Malware Analysis -an overview by PP Singh

OUR GAME PLAN
 TODAY – A THEORETICAL OVERVIEW
FOLLOWED BY A CASE STUDY
 DETAILED PRESENTATIONS ABOUT EACH
COMPONENT.
 VIRTUALIZATION.
 HONEYPOTS / HONEYNETS.
 DEBUGGING
 AND SO ON (HOPEFULLY)   

 CAPABILITY FOR ‘ABSTRACT MATHEMATICS’

 ASSEMBLY LANGUAGE

 LACK OF SOCIAL LIFE

 ADEQUATE ‘BEHAVIOR MODIFICATION’ OR
‘TRANCE INDUCING’ MATERIALS.

 BASICS
 SETTING UP A LAB ENVIRONMENT
 ANALYSIS
o NETWORK TRAFFIC
o DISK IMAGE / FILE SYSTEM
o MEMORY IMAGE
o STATIC ANALYSIS

 TRADITIONALLY WE HAD – SOURCE CODE
AUDITING – PRIME REQUIREMENT WAS
SAFETY OF CODE.
 THEN CAME PROPRIETARY CODE AND
WITH IT ‘BLACK BOX TESTING’
 ALONG CAME MODULAR COMPONENTS
AND WE GRADUATED TO ‘REVERSE
ENGINEERING’

 WITH COTS PRODUCT CAME ISSUES OF
TRUST – MICROSOFT IS SAFE  BUT WHAT
ABOUT THE GUYS WHO MADE THE DLL.
 SUGGESTED READING ‘WYSINWYX’ GOGUL
BALAKRISHNAN’s PHD THESIS.
 METHOD TO REVERSE ENGINEERING
ALONG WITH ALL ASSOCIATED LIBRARIES
‘HOLISTIC REVERSE ENGINEERING’

 A FOCUSED APPLICATION– MALWARE
ANALYSIS.
 WHY – TRADITIONAL SIGNATURE BASED
ANALYSIS IS FUTILE GIVEN THE EVOLVING
MALWARE.
 SAME LOGIC HAS MULTIPLE ‘SIGNATURES’
 HENCE ‘BEHAVIORAL ANALYSIS’

 PROS & CONS OF BOTH STATIC ANALYSIS &
BEHAVIORAL ANALYSIS.
 LARGER VOLUMES OF SAMPLES
NECESSITATE ‘AUTOMATION’.
 ENTER CWSANDBOX, NORMAN SANDBOX
& OTHERS
 BUT WE NEED ‘MORE’

 OVERLAPPED WITH FORENSICS.
 PRIVACY & POLICY ISSUES.
 WISH TO LEARN
 ‘LIVE’ EXERCISE – PART OF GROWING UP
 FIELD OF WORK
 REQUIREMENT OF CUSTOMIZED DATA
 COMPLEXITIES IN THE MALWARE WORLD

 BASICS
 SETTING UP A LAB ENVIRONMENT
 ANALYSIS
o STATIC ANALYSIS
o NETWORK TRAFFIC
o DISK IMAGE / FILE SYSTEM
o MEMORY IMAGE

 A CONTROLLED ENVIRONMENT.
▪ MALWARE COLLECTION. MALWARE COLLECTION
THROUGH SPAM TRAPS, HONEY POTS AND SHARED
DATA. NEPENTHES AS AN EXAMPLE.
▪ VICTIM MACHINES. VIRTUALISATION OR REAL.
VIRTUAL MACHINES ARE EASIER TO MANAGE BUT
MALWARE INCREASINGLY BECOMING MORE AWARE
OF THEM. VIRTUAL MACHINES LIKE VMWARE,
PARALLELS, QEMU AND BOCHS ARE AVAILABLE.

▪ SUPPORT TOOLS.
▪ NETWORK SIMULATION. INTERNET CONNECTION,
DNS CONNECTION, IRC, WEB, SMTP, SERVER
▪ ANALYSIS TOOLS. SUPPORT OF ONLINE RESOURCES
LIKE VIRUS TOTAL.
 IT SHOULD BE ISOLATED.
 IT SHOULD PROVIDE A FULL SIMULATION.

 FRIENDS

 ONLINE RESOURCES

 HONEYPOTS
o AMUN
o NEPENTHES
o ….

 WINDOWS OS 
 START – WINDOW IMAGE USING LINUX
 THE RE-USABLE MALWARE ANALYSIS NET
‘TRUMAN’
 VIRTUAL MACHINES
 NORTON GHOST / UDPCAST / ACRONIS
 HARDWARE – CORE RESTORE
 MICROSOFT – STEADY STATE

 THIS MINI LINUX IMPLEMENTATION
CONTAINS TOOLS LIKE PARTIMAGE,
NTFSRESIZE, AND FDISK AND IS BASED
AROUND THE FANTASTIC BUSYBOX.
 IT ENABLES YOU TO PXE BOOT A PC INTO A
LINUX CLIENT WHICH CAN CREATE AN NTFS
PARTITION, GRAB A WINDOWS DISK IMAGE
FROM THE NETWORK, WRITE IT TO A LOCAL
DISK AND THEN RESIZE THAT PARTATION.

 TWO MINIMUM MACHINES.
 LINUX BASED SERVER
 TRUMAN MACHINE AS CLIENT (XP
WITHOUT PATCHES). INSTALLATION FAQ
ON NSMWIKI.
 VIRTUAL NETWORK SIMULATION

 MAVMM: LIGHTWEIGHT AND PURPOSE
BUILT VMM FOR MALWARE ANALYSIS
 AUTHORS - ANH M. NGUYEN, NABIL
SCHEAR, HEEDONG JUNG, APEKSHA
GODIYAL, SAMUEL T. KING, HAI D. NGUYEN

 A SPECIAL PURPOSE VIRTUAL MACHINE
FOR MALWARE ANALYSIS

 ACADEMIC VERSION OF XP AVAILABLE.

 INSTRUMENTATION OF CODE FEASIBLE

 CREATION OF ‘SPECIAL WINDOWS’ BOXES

 CREATE A CONTROLLED ENVIRONMENT. VIRTUAL
OR REAL.
 BASELINE THE ENVIRONMENT:-
▪ VICTIM MACHINE. FILE SYSTEM, REGISTRY,
RUNNING PROCESSES, OPEN PORTS, USERS,
GROUPS, NETWORK SHARES, SERVICES ETC.
▪ NETWORK TRAFFIC.
▪ EXTERNAL VIEW.

 INFORMATION COLLECTION.
▪ STATIC. STRINGS, RESOURCES, SCRIPTS, FILE
PROPERTIES ETC
▪ DYNAMIC.
 INFORMATION ANALYSIS. INVOLVES INFORMATION
COLLATION, INTERNET SEARCHES, STARTUP
METHODS, COMMUNICATION PROTOCOLS,
SPREADING MECHANISMS ETC
 RECONSTRUCTING THE BIG PICTURE.
 DOCUMENTATION.

 PSEXEC – PART OF SYSINTERNALS
PSTOOLS KIT.
 MS REMOTE DESKTOP 
 VIRTUAL NETWORK COMPUTING (VNC)
 ULTRAVNC – SOURCEFORGE

 IF YOU ARE COMFORTABLE WITH REMOTE
COMMAND LINE – PSEXEC

 BASELINE INFORMATION
o NETWORK TRAFFIC
o FILE SYSTEM
o REGISTRY
o MEMORY IMAGE

 REMEMBER IT IS ‘MALWARE’

 USE PKZIP TO HANDLE THE SAMPLE

 COMMAND LINE METHOD

 IF YOU ARE SUBMITTING SAMPLES ONLINE
PASSWORD = ‘infected’

 DISK IMAGE ANALYSIS ADVANCED INTRUSION
DETECTION ENVIRONMENT FOR COMPARING DISK
IMAGES BEFORE AND AFTER.
 NTFS-3G DRIVERS & GETFATTR FOR ADS STREAMS.
 REGISTRY USING DUMPHIVE
 COMPARE REGISTRY DUMP BEFORE AND AFTER USING
LINUX DIFF –U COMMAND
 MEMORY IMAGE ANALYSIS. PMODUMP.PL MODIFIED
TO HANDLE PEB RANDOMISATIONS, VOLATILITY
FRAMEWORK USED FOR ANALYSIS.
 OUTPUTS OF MULTIPLE TOOLS USED TO COMPARE
AND ANALYSE.

 FILE SYSTEM AND REGISTRY MONITORING:
PROCESS MONITOR AND CAPTURE BAT
 PROCESS MONITORING: PROCESS
EXPLORER AND PROCESS HACKER
 NETWORK MONITORING: WIRESHARK AND
SMARTSNIFF
 CHANGE DETECTION: REGSHOT

 A GOOD WAY TO SEE CHANGES TO THE
NETWORK IS WITH A TOOL CALLED NDIFF.
 NDIFF IS A TOOL THAT UTILIZES NMAP
OUTPUT TO IDENTIFY THE DIFFERENCES,
OR CHANGES THAT HAVE OCCURRED IN
YOUR ENVIRONMENT.
 NDIFF CAN BE DOWNLOADED FROM
http://www.vinecorp.com/ndiff/.

 TCPDUMP – CONSOLE
 WINDUMP – CONSOLE

 WIRESHARK – GUI

 THE OPTIONS OFFERED IN NDIFF INCLUDE:
ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>]
[-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>]
[-fmt|-format <terse | minimal | verbose | machine | html | htmle>]
 NDIFF OUTPUT MAY BE REDIRECTED TO A WEB PAGE:
ndiff –b base-line.txt –o tested.txt –fmt machine | ndiff2html >
differences.html
 THE OUTPUT FILE, “DIFFERENCES.HTML”, MAY BE DISPLAYED
IN A WEB BROWSER. THIS WILL SEPARATE HOSTS INTO THREE
MAIN CATEGORIES:
o NEW HOSTS,
o MISSING HOSTS, AND
o CHANGED HOSTS.

 NETSTAT
 FPORT

 TCPVcon – CONSOLE
 TCPView – GUI

 HANDLE – CONSOLE
 PROCESS EXPLORER – GUI

USE PID TO CORRELATE OUTPUTS

 HASHING FUNCTIONS
o MD5DEEP – JESSE KORNBLUM

 FUZZY HASHING
o SSDEEP – AGAIN JESSE

 ONLINE HASHES OF GOOD FILES – NIST

 A GOOD START
 VIRUSTOTAL

 VIRUSSCAN

 AND MANY MORE

 HELP RETAIN FOCUS

 virus@ca.com
 sample@nod32.com
 samples@f-secure.com
 newvirus@kaspersky.com

 VIRUSTOTAL, JOTTI, VIRUS.ORG

 MANY MORE

 PEID

 POLYUNPACK

RENOVO – PART OF BIT BLAZE
BASED ON MEMORY UNPACKING

 AND MANY MORE

 TOOLS:-
o PEVIEW
o DEPENDS
o PE BROWSE PRO
o OBJ DUMP
o RESOURCE HACKER
o STRINGS
 DETERMINE THE DATE/ TIME OF COMPILATION,
FUNCTIONS IMPORTED BY THE PROGRAM, ICONS,
MENUS, VERSION, INFO AND STRINGS EMBEDDED
IN THE RESOURCES.

 STRINGS
 VIP UTILITY –
www.freespaceinternetsecurity.com
 InCtrl5
 SANDBOXIE
 FILEMON
 REGMON
 AUTORUNS
 HIJACK THIS
 ……..

 PE FORMAT  NEED I SAY MORE.
 LORD PE  CAN ALSO DO MEMORY
DUMPS
 PETOOLS
 PEID  TO FIND PACKER DETAILS

 WINDBG
 OLLYDBG
 IDA PRO
 SYSRDBG – KERNEL LEVEL ?
 KERNEL DEBUGGER FROM MS

 KNOWLEDGE OF ASSEMBLY LANGUAGE
CRITICAL
 TRAP – API EMULATION

 JAVASCRIPT OBFUSCATION – SPIDER MONKEY.
 TOOLS FOR MS OFFICE FORMATS:-
 OFFICEMALSCANNER
 OFFVIS
 OFFICE BINARY TRANSLATOR (INCLUDES BIFFVIEW
TOOL).
 OFFICECAT.
 FILEHEX AND FILEINSIGHT HEX EDITORS CAN PARSE
AND EDIT OLE STRUCTURES.
 SIMILARLY TOOLS FOR PDF, FLASH ETC

 EXTENSIVE FEATURES ≠ GOOD TOOL

 REQUIREMENT TO SCRIPT & PARSE
OUTPUTS INTO A ‘READABLE REPORT’

 COMMAND LINE / GUI OPTIONS

 COMPARISON OF MULTIPLE TOOLS AS
VERIFICATION

 RAPID ASSESSMENT & POTENTIAL
INCIDENT EXAMINATION REPORT
 RAPIER IS A SECURITY TOOL BUILT TO
FACILITATE FIRST RESPONSE PROCEDURES
FOR INCIDENT HANDLING.
 OVERLAP BETWEEN FORENSICS AND
MALWARE ANALYSIS.
 TO ILLUSTRATE THE REQUIREMENT TO
‘SCRIPT AROUND GUI TOOLS’

 AS PART OF ANALYSIS, TRY TO IDENTIFY
THE SOURCE.
 BLOCK LISTS OF SUSPECTED MALICIOUS
IPS AND URLS
 LOOKING UP POTENTIALLY MALICIOUS
WEBSITES

 INITIAL VECTOR – BROWSER HISTORY,
EMAIL LOGS

 SIMILARITY STUDIES:-

 http://code.google.com/p/yara-project/
 GENOME BASED CLASSIFICATION
 MALWARE SIMILARITY ANALYSIS – BLACK HAT
09 - DANIEL RAYGOZA
 BLAST: BASIC LOCAL ALIGNMENT SEARCH
TOOL BASED CLASSIFICATION
 FUZZY CLARITY – DIGITAL NINJA

 RESEARCH IS ON FOR CLASSIFICATION
ACCORDING TO:-
o OPCODE DISTRIBUTION
o API CALLS MADE
o COMPILER PARAMETER
o ……

o WILL GIVE THE ‘HEURISTICS'

 ALWAYS CORRELATE THE ANALYSIS:-
o ANUBIS (FORMERLY TTANALYSE)
o BIT BLAZE ( COUSIN OF WEB BLAZE PROJECT)
o COMODO
o CWSANDBOX
o EUREKA
o JOEBOX
o NORMAN SANDBOX
o THREAT EXPERT
o XANDORA

 SUGGESTED READING
o WILDCAT: AN INTEGRATED STEALTH
ENVIRONMENT FOR DYNAMIC MALWARE
ANALYSIS – AMIT VASUDEVAN
o ‘WYSINWYX’ WHAT YOU SEE IS NOT WHAT
YOU EXECUTE - GOGUL BALAKRISHNAN
o LARGE-SCALE DYNAMIC MALWARE ANALYSIS
- ULRICH BAYER

Malware Analysis -an overview by PP Singh

Malware Analysis -an overview by PP Singh

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to Malware Analysis -an overview by PP Singh

Similar to Malware Analysis -an overview by PP Singh (20)

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Recently uploaded

Recently uploaded (20)

Malware Analysis -an overview by PP Singh