Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 1. Basic Static Techniques

Published byBeverley Magdalen McKenzie Modified over 6 years ago

Similar presentations

Presentation on theme: "Chapter 1. Basic Static Techniques"— Presentation transcript:

1 Chapter 1. Basic Static Techniques
Basic Techniques Chapter 1. Basic Static Techniques

2 Static Analysis Examine payload without executing it to determine function and maliciousness Scanning content Several techniques: Using antivirus tool (Virus Total introduced before) Using Hash Information from file header, function and strings

3 Antivirus Tool Antivirus relies on a database of identifiable pieces of known code (suspicious) Use behavioral or pattern matching algorithms Database is static, malware author can easily modify the code and evade detections Use VirusTotal to check through multiple engines (cloud-based solutions) Question: how does malware authors utilize VirusTotal? Always update your local Antivirus software

4 Hashing to get Malware Fingerprint
Hashing program produces unique hash MD5/SHA-1/SHA-256 hashes Example – use md5deep to calculate hash Share/search the hash online or with other analyst to identify the malware

5 Use MD5 Hash Online

6 A Quick Note about MD5 Hash
Hash: different files, different hash – like our fingerprints Collisions of hash – can counterfeit digital signatures (break MD5/SHA-1) MD5/SHA-1 is breakable – Prof. Xiaoyun Wang from Shandong University in China (at Tsinghua University now) How to Break MD5 and Other Hash Functions, EUROCRYPT, Finding Collisions in the Full SHA-1, CRYPTO, 2005. Use SHA-256

7 Finding Strings Search through strings in program to get hints about functionality Stored in ASCII/Unicode format String ended with a NULL terminator String.exe downloaded from Generate false positives (memory address, CPU instructions or data)

8

9 Packing and Obfuscation
Packing: compress/encrypt the program to make it hard to analyze Obfuscation: hide the execution of malware Legit programs always include many strings – malware contains very few strings (obfuscated or packed) Packed or obfuscated code will at least include LoadLibrary and GetProcAddress to access functions Only accessible to the wrapper program

10 Detect Packer with PEiD
Detect Packer with PEiD – unfortunately, development stopped after 2011. Used a UPX packer ( a classic one), so use UPX unpacker to unpack it.

11 Portable Executable (PE) File Format
PE file is a data structure Includes a header: type of application, required library functions, space Imports libraries statically or dynamically through linking Static link: Rare in Windows, all code from that library is copied into executable (grow size) Two common APIs: LoadLibrary and GetProcAddress Dynamic link: Most common, host searches for necessary libraries when loaded; function executes within the library Know the functions used is important- knows what the program does

12 PE File Headers and Sections
PE file contains: .text section: contains the instructions that CPU executes; only section that includes code .rdata section: contains import and export information (dependencies) .data section: contains the program’s global data, not local data. .rsrc section: includes resources needed by executable such as icons, images, menus, strings.

13 Static Analysis: PotntialKeyLogger.exe
Table 1-2: get a list of DLLs and functions imported From Table 1-2 , need clues to tell it is a keylogger Imports from Kernel32.dll – FindFirstFile/FindNextFile – search through directories Imports from User32.dll: lots of GUI – the malware may have an interface; SetWindowsHookEx: receive keyboard inputs, usually used by malware Imports from Advapi32.dll: this program uses registry Table 1-3: Less imports from packed program

14 Use PEview TimeStamp tells when the program is compiled; info about how old is the attack (can be modified)

15 Use PEview Virtual Size and Size of Raw Data: if Virtual Size is much larger, it is packed -> means it needs more space in memory than on disk

16 Comparison of packed program
Virtual Size much larger than raw data; raw data is zero-> takes no space on disk Section names are suspicious

17 In-Class Homework Form into groups of max. 2 students each group
See instructions from the course website ( Answer question including screenshots/notes/explanations in a word file

Download ppt "Chapter 1. Basic Static Techniques"

Similar presentations

Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Linkers and Loaders 1 Linkers & Loaders – A Programmers Perspective.

Linkers and Loaders 1 Linkers & Loaders – A Programmers Perspective.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Computer & Network Forensics

Computer & Network Forensics
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
F13 Forensic tool analysis Dr. John P. Abraham Professor UTPA.

F13 Forensic tool analysis Dr. John P. Abraham Professor UTPA.
CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China:

CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China:
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.

Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.

AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.
Dr. Richard Ford  Szor 12  Virus Scanners – why they need to scan memory and what issues there are in this area.

Dr. Richard Ford  Szor 12  Virus Scanners – why they need to scan memory and what issues there are in this area.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.

MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.
Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005.

Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005.
Static Shared Library. Non-shared v.s. Shared Library A library is a collection of pre-written function calls. Using existing libraries can save a programmer.

Static Shared Library. Non-shared v.s. Shared Library A library is a collection of pre-written function calls. Using existing libraries can save a programmer.

Similar presentations

Ads by Google