ch2 3

The document discusses dynamic analysis techniques for malware, including running malware in virtual machines to safely monitor its behavior and effects. Key topics covered include using tools like Process Monitor, Process Explorer, Regshot, virtual networks like INetSim, and packet sniffers like Wireshark to observe malware processes, registry changes, network activity, and other behaviors in an isolated virtual environment.

Uploaded by Yazan Al-Nirab

Practical Malware Analysis
Ch 2: Malware Analysis in Virtual Machines
Updated 2-2-21
Dynamic Analysis
• Running malware deliberately, while monitoring the results
• Requires a safe environment
• Must prevent malware from spreading to production machines
• Real machines can be air-gapped: no network connection to the Internet or to other machines
Real Machines
• Disadvantages
– No Internet connection, so parts of the malware may not work
– Can be difficult to remove malware, so re-imaging the machine will be necessary
• Advantage
– Some malware detects virtual machines and won't run properly in one
Virtual Machines
• The most common method
• We'll do it that way
• This protects the host machine from the malware
– Except for a few very rare cases of malware that escape the virtual machine and infect the host
VMware Workstation Player/Fusion
• Free for education
• Cannot take snapshots
• You could also use VirtualBox, Hyper-V, Parallels, or Xen.
Configuring VMware
• You can disable networking by disconnecting the virtual network adapter
• Host-only networking allows network traffic to the host but not the Internet
Connecting Malware to the Internet
• NAT mode lets VMs see each other and the Internet, but puts a virtual router between the VM and the LAN
• Bridged networking connects the VM directly to the LAN
• Can allow malware to do some harm or spread – controversial
• You could send spam or participate in a DDoS attack
Snapshots
Risks of Using VMware for Malware Analysis
• Malware may detect that it is in a VM and run differently
• VMware has bugs: malware may crash or exploit it
• Malware may spread or affect the host – don't use a sensitive host machine
• All the textbook samples are harmless
Practical Malware Analysis
Ch 3: Basic Dynamic Analysis
Why Perform Dynamic Analysis?
• Static analysis can reach a dead end, due to
– Obfuscation
– Packing
– Examiner has exhausted the available static analysis techniques
• Dynamic analysis is efficient and will show you exactly what the malware does
Sandboxes: The Quick-and-Dirty Approach
Sandbox
• All-in-one software for basic dynamic analysis
• Virtualized environment that simulates network services
• Examples: Norman Sandbox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, Comodo Instant Malware Analysis
• They are expensive but easy to use
• They produce a nice PDF report of results
Running Malware
Launching DLLs
• EXE files can be run directly, but DLLs can't
• Use Rundll32.exe (included in Windows)
    rundll32.exe DLLname, Export arguments
• The Export value is one of the exported functions you found in Dependency Walker, PEview, or PE Explorer.
Launching DLLs
• Example
– rip.dll has these exports: Install and Uninstall
    rundll32.exe rip.dll, Install
• Some functions use ordinal values instead of names, like
    rundll32.exe xyzzy.dll, #5
• It's also possible to modify the PE header and convert a DLL into an EXE
Monitoring with Process Monitor
Process Monitor
• Monitors registry, file system, network, process, and thread activity
• All recorded events are kept, but you can filter the display to make it easier to find items of interest
• Don't run it too long or it will fill up all RAM and crash the machine
Launching Calc.exe
• Many, many events recorded
Process Monitor Toolbar
(Figure: toolbar buttons, left to right: Start/Stop Capture, Erase, Filter, Default Filters for Registry, File system, Network, and Processes)
Filtering with Exclude
• One technique: hide normal activity before launching malware
• Right-click each Process Name and click Exclude
• Doesn't seem to work well with these samples
Filtering with Include
• Most useful filters: Process Name, Operation, and Detail
Viewing Processes with Process Explorer
Coloring
• Services are pink
• Processes are blue
• New processes are green briefly
• Terminated processes are red
DLL Mode
Properties
• Shows DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) status
• Verify button checks the disk file's Windows signature
– But not the RAM image, so it won't detect process replacement
Strings
• Compare Image to Memory strings; if they are very different, it can indicate process replacement
Detecting Malicious Documents
• Open the document (e.g. PDF) on a system with a vulnerable application
• Watch Process Explorer to see if it launches a process
• The Image tab of that process's Properties sheet will show where the malware is
Comparing Registry Snapshots with Regshot
Regshot
• Take 1st shot
• Run malware
• Take 2nd shot
• Compare them to see what registry keys were changed
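The Regshot compare step, as an added example that is not part of the original slides or of Regshot itself. Regshot walks the live registry for each shot; here the two shots are constructed dictionaries (key path to value name to data), so the comparison logic runs offline on any OS. The Run-key entry "Updater", the key "HKLM\SOFTWARE\ExampleMalwareConfig" and all other data are constructed sample values.

```python
"""Regshot-style comparison of two registry snapshots (added example).

A snapshot maps a registry key path to {value name: data}. The two shots
below are constructed: SHOT1 is the clean baseline, SHOT2 is the same
system after running a sample that adds an autostart entry and its own
config key.
"""
from dataclasses import dataclass, field

Snapshot = dict[str, dict[str, str]]

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"

# Constructed 1st shot: one legitimate Run entry, one Explorer value.
SHOT1: Snapshot = {
    RUN_KEY: {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    EXPLORER_KEY: {"ShellState": "24 00 00 00"},
}

# Constructed 2nd shot, taken after running the sample.
SHOT2: Snapshot = {
    RUN_KEY: {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "Updater": r"C:\Users\Public\svchost.exe",  # constructed persistence entry
    },
    EXPLORER_KEY: {"ShellState": "24 00 00 01"},   # ordinary churn, modified value
    r"HKLM\SOFTWARE\ExampleMalwareConfig": {"id": "4242"},  # constructed new key
}


@dataclass
class RegDiff:
    """Same categories Regshot prints: keys and values added, deleted, modified."""
    keys_added: list[str] = field(default_factory=list)
    keys_deleted: list[str] = field(default_factory=list)
    values_added: list[tuple[str, str, str]] = field(default_factory=list)      # (key, name, data)
    values_deleted: list[tuple[str, str, str]] = field(default_factory=list)    # (key, name, data)
    values_modified: list[tuple[str, str, str, str]] = field(default_factory=list)  # (key, name, old, new)


def compare_snapshots(first: Snapshot, second: Snapshot) -> RegDiff:
    """Compute what changed between the 1st and 2nd shot."""
    diff = RegDiff()
    diff.keys_added = sorted(set(second) - set(first))
    diff.keys_deleted = sorted(set(first) - set(second))
    # Keys present in both shots: compare their values name by name.
    for key in sorted(set(first) & set(second)):
        before, after = first[key], second[key]
        for name in sorted(set(after) - set(before)):
            diff.values_added.append((key, name, after[name]))
        for name in sorted(set(before) - set(after)):
            diff.values_deleted.append((key, name, before[name]))
        for name in sorted(set(before) & set(after)):
            if before[name] != after[name]:
                diff.values_modified.append((key, name, before[name], after[name]))
    # Values under brand-new keys are reported as added as well.
    for key in diff.keys_added:
        for name, data in sorted(second[key].items()):
            diff.values_added.append((key, name, data))
    return diff


def run_key_changes(diff: RegDiff) -> list[str]:
    """Just the new autostart entries: the first thing to look at in a Regshot report."""
    return [f"{name} = {data}" for key, name, data in diff.values_added if key == RUN_KEY]


def format_report(diff: RegDiff) -> str:
    """Plain-text report in the spirit of Regshot's compare output."""
    lines = ["Keys added:"] + diff.keys_added
    lines += ["Keys deleted:"] + diff.keys_deleted
    lines += ["Values added:"] + [f"{k}\\{n}: {d}" for k, n, d in diff.values_added]
    lines += ["Values deleted:"] + [f"{k}\\{n}: {d}" for k, n, d in diff.values_deleted]
    lines += ["Values modified:"] + [f"{k}\\{n}: {o} -> {w}" for k, n, o, w in diff.values_modified]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_snapshots(SHOT1, SHOT2)))
```

Reading the report top-down mirrors how an analyst uses Regshot: new keys and new Run values are the persistence candidates, while a changed Explorer value is usually background noise, which is why the slides stress taking the 2nd shot promptly after the sample runs.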
Faking a Network
INetSim
• Included in Kali Linux
• Simulates the Internet, including
– HTTP / HTTPS
– SMTP, POP3
– DNS
– FTP
– Much more
Ncat Listener
• Using Ncat.exe, you can listen on a single TCP port in Windows
• In Linux, use nc (netcat)
• This will allow malware to complete a TCP handshake, so you get some rudimentary information about its requests
• But it's not a real server, so it won't reply to requests after the handshake
Monitoring with Ncat (included with Nmap)
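What a bare Ncat listener gives you, as an added example that is not part of the original slides or of the Nmap project. The listener binds a port on 127.0.0.1, lets the client complete the TCP handshake, captures the first bytes it sends and deliberately never answers, which is exactly the behaviour the slide describes. The client side is a constructed stand-in for a sample making an HTTP request; the hostname c2.example.invalid and the path /gate.php are invented so the whole exchange runs offline.

```python
"""Minimal Ncat-style listener plus a constructed client (added example).

The listener completes the handshake and records the request but sends no
reply, so the client learns nothing and eventually gives up. What the
listener captured (method, path, Host header) is the "rudimentary
information" the slides refer to.
"""
import socket
import threading
from typing import Optional

# Constructed request a sample might send once the handshake succeeds.
REQUEST = (b"GET /gate.php?id=4242 HTTP/1.1\r\n"
           b"Host: c2.example.invalid\r\n"
           b"User-Agent: Mozilla/4.0\r\n\r\n")


def start_listener(captured: list, ready: threading.Event, ports: list,
                   hold: float = 1.0, timeout: float = 5.0) -> None:
    """Accept one connection, read once, hold it open briefly, send nothing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(1)
    srv.settimeout(timeout)
    ports.append(srv.getsockname()[1])
    ready.set()
    try:
        conn, _peer = srv.accept()      # the three-way handshake completes here
        with conn:
            conn.settimeout(timeout)
            try:
                captured.append(conn.recv(4096))
            except socket.timeout:
                captured.append(b"")    # client connected but never sent anything
            # Like nc/ncat with nobody typing a reply: stay silent, then close.
            threading.Event().wait(hold)
    finally:
        srv.close()


def fake_sample(port: int, request: bytes, timeout: float = 0.3) -> Optional[bytes]:
    """Constructed client: connect, send the request, wait for a reply.

    Returns None when no application-layer reply arrives (timeout or EOF),
    which is what a sample sees when it talks to a bare listener.
    """
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(request)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return None
        return data or None


def summarize_request(data: bytes) -> dict:
    """Pull the request line and headers out of the captured bytes."""
    lines = data.decode("latin-1").split("\r\n")
    info = {}
    parts = lines[0].split(" ")
    if len(parts) >= 2:
        info["method"], info["path"] = parts[0], parts[1]
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            info[name.strip().lower()] = value.strip()
    return info


def run_exchange(request: bytes = REQUEST):
    """Run listener and client together; return (captured bytes, client's reply)."""
    captured, ports, ready = [], [], threading.Event()
    t = threading.Thread(target=start_listener, args=(captured, ready, ports), daemon=True)
    t.start()
    ready.wait(5.0)
    reply = fake_sample(ports[0], request)
    t.join(5.0)
    return (captured[0] if captured else b""), reply


if __name__ == "__main__":
    got, reply = run_exchange()
    print("listener captured:", summarize_request(got))
    print("client received:", reply)
```

The client's None result is the point of the slide's caveat: the sample gets a connection but no protocol-level answer, so anything it does after the first request (downloading a second stage, parsing a response) never happens. That is the gap INetSim fills by actually answering HTTP, DNS and the other protocols.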
Packet Sniffing with Wireshark
Follow TCP Stream
• Can save files from streams here too
Using INetSim
    inetsim
INetSim Fools a Browser
INetSim Fools Nmap
Basic Dynamic Tools in Practice
Using the Tools
• Procmon
– Filter on the malware executable name and clear all events just before running it
• Process Explorer
• Regshot
• Virtual Network with INetSim
• Wireshark
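The Procmon filtering described in the "Filtering with Include" slide and in the Procmon step of "Using the Tools", applied to a saved capture, as an added example that is not part of the original slides or of Sysinternals. Procmon can export its event list to CSV (File > Save), and this script applies the same Include filter offline: keep only events whose Process Name is the malware executable, then narrow to the operations that reveal persistence, dropped files, child processes and network use. The column headers follow Procmon's CSV export; the event rows are constructed, with sample.exe standing in for the malware's name.

```python
"""Include-filter a Process Monitor CSV export by process name and operation
(added example). The CSV below is constructed; column names match Procmon's
CSV export format.
"""
import csv
import io

PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Explorer.EXE","1234","RegQueryValue","HKCU\\Software\\Classes","SUCCESS","Type: REG_SZ"
"10:01:03.0","sample.exe","4321","Process Start","","SUCCESS","Parent PID: 1234"
"10:01:03.2","sample.exe","4321","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Set Value"
"10:01:03.3","sample.exe","4321","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Public\\svchost.exe"
"10:01:03.5","sample.exe","4321","CreateFile","C:\\Users\\Public\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03.6","sample.exe","4321","WriteFile","C:\\Users\\Public\\svchost.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.7","sample.exe","4321","TCP Connect","analysis-vm:49155 -> 10.0.0.5:80","SUCCESS","Length: 0"
"10:01:03.9","svchost.exe","5555","RegQueryValue","HKLM\\SYSTEM\\Setup","SUCCESS","Type: REG_DWORD"
"10:01:04.0","sample.exe","4321","Process Create","C:\\Users\\Public\\svchost.exe","SUCCESS","PID: 6000"
"""

# Operations that answer the usual questions: what did it write, persist, spawn, connect to?
INTERESTING_OPERATIONS = {
    "RegSetValue", "CreateFile", "WriteFile",
    "TCP Connect", "TCP Send", "UDP Send",
    "Process Create", "Process Start",
}


def parse_procmon_csv(text: str) -> list:
    """Parse a Procmon CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events: list, process_name: str, operations=None) -> list:
    """Include filter: Process Name equals process_name (case-insensitive, as in
    Procmon), optionally restricted to a set of Operation values."""
    wanted = process_name.lower()
    kept = []
    for ev in events:
        if ev["Process Name"].lower() != wanted:
            continue
        if operations is not None and ev["Operation"] not in operations:
            continue
        kept.append(ev)
    return kept


def summarize(events: list) -> dict:
    """Group touched paths by operation for a quick overview of the sample's behaviour."""
    summary = {}
    for ev in events:
        summary.setdefault(ev["Operation"], []).append(ev["Path"])
    return summary


if __name__ == "__main__":
    events = parse_procmon_csv(PROCMON_CSV)
    hits = filter_events(events, "sample.exe", INTERESTING_OPERATIONS)
    for op, paths in summarize(hits).items():
        print(f"{op}:")
        for p in paths:
            print(f"    {p}")
```

Note that the child process (svchost.exe, PID 6000 in the constructed data) drops out of a filter on the parent's name alone; in a real session you add the spawned process name to the filter as well, which is one reason the slides pair Procmon with Process Explorer's process tree.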
