Goals of Malware Analysis
1. Evaluate damages of the malware by understanding its functionalities.
2. Determine the compromised systems by studying its spreading techniques.
3. Determine vulnerabilities in our network and systems, and use them to harden our environment.
4. Create a list of signatures and IOCs to harden our environment.
5. Identify the creator of the malware.
6. Answer as many questions about the malware as possible.
General Rules of Malware Analysis
Malware can be complex programs. Avoid the details and focus on key features.
Utilize the different tools and approaches available depending on the type of analysis you intend to do.
Tools overlap in functionality; if you don’t get lucky with one, try another.
Analyse the malware from different angles and using different approaches to confirm your theories.
Malware programmers can be clever and can come up with techniques to hide their traces.
Malware Analysis Techniques
What we are analyzing: Behavior Based Analysis, Code Based Analysis
How we are analyzing: Static Analysis, Dynamic Analysis, Automated Analysis
Business Impact.
Automated Analysis
Relying on existing tools that do the malware analysis in an automated manner.
Advantages: Saves time and workload.
Disadvantages:
Confidentiality concerns regarding using third parties rather than an in-house analyst, especially since some malware collect private data.
Cost can be high for professional enterprise solutions.
A lot of existing tools still require an analyst to go through the data log collected.
Does not usually take into consideration the
Automated Solutions - Examples
Examples: VirusTotal, Joe Sandbox, and more.
Demo available.
Static Malware Analysis - Introduction
Static Analysis is analyzing the software information without executing it, by looking into the fingerprints, strings, PE headers, etc.
Advantages
Safer, since we are not executing code.
Faster, since we are just examining basic static information of the code.
Disadvantages
More primitive results than dynamic analysis.
Static Malware Analysis - Introduction
Fingerprints: Hash the suspicious software to uniquely identify it. Search for and share the hash with the malware analyst communities.
Strings: A program contains strings when it prints a message, connects to a URL, copies a file to a specific location, reports an error, etc.
Portable Executable (PE) file format is used by Windows executables, object code, and DLLs and includes information about the code, the type of application, required library functions, and space requirements.
Linked Libraries and Functions are imports of code and functions used by the malware that are actually stored in an already known and existing library.
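As an added example (not from the deck), the fingerprint and strings steps above in Python: it hashes a constructed sample blob, extracts both ASCII and UTF-16LE (wide) strings, and flags the ones an analyst would examine first. The blob and the "interesting" patterns are constructed for illustration.

```python
import hashlib
import re

# Constructed sample blob standing in for a suspicious executable (not a real file):
# an ASCII URL, a UTF-16LE path as Windows binaries often store them, an imported
# API name, and some non-printable padding.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"http://example.invalid/update.php\x00\x00"
          + "C:\\Users\\Public\\svc.dat".encode("utf-16-le") + b"\x00\x00"
          + b"\x01\x02\x03GetProcAddress\x00" + b"\xff" * 8)

def fingerprint(data: bytes) -> dict:
    """Hash the sample so it can be looked up and shared by digest."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long (what the classic strings tool shows)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable characters interleaved with NUL bytes: UTF-16LE wide strings."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]

# What an analyst looks at first: URLs, drive paths, e-mail addresses, and the APIs
# commonly used to resolve functions at run time (GetProcAddress, LoadLibrary).
INTERESTING = re.compile(r"https?://|^[A-Za-z]:\\|\S+@\S+\.\S+|GetProcAddress|LoadLibrary")

def triage(data: bytes) -> dict:
    """Static first pass: hashes, every string found, and the subset worth a closer look."""
    strings = ascii_strings(data) + utf16le_strings(data)
    return {"hashes": fingerprint(data),
            "strings": strings,
            "interesting": [s for s in strings if INTERESTING.search(s)]}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("sha256:", result["hashes"]["sha256"])
    for s in result["interesting"]:
        print("interesting:", s)
```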
Behavior Based Analysis
▶ Isolated Environment: Do not perform the analysis directly on our machines or on a machine connected to our network.
▶ We used a Windows 8.1 virtual machine.
▶ Behavior-based analysis is monitoring the behavior of a software for suspicious activities in an isolated environment referred to as a sandbox.
▶ Suspicious Activities: Attempts to perform actions that are clearly abnormal or unauthorized. They can be:
▶ System Based
▶ Network Based
Behavior Analysis - Network Oriented
▶ Analyzing the network flows (both inbound and outbound) that may be caused by the malware.
▶ Malware try to connect to servers, URLs and IP addresses for many reasons: sending/grabbing data and/or discovering the network.
▶ IOCs can show up on the network “weeks and even months” before malicious software is uncovered.
Behavior Analysis - Network Oriented (figure): A DNS resolution query for gsmtp185.google.com as a result of running the malicious MSN Live Messenger sample.
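As an added example (not from the deck), the network-side check described above and in the MSN summary, in Python: it parses the question name out of a DNS query packet and matches it against the two domains the deck reports. The packets are constructed in code rather than captured.

```python
import struct

# Indicators from the deck's MSN malware summary, kept in the defanged form the
# deck uses and refanged here only for matching.
IOC_DOMAINS = {d.replace("<dot>", ".").lower()
               for d in ("Ourgodfather<dot>com", "Gsmtp185.google.com")}

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query packet (constructed input standing in for a capture)."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii") for part in name.split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: standard query, RD set
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(packet: bytes) -> str:
    """Return the name asked for in the first question of a DNS query packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack(">HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query with a question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a query's first QNAME
            raise ValueError("unexpected label compression")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def match_ioc(packet: bytes):
    """Return the indicator the queried name hits (exact or as a subdomain), else None."""
    name = parse_qname(packet)
    for ioc in sorted(IOC_DOMAINS):
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

if __name__ == "__main__":
    for qname in ("gsmtp185.google.com", "www.example.invalid", "Ourgodfather.com"):
        print(qname, "->", match_ioc(build_query(qname)))
```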
Code Based Analysis
▶ Pre-Requisite: knowledge of disassembly, code constructs, and operating system concepts.
▶ Code Based Analysis: Understanding the internals of the malware by breaking it apart using software reverse engineering techniques.
▶ Tools: Hex Editor, Decompiler, Disassembler, Debugger (Ring0 Kernel Mode or Ring3 User Mode).
▶ We will use OllyDbg as an example.
Code Based Analysis - OllyDbg
#include <cstdio>
#include <iostream>
#include <string>
using namespace std;

// Sample program debugged in the demo: loops until the secret word is typed.
int main()
{
    string Y;
    int rnd;
    printf("What is the secret word?");
    getline(cin, Y);
    while (!(Y == "PASSWORD")) {
        printf("No, What is the secret word? ");
        getline(cin, Y);
    }
    printf("THAT IS CORRECT, Bye ");
    cin >> rnd;   // wait for input before exiting
    return 0;
}
Code Based Analysis - OllyDbg
The malware author writes the program in a high-level language (the secret-word program shown above); compiling produces the machine code the CPU runs; disassembling turns that machine code back into a low-level (assembly) language that the analyst reads.
Code Based Analysis - OllyDbg
OllyDbg's main interface is split into 5 different regions as follows:
1. Disassembler window: shows the disassembled code as it is executed.
2. Registers window: shows the registers along with their value in real time (when a value is changed, it appears in red). You can modify the value of these registers.
3. Information window: brings information about the current line of code.
4. Stack window: current state of the stack in memory.
5. Memory dump window: dump of live memory for the debugged process.
Code Based Analysis - OllyDbg
Debugging Commands
1. Step into
2. Step over
3. Create breakpoint
4. Go to next reference
5. Go to previous reference
6. …
Assembly Commands
1. JMP, JNZ, JE, JZ <LOC>
2. CALL, RETN <LOC>
3. MOV <VALUE>, <VALUE>
4. AND, OR, XOR <VALUE>, <VALUE>
5. POP, PUSH <VALUE>
6. TEST
7. NOP
8. …
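As an added illustration (not from the deck), a small Python decoder for the short jumps and the other opcodes listed above, run over a constructed byte snippet shaped like the secret-word loop (compare, jump back if wrong, fall through to the exit). It also compares the decoded flow of two images so a modified conditional jump stands out, which is the kind of logic change the OllyDbg demo performs and the disk-versus-memory comparison a defender wants to catch.

```python
# Constructed bytes for illustration; not the deck's sample binaries.
SNIPPET = bytes([0x85, 0xC0,   # TEST EAX,EAX  (result of the string compare)
                 0x75, 0xFC,   # JNZ  -4       -> back to the prompt if not equal
                 0x90,         # NOP
                 0xC3])        # RETN          (the "correct" path)
BASE = 0x401000
SHORT_JUMPS = {0x74: "JE", 0x75: "JNZ", 0xEB: "JMP"}

def decode(code: bytes, base: int = BASE) -> list:
    """Return (address, mnemonic, operand) tuples; unknown bytes become DB entries."""
    out, i = [], 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op == 0x85 and code[i + 1:i + 2] == b"\xC0":
            out.append((addr, "TEST", "EAX,EAX"))
            i += 2
        elif op in SHORT_JUMPS and i + 1 < len(code):
            # rel8 is signed and counted from the end of this 2-byte instruction
            rel = code[i + 1] - 256 if code[i + 1] > 0x7F else code[i + 1]
            out.append((addr, SHORT_JUMPS[op], "0x%X" % (addr + 2 + rel)))
            i += 2
        elif op == 0x90:
            out.append((addr, "NOP", ""))
            i += 1
        elif op == 0xC3:
            out.append((addr, "RETN", ""))
            i += 1
        else:
            out.append((addr, "DB", "0x%02X" % op))
            i += 1
    return out

def flow_diff(on_disk: bytes, in_memory: bytes, base: int = BASE) -> list:
    """Addresses whose decoding differs between the file image and the running image:
    a cheap way to spot a patched jump. Each entry is (addr, disk_insn, memory_insn)."""
    disk = {a: (m, o) for a, m, o in decode(on_disk, base)}
    mem = {a: (m, o) for a, m, o in decode(in_memory, base)}
    return [(a, disk.get(a), mem.get(a))
            for a in sorted(set(disk) | set(mem)) if disk.get(a) != mem.get(a)]

if __name__ == "__main__":
    for addr, mnemonic, operand in decode(SNIPPET):
        print("0x%X  %-4s %s" % (addr, mnemonic, operand))
```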
Code Based Analysis
(The secret-word sample program shown above.)
MSN Messenger Demo. Goal: Tracing within the assembly code to understand the logic behind the file msnsetting.dat.
Ollydbgsample.exe Demo. Goal: Understanding the assembly code and manipulating it to change the logical behavior of the program.
Analysis Summary for MSN Malware
Static Based Analysis: Found URL Ourgodfather<dot>com.
Behavior Based (Running Executable): MSN tried accessing the URL.
Behavior System Based Analysis:
• Two files were written to the hard disk.
• Parameters in the file included:
  • Credentials in plaintext
  • Email: mastercleanex@gmail.com
  • DNS name: Gsmtp185.google.com
Behavior Network Based Analysis: Two DNS name resolution queries:
• Ourgodfather<dot>com
• Gsmtp185.google.com
Code Based Analysis: Secret configuration interface.
• Contains parameters to send email to server.
Questions
Importance of malware analysis.
Different ways of analyzing a malware.
Behavior vs Code based.
Static vs Dynamic vs Automatic based.
How to search for IOCs on both the network and the systems.
How to reverse engineer code and the benefits of that in malware analysis.
Analyzing Live Windows System for Malware
IBM ICE (Innovation Centre for Education)
•Dynamic analysis is an efficient way to identify malware functionality from a live windows system.
•Although dynamic analysis techniques are extremely powerful, they should be performed only after basic static analysis has
been completed, because dynamic analysis can put your network and system at risk.
•Although it is usually simple enough to run executable malware by double-clicking the executable or running the file from the command line, it can be tricky to launch malicious DLLs because Windows doesn’t know how to run them automatically.
•Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file
system, network, process, and thread activity.
•One way to recognize process replacement is to use the Strings tab in the Process Properties window to compare the strings
contained in the disk executable (image) against the strings in memory for that same executable running in memory.
•Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots.
•Wireshark is an open source sniffer, a packet capture tool that intercepts and logs network traffic. Wireshark provides
visualization, packet-stream analysis, and in-depth analysis of individual packets.
Analyzing Live Linux System for Malware
•The hard drive of a Linux computer can contain traces of malware in various places and forms, including malicious files, configuration
scripts, log files, Web browser history, and remnants of installation and execution such as system logs and command history.
•Many intruders will use easily recognizable programs such as known rootkits, keystroke monitoring programs, sniffers, and anti-forensic tools.
•Searching a forensic duplicate of a compromised system for hash values matching known malware may identify other files with the same
data but different names.
•Tools such as Rootkit Hunter and chkrootkit have been developed to look for known malicious code on Linux systems.
•Using updated AntiVirus programs to scan files within a forensic duplicate of a compromised system may identify known malware. To
increase the chances of detecting malware, multiple AntiVirus programs can be used with any heuristic capabilities enabled.
•Malware on Linux systems is often simply a modified version of a legitimate system binary, making it more difficult to distinguish.
•Look in all available log files on the compromised system for traces of malicious execution and associated activities such as creation of a
new service.
Analyzing Physical and Process Memory Dumps for Malware
•The advancement in malware, rootkit detection and digital forensics in the commercial products just discussed was due in large part to a
resurgence of interest in a research area that has been around the digital forensics community for some time.
•KNTList forensic tool can parse information from the memory dump, reconstruct evidence such as process listings and loaded DLLs,
and analyze the memory dump to decipher the intrusion scenario.
•Volatility is a memory analysis environment with an extensible underlying framework of tools based on research by Aaron Walters of Volatile Systems.
•Volatility provides basic information that it parses from the memory dump, including:
•Running processes and threads
•Open network sockets and connections
•Loaded modules in user and kernel mode
•The resources a process is using such as files, objects, registry keys and other data
•The capability to dump a single process or any binary in the dump & use for analysis
Discovering and Extracting Malware from Windows Systems
•Malware often uses the registry for persistence or configuration data.
•Real malware code opens the Run key from the registry and adds a value so that the program runs each time Windows starts.
•Malware commonly relies on network functions to do its dirty work, and there are many Windows API functions for network communication.
•There are many ways that malware can transfer execution in addition to the jump and call instructions.
•Malware authors find it more advantageous to store malicious code in a DLL, rather than in an .exe file.
•Nearly all malware uses the basic Windows DLLs found on every system. The Windows DLLs contain the functionality needed to
interact with the OS.
•Malware can also execute code outside the current program by creating a new process or modifying an existing one.
•Malware can use CreateThread to load a new malicious library into a process, with CreateThread called and the address of LoadLibrary
specified as the start address.
•Another way for malware to execute additional code is by installing it as a service.
•When analyzing malware that uses COM, you’ll need to be able to determine which code will be run as a result of a COM function call.
Discovering and Extracting Malware from Linux Systems
•Explore the file system for traces left by malware.
•Scour files associated with applications for traces of usage related to malware.
•Search for distinctive keywords each time such an item is uncovered during forensic analysis.
•Performing a comprehensive forensic reconstruction can provide digital investigators with a detailed understanding of the malware incident.
•Perform targeted remote scans of all hosts on the network for specific indicators.
Rootkits and Rootkit Detection and Recovery
•The predecessor of the first rootkit was actually not a rootkit at all but a set of applications that removed evidence of an intrusion
from a machine.
•The first-generation served one major purpose—execute commands for an attacker without being seen.
•With the ability to log back into a server with full administrative privileges, the attacker can leverage the server for other attacks,
store data, or host a malicious website. Rootkits maintain access by installing either local or remote backdoors.
•Rootkits have the ability to conceal traces of their existence on the system.
•Network-based rootkits do not run on the network but are accessible via the hacked system’s web server.
•The two types of rootkits: user-mode and kernel-mode.
•One of the simplest and most used techniques, System Service Descriptor Table or SSDT hooking is fairly easy to detect, and
almost every tool available detects SSDT hooks.
•The method for detecting IRP hooking is the same as for detecting SSDT hooking. Each driver exports a set of 28 function
pointers to handle I/O request packets.
Reverse Engineering Tools and Techniques
•Machine code is the form of code that the computer can run quickly and efficiently. When we disassemble malware, we take the malware
binary as input and generate assembly language code as output, usually with a disassembler.
•Instructions are the building blocks of assembly programs. In x86 assembly, an instruction is made of a mnemonic and zero or more
operands.
•Each instruction corresponds to opcodes (operation codes) that tell the CPU which operation the program wants to perform.
•All general registers are 32 bits in size and can be referenced as either 32 or 16 bits in assembly code.
•The simplest and most common instruction is mov, which is used to move data from one location to another.
•It is possible to read data from the stack without using the push or pop instructions.
•All programming languages have the ability to make comparisons and make decisions based on those comparisons. Conditionals are
instructions that perform the comparison.
•The Interactive Disassembler Professional (IDA Pro) is an extremely powerful disassembler distributed by Hex-Rays.
Checkpoint
•Which one of the following is not a malware?
1.Application software
2.Spam
3.Computer virus
4.Worm
•What is the purpose of polyinstantiation?
1.To restrict lower-level subjects from accessing low-level information
2.To make a copy of an object and modify the attributes of the second copy
3.To create different objects that will react in different ways to the same input
4.To create different objects that will take on inheritance attributes from their class
•Which of the following attack type best describes what commonly takes place to overwrite a return pointer memory segment?
1.Traversal attack
2.UNICODE attack
3.URL encoding attack
4.Buffer overflow attack