Basic Malware Analysis
Albert Hui, GCFA, CISA
albert.hui@gmail.com

Goals
- Present tools and techniques for preliminary malware analysis
- Introduce the model and mindset for beginning reverse engineering
- Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on
Copyright © 2007 Albert Hui

Terminology
- Malware – malicious software
- Virus – infects a host program in order to reproduce
- Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom)
- Trojan – malicious program disguised as harmless
- 木馬 (Chinese usage, lit. "Trojan horse") != trojan, but == backdoor
- Backdoor – remote control software
- Rootkit – covers up a backdoor and forensic evidence (e.g. Sony XCP rootkit)
- Spyware – calls home

Black-Box Examination
- Snapshot Observation
- Behavioral Tracing
- Sandboxing

Snapshot Observation
Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.)
Pros:
- Gathers a consistent big picture
- Some information is only uncovered by static analysis
Cons:
- Can lose sight of small/transient changes
- Difficult to cover every avenue

Snapshot Observation Tools (runtime)
- Process/Thread: Process Explorer
- Windows Objects: WinObj, OpenedFilesView

Snapshot Observation Tools (static)
- Executable: XN Resource Editor
- File: hexplorer, FileAlyzer

Snapshot Observation Tools (executable)
- PEBrowse, Dependency Walker, PEiD
- Dumper: LordPE, Universal Extractor, RL!depacker
- Decompiler/Disassembler: IDA Pro, OllyDbg/OllyICE, JAD, Spices.Decompiler

Behavioral Tracing
Includes debugging, tracing, network traffic analysis, etc.
Pros:
- Detailed time-domain information
- Can drill down to the system call level
Cons:
- Can lose sight of the big picture
- Difficult to cover every avenue

Behavioral Tracing Tools
- Process/Thread/File/Registry Tracing: ProcMon
- Network Tracing: TCPView, TDImon, Wireshark
- Debugger: OllyDbg/OllyICE, SoftICE

Sandboxing
- Containment of execution in a protected environment
- One kind of virtualization; shares techniques with virtual machines, honeypots/tarpits, and forceful uninstallers
- Sandboxing can occur at various levels: network, application, OS, down to bare metal
Pros:
- Total coverage possible
- Local containment of harm
Cons:
- Difficult to discern incremental changes

Sandboxing Tools
- Machine Level: VMware
- OS Level: Altiris SVS, PowerShadow, ShadowUser
- Application Level: Sandboxie
- Network Level: Honeyd

Demo
1. Use FileAlyzer to determine the file type.
2. Rename the file to .exe; use Dependency Walker to determine the imported functions.
3. Use PEiD to detect the signature – UPX packed.
4. Use Universal Extractor to unpack the file.
5. Use Dependency Walker again to determine the imported functions.
6. Use FileAlyzer to read the embedded strings.
7. Detach the network; use Sandboxie to execute the file.
8. Start Wireshark and ProcMon; execute the file again.
9. Use OllyDbg to understand the program flow – the program connects to a server on port 6667.
10. Set up our own IRC server; edit the hosts file on the guest to fool the malware into connecting to it.
11. Try out the commands found in the embedded strings.
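The static steps of the demo (file-type check, packer indicators, embedded strings) as an added Python example; this is not code from the original slides or from any of the tools named there. The PE image it inspects is a constructed, header-only sample whose section names and strings are made up.

```python
"""Static triage mirroring the demo's first steps: confirm the sample is a PE,
list its sections, flag UPX-style packing indicators, and pull embedded strings.
Added example; the PE image below is constructed (headers only, no code)."""
import re
import struct

MACHINES = {0x14C: "x86", 0x8664: "x64"}


def parse_pe(data: bytes) -> dict:
    """Parse the DOS stub pointer, COFF header and section table. Raises ValueError
    when the bytes are not a PE image, which is the 'determine file type' step."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ file without PE signature")
    if e_lfanew + 24 > len(data):
        raise ValueError("truncated PE header")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    if table + 40 * nsec > len(data):
        raise ValueError("truncated section table")
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, raddr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "raddr": raddr})
    return {"machine": machine, "characteristics": chars, "sections": sections}


def identify(data: bytes) -> str:
    """One-line file-type verdict for a sample with a misleading or missing extension."""
    try:
        pe = parse_pe(data)
    except ValueError as err:
        return f"not PE: {err}"
    kind = "DLL" if pe["characteristics"] & 0x2000 else "EXE"
    return f"PE {kind} for {MACHINES.get(pe['machine'], hex(pe['machine']))}"


def packing_indicators(pe: dict) -> list:
    """Signature-free hints that a PEiD match such as 'UPX' would corroborate."""
    hints = []
    for s in pe["sections"]:
        if s["name"].startswith("UPX"):
            hints.append(f"section named {s['name']}")
        # a section that occupies memory but no file bytes is where a stub unpacks into
        if s["rsize"] == 0 and s["vsize"] > 0:
            hints.append(f"section {s['name']} has no raw data but vsize {s['vsize']:#x}")
    return hints


def strings(data: bytes, min_len: int = 5) -> list:
    """Printable-ASCII runs, the same view FileAlyzer's strings tab gives."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def build_sample(sections, tail: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not runnable) standing in for the demo sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = b"\0" * 224  # zeroed PE32 optional header; its size is recorded in COFF
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ra, 0, 0, 0, 0, 0)
                     for n, vs, va, rs, ra in sections)
    return dos + b"PE\0\0" + coff + opt + table + tail


# Constructed sample: a UPX0/UPX1 layout plus a few IRC-looking strings of the kind
# the demo found (made-up values, not taken from any real binary).
UPX_SAMPLE = build_sample(
    [(b"UPX0", 0x8000, 0x1000, 0, 0x400),
     (b"UPX1", 0x3000, 0x9000, 0x2A00, 0x400),
     (b".rsrc", 0x200, 0xC000, 0x200, 0x2E00)],
    tail=b"\0NICK analysisbot\0JOIN #control\0PRIVMSG %s :%s\0\0")

if __name__ == "__main__":
    print(identify(UPX_SAMPLE))
    for hint in packing_indicators(parse_pe(UPX_SAMPLE)):
        print("packing hint:", hint)
    print("strings:", strings(UPX_SAMPLE))
```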
Process-Based Malware
- e.g. BO2K, Sub7, NetBus, 冰河 (Glacier), 灰鴿子 (Gray Pigeon)
- Technically equivalent to VNC, Remote Desktop, pcAnywhere, etc.

Tricks of Process-Based Malware
- Melting – deletes the installer, or deletes itself entirely from disk
- Sticky Process – multiple execution units reviving each other
- Sticky Image – reinstalls itself upon system shutdown
- Anti-detection/免殺:
  - Polymorphism – packing/encryption or other superficial changes
  - Metamorphism – radically changing the code; includes 加花 (addition of fake signatures)

Stealthy Malware: The 2nd Generation

Processless (無進程) Malware
- Parasite approach (exists only as threads):
  - DLL attachment
  - CreateRemoteThread
  - Code injection, detour patching
- Rootkit approach (hides the process):
  - Hooking
  - DKOM

Vulnerabilities of Rootkits
- Communications can always be captured on external network links
- It always changes the OS:
  - compare observations with known-good states
  - compare observations from different approaches (e.g. Linux ls vs. opendir())
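The two comparisons above, as an added Python example that is not from the original slides: a known-good snapshot diffed against the current state, and the same directory enumerated through several views, one of which is a constructed stand-in for a hooked API that hides names starting with $sys$ (the prefix the Sony XCP rootkit used). The files and the "infection" are staged in a temporary directory so the script runs anywhere.

```python
"""Two checks from the 'Vulnerabilities of Rootkits' slide: diff the current state
against a known-good snapshot, and cross-check one fact through several views.
Added example; the 'hooked' view is a constructed stand-in, not a real rootkit."""
import hashlib
import os
import tempfile
from typing import Callable, Dict, Iterable, List, Set

# Sony XCP hid anything whose name began with this prefix; used here only as the
# pattern the simulated hook filters out.
HIDDEN_PREFIX = "$sys$"


def snapshot(root: str) -> Dict[str, str]:
    """Known-good state: relative path -> SHA-256 of every regular file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_states(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """What changed since the baseline: the slide's 'compare with known-good states'."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p])}


def cross_view(views: Dict[str, Callable[[], Iterable[str]]]) -> Dict[str, Set[str]]:
    """Gather the same listing through every view and report what each one misses.
    A hook that filters a single API path leaves a gap in that view alone."""
    seen = {name: set(view()) for name, view in views.items()}
    union: Set[str] = set().union(*seen.values())
    return {name: union - names for name, names in seen.items() if union - names}


def run_demo() -> dict:
    """Stage a directory, take a baseline, 'infect' it, then run both checks."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("notepad.exe", b"A" * 64), ("config.ini", b"port=6667\n")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # Constructed changes between snapshots: one file patched, one file dropped.
        with open(os.path.join(root, "notepad.exe"), "wb") as fh:
            fh.write(b"A" * 60 + b"JMP!")
        with open(os.path.join(root, HIDDEN_PREFIX + "driver.sys"), "wb") as fh:
            fh.write(b"\0" * 16)
        changes = diff_states(baseline, snapshot(root))

        def via_listdir() -> List[str]:
            return os.listdir(root)

        def via_scandir() -> List[str]:
            with os.scandir(root) as entries:
                return [e.name for e in entries]

        def via_hooked_api() -> List[str]:
            # stand-in for a user-mode hook that filters one enumeration path
            return [n for n in os.listdir(root) if not n.startswith(HIDDEN_PREFIX)]

        gaps = cross_view({"os.listdir": via_listdir,
                           "os.scandir": via_scandir,
                           "hooked view": via_hooked_api})
    return {"changes": changes, "gaps": gaps}


if __name__ == "__main__":
    result = run_demo()
    print("changes vs. baseline:", result["changes"])
    print("entries missing per view:", result["gaps"])
```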
Rootkit Detection Tools
- 冰刃 IceSword
- DarkSpy
- GMER

Conclusion
- First perform static analysis
- Then let the malware loose in a contained environment
- Drill down with expert knowledge to further fool the malware into doing more
