
1 Topic 7 Malware Analysis Basics

2 Contents
Goals of Malware Analysis
Types of Malware
Malware Analysis Techniques
Basic Static Analysis
Basic Dynamic Analysis
Operations of Antivirus Program

3 Goals of Malware Analysis
To understand how a specific piece of malware works so that defenses can be built to protect the network, and to develop signatures (indicators) that detect infections on hosts and on the network. Host-based signatures detect malicious code on victim computers by identifying the files the malware creates or modifies and the specific changes it makes to the registry. Network signatures detect malicious code by monitoring network traffic for the domains, addresses and protocol patterns the malware uses.

4 Types of Malware Backdoor - Malicious code that installs itself on a computer to let the attacker access the system and execute commands on it, bypassing normal security controls. Botnet (zombie army) - A set of Internet-connected computers infected with malicious code so that they all receive instructions from a single command-and-control server. Downloader - Malicious code that exists only to download other malicious code; it is typically installed first, when the attacker gains initial access, and then fetches the real payload.

5 Types of Malware Rootkit - Malicious code designed to hide the existence of certain processes or programs (e.g. a backdoor) from normal methods of detection and to keep privileged access to the computer. Worm - A self-replicating program that spreads to other computers across a network on its own. Virus - A self-replicating program that reproduces by attaching copies of its code to other executable code.

6 Malware Analysis Techniques
There are two fundamental approaches to malware analysis: static and dynamic. Static (code) analysis examines the code or structure of a program to determine its function without running it. Dynamic (behavioral) analysis runs the malware and observes its behavior on the system. The two are complementary: static analysis tells you what the program could do, dynamic analysis shows what it actually did in one run. Before running malware, you must set up an environment that lets you study the running sample without damaging your system or network.

7 Basic Static Analysis Typical techniques for gathering information about a malware sample: using antivirus tools to confirm maliciousness; using hashes to fingerprint the sample; detecting and unpacking packed malware; gathering information from the file's strings, functions (imports) and headers.

8 Basic Static Analysis - Antivirus Scanning
Antivirus scanners rely on file signatures of known malicious code, plus behavioral and pattern-matching analysis (heuristics), to identify suspect files. Definition files contain signatures for malware that has already been encountered. Heuristics allow an antivirus program to identify new or modified types of malware even without a matching definition. Because the various antivirus programs use different signatures and heuristics, it is useful to run several different antivirus programs against the same suspect file. A clean result does not prove a file is benign: new or repacked malware routinely evades every engine for a while.

9 Basic Static Analysis - Antivirus Scanning
VirusTotal allows you to upload a file for scanning by multiple antivirus engines at once. Search for the file's hash first: if the sample is already known you get the results without uploading anything, and uploading a sample from a targeted intrusion shares it with the service and can tip off the attacker that it has been found.

10 BASIC STATIC ANALYSIS - HASHING
The malware file is run through a hash function, which produces a digest that uniquely identifies that file; the hash serves as a fingerprint. Message-Digest Algorithm 5 (MD5, 128-bit) has historically been the hash most commonly used for malware analysis, and Secure Hash Algorithm 1 (SHA-1, 160-bit) is also popular. Both are broken against collision attacks (an attacker can craft two different files with the same digest), so record SHA-256 alongside them; MD5 and SHA-1 remain useful mainly as labels for looking up existing reports. Tools available: md5deep, WinMD5, sha256sum (Linux), certutil -hashfile <file> SHA256 (Windows).

11 BASIC STATIC ANALYSIS - HASHING
The hash of a malware sample can be used as a label to identify the sample, shared with other analysts so they can recognise the same sample, and searched for online to see whether the sample has already been identified. Note that a hash matches only a byte-identical file: a recompiled or repacked variant has a different hash.
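The fingerprinting workflow above, as an added example that is not part of the original slides: hash a sample once in chunks with MD5, SHA-1 and SHA-256 together, look the digests up in a (constructed) feed of known-bad hashes, and show why a one-bit change defeats hash-based indicators. The sample bytes and the feed are constructed for the example.

```python
import hashlib
import io
from typing import BinaryIO

# Constructed stand-in for a file under analysis (not a real sample).
SAMPLE = b"MZ\x90\x00" + b"abc" * 10 + b"\x00" * 16

def fingerprint_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> dict:
    """Read the input once in chunks and feed every chunk to MD5, SHA-1 and SHA-256.

    Chunking keeps memory flat for large samples; producing all three digests in one
    pass gives the labels that other analysts, sandboxes and online services key on.
    """
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    while chunk := stream.read(chunk_size):
        for h in digests.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}

def fingerprint(data: bytes, chunk_size: int = 1 << 20) -> dict:
    return fingerprint_stream(io.BytesIO(data), chunk_size)

def match_known(fp: dict, known: dict) -> list:
    """Labels of known samples whose digest equals any of ours.

    `known` is a constructed intel feed shaped {hex_digest: label}; real feeds mix
    algorithms, so matching is on the digest value regardless of algorithm or case.
    """
    return sorted({label for digest, label in known.items() if digest.lower() in fp.values()})

def flip_byte(data: bytes, index: int = 0) -> bytes:
    """Change a single bit; every digest changes, which is why a hash only ever
    identifies a byte-identical copy of a sample, never a recompiled or repacked variant."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE)
    for name, digest in fp.items():
        print(f"{name:6} {digest}")
    feed = {fp["sha256"].upper(): "constructed-family-A"}   # pretend the sample was already reported
    print("match on original:", match_known(fp, feed))
    print("match after one-bit change:", match_known(fingerprint(flip_byte(SAMPLE)), feed))
```

Run it as a script to see the three digests and the two lookups; the second lookup comes back empty, which is the brittleness the slide warns about and the reason hashes are only one indicator among several.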


13 BASIC STATIC ANALYSIS - PACKED MALWARE
To make their files harder to detect and analyze, malware authors use packing or obfuscation. Packers are programs that compress (and often encrypt) an executable on disk and restore the original executable image in memory when the packed file is loaded. Example: UPX. A packed file reveals few strings and almost no imports, so packed malware must be unpacked before static analysis can tell you much.

14 BASIC STATIC ANALYSIS - PACKED MALWARE
When a packed program is run, a small wrapper program (the unpacking stub) runs first, decompresses the original executable into memory and then transfers control to it. Because the stub resolves the original program's imports itself at run time, a packed program often imports little more than LoadLibrary and GetProcAddress.
[Figure: packed executable = wrapper program + packed copy of the original executable (its strings, visible code and data)]

15 BASIC STATIC ANALYSIS - PACKED MALWARE
PEiD and ExeInfo PE are two popular packer detectors; they match the entry-point bytes and section names against known packer signatures. [Screenshot: the detector reporting the file as packed]

16 BASIC STATIC ANALYSIS - STRING SEARCHING
Strings in an executable are typically stored either as ASCII (1 byte per character) or as Unicode in the UTF-16 form Windows uses (2 bytes per character for the common case). A program contains strings if it prints a message, connects to a website (URL), copies a file to a specific location, and so on. Searching the strings is a simple way to get hints about the functionality of a program; a very short string list usually means the file is packed. Tool: Windows Sysinternals Strings, which reports both ASCII and Unicode strings.

17 BASIC STATIC ANALYSIS - STRING SEARCHING
Results of running Strings against a file:
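A string extractor in the spirit of the Strings utility, as an added example rather than code from the slides or from Sysinternals: it finds printable ASCII runs and UTF-16LE runs (the two encodings the slide describes), keeps their file offsets, and tags each hit with the kind of hint an analyst looks for. The input blob, the minimum length of 4, and the small list of "interesting" API names are constructed choices for the example.

```python
import re

# Constructed blob standing in for a binary: header bytes, an ASCII URL, a UTF-16LE path
# (as Windows stores "wide" strings), noise too short to report, and an API name. Not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://example.com/update.bin\x00\x00\x00"
    + "C:\\Windows\\Temp\\svc.exe".encode("utf-16-le") + b"\x00\x00\x00"
    + b"\x01\x02ab\x03"
    + b"URLDownloadToFileA\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")   # printable ASCII as UTF-16LE code units

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, kind, text) for every printable run of at least min_len characters,
    ASCII and Unicode alike, in file order. Offsets let you jump to the bytes in a hex
    editor or disassembler to see what code references them."""
    found = []
    for m in ASCII_RUN.finditer(data):
        if len(m.group()) >= min_len:
            found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RUN.finditer(data):
        if len(m.group()) // 2 >= min_len:
            found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    return sorted(found)

# Starter set of Win32 API names worth a second look when they appear as strings.
INTERESTING_APIS = {"URLDownloadToFileA", "URLDownloadToFileW", "LoadLibraryA", "GetProcAddress",
                    "CopyFileA", "FindFirstFileA", "FindNextFileA"}

def classify(text: str) -> str:
    """Rough hint about what a string is, to sort the interesting ones from the noise."""
    if re.match(r"https?://", text):
        return "url"
    if re.match(r"[A-Za-z]:\\", text):
        return "file path"
    if text.upper().startswith(("HKEY_", "HKLM\\", "HKCU\\", "SOFTWARE\\")):
        return "registry key"
    if text in INTERESTING_APIS:
        return "api name"
    return "other"

def triage(data: bytes, min_len: int = 4) -> list:
    """[(kind, text, hint)] for every extracted string, in file order."""
    return [(kind, text, classify(text)) for _, kind, text in extract_strings(data, min_len)]

if __name__ == "__main__":
    for kind, text, hint in triage(SAMPLE):
        print(f"{kind:8} {hint:13} {text}")
```

Two things the output makes visible that the slide does not: the path only shows up because the Unicode scan is on (an ASCII-only scan sees one-character fragments), and the run-length filter is what keeps instruction bytes that happen to be printable out of the listing.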

18 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
The Portable Executable (PE) format is a file format for executables, object code, DLLs, used in 32-bit and 64-bit versions of Windows operating systems. PE files begin with a header that includes information about the code, the type of application, required library functions, and space requirements. Nearly every file with executable code that is loaded by Windows is in the PE file format. So the information in the PE header is of great value to the malware analyst.

19 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
PE header information:
Imports - Functions from other libraries that the malware uses
Exports - Functions the executable makes available to other programs
Time Date Stamp - When the executable was compiled
Sections - Names of the sections in the file and their sizes
Resources - Strings, icons, menus and other data embedded in the malware

20 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
[Figure: Microsoft PE file format layout]

21 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
The most useful piece of information about an executable is often the list of functions it imports. Imports are functions used by one program but stored in a different file, such as code libraries (DLLs) containing functionality common to many programs. A library can be connected to the main executable by static linking, runtime linking or dynamic linking. Dynamic linking is the most common, and only dynamically linked imports appear in the PE header; functions resolved at run time with LoadLibrary and GetProcAddress do not, which is one reason packed and obfuscated malware shows so few imports.

22 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
When libraries (DLLs) are dynamically linked, the operating system locates and loads the necessary libraries when the program is loaded. If a program imports the function URLDownloadToFile, for example, one can guess that it connects to the Internet to download a file to the local system. Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree of all dependent modules together with the functions imported from each.

23 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
[Screenshot: using Dependency Walker on a malware sample; the functions imported from KERNEL32.DLL include CopyFile, FindFirstFile and FindNextFile, which together suggest the program searches for files and copies them]

24 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
Common DLLs:
Kernel32.dll - Memory management, input/output operations, process and thread creation, and synchronization functions
Gdi32.dll - Primitive drawing functions for output to video displays and printers
User32.dll - Creates and manipulates the standard elements of the Windows user interface, such as the desktop, windows and menus
Advapi32.dll - Access to functionality including the Windows registry, shutting down or restarting the system (or aborting a shutdown), starting, stopping and creating Windows services, and managing user accounts

25 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
Searching for functions on MSDN online

26 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
[Screenshot: using PEview to analyze malware; the tool shows the metadata in the PE headers and the sections, which contain useful information]

27 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
Common sections in a PE file:
.text - Contains the executable code
.rdata - Read-only data; import and export information usually lives here (some compilers put it in separate .idata and .edata sections instead)
.data - Global data accessed throughout the program
.rsrc - Resources needed by the program, such as icons, images, menus and strings
Section names are only a convention: a packer can name its sections anything (UPX uses UPX0 and UPX1), and a section full of compressed or encrypted data looks close to random.

28 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
Using PEBrowse Professional to disassemble the .text section of a malware

29 BASIC STATIC ANALYSIS - PORTABLE EXECUTABLE FILE FORMAT
Using PEBrowse Professional to view the .rsrc section of a program
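The header walk the PE slides describe (DOS header, PE signature, COFF header with its timestamp, section table, import directory) as an added example that is not code from the slides or from PEview, PEBrowse or Dependency Walker. Because no real sample can ship with the page, the block also contains a small builder that assembles two constructed PE32 files: a plain downloader-like one importing URLDownloadToFileA, and a UPX-style one with UPX0/UPX1 sections, a near-random section and only LoadLibraryA/GetProcAddress imports, which ties the packer-detection slides to what the header actually shows. Section alignment, the fixed timestamp (2012-05-01) and the packer heuristics (UPX names, entropy above 7.0, a tiny import table) are choices made for the example; the parser handles PE32 import thunks only.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 mean compressed or encrypted (packed) content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def rva_to_offset(rva: int, sections: list) -> int:
    for s in sections:  # map a relative virtual address to a file offset through the section table
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return rva - s["vaddr"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")
def read_cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table -> import directory (PE32 thunks)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # DOS header field pointing at "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    data_dirs = opt + (96 if magic == 0x10B else 112)           # start of the 16 data directories
    imp_rva = struct.unpack_from("<I", data, data_dirs + 8)[0]  # directory entry 1 = import table
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr,
                         "entropy": round(entropy(data[rptr:rptr + rsize]), 2)})
    imports, off = {}, (rva_to_offset(imp_rva, sections) if imp_rva else None)
    while off is not None:                                       # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not (ilt or name_rva or iat):
            break
        funcs, thunk = [], rva_to_offset(ilt or iat, sections)
        while entry := struct.unpack_from("<I", data, thunk)[0]:  # 4-byte thunks, hence PE32 only
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000
                         else read_cstr(data, rva_to_offset(entry, sections) + 2))  # +2 skips the hint
            thunk += 4
        imports[read_cstr(data, rva_to_offset(name_rva, sections))] = funcs
        off += 20
    return {"machine": machine, "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "sections": sections, "imports": imports}

def packer_hints(report: dict) -> list:
    """Cheap signs of packing: packer section names, near-random sections, a tiny import table."""
    hints = [f"packer section name {s['name']}" for s in report["sections"] if s["name"].startswith("UPX")]
    hints += [f"high-entropy section {s['name']} ({s['entropy']})" for s in report["sections"] if s["entropy"] > 7.0]
    funcs = {f for fs in report["imports"].values() for f in fs}
    if len(funcs) <= 3 and {"LoadLibraryA", "GetProcAddress"} <= funcs:
        hints.append("import table is little more than LoadLibraryA/GetProcAddress")
    return hints

# Builder for constructed PE32 fixtures (not real malware): headers in the first 0x200 bytes, sections
# 0x200-aligned on disk and 0x1000-aligned in memory, import data in a final .rdata section.
def build_imports(base_rva: int, imports: dict) -> bytes:
    buf, descs = bytearray(20 * (len(imports) + 1)), []       # descriptor array first, then the rest
    for dll, funcs in imports.items():
        thunks = []
        for f in funcs:
            thunks.append(base_rva + len(buf))
            buf += b"\0\0" + f.encode() + b"\0"                 # IMAGE_IMPORT_BY_NAME: hint + name
        ilt = base_rva + len(buf)
        buf += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4
        iat = base_rva + len(buf)
        buf += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4
        descs.append((ilt, 0, 0, base_rva + len(buf), iat))
        buf += dll.encode() + b"\0"
    for i, d in enumerate(descs):
        struct.pack_into("<IIIII", buf, 20 * i, *d)
    return bytes(buf)

def build_pe(sections: list, imports: dict, timestamp: int) -> bytes:
    align = lambda n, a: (n + a - 1) // a * a
    rva, raw, hdrs, body = 0x1000, 0x200, b"", b""
    for name, blob in sections + [(".rdata", None)]:
        if blob is None:
            blob, import_dir = build_imports(rva, imports), (rva, 20 * (len(imports) + 1))
        size = align(len(blob), 0x200)
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), rva, size, raw, 0, 0, 0, 0, 0x60000020)
        body += blob.ljust(size, b"\0")
        rva, raw = rva + align(size, 0x1000), raw + size
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections) + 1, timestamp, 0, 0, 224, 0x0102)
    opt = (struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)       # Magic, NumberOfRvaAndSizes
           + b"\0" * 8 + struct.pack("<II", *import_dir)).ljust(224, b"\0")      # data directory 1 = imports
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + body

# Two fixtures "compiled" on 2012-05-01: a plain downloader-like file and a UPX-style packed one.
PLAIN = build_pe([(".text", (b"\x55\x8b\xec\x90\xc3" * 103)[:512])],
                 {"KERNEL32.dll": ["CreateFileA", "WriteFile", "VirtualAlloc"],
                  "urlmon.dll": ["URLDownloadToFileA"]}, 1335830400)
PACKED = build_pe([("UPX0", b"\0" * 16), ("UPX1", bytes((i * 239 + 17) % 256 for i in range(4096)))],
                  {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"]}, 1335830400)
```

Call parse_pe(PLAIN) and parse_pe(PACKED) and compare: the plain file yields a compile time, normal section names and an import list that already tells a story (file creation, memory allocation, a download API), while the packed one yields UPX section names, an 8.0-entropy section and two imports, exactly the picture that makes an analyst unpack before going further. The same parse_pe works on a real .exe read from disk, with the PE32-only thunk caveat above.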

30 BASIC DYNAMIC ANALYSIS - PREPARATION
Analyze malware on dedicated physical or virtual machines (VMs). To prevent the malware from spreading, it can be analyzed on an air-gapped network: an isolated network whose machines are disconnected from the Internet and from any other network. Disadvantage: no Internet connection, yet many pieces of malware depend on a live connection (e.g. to reach a command-and-control server) in order to function.

31 BASIC DYNAMIC ANALYSIS - PREPARATION
When using VMs, make sure that all service packs, patches, hot fixes and any applications needed are installed, then take a clean snapshot before executing the malware so the machine can be reverted afterwards. Make sure that VM networking is set to host-only networking; otherwise there is a great risk of spreading the malware to any connected network.

32 BASIC DYNAMIC ANALYSIS - KEY TOOLS
Process Monitor (Procmon) - An advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. (Screenshot source: Microsoft)

33 BASIC DYNAMIC ANALYSIS - KEY TOOLS
Process Explorer - Lists active processes, the DLLs loaded by each process and overall system information. (Screenshot source: Microsoft)

34 BASIC DYNAMIC ANALYSIS - KEY TOOLS
Regshot - An open source registry comparison tool that takes two registry snapshots and reports the keys and values that differ between them.

35 BASIC DYNAMIC ANALYSIS - KEY TOOLS
ApateDNS - A free tool from Mandiant that captures the DNS requests made by malware by answering them itself with an IP address of your choosing, so the sample's traffic can be redirected to a listener on the analysis machine.

36 BASIC DYNAMIC ANALYSIS - KEY TOOLS
Wireshark - An open source network protocol analyzer (sniffer) that intercepts and logs network traffic.

37 BASIC DYNAMIC ANALYSIS - PRACTICAL STEPS
Basic dynamic analysis can confirm and extend the findings of basic static analysis. Step 1: Baseline. Before executing the malware, take a first snapshot of the registry with Regshot. Step 2: System status. Start Process Monitor and Process Explorer before launching the malware, filter Process Monitor on the sample's process name, then run the sample and note any file, registry and process changes that occur.

38 BASIC DYNAMIC ANALYSIS - PRACTICAL STEPS
Step 3: Network traffic. Use ApateDNS and Wireshark to log the DNS requests and network traffic generated by the malware. Step 4: Comparison. Wait for the malware to finish making its system changes, take a second snapshot with Regshot, and compare the two snapshots; the differences, cross-checked against the Process Monitor log, are the candidates for host-based signatures.
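Steps 1 to 4 above, carried out on constructed data as an added example that is not code from the slides, Regshot or Process Monitor: two registry snapshots in a Regshot-like {key: {value: data}} shape (not Regshot's real file format), a handful of Procmon-style events, a snapshot diff, and a cross-check that turns "new autostart entry pointing at a file the sample just wrote" into a host-based indicator. The snapshots, events, process id 4120 and the list of autostart locations are all constructed for the example.

```python
# Constructed data only: two registry snapshots in a Regshot-like shape {key: {value_name: data}},
# taken before and after running a sample, plus Procmon-style events (pid, process, operation, path, result).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED = r"C:\Users\lab\AppData\Roaming\wupdsvc.exe"
BEFORE = {
    RUN_KEY: {"OneDrive": r"C:\Users\lab\AppData\Local\OneDrive.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"HideFileExt": 1},
}
AFTER = {
    RUN_KEY: {"OneDrive": r"C:\Users\lab\AppData\Local\OneDrive.exe", "WindowsUpdateSvc": DROPPED},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"HideFileExt": 1},
    r"HKLM\SYSTEM\CurrentControlSet\Services\wupdsvc": {"ImagePath": DROPPED, "Start": 2},
}
EVENTS = [
    (4120, "sample.exe", "CreateFile", DROPPED, "SUCCESS"),
    (4120, "sample.exe", "WriteFile", DROPPED, "SUCCESS"),
    (4120, "sample.exe", "RegSetValue", RUN_KEY + r"\WindowsUpdateSvc", "SUCCESS"),
    (4120, "sample.exe", "CreateFile", r"C:\Windows\System32\kernel32.dll", "SUCCESS"),
    (4120, "sample.exe", "WriteFile", r"C:\Windows\System32\drivers\etc\hosts", "ACCESS DENIED"),
    (1332, "explorer.exe", "WriteFile", r"C:\Users\lab\NTUSER.DAT", "SUCCESS"),
]
# Autostart locations worth flagging; extend with the other ASEPs your environment cares about.
PERSISTENCE_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run", r"\Microsoft\Windows\CurrentVersion\RunOnce",
                    r"HKLM\SYSTEM\CurrentControlSet\Services")

def diff_snapshots(before: dict, after: dict) -> dict:
    """Regshot-style comparison: keys added/deleted and values added/deleted/modified."""
    d = {"keys_added": sorted(after.keys() - before.keys()), "keys_deleted": sorted(before.keys() - after.keys()),
         "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(after.keys() | before.keys()):
        old, new = before.get(key, {}), after.get(key, {})
        d["values_added"] += [(key, v, new[v]) for v in sorted(new.keys() - old.keys())]
        d["values_deleted"] += [(key, v, old[v]) for v in sorted(old.keys() - new.keys())]
        d["values_modified"] += [(key, v, old[v], new[v]) for v in sorted(old.keys() & new.keys()) if old[v] != new[v]]
    return d

def persistence_indicators(diff: dict) -> list:
    """New registry values under autostart locations: the classic host-based signature."""
    return [(key, name, data) for key, name, data in diff["values_added"]
            if any(p.lower() in key.lower() for p in PERSISTENCE_KEYS)]

def files_written(events: list, pid: int) -> list:
    """Paths the sample itself wrote successfully; other processes and failed writes are noise."""
    return sorted({path for p, _, op, path, res in events if p == pid and op == "WriteFile" and res == "SUCCESS"})

def host_indicators(before: dict, after: dict, events: list, pid: int) -> dict:
    """Steps 1-4 combined: registry delta plus file activity, cross-checked against each other."""
    reg, files = persistence_indicators(diff_snapshots(before, after)), files_written(events, pid)
    corroborated = [(k, n, d) for k, n, d in reg if isinstance(d, str) and d in files]  # autostart -> dropped file
    return {"registry": reg, "files": files, "corroborated": corroborated}

if __name__ == "__main__":
    report = host_indicators(BEFORE, AFTER, EVENTS, pid=4120)
    for section, items in report.items():
        print(section)
        for item in items:
            print("   ", item)
```

The filter on process id and on SUCCESS is the important part of Step 2 in practice: an unfiltered Process Monitor capture is dominated by the operating system's own activity, and a denied write (the hosts file here) is worth noting but is not a change to the system.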

39 OPERATIONS OF ANTIVIRUS PROGRAM
Anti-virus programs have two basic modes of operation. Static (on-demand) file scanning: scan a file or a whole volume to check whether any of the files are currently infected with malware. Dynamic (on-access, real-time) file scanning: every file the operating system opens or uses is scanned before it is fully opened.

40 OPERATIONS OF ANTIVIRUS PROGRAM
For infected files, anti-virus programs first try to repair (disinfect) the file; if that is not possible, they either quarantine the file for later treatment or simply delete it.

41 References
Michael Sikorski and Andrew Honig, Practical Malware Analysis, No Starch Press, 2012
Malware Analysis: An Introduction
Malware Analysis the Basics
Practical Guide to Enterprise Antivirus and Malware Prevention

