Basic Malware Analysis
Albert Hui, GCFA, CISA
albert.hui@gmail.com
Goals
• Present tools and techniques for preliminary malware analysis
• Introduce the model and mindset for beginning reverse engineering
• Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on
Copyright © 2007 Albert Hui
Terminology
• Malware – malicious software
• Virus – infects a host program to reproduce
• Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom)
• Trojan – malicious program disguised as harmless; 木馬 (Chinese usage) != trojan, but == backdoor
• Backdoor – remote control software
• Rootkit – covers up a backdoor and forensic evidence (e.g. Sony XCP Rootkit)
• Spyware – calls home
Black-Box Examination
• Snapshot Observation
• Behavioral Tracing
• Sandboxing
Snapshot Observation
• Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.)
• Pros: gathers a consistent big picture; some information is only uncovered by static analysis
• Cons: can lose sight of small/transient changes; difficult to cover every avenue
Snapshot Observation Tools (runtime)
• Process/Thread: Process Explorer
• Windows Objects: WinObj, OpenedFilesView
Snapshot Observation Tools (static)
• Executable: XN Resource Editor
• File: hexplorer, FileAlyzer
Snapshot Observation Tools (executable)
• PEBrowse, Dependency Walker, PEiD
• Dumper: LordPE, Universal Extractor, RL!depacker
• Decompiler/Disassembler: IDA Pro, OllyDbg/OllyICE, JAD, Spices.Decompiler
Behavioral Tracing
• Includes debugging, tracing, network traffic analysis, etc.
• Pros: detailed time-domain information; can drill down to the system call level
• Cons: can lose sight of the big picture; difficult to cover every avenue
Behavioral Tracing Tools
• Process/Thread/File/Registry Tracing: ProcMon
• Network Tracing: TCPView, TDImon, Wireshark
• Debugger: OllyDbg/OllyICE, SoftICE
Sandboxing
• Containment of execution in a protected environment
• One kind of virtualization; shares techniques with virtual machines, honeypots/tarpits, and forceful uninstallers
• Sandboxing can occur at various levels: network, application, OS, down to bare metal
• Pros: total coverage possible; local containment of harm
• Cons: difficult to discern incremental changes
Sandboxing Tools
• Machine Level: VMware
• OS Level: Altiris SVS, PowerShadow, ShadowUser
• Application Level: Sandboxie
• Network Level: Honeyd
Demo
1. Use FileAlyzer to determine the file type.
2. Rename to .exe, use Dependency Walker to determine functions.
3. Use PEiD to detect the signature – UPX packed.
4. Use Universal Extractor to unpack the file.
5. Use Dependency Walker to determine functions.
6. Use FileAlyzer to read embedded strings.
7. Detach the network, use Sandboxie to execute the file.
8. Use Wireshark and ProcMon, execute the file again.
9. Use OllyDbg to understand program flow – the program connects to a server on port 6667.
10. Set up our own IRC server, edit the hosts file on the guest to fool the malware into connecting to it.
11. Try out commands found in the embedded strings.
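The static half of the demo (typing the file by its magic bytes rather than its extension, spotting the UPX packer from section names, pulling embedded strings and flagging the IRC and port 6667 indicators) as an added example that is not part of the original deck. The PE walker is a minimal hand-written one, and the sample image is constructed inline; it is not a real executable.

```python
import re
import struct

# Constructed sample standing in for the demo's packed IRC bot: a minimal PE
# skeleton with UPX section names and a few embedded strings appended. It is
# not a real program and cannot execute; it only exercises the triage logic.
def build_sample_pe():
    e_lfanew = 0x80
    dos_header = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    names = [b"UPX0", b"UPX1", b".rsrc"]
    opt_size = 224  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, opt_size, 0x010F)
    optional = struct.pack("<H", 0x010B).ljust(opt_size, b"\x00")  # PE32 magic, rest zeroed
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in names)  # 40-byte entries
    embedded = [b"NICK bot1", b"USER bot1 0 0 :bot", b"JOIN #chan", b"PRIVMSG",
                b"irc.example.invalid:6667", b"!ping"]
    return dos_header + b"PE\x00\x00" + coff + optional + table + b"\x00".join(embedded) + b"\x00"

MZ, PE_SIG = b"MZ", b"PE\x00\x00"

def file_type(data):
    """Type by magic bytes rather than extension (the FileAlyzer step)."""
    if data[:2] != MZ:
        return "unknown"
    if len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIG:
            return "PE executable"
    return "MZ (DOS) executable"

def section_names(data):
    """Walk the COFF header to the section table and return the section names."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != PE_SIG:
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    names = []
    for i in range(nsections):
        entry = table + i * 40
        names.append(data[entry:entry + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names

def packer_hint(names):
    """Section-name check in the spirit of PEiD: UPX leaves UPX0/UPX1 behind."""
    return "UPX" if any(n.startswith("UPX") for n in names) else None

def extract_strings(data, min_len=4):
    """Printable ASCII runs, the view FileAlyzer's strings pane gives."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

IRC_MARKERS = ("NICK ", "USER ", "JOIN #", "PRIVMSG", ":6667")

def irc_indicators(strings):
    """Strings that point at IRC command-and-control, as in the demo."""
    return [s for s in strings if any(marker in s for marker in IRC_MARKERS)]

def triage(data):
    report = {"type": file_type(data), "sections": [], "packer": None, "irc": []}
    if report["type"] == "PE executable":
        report["sections"] = section_names(data)
        report["packer"] = packer_hint(report["sections"])
    report["irc"] = irc_indicators(extract_strings(data))
    return report

if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

On a genuinely UPX-packed sample the IRC strings are only visible after the unpack step, so run the strings pass on the unpacked image.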
Process-Based Malware
• e.g. BO2K, Sub7, Netbus, 冰河, 灰鴿子
• Technically equivalent to VNC, Remote Desktop, pcAnywhere, etc.
Tricks of Process-Based Malware
• Melting – deletes its installer, or deletes itself entirely from disk
• Sticky Process – multiple execution units reviving each other
• Sticky Image – reinstalls itself upon system shutdown
• Anti-detection (免殺):
  • Polymorphism – packing/encryption or other superficial changes
  • Metamorphism – radically changing the code, including 加花 (addition of fake signatures)
Stealthy Malware
The 2nd Generation
Processless (無進程) Malware
• Parasite Approach (exists only as threads): DLL attachment, CreateRemoteThread, code injection, detour patching
• Rootkit Approach (hides the process): hooking, DKOM
Vulnerabilities of Rootkits
• Communications can always be captured on external network links
• It always changes the OS:
  • compare observations with known-good states
  • compare observations from different approaches (e.g. Linux ls vs. opendir())
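The cross-view idea on this slide applied to process lists instead of directory listings, as an added Linux example that is not from the deck: one view reads /proc with readdir() (the path ls, and most process viewers, take and the one a hook usually intercepts), the other asks the kernel about every candidate PID directly with kill(pid, 0); a PID only the second view can see, that is still absent on a re-scan and is a real thread-group leader rather than a bare thread ID, is a candidate hidden process. Assumes Linux with /proc mounted.

```python
import os

PROC = "/proc"  # assumes Linux with procfs mounted

def procfs_view():
    """View 1: PIDs as reported by readdir() on /proc."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}

def probe_view(max_pid):
    """View 2: ask the kernel about every candidate PID with kill(pid, 0).
    Signal 0 delivers nothing; it only reports whether the PID exists.
    EPERM means the process exists but belongs to another user."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def is_thread_group_leader(pid):
    """kill(tid, 0) also succeeds for bare thread IDs, which readdir() on /proc
    never lists, so only a PID whose Tgid equals itself counts as a process."""
    try:
        with open("%s/%d/status" % (PROC, pid)) as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False  # already gone, or not readable (e.g. hidepid): nothing provable
    return False

def cross_view(max_pid=None):
    """Diff the two views and return them together with the PIDs the kernel
    confirms but readdir() omits, after discarding threads and processes
    that merely started or exited between the two scans."""
    if max_pid is None:
        with open(PROC + "/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    readdir_pids = procfs_view()
    kernel_pids = probe_view(max_pid)
    candidates = kernel_pids - readdir_pids
    recheck = procfs_view()  # a PID listed now just raced the first scan
    hidden = {p for p in candidates if p not in recheck and is_thread_group_leader(p)}
    return {"readdir": readdir_pids, "kernel": kernel_pids, "hidden": hidden}

def self_check():
    """Sanity check of both views against this very process: if 'visible' is
    False, one of the views is broken or being tampered with."""
    me = os.getpid()
    result = cross_view(max_pid=me + 64)  # small range keeps the probe fast
    result["visible"] = me in result["readdir"] and me in result["kernel"]
    return result

if __name__ == "__main__":
    result = cross_view()
    print("readdir sees %d PIDs, kernel confirms %d" % (len(result["readdir"]), len(result["kernel"])))
    for pid in sorted(result["hidden"]):
        print("possible hidden process: PID %d" % pid)
```

The same diff against a third view (for example the PIDs referenced by /proc/*/task or by a live network socket table) raises the bar further, because a rootkit has to hook every path consistently.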
Rootkit Detection Tools
• Rootkit Detection: 冰刃 IceSword, DarkSpy, GMER
Conclusion
• First perform static analysis
• Then let the malware loose in a contained environment
• Drill down with expert knowledge to further fool the malware into doing more
