Part 1: Basic Analysis, Chapter 1: Basic Static Techniques - PowerPoint Presentation
Uploaded by everfashion (@everfashion) on 2020-08-28, 344 views


Presentation Transcript

Slide1

Part 1: Basic Analysis

Chapter 1: Basic Static Techniques

Chapter 2: Malware Analysis in Virtual Machines

Chapter 3: Basic Dynamic Analysis

Slide2

Chapter 1: Basic Static Techniques

Slide3

Static analysis

Examine payload without executing it to determine function and maliciousness

Done via scanning content

Slide4

File signatures

Common code or data used across malware instances, e.g. embedded URL strings, decryptor code

Examples

Strings search on metadata, errors, constants

Regular expression searches

Hashing (e.g. MD5, SHA)
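The three signature techniques on this slide (strings search, regular-expression search, hashing) can be combined in a small script. The following is an added example, not code from the slides or the textbook; the byte buffer SAMPLE is constructed here to stand in for a binary, and every identifier in it (extract_strings, find_urls, file_hashes) is this example's own. It pulls out both ASCII and UTF-16LE ("wide") strings, as the Strings tool does, because Windows malware frequently stores API names and paths as wide strings that a plain ASCII scan misses.

```python
import hashlib
import re

# Constructed sample "binary": a DOS-header-like prefix, an ASCII library
# name, a wide (UTF-16LE) API name, some junk, a URL and a format string.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00\x00\x00"
    + "CreateMutexW".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + b"http://example.invalid/update.php\x00"
    + b"Error: %s\x00"
)

# Anything that looks like an HTTP(S) URL inside an extracted string.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data, min_len=4):
    """Return (kind, text) pairs for every printable ASCII run and every
    UTF-16LE run of at least min_len characters, ordered by file offset."""
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "wide", m.group().decode("utf-16-le")))
    found.sort()
    return [(kind, text) for _, kind, text in found]


def find_urls(strings):
    """Regex search over the extracted strings for embedded URLs."""
    return [text for _, text in strings if URL_RE.search(text)]


def file_hashes(data):
    """Whole-file hashes, the form most signature databases key on."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for kind, text in strings:
        print(f"{kind:5} {text}")
    print("URLs:", find_urls(strings))
    for name, digest in file_hashes(SAMPLE).items():
        print(f"{name:6} {digest}")
```

The wide-string pass is separated from the ASCII pass on purpose: a wide string is never matched by the ASCII pattern (every character is followed by a NUL), so running only one of the two scans silently drops half of what a Windows binary contains.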

Slide5

Signatures generated via analysis

Artifacts revealed by binary

Tools for dumping linked libraries: Dependency Walker, PEView, PEBrowse, PE Explorer, ldd

Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)

Disassemblers

Slide6

But…

Astronomical growth in signatures

Coverage by a single tool is difficult

Cloud-based anti-virus

http://www.virustotal.com

Bought by Google

But, public service that allows attacker to know when their malware has been uploaded and identified!

Can use private malware sandbox analysis (VMRay)

Slide7

Malware counter-measures

Obfuscation

Code execution is hidden by author to make static analysis difficult

Packing

Code compressed and encrypted to completely thwart static analysis (Figure 1-4)

Code to unpack binaries is common, however

Some can be identified (PEiD)

Polymorphism and metamorphism

Code transformed into equivalent, but different form to thwart static signatures

Example: Mimikatz (Metasploit module to do weaponized credential theft on Windows)

From 54/54 (100% detection) to 4/54 when replacing ‘mimikatz’ with ‘kitikatz’ and recompiling

AV with signatures is now completely dead
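Packer identification by byte signature (PEiD) fails as soon as the packer stub changes, so analysts usually pair it with a heuristic that does not depend on any particular packer: compressed or encrypted code has near-maximal byte entropy, while ordinary code and data do not. The block below is an added example, not from the slides or the textbook, that computes Shannon entropy over a file and over fixed-size windows to locate the packed region; LOW, HIGH and SAMPLE are constructed stand-ins for unpacked data, a packed blob, and a file containing both, and the 7.0 bits/byte threshold is a commonly used rule of thumb rather than a value from the page.

```python
import math
from collections import Counter

# Constructed stand-ins: LOW mimics plain code/data (8 distinct byte values),
# HIGH mimics a compressed/encrypted blob (all 256 values, evenly spread).
LOW = b"ABCDEFGH" * 128            # 1024 bytes, entropy exactly 3.0
HIGH = bytes(range(256)) * 4       # 1024 bytes, entropy exactly 8.0
SAMPLE = LOW + HIGH + LOW          # "file" with a packed region in the middle


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data, window=256, threshold=7.0):
    """Slide a non-overlapping window over the data and return (offset, entropy)
    for each full window at or above the threshold: a crude locator for packed
    sections or embedded encrypted payloads."""
    regions = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            regions.append((off, round(e, 2)))
    return regions


def looks_packed(data, threshold=7.0):
    """Whole-file verdict; real packers push the entire .text section high."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    print("whole-file entropy:", round(shannon_entropy(SAMPLE), 3))
    print("packed?", looks_packed(SAMPLE))
    for off, e in high_entropy_regions(SAMPLE):
        print(f"high-entropy window at offset {off:#06x}: {e}")
```

Note that the whole-file verdict and the windowed scan disagree on SAMPLE: a small encrypted payload inside an otherwise normal binary does not raise the file-level entropy enough to trip the threshold, which is why per-window (or per-section, when parsing a PE) measurement is the more useful of the two.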

Slide8

Chapter 2: Malware Analysis on VMs

Chapter 3: Basic Dynamic Analysis

Slide9

Malware and VMs

Most malware must be executed in order to analyze them

Requires a safe environment

VirtualBox, VMware

Host-only networking to monitor network traffic

Snapshots and roll-back

Record and replay execution

Slide10

Sandboxes

Simpler alternative to VMs

Behavior isolation and coarse-grained tracking of malware execution

File system activity

Registry activity

Network activity

Examples: GFI Sandbox, Norman SandBox

Always use a sandbox or VM to analyze malware

Slide11

Don’t be like…

Slide12

Slide13

But, can be subtle

FireEye anti-virus (12/2015)

Static analysis of Java byte-code via a Java decompiler (JODE), so did not run in a VM

But, did not realize decompiler executed byte code as well

Instant remote code execution

AV now *worse* than no AV

Slide14

Malware execution

Binaries: executed via direct launch or via debugger

DLLs: executed via wrappers such as rundll32.exe

Slide15

Monitoring execution

Procmon (Sysmon), www.sysinternals.com

Combines process, file, and registry monitoring to track execution behavior

Spits out XML on events, allows one to reconstruct process tree

Process Hacker (http://processhacker.sourceforge.net/)

Process (memory) monitoring

Process Explorer

Verify running process against the disk executable image

Determine if malicious documents are launching new processes

Regshot

Flag changes in registry

Slide16

Monitoring execution

ApateDNS

Capture DNS requests and modify replies

More comprehensive follow-on tool: Flare-NG

https://github.com/fireeye/flare-fakenet-ng/releases

Netcat

Proxying

and emulating connections

Wireshark

Packet capturing tool

INetSim

Simulate common Internet services
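What ApateDNS and INetSim do for DNS is small enough to show end to end: answer every A query with an address of the analyst's choosing (usually the analysis VM itself, where a fake service is listening) and log the names the sample asked for. The block below is an added example, not the code of either tool, of a minimal fake DNS responder; build_query, parse_query, build_response and serve are this example's own names, the bind address 127.0.0.1:5353 and the answer 10.0.0.5 are assumptions, and it handles only single-question, uncompressed queries, returning an empty answer section for non-A types rather than guessing.

```python
import socket
import struct

FLAGS_STANDARD_QUERY = 0x0100   # RD set
FLAGS_RESPONSE = 0x8180         # QR, RD, RA set, RCODE 0
QTYPE_A = 1


def encode_name(name):
    """'a.b.c' -> b'\\x01a\\x01b\\x01c\\x00' (DNS label format)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(packet, offset):
    """Parse labels starting at offset; return (name, offset after the name)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=QTYPE_A):
    """Client side, as a resolver would send it (used here for testing)."""
    header = struct.pack("!HHHHHH", txid, FLAGS_STANDARD_QUERY, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, raw question section) of a single-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, name, qtype, packet[12:off + 4]


def build_response(packet, answer_ip, ttl=60):
    """Answer any A query with answer_ip; other types get an empty answer."""
    txid, _name, qtype, question = parse_query(packet)
    if qtype != QTYPE_A:
        return struct.pack("!HHHHHH", txid, FLAGS_RESPONSE, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE, 1, 1, 0, 0)
    # 0xC00C is a pointer back to the name at offset 12 (the question).
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
              + socket.inet_aton(answer_ip))
    return header + question + answer


def serve(bind=("127.0.0.1", 5353), answer_ip="10.0.0.5"):
    """Blocking UDP loop: log each query and redirect it to answer_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        packet, peer = sock.recvfrom(512)
        try:
            _, name, qtype, _ = parse_query(packet)
        except (ValueError, IndexError, struct.error):
            continue                     # malformed; ignore rather than crash
        print(f"{peer[0]} type={qtype} {name} -> {answer_ip}")
        sock.sendto(build_response(packet, answer_ip), peer)


if __name__ == "__main__":
    serve()
```

Pointing the analysis VM's resolver at this responder (port 53 in practice, which needs privileges) is what makes the "contacts web site" step in the lab observable: the sample resolves its hostname, gets the analyst's address back, and its next connection lands on the emulated service instead of the real one.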

Slide17

Tools in action

See p. 57 in text (msts.exe)

Setup tools (process/network/registry monitoring, setup VMs, server emulation) – Fig. 3-12

Contacts web site (the textbook's) – ApateDNS

Creates new file (winhlp2.exe) – procmon

Modifies registry to autorun – regshot

Creates a mutex to ensure only a single execution – Process Explorer

Contacts a server over port 443 (https), but does not speak SSL – INetSim

Speaks a custom protocol – Wireshark
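Slide 15 notes that Procmon exports XML from which the process tree can be rebuilt, and the walkthrough above lists the behaviours an analyst looks for in that output (a dropped executable, an autorun key, a child process, an outbound connection). The block below is an added example, not from the slides, the textbook or Sysinternals, that does both over one capture. SAMPLE_XML is constructed for the example and only loosely follows the layout of a Procmon export (a processlist and an eventlist with ProcessId/ParentProcessId and PID/Operation/Path/Detail fields); the element names, the file and registry paths, and the 203.0.113.7 address are all assumptions, and the flagging rules in flag_events are this example's own heuristics.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed capture, modelled loosely on Procmon's XML export (assumed
# layout). Process and file names echo the lab sample on the slide; paths,
# PIDs and the remote address are made up for the example.
SAMPLE_XML = r"""<procmon>
<processlist>
 <process><ProcessIndex>1</ProcessIndex><ProcessId>500</ProcessId><ParentProcessId>1</ParentProcessId><ProcessName>explorer.exe</ProcessName></process>
 <process><ProcessIndex>2</ProcessIndex><ProcessId>1234</ProcessId><ParentProcessId>500</ParentProcessId><ProcessName>msts.exe</ProcessName></process>
 <process><ProcessIndex>3</ProcessIndex><ProcessId>1300</ProcessId><ParentProcessId>1234</ParentProcessId><ProcessName>winhlp2.exe</ProcessName></process>
</processlist>
<eventlist>
 <event><PID>1234</PID><Operation>CreateFile</Operation><Path>C:\Windows\System32\winhlp2.exe</Path><Result>SUCCESS</Result><Detail>Desired Access: Generic Write</Detail></event>
 <event><PID>1234</PID><Operation>RegSetValue</Operation><Path>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhlp2</Path><Result>SUCCESS</Result><Detail>Type: REG_SZ</Detail></event>
 <event><PID>1234</PID><Operation>Process Create</Operation><Path>C:\Windows\System32\winhlp2.exe</Path><Result>SUCCESS</Result><Detail>PID: 1300</Detail></event>
 <event><PID>1300</PID><Operation>TCP Connect</Operation><Path>host:50001 -> 203.0.113.7:443</Path><Result>SUCCESS</Result><Detail></Detail></event>
</eventlist>
</procmon>"""

# Registry locations whose values are executed at logon (autorun persistence).
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def parse_procmon_xml(xml_text):
    """Return ({pid: {"name", "ppid"}}, [event dicts]) from the export."""
    root = ET.fromstring(xml_text)
    procs = {}
    for p in root.iter("process"):
        procs[int(p.findtext("ProcessId"))] = {
            "name": p.findtext("ProcessName"),
            "ppid": int(p.findtext("ParentProcessId")),
        }
    events = [{
        "pid": int(e.findtext("PID")),
        "op": e.findtext("Operation") or "",
        "path": e.findtext("Path") or "",
        "detail": e.findtext("Detail") or "",
    } for e in root.iter("event")]
    return procs, events


def render_process_tree(procs):
    """Indented lines, one per process; roots are processes whose parent
    was not captured (e.g. started before Procmon)."""
    children = defaultdict(list)
    for pid, info in procs.items():
        children[info["ppid"]].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{procs[pid]['name']} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(pid for pid, i in procs.items() if i["ppid"] not in procs):
        walk(root, 0)
    return lines


def flag_events(events):
    """Apply simple behavioural rules; returns (pid, op, path, reason) tuples."""
    flags = []
    for ev in events:
        op, path, detail = ev["op"], ev["path"], ev["detail"]
        lowered = path.lower()
        if op == "RegSetValue" and any(k in lowered for k in RUN_KEYS):
            flags.append((ev["pid"], op, path, "autorun persistence"))
        elif op == "CreateFile" and lowered.endswith(".exe") and "Generic Write" in detail:
            flags.append((ev["pid"], op, path, "writes executable to disk"))
        elif op == "Process Create":
            flags.append((ev["pid"], op, path, "spawns child process"))
        elif op in ("TCP Connect", "UDP Send"):
            flags.append((ev["pid"], op, path, "network connection"))
    return flags


if __name__ == "__main__":
    procs, events = parse_procmon_xml(SAMPLE_XML)
    print("\n".join(render_process_tree(procs)))
    for pid, op, path, reason in flag_events(events):
        print(f"[{reason}] pid={pid} {op} {path}")
```

The tree makes the parent-child relationship explicit (the dropped winhlp2.exe is a child of the sample, not of explorer.exe), which is the same question the slide asks of Process Explorer for malicious documents; the flagged events are the Regshot and Procmon findings from the walkthrough expressed as rules that can be rerun on the next capture.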

Slide18

In-class exercises

Lab 1-1, Lab 1-2

Lab 3-2, Lab 3-4