SlideShare ist ein Scribd-Unternehmen logo

Basic Malware Analysis

Albert Hui
Albert Hui

Introduction to beginning malware analysis.

1 von 20
Basic Malware Analysis Albert Hui, GCFA, CISA albert.hui@gmail.com
Goals Present tools and techniques for preliminary malware analysis Introduce the model and mindset for beginning reverse engineering Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on Copyright © 2007 Albert Hui
Terminology Malware – malicious software Virus – infect a host program to reproduce Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom) Trojan – malicious program disguised as harmless 木馬(China usage) != trojan, but == Backdoor Backdoor – remote control software Rootkit – cover up backdoor and forensic evidence (e.g. Sony XCP Rootkit) Spyware – calls home Copyright © 2007 Albert Hui
Black-Box Examination Snapshot Observation Behavioral Tracing Sandboxing Copyright © 2007 Albert Hui
Snapshot Observation Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.) Pros: Gather consistent big picture Some info only uncovered by static analysis Cons: Can lose sight of small/transient changes Difficult to cover every avenues Copyright © 2007 Albert Hui
Snapshot Observation Tools (runtime) Process/Thread: Process Explorer Windows Objects: WinObj OpenedFilesView Copyright © 2007 Albert Hui
Snapshot Observation Tools (static) Executable: XN Resource Editor File: hexplorer FileAlyzer Copyright © 2007 Albert Hui
Snapshot Observation Tools (executable) PEBrowse Dependency Walker PEiD Dumper: LordPE Universal Extractor RL!depacker Decompiler/Disassembler: IDA Pro OllyDbg/OllyICE JAD Spices.Decompiler Copyright © 2007 Albert Hui
Behavioral Tracing Includes debugging, tracing, network traffic analysis, etc. Pros: Detailed time-domain info Can drill down to system call level Cons: Can lose sight of the big picture Difficult to cover every avenues Copyright © 2007 Albert Hui
Behavioral Tracing Tools Process/Thread/File/Registry Tracing: ProcMon Network Tracing: TCPView TDImon Wireshark Debugger: OllyDbg/OllyICE SoftICE Copyright © 2007 Albert Hui
Sandboxing Containment of execution in protected environment One kind of virtualization, techniques in common with virtual machine, honeypot/tarpit, and forceful uninstallers Sandboxing can occur at various levels: network, application, OS, down to bare metal Pros: Total coverage possible Local containment of harms Cons: Difficult to discern incremental changes Copyright © 2007 Albert Hui
Sandboxing Tools Machine Level: VMware OS Level: Altiris SVS PowerShadow ShadowUser Application Level: Sandboxie Network Level: Honeyd Copyright © 2007 Albert Hui
Demo Use FileAlyzer to determine file type. Rename to .exe, use Dependency Walker to determine functions. Use PEiD to detect signature – UPX packed. Use Universal Extractor to unpack file. Use Dependency Walker to determine functions. Use FileAlyzer to read embedded strings. Detach network, use Sandboxie to execute file. Use Wireshark and ProcMon, execute file again. Use OllyDbg to understand program flow – program connects to a server on port 6667. Set up our own IRC server, edit hosts file on guest to fool malware into connecting to it. Try out commands found in embedded strings. Copyright © 2007 Albert Hui
Process-Based Malware e.g. BO2K, Sub7, Netbus, 冰河, 灰鴿子 Technically equivalent to VNC, Remote Desktop, PCAnyware etc. Copyright © 2007 Albert Hui
Tricks of Process-Based Malware Melting – deletes installer or deletes entirely from disk Sticky Process – multiple execution units reviving each other Sticky Image – reinstall itself upon system shutdown Antidetection/免殺: Polymorphism – packing/encryption or other superficial changes Metamorphism – radically changing the codes, includes 加花 (addition of fake signatures) Copyright © 2007 Albert Hui
Stealthy Malware The 2nd Generation
Processless (無進程) Malware Parasite Approach (exist only as threads) DLL attachment CreateRemoteThread Code injection, detour patching Rookit Approach (hide process) Hooking DKOM Copyright © 2007 Albert Hui
Vulnerabilities of Rootkits Communications can always be captured on external network links Always changes OS compare observation with known-good states compare observations from different approaches (e.g. Linux ls vs. opendir()) Copyright © 2007 Albert Hui
Rootkit Detection Tools Rootkit Detection 冰刃 IceSword DarkSpy GMER Copyright © 2007 Albert Hui
Conclusion First perform static analysis Then let malware loose in contained environment Drill down with expert knowledge to further fool the malware into doing more Copyright © 2007 Albert Hui

Empfohlen

Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysissecurityxploded
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
malware analysis
malware analysismalware analysis
malware analysis20CS201AkashR
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 

Empfohlen

Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysissecurityxploded
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
malware analysis
malware analysismalware analysis
malware analysis20CS201AkashR
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking PowerpointRen Tuazon
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Ethical hacking ppt
Ethical hacking pptEthical hacking ppt
Ethical hacking ppthimanshujoshi238
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware AnalysisPrashant Gupta
 
Malware forensic
Malware forensicMalware forensic
Malware forensicSumeraHangi
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Sandboxing
SandboxingSandboxing
SandboxingNSConclave
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 

Weitere ähnliche Inhalte

Was ist angesagt?

Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking PowerpointRen Tuazon
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Malware forensic
Malware forensicMalware forensic
Malware forensicSumeraHangi
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 

Was ist angesagt? (20)

Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
System hacking
System hackingSystem hacking
System hacking
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking Powerpoint
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Ethical hacking ppt
Ethical hacking pptEthical hacking ppt
Ethical hacking ppt
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware Behavior
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Malware forensic
Malware forensicMalware forensic
Malware forensic
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Sandboxing
SandboxingSandboxing
Sandboxing
 

Ähnlich wie Basic Malware Analysis

Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threatsMartin Holovský
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxYasserOuda2
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
Inception framework
Inception frameworkInception framework
Inception framework한익 주
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memorysecurityxploded
 

Ähnlich wie Basic Malware Analysis (20)

Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threats
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Inception framework
Inception frameworkInception framework
Inception framework
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 

Mehr von Albert Hui

Information Security from Risk Management and Design
Information Security from Risk Management and DesignInformation Security from Risk Management and Design
Information Security from Risk Management and DesignAlbert Hui
 
The Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsThe Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsAlbert Hui
 
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Albert Hui
 
Practical Defences Against A New Type of Professional Bank Fraudsters
Practical Defences Against A New Type of Professional Bank FraudstersPractical Defences Against A New Type of Professional Bank Fraudsters
Practical Defences Against A New Type of Professional Bank FraudstersAlbert Hui
 
New Frontiers in Cyber Forensics
New Frontiers in Cyber ForensicsNew Frontiers in Cyber Forensics
New Frontiers in Cyber ForensicsAlbert Hui
 
Laying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationLaying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationAlbert Hui
 
Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersAlbert Hui
 
Detecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerDetecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerAlbert Hui
 
(Mis)trust in the cyber era
(Mis)trust in the cyber era(Mis)trust in the cyber era
(Mis)trust in the cyber eraAlbert Hui
 
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassUniversal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassAlbert Hui
 
Cyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateCyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateAlbert Hui
 
The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?Albert Hui
 
Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response TriageAlbert Hui
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemAlbert Hui
 

Mehr von Albert Hui (14)

Information Security from Risk Management and Design
Information Security from Risk Management and DesignInformation Security from Risk Management and Design
Information Security from Risk Management and Design
 
The Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsThe Practice of Cyber Crime Investigations
The Practice of Cyber Crime Investigations
 
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
 
Practical Defences Against A New Type of Professional Bank Fraudsters
Practical Defences Against A New Type of Professional Bank FraudstersPractical Defences Against A New Type of Professional Bank Fraudsters
Practical Defences Against A New Type of Professional Bank Fraudsters
 
New Frontiers in Cyber Forensics
New Frontiers in Cyber ForensicsNew Frontiers in Cyber Forensics
New Frontiers in Cyber Forensics
 
Laying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationLaying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident Investigation
 
Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New Frontiers
 
Detecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerDetecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an Attacker
 
(Mis)trust in the cyber era
(Mis)trust in the cyber era(Mis)trust in the cyber era
(Mis)trust in the cyber era
 
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassUniversal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
 
Cyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateCyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the Corporate
 
The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?
 
Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response Triage
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime Ecosystem
 

Basic Malware Analysis

  • 1. Basic Malware Analysis Albert Hui, GCFA, CISA albert.hui@gmail.com
  • 2. Goals Present tools and techniques for preliminary malware analysis Introduce the model and mindset for beginning reverse engineering Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on Copyright © 2007 Albert Hui
  • 3. Terminology Malware – malicious software Virus – infect a host program to reproduce Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom) Trojan – malicious program disguised as harmless 木馬(China usage) != trojan, but == Backdoor Backdoor – remote control software Rootkit – cover up backdoor and forensic evidence (e.g. Sony XCP Rootkit) Spyware – calls home Copyright © 2007 Albert Hui
  • 4. Black-Box Examination Snapshot Observation Behavioral Tracing Sandboxing Copyright © 2007 Albert Hui
  • 5. Snapshot Observation Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.) Pros: Gather consistent big picture Some info only uncovered by static analysis Cons: Can lose sight of small/transient changes Difficult to cover every avenues Copyright © 2007 Albert Hui
  • 6. Snapshot Observation Tools (runtime) Process/Thread: Process Explorer Windows Objects: WinObj OpenedFilesView Copyright © 2007 Albert Hui
  • 7. Snapshot Observation Tools (static) Executable: XN Resource Editor File: hexplorer FileAlyzer Copyright © 2007 Albert Hui
  • 8. Snapshot Observation Tools (executable) PEBrowse Dependency Walker PEiD Dumper: LordPE Universal Extractor RL!depacker Decompiler/Disassembler: IDA Pro OllyDbg/OllyICE JAD Spices.Decompiler Copyright © 2007 Albert Hui
  • 9. Behavioral Tracing Includes debugging, tracing, network traffic analysis, etc. Pros: Detailed time-domain info Can drill down to system call level Cons: Can lose sight of the big picture Difficult to cover every avenues Copyright © 2007 Albert Hui
  • 10. Behavioral Tracing Tools Process/Thread/File/Registry Tracing: ProcMon Network Tracing: TCPView TDImon Wireshark Debugger: OllyDbg/OllyICE SoftICE Copyright © 2007 Albert Hui
  • 11. Sandboxing Containment of execution in protected environment One kind of virtualization, techniques in common with virtual machine, honeypot/tarpit, and forceful uninstallers Sandboxing can occur at various levels: network, application, OS, down to bare metal Pros: Total coverage possible Local containment of harms Cons: Difficult to discern incremental changes Copyright © 2007 Albert Hui
  • 12. Sandboxing Tools Machine Level: VMware OS Level: Altiris SVS PowerShadow ShadowUser Application Level: Sandboxie Network Level: Honeyd Copyright © 2007 Albert Hui
  • 13. Demo Use FileAlyzer to determine file type. Rename to .exe, use Dependency Walker to determine functions. Use PEiD to detect signature – UPX packed. Use Universal Extractor to unpack file. Use Dependency Walker to determine functions. Use FileAlyzer to read embedded strings. Detach network, use Sandboxie to execute file. Use Wireshark and ProcMon, execute file again. Use OllyDbg to understand program flow – program connects to a server on port 6667. Set up our own IRC server, edit hosts file on guest to fool malware into connecting to it. Try out commands found in embedded strings. Copyright © 2007 Albert Hui
  • 14. Process-Based Malware e.g. BO2K, Sub7, Netbus, 冰河, 灰鴿子 Technically equivalent to VNC, Remote Desktop, PCAnyware etc. Copyright © 2007 Albert Hui
  • 15. Tricks of Process-Based Malware Melting – deletes installer or deletes entirely from disk Sticky Process – multiple execution units reviving each other Sticky Image – reinstall itself upon system shutdown Antidetection/免殺: Polymorphism – packing/encryption or other superficial changes Metamorphism – radically changing the codes, includes 加花 (addition of fake signatures) Copyright © 2007 Albert Hui
  • 16. Stealthy Malware The 2nd Generation
  • 17. Processless (無進程) Malware Parasite Approach (exist only as threads) DLL attachment CreateRemoteThread Code injection, detour patching Rookit Approach (hide process) Hooking DKOM Copyright © 2007 Albert Hui
  • 18. Vulnerabilities of Rootkits Communications can always be captured on external network links Always changes OS compare observation with known-good states compare observations from different approaches (e.g. Linux ls vs. opendir()) Copyright © 2007 Albert Hui
  • 19. Rootkit Detection Tools Rootkit Detection 冰刃 IceSword DarkSpy GMER Copyright © 2007 Albert Hui
  • 20. Conclusion First perform static analysis Then let malware loose in contained environment Drill down with expert knowledge to further fool the malware into doing more Copyright © 2007 Albert Hui