
Reverse Engineering and Malware Analysis
Erye Hernandez

About Me
Malware Researcher at FireEye

Member of PPP

BS Computer Science from George Mason University

MS Information Security from Carnegie Mellon University

References
Dang, Bruce, Alexandre Gazet, Elias Bachaalany, and Sébastien Josse. Practical Reverse Engineering: X86, X64, ARM, Windows Kernel, Reversing Tools, and Obfuscation. Indianapolis: Wiley, 2014. Print.

Sikorski, Michael, and Andrew Honig. Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software. San Francisco: No Starch, 2012. Print.

Lecture Structure
Day 1: Intro to Malware Analysis

Day 2: Static Analysis

Day 3: Dynamic Analysis

Day 1
Malware Overview

Threat Landscape

Building a lab environment

Basic triage

Tools and Labs


Download from:

http://copyfighter.org/ais3/malware

What is malware?

Malware: malicious software

Software deliberately designed to disrupt computer and network operations

History of Malware
1950s: Von Neumann's approaches to self-reproducing automata

1970s: Creeper and Reaper, Rabbit, Pervading Animal, Hunter

1980s: Elk Cloner, Brain, Virden, Morris Worm, CERT

History of Malware
1990s: self-mutating engine, Michelangelo, virus
creation kits, selling malware in the underground,
BackOrifice


History of Malware
2000s: ILOVEYOU, Pikachu, SQL Slammer,
MyDoom, Sony BMG scandal

History of Malware
2010s: Stuxnet, Zeus, Gameover Zeus, CryptoLocker


Threat Actors
Insider threats / Malicious insider

current or former employee, contractor, etc

misuse of access

goal: revenge or $$$

Threat Actors
Hacktivists

protest or promote political agenda

not well resourced

goal: media attention

Threat Actors
Cybercriminals

better resourced than hacktivists

utilize infostealers and ransomware

goal: $$$

Threat Actors
State-sponsored threat groups

lots of resources

goals: gather intelligence, military or national security

Types of Malware
Worm

Backdoor

Infostealer

Ransomware

Downloader

Keylogger

Rootkits

Launcher

Botnets

POS

ATM

Mobile

Malware vs CTF Binaries

Different goals when analyzing

Analysis requires similar skills

Creators/Authors of the binaries have different goals

Goals

Malware                              CTF
respond to network intrusion         find flag
figure out what the binary does      figure out what a binary does
find a way to detect and contain     find flag

Methods of Analysis
Basic Triage

assign degrees of urgency (Webster's Dictionary)

is it malicious?

understand basic properties of a binary

Methods of Analysis
Dynamic

observing the executable's behavior by running it

using a debugger to examine the internal state of the executable

Methods of Analysis
Static

examining the binary without viewing the actual instructions (file, exiftool, strings, etc)

reverse engineering via disassembler

Lab Environment
Physical

resource intensive

Virtual

does not require physical hardware

easy to revert back to snapshots

Lab Environment
Automated

Cuckoo Sandbox (http://cuckoosandbox.org/)

Anubis (https://anubis.iseclab.org/)

Building a Virtual Lab

Create shared folder

Download and install tools

Modify network settings

Snapshot
Shared Folder
In Virtual Box, set up a Shared Folder to easily copy
files into the guest image.

Network Settings
Modify Virtual Box network settings to reflect Internal Network

Network Settings
In the Windows guest VM, disable Windows Update
and Windows Firewall

Network Settings
In the Windows guest VM, assign a static IP address.

Network Settings
In the Linux guest VM, change the IP address:

Configure INetSim
$ sudo vi /etc/inetsim/inetsim.conf
Change the following settings to point to the machine's IP:

service_bind_address
dns_default_ip

Change dns_default_domainname

Take a Snapshot
After setting up the guest VMs, remember to take a
snapshot.

Basic Triage
Goals:

Is it malicious?

What is the malware's basic functionality?

Static Tools

Hashes
Use MD5 or SHA1

File identification

search online

share with other researchers

Strings
ASCII and Unicode format

Provide clues to the functionality of the binary

IPs, URLs, functions, error messages, etc

PEiD
Identifies common packers, crypters, compilers

Outdated but still useful

Dependency Walker
Bundled with MS
development tools

Provides hierarchical
view of functions and
modules

Shows only
dynamically linked
functions

Demo

Portable Executable (PE)

File format for executables used in 32-bit and 64-bit Windows operating systems (exe, dll, sys)

Modified version of Unix Common Object File Format (COFF)

PE Header

Source: http://commons.bcit.ca/update/2014/03/13896/

PEview
Displays PE headers and sections

IMAGE_FILE_HEADER

contains compile time

IMAGE_SECTION_HEADER

contains size on disk and in memory

CFF Explorer
PE editor

Displays PE headers
and sections

.NET support

Resource Hacker
Displays the .rsrc section of the file

View, modify and delete resources

Dynamic Tools

Process Explorer
Sysinternals suite

Similar to Windows Task Manager

Displays currently active processes (parent and child)

Shows open handles and loaded DLLs

Process Monitor
Sysinternals suite

Real-time file system, registry, process/thread activity

Wireshark
Open source network protocol analyzer

Similar to tcpdump

Live capture and offline analysis

FakeNet
Network simulator

Supports DNS, HTTP, SSL, SMTP

INetSim
Internet services simulation

Easy to customize and configure

Summary
History of malware

Threat actors and their motivations/goals

Built a virtual lab environment

Tools for basic triage

Lab
