Add to collection(s) Add to saved
  1. Science
  2. Biology
  3. Virology
  4. Viruses

Reverse Engineering Malware

advertisement 
Dean Carlson and Beth Anne Byrd
CpSc 420




What is reverse engineering?
Brief History
Usefulness
The process
 Bagle Virus example


“[T]he process of analyzing a subject system
to create representations of the system at a
higher level of abstraction” (Chikofsky, 1990).
Going through the software development
cycle backwards



Started as analyzing hardware in an attempt
to gain an advantage.
The first time this was applied to a piece of
malware was in 1987.
Bernt Fix disassembled and neutralized the
Charlie virus.





Analysis of a product
Recreating lost or nonexistent
documentation
Academic use
Curiosity
With Malware
 Contain it
 Remove it
 Prevent it

Diffuse “time bombs”
 Conficker virus
▪ The Y2K of today
Set up a controlled, isolated laboratory
Perform behavioral analysis to examine the
specimen’s interactions with its environment.
3. Perform static code analysis to further
understand the specimen’s inner-workings.
4. Perform dynamic code analysis to understand
the more difficult aspects of the code.
5. If necessary, unpack the specimen.
6. Repeat steps 2, 3, and 4 (order may vary) until
sufficient analysis objectives are met.
7. Document findings and clean-up the laboratory
for future analysis.
1.
2.

HOST:
 Windows XP in Virtual Machine
 DataRescue IDA Pro
 Microsoft Visual C++
▪ Dumpbin
 UltraEdit

SERVER





Solaris 9 (SPARC)
Snoop
BIND (DNS)
GCC
GDB

The Email and DNS programs on the server
were setup to log all of their activity and
network traffic in order to see the virus
interact with the server.

Open in IDA Pro
 Breaks it down into assembly and hex

Open in dumpbin to determine type
 PE (Portable Executable)

Walk through the virus step by step with a
debugger and look at register values.
Especially EAX, EIP, ZF bit of EFLAGS
 EAX = return values from functions
 ZF = flag used for comparisons and decisions
 EIP = useful for thread usage

Use IDA to chart subroutines

Use IDA to identify function parameters and
variables
 arg_8 can be accessed by adding “10h” to the EBP
Register

Multiple Thread
 Extended Instruction Pointer (EIP) doesn’t follow
new threads unless specified

The Bagle virus was not packed
 Compressed or encrypted

It also was not polymorphic
 Changing the assembly, usually by inserting
“noop” thus changing the virus signature but not
changing the effectiveness

The Bagle virus has many removal tools
Reverse engineering malware started in 1987
It is good to contain, remove, and prevent
malware
 7 steps
1. Set up lab
2. Behavioral analysis
3. Static code analysis
4. Dynamic code analysis
5. Unpack
6. Repeat steps 2, 3, and 4
7. Document and clean-up


Related documents
Digital Citizenship - Bruning
Digital Citizenship - Bruning
Battlefield Cell Virus Attacks
Battlefield Cell Virus Attacks
Outline for Pathogenesis Document
Outline for Pathogenesis Document
Understanding Viruses Video Notes Integrated Science 2
Understanding Viruses Video Notes Integrated Science 2
Amplification of baculovirus
Amplification of baculovirus
Microbes and Disease Study Guide
Microbes and Disease Study Guide
Malware original slides provided by Prof. Vern Paxson University of California, Berkeley
Malware original slides provided by Prof. Vern Paxson University of California, Berkeley
Malware original slides provided by Prof. Vern Paxson University of California, Berkeley
Malware original slides provided by Prof. Vern Paxson University of California, Berkeley
Download
advertisement