2. Introduction
• Based in Montreal
• Studies in computer engineering at Ecole Polytechnique
• Malware analysis
• Focus on investigation and understanding trends
3. Labs’ Objectives
• Gain hands-on knowledge on malware analysis
• Obfuscation
• Persistence
• C&C traffic
• This case is *NOT* cutting edge but a good summary of common things we see nowadays
4. Win32/Georbot
• One of our analysts reported an interesting string in a binary (.gov.ge)
• Started the investigation; we thought it was time sensitive and involved 3 guys for 3 days.
• Interesting features
• Document stealing
• Audio / Video capture
• Etc.
5. Win32/Georbot
• Further analysis showed thousands of variants
• We were able to track the evolution of the features
• Track AV evasion techniques
8. Workshop Outline
1. Data obfuscation
2. Control flow obfuscation
3. API call obfuscation
4. Answer basic malware analysis questions
5. C&C network protocol
9. Tools Required
1. IDA 6.x (you can use the demo)
2. Python interpreter w/ some modules for web server
3. Immunity Debugger / Olly Debugger
10. IDA Python
• Automate repetitive tasks in IDA
• Read data (Byte, Word, Dword, etc)
• Change data (PatchByte, PatchWord, PatchDword, etc)
• Add comments (MakeComm)
• Add cross references
• User interaction
• Etc.
11. Data Obfuscation
• Where’s all my data?!
• Debug the malware (in a controlled environment); do you see something appear? (0x407afb)
• What happened? Find the procedure which decodes the data
• Understand obfuscation
• Implement deobfuscation with IDA Python
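The kind of IDA Python deobfuscation pass this slide asks for, as an added example that is not part of the workshop material. The encoding scheme it decodes (a per-byte XOR with a key that increments for every byte and restarts at each string, strings ending in an encoded 0x00) is an assumed stand-in, not the scheme used by the sample; the real routine has to be read out of the decoding procedure located while debugging and substituted in `decode_one`. The pure-Python core runs and can be tested outside IDA; `deobfuscate_in_idb` is the wrapper that patches the IDB with the IDA 6.x function names the deck lists (`GetManyBytes`, `PatchByte`, `MakeComm`). The sample table, the key and the string values other than `.gov.ge` are constructed.

```python
# Added example (not from the workshop slides): a string deobfuscation pass
# split into a pure-Python core, runnable outside IDA, and a thin IDAPython
# wrapper that writes the result into the IDB.
#
# ASSUMPTION: the encoding below (each byte XORed with a key that increments
# by one per byte, key restarting at every string, strings ending in an
# encoded 0x00) is a constructed stand-in. The real scheme must be recovered
# from the decoding procedure found while debugging and substituted here.

def decode_one(blob, key):
    """Decode one zero-terminated string starting at blob[0].

    Returns (text, bytes_consumed_including_terminator).
    """
    out = bytearray()
    k = key
    for i, b in enumerate(blob):
        p = b ^ k
        k = (k + 1) & 0xFF            # rolling key wraps around at 256
        if p == 0:                    # decoded terminator: string is complete
            return bytes(out).decode("latin-1"), i + 1
        out.append(p)
    raise ValueError("no terminator before end of blob")

def decode_table(blob, key):
    """Walk a table of back-to-back encoded strings.

    Returns a list of (offset_in_table, decoded_text). The key restarts for
    every string, as the assumed scheme requires.
    """
    blob = bytearray(blob)            # works for str (IDA 6.x / Py2) and bytes
    results = []
    off = 0
    while off < len(blob):
        text, used = decode_one(blob[off:], key)
        results.append((off, text))
        off += used
    return results

def encode_table(strings, key):
    """Inverse of decode_table; used here only to build constructed sample data."""
    out = bytearray()
    for s in strings:
        k = key
        for p in bytearray(s.encode("latin-1") + b"\x00"):
            out.append(p ^ k)
            k = (k + 1) & 0xFF
    return bytes(out)

# Constructed sample table: ".gov.ge" is the string the slides mention as the
# trigger for the investigation; the other two entries are made up.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = encode_table([".gov.ge", "POST", "placeholder-mutex-name"], SAMPLE_KEY)

def deobfuscate_in_idb(table_ea, size, key):
    """Run inside IDA (IDA 6.x API names, as listed on the slides): read the
    encoded table, write the plaintext over it and comment every string.
    In IDA 7+ the equivalents are idc.get_bytes / idc.patch_byte / idc.set_cmt.
    """
    import idc                         # only importable inside IDA
    blob = idc.GetManyBytes(table_ea, size)
    for off, text in decode_table(blob, key):
        plain = bytearray(text.encode("latin-1") + b"\x00")
        for i, ch in enumerate(plain):
            idc.PatchByte(table_ea + off + i, ch)
        idc.MakeComm(table_ea + off, "decoded: %r" % text)

if __name__ == "__main__":
    for off, text in decode_table(SAMPLE_BLOB, SAMPLE_KEY):
        print("+0x%02x  %s" % (off, text))
```

Keeping the decoder separate from the IDA glue is the practical point: the core can be checked against a known plaintext (or against what the debugger showed at the address on the slide) before anything is patched into the IDB, and the same core can later be reused across the variants the deck mentions.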
14. Control Flow Obfuscation
• Identify common obfuscation patterns
• Find a straightforward replacement
• Implement substitutions with IDA Python
• Reanalyze program, does it look better?
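One substitution pass of the kind this slide describes, as an added example that is not from the workshop. The slides do not say which control flow patterns the sample uses; the pattern handled here, a `push imm32; ret` pair used as an indirect jump (opcode bytes `68 xx xx xx xx C3`), is an assumed common case chosen for illustration. It is rewritten as the equivalent `jmp rel32; nop` (`E9 xx xx xx xx 90`) so the disassembler can follow the flow again. The sample bytes and base address are constructed; `rewrite_in_idb` uses the IDA 6.x names `GetManyBytes`, `GetMnem`, `PatchByte`, `MakeCode` and `MakeComm`.

```python
# Added example (not from the workshop slides): replace 'push imm32; ret'
# (68 xx xx xx xx C3) with the equivalent 'jmp rel32; nop' (E9 xx xx xx xx 90).
# ASSUMPTION: this pattern is chosen for illustration; the slides do not name
# the patterns present in the sample.
import struct

PUSH_IMM32, RET, JMP_REL32, NOP = 0x68, 0xC3, 0xE9, 0x90

def find_push_ret(code, base):
    """Yield (ea, target) for every 'push imm32; ret' found by a linear byte
    scan of code, which is assumed to be loaded at virtual address base."""
    code = bytearray(code)
    i = 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32 and code[i + 5] == RET:
            target = struct.unpack_from("<I", code, i + 1)[0]
            yield base + i, target
            i += 6
        else:
            i += 1

def rewrite_push_ret(code, base):
    """Return (patched_bytes, [(ea, target), ...]).

    The jmp displacement is relative to the end of the 5-byte jmp, so
    rel = target - (ea + 5), reduced modulo 2**32 so backward jumps encode
    correctly. The sixth byte becomes a nop to keep instruction boundaries.
    """
    patched = bytearray(code)
    done = []
    for ea, target in find_push_ret(code, base):
        off = ea - base
        rel = (target - (ea + 5)) & 0xFFFFFFFF
        patched[off] = JMP_REL32
        struct.pack_into("<I", patched, off + 1, rel)
        patched[off + 5] = NOP
        done.append((ea, target))
    return bytes(patched), done

# Constructed sample: 'push 0x401234 ; ret' followed by a nop, mapped at 0x401000.
SAMPLE_BASE = 0x401000
SAMPLE_CODE = bytes([0x68, 0x34, 0x12, 0x40, 0x00, 0xC3, 0x90])

def rewrite_in_idb(start_ea, end_ea):
    """Run inside IDA (6.x names): patch every pair in [start_ea, end_ea) and
    have IDA re-decode the bytes so the new jmp appears in the listing.
    A raw byte scan can also hit data or the middle of an instruction, so
    each hit is checked against the disassembly with GetMnem() first."""
    import idc
    code = idc.GetManyBytes(start_ea, end_ea - start_ea)
    patched, done = rewrite_push_ret(code, start_ea)
    pb = bytearray(patched)
    applied = 0
    for ea, target in done:
        if idc.GetMnem(ea) != "push":        # not real code at this address
            continue
        for i in range(6):
            idc.PatchByte(ea + i, pb[ea - start_ea + i])
        idc.MakeCode(ea)
        idc.MakeComm(ea, "was push/ret to 0x%08x" % target)
        applied += 1
    return applied

if __name__ == "__main__":
    new_bytes, pairs = rewrite_push_ret(SAMPLE_CODE, SAMPLE_BASE)
    for ea, target in pairs:
        print("0x%08x: push/ret -> jmp 0x%08x" % (ea, target))
    print(new_bytes.hex())
```

After the patch, re-running IDA's analysis over the function (the "does it look better?" step on the slide) should turn what was a dead end after `ret` into an ordinary jump edge in the graph.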
16. API Call Obfuscation
• Where are all my API calls?
• Find and understand hashing function
• Brute force API calls and add comments to IDB using IDA Python
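The brute-force resolution and IDB annotation this slide asks for, as an added example that is not from the workshop. The slides do not say what hash function the sample uses; `ror13_hash` below is a widely used ROR-13 style hash chosen for illustration, and the real routine must be reversed from the binary and swapped in, otherwise nothing resolves. The candidate API list is constructed (a real run enumerates the export tables of the DLLs the sample loads). `collect_hashes_in_idb` assumes the hash is the last `push imm32` before each call to the resolver function, which also has to be confirmed for the sample; it and `annotate_in_idb` use the IDA 6.x names `CodeRefsTo`, `PrevHead`, `GetMnem`, `GetOpType`, `GetOperandValue` and `MakeComm`.

```python
# Added example (not from the workshop slides): brute-force API name hashes
# back to names and comment the call sites in the IDB.
# ASSUMPTION: ror13_hash() is a stand-in chosen for illustration; the real hash
# routine must be reversed from the sample and substituted here.

def ror13_hash(name):
    """32-bit hash: rotate right by 13, then add the next ASCII byte."""
    h = 0
    for c in bytearray(name.encode("ascii")):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h

# Constructed candidate list; in practice enumerate the exports of the DLLs
# the sample loads (kernel32, advapi32, wininet, ...) to build a full table.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "CreateFileA", "WriteFile", "ReadFile",
    "CreateMutexA", "RegSetValueExA", "InternetOpenA", "HttpSendRequestA",
    "WinExec", "ExitProcess",
]

def build_table(names, hash_fn=ror13_hash):
    """hash -> list of names; a list so collisions are kept, not silently lost."""
    table = {}
    for n in names:
        table.setdefault(hash_fn(n), []).append(n)
    return table

def resolve(hashes, table):
    """Map each hash seen in the binary to its candidate name(s), or None."""
    return {h: table.get(h) for h in hashes}

def collect_hashes_in_idb(resolver_ea):
    """Run inside IDA (6.x names): for every call to the hash-resolver
    function, walk back to the nearest 'push imm32' and take its immediate
    as the hash. Returns {push_ea: hash}.
    ASSUMPTION: the hash is the last pushed immediate before the call."""
    import idc, idautils
    sites = {}
    for call_ea in idautils.CodeRefsTo(resolver_ea, 1):
        ea = idc.PrevHead(call_ea)
        for _ in range(8):                       # look back a few instructions only
            if idc.GetMnem(ea) == "push" and idc.GetOpType(ea, 0) == idc.o_imm:
                sites[ea] = idc.GetOperandValue(ea, 0) & 0xFFFFFFFF
                break
            ea = idc.PrevHead(ea)
    return sites

def annotate_in_idb(sites, table):
    """Comment each push site with the resolved API name (or UNRESOLVED)."""
    import idc
    for ea, h in sites.items():
        names = table.get(h)
        label = "/".join(names) if names else "UNRESOLVED"
        idc.MakeComm(ea, "API hash 0x%08x -> %s" % (h, label))

if __name__ == "__main__":
    table = build_table(CANDIDATE_APIS)
    # Constructed hashes "found in the binary": two resolvable, one not.
    sample_hashes = [ror13_hash("CreateMutexA"), ror13_hash("InternetOpenA"), 0x12345678]
    for h, names in resolve(sample_hashes, table).items():
        print("0x%08x -> %s" % (h, names))
```

Unresolved hashes are worth keeping visible rather than dropped: they usually mean either a DLL missing from the candidate list or a hash routine that was not reversed exactly, and both are things to go back and check before trusting the annotated IDB.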
18. Let’s understand what’s going on!
• Can multiple instances of the malware run at the same time?
• Is the malware persistent? How?
• What is the command and control server?
• What is the update mechanism for binaries?
• Is there a C&C fallback mechanism?
19. Additional work
• Write a detection mechanism for an infected system
• Implement a cleaner for this malware
• Kill the process
• Remove persistence
• At what time interval does the malware probe its C&C server?
21. C&C Protocol Analysis
• What’s the chain of events in the communication?
• What is the information provided by the bot?
• What type of answer is the bot expecting?
• What are the different actions?
25. GUID
• What is at 0x0040A03D, how is it used in program?
26. Conclusions
• The set of questions to answer is often similar.
• Don’t focus on details, remember your objective, it’s easy to get lost.
• A mix of dynamic and static analysis is often the best solution for quick understanding of a new malware family.