Presentation is loading. Please wait.

Presentation is loading. Please wait.

Techniques, Tools, and Research Issues

Published byLisa Shelton Modified over 6 years ago

Similar presentations

Presentation on theme: "Techniques, Tools, and Research Issues"— Presentation transcript:

1 Techniques, Tools, and Research Issues
Virus Analysis Techniques, Tools, and Research Issues Part III: Malware Analysis Techniques - Basic Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA

2 Malware Analysis Techniques - Basic
Demonstrate by Example Analyze Beagle.J Prepare the Lab Malware Analysis Process Static Analysis Process Observation Network observation

3 Prepare the Lab Create a shared folder for copying malware to guest OS

4 Prepare the Lab Navigate to \\.host\ from within guest OS to find malware sample Copy sample to guest OS

5 Prepare the Lab Secure the system Network type  Host-only
Shared Folders  Disabled Guest isolation  Disabled

6 Prepare the Lab Unzip malware sample Take snapshot of virtual system
Password: “malware” Take snapshot of virtual system

7 Malware Analysis Process
Reset Lab Environment Static Analysis Set up network observation tools Set up process observation tools Run program Observe network traffic Observe process actions Identify services requested Create/revise client on Linux Create DNS tables Run client Run services on Linux

8 Beagle.J Capabilities Registry/Run on startup
Copies into folders containing “shar” Sends copies by Backdoor

9 Static Analysis Guessing program behavior from its strings
Using BinText Detect UPX compression Using Disassembler UPX Decompression

10 String Extraction BinText reveals illegible strings

11 Dissassembly IDA Pro shows file is UPX compressed

12 UPX Decompression

13 String Analysis Analysis of the decompressed file reveals much more

14 String Analysis Results
“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” Registers itself to run on startup Suspicious EXE filenames (ex: “acdsee 9.exe”) Possibly for propagation “MAIL FROM:<%s>”, “RCPT TO:<%s>” Contains SMTP engine EXE filenames used by AV programs (ex: “update.exe”) Possibly kills processes belonging to AV programs

15 Dynamic Analysis: Host Side
Prepare process observation tools Processes spawned by malware Registry changes File system changes Prepare network observation tools Open ports Network traffic

16 Observe: Processes spawned
jjkxhbx.exe spawns irun4.exe

17 Observe: System Changes
RegShot output

18 Observe: System Changes
RegShot output File created called c:\winnt\system32\irun4.exe File created called c:\winnt\system32\irun4.exeopen c:\winnt\system32\irun4.exe configured to run on startup Several files added to c:\shared files

19 Observe: File System changes
jjkjxhbx.exe creates irun4.exe

20 Observe: Registry Changes
jjkjxhbx.exe adds c:\winnt\system32\irun4.exe to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run\ssate.exe

21 Observe: Compare Copies
c:\winnt\system32\irun4.exe and files placed in c:\shared files are identical copies of jjkjxhbx.exe c:\winnt\system32\irun4.exeopen is not a copy of jjkjxhbx.exe

22 Observe: Opening Backdoor
irun4.exe listens for a connection on TCP port 2745

23 Dynamic Analysis: Network
Detect propagation

24 Observe: Email Propagation
Set RedHat Linux system as DNS server in Windows Run malware while observing with Snort

25 Observe: Email Propagation
Communication over port 53 Port 53 is used for DNS lookup Performs DNS lookup on sysinternals.com, winternals.com, and others. (Why?)

26 Observe: Email Propagation
FileMon shows irun4.exe scans disk contents Perhaps the domain names were picked up from the hard disk

27 Observe: Email Propagation
A search through the files confirms our suspicions

28 Summary Lab Setup Analysis Process Virtual environments
Security procedures Analysis Process Guess behavior from strings Host side observations files and registry changes, processes spawned, backdoors Network side observations Services requested

Download ppt "Techniques, Tools, and Research Issues"

Similar presentations

What to expect.  Linux  Windows Server (2008 or 2012)

What to expect.  Linux  Windows Server (2008 or 2012)
Project – 564 Presented by Abu Sayeed Saifullah Student Id. 101876890.

Project – 564 Presented by Abu Sayeed Saifullah Student Id
Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.

Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
Information Networking Security and Assurance Lab National Chung Cheng University Backdoors and Remote Access Tools INSA Laboratory.

Information Networking Security and Assurance Lab National Chung Cheng University Backdoors and Remote Access Tools INSA Laboratory.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Working with Workgroups and Domains

Working with Workgroups and Domains
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Guide to TCP/IP, Second Edition1 Guide To TCP/IP, Second Edition Chapter 6 Basic TCP/IP Services.

Guide to TCP/IP, Second Edition1 Guide To TCP/IP, Second Edition Chapter 6 Basic TCP/IP Services.
SMTP PROTOCOL CONFIGURATION AND MANAGEMENT Chapter 8.

SMTP PROTOCOL CONFIGURATION AND MANAGEMENT Chapter 8.
Module 6: Manage and Configure Messaging. Configuring Internet Mail Using Small Business Server (SBS) 2008 Console Configuring E-mail Protection Configuring.

Module 6: Manage and Configure Messaging. Configuring Internet Mail Using Small Business Server (SBS) 2008 Console Configuring Protection Configuring.
Hands-On Virtual Computing

Hands-On Virtual Computing
Section 2.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE

Section 2.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE
Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.

Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.
Simple Mail Transfer Protocol (SMTP)

Simple Mail Transfer Protocol (SMTP)
Home Media Network Hard Drive Training for Update to 2.0 By Erik Collett 6.03.09 Revised for Firmware Update.

Home Media Network Hard Drive Training for Update to 2.0 By Erik Collett Revised for Firmware Update.
Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.

Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.
Network Security SSH Tunneling David Funk Matt McLaughlin Systems Administrators Computer Systems Support COE, University of Iowa.

Network Security SSH Tunneling David Funk Matt McLaughlin Systems Administrators Computer Systems Support COE, University of Iowa.
Module 12: Routing Fundamentals. Routing Overview Configuring Routing and Remote Access as a Router Quality of Service.

Module 12: Routing Fundamentals. Routing Overview Configuring Routing and Remote Access as a Router Quality of Service.

Similar presentations

Ads by Google