Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part 1: Basic Analysis Chapter 1: Basic Static Techniques

Published byMarianna Farmer Modified over 5 years ago

Similar presentations

Presentation on theme: "Part 1: Basic Analysis Chapter 1: Basic Static Techniques"— Presentation transcript:

1 Part 1: Basic Analysis Chapter 1: Basic Static Techniques
Chapter 2: Malware Analysis in Virtual Machines Chapter 3: Basic Dynamic Analysis

2 Chapter 1: Basic Static Techniques

3 Static analysis Examine payload without executing it to determine function and maliciousness Done via scanning content

4 File signatures Common code or data used across malware instances
e.g. embedded URL strings, decryptor code Examples Strings search on metadata, errors, constants Regular expression searches Hashing (e.g. MD5, SHA)

5 Signatures generated via analysis
Artifacts revealed by binary Tools for dumping linked libraries Dependency Walker, PEView, PEBrowse, PE Explorer, ldd Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc) Disassemblers

6 But… Astronomical growth in signatures
Coverage by a single tool is difficult Cloud-based anti-virus Bought by Google But, public service that allows attacker to know when their malware has been uploaded and identified! Can use private malware sandbox analysis (VMRay)

7 Malware counter-measures
Obfuscation Code execution is hidden by author to make static analysis difficult Packing Code compressed and encrypted to completely thwart static analysis (Figure 1-4) Code to unpack binaries is common, however Some can be identified (PEiD) Polymorphism and metamorphism Code transformed into equivalent, but different form to thwart static signatures Example: Mimikatz (Metasploit module to do weaponized credential theft on Windows) From 54/54 (100% detection) to 4/54 when replacing ‘mimikatz’ with ‘kitikatz’ and recompiling AV with signatures is now completely dead

8 Chapter 2: Malware Analysis on VMs Chapter 3: Basic Dynamic Analysis

9 Malware and VMs Most malware must be executed in order to analyze them
Requires a safe environment VirtualBox, VMware Host-only networking to monitor network traffic Snapshots and roll-back Record and replay execution

10 Sandboxes Simpler alternative to VMs
Behavior isolation and coarse-grained tracking of malware execution File system activity Registry activity Network activity Examples: GFI Sandbox, Norman SandBox Always use a sandbox or VM to analyze malware

11 Don’t be like…

12

13 But, can be subtle FireEye anti-virus (12/2015)
Static analysis of Java byte-code via a Java decompiler (JODE) so did not run in a VM But, did not realize decompiler executed byte code as well Instant remote code execution AV now *worse* than no AV

14 Monitoring execution Procmon (Sysmon)
Combines process, file, and registry monitoring to track execution behavior Spits out XML on events, allows one to reconstruct process tree Prochacker ( Process (memory) monitoring Process explorer Verify running process against the disk executable image Determine if malicious documents are launching new processes Regshot Flag changes in registry

15 Monitoring execution ApateDNS Netcat Wireshark INetSim
Capture DNS requests and modify replies More comprehensive follow-on tool.. Flare-NG Netcat Proxying and emulating connections Wireshark Packet capturing tool INetSim Simulate common Internet services

16 Tools in action See p. 57 in text (msts.exe)
Setup tools (process/network/registry monitoring, setup VMs, server emulation) – Fig. 3-12 Contacts web site (the textbook's) – ApateDNS Creates new file (winhlp2.exe) – procmon Modifies registry to autorun – regshot Creates a mutex to ensure only a single execution – Process Explorer Contacts a server over port 443 (https), but does not speak SSL – INetSim Speaks a custom protocol – Wireshark

17 In-class exercises Lab 1-1, Lab 1-2 Lab 3-2, Lab 3-4

Download ppt "Part 1: Basic Analysis Chapter 1: Basic Static Techniques"

Similar presentations

Scalable Parallel Intrusion Detection Fahad Zafar Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha 1 University of Maryland Baltimore County.

Scalable Parallel Intrusion Detection Fahad Zafar Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha 1 University of Maryland Baltimore County.
Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.

Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.
Web Communication Client attempts to “pull” information from server – http message sent across Internet by TCP/IP* – packet switching used to route message.

Web Communication Client attempts to “pull” information from server – http message sent across Internet by TCP/IP* – packet switching used to route message.
Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.

Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
In-Band Detection of Virtual Machines Estefan Ortiz & Cory Hayes Computer Science and Engineering Graduate Operating Systems December 16, 2011 1.

In-Band Detection of Virtual Machines Estefan Ortiz & Cory Hayes Computer Science and Engineering Graduate Operating Systems December 16,
Automated Malware Analysis

Automated Malware Analysis
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,

Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,
Chapter 16 The World Wide Web. 2 The Web An infrastructure of information combined and the network software used to access it Web page A document that.

Chapter 16 The World Wide Web. 2 The Web An infrastructure of information combined and the network software used to access it Web page A document that.
16-1 The World Wide Web The Web An infrastructure of distributed information combined with software that uses networks as a vehicle to exchange that information.

16-1 The World Wide Web The Web An infrastructure of distributed information combined with software that uses networks as a vehicle to exchange that information.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

Similar presentations

Ads by Google