Malware Reverse Engineering Process


1 Malware Reverse Engineering Process

Process steps:
1. Acquire Malware Specimen
2. Automated Reverse Engineering
3. Review Automated RE Report
4. Manual Reverse Engineering
5. Document Findings

Specimen sources: Physical Memory, Remote Memory Snapshot, Live REcon Session, Static Binary, Forensic Binary Journal

Responder Pro 2.0 with Digital DNA: the report contains suspicious behaviors and malicious characteristics exhibited by code, ranked by severity. If needed, an analyst can examine the suspicious code objects and conduct additional reverse engineering.

Analyst documents findings in malware report:
- Processes and Drivers
- Loaded Modules
- Network Socket Info
- Passwords
- Encryption Keys
- Decrypted files
- Order of execution
- Runtime State Information
- Rootkits
- Configuration Information
- Logged in Users
- NDIS buffers
- Open Files
- Unsaved Documents
- Live Registry
- Video Buffers (screen shots)
- BIOS Memory
- VOIP Phone calls
- Instant Messenger chat

Goal: Gain the lowest level of diagnostic visibility in order to detect unknown malware and malicious behaviors. To obtain our goal we created the latest advances in memory forensics and reverse engineering technology. The result was Digital DNA.

HBGary Malware Reverse Engineering Process Version 0.1

2 1. Acquire Malware Specimen

Create a Responder project, a container for all the files necessary to analyze, annotate and interpret a memory image or static binary.

Malware specimens can be analyzed using Responder Pro 2.0 from:
1. Physical Memory Snapshot
   - Virtual Machine infection
   - Regular host infection
2. Live REcon Session in Virtual Machine
3. Live REcon Session on regular host
4. Static Disassembly Analysis
5. Combinations of 1 - 4

3 2. Automated Reverse Engineering

Responder 2.0 with Digital DNA automatically reverse engineers the malware specimen.

Live REcon launches the malware safely in a virtual machine, executes the code, and creates a forensic binary journal for analysis in Responder Pro.

Responder automatically scans for suspicious behavior and adds this to the Report Tab, ranked by severity.

4 3. Review Automated RE Report

The Report Tab stores the human-readable results of an analysis and allows the user to quickly create report items from interesting pieces of data.
- Identifies any SDT entries that contain hooks.
- Identifies any IDT entries that contain hooks.
- Results in the Report Tab are ranked by Severity.

5 4. Manual Reverse Engineering

Responder Pro 2.0 provides Analysts with a framework and logical workflow for malware reverse engineering:
- Malware installation and deployment factors
- Communication factors
- Information security factors
- Defensive factors
- Development factors
- Command and control factors

Using the Object Tab as a guide, the Analyst performs manual reverse engineering to answer questions about the malware's behavior such as...

6 4. Manual Reverse Engineering (Cont)

Development Factors
- In what country was the malware created?
- Was it professionally developed?
- Are there multiple versions?
- Is there a platform involved?
- Is there a toolkit involved?
- Are there multiple parts developed by different groups or developers?

Communication Factors
- Where does it connect to on the Internet? Drop points, Update Sites, C&C, IP addresses or DNS names, incoming or outbound connections?
- Does it use encryption?
- Does it use Steganography?

Command & Control Factors
- How is the malware controlled by its master?
- Do commands come from a cutout site?
- What commands are supported? Sniffing, logging, search file system, Attack, Poison Pill - Self-destruct?

Installation & Deployment Factors
- Does it use the registry?
- Does it drop any files? Autorun.inf? USB? Open shares?
- Does it sleep and awaken later?
- JavaScript? Flash?
- Infection Point/Attack Vector

Defensive Factors
- Signs of packing or obfuscation
- AV Sabotage
- Does it have self-defense?
- Does it use rootkit techniques/stealth?
- Does it bypass the operating system?

Information Security Factors
- Identify the risks associated with the binary
- What does it steal? Does it sniff keystrokes, passwords, 2 factor authentication tokens?
- Can it destroy data?
- Can it alter or inject data?
- Does it download additional tools?
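Several of the questions above (communication endpoints, registry and autorun use, signs of packing, keystroke capture) can be given a first answer by static triage before any manual disassembly. The following is an added example, not Responder or HBGary code: it runs a Shannon entropy check and a small string-indicator table over a constructed, made-up sample and groups the findings under the factor headings used on the slide. The keyword table and the sample section contents are assumptions chosen for illustration; the entropy threshold of 7.0 bits per byte is a common rule of thumb, not a figure from the presentation.

```python
# Added example (not Responder/HBGary code): static triage that groups
# indicators under the slide's factor headings, run over a constructed sample.
import math
import random
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; packed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 6):
    """Runs of printable ASCII at least min_len long, like the 'strings' tool."""
    return [s.decode("ascii") for s in re.findall(rb"[ -~]{%d,}" % min_len, data)]


# Illustrative indicator table (assumption): substrings mapped to the slide's factors.
URL = re.compile(r"https?://[^\s\"']+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KEYWORDS = {
    "Installation & Deployment": ["CurrentVersion\\Run", "autorun.inf", "CreateService"],
    "Defensive": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent"],
    "Information Security": ["GetAsyncKeyState", "SetWindowsHookEx"],
}
PACKED_THRESHOLD = 7.0  # bits per byte; above this a section looks packed


def triage(sections: dict) -> dict:
    """sections maps section name -> raw bytes. Returns {factor: [findings]}."""
    findings = {f: [] for f in ["Installation & Deployment", "Communication",
                                "Defensive", "Information Security"]}
    for name, data in sections.items():
        ent = shannon_entropy(data)
        if ent > PACKED_THRESHOLD:
            findings["Defensive"].append(f"section {name} entropy {ent:.2f}: possible packing")
        for s in printable_strings(data):
            for m in URL.findall(s):
                findings["Communication"].append(f"url {m} in {name}")
            for m in IPV4.findall(s):
                findings["Communication"].append(f"ip {m} in {name}")
            for factor, words in KEYWORDS.items():
                for w in words:
                    if w in s:
                        findings[factor].append(f"string {w!r} in {name}")
    return findings


def constructed_sample() -> dict:
    """Made-up section contents standing in for a parsed PE image."""
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))   # high entropy
    text = b"\x55\x8b\xec" * 300 + b"\x90" * 200               # repetitive, low entropy
    data = b"\x00".join([
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        b"http://update.example.invalid/gate.php",
        b"203.0.113.45",
        b"IsDebuggerPresent",
        b"GetAsyncKeyState",
        b"autorun.inf",
    ]) + b"\x00" * 32
    return {".text": text, ".data": data, "UPX1": packed}


if __name__ == "__main__":
    for factor, items in triage(constructed_sample()).items():
        print(factor)
        for item in items:
            print("  -", item)
```

The output is a starting point for the Object Tab walk-through, not a verdict: a matched API name only says the import or string is present, and a high-entropy section only says the bytes are dense, so each finding still needs to be confirmed against the code that uses it.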

7 4. Manual Reverse Engineering (Cont)

3. Responder Pro 2.0 provides an organized view into malware behavior and traits:
- Interrupt Descriptor Table Panel
- Network Sockets Panel
- Registry Keys Panel
- Drivers Panel
- Keys & Passwords Panel
- Processes Panel
- System Descriptor Tables Panel

4. The Responder Canvas Tool provides graphical representations of code and data so an analyst can rapidly identify relationships, view the control flow of modules, and see program dependencies and interactions.

8 5. Document Findings

The Analyst documents the malware in the Report Tab:
- Processes and Drivers
- Loaded Modules
- Network Socket Info
- Passwords
- Encryption Keys
- Decrypted files
- Order of execution
- Runtime State Information

Reports can be exported in several formats:
- Adobe (PDF)
- Microsoft Excel (XLS)
- Comma-separated Value File (CSV)
- HTML page
- Text file
- Rich Text Format file (RTF)

Results are incorporated into a formal deliverable.
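Slide 4 says the Report Tab flags SDT and IDT entries that contain hooks and ranks items by severity, and this slide says the report is exported to formats such as CSV. The block below is an added example, not HBGary or Responder code, showing the core of such a check on a constructed memory snapshot: a table entry is a hook candidate when its handler address falls outside the modules that should own it, an unmapped handler is rated more severe than one that lands in another legitimate module, and the ranked items are written out as CSV and JSON. The module map, table contents and addresses are invented for the example; the severity scale and the set of expected owner modules are assumptions, not Responder's.

```python
# Added example (not HBGary/Responder code): a simplified SSDT/IDT hook check
# over a constructed memory snapshot, ranked by severity and exported.
import csv
import io
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed kernel module map; addresses are invented for the example.
MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x200000),
    Module("hal.dll", 0x80600000, 0x20000),
    Module("tcpip.sys", 0x80700000, 0x80000),
]

# Constructed tables: service/vector index -> handler address. Three are tampered.
SSDT = {
    0x0F: 0x80412340,  # points into ntoskrnl.exe: legitimate
    0x91: 0x80701000,  # points into tcpip.sys: not the expected owner
    0xAD: 0xF8A01230,  # points to memory no module owns: injected code
}
IDT = {
    0x01: 0xF8A01400,  # debug trap redirected to unmapped memory
    0x08: 0x80602000,  # points into hal.dll: acceptable for the IDT
    0x2E: 0x80401000,  # syscall gate into ntoskrnl.exe: legitimate
}
# Assumption for the example: which modules may legitimately own each table's entries.
EXPECTED_OWNERS = {"SSDT": {"ntoskrnl.exe"}, "IDT": {"ntoskrnl.exe", "hal.dll"}}


def owning_module(addr: int, modules=MODULES):
    """Name of the module whose image range contains addr, or None if unmapped."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_hooks(table: dict, table_name: str, modules=MODULES):
    """Report items for entries whose handler lies outside the expected owner modules."""
    items = []
    for index, addr in sorted(table.items()):
        owner = owning_module(addr, modules)
        if owner in EXPECTED_OWNERS[table_name]:
            continue
        # Unmapped handler: almost certainly injected code, highest severity.
        # Handler inside another legitimate module: suspicious, lower severity.
        severity = 3 if owner is None else 2
        items.append({"table": table_name, "index": f"{index:#04x}",
                      "address": f"{addr:#010x}", "owner": owner or "<unmapped>",
                      "severity": severity})
    return items


def build_report(ssdt=SSDT, idt=IDT, modules=MODULES):
    """All hook findings, most severe first, then by table and index."""
    items = find_hooks(ssdt, "SSDT", modules) + find_hooks(idt, "IDT", modules)
    return sorted(items, key=lambda i: (-i["severity"], i["table"], i["index"]))


def export_csv(report) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["table", "index", "address", "owner", "severity"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(report)
    return buf.getvalue()


def export_json(report) -> str:
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    print(export_csv(build_report()))
```

A real implementation has to resolve the expected owners from the snapshot itself (module list, export tables) rather than a fixed set, and a handler inside ntoskrnl can still be a hook if the function prologue was patched, which this address-range check does not see.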
