SlideShare uma empresa Scribd logo

Basic Malware Analysis

Albert Hui
Albert Hui

Introduction to beginning malware analysis.

1 de 20
Basic Malware Analysis Albert Hui, GCFA, CISA albert.hui@gmail.com
Goals Present tools and techniques for preliminary malware analysis Introduce the model and mindset for beginning reverse engineering Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on Copyright © 2007 Albert Hui
Terminology Malware – malicious software Virus – infect a host program to reproduce Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom) Trojan – malicious program disguised as harmless 木馬(China usage) != trojan, but == Backdoor Backdoor – remote control software Rootkit – cover up backdoor and forensic evidence (e.g. Sony XCP Rootkit) Spyware – calls home Copyright © 2007 Albert Hui
Black-Box Examination Snapshot Observation Behavioral Tracing Sandboxing Copyright © 2007 Albert Hui
Snapshot Observation Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.) Pros: Gather consistent big picture Some info only uncovered by static analysis Cons: Can lose sight of small/transient changes Difficult to cover every avenues Copyright © 2007 Albert Hui
Snapshot Observation Tools (runtime) Process/Thread: Process Explorer Windows Objects: WinObj OpenedFilesView Copyright © 2007 Albert Hui
Snapshot Observation Tools (static) Executable: XN Resource Editor File: hexplorer FileAlyzer Copyright © 2007 Albert Hui
Snapshot Observation Tools (executable) PEBrowse Dependency Walker PEiD Dumper: LordPE Universal Extractor RL!depacker Decompiler/Disassembler: IDA Pro OllyDbg/OllyICE JAD Spices.Decompiler Copyright © 2007 Albert Hui
Behavioral Tracing Includes debugging, tracing, network traffic analysis, etc. Pros: Detailed time-domain info Can drill down to system call level Cons: Can lose sight of the big picture Difficult to cover every avenues Copyright © 2007 Albert Hui
Behavioral Tracing Tools Process/Thread/File/Registry Tracing: ProcMon Network Tracing: TCPView TDImon Wireshark Debugger: OllyDbg/OllyICE SoftICE Copyright © 2007 Albert Hui
Sandboxing Containment of execution in protected environment One kind of virtualization, techniques in common with virtual machine, honeypot/tarpit, and forceful uninstallers Sandboxing can occur at various levels: network, application, OS, down to bare metal Pros: Total coverage possible Local containment of harms Cons: Difficult to discern incremental changes Copyright © 2007 Albert Hui
Sandboxing Tools Machine Level: VMware OS Level: Altiris SVS PowerShadow ShadowUser Application Level: Sandboxie Network Level: Honeyd Copyright © 2007 Albert Hui
Demo Use FileAlyzer to determine file type. Rename to .exe, use Dependency Walker to determine functions. Use PEiD to detect signature – UPX packed. Use Universal Extractor to unpack file. Use Dependency Walker to determine functions. Use FileAlyzer to read embedded strings. Detach network, use Sandboxie to execute file. Use Wireshark and ProcMon, execute file again. Use OllyDbg to understand program flow – program connects to a server on port 6667. Set up our own IRC server, edit hosts file on guest to fool malware into connecting to it. Try out commands found in embedded strings. Copyright © 2007 Albert Hui
Process-Based Malware e.g. BO2K, Sub7, Netbus, 冰河, 灰鴿子 Technically equivalent to VNC, Remote Desktop, PCAnyware etc. Copyright © 2007 Albert Hui
Tricks of Process-Based Malware Melting – deletes installer or deletes entirely from disk Sticky Process – multiple execution units reviving each other Sticky Image – reinstall itself upon system shutdown Antidetection/免殺: Polymorphism – packing/encryption or other superficial changes Metamorphism – radically changing the codes, includes 加花 (addition of fake signatures) Copyright © 2007 Albert Hui
Stealthy Malware The 2nd Generation
Processless (無進程) Malware Parasite Approach (exist only as threads) DLL attachment CreateRemoteThread Code injection, detour patching Rookit Approach (hide process) Hooking DKOM Copyright © 2007 Albert Hui
Vulnerabilities of Rootkits Communications can always be captured on external network links Always changes OS compare observation with known-good states compare observations from different approaches (e.g. Linux ls vs. opendir()) Copyright © 2007 Albert Hui
Rootkit Detection Tools Rootkit Detection 冰刃 IceSword DarkSpy GMER Copyright © 2007 Albert Hui
Conclusion First perform static analysis Then let malware loose in contained environment Drill down with expert knowledge to further fool the malware into doing more Copyright © 2007 Albert Hui

Recomendados

Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysissecurityxploded
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 

Recomendados

Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysissecurityxploded
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
What is Ransomware
What is RansomwareWhat is Ransomware
What is Ransomwarejeetendra mandal
 
Malware
MalwareMalware
Malwareguest234d3a
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Malware
MalwareMalware
MalwareAnoushka Srivastava
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framworkDeepanshu Gajbhiye
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 

Mais conteúdo relacionado

Mais procurados

Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 

Mais procurados (20)

Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
What is Ransomware
What is RansomwareWhat is Ransomware
What is Ransomware
 
Malware
MalwareMalware
Malware
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Malware
MalwareMalware
Malware
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 

Semelhante a Basic Malware Analysis

Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threatsMartin Holovský
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxYasserOuda2
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
Inception framework
Inception frameworkInception framework
Inception framework한익 주
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 

Semelhante a Basic Malware Analysis (20)

Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threats
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Inception framework
Inception frameworkInception framework
Inception framework
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 

Mais de Albert Hui

Information Security from Risk Management and Design
Information Security from Risk Management and DesignInformation Security from Risk Management and Design
Information Security from Risk Management and DesignAlbert Hui
 
The Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsThe Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsAlbert Hui
 
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Albert Hui
 
Practical Defences Against A New Type of Professional Bank Fraudsters
Practical Defences Against A New Type of Professional Bank FraudstersPractical Defences Against A New Type of Professional Bank Fraudsters
Practical Defences Against A New Type of Professional Bank FraudstersAlbert Hui
 
New Frontiers in Cyber Forensics
New Frontiers in Cyber ForensicsNew Frontiers in Cyber Forensics
New Frontiers in Cyber ForensicsAlbert Hui
 
Laying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationLaying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationAlbert Hui
 
Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersAlbert Hui
 
Detecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerDetecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerAlbert Hui
 
(Mis)trust in the cyber era
(Mis)trust in the cyber era(Mis)trust in the cyber era
(Mis)trust in the cyber eraAlbert Hui
 
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassUniversal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassAlbert Hui
 
Cyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateCyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateAlbert Hui
 
The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?Albert Hui
 
Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response TriageAlbert Hui
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemAlbert Hui
 

Mais de Albert Hui (14)

Information Security from Risk Management and Design
Information Security from Risk Management and DesignInformation Security from Risk Management and Design
Information Security from Risk Management and Design
 
The Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsThe Practice of Cyber Crime Investigations
The Practice of Cyber Crime Investigations
 
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
 
Practical Defences Against A New Type of Professional Bank Fraudsters
Practical Defences Against A New Type of Professional Bank FraudstersPractical Defences Against A New Type of Professional Bank Fraudsters
Practical Defences Against A New Type of Professional Bank Fraudsters
 
New Frontiers in Cyber Forensics
New Frontiers in Cyber ForensicsNew Frontiers in Cyber Forensics
New Frontiers in Cyber Forensics
 
Laying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationLaying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident Investigation
 
Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New Frontiers
 
Detecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerDetecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an Attacker
 
(Mis)trust in the cyber era
(Mis)trust in the cyber era(Mis)trust in the cyber era
(Mis)trust in the cyber era
 
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassUniversal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
 
Cyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateCyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the Corporate
 
The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?
 
Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response Triage
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime Ecosystem
 

Basic Malware Analysis

  • 1. Basic Malware Analysis Albert Hui, GCFA, CISA albert.hui@gmail.com
  • 2. Goals Present tools and techniques for preliminary malware analysis Introduce the model and mindset for beginning reverse engineering Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on Copyright © 2007 Albert Hui
  • 3. Terminology Malware – malicious software Virus – infect a host program to reproduce Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom) Trojan – malicious program disguised as harmless 木馬(China usage) != trojan, but == Backdoor Backdoor – remote control software Rootkit – cover up backdoor and forensic evidence (e.g. Sony XCP Rootkit) Spyware – calls home Copyright © 2007 Albert Hui
  • 4. Black-Box Examination Snapshot Observation Behavioral Tracing Sandboxing Copyright © 2007 Albert Hui
  • 5. Snapshot Observation Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.) Pros: Gather consistent big picture Some info only uncovered by static analysis Cons: Can lose sight of small/transient changes Difficult to cover every avenues Copyright © 2007 Albert Hui
  • 6. Snapshot Observation Tools (runtime) Process/Thread: Process Explorer Windows Objects: WinObj OpenedFilesView Copyright © 2007 Albert Hui
  • 7. Snapshot Observation Tools (static) Executable: XN Resource Editor File: hexplorer FileAlyzer Copyright © 2007 Albert Hui
  • 8. Snapshot Observation Tools (executable) PEBrowse Dependency Walker PEiD Dumper: LordPE Universal Extractor RL!depacker Decompiler/Disassembler: IDA Pro OllyDbg/OllyICE JAD Spices.Decompiler Copyright © 2007 Albert Hui
  • 9. Behavioral Tracing Includes debugging, tracing, network traffic analysis, etc. Pros: Detailed time-domain info Can drill down to system call level Cons: Can lose sight of the big picture Difficult to cover every avenues Copyright © 2007 Albert Hui
  • 10. Behavioral Tracing Tools Process/Thread/File/Registry Tracing: ProcMon Network Tracing: TCPView TDImon Wireshark Debugger: OllyDbg/OllyICE SoftICE Copyright © 2007 Albert Hui
  • 11. Sandboxing Containment of execution in protected environment One kind of virtualization, techniques in common with virtual machine, honeypot/tarpit, and forceful uninstallers Sandboxing can occur at various levels: network, application, OS, down to bare metal Pros: Total coverage possible Local containment of harms Cons: Difficult to discern incremental changes Copyright © 2007 Albert Hui
  • 12. Sandboxing Tools Machine Level: VMware OS Level: Altiris SVS PowerShadow ShadowUser Application Level: Sandboxie Network Level: Honeyd Copyright © 2007 Albert Hui
  • 13. Demo Use FileAlyzer to determine file type. Rename to .exe, use Dependency Walker to determine functions. Use PEiD to detect signature – UPX packed. Use Universal Extractor to unpack file. Use Dependency Walker to determine functions. Use FileAlyzer to read embedded strings. Detach network, use Sandboxie to execute file. Use Wireshark and ProcMon, execute file again. Use OllyDbg to understand program flow – program connects to a server on port 6667. Set up our own IRC server, edit hosts file on guest to fool malware into connecting to it. Try out commands found in embedded strings. Copyright © 2007 Albert Hui
  • 14. Process-Based Malware e.g. BO2K, Sub7, Netbus, 冰河, 灰鴿子 Technically equivalent to VNC, Remote Desktop, PCAnyware etc. Copyright © 2007 Albert Hui
  • 15. Tricks of Process-Based Malware Melting – deletes installer or deletes entirely from disk Sticky Process – multiple execution units reviving each other Sticky Image – reinstall itself upon system shutdown Antidetection/免殺: Polymorphism – packing/encryption or other superficial changes Metamorphism – radically changing the codes, includes 加花 (addition of fake signatures) Copyright © 2007 Albert Hui
  • 16. Stealthy Malware The 2nd Generation
  • 17. Processless (無進程) Malware Parasite Approach (exist only as threads) DLL attachment CreateRemoteThread Code injection, detour patching Rookit Approach (hide process) Hooking DKOM Copyright © 2007 Albert Hui
  • 18. Vulnerabilities of Rootkits Communications can always be captured on external network links Always changes OS compare observation with known-good states compare observations from different approaches (e.g. Linux ls vs. opendir()) Copyright © 2007 Albert Hui
  • 19. Rootkit Detection Tools Rootkit Detection 冰刃 IceSword DarkSpy GMER Copyright © 2007 Albert Hui
  • 20. Conclusion First perform static analysis Then let malware loose in contained environment Drill down with expert knowledge to further fool the malware into doing more Copyright © 2007 Albert Hui