Homework tar file – Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary


Homework tar file

Download your course tarball from web page

– Named using your PSU ID

– Chapter labeled for each binary


Part 1: Basic Analysis

Chapter 1: Basic Static Techniques

Chapter 2: Malware Analysis in Virtual Machines

Chapter 3: Basic Dynamic Analysis


Chapter 1: Basic Static Techniques


Scanning

Statically analyze payload to determine its maliciousness

– Recall Aitel 2011 USENIX Security talk


File signatures

Common code or data used across malware instances

– e.g. embedded URL strings, decryptor code

Signatures

– Hashing (e.g. MD5, SHA)

– Strings search on metadata, errors, constants

– Polymorphism and metamorphism easy for an adversary to deploy


Analyzing executables

PE (Windows), ELF (Linux)

Tools for dumping linked libraries

– Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)

– Dependency Walker, PEView, PEBrowse, PE Explorer, ldd

Function convention in Windows

– CreateWindowEx - the “Ex” suffix marks the extended (newer) version of an API

– CreateDirectoryW - the “W” suffix marks the wide-character (Unicode) string version, as opposed to the “A” (ASCII) version

– See MSDN

Note: a short list of imported functions is an indication of a packed binary


Packing and obfuscation

Obfuscation

– Code whose execution is hidden by the author

Packing

– Obfuscated code in which the program is compressed and encrypted to prevent static analysis (Figure 1-4)

– Prevents file signatures from working

• Example: UPX

– Code to unpack binaries is common, however

• Can be identified (PEiD)
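A small triage script, added here as an example (it is not from the slides or the textbook), that performs the static checks from the last three slides: file hashes, ASCII and wide (UTF-16LE, the "W" API convention) string extraction, and a walk of the PE section table that flags UPX's section names as a packing indicator. The PE image, its URL and its strings are constructed inline for the demo and are not a real binary.

```python
import hashlib
import re
import struct

# Constructed sample: a minimal PE-shaped image (not a real executable) whose
# section table carries UPX0/UPX1 names and whose data holds one ASCII and one
# wide string. Only the headers the parser below reads are populated.
def build_sample_pe(section_names, payload):
    opt_size = 224                                        # PE32 optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew at offset 0x3c
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections + payload

SAMPLE = build_sample_pe(
    [b"UPX0", b"UPX1", b".rsrc"],
    b"\0\0http://malware.example/beacon\0\0" + "kernel32.dll".encode("utf-16-le") + b"\0\0",
)

def hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def strings(data, min_len=6):
    """Printable ASCII runs, plus UTF-16LE runs that an ASCII-only search misses."""
    ascii_hits = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_hits = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_hits, wide_hits

def section_names(data):
    """Read the section table via e_lfanew -> COFF header -> past the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]

def triage(data):
    ascii_hits, wide_hits = strings(data)
    names = section_names(data)
    report = {**hashes(data), "sections": names, "ascii": ascii_hits, "wide": wide_hits}
    report["upx_packed"] = any(n.startswith("UPX") for n in names)  # section names are only a hint
    return report
```

The UPX check is a heuristic, since a packer can rename its sections; the sparse import table described on the previous slide is the other signal to look for.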


File signature coverage

Astronomical growth in signatures

Coverage by a single tool is difficult

– Cloud-based anti-virus

– http://www.virustotal.com

Chapter 2: Malware Analysis on VMs

Chapter 3: Basic Dynamic Analysis

Malware and VMs

Most malware must be executed in order to analyze it

Requires a safe environment

VMware

– Host-only networking to monitor network traffic

– Snapshots and roll-back

– Record and replay execution


Sandboxes

Behavior isolation and coarse-grained tracking of malware execution

– File system activity

– Registry activity

– Network activity

– Examples: GFI Sandbox, Norman SandBox

Executing malware

Executable

– Directly launching or via debugger

Malicious DLLs

– rundll32.exe

Monitoring execution

Procmon

– www.sysinternals.com

– Combines FileMon and RegMon to track execution behavior

Process explorer

– Free tool from Microsoft to verify a running process against its on-disk executable image

– Useful for determining if malicious documents are launching new processes

Regshot

– Flag changes in registry

Monitoring execution

ApateDNS

– Free tool from Mandiant to see DNS requests from malware and modify replies

Netcat

– Useful for proxying and emulating connections to malware

Wireshark

– Packet capturing tool

INetSim

– Linux tool to simulate common Internet services
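An ApateDNS-style DNS sinkhole, added here as an example (not ApateDNS's own code): it parses the question section of a DNS query, logs the name the sample is looking up, and answers every A query with the analysis host's address so the traffic can be captured locally. The sample query and the names in it are constructed for the demo.

```python
import socket
import struct

def parse_question(packet):
    """Return (transaction id, qname, qtype, end offset) for the first question."""
    tid, flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query with a question section")
    labels, pos = [], 12                       # question starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack_from("!H", packet, pos)[0]
    return tid, ".".join(labels), qtype, pos + 4   # +4 skips QTYPE and QCLASS

def build_response(query, answer_ip, ttl=60):
    """Echo the question back; attach a fake A record only for A queries."""
    tid, _name, qtype, qend = parse_question(query)
    question = query[12:qend]
    if qtype != 1:                                  # other types: answer with no records
        return struct.pack("!HHHHHH", tid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr                   # 0xC00C points back at the qname

def build_query(name, tid=0x1234, qtype=1):
    """Constructed sample query, shaped like a resolver's standard lookup."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def serve(listen=("127.0.0.1", 5353), answer_ip="127.0.0.1"):
    """Lab-only UDP loop: log each lookup and steer it to the analysis host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(listen)
        while True:
            data, peer = s.recvfrom(512)
            try:
                _, name, qtype, _ = parse_question(data)
            except ValueError:
                continue                             # ignore malformed or non-query packets
            print(f"{peer[0]} asked for {name} (qtype {qtype})")
            s.sendto(build_response(data, answer_ip), peer)
```

Point the analysis VM's DNS at the host running serve() and pair it with a listener such as Netcat or INetSim on the answer address to see what the sample sends next.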

Tools in action

See p. 57 in text

msts.exe

– Contacts web site (the textbook's) – ApateDNS

– Creates new file (winhlp2.exe) – procmon

– Modifies registry to autorun – regshot

– Creates a mutex to ensure only a single instance runs – Process Explorer

– Contacts a server over port 443 (https), but does not speak SSL – INetSim

– Speaks a custom ASCII protocol – Wireshark

In-class exercises

Lab 1-1

– Show the results of virustotal.com

– In PEView, show the timestamps

– Show the list of imported system library calls. From these calls, what might this executable be doing?

– Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?

– Show where the malware is attempting to create its malicious file

Lab 1-2

– Show the results of virustotal.com

– In PEView, show the sections that contain the packed executable code

– Run UPX to unpack the code and load the unpacked executable in PEView

– Show the functions imported from Wininet.dll. What might this executable be doing?

– Show the URL the malware connects to in memory

In-class exercises

Lab 3-2

– Find the functions this DLL exports (Figure 3-5L)

– Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?

– Use strings to reconstruct the URL being requested

– Set up Regshot and Process Explorer before running rundll32 to install this malware's service. Using Regshot, show whether or not the DLL installed its registry key.

Lab 3-4

– Copy binary to Desktop and run it. What happens?

– Examine the binary's strings using a tool of your choice to find the cmd.exe command used

– Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L