Malware Analysis


Published on May 8, 2014

Author: ahmadabdelhafeez5

Source: slideshare.net

Malware Analysis
Network Security
AAST COMP ENG Dr Ashraf Tammam
Supervised by Dr. Ashraf Tammam
Presented by:
• Ahmed Abd Elhafeez
• Ahmed Elbohy
• Moataz Ahmed
5/7/2014

Agenda
• Introduction to Malware
• What is a Malware?
• Types of Malware
• How do they infect hosts?
• How to detect them?
• Malware Analysis
• Goals of Malware Analysis
• Types of Malware Analysis
• Tools for Malware Analysis
• Malware Analysis Simulation Steps
• Conclusion
• References


Introduction
Mission Statement
The purpose of this presentation is to give someone new to reverse engineering malware (REM) a place to start. At the end you should be familiar with the basic hardware, tools and concepts needed to begin learning how to do REM.

“But What Might Go Wrong If We Were To Begin To Try to Analyze Malware?”
• You might get attacked by unhappy malware authors/users
• Your system could get infected, and that might result in:
– Your system being used to spam people
– Your personally identifiable information getting stolen
– Your system getting used to distribute malware; pirated software, movies, music; child pornography; etc.
– Your system getting used as a stepping stone from which to attack government systems or critical infrastructure.
• You might even end up being arrested.


What is a Malware?
• Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
• Programming code that is capable of causing harm to availability, integrity of code or data, or confidentiality in a computing system; encompasses Trojan horses, viruses, worms, and trapdoors.

What Exactly is “Malware”?
One possible definition: Malware is software you don’t want.
• Steal personal information
• Delete files
• Steal software serial numbers
• Use your computer as a relay

Distribution of malware (chart)


Threat types (diagram)

Types of Malware (diagram)

Types of Malware
• Viruses: a computer program that is usually hidden within another seemingly innocuous program and that produces copies of itself and inserts them into other programs and usually performs a malicious action
– Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
– Metamorphic: changes after each infection

Types of Malware
• Backdoor: bypasses normal security controls to give an attacker unauthorized access.
• Botnet: all infected computers receive instructions from the same Command-and-Control (C&C) server
• Downloader: malicious code that exists only to download other malicious code
– Used when the attacker first gains access

Types of Malware
• Scareware
– Frightens the user into buying something

Types of Malware
• Spam-sending malware
– Attacker rents the machine to spammers
• Worms: a usually small self-contained and self-replicating computer program that invades computers on a network and usually performs a destructive action

Types of Malware
• Trojan horse: a seemingly useful computer program that contains concealed instructions which, when activated, perform an illicit or malicious action

Types of Malware
• Sniffers: an application used to monitor and analyze network traffic.
• Spyware: software that is installed on a computer without the user's knowledge and transmits information about the user's computer activities over the Internet

Types of Malware
• Adware: installed software that provides advertisers with information about the user's browsing habits, thus allowing the advertiser to provide targeted ads

Types of Malware (image from the PandaLabs blog)
• E-Mail Generators: an e-mail generating program can be used to create and send large quantities of e-mail, such as malware, spyware, and spam, to other systems without the user’s permission or knowledge

Types of Malware
• Ransomware (screenshot from the PandaLabs blog: a lock screen telling the victim to send a paid SMS and enter the resulting code to unlock the machine, and warning that any attempt to reinstall the system may lead to loss of important information and computer damage)

Types of Malware
• Keystroke Loggers: a keystroke logger monitors and records keyboard use
– Some require the attacker to retrieve the data from the system
– Others actively transfer the data to another system through e-mail, file transfer, or other means

Types of Malware
• Web Browser Plug-Ins: a Web browser plug-in provides a way for certain types of content to be displayed or executed through a Web browser
– E.g., malicious Web browser plug-ins that act as spyware and monitor use of the browser

Types of Malware
• Mass malware
– Intended to infect as many machines as possible
– Most common type
• Targeted malware
– Tailored to a specific target
– Very difficult to detect, prevent, and remove
– Requires advanced analysis
– Ex: Stuxnet


What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR (Master Boot Record)

Overwriting malware (diagram: the malware overwrites the targeted executable)

Prepending malware (diagram: the malware is placed in front of the targeted executable, producing an infected host executable)

Appending malware (diagram: the malware is placed after the targeted executable, producing an infected host executable)

Cavity malware (diagram: the malware is placed inside an unused region of the targeted executable, producing an infected host executable)

Multi-cavity malware (diagram: the malware is split across several unused regions of the targeted executable)

Packers (diagram: infected host executable = packer + payload)
Packers are software programs that compress and encrypt other executable files on disk and restore the original executable images when the packed files are loaded into memory.

Packer functionalities
• Compress
• Encrypt
• Randomize (polymorphism)
• Anti-debug technique (int / fake jmp)
• Add junk
• Anti-VM (virtual machine)


It is not possible to build a perfect virus/malware detector (Cohen)

Anti-virus
• Analyze system behavior
• Analyze the binary to decide if it is a virus
• Type:
– Scanner
– Real-time monitor

Anti-virus - Virus signature
• Find a string that can identify the virus
• Fingerprint-like

Anti-virus - Heuristics
• Analyze program behavior
– Network access
– File open
– Attempt to delete a file
– Attempt to modify the boot sector

Anti-virus - Checksum
• A checksum is a value used to verify the integrity of a file or a data transfer. In other words, it is a sum that checks the validity of data. Checksums are typically used to compare two sets of data to make sure they are the same.
• Compute a checksum for
– Good binary
– Configuration file
• Detect change by comparing checksums

Anti-virus - Dealing with packers
• Launch the exe
• Wait until it is unpacked
• Dump the memory

Sandbox analysis
• Provides file system, registry key, and network traffic monitoring in a controlled environment and produces a well-formed report
• Using a sandbox is more efficient and sometimes more effective
• Running the executable in a VM
• Observe it
– File activity
– Network
– Memory


Challenges in Malware analysis
• Zero-day attack prevention
• Data analytic methods work like a black box
• Abstraction of infection and propagation models
• Computational cost
• Generic disinfection

Malware Analysis
• Dissecting malware to understand
– How it works
– How to identify it
– How to defeat or eliminate it
• A critical part of incident response

Incident Response
• After malware is found, you need to know
– Did an attacker implant a rootkit or trojan on your systems?
– Is the attacker really gone?
– What did the attacker steal or add?
– How did the attack get in?
• Root-cause analysis

Three Areas
1- Visual Analysis: what you can deduce just by looking at the file: its strings, size, where it came from, etc.
2- Behavioral Analysis: how the malware behaves when executed, who it talks to, what gets installed, how it runs, etc.
3- Code Analysis: the actual viewing of the code and walking through it to get a better understanding of the malware and what it's doing.

Analyzing the Threat
• Capture malware from attackers
– Determine how they are getting in.
– Who are they targeting?
• Run malware in an isolated environment
– What does the malware do?
• Analyze the binary itself
– Some malware can detect isolated environments or has hidden code.


Goals of Malware Analysis
• The goal of malware analysis is to gain an understanding of how a specific piece of malware functions, so that defenses can be built to protect an organization’s network.
• There are two key questions that must be answered.
– The first: how did this machine become infected with this piece of malware?
– The second: what exactly does this malware do?
• After determining the specific type of malware, you will have to determine which question is more critical to your situation.


Types of Malware Analysis
• Code (static) Analysis: the actual viewing of code and walking through it to get a better understanding of the malware and what it is doing

Static Analysis techniques
• Scanning with anti-virus software
• File signatures
• Hashes
• Searching a file’s strings, functions, and headers
• Portable Executable (PE) headers + resources
• Unpacking the malware
• Disassembling the malware with a disassembler such as IDA Pro
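As an added example that is not from the slides or from PEiD, the following Python script applies the usual packer heuristic behind the PE headers and unpacking items above and the Packers slide: it parses the PE section table and computes Shannon entropy per section, flagging sections that look compressed or encrypted. The PE image it examines is constructed in memory (two sections, no optional header) purely to exercise the parser; the 7.0-bit threshold and the short packer-name list are assumptions.

```python
import hashlib
import math
import struct

# A few section names well-known packers leave behind (UPX, ASPack).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", ".adata"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for constant data, close to 8 for
    compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return (name, virtual_size, raw_size, raw_bytes) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        sections.append((name, vsize, raw_size, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess_packing(image: bytes, threshold: float = 7.0):
    """Flag sections that look packed: high entropy, a known packer name, or
    no raw data but a virtual size (filled in only after run-time unpacking)."""
    findings = []
    for name, vsize, raw_size, data in parse_sections(image):
        ent = shannon_entropy(data)
        reasons = []
        if ent >= threshold:
            reasons.append(f"entropy {ent:.2f} >= {threshold}")
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append("known packer section name")
        if raw_size == 0 and vsize > 0:
            reasons.append("no raw data, non-zero virtual size")
        findings.append({"section": name, "entropy": round(ent, 2),
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


def _pseudo_random(n: int) -> bytes:
    # Deterministic high-entropy filler (a SHA-256 chain) standing in for
    # compressed/encrypted packer output in the constructed sample.
    out, block = bytearray(), b"constructed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32 image: two sections, optional header size 0."""
    sections = [(b".text", (b"\x55\x8b\xec" * 1000).ljust(4096, b"\x90")),
                (b"UPX1", _pseudo_random(4096))]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers_len = 64 + 4 + 20 + 40 * len(sections)
    raw_ptr = (headers_len + 511) // 512 * 512       # file alignment 512
    table, raw, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             vaddr, len(data), raw_ptr + len(raw), 0, 0, 0, 0,
                             0x60000020)
        raw += data
        vaddr += 0x1000
    return (bytes(dos) + b"PE\0\0" + coff + table).ljust(raw_ptr, b"\0") + raw


if __name__ == "__main__":
    for finding in assess_packing(build_sample_pe()):
        print(finding)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `assess_packing`; a high-entropy `.rsrc` section can be a false positive because embedded images and archives are already compressed.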

Signatures
• Host-based signatures
– Identify files or registry keys on a victim computer that indicate an infection
– Focus on what the malware did to the system
• Network signatures
– Detect malware by analyzing network traffic
– More effective when made using malware analysis

Signatures
• File signature
– Leveraging the analysis of others
– Anti-viruses have their own analysis of malware, based on
• Signature
• Heuristics

Hashes
• A fingerprint for malware
• MD5 or SHA-1
• Condenses a file of any size down to a fixed-length fingerprint

Hash Calc (screenshot)

Hash Uses
• Label a malware file
• Share the hash with other analysts to identify malware
• Search the hash online to see if someone else has already identified the file

Strings
• Any sequence of printable characters is a string
• Strings are terminated by a null (0x00)
• ASCII characters are 8 bits long
– Now called ANSI
• Unicode characters are 16 bits long
– Microsoft calls them "wide characters"

Strings
• Strings are identified by a NULL terminating character
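An added example, not from the slides or from the Sysinternals Strings tool: a Python extractor that pulls both 8-bit ASCII and 16-bit wide strings from a binary, stopping at the terminating null described above, and then applies a rough triage tag (URL, DLL, registry path, likely API name) of the kind an analyst applies when reading strings output. The input bytes are constructed inline and the classification rules are my own heuristics.

```python
import re

# Constructed sample "binary" (not a real specimen): ASCII strings, one
# UTF-16LE ("wide") string as Windows stores them, and binary noise between.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"kernel32.dll\x00"
    + b"CreateFileA\x00"
    + b"\x01\x02\x7f\xff"
    + "http://example.invalid/update.php".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"                                   # too short to report
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00\x00\xfe\xed"
)


def extract_strings(data: bytes, min_len: int = 4):
    """Return (kind, offset, text) for every run of at least min_len
    printable characters, both 8-bit ASCII and 16-bit wide, in file order.
    A run stops at the first non-printable byte, which for C strings is
    the terminating null."""
    printable = rb"[\x20-\x7e]"
    ascii_re = re.compile(printable + rb"{%d,}" % min_len)
    wide_re = re.compile(rb"(?:" + printable + rb"\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [("wide", m.start(), m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found, key=lambda r: r[1])


def classify(text: str) -> str:
    """Rough triage tag; the rules are heuristics, not a signature."""
    if re.match(r"https?://", text, re.IGNORECASE):
        return "url"
    if text.lower().endswith(".dll"):
        return "dll"
    if text.upper().startswith(("HKEY_", "SOFTWARE\\", "SYSTEM\\")):
        return "registry"
    if re.fullmatch(r"[A-Z][a-z]+(?:[A-Z][a-z0-9]*)+[AW]?", text):
        return "api"          # CamelCase with optional ANSI/Unicode suffix
    return "other"


def triage(data: bytes, min_len: int = 4):
    """Strings with their kind, file offset and triage tag."""
    return [(kind, off, classify(text), text)
            for kind, off, text in extract_strings(data, min_len)]


if __name__ == "__main__":
    for kind, off, tag, text in triage(SAMPLE):
        print(f"{off:#06x} {kind:5} {tag:8} {text}")
```

Note that the wide-string pass only finds characters in the ASCII range encoded as UTF-16LE, which is what the slides mean by "wide characters"; packed or encrypted samples yield few strings until unpacked.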


Types of Malware Analysis
• Behavioral (Dynamic) Analysis: how the malware behaves when executed, who it talks to, what gets installed, and how it runs

Dynamic Analysis techniques (diagram)

Dynamic Analysis
• Sometimes malware is sophisticated enough to detect that it is sandboxed or running in a limited environment
• The good news: we have the machine code.
• The bad news: all we have is the machine code.
• We can then reverse engineer…

Reverse Engineering
• Reverse engineering is always possible since the machine code is present in the malware sample.
• This requires expert knowledge in assembly.
• Only worthwhile if you are looking for odd behavior, as it is slow and tedious work.

Reversing malware
• Set up a virtual environment.
• Get the necessary tools ready.
• Snapshot is your best friend.

Simple Reverse Engineering Tools in Linux
• Objdump is a free open source Linux disassembler.
– Outputs assembly code
– Useful to find strings in the binary
• GDB, the standard debugger for Linux, can debug without source file information.
• Strace intercepts all system calls and notifications and prints them out for a running process.

Reverse Engineering on Windows
• IDA Pro is an interactive debugger which allows code to be disassembled and run at the same time
– Breaks down the code into machine instructions
– Interactively reverse engineers to C code
– Allows interactive renaming of functions and variables as their function is discovered
– Extremely useful

Dynamic Analysis techniques
• Network traffic analysis
• File system, and other Windows features (services, processes, etc.)

Dynamic Analysis techniques
• Carefully let malware run on a (nearly) fully functional system.
• Virtual machines are often useful
– Take a clean snapshot
– Run the malware
– Observe results
– Restore the clean snapshot

Dynamic Analysis techniques
• SysInternals Process Monitor allows complete monitoring of API calls.
– Also has a special boot monitor to track all changes upon a reboot
• Regshot takes a before and after snapshot of the registry to find changes.


Tools for malware analysis
• It is critical to identify various tools that can be used to perform malware analysis.
• This is not a comprehensive list of tools that one must use.
• We will mention some critical tools, not all of them.

List of tools
• Strings
• PEView
• Dependency Walker
• Resource Hacker
• Procmon
• Procexp
• Regshot
• Capture
• Wireshark
• Netcat/Fakenet
• FakeDNS/ApateDNS
• PEiD
• UPX

Needed terminology
• Reverse Code Engineering: the process of disassembling software to reveal how the software functions.
• Disassemblers: programs that take a program’s executable binary as input and generate textual files that contain the assembly language code for the entire program or parts of it.

Needed terminology
• Debuggers: programs that allow software developers to observe their program while running it.
• Decompiler: a program that takes an executable binary file and attempts to produce readable high-level language code from it.

Tools for malware analysis
• Using physical hardware or virtual machines (VM).

Setting up test environment
• Computer requirements:
– At least 1GB of memory
– A large hard drive: allows you to keep images on the hard drive
– Good processor: faster is better
– NIC card
– CDROM/DVD burner
– Any operating system

Setting up test environment
• VMware Workstation: run and network multiple OSes on one platform
• Storage media: for transferring malware and storing unused OS images

Setting up test environment
• Internet connectivity: optional, but occasionally you might need it.
• Collection of OSes:
– You will need different operating systems for your testing
– Base image with no patches
– Base image fully patched
– Configure as host-only or a network
– Store on hard drive and/or burn to CD

Tools for malware analysis
• Process Explorer: small application that finds out what files, registry keys and other objects processes have open, and which DLLs they have loaded
• Process Monitor: small application used to monitor file system, registry, process, thread and DLL activity in real time.
• PsFile: application that shows a list of files on a system that are opened remotely.

Tools for malware analysis
• RootkitRevealer: application that scans the system for known rootkit-based malware.
• Strings: application that searches for ANSI and UNICODE strings in binary images.
• TCPView: application providing information about TCP and UDP connections, including the local and remote address and TCP connection state.

Tools for malware analysis
• WinDump: Windows version of the powerful and flexible tcpdump sniffer.
• Fport: identifies unknown ports and their associated applications.
• Hfind (part of the Forensic Toolkit): application that will scan the disk for hidden files.
• BgInfo: small application providing important system information such as hostname, IP address, OS version, etc.

Tools for malware analysis
• Vision: reports all open TCP and UDP ports and maps them to the owning process or application.
• Filewatch: a file change monitor.
• Attacker: a TCP/UDP port listener.
• MD5sums: generates signatures or hashes for file integrity verification.
– Run it before you launch the malware to have a baseline for comparison against other files the malware may create
• Winalysis: monitors for changes to files, the registry, users, groups, security policies, services, shares, scheduled jobs, the system environment and more.
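An added example that is not part of the slides or of MD5sums, covering the Checksum, Hashes and Hash Uses slides as well as the MD5sums baseline above: a Python script that snapshots file hashes before a specimen runs, diffs a second snapshot afterwards (the file-system counterpart of what Regshot does for the registry), and matches digests against a known-hash list of the kind other analysts share. The lab directory, its files and the known-hash set are constructed in a temporary folder; nothing is executed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    """Hex digest of a file, read in chunks so large samples are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, algos=("md5", "sha1", "sha256")) -> dict:
    """Baseline: relative path -> {algo: digest} for every file under root.
    MD5 and SHA-1 are kept only because other analysts and online lookups
    still index by them; SHA-256 is the one to rely on for integrity."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            snap[rel] = {a: hash_file(p, a) for a in algos}
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Before/after comparison: what the specimen added, removed or changed."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def match_known(snap: dict, known_hashes: set) -> list:
    """Label files whose digest (under any algorithm) appears in a list of
    hashes already identified by other analysts."""
    return [(path, algo, d) for path, digests in snap.items()
            for algo, d in digests.items() if d in known_hashes]


def demo() -> tuple:
    """Constructed lab run: baseline, simulated specimen effects, compare."""
    with tempfile.TemporaryDirectory() as lab:
        root = Path(lab)
        (root / "app.exe").write_bytes(b"MZ constructed clean program")
        (root / "config.ini").write_text("[settings]\nupdate=1\n")
        before = snapshot(root)
        # Constructed stand-in for what a specimen might leave behind:
        # a dropped file and an altered config. Nothing here runs anything.
        (root / "dropped.dll").write_bytes(b"MZ constructed dropped component")
        (root / "config.ini").write_text("[settings]\nupdate=0\n")
        after = snapshot(root)
        return diff_snapshots(before, after), after


if __name__ == "__main__":
    changes, after = demo()
    print(changes)
    for path in changes["added"] + changes["modified"]:
        print(path, after[path]["sha256"])
```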

Tools for malware analysis
• WinHex: hex editor; you may choose any hex editor that you like.
• IDA Pro: popular interactive, programmable, extendible, multi-processor debugger and disassembler.
• Reverse Engineering Compiler: popular decompiler.
• ProcDump32: unpacker application.

Tools for malware analysis
• PE Explorer: provides tools for disassembly and inspection of unknown binaries.
• WinDbg: Windows debugging application.
• LiveKd: application that allows the WinDbg debugger to run locally on a live system.
• DebugView: an application that monitors debug output on your local or a remote system.

Tools for malware analysis
• OllyDbg: 32-bit assembler-level analysis debugger for Microsoft Windows, used to work with the malware for tasks such as viewing the code and stepping through it.
• Regshot: tool that tells you what has changed on your system before and after you launch your malware
• Netcat: “Swiss army knife” for networks, for when you need something to connect to or to attempt a connection from

Tools for malware analysis
• UPX: a packer widely used to compress and obfuscate code; also used to uncompress the code before analysis
• WinRAR: tool to compress large file(s) into one smaller file, to safely transfer malware or collected information and keep things organized. Industry-standard password is ‘infected’
• Ethereal: a protocol analyzer (aka sniffer)
– Used when launching the malware and while doing analysis.


Malware analysis main steps
• Step 1: Allocate physical or virtual systems for the analysis lab
• Step 2: Isolate laboratory systems from the production environment
• Step 3: Install behavioral analysis tools
• Step 4: Install code-analysis tools
• Step 5: Utilize online analysis tools
• Next Steps
Moataz Ahmed Mahmoud, Ahmed Abdelhafez, Ahmed El bohy

Step 1: Allocate physical or virtual systems for the analysis lab
• A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. This requires a laboratory system you can infect without affecting your production environment.
• The most popular and flexible way to set up such a lab system involves virtualization software, which allows you to use a single physical computer for hosting multiple virtual systems, each running a potentially different operating system. Free virtualization software options include:
– VMware Server
– Windows Virtual PC
– Microsoft Virtual Server
– VirtualBox

Step 2: Isolate laboratory systems from the production environment
• You must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape. You can separate the laboratory network from production using a firewall. Better yet, don't connect laboratory and production networks at all, to avoid firewall configuration issues that might allow malware to bypass filtering restrictions.

Step 3: Install behavioral analysis tools
• Before you're ready to infect your laboratory system with the malware specimen, you need to install and activate the appropriate monitoring tools. Free utilities that will let you observe how Windows malware interacts with its environment include:
• File system and registry monitoring: Process Monitor and Capture BAT offer a powerful way to observe in real time how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed into the system upon infection.
• Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager, helping you observe malicious processes, including local network ports they may attempt to open.
• Network monitoring: Wireshark and SmartSniff are network sniffers, which can observe laboratory network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic, or downloads.
• Change detection: Regshot is a lightweight tool for comparing the system's state before and after the infection, to highlight the key changes malware made to the file system and the registry.

Step 4: Install code-analysis tools
• Examining the code that comprises the specimen helps uncover characteristics that may be difficult to obtain through behavioral analysis. In the case of a malicious executable, you will rarely have the luxury of access to the source code from which it was created. Fortunately, the following free tools can help you reverse compiled Windows executables:
• Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse compiled Windows executables and, acting as disassemblers, display their code as Intel x86 assembly instructions. These tools also have debugging capabilities, which allow you to execute the most interesting parts of the malicious program slowly and under highly controlled conditions, so you can better understand the purpose of the code.
• Memory dumper: LordPE and OllyDump help obtain protected code located in the lab system's memory and dump it to a file. This technique is particularly useful when analyzing packed executables, which are difficult to disassemble because they encode or encrypt their instructions, extracting them into RAM only during run-time.

Step 5: Utilize online analysis tools
• To round off your malware-analysis toolkit, add to it some freely available online tools that may assist with the reverse engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These applications look similar at first glance, but use different technologies on the back end. Consider submitting your malware specimen to several of these sites; depending on the specimen, some sites will be more effective than others. Such tools include:
– Anubis
– CWSandbox
– Joebox
– Norman SandBox
– ThreatExpert

Next Steps
• With your initial toolkit assembled, start experimenting in the lab with malware you come across on the web, in your e-mail box, on your systems, and so on.


Conclusion
• As you have seen, there are various ways for an attacker to get malicious code to execute on remote computers
• We have only scratched the surface; there is much more to learn and discover



Questions?

