Chapter 2. Malware Analysis in VMs

Presentation on theme: "Chapter 2. Malware Analysis in VMs"— Presentation transcript:

1 Chapter 2. Malware Analysis in VMs

2 Grading
If you scored at least 85%, you earned an A-; at least 70%, a B-; at least 55%, a C-.

3 Undergrad/Grad
Some homework later in the course will be distributed to graduate students (research-oriented) – CS595
Undergrad students: not necessary – CS495
Bonus questions: distributed later in the course for both CS495/595 students

4 Project Survey
Programming language (Python)
Pcap
Deep learning frameworks (Caffe/Tensorflow/Theano/PyTorch)

5 Honeypot Project
Honeypot: used for IDS/malware monitoring – real-time
Gather traces for analysis

6 Research: DEF CON - Evade Anti-Virus
Hackers used the OpenAI Gym toolkit (reinforcement learning) to evade anti-virus detection. OpenAI is an organization in AI research – Elon Musk.
Change the PE file, receive the feedback/rewards; repeat
Does this apply to behavior?
Deep reinforcement learning: Playing Atari with Deep Reinforcement Learning, NIPS, 2013.

7 VMs
Most malware must be executed in order to analyze it
Running it on a production machine -> may spread to others (worms)
Requires a safe environment with no risk: VirtualBox, VMware
Host-only networking to monitor network traffic
Snapshots and roll-back
Record and replay execution

8 VM Structure Guest OS installed inside host OS as a VM
VM is isolated from the host OS

9 Host-only Networking
Host-only networking creates a separate private LAN between the host OS and the guest OS
Malware is contained in the VM and cannot reach the Internet

10 Host-only Networking

11 Connecting VM to the Internet
Default option in VirtualBox (NAT): NAT mode shares the host IP; the host acts as a router and translates all the requests from the VM
In real malware analysis be cautious: a spreading worm, becoming a bot in a DDoS botnet, spamming
Malware authors may notice you are connecting to the control server and trying to analyze it

12 VM: Snapshot
A snapshot is unique to VMs
Allows you to save the current state and return to this state in the future
Extremely helpful in malware analysis
Usually make a snapshot after you install all the tools, or before you analyze some unknown program

13 VirtualBox Snapshot
Under Machine -> Snapshot, view all the snapshots taken

14 Risks of using VM
Malware can detect it is in a VM and behave differently
VMs also have bugs that can cause the host OS to crash or run the code on the host OS (possibly through the shared folder)
Make sure the host OS is fully patched
Avoid using a sensitive machine to perform malware analysis (save some of the non-personal files to the cloud, like Dropbox)

15 Chapter 3. Basic Dynamic Analysis

16 Dynamic Analysis
When static analysis is exhausted: monitor the malware after it is executed to identify its functionality
Usually performed after static analysis is completed; could put your system and network at risk
Not all malware functionality can be explored in dynamic analysis (limitation)

17 Sandbox
Simpler alternative to VMs
Isolation and tracking of malware behavior
Example from the book – GFI SandBox – generated logs:
File activity (modified files)
Mutexes created
Registry activity (changes to the registry)
Network activity (events, traffic and DNS requests)

18 Drawbacks of Sandbox
Malware detects it is in a VM – stops running
Certain registry keys/files are not included in the sandbox
DLL malware will not run as an executable in the sandbox
Only reports the logs and leaves the analysis to the analyst

19 Running DLL Malware
Difference between EXE and DLL
EXE:
Executable file
No export is called, only the module entry point
A new process is launched
DLL:
A dynamic link library
Multiple exported symbols
The system loads the DLL into an existing process
Purpose is to have a collection of methods/classes that can be reused by other applications
Malware in DLL format may not be executable directly; it needs rundll32.exe, knowing that Install is in the Export Table (PEview)

20 Turning DLL into EXE
Force the DLL to run as an executable by modifying the PE header
Remove the IMAGE_FILE_DLL flag in IMAGE_FILE_HEADER -> it will run DllMain
The rest of the program may crash
Achieves our purpose: to analyze the malicious payload
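The header patch described on this slide, as an added example (not code from the slides or the book): it walks the DOS header to IMAGE_NT_HEADERS, clears IMAGE_FILE_DLL (0x2000) in IMAGE_FILE_HEADER.Characteristics, and leaves every other byte alone. The sample header built by build_sample_dll_header is constructed for testing and is not a real binary; the file names in the __main__ block are assumptions.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics bit that marks a DLL


def _characteristics_offset(pe: bytes) -> int:
    """Locate Characteristics: e_lfanew at DOS offset 0x3C points to the 'PE'
    signature, followed by IMAGE_FILE_HEADER whose Characteristics is its last
    WORD (Machine 2 + NumberOfSections 2 + TimeDateStamp 4 + PointerToSymbolTable 4
    + NumberOfSymbols 4 + SizeOfOptionalHeader 2 = 18 bytes in)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature: not a PE image")
    return e_lfanew + 4 + 18


def characteristics(pe: bytes) -> int:
    return struct.unpack_from("<H", pe, _characteristics_offset(pe))[0]


def is_dll(pe: bytes) -> bool:
    return bool(characteristics(pe) & IMAGE_FILE_DLL)


def clear_dll_flag(pe: bytes) -> bytes:
    """Return a copy of the image with IMAGE_FILE_DLL cleared, so the loader treats
    it as an EXE and starts at DllMain (the rest of the code may well crash)."""
    off = _characteristics_offset(pe)
    patched = bytearray(pe)
    struct.pack_into("<H", patched, off, characteristics(pe) & ~IMAGE_FILE_DLL)
    return bytes(patched)


def build_sample_dll_header() -> bytes:
    """Constructed minimal header for testing (not a real binary): a 0x40-byte DOS
    header, then the PE signature and an IMAGE_FILE_HEADER with Characteristics =
    EXECUTABLE_IMAGE (0x0002) | 32BIT_MACHINE (0x0100) | DLL (0x2000)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers start at 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0,
                              0x0002 | 0x0100 | IMAGE_FILE_DLL)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    import sys  # usage (assumed): python patch_dll.py sample.dll -> sample.dll.exe
    data = open(sys.argv[1], "rb").read()
    open(sys.argv[1] + ".exe", "wb").write(clear_dll_flag(data))
```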

21 Process Monitor
Process Monitor (procmon)
Monitors certain registry, file system, network, process, and thread activity
Combines FileMon and RegMon to track execution behavior
Might cause performance degradation on the VM (limited virtual memory assigned); run it for a few minutes only

22 Demo of Procmon

23 Demo of Procmon - Filter
Do not forget to add the filter after defining the rules

24 Process Explorer
Download here: us/sysinternals/downloads/process-explorer
Lists active processes, DLLs loaded by a process, and their properties
Can be used to kill processes, log out users, and validate processes
Shown in a tree structure with parent and child processes

25 Process Explorer
Pink: services; blue: processes; green: new process; red: terminated process

26 Threads tab: active threads
TCP/IP tab: active connections/ports

27 Verify button: verifies that the executable is from Microsoft (against process replacement by an attacker)
Or use the Strings tab to compare strings and see the differences: a malicious process could have strings very different from the normal ones

28 Find Handle or DLL
If you already know a DLL is malicious -> find all the processes using the DLL

29 Registry Snapshot (Regshot)
Take a snapshot before and after execution of the malware to see the keys being modified
Listing 3-1, example in the book
Note the noise being captured, as the random seed is different

30 Faking a Network
Create a fake network without actually connecting to the Internet – prevents the malware from knowing it is in a virtual environment
ApateDNS – see the DNS requests made by the malware; redirect a DNS request from the malware, e.g. dest – evil.malwar3.com, to something else (a fake virtual web server)
Netcat monitoring – can be used for both inbound/outbound connections. Listen mode: acts as a server; connect mode: client
Netcat combined with a reverse shell (Listing 3-2)
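What the ApateDNS step on this slide does at the wire level, as an added example (not the ApateDNS tool and not code from the slides): the analysis host listens for the guest's DNS queries, logs each name asked for, and answers every A query with the address of the fake web server, so evil.malwar3.com resolves to the INetSim box instead of the real Internet. The fake server address 192.168.56.101 and the sample query are constructed values; the guest must have this listener configured as its DNS server on the host-only interface.

```python
import socket
import struct


def parse_qname(msg: bytes, off: int):
    """Decode DNS labels starting at off; return (dotted name, offset past the
    terminating zero). Stub queries carry plain labels, so no pointers needed."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def handle_query(query: bytes, fake_ip: str, log: list) -> bytes:
    """Log the requested name; answer IN A queries with fake_ip (TTL 60),
    anything else with an empty NOERROR response rather than a bogus record."""
    txid, _flags, qd, _an, _ns, _ar = struct.unpack_from("!HHHHHH", query, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, end)
    log.append(f"query id={txid:#06x} name={name} type={qtype}")
    question = query[12:end + 4]
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    # name as pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(fake_ip)
    return header + question + answer


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample query, the shape a Windows guest's resolver emits."""
    q = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    return q + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(fake_ip: str, bind=("0.0.0.0", 53)):
    """UDP loop for the analysis host; every lookup the guest makes is printed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    log = []
    while True:
        data, peer = sock.recvfrom(512)
        sock.sendto(handle_query(data, fake_ip, log), peer)
        print(log[-1], "from", peer[0])
```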

31 Reverse Shell
What is a shell? What is a reverse shell?
A shell is a program which can be used to gain code or command execution on a device.
What is a reverse shell? The target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved.
Why? Ingress/egress firewall config

32 Network Tools
Packet sniffing with Wireshark
Can be used to sniff passwords (sent in plaintext), reverse-engineer protocols, steal sensitive information, listen to online chat
INetSim
Linux-based simulation of Internet services – needs a virtual machine if on Windows
Provides a wide range of fake services: HTTP/HTTPS, FTP, IRC, DNS, SMTP, etc.
Does its best to respond to malware requests – if a request cannot be satisfied, returns a 404 error

33 Using the combination of tools
Go through the example at p. 56
Analyze the malware called msts.exe
Summary of tools at hand:
Procmon: set a filter on the process name msts.exe
Process Explorer: start before launching the malware
RegShot: gather a first snapshot
INetSim and ApateDNS: set up the virtual network
Wireshark: log network traffic

34 Virtual Network
Set up two VMs – Windows running the malware; Linux running the web services
ApateDNS redirect to

35 Analysis of Recordings/Logs
1. ApateDNS shows the DNS requests performed
2. A file called winhlp2.exe is created under system32 (Windows help)
3. The registry snapshot shows the malware is set to autorun at startup

36 Analysis of Recordings/Logs
4. Process Explorer: examine the process – see that a mutex is created, which ensures only one copy of the malware is running at a time

37 Analysis of Recordings/Logs
5. Review the INetSim logs to see the connection attempted: communication via port 443 (SSL) was captured, though it failed
6. Wireshark should capture similar protocol activity

38 In-class Homework Do In-class homework hw_2_in.docx
