
Malware Analysis

Jaimin Shah & Krunal Patel
Vishal Patel & Shreyas Patel

Georgia Institute of Technology
School of Electrical and Computer Engineering

Objectives

Analyzing a worm or a virus
Provide a method to eliminate it
How to prevent infection in the future?

Overview

Introduction
  Definition of Malware
Techniques
Lab Scenario
  Hands-on analysis of Beagle.J

Introduction to Malware

How?
Forms of Malware
Detection Techniques

Forms of Malware

Virus
Trojans
Worms
Spyware
Adware

Detection Techniques

Integrity Checking
Static Anti-Virus (AV) Scanners
  Signature-based
    Strings
    Regular expressions
  Static behavior analyzer
Dynamic Anti-Virus Scanners
  Behavior Monitors

Malware Analysis Techniques

VMware
  Multiple operating systems
  Creates a network between host and guest systems
  Self-contained files
    Can transfer virtual machines to other PCs
    .vmx – configuration file
    .vmdk – image of hard disk

Lab Scenario

Static Analysis
  BinText
    Extracts strings from code
  IDA Pro
    Disassembler
    USD 399/user
  UPX
    UPX compression/decompression

BinText

Extracts strings from executables
Reveals clues: IRC commands, SMTP commands, registry keys

IDA Pro

Disassembles executables into assembly instructions
Easy-to-use interface
Separates subroutines, creates variable names, color-coded

UPX Decompression

Executable packer commonly used by virus writers
Can compress a wide range of files: Windows PE executables, DOS executables, DOS COM files, and many more
To unpack: upx.exe -d -o dest.exe source.exe

Decompressed Output

Process Observation Tools

Process Explorer – monitor processes
FileMon – monitor file operations
RegMon – monitor operations on the registry
Regshot – take snapshot of registry and files
ProcDump – dump code from memory
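The Integrity Checking and signature-based (strings / regular expressions) detection techniques listed earlier, combined with the Regshot-style snapshot step from this slide, as an added Python example that is not part of the deck: it takes a baseline hash snapshot of a directory, simulates a change, diffs the two snapshots, and runs string signatures over the added and modified files. The directory layout, file contents and signature patterns are all constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed string signatures of the kind BinText reveals (SMTP command, Run key).
SIGNATURES = {
    "smtp-mailer": re.compile(rb"RCPT TO:", re.IGNORECASE),
    "run-key": re.compile(rb"CurrentVersion\\Run", re.IGNORECASE),
}

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = hashlib.sha256(Path(full).read_bytes()).hexdigest()
    return snap

def diff_snapshots(before, after):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified

def scan_file(path):
    """Return the names of signatures whose pattern occurs in the file's bytes."""
    data = Path(path).read_bytes()
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(data))

def demo():
    """Constructed scenario: baseline snapshot, simulated infection, diff, scan."""
    root = Path(tempfile.mkdtemp())
    (root / "shared").mkdir()
    (root / "readme.txt").write_text("clean file\n")
    before = snapshot(root)
    # Simulated changes (not real malware): a file dropped into the 'shared'
    # folder carrying the clue strings, and readme.txt altered afterwards.
    (root / "shared" / "setup.exe").write_bytes(
        b"MZ RCPT TO:<x@example.test> Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    with (root / "readme.txt").open("a") as fh:
        fh.write("tampered\n")
    added, removed, modified = diff_snapshots(before, snapshot(root))
    hits = {p: scan_file(root / p) for p in added + modified}
    return added, removed, modified, hits
```

Calling demo() returns the added file under shared, an empty removed list, readme.txt as modified, and the signature hits per changed file.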

Beagle.J Capabilities

Registry: runs on startup
Copies itself into folders containing “shared”
Sends copies by email
Backdoor

Conclusion

As you have seen, there are various ways for an attacker to get malicious code to execute on remote computers.
We have only scratched the surface; there is much more to learn and discover.

Questions?

References

Images
  http://www.microsoft.com
  http://www.symantec.com
Software
  BinText – http://www.foundstone.com
  IDA Pro – http://www.datarescue.com
  UPX – http://upx.sourceforge.net