Presentation is loading. Please wait.

Presentation is loading. Please wait.

Techniques, Tools, and Research Issues

Published byOlivia Quinn Modified over 6 years ago

Similar presentations

Presentation on theme: "Techniques, Tools, and Research Issues"— Presentation transcript:

1 Techniques, Tools, and Research Issues
Virus Analysis Techniques, Tools, and Research Issues Part II: Tools Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA

2 Analysis Environment & Tools
AV Lab and Procedures Virus Analysis Process Static Analysis Tools Process Observation Tools Network Observation Tools

3 Anti-Virus Lab Key Requirements Should not spread contamination
Should be easy to revert to clean state Support storage and exchange of malware

4 Procedures for handling malware
Restrict access Save only disassembled files Rename file extensions Protect against accidental double click Zip/compress and password protect Protects against misappropriation Be cautious about exchanging malware Preferably – Avoid sending malware Send zip/password files, with notes of caution

5 Lab Alternatives Physically separate machines and network
Prevents accidental spread Difficult to setup and tear down Difficulty in accessing outside information during analysis Logically separate machines and network Using virtualization technologies Easy to setup and tear down Must adhere to procedures to secure against accidental spread Can create a sense of complacency

6 Example: Virtual Machines

7 VMWare Runs multiple operating systems simultaneously
Creates network between host and guest systems

8 VMWare Snapshot Self-contained files Can save copy of good state
Can transfer virtual machines to other PCs .vmx – configuration file .vmdk – image of hard disk

9 Virtualization Technologies
Virtualizing a single host VMWare ( USD 200/user Virtual PC (Microsoft) USD 129/user Bochs (bochs.sourceforge.net) Free. Emulates in software. Virtualizing a network DETER/Emulab (

10 Attacking VMWare Detecting VMWare Emulator remnants Abnormalities
Registry keys Directories/files Abnormalities Predetermined hardware info Possibly incorrectly emulated ports

11 Attacking VMWare Retaliation Act benign Communicate with VMWare
Enable/disable virtual devices Spread to host (not yet seen)

12 Malware Analysis Process
Reset Lab Environment Static Analysis Set up network observation tools Set up process observation tools Run program Observe network traffic Observe process actions Identify services requested Create/revise client on Linux Create DNS tables Run client Run services on Linux

13 Static Analysis Tools BinText (www.foundstone.com)
Extracts strings from code Free IDA Pro ( Disassembler USD 399/user UPX (upx.sourceforge.net) UPX compression/decompression MD5 Checksum

14 BinText Extracts strings from executables Reveals clues:
IRC Commands, SMTP commands, registry keys

15 IDA Pro Disassembles executables into assembly instructions
Easy-to-use interface Separates subroutines, creates variable names, color-coded

16 UPX Decompression Executable packer commonly used by virus writers
Can compress wide range of files Windows PE executables, DOS executables, DOS COM files, and many more To unpack: upx.exe -d -o dest.exe source.exe

17 Process Observation Tools
Process Explorer Monitor processes FileMon Monitor file operations RegMon Monitor operations on registry Regshot Take snapshot of registry and files ProcDump Dump code from memory OllyDbg Debugger

18 Process Explorer Real-time monitoring
Reports process name & id; Useful as filter with other tools Processes highlight in green when created Freely available from

19 FileMon Records all file accesses
Freely available from

20 RegMon Records all registry accesses
Freely available from

21 RegShot Records modifications to registry and file system
Does not detect read attempts Freely available from regshot.yeah.net

22 ProcDump Dumps process’ code from memory
Useful for polymorphic viruses

23 OllyDbg Breakpoints Attach to process
Can manipulate memory and registers Freely available at home.t-online.de/home/OllyDbg

24 Network Observation Tools
TCPView Displays open network ports TDIMon Monitors network activity Ethereal Packet sniffer Snort

25 TCPView Displays all open TCP and UDP endpoints
Also displays process name Freely available from

26 TDIMon Logs all network activity Does not log packet contents
Freely available from

27 Ethereal Captures and displays packet contents
Freely available from

28 Snort Captures and displays packets Usage: snort -vd | tee snort.out
Sample packet A = Acknowledgement R = Reset connection P = Push data F = Finish S = Synchronize

29 Summary Creating an AV Lab Virus Analysis Process Tools
Virtual environment Procedures for handling malware Virus Analysis Process Tools Static Analysis Process Observation Network Observation

Download ppt "Techniques, Tools, and Research Issues"

Similar presentations

Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example.

Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example.
Operating-System Structures

Operating-System Structures
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.

Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.

Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
VMware is a registered trademark of VMware, Inc. (an EMC company).

VMware is a registered trademark of VMware, Inc. (an EMC company).
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.

About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Hands-On Virtual Computing

Hands-On Virtual Computing
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
CHAPTER FOUR COMPUTER SOFTWARE.

CHAPTER FOUR COMPUTER SOFTWARE.
Live Forensics Investigations Computer Forensics 2013.

Live Forensics Investigations Computer Forensics 2013.
Module 10: Monitoring ISA Server 2004. Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.

Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.

Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
INTRODUCTION TO VIRTUALIZATION KRISTEN WILLIAMS MOSES IKE.

INTRODUCTION TO VIRTUALIZATION KRISTEN WILLIAMS MOSES IKE.

Similar presentations

Ads by Google