Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter...
Homework tar file
Download your course tarball from web page
– Named using your PSU ID
– Chapter labeled for each binary
Part 1: Basic Analysis
Chapter 1: Basic Static Techniques
Chapter 2: Malware Analysis in Virtual Machines
Chapter 3: Basic Dynamic Analysis
Chapter 1: Basic Static Techniques
Scanning
Statically analyze payload to determine its maliciousness
– Recall Aitel 2011 USENIX Security talk
File signatures
Common code or data used across malware instances
– e.g. embedded URL strings, decryptor code
Signatures
– Hashing (e.g. MD5, SHA)
– Strings search on metadata, errors, constants
– Polymorphism and metamorphism easy for an adversary to deploy
Analyzing executables
PE (Windows), ELF (Linux)
Tools for dumping linked libraries
– Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)
– Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
Function convention in Windows
– CreateWindowEx - “Ex” refers to new version
– CreateDirectoryW - “W” refers to wide character strings vs. ASCII
– See MSDN
Note: a short function list is an indication of a packed binary
Packing and obfuscation
Obfuscation
– Code whose execution is hidden by author
Packing
– Obfuscated code in which programs are compressed and encrypted to prevent static analysis (Figure 1-4)
– Prevents file signatures from working
• Example: UPX
– Code to unpack binaries is common, however
• Can be identified (PEiD)
File signature coverage
Astronomical growth in signatures
Coverage by a single tool is difficult
– Cloud-based anti-virus
– http://www.virustotal.com
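As an added illustration of the static techniques on these slides (hashing, strings search, reading the PE section table, and the UPX / entropy hints for a packed binary), not code from the textbook or the course: a small Python script that fingerprints a PE file and flags likely packing. The PE image it analyses is constructed inline so the script runs offline; its URL is a placeholder, and the entropy threshold of 7.0 is an assumed cut-off.

```python
import hashlib
import math
import re
import struct
from collections import Counter

def file_hashes(data: bytes) -> dict:
    """Hash signatures (MD5 / SHA-256) that a scanner or VirusTotal matches on."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def printable_strings(data: bytes, min_len: int = 5) -> list:
    """Strings search: printable ASCII runs such as URLs, paths and error text."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def pe_sections(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table (what PEView shows)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1  # e_lfanew
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "raw_size": rsize, "entropy": round(entropy(data[rptr:rptr + rsize]), 2)})
    return out

def packer_hints(sections: list) -> list:
    """Slide heuristics: UPX section names, or near-8.0 section entropy, suggest packing."""
    upx = [f"{s['name']}: UPX section name" for s in sections if s["name"].upper().startswith("UPX")]
    dense = [f"{s['name']}: high entropy ({s['entropy']})" for s in sections if s["raw_size"] and s["entropy"] > 7.0]
    return upx + dense

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (not a real program): two UPX-named sections, the second holding high-entropy bytes plus one placeholder URL."""
    payload = bytes(range(256)) * 2 + b"http://update.example.invalid/check.php\0"
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)        # i386, 2 sections, no optional header
    raw_start = 0x40 + 4 + 20 + 2 * 40                                 # first byte after the section table
    secs = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    secs += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, len(payload), raw_start, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + secs + payload
```

On a real sample, `pe_sections(open(path, "rb").read())` followed by `packer_hints` gives the same two signals the slides say PEiD looks for; confirm by unpacking with UPX and re-checking the import list.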
Chapter 2: Malware Analysis on VMs
Chapter 3: Basic Dynamic Analysis
Malware and VMs
Most malware must be executed in order to analyze it
Requires a safe environment
VMware
– Host-only networking to monitor network traffic
– Snapshots and roll-back
– Record and replay execution
Sandboxes
Behavior isolation and coarse-grained tracking of malware execution
– File system activity
– Registry activity
– Network activity
– Examples: GFI Sandbox, Norman SandBox
Executing malware
Executable
– Directly launching or via debugger
Malicious DLLs
– rundll32.exe
Monitoring execution
Procmon
– www.sysinternals.com
– Combines FileMon and RegMon to track execution behavior
Process Explorer
– Free tool from Microsoft to verify running process against the disk executable image
– Useful for determining if malicious documents are launching new processes
Regshot
– Flag changes in registry
Monitoring execution
ApateDNS
– Free tool from Mandiant to see DNS requests from malware and modify replies
Netcat
– Useful for proxying and emulating connections to malware
Wireshark
– Packet capturing tool
INetSim
– Linux tool to simulate common Internet services
Tools in action
See p. 57 in text
msts.exe
– Contacts web site (the textbook's) – ApateDNS
– Creates new file (winhlp2.exe) – procmon
– Modifies registry to autorun – regshot
– Creates a mutex to ensure only a single execution – Process Explorer
– Contacts a server over port 443 (https), but does not speak SSL – INetSim
– Speaks a custom ASCII protocol – Wireshark
In-class exercises
Lab 1-1
– Show the results of virustotal.com
– In PEView, show the timestamps
– Show the list of imported system library calls. From these calls, what might this executable be doing?
– Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?
– Show where the malware is attempting to create its malicious file
Lab 1-2
– Show the results of virustotal.com
– In PEView, show the sections that contain the packed executable code
– Run UPX to unpack the code and load unpacked executable in PEView
– Show the functions imported from Wininet.dll. What might this executable be doing?
– Show the URL the malware connects to in memory
In-class exercises
Lab 3-2
– Find the functions this DLL exports (Figure 3-5L)
– Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?
– Use strings to reconstruct the URL being requested
– Set up Regshot and Process Explorer before running rundll32 to install this malware's service. Using Regshot, show whether or not the DLL installed its registry key.
Lab 3-4
– Copy binary to Desktop and run it. What happens?
– Examine the binary's strings using a tool of your choice to find the cmd.exe command used
– Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L