Practical Malware Analysis
Ch 2: Malware Analysis in Virtual Machines
Updated 2-2-21
Dynamic Analysis
Running malware deliberately, while monitoring the results
Requires a safe environment
Must prevent malware from spreading to production machines
Real machines can be air-gapped – no network connection to the Internet or to other machines
Real Machines
Disadvantages
No Internet connection, so parts of the malware may not work
Can be difficult to remove malware, so re-imaging the machine will be necessary
Advantage
Some malware detects virtual machines and won't run properly in one
Virtual Machines
The most common method
We'll do it that way
This protects the host machine from the malware
Except for a few very rare cases of malware that escape the virtual machine and infect the host
VMware Workstation Player/Fusion
Free for education
Cannot take snapshots
You could also use VirtualBox, Hyper-V, Parallels, or Xen.
Configuring VMware
You can disable networking by disconnecting the virtual network adapter
Host-only networking allows network traffic to the host but not the Internet
Connecting Malware to the Internet
NAT mode lets VMs see each other and the Internet, but puts a virtual router between the VM and the LAN
Bridged networking connects the VM directly to the LAN
Can allow malware to do some harm or spread – controversial
You could send spam or participate in a DDoS attack
Snapshots
Risks of Using VMware for Malware Analysis
Malware may detect that it is in a VM and run differently
VMware has bugs: malware may crash or exploit it
Malware may spread or affect the host – don't use a sensitive host machine
All the textbook samples are harmless
Practical Malware Analysis
Ch 3: Basic Dynamic Analysis
Why Perform Dynamic Analysis?
Static analysis can reach a dead-end, due to
Obfuscation
Packing
Examiner has exhausted the available static analysis techniques
Dynamic analysis is efficient and will show you exactly what the malware does
Sandboxes: The Quick-and-Dirty Approach
Sandbox
All-in-one software for basic dynamic analysis
Virtualized environment that simulates network services
Examples: Norman Sandbox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, Comodo Instant Malware Analysis
They are expensive but easy to use
They produce a nice PDF report of results
Running Malware
Launching DLLs
EXE files can be run directly, but DLLs can't
Use Rundll32.exe (included in Windows)
rundll32.exe DLLname, Export arguments
The Export value is one of the exported functions you found in Dependency Walker, PEview, or PE Explorer.
Launching DLLs
Example
rip.dll has these exports: Install and Uninstall
rundll32.exe rip.dll, Install
Some functions use ordinal values instead of names, like
rundll32.exe xyzzy.dll, #5
It's also possible to modify the PE header and convert a DLL into an EXE
Monitoring with Process Monitor
Process Monitor
Monitors registry, file system, network, process, and thread activity
All recorded events are kept, but you can filter the display to make it easier to find items of interest
Don't run it too long or it will fill up all RAM and crash the machine
Launching Calc.exe
Many, many events recorded
Process Monitor Toolbar
Toolbar buttons: Start/Stop Capture, Erase, Filter, and the default filters (Registry, File system, Network, Processes)
Filtering with Exclude
One technique: hide normal activity before launching malware
Right-click each Process Name and click Exclude
Doesn't seem to work well with these samples
Filtering with Include
Most useful filters: Process Name, Operation, and Detail
Viewing Processes with Process Explorer
Coloring
Services are pink
Processes are blue
New processes are green briefly
Terminated processes are red
DLL Mode
Properties
Shows DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) status
Verify button checks the disk file's Windows signature
But not the RAM image, so it won't detect process replacement
Strings
Compare Image to Memory strings; if they are very different, it can indicate process replacement
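The Image-versus-Memory strings comparison as a script, added here as an example (not part of the slides or of Process Explorer). The two "disk" and "memory" byte blobs are constructed for the demonstration, and the 0.5 similarity threshold is an assumed cut-off, not a documented one.

```python
import re
from typing import Set

# Constructed stand-ins for the two views in Process Explorer's Strings tab: the file on disk
# ("Image") and the mapped process memory ("Memory"). Not taken from any real binary.
DISK_IMAGE = (b"MZ\x90\x00" + b"\x00" * 8 + b"This program cannot be run in DOS mode."
              b"\x00KERNEL32.dll\x00CreateFileW\x00WriteFile\x00svchost.exe\x00"
              b"%SystemRoot%\\system32\x00ServiceMain\x00" + b"\x00" * 16)
# Memory of a legitimate instance: the same strings plus some runtime data.
MEMORY_BENIGN = DISK_IMAGE + b"\x00C:\\Windows\\system32\\svchost.exe\x00-k netsvcs\x00"
# Memory after process replacement: the original image was unmapped and other code written
# in its place, so its strings share almost nothing with the file on disk.
MEMORY_REPLACED = (b"MZ\x90\x00" + b"\x00" * 8 + b"This program cannot be run in DOS mode."
                   b"\x00WS2_32.dll\x00WSAStartup\x00connect\x00send\x00recv\x00"
                   b"http://beacon.example.invalid/gate\x00GET /beacon HTTP/1.1\x00" + b"\x00" * 16)

def extract_strings(data: bytes, min_len: int = 4) -> Set[str]:
    """Printable-ASCII runs of at least min_len bytes: what 'strings' and the Strings tab list."""
    return {m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)}

def image_memory_similarity(image: bytes, memory: bytes) -> float:
    """Jaccard similarity of the two string sets: near 1.0 means memory still looks like the
    disk file, near 0.0 means the mapped code has little in common with it."""
    a, b = extract_strings(image), extract_strings(memory)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def looks_replaced(image: bytes, memory: bytes, threshold: float = 0.5) -> bool:
    """Flag the process when the Image and Memory string sets are mostly different."""
    return image_memory_similarity(image, memory) < threshold

if __name__ == "__main__":
    for label, mem in (("benign", MEMORY_BENIGN), ("replaced", MEMORY_REPLACED)):
        print(f"{label:9s} similarity={image_memory_similarity(DISK_IMAGE, mem):.2f} "
              f"flagged={looks_replaced(DISK_IMAGE, mem)}")
```

Runtime data (paths, arguments, heap contents) always adds strings to the memory view, so a legitimate process scores below 1.0; the signal is a memory view that has lost the disk image's strings rather than merely gained some.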
Detecting Malicious Documents
Open the document (e.g. PDF) on a system with a vulnerable application
Watch Process Explorer to see if it launches a process
The Image tab of that process's Properties sheet will show where the malware is
Comparing Registry Snapshots with Regshot
Regshot
Take 1st shot
Run malware
Take 2nd shot
Compare them to see what registry keys were changed
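The comparison step of the Regshot procedure, as an added Python example (not the slides' material and not Regshot's own code). Both snapshots are constructed for this example and value data is simplified to strings; the autostart hints used to rank the findings are an assumption of the example.

```python
from typing import Dict, List

# A registry snapshot as {key_path: {value_name: data}}. Both snapshots are constructed
# for this example (value data simplified to strings); they are not from a real machine.
Snapshot = Dict[str, Dict[str, str]]

SHOT_1: Snapshot = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer": {"ShellState": "24 00 00 00"},
    r"HKCU\Software\ExampleApp": {"Version": "1.0"},
}
# After the sample ran: a new Run value (autostart persistence), a new key with one value,
# one modified value and one deleted key.
SHOT_2: Snapshot = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "Updater": r"C:\Users\analyst\AppData\Local\Temp\sample.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer": {"ShellState": "26 00 00 00"},
    r"HKLM\SOFTWARE\SampleSvc": {"InstallPath": r"C:\ProgramData\SampleSvc"},
}

def compare_shots(first: Snapshot, second: Snapshot) -> Dict[str, List[str]]:
    """Build the sections of a Regshot comparison: keys added/deleted and values
    added/deleted/modified, each value line formatted as 'key\\name: data'."""
    report: Dict[str, List[str]] = {"keys_added": [], "keys_deleted": [], "values_added": [],
                                    "values_deleted": [], "values_modified": []}
    for key in sorted(set(first) | set(second)):
        if key not in first:
            report["keys_added"].append(key)
        elif key not in second:
            report["keys_deleted"].append(key)
        before, after = first.get(key, {}), second.get(key, {})
        for name in sorted(set(before) | set(after)):   # values of a deleted key are all 'deleted'
            path = f"{key}\\{name}"
            if name not in before:
                report["values_added"].append(f"{path}: {after[name]}")
            elif name not in after:
                report["values_deleted"].append(f"{path}: {before[name]}")
            elif before[name] != after[name]:
                report["values_modified"].append(f"{path}: {before[name]} -> {after[name]}")
    return report

# Autostart locations worth reading first in any diff (the Run keys and the services tree).
AUTOSTART_HINTS = ("\\CurrentVersion\\Run", "\\Services\\")

def persistence_hits(report: Dict[str, List[str]]) -> List[str]:
    """Lines from the diff that touch an autostart location."""
    return [line for section in ("keys_added", "values_added", "values_modified")
            for line in report[section] if any(h.lower() in line.lower() for h in AUTOSTART_HINTS)]
```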
Faking a Network
INetSim
Included in Kali Linux
Simulates the Internet, including
HTTP / HTTPS
SMTP, POP3
DNS
FTP
Much more
Ncat Listener
Using Ncat.exe, you can listen on a single TCP port in Windows
In Linux, use nc (netcat)
This will allow malware to complete a TCP handshake, so you get some rudimentary information about its requests
But it's not a real server, so it won't reply to requests after the handshake
Monitoring with Ncat (included with Nmap)
Packet Sniffing with Wireshark
Follow TCP Stream
Can save files from streams here too
Using INetSim
inetsim
INetSim Fools a Browser
INetSim Fools Nmap
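An added example (not from the slides, and not Ncat or INetSim code) contrasting the two approaches above: a bare listener that only completes the handshake and records the request, versus a simulated service that also answers it. It uses localhost sockets; the request and the canned HTTP reply are constructed for the demonstration.

```python
import socket
import threading
import time
from typing import List, Optional, Tuple

# Constructed first request of a sample, standing in for a real beacon (not from any malware).
SAMPLE_REQUEST = b"GET /update.php?id=TEST HTTP/1.1\r\nHost: updates.example.invalid\r\n\r\n"
# Canned answer in the spirit of INetSim's default HTTP service: every request gets 200 OK.
FAKE_HTTP_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\n<html></html>"

def start_listener(reply: Optional[bytes]) -> Tuple[int, List[bytes], threading.Thread]:
    """Accept one localhost connection and record what the client sends. reply=None acts like
    'ncat -l' (handshake only, silent); a bytes reply acts like a simulated service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    captured: List[bytes] = []
    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2)
            try:
                captured.append(conn.recv(4096))   # the "rudimentary information": the raw request
            except socket.timeout:
                captured.append(b"")
            if reply is not None:
                conn.sendall(reply)
            else:
                time.sleep(1.0)   # stay silent but connected, as a bare listener would
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], captured, t

def run_client(port: int, request: bytes, timeout: float = 0.5) -> Optional[bytes]:
    """Connect as the sample would; return the reply, or None if nothing arrives in time."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        c.sendall(request)
        try:
            return c.recv(4096)
        except socket.timeout:
            return None

def capture(reply: Optional[bytes], request: bytes = SAMPLE_REQUEST) -> Tuple[bytes, Optional[bytes]]:
    """Run one exchange; return (what the listener saw, what the client received)."""
    port, captured, thread = start_listener(reply)
    response = run_client(port, request)
    thread.join(3)
    return (captured[0] if captured else b""), response
```

`capture(None)` returns the full request but no reply, which is all a listener can give you; `capture(FAKE_HTTP_REPLY)` returns both, which is what lets a sample proceed past its first request so the later behaviour becomes visible.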
Basic Dynamic Tools in Practice
Using the Tools
Procmon
Filter on the malware executable name and clear all events just before running it
Process Explorer
Regshot
Virtual Network with INetSim
Wireshark