Homework
- tar file
- 8 binaries (each in ELF and PE formats)
- Password binaries (*_p0, *_p1, *_p2, *_p3)
  - Execute binary, enter in correct password to get solution
  - Submit solution on corresponding D2L quiz
- Unlock code binaries (*_c0, *_c1, *_c2, *_c3)
  - Execute binary with proper integer argument to get solution
  - Submit solution on corresponding D2L quiz
Part 1: Basic Analysis
- Chapter 1: Basic Static Techniques
- Chapter 2: Malware Analysis in Virtual Machines
- Chapter 3: Basic Dynamic Analysis
Scanning
- Statically analyze payload to determine its maliciousness
- Recall Aitel 2011 USENIX Security talk
File signatures
- Common code or data used across malware instances
  - e.g. embedded URL strings, decryptor code
- Signatures
  - Hashing (e.g. MD5, SHA)
  - Strings search on metadata, errors, constants
- Polymorphism and metamorphism are easy for an adversary to deploy
Packing and obfuscation
- Obfuscation: code whose behavior is deliberately hidden by its author
- Packing: obfuscated code in which programs are compressed and encrypted to prevent static analysis (Figure 1-4)
  - Prevents file signatures from working
  - Example: UPX
  - Code to unpack binaries is common, however
    - Can be identified (PEiD)
Analyzing executables
- PE (Windows), ELF (Linux)
- Tools for dumping linked libraries
  - Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)
  - Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
- Function naming convention in Windows
  - CreateWindowEx: "Ex" refers to the new version of the function
  - CreateDirectoryW: "W" refers to wide character strings vs. ASCII
  - See MSDN
- Note: a short function list is an indication of a packed binary
File signature coverage
- Astronomical growth in signatures
- Coverage by a single tool is difficult
- Cloud-based anti-virus
  - http://www.virustotal.com
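As an added example (not from the slides or the textbook), a small Python triage script that performs the static steps described above on a byte buffer: hashing the sample for signature/VirusTotal lookup, pulling ASCII and wide (UTF-16LE, the "W" API convention) strings, picking out URLs, DLL and API names, and flagging the two packing indicators mentioned (UPX section names and a short function list). The sample bytes, the example.com URL and the threshold of 10 are constructed assumptions; a real file would be read with open(path, "rb").

```python
import hashlib
import re

# Constructed sample bytes standing in for a binary under static triage.
# Not a real executable: it only mimics the kinds of artifacts the slides
# mention (hash input, embedded URL, DLL/API names, UPX section names).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"          # packer section names
    + b"kernel32.dll\x00CreateDirectoryW\x00\x00"          # import-like names
    + "http://www.example.com/beacon".encode("utf-16-le")  # wide (UTF-16LE) URL
    + b"\x00\x00\x01\x02\x03CreateWindowEx\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # UTF-16LE runs ("W" APIs)
URL_RE = re.compile(r"https?://\S+")
DLL_RE = re.compile(r"^\S+\.dll$", re.IGNORECASE)
API_RE = re.compile(r"^[A-Z][A-Za-z]+(?:Ex|W|A)$")  # Windows API suffix convention

def hashes(data: bytes) -> dict:
    """Digests used as file signatures and for VirusTotal-style lookups."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha256")}

def extract_strings(data: bytes) -> list:
    """Equivalent of `strings`: ASCII runs plus UTF-16LE (wide) runs of 4+ chars."""
    ascii_strs = [m.decode("ascii") for m in ASCII_RE.findall(data)]
    wide_strs = [m.decode("utf-16-le") for m in WIDE_RE.findall(data)]
    return ascii_strs + wide_strs

def triage(data: bytes) -> dict:
    """Basic static triage: hashes, interesting strings and packing hints."""
    strs = extract_strings(data)
    apis = [s for s in strs if API_RE.match(s)]
    return {
        "hashes": hashes(data),
        "urls": [s for s in strs if URL_RE.match(s)],
        "dlls": [s for s in strs if DLL_RE.match(s)],
        "apis": apis,
        # Heuristic packing indicators from the slides: UPX section names,
        # and a suspiciously short list of recognisable API names (threshold assumed).
        "packer_hint": any(s.startswith("UPX") for s in strs),
        "short_import_hint": len(apis) < 10,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```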
Chapter 2: Malware Analysis on VMs
Chapter 3: Basic Dynamic Analysis
Malware and VMs
- Most malware must be executed in order to be analyzed
- Requires a safe environment
- VMware
  - Host-only networking to monitor network traffic
  - Snapshots and roll-back
  - Record and replay execution
Sandboxes
- Behavior isolation and coarse-grained tracking of malware execution
  - File system activity
  - Registry activity
  - Network activity
- Examples: GFI Sandbox, Norman SandBox
Executing malware
- Executable: launch directly or via a debugger
- Malicious DLLs: rundll32.exe
Monitoring execution
- Procmon (www.sysinternals.com)
  - Combines FileMon and RegMon to track execution behavior
- Process Explorer
  - Free tool from Microsoft to verify a running process against its on-disk executable image
  - Useful for determining if malicious documents are launching new processes
- Regshot
  - Flags changes in the registry
Monitoring execution
- ApateDNS
  - Free tool from Mandiant to see DNS requests from malware and modify replies
- Netcat
  - Useful for proxying and emulating connections to malware
- Wireshark
  - Packet capturing tool
- INetSim
  - Linux tool to simulate common Internet services
Tools in action
- See p. 57 in text: msts.exe
  - Contacts web site (the textbook's) – ApateDNS
  - Creates new file (winhlp2.exe) – procmon
  - Modifies registry to autorun – regshot
  - Creates a mutex to ensure only a single execution – Process Explorer
  - Contacts a server over port 443 (https), but does not speak SSL – INetSim
  - Speaks a custom ASCII protocol – Wireshark
In-class exercises
- Lab 1-1
  - Show the results of virustotal.com
  - In PEView, show the timestamps
  - Show the list of imported system library calls. From these calls, what might this executable be doing?
  - Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?
  - Show where the malware is attempting to create its malicious file
- Lab 1-2
  - Show the results of virustotal.com
  - In PEView, show the sections that contain the packed executable code
  - Run UPX to unpack the code and load the unpacked executable in PEView
  - Show the functions imported from Wininet.dll. What might this executable be doing?
  - Show the URL the malware connects to in memory
In-class exercises
- Lab 3-2
  - Find the functions this DLL exports (Figure 3-5L)
  - Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?
  - Use strings to reconstruct the URL being requested
  - Set up Regshot and Process Explorer before running rundll32 to install this malware's service. Using Regshot, show whether or not the DLL installed its registry key.
- Lab 3-4
  - Copy the binary to the Desktop and run it. What happens?
  - Examine the binary's strings using a tool of your choice to find the cmd.exe command used
  - Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L