ppt - Thefengs.com
Homework tar file
Download your course tarball from web page
– Named using your PSU ID
– Chapter labeled for each binary
Part 1: Basic Analysis
Chapter 1: Basic Static Techniques
Chapter 2: Malware Analysis in Virtual Machines
Chapter 3: Basic Dynamic Analysis
Chapter 1: Basic Static Techniques
Scanning
Statically analyze payload to determine its maliciousness
– Recall Aitel 2011 USENIX Security talk
File signatures
Common code or data used across malware instances
– e.g. embedded URL strings, decryptor code
Signatures
– Hashing (e.g. MD5, SHA)
– Strings search on metadata, errors, constants
– Polymorphism and metamorphism easy for an adversary to deploy
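The two signature styles on this slide, whole-file hashing and a strings/pattern search, and the reason polymorphism defeats them cheaply, as an added example (not from the slides or the textbook). The sample bytes, the URL and the signature set are constructed for the example; only `hashlib` and `re` from the standard library are used.

```python
import hashlib
import re

# Constructed sample "binary" (not a real file): opaque filler around the kinds of
# artefacts the slide lists, an embedded URL, an error message and a constant.
C2_URL = b"http://c2.example.test/gate.php"
ERR_MSG = b"Error: could not open file"
SAMPLE = (b"MZ\x90\x00" + bytes(range(128, 256)) * 2
          + C2_URL + b"\x00" + bytes(range(128, 256))
          + ERR_MSG + b"\x00" + b"\xde\xad\xbe\xef" * 4)

# Hypothetical signature set: short byte patterns a scanner would look for.
SIGNATURES = {
    "c2-url": b"c2.example.test",
    "err-msg": b"could not open file",
}


def file_hashes(data: bytes) -> dict:
    """Whole-file hashes, the coarsest signature: any single-byte change defeats them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic the `strings` tool: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_signatures(data: bytes, sigs: dict = SIGNATURES) -> list:
    """Names of the signatures whose byte pattern occurs anywhere in data."""
    return sorted(name for name, pat in sigs.items() if pat in data)


def flip_last_byte(data: bytes) -> bytes:
    """The smallest possible variant: one byte differs, so every hash differs."""
    return data[:-1] + bytes([data[-1] ^ 0xFF])


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def hide_string(data: bytes, plain: bytes, key: int = 0x2A) -> bytes:
    """Replace a cleartext string with a single-byte-XOR encoded copy, the kind of
    trivial encoding that hides it from both `strings` and the pattern scan."""
    return data.replace(plain, xor_bytes(plain, key))


if __name__ == "__main__":
    for name, digest in file_hashes(SAMPLE).items():
        print(f"{name}: {digest}")
    print("strings:", printable_strings(SAMPLE))
    print("signatures:", match_signatures(SAMPLE))
    variant = flip_last_byte(SAMPLE)
    print("one-byte variant, same signatures:", match_signatures(variant))
    hidden = hide_string(SAMPLE, C2_URL)
    print("URL XOR-encoded, signatures left:", match_signatures(hidden))
```

Run as a script to see the three outcomes side by side: the one-byte variant changes every hash but still trips both string signatures, while encoding the URL alone removes it from the `strings` output and from the scanner's hits, which is why the slide calls signature evasion easy for the adversary.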
Analyzing executables
PE (Windows), ELF (Linux)
Tools for dumping linked libraries
– Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)
– Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
Function convention in Windows
– CreateWindowEx - “Ex” refers to new version
– CreateDirectoryW - “W” refers to wide character strings vs. ASCII
– See MSDN
Note: a short function list is an indication of a packed binary
Packing and obfuscation
Obfuscation
– Code whose execution is hidden by author
Packing
– Obfuscated code in which programs are compressed and encrypted to prevent static analysis (Figure 1-4)
– Prevents file signatures from working
• Example: UPX
– Code to unpack binaries is common, however
• Can be identified (PEiD)
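What PEView shows for the two slides above (the PE section table and build timestamp) and two cheap packing indicators, as an added example rather than anything from the slides, PEView or PEiD. PEiD matches byte signatures at the entry point; this script instead walks the PE headers with `struct` and flags UPX's section names and sections whose byte entropy looks compressed or encrypted. The two PE images are constructed in memory by `build_sample_pe` (headers only, not loadable), and the 7.0 bits/byte threshold is an assumption.

```python
import math
import struct

# Section names UPX writes; other packers use other names (not covered here).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> dict:
    """Walk the DOS header, PE signature, COFF file header and section table.
    Returns the build timestamp and each section's name with its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (machine, nsections, timestamp, _symtab, _nsyms,
     size_opt, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + size_opt
    sections = []
    for i in range(nsections):
        off = sec_table + 40 * i                      # one 40-byte IMAGE_SECTION_HEADER each
        (name, _vsize, _va, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, _flags) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0"), data[raw_ptr:raw_ptr + raw_size]))
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packing_indicators(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Heuristics (not PEiD's signature database): UPX section names and
    sections whose bytes look compressed or encrypted."""
    hits = []
    for name, raw in parse_pe(image)["sections"]:
        label = name.decode("ascii", "replace")
        if name in UPX_SECTION_NAMES:
            hits.append(f"section {label}: UPX section name")
        ent = shannon_entropy(raw)
        if ent > entropy_threshold:
            hits.append(f"section {label}: entropy {ent:.2f} exceeds {entropy_threshold}")
    return hits


def build_sample_pe(sections, timestamp=0x4F5E2A10) -> bytes:
    """Constructed test fixture: a header-only PE image (not loadable) with the
    given (name, raw bytes) sections, enough for parse_pe to read."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    header_len = e_lfanew + 4 + 20 + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF         # raw data starts 0x200-aligned
    raw_ptr, table, raw = first_raw, b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        raw_ptr += len(data)
    image = dos + b"PE\0\0" + coff + table
    return image.ljust(first_raw, b"\0") + raw


# Constructed images: a UPX-style layout (empty UPX0, dense UPX1) and a plain one.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", b""),
    (b"UPX1", bytes((i * 131 + 7) & 0xFF for i in range(4096))),  # uniform mix stands in for compressed code
    (b".rsrc", b"\x00" * 512 + b"Resource text " * 16),
])
CLEAN_SAMPLE = build_sample_pe([
    (b".text", b"\x55\x8b\xec" * 300 + b"\xc3"),    # repetitive, low-entropy "code"
    (b".data", b"Hello, world!\x00" * 40),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        info = parse_pe(image)
        print(label, "timestamp", hex(info["timestamp"]),
              "sections", [n for n, _ in info["sections"]])
        print("  indicators:", packing_indicators(image) or "none")
```

Point the same `parse_pe` and `packing_indicators` at a real file's bytes (`open(path, "rb").read()`) to get the section list PEView displays and a first opinion on packing; a short import list, as the slide notes, is the other cheap indicator, and the two together are what you would confirm with PEiD before reaching for UPX to unpack.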
File signature coverage
Astronomical growth in signatures
Coverage by a single tool is difficult
– Cloud-based anti-virus
– http://www.virustotal.com
Chapter 2: Malware Analysis on VMs
Chapter 3: Basic Dynamic Analysis
Malware and VMs
Most malware must be executed in order to analyze it
Requires a safe environment
VMware
– Host-only networking to monitor network traffic
– Snapshots and roll-back
– Record and replay execution
Sandboxes
Behavior isolation and coarse-grained tracking of malware execution
– File system activity
– Registry activity
– Network activity
– Examples: GFI Sandbox, Norman SandBox
Executing malware
Executable
– Directly launching or via debugger
Malicious DLLs
– rundll32.exe
Monitoring execution
Procmon
– www.sysinternals.com
– Combines FileMon and RegMon to track execution behavior
Process Explorer
– Free tool from Microsoft to verify running process against the disk executable image
– Useful for determining if malicious documents are launching new processes
Regshot
– Flag changes in registry
Monitoring execution
ApateDNS
– Free tool from Mandiant to see DNS requests from malware and modify replies
Netcat
– Useful for proxying and emulating connections to malware
Wireshark
– Packet capturing tool
INetSim
– Linux tool to simulate common Internet services
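The mechanism behind ApateDNS, seeing what names the sample resolves and answering every A query with an address the analyst controls, as an added example (not ApateDNS's own code and not from the slides). Both sides of the exchange are built in memory with `struct`: `build_query` produces what the sample's resolver would send, `DnsSinkhole.handle` logs the name and returns a spoofed response, and `parse_response` reads the reply back. The class name, the query name and the sinkhole address are assumptions for the example; in a lab the same `handle` would sit behind a UDP socket bound to port 53 on the host-only network.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """Hostname to DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            suffix, _ = decode_name(msg, pointer)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """What a resolver sends: header with RD set, one question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_query(msg: bytes):
    """Returns (txid, name, qtype, qclass, raw question bytes)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack_from(">HH", msg, off)
    return txid, name, qtype, qclass, msg[12:off + 4]


def parse_response(msg: bytes):
    """Returns (txid, flags, [(name, ip), ...]) for the A records in the answer."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    _qname, off = decode_name(msg, 12)
    off += 4                                           # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        aname, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append((aname, socket.inet_ntoa(rdata)))
    return txid, flags, answers


class DnsSinkhole:
    """Answers every A query with one analyst-chosen address and logs the name
    asked for, which is the behaviour the slide attributes to ApateDNS."""

    def __init__(self, answer_ip: str, ttl: int = 60):
        self.answer_ip = answer_ip
        self.ttl = ttl
        self.log = []                                  # names the sample resolved

    def handle(self, query: bytes) -> bytes:
        txid, name, qtype, _qclass, question = parse_query(query)
        self.log.append(name)
        if qtype != 1:                                 # only A records are spoofed
            return struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
        header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
        # Answer name is a pointer (0xC00C) back to the question name at offset 12.
        answer = (struct.pack(">HHHIH", 0xC00C, 1, 1, self.ttl, 4)
                  + socket.inet_aton(self.answer_ip))
        return header + question + answer


if __name__ == "__main__":
    sink = DnsSinkhole("127.0.0.1")
    reply = sink.handle(build_query(0x1234, "c2.example.test"))
    print("reply:", parse_response(reply))
    print("names requested:", sink.log)
```

Pointing the spoofed answer at a machine running INetSim or a Netcat listener is what turns a DNS lookup into the observable connection the next slide's msts.exe walk-through relies on.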
Tools in action
See p. 57 in text
msts.exe
– Contacts web site (the textbook's) – ApateDNS
– Creates new file (winhlp2.exe) – procmon
– Modifies registry to autorun – regshot
– Creates a mutex to ensure only a single execution – Process Explorer
– Contacts a server over port 443 (https), but does not speak SSL – INetSim
– Speaks a custom ASCII protocol – Wireshark
In-class exercises
Lab 1-1
– Show the results of virustotal.com
– In PEView, show the timestamps
– Show the list of imported system library calls. From these calls, what might this executable be doing?
– Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?
– Show where the malware is attempting to create its malicious file
Lab 1-2
– Show the results of virustotal.com
– In PEView, show the sections that contain the packed executable code
– Run UPX to unpack the code and load unpacked executable in PEView
– Show the functions imported from Wininet.dll. What might this executable be doing?
– Show the URL the malware connects to in memory
In-class exercises
Lab 3-2
– Find the functions this DLL exports (Figure 3-5L)
– Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?
– Use strings to reconstruct the URL being requested
– Set up Regshot and Process Explorer before running rundll32 to install this malware's service. Using Regshot, show whether or not the DLL installed its registry key.
Lab 3-4
– Copy binary to Desktop and run it. What happens?
– Examine the binary's strings using a tool of your choice to find the cmd.exe command used
– Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L