---
name: Title
class: middle, center

# Kerala Police CyberDome Malware Analysis Workshop

.footnote[By [Rejah Rehim](https://rejahrehim.com)]

---

# What is malware?

Malware is a set of instructions that runs on your computer and makes your system do something that an attacker wants it to do.

---

What is it good for (from the attacker's point of view)?

- Steal personal information
- Delete files
- Click fraud
- Steal software serial numbers
- Use your computer as a relay

---
name: Title
class: middle, center

# Investigating Hacker Tools

---

# Given an executable, how do we find out what it does?

--

- Try to find the program online.
  - Search for the name of the program.
  - If the source is available, analyze it for clues.

--

- Perform source code review.

--

- Execute the program in a sandbox.
  - Some programs can break out of a sandbox / jail.

---

# Program Analysis

--

- Determine the type of executable.
  - ELF file on Unix
  - PE file (EXE/DLL) on Windows

--

- Symbol extraction:
  - Use a program like `strings` to find symbol names and text left in the object code.
  - Names give hints about what the program does.
  - Symbol names are gone from stripped files (string literals survive stripping, so `strings` still helps).

---
class: middle

Malware Analysis Techniques

---

# Static v. Dynamic Analysis

## Static Analysis

- Examines malware without running it
- Tools: VirusTotal, strings, a disassembler like IDA Pro

## Dynamic Analysis

- Run the malware and monitor its effect
- Use a virtual machine and take snapshots so the system can be rolled back
- Tools: RegShot, Process Monitor, Process Hacker, CaptureBAT
- RAM analysis: Mandiant Redline and Volatility

---

# Hashes

MD5, SHA-1 or SHA-256

- Identifies a file well in practice: different content, different hash
- Labels a malware sample
- Share the hash with other analysts to identify the same malware
- Search the hash online to see if someone else has already identified the file

???
Collision: two different files with the same hash.
MD5 and SHA-1 collisions can now be manufactured on purpose (chosen-prefix attacks), so record SHA-256 alongside them when sharing indicators.

---

# PE Basics

- Native executable file format of Windows
- Can be an EXE or DLL

---
# DOS Header

Starts with the magic number 4D 5A (the letters "MZ"; the bytes that follow, typically 90 00, are the e_cblp field and not part of the magic). The DWORD at offset 0x3C (e_lfanew) gives the file offset of the PE header.

# PE Header

1. 4-byte signature "PE\0\0" (50 45 00 00)
2. 20-byte file header, data type IMAGE_FILE_HEADER
3. Optional header: 224 bytes of type IMAGE_OPTIONAL_HEADER32 (Magic 0x10B) for 32-bit images; 64-bit images use the 240-byte IMAGE_OPTIONAL_HEADER64 (Magic 0x20B). SizeOfOptionalHeader in the file header gives the actual length, and the section table follows it.

---

# Packer functionalities

Binary packers alter the original binary data and restore it (more or less) in memory before execution.

- Compress
- Encrypt
- Randomize (polymorphism)
- Anti-debug tricks (INT instructions / fake JMP)
- Add junk
- Anti-VM
- Virtualization (code translated into a custom bytecode run by an embedded interpreter)

---

# Packing Files

- The code is compressed, like a Zip file
- This makes the strings and instructions unreadable on disk
- All you'll see is the wrapper (stub): small code that unpacks the file into memory when it is run

---

# Detecting Packers

- peutils (from the `pefile` project) with PEiD-style signatures
- Other tell-tale signs: very few imports, high section entropy, section names such as UPX0/UPX1

---
class: middle

# Investigate source code

Use reversing tools

???
Disassembler

---
class: middle

# Disassembler

Decodes binary machine code into readable assembly language text

???
# For example:
- IDA Pro
- ILDasm (Microsoft .NET IL disassembler)

---

# Debuggers

- Kernel-mode: a component that sits alongside the system's kernel. Allows stopping and observing the entire system.
- User-mode: attaches to a process and takes full control of that process.
- Tools:
  - OllyDbg
  - WinDbg (MS tool; user-mode and kernel-mode)
  - IDA Pro
  - NuMega SoftICE (discontinued)

---

# Decompilers

- Attempt to produce a high-level-language, source-code-like representation from a binary.
- Never completely possible because
  - the compiler removes some information (names, types, structure), and
  - the compiler optimizes the code.
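---

# Worked example: reading the PE headers and spotting a packer

The Python below is an added example for the DOS header, PE header, hash and packer-detection slides above; it is not part of the workshop material and uses no third-party library (a `pefile`/`peutils` signature scan would be the next step). It builds two constructed PE32 images in memory (a "packed" one with UPX-style writable+executable sections holding high-entropy data, and a plain one), walks `e_magic` to `e_lfanew` to `PE\0\0` to `IMAGE_FILE_HEADER` to the optional header `Magic` to the section table, computes MD5/SHA-1/SHA-256, and flags the hints a packer usually leaves. The section-name list and the 7.0 bits-per-byte entropy threshold are this example's rules of thumb, not values from the slides.

```python
import hashlib
import math
import random
import struct
from collections import Counter

IMAGE_DOS_SIGNATURE = 0x5A4D         # "MZ" as a little-endian WORD at offset 0
IMAGE_NT_SIGNATURE = 0x00004550      # "PE\0\0" as a little-endian DWORD at e_lfanew
FILE_HEADER_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}   # 224-byte IMAGE_OPTIONAL_HEADER32 / 240-byte IMAGE_OPTIONAL_HEADER64
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1", ".themida"}  # indicative list

def shannon_entropy(blob):
    """Bits per byte: 0.0 for empty input, close to 8.0 for compressed or encrypted data."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def parse_pe(data):
    """DOS header -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER -> optional header Magic -> section table."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    opt = e_lfanew + 24                               # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in OPTIONAL_MAGIC:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec = opt + opt_size                              # section table follows the optional header
    if sec + 40 * nsections > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER_FMT, data, sec + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_address": vaddr,
                         "virtual_size": vsize, "raw_size": rawsize, "characteristics": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"format": OPTIONAL_MAGIC[magic], "machine": machine, "timestamp": timestamp,
            "characteristics": characteristics, "sections": sections}

def is_pe(data):
    try:
        return bool(parse_pe(data))
    except ValueError:
        return False

def packer_hints(pe):
    """Cheap heuristics; a PEiD-style signature scan (pefile's peutils) would be the next step."""
    hints = []
    for s in pe["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hints.append("section %r has a known packer name" % s["name"])
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:         # 7.0 is this example's threshold
            hints.append("section %r has entropy %.2f: compressed or encrypted" % (s["name"], s["entropy"]))
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            hints.append("section %r is writable and executable, typical of an unpacking stub" % s["name"])
    return hints

def file_hashes(data):
    """Labels for sharing; include SHA-256 because MD5 and SHA-1 collisions can be manufactured."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def _align(n, a):
    return (n + a - 1) // a * a

def build_sample_pe(sections, file_align=0x200):
    """Constructed minimal PE32 for exercising the parser (headers plus raw sections, not a runnable program)."""
    e_lfanew = 0x40                                   # PE header right after the DOS header, no DOS stub
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = struct.pack("<H", 0x10B) + bytes(222)        # Magic = PE32, remaining fields zeroed
    file_header = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)  # i386, EXECUTABLE|32BIT
    headers_size = _align(e_lfanew + 4 + 20 + len(opt) + 40 * len(sections), file_align)
    table, body, raw_ptr, vaddr = b"", b"", headers_size, 0x1000
    for name, raw, chars in sections:
        padded = raw + bytes(_align(len(raw), file_align) - len(raw))
        table += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"), len(raw), vaddr,
                             len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body, raw_ptr, vaddr = body + padded, raw_ptr + len(padded), vaddr + _align(max(len(raw), 1), 0x1000)
    header = bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header + opt + table
    return header + bytes(headers_size - len(header)) + body

_rng = random.Random(2024)                            # seeded so the constructed sample is reproducible
HIGH_ENTROPY_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))     # stands in for compressed code
CONSTRUCTED_PACKED = build_sample_pe([("UPX0", b"", 0xE0000080),                   # RWX, uninitialised
                                      ("UPX1", HIGH_ENTROPY_BLOB, 0xE0000040)])    # RWX, packed payload
CONSTRUCTED_CLEAN = build_sample_pe([(".text", b"\x55\x8b\xec" * 200 + b"\xc3" + bytes(300), 0x60000020),  # R-X
                                     (".data", b"Hello from a plain section\0" + bytes(1000), 0xC0000040)])  # RW-

if __name__ == "__main__":
    for label, blob in (("packed", CONSTRUCTED_PACKED), ("clean", CONSTRUCTED_CLEAN)):
        pe = parse_pe(blob)
        print(label, pe["format"], file_hashes(blob)["sha256"])
        for s in pe["sections"]:
            print("  %-8s rva=0x%05x raw=%5d entropy=%.2f" % (s["name"], s["virtual_address"], s["raw_size"], s["entropy"]))
        print("  hints:", packer_hints(pe) or "none")
```

Run it against a real sample by replacing the constructed blobs with `open(path, "rb").read()`; the parser only trusts `SizeOfOptionalHeader`, so it copes with the odd optional-header sizes some linkers emit, and it raises rather than guessing when `e_lfanew` or the section table points outside the file.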
---

# System Monitoring Tools

- Filemon
- TCPView
- RegMon
- PortMon
- WinObj
- Process Explorer

(Filemon and RegMon have since been merged into Process Monitor.)

---

# Executable Dumping

- Dumpbin (MS)
- PEView
- PEBrowse Professional

---
name: Artifacts to look for

# Artifacts to look for

--

- Names of functions
  - Especially API functions
- Data strings
- Names of constant strings
- Names of directories
- Identification of the compiler

---

# Dynamic Program Analysis

- Run the program and see what it is doing

--

- Requires safety mechanisms

--

- Dedicated machine.

--

- Virtual machine.

--

- Code can recognize whether it is running in VMware.

--

- Transport malware safely (e.g. in a password-protected archive so it is not run or quarantined by accident)

---

# strace, systrace

--

- Run the program, but keep track of the system calls it makes, with their parameters.

--

- Most relevant calls (Unix)

???
Most relevant calls (Unix):
- open
- read
- write
- unlink
- lstat
- socket
- close

---
name: Environment
class: middle, center

# Use fport, netstat, ... to determine ports opened by the program

???
On Windows systems:
Use RegMon.
Use ListDLLs.
Use PsList to find out the processes created by the program.

---
name: REPL

# Intercept communication of the program

--

Need to generate a fake network (an isolated network in which DNS, HTTP and other services are answered by the analyst's own fake servers)

???
# Run the program in a debugger
- IDA Pro
- OllyDbg
- SoftICE

---

# Malware writers can use anti-reversing techniques.

--

- Eliminate symbolic information.

--

- Encrypt code.

--

- Code obfuscation.
  - Make HLL constructs difficult to understand.

--

- Anti-debugger methods:
  - Use the IsDebuggerPresent API (it reads the BeingDebugged flag in the PEB) to detect user-mode debuggers.
  - Use the NtQuerySystemInformation API (SystemKernelDebuggerInformation) to determine if a kernel debugger is attached to the system.
  - Set the trap flag and check whether the resulting single-step exception reaches the program's own handler. (A debugger would "swallow" it.)
  - Put in bogus bytes over which the code jumps. (Does not fool all disassemblers: linear-sweep disassemblers are confused, recursive-descent ones much less so.)
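---

# Worked example: triaging strace output

Added example for the strace slide; it is not part of the workshop material. The strace lines below are constructed for a hypothetical sample (`./sample`; the paths, the 203.0.113.10 address and port 4444 are made up) and follow the default `strace` output format. The script replays the trace with a file-descriptor table, so that a `write(4, ...)` is reported as bytes sent to a peer rather than as a bare fd number, and then lists the findings an analyst would read first. Lines strace prints for unfinished/resumed calls or signals are skipped, and the list of sensitive paths is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed strace output for a hypothetical sample; paths, address and port are made up.
CONSTRUCTED_STRACE = r'''
execve("./sample", ["./sample"], 0x7ffd2a1b3c40 /* 23 vars */) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2137
close(3) = 0
openat(AT_FDCWD, "/home/user/.ssh/id_rsa", O_RDONLY) = 3
read(3, "-----BEGIN OPENSSH PRIVATE KEY-----"..., 4096) = 1823
close(3) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
write(4, "-----BEGIN OPENSSH PRIVATE KEY-----"..., 1823) = 1823
openat(AT_FDCWD, "/tmp/.x", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 5
write(5, "\177ELF\2\1\1"..., 8192) = 8192
close(5) = 0
unlink("/var/log/auth.log") = 0
exit_group(0) = ?
'''

LINE_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\d+|\?)')      # call(args) = return value
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')                # first quoted argument (a path)
CONNECT_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([^"]+)"\)')
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/.gnupg/")   # this example's own list


def triage_strace(text):
    """Replay the trace with an fd table so reads, writes and connects are reported by path or peer."""
    fds = {}                       # fd -> ("file", path) or ("socket", (ip, port) or None)
    summary = {"files_read": [], "files_written": [], "files_deleted": [],
               "connections": [], "bytes_sent": defaultdict(int)}

    def remember(key, value):
        if value not in summary[key]:
            summary[key].append(value)

    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # unfinished/resumed calls and signal lines are not handled here
        call, args, ret = m.group(1), m.group(2), m.group(3)
        ret = None if ret == "?" else int(ret)
        first = args.split(",", 1)[0].strip()        # first argument, the fd for read/write/connect/close
        if call in ("open", "openat") and ret is not None and ret >= 0:
            path = STRING_RE.search(args).group(1)
            fds[ret] = ("file", path)
            if "O_WRONLY" in args or "O_RDWR" in args:
                remember("files_written", path)
        elif call == "socket" and ret is not None and ret >= 0:
            fds[ret] = ("socket", None)
        elif call == "connect" and CONNECT_RE.search(args):
            port, ip = CONNECT_RE.search(args).groups()
            fds[int(first)] = ("socket", (ip, int(port)))
            remember("connections", (ip, int(port)))
        elif call == "read":
            kind, target = fds.get(int(first), (None, None))
            if kind == "file":
                remember("files_read", target)
        elif call == "write" and ret is not None and ret > 0:
            kind, target = fds.get(int(first), (None, None))
            if kind == "socket" and target:
                summary["bytes_sent"][target] += ret
            elif kind == "file":
                remember("files_written", target)
        elif call in ("unlink", "unlinkat"):
            remember("files_deleted", STRING_RE.search(args).group(1))
        elif call == "close":
            fds.pop(int(first), None)
    summary["bytes_sent"] = dict(summary["bytes_sent"])
    return summary


def findings(summary):
    """The lines an analyst reads first: sensitive reads, outbound traffic, dropped files, deleted logs."""
    out = ["reads sensitive file %s" % p for p in summary["files_read"] if any(s in p for s in SENSITIVE_PATHS)]
    out += ["sends %d bytes to %s:%d" % (n, ip, port) for (ip, port), n in summary["bytes_sent"].items()]
    out += ["writes file %s" % p for p in summary["files_written"]]
    out += ["deletes %s" % p for p in summary["files_deleted"] if "/log/" in p]
    return out


if __name__ == "__main__":
    for line in findings(triage_strace(CONSTRUCTED_STRACE)):
        print(line)
```

To use it on a real run, capture with `strace -f -o trace.txt ./sample` and pass the file contents to `triage_strace`; with `-f` each line is prefixed by a PID, so strip that prefix (or extend `LINE_RE`) before matching.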
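---

# Worked example: what the anti-debugger checks look like

Added example for the anti-debugger methods on the previous slide; it is written for the analyst and is not taken from any malware. `IsDebuggerPresent` returns the `BeingDebugged` byte of the process's PEB, and `NtQuerySystemInformation` with `SystemKernelDebuggerInformation` (class 0x23) fills a two-byte structure `{KernelDebuggerEnabled, KernelDebuggerNotPresent}`. Both are Windows-only, so the script also reads `TracerPid` from `/proc/self/status`, the Linux counterpart (a ptrace-attached debugger sets it to its own PID). The trap-flag trick is not shown because it needs an exception handler around an inline `pushf`/`popf` sequence, which Python cannot express. To defeat the first check in a debugger, set the PEB byte to 0 or force the API's return value to 0.

```python
import ctypes
import platform
import re

TRACER_RE = re.compile(r"^TracerPid:\s*(\d+)", re.M)
SystemKernelDebuggerInformation = 0x23     # SYSTEM_INFORMATION_CLASS value for NtQuerySystemInformation


def parse_tracer_pid(status_text):
    """TracerPid from /proc/<pid>/status; 0 means nobody is ptrace-attached."""
    m = TRACER_RE.search(status_text)
    return int(m.group(1)) if m else 0


def linux_tracer_pid():
    try:
        with open("/proc/self/status") as f:
            return parse_tracer_pid(f.read())
    except OSError:                            # not a Linux system, or /proc unavailable
        return 0


def windows_user_mode_debugger():
    """kernel32!IsDebuggerPresent returns PEB->BeingDebugged, the check malware uses most often."""
    return bool(ctypes.windll.kernel32.IsDebuggerPresent())


def windows_kernel_debugger():
    """ntdll!NtQuerySystemInformation(SystemKernelDebuggerInformation) reports an attached kernel debugger."""
    class KernelDebuggerInfo(ctypes.Structure):          # SYSTEM_KERNEL_DEBUGGER_INFORMATION
        _fields_ = [("KernelDebuggerEnabled", ctypes.c_ubyte),
                    ("KernelDebuggerNotPresent", ctypes.c_ubyte)]
    info = KernelDebuggerInfo()
    status = ctypes.windll.ntdll.NtQuerySystemInformation(
        SystemKernelDebuggerInformation, ctypes.byref(info), ctypes.sizeof(info), None)
    return status == 0 and bool(info.KernelDebuggerEnabled) and not info.KernelDebuggerNotPresent


def debugger_present():
    """Combined check; False on platforms this example does not cover."""
    system = platform.system()
    if system == "Windows":
        return windows_user_mode_debugger() or windows_kernel_debugger()
    if system == "Linux":
        return linux_tracer_pid() != 0
    return False


if __name__ == "__main__":
    print("debugger attached:", debugger_present())
```

Running the script plainly prints `False`; running it under `gdb` or `strace` on Linux, or under WinDbg/OllyDbg on Windows, prints `True`, which is exactly the branch a sample uses to change its behaviour when it is being analysed.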