Homework tar file
– Download your course tarball from the web page
  • Named using your PSU ID
  • Chapter labeled for each binary

Part 1: Basic Analysis
– Chapter 1: Basic Static Techniques
– Chapter 2: Malware Analysis in Virtual Machines
– Chapter 3: Basic Dynamic Analysis

Chapter 1: Basic Static Techniques

Scanning
– Statically analyze the payload to determine its maliciousness
  • Recall Aitel 2011 USENIX Security talk

File signatures
– Common code or data used across malware instances
  • e.g. embedded URL strings, decryptor code
– Signatures
  • Hashing (e.g. MD5, SHA)
  • Strings search on metadata, errors, constants
  • Polymorphism and metamorphism are easy for an adversary to deploy against them

Analyzing executables
– PE (Windows), ELF (Linux)
– Tools for dumping linked libraries
  • Look for common shared libraries (e.g. kernel32.dll, User32.dll, libc.so, etc.)
  • Dependency Walker, PEView, PEBrowse, PE Explorer, ldd
– Function naming convention in Windows
  • CreateWindowEx: "Ex" refers to the new version
  • CreateDirectoryW: "W" refers to wide-character strings vs. ASCII
  • See MSDN
– Note: a short function list is an indication of a packed binary

Packing and obfuscation
– Obfuscation
  • Code whose execution is hidden by the author
– Packing
  • Obfuscated code in which programs are compressed and encrypted to prevent static analysis (Figure 1-4)
  • Prevents file signatures from working
  • Example: UPX
– Code to unpack binaries is common, however
  • Can be identified (PEiD)

File signature coverage
– Astronomical growth in signatures
– Coverage by a single tool is difficult
  • Cloud-based anti-virus
  • http://www.virustotal.com

Chapter 2: Malware Analysis on VMs
Chapter 3: Basic Dynamic Analysis

Malware and VMs
– Most malware must be executed in order to analyze it
– Requires a safe environment
– VMware
  • Host-only networking to monitor network traffic
  • Snapshots and roll-back
  • Record and replay execution

Sandboxes
– Behavior isolation and coarse-grained tracking of malware execution
  • File system activity
  • Registry activity
  • Network activity
  • Examples: GFI Sandbox, Norman SandBox

Executing malware
– Executable
  • Directly launching or via debugger
– Malicious DLLs
  • rundll32.exe

Monitoring execution
– Procmon
  • www.sysinternals.com
  • Combines FileMon and RegMon to track execution behavior
– Process Explorer
  • Free tool from Microsoft to verify a running process against the on-disk executable image
  • Useful for determining if malicious documents are launching new processes
– Regshot
  • Flags changes in the registry

Monitoring execution (continued)
– ApateDNS
  • Free tool from Mandiant to see DNS requests from malware and modify the replies
– Netcat
  • Useful for proxying and emulating connections to malware
– Wireshark
  • Packet capturing tool
– INetSim
  • Linux tool to simulate common Internet services

Tools in action
– See p. 57 in text
– msts.exe
  • Contacts a web site (the textbook's): ApateDNS
  • Creates a new file (winhlp2.exe): procmon
  • Modifies the registry to autorun: regshot
  • Creates a mutex to ensure only a single execution: Process Explorer
  • Contacts a server over port 443 (https), but does not speak SSL: INetSim
  • Speaks a custom ASCII protocol: Wireshark

In-class exercises: Lab 1-1
– Show the results of virustotal.com
– In PEView, show the timestamps
– Show the list of imported system library calls. From these calls, what might this executable be doing?
– Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?
– Show where the malware is attempting to create its malicious file

In-class exercises: Lab 1-2
– Show the results of virustotal.com
– In PEView, show the sections that contain the packed executable code
– Run UPX to unpack the code and load the unpacked executable in PEView
– Show the functions imported from Wininet.dll. What might this executable be doing?
– Show the URL the malware connects to in memory

In-class exercises: Lab 3-2
– Find the functions this DLL exports (Figure 3-5L)
– Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?
– Use strings to reconstruct the URL being requested
– Set up Regshot and Process Explorer before running rundll32 to install this malware's service. Using Regshot, show whether or not the DLL installed its registry key.

In-class exercises: Lab 3-4
– Copy the binary to the Desktop and run it. What happens?
– Examine the binary's strings using a tool of your choice to find the cmd.exe command used
– Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L
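As an added example (not part of the slides or of the textbook's lab material), the script below does the Chapter 1 / Lab 1-1 and 1-2 steps that need no GUI tool: file hashes to look up on virustotal.com, ASCII and wide (UTF-16LE) string extraction (the form the "W" Windows APIs consume), the section table and compile timestamp that PEView shows, and the packing heuristics behind the "short function list" and UPX notes (packer section names, per-section entropy, a section that is empty on disk but large in memory). Everything it parses is constructed inside the script: the two PE images are minimal hand-built headers, not real programs, the packer section-name list is an illustrative assumption, and the URL, path and API name embedded in the unpacked sample are placeholders.

```python
import hashlib
import math
import re
import struct
from datetime import datetime, timezone
# Section names left behind by common packers; UPX is the one the slides name (assumption: illustrative list).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite", ".MPRESS1", ".MPRESS2"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file, the simplest signature to look up (e.g. on VirusTotal)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, as the Unix 'strings' tool reports them."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def wide_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE runs: the form the 'W' Windows APIs take, which an ASCII-only scan misses."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    probs = [c / len(data) for c in counts if c]
    return abs(sum(p * math.log2(p) for p in probs))  # the sum is <= 0; abs() also avoids -0.0


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size, "flags": flags,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine, "sections": sections,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc)}  # the timestamp PEView shows


def packing_indicators(pe: dict) -> list:
    """Heuristics that suggest the file is packed, so static analysis will see little."""
    reasons = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"{s['name']}: packer section name")
        if s["entropy"] > 7.0:
            reasons.append(f"{s['name']}: high entropy ({s['entropy']})")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{s['name']}: empty on disk but {s['virtual_size']:#x} bytes in memory")
    return reasons


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 image to exercise the parser; it is not a runnable program."""
    pe_off, opt_size = 0x40, 0xE0
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 1_600_000_000, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = pe_off + 4 + 20 + opt_size + 40 * len(sections)
    table, body, vaddr = b"", b"", 0x1000
    for name, raw, vsize, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, flags)
        body, raw_ptr, vaddr = body + raw, raw_ptr + len(raw), vaddr + max(vsize, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + optional + table + body


# Constructed samples: a UPX-style layout (UPX0 empty on disk, UPX1 uniformly distributed
# bytes, i.e. entropy 8.0) and an unpacked layout with an ASCII URL, a wide path and an API name.
PACKED = build_sample_pe([("UPX0", b"", 0x8000, 0xE0000080),
                          ("UPX1", bytes(range(256)) * 16, 0x1000, 0xE0000040),
                          (".rsrc", b"\0" * 256, 0x100, 0x40000040)])
UNPACKED = build_sample_pe([(".text", b"\x90" * 512 + b"\xc3", 0x201, 0x60000020),
                            (".rdata", b"http://example.invalid/update.php\0\0"
                             + "C:\\winhlp2.exe".encode("utf-16-le") + b"\0\0"
                             + b"CreateDirectoryW\0", 0x100, 0x40000040)])

if __name__ == "__main__":
    for image in (PACKED, UNPACKED):
        print(file_hashes(image)["md5"], wide_strings(image), packing_indicators(parse_pe(image)) or "not packed")
```

To use it on a lab binary, read the file in binary mode and pass the bytes to the same functions. Two points the output makes that the slides only state: the path stored as a wide string is invisible to the ASCII scan, so both scans are needed before concluding a sample has no interesting strings; and for the UPX-style layout the parser reports the empty UPX0 section and the 8.0-entropy UPX1 section, which is the signal that the real import list and strings will only appear after unpacking (with UPX itself, as Lab 1-2 has you do).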
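A second added example, again not from the slides or the textbook: the Procmon step in Lab 3-2 and Lab 3-4 produces thousands of events from every process on the VM, and the analyst's job is to reduce them to the handful that matter for the sample. The script below does that reduction over a constructed Procmon-style CSV export. The column layout follows Procmon's "Save as CSV" format, and the events mirror the msts.exe walk-through on the slides (a dropped winhlp2.exe, an autorun registry value, an outbound connection on port 443); the file paths, PIDs, value names and the 203.0.113.10 address are invented for the example, and the regular expressions are the author's choice of what counts as persistence and as a system-directory drop.

```python
import csv
import io
import re

# Constructed Procmon-style CSV export (not a real capture). The msts.exe rows follow the
# slide walk-through; explorer.exe and notepad.exe rows are the benign background noise a
# real trace is full of. Paths, PIDs and the address are invented.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:01:03.1234567 PM","msts.exe","1234","CreateFile","C:\Windows\System32\winhlp2.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Non-Directory File"
"12:01:03.2234567 PM","msts.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 62, Data: C:\Windows\System32\winhlp2.exe"
"12:01:04.0000000 PM","msts.exe","1234","TCP Connect","host-1234:49200 -> 203.0.113.10:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"12:01:05.0000000 PM","explorer.exe","900","RegQueryValue","HKCU\Software\Classes\CLSID","SUCCESS","Type: REG_SZ, Length: 40"
"12:01:06.0000000 PM","notepad.exe","2000","CreateFile","C:\Users\analyst\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open"
'''

# Registry locations that start a program at logon (the "modifies registry to autorun" step).
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# A brand-new file under the Windows directory is the "creates winhlp2.exe" behaviour.
SYSTEM_DIR_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)


def triage_procmon(csv_text: str, suspect: str) -> list:
    """Reduce a Procmon export to the events worth reporting for one process.

    Returns one dict per finding, in capture order, carrying the raw Procmon detail
    so the analyst can go back to the full trace for context.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != suspect.lower():
            continue  # Procmon captures the whole system; keep only the sample's own events
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue" and AUTORUN_RE.search(path):
            findings.append({"kind": "persistence", "path": path, "detail": detail})
        elif op == "CreateFile" and "Disposition: Create" in detail and SYSTEM_DIR_RE.match(path):
            findings.append({"kind": "dropped_file", "path": path, "detail": detail})
        elif op == "TCP Connect":
            host, port = path.split("->")[-1].strip().rsplit(":", 1)
            # 443 looks like HTTPS, but the slides' sample does not speak SSL: verify in Wireshark.
            note = "port 443: confirm in Wireshark whether this is really TLS" if port == "443" else ""
            findings.append({"kind": "network", "path": f"{host}:{port}", "detail": note})
    return findings


def summarize(findings: list) -> str:
    """One line per finding, the form you would paste into a lab write-up."""
    return "\n".join(f"[{f['kind']}] {f['path']}  {f['detail']}".rstrip() for f in findings)


if __name__ == "__main__":
    print(summarize(triage_procmon(SAMPLE_LOG, "msts.exe")))
```

Run against a real export, the same three categories answer the Lab 3-2 questions about the registry key and the network connection, and the CreateFile filter is what turns the Figure 3-11L event list into a one-line statement of what the binary dropped. For the service-installing DLL in Lab 3-2, AUTORUN_RE would need an additional branch for the CurrentControlSet\Services path, since a service entry is a second way to run at boot.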