Presentation is loading. Please wait.

Presentation is loading. Please wait.

Techniques, Tools, and Research Issues

Published byCatherine Hood Modified over 6 years ago

Similar presentations

Presentation on theme: "Techniques, Tools, and Research Issues"— Presentation transcript:

1 Techniques, Tools, and Research Issues
Virus Analysis Techniques, Tools, and Research Issues Part IV: Analysis Techniques - Advanced Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA

2 Malware Analysis Techniques: Advanced
Client-Server Interaction

3 Debugging the Backdoor
Locate the Backdoor Set Breakpoints Prepare Client Run Worm in Debugger Run Client

4 Locate the Backdoor Use IDAPro’s “Jump To function…” option to find functions of interest

5 Locate the Backdoor Look for network-related functions

6 Locate the Backdoor Use “Jump to xref to operand…” to find calls to the selected function

7 Locate the Backdoor Make note of the function call addresses

8 Set Breakpoints Locate the function calls in OllyDbg using “Go to Expression”

9 Set Breakpoints Press F2 to set a breakpoint

10 Prepare Client Retrieve IP address of infected machine

11 Prepare Client Configure port number & IP address in client

12 Sending Data to Worm Run the worm and client Send input to worm

13 Debugging Make note of how the worm processes the input

14 Debugging Control the flow of the worm by modifying register and flag values

15 Debugging Press F7 to execute one instruction
Press F8 to execute a function, without entering it Press CTRL+F9 to jump to end of current function

16 Debugging First 8 bytes are read

17 Debugging First four bytes must be 0x43 FF FF FF

18 Debugging 9th byte is read

19 Debugging 9th byte is compared to 0x0 and 0x0B
Must be greater than 0x0 Must be less to 0x0B

20 Debugging Up to 200 bytes are read or until 0x0 is read

21 Debugging Address 0x004025A8 calls a function that hashes previously read bytes If hash value is incorrect, connection closes

22 Debugging Beagle responds with 8 byte sequence if hash value is correct

23 Debugging 9th byte is used as option number
Option numbers are 2, 3, 4, 8, and 10

24 Exercise How does Beagle.J behave with option numbers 2, 3, 4, 8, 10?
Why is Beagle.J contacting websites? What’s a/the password for the backdoor?

25 Summary Analyzing backdoor opened by virus
Need to work on both sides: Client and server Locate backdoor Create client to connect to backdoor Use debugger to trap connection trace execution alter execution

Download ppt "Techniques, Tools, and Research Issues"

Similar presentations

Caf é Net Management System … Prepared By : Shereen Atallah Shereen Atallah Elham AL_Yaseen Elham AL_Yaseen.

Caf é Net Management System … Prepared By : Shereen Atallah Shereen Atallah Elham AL_Yaseen Elham AL_Yaseen.
Socket Programming. Basics Socket is an interface between application and network – Application creates a socket – Socket type dictates the style of communication.

Socket Programming. Basics Socket is an interface between application and network – Application creates a socket – Socket type dictates the style of communication.
The IDE (Integrated Development Environment) provides a DEBUGGER for locating and correcting errors in program logic (logic errors not syntax errors) The.

The IDE (Integrated Development Environment) provides a DEBUGGER for locating and correcting errors in program logic (logic errors not syntax errors) The.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Visual Basic Debugging Tools Appendix D 6/27/20151Dr. Monther Aldwairi.

Visual Basic Debugging Tools Appendix D 6/27/20151Dr. Monther Aldwairi.
TCP connection my Computertelnet client web server remote computer 1 character per transmission * Telnet uses TCP connection * but Nagle's algorithm modifies.

TCP connection my Computertelnet client web server remote computer 1 character per transmission * Telnet uses TCP connection * but Nagle's algorithm modifies.
OllyDbg Debuger.

OllyDbg Debuger.
Setting up Email in Outlook Express. Select “Tools” from the toolbar menu.

Setting up in Outlook Express. Select “Tools” from the toolbar menu.
Installing a DHCP Server role on Windows Server 2008 R2 in a home network. This is intended as a guide to install the DHCP role on a Domain Controller.

Installing a DHCP Server role on Windows Server 2008 R2 in a home network. This is intended as a guide to install the DHCP role on a Domain Controller.
Server Load Balancing. Introduction Why is load balancing of servers needed? If there is only one web server responding to all the incoming HTTP requests.

Server Load Balancing. Introduction Why is load balancing of servers needed? If there is only one web server responding to all the incoming HTTP requests.
Practical Malware Analysis Ch 8: Debugging Rev. 10-13-14.

Practical Malware Analysis Ch 8: Debugging Rev
INFS 752 Summer Juan Salazar Please right click the symbol in the lower right corner, and then press preview, to hear the presentation for each page.

INFS 752 Summer Juan Salazar Please right click the symbol in the lower right corner, and then press preview, to hear the presentation for each page.
Section 2.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE

Section 2.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Learningcomputer.com SQL Server 2008 Configuration Manager.

Learningcomputer.com SQL Server 2008 Configuration Manager.
Vintage Computer Hardware 101 Featuring the MITS Altair 680b Bill Degnan.

Vintage Computer Hardware 101 Featuring the MITS Altair 680b Bill Degnan.
Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.

Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.
Our Environment We will exercise on Microsoft Visual C++ v.6 We will exercise on Microsoft Visual C++ v.6 because that is what we have in the univ. because.

Our Environment We will exercise on Microsoft Visual C++ v.6 We will exercise on Microsoft Visual C++ v.6 because that is what we have in the univ. because.
® IBM Software Group © 2011 IBM Corporation RDz Workbench – Debugging z/OS COBOL Applications Batch COBOL Debugging Workshop Jon Sayles, Rational System.

® IBM Software Group © 2011 IBM Corporation RDz Workbench – Debugging z/OS COBOL Applications Batch COBOL Debugging Workshop Jon Sayles, Rational System.
Jump to first page (C) 1998, Arun Lakhotia 1 Quality Assurance: Reviews and Walkthroughs Arun Lakhotia University of Southwestern Louisiana Po Box 44330.

Jump to first page (C) 1998, Arun Lakhotia 1 Quality Assurance: Reviews and Walkthroughs Arun Lakhotia University of Southwestern Louisiana Po Box

Similar presentations

Ads by Google