Malware Exam 1

Ace your homework & exams now with Quizwiz!

_ip Instruction Pointer

(program counter) address of next instruction. - updated as current instruction executes - changed for jumps, calls and returns underscore may be R (64 bit), E (32 bit) or none (16 bit).

Using IDA

- Strings which are prompts (e.g. "Enter...") are good places to investigate - Strings which are URLs are good places to investigate - If debugger available, use for breakpoints - Hex View-A shows hex of selected instruction - Double clicking on entry in window focuses on its address *exports *imports *names *functions *strings Exports - functions visible (callable) outside program Start - where execution of the process begins TLS - Thread Local Storage TLSCallbac_n - Called (run) before start (potential source of infection) Imports - Functions from Dlls (PE examiners, CFF Explorer, also list) Types of imports - Kernel O.S. Library - Msvcrt Microsoft Visual C Run Time Library

Basic network info

- Windows (CLI) ipconfig /all netstat -a -Linux (CLI) ifconfig -a netstat -a

Malware and Networks

-Network used to transmit malware, usually a user involved. Example: April2Net\OUTLINE-w-ref.html -Malware uses network to exfiltrate data, command and control

Segments in IDA

.text - executable code .data - data .rdata - data .bss - uninitialized data .idata - import data .CRT - digital certificate file used with a web browser? .tls - thread local storage

Setting up RUNFAST

1. Open command prompt and enter the following: cd %TEMP% type con > test.txt blah blah blah CRTL/Z dir *.txt 2. Open runfast64.ex_ Profile > Start Profiling ... No Program Arguments Window > CMD.EXE - program executable - program arguments

True

A .dll file can contain malware

True

A command (such as del or dir) can be started from an executable file (True or False)

False

A disassembler produces C code from an executable (.exe) file (True or False)

A register in a CPU

A fast temporary storage location for values (one to eight bytes wide)

True

A jump instruction (e.g. JMP, JZ,...) can change the value in the IP register

White list

A list of known safe (or good) software

Black list

A list of software known to be harmful, usually with hash values

Difference between a program and a process

A process is a program which has been put in memory and is being executed.

Monitoring Software

AV (antivirus) IDS (Intrusion Detection System) SEIM (Security Event and Incident Management)

Linking

Adding operating system and other subroutines and libraries to a program.

Label

Address of instruction - adjusted for relative addressing

Virtual, Relocated Address

Address when disassembled or loaded into memory - Memory address may be virtual

Physical Memory

An array of bytes provided by hardware (memory chips) size determined by hardware (memory chips)

Indicator of Compromise (IOC)

An artifact or other evidence that a security breach has occurred. A formal rule describing a security breach. - yara - openIOC

Zero Day Exploit

An attack based upon a zero day vulnerability.

Dynamic Analysis

Analysis done by executing program (.exe, .dll,..) Dangerous Must be done in contained environment - malware analysis sandbox (online) - virtual machine

Static Analysis

Analysis done of binary code in file, not of executing process.

Assembler Comments

Anything following a semicolon (;) is a comment - beginning of line - after (to the right of) instruction

True

Before malware is run in a virtual machine, the virtual machine's access to the internet should be disabled

Cache

CPU storage for next data, instructions. Principle of locality. Invisible in operation.

IDA

Can modify code, change values. Shouldn't be done in malware forensics/analysis When .exe is loaded, PE info is used and stripped out DATA and CODE may be cross-referenced as targets. XREFs can be used to jump to call (or reference)

Terminator

Character(s) indicating end of string Text - End of line (EOL) - Control characters Program data - null (0x00) terminated

Sponsor of an APT in the Mandiant Report

China (Peoples Republic of China)

Fetch Decode Execute

Cycle of operations in CPU fetch - get next instruction (typically sequence of 1-6 bytes) decode - decode instruction execute - perform instruction

Disassembler and Debugger

Disassembler and Debugger may be combined - OllyDBG - IDA Pro

True

During malware analysis, static analysis is usually done before dynamic analysis (True or False)

False

Dynamic analysis should be done before static analysis (True or False)

True

Every process has at least one thread (True or False)

ELF File Format

Executable and Linkable Format. File format for executable programs for *NIX Signature (file header) 0x07 0x45 0x4C 0x46 E L F most windows tools for working with PE format will not work with ELF format exceptions -> string tools, TRID, IDA Pro

Threads

Executing unit within process ("lightweight process") - shares resources (e.g. data, code) with other threads of process - has own state (e.g. next instruction to execute) - must coordinate and communicate with other threads - has priority (beyond that of its process)

Physical Address Extension (PAE)

Extending the address space beyond the register size by using tables. e.g. IA-32 with more than 4GB RAM Maybe using paging

Wireshark

Good for network attacks handshake attacks syn flood DDOS

Programs with random and unusual file names

If a program name looks somewhat unusual, if it is signed, it is probably legitimate. Files in System32 can have somewhat cryptic names

True

If there are two operands in an assembly instruction, at most one can be a memory reference (True or False)

Instruction operands

Immediate - value - only as source Register - used often ex) sub esp, 10h esp <-- register 10h <-- immediate

False

Interpreted and compiled programs run the same way (True or False)

INT

Interrupt instruction INT int_num ; Interrupt using int_num usually not in disassemble code - used by lower levels

Address Space Layout Randomization (ASLR)

Is a memory-protection process for operating systems that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.

Intrusion Prevention System (IPS)

Is a preemptive approach to network security used to identify potential threats and respond to them swiftly, like an IDS, this monitors network traffic.

Intrusion Detection System (IDS)

Is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.

Security Information and Event Management (SIEM)

Is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system

XOR Encryption

Is an encryption method used to encrypt data and is hard to crack by brute-force method, i.e generating random encryption keys to match with the correct one. To decrypt the encrypted characters we have to perform XOR operation again with the defined key. this is done bitwise using a key xor decryption is same as encryption done bitwise using a key (key used for encryption)

Zero Day Vulnerability

Is unknown to defender and unpatched.

Sandbox

Isolated, testing environment for software. - software development - untrusted code

What information is in the comment (DATA XREF: main+12^0)?

It indicates where the string is used in the program

Advantage of using an AV site (such as VirusTotal)

It is convenient and results are returned quickly

What is the purpose of the value 0 (a null byte) that occurs after README.TXT

It is used to indicate the end of the string. Null (zero) terminated string.

Disadvantage of using an AV site (such as VirusTotal)

It may disclose the attack to the attackers and cause them to change tactics

Near and Far

Jumps, Returns, ... For when the next instruction is not the next instruction - Near : Target instruction is close - Far : Target instruction is not close - How to change IP (EIP, RIP)

Machine Language

Language of the CPU - Instruction set

False

Library routines are only linked to a source code program when it is compiled

False

Linking is only done when a program is compiled (True or False)

Data in EXE

Locatable, unstructured bytes. - Locatable : Has an address (relative offset) - Probably in data section *.data *.rdata *.bss * Data section specified in PE Header Exception : Immediate values encoded in instruction as source code operands

hiberfil.sys

Location: C:\ compressed copy of memory decompress with volatility analyze with volatility

.DLL Dynamic Link Library

MS Implementation of dynamic linking allowing shared routines. - C:\Windows\System32 and subdirectories - executable format must be called e.g. MZ header - usually contains many functions (subroutines)

Host, Host O.S.

Machine (or operating system) upon which the VM is running.

Assembly Language

Machine language (binary code) for humans

Instruction Set

Machine language instructions for specific architecture (CPU).

Guest, Guest O.S.

Machine provided by the VM or operating system in the VM.

Trojan

Malware disguised as legitimate software.

Ransomware

Malware which encrypts data and demands ransom for key to decrypt.

Virus

Malware which self replicates and spreads ("infects" other computers) by corrupting other programs (including macros).

Obfuscated malware

Malware writers often use packing or obfuscation to make their files more difficult to detect or analyze. Obfuscated programs are ones whose execution the malware author has attempted to hide. Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed.

Virtual/Linear Address Space

Memory addresses available to a process for both instructions and data (and stack) when program is loaded into memory, memory references are established. virtual to physical mapping may not be simple

Memory Acquisition

Memory image at a particular time or time interval is impossible part of memory will be acquisition tool (process) part of memory is in CPU caches

User Space (Ring 3)

Memory used for application, system functions run in user mode. protected, limited cant access system space or other processes

System Space/Kernel Space (Ring 0)

Memory used for system functions run in kernel mode less protected, fewer limitations

Assembly Language

Mnemonic language for machine language.

Absolute Address

Number of bytes (offset) from beginning of file

Process ID (PID)

Numerical identifier for process.

False

Only .exe files use the PE file format (True or False)

Command

Operating system program.

Assembly Instruction Format

Operation - nop - retn Operation Operand - push epb - jmp short loc_41546 Operation Destination, Source - add eax, 4 - mov [esp+10h_var_10], offset aHelloWorld *At most of one of Destination and Source can be memory reference

Packed malware

Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed. Both techniques will severely limit your attempts to statically analyze the malware.

Device Memory

Part of RAM mapped directly to devices - including destination of image acquisition tool should omit this use MmGetPhysicalRanges() routine from Windows Kernel-Mode Memory Manager

Stack Frame

Part of stack associated with a particular subprogram - for current subprogram, part of stack above BP

Segments

Parts of process memory for specific purpose e.g. .text for instructions OS should check memory only used correctly roughly correspond to PE sections may use segment with registers

Paging

Parts of process' memory (and other memory - data) actually on the disk allows multiple processes in memory makes entire (or large) address space available windows: 4K pages windows: C:\pagefile.sys

Bus

Path between components of a system.

Signal (IRQ-Interrupt ReQuest)

Press the a key and this is sent to the processor -hardware interrupt -processor temporarily suspends execution of current thread or process -saves state -processor determines necessary action(s) using *where (KBD, mouse,...) signal (IRQ) originated *what signal (keys pressed, mouse click/motion) was generated *interrupt table - list of pointers to interrupt handlers (code to handle the signal *processes or threads running to pass the signal (data)

Parent Process

Process that executed (caused to run) the process. - processes are in tree (hierarchy) process tree - PPID: Parent Process ID

Compiling

Producing executable program from source code.

Source Code

Program (or component of program) in high level language

Key Logger

Program (or hardware) which surreptiously records the keys pressed.

Rootkit

Program designed to 1. hide processes, activities and files from O.S. and legitimate users 2. access a computer or areas of a computer for non-legitimate reasons

Process

Program in memory which is running or executing sequence of instructions. - some program may have more than one - only programs in memory execute this - O.S. runs this simultaneously - instructions executed by CPU

Assembler

Program to convert assembly language program into machine code - PE Format: Metadata in PE header - Linker: Program to link machine code into executable program

Disassembler

Program to convert machine language to assembly language

Debugger

Program to run another program under user control - Instruction by instruction execution - Breakpoint : Instruction designated as stopping point

Address Space

Range of memory addresses, determined by register size 32 bit register (EIP, EAX,...) 62 bit register (RIP, RAX,...)

Handle

Reference to a resource. - File Handle - inFile = open("IN.DAT");

Flags Register

Register whose bits (flags) reflect the outcome of an operation examples: -CF -PF -AF -ZF -TF -SF -DF -OF

True

Registers have become larger (contain more bits) as the Intel and AMD architectures have evolved. (True or False)

Safety Protocols

Run malware only in a virtual environment with nonexistent or constrained internet connection. Replace last letter of malware executable extension with underscore. e.g. .ex_ or .dl_

False

Running malware in a debugger always prevents the malware from causing harm (True or False)

False

Running malware in a virtual machine is always the same as running it on an actual machine

RAM

Sequence of addressable bytes. Managed by O.S. - keeps processes' instructions and data - two main regions: user space and kernel space

String

Sequence of characters - ASCII or UNICODE

Program

Sequence of instructions. - source code - binary, executable (.exe)

Strings

Sequence of values/characters ASCII - 7bit encoding of Latin(English) alphabet and control characters - stored in one byte - range 0x00 to 0x7F ASCII "Printable" - 0x20 to 0x7E UNICODE - multibyte encoding of all alphabets - 16bit (UTF-16) is common

State (or Status) - Local Context

Set of values describing position (progress) of computation. - next instruction - values of variables - low level: register values - etc.

Malware

Software (programs, scripts, libraries,...) including firmware, put on a computer (or computer system) or device with a processor by an unauthorized third party, with the intent of gain of the third party.

Linking

Some linking may be done at run-time or during execution (DLLs)

Instruction

Specification of action. - move data - alter data

Worm

Stand alone malware which spreads itself (typically across a network or networks).

Breakpoint

Statement marked for process pause - Set before or during a process execution *IDA View Statement *Function, Names - Highlighted in red

Registers

Storage for all values. All logic, arithmetic done in registers. Values and addresses moved between registers and memory. 64 (or 32) bits wide, but bytes and words within some registers can be referred to as registers. - backwards compatibility

True

String are sometimes found in the .rdata section of a disassembled executable (True or False)

Service

System initiated process. - may terminate and stay resident in memory "pause" and then restart - usually started at the boot - \HKLM\SYSTEM\CurrentControlSet\Services

Files with only Strings

Text files .txt Source Code .c .cpp .py .java Configuration Files .conf HTML Files .html Batch, Script Files .bat .js Most files have strings. Some files have strings which are meaningful

What is the significance of the "a" in the label aReadmeTxt?

The "a" indicates it is an ASCII string

False

The .text section of a disassembled executable contains text used in the program (True or False)

True

The bits (flags) in the flags register record the results (e.g. zero, overflow,...) when an instruction is executed (True or False)

True

The header of an .exe and a .dll file are normally in the same format (True or False)

Why is it useful to examine the imports of an executable program?

The imports have the functions used by the program. They can give some indication of what the malware does. For example, a network function indicates network use

IP register

The instruction pointer contains the address of the next instruction to be executed by the CPU

True

The instruction pointer register (IP, EIP, RIP) holds the address of the next instruction to be executed (True or False)

NOP instruction

The no operation instruction which has no effect. It does not have any effect except to increase the instruction pointer

False

The opcodes (actual bytes) for all assembly instructions are all the same length (number of bytes) (True or False)

True

The registers AX, EAX, and RAX are variants of the same register. (True or False)

False

The registry isn't useful for malware analysis (True or False)

True

The stack for a process grows upward (toward lower memory) (True or False)

True

The threads within a process share resources (True or False)

True

The top of the stack for a process is usually recorded in the SP register (True or False)

Limitations of using IOCs

They only identify known malware

RAT - Remote Access Trojan

Trojan designed to give remote access.

Passing, Returning Values

Use registers Use stack Use global memory (address on stack or in register)

Process Priority

Used by the O.S. for scheduling. - idle - below normal - normal - above normal - high priority - realtime

Jumps

Used for decision structures (if-then-else, case) and loops (for, while,...) includes conditional jumps

Task

User initiated process.

Advantage of using longer strings

Using a longer string length produces fewer and more meaningful strings

State (or Status) - Global Context

What process or thread is currently doing. Managed by O.S. - running - ready (waiting) - blocked - suspended (sleeping) - terminated

False

When a function returns (completes), values are pushed onto the stack (True or False)

Event logs

Windows logs (records) information constantly saved in several event log files XML format (special text file)

Program Argument

X:\SomeDir> Aprogram Arg1 Aprogram - program process start Arg1 - Argument, value(s) input to program

Base64 Encoding

a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation

Add instruction

add destination, source *destination <-- destination + source Flags Affected: OF, ZF, CF, PF, SF, AF

Assembly language directive

an instruction to the assembler to perform some action -directives begin with a period, usually all lower case - disassemblers (and debuggers) may not produce the original directives - disassemblers usually produce some directives

Heap

area in memory which is allocated and unallocated by the process. Dynamically allocated memory, not on stack

Compare instruction

cmp operand1, operand 2 *temp <-- operand1 - operand2 temp used to set flags and discaded Flags Affected : OF, ZF, CF, PF, SF, AF

Debugger Notes

debugger stops for input debugger stops for breakpoints

Unconditional Jump

jmp label *IP <-- label

System files

kernel32.dll - windows API ntdll.dll - run time library ntoskrnl.exe - OS kernel hal.dll - HAL Hardware Abstraction Layer

Move instruction

mov destination, source *destination <-- source

No operation

nop *IP <-- IP + 1 one byte instruction - used to align - XCHG EAX, EAX

Interrupts

process or thread can generate interrupt to pause while it waits for input

pagefile.sys

random chunks of memory not for malware analysis search for items of interest (e.g. using Yara rules) may be large - over 2 GB

Subtraction instruction

sub destination, source *destination <-- destination - source Flags Affected: OF, ZF, CF, PF, SF, AF


Related study sets

Repaso ejercicio de rellenar huecos de verbos. pregunta PeVau Inglés

View Set

Med surge final REVIEW QUESTIONS

View Set

Biochemistry - Citric Acid Cycle

View Set

MGMT - Chapter 10, Chapter 8 MGT 405, Chapter 7, mgmt Chapter 9 (strategic mgmt mc)

View Set

Sadlier-Oxford Vocabulary Workshop Level A Unit 10 - Antonyms (Bold Only)

View Set

Chapter 3 & 4 - Banquet and Catering

View Set

The Fourth Amendment: Arrests Part II

View Set

USA Test Prep Benchmark Pre Test - NETOCEKALU K12

View Set

Middle East Countries and Capitals

View Set