2. OUR GAME PLAN
TODAY – A THEORETICAL OVERVIEW
FOLLOWED BY A CASE STUDY
DETAILED PRESENTATIONS ABOUT EACH
COMPONENT.
VIRTUALIZATION.
HONEYPOTS / HONEYNETS.
DEBUGGING
AND SO ON (HOPEFULLY)
3. CAPABILITY FOR ‘ABSTRACT MATHEMATICS’
ASSEMBLY LANGUAGE
LACK OF SOCIAL LIFE
ADEQUATE ‘BEHAVIOR MODIFICATION’ OR
‘TRANCE INDUCING’ MATERIALS.
4. BASICS
SETTING UP A LAB ENVIRONMENT
ANALYSIS
o NETWORK TRAFFIC
o DISK IMAGE / FILE SYSTEM
o MEMORY IMAGE
o STATIC ANALYSIS
5. TRADITIONALLY WE HAD – SOURCE CODE
AUDITING – PRIME REQUIREMENT WAS
SAFETY OF CODE.
THEN CAME PROPRIETARY CODE AND
WITH IT ‘BLACK BOX TESTING’
ALONG CAME MODULAR COMPONENTS
AND WE GRADUATED TO ‘REVERSE
ENGINEERING’
6. WITH COTS PRODUCT CAME ISSUES OF
TRUST – MICROSOFT IS SAFE BUT WHAT
ABOUT THE GUYS WHO MADE THE DLL.
SUGGESTED READING: ‘WYSINWYX’ (WHAT YOU SEE IS
NOT WHAT YOU EXECUTE), GOGUL BALAKRISHNAN’S PHD THESIS.
A METHOD OF REVERSE ENGINEERING THE PROGRAM
TOGETHER WITH ALL ITS ASSOCIATED LIBRARIES:
‘HOLISTIC REVERSE ENGINEERING’
7. A FOCUSED APPLICATION– MALWARE
ANALYSIS.
WHY – TRADITIONAL SIGNATURE BASED
DETECTION IS FUTILE GIVEN EVOLVING
MALWARE.
THE SAME LOGIC HAS MULTIPLE ‘SIGNATURES’,
HENCE ‘BEHAVIORAL ANALYSIS’
8. PROS & CONS OF BOTH STATIC ANALYSIS &
BEHAVIORAL ANALYSIS.
LARGER VOLUMES OF SAMPLES
NECESSITATE ‘AUTOMATION’.
ENTER CWSANDBOX, NORMAN SANDBOX
& OTHERS
BUT WE NEED ‘MORE’
9. OVERLAPPED WITH FORENSICS.
PRIVACY & POLICY ISSUES.
WISH TO LEARN
‘LIVE’ EXERCISE – PART OF GROWING UP
FIELD OF WORK
REQUIREMENT OF CUSTOMIZED DATA
COMPLEXITIES IN THE MALWARE WORLD
10. BASICS
SETTING UP A LAB ENVIRONMENT
ANALYSIS
o STATIC ANALYSIS
o NETWORK TRAFFIC
o DISK IMAGE / FILE SYSTEM
o MEMORY IMAGE
11. A CONTROLLED ENVIRONMENT.
▪ MALWARE COLLECTION. THROUGH SPAM TRAPS,
HONEYPOTS AND SHARED DATA. NEPENTHES AS AN
EXAMPLE.
▪ VICTIM MACHINES. VIRTUALISED OR REAL.
VIRTUAL MACHINES ARE EASIER TO MANAGE (SNAPSHOT,
INFECT, REVERT) BUT MALWARE IS INCREASINGLY AWARE
OF THEM. VIRTUAL MACHINES LIKE VMWARE, PARALLELS,
QEMU AND BOCHS ARE AVAILABLE.
12. ▪ SUPPORT TOOLS.
▪ NETWORK SIMULATION. A SIMULATED INTERNET
CONNECTION: DNS, IRC, WEB AND SMTP SERVERS.
▪ ANALYSIS TOOLS. SUPPORT OF ONLINE RESOURCES
LIKE VIRUS TOTAL.
IT SHOULD BE ISOLATED.
IT SHOULD PROVIDE A FULL SIMULATION.
13. FRIENDS
ONLINE RESOURCES
HONEYPOTS
o AMUN
o NEPENTHES
o ….
14. WINDOWS OS
START – BUILD THE WINDOWS IMAGE USING LINUX
THE REUSABLE UNKNOWN MALWARE ANALYSIS NET
‘TRUMAN’
VIRTUAL MACHINES
NORTON GHOST / UDPCAST / ACRONIS
HARDWARE – CORE RESTORE
MICROSOFT – STEADY STATE
THIS MINI LINUX IMPLEMENTATION
CONTAINS TOOLS LIKE PARTIMAGE,
NTFSRESIZE AND FDISK AND IS BASED
AROUND THE FANTASTIC BUSYBOX.
IT ENABLES YOU TO PXE BOOT A PC INTO A
LINUX CLIENT WHICH CAN CREATE AN NTFS
PARTITION, GRAB A WINDOWS DISK IMAGE
FROM THE NETWORK, WRITE IT TO A LOCAL
DISK AND THEN RESIZE THAT PARTITION.
MINIMUM TWO MACHINES.
LINUX BASED SERVER
TRUMAN MACHINE AS CLIENT (XP
WITHOUT PATCHES). INSTALLATION FAQ
ON NSMWIKI.
VIRTUAL NETWORK SIMULATION
19. MAVMM: LIGHTWEIGHT AND PURPOSE
BUILT VMM FOR MALWARE ANALYSIS
AUTHORS - ANH M. NGUYEN, NABIL
SCHEAR, HEEDONG JUNG, APEKSHA
GODIYAL, SAMUEL T. KING, HAI D. NGUYEN
A SPECIAL PURPOSE VIRTUAL MACHINE
FOR MALWARE ANALYSIS
20. ACADEMIC VERSION OF XP AVAILABLE.
INSTRUMENTATION OF CODE FEASIBLE
CREATION OF ‘SPECIAL WINDOWS’ BOXES
21. BASICS
SETTING UP A LAB ENVIRONMENT
ANALYSIS
o STATIC ANALYSIS
o NETWORK TRAFFIC
o DISK IMAGE / FILE SYSTEM
o MEMORY IMAGE
22. CREATE A CONTROLLED ENVIRONMENT. VIRTUAL
OR REAL.
BASELINE THE ENVIRONMENT:-
▪ VICTIM MACHINE. FILE SYSTEM, REGISTRY,
RUNNING PROCESSES, OPEN PORTS, USERS,
GROUPS, NETWORK SHARES, SERVICES ETC.
▪ NETWORK TRAFFIC.
▪ EXTERNAL VIEW.
23. INFORMATION COLLECTION.
▪ STATIC. STRINGS, RESOURCES, SCRIPTS, FILE
PROPERTIES ETC
▪ DYNAMIC.
INFORMATION ANALYSIS. INVOLVES INFORMATION
COLLATION, INTERNET SEARCHES, STARTUP
METHODS, COMMUNICATION PROTOCOLS,
SPREADING MECHANISMS ETC
RECONSTRUCTING THE BIG PICTURE.
DOCUMENTATION.
24. PSEXEC – PART OF SYSINTERNALS
PSTOOLS KIT.
MS REMOTE DESKTOP
VIRTUAL NETWORK COMPUTING (VNC)
ULTRAVNC – SOURCEFORGE
IF YOU ARE COMFORTABLE WITH REMOTE
COMMAND LINE – PSEXEC
25. BASELINE INFORMATION
o NETWORK TRAFFIC
o FILE SYSTEM
o REGISTRY
o MEMORY IMAGE
REMEMBER IT IS ‘MALWARE’
ZIP THE SAMPLE WITH A PASSWORD (PKZIP,
COMMAND LINE) SO DESKTOP AV DOES NOT
QUARANTINE IT IN TRANSIT
IF YOU ARE SUBMITTING SAMPLES ONLINE THE
CONVENTION IS PASSWORD = ‘infected’
DISK IMAGE ANALYSIS: AIDE (ADVANCED INTRUSION
DETECTION ENVIRONMENT) FOR COMPARING DISK IMAGES
BEFORE AND AFTER.
NTFS-3G DRIVERS AND GETFATTR FOR ADS (ALTERNATE DATA
STREAMS).
REGISTRY: DUMP THE HIVES USING DUMPHIVE, THEN COMPARE
THE BEFORE AND AFTER DUMPS WITH THE LINUX
diff -u COMMAND.
MEMORY IMAGE ANALYSIS: PMODUMP.PL MODIFIED
TO HANDLE PEB RANDOMISATION; VOLATILITY
FRAMEWORK USED FOR ANALYSIS.
OUTPUTS OF MULTIPLE TOOLS ARE COMPARED
AND ANALYSED TOGETHER.
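The before/after comparison described in the baseline slides (file system, registry) and here (AIDE, dumphive plus diff -u) reduces to the same operation: snapshot, run the sample, snapshot again, and report only what was added, removed or changed. The following is an added example, not part of the original deck or of any of the tools it names; it builds a tiny constructed "victim" tree in a temporary directory and parses a constructed, flattened registry export (the `Key\Value=data` line format is assumed for the demo, not dumphive's actual output).

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Map relative path -> (size, sha256) for every regular file under root.

    This is the 'disk image before/after' view: two snapshots of the same
    tree are compared key by key instead of diffing raw images."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def parse_registry_dump(text):
    """Parse a flattened text registry export (one 'Key\\Value=data' per line,
    a constructed format used for this demo) into a dict."""
    reg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        reg[key.strip()] = value.strip()
    return reg


def diff_snapshots(before, after):
    """Classify keys as added, removed or changed between two snapshots
    (what Regshot / AIDE / diff -u report, minus the unchanged entries)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


# Constructed registry exports; neither comes from a real system.
BASELINE_REG = r"""# constructed baseline export
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon=C:\Windows\System32\ctfmon.exe
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=1
"""

INFECTED_REG = r"""# constructed export taken after running the sample
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon=C:\Windows\System32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater=C:\Windows\System32\svch0st.exe
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
"""


def demo():
    """Build a constructed 'victim' tree, snapshot it, simulate the changes a
    dropper would make, snapshot again, and return the file-system and registry diffs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows/System32/drivers/etc").mkdir(parents=True)
        (root / "Windows/System32/kernel32.dll").write_bytes(b"constructed stand-in for a system DLL")
        (root / "Windows/System32/drivers/etc/hosts").write_bytes(b"127.0.0.1 localhost\n")
        before = snapshot_tree(root)

        # Changes made "by the sample": a dropped binary and a hosts-file edit (constructed).
        (root / "Windows/System32/svch0st.exe").write_bytes(b"constructed dropped payload")
        (root / "Windows/System32/drivers/etc/hosts").write_bytes(
            b"127.0.0.1 localhost\n127.0.0.1 update.av-vendor.example\n")
        after = snapshot_tree(root)

    fs_diff = diff_snapshots(before, after)
    reg_diff = diff_snapshots(parse_registry_dump(BASELINE_REG), parse_registry_dump(INFECTED_REG))
    return fs_diff, reg_diff


if __name__ == "__main__":
    for label, result in zip(("file system", "registry"), demo()):
        print(label, result)
```

Hashing rather than comparing timestamps is deliberate: malware routinely stamps dropped files with the timestamps of neighbouring system files, but it cannot keep the content hash unchanged.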
28. FILE SYSTEM AND REGISTRY MONITORING:
PROCESS MONITOR AND CAPTURE BAT
PROCESS MONITORING: PROCESS
EXPLORER AND PROCESS HACKER
NETWORK MONITORING: WIRESHARK AND
SMARTSNIFF
CHANGE DETECTION: REGSHOT
29. A GOOD WAY TO SEE CHANGES TO THE
NETWORK IS WITH A TOOL CALLED NDIFF.
NDIFF IS A TOOL THAT UTILIZES NMAP
OUTPUT TO IDENTIFY THE DIFFERENCES,
OR CHANGES THAT HAVE OCCURRED IN
YOUR ENVIRONMENT.
NDIFF CAN BE DOWNLOADED FROM
http://www.vinecorp.com/ndiff/.
(THIS IS THE OLDER STANDALONE NDIFF; IT IS NOT THE
NDIFF SCRIPT THAT SHIPS WITH NMAP 5.x.)
31. THE OPTIONS OFFERED IN NDIFF INCLUDE:
ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>]
[-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>]
[-fmt|-format <terse | minimal | verbose | machine | html | htmle>]
NDIFF OUTPUT MAY BE REDIRECTED TO A WEB PAGE:
ndiff -b base-line.txt -o tested.txt -fmt machine | ndiff2html >
differences.html
THE OUTPUT FILE, “DIFFERENCES.HTML”, MAY BE DISPLAYED
IN A WEB BROWSER. THIS WILL SEPARATE HOSTS INTO THREE
MAIN CATEGORIES:
o NEW HOSTS,
o MISSING HOSTS, AND
o CHANGED HOSTS.
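To make the three ndiff categories concrete, here is an added example (not ndiff's code, and not from the original deck) that parses two constructed `nmap -oG` grepable-output scans of a lab subnet and reports new, missing and changed hosts, with the ports that opened or closed on the changed ones. The field layout relied on (tab-separated `Host:` / `Status:` / `Ports:` fields, port entries as `port/state/proto/owner/service/rpc/version`) is nmap's documented grepable format; the scan data itself is made up for the demo.

```python
def parse_grepable(text):
    """Parse `nmap -oG` (grepable) output into {ip: {(port, proto): (state, service)}}.

    Grepable output has tab-separated fields on each 'Host: <ip> (<name>)' line;
    the 'Ports:' field lists entries as port/state/proto/owner/service/rpc/version."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        if any(f.startswith("Status:") and "Down" in f for f in fields):
            continue
        ports = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                port, state, proto, _owner, service = parts[:5]
                ports[(int(port), proto)] = (state, service)
    return hosts


def ndiff(baseline, observed):
    """Classify hosts the way ndiff's report does: new, missing and changed hosts,
    with the opened / closed / altered ports that make a host 'changed'."""
    new = sorted(set(observed) - set(baseline))
    missing = sorted(set(baseline) - set(observed))
    changed = {}
    for ip in sorted(set(baseline) & set(observed)):
        b, o = baseline[ip], observed[ip]
        detail = {
            "opened": sorted(set(o) - set(b)),
            "closed": sorted(set(b) - set(o)),
            "altered": sorted(p for p in set(b) & set(o) if b[p] != o[p]),
        }
        if any(detail.values()):
            changed[ip] = detail
    return {"new": new, "missing": missing, "changed": changed}


# Constructed scans of a lab subnet; not real nmap output.
BASELINE_SCAN = """# Nmap 5.21 scan initiated (constructed baseline) as: nmap -sS -oG base-line.txt 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.56.30 ()\tStatus: Up
Host: 192.168.56.30 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""

OBSERVED_SCAN = """# Nmap 5.21 scan initiated (constructed, after running the sample) as: nmap -sS -oG tested.txt 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.168.56.20 ()\tStatus: Up
Host: 192.168.56.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""


def compare_scans(baseline_text=BASELINE_SCAN, observed_text=OBSERVED_SCAN):
    return ndiff(parse_grepable(baseline_text), parse_grepable(observed_text))


if __name__ == "__main__":
    report = compare_scans()
    print("new hosts:", report["new"])
    print("missing hosts:", report["missing"])
    for ip, detail in report["changed"].items():
        print("changed:", ip, detail)
```

In the constructed data the victim (192.168.56.10) starts listening on 8080/tcp after infection, a host appears (.20) and a host disappears (.30); a real run would feed the two `-oG` files from the baseline and post-infection scans of the same lab network.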
32. NETSTAT
FPORT
TCPVcon – CONSOLE
TCPView – GUI
HANDLE – CONSOLE
PROCESS EXPLORER – GUI
USE PID TO CORRELATE OUTPUTS
33. HASHING FUNCTIONS
o MD5DEEP – JESSE KORNBLUM
FUZZY HASHING (CONTEXT TRIGGERED PIECEWISE HASHING)
o SSDEEP – AGAIN JESSE KORNBLUM
ONLINE HASHES OF KNOWN-GOOD FILES – NIST NSRL
34. A GOOD START
VIRUSTOTAL
VIRUSSCAN
AND MANY MORE
HELP RETAIN FOCUS
35. virus@ca.com
sample@nod32.com
samples@f-secure.com
newvirus@kaspersky.com
VIRUSTOTAL, JOTTI, VIRUS.ORG
MANY MORE
36. PEID
POLYUNPACK
RENOVO – PART OF BIT BLAZE
BASED ON MEMORY UNPACKING
AND MANY MORE
37. TOOLS:-
o PEVIEW
o DEPENDS
o PE BROWSE PRO
o OBJ DUMP
o RESOURCE HACKER
o STRINGS
DETERMINE THE DATE/TIME OF COMPILATION,
FUNCTIONS IMPORTED BY THE PROGRAM, ICONS,
MENUS, VERSION INFO AND STRINGS EMBEDDED
IN THE RESOURCES.
PE FORMAT – NEED I SAY MORE.
LORDPE CAN ALSO DO MEMORY
DUMPS
PETOOLS
PEID TO FIND PACKER DETAILS
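The fields the last two slides ask for (compile timestamp, section table, packer hints, embedded strings) all sit in fixed-layout PE headers and can be read with nothing but `struct`. The following is an added example, not code from the original deck or from PEView, LordPE or PEiD; it parses the DOS/COFF/section headers of a minimal two-section PE32 image that the example itself constructs (it is not executable and not real malware). The "packer suspect" rule (section entropy above 7 bits per byte, or a section that is both writable and executable) is a common heuristic, not a PEiD signature.

```python
import math
import random
import re
import struct
from datetime import datetime, timezone

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte: near 0 for padding, near 8 for compressed or encrypted (packed) data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Read what a first look cares about: machine, link time and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, _vsize, vaddr, raw_size, raw_ptr,
         _prel, _plin, _nrel, _nlin, chars) = struct.unpack_from(SECTION_HDR, data, sec_table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    # Packer heuristic: high-entropy or writable+executable sections are where
    # PEiD signatures and manual unpacking usually start.
    suspects = [s["name"] for s in sections if s["entropy"] > 7.0 or (s["executable"] and s["writable"])]
    return {
        "machine": hex(machine),
        "pe32": magic == 0x10B,
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "sections": sections,
        "packer_suspects": suspects,
    }


def extract_strings(data, min_len=4):
    """Printable-ASCII runs, the same thing `strings` prints."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_sample_pe():
    """Construct a minimal two-section PE32 image for the demo. It is not real
    malware and does not run; only the headers and section contents matter."""
    text = b"\x90" * 400 + b"constructed sample marker\0" + b"\xc3" * 86          # low entropy
    rng = random.Random(2010)
    packed = bytes(rng.getrandbits(8) for _ in range(512))                        # high-entropy stand-in
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                            # e_lfanew = 0x40
    coff = struct.pack(COFF_HDR, 0x014C, 2, 1262304000, 0, 0, 224, 0x0102)         # i386, 2 sections, 2010-01-01
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                                   # PE32 magic, rest zeroed
    secs = struct.pack(SECTION_HDR, b".text", 512, 0x1000, 512, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HDR, b".packed", 512, 0x2000, 512, 0x400, 0, 0, 0, 0, 0xE0000040)
    headers = dos + b"PE\0\0" + coff + opt + secs
    return headers + b"\0" * (0x200 - len(headers)) + text + packed


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("linked:", info["compile_time"], "machine:", info["machine"])
    for s in info["sections"]:
        print(f"  {s['name']:<8} rva={s['virtual_address']:#x} raw={s['raw_size']} entropy={s['entropy']}")
    print("packer suspects:", info["packer_suspects"])
    print("strings:", [s for s in extract_strings(sample) if "constructed" in s])
```

Treat the timestamp as a hint, not evidence: it is a 32-bit field the author can set to anything, which is exactly why the deck recommends correlating it with the other static and behavioural outputs.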
40. WINDBG
OLLYDBG
IDA PRO
SYSRDBG – KERNEL LEVEL ?
KERNEL DEBUGGER FROM MS
KNOWLEDGE OF ASSEMBLY LANGUAGE
CRITICAL
TRAP – API EMULATION
JAVASCRIPT DE-OBFUSCATION – SPIDERMONKEY (STANDALONE JS ENGINE).
TOOLS FOR MS OFFICE FORMATS:-
OFFICEMALSCANNER
OFFVIS
OFFICE BINARY TRANSLATOR (INCLUDES BIFFVIEW
TOOL).
OFFICECAT.
FILEHEX AND FILEINSIGHT HEX EDITORS CAN PARSE
AND EDIT OLE STRUCTURES.
SIMILARLY TOOLS FOR PDF, FLASH ETC
42. EXTENSIVE FEATURES ≠ GOOD TOOL
REQUIREMENT TO SCRIPT & PARSE
OUTPUTS INTO A ‘READABLE REPORT’
COMMAND LINE / GUI OPTIONS
COMPARISON OF MULTIPLE TOOLS AS
VERIFICATION
43. RAPID ASSESSMENT & POTENTIAL
INCIDENT EXAMINATION REPORT
RAPIER IS A SECURITY TOOL BUILT TO
FACILITATE FIRST RESPONSE PROCEDURES
FOR INCIDENT HANDLING.
OVERLAP BETWEEN FORENSICS AND
MALWARE ANALYSIS.
TO ILLUSTRATE THE REQUIREMENT TO
‘SCRIPT AROUND GUI TOOLS’
44. AS PART OF ANALYSIS, TRY TO IDENTIFY
THE SOURCE.
BLOCK LISTS OF SUSPECTED MALICIOUS
IPS AND URLS
LOOKING UP POTENTIALLY MALICIOUS
WEBSITES
INITIAL VECTOR – BROWSER HISTORY,
EMAIL LOGS
45. SIMILARITY STUDIES:-
http://code.google.com/p/yara-project/
GENOME BASED CLASSIFICATION
MALWARE SIMILARITY ANALYSIS – BLACK HAT
09 - DANIEL RAYGOZA
BLAST: BASIC LOCAL ALIGNMENT SEARCH
TOOL BASED CLASSIFICATION
FUZZY CLARITY – DIGITAL NINJA
46. RESEARCH IS ON FOR CLASSIFICATION
ACCORDING TO:-
o OPCODE DISTRIBUTION
o API CALLS MADE
o COMPILER PARAMETER
o ……
o WILL GIVE THE ‘HEURISTICS'
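The similarity and classification slides above (YARA-style matching, genome and BLAST-based comparison, opcode distribution, API calls made) share one idea: turn each sample into feature vectors and score pairs, then group what scores high. The block below is an added example, not from the deck or from any of the cited projects; it uses constructed opcode histograms and import sets for three samples, combines cosine similarity of the opcode distribution with Jaccard overlap of the API set, and clusters with single linkage. The weights and the 0.6 threshold are assumptions for the demo.

```python
import math
from collections import Counter

# Constructed feature sets for three samples: two variants of one family plus an
# unrelated program. In practice the opcode counts come from a disassembler pass
# and the API set from the import table or a sandbox trace.
SAMPLES = {
    "variant_a": {
        "opcodes": Counter({"mov": 40, "push": 30, "call": 20, "xor": 5, "jmp": 5}),
        "apis": {"CreateFileA", "WriteFile", "RegSetValueExA", "InternetOpenA", "InternetReadFile"},
    },
    "variant_b": {
        "opcodes": Counter({"mov": 38, "push": 32, "call": 18, "xor": 6, "jmp": 4, "nop": 2}),
        "apis": {"CreateFileA", "WriteFile", "RegSetValueExA", "InternetOpenA", "InternetOpenUrlA"},
    },
    "unrelated": {
        "opcodes": Counter({"lea": 30, "mov": 10, "cmp": 25, "jne": 25, "ret": 10}),
        "apis": {"MessageBoxA", "GetStockObject", "CreateFileA"},
    },
}


def cosine(a, b):
    """Cosine similarity of two opcode histograms (an order-free distribution match)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def jaccard(a, b):
    """Jaccard overlap of two API-call sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def similarity(x, y, w_opcode=0.5, w_api=0.5):
    """Weighted score in [0, 1] combining the two heuristics (weights are assumed)."""
    return w_opcode * cosine(x["opcodes"], y["opcodes"]) + w_api * jaccard(x["apis"], y["apis"])


def similarity_matrix(samples=SAMPLES):
    names = sorted(samples)
    return {(p, q): round(similarity(samples[p], samples[q]), 3) for p in names for q in names if p < q}


def cluster(samples=SAMPLES, threshold=0.6):
    """Single-linkage grouping: samples whose pairwise score clears the threshold share a family."""
    parent = {n: n for n in samples}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for (p, q), score in similarity_matrix(samples).items():
        if score >= threshold:
            parent[find(p)] = find(q)
    groups = {}
    for n in samples:
        groups.setdefault(find(n), set()).add(n)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for pair, score in similarity_matrix().items():
        print(pair, score)
    print("families:", cluster())
```

Both features are cheap to defeat on their own (junk-opcode insertion skews the histogram, dynamic API resolution empties the import table), which is why the deck's advice to correlate several heuristics and several sandboxes carries over directly to classification.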
47. ALWAYS CORRELATE THE ANALYSIS:-
o ANUBIS (FORMERLY TTANALYZE)
o BITBLAZE (COUSIN OF THE WEBBLAZE PROJECT)
o COMODO
o CWSANDBOX
o EUREKA
o JOEBOX
o NORMAN SANDBOX
o THREAT EXPERT
o XANDORA
49. SUGGESTED READING
o WILDCAT: AN INTEGRATED STEALTH
ENVIRONMENT FOR DYNAMIC MALWARE
ANALYSIS – AMIT VASUDEVAN
o ‘WYSINWYX’ WHAT YOU SEE IS NOT WHAT
YOU EXECUTE - GOGUL BALAKRISHNAN
o LARGE-SCALE DYNAMIC MALWARE ANALYSIS
- ULRICH BAYER