Malware Analysis
Erye Hernandez
About Me
Malware Researcher at FireEye
Member of PPP
Lecture Structure
Day 1: Intro to Malware Analysis
Day 1
Malware Overview
Threat Landscape
Basic triage
http://copyfighter.org/ais3/malware
What is malware?
Malware
malicious software: code that runs on a system to do something its owner did not authorize
History of Malware
1950s: Von Neumann's approaches to self-reproducing automata
History of Malware
1990s: self-mutating engine, Michelangelo, virus
creation kits, selling malware in the underground,
BackOrifice
History of Malware
2000s: ILOVEYOU, Pikachu, SQL Slammer,
MyDoom, Sony BMG scandal
History of Malware
2010s: Stuxnet, Zeus, Gameover Zeus, CryptoLocker
Threat Actors
Insider threats / Malicious insider
misuse of access
Threat Actors
Hacktivists
Threat Actors
Cybercriminals
goal: $$$
Threat Actors
State-sponsored threat groups
lots of resources
Types of Malware
Worm
Backdoor
Infostealer
Ransomware
Downloader
Keylogger
Rootkits
Launcher
Botnets
POS
ATM
Mobile
Goals
Malware analysis: respond to a network intrusion
CTF: find the flag
Methods of Analysis
Basic Triage
is it malicious?
Methods of Analysis
Dynamic
Methods of Analysis
Static
Lab Environment
Physical
resource intensive
Virtual
Lab Environment
Automated
Anubis (https://anubis.iseclab.org/)
Snapshot
Shared Folder
In VirtualBox, set up a Shared Folder to easily copy files into the guest image (mount it read-only in the guest, so a sample cannot write back to the host).
Network Settings
Modify the VirtualBox network settings of both guests to Internal Network, so the guests can reach each other but not the host or the Internet.
Network Settings
In the Windows guest VM, disable Windows Update and Windows Firewall (safe only because the VM is on the internal network; the firewall would otherwise block or hide the sample's traffic, and updates would change the baseline between runs).
Network Settings
In the Windows guest VM, assign a static IP address.
Network Settings
In the Linux guest VM, assign a static IP address on the same internal network; this is the address INetSim will answer on.
Configure INetSim
$ sudo vi /etc/inetsim/inetsim.conf
Change the following settings to point to the Linux guest's IP:
service_bind_address
dns_default_ip
Change dns_default_domainname as well, so INetSim's fake DNS resolves every name the sample looks up to the Linux guest.
Take a Snapshot
After setting up the guest VMs, remember to take a snapshot, so you can revert to a clean state after each detonation.
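The lab setup above as a script, added here as an example and not part of the original slides. The VM names, internal network name, IP addresses and domain are assumptions for illustration; the VBoxManage sub-commands and flags are VirtualBox's real CLI, and the three inetsim.conf keys rewritten are the ones the slides name. The config rewriter is a pure function so it can be checked against a constructed excerpt before touching the real file.

```python
"""Added example, not part of the original slides: the lab setup the
slides walk through, as a script. The VM names, internal network name,
IP addresses and domain are assumptions for illustration. The VBoxManage
sub-commands and flags are VirtualBox's real CLI; the three keys rewritten
in inetsim.conf are the ones the slides name."""
import re
import subprocess

LAB_NET = "malnet"           # assumed name of the VirtualBox internal network
INETSIM_IP = "192.168.56.1"  # assumed static IP of the Linux (INetSim) guest
FAKE_DOMAIN = "lab.local"    # assumed domain INetSim's fake DNS answers with

INETSIM_SETTINGS = {
    "service_bind_address": INETSIM_IP,    # every fake service listens here
    "dns_default_ip": INETSIM_IP,          # every DNS lookup resolves to here
    "dns_default_domainname": FAKE_DOMAIN,
}

# Constructed excerpt in the style of the shipped inetsim.conf, where the
# defaults are commented out; it is not the real file.
SAMPLE_CONF = """\
# INetSim configuration (constructed excerpt)
start_service dns
start_service http
# service_bind_address
#
# IP address to bind services to
#service_bind_address\t10.10.10.1
#dns_default_ip\t10.10.10.1
#dns_default_domainname\tsome.domain
http_port\t80
"""

_SETTING_LINE = re.compile(r"^#?(\w+)\s+\S")  # "key value" or "#key value"


def configure_inetsim(conf_text, settings=INETSIM_SETTINGS):
    """Return inetsim.conf text with the given keys set to the lab values.
    A commented-out default ('#service_bind_address 10.10.10.1') is
    replaced in place, a later duplicate is dropped, and a key absent
    from the file is appended, so the result has exactly one definition."""
    seen = set()
    out = []
    for line in conf_text.splitlines():
        m = _SETTING_LINE.match(line)
        key = m.group(1) if m else None
        if key in settings:
            if key in seen:
                continue
            out.append(f"{key}\t{settings[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key}\t{value}")
    return "\n".join(out) + "\n"


def vbox_isolation_commands(vm, samples_dir, snapshot="clean-baseline"):
    """VBoxManage calls that put a guest on the internal network only (no
    NAT, no host-only adapter, so nothing reaches the host or the Internet),
    attach the samples folder read-only so the guest cannot write back to
    the host, and take the clean snapshot to revert to after each run."""
    return [
        ["VBoxManage", "modifyvm", vm, "--nic1", "intnet", "--intnet1", LAB_NET],
        ["VBoxManage", "sharedfolder", "add", vm, "--name", "samples",
         "--hostpath", samples_dir, "--readonly"],
        ["VBoxManage", "snapshot", vm, "take", snapshot],
    ]


def write_inetsim_conf(path="/etc/inetsim/inetsim.conf"):
    """Run inside the Linux guest: rewrite the real config in place."""
    with open(path) as f:
        new_conf = configure_inetsim(f.read())
    with open(path, "w") as f:
        f.write(new_conf)


def isolate_vms(vms, samples_dir):
    """Run on the host with the VMs powered off (modifyvm requires it)."""
    for vm in vms:
        for argv in vbox_isolation_commands(vm, samples_dir):
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    print(configure_inetsim(SAMPLE_CONF))
    for argv in vbox_isolation_commands("win-victim", "/home/analyst/samples"):
        print(" ".join(argv))
```

Run `isolate_vms(["win-victim", "linux-inetsim"], "/home/analyst/samples")` on the host and `write_inetsim_conf()` inside the Linux guest; the snapshot is taken last so it captures the finished configuration.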
Basic Triage
Goals:
Is it malicious?
Static Tools
Hashes
Use MD5 or SHA1 (what most sandbox and AV databases are indexed by); record SHA-256 as well, since MD5 and SHA1 collisions are practical
File identification
search the hashes online
Strings
ASCII and Unicode (UTF-16LE, the format Windows uses): look for URLs, IP addresses, file paths, registry keys, and API names
PEiD
Identifies common packers, crypters, compilers by signature; unknown or modified packers are missed, so also look at section names and entropy
Dependency Walker
Bundled with MS development tools
Provides a hierarchical view of modules and the functions imported from each
Shows only dynamically linked functions: statically linked code and imports resolved at runtime via LoadLibrary/GetProcAddress (typical of packed samples) do not appear
Demo
PE Header
Source: http://commons.bcit.ca/update/2014/03/13896/
PEview
Displays PE headers and
sections
IMAGE_FILE_HEADER
IMAGE_SECTION_HEADER
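A first static pass over a suspicious file, doing by hand what the Hashes, Strings, PEiD and PEview slides above do with tools. This is an added example and not code from the original slides: it hashes the file, pulls ASCII and UTF-16LE strings, identifies the file from its MZ/PE headers, reads IMAGE_FILE_HEADER and the IMAGE_SECTION_HEADERs, and flags packer-named sections. The offsets and constants are from the PE/COFF format; the sample PE is constructed inline and is a header skeleton with a blob of strings, not a runnable program.

```python
"""Added example, not code from the original slides: a first static pass
over a suspicious file, doing by hand what the slides do with PEiD and
PEview. Offsets and constants are from the PE/COFF format; the sample PE
is constructed inline and is a header skeleton, not a runnable program."""
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "i386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
# Section-name prefixes left behind by common packers/protectors.
PACKER_SECTIONS = {"UPX": "UPX", ".aspack": "ASPack", ".petite": "Petite",
                   ".vmp": "VMProtect", ".themida": "Themida"}


def hashes(data):
    # MD5/SHA1 are what most sharing portals index on; also record SHA-256,
    # since MD5 and SHA1 collisions are practical and an indicator should
    # not be forgeable.
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def strings(data, min_len=6):
    """Printable runs: plain ASCII, and UTF-16LE as Windows stores them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {"ascii": [m.decode() for m in ascii_re.findall(data)],
            "unicode": [m.decode("utf-16le") for m in wide_re.findall(data)]}


def parse_pe(data):
    """IMAGE_FILE_HEADER fields and the section table, or an 'error' entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"error": "no MZ header: not a PE/DOS executable"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"error": "MZ but no PE signature: DOS executable or corrupt"}
    fh = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    if len(data) < fh + 22:
        return {"error": "truncated PE header"}
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    (magic,) = struct.unpack_from("<H", data, fh + 20)   # optional header Magic
    sections, off = [], fh + 20 + opt_size
    for _ in range(nsec):
        if off + 40 > len(data):
            break                            # section table runs past EOF
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_ptr": rawptr,
                         "characteristics": schars})
        off += 40
    return {"machine": MACHINES.get(machine, hex(machine)),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "is_dll": bool(chars & 0x2000),
            "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "sections": sections}


def packer_hint(pe):
    for s in pe.get("sections", []):
        for prefix, name in PACKER_SECTIONS.items():
            if s["name"].startswith(prefix):
                return name
    # A section with no bytes on disk but a large footprint in memory is
    # where an unpacking stub writes the real code.
    if any(s["raw_size"] == 0 and s["virtual_size"] > 0 for s in pe.get("sections", [])):
        return "unknown packer (empty section with large virtual size)"
    return None


def triage(data):
    pe = parse_pe(data)
    return {"hashes": hashes(data), "strings": strings(data), "pe": pe,
            "packer": None if "error" in pe else packer_hint(pe)}


def build_sample_pe():
    """Constructed UPX-style PE skeleton (headers plus a blob of strings)."""
    e_lfanew, raw_start = 0x80, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"This program cannot be run in DOS mode."
    dos[0x40:0x40 + len(stub)] = stub
    # Machine=i386, 2 sections, timestamp 1600000000, optional header 0xE0
    # bytes, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 1_600_000_000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32; other fields left zero
    payload = (b"\0" * 16 + b"http://c2.example.com/gate.php\0" + b"\0" * 8
               + "CreateRemoteThread".encode("utf-16le") + b"\0" * 16)
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x8000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x9000, len(payload), raw_start,
                       0, 0, 0, 0, 0xE0000040)
    headers = bytes(dos) + b"PE\0\0" + file_header + bytes(opt) + upx0 + upx1
    return headers.ljust(raw_start, b"\0") + payload


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

On a real sample, call `triage(open(path, "rb").read())`; the section-name check is the same signal PEiD gives for UPX, and the empty-section heuristic catches packers PEiD has no signature for.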
CFF Explorer
PE editor
Displays PE headers
and sections
.NET support
Resource Hacker
Displays the .rsrc section of the file (icons, dialogs, version info; malware sometimes stores an embedded payload or config there)
Dynamic Tools
Process Explorer
Sysinternals suite
Process Monitor
Sysinternals suite
Wireshark
Open source network
protocol analyzer
Similar to tcpdump
FakeNet
Network simulator
INetSim
Internet services simulation
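What to look for in the Process Monitor output once the sample runs in the lab, as an added example that is not code from the original slides: it reads a Procmon trace saved as CSV (File > Save..., CSV format; the default columns are Time of Day, Process Name, PID, Operation, Path, Result, Detail), follows the processes the sample spawns, and flags dropped executables, Run-key persistence and outbound connections. The trace below is constructed for the example and its paths, file names and host are invented; the Operation names are Procmon's own.

```python
"""Added example, not code from the original slides: a first pass over a
Process Monitor trace exported as CSV. The trace is constructed for the
example (invented paths, names and host); the Operation names are Procmon's."""
import csv
import io
import re

SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0000001","sample.exe","1234","CreateFile","C:\Users\analyst\AppData\Local\Temp\svch0st.exe","SUCCESS","Desired Access: Generic Write"
"10:02:11.0000120","sample.exe","1234","WriteFile","C:\Users\analyst\AppData\Local\Temp\svch0st.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:02:11.0000300","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\Users\analyst\AppData\Local\Temp\svch0st.exe"
"10:02:11.0000500","sample.exe","1234","Process Create","C:\Users\analyst\AppData\Local\Temp\svch0st.exe","SUCCESS","PID: 1300, Command line: svch0st.exe"
"10:02:12.0000100","svch0st.exe","1300","TCP Connect","VICTIM:49712 -> c2.example.com:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:02:12.0000200","explorer.exe","812","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

# (label, Procmon operation, pattern matched against the Path column)
RULES = [
    ("executable written to user-writable dir", "WriteFile",
     re.compile(r"\\(Temp|AppData|ProgramData)\\.*\.(exe|dll|scr|bat|ps1|vbs)$", re.I)),
    ("persistence via Run key", "RegSetValue",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("dropped file executed", "Process Create",
     re.compile(r"\\(Temp|AppData|ProgramData)\\", re.I)),
    ("outbound connection", "TCP Connect", re.compile(r"->")),
]


def triage_trace(csv_text, sample_pids=None):
    """Return the rule hits for the sample and the processes it spawns.
    sample_pids is the set of PIDs to start from (as strings, since Procmon
    exports them as text); None means look at every process in the trace.
    Process Create events extend the set with the child's PID so that the
    dropped binary's own activity is followed."""
    tracked = set(sample_pids) if sample_pids else None
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if tracked is not None and row["PID"] not in tracked:
            continue
        for label, op, pattern in RULES:
            if row["Operation"] != op or row["Result"] != "SUCCESS":
                continue
            if not pattern.search(row["Path"]):
                continue
            hits.append({"rule": label, "process": row["Process Name"],
                         "pid": row["PID"], "path": row["Path"]})
            if op == "Process Create" and tracked is not None:
                m = re.search(r"PID: (\d+)", row["Detail"])
                if m:
                    tracked.add(m.group(1))
    return hits


if __name__ == "__main__":
    for h in triage_trace(SAMPLE_TRACE, {"1234"}):
        print(f"[{h['rule']}] {h['process']} ({h['pid']}): {h['path']}")
```

With INetSim on the internal network the TCP Connect will actually land on the Linux guest, which is where Wireshark or INetSim's own logs show what the sample sent.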
Summary
History of malware
Lab