Basic Malware Analysis
Albert Hui
Introduction to beginning malware analysis.
1. Basic Malware Analysis
Albert Hui, GCFA, CISA, albert.hui@gmail.com
2. Goals
- Present tools and techniques for preliminary malware analysis
- Introduce the model and mindset for beginning reverse engineering
- Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on
Copyright © 2007 Albert Hui
3. Terminology
- Malware: malicious software
- Virus: infects a host program in order to reproduce
- Worm: self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom)
- Trojan: malicious program disguised as harmless. Note that 木馬 in Chinese usage != trojan, but == backdoor
- Backdoor: remote control software
- Rootkit: covers up a backdoor and forensic evidence (e.g. Sony XCP rootkit)
- Spyware: calls home
4. Black-Box Examination
- Snapshot Observation
- Behavioral Tracing
- Sandboxing
5. Snapshot Observation
Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.)
Pros:
- Gathers a consistent big picture
- Some information is only uncovered by static analysis
Cons:
- Can lose sight of small/transient changes
- Difficult to cover every avenue
6. Snapshot Observation Tools (runtime)
- Process/Thread: Process Explorer
- Windows Objects: WinObj, OpenedFilesView
7. Snapshot Observation Tools (static)
- Executable: XN Resource Editor
- File: hexplorer, FileAlyzer
8. Snapshot Observation Tools (executable)
- PEBrowse, Dependency Walker, PEiD
- Dumper: LordPE, Universal Extractor, RL!depacker
- Decompiler/Disassembler: IDA Pro, OllyDbg/OllyICE, JAD, Spices.Decompiler
9. Behavioral Tracing
Includes debugging, tracing, network traffic analysis, etc.
Pros:
- Detailed time-domain information
- Can drill down to the system call level
Cons:
- Can lose sight of the big picture
- Difficult to cover every avenue
10. Behavioral Tracing Tools
- Process/Thread/File/Registry tracing: ProcMon
- Network tracing: TCPView, TDImon, Wireshark
- Debugger: OllyDbg/OllyICE, SoftICE
11. Sandboxing
- Containment of execution in a protected environment
- One kind of virtualization; shares techniques with virtual machines, honeypots/tarpits, and forceful uninstallers
- Sandboxing can occur at various levels: network, application, OS, down to bare metal
Pros:
- Total coverage possible
- Local containment of harm
Cons:
- Difficult to discern incremental changes
12. Sandboxing Tools
- Machine level: VMware
- OS level: Altiris SVS, PowerShadow, ShadowUser
- Application level: Sandboxie
- Network level: Honeyd
13. Demo
- Use FileAlyzer to determine the file type.
- Rename to .exe, use Dependency Walker to determine imported functions.
- Use PEiD to detect the signature: UPX packed.
- Use Universal Extractor to unpack the file.
- Use Dependency Walker again on the unpacked file to determine imported functions.
- Use FileAlyzer to read embedded strings.
- Detach the network, use Sandboxie to execute the file.
- Start Wireshark and ProcMon, execute the file again.
- Use OllyDbg to understand program flow: the program connects to a server on port 6667 (IRC).
- Set up our own IRC server, edit the hosts file on the guest to fool the malware into connecting to it.
- Try out the commands found in the embedded strings.
14. Process-Based Malware
- e.g. BO2K, Sub7, NetBus, 冰河, 灰鴿子
- Technically equivalent to VNC, Remote Desktop, pcAnywhere etc.
15. Tricks of Process-Based Malware
- Melting: deletes the installer, or deletes itself entirely from disk
- Sticky Process: multiple execution units reviving each other
- Sticky Image: reinstalls itself upon system shutdown
- Anti-detection (免殺):
  - Polymorphism: packing/encryption or other superficial changes
  - Metamorphism: radically changing the code; includes 加花 (addition of fake signatures)
16. Stealthy Malware: The 2nd Generation
17. Processless (無進程) Malware
- Parasite approach (exists only as threads inside other processes):
  - DLL attachment
  - CreateRemoteThread
  - Code injection, detour patching
- Rootkit approach (hides the process):
  - Hooking
  - DKOM
18. Vulnerabilities of Rootkits
- Communications can always be captured on external network links
- A rootkit always changes the OS:
  - compare observations with known-good states
  - compare observations from different approaches (e.g. Linux ls vs. opendir())
19. Rootkit Detection Tools
- 冰刃 IceSword
- DarkSpy
- GMER
20. Conclusion
- First perform static analysis
- Then let the malware loose in a contained environment
- Drill down with expert knowledge to fool the malware into doing more