Topic 2. Fundamentals of Malware Analysis .pptx

khoiclever 17 views 20 slides Mar 09, 2025



Slide Content

Because teaching teaches teachers to teach
Topic 2. Fundamentals of Malware Analysis

Key concepts
- Reverse Engineering Malware Methodology
- Overview of MA Lab setup and configuration
- Behavioral Analysis
- Code Analysis
- Creating the Analysis Report
- Recommended Case Study

Reverse Engineering Malware Methodology
1. Investigation Characteristics:
- MA as Part of the Forensic Investigation: malware analysis needs to be conducted as part of both the incident response and the forensic analysis process.
- Common Malware Characteristics: propagation, infection, self-defense and capabilities (additionally exfiltration, which transmits data out of the affected environment, and command and control, which receives updates and instructions), plus others tied to the program's purpose.
- Dual-Phased Analysis Process: incorporating both behavioral analysis and code analysis.

Reverse Engineering Malware Methodology (Cont.)
2. Investigative Approach:
- Malware Analysis Laboratory: typically requires an isolated laboratory environment, where the malicious software executes under controlled conditions.
- Behavioral Analysis: real-time monitoring of the system, identifying important changes to the system, monitoring the network, interacting with malware, automated behavioral analysis.
- Code Analysis: structure of the executable file, embedded strings, references to external functions, the executable's instructions.
- Creating the Analysis Report.

Overview of MA Lab setup and configuration
An MA lab usually takes the form of several computers connected to an isolated network. The computers are designed to mimic the configuration of commonly targeted systems and may run various versions and patch levels of the operating systems relevant to the investigator. Among the computers may be one or more systems that run network services which malware may attempt to access. The investigator infects these systems during the analysis. The setup must allow the investigator to simulate the presence of the Internet and other networks that the malware may seek.

Overview of MA Lab setup and configuration (Cont.)
A flexible and frugal way of setting up the lab: use virtualization software to run multiple "virtual" systems on a smaller number of physical computers. Both free and commercial products allow running multiple instances of laboratory systems simultaneously that operate independently, yet exist on the same physical host:
- VMware Workstation, Server, vSphere, Fusion, …
- Microsoft Virtual PC and Virtual Server
- Sun VirtualBox
- Parallels Desktop, Server, and Virtuozzo Containers
Minimizing the number of physically distinct systems saves money, while benefiting from the small physical footprint and flexibility offered.

Overview of MA Lab setup and configuration (Cont.)
Virtualization software makes it possible to implement multiple laboratory systems on a single physical computer.

Overview of MA Lab setup and configuration (Cont.)
One of the most convenient virtualization technologies is the simulated network. The ability to take instant (and multiple) snapshots of the lab system's state allows the investigator to repeat behavioral experiments without restarting the analysis from the beginning. One of the biggest drawbacks of using physical systems: just a single snapshot.

Overview of MA Lab setup and configuration (Cont.)
With physical systems, one possibility is to use system state-restoring software such as Windows SteadyState or Faronics Deep Freeze, or a more reliable alternative, hardware-based "snapshot" products such as Centurion Guard or the Reborn PCI Card. The biggest advantage of using physical hardware: stronger isolation of the laboratory environment.
Isolating the Malware Laboratory: mitigate the risk of malware escaping the laboratory sandbox by regularly applying security patches to the virtualization software and by following hardening guidelines. Avoid connecting the physical system hosting the virtualized lab to non-laboratory networks.

Overview of MA Lab setup and configuration (Cont.)
Real-Time Monitoring of the System: file system, registry, processes, network. Process Monitor generates an extensive log file, recording one event per line, and can also generate summary reports. A comprehensive tool for observing the specimen's interactions with its environment is CaptureBAT.

Behavioral Analysis
Identifying Important Changes to the System:
- Using tools such as Process Monitor and CaptureBAT produces a large log file ⇒ an important event may be missed.
- ⇒ Add a change-detection tool to the behavioral analysis toolkit, e.g. Regshot, SpyMe Tools, InstallWatch and other commercial utilities.
- A popular tool for examining this aspect of the specimen's behavior is Autoruns.

Behavioral Analysis (Cont.)
Monitoring the Network:
- CaptureBAT saves the capture file in the common PCAP format, which most network sniffers can parse ⇒ a full-featured network sniffer is the freely available Wireshark. A lightweight alternative to Wireshark is SmartSniff.
- tcpdump can both capture network traffic and parse the data via a command-line interface.
- More sophisticated examples of network traffic capture are covered under Network Forensics.

Behavioral Analysis (Cont.)
Interacting with Malware:
- Monitoring the laboratory network ⇒ discover which network resources the specimen attempts to access, e.g. the sniffer may show an attempt to resolve a hostname by connecting to a DNS server.
- Tools for redirecting DNS-based network connections: traditional DNS server software, specialized free tools (such as the MiniFake DNS Python script), or the compiled Windows program fakeDNS.
- Some network worms use hardcoded IP addresses ⇒ honeypot tools such as Honeyd.
- Use the freely available INetSim suite of tools, or Netcat, to emulate many popular services.
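A minimal version of the DNS redirection described above, written here as an added example (it is not code from the slides, MiniFake DNS or fakeDNS): every A query arriving from the lab network is answered with the address of a host the investigator controls, so each lookup the specimen makes is logged and its connections land on emulated services. The sink address 10.0.0.1 and the hostnames used are assumptions.

```python
import socket
import struct

def parse_qname(msg, off):
    """Decode the label sequence at msg[off:]; returns (dotted name, offset just past it)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0:  # compression pointers do not occur in a plain question
            raise ValueError("unexpected compressed label")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def dns_reply(query, sink_ip, ttl=60):
    """Answer an A query with sink_ip (other types get an empty NOERROR reply); returns (name, bytes)."""
    txid, flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, off = parse_qname(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, off)
    question = query[12:off + 4]
    answer, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        # NAME = pointer 0xC00C to the question name, TYPE A, CLASS IN, TTL, RDLENGTH 4, IPv4 address
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    return name, header + question + answer

def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query; used here only to construct sample input offline."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def serve(sink_ip, bind=("0.0.0.0", 53)):
    """Run on the host the lab VMs use as their resolver (binding port 53 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        query, peer = sock.recvfrom(512)
        try:
            name, reply = dns_reply(query, sink_ip)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or multi-question packet: log nothing, answer nothing
        print(f"{peer[0]} looked up {name}, answered {sink_ip}")
        sock.sendto(reply, peer)
```

Calling `serve("10.0.0.1")` on the lab resolver and pointing the analysis VM's DNS setting at that host is enough to see, in the printed log, every hostname the specimen tries to resolve.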

Code Analysis
Structure of the Executable File: the Portable Executable (PE) format. The executable's data structure (the PE header) contains "meta" information, e.g. the address of the instruction the OS executes first (the Entry Point), the general layout of the executable's components, and the list of dynamically linked libraries (DLLs) that the executable uses (the Import Table).
- Examining the PE header helps in reversing packed executables (Handling Self-Defending Malware).
- Free tools: xPELister, PEiD, PE Tools.
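To show what "examining the PE header" means in practice, here is an added example (not code from the slides or from the tools named above) that reads the entry point and section table and reports header-only hints that a file may be packed, such as an entry point outside the normal code section or a section far larger in memory than on disk. The sample header is constructed in the block; its packer-style section name "UPX1" and the addresses are assumptions.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: name, vsize, vaddr, rawsize, rawptr, ..., characteristics

def parse_pe(data):
    """Follow e_lfanew to the PE signature, then read the COFF header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, 60)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                                      # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint, an RVA (same offset in PE32 and PE32+)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + i * 40)[:5]
        sections.append({"name": name.rstrip(b"\x00").decode(errors="replace"), "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "entry_point": entry, "sections": sections}

def entry_section(info):
    """Section whose virtual range contains the entry point RVA, or None."""
    ep = info["entry_point"]
    for s in info["sections"]:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def packing_indicators(info):
    """Header-only hints that the file may be packed: reasons to look closer, not proof."""
    hints = []
    sec = entry_section(info)
    if sec is None:
        hints.append("entry point lies outside every section")
    elif sec["name"] not in (".text", "CODE"):
        hints.append(f"entry point is in section {sec['name']!r}, not a normal code section")
    for s in info["sections"]:
        if s["rawsize"] and s["vsize"] > 4 * s["rawsize"]:  # tiny on disk, large in memory: room to unpack into
            hints.append(f"section {s['name']!r} is {s['rawsize']:#x} bytes on disk but {s['vsize']:#x} in memory")
    return hints

def build_sample_pe():
    """Constructed PE32 header only (not a runnable program), used as offline sample input."""
    dos = bytearray(b"MZ") + bytearray(62)
    struct.pack_into("<I", dos, 60, 64)                       # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, 224-byte optional header
    # optional header: Magic 0x10B (PE32) at +0, AddressOfEntryPoint at +16, ImageBase at +28, rest zero
    opt = struct.pack("<H14xI8xI", 0x10B, 0x3000, 0x400000).ljust(224, b"\x00")
    secs = [(b".text", 0x1000, 0x1000, 0x1000, 0x400), (b"UPX1", 0x8000, 0x3000, 0x400, 0x1400)]
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020) for n, vs, va, rs, rp in secs)
    return bytes(dos) + b"PE\x00\x00" + coff + opt + table
```

On a real file, `packing_indicators(parse_pe(open(path, "rb").read()))` gives the same kind of hints; an empty list only means the header looks ordinary, which is where tools such as PEiD add signature matching.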

Code Analysis (Cont.)
Embedded Strings: when a program refers to static strings, i.e. sequences of ASCII or Unicode characters, they will often be embedded in clear text within the executable file ⇒ the investigator can sometimes get a sense of the program's capabilities, and can identify potential functionality that may need to be examined further based on the visible function names, section names, potential commands, URLs, IP addresses, … A malicious executable may be written to prevent important strings from being visible in their plain-text form. Further, the malware author may embed false strings to throw the investigator off course. Specialized free tools that can extract strings from executables include the numerous variations of the command-line "strings" utility, BinText and TextScan.

Code Analysis (Cont.)
References to External Functions: malware authors can compile a program to be standalone, including in the executable all the libraries upon which it depends (static linking). Dynamic linking (referencing external libraries, and the relevant functions within those libraries, dynamically, without embedding them directly in the executable) ⇒ significantly decreases the size of the executable and improves its portability across various versions of Windows.

Code Analysis (Cont.)
The Executable's Instructions: the most important element of the code analysis process is the examination of the actual instructions that comprise the malicious executable. The instructions, which the CPU can understand and execute, are stored in the file as binary opcodes that humans cannot read without disassembling them. A traditional disassembler allows the investigator to examine the code statically by reading the assembly instructions and looking at how they attempt to interact with data. A debugger is helpful for examining, while slowing down, the execution of the more "interesting" portions of the code: stepping through the executable one instruction at a time, pausing, and looking at the changes to the registers, the stack, RAM, and so on ⇒ dynamic analysis. Popular debuggers used for reverse-engineering malware: OllyDbg (free), IDA Pro and the Hex-Rays Decompiler (commercial).

Creating the Analysis Report
A typical malware analysis report covers the following areas:
- Summary of the analysis: regarding the specimen's nature, origin, capabilities, and other relevant characteristics.
- Identification: the type of the file, its name, size, hashes (MD5, SHA1, ssdeep, …), malware names (if known), and current anti-virus detection capabilities.
- Characteristics: the specimen's capabilities for infecting files, self-preservation, spreading, leaking data, interacting with the attacker, …
- Dependencies: files and network resources related to the specimen's functionality: OS versions, required initialization files, custom DLLs, executables, URLs, and scripts.
- Behavioral and code analysis findings: static and dynamic observations from behavioral and code analysis.
- Supporting figures: logs, screenshots, string excerpts, function listings, …
- Incident recommendations: including possible eradication steps.

Recommended Case Study https://www.malware-traffic-analysis.net/2024/index.html

Q&A