Malware Analysis (Jaimin Shah, Krunal Patel, Vishal Patel)

Malware Analysis
Jaimin Shah & Krunal Patel, Vishal Patel & Shreyas Patel
Georgia Institute of Technology, School of Electrical and Computer Engineering

Objectives
- Analyzing a worm or a virus
- Provide a method to eliminate it
- How to prevent infection in the future?

Overview
- Introduction
  - Definition of malware
- Techniques
- Lab Scenario
  - Hands-on analysis of Beagle.J

Introduction to Malware
- How?
- Forms of malware
- Detection techniques

Forms of Malware
- Virus
- Trojans
- Worms
- Spyware
- Adware

Detection Techniques
- Integrity checking
- Static anti-virus (AV) scanners
  - Signature-based: strings, regular expressions
  - Static behavior analyzer
- Dynamic anti-virus scanners
  - Behavior monitors

Malware Analysis Techniques
- VMWare
  - Multiple operating systems
  - Creates a network between host and guest systems
  - Self-contained files: virtual machines can be transferred to other PCs
  - .vmx – configuration file
  - .vmdk – image of the hard disk

Lab Scenario
- Static analysis
  - BinText: extracts strings from code
  - IDA Pro: disassembler, USD 399/user
  - UPX compression/decompression

BinText
- Extracts strings from executables
- Reveals clues:
  - IRC commands, SMTP commands, registry keys
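As an added illustration of what the BinText step looks for (this is example code, not part of the slides or of BinText itself): a small string extractor that pulls printable ASCII and UTF-16LE runs out of a byte blob and buckets the ones that look like IRC commands, SMTP commands or registry keys. The byte blob and the clue patterns are constructed for the example.

```python
import re
from typing import Dict, List

# Clue patterns a BinText-style review looks for; the categories are the ones
# named on the slide (IRC commands, SMTP commands, registry keys). Constructed
# for this example; a real review would use a much longer list.
CLUE_PATTERNS = {
    "irc": re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\b", re.I),
    "smtp": re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA)\b", re.I),
    "registry": re.compile(r"HKEY_|CurrentVersion\\Run", re.I),
}


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars,
    ASCII hits first, each group in file order (what BinText displays)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def find_clues(data: bytes, min_len: int = 5) -> Dict[str, List[str]]:
    """Bucket the extracted strings by the clue category they match."""
    clues: Dict[str, List[str]] = {kind: [] for kind in CLUE_PATTERNS}
    for s in extract_strings(data, min_len):
        for kind, pattern in CLUE_PATTERNS.items():
            if pattern.search(s):
                clues[kind].append(s)
    return clues


# Constructed stand-in for an unpacked binary (not a real sample): a few
# printable runs separated by non-printable padding, one of them UTF-16LE.
PAD = b"\x00\x01\x02"
SAMPLE = (
    b"MZ\x90\x00" + PAD
    + b"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" + PAD
    + b"RCPT TO:<victim@example.com>" + PAD
    + "NICK bot123".encode("utf-16-le") + PAD
    + b"abc" + PAD  # shorter than min_len, so not reported
)

if __name__ == "__main__":
    for kind, hits in find_clues(SAMPLE).items():
        print(kind, hits)
```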

IDA Pro
- Disassembles executables into assembly instructions
- Easy-to-use interface
  - Separates subroutines, creates variable names, color-coded

UPX Decompression
- Executable packer commonly used by virus writers
- Can compress a wide range of files
  - Windows PE executables, DOS COM files, and many more
- To unpack:
  - upx.exe -d -o dest.exe source.exe

Decompressed Output

Process Observation Tools
- Process Explorer: monitor processes
- FileMon: monitor file operations
- RegMon: monitor operations on the registry
- Regshot: take a snapshot of the registry and files
- ProcDump: dump code from memory

Beagle.J Capabilities
- Registry Run key: runs on startup
- Copies itself into folders containing “shared”
- Sends copies by email
- Backdoor

Conclusion
- As you have seen, there are various ways for an attacker to get malicious code to execute on remote computers
- We have only scratched the surface; there is much more to learn and discover

Questions?

References
- Images: http://www.microsoft.com, http://www.symantec.com
- Software:
  - BinText – http://www.foundstone.com
  - IDA Pro – http://www.datarescue.com
  - UPX – http://upx.sourceforge.net