1 / 52

Introduction to Malware Analysis Part (1)

The Republic of the Union of Myanmar Ministry of Transport and Communications Information Technology and Cyber Security Department National Cyber Security Center. Introduction to Malware Analysis Part (1). Presenter : mmCERT/cc. 1-11-2018. What is malware?.

december
Download Presentation

Introduction to Malware Analysis Part (1)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Republic of the Union of Myanmar Ministry of Transport and Communications Information Technology and Cyber Security Department National Cyber Security Center Introduction to Malware Analysis Part (1) Presenter: mmCERT/cc 1-11-2018

  2. What is malware? • Malware is a code that performs malicious actions; it can take the form of an executable, script, code, or any other software. Attackers use malware to steal sensitive information, spy on the infected system, or take control of the system. It typically gets into your system without your consent and can be delivered via various communication channels such as email, web, or USB drives. • The following are some of the malicious actions performed by malware: • Disrupting computer operations • Stealing sensitive information, including personal, business, and financial data • Unauthorized access to the victim's system • Spying on the victims • Sending spam emails • Engaging in distributed-denial-of-service attacks (DDOS) • Locking up the files on the computer and holding them for ransom

  3. Types of Malware • Virus or Worm: Malware that is capable of copying itself and spreading to other computers. A virus needs user intervention, whereas a worm can spread without user intervention. • Trojan: Malware that disguises itself as a regular program to trick users to install it on their systems. Once installed, it can perform malicious actions such as stealing sensitive data, uploading files to the attacker's server, or monitoring webcams. • Backdoor / Remote Access Trojan (RAT): This is a type of Trojan that enables the attacker to gain access to and execute commands on the compromised system. • Adware: Malware that presents unwanted advertisements (ads) to the user. They usually get delivered via free downloads and can forcibly install software on your system. • Botnet: This is a group of computers infected with the same malware (called bots), waiting to receive instructions from the command-and-control server controlled by the attacker. The attacker can then issue a command to these bots, which can perform malicious activities such as DDOS attacks or sending spam emails. • Information stealer: Malware designed to steal sensitive data such as banking credentials or typed keystrokes from the infected system. Some examples of these malicious programs include key loggers, spyware, sniffers, and form grabbers.

  4. Types of Malware (continued) • Ransomware: Malware that holds the system for ransom by locking users out of their computer or by encrypting their files. • Rootkit: Malware that provides the attacker with privileged access to the infected system and conceals its presence or the presence of other software. • Downloader or dropper: Malware designed to download or install additional malware components.

  5. History of Malware • 1949- Theories for self-replicating programs are first developed. • 1981- Apple Viruses 1, 2, and 3 are some of the first viruses that spread through pirated computer games. • 1983- Fred Cohen, while working on his dissertation, formally defines a computer virus as a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. • 1986- Pakistani Brain, the first boot sector virus, appears. • 1987- The Lehigh virus appears as one of the first viruses that infect command.com files. • 1988- Jerusalemis released into the wild to be activated every Friday the 13th, affecting.exe and .com files and deleting programs that run that day. • 1988- Cornell graduate student Robert Morris Jr. releases the now-called Morris Worm, which exploited a flaw in the UNIX operating system and spread within days to more than 6,000 computers (about 15% of the Internet at that time). • 1989 - A teenager in Sophia, Bulgaria, releases the Dark Avenger virus, which destroyed data and contained references to lyrics from metal rock band Iron Maiden.

  6. History of Malware • 1989- Several thousand floppy disks containing the AIDS Trojan, the first known ransomware, are mailed to subscribers of PC Business World magazine and a WHO AIDS conference mailing list. This DOS Trojan lies dormant for 90 boot cycles, then encrypts all filenames on the system, displaying a notice asking for $189 to be sent to a post office box in Panama in order to receive a decryption program. • 1991- Tequila, an early polymorphic virus, is launched. • 1992- The Dark Avenger Mutation Engine (DAME) is made available, which can turn almost any virus into a polymorphic virus. • 1994 - One of the first virus hoaxes appears warning of a malicious virus that will erase an entire hard drive just by opening an e-mail with the subject line Good Times. • 1995- The Word Concept virus spreads through Microsoft Word documents. • 1998 - The Chernobyl virus spreads through .exe files. • 1999- Explore.zipattacks Microsoft products. • 1999- The Melissa virus executes a macro in a document attached to an e-mail, which forwards the document to 50 people in the user’s Outlook address book.

  7. History of Malware • 2000 - The Love Bug, also known as the I Love You virus, sends itself out via Outlook and comes as a VBS attachment that overwrites files, including mp3, mp2, and .jpg files. • 2001 - The Anna Kournikova virus is released, which tricked email users into clicking on an attachment that purported to be a nude photo of Russian tennis star Kournikova. • 2001 - SirCamuses e-mail to spread across the Internet rapidly. • 2001- Code Red(s) worm their way onto hundreds of thousands of computers. • 2001- Shortly after the September 11th attacks, the Nimda virus infects hundreds of thousands of computers in the world. The virus is one of the most sophisticated to date, with as many as five different methods of replicating and infecting systems. • 2001 - BadTrans, which is designed to capture passwords and credit card information, hits the Internet. • 2002- There are more than 30,000 Web sites that provide virus programs and tools for launching attacks. • 2003- Slammerbecomes the fastest spreading worm to date, infecting 75,000 computers in approximately 10 minutes and doubling in size every 8.5 seconds.

  8. History of Malware • 2003 - Blaster and Sobig break speed records for infection rates. • 2004 - MyDoom and other viruses plague the Internet at unprecedented speeds. • 2007 - Storm Worm identified as a fast spreading email spamming threat to Microsoft systems. It begins gathering infected computers into the Storm botnet. By around June 30 it had infected 1.7 million computers, and it had compromised between 1 and 10 million computers by September. • 2008 - Computer worm Conficker infects anywhere from 9 to 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta. Microsoft sets a bounty of US$250,000 for information leading to the capture of the worm's author(s). • 2012- Flame – also known as Flamer, sKyWIper, and Skywiper – a modular computer malware that attacks computers running Microsoft Windows. Used for targeted cyber espionage in Middle Eastern countries. Its discovery was announced on 28 May 2012 by MAHER Center of Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and CrySyS Lab of the Budapest University of Technology and Economics. CrySyS stated in their report that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found"

  9. History of Malware • 2012 - Shamoon is a computer virus designed to target computers running Microsoft Windows in the energy sector and was apparently intended for cyberwarfare. • 2013 - Linux.Darllozworm targets the Internet of things and infects routers, security cameras, set-top boxes by exploiting a PHP vulnerability. • 2016 - Mirai creates headlines by launching some of the most powerful and disruptive DDoS attacks seen to date by infecting the Internet of Things. Mirai ends up being used in the DDoS attack on 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s. Ars Technica also reported a 1 Tbit/s attack on French web host OVH. On 21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dyn occurred using Mirai malware installed on a large number of IoT devices, resulting in the inaccessibility of several high-profile websites such as GitHub, Twitter, Reddit, Netflix, Airbnb and many others. • 2017 - The WannaCry ransomware attack spreads globally. Exploits revealed in the NSA hacking toolkit leak of late 2016 were used to enable the propagation of the malware. • 2018 - SonicWall Capture Labs researchers recorded a total of 5.99 billion malware attacks in the first two quarters of 2018.

  10. What is Malware Analysis? • Malware analysis is the study of malware's behavior. The objective of malware analysis is to understand the working of malware and how to detect and eliminate it. It involves analyzing the suspect binary in a safe environment to identify its characteristics and functionalities so that better defenses can be built to protect an organization's network.

  11. Why Malware Analysis? • To determine the nature and purpose of the malware. For example, it can help you determine whether malware is an information stealer, HTTP bot, spam bot, rootkit, keylogger, or RAT, and so on. • To gain an understanding of how the system was compromised and its impact. • To identify the network indicators associated with the malware, which can then be used to detect similar infections using network monitoring. For example, during your analysis, if you determine that a malware contacts a particular domain/IP address, then you can use this domain/IP address to create a signature and monitor the network traffic to identify all the hosts contacting that domain/IP address. • To extract host-based indicators such as filenames, and registry keys, which, in turn, can be used to determine similar infection using host-based monitoring. For instance, if you learn that a malware creates a registry key, you can use this registry key as an indicator to create a signature, or scan your network to identify the hosts that have the same registry key. • To determine the attacker's intention and motive. For instance, during your analysis, if you find that the malware is stealing banking credentials, then you can deduce that the motive of the attacker is monetary gain.

  12. Types of Malware Analysis • Static analysis: This is the process of analyzing a binary without executing it. It is easiest to perform and allows you to extract the metadata associated with the suspect binary. Static analysis might not reveal all the required information, but it can sometimes provide interesting information that helps in determining where to focus your subsequent analysis efforts.  • Dynamic analysis (Behavioral Analysis): This is the process of executing the suspect binary in an isolated environment and monitoring its behavior. This analysis technique is easy to perform and gives valuable insights into the activity of the binary duringits execution. This analysis technique is useful but does not reveal all the functionalities of the hostile program.  • Code analysis: It is an advanced technique that focuses on analyzing the code to understand the inner workings of the binary. This technique reveals information that is not possible to determine just from static and dynamic analysis. Code analysis is further divided into Static code analysis and Dynamic code analysis. Static code analysis involves disassembling the suspect binary and looking at the code to understand the program's behavior, whereas Dynamic code analysis involves debugging the suspect binary in a controlled manner to understand its functionality. Code analysis requires an understanding of the programming language and operating system concepts.

  13. Types of Malware Analysis • Memory analysis (Memory forensics): This is the technique of analyzing the computer's RAM for forensic artifacts. It is typically a forensic technique, but integrating it into your malware analysis will assist in gaining an understanding of the malware's behavior after infection. Memory analysis is especially useful to determine the stealth and evasive capabilities of the malware.

  14. Malware Lab • Analysis of a hostile program requires a safe and secure lab environment, as you do not want to infect your system or the production system. A malware lab can be very simple or complex depending on the resources available to you (hardware, virtualization software, Windows license, and so on). • To build malware lab, need to a physical system running a base operating system of Linux, Windows, or macOS X, and installed with virtualization software (such as VMware or VirtualBox). When analyzing the malware, you will be executing the malware on a Windows-based virtual machine (Windows VM). The advantage of using a virtual machine is that after you finish analyzing the malware, you can revert it to a clean state. • Virtual Box you can download at: https://www.virtualbox.org/wiki/Downloads

  15. Important Notes when setting up Malware Lab • Keep your virtualization software up to date. This is necessary because it might be possible for malware to exploit a vulnerability in the virtualization software, escape from the virtual environment, and infect your host system. • Install a fresh copy of the operating system inside the virtual machine (VM), and do not keep any sensitive information in the virtual machine. • While analyzing a malware, if you don't want the malware to reach out to the Internet, then you should consider using host-only network configuration mode or restrict your network traffic within your lab environment using simulated services. • Since you will be analyzing Windows malware (typically Executable or DLL), it is recommended to choose a base operating system such as Linux or macOS X for your host machine instead of Windows. This is because, even if a Windows malware escapes from the virtual machine, it will still not be able to infect your host machine.

  16. Malware Sources • Hybrid Analysis: https://www.hybrid-analysis.com/ • KernelMode.info: http://www.kernelmode.info/forum/viewforum.php?f=16 • VirusBay: https://beta.virusbay.io/ • Contagio malware dump: http://contagiodump.blogspot.com/ • AVCaesar: https://avcaesar.malware.lu/ • Malwr: https://malwr.com/ • VirusShare: https://virusshare.com/ • theZoo: http://thezoo.morirt.com/ • Lenny Zeltser's blog: https://zeltser.com/malware-sample-sources/

  17. StaticAnalysis • Static analysis is the technique of analyzing the suspect file without executing it. It is an initial analysis method that involves extracting useful information from the suspect binary to make an informed decision on how to classify or analyze it and where to focus your subsequent analysis efforts.

  18. StaticAnalysis • Identifying the malware's target architecture • Fingerprinting the malware • Scanning the suspect binary with anti-virus engines • Extracting strings, functions, and metadata associated with the file • Identifying the obfuscation techniques used to thwart analysis • Classifying and comparing the malware samples

  19. Determining the File types • During your analysis, determining the file type of a suspect binary will help you identify the malware's target operating system (Windows, Linux, and so on) and architecture (32-bit or 64-bit platforms). For example, if the suspect binary has a file type of Portable Executable (PE), which is the file format for Windows executable files (.exe, .dll, .sys, .drv, .com, .ocx, and so on), then you can deduce that the file is designed to target the Windows operating system. • Most Windows-based malware are executable files ending with extensions such as .exe, .dll, .sys, and so on. But relying on file extensions alone is not recommended. File extension is not the sole indicator of file type. Attackers use different tricks to hide their file by modifying the file extension and changing its appearance to trick users into executing it. Instead of relying on file extension, File signature can be used to determine the file type. • A file signature is a unique sequence of bytes that is written to the file's header. Different files have different signatures, which can be used to identify the type of file. The Windows executable files, also called PE files (such as the files ending with .exe, .dll, .com, .drv, .sys, and so on), have a file signature of MZ or hexadecimal characters 4D 5A in the first two bytes of the file.

  20. Identifying File Type Using Manual Method • The manual method of determining the file type is to look for the file signature by opening it in a hex editor. A hex editor is a tool that allows an examiner to inspect each byte of the file; most hex editors provide many functionalities that help in the analysis of a file. The following screenshot shows the file signature of MZ in the first two bytes when an executable file is opened with the 010 hex editor(http://www.010editor.com ):

  21. Identifying File Type Using Manual Method • On Linux systems, to look for the file signature, the xxd command can be used, which generates a hex dump of the file as shown here:

  22. Identifying File Type Using Tools • The other convenient method of determining the file type is to use file identification tools. On Linux systems, this can be achieved using the file utility. In the following example, the file command was run on two different files. From the output, it can be seen that even though the first file does not have any extension, it is detected as a 32-bit executable file (PE32) and the second file is a 64-bit (PE32+) executable: • $ file secret

  23. Identifying File Type Using Tools • $ file notepad.exe • On Windows, CFF Explorer, part of Explorer Suite (http://www.ntcore.com/exsuite.php), can be used to determine the file type; it is not just limited to determining file type. It is also a great tool for inspecting executable files (both 32-bit and 64-bit) and allows you to examine the PE internal structure, modify fields, and extract resources.

  24. FingerprintingtheMalware Fingerprinting involves generating the cryptographic hash values for the suspect binary based on its file content. The cryptographic hashing algorithms such as MD5, SHA1 or SHA256 are considered the de facto standard for generating file hashes for the malware specimens. The following list outlines the use of cryptographic hashes: • Identifying a malware specimen based on filename is ineffective because the same malware sample can use different filenames, but the cryptographic hash that is calculated based on the file content will remain the same. Hence, a cryptographic hash for your suspect file serves as a unique identifier throughout the course of analysis. • During dynamic analysis, when malware is executed, it can copy itself to a different location or drop another piece of malware. Having the cryptographic hash of the sample can help in identifying whether the newly dropped/copied sample is the same as the original sample or a different one. This information can assist you in deciding whether the analysis needs to be performed on a single sample or multiple samples.

  25. FingerprintingtheMalware • File hash is frequently used as an indicator to share with other security researchers to help them identify the sample. • File hash can be used to determine whether the sample has been previously detected by searching online or searching the database of multi Anti-virus scanning service like VirusTotal.

  26. Generating Cryptographic Hash Using Tools • On a Linux system, file hashes can be generated using the md5sum, sha256sum, and sha1sum utilities: • $ md5sum notepad.exe $ sha256sum notepad.exe $ sha1sum notepad.exe For Windows, various tools for generating file hashes can be found online. HashMyFiles (http://www.nirsoft.net/utils/hash_my_files.html) is one such tool that generates hash values for single or multiple files, and it also highlights identical hashes with same colors. In the following screenshot, it can be seen that log.exe and bunny.exe are the same samples based on their hash values:

  27. Scanning the Suspect Binary with VirusTotal • VirusTotal (http://www.virustotal.com) is a popular web-based malware scanning service. It allows you to upload a file, which is then scanned with various anti-virus scanners, and the scan results are presented in real time on the web page. In addition to uploading files for scanning, the VirusTotal web interface provides you the ability to search their database using hash, URL, domain, or IP address. VirusTotal offers another useful feature called VirusTotal Graph, built on top of the VirusTotal dataset. Using VirusTotal Graph, you can visualize the relationship between the file that you submit and its associated indicators such as domains, IP addresses, and URLs. It also allows you to pivot and navigate over each indicator; this feature is extremely useful if you want to quickly determine the indicators associated with a malicious binary. For more information on VirusTotal Graph, refer to the documentation:  https://www.virustotal.com/graph//drawer/node-summary/node/ned01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/1540883908767 • File size limitation of VirusTotal is 256MB.

  28. Scanning with PEStudio Note: Indicators, Strings, Overlay, Virustotals

  29. Scanning with PPEE Note: AppManifest, Registry, Suspicious, UNICODE, URL

  30. Few factors/risksto consider when scanning a binary with Anti-Virus scanners • If a suspect binary does not get detected by the Anti-Virus scanning engines, it does not necessarily mean that the suspect binary is safe. These anti-virus engines rely on signatures and heuristics to detect malicious files. The malware authors can easily modify their code and use obfuscation techniques to bypass these detections. • When you upload a binary to a public site, the binary you submit may be shared with third parties and vendors. The suspect binary may contain sensitive, personal, or proprietaryinformation specific to your organization, so it is not advisable to submit a binary that is part of a confidential investigation to public anti-virus scanning services. Most web-based antivirus scanning services allow you to search their existing database of scanned files using cryptographic hash values (MD5, SHA1, or SHA256). • When you submit a binary to the online antivirus scanning engines, the scan results are stored in their database, and most of the scan data is publicly available and can be queried later. Attackers can use the search feature to querythe hash of their sample to check whether their binary has been detected. Detection of their sample may cause the attackers to change their tactics to avoid detection.

  31. Extracting Strings • Strings are ASCII and Unicode-printable sequences of characters embedded within a file. Extracting strings can give clues about the program functionality and indicators associated with a suspect binary. For example, if a malware creates a file, the filename is stored as a string in the binary. Or, if a malware resolves a domain name controlled by the attacker, then the domain name is stored as a string. Strings extracted from the binary can contain references to filenames, URLs, domain names, IP addresses, attack commands, registry keys, and so on. Although strings do not give a clear picture of the purpose and capability of a file, they can give a hint about what malware is capable of doing.

  32. String Extraction Using Tools • The strings command, by default, extracts the ASCII strings that are at least four characters long. • With the -a option it is possible to extract strings from the entire file. • To extract Unicode strings using the strings command, use the -el option. • PEStudio and PPEE can extract strings.

  33. Decoding Obfuscated Strings Using FLOSS • Most of the times, malware authors use simple string obfuscation techniques to avoid detection. In such cases, those obfuscated strings will not show up in the strings utility and other string extraction tools. FireEye Labs Obfuscated String Solver (FLOSS) is a tool designed to identify and extract obfuscated strings from malware automatically. It can help you determine the strings that malware authors want to hide from string extraction tools. FLOSS can also be used just like the strings utility to extract human-readable strings (ASCII and Unicode). You can download FLOSS for Windows or Linux from https://github.com/fireeye/flare-floss.. • If you are only interested in the decoded/stack strings and want to exclude the static strings • (ASCII and Unicode) from the FLOSS output, then provide it the --no-static-stringsswitch.

  34. Determining File Obfuscation • Even though string extraction is an excellent technique to harvest valuable information, often malware authors obfuscate or armor their malware binary. Obfuscationis used by malware authors to protect the inner workings of the malware from security researchers, malware analysts, and reverse engineers. These obfuscation techniques make it difficult to detect/analyze the binary; extracting the strings from such binary results in very fewer strings, and most of the strings are obscure. Malware authors often use programs such as Packersand Cryptorsto obfuscate their file to evade detection from security products such as anti-virus and to thwart analysis.

  35. Packers and Cryptors • A Packer is a program that takes the executable as input, and it uses compression to obfuscate the executable's content. This obfuscated content is then stored within the structure of a new executable file; the result is a new executable file (packed program) with obfuscated content on the disk. Upon execution of the packed program, it executes a decompression routine, which extracts the original binary in memory during runtime and triggers the execution. • A Cryptor is similar to a Packer, but instead of using compression, it uses encryption to obfuscate the executable's content, and the encrypted content is stored in the new executable file. Upon execution of the encrypted program, it runs a decryption routine to extract the original binary in the memory and then triggers the execution.

  36. Detecting File Obfuscation Using Exeinfo PE • Most legitimate executables do not obfuscate content, but some executables may do it to prevent others from examining their code. When you come across a sample that is packed, there is a high chance of it being malicious. To detect packers on Windows, you can use a freeware tool such as Exeinfo PE 0.51(http://www.exeinfo.xn.pl/); it has an easy-to-use GUI. It uses more than 4,526 signatures (stored in userdb.txt in the same directory) to detect various compilers, packers, or cryptors utilized to build the program. In addition to detecting Packers, another interesting feature of Exeinfo PE is that it gives information/references on how to unpack the sample. RDG Packer Detector Detect it Easy PEiD Protection ID TrID

  37. PE Header/Structure • Windows executables must conform to the PE/COFF (Portable Executable/ Common Object File Format). The PE file format is used by the Windows executable files (such as .exe, .dll, .sys, .ocx, and .drv) and such files are generally called Portable Executable (PE) files. The PE file is a series of structures and sub-components that contain the information required by the operating system to load it into memory. • When an executable is compiled, it includes a header (PE header), which describes its structure. When the binary is executed, the operating system loader reads the information from the PE header and then loads the binary content from the file into the memory. The PE header contains information such as wherethe executable needs to be loaded into memory, the address where the execution starts, the list of libraries/functions on which the application relies on, and the resourcesused by the binary. • An In-Depth Look into the Win32 Portable Executable File Format – Part 1: • http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1 • An In-Depth Look into the Win32 Portable Executable File Format – Part 2: • http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part2

  38. Tools to examine and modify the PE structure • CFF Explorer: • http://www.ntcore.com/exsuite.php • PE Internals: • http://www.andreybazhan.com/pe-internals.html • PPEE(puppy): • https://www.mzrst.com/ • PEBrowse Professional: • http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html

  39. Inspecting File Dependencies and Imports • Usually, malware interacts with the file, registry, network, and so on. To perform such interactions, malware frequently depends on the functions exposed by the operating system. Windows exports most of its functions, called Application Programming Interfaces (API), required for these interactions in Dynamic Link Libary (DLL) files. Executables import and call these functions typically from various DLLs that provide different functionality. The functions that an executable imports from other files (mostly DLLs) are called imported functions (or imports). • For example, if a malware executable wants to create a file on disk, on Windows, it can use an API CreateFile(), which is exported in kernel32.dll. To call the API, it first has to load kernel32.dll into its memory and then call the CreateFile() function.

  40. Inspecting File Dependencies and Imports

  41. Inspecting File Dependencies and Imports • The malware imports network related API functions (such as connect, socket, listen, send, and so on) from wsock32.dll, indicating that the malware, upon execution, will most likely connect to the Internet or perform some network activity. pestudio highlights the API functions that are frequently used by malwares in the blacklisted column. • Sometimes, malware can load a DLL explicitly during runtime using API calls such as LoadLibrary() or LdrLoadDLL(), and it can resolve the function address using the GetProcessAdress() API. Information about the DLLs loaded during runtime will not be present in the import table of the PE file and therefore will not be displayed by the tools.

  42. Inspecting Exports • The executable and DLL can export functions, which can be used by other programs. Typically, a DLL exports functions (exports) that are imported by the executable. A DLL cannot run on its own and depends on a host process for executing its code. An attacker often creates a DLL that exports functions containing malicious functionality. To run the malicious functions within the DLL, it is somehow made to be loaded by a process that calls these malicious functions. DLLs can also import functions from other libraries (DLLs) to perform system operations.

  43. Examining PE Section Table And Sections • The section representing code contains instructions that will be executed by the processor, whereas the section containing data can represent different types of data, such as read/write program data (global variables), import/export tables, resources, and so on. Each section has a distinct name that conveys the purpose of the section. • For example, a section with name .text indicates code and has an attribute of read-execute; a section with name .data indicates global data and has an attribute of read-write.

  44. Examining PE Section Table And Sections

  45. Examining PE Section Table And Sections

  46. Examining PE Section Table And Sections

  47. Examining the Compilation Timestamp • The PE header contains information that specifies when the binary was compiled; examining this field can give an idea of when the malware was first created. This information can be useful in building a timeline of the attack campaign. It is also possible that an attacker modifies the timestamp to prevent an analyst from knowing the actual timestamp.

  48. Examining PE Resources • The resources required by the executable file such as icons, menu, dialog, and stringsare stored in the resource section (.rsrc) of an executable file. Often, attackers store information such as additional binary, and decoy documents, configuration data in the resource section, so examining the resource can reveal valuable information about a binary. Resource Hacker (www.angusj.com/resourcehacker) is a great tool to examine, view, and extract the resource from a suspect binary.

  49. Comparing And Classifying The Malware • During your malware investigation, when you come across a malware sample, you may want to know whether the malware sample belongs to a particular malware family or if it has characteristics that match with the previously analyzed samples. Comparing the suspect binary with previously analyzed samples or the samples stored in a public or private repository can give an understanding of the malware family, its characteristics, and the similarity with the previously analyzed samples. • While cryptographic hashing (MD5/SHA1/SHA256) is a great technique to detect identical samples, it does not help in identifying similar samples. Very often, malware authors change minute aspects of malware, which changes the hash value completely.

  50. Comparing And Classifying The Malware • Fuzzy hashing is a great method to compare files for similarity. ssdeep (http://ssdeep.sourceforge.net) is a useful tool to generate the fuzzy hash for a sample, and it also helps in determining percentage similarity between the samples. This technique is useful in comparing a suspect binary with the samples in a repository to identify the samples that are similar; this can help in identifying the samples that belong to the same malware family or the same actor group.

More Related