Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example.

Published byVernon Hilyard Modified over 9 years ago

Similar presentations

Presentation on theme: "Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example."— Presentation transcript:

1 Dean Carlson and Beth Anne Byrd CpSc 420

2  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example

3  “[T]he process of analyzing a subject system to create representations of the system at a higher level of abstraction” (Chikofsky, 1990).  Going through the software development cycle backwards

4  Started as analyzing hardware in an attempt to gain an advantage.  The first time this was applied to a piece of malware was in 1987.  Bernt Fix disassembled and neutralized the Charlie virus.

5  Analysis of a product  Recreating lost or nonexistent documentation  Academic use  Curiosity  With Malware  Contain it  Remove it  Prevent it

6  Diffuse “time bombs”  Conficker virus ▪ The Y2K of today

7 1. Set up a controlled, isolated laboratory 2. Perform behavioral analysis to examine the specimen’s interactions with its environment. 3. Perform static code analysis to further understand the specimen’s inner-workings. 4. Perform dynamic code analysis to understand the more difficult aspects of the code. 5. If necessary, unpack the specimen. 6. Repeat steps 2, 3, and 4 (order may vary) until sufficient analysis objectives are met. 7. Document findings and clean-up the laboratory for future analysis.

8  HOST:  Windows XP in Virtual Machine  DataRescue IDA Pro  Microsoft Visual C++ ▪ Dumpbin  UltraEdit  SERVER  Solaris 9 (SPARC)  Snoop  BIND (DNS)  GCC  GDB

9  The Email and DNS programs on the server were setup to log all of their activity and network traffic in order to see the virus interact with the server.

10  Open in IDA Pro  Breaks it down into assembly and hex

11  Open in dumpbin to determine type  PE (Portable Executable)

12  Walk through the virus step by step with a debugger and look at register values. Especially EAX, EIP, ZF bit of EFLAGS  EAX = return values from functions  ZF = flag used for comparisons and decisions  EIP = useful for thread usage

13  Use IDA to chart subroutines

14  Use IDA to identify function parameters and variables  arg_8 can be accessed by adding “10h” to the EBP Register

15  Multiple Thread  Extended Instruction Pointer (EIP) doesn’t follow new threads unless specified

16  The Bagle virus was not packed  Compressed or encrypted  It also was not polymorphic  Changing the assembly, usually by inserting “noop” thus changing the virus signature but not changing the effectiveness  The Bagle virus has many removal tools

17  Reverse engineering malware started in 1987  It is good to contain, remove, and prevent malware  7 steps 1. Set up lab 2. Behavioral analysis 3. Static code analysis 4. Dynamic code analysis 5. Unpack 6. Repeat steps 2, 3, and 4 7. Document and clean-up

Download ppt "Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example."

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
Remote Procedure Call (RPC)

Remote Procedure Call (RPC)
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 Postdelivery Maintenance Xiaojun Qi. 2 Why Postdelivery Maintenance Is Necessary Corrective maintenance: To correct residual faults –Analysis, design,

1 Postdelivery Maintenance Xiaojun Qi. 2 Why Postdelivery Maintenance Is Necessary Corrective maintenance: To correct residual faults –Analysis, design,
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
C Prog. To Object Code text text binary binary Code in files p1.c p2.c

C Prog. To Object Code text text binary binary Code in files p1.c p2.c
SRE  Introduction 1 Software Reverse Engineering (SRE)

SRE  Introduction 1 Software Reverse Engineering (SRE)
SEG4210 - Software Maintenance1 Software Maintenance “The modification of a software product after delivery to correct faults, to improve performance or.

SEG Software Maintenance1 Software Maintenance “The modification of a software product after delivery to correct faults, to improve performance or.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.

Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Application Security Tom Chothia Computer Security, Lecture 14.

Application Security Tom Chothia Computer Security, Lecture 14.
Practical Malware Analysis Ch 8: Debugging Rev. 10-13-14.

Practical Malware Analysis Ch 8: Debugging Rev
6.828: PC hardware and x86 Frans Kaashoek

6.828: PC hardware and x86 Frans Kaashoek
CS-2710 Computer Organization Dr. Mark L. Hornick web: faculty-web.msoe.edu/hornick – CS-2710 info syllabus, homework, labs… –

CS-2710 Computer Organization Dr. Mark L. Hornick web: faculty-web.msoe.edu/hornick – CS-2710 info syllabus, homework, labs… –
Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.

Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
Department of Computer Science A Static Program Analyzer to increase software reuse Ramakrishnan Venkitaraman and Gopal Gupta.

Department of Computer Science A Static Program Analyzer to increase software reuse Ramakrishnan Venkitaraman and Gopal Gupta.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Similar presentations

Ads by Google