Techniques, Tools, and Research Issues

Slides:



Advertisements
Similar presentations
Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example.
Advertisements

Operating-System Structures
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
VMware is a registered trademark of VMware, Inc. (an EMC company).
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Hands-on: Capturing an Image with AccessData FTK Imager
About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Hands-On Virtual Computing
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
CHAPTER FOUR COMPUTER SOFTWARE.
Live Forensics Investigations Computer Forensics 2013.
Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
INTRODUCTION TO VIRTUALIZATION KRISTEN WILLIAMS MOSES IKE.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005.
Mastering Windows Network Forensics and Investigation Chapter 10: Tool Analysis.
FTP File Transfer Protocol Graeme Strachan. Agenda  An Overview  A Demonstration  An Activity.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
Hands-On Virtual Computing
Virtual Machines Module 2. Objectives Define virtual machine Define common terminology Identify advantages and disadvantages Determine what software is.
Course 03 Basic Concepts assist. eng. Jánó Rajmond, PhD
IST 201 Chapter 11 Lecture 2. Ports Used by TCP & UDP Keep track of different types of transmissions crossing the network simultaneously. Combination.
The purpose of a CPU is to process data Custom written software is created for a user to meet exact purpose Off the shelf software is developed by a software.
Lesson 9: SOFTWARE ICT Fundamentals 2nd Semester SY
Nat 4/5 Computing Science Software
Chapter 2. Malware Analysis in VMs
Lab assignments Follow each lab walkthrough in textbook
CHAPTER 4 Methodology.
Topic 7 Malware Analysis Basics
Techniques, Tools, and Research Issues
Techniques, Tools, and Research Issues
資料通訊與網路 教授: 吳照輝 助教: 鄺福全.
Techniques, Tools, and Research Issues
Techniques, Tools, and Research Issues
Dynamic Analysis ddaa.
SECURING NETWORK TRAFFIC WITH IPSEC
Chapter 2: System Structures
Techniques, Tools, and Research Issues
Traffic Analysis with Ethereal
Operating System Structure
Introduction to Operating System (OS)
Malware Incident Response  Dynamic Analysis - 2
What is an Operating System?
Part 1: Basic Analysis Chapter 1: Basic Static Techniques
Intercept X for Server Early Access Program Sophos Tester
Chapter 2. Malware Analysis in VMs
Digital Pacman: Firewall Edition
Information Security Session October 24, 2005
Chapter 3. Basic Dynamic Analysis
Chap 10 Malicious Software.
CHAPTER 2: OPERATING SYSTEMS (Part 2) COMPUTER SKILLS.
Malware Incident Response  Dynamic Analysis - I
Types of Software.
Chapter 2: Operating-System Structures
Chap 10 Malicious Software.
Network hardening Chapter 14.
Lecture9: Embedded Network Operating System: cisco IOS
Basic Dynamic Analysis VMs and Sandboxes
Chapter 2: Operating-System Structures
Talking Malware Analysis with MITRE
Lecture9: Embedded Network Operating System: cisco IOS
Presentation transcript:

Techniques, Tools, and Research Issues Virus Analysis Techniques, Tools, and Research Issues Part II: Tools Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA

Analysis Environment & Tools AV Lab and Procedures Virus Analysis Process Static Analysis Tools Process Observation Tools Network Observation Tools

Anti-Virus Lab Key Requirements Should not spread contamination Should be easy to revert to clean state Support storage and exchange of malware

Procedures for handling malware Restrict access Save only disassembled files Rename file extensions Protect against accidental double click Zip/compress and password protect Protects against misappropriation Be cautious about exchanging malware Preferably – Avoid sending malware Send zip/password files, with notes of caution

Lab Alternatives Physically separate machines and network Prevents accidental spread Difficult to setup and tear down Difficulty in accessing outside information during analysis Logically separate machines and network Using virtualization technologies Easy to setup and tear down Must adhere to procedures to secure against accidental spread Can create a sense of complacency

Example: Virtual Machines

VMWare Runs multiple operating systems simultaneously Creates network between host and guest systems

VMWare Snapshot Self-contained files Can save copy of good state Can transfer virtual machines to other PCs .vmx – configuration file .vmdk – image of hard disk

Virtualization Technologies Virtualizing a single host VMWare (www.vmware.com) USD 200/user Virtual PC (Microsoft) USD 129/user Bochs (bochs.sourceforge.net) Free. Emulates in software. Virtualizing a network DETER/Emulab (www.isi.edu/deter)

Attacking VMWare Detecting VMWare Emulator remnants Abnormalities Registry keys Directories/files Abnormalities Predetermined hardware info Possibly incorrectly emulated ports

Attacking VMWare Retaliation Act benign Communicate with VMWare Enable/disable virtual devices Spread to host (not yet seen)

Malware Analysis Process Reset Lab Environment Static Analysis Set up network observation tools Set up process observation tools Run program Observe network traffic Observe process actions Identify services requested Create/revise client on Linux Create DNS tables Run client Run services on Linux

Static Analysis Tools BinText (www.foundstone.com) Extracts strings from code Free IDA Pro (www.DataRescue.Com) Disassembler USD 399/user UPX (upx.sourceforge.net) UPX compression/decompression MD5 Checksum

BinText Extracts strings from executables Reveals clues: IRC Commands, SMTP commands, registry keys

IDA Pro Disassembles executables into assembly instructions Easy-to-use interface Separates subroutines, creates variable names, color-coded

UPX Decompression Executable packer commonly used by virus writers Can compress wide range of files Windows PE executables, DOS executables, DOS COM files, and many more To unpack: upx.exe -d -o dest.exe source.exe

Process Observation Tools Process Explorer Monitor processes FileMon Monitor file operations RegMon Monitor operations on registry Regshot Take snapshot of registry and files ProcDump Dump code from memory OllyDbg Debugger

Process Explorer Real-time monitoring Reports process name & id; Useful as filter with other tools Processes highlight in green when created Freely available from www.SysInternals.com

FileMon Records all file accesses Freely available from www.SysInternals.com

RegMon Records all registry accesses Freely available from www.SysInternals.com

RegShot Records modifications to registry and file system Does not detect read attempts Freely available from regshot.yeah.net

ProcDump Dumps process’ code from memory Useful for polymorphic viruses

OllyDbg Breakpoints Attach to process Can manipulate memory and registers Freely available at home.t-online.de/home/OllyDbg

Network Observation Tools TCPView Displays open network ports TDIMon Monitors network activity Ethereal Packet sniffer Snort

TCPView Displays all open TCP and UDP endpoints Also displays process name Freely available from www.SysInternals.com

TDIMon Logs all network activity Does not log packet contents Freely available from www.SysInternals.com

Ethereal Captures and displays packet contents Freely available from www.ethereal.com

Snort Captures and displays packets Usage: snort -vd | tee snort.out Sample packet A = Acknowledgement R = Reset connection P = Push data F = Finish S = Synchronize

Summary Creating an AV Lab Virus Analysis Process Tools Virtual environment Procedures for handling malware Virus Analysis Process Tools Static Analysis Process Observation Network Observation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.