170 likes | 301 Views
Malware Analysis. Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel. Georgia Institute of Technology School of Electrical and Computer Engineering. Objectives. Analyzing a worm or a virus Provide a method to eliminate How to prevent from infection in future?. Overview. Introduction
E N D
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering
Objectives • Analyzing a worm or a virus • Provide a method to eliminate • How to prevent from infection in future?
Overview • Introduction • Definition of Malware • Techniques • Lab Scenario • Hands-on analysis of Beagle.J
Introduction to Malware • How? • Forms of Malware • Detection Techniques
Forms of Malware • Virus • Trojans • Worms • Spyware • Adware
Detection Techniques • Integrity Checking • Static Anti-Virus (AV) Scanners • Signature-based • Strings • Regular expressions • Static behavior analyzer • Dynamic Anti-Virus Scanners • Behavior Monitors
Malware Analysis Techniques • VMWare • Multiple Operating System • Creates network between host and guest systems • Self-contained files • Can transfer virtual machines to other PCs • .vmx – configuration file • .vmdk – image of hard disk
Lab Scenario • Static Analysis • BinText • Extracts strings from code • IDA Pro • Dissembler • USD 399/user • UPX • UPX compression/decompression
BinText • Extracts strings from executables • Reveals clues: • IRC Commands, SMTP commands, registry keys
IDA Pro • Disassembles executables into assembly instructions • Easy-to-use interface • Separates subroutines, creates variable names, color-coded
UPX Decompression • Executable packer commonly used by virus writers • Can compress wide range of files • Windows PE executables, DOS executables, DOS COM files, and many more • To unpack: • upx.exe -d -o dest.exe source.exe
Process Explorer Monitor processes FileMon Monitor file operations RegMon Monitor operations on registry Regshot Take snapshot of registry and files ProcDump Dump code from memory Process Observation Tools
Beagle.J Capabilities • Registry/Run on startup • Copies into folders containing “shared” • Sends copies by email • Backdoor
Conclusion • As you have seen there are various ways for an attacker to get malicious code to execute on remote computers • We have only scratched on the surface, there are much more to learn and discover
Questions ? • References • Images • http://www.microsoft.com • http://www.symantec.com • Softwares • BinText – http://www.foundstone.com • IDA Pro – http://www.datarescue.com • UPX – http://upx.sourgeforce.net