Homework tar file

dareh
Presentation Transcript


  1. Homework tar file
     - 8 binaries (each in ELF and PE formats)
     - Password binaries (*_p0, *_p1, *_p2, *_p3)
       - Execute binary, enter in correct password to get solution
       - Submit solution on corresponding D2L quiz
     - Unlock code binaries (*_c0, *_c1, *_c2, *_c3)
       - Execute binary with proper integer argument to get solution
       - Submit solution on corresponding D2L quiz

  2. Part 1: Basic Analysis
     - Chapter 1: Basic Static Techniques
     - Chapter 2: Malware Analysis in Virtual Machines
     - Chapter 3: Basic Dynamic Analysis

  3. Chapter 1: Basic Static Techniques

  4. Scanning
     - Statically analyze a payload to determine its maliciousness
     - Recall Aitel 2011 USENIX Security talk

  5. File signatures
     - Common code or data used across malware instances, e.g. embedded URL strings, decryptor code
     - Signatures
       - Hashing (e.g. MD5, SHA)
       - Strings: search on metadata, errors, constants
     - Polymorphism and metamorphism are easy for an adversary to deploy
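As an added example (not from the lecture slides or the textbook), here is the signature-style triage slide 5 describes in a few lines of Python: hash a file image, pull out its printable strings, sort them into the categories the slide names (URLs, error text, library references), and show why an exact-hash signature fails against the polymorphism the slide warns about. The sample bytes, the URL and the offset flipped are all constructed for the demonstration.

```python
# Added example (not from the lecture slides): basic static triage of a file
# image, along the lines of slide 5: hash it, pull out printable strings, and
# show why a hash signature breaks as soon as one byte changes.
import hashlib
import re

# Constructed sample "binary": an MZ header, some code-like bytes, and a few
# embedded strings of the kind slide 5 mentions (URL, error text, constants).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x55\x8b\xec\x83\xec\x08"                # code-like bytes (push ebp; ...)
    + b"http://example.invalid/update.php\x00"   # constructed URL, not a real one
    + b"Error: invalid key\x00"
    + b"kernel32.dll\x00CreateFileW\x00"
    + b"\x01\x02\x03\x04"
)

def file_hashes(data: bytes) -> dict:
    """Hex digests usable as exact-match signatures (slide 5: MD5, SHA)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

URL_RE = re.compile(r"https?://[^\s\x00\"']+")

def interesting_strings(data: bytes) -> dict:
    """Sort the extracted strings into the categories slide 5 lists."""
    found = printable_strings(data)
    return {
        "urls": [s for s in found if URL_RE.search(s)],
        "errors": [s for s in found if s.lower().startswith("error")],
        "dll_refs": [s for s in found if s.lower().endswith(".dll")],
    }

def hash_survives_byte_flip(data: bytes, offset: int) -> bool:
    """Always False for a cryptographic hash: a single byte changed by a
    polymorphic engine defeats an exact-hash signature, which is the
    weakness slide 5 points at."""
    mutated = bytearray(data)
    mutated[offset] ^= 0xFF
    return file_hashes(bytes(mutated))["sha256"] == file_hashes(data)["sha256"]

if __name__ == "__main__":
    print(file_hashes(SAMPLE))
    print(interesting_strings(SAMPLE))
    print("hash survives a one-byte change:", hash_survives_byte_flip(SAMPLE, 40))
```

The string extraction is the same idea as the `strings` utility; the hash check is what makes the polymorphism point concrete, since the `strings` output of the mutated copy would be unchanged while every hash differs.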

  6. Packing and obfuscation
     - Obfuscation: code whose execution is hidden by the author
     - Packing: obfuscated code in which programs are compressed and encrypted to prevent static analysis (Figure 1-4)
       - Prevents file signatures from working
       - Example: UPX
     - Code to unpack binaries is common, however
       - Can be identified (PEiD)

  7. Analyzing executables
     - PE (Windows), ELF (Linux)
     - Tools for dumping linked libraries
       - Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)
       - Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
     - Function naming convention in Windows
       - CreateWindowEx: "Ex" refers to the new version
       - CreateDirectoryW: "W" refers to wide character strings vs. ASCII
       - See MSDN
     - Note: a short function list is an indication of a packed binary
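As an added example covering slides 6 and 7 (not from the lecture or the textbook, and not how PEiD or PEView work internally), the script below applies two packing heuristics without running the sample: section entropy (compressed or encrypted UPX-style sections look nearly random) and the short import list the slide mentions, plus a decoder for the "Ex"/"W"/"A" API naming convention. The section bytes and import lists are constructed stand-ins for what a PE parser would return; the thresholds are assumptions chosen for illustration.

```python
# Added example (not from the lecture slides): two heuristics from slides 6-7
# for spotting a packed binary without running it, plus the Windows API naming
# convention the slide describes. It works on section data and import names
# that would normally come from a PE parser such as PEView or pefile; here
# they are constructed inline so the script runs stand-alone.
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (all identical) up to 8.0 (uniformly random).
    Compressed or encrypted sections, as produced by UPX-style packers,
    sit close to the top of that range; ordinary x86 code sits around 5-6.5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def normalize_api_name(name: str) -> dict:
    """Decode the suffix convention from slide 7: 'W'/'A' marks the wide/ANSI
    character variant, 'Ex' marks the extended version of an older call.
    Heuristic: a trailing W/A only counts when preceded by a lowercase letter."""
    base, charset, extended = name, None, False
    if base.endswith(("W", "A")) and len(base) > 1 and base[-2].islower():
        charset = "wide" if base[-1] == "W" else "ansi"
        base = base[:-1]
    if base.endswith("Ex"):
        extended = True
        base = base[:-2]
    return {"base": base, "charset": charset, "extended": extended}

def packing_indicators(sections: dict, imports: list,
                       entropy_threshold: float = 7.0,
                       min_imports: int = 10) -> list:
    """Return the reasons a sample looks packed (empty list = no indicator).
    Thresholds are assumed values for this demonstration."""
    reasons = []
    for sec_name, data in sections.items():
        ent = shannon_entropy(data)
        if ent > entropy_threshold:
            reasons.append(f"section {sec_name} entropy {ent:.2f} > {entropy_threshold}")
    if len(imports) < min_imports:
        reasons.append(f"only {len(imports)} imports (slide 7: short list suggests packing)")
    # UPX leaves its own section names behind.
    if {"UPX0", "UPX1"} <= set(sections):
        reasons.append("UPX section names present")
    # An unpacking stub resolves everything else itself, so these two are all it needs.
    bases = {normalize_api_name(i)["base"] for i in imports}
    if {"LoadLibrary", "GetProcAddress"} <= bases and len(imports) < min_imports:
        reasons.append("LoadLibrary+GetProcAddress with few imports: typical unpacking stub")
    return reasons

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed section."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed samples: a "normal" binary with varied but structured code, and a
# packed one with two UPX sections and the minimal import set.
NORMAL_SECTIONS = {".text": bytes(range(256)) * 4 + b"\x55\x8b\xec" * 300,
                   ".data": b"\x00" * 512}
NORMAL_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "RegOpenKeyExA",
                  "RegSetValueExA", "CreateWindowExW", "MessageBoxW", "ExitProcess",
                  "GetModuleHandleA", "LoadLibraryA", "GetProcAddress"]
PACKED_SECTIONS = {"UPX0": b"", "UPX1": pseudo_random_bytes(4096)}
PACKED_IMPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"]

if __name__ == "__main__":
    print("normal:", packing_indicators(NORMAL_SECTIONS, NORMAL_IMPORTS))
    print("packed:", packing_indicators(PACKED_SECTIONS, PACKED_IMPORTS))
    print(normalize_api_name("CreateDirectoryW"), normalize_api_name("CreateWindowEx"))
```

Neither indicator is proof on its own: a legitimately compressed resource section also scores high on entropy, and a tiny utility can have few imports. The point of combining them, as the slides do with PEiD plus an import listing, is that packed samples usually trip several at once.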

  8. File signature coverage
     - Astronomical growth in signatures
     - Coverage by a single tool is difficult
     - Cloud-based anti-virus: http://www.virustotal.com

  9. Chapter 2: Malware Analysis on VMs
     Chapter 3: Basic Dynamic Analysis

  10. Malware and VMs
     - Most malware must be executed in order to analyze it
     - Requires a safe environment
     - VMware
       - Host-only networking to monitor network traffic
       - Snapshots and roll-back
       - Record and replay execution

  11. Sandboxes
     - Behavior isolation and coarse-grained tracking of malware execution
       - File system activity
       - Registry activity
       - Network activity
     - Examples: GFI Sandbox, Norman SandBox

  12. Executing malware
     - Executable: directly launching or via debugger
     - Malicious DLLs: rundll32.exe

  13. Monitoring execution
     - Procmon (www.sysinternals.com)
       - Combines FileMon and RegMon to track execution behavior
     - Process Explorer
       - Free tool from Microsoft to verify a running process against the disk executable image
       - Useful for determining if malicious documents are launching new processes
     - Regshot
       - Flag changes in registry

  14. Monitoring execution
     - ApateDNS: free tool from Mandiant to see DNS requests from malware and modify replies
     - Netcat: useful for proxying and emulating connections to malware
     - Wireshark: packet capturing tool
     - INetSim: Linux tool to simulate common Internet services
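As an added example (not from the lecture slides, and not ApateDNS or INetSim code), the script below implements the core of what slide 14 says ApateDNS does: it parses the question in a DNS query and answers every A lookup with an analyst-chosen address, so the sample's follow-on connection lands on a monitored lab host instead of the real server. The query bytes, the queried name and the answer IP are constructed; binding the responder to a UDP socket on port 53 is left out so the script runs offline.

```python
# Added example (not from the lecture slides, not ApateDNS/INetSim code): the
# core of a DNS sinkhole as slide 14 describes it. Parses the question of a
# DNS query and builds a response whose A record points at a lab address.
# The query below is constructed; the name and IP are hypothetical.
import struct

def parse_qname(packet: bytes, offset: int) -> tuple:
    """Decode a label-sequence name; returns (name, offset after the name)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:           # compression pointers do not occur in questions
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def parse_query(packet: bytes) -> dict:
    """Pull out the transaction id and the first question of a DNS query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount < 1:
        raise ValueError("query carries no question")
    name, off = parse_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": packet[12:off + 4]}

def sinkhole_response(packet: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Build a response: same id, copy of the question, one A record -> answer_ip.
    Non-A queries get an empty NOERROR answer; the goal is only to redirect the
    TCP/UDP traffic that follows the lookup, as slide 14 describes."""
    q = parse_query(packet)
    is_a_query = q["qtype"] == 1 and q["qclass"] == 1
    flags = 0x8180                                   # QR=1, RD=1, RA=1, NOERROR
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 1 if is_a_query else 0, 0, 0)
    answer = b""
    if is_a_query:
        rdata = bytes(int(part) for part in answer_ip.split("."))
        # 0xC00C is a pointer to the name at offset 12 (the question we copied).
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + q["question"] + answer

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed helper: encode a query the way a stub resolver would."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def answered_ip(response: bytes) -> str:
    """Read the A record back out of a sinkhole_response, for logging/checking."""
    _, off = parse_qname(response, 12)
    off += 4                                        # skip qtype/qclass
    _ptr, _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", response[off:off + 12])
    rdata = response[off + 12:off + 12 + rdlen]
    return ".".join(str(b) for b in rdata)

if __name__ == "__main__":
    # Constructed lookup of the kind a sample makes before contacting its server.
    query = build_query("malware-c2.example.invalid")
    print("sample asked for:", parse_query(query)["name"])
    resp = sinkhole_response(query, "192.0.2.10")   # hypothetical lab host running INetSim/netcat
    print("answered with:", answered_ip(resp))
```

Logging `parse_query(...)["name"]` for every packet gives the same observation ApateDNS provides (which hostnames the sample resolves), and pointing the answer at the host running INetSim or a netcat listener is what lets the later slides capture the custom protocol in Wireshark.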

  15. Tools in action
     - See p. 57 in text: msts.exe
       - Contacts web site (the textbook's) – ApateDNS
       - Creates new file (winhlp2.exe) – procmon
       - Modifies registry to autorun – regshot
       - Creates a mutex to ensure only a single execution – Process Explorer
       - Contacts a server over port 443 (https), but does not speak SSL – INetSim
       - Speaks a custom ASCII protocol – Wireshark
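As an added example (not from the lecture slides or the Practical Malware Analysis labs), here is a small triage pass over Process Monitor output that flags the behaviours slide 15 lists: dropping a file into a system directory, adding an autorun key, starting a child process, and connecting out on port 443. The CSV lines are constructed to resemble procmon's default export columns; the sample name, paths and address are hypothetical placeholders, not the textbook's msts.exe trace.

```python
# Added example (not from the lecture slides or the textbook labs): triage of
# Process Monitor CSV output for the behaviours slide 15 attributes to procmon
# and regshot. All log lines below are constructed; the process name, file
# paths and IP address are placeholders.
import csv
import io
import re

# Constructed procmon export (header row as in procmon's "Save as CSV").
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","CreateFile","C:\\Windows\\System32\\winhlp2.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: Create"
"10:01:02.2","sample.exe","1234","WriteFile","C:\\Windows\\System32\\winhlp2.exe","SUCCESS","Offset: 0, Length: 36,864"
"10:01:02.3","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinHelp","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\\Windows\\System32\\winhlp2.exe"
"10:01:02.4","sample.exe","1234","Process Create","C:\\Windows\\System32\\winhlp2.exe","SUCCESS","PID: 1300, Command line: winhlp2.exe"
"10:01:03.0","winhlp2.exe","1300","TCP Connect","lab-vm:49152 -> 192.0.2.10:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:03.1","explorer.exe","900","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:03.2","sample.exe","1234","CreateFile","C:\\Users\\analyst\\AppData\\Local\\Temp\\log.txt","SUCCESS","Desired Access: Generic Read"
"""

# Registry locations that make a program start automatically (the "modifies
# registry to autorun" finding regshot would surface as a diff).
AUTORUN_KEYS = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\|\\Services\\[^\\]+\\ImagePath$",
    re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^C:\\(Windows|Program Files)", re.IGNORECASE)

def parse_procmon(text: str) -> list:
    """One dict per event, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(events: list) -> list:
    """Return (category, process, path) tuples for the suspicious events."""
    findings = []
    for e in events:
        op, path, detail = e["Operation"], e["Path"], e["Detail"]
        if op == "CreateFile" and "Generic Write" in detail and SYSTEM_DIRS.match(path):
            findings.append(("dropped_file", e["Process Name"], path))
        elif op == "RegSetValue" and AUTORUN_KEYS.search(path):
            findings.append(("autorun_persistence", e["Process Name"], path))
        elif op == "Process Create":
            findings.append(("child_process", e["Process Name"], path))
        elif op == "TCP Connect" and path.endswith(":443"):
            # Slide 15: 443 without SSL is a hint to look at the bytes in Wireshark.
            findings.append(("outbound_443", e["Process Name"], path))
    return findings

def processes_of_interest(findings: list) -> set:
    """Every process name that produced at least one finding, including
    children the sample spawned, so Process Explorer can be pointed at them."""
    return {proc for _, proc, _ in findings}

if __name__ == "__main__":
    for finding in triage(parse_procmon(PROCMON_CSV)):
        print(finding)
```

Procmon captures tens of thousands of events in a short run, so a filter like this is the scripted form of the procmon filter rules the labs have you set by hand; the read-only Temp file access and explorer.exe's own registry read are left out on purpose to show that the rules key on write access and on the specific persistence paths.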

  16. In-class exercises
     - Lab 1-1
       - Show the results of virustotal.com
       - In PEView, show the timestamps
       - Show the list of imported system library calls. From these calls, what might this executable be doing?
       - Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?
       - Show where the malware is attempting to create its malicious file
     - Lab 1-2
       - Show the results of virustotal.com
       - In PEView, show the sections that contain the packed executable code
       - Run UPX to unpack the code and load the unpacked executable in PEView
       - Show the functions imported from Wininet.dll. What might this executable be doing?
       - Show the URL the malware connects to in memory

  17. In-class exercises
     - Lab 3-2
       - Find the functions this DLL exports (Figure 3-5L)
       - Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?
       - Use strings to reconstruct the URL being requested
       - Set up Regshot and Process Explorer before running rundll32 to install this malware's service. Using Regshot, show whether or not the DLL installed its registry key.
     - Lab 3-4
       - Copy the binary to the Desktop and run it. What happens?
       - Examine the binary's strings using a tool of your choice to find the cmd.exe command used
       - Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L
