· 7 years ago · Jan 16, 2019, 06:40 PM
malware analysis is a baffling field
it's come a long way in the last 15 years
this class will not use real malware

4 types of analysis:
basic static analysis
 where you analyze a sample without running it and without looking at the code
 looks at readable strings and hash values, and sends the sample up to AV
basic dynamic analysis
 where you run the malware and let it infect a VM
 then measure what happens to the VM
advanced static analysis
 where you print out all the assembly and try to read it
 most difficult
advanced dynamic analysis
 run the sample in a debugger so you can modify how it runs and set breakpoints
 very easy and used a lot


goals of malware analysis

incident response
case history
-a medical clinic with 10 offices found malware on one of their workstations
-hired a consultant to clean and reimage that machine
case closed?
no
you have no clue how the infection pivoted or what it could have already stolen

after malware is found you need to know:
 did an attacker implant a rootkit or trojan in your systems?
 is the attacker really gone?
 what did the attacker steal or add?
 how did the attacker get in?

nobody knows how much it costs to fix a breach

malware analysis
dissecting malware to understand
-how it works
-how to identify it
-how to defeat or eliminate it
a critical part of incident response

you don't want to spend forever analysing it, so you need to limit your goals
you will always be confronted with tons of info of immense complexity
you will never figure out most of it
the attackers are actively working against you
so if something isn't working or is confusing, give up on that part and move on
nothing will ever be 100%

you don't want to know everything about the malware
you just want to know what it did, how to get it off the machines, and how to reverse what it did

signatures
host based signature
 identify files or registry keys on a victim computer that indicate an infection
 focus on what the malware did to the system, not the malware itself
 -different from AV signatures
network signatures
 detect malware by analyzing network traffic
 more effective when made using malware analysis

false positives
"secret proprietary network forensics tool"
found 200 windows viruses on a linux DNS server
a total false positive
many malware detection tools will have lots of false positives

static vs dynamic
static analysis
 examines malware without running it
 tools: virustotal, strings (or bintext), a disassembler like IDA Pro
dynamic analysis
 run the malware in a VM
 monitor its effects
 tools: regshot, process monitor, process explorer, wireshark
 ram analysis: volatility

advanced
advanced static analysis
 reverse engineering with a disassembler
 complex, requires understanding assembly code in depth
advanced dynamic analysis
 run code in a debugger
 examines the internal state of a running malicious exe

types of malware
backdoor
 allows the attacker to control the system
botnet
 all infected computers receive instructions from the same command and control server
downloader
 malicious code that exists only to download other malicious code
 used when the attacker first gains access
 also called a stager
info stealing malware
 sniffers, keyloggers, password hash grabbers
launcher
 malicious program used to launch other malicious programs
 often uses nontraditional techniques to ensure stealth or greater access to the system
rootkit
 malware that conceals the existence of other code
 usually paired with a backdoor
scareware
 scares the user into sending money
spam sending malware
 attacker rents the machines to spammers
worms or viruses
 malicious code that can copy itself and infect additional computers

mass vs targeted malware
mass malware
 intended to infect as many machines as possible
 most common
targeted malware
 tailored to a specific target
 very difficult to detect, prevent, and remove
 requires advanced analysis
 ex: stuxnet


general rules for malware analysis
don't get caught in the details
 you don't need to understand 100% of the code
 just focus on key features
try several tools
 if one tool fails, try another
 don't get stuck on a hard issue, just move along
malware authors are constantly raising the bar


QUIZZES
he forgot to put them up...moving on


BASIC STATIC ANALYSIS

TECHNIQUES
AV scanning
hashes
a file's strings, functions, and headers

AV SCANNING
malware can easily change its signature to fool AV
virustotal is convenient but using it may alert attackers that they've been caught
do not send it up if you're afraid you're being targeted
this can alert the attacker

HASHING: fingerprints of malware
MD5 or SHA-1
condenses a file of any size down to a fixed length fingerprint
uniquely identifies a file well in practice
-there are md5 collisions but they're very uncommon
-collision: two different files with the same hash
it's possible to make a malicious file with the same hash as a valid file but it's very hard

HashCalc
a windows tool that calculates hashes

HASH USES
labels the malware file
share the hash with other analysts to identify the malware
search the hash online to see if someone else has already identified the file

STRINGS
any sequence of printable characters is a string
strings are terminated by a null character
ascii characters are 8 bits long (now called ANSI)
unicode characters are 16 bits long
 microsoft calls them "wide characters"
BinText is a mcafee tool that can see unicode

the word BAD in ascii
42 41 44 00
in Unicode
42 00 41 00 44 00 00 00

the strings command
a linux command to find strings in files
when run:
 bold items can be ignored
 getLayout and setLayout are Windows functions
 GDI32.DLL is a DLL

BinText is the preferred tool
does ascii or unicode

PACKED AND OBFUSCATED FILES
packing files
the code is compressed like a zip file
this makes the strings and instructions unreadable
all you'll see is the wrapper: a small piece of code that unpacks the file when it's run
there are many kinds of packers

detecting packers with PEiD
it guesses what language a file is written in and recognizes some packers
PEiD could accidentally run the malware

malware can sometimes escape from the VM and infect the host
spectre and meltdown do that
it can also be done by finding defects in the vm software


PORTABLE EXECUTABLE FILE FORMAT

PE files
used by windows executable files, object code, and dlls
a data structure that contains the info necessary for windows to load a file
almost every file executed on windows is in PE format

PE header
information about the code
type of application
required library functions
space requirements

LordPE
one of many programs that can examine a file's sections
sections:
 text (contains executable code)
 data
 resource
 relocation
there can be many more sections
but we don't need to worry about those as much right now


QUIZZES
still not ready



LINKED LIBRARIES AND FUNCTIONS

IMPORTS
functions used by a program that are stored in a different program, such as a library
connected to the main exe by linking
can be linked 3 ways
-statically
-at runtime
-dynamically

static linking:
 imports the library and adds it into the code
 standard in most of linux
 every time a new program is run it copies the library over to that program

dynamic linking:
 dlls use dynamic linking
 when a program needs an import it loads the dll into memory
 then if another program needs the same library it attaches to the copy already loaded in ram
 this means not all the code the program runs is contained in the program itself
 the number one way malware works is to trick windows into loading your library or to inject into loaded libraries
 that's called DLL injection

RUNTIME LINKING
unpopular in friendly programs
common in malware, especially packed or obfuscated malware
connects to libraries only when needed, not when the program starts
most commonly done with the LoadLibrary and GetProcAddress functions

DYNAMIC LINKING
most common method
the host OS searches for the necessary libraries when the program is loaded

CLUES IN LIBRARIES
the PE header lists every library and function that will be loaded
their names can reveal what the program does
URLDownloadToFile indicates that the program downloads something
most API calls are clear like this

DEPENDENCY WALKER
a program that shows the dynamically linked functions
normal programs usually have lots of dlls
malware often has very few dlls

imports and exports in dependency walker
these are the actual functions being used
you don't get the exact call with its arguments, but you do get the names of the functions

common dlls
kernel32.dll
 very common dll that contains core functionality such as access to and manipulation of memory, files, and hardware
advapi32.dll
 provides access to advanced core windows components such as the service manager and registry
user32.dll
 this dll contains all of the user-interface components such as buttons, scroll bars, and components for controlling and responding to user actions
gdi32.dll
 contains functions for displaying and manipulating graphics
Ntdll.dll
 the interface to the windows kernel
 exes generally do not import this file directly but it's always imported indirectly by kernel32
 if an exe imports this file it means that the author intended to use functionality not normally available to win programs
 some tasks such as hiding functionality or manipulating processes will use this interface
WSock32.dll and ws2_32.dll
 networking dlls
 programs that access these most likely connect to a network or perform network related tasks
wininet.dll
 this dll contains higher level networking functions such as ftp, http, and ntp

microsoft has lots of hidden functions that you're not supposed to use
many programs cheat like this
microsoft tries to hide these api calls but they usually leak out

EXPORTS
dlls export functions
exes import functions
both exports and imports are listed in the PE header
you can use PEview to see imports and exports

EXAMPLE: keylogger
imports user32.dll and uses the function SetWindowsHookEx, which is a popular way that keyloggers receive keyboard input
it exports LowLevelKeyboardProc and LowLevelMouseProc to send data elsewhere
it uses RegisterHotKey to define a special keystroke like ctrl+shift+p to harvest the collected data

EX: a packed program
has very few functions
all you can see it importing are the unpacker's functions


IMPORTANT PE SECTIONS
.text has instructions for the cpu to execute
.rdata has imports and exports
.data has global data
.rsrc has strings, icons, images, and menus

TIME DATE STAMP
you can use timestamps to guess what country files were compiled in and which files were compiled together
shows when the PE was compiled
older programs are more likely to be known to AV software
but sometimes the date can be wrong
-all Delphi programs show june 19th 1992
-the date can also be faked

IMAGE_SECTION_HEADER
this has the virtual size in ram and the raw size on disk
a normal program's .text section is usually a similar size on disk as in ram
packed exes show a virtual size much larger than the raw size for .text

RESOURCE HACKER
lets you browse the .rsrc section
strings, icons, and menus

QUIZZES
still not prepared




DEMONSTRATING PROJECTS
it's important you have the exact vm as he does, his already has lots of things preconfigured on it
he's using win 2008
(lol watch me not do that)

open lab1.exe in peview
under image_nt_headers>image_file_headers you can see the time date stamp
under section .rdata>import address table you can see all the functions used by the program

really look at these imports
you can see it's looking through the file system and manipulating the file system

next open it in PEiD
this will help you figure out which language it was written in
it says it's written in Microsoft Visual C++ 6.0
now if you click to expand .text it shows the virtual size and raw size
they're pretty much the same, so it probably wasn't packed

now use bintext to look at strings
you can tell windows API calls because they have capitalized words and no spaces
like CreateFileMappingA or FindFirstFileA
you can also find dlls and other functions like malloc
you can also find fake dll names sometimes
like for instance there's a string called kerne132.dll (not kernel32.dll)
this means when it's run it'll probably create a fake dll called that
so when you run it you can look for that file
you can also find urls that it connects to
you can also find registry keys

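To make the ascii/wide encoding from the STRINGS section and the bintext triage above concrete, here is an added example (my own code, not the class's and not BinText's) that pulls both kinds of strings out of a byte buffer and tags the ones an analyst looks for. COMMON_DLLS, the tag names, the thresholds and the SAMPLE buffer are all constructed for this example.

```python
import re

# DLL names from the notes' "common dlls" list, used to spot look-alike names.
COMMON_DLLS = {"kernel32.dll", "advapi32.dll", "user32.dll", "gdi32.dll",
               "ntdll.dll", "wsock32.dll", "ws2_32.dll", "wininet.dll", "msvcrt.dll"}

def extract_strings(data, min_len=4):
    """Return (kind, offset, text) for every ASCII and UTF-16LE ('wide') run.

    ASCII: a run of printable bytes 0x20-0x7e. Wide: printable byte, NUL byte,
    repeated, which is how Windows stores "BAD" as 42 00 41 00 44 00.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [("unicode", m.start(), m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found, key=lambda t: t[1])

def classify(text):
    """Tag a string the way an analyst reading BinText output would (heuristic)."""
    low = text.lower()
    if low.endswith(".dll"):
        # kerne132.dll: a '1' standing in for 'l'. Map 1->l and 0->o and re-check.
        fixed = low.replace("1", "l").replace("0", "o")
        if low not in COMMON_DLLS and fixed in COMMON_DLLS:
            return "lookalike-dll"
        return "dll"
    if re.match(r"https?://", low):
        return "url"
    if re.match(r"(hklm|hkcu|hkey_[a-z_]+)\\", low):
        return "registry"
    if re.fullmatch(r"(?:[A-Z][a-z0-9]+){2,}[AW]?", text):
        return "api"   # capitalized words, no spaces: CreateFileMappingA
    return "other"

def report(data, min_len=4):
    """[(kind, text, tag)] for every string found, in file order."""
    return [(kind, text, classify(text))
            for kind, _, text in extract_strings(data, min_len)]

# Constructed sample buffer (not a real binary): a stub header, two API names,
# a look-alike DLL, a C runtime function, a URL, and a wide registry path.
SAMPLE = (b"MZ\x90\x00" + b"CreateFileMappingA\x00" + b"FindFirstFileA\x00"
          + b"kerne132.dll\x00" + b"malloc\x00"
          + b"http://example.invalid/c2\x00\x00"
          + "HKLM\\Software\\Evil".encode("utf-16-le") + b"\x00\x00")
```

Run `report(open(path, "rb").read())` on a real sample to get the same kind of list BinText shows, with the look-alike DLL and registry strings already flagged.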
379
380now use dependancy walker to see what functions come from which dlls and what dlls those dlls use
381lab01 uses 2 libraries
382kernel32.dll and msvcrt.dll
383if you expand them you can see that each library calls more libraries
384now if you click on the library youll be able to see the exact functions it uses from each library
385you can see in msvcrt it calls _stricmp
386this is a function that compares strings
387
388generally malware checks to see if a box has already been infected with it before running
389this helps you out because you can see what its looking for then check those areas
390
391now lets look at the dll used by the exe in DepWalker
392you can see its using WS2_32.dll which is a low level networking library
393the fact that its using a low level network interface instead of a high level one is suspicious
394this can be used to hide data and make it look like normal traffic
395like encrypting your data and sending it as a url path in https traffic
396
397
UNPACKING
if you look at lab01_02 there are only a few strings in bintext
that's a sign that the exe is packed
all you're seeing in the strings is the unpacker

you can also use PEiD to see that it's packed
it can't find the language it was written in
also where it's supposed to say .text it says UPX1
this is a fingerprint of the UPX packer

you can use the upx unpacker to unpack it
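Added example (my own code, not the class's and not PEview's or PEiD's) that reads the same TimeDateStamp and IMAGE_SECTION_HEADER fields PEview shows and applies the two packer tells from these notes: UPX section names, and a virtual size far above the raw size. build_pe, the ratio threshold and the two header images are constructed fixtures; the Delphi date comes from the TIME DATE STAMP section.

```python
import struct
from datetime import datetime, timezone

FILE_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (compile time as a UTC datetime, list of section dicts)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    off = e_lfanew + 4
    _machine, nsec, stamp, _, _, opt_size, _ = FILE_HDR.unpack_from(data, off)
    off += FILE_HDR.size + opt_size     # section table follows the optional header
    sections = []
    for _ in range(nsec):
        name, vsize, _va, rawsize, *_ = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
        off += SECTION_HDR.size
    return datetime.fromtimestamp(stamp, timezone.utc), sections

def packer_hints(sections, ratio=4):
    """The two packer tells from the notes: UPX section names, and a virtual
    size much larger than the raw size (ratio is a constructed threshold)."""
    hints = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hints.append(f"{s['name']}: UPX section name")
        if s["virtual_size"] > ratio * max(s["raw_size"], 1):
            hints.append(f"{s['name']}: virtual size {s['virtual_size']:#x} >> raw size {s['raw_size']:#x}")
    return hints

def build_pe(stamp, sections):
    """Constructed fixture: PE headers only, not a loadable program.
    sections is [(name, virtual_size, raw_size)]; SizeOfOptionalHeader is 0."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew at 0x3C -> 64
    pe = b"PE\0\0" + FILE_HDR.pack(0x14C, len(sections), stamp, 0, 0, 0, 0x102)
    for name, vsize, rawsize in sections:
        pe += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, 0, rawsize,
                               0, 0, 0, 0, 0, 0x60000020)
    return dos + pe

# Delphi's fixed compile date from the notes (June 19th 1992) as a POSIX time.
DELPHI_STAMP = int(datetime(1992, 6, 19, 22, 22, 17, tzinfo=timezone.utc).timestamp())
PACKED = build_pe(DELPHI_STAMP, [("UPX0", 0x10000, 0), ("UPX1", 0x8000, 0x3000),
                                 (".rsrc", 0x1000, 0x1000)])
NORMAL = build_pe(0x5C3F8A10, [(".text", 0x4000, 0x4000), (".data", 0x800, 0x600)])
```

On a real file, `packer_hints(parse_pe(open(path, "rb").read())[1])` gives the same two clues you would read off PEiD's section view by hand.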