Homework tar file
Download your course tarball from the web page
– Named using your PSU ID
– Chapter labeled for each binary

Part 1: Basic Analysis
– Chapter 1: Basic Static Techniques
– Chapter 2: Malware Analysis in Virtual Machines
– Chapter 3: Basic Dynamic Analysis

Chapter 1: Basic Static Techniques

Scanning
Statically analyze a payload to determine its maliciousness
– Recall the Aitel 2011 USENIX Security talk

File signatures
Common code or data reused across malware instances
– e.g. embedded URL strings, decryptor code
Signatures
– Hashing (e.g. MD5, SHA): an exact match on the whole file, so any one-byte change produces a new hash
– Strings search on metadata, error messages, constants
– Polymorphism and metamorphism are easy for an adversary to deploy, so per-sample signatures go stale quickly
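As an added example, not code from the slides or from the textbook, here is the first static pass the slide describes, in Python: whole-file hashes, a strings extractor that also recovers the UTF-16LE ("wide") strings Windows binaries carry (plain `strings` misses these unless run with `-e l`), and a classifier that pulls URLs, IPv4 addresses, Windows paths, registry Run keys and executable names out of the dump. The SAMPLE blob is constructed for the example; example.invalid, winhlp2.exe and the Run-key path are placeholders, not indicators from a real sample.

```python
import hashlib
import re

# Constructed stand-in for a suspicious binary (not real malware): a DOS-style
# header, an embedded ASCII URL, a UTF-16LE ("wide") path as Windows APIs use,
# some high-bit filler that no strings tool should print, and a Run-key path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"http://example.invalid/update.php\x00"
    + b"\x01\x02\x03"
    + "C:\\Windows\\System32\\winhlp2.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\xfd\xfc" * 8
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

MIN_LEN = 5  # minimum run length; `strings` defaults to 4, one more cuts some noise


def file_hashes(data: bytes) -> dict:
    """Whole-file hashes: exact-match signatures, invalidated by any one-byte change."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable ASCII at least min_len long (what `strings` prints by default)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def wide_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """UTF-16LE runs: each printable ASCII byte is followed by a NUL byte."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


# Indicator classes worth pulling out of a strings dump before any disassembly.
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run_key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "windows_path": re.compile(r"^[A-Za-z]:\\"),
    "pe_filename": re.compile(r"\.(?:exe|dll|sys)$", re.IGNORECASE),
}


def classify(strings: list) -> dict:
    """Map indicator class -> list of matching strings."""
    hits = {}
    for s in strings:
        for label, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(label, []).append(s)
    return hits


def triage(data: bytes) -> dict:
    """Everything a first static pass produces: hashes, both string kinds, indicators."""
    strings = ascii_strings(data) + wide_strings(data)
    return {"hashes": file_hashes(data), "strings": strings, "indicators": classify(strings)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["hashes"]["sha256"])
    for label, matches in report["indicators"].items():
        print(f"{label}: {matches}")
```

Run it against a real file with `triage(open(path, "rb").read())`. The hash comparison in the test below is the whole point of the "hashing" bullet: appending a single NUL byte gives a different MD5, which is why a hash-only signature is so easy to evade.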

Analyzing executables
PE (Windows), ELF (Linux)
Tools for dumping linked libraries
– Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so)
– Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
Function naming conventions in Windows
– CreateWindowEx: "Ex" marks an extended version of an older API
– CreateDirectoryW: "W" marks the wide-character (Unicode) variant, vs. "A" for ANSI strings
– See MSDN
Note: a short import list is an indication of a packed binary (the unpacking stub typically imports little more than LoadLibrary and GetProcAddress, and resolves the rest at run time)

Packing and obfuscation
Obfuscation
– Code written so that its behavior is hidden by the author
Packing
– A form of obfuscation in which the program is compressed or encrypted; the packed file carries only a small unpacking stub that restores the original code at run time (Figure 1-4)
– Prevents static analysis and file signatures from working on the original code
Example: UPX
– Unpackers for common packers are readily available, however, and the packer can usually be identified (e.g. with PEiD); UPX-packed files can be unpacked with UPX itself
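An added example (not from the slides or the textbook) of two cheap packing checks a triage script can run before reaching for PEiD: walk the PE section table and flag packer section names (UPX writes UPX0/UPX1) and sections whose byte entropy is close to 8 bits, which is what compressed or encrypted code looks like. It builds two small constructed PE images inline so it runs without a sample. The section-name list and the 7.0-bit threshold are heuristics, not a definitive test, and the short-import-list check from the previous slide is not implemented here.

```python
import hashlib
import math
import struct

# Section names left behind by common packers; UPX0/UPX1 are what UPX writes.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite", "MPRESS1", "MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, ~8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF file header -> section table.
    Returns (name, size_of_raw_data, pointer_to_raw_data, raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only the first five fields are needed here
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, raw_size, raw_ptr, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packing_report(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag packer section names and high-entropy sections; either one is a packing hint."""
    report = {"sections": [], "packer_names": [], "high_entropy": []}
    for name, raw_size, _ptr, data in pe_sections(image):
        ent = shannon_entropy(data)
        report["sections"].append((name, raw_size, round(ent, 2)))
        if name in PACKER_SECTION_NAMES:
            report["packer_names"].append(name)
        if raw_size and ent >= entropy_threshold:
            report["high_entropy"].append(name)
    report["likely_packed"] = bool(report["packer_names"] or report["high_entropy"])
    return report


# --- constructed test images (not real binaries) -------------------------------

def build_pe(sections: list) -> bytes:
    """Minimal PE: DOS header with e_lfanew, PE signature, COFF header with an
    empty optional header, one section header per (name, data), then the data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    header_end = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_base = (header_end + 0x1FF) & ~0x1FF  # file-align section data to 512 bytes
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                             raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    image = dos + b"PE\x00\x00" + coff + table
    return image + b"\x00" * (raw_base - len(image)) + body


def pseudo_random(n: int, seed: bytes = b"packed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x40" * 50 + b"hello from .text\x00" * 4  # low entropy
CLEAN_IMAGE = build_pe([(b".text", PLAIN_CODE), (b".data", b"\x00" * 512)])
PACKED_IMAGE = build_pe([(b"UPX0", b""), (b"UPX1", pseudo_random(2048)), (b".rsrc", PLAIN_CODE)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, packing_report(img))
```

On a real file, `packing_report(open(path, "rb").read())` prints one (name, raw size, entropy) tuple per section; a single section holding nearly all the file's bytes at 7.5+ bits is the usual picture of a packed sample even when the packer renamed its sections to look like .text.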

File signature coverage
Astronomical growth in the number of signatures
Coverage by a single tool is difficult
– Cloud-based anti-virus: aggregate the verdicts of many engines (e.g. virustotal.com)

Chapter 2: Malware Analysis in Virtual Machines
Chapter 3: Basic Dynamic Analysis

Malware and VMs
Most malware must be executed in order to be analyzed
– Requires a safe, isolated environment
VMware
– Host-only networking, so the malware's traffic never leaves the host and can be monitored
– Snapshots and roll-back to a clean state after each run
– Record and replay of execution

Sandboxes
Behavior isolation and coarse-grained tracking of malware execution
– File system activity
– Registry activity
– Network activity
– Examples: GFI Sandbox, Norman SandBox

Executing malware
Executable
– Directly launching it, or running it under a debugger
Malicious DLLs
– rundll32.exe (rundll32.exe DLLname, Export arguments)

Monitoring execution
Procmon
– Combines FileMon and RegMon to track file-system, registry, and process activity
Process Explorer
– Free tool from Microsoft (Sysinternals) to verify a running process against its on-disk executable image
– Useful for determining if malicious documents are launching new processes
Regshot
– Snapshots the registry before and after execution and flags the changes

Monitoring execution
ApateDNS
– Free tool from Mandiant to see DNS requests from malware and control the replies (e.g. point every name at an analysis host)
Netcat
– Useful for proxying and emulating connections to malware (listen on the port the malware contacts)
Wireshark
– Packet capture tool
INetSim
– Linux tool to simulate common Internet services (HTTP, HTTPS, DNS, FTP, SMTP, ...)
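As an added example, not a tool from the slides and not Mandiant's code, the core of what ApateDNS does: a fake DNS server that logs every name the malware resolves and answers every A query with the analysis host's address, so the sample then connects to Netcat or INetSim instead of its real server. It speaks raw DNS over UDP with struct; build_query exists only to exercise the responder, and the 10.0.0.1 and 192.0.2.10 addresses are placeholders for the example.

```python
import socket
import struct

TYPE_A = 1


def parse_query(packet: bytes):
    """Decode the header and the first question of a DNS query.
    Returns (txid, qname, qtype, qclass, raw_question_bytes)."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", packet, 0)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack_from("!HH", packet, off)
    return txid, ".".join(labels), qtype, qclass, packet[12:off + 4]


def build_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Answer any A query with answer_ip, echoing the transaction id and question.
    Non-A queries get an empty authoritative answer so the client moves on."""
    txid, _name, qtype, _qclass, question = parse_query(query)
    ancount = 1 if qtype == TYPE_A else 0
    # flags 0x8580: QR=1 (response), AA=1, RD=1, RA=1, RCODE=0 (NOERROR)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, ancount, 0, 0)
    if not ancount:
        return header + question
    # one answer RR: name = pointer to offset 12 (0xC00C), type A, class IN, TTL, RDLENGTH 4
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def build_query(txid: int, name: str, qtype: int = TYPE_A) -> bytes:
    """Encode a standard recursive query as a stub resolver would send it (test helper)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind_addr: str = "0.0.0.0", port: int = 53, answer_ip: str = "10.0.0.1", log=print):
    """UDP loop: log every name the malware asks for and point it at answer_ip,
    which should be the analysis box running the fake services (e.g. INetSim)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _txid, name, qtype, _qclass, _q = parse_query(data)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue  # malformed or not a query: drop silently
        log(f"{peer[0]}:{peer[1]} asked for {name} (qtype {qtype}) -> answering {answer_ip}")
        sock.sendto(build_response(data, answer_ip), peer)


if __name__ == "__main__":
    serve()  # port 53 is privileged; set the victim VM's DNS server to this host's address
```

Run it on the host-only network, point the victim VM's DNS setting at the host, and the log becomes the list of domains the sample tries to reach; the replies send every connection to whatever is listening on the analysis box, which is exactly the hand-off to Netcat or INetSim shown in the tools-in-action slide.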

Tools in action
See p. 57 in the text: msts.exe
– Contacts a web site (the textbook's): ApateDNS
– Creates a new file (winhlp2.exe): procmon
– Modifies the registry to autorun: Regshot
– Creates a mutex to ensure only a single instance runs: Process Explorer
– Contacts a server over port 443 (https) but does not speak SSL: INetSim
– Speaks a custom ASCII protocol: Wireshark

In-class exercises
Lab 1-1
– Show the results of virustotal.com
– In PEView, show the timestamps
– Show the list of imported system library calls. From these calls, what might this executable be doing?
– Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?
– Show where the malware is attempting to create its malicious file
Lab 1-2
– Show the results of virustotal.com
– In PEView, show the sections that contain the packed executable code
– Run UPX to unpack the code and load the unpacked executable in PEView
– Show the functions imported from Wininet.dll. What might this executable be doing?
– Show the URL the malware connects to in memory

In-class exercises
Lab 3-2
– Find the functions this DLL exports (Figure 3-5L)
– Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?
– Use strings to reconstruct the URL being requested
– Set up Regshot and Process Explorer before running rundll32 to install this malware's service. Using Regshot, show whether or not the DLL installed its registry key.
Lab 3-4
– Copy the binary to the Desktop and run it. What happens?
– Examine the binary's strings using a tool of your choice to find the cmd.exe command used
– Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L