Investigating Malicious Software Steve Romig The Ohio State University April 2002.


1 Investigating Malicious Software
  Steve Romig, The Ohio State University, April 2002

2 Malware Analysis
– Got a piece of *something*; what does it do?
– In our case, an email attachment
– Not recognized by the "usual" anti-virus scanners

3 Run UNIX "strings"
– Sometimes useful, sometimes misleading
– Do Google searches on what turns up
– Try to determine what it does from symbol names, included libraries, include files, etc.
– Nothing useful here, that I remember – self-extracting UPX file

4 Try Running It
– Danger, Danger!! It might do "Bad Things"(tm)
  – To the computer it is running on
  – To other computers
  – Tip off the perpetrators?

5 So, You Should...
– Create a clean test machine...
– Detached from the network...
– Run the malware there
– Don't reuse this machine for other tests
  – Hard to figure out which changes are due to which malware
  – Might screw up subsequent tests

6 VMWare!
– Create a virtual machine
– Install the host operating system, patches, and applications as needed
– *Make a snapshot* of the virtual disk
– Squirrel your snapshots away somewhere

7 VMWare (continued)
– To create a clone:
  – make a directory
  – restore the files
  – change the config as needed
  – boot
– I use a read-only "airlock" with host-only access to pass files back and forth.

8 Run the Malware
– No net access, of course
– System and library call tracers
– lsof, HandleEx
– filemon, regmon (Windows only)
– tcpdump, ethereal

9 In Our Case
– Malware makes some registry changes
– Installs something that starts at login
– Apparently checks a web site every minute

10 Create a Fake Network
– Attempts to resolve an IP address
  – We create a fake DNS entry, try again
– Attempts to connect to tcp/80 at that IP
  – Web traffic? Create a fake web server, try again
– Attempts to download nethief_connect.htm
  – Search the real web site (found it, but risky)
  – Search on the web (Google)
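To make the fake-network step concrete, here is an added example (not from the talk) of a minimal sinkhole for a detached lab host: a DNS responder that answers every A query with the analysis host's own address, plus a web server that just records what the sample asks for (the download attempt for nethief_connect.htm would show up in its log). The lab address 10.0.0.1 and the listen ports are assumptions.

```python
# Fake-network sinkhole for a detached malware lab (added example): answer every
# DNS A query with the analysis host's own IP and log what the sample then asks
# the fake web server for (e.g. the nethief_connect.htm download from the talk).
import socket, struct, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LAB_IP = "10.0.0.1"   # assumption: the analysis host's host-only address
REQUEST_LOG = []      # (client_ip, path) pairs the fake web server has seen

def parse_qname(query):
    """Return (dotted name, offset just past QNAME) for a DNS query packet."""
    labels, pos = [], 12                  # the fixed DNS header is 12 bytes
    while query[pos] != 0:
        length = query[pos]
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), pos + 1

def build_dns_reply(query, answer_ip=LAB_IP, ttl=60):
    """NOERROR response: A/IN queries get one answer pointing at answer_ip,
    any other type gets an empty answer section."""
    name, pos = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    answer = b""
    if qtype == 1 and qclass == 1:
        # name pointer to offset 12, type A, class IN, TTL, rdlength 4, address
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    # flags 0x8180 = response, recursion desired and available; 1 question
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + query[12:pos + 4] + answer, name

class LoggingHandler(BaseHTTPRequestHandler):
    """Fake web server: record who asked for what, hand nothing back."""
    def do_GET(self):
        REQUEST_LOG.append((self.client_address[0], self.path))
        self.send_response(404)
        self.end_headers()

def serve_dns(bind=("0.0.0.0", 53)):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        query, peer = sock.recvfrom(512)
        reply, name = build_dns_reply(query)
        print(f"DNS: {peer[0]} asked for {name}, answered {LAB_IP}")
        sock.sendto(reply, peer)

if __name__ == "__main__":   # ports 53/80 need root; run on the detached lab host
    threading.Thread(target=serve_dns, daemon=True).start()
    HTTPServer(("0.0.0.0", 80), LoggingHandler).serve_forever()
```

Point the guest's DNS at the lab host, and every name the sample resolves lands on the fake web server, whose REQUEST_LOG then tells you which path it was after.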

11 Google, Babelfish are Your Friends!
– Got the zip file (finally)
– It has a readme! (let's see)
– Install the application (let's see)
– The application web site is down :-(

12 Google Caching, Archive.org to the Rescue!
– Google caches pages that it has indexed, which can be useful
– Archive.org caches pages (when?)
– It is (unfortunately) messy dealing with pages cached in archive.org that need to be translated

13 What Does This Thing Do - Attacker End
– Install, run the application
– Configure
  – web site
  – ftp address, account, password for updating the web site
– Updates the web site once a minute with the current IP
– Create the trojan
– Infect someone

14 What Does This Thing Do - Victim End
– Get infected :-)
– Runs at login
– Checks the web site once a minute
– Sends "hey, I'm here" traffic to the indicated IP address
  – Shows up on the attacker's console

15 Attacker Selects a Target
– Click on it in the list of active victims
– Inserts instructions on the web site
– Intended victim downloads the instructions, connects to tcp/80 on the host where the console is currently running
– Can now read, write, modify any file

16 Interesting Notes
– Works "just fine" behind firewalls (the victim makes the outbound tcp/80 connection, so nothing has to reach it from outside)
– There appear to be virus populations that are "known" to only parts of the Internet.

