Comprehensive Malware Analysis Guide

Here are the key steps I would take in analyzing the assembly code of a malware sample using OllyDbg:
1. Load the malware sample into OllyDbg and begin disassembling the code.
2. Set breakpoints at key functions to trace execution flow (e.g. network/file system calls).
3. Step through the code using the step into, step over, and run to breakpoint commands. Monitor registers and stack for clues.
4. Analyze strings, API calls, and data structures to understand functionality like command and control, data exfiltration, etc.
5. Use dump commands to analyze memory, search for indicators, and patch/modify code for testing purposes.

Malware Analysis.

Dalia Khader

Disclaimer

The demos are all done in an isolated environment and should not be done in
production. Students attempting the exercises are fully responsible for ensuring
they perform them in the right environment. This course does not make you a
subject expert in the matter.

Malware

Software that was designed with the purpose of harming the victim's CIA
(confidentiality, integrity and availability).
Goals of Malware Analysis

1. Evaluate the damage done by the malware by understanding its functionalities.
2. Determine the compromised systems by studying its spreading techniques.
3. Determine vulnerabilities in our network and systems, and use them to
harden our environment.
4. Create a list of signatures and IOCs, to harden our environment.
5. Identify the sophistication level of the malware.
6. Identify the creator of the malware.
7. Answer as many questions about the sample as possible.
Indications of Compromise

[Diagram: Indications of Compromise (IOC), including host-based signatures]
MSN Malware (1992)

https://zeltser.com/malware-sample-sources/
General Rules of Malware Analysis

• Malware can be complex programs. Avoid the details and focus on key
features.
• Utilize the different tools and approaches available depending on the type of
analysis you intend to do.
• Tools overlap in functionality; if you don't get lucky with one, try another.
• Analyse the malware from different angles and using different approaches, to
confirm your theories.
• Malware programmers can be clever and can come up with techniques to hide
their traces.
Malware Analysis Techniques

How are we analyzing?
• Static Analysis
• Dynamic Analysis
• Automated Analysis

What are we analyzing?
• Behavior Based Analysis
• Code Based Analysis
Automated Analysis

Automated Analysis

• Relying on existing tools that do the malware analysis in an automated
manner.
• Advantages: saves time and workload.
• Disadvantages:
  • Confidentiality concerns regarding using third parties rather than an in-house
analyst, especially since some malware collects private data, which then ends up in the submitted sample.
  • Cost can be high for professional enterprise solutions.
  • A lot of existing tools still require an analyst to go through the collected data log.
  • Does not usually take the business impact into consideration.
Demo Available

Automated Solutions - Examples

Examples: VirusTotal, Joe Sandbox, and more.

SHA-256 hash shown on the slide: 6b34cf6100ac5bf4479250048d61cc4d873dd84af74e5b2771b3205e2dbf0d22
Static Analysis

Static Malware Analysis-Introduction

• Static analysis is analyzing the software without executing it, by
looking into the fingerprints, strings, PE headers, etc.
• Advantages
  • Safer, since we are not executing code.
  • Faster, since we are just examining basic static information of the code.
• Disadvantage
  • More primitive results than dynamic analysis.
Static Malware Analysis-Introduction

• Fingerprints: hash the suspicious software to uniquely identify it. Search for
the hash and share it with the malware analyst communities.
• Strings: a program contains readable strings when it prints a message, connects to a URL,
copies a file to a specific location, reports error messages, etc.
• Portable Executable (PE) file format is used by Windows executables, object
code, and DLLs and includes information about the code, the type of
application, required library functions, and space requirements.
• Linked Libraries and Functions are imports of code and functions used by the
malware that are actually stored in an already known and existing library.
Demo Available

Static Analysis-PEStudio
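PEStudio shows a sample's hashes, strings and header fields without running it. The following Python script is an added example (not part of the course or of PEStudio) that does a scaled-down version of that triage on a constructed, non-executable stand-in for a PE file; the sample bytes, the timestamp and the embedded strings are made up for the demonstration.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64
IMAGE_FILE_DLL = 0x2000                         # Characteristics flag


def build_sample() -> bytes:
    """Constructed stand-in for a Windows executable: a DOS header whose e_lfanew
    (offset 0x3C) points at a minimal COFF file header, followed by data with
    embedded strings. It is NOT a real binary and cannot run."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | 32BIT)
    coff_header = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x014C, 3, 1699999999, 0, 0, 0xE0, 0x0102)
    data = (b"\x00" * 8 + b"http://ourgodfather<dot>com/cfg\x00" + b"\x00" * 5
            + b"msnsetting.dat\x00" + b"ab\x00")
    return dos_header + coff_header + data


def fingerprints(data: bytes) -> dict:
    """Hashes used to look a sample up or share it with the community."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len characters (what a 'strings' tool shows)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pe_header(data: bytes) -> dict:
    """Read the COFF file header fields that a PE viewer shows on its summary page."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig, machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<4sHHIIIHH", data, e_lfanew)
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        # Compiler timestamp: a common triage clue, but trivially forgeable.
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


if __name__ == "__main__":
    sample = build_sample()
    print(fingerprints(sample))
    print(pe_header(sample))
    print(strings(sample))
```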

Behaviour Analysis

Behavior Based Analysis

• Behavior-based analysis monitors the behavior of a piece of software for
suspicious activities in an isolated environment referred to as a sandbox.
• Suspicious activities: attempts to perform actions that are clearly abnormal
or unauthorized. They can be:
  • System based
  • Network based
• Isolated environment: we do not perform our analysis directly on our machines or
on a machine connected to our network.
• The demos use a Windows 8.1 virtual machine.
Demo Available

General Malware Behavior

Email: Something@Somthing.com
Password: bbbb
Behavior Analysis Network Oriented

• Analyzing the network flows (both inbound and outbound) that may be caused by
the malware.
• Malware tries to connect to servers, URLs and IP addresses for many reasons, e.g.
sending or grabbing data, and/or discovering the network.
• IOCs can show up on the network "weeks and even months" before the malicious
software is uncovered.
Behavior Analysis Network Oriented
Tools:
• Wireshark
• Fiddler
• Microsoft Network Analyzer
Behavior Analysis Network Oriented

A DNS resolution query for gsmtp185.google.com was observed as a result of running
the malicious MSN Live Messenger sample.
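The following Python snippet is an added example (not part of the course) showing how such a query is decoded from the DNS wire format and matched against a network IOC list, so that a capture like the one above can be checked automatically. The packets are constructed in the code; the IOC domains are the two from the analysis summary.

```python
import struct

# Network IOCs from the MSN malware analysis summary (defanged on the slides as <dot>).
NETWORK_IOCS = {"ourgodfather.com", "gsmtp185.google.com"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive A-record query for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QR clear
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes, offset: int):
    """Decode the length-prefixed labels of a QNAME; returns (name, offset after it)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a question name
            raise ValueError("unexpected compression pointer in QNAME")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def queried_name(payload: bytes) -> str:
    """Return the lower-cased name asked for in a single-question DNS query."""
    _txid, flags, qdcount = struct.unpack_from(">HHH", payload, 0)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    name, _ = parse_qname(payload, 12)  # question section starts after the 12-byte header
    return name.lower().rstrip(".")


def match_iocs(payloads, iocs=NETWORK_IOCS) -> list:
    """Names that equal, or are subdomains of, a known IOC domain, in packet order."""
    hits = []
    for payload in payloads:
        name = queried_name(payload)
        if any(name == ioc or name.endswith("." + ioc) for ioc in iocs):
            hits.append(name)
    return hits


if __name__ == "__main__":
    captured = [build_query("Gsmtp185.google.com"), build_query("www.example.com"),
                build_query("cdn.ourgodfather.com")]
    print(match_iocs(captured))  # ['gsmtp185.google.com', 'cdn.ourgodfather.com']
```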
Code Based Analysis

Code Based Analysis

• Pre-requisite: knowledge of disassembly, code constructs, and operating
system concepts.
• Code based analysis: understanding the internals of the malware by breaking
it apart using software reverse engineering techniques.
• Tools: hex editor, decompiler, disassembler, debugger (Ring 0 kernel mode or
Ring 3 user mode).
• We will use OllyDbg as an example.
Code Based Analysis-Ollydbg
#include <cstdio>
#include <iostream>
#include <string>
using namespace std;

int main()
{
    string Y;
    int rnd;

    printf("What is the secret word?");
    getline(cin, Y);

    // Keep asking until the expected secret word is entered.
    while (!(Y == "PASSWORD")) {
        printf("No, What is the secret word? ");
        getline(cin, Y);
    }

    printf("THAT IS CORRECT, Bye ");
    cin >> rnd;  // wait for input so the console window stays open
    return 0;
}
Code Based Analysis-Ollydbg

Malware Author: High Level Language (the C++ program above)
  --Compile-->
CPU Machine Code
  --Disassemble-->
Malware Analyst: Low Level Language (assembly)
Code Based Analysis-ollydbg

OllyDbg's main interface is split into 5 different regions as follows:

1. Disassembler window: shows the disassembled code as it is executed.
2. Registers window: shows the registers along with their value in real time (when a
value is changed, it appears in red). You can modify the value of these registers.
3. Information window: brings information about the current line of code.
4. Stack window: current state of the stack in memory.
5. Memory dump window: dump of live memory for the debugged process.

[Screenshot: OllyDbg main window with the five regions numbered 1 to 5]
Code Based Analysis-ollydbg
Debugging Commands
1. Step into
2. Step over
3. Create break point
4. Go to next reference
5. Go to previous reference
6. …

Assembly Commands
1. JMP, JNZ, JE, JZ <LOC>
2. CALL, RETN <LOC>
3. MOV <VALUE>,<VALUE>
4. AND, OR, XOR <VALUE>,<VALUE>
5. POP, PUSH <VALUE>
6. TEST
7. NOP
8. …
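The following Python decoder is an added example (not part of the course or of OllyDbg) covering the listed instructions: it turns raw 32-bit x86 bytes into mnemonics and resolves <LOC> for JMP/JE/JNZ/CALL the way a debugger's disassembler pane does. The byte sequence is constructed to mirror the secret-word loop above (call a compare routine, TEST the result, JNZ back to ask again), and the base address 0x401000 is assumed.

```python
import struct

REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
# one-byte opcodes: mnemonic and size of the relative displacement that follows (0 = none)
SIMPLE = {0x90: ("NOP", 0), 0xC3: ("RETN", 0), 0xEB: ("JMP", 1), 0xE9: ("JMP", 4),
          0x74: ("JE", 1), 0x75: ("JNZ", 1), 0xE8: ("CALL", 4)}
# "op r/m32, r32" forms that take a ModRM byte; only the register-direct form (mod == 3) is decoded
MODRM_OPS = {0x89: "MOV", 0x21: "AND", 0x09: "OR", 0x31: "XOR", 0x85: "TEST"}


def decode(code: bytes, base: int = 0x401000) -> list:
    """Return (address, text) pairs, one per instruction, like a debugger's disassembly pane."""
    listing, ip = [], 0
    while ip < len(code):
        addr, op = base + ip, code[ip]
        if op in SIMPLE:
            mnemonic, size = SIMPLE[op]
            ip += 1
            if size == 0:
                listing.append((addr, mnemonic))
                continue
            rel = struct.unpack_from("<b" if size == 1 else "<i", code, ip)[0]
            ip += size
            # <LOC> is encoded relative to the next instruction; the debugger shows the absolute address
            listing.append((addr, f"{mnemonic} {base + ip + rel:08X}"))
        elif 0x50 <= op <= 0x5F:
            listing.append((addr, f"{'PUSH' if op < 0x58 else 'POP'} {REGS32[op & 7]}"))
            ip += 1
        elif op in MODRM_OPS and ip + 1 < len(code) and code[ip + 1] >> 6 == 3:
            modrm = code[ip + 1]
            dst, src = REGS32[modrm & 7], REGS32[(modrm >> 3) & 7]
            listing.append((addr, f"{MODRM_OPS[op]} {dst},{src}"))
            ip += 2
        else:
            listing.append((addr, f"DB {op:02X}"))  # not handled by this toy decoder
            ip += 1
    return listing


# Constructed bytes shaped like the secret-word loop: PUSH EBP / MOV EBP,ESP /
# CALL compare / TEST EAX,EAX / JNZ back to the CALL / XOR EAX,EAX / POP EBP / RETN
SAMPLE_CODE = bytes.fromhex("5589E5E81000000085C075F731C05DC3")

if __name__ == "__main__":
    for addr, text in decode(SAMPLE_CODE):
        print(f"{addr:08X}  {text}")
```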
Code Based Analysis

Ollydbgsample.exe Demo (the C++ secret-word program above)
Goal: understanding the assembly code and manipulating it to change the
logical behavior of the program.

MSN Messenger Demo
Goal: tracing within the assembly code to understand the logic behind the file
msnsetting.dat.
Analysis Summary for MSN Malware

Static Based Analysis: found URL Ourgodfather<dot>com.

Behavior Based (Running Executable): MSN tried accessing the URL.

Behavior System Based Analysis:
• Two files were written to HD
• Parameters in the file included credentials in plaintext
• Email: mastercleanex@gmail.com
• DNS name: Gsmtp185.google.com

Behavior Network Based Analysis: two DNS name resolution queries
• Ourgodfather<dot>com
• Gsmtp185.google.com

Code Based Analysis: secret configuration interface
• Contains parameters to send email to server
Objectives Summary.

• We learned the importance of malware analysis.
• We learned the different ways of analyzing malware:
  • Behavior vs. code based.
  • Static vs. dynamic vs. automated.
• We learned how to search for IOCs on both the network and the systems.
• We learned how to reverse engineer code and the benefits of that in
malware analysis.
Resources

References
• CyberForensics: Understanding Information Security Investigations, edited
by Jennifer Bayuk, ISBN 1607617714.
• Information Security in Business, Lenny Zeltser, https://zeltser.com/
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious
Software, Michael Sikorski and Andrew Honig, ISBN 978-1-59327-290-6.

Tools
VirusTotal, Joe Sandbox, PeStudio, Process Monitor, Regshot, Wireshark, Fiddler,
Microsoft Network Analyzer, OllyDbg