Part 1: Basic Analysis
Chapter 1: Basic Static Techniques
Chapter 2: Malware Analysis in Virtual Machines
Chapter 3: Basic Dynamic Analysis
Static analysis
Examine payload without executing it to determine function and maliciousness
• Done via scanning content
File signatures
Common code or data used across malware instances
• e.g. embedded URL strings, decryptor code
Examples
• Strings search on metadata, errors, constants
• Regular expression searches
• Hashing (e.g. MD5, SHA)
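The strings search, regular-expression matching and hashing steps on this slide, worked as a small Python triage script. This is an added example, not code from the textbook or the course; the sample buffer and the regex patterns are constructed for illustration, and the wide-string scan goes slightly beyond the slide by also pulling UTF-16LE strings, which a plain ASCII scan misses.

```python
import hashlib
import re

# Constructed sample buffer standing in for a suspicious binary (not a real
# file): an ASCII URL, a UTF-16LE registry path (the form Windows PEs often
# store strings in), some non-printable filler, and an IPv4 address.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"http://example.invalid/update.php\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00\x7f\x01\x02\x03"
    + b"10.0.0.5\x00ab\x00"
)

# Illustrative patterns only; real signature sets are far larger.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
AUTORUN_RE = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)


def file_hashes(data: bytes) -> dict[str, str]:
    """MD5/SHA-1/SHA-256 of the whole file, the usual lookup keys for a sample."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Like the `strings` tool: printable ASCII runs plus UTF-16LE runs,
    which an ASCII-only scan misses because of the interleaved NUL bytes."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def find_indicators(strings: list[str]) -> dict[str, list[str]]:
    """Apply the regex signatures to the extracted strings."""
    hits: dict[str, list[str]] = {"urls": [], "ips": [], "autorun_keys": []}
    for s in strings:
        hits["urls"] += URL_RE.findall(s)
        hits["ips"] += IPV4_RE.findall(s)
        if AUTORUN_RE.search(s):
            hits["autorun_keys"].append(s)
    return hits


if __name__ == "__main__":
    print("hashes:", file_hashes(SAMPLE))
    strs = extract_strings(SAMPLE)
    print("strings:", strs)
    print("indicators:", find_indicators(strs))
```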
Signatures generated via analysis
Artifacts revealed by binary
• Tools for dumping linked libraries
  • Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
  • Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)
• Disassemblers
But…
Astronomical growth in signatures
Coverage by a single tool is difficult
Cloud-based anti-virus
• http://www.virustotal.com
  • Bought by Google
  • But, public service that allows attacker to know when their malware has been uploaded and identified!
  • Can use private malware sandbox analysis (VMRay)
Malware counter-measures
Obfuscation
• Code execution is hidden by author to make static analysis difficult
Packing
• Code compressed and encrypted to completely thwart static analysis (Figure 1-4)
• Code to unpack binaries is common, however
  • Some can be identified (PEiD)
Polymorphism and metamorphism
• Code transformed into equivalent, but different form to thwart static signatures
• Example: Mimikatz (Metasploit module to do weaponized credential theft on Windows)
  • From 54/54 (100% detection) to 4/54 when replacing ‘mimikatz’ with ‘kitikatz’ and recompiling
  • AV with signatures is now completely dead
Chapter 2: Malware Analysis on VMs
Chapter 3: Basic Dynamic Analysis
Malware and VMs
Most malware must be executed in order to analyze it
• Requires a safe environment
VirtualBox, VMware
• Host-only networking to monitor network traffic
• Snapshots and roll-back
• Record and replay execution
Sandboxes
Simpler alternative to VMs
Behavior isolation and coarse-grained tracking of malware execution
• File system activity
• Registry activity
• Network activity
• Examples: GFI Sandbox, Norman SandBox
Always use a sandbox or VM to analyze malware
But, can be subtle
• FireEye anti-virus (12/2015)
  • Static analysis of Java byte-code via a Java decompiler (JODE), so did not run in a VM
  • But, did not realize decompiler executed byte code as well
  • Instant remote code execution
  • AV now *worse* than no AV
Monitoring execution
Procmon (Sysmon)
• www.sysinternals.com
• Combines process, file, and registry monitoring to track execution behavior
• Spits out XML on events, allows one to reconstruct process tree
Process Hacker (http://processhacker.sourceforge.net/)
• Process (memory) monitoring
Process Explorer
• Verify running process against the disk executable image
• Determine if malicious documents are launching new processes
Regshot
• Flag changes in registry
Monitoring execution
ApateDNS
• Capture DNS requests and modify replies
• More comprehensive follow-on tool: FakeNet-NG
  • https://github.com/fireeye/flare-fakenet-ng/releases
Netcat
• Proxying and emulating connections
Wireshark
• Packet capturing tool
INetSim
• Simulate common Internet services
Tools in action
See p. 57 in text (msts.exe)
• Set up tools (process/network/registry monitoring, set up VMs, server emulation) – Fig. 3-12
• Contacts web site (the textbook's) – ApateDNS
• Creates new file (winhlp2.exe) – procmon
• Modifies registry to autorun – Regshot
• Creates a mutex to ensure only a single execution – Process Explorer
• Contacts a server over port 443 (https), but does not speak SSL – INetSim
• Speaks a custom protocol – Wireshark
In-class exercises
• Lab 1-1, Lab 1-2
• Lab 3-2, Lab 3-4