Malware Analysis
Jaimin Shah & Krunal Patel, Vishal Patel & Shreyas Patel
Georgia Institute of Technology, School of Electrical and Computer Engineering
Objectives
- Analyze a worm or a virus
- Provide a method to eliminate it
- How to prevent infection in the future?
Overview
- Introduction: definition of malware
- Techniques
- Lab scenario: hands-on analysis of Beagle.J
Introduction to Malware
- How?
- Forms of malware
Detection Techniques
- Integrity checking
- Static anti-virus (AV) scanners
  - Signature-based: strings, regular expressions
  - Static behavior analyzer
- Dynamic anti-virus scanners: behavior monitors
Malware Analysis Techniques
- VMware
  - Multiple operating systems
  - Creates a network between host and guest systems
  - Self-contained files; virtual machines can be transferred to other PCs
    - .vmx – configuration file
    - .vmdk – image of the hard disk
Lab Scenario
- Static analysis
  - BinText: extracts strings from code
  - IDA Pro: disassembler, USD 399/user
  - UPX: compression/decompression
BinText
- Extracts strings from executables
- Reveals clues: IRC commands, SMTP commands, registry keys
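The string triage the BinText slide describes, as an added Python example that is not part of the slides or of BinText itself: it pulls printable ASCII and UTF-16LE runs out of a constructed byte blob and buckets them into the clue categories the slide names (SMTP commands, IRC commands, registry keys), plus the "shared" folder marker from the Beagle.J slide. The blob, the regular expressions and the category names are assumptions made for this example.

```python
import re
from typing import Dict, List

# Clue categories from the BinText slide (plus the "shared" folder marker from
# the Beagle.J slide). The patterns are assumptions for this example, not
# BinText's own rules.
CLUE_PATTERNS = {
    "smtp": re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|QUIT)\b", re.I),
    "irc": re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b"),
    "registry": re.compile(r"(HKEY_|\\CurrentVersion\\Run)", re.I),
    "share": re.compile(r"shar(ed|ing)", re.I),
}


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    ordered by their offset in the blob (what BinText does for an executable)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return [s for _, s in sorted(found)]


def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings by the clue category they match; strings that
    match nothing are dropped, since most strings in a binary are noise."""
    hits: Dict[str, List[str]] = {name: [] for name in CLUE_PATTERNS}
    for s in strings:
        for name, pattern in CLUE_PATTERNS.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits


# Constructed stand-in for an unpacked executable: a DOS header stub, junk
# bytes, ASCII format strings and one UTF-16LE registry path. Not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"HELO %s\r\n\x00MAIL FROM:<%s>\r\n\x00RCPT TO:<%s>\r\n\x00"
    + b"\xff\xfe\x01"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\x7f\x80NICK %s\r\n\x00JOIN #%s\r\n\x00shared\x00"
)

if __name__ == "__main__":
    for category, matches in classify_strings(extract_strings(SAMPLE)).items():
        print(f"{category:9s} {matches}")
```

The UTF-16LE pass matters in practice because Windows API string arguments (registry paths in particular) are often stored wide and never show up in an ASCII-only strings dump.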
IDA Pro
- Disassembles executables into assembly instructions
- Easy-to-use interface
- Separates subroutines, creates variable names, color-coded output
UPX Decompression
- Executable packer commonly used by virus writers
- Can compress a wide range of files: Windows PE executables, DOS executables, DOS COM files, and many more
- To unpack: upx.exe -d -o dest.exe source.exe
Process Observation Tools
- Process Explorer – monitor processes
- FileMon – monitor file operations
- RegMon – monitor registry operations
- Regshot – take a snapshot of the registry and files
- ProcDump – dump code from memory
Beagle.J Capabilities
- Registry: runs on startup
- Copies itself into folders containing "shared"
- Sends copies by email
- Backdoor
Conclusion
- As you have seen, there are various ways for an attacker to get malicious code to execute on remote computers
- We have only scratched the surface; there is much more to learn and discover

Questions?
References
- Images: http://www.microsoft.com, http://www.symantec.com
- Software:
  - BinText – http://www.foundstone.com
  - IDA Pro – http://www.datarescue.com
  - UPX – http://upx.sourceforge.net