2. WHAT WE ARE COVERING
BASICS OF MALWARE AND TYPES
NEED OF MALWARE ANALYSIS
SAFE ANALYSIS ENVIRONMENT
TYPES OF ANALYSIS
TOOLS OF TRADE
STATIC AND DYNAMIC ANALYSIS
ARMORED MALWARE
DEBUGGER
SOFTWARE BREAKPOINTS AND HARDWARE BREAKPOINTS
OPCODES AND TRACING
MEMORY ANALYSIS
ADDITIONAL RESOURCES
3. MALWARE
“Malware refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.”
Malware is the term that represents all software whose purpose is malicious in nature. There are many different types of malware. Some of the common ones are viruses, worms, trojans, backdoors, rootkits, bots and spyware.
5. Why Analyze Malware
To assess damage
To discover indicators of compromise
To determine the sophistication level of an intruder
To identify a vulnerability
To catch the “bad guy”
What did they steal?
Who is targeting us and how good are they?
6. SAFE ANALYSIS ENVIRONMENT
Do not run malware on the computer you are using
Use virtualization
Create disk images so you can roll back to the initial state
VMware runs cool
Perform analysis on a different OS than your malware target
7. CREATING A SAFE ENVIRONMENT
Do not allow malware to touch the real network
Use the host-only networking feature of your virtualization platform
Establish real services (DNS, web, etc.) on your host OS or other virtual machines
Use netcat to create listening ports and interact with text-based clients
8. LIMITS OF VIRTUALIZATION
Using a virtual machine helps, but…
Set up the “victim” with no network or host-only networking
Your virtualization software is not perfect
Malicious code can detect that it is running in a virtual machine
A 0-day worm that can exploit a listening service on your host OS will escape the sandbox, even if you are using host-only networking!
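The listener slide 7 describes, as an added example that is not part of this deck: a small Python stand-in for the netcat trick that accepts connections on a port, logs whatever the client sends, and answers with a canned HTTP 200 so the sample keeps talking. For the demo it binds to 127.0.0.1 on a free port; in a lab you would bind it on the host-only interface at the ports the sample is seen contacting. The names here (SinkServer, demo, the /gate.php request) are mine, not from the deck.

```python
import socket
import socketserver
import threading

# Canned answer handed to every client, whatever it asked for. Constructed for
# this example; a fake service mimics just enough of the protocol to keep the
# sample talking.
CANNED_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: 2\r\nConnection: close\r\n\r\nOK")


class SinkHandler(socketserver.BaseRequestHandler):
    """Record what the client sends (up to the end of an HTTP header block), then reply."""

    def handle(self):
        self.request.settimeout(2.0)
        data = b""
        try:
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = self.request.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                      # non-HTTP client: keep whatever arrived
        self.server.captured.append((self.client_address[0], data))
        self.request.sendall(CANNED_REPLY)


class SinkServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, bind_addr):
        super().__init__(bind_addr, SinkHandler)
        self.captured = []            # (peer_ip, raw request bytes) per connection


def start_sink(host="127.0.0.1", port=0):
    """Start the listener on a background thread; port 0 picks a free port."""
    server = SinkServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def request_line(raw):
    """The first line of a captured request, e.g. 'GET /gate.php HTTP/1.1'."""
    return raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def demo():
    """Stand the sink up, play the client once (constructed request), return what it logged."""
    server, port = start_sink()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
            s.sendall(b"GET /gate.php?id=sample HTTP/1.1\r\nHost: c2.invalid\r\n\r\n")
            reply = s.recv(1024)
    finally:
        server.shutdown()
        server.server_close()
    return [request_line(raw) for _, raw in server.captured], reply.startswith(b"HTTP/1.1 200")


if __name__ == "__main__":
    print(demo())
```

Pair it with the host-only network: point the victim VM's DNS at the analysis host (or add static entries) so the sample's lookups resolve to this listener instead of the real internet. Everything that arrives is an indicator: the request path, the User-Agent, the host name it asked for.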
9. TYPES OF ANALYSIS
STATIC ANALYSIS VS DYNAMIC ANALYSIS
Static Analysis
Attempt to gather all possible evidence from the binary file without actually running it.
Code is not executed
Autopsy or dissection of “dead” code
Dynamic Analysis
Run the file and observe its behavior.
Observing and controlling running (“live”) code
Generally a combination of both static and dynamic analysis is used to get the answer.
10. STATIC ANALYSIS
IT IS WAY SAFER BECAUSE WE ARE NOT ACTUALLY RUNNING THE LIVE CODE
AS THE FIRST STEP, FINGERPRINT THE FILE YOU ARE EXAMINING
TOOLS OF TRADE – md5deep, PEiD, Hex Workshop etc.
WHEN YOU HAVE COMPLETED YOUR ANALYSIS, OR AT VARIOUS POINTS ALONG THE WAY, YOU SHOULD GO BACK AND CHECK THE MD5SUMS TO ENSURE THE VALUES HAVE NOT CHANGED!
11. SCANNING
Always scan new malware with an up-to-date virus scanner.
Someone else may have already discovered and documented the program you are investigating
If the code is not sensitive, consider submitting to http://www.virustotal.com
12. PEiD
PEiD is a free program that will tell you details about Windows executable files
Identifies signatures associated with over 600 different “packers” and compilers
13. IDENTIFY STRINGS
Sometimes things are easy: strings can make your life easy
First look at the obvious – strings
TOOLS OF TRADE - Strings, BinText, Hex Workshop, IDA Pro
Knowledge of Unicode would be better
14. STRINGS
Be careful about drawing conclusions
There is nothing stopping the attacker from planting strings meant to deceive the analyst
However, strings are a good first step and can sometimes even provide attribution
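A first-pass static triage, covering the fingerprinting step from slide 10 and the strings step from slides 13 and 14, as an added Python example that is not from the deck: hash the bytes, keep the fingerprint to re-check at later checkpoints, verify the DOS/PE signature, and pull out both ASCII and UTF-16LE strings, since Windows malware commonly keeps paths, registry keys and URLs in UTF-16 where an ASCII-only strings pass misses them. The SAMPLE bytes are constructed here, not a real file, and the function names are mine.

```python
import hashlib
import re
import struct

# Constructed stand-in for a file under examination (not a real sample): a DOS
# header whose e_lfanew (offset 0x3C) points at a "PE\0\0" signature, followed
# by binary noise, one ASCII string and one UTF-16LE string.
SAMPLE = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40))
SAMPLE += b"PE\x00\x00"
SAMPLE += b"\x01\x02\x03"
SAMPLE += b"http://example.invalid/gate.php\x00"
SAMPLE += b"\x90\x90"
SAMPLE += "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
SAMPLE += b"\x00\x00\x7f\x80\xff"
SAMPLE = bytes(SAMPLE)


def fingerprint(data):
    """Hashes of the bytes, the values md5deep/sha1deep/sha256deep would print."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def unchanged(data, baseline):
    """Re-hash at a checkpoint and compare with the fingerprint taken at the start."""
    return fingerprint(data) == baseline


def pe_signature_ok(data):
    """True if the DOS 'MZ' magic is present and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data, min_len=5):
    """Runs of printable ASCII, and of printable UTF-16LE (char, NUL pairs),
    the way Strings/BinText list them when Unicode scanning is on."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return found


def triage(data):
    """First-pass static report: hashes to keep, PE check, strings to read."""
    return {"hashes": fingerprint(data),
            "is_pe": pe_signature_ok(data),
            "strings": extract_strings(data)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, value in report["hashes"].items():
        print("%-6s %s" % (name, value))
    print("PE signature:", report["is_pe"])
    for kind, text in report["strings"]:
        print("%-5s %s" % (kind, text))
    # Later checkpoint: the file on disk must still match the first fingerprint.
    print("unchanged:", unchanged(SAMPLE, report["hashes"]))
```

Run the same fingerprint() over the file each time you come back to it; a changed digest means you have been working on something other than the original (an editor, a debugger patch, or the sample rewriting itself), and the hashes from the first run are also what you hand to VirusTotal or an AV vendor.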
20. DISASSEMBLY
Automated disassemblers can take machine code and “reverse” it to a slightly higher level
Many tools can disassemble x86 code: objdump, Python w/ libdisassemble, IDA Pro
But IDA Pro is considered good for this
21. DYNAMIC ANALYSIS
Now we are running the live code in a sophisticated environment
Dynamic analysis is conducted by observing and manipulating malware as it runs
A safe analytical environment is necessary
As soon as you run an unknown piece of code on your system, nothing that’s writable can be trusted
22. MONITORING THE SYSTEM
WHAT THINGS SHOULD BE MONITORED
Registry Activity
File Activity
Process Activity
Network Traffic
TOOLS OF TRADE -
SysInternals Process Monitor
Wireshark
23. PROCESS MONITOR
Process Monitor is a SysInternals tool that records information about file system, registry, and process/thread activity
24. WIRESHARK
Wireshark is a protocol analyzer that captures and decodes network traffic
Wireshark is not aware of which process generates the traffic
As with Process Monitor, the key is using filters to focus on what is relevant
USE PROCESS MONITOR AND WIRESHARK TO QUICKLY REVEAL THE BEHAVIOR OF A MALICIOUS PROGRAM
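Slides 22 to 24 say the key is filtering. Here is that idea as an added Python example, not from the deck: a few constructed lines in the layout of a Process Monitor CSV export (the column names are the ones I know Procmon writes; the events themselves are made up) run through a filter that keeps one process's events and tags the ones an analyst cares about: Run-key writes, files dropped into user-writable directories, child processes, and outbound connections. The tag names and regexes are mine.

```python
import csv
import io
import re

# Constructed lines in the layout of a Process Monitor CSV export. The column
# names are what Procmon writes; every event below is made up for this example.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","explorer.exe","1234","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:03.2000000","sample.exe","4321","CreateFile","C:\\Users\\analyst\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:03.3000000","sample.exe","4321","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.4000000","sample.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\\Users\\analyst\\AppData\\Roaming\\svchost.exe"
"10:01:03.5000000","sample.exe","4321","Process Create","C:\\Users\\analyst\\AppData\\Roaming\\svchost.exe","SUCCESS","PID: 5555, Command line: svchost.exe -k netsvcs"
"10:01:04.0000000","sample.exe","4321","TCP Connect","lab-victim:49201 -> 203.0.113.10:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:05.0000000","chrome.exe","2222","ReadFile","C:\\Program Files\\Google\\Chrome\\Application\\chrome.dll","SUCCESS","Offset: 0, Length: 4,096"
"""

# Filters: the same idea as Procmon's include filters, written in code.
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def classify(row):
    """Tag an interesting event, or return None for noise."""
    op, path = row["Operation"], row["Path"]
    if op == "RegSetValue" and RUN_KEYS.search(path):
        return "persistence"
    if op == "WriteFile" and USER_WRITABLE.search(path):
        return "dropped file"
    if op == "Process Create":
        return "child process"
    if op in NETWORK_OPS:
        return "network"
    return None


def triage(csv_text, process_name):
    """Keep only the sample's own events, and of those only the tagged ones."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        tag = classify(row)
        if tag:
            hits.append((row["Time of Day"], tag, row["Path"], row["Detail"]))
    return hits


def indicators(hits):
    """Candidate IOCs from the tagged events: dropped file paths and remote endpoints."""
    files = sorted({path for _, tag, path, _ in hits if tag == "dropped file"})
    endpoints = sorted({path.split("->")[-1].strip()
                        for _, tag, path, _ in hits if tag == "network"})
    return {"files": files, "endpoints": endpoints}


if __name__ == "__main__":
    events = triage(PROCMON_CSV, "sample.exe")
    for when, tag, path, detail in events:
        print("%s  %-13s %s  [%s]" % (when, tag, path, detail))
    print(indicators(events))
```

Because Procmon records the PID on its TCP Connect events, the endpoints it reports are what you then search for in the Wireshark capture, which, as the slide says, cannot name the process on its own.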
25. ARMORED MALWARE
ARMOR FEATURES
Encryption
Compression
Obfuscation
Anti-Patching
CRC Checking
Anti-Tracing: SoftICE/ICEDump detection code (crashes the OS if they are found in memory)
Anti-VMware
Polymorphic/Self-Mutating
Restrictive Dates
Password Protected Configuration Files
Anti-Unpacking
26. DEBUGGER
The debugger is your best friend for analyzing malware. Treat
There are 2 kinds of debuggers - kernel debuggers and usermode debuggers.
A kernel debugger operates at ring 0 - essentially the driver level - and has direct access to the kernel.
A usermode debugger is the opposite, having access only to the usermode space of the operating system. Most of the time this is enough, but not always. In the case of rootkits, or even super advanced protection schemes, it's preferable to step into a kernel mode debugger instead, as user mode would then become untrustworthy.
27. POWER of DEBUGGER
With a debugger you have total control over the program and you should never forget that. If you see a function that looks juicy in IDA, but see no plausible way to get there via xrefs, nothing is stopping you from jumping to it. Just modify the program's prolog to jmp 0xwherever. This works well, especially if the function takes no arguments; otherwise expect funky output or an app crash.
30. TRACING
A run trace is an excellent debugging technique that allows a reverse engineer to “trace” execution flow based on certain parameters. Rather than going sequentially through a program, one can define a base line, and track backwards the flow of execution by tracing where and how a program will run.
31. Jump2self
One of those old school tricks any assembly guru will tell you about: you jump 2 bytes forward and the jump itself is 2 bytes. Jump to yourself. An infinite loop. In x86 asm, the opcodes are 0xEB 0xFE.
From time to time I use this trick, for example when a new process is created of the same program and I want to continue execution before the app is run.
32. Patching
Patching is the process of adding or removing assembly instructions in an exe without source code. It could be something as simple as changing a conditional jmp to always return true/false, or it could be something complex such as hollowing out a piece of memory and injecting entire functions within and calling them.
Patching can be done with a hex editor, a debugger, or even via the WriteProcessMemory API, which is how most video game trainers do it.
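To tie slides 20, 31 and 32 together, an added Python example that is not from the deck: a toy linear-sweep decoder for a handful of x86 opcodes, a scan for the EB FE jump2self (a short jmp whose rel8 displacement is -2, measured from the next instruction, so it lands on its own first byte), and a patch helper that turns a short conditional jump into "always taken" (opcode EB) or "never taken" (two NOPs), the simplest case slide 32 mentions. The byte snippet is constructed, not from any real sample, and the decoder knows only the instructions that snippet uses; for real work use objdump or IDA.

```python
import struct

# One-byte instructions this toy decoder knows. 0xCC is the software breakpoint
# a debugger plants; 0x90 is the NOP that patches get padded with.
ONE_BYTE = {0x90: "nop", 0xC3: "ret", 0xCC: "int3", 0xC9: "leave",
            0x55: "push ebp", 0x5D: "pop ebp"}
JCC_SHORT = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}

# Constructed snippet (not from a real sample): call a check routine at 0x10,
# hang in a jump-to-self if it returns nonzero, otherwise return normally.
SNIPPET = bytes([
    0xE8, 0x0B, 0x00, 0x00, 0x00,   # 00: call 0x10
    0x3C, 0x00,                     # 05: cmp al, 0
    0x75, 0x02,                     # 07: jne 0x0b
    0x90,                           # 09: nop
    0xC3,                           # 0a: ret
    0xEB, 0xFE,                     # 0b: jmp 0x0b   (jump2self)
    0xCC,                           # 0d: int3
    0x90, 0x90,                     # 0e: padding
    0xB8, 0x01, 0x00, 0x00, 0x00,   # 10: mov eax, 1 (the "check" reports: detected)
    0xC3,                           # 15: ret
])


def decode(code, base=0):
    """Linear-sweep decode of a flat byte string into (addr, length, text) tuples."""
    out, ip = [], 0
    while ip < len(code):
        op, addr, left = code[ip], base + ip, len(code) - ip
        if op in ONE_BYTE:
            out.append((addr, 1, ONE_BYTE[op]))
            ip += 1
        elif (op == 0xEB or op in JCC_SHORT) and left >= 2:
            rel = struct.unpack_from("<b", code, ip + 1)[0]     # signed rel8 from next ip
            name = "jmp" if op == 0xEB else JCC_SHORT[op]
            out.append((addr, 2, "%s 0x%x" % (name, addr + 2 + rel)))
            ip += 2
        elif op == 0xE8 and left >= 5:
            rel = struct.unpack_from("<i", code, ip + 1)[0]     # signed rel32 from next ip
            out.append((addr, 5, "call 0x%x" % (addr + 5 + rel)))
            ip += 5
        elif op == 0x3C and left >= 2:
            out.append((addr, 2, "cmp al, 0x%x" % code[ip + 1]))
            ip += 2
        elif op == 0xB8 and left >= 5:
            imm = struct.unpack_from("<I", code, ip + 1)[0]
            out.append((addr, 5, "mov eax, 0x%x" % imm))
            ip += 5
        else:
            out.append((addr, 1, "db 0x%02x" % op))            # unknown: emit as data
            ip += 1
    return out


def jump_to_self(code, base=0):
    """Addresses of EB FE: a 2-byte short jmp whose target is its own address."""
    return [a for a, n, text in decode(code, base) if n == 2 and text == "jmp 0x%x" % a]


def force_branch(code, offset, taken):
    """Patch a short conditional jump: always taken (-> EB xx) or never taken (-> 90 90)."""
    if code[offset] not in JCC_SHORT:
        raise ValueError("no short conditional jump at 0x%x" % offset)
    patched = bytearray(code)
    patched[offset:offset + 2] = bytes([0xEB, code[offset + 1]]) if taken else b"\x90\x90"
    return bytes(patched)


if __name__ == "__main__":
    for addr, length, text in decode(SNIPPET):
        print("%04x  %-16s %s" % (addr, SNIPPET[addr:addr + length].hex(" "), text))
    print("jump2self at:", [hex(a) for a in jump_to_self(SNIPPET)])
    never = force_branch(SNIPPET, 0x07, taken=False)
    print("after patch:", [t for _, _, t in decode(never)][:5])
```

Re-fingerprint the file after patching: a changed MD5 is expected then, and slide 10's rule of re-checking the sums applies to the unpatched original you keep aside.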
34. Memory Analysis
HookAnalyzer and Volatility are excellent memory analysis tools. HookAnalyzer will do it live, but Volatility requires a memory dump and has to be done post execution.
Process Hacker allows you to dump a running process’s memory for inspection and allows for filtering and searching. The same can be done via your debugger, but this isn’t always feasible.
35. Where Do I Get Malware?
http://www.offensivecomputing.net/
IRC
Reddit / 4chan / Tumblr
me (joe@gironsec.com)
Twitter #malwaremustdie
AV companies
http://syrianmalware.net
Torrents / cracked software / gnutella network.
Spam email
36. Additional Resources
https://code.google.com/p/corkami/
^^ An excellent resource for info on reversing
http://www.woodmann.com/collaborative/tools/index.php/Category:RCE_Tools
^^ huge resource for reverse engineering tools
http://reddit.com/r/ReverseEngineering/
^^ Still better than /r/malware. Avoid /r/malware
http://gironsec.com/blog/
^^ shameless self promotion? No, I got plenty of good
guides!
Editor's Notes
Nearly 360,000 new malware variants were detected each day in 2017, according to a security bulletin from Kaspersky Lab