Published by Ursula Caldwell. Modified over 9 years ago.
Homework tar file
- Download your course tarball from the web page
  - Named using your PSU ID
  - Chapter labeled for each binary
Part 1: Basic Analysis
- Chapter 1: Basic Static Techniques
- Chapter 2: Malware Analysis in Virtual Machines
- Chapter 3: Basic Dynamic Analysis
Chapter 1: Basic Static Techniques
Scanning
- Statically analyze a payload to determine its maliciousness
  - Recall Aitel 2011 USENIX Security talk
File signatures
- Common code or data used across malware instances
  - e.g. embedded URL strings, decryptor code
- Signatures
  - Hashing (e.g. MD5, SHA)
  - Strings search on metadata, errors, constants
  - Polymorphism and metamorphism are easy for an adversary to deploy
Analyzing executables
- PE (Windows), ELF (Linux)
- Tools for dumping linked libraries
  - Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)
  - Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
- Function naming convention in Windows
  - CreateWindowEx: "Ex" refers to the new (extended) version
  - CreateDirectoryW: "W" refers to wide-character strings vs. ASCII
  - See MSDN
- Note: a short imported-function list is an indication of a packed binary
Packing and obfuscation
- Obfuscation
  - Code whose execution is hidden by the author
- Packing
  - Obfuscated code in which programs are compressed and encrypted to prevent static analysis (Figure 1-4)
  - Prevents file signatures from working
- Example: UPX
  - Code to unpack binaries is common, however
  - Can be identified (PEiD)
File signature coverage
- Astronomical growth in signatures
- Coverage by a single tool is difficult
  - Cloud-based anti-virus
  - http://www.virustotal.com
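The static techniques in the Chapter 1 slides (hashing, strings search including wide strings, PE header timestamp and section names, UPX/PEiD packer hints) combined into one triage script. This is an added example, not code from the slides or the textbook; the sample bytes are a constructed header-only stand-in, and the UPX section-name set is my own heuristic rather than PEiD's signature database.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Default section names UPX writes; PEiD-style packer detection keys on markers like these.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the whole file: the signatures AV engines and VirusTotal look up."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def pe_header_info(data: bytes) -> dict:
    """Parse the MZ header, COFF file header and section table (the fields PEView shows)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the 'PE\0\0' signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size  # section table follows the optional header
    names = [struct.unpack_from("<8s", data, sect_off + 40 * i)[0].rstrip(b"\0")
             for i in range(nsect)]
    return {
        "timestamp": datetime.fromtimestamp(ts, timezone.utc),  # TimeDateStamp = link time
        "sections": names,
        "packer_hint": any(n in PACKER_SECTION_NAMES for n in names),
    }

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII strings plus UTF-16LE 'wide' strings (the W-suffixed Win32 API kind)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found

def build_sample() -> bytes:
    """Constructed stand-in for a UPX-packed PE: valid headers, two UPX sections, no real code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1262304000, 0, 0, 0, 0x102)  # 2 sections, 2010-01-01
    sects = b"".join(struct.pack("<8s32x", n) for n in (b"UPX0", b"UPX1"))
    body = b"\0" * 8 + b"http://c2.example.invalid/gate" + b"\0" * 4  # constructed placeholder URL
    body += "CreateDirectoryW".encode("utf-16-le") + b"\0" * 4
    return dos + b"PE\0\0" + coff + sects + body

if __name__ == "__main__":
    sample = build_sample()
    print(file_hashes(sample), pe_header_info(sample), extract_strings(sample), sep="\n")
```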
Chapter 2: Malware Analysis on VMs
Chapter 3: Basic Dynamic Analysis
Malware and VMs
- Most malware must be executed in order to analyze it
- Requires a safe environment
- VMware
  - Host-only networking to monitor network traffic
  - Snapshots and roll-back
  - Record and replay execution
Sandboxes
- Behavior isolation and coarse-grained tracking of malware execution
  - File system activity
  - Registry activity
  - Network activity
  - Examples: GFI Sandbox, Norman SandBox
Executing malware
- Executable
  - Directly launching or via debugger
- Malicious DLLs
  - rundll32.exe
Monitoring execution
- Procmon
  - www.sysinternals.com
  - Combines FileMon and RegMon to track execution behavior
- Process Explorer
  - Free tool from Microsoft to verify a running process against its on-disk executable image
  - Useful for determining if malicious documents are launching new processes
- Regshot
  - Flags changes in the registry
Monitoring execution
- ApateDNS
  - Free tool from Mandiant to see DNS requests from malware and modify replies
- Netcat
  - Useful for proxying and emulating connections to malware
- Wireshark
  - Packet capturing tool
- INetSim
  - Linux tool to simulate common Internet services
Tools in action
- See p. 57 in text
- msts.exe (behavior, with the tool that reveals it)
  - Contacts a web site (the textbook's): ApateDNS
  - Creates a new file (winhlp2.exe): procmon
  - Modifies the registry to autorun: Regshot
  - Creates a mutex to ensure only a single execution: Process Explorer
  - Contacts a server over port 443 (https), but does not speak SSL: INetSim
  - Speaks a custom ASCII protocol: Wireshark
In-class exercises
- Lab 1-1
  - Show the results of virustotal.com
  - In PEView, show the timestamps
  - Show the list of imported system library calls. From these calls, what might this executable be doing?
  - Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?
  - Show where the malware is attempting to create its malicious file
- Lab 1-2
  - Show the results of virustotal.com
  - In PEView, show the sections that contain the packed executable code
  - Run UPX to unpack the code and load the unpacked executable in PEView
  - Show the functions imported from Wininet.dll. What might this executable be doing?
  - Show the URL the malware connects to in memory
In-class exercises
- Lab 3-2
  - Find the functions this DLL exports (Figure 3-5L)
  - Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?
  - Use strings to reconstruct the URL being requested
  - Set up Regshot and Process Explorer before running rundll32 to install this malware's service. Using Regshot, show whether or not the DLL installed its registry key.
- Lab 3-4
  - Copy the binary to the Desktop and run it. What happens?
  - Examine the binary's strings using a tool of your choice to find the cmd.exe command used
  - Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L