Malware Exam 1
_ip Instruction Pointer
(program counter) address of next instruction.
- updated as current instruction executes
- changed for jumps, calls and returns
underscore may be R (64 bit), E (32 bit) or none (16 bit).
Using IDA
- Strings which are prompts (e.g. "Enter...") are good places to investigate
- Strings which are URLs are good places to investigate
- If debugger available, use for breakpoints
- Hex View-A shows hex of selected instruction
- Double clicking on entry in window focuses on its address
IDA windows: *exports *imports *names *functions *strings
Exports - functions visible (callable) outside program
Start - where execution of the process begins
TLS - Thread Local Storage
TLSCallback_n - Called (run) before start (potential source of infection)
Imports - Functions from DLLs (PE examiners, CFF Explorer, also list)
Types of imports
- Kernel O.S. Library
- Msvcrt Microsoft Visual C Run Time Library
Basic network info
- Windows (CLI): ipconfig /all, netstat -a
- Linux (CLI): ifconfig -a, netstat -a
Malware and Networks
- Network used to transmit malware, usually a user involved. Example: April2Net\OUTLINE-w-ref.html
- Malware uses network to exfiltrate data, command and control
Segments in IDA
.text - executable code
.data - data
.rdata - data
.bss - uninitialized data
.idata - import data
.CRT - digital certificate file used with a web browser?
.tls - thread local storage
Setting up RUNFAST
1. Open command prompt and enter the following:
   cd %TEMP%
   type con > test.txt
   blah blah blah
   CTRL/Z
   dir *.txt
2. Open runfast64.ex_
   Profile > Start Profiling ... No Program Arguments
   Window > CMD.EXE
   - program executable
   - program arguments
True
A .dll file can contain malware
True
A command (such as del or dir) can be started from an executable file (True or False)
False
A disassembler produces C code from an executable (.exe) file (True or False)
A register in a CPU
A fast temporary storage location for values (one to eight bytes wide)
True
A jump instruction (e.g. JMP, JZ,...) can change the value in the IP register
White list
A list of known safe (or good) software
Black list
A list of software known to be harmful, usually with hash values
Difference between a program and a process
A process is a program which has been put in memory and is being executed.
Monitoring Software
AV (antivirus)
IDS (Intrusion Detection System)
SEIM (Security Event and Incident Management)
Linking
Adding operating system and other subroutines and libraries to a program.
Label
Address of instruction - adjusted for relative addressing
Virtual, Relocated Address
Address when disassembled or loaded into memory - Memory address may be virtual
Physical Memory
An array of bytes provided by hardware (memory chips); size determined by the hardware.
Indicator of Compromise (IOC)
An artifact or other evidence that a security breach has occurred. A formal rule describing a security breach.
- yara
- openIOC
Zero Day Exploit
An attack based upon a zero day vulnerability.
Dynamic Analysis
Analysis done by executing program (.exe, .dll, ...)
Dangerous. Must be done in contained environment
- malware analysis sandbox (online)
- virtual machine
Static Analysis
Analysis done of binary code in file, not of executing process.
Assembler Comments
Anything following a semicolon (;) is a comment
- at beginning of line
- after (to the right of) instruction
True
Before malware is run in a virtual machine, the virtual machine's access to the internet should be disabled
Cache
CPU storage for next data, instructions. Principle of locality. Invisible in operation.
IDA
Can modify code, change values. Shouldn't be done in malware forensics/analysis.
When .exe is loaded, PE info is used and stripped out.
DATA and CODE may be cross-referenced as targets. XREFs can be used to jump to call (or reference).
Terminator
Character(s) indicating end of string
Text - End of line (EOL) - Control characters
Program data - null (0x00) terminated
Sponsor of an APT in the Mandiant Report
China (Peoples Republic of China)
Fetch Decode Execute
Cycle of operations in CPU
fetch - get next instruction (typically sequence of 1-6 bytes)
decode - decode instruction
execute - perform instruction
Disassembler and Debugger
Disassembler and Debugger may be combined
- OllyDBG
- IDA Pro
True
During malware analysis, static analysis is usually done before dynamic analysis (True or False)
False
Dynamic analysis should be done before static analysis (True or False)
True
Every process has at least one thread (True or False)
ELF File Format
Executable and Linkable Format. File format for executable programs for *NIX.
Signature (file header): 0x07 0x45 0x4C 0x46 (E L F)
Most Windows tools for working with PE format will not work with ELF format; exceptions -> string tools, TRID, IDA Pro
Threads
Executing unit within process ("lightweight process")
- shares resources (e.g. data, code) with other threads of process
- has own state (e.g. next instruction to execute)
- must coordinate and communicate with other threads
- has priority (beyond that of its process)
Physical Address Extension (PAE)
Extending the address space beyond the register size by using tables, e.g. IA-32 with more than 4GB RAM. Maybe using paging.
Wireshark
Good for network attacks
- handshake attacks
- syn flood
- DDOS
Programs with random and unusual file names
If a program name looks somewhat unusual but the program is signed, it is probably legitimate. Files in System32 can have somewhat cryptic names.
True
If there are two operands in an assembly instruction, at most one can be a memory reference (True or False)
Instruction operands
Immediate - value - only as source
Register - used often
ex) sub esp, 10h
    esp <-- register
    10h <-- immediate
False
Interpreted and compiled programs run the same way (True or False)
INT
Interrupt instruction
INT int_num ; Interrupt using int_num
usually not in disassembled code - used by lower levels
Address Space Layout Randomization (ASLR)
Is a memory-protection process for operating systems that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
Intrusion Prevention System (IPS)
Is a preemptive approach to network security used to identify potential threats and respond to them swiftly; like an IDS, it monitors network traffic.
Intrusion Detection System (IDS)
Is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
Security Information and Event Management (SIEM)
Is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system
XOR Encryption
Is an encryption method used to encrypt data and is hard to crack by brute-force method, i.e. generating random encryption keys to match with the correct one. Encryption is done bitwise using a key. To decrypt the encrypted characters we have to perform the XOR operation again with the defined key: XOR decryption is the same as encryption, done bitwise with the key used for encryption.
Zero Day Vulnerability
Is unknown to defender and unpatched.
Sandbox
Isolated, testing environment for software.
- software development
- untrusted code
What information is in the comment (DATA XREF: main+12^0)?
It indicates where the string is used in the program
Advantage of using an AV site (such as VirusTotal)
It is convenient and results are returned quickly
What is the purpose of the value 0 (a null byte) that occurs after README.TXT
It is used to indicate the end of the string. Null (zero) terminated string.
Disadvantage of using an AV site (such as VirusTotal)
It may disclose the attack to the attackers and cause them to change tactics
Near and Far
Jumps, Returns, ... For when the next instruction to execute is not the next sequential instruction
- Near : Target instruction is close
- Far : Target instruction is not close
- How to change IP (EIP, RIP)
Machine Language
Language of the CPU - Instruction set
False
Library routines are only linked to a source code program when it is compiled
False
Linking is only done when a program is compiled (True or False)
Data in EXE
Locatable, unstructured bytes.
- Locatable : Has an address (relative offset)
- Probably in data section *.data *.rdata *.bss
* Data section specified in PE Header
Exception : Immediate values encoded in instruction as source operands
hiberfil.sys
Location: C:\
compressed copy of memory
decompress with volatility
analyze with volatility
.DLL Dynamic Link Library
MS Implementation of dynamic linking allowing shared routines.
- C:\Windows\System32 and subdirectories
- executable format, must be called, e.g. MZ header
- usually contains many functions (subroutines)
Host, Host O.S.
Machine (or operating system) upon which the VM is running.
Assembly Language
Machine language (binary code) for humans
Instruction Set
Machine language instructions for specific architecture (CPU).
Guest, Guest O.S.
Machine provided by the VM or operating system in the VM.
Trojan
Malware disguised as legitimate software.
Ransomware
Malware which encrypts data and demands ransom for key to decrypt.
Virus
Malware which self replicates and spreads ("infects" other computers) by corrupting other programs (including macros).
Obfuscated malware
Malware writers often use packing or obfuscation to make their files more difficult to detect or analyze. Obfuscated programs are ones whose execution the malware author has attempted to hide. Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed.
Virtual/Linear Address Space
Memory addresses available to a process for both instructions and data (and stack).
When program is loaded into memory, memory references are established.
Virtual to physical mapping may not be simple.
Memory Acquisition
Memory image at a particular time or time interval is impossible:
- part of memory will be acquisition tool (process)
- part of memory is in CPU caches
User Space (Ring 3)
Memory used for applications and system functions that run in user mode.
Protected, limited: can't access system space or other processes.
System Space/Kernel Space (Ring 0)
Memory used for system functions that run in kernel mode.
Less protected, fewer limitations.
Assembly Language
Mnemonic language for machine language.
Absolute Address
Number of bytes (offset) from beginning of file
Process ID (PID)
Numerical identifier for process.
False
Only .exe files use the PE file format (True or False)
Command
Operating system program.
Assembly Instruction Format
Operation
- nop
- retn
Operation Operand
- push ebp
- jmp short loc_41546
Operation Destination, Source
- add eax, 4
- mov [esp+10h+var_10], offset aHelloWorld
* At most one of Destination and Source can be a memory reference
Packed malware
Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed. Both techniques will severely limit your attempts to statically analyze the malware.
Device Memory
Part of RAM mapped directly to devices - including destination of image.
Acquisition tool should omit this; use MmGetPhysicalRanges() routine from Windows Kernel-Mode Memory Manager.
Stack Frame
Part of stack associated with a particular subprogram - for current subprogram, part of stack above BP
Segments
Parts of process memory for specific purpose, e.g. .text for instructions.
OS should check memory is only used correctly.
Roughly correspond to PE sections.
May use segment registers.
Paging
Parts of process' memory (and other memory - data) actually on the disk.
- allows multiple processes in memory
- makes entire (or large) address space available
- windows: 4K pages
- windows: C:\pagefile.sys
Bus
Path between components of a system.
Signal (IRQ-Interrupt ReQuest)
Press a key and this is sent to the processor
- hardware interrupt
- processor temporarily suspends execution of current thread or process
- saves state
- processor determines necessary action(s) using
  * where (KBD, mouse, ...) signal (IRQ) originated
  * what signal (keys pressed, mouse click/motion) was generated
  * interrupt table - list of pointers to interrupt handlers (code to handle the signal)
  * processes or threads running to pass the signal (data) to
Parent Process
Process that executed (caused to run) the process.
- processes are in a tree (hierarchy): process tree
- PPID: Parent Process ID
Compiling
Producing executable program from source code.
Source Code
Program (or component of program) in high level language
Key Logger
Program (or hardware) which surreptitiously records the keys pressed.
Rootkit
Program designed to
1. hide processes, activities and files from O.S. and legitimate users
2. access a computer or areas of a computer for non-legitimate reasons
Process
Program in memory which is running or executing a sequence of instructions.
- some programs may have more than one
- only programs in memory execute this
- O.S. runs these simultaneously
- instructions executed by CPU
Assembler
Program to convert assembly language program into machine code
- PE Format: Metadata in PE header
- Linker: Program to link machine code into executable program
Disassembler
Program to convert machine language to assembly language
Debugger
Program to run another program under user control
- Instruction by instruction execution
- Breakpoint : Instruction designated as stopping point
Address Space
Range of memory addresses, determined by register size
- 32 bit register (EIP, EAX, ...)
- 64 bit register (RIP, RAX, ...)
Handle
Reference to a resource.
- File Handle
- inFile = open("IN.DAT");
Flags Register
Register whose bits (flags) reflect the outcome of an operation
examples: CF, PF, AF, ZF, TF, SF, DF, OF
True
Registers have become larger (contain more bits) as the Intel and AMD architectures have evolved. (True or False)
Safety Protocols
Run malware only in a virtual environment with nonexistent or constrained internet connection. Replace last letter of malware executable extension with underscore. e.g. .ex_ or .dl_
False
Running malware in a debugger always prevents the malware from causing harm (True or False)
False
Running malware in a virtual machine is always the same as running it on an actual machine
RAM
Sequence of addressable bytes. Managed by O.S.
- keeps processes' instructions and data
- two main regions: user space and kernel space
String
Sequence of characters - ASCII or UNICODE
Program
Sequence of instructions. - source code - binary, executable (.exe)
Strings
Sequence of values/characters
ASCII - 7bit encoding of Latin (English) alphabet and control characters
- stored in one byte
- range 0x00 to 0x7F
ASCII "Printable" - 0x20 to 0x7E
UNICODE - multibyte encoding of all alphabets
- 16bit (UTF-16) is common
State (or Status) - Local Context
Set of values describing position (progress) of computation.
- next instruction
- values of variables
- low level: register values
- etc.
Malware
Software (programs, scripts, libraries,...) including firmware, put on a computer (or computer system) or device with a processor by an unauthorized third party, with the intent of gain of the third party.
Linking
Some linking may be done at run-time or during execution (DLLs)
Instruction
Specification of action. - move data - alter data
Worm
Stand alone malware which spreads itself (typically across a network or networks).
Breakpoint
Statement marked for process pause
- Set before or during process execution
  * IDA View Statement
  * Function, Names
- Highlighted in red
Registers
Storage for all values. All logic, arithmetic done in registers. Values and addresses moved between registers and memory. 64 (or 32) bits wide, but bytes and words within some registers can be referred to as registers. - backwards compatibility
True
String are sometimes found in the .rdata section of a disassembled executable (True or False)
Service
System initiated process.
- may terminate and stay resident in memory, "pause" and then restart
- usually started at boot
- \HKLM\SYSTEM\CurrentControlSet\Services
Files with only Strings
Text files .txt
Source Code .c .cpp .py .java
Configuration Files .conf
HTML Files .html
Batch, Script Files .bat .js
Most files have strings. Some files have strings which are meaningful.
What is the significance of the "a" in the label aReadmeTxt?
The "a" indicates it is an ASCII string
False
The .text section of a disassembled executable contains text used in the program (True or False)
True
The bits (flags) in the flags register record the results (e.g. zero, overflow,...) when an instruction is executed (True or False)
True
The header of an .exe and a .dll file are normally in the same format (True or False)
Why is it useful to examine the imports of an executable program?
The imports have the functions used by the program. They can give some indication of what the malware does. For example, a network function indicates network use
IP register
The instruction pointer contains the address of the next instruction to be executed by the CPU
True
The instruction pointer register (IP, EIP, RIP) holds the address of the next instruction to be executed (True or False)
NOP instruction
The no operation instruction, which has no effect except to increase the instruction pointer.
False
The opcodes (actual bytes) for all assembly instructions are all the same length (number of bytes) (True or False)
True
The registers AX, EAX, and RAX are variants of the same register. (True or False)
False
The registry isn't useful for malware analysis (True or False)
True
The stack for a process grows upward (toward lower memory) (True or False)
True
The threads within a process share resources (True or False)
True
The top of the stack for a process is usually recorded in the SP register (True or False)
Limitations of using IOCs
They only identify known malware
RAT - Remote Access Trojan
Trojan designed to give remote access.
Passing, Returning Values
- Use registers
- Use stack
- Use global memory (address on stack or in register)
Process Priority
Used by the O.S. for scheduling.
- idle
- below normal
- normal
- above normal
- high priority
- realtime
Jumps
Used for decision structures (if-then-else, case) and loops (for, while,...) includes conditional jumps
Task
User initiated process.
Advantage of using longer strings
Using a longer string length produces fewer and more meaningful strings
State (or Status) - Global Context
What process or thread is currently doing. Managed by O.S.
- running
- ready (waiting)
- blocked
- suspended (sleeping)
- terminated
False
When a function returns (completes), values are pushed onto the stack (True or False)
Event logs
Windows constantly logs (records) information, saved in several event log files in XML format (special text file).
Program Argument
X:\SomeDir> Aprogram Arg1
Aprogram - program process start
Arg1 - Argument, value(s) input to program
Base64 Encoding
a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation
Add instruction
add destination, source
* destination <-- destination + source
Flags Affected: OF, ZF, CF, PF, SF, AF
Assembly language directive
an instruction to the assembler to perform some action
- directives begin with a period, usually all lower case
- disassemblers (and debuggers) may not produce the original directives
- disassemblers usually produce some directives
Heap
area in memory which is allocated and deallocated by the process. Dynamically allocated memory, not on stack.
Compare instruction
cmp operand1, operand2
* temp <-- operand1 - operand2
temp used to set flags and discarded
Flags Affected: OF, ZF, CF, PF, SF, AF
Debugger Notes
debugger stops for input
debugger stops for breakpoints
Unconditional Jump
jmp label
* IP <-- label
System files
kernel32.dll - windows API
ntdll.dll - run time library
ntoskrnl.exe - OS kernel
hal.dll - HAL Hardware Abstraction Layer
Move instruction
mov destination, source
* destination <-- source
No operation
nop
* IP <-- IP + 1
one byte instruction - used to align
- XCHG EAX, EAX
Interrupts
process or thread can generate interrupt to pause while it waits for input
pagefile.sys
random chunks of memory
not for malware analysis
search for items of interest (e.g. using Yara rules)
may be large - over 2 GB
Subtraction instruction
sub destination, source
* destination <-- destination - source
Flags Affected: OF, ZF, CF, PF, SF, AF