Slide1
Part 1: Basic Analysis
Chapter 1: Basic Static Techniques
Chapter 2: Malware Analysis in Virtual Machines
Chapter 3: Basic Dynamic Analysis
Slide2
Chapter 1: Basic Static Techniques
Slide3
Static analysis
Examine payload without executing it to determine function and maliciousness
Done via scanning content
Slide4
File signatures
Common code or data used across malware instances
e.g. embedded URL strings, decryptor code
Examples
Strings search on metadata, errors, constants
Regular expression searches
Hashing (e.g. MD5, SHA)
Slide5
Signatures generated via analysis
Artifacts revealed by binary
Tools for dumping linked libraries
Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)
Disassemblers
Slide6
But…
Astronomical growth in signatures
Coverage by a single tool is difficult
Cloud-based anti-virus
http://www.virustotal.com
Bought by Google
But, public service that allows attacker to know when their malware has been uploaded and identified!
Can use private malware sandbox analysis (VMRay)
Slide7
Malware counter-measures
Obfuscation
Code execution is hidden by author to make static analysis difficult
Packing
Code compressed and encrypted to completely thwart static analysis (Figure 1-4)
Code to unpack binaries is common, however
Some can be identified (PEiD)
Polymorphism and metamorphism
Code transformed into equivalent, but different form to thwart static signatures
Example: Mimikatz (Metasploit module to do weaponized credential theft on Windows)
From 54/54 (100% detection) to 4/54 when replacing ‘mimikatz’ with ‘kitikatz’ and recompiling
AV with signatures is now completely dead
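An added Python example (not from the slides or the textbook) that runs the slide 4 and 5 checks over a constructed stand-in for a binary: whole-file MD5/SHA-256 hashing, a strings extraction, and regex scans for embedded URLs and imported DLL names, then makes the slide 7 point concrete by showing that renaming one string defeats a hash-plus-string signature while the URL and DLL artifacts still match. The sample bytes, the URL and the mutex name are constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for a Windows executable (not a real binary): a DOS
# stub, a few imported DLL names, an embedded URL, a mutex name, junk bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00User32.dll\x00WS2_32.dll\x00"
    + b"http://update.example.invalid/check.php\x00"
    + b"Global\\mimikatz_mutex\x00" + b"\x07\x01\xff" * 8
)

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")          # what `strings -n 4` prints
URL_RE = re.compile(rb"https?://[\w.\-/%?=&]+", re.I)   # embedded URL strings
DLL_RE = re.compile(rb"\b[\w\-]+\.dll\b", re.I)         # linked library names

def file_hashes(data):
    """Whole-file hashes: an exact-match signature (MD5/SHA as on slide 4)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def printable_strings(data):
    """ASCII runs of 4+ chars: metadata, error text, constants, URLs."""
    return [s.decode("ascii") for s in PRINTABLE_RE.findall(data)]

def triage(data):
    """Regex scan for the artifacts slides 4 and 5 tell you to look for."""
    return {"urls": [u.decode() for u in URL_RE.findall(data)],
            "dlls": sorted({d.decode().lower() for d in DLL_RE.findall(data)})}

def matches(data, signature):
    """Evaluate a signature of the form {'md5': hex, 'strings': [bytes, ...]}."""
    md5_ok = file_hashes(data)["md5"] == signature["md5"]
    str_ok = all(s in data for s in signature["strings"])
    return {"md5": md5_ok, "strings": str_ok}

if __name__ == "__main__":
    sig = {"md5": file_hashes(SAMPLE)["md5"], "strings": [b"mimikatz"]}
    print(matches(SAMPLE, sig))          # both True on the original sample
    # Slide 7's rename: one string changed, the rest of the file identical
    variant = SAMPLE.replace(b"mimikatz", b"kitikatz")
    print(matches(variant, sig))         # both False: hash and string signature miss
    print(triage(variant))               # URL and DLL artifacts are unchanged
```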
Slide8
Chapter 2: Malware Analysis on VMs
Chapter 3: Basic Dynamic Analysis
Slide9
Malware and VMs
Most malware must be executed in order to analyze it
Requires a safe environment
VirtualBox, VMware
Host-only networking to monitor network traffic
Snapshots and roll-back
Record and replay execution
Slide10
Sandboxes
Simpler alternative to VMs
Behavior isolation and coarse-grained tracking of malware execution
File system activity
Registry activity
Network activity
Examples: GFI Sandbox, Norman SandBox
Always use a sandbox or VM to analyze malware
Slide11
Don’t be like…
Slide12
Slide13
But, can be subtle
FireEye anti-virus (12/2015)
Static analysis of Java byte-code via a Java decompiler (JODE), so did not run in a VM
But, did not realize decompiler executed byte code as well
Instant remote code execution
AV now *worse* than no AV
Slide14
Malware execution
Binaries: executed via direct launch or via debugger
DLLs: executed via wrappers such as rundll32.exe
Slide15
Monitoring execution
Procmon (Sysmon) www.sysinternals.com
Combines process, file, and registry monitoring to track execution behavior
Spits out XML on events, allows one to reconstruct process tree
Process Hacker (http://processhacker.sourceforge.net/)
Process (memory) monitoring
Process explorer
Verify running process against the disk executable image
Determine if malicious documents are launching new processes
Regshot
Flag changes in registry
Slide16
Monitoring execution
ApateDNS
Capture DNS requests and modify replies
More comprehensive follow-on tool: FLARE FakeNet-NG
https://github.com/fireeye/flare-fakenet-ng/releases
Netcat
Proxying and emulating connections
Wireshark
Packet capturing tool
INetSim
Simulate common Internet services
Slide17
Tools in action
See p. 57 in text (msts.exe)
Setup tools (process/network/registry monitoring, setup VMs, server emulation) – Fig. 3-12
Contacts web site (the textbook's) – ApateDNS
Creates new file (winhlp2.exe) – procmon
Modifies registry to autorun – regshot
Creates a mutex to ensure only a single execution – Process Explorer
Contacts a server over port 443 (https), but does not speak SSL – INetSim
Speaks a custom protocol – Wireshark
Slide18
In-class exercises
Lab 1-1, Lab 1-2
Lab 3-2, Lab 3-4