Techniques, Tools, and Research Issues

Slides:



Advertisements
Similar presentations
Caf é Net Management System … Prepared By : Shereen Atallah Shereen Atallah Elham AL_Yaseen Elham AL_Yaseen.
Advertisements

Socket Programming. Basics Socket is an interface between application and network – Application creates a socket – Socket type dictates the style of communication.
The IDE (Integrated Development Environment) provides a DEBUGGER for locating and correcting errors in program logic (logic errors not syntax errors) The.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Visual Basic Debugging Tools Appendix D 6/27/20151Dr. Monther Aldwairi.
TCP connection my Computertelnet client web server remote computer 1 character per transmission * Telnet uses TCP connection * but Nagle's algorithm modifies.
OllyDbg Debuger.
Setting up in Outlook Express. Select “Tools” from the toolbar menu.
Installing a DHCP Server role on Windows Server 2008 R2 in a home network. This is intended as a guide to install the DHCP role on a Domain Controller.
Server Load Balancing. Introduction Why is load balancing of servers needed? If there is only one web server responding to all the incoming HTTP requests.
Practical Malware Analysis Ch 8: Debugging Rev
INFS 752 Summer Juan Salazar Please right click the symbol in the lower right corner, and then press preview, to hear the presentation for each page.
Section 2.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Learningcomputer.com SQL Server 2008 Configuration Manager.
Vintage Computer Hardware 101 Featuring the MITS Altair 680b Bill Degnan.
Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.
Our Environment We will exercise on Microsoft Visual C++ v.6 We will exercise on Microsoft Visual C++ v.6 because that is what we have in the univ. because.
® IBM Software Group © 2011 IBM Corporation RDz Workbench – Debugging z/OS COBOL Applications Batch COBOL Debugging Workshop Jon Sayles, Rational System.
Jump to first page (C) 1998, Arun Lakhotia 1 Quality Assurance: Reviews and Walkthroughs Arun Lakhotia University of Southwestern Louisiana Po Box
VB – Debugging Tools Appendix D. Why do we need debugging? Every program has errors, and the process of finding these errors is debugging Types of errors.
NIOS II Ethernet Communication Final Presentation
Logging into a Remote Desktop Connection. Connecting to ‘Remote Desktop Connection’ through the application.
PDA Program Install Manual IT Team. 1. Execute Internet Explorer 2. Connect Website 3. Download 4. Installation 5. Run 6. Setting 1. Execute.
Proxy Installer for Windows Squid: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response.
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Integration Framework: QRadar 7.2 MR1.
Memory & Storage Architecture Seoul National University PuTTY Usage Hyeon-gyu School of Computer Science and Engineering.
Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Computer virus Speaker : 蔡尚倫.  Introduction  Infection target  Infection techniques Outline.
© 2000 Morgan Kaufman Overheads for Computers as Components Host/target design  Use a host system to prepare software for target system: target system.
Case study: Data Provider setup Sergey Sukhonosov National Oceanographic Data Centre, Russia Expert training on the Ocean Data Portal technology, Buenos.
Go to Start >> Programs >> Outlook Express ( as shown)
1 Tips for the assignment. 2 Socket: a door between application process and end- end-transport protocol (UDP or TCP) TCP service: reliable transfer of.
Chapter 27 Getting “Web-ified” (Web Applications) Clearly Visual Basic: Programming with Visual Basic nd Edition.
Debugging tools in Flash CIS 126. Debugging Flash provides several tools for testing ActionScript in your SWF files. –The Debugger, lets you find errors.
Simple ALU How to perform this C language integer operation in the computer C=A+B; ? The arithmetic/logic unit (ALU) of a processor performs integer arithmetic.
Lecture 11 Example Rootkit. Intel internship Intel CTG (Corporate Technology Group) –Advanced research & development –System integrity services using.
Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.
Debugging and Testing Hussein Suleman March 2007 UCT Department of Computer Science Computer Science 1015F.
The LC-3 – Chapter 6 COMP 2620 Dr. James Money COMP
Debugging RTC CLI in Eclipse
Networks Problem Set 3 Due Nov 10 Bonus Date Nov 9
Interrupt Processing Sequence
Chapter 7: Identifying Advanced Attacks
Live Phishing Attack Authentication Activity from a Foreign Address.
Techniques, Tools, and Research Issues
Binary Lesson 4 Classful IP Addresses
FORTINET Network Security NSE8 Dumps - 100% Success
Techniques, Tools, and Research Issues
Techniques, Tools, and Research Issues
Dynamic Analysis ddaa.
Techniques, Tools, and Research Issues
Networks Problem Set 3 Due Oct 29 Bonus Date Oct 26
Techniques, Tools, and Research Issues
Malware Incident Response  Dynamic Analysis - 2
Socket Programming Cal Poly Pomona Young CS380.
CHAPTER 8 ELEMENTARY UDP SOCKETS
Unit 27 - Web Server Scripting
Information Security Session October 24, 2005
Chap 10 Malicious Software.
Configuration Of A Pull Network.
Our Environment We will exercise on Microsoft Visual C++ v.6
Tracing What, How, and Why Copyright © Curt Hill,
Chap 10 Malicious Software.
Microprocessor and Assembly Language
46 to 1500 bytes TYPE CODE CHECKSUM IDENTIFIER SEQUENCE NUMBER OPTIONAL DATA ICMP Echo message.
Read this to find out how the internet works!
Crisis and Aftermath Morris worm.
Basic Dynamic Analysis VMs and Sandboxes
Presentation transcript:

Techniques, Tools, and Research Issues Virus Analysis Techniques, Tools, and Research Issues Part IV: Analysis Techniques - Advanced Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA

Malware Analysis Techniques: Advanced Client-Server Interaction

Debugging the Backdoor Locate the Backdoor Set Breakpoints Prepare Client Run Worm in Debugger Run Client

Locate the Backdoor Use IDAPro’s “Jump To function…” option to find functions of interest

Locate the Backdoor Look for network-related functions

Locate the Backdoor Use “Jump to xref to operand…” to find calls to the selected function

Locate the Backdoor Make note of the function call addresses

Set Breakpoints Locate the function calls in OllyDbg using “Go to Expression”

Set Breakpoints Press F2 to set a breakpoint

Prepare Client Retrieve IP address of infected machine

Prepare Client Configure port number & IP address in client

Sending Data to Worm Run the worm and client Send input to worm

Debugging Make note of how the worm processes the input

Debugging Control the flow of the worm by modifying register and flag values

Debugging Press F7 to execute one instruction Press F8 to execute a function, without entering it Press CTRL+F9 to jump to end of current function

Debugging First 8 bytes are read

Debugging First four bytes must be 0x43 FF FF FF

Debugging 9th byte is read

Debugging 9th byte is compared to 0x0 and 0x0B Must be greater than 0x0 Must be less to 0x0B

Debugging Up to 200 bytes are read or until 0x0 is read

Debugging Address 0x004025A8 calls a function that hashes previously read bytes If hash value is incorrect, connection closes

Debugging Beagle responds with 8 byte sequence if hash value is correct

Debugging 9th byte is used as option number Option numbers are 2, 3, 4, 8, and 10

Exercise How does Beagle.J behave with option numbers 2, 3, 4, 8, 10? Why is Beagle.J contacting websites? What’s a/the password for the backdoor?

Summary Analyzing backdoor opened by virus Need to work on both sides: Client and server Locate backdoor Create client to connect to backdoor Use debugger to trap connection trace execution alter execution

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.