Presentation is loading. Please wait.

Presentation is loading. Please wait.

4. Basic Dynamic Analysis

Published byMadison Miller Modified over 5 years ago

Similar presentations

Presentation on theme: "4. Basic Dynamic Analysis"— Presentation transcript:

1 4. Basic Dynamic Analysis
Malware Analysis

2 What is Basic Dynamic Analysis?
Allowing the malware to run - executing the program binary It complements static analysis Makes analysis more efficient in some cases Helps us understand the program behavior

3 Various Types of Malware Analysis
Basic Static Analysis Examining target binary without execution (i.e., strings, hashing, signature) Advanced Static Analysis Understanding target binary using reverse engineering (i.e., disassembly) Basic Dynamic Analysis Executing target binary and observing its behavior Advanced Dynamic Analysis Executing target binary and using a debugger to analyze internal state

4 Basic Dynamic Analysis
Monitored execution of a program in order to perform analysis Often performed after static analysis is done Advantages Efficient way to determine program functionality Able to check file activity, process creation, network activity, etc. Disadvantage Not all functional paths may be explored

5 Executing the Malware In most cases, you can just double-click the “exe” file You may want to run it from the command-line as well (Why?) What if the extension is not “exe”? You can change it. Verify it is a PE file using a PE parser What if it is a DLL? You can run a DLL using the rundll32 program Format: C:\> rundll32.exe <name>.dll

6 Sandboxes What is Sandbox?
All-in-one software solutions to analyze the execution of a program Provides security mechanism for running untrusted programs in a safe environment Lets you monitor behavior/changes to the system The “real” system remains isolated – so, it does not get infected

7 Sandboxes Usually use virtual components
Simulates network services to allow program to execute as it ‘normally’ would Sandboxes for Malware Analysis There are many free and commercial versions available Some online and some you can download Lets you analyze a variety of file types: EXE, PDF, Office Documents, URLs, etc.

8 Sandboxes - Drawbacks May run the EXE w/o command line arguments
EXE may wait for response from C2 Malware may find out that it is running in a sandbox An anti-analysis technique In that case, the malware may change its behavior Often the environment is not properly setup

9 Sandbox – Example: malwr.com

10 Monitoring System Activity
Process Monitor (aka ProcMon) Tool that allows monitoring of registry, file system, network, process, and thread activities Not a reliable tool for network activities So other tools need to be used Monitors all system calls Captures a lot of data (> 50,000 events a minute) Uses RAM to capture events Can easily crash a VM - so, run for a limited amount of time

11 Running Malware: ProcMon

12 Running Malware: ProcMon
To narrow the result, use filtering You may want to filter on: Executables running on the system System call (such as RegSetValue, CreateFile, WriteFile, etc.) Note: Filtering does not prevent from consuming too much memory though

13 ProcMon Filtering

14 Process Explorer Windows task manager and system monitoring tool
It monitors all running processes Free Shows which program in the system has a specific file/directory open Provides insight into the processes that are running on a system Lists active processes, DLLs loaded by a process, process properties, system information

15 Process Explorer

16 Process Explorer Vs. Process Monitor
Shows current state of each process Shows files, registry keys and thread loaded by each running process Process Monitor In addition to monitoring, it logs process information – all events Logs show the files, registry, network etc. the process attempted to use – successful or not “Access Denied” events also appear

17 Monitoring Network Activities
Why? Most malware will need to communicate with external services/entities Download additional malware, files Exchange/obtain keys for encryption C2 – Command and Control: Receive instructions and check-in Extract data Infect other machines Question: Do we allow them access to network?

18 Faking a Network It is too risky to allow a malware to access the network Faking a network allows us to find out how/what is communicated Important: Faking requires that the malware does not realize it is executing on a virtualized environment

19 Faking a Network - ApateDNS
ApateDNS is a Free tool from Mandiant/Fire-Eye Allows to control DNS responses though GUI It listens on UDP port 53 on the local machine Spoofs DNS responses to a user-specified IP address One of the quickest and easiest ways to see DNS requests made on the system It redirects all requests though Typically redirects to localhost. But, you can also redirect to other IPs

20 Faking a Network - ApateDNS

21 FakeNet An open source tool
Allows users to intercept and redirect all or specific network traffic You can identify malware functionality and capture network signatures

22 Netcat Typically used for reading from and writing to network connections Handles both inbound and outbound connections

Download ppt "4. Basic Dynamic Analysis"

Similar presentations

Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example.

Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
MIS 5211.001 Week 7 Site:

MIS Week 7 Site:
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Automated Malware Analysis

Automated Malware Analysis
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Malware Fighting Spyware, Viruses, and Malware Ch 4.

Malware Fighting Spyware, Viruses, and Malware Ch 4.
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Computer & Information Tech BANGKOK CHRISTIAN COLLEGE English Immersion Program Mathayom Department Computer & Information Technology Class Teacher David.

Computer & Information Tech BANGKOK CHRISTIAN COLLEGE English Immersion Program Mathayom Department Computer & Information Technology Class Teacher David.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
1 Chapter Overview Using the New Connection Wizard to configure network and Internet connections Using the New Connection Wizard to configure outbound.

1 Chapter Overview Using the New Connection Wizard to configure network and Internet connections Using the New Connection Wizard to configure outbound.
Database-Driven Web Sites, Second Edition1 Chapter 5 WEB SERVERS.

Database-Driven Web Sites, Second Edition1 Chapter 5 WEB SERVERS.
Sandbox Exploitations - ECE 4112 Group 12 - Gary Kao Jimmy Vuong.

Sandbox Exploitations - ECE 4112 Group 12 - Gary Kao Jimmy Vuong.

Similar presentations

Ads by Google