Malware Analysis

The document discusses different techniques for analyzing malware, including static analysis to examine code signatures and strings without execution, behavior-based analysis by monitoring activities in a sandbox, and code-based analysis using reverse engineering tools to understand malware operations at the assembly level. It provides examples of analyzing real malware using these techniques, such as examining network behaviors of MSN malware and disassembling code in OllyDbg to understand program logic. The goal is to safely understand malware capabilities and origins through a methodical analysis process.

Uploaded by Mansi Sharma

Malware

Software designed with the purpose of harming the victim's confidentiality, integrity or availability (CIA).
Goals of Malware Analysis

1. Evaluate the damage done by the malware by understanding its functionality.
2. Determine which systems are compromised by studying its spreading techniques.
3. Determine the vulnerabilities in our network and systems that it exploits, and use that knowledge to harden our environment.
4. Create a list of signatures and IOCs, to detect it and harden our environment.
5. Identify the sophistication level of the malware.
6. Identify the creator of the malware.
7. In general, answer as many questions about the sample as possible.
Indicators of Compromise (IOC)

[Figure: Indicators of Compromise (IOC): host-based signatures]
MSN Malware (1992)

https://zeltser.com/malware-sample-sources/
General Rules of Malware Analysis

▶ Malware can be a complex program. Avoid the details and focus on key features.
▶ Utilize the different tools and approaches available, depending on the type of analysis you intend to do.
▶ Tools overlap in functionality; if you don't get lucky with one, try another.
▶ Analyse the malware from different angles and using different approaches, to confirm your theories.
▶ Malware programmers can be clever and come up with techniques to hide their traces.
Malware Analysis Techniques

How are we analyzing?
▶ Static Analysis
▶ Dynamic Analysis
▶ Automated Analysis

What are we analyzing?
▶ Behavior Based Analysis
▶ Code Based Analysis
Automated Analysis

▶ Relying on existing tools that do the malware analysis in an automated manner.
▶ Advantages: saves time and workload.
▶ Disadvantages:
▶ Confidentiality concerns when using third parties rather than an in-house analyst, especially since some malware collects private data, which may be present in the sample you upload.
▶ Cost can be high for professional enterprise solutions.
▶ Many existing tools still require an analyst to go through the data log collected.
▶ Does not usually take the business impact into consideration.

(Demo available)

Automated Solutions - Examples

Examples: VirusTotal, Joe Sandbox, and more.
6b34cf6100ac5bf4479250048d61cc4d873dd84af74e5b2771b3205e2dbf0d22
Static Malware Analysis - Introduction

▶ Static analysis is analyzing the software without executing it, by looking at its fingerprints, strings, PE headers, etc.
▶ Advantages
▶ Safer, since we are not executing code.
▶ Faster, since we are just examining basic static information about the code.
▶ Disadvantage
▶ More primitive results than dynamic analysis; packing and obfuscation hide much of what the static view would otherwise show.
Static Malware Analysis - Introduction

▶ Fingerprints: hash the suspicious software (MD5, SHA-1, SHA-256) to uniquely identify it, then search for and share the hash with the malware analyst communities.
▶ Strings: a program contains strings when it prints a message, connects to a URL, copies a file to a specific location, reports an error, etc., so the string table is a quick preview of what it may do.
▶ Portable Executable (PE): the file format used by Windows executables, object code and DLLs; it includes information about the code, the type of application, required library functions, and space requirements.
▶ Linked libraries and functions: the imports, i.e. the code and functions used by the malware that are actually stored in an already known, existing library.
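As an added example (not code from the original slides), a Python script that performs the static checks listed above without third-party libraries: it hashes the file, pulls printable strings, walks the DOS header, PE signature, COFF header and section table, and computes per-section entropy together with a writable-and-executable flag, two quick tells for packed or self-modifying code. The PE image it analyses is a skeleton constructed inside the script (header fields and the strings gsmtp185.google.com and msnsetting.dat from this page's MSN case are placed there by hand, the timestamp and addresses are arbitrary); import-table parsing is left out. Point parse_pe at bytes read from disk to use it on a real sample.

```python
"""Static triage of a PE file: fingerprint, strings, COFF/section headers, entropy."""
import hashlib
import math
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000


def fingerprint(data: bytes) -> dict:
    """Hashes to search for and share with the analyst community."""
    return {h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """ASCII runs of at least min_len printable characters (what the strings tool prints)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 usually mean packed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 else None
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, roff, *_, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        raw = data[roff:roff + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "raw_size": rsize, "entropy": round(entropy(raw), 2),
            # a section that is both writable and executable is a classic packer/shellcode tell
            "writable_and_executable": bool(flags & SCN_WRITE) and bool(flags & SCN_EXECUTE),
        })
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "compile_time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "magic": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, magic),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """CONSTRUCTED sample: a hand-built PE32 skeleton (headers plus two sections), not a real
    executable; the strings inside echo the MSN sample discussed on this page."""
    text_data = b"\x55\x8b\xec" + b"What is the secret word?\0PASSWORD\0"
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # high-entropy blob
    data_data = b"gsmtp185.google.com\0msnsetting.dat\0" + filler
    text_off = 0x40 + 4 + 20 + 2 + 2 * 40        # DOS hdr, "PE\0\0", COFF, Magic, 2 section entries
    data_off = text_off + len(text_data)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5E000000, 0, 0, 2, 0x0102)  # x86, 2 sections, EXE
    opt = struct.pack("<H", 0x10B)                # PE32 magic only (SizeOfOptionalHeader = 2)

    def section(name, size, vaddr, roff, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, roff, 0, 0, 0, 0, flags)

    text = section(b".text", len(text_data), 0x1000, text_off, 0x60000020)   # CODE|EXEC|READ
    data = section(b".data", len(data_data), 0x2000, data_off, 0xE0000040)   # DATA|EXEC|READ|WRITE
    return bytes(dos) + b"PE\0\0" + coff + opt + text + data + text_data + data_data


if __name__ == "__main__":
    sample = build_sample_pe()
    print(fingerprint(sample)["sha256"])
    print([s for s in extract_strings(sample) if "." in s or s.isupper()])
    for sec in parse_pe(sample)["sections"]:
        print(sec)
```

On a real sample the interesting output is the section list: a section flagged writable_and_executable, or one whose entropy sits near 8.0 next to a tiny .text, says the binary is packed and that the strings you just extracted are the packer's, not the malware's, which is exactly the "more primitive results" caveat above.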

(Demo available)

Static Analysis - PEStudio
Behavior Based Analysis

▶ Behavior-based analysis is monitoring the behavior of a piece of software for suspicious activities in an isolated environment referred to as a sandbox.
▶ Suspicious activities: attempts to perform actions that are clearly abnormal or unauthorized. They can be:
▶ System based
▶ Network based
▶ Isolated environment: never perform the analysis directly on our own machines or on a machine connected to our network.
▶ We used a Windows 8.1 virtual machine.

(Demo available)

General Malware Behavior

Email: [email protected]
Password: bbbb
Behavior Analysis - Network Oriented

▶ Analyzing the network flows (both inbound and outbound) that may be caused by the malware.
▶ Malware tries to connect to servers, URLs and IP addresses for many reasons, e.g. sending or grabbing data, and/or discovering the network.
▶ IOCs can show up on the network "weeks and even months" before the malicious software is uncovered.
Behavior Analysis - Network Oriented

Tools: Wireshark, Fiddler, Microsoft Network Analyzer.
Behavior Analysis - Network Oriented

A DNS resolution query for gsmtp185.google.com, observed as a result of running the malicious MSN Live Messenger sample.
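As an added example (not part of the original slides), a Python script that extracts DNS question names from a pcap such as Wireshark writes and matches them against a network IOC list, which is the check behind the observation above. The capture is constructed inside the script: two Ethernet/IPv4/UDP frames from hypothetical hosts 10.0.0.5 to 10.0.0.1, one querying gsmtp185.google.com as in the demo and one querying www.example.com; the IOC list holds the two domains from the summary on this page. Only the classic little-endian pcap format with the Ethernet link type is handled, and IP/UDP checksums are not verified; both are assumptions of this example.

```python
"""Extract DNS query names from a pcap and match them against a network IOC list."""
import struct

PCAP_MAGIC, ETHERTYPE_IPV4, IPPROTO_UDP, DNS_PORT = 0xA1B2C3D4, b"\x08\x00", 17, 53


def decode_name(data: bytes, off: int) -> tuple[str, int]:
    """Decode a DNS name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                        # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack_from(">H", data, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                                  # root label terminates the name
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length


def dns_queries_from_pcap(pcap: bytes) -> list[dict]:
    """Walk pcap records; for Ethernet/IPv4/UDP frames to port 53 return each question name."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only little-endian, usec resolution)")
    off, queries = 24, []
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_UDP:
            continue
        udp = ip[ihl:]
        sport, dport = struct.unpack_from(">HH", udp, 0)
        if dport != DNS_PORT:
            continue
        dns = udp[8:]
        txid, flags, qdcount = struct.unpack_from(">HHH", dns, 0)
        if flags & 0x8000:                               # QR=1 is a response; we want queries
            continue
        pos = 12
        for _ in range(qdcount):
            name, pos = decode_name(dns, pos)
            qtype = struct.unpack_from(">H", dns, pos)[0]
            pos += 4                                     # QTYPE + QCLASS
            queries.append({"ts": ts, "src": ".".join(map(str, ip[12:16])),
                            "dst": ".".join(map(str, ip[16:20])), "name": name, "qtype": qtype})
    return queries


def match_iocs(queries: list[dict], iocs: list[str]) -> list[dict]:
    """A query hits if its name equals an IOC domain or is a subdomain of one."""
    wanted = {i.lower().strip(".") for i in iocs}
    return [q for q in queries
            if any(q["name"].lower() == w or q["name"].lower().endswith("." + w) for w in wanted)]


# --- CONSTRUCTED sample capture (hypothetical hosts 10.0.0.5 -> 10.0.0.1) -------------------
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\0"


def build_query_frame(name: str, txid: int) -> bytes:
    dns = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)
    udp = struct.pack(">HHHH", 49152, DNS_PORT, 8 + len(dns), 0) + dns      # checksum left 0
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + udp
    return b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4 + ip


def build_pcap(frames: list[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)         # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


SAMPLE_PCAP = build_pcap([build_query_frame("gsmtp185.google.com", 0x1111),
                          build_query_frame("www.example.com", 0x2222)])
NETWORK_IOCS = ["ourgodfather.com", "gsmtp185.google.com"]   # the indicators from this page's summary

if __name__ == "__main__":
    for hit in match_iocs(dns_queries_from_pcap(SAMPLE_PCAP), NETWORK_IOCS):
        print(hit)
```

The same loop run over a capture taken from the span port, rather than the sandbox, is how an IOC "shows up on the network" weeks before the sample is found: the DNS lookup is visible even when the connection itself is blocked or encrypted.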
Code Based Analysis

▶ Pre-requisite: knowledge of disassembly, code constructs, and operating system concepts.
▶ Code based analysis: understanding the internals of the malware by breaking it apart using software reverse engineering techniques.
▶ Tools: hex editor, decompiler, disassembler, debugger (Ring 0 kernel mode or Ring 3 user mode).
▶ We will use OllyDbg as an example.
Code Based Analysis - OllyDbg

#include <cstdio>
#include <iostream>
#include <string>
using namespace std;

int main()
{
    string Y;
    int rnd;

    printf("What is the secret word?");
    getline(cin, Y);

    // keep asking until the hard-coded secret matches; this comparison is
    // the branch an analyst locates and patches in the debugger
    while (!(Y == "PASSWORD")) {
        printf("No, What is the secret word? ");
        getline(cin, Y);
    }

    printf("THAT IS CORRECT, Bye ");
    cin >> rnd;   // wait for input so the console window stays open
    return 0;
}
Code Based Analysis - OllyDbg

[Figure: the malware author writes the program in a high-level language (the secret-word source above); the compiler turns it into CPU machine code; the malware analyst disassembles the machine code back into a low-level language and works from that.]
Code Based Analysis - OllyDbg

OllyDbg's main interface is split into 5 different regions, as follows:

1. Disassembler window: shows the disassembled code as it is executed.
2. Registers window: shows the registers along with their values in real time (when a value changes, it appears in red). You can modify the value of these registers.
3. Information window: brings up information about the current line of code.
4. Stack window: current state of the stack in memory.
5. Memory dump window: dump of live memory for the debugged process.
Code Based Analysis - OllyDbg

Debugging commands
1. Step into
2. Step over
3. Create breakpoint
4. Go to next reference
5. Go to previous reference
6. ...

Assembly instructions
1. JMP, JNZ, JE, JZ <LOC>: unconditional / conditional jumps to a location
2. CALL <LOC>, RETN: call a subroutine / return from it
3. MOV <DST>,<SRC>: copy a value between registers and memory
4. AND, OR, XOR <DST>,<SRC>: bitwise operations (XOR reg,reg zeroes the register)
5. PUSH, POP <VALUE>: stack operations
6. TEST: AND without storing the result; sets the flags a following conditional jump reads
7. NOP: no operation (opcode 0x90, the analyst's usual patch byte)
8. ...
Code Based Analysis

Demo 1: Ollydbgsample.exe (the secret-word program above). Goal: understanding the assembly code and manipulating it to change the logical behavior of the program.

Demo 2: MSN Messenger. Goal: tracing within the assembly code to understand the logic behind the file msnsetting.dat.
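To make the first demo's goal concrete, an added Python example (not the slides' own material) that decodes and patches x86 jump instructions the way an analyst does after locating the password check in OllyDbg: NOP the jump so it is never taken, turn it into an unconditional JMP so it is always taken, or invert its condition. It handles both the short (rel8) and near (0F 8x rel32) conditional forms and keeps every patch the same length, so nothing after it moves. The byte layout of SECRET_LOOP is a hypothetical hand-written sketch of the while loop, not real compiler output, and the offset of the jump is something the disassembler tells you: the decoder must not be run blindly over a byte stream, because immediates and data also contain bytes that look like opcodes.

```python
"""Decode and patch x86 jumps in raw code bytes: the 'change the logic' step of the OllyDbg demo."""
from typing import Optional

# condition codes for opcodes 0x70..0x7F (short) and 0x0F 0x80..0x8F (near), in order
COND = ["O", "NO", "B", "AE", "E", "NE", "BE", "A", "S", "NS", "P", "NP", "L", "GE", "LE", "G"]


def _rel(code: bytes, off: int, width: int) -> int:
    return int.from_bytes(code[off:off + width], "little", signed=True)


def decode_jump(code: bytes, off: int) -> Optional[dict]:
    """Decode JMP/Jcc (rel8 and rel32) at off; target is an offset into code.
    Returns None if the bytes at off are not a jump. Only call it at offsets a
    disassembler or debugger identified as instruction starts."""
    op = code[off]
    if op == 0xEB:
        return {"mnemonic": "JMP", "size": 2, "target": off + 2 + _rel(code, off + 1, 1)}
    if op == 0xE9:
        return {"mnemonic": "JMP", "size": 5, "target": off + 5 + _rel(code, off + 1, 4)}
    if 0x70 <= op <= 0x7F:
        return {"mnemonic": "J" + COND[op - 0x70], "size": 2, "target": off + 2 + _rel(code, off + 1, 1)}
    if op == 0x0F and off + 1 < len(code) and 0x80 <= code[off + 1] <= 0x8F:
        return {"mnemonic": "J" + COND[code[off + 1] - 0x80], "size": 6,
                "target": off + 6 + _rel(code, off + 2, 4)}
    return None


def patch_jump(code: bytes, off: int, mode: str) -> bytes:
    """Return a copy of code with the jump at off patched, without changing its length.
      nop    -> jump never taken (fall through), instruction replaced by NOPs
      always -> jump always taken (Jcc becomes JMP), same target
      invert -> condition flipped (JE<->JNE, JL<->JGE, ...), same target"""
    j = decode_jump(code, off)
    if j is None:
        raise ValueError(f"no jump at offset {off:#x}")
    buf = bytearray(code)
    if mode == "nop":
        buf[off:off + j["size"]] = b"\x90" * j["size"]
    elif mode == "always":
        if j["mnemonic"] == "JMP":
            return bytes(buf)
        if j["size"] == 2:
            buf[off] = 0xEB                                  # Jcc rel8 -> JMP rel8 (rel unchanged)
        else:
            # 0F 8x rel32 (6 bytes) -> 90 E9 rel32: the leading NOP keeps the instruction
            # end where it was, so the stored rel32 still lands on the same target
            buf[off], buf[off + 1] = 0x90, 0xE9
    elif mode == "invert":
        if j["mnemonic"] == "JMP":
            raise ValueError("unconditional jump has no condition to invert")
        idx = off if j["size"] == 2 else off + 1
        buf[idx] ^= 0x01                                     # bit 0 of the cc field negates it
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return bytes(buf)


# CONSTRUCTED snippet: a hypothetical layout of the secret-word loop, not real compiler output
#   0: 6A 00             push 0                 ; loop_top (placeholder argument)
#   2: E8 00 00 00 00    call <compare>         ; placeholder rel32 = 0
#   7: 85 C0             test eax, eax
#   9: 75 F5             jne loop_top           ; wrong password -> ask again
#  11: C3                ret                    ; correct -> leave the loop
SECRET_LOOP = bytes.fromhex("6a00 e800000000 85c0 75f5 c3")
JNE_OFFSET = 9

if __name__ == "__main__":
    print(decode_jump(SECRET_LOOP, JNE_OFFSET))
    for m in ("nop", "always", "invert"):
        print(m, patch_jump(SECRET_LOOP, JNE_OFFSET, m).hex())
```

In the demo the useful patch is "nop" or "invert": with the JNE removed, any input falls through to the "THAT IS CORRECT" path, which is the change of logical behavior the slide describes. In OllyDbg the equivalent is right-click, Binary, Edit on the instruction, then Copy to executable to write the patched bytes back to the file.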
Analysis Summary for MSN Malware

Static based analysis: found the URL ourgodfather<dot>com in the binary.
Behavior based (running the executable): MSN tried accessing the URL.
Behavior, system based: two files were written to the hard disk; the parameters in the file included credentials in plaintext, the email [email protected], and the DNS name gsmtp185.google.com.
Behavior, network based: two DNS name resolution queries, for ourgodfather<dot>com and gsmtp185.google.com.
Code based analysis: a secret configuration interface, containing the parameters used to send email to the server.
Questions

▶ Importance of malware analysis.


▶ Different ways of Analyzing a malware.
▶ Behavior vs Code based.
▶ Static vs Dynamic vs Automatic based.
▶ How to search for IOC on both the network and the systems.
▶ How to reverse engineer a code and the benefits of that in
malware analysis

IBM ICE (Innovation Centre for Education)

Welcome to:
Malware Analysis

© Copyright IBM Corporation 2016

9.1 Analyzing Live Windows System for Malware
• Dynamic analysis is an efficient way to identify malware functionality on a live Windows system.
• Although dynamic analysis techniques are extremely powerful, they should be performed only after basic static analysis has been completed, because dynamic analysis can put your network and system at risk.
• While it is usually simple enough to run executable malware by double-clicking it or running it from the command line, it can be tricky to launch malicious DLLs because Windows doesn't know how to run them automatically (rundll32.exe with the DLL path and an exported function name is the usual way).
• Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity.
• One way to recognize process replacement (process hollowing) is to use the Strings tab in Process Explorer's Process Properties window to compare the strings contained in the disk executable (image) against the strings in memory for that same executable; a legitimate process whose in-memory strings differ from its image has probably been replaced.
• Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots, one before and one after running the sample.
• Wireshark is an open source sniffer, a packet capture tool that intercepts and logs network traffic. Wireshark provides visualization, packet-stream analysis, and in-depth analysis of individual packets.
Analyzing Live Linux System for Malware

• The hard drive of a Linux computer can contain traces of malware in various places and forms, including malicious files, configuration scripts, log files, web browser history, and remnants of installation and execution such as system logs and command history.
• Many intruders use easily recognizable programs such as known rootkits, keystroke monitoring programs, sniffers, and anti-forensic tools.
• Searching a forensic duplicate of a compromised system for hash values matching known malware may identify other files with the same data but different names.
• Tools such as Rootkit Hunter and chkrootkit have been developed to look for known malicious code on Linux systems.
• Using updated antivirus programs to scan files within a forensic duplicate of a compromised system may identify known malware. To increase the chances of detecting malware, multiple antivirus programs can be used, with any heuristic capabilities enabled.
• Malware on Linux systems is often simply a modified version of a legitimate system binary, making it harder to distinguish; verifying installed binaries against the package manager's recorded hashes (rpm -V, debsums) exposes such modifications.
• Look in all available log files on the compromised system for traces of malicious execution and associated activities, such as creation of a new service.
Analyzing Physical and Process Memory Dumps for Malware

• The advancement in malware and rootkit detection and digital forensics in the commercial products just discussed was due in large part to a resurgence of interest in a research area that has been around the digital forensics community for some time.
• The KNTList forensic tool can parse information from a memory dump, reconstruct evidence such as process listings and loaded DLLs, and analyze the dump to decipher the intrusion scenario.
• Volatility is a memory analysis environment with an extensible underlying framework of tools, based on research by Aaron Walters of Volatile Systems.
• Volatility provides basic information that it parses from the memory dump, including:
– Running processes and threads
– Open network sockets and connections
– Loaded modules in user and kernel mode
– The resources a process is using, such as files, objects, registry keys and other data
– The capability to dump a single process or any binary in the dump and use it for further analysis
Discovering and Extracting Malware from Windows Systems

• Malware often uses the registry for persistence or configuration data.
• Real malware code opens the Run key in the registry (HKLM or HKCU \Software\Microsoft\Windows\CurrentVersion\Run) and adds a value so that the program runs each time Windows starts.
• Malware commonly relies on network functions to do its dirty work, and there are many Windows API functions for network communication.
• There are many ways that malware can transfer execution in addition to the jump and call instructions.
• Malware authors often find it more advantageous to store malicious code in a DLL rather than in an .exe file, since a DLL runs inside an existing, trusted-looking process.
• Nearly all malware uses the basic Windows DLLs found on every system. The Windows DLLs contain the functionality needed to interact with the OS.
• Malware can also execute code outside the current program by creating a new process or modifying an existing one.
• Malware can load a new malicious library into a process by calling CreateThread (or CreateRemoteThread, for a thread in another process) with the address of LoadLibrary as the thread start address and the DLL path as its argument.
• Another way for malware to execute additional code is by installing it as a service.
• When analyzing malware that uses COM, you'll need to be able to determine which code will be run as a result of a COM function call.
Discovering and Extracting Malware from Linux Systems

• Explore the file system for traces left by malware.
• Scour files associated with applications for traces of usage related to the malware.
• Search for distinctive keywords each time such an item is uncovered during forensic analysis.
• Performing a comprehensive forensic reconstruction can provide digital investigators with a detailed understanding of the malware incident.
• Perform a targeted remote scan of all hosts on the network for specific indicators of the malware.
Rootkits and Rootkit Detection and Recovery

• The predecessor of the first rootkit was actually not a rootkit at all, but a set of applications that removed evidence of an intrusion from a machine.
• The first generation served one major purpose: execute commands for an attacker without being seen.
• With the ability to log back into a server with full administrative privileges, the attacker can leverage the server for other attacks, store data, or host a malicious website. Rootkits maintain access by installing either local or remote backdoors.
• Rootkits have the ability to conceal traces of their existence on the system.
• Network-based rootkits do not run on the network but are accessible via the hacked system's web server.
• The two types of rootkits: user-mode and kernel-mode.
• One of the simplest and most used techniques, System Service Descriptor Table (SSDT) hooking, is fairly easy to detect, and almost every tool available detects SSDT hooks: an entry that points outside the kernel image (ntoskrnl) has been hooked.
• The method for detecting IRP hooking is the same as for detecting SSDT hooking. Each driver exports a set of 28 function pointers (the MajorFunction table in its DRIVER_OBJECT) to handle I/O request packets; a pointer that lands outside the driver's own image has been hooked.

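As an added illustration (not from the IBM slides), the address-range check that both detections above boil down to, in Python over a constructed snapshot of an SSDT and a driver's MajorFunction table: a pointer that does not resolve into a module allowed to own the table is a hook, and the module it does resolve to (or none, for memory no loaded image backs) names the suspect. A prologue check for inline hooks, which pointer-range checks cannot see, is included. Module names, addresses and table contents are hypothetical; on a real memory dump this comparison is what Volatility's ssdt, driverirp and apihooks plugins perform.

```python
"""Pointer-range checks for SSDT and IRP dispatch-table hooks, plus a prologue check for inline hooks."""
from dataclasses import dataclass
from typing import Optional

# IRP major function codes 0..27 (IRP_MJ_MAXIMUM_FUNCTION = 0x1B), in table order
IRP_MJ = ["CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE", "QUERY_INFORMATION",
          "SET_INFORMATION", "QUERY_EA", "SET_EA", "FLUSH_BUFFERS", "QUERY_VOLUME_INFORMATION",
          "SET_VOLUME_INFORMATION", "DIRECTORY_CONTROL", "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL",
          "INTERNAL_DEVICE_CONTROL", "SHUTDOWN", "LOCK_CONTROL", "CLEANUP", "CREATE_MAILSLOT",
          "QUERY_SECURITY", "SET_SECURITY", "POWER", "SYSTEM_CONTROL", "DEVICE_CHANGE",
          "QUERY_QUOTA", "SET_QUOTA", "PNP"]


@dataclass(frozen=True)
class Module:
    """A loaded kernel image: its name and the address range it occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: list[Module]) -> Optional[str]:
    """Name of the loaded module whose range covers addr; None means unbacked memory,
    typical of a rootkit that unlinked itself from the loaded-module list."""
    return next((m.name for m in modules if m.contains(addr)), None)


def table_hooks(table: list[int], allowed: list[Module], modules: list[Module]) -> list[dict]:
    """Entries that do not point into any module allowed to own them."""
    return [{"index": i, "address": addr, "owner": owner_of(addr, modules)}
            for i, addr in enumerate(table)
            if not any(m.contains(addr) for m in allowed)]


def ssdt_hooks(ssdt: list[int], ntoskrnl: Module, modules: list[Module]) -> list[dict]:
    """Every KiServiceTable entry must resolve inside ntoskrnl (the shadow table for GUI
    calls is checked the same way against win32k.sys)."""
    return table_hooks(ssdt, [ntoskrnl], modules)


def irp_hooks(major_function: list[int], driver: Module, ntoskrnl: Module,
              modules: list[Module]) -> list[dict]:
    """A driver's 28 MajorFunction pointers should land in its own image, or in ntoskrnl
    for entries the driver never assigned (the kernel supplies a default handler)."""
    if len(major_function) != len(IRP_MJ):
        raise ValueError("MajorFunction table must have 28 entries")
    return [dict(h, irp="IRP_MJ_" + IRP_MJ[h["index"]])
            for h in table_hooks(major_function, [driver, ntoskrnl], modules)]


def inline_hooked(prologue: bytes) -> bool:
    """Heuristic for an inline (detour) hook, invisible to range checks because the table
    pointer is untouched: the function body itself starts by transferring control away.
    Flags E9 rel32 (jmp), FF 25 (jmp [mem]) and 68 imm32 / C3 (push addr; ret).
    Some legitimate functions begin with a jump, so a hit is a lead, not a verdict."""
    return (prologue[:1] == b"\xe9" or prologue[:2] == b"\xff\x25"
            or (prologue[:1] == b"\x68" and prologue[5:6] == b"\xc3"))


# --- CONSTRUCTED snapshot: hypothetical addresses, not taken from any real system ----------
NTOSKRNL = Module("ntoskrnl.exe", 0x80400000, 0x200000)
TCPIP = Module("tcpip.sys", 0xF8000000, 0x40000)
ROOTKIT = Module("hidden.sys", 0xF8A00000, 0x10000)      # the malicious driver
MODULES = [NTOSKRNL, TCPIP, ROOTKIT]
SSDT = [0x80480000, 0x80481234, 0xF8A01000, 0x90000000]  # entry 2 -> rootkit, entry 3 -> unbacked
TCPIP_MAJOR = [0x80410000] * 28                          # unassigned entries -> nt default handler
TCPIP_MAJOR[0] = 0xF8001000                              # IRP_MJ_CREATE handled by tcpip itself
TCPIP_MAJOR[14] = 0xF8A02000                             # IRP_MJ_DEVICE_CONTROL redirected

if __name__ == "__main__":
    print(ssdt_hooks(SSDT, NTOSKRNL, MODULES))
    print(irp_hooks(TCPIP_MAJOR, TCPIP, NTOSKRNL, MODULES))
```

The weak point of the range check is the allowed list: a rootkit that copies its hook into a gap inside ntoskrnl's image, or that hooks by overwriting the first bytes of the real handler, passes it, which is why the inline-prologue check (and, on a dump, a comparison of the function bytes against a clean copy of the kernel) belongs beside it.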
Reverse Engineering Tools and Techniques

• Machine code is the form of code that the computer can run quickly and efficiently. When we disassemble malware, we take the malware binary as input and generate assembly language code as output, usually with a disassembler.
• Instructions are the building blocks of assembly programs. In x86 assembly, an instruction is made of a mnemonic and zero or more operands.
• Each instruction corresponds to opcodes (operation codes) that tell the CPU which operation the program wants to perform.
• On 32-bit x86, all general-purpose registers are 32 bits in size and can be referenced as either 32 or 16 bits in assembly code (EAX/AX); the first four can also be referenced as 8-bit halves (AH/AL).
• The simplest and most common instruction is mov, which is used to move data from one location to another.
• It is possible to read data from the stack without using the push or pop instructions, e.g. with mov and an address relative to esp or ebp.
• All programming languages have the ability to make comparisons and make decisions based on those comparisons. Conditionals are instructions that perform the comparison (cmp, test); the conditional jump that follows acts on the flags they set.
• The Interactive Disassembler Professional (IDA Pro) is an extremely powerful disassembler distributed by Hex-Rays.
Checkpoint
1. Which one of the following is not a malware?
A. Application software
B. Spam
C. Computer virus
D. Worm
2. What is the purpose of polyinstantiation?
A. To restrict lower-level subjects from accessing low-level information
B. To make a copy of an object and modify the attributes of the second copy
C. To create different objects that will react in different ways to the same input
D. To create different objects that will take on inheritance attributes from their class
3. Which of the following attack type best describes what commonly takes place to overwrite
a return pointer memory segment?
A. Traversal attack
B. UNICODE attack
C. URL encoding attack
D. Buffer overflow attack
