MALWARE ANALYSIS 101
Malware analysis and reverse engineering for newbies
-Saurabh Chaudhary (4w4r44)
WHAT WE ARE COVERING
- BASICS OF MALWARE AND TYPES
- NEED OF MALWARE ANALYSIS
- SAFE ANALYSIS ENVIRONMENT
- TYPES OF ANALYSIS
- TOOLS OF TRADE
- STATIC AND DYNAMIC ANALYSIS
- ARMORED MALWARE
- DEBUGGER
- SOFTWARE BREAKPOINTS AND HARDWARE BREAKPOINTS
- OPCODES AND TRACING
- MEMORY ANALYSIS
- ADDITIONAL RESOURCES
MALWARE
- “Malware refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.”
- Malware is the term for all software whose purpose is malicious in nature. There are many different types of malware; some of the common ones are viruses, worms, trojans, backdoors, rootkits, bots and spyware.
Types of Malware
- Viruses
- Worms
- Spyware
- Trojans
- Ransomware
- Bots
- Adware
- Rootkits, etc.
Why Analyze Malware
- To assess damage
- To discover indicators of compromise
- To determine the sophistication level of an intruder
- To identify a vulnerability
- To catch the “bad guy”®
- What did they steal?
- Who is targeting us and how good are they?
SAFE ANALYSIS ENVIRONMENT
- Do not run malware on the computer you are using
- Use virtualization
- Create disk images (snapshots) so you can roll back to the initial state
- VMware runs cool
- Perform analysis on a different OS than your malware's target
CREATING A SAFE ENVIRONMENT
- Do not allow malware to touch the real network
- Use the host-only networking feature of your virtualization platform
- Establish real services (DNS, web, etc.) on your host OS or other virtual machines
- Use netcat to create listening ports and interact with text-based clients
LIMITS OF VIRTUALIZATION
- Using a virtual machine helps, but…
- Set up the “victim” with no network or host-only networking
- Your virtualization software is not perfect
- Malicious code can detect that it is running in a virtual machine
- A 0-day worm that can exploit a listening service on your host OS will escape the sandbox, even if you are using host-only networking!
TYPES OF ANALYSIS
- STATIC ANALYSIS VS DYNAMIC ANALYSIS
- Static analysis: attempt to gather all possible evidence from the binary file without actually running it. The code is not executed; this is an autopsy or dissection of “dead” code.
- Dynamic analysis: run the file and observe its behavior. This is observing and controlling running (“live”) code.
- Generally a combination of static and dynamic analysis is used to get the answer.
STATIC ANALYSIS
- IT IS MUCH SAFER BECAUSE WE ARE NOT ACTUALLY RUNNING THE LIVE CODE
- AS THE FIRST STEP, FINGERPRINT THE FILE YOU ARE EXAMINING
- TOOLS OF TRADE – Md5Deep, PEiD, Hex Workshop, etc.
- WHEN YOU HAVE COMPLETED YOUR ANALYSIS, OR AT VARIOUS POINTS ALONG THE WAY, YOU SHOULD GO BACK AND CHECK THE MD5SUMS TO ENSURE THE VALUES HAVE NOT CHANGED!
SCANNING
- Always scan new malware with an up-to-date virus scanner.
- Someone else may have already discovered and documented the program you are investigating.
- If the code is not sensitive, consider submitting it to http://www.virustotal.com
PEiD
- PEiD is a free program that will tell you details about Windows executable files
- Identifies signatures associated with over 600 different “packers” and compilers
IDENTIFY STRINGS
- Sometimes things are easy: strings can make your life easy
- First look at the obvious – strings
- TOOLS OF TRADE - Strings, BinText, Hex Workshop, IDA Pro
- Knowledge of Unicode helps
STRINGS
- Be careful about drawing conclusions
- There is nothing stopping the attacker from planting strings meant to deceive the analyst
- However, strings are a good first step and can sometimes even provide attribution
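Added example, not the deck's code, showing what the Strings/BinText step produces: it extracts both ASCII and UTF-16LE strings (the Unicode form Windows binaries commonly carry, which is where the Unicode knowledge the slide mentions comes in) and buckets them for a first look. The sample blob, including the planted decoy string, is constructed.

```python
"""Pull printable ASCII and UTF-16LE strings out of a binary and bucket them for triage.

Added example, not code from the deck. It does what the Strings/BinText tools do,
including the UTF-16LE strings Windows binaries carry, then sorts the hits into the
buckets an analyst looks at first. The sample blob and its decoy string are constructed.
"""
import re
from typing import Dict, List, Tuple

MIN_LEN = 4  # same default minimum length as Sysinternals Strings

# Constructed sample: a fake header, a few ASCII strings, one UTF-16LE string,
# a too-short fragment, and a planted decoy message meant to mislead the analyst.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00CreateFileA\x00"
    + b"\x01\x02\x03\x04"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"http://example.invalid/update.php\x00"
    + b"ab\x00"
    + b"I am a harmless calculator\x00"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len characters."""
    # Printable ASCII (tab, space..tilde); UTF-16LE is the same characters, each followed by NUL.
    ascii_re = re.compile(rb"[\x09\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x09\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def triage(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Bucket strings by what they look like. Heuristic: a planted string lands in a bucket just as easily."""
    buckets: Dict[str, List[str]] = {"url": [], "registry": [], "library": [], "api": [], "other": []}
    for _, _, text in strings:
        low = text.lower()
        if low.startswith(("http://", "https://")):
            buckets["url"].append(text)
        elif low.startswith(("software\\", "hkey_", "system\\")):
            buckets["registry"].append(text)
        elif low.endswith(".dll"):
            buckets["library"].append(text)
        elif re.fullmatch(r"(?:[A-Z][a-z0-9]*){2,}[AW]?", text):  # CamelCase Win32 API name
            buckets["api"].append(text)
        else:
            buckets["other"].append(text)
    return buckets
```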
PE (PORTABLE EXECUTABLE)
Executable File Formats
- Windows: PE (Portable Executable)
- Linux: ELF (Executable and Linking Format)
- Useful Information: Imports, Exports, Metadata, Resources
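Added example, not code from the deck: a minimal walker over the PE headers that PEview and PEiD display (DOS header, NT headers, section table), with a few packing heuristics (section entropy, writable+executable sections, entry point outside a code section). It does not reproduce PEiD's signature matching; the two-section sample image and its UPX1 section name are constructed.

```python
"""Walk the headers of a PE file and flag crude signs of packing.

Added example, not code from the deck. It reads the DOS header, NT headers
and section table that PEview and PEiD display, then applies simple
heuristics. PEiD matches packer signatures; that database is not here.
"""
import math
import struct
from typing import Dict, List

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> Dict:
    """Return machine, timestamp, entry point, image base and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "flags": flags,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 2)})
    return {"machine": machine, "timestamp": timestamp, "entry": entry,
            "image_base": image_base, "sections": sections}


def packing_indicators(pe: Dict) -> List[str]:
    """Heuristics only: each hint is a reason to look closer, not proof of a packer."""
    hints = []
    for s in pe["sections"]:
        if s["entropy"] > 7.0:
            hints.append("%s: entropy %.2f (compressed or encrypted data?)" % (s["name"], s["entropy"]))
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            hints.append("%s: writable and executable" % s["name"])
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hints.append("%s: empty on disk, %d bytes in memory (unpack target?)" % (s["name"], s["vsize"]))
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"]) and not s["flags"] & IMAGE_SCN_CNT_CODE:
            hints.append("entry point 0x%x is in non-code section %s" % (pe["entry"], s["name"]))
    return hints


def build_sample_pe() -> bytes:
    """Constructed PE32 image: a normal .text plus a UPX-style RWX section holding the entry point."""
    text_code = b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 64   # repetitive stub, low entropy
    packed = bytes(range(256)) * 4                     # uniform byte distribution, entropy 8.0
    e_lfanew, opt_size, text_ptr, packed_ptr = 0x80, 224, 0x200, 0x400
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, opt_size, 0x0102)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, EntryPoint, BaseOfCode, BaseOfData, ImageBase
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, len(text_code), len(packed), 0,
                      0x2000, 0x1000, 0x2000, 0x400000).ljust(opt_size, b"\x00")
    text_hdr = struct.pack(SECTION_FMT, b".text", len(text_code), 0x1000, 0x200, text_ptr, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    upx_hdr = struct.pack(SECTION_FMT, b"UPX1", len(packed), 0x2000, len(packed), packed_ptr, 0, 0, 0, 0,
                          IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = (dos + b"PE\x00\x00" + coff + opt + text_hdr + upx_hdr).ljust(text_ptr, b"\x00")
    return headers + text_code.ljust(0x200, b"\x00") + packed
```

Running `packing_indicators(parse_pe(open(path, "rb").read()))` on a real sample gives the same kind of hints; a high-entropy last section that also holds the entry point is the classic packed-binary shape.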
Tools of The Trade
EVERY REVERSE ENGINEER SHOULD HAVE THESE IN THEIR BAG:
- Debugger - OllyDbg, WinDbg, Syser, IDA, Immunity
- Disassembler – IDA, Olly, Immunity, WinDbg
- System monitoring tools - Procmon, Process Hacker
- Misc tools - ExeInfo, HookAnalyser, Cuckoo Sandbox, GMER, RootRepeal, Wireshark, Volatility, HxD, ILSpy, JD-GUI, P32Dasm, CFF Explorer, WinPrefetchView, Autoruns
PEview
RESOURCE HACKER
DISASSEMBLY
- Automated disassemblers can take machine code and “reverse” it to a slightly higher level
- Many tools can disassemble x86 code: objdump, Python with libdisassemble, IDA Pro
- But IDA Pro is considered good for this
DYNAMIC ANALYSIS
- Now we are running the live code in a sophisticated environment
- Dynamic analysis is conducted by observing and manipulating malware as it runs
- A safe analytical environment is necessary
- As soon as you run an unknown piece of code on your system, nothing that’s writable can be trusted
MONITORING THE SYSTEM
- WHAT THINGS SHOULD BE MONITORED
  - Registry Activity
  - File Activity
  - Process Activity
  - Network Traffic
- TOOLS OF TRADE
  - SysInternals Process Monitor
  - Wireshark
PROCESS MONITOR
- Process Monitor is a SysInternals tool that records information about file system, registry, and process/thread activity
WIRESHARK
- Wireshark is a protocol analyzer that captures and decodes network traffic
- Wireshark is not aware of which process generates the traffic
- As with Process Monitor, the key is using filters to focus on what is relevant
- USE PROCESS MONITOR AND WIRESHARK TO QUICKLY REVEAL THE BEHAVIOR OF A MALICIOUS PROGRAM
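Added example, not from the deck: the kind of filtering the slide recommends, applied to a Process Monitor CSV export. It follows the sample's process tree through Process Create events and flags dropped files, Run-key persistence, VM-detection registry lookups and outbound connections. The seven event rows, sample.exe, its PIDs and the 203.0.113.10 address are constructed.

```python
"""Triage a Process Monitor CSV export by following the sample's process tree.

Added example, not code from the deck. Procmon's "Save as CSV" output has the
columns used here; the event rows are constructed for a hypothetical sample.exe
(PID 4120), and the remote address is from the 203.0.113.0/24 documentation
range. The rules are a starting filter, not a verdict.
"""
import csv
import io
from typing import Dict, List, Set, Tuple

PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012345 AM","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Local\Temp\svchosts.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:02:11.0020000 AM","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Local\Temp\svchosts.exe","SUCCESS","Offset: 0, Length: 61,440"
"10:02:11.0030000 AM","sample.exe","4120","Process Create","C:\Users\lab\AppData\Local\Temp\svchosts.exe","SUCCESS","PID: 4188, Command line: ""C:\Users\lab\AppData\Local\Temp\svchosts.exe"""
"10:02:11.0040000 AM","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\lab\AppData\Local\Temp\svchosts.exe"
"10:02:11.0050000 AM","sample.exe","4120","RegOpenKey","HKLM\SOFTWARE\VMware, Inc.\VMware Tools","NAME NOT FOUND","Desired Access: Read"
"10:02:12.0000000 AM","svchosts.exe","4188","TCP Connect","lab-vm:49712 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460"
"10:02:12.1000000 AM","explorer.exe","1532","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''.strip()

PERSIST_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\currentcontrolset\\services\\")
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu")


def load_events(text: str) -> List[Dict[str, str]]:
    """Parse the CSV text into one dict per event, keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(events: List[Dict[str, str]], root_pid: str) -> Set[str]:
    """PIDs of the sample and every descendant, following 'Process Create' rows in order."""
    pids = {root_pid}
    for ev in events:
        if ev["Operation"] == "Process Create" and ev["PID"] in pids:
            child = ev["Detail"].split("PID: ", 1)[1].split(",", 1)[0]
            pids.add(child.strip())
    return pids


def triage(events: List[Dict[str, str]], root_pid: str) -> List[Tuple[str, str, str]]:
    """(category, process, detail) findings for the sample's process tree, in event order."""
    pids = process_tree(events, root_pid)
    findings = []
    for ev in events:
        if ev["PID"] not in pids:
            continue
        op, path, low, detail = ev["Operation"], ev["Path"], ev["Path"].lower(), ev["Detail"]
        if op.startswith("Reg") and any(m in low for m in VM_MARKERS):
            findings.append(("vm-check", ev["Process Name"], path))  # a failed lookup still tells a story
        elif ev["Result"] != "SUCCESS":
            continue
        elif op == "RegSetValue" and any(k in low for k in PERSIST_KEYS):
            findings.append(("persistence", ev["Process Name"], path))
        elif op == "CreateFile" and "Generic Write" in detail and any(d in low for d in DROP_DIRS):
            findings.append(("dropped-file", ev["Process Name"], path))
        elif op == "Process Create":
            findings.append(("child-process", ev["Process Name"], path))
        elif op in ("TCP Connect", "UDP Send"):
            findings.append(("network", ev["Process Name"], path.split("->")[-1].strip()))
    return findings
```

The remote endpoint in the last finding is what you would then search for in the Wireshark capture (for example with the display filter `ip.addr == 203.0.113.10`), since Wireshark alone cannot tell you which process made the connection.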
ARMORED MALWARE
- Encryption
- Compression
- Obfuscation
- Anti-Patching
- CRC Checking
- Anti-Tracing
- SoftICE, ICEDump detection code
- Crashes the OS if they are found in memory
ARMOR FEATURES
- Anti-VMware
- Polymorphic/Self-Mutating
- Restrictive Dates
- Password Protected
- Configuration Files
- Anti-Unpacking
DEBUGGER
The debugger is your best friend for analyzing malware. Treat
There are 2 kinds of debuggers - kernel debuggers and usermode debuggers.
A kernel debugger operates at ring 0 - essentially the driver level - and has direct access to the kernel.
A usermode debugger is the opposite, having access only to the usermode space of the operating system. Most of the time this is enough, but not always. In the case of rootkits, or even super advanced protection schemes, it's preferable to step into a kernel mode debugger instead, as user mode would then become untrustworthy.
POWER of DEBUGGER
With a debugger you have total control over the program, and you should never forget that. If you see a function that looks juicy in IDA but see no plausible way to get there via xrefs, nothing is stopping you from jumping to it. Just modify the program's prolog to jmp 0xwherever. This works especially well if the function takes no arguments; otherwise expect funky output or an app crash.
Immunity Debugger
Opcodes
Opcodes are the hexadecimal representation of assembly instructions: the stuff you'll see if you were to view the executable in a hex editor. YARA rules match opcodes.
TRACING
A run trace is an excellent debugging technique that allows a reverse engineer to “trace” execution flow based on certain parameters. Rather than going sequentially through a program, one can define a baseline and track the flow of execution backwards by tracing where and how a program will run.
Jump2self
- One of those old-school tricks any assembly guru will tell you, in which you jump 2 bytes forward and the jump itself is 2 bytes. Jump to yourself: an infinite loop. In x86 asm, the opcodes are 0xEB 0xFE.
- From time to time I use this trick, for example when a new process of the same program is created and I want to continue execution before the app is run.
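Added example covering the Opcodes and Jump2self slides (not the deck's code): a small matcher for YARA-style hex strings (fixed bytes, `??` and nibble wildcards, `[n-m]` jumps) run over a constructed x86 byte sequence, plus a decoder for the short jump that shows why EB FE lands on itself: the rel8 displacement is -2, counted from the next instruction. Rule names and the sample bytes are made up.

```python
"""Match YARA-style hex patterns against opcode bytes and decode short jumps.

Added example for the Opcodes and Jump2self slides, not code from the deck.
The matcher accepts YARA hex-string syntax (fixed bytes, ?? and nibble
wildcards such as E?, and [n-m] jumps), which is how YARA matches opcodes.
decode_short_jmp shows why EB FE loops on itself. Rule names and the sample
byte sequence are constructed.
"""
import re
from typing import Dict, List

# Constructed x86 byte sequence with a few recognisable instructions.
CODE = bytes.fromhex(
    "55 8B EC"         # push ebp; mov ebp, esp         (offset 0)
    "6A 00"            # push 0                         (offset 3)
    "68 78 56 34 12"   # push 0x12345678                (offset 5)
    "E8 00 00 00 00"   # call next instruction          (offset 10)
    "EB FE"            # jmp $  : the jump2self trick   (offset 15)
    "90 90"            # nop; nop                       (offset 17)
    "EB 02"            # jmp over the next two bytes    (offset 19)
    "CC CC"            # int3; int3                     (offset 21)
    "C3"               # ret                            (offset 23)
)

# Constructed rules in YARA hex-string syntax.
RULES = {
    "jump2self": "{ EB FE }",
    "push_push_call": "{ 6A ?? 68 ?? ?? ?? ?? E8 }",
    "prologue_then_call": "{ 55 8B EC [2-8] E8 }",
    "any_short_jmp": "{ EB ?? }",
    "push_imm8_zero": "{ 6? 00 }",
}


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one YARA hex string into a compiled bytes regex."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):          # jump: [n] or [n-m]
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        elif "?" in tok:                                         # nibble wildcard: E? or ?B
            ok = [v for v in range(256)
                  if (tok[0] == "?" or v >> 4 == int(tok[0], 16))
                  and (tok[1] == "?" or v & 0xF == int(tok[1], 16))]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in ok) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, rules: Dict[str, str]) -> Dict[str, List[int]]:
    """Offsets at which each rule's hex pattern matches (non-overlapping, left to right)."""
    return {name: [m.start() for m in hex_pattern_to_regex(pat).finditer(data)]
            for name, pat in rules.items()}


def decode_short_jmp(code: bytes, off: int) -> int:
    """Target of the 2-byte 'jmp rel8' (EB xx) at off. rel8 is signed and counted
    from the *next* instruction, so EB FE means off + 2 + (-2) == off: a loop."""
    if code[off] != 0xEB:
        raise ValueError("no short jmp at offset %d" % off)
    rel8 = code[off + 1] - 256 if code[off + 1] >= 0x80 else code[off + 1]
    return off + 2 + rel8
```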
Patching
- Patching is the process of adding or removing assembly instructions in an exe without source code. It could be something as simple as changing a conditional jmp to always return true/false, or it could be something complex such as hollowing out a piece of memory, injecting entire functions within it and calling them.
- Patching can be done with a hex editor, a debugger, or even via the WriteProcessMemory API, which is how most video game trainers do it.
Memory Analysis
- HookAnalyser and Volatility are excellent memory analysis tools. HookAnalyser will do it live, but Volatility requires a memory dump and has to be done post-execution.
- Process Hacker allows you to dump a running process’s memory for inspection and allows for filtering and searching. The same can be done via your debugger, but this isn’t always feasible.
Where Do I Get Malware?
- http://www.offensivecomputing.net/
- IRC
- Reddit / 4chan / Tumblr
- me (joe@gironsec.com)
- Twitter #malwaremustdie
- AV companies
- http://syrianmalware.net
- Torrents / cracked software / gnutella network
- Spam email
Additional Resources
- https://code.google.com/p/corkami/
  ^^ An excellent resource for info on reversing
- http://www.woodmann.com/collaborative/tools/index.php/Category:RCE_Tools
  ^^ Huge resource for reverse engineering tools
- http://reddit.com/r/ReverseEngineering/
  ^^ Still better than /r/malware. Avoid /r/malware
- http://gironsec.com/blog/
  ^^ Shameless self promotion? No, I got plenty of good guides!


Editor's Notes
1. Nearly 360,000 new malware variants were detected each day in 2017, according to a security bulletin from Kaspersky Lab.