TCPView – GUI  HANDLE – CONSOLE  PROCESS EXPLORER – GUI USE PID TO CORRELATE OUTPUTS
  • 33.
    HASHING FUNCTIONS o MD5DEEP – JESSE KORNBLUM  FUZZY HASHING o SSDEEP – AGAIN JESSE  ONLINE HASHES OF GOOD FILES – NIST
  • 34.
    A GOOD START  VIRUSTOTAL  VIRUSSCAN  AND MANY MORE  HELP RETAIN FOCUS
  • 35.
    virus@ca.com  sample@nod32.com  samples@f-secure.com  newvirus@kaspersky.com  VIRUSTOTAL, JOTTI, VIRUS.ORG  MANY MORE
  • 36.
    PEID  POLYUNPACK RENOVO – PART OF BIT BLAZE BASED ON MEMORY UNPACKING  AND MANY MORE
  • 37.
    TOOLS:- o PEVIEW o DEPENDS o PE BROWSE PRO o OBJ DUMP o RESOURCE HACKER o STRINGS  DETERMINE THE DATE/ TIME OF COMPILATION, FUNCTIONS IMPORTED BY THE PROGRAM, ICONS, MENUS, VERSION, INFO AND STRINGS EMBEDDED IN THE RESOURCES.
  • 38.
    STRINGS  VIP UTILITY – www.freespaceinternetsecurity.com  InCtrl5  SANDBOXIE  FILEMON  REGMON  AUTORUNS  HIJACK THIS  ……..
  • 39.
    PE FORMAT  NEED I SAY MORE.  LORD PE  CAN ALSO DO MEMORY DUMPS  PETOOLS  PEID  TO FIND PACKER DETAILS
  • 40.
    WINDBG  OLLYDBG  IDA PRO  SYSRDBG – KERNEL LEVEL ?  KERNEL DEBUGGER FROM MS  KNOWLEDGE OF ASSEMBLY LANGUAGE CRITICAL  TRAP – API EMULATION
  • 41.
    JAVASCRIPT OBFUSCATION – SPIDER MONKEY.  TOOLS FOR MS OFFICE FORMATS:-  OFFICEMALSCANNER  OFFVIS  OFFICE BINARY TRANSLATOR (INCLUDES BIFFVIEW TOOL).  OFFICECAT.  FILEHEX AND FILEINSIGHT HEX EDITORS CAN PARSE AND EDIT OLE STRUCTURES.  SIMILARLY TOOLS FOR PDF, FLASH ETC
  • 42.
    EXTENSIVE FEATURES ≠ GOOD TOOL  REQUIREMENT TO SCRIPT & PARSE OUTPUTS INTO A ‘READABLE REPORT’  COMMAND LINE / GUI OPTIONS  COMPARISON OF MULTIPLE TOOLS AS VERIFICATION
  • 43.
    RAPID ASSESSMENT & POTENTIAL INCIDENT EXAMINATION REPORT  RAPIER IS A SECURITY TOOL BUILT TO FACILITATE FIRST RESPONSE PROCEDURES FOR INCIDENT HANDLING.  OVERLAP BETWEEN FORENSICS AND MALWARE ANALYSIS.  TO ILLUSTRATE THE REQUIREMENT TO ‘SCRIPT AROUND GUI TOOLS’
  • 44.
    AS PART OF ANALYSIS, TRY TO IDENTIFY THE SOURCE.  BLOCK LISTS OF SUSPECTED MALICIOUS IPS AND URLS  LOOKING UP POTENTIALLY MALICIOUS WEBSITES  INITIAL VECTOR – BROWSER HISTORY, EMAIL LOGS
  • 45.
    SIMILARITY STUDIES:-  http://code.google.com/p/yara-project/  GENOME BASED CLASSIFICATION  MALWARE SIMILARITY ANALYSIS – BLACK HAT 09 - DANIEL RAYGOZA  BLAST: BASIC LOCAL ALIGNMENT SEARCH TOOL BASED CLASSIFICATION  FUZZY CLARITY – DIGITAL NINJA
  • 46.
    RESEARCH IS ON FOR CLASSIFICATION ACCORDING TO:- o OPCODE DISTRIBUTION o API CALLS MADE o COMPILER PARAMETER o …… o WILL GIVE THE ‘HEURISTICS'
  • 47.
    ALWAYS CORRELATE THE ANALYSIS:- o ANUBIS (FORMERLY TTANALYSE) o BIT BLAZE ( COUSIN OF WEB BLAZE PROJECT) o COMODO o CWSANDBOX o EUREKA o JOEBOX o NORMAN SANDBOX o THREAT EXPERT o XANDORA
  • 49.
    SUGGESTED READING o WILDCAT: AN INTEGRATED STEALTH ENVIRONMENT FOR DYNAMIC MALWARE ANALYSIS – AMIT VASUDEVAN o ‘WYSINWYX’ WHAT YOU SEE IS NOT WHAT YOU EXECUTE - GOGUL BALAKRISHNAN o LARGE-SCALE DYNAMIC MALWARE ANALYSIS - ULRICH BAYER