Digital Malware Analysis - V2
Prelude
Welcome to the Malware Analysis course. Let's look at the topics
that you will cover in this course.
What is Malware?
Malware, or malicious software, is a program or piece of code that
runs on a victim's system, whether as an executable file, a script,
or code embedded in other software. Attackers use malware to steal
sensitive data, spy on infected systems, take control of devices,
and even destroy the data on those systems. Malware typically gets
into a system or network through communication channels such as
email, the web, or USB drives.
Malware Symptoms
Some Symptoms of Malware:
Types of Malware
When performing malware analysis, understanding the types of
malware helps speed up the analysis: once the type is identified,
you can select the appropriate analysis method and tools for it.
So let's look at some of the leading types of malware in the cards
below.
Backdoor
Malicious code that installs itself on a computer to give the
attacker access. Backdoors usually let the attacker connect to the
computer with little or no authentication and execute commands on
the local system.
Trojan
This malware disguises itself as a legitimate program to trick
users into installing it on their systems. Once installed, it can
perform malicious activities such as stealing sensitive data,
uploading files to the attacker's server, or monitoring webcams.
Downloader or Dropper
Once an attacker gains access to a system, they can easily install
a downloader. This malicious code exists only to download
additional malicious code on the attacker's behalf.
Adware or Spyware
This malware displays unwanted advertisements to the user. It
mostly arrives bundled with free downloads and can forcibly
install software on the system.
Botnet
Similar to a backdoor, but a botnet gives the attacker access to a
whole group of computers infected with the same malware. The
infected machines, called bots, wait to receive instructions from
a command-and-control server controlled by the attacker.
Information Stealing
Ransomware
This malware holds the system for ransom by locking users out of
their computer or by encrypting their files.
RootKit
This malware provides the attacker with privileged access to the
infected system and hides its own presence or the presence of
other software. Rootkits are usually paired with other malware,
such as a backdoor that gives the attacker remote access, and they
make that code difficult for the victim to detect.
Worm or Virus
This malware is capable of replicating itself and spreading to
other computers.
Lab Requirements
A virtual machine is a software program that exhibits the
behavior of a separate computer and can perform tasks such as
running applications. Virtual machines are available for
different operating systems (Windows, Linux, macOS).
A controlled virtual environment is recommended when performing
dynamic analysis, where a malware sample is actually executed. To
set up a controlled lab environment, install a virtual machine
with the appropriate malware analysis tools. The virtual machine
can be reset to its original state after the analysis is complete.
Download Links:
VMware - Windows / Linux and Mac.
Virtual Box - All Operating Systems
Reversing code takes a lot of time, and the required skill set is
relatively rare, since the investigator needs to know assembly
language. For this reason, many malware investigations don't dig
into the code much. However, reversing even some of the code
broadens the analyst's view of the malicious program.
Automated Analysis
Using automated tools is one of the easiest ways to assess
suspicious files. These tools quickly evaluate a sample and
produce reports with details such as the registry keys used by
the malicious program, mutex values, file activity, and network
traffic.
However, these tools will not provide as much insight as a human
analyst would obtain. They do help the incident response process
cope with large volumes of malware, which lets human analysts
focus their attention on the cases that need it.
VirusTotal Tool
VirusTotal is an online malware analysis tool that provides a
web-based malware scanning service. You upload a file, VirusTotal
scans the suspicious file using multiple antivirus scanners, and
the results are published in real time on the web page. VirusTotal
also lets you search its database by hash, URL, domain, or IP
address.
There is also VirusTotal Graph, built on top of the VirusTotal
dataset. It visualizes the relationships between a submitted file
and its associated indicators, such as domains, IP addresses, and
URLs, which you can navigate to gain additional details.
Reference: VirusTotal Online Scanner, VirusTotal Documentation
$ md5sum sample.exe
6e4e030fbd2ee786e1b6b758d5897316 sample.exe
$ sha256sum sample.exe
01636faaae739655bf88b39d21834b7dac923386d2b52efb4142cb278061f97f sample.exe
$ sha1sum sample.exe
625644bacf83a889038e4a283d29204edc0e9b65 sample.exe
Tools for Hashing - Windows
On Windows systems, file hashes can be generated using md5deep as
shown below.
C:\>md5deep c:\WINDOWS\system32\sample.exe
373e7a863a1a345c60edb9e20ec32311 c:\WINDOWS\system32\sample.exe
There are many tools available for generating hashes; you can find
them via this Reference link and pick the best one after careful
review.
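The hashing workflow shown above (md5sum, sha256sum, sha1sum, md5deep) can be scripted so that every sample gets the same three digests, which are then the values you would search for on VirusTotal. The following is an added example written for this course page, not code from the page or from any of the tools it names; the sample file it hashes is constructed in a temporary directory, and the `matches_known` helper and its known-hash dictionary are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# The same three algorithms the command-line examples on this page use.
ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed, harmless stand-in for a sample (not real malware).
SAMPLE_CONTENT = b"MZ" + b"\x90" * 2048 + b"constructed sample, not real malware"


def hash_bytes(data: bytes) -> dict:
    """Hash an in-memory buffer with every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in chunks, so large samples never have to fit in memory.

    All hashers consume the same chunk stream, so the file is read only once.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_known(digests: dict, known: dict) -> bool:
    """Compare computed digests with hashes from an earlier report or lookup.

    `known` maps an algorithm name (any case) to a hex digest (any case),
    e.g. values copied from a VirusTotal search; any single match counts.
    """
    return any(
        digests.get(alg.lower()) == value.lower() for alg, value in known.items()
    )


def demo() -> tuple:
    """Write the constructed sample to a temp dir and hash it from disk and from memory.

    A small chunk size is used on purpose so the chunked path is exercised;
    both results must agree.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.exe")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_CONTENT)
        return hash_file(path, chunk_size=512), hash_bytes(SAMPLE_CONTENT)


if __name__ == "__main__":
    on_disk, _ = demo()
    for alg, digest in on_disk.items():
        print(f"{alg:7} {digest}  sample.exe")
```

Run it as a script to print the three digests in the same `algorithm digest filename` layout as the shell tools; import it to reuse `hash_file` across a directory of samples.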
Extracting Strings
Strings are sequences of ASCII or Unicode characters embedded
within a file (ASCII strings use 1 byte per character, and Unicode
strings use 2 bytes per character). By extracting strings, we get
clues about the functionality of the suspect binary. From the
extracted strings we can find references the binary contains,
such as URLs, IP addresses, attack commands, filenames, domain
names, and registry keys. Although strings alone do not give a
full understanding of the scope and ability of the file, they do
hint at the capabilities of the malware.
Explore these tools to extract strings: PeStudio, PPEE (Puppy),
and Strings from Microsoft.
Finding Strings
Most invalid strings are obvious because they do not represent
legitimate text. e.g., the following listing shows the result of
running Strings against the file bb6.ex_:
C:\>strings bb6.ex_
98.134.24.1 --❹
e-@Get
Layout --❶
GDI32.DLL --❸
SetLayout --❷
M}C
Mail system DLL is invalid. Send Mail failed to send message. --❺
❸ GDI32.DLL is meaningful because it is the name of a common
Windows dynamic link library (DLL) used by graphics programs.
(DLL files contain executable code that is shared among multiple
applications.)
PE Header Information
The PE (Portable Executable) file format consists of a header
followed by a series of sections. The header contains metadata
about the file. Following the header are the actual sections of
the file, each of which contains useful information.
e.g., Visual Studio uses .text for executable code. Windows does
not care about the actual name, since it uses other information
in the PE header to determine how a section is used. Moreover,
section names are sometimes obfuscated to make analysis more
difficult.
Reference: PE File Headers and Sections.
INetSim
INetSim behaves like a real server. Its built-in HTTP and HTTPS
server simulations serve whatever is requested. e.g., if the
malware requests a PNG from a website to carry out its operation,
INetSim responds with a file in PNG format. Although that PNG is
not the file the malware is looking for, the server does not
return errors such as 404, and the response helps keep the
malware running.
INetSim can also record all inbound requests and connections,
which is useful for determining whether the malware connects to
standard services and for seeing the requests it makes.
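The two INetSim behaviours described here, answering every request with a well-formed object of the requested type and logging each inbound request, are easy to see in a small fake HTTP service. The following is an added example written for this page, not INetSim's own code and not part of the course: `handle_request` picks a response by the requested file extension (a PNG built from scratch for `.png`, plain text, HTML, or an inert binary placeholder) and records the request, and `FakeHandler` exposes that logic over HTTP on the lab VM's loopback address. The listening address and port, the content-type mapping and the sample paths are assumptions.

```python
import struct
import zlib
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUEST_LOG = []  # one record per inbound request, reviewed after the run


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a valid black RGB PNG from scratch (IHDR, IDAT, IEND with CRCs)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit RGB
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def fake_body(path: str):
    """Choose a (content_type, body) that matches what the client asked for."""
    name = path.lower().split("?", 1)[0]
    if name.endswith(".png"):
        return "image/png", make_png()
    if name.endswith((".txt", ".ini", ".cfg")):
        return "text/plain", b"ok\r\n"
    if name.endswith((".exe", ".dll", ".bin")):
        # Inert placeholder bytes, constructed; enough for a download to "succeed".
        return "application/octet-stream", b"\x00" * 64
    return "text/html", b"<html><body>simulated response</body></html>"


def handle_request(method: str, host: str, path: str, user_agent: str):
    """Always answer 200 with a plausible body, and record the request first."""
    content_type, body = fake_body(path)
    REQUEST_LOG.append({"method": method, "host": host, "path": path,
                        "user_agent": user_agent, "served": content_type})
    return 200, content_type, body


class FakeHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front-end over handle_request; never returns 404."""

    def _serve(self):
        status, ctype, body = handle_request(
            self.command, self.headers.get("Host", ""), self.path,
            self.headers.get("User-Agent", ""))
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _serve
    do_POST = _serve

    def log_message(self, fmt, *args):
        pass  # REQUEST_LOG is the single record; keep stderr quiet


if __name__ == "__main__":
    # Assumed lab address: redirect the analysis VM's HTTP traffic here.
    HTTPServer(("127.0.0.1", 8080), FakeHandler).serve_forever()
```

After a dynamic run, `REQUEST_LOG` is the same kind of evidence INetSim's own logs give you: which hostnames the sample resolved and contacted, which paths it requested, and what User-Agent it used, without any of it leaving the lab.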
Conclusion
Basic dynamic analysis of malware can assist and confirm the
basic static analysis findings.
Disassembly
Malware on disk is in binary form, known as machine code.
Disassembly converts that binary form into assembly language, so
we can view the malware's code and figure out what it does.
Disassembling malware helps in reverse engineering the binaries,
understanding the various functions of the code, and identifying
the instructions embedded in it. Tools such as IDA Pro help with
disassembling and decompiling malware code.
IDA Pro
Interactive Disassembler Professional (IDA Pro) is an
extremely powerful disassembler distributed by Hex-Rays. It is
used by reverse engineers, malware analysts, and vulnerability
researchers. It runs on various platforms (Windows, Linux, and
macOS) and supports analysis of different file formats, including
PE, ELF, and Mach-O.
Download Link for IDA Pro.
Disassembly Window
After the executable has been loaded, you are presented with the
disassembly window, also known as the IDA View window, which
displays the disassembled code.
IDA shows the disassembled code in two display modes:
Graph view
Text view
Conclusion
IDA Pro is a useful disassembler application for examining and
analyzing the code a malware program is made of. This helps in
understanding its purpose and how it executes.
Browse this link for reference: IDA Pro.
Debugging
Debugging malware lets you examine the code more closely by
executing instructions one at a time. In this course, we will be
looking at two tools that help with debugging: OllyDbg and
WinDbg.
OllyDbg
OllyDbg is developed by Oleh Yuschuk. It provides the ability to
analyze malware while it is running. OllyDbg is commonly used by
malware analysts and reverse engineers because it is free, it is
easy to use, and it has many plug-ins that extend its
capabilities.
Download OllyDbg.
OllyDbg Interface
Conclusion
OllyDbg is a popular debugger for malware analysis, with advanced
features for performing dynamic analysis and debugging malware.
OllyDbg is especially useful for its conditional breakpoints,
which can break on the parameters of function calls or on access
to a particular region of memory.
Course Summary
Finally, you have arrived at the end of the course. Let's review
what you have grasped from the course so far.