Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering
Objectives Analyzing a worm or a virus Provide a method to eliminate How to prevent from infection in future?
Overview Introduction Definition of Malware Definition of MalwareTechniques Lab Scenario Hands-on analysis of Beagle.J Hands-on analysis of Beagle.J
Introduction to Malware How? Forms of Malware Detection Techniques
Forms of Malware VirusTrojansWormsSpywareAdware
Detection Techniques Integrity Checking Static Anti-Virus (AV) Scanners Signature-based Signature-basedStrings Regular expressions Static behavior analyzer Static behavior analyzer Dynamic Anti-Virus Scanners Behavior Monitors Behavior Monitors
Malware Analysis Techniques VMWare Multiple Operating System Multiple Operating System Creates network between host and guest systems Creates network between host and guest systems Self-contained files Self-contained files Can transfer virtual machines to other PCs.vmx – configuration file.vmdk – image of hard disk
Lab Scenario Static Analysis BinText BinText Extracts strings from code IDA Pro IDA ProDissembler USD 399/user UPX UPX UPX compression/decompression
BinText Extracts strings from executables Reveals clues: IRC Commands, SMTP commands, registry keys IRC Commands, SMTP commands, registry keys
IDA Pro Disassembles executables into assembly instructions Easy-to-use interface Separates subroutines, creates variable names, color- coded Separates subroutines, creates variable names, color- coded
UPX Decompression Executable packer commonly used by virus writers Can compress wide range of files Windows PE executables, DOS executables, DOS COM files, and many more Windows PE executables, DOS executables, DOS COM files, and many more To unpack: upx.exe -d -o dest.exe source.exe upx.exe -d -o dest.exe source.exe
Decompressed Output
Process Observation Tools Process Explorer Monitor processes Monitor processesFileMon Monitor file operations Monitor file operationsRegMon Monitor operations on registry Monitor operations on registryRegshot Take snapshot of registry and filesProcDump Dump code from memory
Beagle.J Capabilities Registry/Run on startup Copies into folders containing “shared” Sends copies by Backdoor
Conclusion As you have seen there are various ways for an attacker to get malicious code to execute on remote computers We have only scratched on the surface, there are much more to learn and discover
Questions ? References Images Images Softwares Softwares BinText – IDA Pro – UPX –