M.A.R.E
EAX
Accumulator; contains the return value
CONTROL TRANSFER
CALL, RET, JMP, LOOP, JE/JZ, JL, JG, JGE, JLE, JNE/JNZ, conditional jumps, INT
EDI
Destination Index Pointer
EBX
General purpose register
EDX
General purpose register
miscellaneous
LEA, NOP, XLAT
EIP
Instruction pointer
decompilers and disassemblers
Never actually provide the answers; they merely present the information.
Crimeware kits
- Automated tools that allow anyone to create viruses or other malware without any programming skill, e.g. SpyEye and Zeus.
FakeNet-NG
Used to emulate the network environment and trick the malware into thinking it is connected to the Internet; once it does, the malware reveals its network signatures such as command-and-control (C2) domain names, User-Agent strings, URLs queried, and so on.
STRING
CMPS, SCAS, LODS, STOS, MOVS, REP prefix
Windows APIs
The Windows Application Programming Interface, implemented as a set of system libraries such as kernel32.dll, user32.dll, etc.
Logical
XOR, OR, AND, TEST, NOT
ESI
Source Index Pointer
EBP
Stack base pointer
Flags
ZERO, SIGN, CARRY, OVERFLOW, TRAP
Virtual machines and bytecodes
- A Java compiler generates bytecode. - Bytecodes are like object code, except that they are decoded by a program instead of a CPU. - The compiler generates the bytecodes and then a virtual machine decodes them. - The virtual machine must at some point convert the bytecode to standard object code that is compatible with the underlying CPU.
Botnets
- A network of computers made up of machines infected with a malicious backdoor program. - Enables cybercriminals to remotely control infected computers. - Backdoor programs designed to create botnets are often referred to as bots/zombies. - Typical use: DDoS.
The Stack
- Area of memory accessed as a first-in, last-out queue. - A stack is an area in program memory that is used for short-term storage of information by the CPU and the program. - It can be thought of as a secondary storage area for short-term information. - Registers are used for storing the most immediate data, and the stack is used for storing slightly longer-term data. - Physically, the stack is just an area in RAM that has been allocated for this purpose. - The stack resides in RAM just like any other data; the distinction is entirely logical. - Modern operating systems manage multiple stacks at any given moment; each stack represents a currently active program or thread. - Internally, stacks are managed as simple last-in, first-out (LIFO) data structures. - Memory for stacks is typically allocated from the top down. - The stack is short-term memory for storing functions, local variables and parameters, and for flow control. - x86 has built-in support for the stack, which includes the ESP and EBP registers: ESP is the stack pointer and EBP the stack base pointer. - Stack instructions include push, pop, call, leave, enter, ret.
Injection Vectors
- Boot sector: infecting the Master Boot Record (MBR) of the physical disk - File infection: parasitic infectors - Email: email worms - File shares: parasitic infectors, worms - Network: network worms, through vulnerabilities - IRC: Internet Relay Chat - P2P networks: IM, Kazaa, etc. - Removable media: floppy, USB drives, optical discs - Bluetooth: worms for mobile devices - Web apps: using cross-site scripting vulnerabilities - Vulnerabilities: operating system, web browser and plugins, Adobe Reader vulnerabilities
Compilers
- A C or C++ source file is fed into a compiler, which takes the source file and generates a corresponding machine code file. - Depending on the language, this machine code can either be standard platform-specific object code that is decoded directly by the CPU, or it can be encoded in a platform-independent format called bytecode. - Compiler-generated machine code, when translated to assembly language by a disassembler, is essentially a machine-generated assembly language program. - The biggest hurdle in deciphering compiler-generated code is the optimisation applied by most modern compilers; the resulting code is often counterintuitive and difficult to read.
Malicious Code
- Corrupts, disrupts or destroys services, data and software. - Everything should be checked! - Prevention is key: scanning, prevention/detection software. - Anti-virus/anti-malware is essential! - Education! - Patching.
Assembly Language
- Each assembly language command is represented by a number, called the operation code, or opcode. - Object code is essentially a sequence of opcodes and other numbers used in connection with the opcodes to perform operations. - Because assembly language is platform-specific, we need to choose a specific platform to focus on. - In this course, we focus on the Intel IA-32 architecture, on which most 32-bit PCs are based.
Common Classifications
- File infectors - Boot sector viruses (old school; commonly found by anti-virus) - Interpreted viruses (macros and scripts)
Security-related reverse engineering
- Has been applied to encryption research. - Heavily used in connection with malicious software, on both sides of the fence: by malware developers and by those developing mechanisms against it. - Popular with crackers, who use it to analyse and eventually defeat various copy protection schemes (DRM). - Developers of antivirus software dissect and analyse every malicious program that falls into their hands. Antivirus developers use reverse engineering techniques to: - trace every step the program takes - assess the damage it could cause - assess the expected rate of infection - work out how it could be removed from infected systems - and whether infection can be avoided altogether.
Drive-by Malware
- Malware which automatically downloads itself onto a user's computer and executes without user consent. - Runs on web servers of rogue websites as well as legitimate websites which have been compromised. - Downloaded upon user visit through exploiting one or more vulnerabilities within the user's browser. - To evade suspicion, it redirects the user through numerous HTTP 302 redirects.
Rogue Application
- Pose as security applications or system tools to mislead users into paying for the removal of non-existent malware or issues with their systems. - On the rise. - Social engineering (SE) techniques are used to trick the user into installation.
Trojan: Types
- Remote Access Trojans (RATs): used for remote access - Data-sending Trojans: used to find and deliver data to a hacker - Destructive Trojans: used to delete or corrupt files - DoS Trojans: used to launch a denial of service - Proxy Trojans: used to tunnel traffic or launch hacking attacks via other systems - FTP Trojans: used to create an FTP server to copy files - Security disabler Trojans: used to stop anti-virus software
Trojan: Detection
- Scan for suspicious open ports (netstat, Fport, TCPView). - Scan for suspicious processes (Process Viewer, Inzider). - Scan for suspicious Registry entries (Registry, MSConfig). - Run Trojan scanners or anti-malware software.
HackTool
- Used by a hacker to attack and exploit a system to gain unauthorized access to system resources and transmit data on the network. - Attempts to gain information about the system after bypassing security mechanisms. Example: Netcat.
Rootkit
- Uses stealth techniques to actively hide its presence. - A collection of programs used by a hacker to evade detection while trying to gain unauthorized access to a computer. - This is done either by replacing system files or libraries, or by installing a kernel module. - Hides its own presence as well as that of other malware or hacker utilities: - manipulates/replaces system tools that list directories - manipulates/replaces system tools that list running processes - intercepts attempts to scan RAM contents for malware - modifies system logs
PE File format
- Microsoft uses the Portable Executable (PE) file format for executables and libraries. - Essential for reverse engineering. - The PE header contains important information about: the linker version used; how the executable should be loaded; the compatible version of Microsoft Windows; the type of executable file, etc. - Important fields: AddressOfEntryPoint and ImageBase, which give the first instruction to be executed when the executable is loaded and the virtual address where the executable is loaded in virtual memory, respectively. - Followed by the Data Directories, which include the import and export tables: the import table has information about the functions that the program calls from DLL files; the export table, generally present in DLL files, has information about the functions the DLL makes available to other programs. - Followed by the Section Table, which provides the relative virtual address and characteristics of each section of the program.
Worm
- Self-replicating. - Standalone strains. - Do not modify files to spread; instead, they make copies of themselves. - The lack of user interaction makes them exceptionally dangerous to networking infrastructure and a significant threat, e.g. Stuxnet.
Spyware
- Software that gathers confidential/personal information from the user's system without their knowledge. - Once installed, it does not show any visible notification to indicate that it is monitoring user activities. - Instantly sends information to the configured remote server. - Spyware programs are usually hidden among other programs or can be unwittingly downloaded to a user's system when certain websites are visited (this is known as drive-by downloading). - Lacks appropriate user consent.
Backdoor
- Allows unauthorised access to a system by opening a port. - Creates a pathway, enabling hackers to control the compromised system by sending commands of a malicious nature. - Goal is to remove evidence of initial entry from the log files. - Enables the hacker to retain access. - Alerts its owners/joins botnets: traditionally via IRC/ICQ; more recently via email to an anonymous, monitored account, or by connecting back to a pre-existing 'listener'. - Examples: SubSeven, NetBus, Back Orifice.
Trojan
- Non-replicating in nature. - Disguises itself as something legitimate while hiding malicious functionality. - Must be installed by another program, or the user must be tricked into installing it. - Can take one of three forms: an unauthorised program contained within a legitimate one; a legitimate program that has been altered by the placement of unauthorised code in it; any program that appears to perform a desired function but, due to hidden (unauthorised) code, does something else.
Data Encoding
- The process of hiding data within malware in order to conceal the malware's intent. - Belongs to the concealer component of malware; concealing intent is the main purpose of data encoding. - Data is represented in another format: for instance, a string may be split into parts that are only concatenated at runtime, so that anyone who reads each part in isolation cannot tell what the real input is. - It is essentially misrepresentation, or rather a representation that is not friendly to the human eye, but one that is not hard to decode if a person wants to recover the original text.
Virus vs Worm
A worm and a virus are similar in that they are both forms of malicious software. Worms are distinguished from viruses by the fact that a virus requires some form of 'host' involvement to infect a computer, whereas a worm does not. A worm is self-contained and spreads automatically, but a virus infects another executable file and uses the host to spread.
arithmetic
ADD, ADC, SUB, SBB, MUL, DIV, IMUL, IDIV, INC, DEC, CMP, NEG
Binary Reverse engineering
Aims to extract valuable information from programs for which source code is unavailable.
Registers
All general registers are 32 bits in size and can be referenced as either 32 or 16 bits, e.g. EDX is used to reference the full 32-bit register, and DX is used to reference the lower 16 bits of the EDX register. Four registers (EAX, EBX, ECX and EDX) can also be referenced as 8-bit registers. Multiplication and division use EAX and EDX. EAX generally contains the return value for function calls. • General registers - used by the CPU during execution • Segment registers - used to track sections of memory • Status registers - used to make decisions • Instruction pointers - used to keep track of the next instruction to execute
Malware Components
• Concealer - features to hide the malware and/or its activity (may open hidden connections to the Internet to secretly download the payload). • Replicator - manual or automated features that allow malware to spread (could be triggered when opened by the user and spread to the user's network). • Payload - the malware feature that causes the damage or other malicious function.
Symptoms of an infected computer
• System is unstable and responds slowly - malware may be consuming resources in the background. • New and unknown executables found on the system • Altered system settings (without your consent) • Unusual network traffic • Random pop-ups • Overall, the system shows unexpected/unpredictable behaviour
Pests
Colloquial collective term for lesser malware variants; often annoyances rather than threats: adware, tracking cookies.
Classification
Can be classified as malware if it does one of the following: • Modifies another program • Replicates itself without user consent • Allows an unauthorized person to take control of the system • Transmits confidential data to a remote system without consent • Sends data to a system to disrupt normal functioning • Opens a port for listening on a local machine to accept commands from a control server • Records keystrokes and sends the info to a remote server • Downloads and executes files from suspicious remote servers • Copies itself into multiple locations • Injects code into another program • Makes unauthorized changes to the system • Modifies a protected system setting • Modifies a registry setting used for launching programs on start-up
DLL
Dynamic Link Libraries are the current Windows way to use libraries to share code among multiple applications. A DLL is an executable that does not run alone, but exports functions that can be used by other applications. Basic structure: under the hood a DLL and a .exe file are very similar except for a single flag which indicates whether the file is a DLL or a .exe. DLLs have more exports and fewer imports. The main DLL function is DllMain; it is not an export, and it is specified in the PE header as the file's entry point. Some of the ways malware authors use DLLs: - to store malicious code - by using Windows DLLs - by using third-party DLLs.
Path Companion Viruses
Exploit the order in which executable files are looked up and called: - Same filename: the path takes priority (current directory over system directory). - Same path: the filename extension takes priority (.com over .exe).
Abstraction: 6 levels
Hardware - The only physical level; consists of electrical circuits that implement complex combinations of logical operators such as XOR, AND, OR and NOT gates, known as digital logic.
Microcode - Also known as firmware. It only operates on the exact circuitry for which it was designed. It contains microinstructions that translate from the higher machine-code level to provide a way to interface with the hardware.
Machine code - Consists of opcodes, hexadecimal digits that tell the processor what you want to do. Machine code is typically implemented with several microcode instructions so that the underlying hardware can execute the code. Machine code is created when a computer program written in a higher-level language is compiled.
Low-level / assembly - A human-readable version of a computer architecture's instruction set. The most common low-level language is assembly language. Malware analysts operate at this level because the machine code is too difficult for a human to comprehend.
High-level languages - We use a disassembler to generate low-level language text, which consists of simple mnemonics such as mov and jmp. Many different dialects of assembly language exist.
Interpreted languages - At the top level. Many programmers use interpreted languages such as C-sharp, Perl, .NET and Java. The code at this level is not compiled into machine code; instead it is translated into bytecode. Bytecode is an intermediate representation that is specific to the programming language. Bytecode executes within an interpreter, which is a program that translates bytecode into executable machine code on the fly at runtime. An interpreter provides an automatic level of abstraction when compared to traditional compiled code, because it can handle errors and memory management on its own, independent of the OS.
(b) The levels important for malware analysis are machine code, low-level/assembly and high-level languages. Justification: most malware is written in high-level languages and distributed as binaries, and assembly is the highest level of human-readable language that can be reliably and consistently recovered from machine code when the high-level language source code is not available.
Main memory
From lowest to highest memory address: Data - a specific section of memory called the data section, which contains values that are put in place when a program is initially loaded; the values can be static values or global values. Code - instructions fetched by the CPU to execute; controls what the program does, the flow of logic. Heap - a managed memory region that allows dynamic allocation of variable-sized blocks of memory at runtime; called dynamic because its contents can change frequently during execution. Stack - used for local variables and parameters for functions.
DATA TRANSFER
MOV, PUSH, POP, PUSHA, POPA, XCHG
PE Files
PE is a file format for Windows executable files, DLLs, object code, etc. It has metadata about the DLL or .exe file. (b) The main sections are: • a header section • .text - instructions that the CPU executes • .rdata - contains import and export functions, etc. • .data - global data which is accessible from anywhere in the program • .rsrc - resources used by the executable that are not part of the executable, such as icons, menus, and strings. (c) Importance for malware analysis (any 3 of the following, with explanations): the header lists lots of useful things like • imported functions • exported functions • strings • DLLs • embedded executables, which provide clues of what the malware hopefully
Malware Categories
Malware may appear in many different forms and with a variety of capabilities. However, certain characteristics allow malware to be classified into the following categories: Clickers: redirect victim machines to specified Internet resources, for example by manipulating the 'hosts' file on the machine. Downloaders: download and install other malware onto the victim machine. Droppers: contain multiple applications wrapped into one, all executed at once. Backdoors: installed on a target system to allow access to the system at a later time; the goal is to remove evidence of initial entry from the log files; most backdoors listen on special ports for incoming connections. Remote Access Trojans (RATs): such as NetBus, used for remote access. Data-sending Trojans: used to find and deliver data to a hacker. Destructive Trojans: used to delete or corrupt files. Botnets: a network of machines infected with a malicious backdoor program, which enables cybercriminals to remotely control the infected computers, either some of the computers making up the network or the entire network.
Types of memory
Modern computers have 3 types of memory: registers, cache and bulk addressable memory. Bulk addressable memory is also commonly referred to as RAM (Random Access Memory), DDR (Double Data Rate) and its successors, main memory, or just plain "memory". It's called bulk because, well, there's a lot of it compared to the other types, i.e. registers and cache. Registers - used actively; cache - used often; main memory - not needed often but available if you do.
OllyDbg
OllyDbg is a 32-bit debugging tool used to analyze binary code. Its popularity is tied to the fact that people can do so despite not having access to the source code. OllyDbg can be used to evaluate and debug malware, and it is a popular debugger due to its ease of use and being freeware. If you plan to analyze malware on your own, you want to ensure you have your environment set up to protect yourself and your assets. This should be done in a closed environment within a virtual machine; using a virtual machine alone is not enough, so do some research on the best ways to isolate your environment. Avoid using bridged mode, as it leaves your network exposed. OllyDbg is meant to run on a Windows platform; if you are creating a virtual environment using Kali Linux instead of Windows, you will need to use Wine to run OllyDbg. This is important to note, as many researchers prefer using Kali Linux for analysis. It's also important to note that if using a disassembler, the user is expected to have knowledge of assembly language; it will help tremendously in the evaluation of the code.
File infectors
Overwriting: replaces the original file completely. Parasitic: modifies the original file to include either the malicious code itself or a call to a separate, malicious file: - Prepending - Appending - Inserting
Important Terminology
Presence: malware is on the system, but the payload has not been triggered. Infection: malware is present and active / payload triggered. Damage: performing malicious actions, whether deliberate, accidental or incidental. Stealth: the methods through which malware conceals itself. Polymorphism: the malware's ability to create different copies of itself to evade signature detection.
SHIFT AND ROTATE
ROR, ROL, RCR, RCL, SHR, SHL, SAR, SAL
APTS
Refer to security attacks which are designed to infiltrate a target's enterprise network infrastructure and carry out some pre-defined objectives over long periods of time. APT attacks differ from traditional malware attacks in that they: - are highly coordinated in their attack nature; - are designed with clearly identified targets in mind; - are designed to reside within the target network over long periods of time; - have built-in mechanisms to avoid detection. Consists of six stages: 1. Information gathering 2. Delivery 3. Exploitation 4. Operation 5. Data collection 6. Exfiltration.
Memory speed
Register file - 1 cycle, 0.5 ns (100x bigger than cache (L1)). Cache (L1) - 4 cycles, 2 ns (4x faster than the register file, 300x bigger than cache (L2)). Cache (L2) - 65 cycles, 33 ns (1.5x faster than cache (L1), 20,000x bigger than DDR/main memory). DDR/main memory - 120 cycles, 60 ns (2x faster than cache (L2)).
Reverse engineering
Reverse engineering is a critical set of techniques and tools for understanding what a piece of software is about: the malware is deconstructed in a way that reveals its innermost details. "The process of analysing a subject system to identify the system's components and their interrelationships and to create representations of the system in another form or at a higher level of abstraction" (IEEE 1990). Allows us to visualize: - the software's structure - its method of operation - the features that drive its behaviour. A good understanding of low-level software and low-level programming is essential. It is: - often platform-specific - affected by the specific operating system and hardware platforms used - not popular in the software industry, primarily because the software is so complex and it is not financially feasible - mainly applied in two areas: security-related and software-development-related - used by developers of malicious software to locate vulnerabilities in operating systems and other software, allowing them to gain access to sensitive information or even take full control of the system.
malware attack response
Start with quick wins like a Google search of the filename and of the malware hashes, which help find out what, if anything, is already known about the malware. Upload the malware to online scanners like www.virustotal.com and look at the reports. If the above draw a blank, follow up with a basic static analysis in a booted environment, which could include tools like Strings and looking for alternate data streams. If basic analysis fails, follow it with a basic dynamic analysis with tools like Process Explorer, Procmon, nmap, Fport, etc. enabled. When all else fails, reverse-engineer the binaries. (b) Do a network scan of all the hosts, and talk to the penetration testing people to help identify the vulnerability being exploited. (c) Look for how the malware survives restarts, e.g. alternate data streams and registry keys being used.
Trojan: Function
Trojans work like a client-server network model. Most Trojans come in two parts, a client and a server. - The server part is installed on the victim's machine. - The client is on the attacker's system. - The server and client are used to establish a connection between the victim's and the attacker's systems via the Internet. - Once the victim runs the server (unknowingly), the attacker uses a port to connect to the server (the target) and starts using the Trojan. - The Trojan generally runs in stealth mode on the victim's computer and can be configured for different functions.
Virus
Virus (the parasitic infector): - Self-replicating in nature - Does not have a separate existence; inserts code into existing files on the system - Requires human activity for infection
Dynamic Analysis
We study a program as it executes. Can tell you how the malware responds when it receives a specifically designed packet; you can only learn the packet format when you dig deeper, which is where disassembly comes in. We need to monitor the changes made to the file system, Registry and processes, and the malware's network communication. Sysinternals tools: Process Monitor, Process Explorer, TCPView, GMER and Wireshark (useful for observing runtime behaviour). Debuggers: OllyDbg, IDA Pro and WinDbg (helpful to dig into details about encrypting malware and for detailed analysis). When a safe environment is not available to execute the suspicious sample, an online automated malware analysis tool may be used; a generic report is then returned based on file modifications, registry modifications and network communications. Dynamic analysis involves monitoring what malware does on a test computer and deriving conclusions based on the way the malware behaves. The analyst starts by preparing a clean computer, installing utilities that are able to monitor different aspects of a program's behaviour. This includes monitoring changes to the file system, changes to the system registry, the loading of processes into memory, network traffic and web traffic. Malware programs exhibit different types of behaviour, so a particular sample being analysed may not trigger all of the monitoring tools being used. But there's no way of knowing what the behaviour of the program will be in advance, so it's wise to configure them all. The specific monitoring tools used may vary, since different researchers favour different tools. Once the computer has been prepared, the analyst runs the suspect program and waits for the various tools to capture and log the different actions of the program. The display output and/or log files of the monitoring tools can be examined to see if any of the actions performed by the suspect program match known malware behaviour.
By systematically recording any 'hits' in behaviour, the analyst can build up a picture of what the malware does, or decide that the program is innocent. Dynamic analysis is ideal for 'triage' analysis: the analyst is able to decide if there is an infection, and to quantify the nature of the threat, pending full analysis in a lab.
Static Analysis
We study a program without executing it. Can be used to draw preliminary conclusions. Tools: hex editors, disassemblers and packer identifiers. Can look for: - suspicious strings related to file paths - Registry keys - URLs or messages intended for users, if any are used in the program. - APIs used also give an idea about the functionality of the program. Packed/obfuscated samples provide a challenge for static analysis; they must be unpacked before diving into code analysis. Static analysis means inspecting a program's code to determine how it works. This task, i.e. code disassembly, is what people typically associate with the job of an anti-malware analyst; this work involves a greater level of expertise than is required for dynamic analysis.
Process Monitor
A free tool from Microsoft that displays file system, registry, process, and other activity on the system. It's an invaluable tool for troubleshooting Windows problems as well as for malware forensics and analysis tasks. The thoroughness of the tool is also a weakness, as the amount of data captured by Process Monitor can easily overwhelm the analyst; filtering is key. "A peek under the hood": it uses a device driver and Event Tracing for Windows (ETW) to trace these activities. Captures can be exported to an external file for later viewing.
Sandbox
A security mechanism for running untrusted programs in a safe way without fear of harming "real" systems. Sandboxes: the quick-and-dirty approach. • Several all-in-one software products can be used to perform basic dynamic analysis, and the most popular ones use sandbox technology. • A sandbox is a security mechanism for running untrusted programs in a safe environment without fear of harming "real" systems. • Sandboxes comprise virtualized environments that often simulate network services in some fashion to ensure that the software or malware being tested will function normally. (b) Advantages: • These sandboxes produce easy-to-understand output. • They are great for initial triage, as long as you are willing to submit your malware to the sandbox websites. Even though the sandboxes are automated, you might choose not to submit malware that contains company information to a public website. • Easy to use. • Most are free. • Some have a big user community, which means lots of free help and support.
(c) Sandbox drawbacks: • The sandbox simply runs the executable, without command-line options. If the malware executable requires command-line options, it will not execute any code that runs only when an option is provided. • If your subject malware is waiting for a command-and-control packet to be returned before launching a backdoor, the backdoor will not be launched in the sandbox. • The sandbox also may not record all events, because neither you nor the sandbox may wait long enough. For example, if the malware is set to sleep for a day before it performs malicious activity, you may miss that event. There is more than one way to sleep, and sandboxes cannot account for all of them. • Malware often detects if it is running in a virtual machine, and if a virtual machine is detected, the malware might stop running or behave differently. Not all sandboxes take this issue into account. • Some malware requires the presence of certain registry keys or files on the system that might not be found in the sandbox. These might be required to contain legitimate data, such as commands or encryption keys. • If the malware is a DLL, certain exported functions will not be invoked properly, because a DLL will not run as easily as an executable. • The sandbox OS environment may not be correct for the malware. For example, the malware might crash on Windows XP but run correctly on Windows 7. • A sandbox cannot tell you what the malware does. It may report basic functionality, but it cannot tell you that the malware is a custom Security Accounts Manager (SAM) hash dump utility or an encrypted keylogging backdoor. (d) A safe analysis setup must include: an analysis VM, a services VM, the host physical machine, and the network component.
Malicious Software
designed to disrupt or deny operations, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour. The expression is a general term used by computer professionals to refer to a variety of forms of hostile, intrusive, or annoying software or program code.
malware analysis uses
(i) Malware authors' use of reverse engineering: developers of malicious software often use reversing to locate vulnerabilities in operating systems and other software. Such vulnerabilities can be used to penetrate the system's defence layers and allow an infection, usually over the Internet. Beyond infection, culprits sometimes employ reversing techniques to locate software vulnerabilities that allow a malicious program to gain access to sensitive information or even take full control of the system.
(ii) Security/malware analysts (security-related reversing): reversing is related to several different aspects of computer security. For example, it has been applied in encryption research. It is also heavily used in connection with malicious software; both malware developers and those developing the antidotes use it.
(iii) Developers of antivirus software dissect and analyse every malicious program that falls into their hands. They use reverse engineering techniques to trace every step the program takes and assess the damage it could cause, the expected rate of infection, how it could be removed from infected systems, and whether infection can be avoided altogether.
(iv) Crackers: finally, reversing is very popular with crackers, who use it to analyse and eventually defeat various copy protection schemes such as DRM and encryption.
(b) Answers may include the following (0.5 marks for mention, 0.5 for explaining):
(i) Some of the benefits: it enables development of new technologies; it improves security tools; password cracking or encryption cracking.
(ii) Some legal issues: reverse engineering could aid code stealing; infringement of copyrights; circumvention of copyright protection.
ESP
stack pointer
Malware analysis
to study a program's behaviour and verify whether it has malicious functionality or behaviour. If the analysed sample is found to be malicious, it must then be classified and the malware family it belongs to identified. The results of this analysis allow the investigator to be better prepared if the malware is encountered again. Malware analysis also provides the information needed to respond to a network intrusion, which includes determining exactly what happened and ensuring that all infected machines and files have been identified. It is fundamental to determine what a particular suspect binary can do, how to detect it on the network, and how to measure and contain its damage. Analysis needs to be done very carefully: it should be performed on a system that is separated from the production environment and on a network that is isolated from the public network. Virtualization software such as VMware and VirtualBox provides options to create such an environment.
ECX
used as a loop counter; holds the 'this' pointer in C++
PE File Format
used by Windows executables, object code and DLLs. The PE file format is a data structure that contains the information necessary for the Windows OS loader to manage the wrapped executable code. - A PE file stores information on every library that will be loaded and every library function that will be used. - Windows portable executables begin with the hex bytes 4D 5A. - A PE file contains everything needed to run without being installed. Packed/obfuscated samples pose a challenge for static analysis; they must be unpacked before diving into code analysis.