Comprehensive Malware Analysis Techniques
This detailed guide covers basic static techniques, malware analysis in virtual machines, and basic dynamic analysis. It includes information on static analysis, such as examining payloads without execution, file signatures, and signatures generated via analysis. Additionally, it delves into counter-measures used by malware, such as obfuscation, packing, polymorphism, and metamorphism. The chapter also discusses the challenges in signature coverage and cloud-based antivirus solutions.
Uploaded on Sep 12, 2024 | 0 Views
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Part 1: Basic Analysis Chapter 1: Basic Static Techniques Chapter 2: Malware Analysis in Virtual Machines Chapter 3: Basic Dynamic Analysis
Static analysis Examine payload without executing it to determine function and maliciousness Done via scanning content
File signatures Common code or data used across malware instances e.g. embedded URL strings, decryptor code Examples Strings search on metadata, errors, constants Regular expression searches Hashing (e.g. MD5, SHA)
Signatures generated via analysis Artifacts revealed by binary Tools for dumping linked libraries Dependency Walker, PEView, PEBrowse, PE Explorer, ldd Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc) Disassemblers
But Astronomical growth in signatures Coverage by a single tool is difficult Cloud-based anti-virus http://www.virustotal.com Bought by Google But, public service that allows attacker to know when their malware has been uploaded and identified! Can use private malware sandbox analysis (VMRay)
Malware counter-measures Obfuscation Code execution is hidden by author to make static analysis difficult Packing Code compressed and encrypted to completely thwart static analysis (Figure 1-4) Code to unpack binaries is common, however Some can be identified (PEiD) Polymorphism and metamorphism Code transformed into equivalent, but different form to thwart static signatures Example: Mimikatz (Metasploit module to do weaponized credential theft on Windows) From 54/54 (100% detection) to 4/54 when replacing mimikatz with kitikatz and recompiling AV with signatures is now completely dead
Chapter 2: Malware Analysis on VMs Chapter 3: Basic Dynamic Analysis
Malware and VMs Most malware must be executed in order to analyze them Requires a safe environment VirtualBox, VMware Host-only networking to monitor network traffic Snapshots and roll-back Record and replay execution
Sandboxes Simpler alternative to VMs Behavior isolation and coarse-grained tracking of malware execution File system activity Registry activity Network activity Examples: GFI Sandbox, Norman SandBox Always use a sandbox or VM to analyze malware
But, can be subtle FireEye anti-virus (12/2015) Static analysis of Java byte-code via a Java decompiler (JODE) so did not run in a VM But, did not realize decompiler executed byte code as well Instant remote code execution AV now *worse* than no AV
Monitoring execution Procmon (Sysmon) www.sysinternals.com Combines process, file, and registry monitoring to track execution behavior Spits out XML on events, allows one to reconstruct process tree Prochacker (http://processhacker.sourceforge.net/) Process (memory) monitoring Process explorer Verify running process against the disk executable image Determine if malicious documents are launching new processes Regshot Flag changes in registry
Monitoring execution ApateDNS Capture DNS requests and modify replies More comprehensive follow-on tool.. Flare-NG https://github.com/fireeye/flare-fakenet-ng/releases Netcat Proxying and emulating connections Wireshark Packet capturing tool INetSim Simulate common Internet services
Tools in action See p. 57 in text (msts.exe) Setup tools (process/network/registry monitoring, setup VMs, server emulation) Fig. 3-12 Contacts web site (the textbook's) ApateDNS Creates new file (winhlp2.exe) procmon Modifies registry to autorun regshot Creates a mutex to ensure only a single execution Process Explorer Contacts a server over port 443 (https), but does not speak SSL INetSim Speaks a custom protocol Wireshark
In-class exercises Lab 1-1, Lab 1-2 Lab 3-2, Lab 3-4
