CS266 Software Reverse Engineering (SRE)
Identifying, Monitoring, and Reporting Malware
Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu
Department of Computer Science
San José State University
Spring 2015
The information in this presentation is taken from the thesis “Software reverse engineering education”
available at http://scholarworks.sjsu.edu/etd_theses/3734/ where all citations can be found.
What Qualifies as Malware?
• Malware describes a category of software that doesn’t always operate in a way that benefits the user.
• Of course, those of us who have ever used software might contend that this definition of malware will cause programs that we use every day to be categorized as malware.
• So let's qualify it a bit: the malicious or annoying behaviors of malware are intentional, not the result of one or more bugs.
Types of Malware
• There are several types of malware that affect computer systems [6] [7]:
    ◦ Viruses: require some deliberate action to help them spread.
    ◦ Worms: similar to viruses, but can spread by themselves over computer networks.
    ◦ Trojan Horses: perform hidden malicious or annoying operations.
    ◦ Backdoor: a vulnerability purposely embedded in software.
    ◦ Rabbit: a program that exhausts system resources.
    ◦ Ransomware: locks computer files; the victim has to pay to unlock them.
    ◦ Criminalware: steals sensitive information.
Prevalence of Malware Types
• Malware usually isn't of just one type; for example, 4 of the top 10 malicious code families reported in 2011 were viruses with a worm component.
• Using the machine code and bytecode reversing experience gained from the previous modules, one could attempt to reverse malware.
• Using virtualization tools such as VMware or VirtualBox to create secondary operating system images (guests) on which to analyze malware can still result in infection of the primary operating system (host).
• Great care should be taken to isolate guest OSes from their host OS:
    ◦ Networking, removable storage, clipboard usage, etc.
Safe & Practical Malware Reversing
• We want to become familiar with using tools to identify, monitor, and report software that might be malicious.
• Reversing malware directly is especially challenging because several anti-reversing techniques will have been applied to the code.
• Given that unexpected catastrophes can arise when installing a virus, worm, backdoor, etc. for academic purposes, we can still learn something from working with contrived or benign “malware”.
• In 1996, Mark Russinovich founded a company called “Winternals Software” where he was the chief software architect on a comprehensive suite of tools for diagnosing, debugging, and repairing Windows® systems and applications [9].
Windows Sysinternals
• Mark's company was purchased by Microsoft and the suite of tools has been rebranded as Windows Sysinternals, which is offered for free.
• Mark's story is an interesting one because he is recognized as an expert on the internals of Windows even though he did not participate in its development—a true testament to what can be learned about software through reversing.
• The Sysinternals suite contains 69 utilities, but we’ll focus on just one.
Sysinternals Process Monitor
• The Process Monitor can capture detailed information about a process in a Windows system including file system, registry, and network activity.
Figure: Process Monitor session for the Password Vault CPP application, showing its file system activity.
Figure: Process Monitor session for the Password Vault CPP application, showing its network activity.
Figure: Process Monitor session for the Password Vault CPP application, showing its registry activity.
Sysinternals Process Monitor (cont’d)
• Process Monitor itself does not detect or identify malware. It simply monitors and records what processes are doing.
• With a little bit of ingenuity, one can identify a software Trojan by looking for activities that don't seem to fit with the advertised functionality of a program.
• It's common practice to download free software from the Internet:
    ◦ Some believe that open-source software should have the fewest vulnerabilities. The more eyes the better, right?
• Becoming familiar with the Sysinternals suite can help you evaluate whether the software on your Windows machine is acting in your best interest.
Benign Malware Exercise
• The Alarm Clock application is a benign software Trojan that, in addition to being a rudimentary alarm clock, performs unadvertised functions on background threads:
    ◦ Logs information from the Windows® registry.
    ◦ Logs locations of “office” documents in the file system.
    ◦ Scans for computers that respond to an ICMP ping.
    ◦ Paced background threads are used.
Benign Malware Exercise (cont’d)
Figure: Background threads log information about the user’s system.
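As an added example (not code from the slides or the course), the triage below applies the idea from the Process Monitor slides to the Alarm Clock exercise: a Procmon CSV export is compared against what the program advertises, and any registry, document or network activity that the advertised feature set does not explain is reported. The column names follow Procmon's default CSV export; the rows, process name, paths and hosts are constructed, and because Procmon records TCP/UDP rather than ICMP events, the constructed host sweep uses TCP Connect rows as a stand-in for the ping scan.

```python
"""Triage a Process Monitor CSV export against a program's advertised behaviour.

Added example, not code from the slides or the course. It assumes Procmon's
default "Save as CSV" column set (Time of Day, Process Name, PID, Operation,
Path, Result, Detail). The capture below is constructed to mimic the deck's
Alarm Clock benign Trojan; Procmon records TCP/UDP rather than ICMP network
events, so the constructed host sweep uses TCP Connect rows as a stand-in.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample export (not a real capture); process, paths and hosts are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","AlarmClock.exe","4120","RegOpenKey","HKCU\Software\AlarmClock","SUCCESS","Desired Access: Read"
"10:01:02.20","AlarmClock.exe","4120","RegQueryValue","HKCU\Software\AlarmClock\AlarmTime","SUCCESS","Type: REG_SZ"
"10:01:02.50","AlarmClock.exe","4120","CreateFile","C:\Users\alice\AppData\Local\AlarmClock\settings.ini","SUCCESS","Desired Access: Generic Read"
"10:01:05.00","AlarmClock.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
"10:01:05.30","AlarmClock.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner","SUCCESS","Type: REG_SZ"
"10:01:08.00","AlarmClock.exe","4120","QueryDirectory","C:\Users\alice\Documents\*.docx","SUCCESS","0: budget.docx"
"10:01:08.40","AlarmClock.exe","4120","QueryDirectory","C:\Users\alice\Documents\*.xlsx","SUCCESS","0: salaries.xlsx"
"10:01:09.00","AlarmClock.exe","4120","CreateFile","C:\Users\alice\AppData\Local\AlarmClock\scan.log","SUCCESS","Desired Access: Generic Write"
"10:01:12.00","AlarmClock.exe","4120","TCP Connect","lab-vm:49200 -> 192.168.56.11:445","SUCCESS","Length: 0"
"10:01:13.00","AlarmClock.exe","4120","TCP Connect","lab-vm:49201 -> 192.168.56.12:445","SUCCESS","Length: 0"
"10:01:14.00","AlarmClock.exe","4120","TCP Connect","lab-vm:49202 -> 192.168.56.13:445","SUCCESS","Length: 0"
"10:01:15.00","explorer.exe","1288","CreateFile","C:\Users\alice\Documents\budget.docx","SUCCESS","Desired Access: Generic Read"
'''


@dataclass(frozen=True)
class Policy:
    """What the program advertises; recorded activity outside it is a finding."""
    process: str
    registry_prefixes: tuple   # registry keys the program legitimately touches
    file_prefixes: tuple       # directories the program legitimately touches
    network_expected: bool     # True if any advertised feature needs the network


@dataclass(frozen=True)
class Finding:
    time: str
    operation: str
    path: str
    reason: str


# Policy for the deck's Alarm Clock: its own settings only, no network use advertised.
ALARM_CLOCK = Policy(
    process="AlarmClock.exe",
    registry_prefixes=(r"HKCU\Software\AlarmClock",),
    file_prefixes=(r"C:\Users\alice\AppData\Local\AlarmClock",),
    network_expected=False,
)

REASON_REGISTRY = "registry access outside the program's own key"
REASON_DOCS = "enumerates user documents outside the program's own folder"
REASON_NETWORK = "network activity from a program that advertises none"

OFFICE_DOC = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)$", re.IGNORECASE)
NETWORK_OPS = ("TCP ", "UDP ")   # Procmon network operations start with the protocol


def _allowed(path, prefixes):
    """Case-insensitive prefix match, since Windows paths and registry keys are case-insensitive."""
    low = path.lower()
    return any(low.startswith(p.lower()) for p in prefixes)


def triage(csv_text, policy):
    """Return every recorded operation of policy.process that the policy does not explain."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != policy.process:
            continue  # only the program under review is judged against this policy
        op, path, when = row["Operation"], row["Path"], row["Time of Day"]
        if op.startswith("Reg") and not _allowed(path, policy.registry_prefixes):
            findings.append(Finding(when, op, path, REASON_REGISTRY))
        elif op.startswith(NETWORK_OPS) and not policy.network_expected:
            findings.append(Finding(when, op, path, REASON_NETWORK))
        elif (op in ("QueryDirectory", "CreateFile") and OFFICE_DOC.search(path)
              and not _allowed(path, policy.file_prefixes)):
            findings.append(Finding(when, op, path, REASON_DOCS))
    return findings


def summarize(findings):
    """Aggregate findings: counts per reason plus the distinct remote hosts contacted."""
    hosts = set()
    for f in findings:
        if f.reason == REASON_NETWORK:
            remote = f.path.split("->")[-1].strip()   # "host:port" on the right-hand side
            hosts.add(remote.rsplit(":", 1)[0])
    return {"by_reason": dict(Counter(f.reason for f in findings)),
            "remote_hosts": sorted(hosts)}


if __name__ == "__main__":
    found = triage(SAMPLE_CSV, ALARM_CLOCK)
    for f in found:
        print(f"{f.time} {f.operation:<14} {f.path}  <- {f.reason}")
    print(summarize(found))
```

Against the constructed capture the script reports the two HKLM reads, the two document enumerations and the three outbound connections, while the program's own key, settings file and log file pass; exporting a real session from Process Monitor with File > Save (CSV) gives input in the same shape.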
Is Open Source More Trustworthy?
• The data on the number of vulnerabilities found in the 5 most popular Internet browsers does not support the proposition that open source is more secure.
• Big 5: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari.
• Mozilla Firefox was affected by 270 new vulnerabilities in 2013, more than any other browser; 245 new vulnerabilities were found in Google Chrome, 126 in Internet Explorer, 75 in Apple Safari, 11 in Opera [Secunia].
• The two browsers containing the most open source code (Chrome is based on Chromium, Firefox on Mozilla) have the most vulnerabilities…
• Of course we need to temper this judgment with the observation that popular software is targeted more often.
Reporting Suspected Malware
• If you suspect a particular program to be malware, it can be submitted to online threat analysis services such as ThreatExpert or VirusTotal.
• ThreatExpert and VirusTotal are Web-based tools that support submission of suspicious executables or URLs to detect possible malware.
• Both services match against databases of existing malware; however, ThreatExpert itself also attempts to execute binaries in an isolated environment to perform heuristic detection of malware.
Figure: ThreatExpert submission page, http://www.threatexpert.com/submit.aspx
Figure: ThreatExpert report, http://www.threatexpert.com/report.aspx?md5=acdd4c2a377933d89139b5ee6eefc464, with the heuristic analysis components highlighted.
Figure: VirusTotal result: 44 out of 56 antiviruses detect this as malware.
Setting up a Lab for Analyzing Malware
• Each of you has been assigned your own VMware image (info on Canvas).
• The images are only accessible through VMware’s built-in VNC server.
• The images are on a virtual network and have no connectivity to the Internet or the host’s network. This is to prevent:
    ◦ infection of the host (primary OS), worms from spreading*,
    ◦ downloading of additional threats,
    ◦ transmission of sensitive data to hacker sites.
• Virtualized Network Isolation for a Malware Analysis Lab: https://zeltser.com/vmware-network-isolation-for-malware-analysis/
19
20
21

More Related Content

What's hot

Computer viruses
Computer virusesComputer viruses
Computer virusesImran Khan
 
Virus, Worms And Antivirus
Virus, Worms And AntivirusVirus, Worms And Antivirus
Virus, Worms And AntivirusLokesh Kumar N
 
Spyware And Anti Virus Software Presentation
Spyware And Anti Virus Software PresentationSpyware And Anti Virus Software Presentation
Spyware And Anti Virus Software Presentationamy.covington215944
 
What is a virus and anti virus
What is a virus and anti virusWhat is a virus and anti virus
What is a virus and anti virusLeonor Costa
 
Presentation2
Presentation2Presentation2
Presentation2Jeslynn
 
Spyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeSpyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeMangesh wadibhasme
 
Malwares and ways to detect and prevent them
Malwares and ways to detect and prevent themMalwares and ways to detect and prevent them
Malwares and ways to detect and prevent themkrunal gandhi
 
Rajul computer presentation
Rajul computer presentationRajul computer presentation
Rajul computer presentationNeetu Jain
 
Computer virus
Computer virusComputer virus
Computer virusDark Side
 
Computer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon ChakrabortyComputer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon Chakrabortysankhadeep
 
10 Worst Computer Viruses of all time
10 Worst Computer Viruses of all time10 Worst Computer Viruses of all time
10 Worst Computer Viruses of all timeAlefyaM
 
Computer virus and anti virus presentation
Computer virus and anti virus presentationComputer virus and anti virus presentation
Computer virus and anti virus presentationSardar Kaukaz
 

What's hot (20)

Computer viruses
Computer virusesComputer viruses
Computer viruses
 
DEFINING A SPYWARE
DEFINING A SPYWAREDEFINING A SPYWARE
DEFINING A SPYWARE
 
Malware
MalwareMalware
Malware
 
Virus
VirusVirus
Virus
 
Anti virus
Anti virusAnti virus
Anti virus
 
Spyware Adware
Spyware AdwareSpyware Adware
Spyware Adware
 
Virus, Worms And Antivirus
Virus, Worms And AntivirusVirus, Worms And Antivirus
Virus, Worms And Antivirus
 
Spyware And Anti Virus Software Presentation
Spyware And Anti Virus Software PresentationSpyware And Anti Virus Software Presentation
Spyware And Anti Virus Software Presentation
 
What is a virus and anti virus
What is a virus and anti virusWhat is a virus and anti virus
What is a virus and anti virus
 
Presentation2
Presentation2Presentation2
Presentation2
 
Virus and worms
Virus and wormsVirus and worms
Virus and worms
 
Spyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeSpyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasme
 
Malwares and ways to detect and prevent them
Malwares and ways to detect and prevent themMalwares and ways to detect and prevent them
Malwares and ways to detect and prevent them
 
Rajul computer presentation
Rajul computer presentationRajul computer presentation
Rajul computer presentation
 
Computer virus
Computer virusComputer virus
Computer virus
 
Computer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon ChakrabortyComputer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon Chakraborty
 
Computer virus
Computer virusComputer virus
Computer virus
 
10 Worst Computer Viruses of all time
10 Worst Computer Viruses of all time10 Worst Computer Viruses of all time
10 Worst Computer Viruses of all time
 
Avoiding email viruses
Avoiding email virusesAvoiding email viruses
Avoiding email viruses
 
Computer virus and anti virus presentation
Computer virus and anti virus presentationComputer virus and anti virus presentation
Computer virus and anti virus presentation
 

Viewers also liked

Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorAsanka Dilruk
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java BytecodeTeodoro Cipresso
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeTeodoro Cipresso
 
Why z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsWhy z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsTeodoro Cipresso
 
Make Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EEMake Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EETeodoro Cipresso
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Teodoro Cipresso
 
Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareTeodoro Cipresso
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringTeodoro Cipresso
 

Viewers also liked (10)

Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array Processor
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java Bytecode
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine Code
 
Why z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsWhy z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIs
 
Make Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EEMake Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EE
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
 
Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy Software
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse Engineering
 
Array Processor
Array ProcessorArray Processor
Array Processor
 
CO Module 5
CO Module 5CO Module 5
CO Module 5
 

Similar to Identifying, Monitoring, and Reporting Malware

(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Common Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementCommon Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementMuhammad FAHAD
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksDiane M. Metcalf
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types  !Type of Malware and its different analysis and its types  !
Type of Malware and its different analysis and its types !Mohammed Jaseem Tp
 
Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Satria Ady Pradana
 
Survey on Malware Detection Techniques
Survey on Malware Detection TechniquesSurvey on Malware Detection Techniques
Survey on Malware Detection TechniquesEditor IJMTER
 
Computer Virus ppt.pptx
Computer Virus ppt.pptxComputer Virus ppt.pptx
Computer Virus ppt.pptxPragatiKachhi1
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptCHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptManjuAppukuttan2
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & preventionPriSim
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityLumension
 

Similar to Identifying, Monitoring, and Reporting Malware (20)

Module 5.pdf
Module 5.pdfModule 5.pdf
Module 5.pdf
 
Module 5.Malware
Module 5.MalwareModule 5.Malware
Module 5.Malware
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
IT viruses
 IT viruses IT viruses
IT viruses
 
Common Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementCommon Malware Types Vulnerability Management
Common Malware Types Vulnerability Management
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise Networks
 
virus
virusvirus
virus
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types  !Type of Malware and its different analysis and its types  !
Type of Malware and its different analysis and its types !
 
Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)
 
Survey on Malware Detection Techniques
Survey on Malware Detection TechniquesSurvey on Malware Detection Techniques
Survey on Malware Detection Techniques
 
Antivirus
AntivirusAntivirus
Antivirus
 
antivirus.pptx
antivirus.pptxantivirus.pptx
antivirus.pptx
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer Virus ppt.pptx
Computer Virus ppt.pptxComputer Virus ppt.pptx
Computer Virus ppt.pptx
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptCHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day Reality
 
Malware
MalwareMalware
Malware
 
Malware
MalwareMalware
Malware
 

Recently uploaded

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 

Recently uploaded (20)

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 

Identifying, Monitoring, and Reporting Malware

  • 1. CS266 Software Reverse Engineering (SRE) Identifying, Monitoring, and Reporting Malware Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015 The information in this presentation is taken from the thesis “Software reverse engineering education” available at http://scholarworks.sjsu.edu/etd_theses/3734/ where all citations can be found.
  • 2. 2 Identifying, Monitoring, and Reporting Malware What Qualifies as Malware?  Malware describes a category of software that doesn’t always operate in a way that benefits the user.  Of course, those of us who have ever used software might contend that this definition of malware will cause programs that we use every day to be categorized as malware.  So let's qualify it a bit: the malicious or annoying behaviors of malware are intentional, not the result of one or more bugs.
  • 3. 3 Identifying, Monitoring, and Reporting Malware Types of Malware  There are several types of malware that affect computer systems [6] [7]:  Viruses: require some deliberate action to help them spread.  Worms: similar to a virus but can spread by itself over computer networks.  Trojan Horses: performs hidden malicious or annoying operations.  Backdoor: a vulnerability purposely embedded in software.  Rabbit: a program that exhausts system resources.  Ransomware: lock computer files, victim has to pay to unlock.  Criminalware: Steal sensitive information.
  • 4. 4 Identifying, Monitoring, and Reporting Malware Prevalence of Malware Types  Malware usually isn't of just one type; for example, 4 of the top 10 malicious codes families reported in 2011 were Viruses with a Worm component.  Using the machine code and bytecode reversing experiences gained from the previous modules, one could attempt to reverse malware.  Using virtualization tools such as VMWare or Virtual Box to create secondary operating system images (Guests) on which to analyze malware can still result in infection of the primary operating system (Host).  Great care should be taken to isolate guest OSes from their host OS.  Networking, removeable storage, clipboard usage, etc…
  • 5. 5
  • 6. 6 Identifying, Monitoring, and Reporting Malware Safe & Practical Malware Reversing  We want to become familiar with using tools to identify, monitor, and report software that might be malicious.  Reversing malware directly is especially challenging because several anti- reversing techniques will have been applied to the code.  Given that unexpected catastrophes can arise when installing a virus, worm, backdoor, etc… for academic purposes; we could still learn something from working with contrived or benign “malware”.  In 1996, Mark Russinovich founded a company called “Winternals Software” where he was the chief software architect on a comprehensive suite of tools for diagnosing, debugging, and repairing Windows® systems and applications [9].
• 7. Windows Sysinternals
 Mark's company was purchased by Microsoft, and the suite of tools has been rebranded as Windows Sysinternals; the tools are offered for free.
 Mark's story is an interesting one because he is recognized as an expert on the internals of Windows even though he did not participate in its development, a true testament to what can be learned about software through reversing.
 The Sysinternals suite contains 69 utilities, but we'll focus on just one.
• 8. Sysinternals Process Monitor
 Process Monitor can capture detailed information about every process in a Windows system, including file system, registry, and network activity.
 [Screenshot: Process Monitor session for the Password Vault CPP application, showing file system activity]
• 9. Sysinternals Process Monitor (cont'd)
 [Screenshot: Process Monitor session for the Password Vault CPP application, showing network activity]
• 10. Sysinternals Process Monitor (cont'd)
 [Screenshot: Process Monitor session for the Password Vault CPP application, showing registry activity]
• 11. Sysinternals Process Monitor (cont'd)
 Process Monitor itself does not detect or identify malware. It simply monitors and records what processes are doing.
 With a little ingenuity, one can identify a software Trojan by looking for activity that doesn't fit the advertised functionality of a program.
 It's common practice to download free software from the Internet:
 Some believe that open-source software should have the fewest vulnerabilities. The more eyes the better, right?
 Becoming familiar with the Sysinternals suite can help you evaluate whether the software on your Windows machine is acting in your best interest.
• 12. Benign Malware Exercise
 The Alarm Clock application is a benign software Trojan that, in addition to being a rudimentary alarm clock, performs unadvertised functions on background threads:
 Logs information from the Windows® registry.
 Logs the locations of "office" documents in the file system.
 Scans for computers that respond to an ICMP ping.
 The background threads are paced (throttled with delays between operations) rather than running flat out.
• 13. Benign Malware Exercise (cont'd)
 [Screenshot: background threads log information about the user's system]
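Slide 11 says the way to spot a Trojan in Process Monitor is to look for activity that does not fit the program's advertised function, and slide 12 describes exactly that mismatch in the Alarm Clock exercise. The same reasoning can be scripted over a Process Monitor CSV export (File > Save... > CSV). The following Python script is an added example, not part of the original deck or the course's Alarm Clock code; the rows in SAMPLE_CSV are constructed to resemble what Process Monitor logs for the exercise, and OWN_KEY and OWN_DIR are assumed locations for the alarm clock's own settings and install directory. One caveat: Process Monitor's network events are TCP and UDP, so the exercise's ICMP sweep is better confirmed with a packet capture inside the guest; the constructed rows use TCP connects to stand in for the host scan.

```python
"""Triage a Process Monitor CSV export: flag activity that does not fit a
program's advertised purpose (here, an alarm clock that should only touch
its own settings key and install directory)."""
import csv
import io
import re
from collections import Counter

# Constructed sample in the column layout Process Monitor writes with
# File > Save... > CSV. Every row is invented for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","AlarmClock.exe","4120","RegOpenKey","HKCU\\Software\\AlarmClock","SUCCESS","Desired Access: Read"
"10:01:02.2","AlarmClock.exe","4120","RegQueryValue","HKCU\\Software\\AlarmClock\\WakeTime","SUCCESS","Type: REG_SZ, Data: 06:30"
"10:01:03.0","AlarmClock.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:03.1","AlarmClock.exe","4120","RegEnumKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","SUCCESS","Index: 0"
"10:01:04.0","AlarmClock.exe","4120","QueryDirectory","C:\\Users\\ted\\Documents","SUCCESS","Filter: *.docx, 1: thesis.docx"
"10:01:04.1","AlarmClock.exe","4120","QueryDirectory","C:\\Users\\ted\\Documents","SUCCESS","Filter: *.xlsx, 1: grades.xlsx"
"10:01:04.5","AlarmClock.exe","4120","WriteFile","C:\\Users\\ted\\AppData\\Local\\Temp\\ac_log.txt","SUCCESS","Offset: 0, Length: 512"
"10:01:05.0","AlarmClock.exe","4120","TCP Connect","ted-pc:49875 -> 192.168.10.7:445","SUCCESS","Length: 0"
"10:01:05.1","AlarmClock.exe","4120","TCP Connect","ted-pc:49876 -> 192.168.10.8:445","SUCCESS","Length: 0"
"10:01:06.0","explorer.exe","1888","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 4096"
"""

# What a rudimentary alarm clock legitimately needs (assumed for the example).
OWN_KEY = "HKCU\\Software\\AlarmClock"
OWN_DIR = "C:\\Program Files\\AlarmClock"
OFFICE_DOC = re.compile(r"\.(docx?|xlsx?|pptx?)\b", re.IGNORECASE)


def classify(operation, path, detail, own_key=OWN_KEY, own_dir=OWN_DIR):
    """Return a finding category for one event, or None if it looks benign."""
    if operation.startswith("Reg"):
        # Reading its own settings key is fine; anything else is reconnaissance.
        if path.lower().startswith(own_key.lower()):
            return None
        return "registry read outside own key"
    if operation == "QueryDirectory":
        # Process Monitor puts the search pattern in Detail ("Filter: *.docx").
        if OFFICE_DOC.search(path + " " + detail):
            return "enumerates office documents"
        return None
    if operation == "WriteFile":
        if path.lower().startswith(own_dir.lower()):
            return None
        return "writes file outside install directory"
    if operation.startswith(("TCP ", "UDP ")):
        # An alarm clock has no reason to talk to other hosts at all.
        return "network activity"
    return None


def triage(csv_text, process_name):
    """Return (time, category, path) for every suspicious event of one process."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        category = classify(row["Operation"], row["Path"], row["Detail"])
        if category:
            findings.append((row["Time of Day"], category, row["Path"]))
    return findings


def summarize(findings):
    """Count findings per category; a Trojan tends to light up several at once."""
    return dict(Counter(category for _, category, _ in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_CSV, "AlarmClock.exe")
    for time, category, path in hits:
        print(f"{time}  {category:<38} {path}")
    print(summarize(hits))
```

Run it against a real export by reading the CSV file into `triage` and adjusting OWN_KEY and OWN_DIR to the program under test; the point is the allow-list of expected behaviour, everything outside it is what you investigate.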
• 14. Is Open Source More Trustworthy?
 The data on the number of vulnerabilities found in the 5 most popular Internet browsers does not support the proposition that open source is more secure.
 Big 5: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari.
 Mozilla Firefox was affected by 270 new vulnerabilities in 2013, more than any other browser; 245 new vulnerabilities were found in Google Chrome, 126 in Internet Explorer, 75 in Apple Safari and 11 in Opera [Secunia].
 The two browsers containing the most open source code (Chrome, built on the Chromium project, and Firefox, Mozilla's open-source browser) have the most vulnerabilities…
 Of course we need to temper this judgement with the observation that popular software is targeted more often, and that a published vulnerability count measures how many flaws were found and reported, not how many exist.
• 15. Reporting Suspected Malware
 If you suspect a particular program of being malware, it can be submitted to an online threat analysis service such as ThreatExpert or VirusTotal.
 ThreatExpert and VirusTotal are Web-based tools that accept submissions of suspicious executables or URLs and report whether they look like malware.
 Both services match against databases of known malware (VirusTotal by running the sample through many antivirus engines); ThreatExpert additionally executes the binary in an isolated environment and reports its behaviour heuristically.
• 17. [Screenshot of a scan report: 44 out of 56 antivirus engines detect this file as malware]
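Added example, not from the deck: how a "44 out of 56" figure comes out of a VirusTotal API v3 file report, together with the hash-first habit that belongs with slide 15. Compute the file's SHA-256 locally and query `/api/v3/files/{hash}` before uploading anything, because uploading shares the sample with every participating vendor, which matters when the suspect binary embeds your own or a customer's data. SAMPLE_REPORT is a constructed excerpt of the response shape; the rule that the denominator counts only engines that returned a verdict (excluding type-unsupported and timeouts) is my reading of how the score is displayed and should be checked against the current documentation.

```python
"""Read a VirusTotal API v3 file report into the 'N out of M engines' score
and prepare a hash lookup, so a sample is only uploaded when nobody has
seen it before."""
import hashlib
import json

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

# Constructed excerpt of a GET /api/v3/files/{sha256} response. Only the
# fields used below are included; counts and engine names are invented.
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {
                "malicious": 44, "suspicious": 0, "undetected": 12, "harmless": 0,
                "timeout": 1, "type-unsupported": 5, "confirmed-timeout": 0, "failure": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "malicious", "result": "Win32/Agent"},
                "EngineC": {"category": "undetected", "result": None},
            },
        },
    }
})


def sha256_hex(data: bytes) -> str:
    """Hash the file locally; the hash is what you look up first."""
    return hashlib.sha256(data).hexdigest()


def lookup_url(sha256: str) -> str:
    """Report URL for an already-known file (the API key goes in the x-apikey header)."""
    return VT_FILES_ENDPOINT + sha256


def detection_ratio(report_json: str):
    """Return (detections, engines) as shown on the report page.

    Assumption: detections are the engines that said 'malicious', and the
    denominator counts engines that returned a verdict (malicious, suspicious,
    undetected, harmless), not those that timed out or do not scan this type.
    """
    stats = json.loads(report_json)["data"]["attributes"]["last_analysis_stats"]
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return stats.get("malicious", 0), engines


def detection_names(report_json: str):
    """Sorted (engine, verdict) pairs for engines that flagged the file; the
    verdict strings are the starting point for naming the family."""
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    return sorted((engine, r["result"]) for engine, r in results.items()
                  if r.get("category") == "malicious")


if __name__ == "__main__":
    sample = b"MZ\x90\x00" + b"constructed bytes, not a real executable"
    print("look up first:", lookup_url(sha256_hex(sample)))
    hits, total = detection_ratio(SAMPLE_REPORT)
    print(f"{hits} out of {total} engines detect this as malware")
    for engine, verdict in detection_names(SAMPLE_REPORT):
        print(f"  {engine}: {verdict}")
```

If the hash lookup returns a 404 the file is unknown to the service, and only then do you decide whether uploading it is acceptable for that sample.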
• 18. Setting up a Lab for Analyzing Malware
 Each of you has been assigned your own VMware image (info on Canvas).
 The images are only accessible through VMware's built-in VNC server.
 The images are on a virtual network and have no connectivity to the Internet or the host's network. This is to prevent:
 infection of the host (primary OS) and worms from spreading*,
 downloading of additional threats,
 transmission of sensitive data to hacker sites.
 Virtualized Network Isolation for a Malware Analysis Lab: https://zeltser.com/vmware-network-isolation-for-malware-analysis/
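Slide 4 lists the guest-host channels that have to be closed (networking, removable storage, clipboard) and slide 18 describes the isolated lab that results. As an added example, not from the deck, the script below audits a VMware .vmx file for those channels (adapter connection mode, USB pass-through, shared folders, clipboard and drag-and-drop) and emits a hardened copy. SAMPLE_VMX is constructed; the keys are the ones VMware Workstation writes (ethernet0.connectionType, usb.present, sharedFolder0.present, the isolation.tools.*.disable family), but treat any setting your version does not recognize as an assumption to verify before relying on it.

```python
"""Audit a VMware .vmx file for guest-to-host channels that a malware
analysis VM should not have, and produce a hardened copy."""

# Constructed .vmx excerpt of a freshly created VM: every channel left open.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "CS266-malware-lab-07"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.addressType = "generated"
usb.present = "TRUE"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\ted\\samples"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.dnd.disable = "FALSE"
isolation.tools.hgfs.disable = "FALSE"
"""

# Settings that must be TRUE to close clipboard, drag-and-drop and HGFS.
ISOLATION_KEYS = (
    "isolation.tools.copy.disable",   # guest -> host clipboard
    "isolation.tools.paste.disable",  # host -> guest clipboard
    "isolation.tools.dnd.disable",    # drag and drop of files
    "isolation.tools.hgfs.disable",   # shared-folder file system
)


def parse_vmx(text):
    """Parse the flat key = "value" format into a dict (comments and blanks skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def is_nic_mode(key):
    return key.startswith("ethernet") and key.endswith(".connectionType")


def audit(cfg):
    """Return (severity, message) findings; an empty list means isolated."""
    findings = []
    for key, value in cfg.items():
        if is_nic_mode(key):
            mode = value.lower()
            if mode in ("nat", "bridged"):
                findings.append(("FAIL", f"{key} = {value}: guest can reach the host's network and the Internet"))
            elif mode == "custom":
                findings.append(("WARN", f"{key} = {value}: check that the chosen VMnet has no NAT or bridge"))
        elif key.startswith("sharedFolder") and key.endswith(".present") and value.upper() == "TRUE":
            findings.append(("FAIL", f"{key} = TRUE: a host directory is mounted inside the guest"))
    if cfg.get("usb.present", "FALSE").upper() == "TRUE":
        findings.append(("FAIL", "usb.present = TRUE: removable storage can be passed into the guest"))
    for key in ISOLATION_KEYS:
        if cfg.get(key, "FALSE").upper() != "TRUE":
            findings.append(("FAIL", f"{key} is not TRUE: guest-host channel left open"))
    return findings


def harden(cfg):
    """Return a copy with every audited channel closed."""
    out = dict(cfg)
    for key in out:
        if is_nic_mode(key):
            out[key] = "hostonly"
        elif key.startswith("sharedFolder") and key.endswith(".present"):
            out[key] = "FALSE"
    out["usb.present"] = "FALSE"
    for key in ISOLATION_KEYS:
        out[key] = "TRUE"
    return out


def render_vmx(cfg):
    """Serialize back to .vmx syntax (write this over the file with the VM powered off)."""
    return "".join(f'{key} = "{value}"\n' for key, value in cfg.items())


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    for severity, message in audit(cfg):
        print(severity, message)
    print(render_vmx(harden(cfg)))
```

Even "hostonly" leaves the host's own VMnet adapter reachable from the guest, which is why the deck's lab puts the images on a virtual network with no host adapter at all; the Zeltser article linked above covers that VMware-specific setup.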