
Computer Security

Identifying Malicious Patterns

Eng. Mahmoud Al-Hoby 1


Analyzing Malware
• Malware Analysis is the art of dissecting malware to understand how
it works, how to identify it, and how to defeat or eliminate it.
• The purpose of malware analysis is usually to provide the information
you need to respond to an intrusion.
• Part of that response is identifying the unique patterns in the sample
(file hashes, strings, imported functions, network traffic) that can be
turned into a signature for detecting it.



Malware Analysis Techniques
• Static Analysis:
• involves examining the malware without running it.
• Dynamic Analysis:
• involves running the malware and observing what it does.
• Each of these can be done at two levels:
• Basic
• Advanced



Malware Analysis Techniques
• Basic Static Analysis
• Involves examining the executable file without viewing the actual
instructions (hashes, strings, headers, imports, packer signatures).
• Can help confirm whether a file is malicious.
• Can provide information about its functionality.
• Can provide information that will help in generating simple network
signatures.
• Basic static analysis is straightforward and can be quick, but it is
largely ineffective against sophisticated malware (packed or obfuscated
samples), and it can miss important behaviors.
Malware Analysis Techniques
• Basic Dynamic Analysis
• Involves running the malware and observing its behavior on the
system (files written, registry keys touched, processes started, network
traffic), in order to remove the infection, produce effective signatures,
or both.
• It requires that we prepare a special environment (an isolated virtual
machine or sandbox with no route to the production network) that lets us
study the malware without the risk of damaging a real system.



Malware Analysis Techniques
• Advanced Static Analysis
• Involves reverse-engineering the malware's internals by loading the
executable into a disassembler and reading the program instructions
in order to discover what the program does.
• However, it is harder to learn and requires specialized knowledge of
disassembly, code constructs, and Windows operating system
concepts.



Malware Analysis Techniques
• Advanced Dynamic Analysis
• Uses a debugger to examine the internal state of a running malicious
executable.
• It provides another way to extract detailed information from
the samples.
• It is most useful when trying to obtain information that is
difficult to gather with the other techniques (for example, a decryption
key or a configuration block that only exists in memory at run time).



Malware Types (to remember)
• Backdoor
• Botnet
• Downloader
• Information-Stealing Malware
• Launcher
• Rootkit
• Spam-Sending Malware
• Worm or Virus



General Rules for Malware Analysis
• Don’t get too caught up in the details.
• Remember that different tools and approaches are available for
different jobs.
• Remember that malware analysis is like a cat-and-mouse game.
When analysts develop new techniques, malware writers will
improve theirs.



Basic Static Analysis Techniques



Using an Anti-Virus
• It is possible that the sample in hand has already been analyzed
by someone else, so the first thing to do is scan the sample with
multiple antivirus engines.
• It is common to use sites like VirusTotal to do this task:
• https://www.virustotal.com/
• We can upload the file to the website and click Scan.
• Caveat: an uploaded file is shared with the participating vendors and
may become visible to third parties, including the attacker, who can then
learn that the sample is under investigation. On a sensitive case, search
by hash first and upload only if the hash is unknown.



Hashing
• It is common to use hashing to fingerprint a sample: the hash is a
fixed-size value computed from the file contents, so a single changed
byte produces a completely different hash and identical files always
produce the same one.
• We can either:
• Compare the hash with the hash of the original file (if available)
• Search the hash online to see if it has already been identified
• Caveat: MD5 is still the hash most tools and reports use, but it is no
longer collision-resistant, so record SHA-256 alongside it; sites such as
VirusTotal index samples by MD5, SHA-1 and SHA-256.



Hashing
• We can write our own "Hashing Application", but we may also use
some of the ready-made applications for this purpose, including:
• md5deep: a command-line tool that generates MD5 hashes (the same
suite provides sha1deep and sha256deep)
• WinMD5: a GUI Windows application for the same purpose
• Quiz for Next Lecture:
• Develop a desktop application that can be used to calculate MD5
hashes
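Added example (written for this page; not the author's code and not the quiz solution): a command-line hashing tool of the kind the previous slides describe. It goes a little beyond the MD5 the quiz asks for and computes MD5, SHA-1 and SHA-256 in one pass over the file, and it includes the "compare with the hash of the original file" check from the Hashing slide. All function names are this example's own.

```python
import hashlib
import hmac
import io
import sys
from typing import BinaryIO, Dict

# Digests worth recording for every sample. MD5 is kept because older reports
# and tools still key on it, but MD5 and SHA-1 are no longer collision-resistant,
# so SHA-256 is the value to treat as the sample's identity.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file-like object in a single pass and return lowercase hex digests.

    Chunked reading keeps memory use flat for large droppers or memory dumps.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (e.g. a file carved from a capture)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return hash_stream(f)


def matches_known_hash(digests: Dict[str, str], algorithm: str, expected: str) -> bool:
    """Compare a computed digest with a reference value, e.g. the vendor's
    published hash of the legitimate file or a hash from a threat-intel report.

    hmac.compare_digest runs in constant time; both sides are lowercased first
    so a reference copied in upper-case hex still matches.
    """
    return hmac.compare_digest(digests[algorithm].lower(), expected.strip().lower())


def main(argv) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} FILE...", file=sys.stderr)
        return 2
    for path in argv[1:]:
        digests = hash_file(path)
        for name in ALGORITHMS:          # md5deep-style "<digest>  <path>" lines
            print(f"{digests[name]}  {path}  ({name})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python hasher.py sample.exe` and paste the SHA-256 line into the hash search box of VirusTotal or a similar service before deciding whether to upload the file itself.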



Finding Strings
• A string in a program is a sequence of bytes that are
interpreted as a sequence of characters.
• Any program will contain strings if it prints a message, connects
to a URL, copies a file to a specific location, or accesses a known
registry key.



Finding Strings
• Searching for strings can be a simple way to get hints about the
functionality of a program.
• For example, if the program accesses a URL, then this URL will be stored as a
string in the program (unless the author has encoded or encrypted it).
• ASCII and Unicode strings usually end with a null terminator.
• ASCII uses 1 byte per character; what Windows calls "Unicode" is UTF-16LE,
which uses 2 bytes per character, so an English string appears as each
letter followed by a 0x00 byte and its terminator is two zero bytes.
• Microsoft provides the Strings application (part of Sysinternals), which
can be used to retrieve a list of the strings in a program:
• https://technet.microsoft.com/en-us/sysinternals/bb897439



Finding Strings
• Strings works by searching for a sequence of three or more ASCII or
Unicode characters followed by a string termination character. However,
not every sequence it reports is an actual string.
• For example, if Strings finds the sequence of bytes 0x56, 0x50, 0x33,
0x00, it will report the string "VP3", which is most likely not an
actual string but three bytes of code or data that happen to be printable.
• Fortunately, most invalid strings are obvious, because they do
not represent legitimate text.
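Added example, not part of the original slides: a Python re-implementation of what Strings does (runs of at least three printable ASCII or UTF-16LE characters), followed by a first triage pass that buckets the results into URLs, IPv4 addresses, registry keys, file paths and DLL names, which are the kinds of strings the slides say give hints about functionality. The sample bytes are constructed for the demo and include the 0x56 0x50 0x33 0x00 sequence from the slide, so the "VP3" false positive shows up in the "other" bucket. One deliberate difference from the slide's description: like the real tool, this version reports a run whether or not a null byte follows it.

```python
import re
import sys
from typing import Dict, List, Tuple

MIN_LEN = 3  # same default minimum length as Sysinternals Strings

# A run of MIN_LEN or more printable ASCII bytes (0x20-0x7e).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters as UTF-16LE ("Unicode" on Windows): each byte followed by 0x00.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE candidate, by offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return sorted(found)


# Patterns an analyst looks for first; each one hints at a capability.
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"']+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[^\s\"']+", re.I),
    "path": re.compile(r"\b[A-Za-z]:\\[^\s\"']+"),
    "dll": re.compile(r"\b[\w.-]+\.dll\b", re.I),
}


def triage(data: bytes) -> Dict[str, List[str]]:
    """Bucket candidate strings by the behaviour they suggest; the rest go to 'other',
    which is where junk such as 'VP3' ends up for a human to skim."""
    groups: Dict[str, List[str]] = {k: [] for k in INDICATORS}
    groups["other"] = []
    for _, _, text in extract_strings(data):
        for kind, pat in INDICATORS.items():
            if pat.search(text):
                groups[kind].append(text)
                break
        else:
            groups["other"].append(text)
    return groups


# Constructed sample bytes (not from a real binary): artefacts separated by non-printable filler.
SAMPLE = (
    b"\x00\x90\x90http://c2.example.net/gate.php\x00"
    + b"\x56\x50\x33\x00"                                   # the "VP3" false positive from the slides
    + b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03ws2_32.dll\x00\xff\xfe"
)


if __name__ == "__main__":
    blob = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    for off, enc, text in extract_strings(blob):
        print(f"{off:#010x} {enc:8} {text}")
    for kind, items in triage(blob).items():
        print(kind, items)
```

With no argument the script runs over the constructed sample; given a file it behaves like `strings` with an extra summary. The UTF-16LE regex is what recovers the Windows path, which an ASCII-only scan misses entirely because every other byte is zero.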



Packed and Obfuscated Malware
• Malware writers often use packing or obfuscation to make their
files more difficult to detect or analyze.
• Obfuscated programs are ones whose execution the malware author
has attempted to hide.
• Packed programs are a subset of obfuscated programs in which the
malicious program is compressed (and often encrypted) and wrapped in a
small stub that decompresses it in memory at run time; until it is
unpacked, static analysis sees only the stub and the compressed payload.



Packed and Obfuscated Malware
• Packed and obfuscated code will often import very few functions, but
almost always at least LoadLibrary and GetProcAddress: the unpacking stub
uses them at run time to load the DLLs and resolve the functions the
original program needs, so those functions never appear in the file's
import table.



Detecting the Existence of Packers
• There exists a group of applications that can be used to detect
packing, one of which is PEiD. It compares the bytes at the program's
entry point against a database of known packer and compiler signatures.



Detecting the Existence of Packers
• If an application is packed, then it may be possible to unpack
the application to its original state using special
tools/applications like:
• UPX (https://upx.github.io/)
• Example Use:
D:\>upx -d PackedProgram.exe
• This only works for files packed with an unmodified UPX; malware
authors frequently tamper with the UPX headers so that the stock
unpacker refuses the file, in which case the sample must be unpacked
manually (for example by dumping it from memory under a debugger).



Linked Libraries and Functions
• One of the most useful pieces of information that we can
gather about an executable is the list of functions that it
imports.
• Linking can be static, dynamic, or runtime:
• Static: the library code is copied into the executable, so nothing
shows up as an import (common on Unix, rare on Windows).
• Dynamic: the executable lists the DLLs and functions it needs in its
PE header (the import table), and Windows resolves them at load time;
this is what static analysis tools read.
• Runtime: several Microsoft Windows functions allow programmers to
import linked functions that are not listed in the program's file
header, like LoadLibrary and GetProcAddress; malware and packers use
these to hide what they call.



Dependency Walker
• The Dependency Walker program, distributed with some
versions of Microsoft Visual Studio and other Microsoft
development packages, lists only the dynamically linked functions
in an executable (the import table); functions resolved at run time
through LoadLibrary/GetProcAddress do not appear.
• http://www.dependencywalker.com/
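Added example covering both the "Packed and Obfuscated Malware" slides and the import-table slides above (written for this page; not the author's code and not pefile, PEiD or Dependency Walker): a minimal PE32 parser in Python that reads the section table, computes each section's entropy and walks the import directory, then applies three packing hints: UPX section names, a section with entropy above 7.0 bits per byte, and an import table of at most eight functions that includes LoadLibraryA and GetProcAddress. The thresholds are this example's rule of thumb, not a published standard. Because a real sample cannot ship with the page, build_sample() constructs a small PE32 that has exactly those traits; 64-bit images and ordinal imports are out of scope.

```python
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data: bytes) -> dict:
    """Read the section table and import directory of a PE32 file (minimal, no pefile)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF header
    opt = pe + 24                                                  # optional header follows it
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]   # DataDirectory[1] = import table
    sections: List[dict] = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize,
                         "entropy": entropy(data[rawptr:rawptr + rawsize])})

    def rva2off(rva: int) -> int:                                  # map a virtual address to a file offset
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstring(off: int) -> str:
        return data[off:data.index(b"\0", off)].decode("ascii")

    imports: Dict[str, List[str]] = {}
    desc = rva2off(import_rva) if import_rva else None
    while desc is not None:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)   # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0:                                          # all-zero descriptor ends the list
            break
        funcs, thunk = [], rva2off(ilt or iat)
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            funcs.append(cstring(rva2off(entry) + 2))              # skip the 2-byte hint before the name
            thunk += 4
        imports[cstring(rva2off(name_rva))] = funcs
        desc += 20
    return {"sections": sections, "imports": imports}


def packer_indicators(info: dict) -> List[str]:
    """Cheap static hints that a file is packed; thresholds are this example's rule of thumb."""
    hints = []
    if {s["name"] for s in info["sections"]} & {"UPX0", "UPX1", "UPX2"}:
        hints.append("UPX section names")
    if any(s["rawsize"] and s["entropy"] > 7.0 for s in info["sections"]):
        hints.append("high-entropy section")
    funcs = {f for fs in info["imports"].values() for f in fs}
    if {"LoadLibraryA", "GetProcAddress"} <= funcs and len(funcs) <= 8:
        hints.append("tiny import table with LoadLibraryA/GetProcAddress")
    return hints


def build_sample() -> bytes:
    """Constructed PE32, not real malware: a high-entropy 'UPX1' section plus an
    '.idata' section importing only LoadLibraryA and GetProcAddress from KERNEL32."""
    idata_rva, dll = 0x2000, b"KERNEL32.dll\0"
    names = [b"\0\0LoadLibraryA\0", b"\0\0GetProcAddress\0"]      # hint(2) + name + NUL
    ilt_rva, iat_rva = idata_rva + 40, idata_rva + 52              # after 2 descriptors of 20 bytes
    name_rva = iat_rva + 12                                        # each thunk array: 2 entries + terminator
    hn0 = name_rva + len(dll)
    thunks = struct.pack("<III", hn0, hn0 + len(names[0]), 0)
    idata = (struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva) + b"\0" * 20
             + thunks + thunks + dll + b"".join(names)).ljust(0x200, b"\0")
    upx1 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))   # 512 pseudo-random bytes
    opt = bytearray(224)                                           # PE32 optional header, mostly zero
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, idata_rva, 0x200)
    sect = (struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
            + struct.pack("<8sIIIIIIHHI", b".idata", 0x1000, idata_rva, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040))
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + opt + sect).ljust(0x200, b"\0")
    return hdr + upx1 + idata
```

Running `parse_pe32(build_sample())` gives two sections, one with entropy around 7.6 bits per byte, and a single imported DLL with two functions; `packer_indicators` then returns all three hints. On a real packed sample the same parser shows the same shape: a couple of oddly named sections, one of them near 8.0, and an import table far too short for the program's apparent size. That short table is exactly why Dependency Walker and similar tools are of little use until the file has been unpacked.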



Quick Exercise



• Backdoor
• Botnet
• Downloader
• Information-Stealing Malware
• Launcher
• Rootkit
• Spam-Sending Malware
• Worm or Virus
