Reverse Engineering Malware Hands-on Workshop

Upload: mustafa-qasim

Post on 18-Nov-2014


DESCRIPTION

Presentation slides of a workshop I delivered on malware reversing at the Cyber Secure Pakistan 2014 conference.

TRANSCRIPT

Page 1: Reverse Engineering Malware Workshop

Reverse Engineering Malware: Hands-on Workshop

Page 2: Reverse Engineering Malware Workshop

$whoami

@mustafaqasim

Page 3: Reverse Engineering Malware Workshop

Class Introduction

Page 4: Reverse Engineering Malware Workshop

What's REM (Reverse Engineering Malware)

Page 5: Reverse Engineering Malware Workshop

Evolution of Virus/Malware

Page 6: Reverse Engineering Malware Workshop
Page 7: Reverse Engineering Malware Workshop
Page 8: Reverse Engineering Malware Workshop

Virus vs. Malware

Page 9: Reverse Engineering Malware Workshop

Malware Classification

Page 10: Reverse Engineering Malware Workshop

Adware, Clicker, Spam, InfoStealer, Spyware

Ransomware, Trojan Horse, Rootkit, Backdoor

Virus, Worms, Botnet

Downloader, Launcher

Page 11: Reverse Engineering Malware Workshop

Reverse Engineering Malware

Page 12: Reverse Engineering Malware Workshop

Static Analysis

Dynamic Analysis

Page 13: Reverse Engineering Malware Workshop

Basic Static Analysis

Advanced Static Analysis

Page 14: Reverse Engineering Malware Workshop

Basic Dynamic Analysis

Advanced Dynamic Analysis

Page 15: Reverse Engineering Malware Workshop

Covered in this Workshop

Basic Static Analysis

Basic Dynamic Analysis

Page 16: Reverse Engineering Malware Workshop

Malware Analysis Lab

Page 17: Reverse Engineering Malware Workshop

Lab Requirements

Isolated

Emulate Intel Arch.

Virtualized vs. Physical

Page 18: Reverse Engineering Malware Workshop

Virtualization Pro & Con

Page 19: Reverse Engineering Malware Workshop

Lights, Camera, Action

Boot your VMs :)

Page 20: Reverse Engineering Malware Workshop

Basic Static Analysis

Page 21: Reverse Engineering Malware Workshop

Hash

Page 22: Reverse Engineering Malware Workshop

Strings

Page 23: Reverse Engineering Malware Workshop

Packers

Page 24: Reverse Engineering Malware Workshop

Packer Detection

Page 25: Reverse Engineering Malware Workshop

Linked Libraries

Static

Dynamic (Runtime, Loadtime)

Page 26: Reverse Engineering Malware Workshop

Portable Executable (PE) Format

Used by the Windows OS loader for files such as .exe, .dll and .ocx.

Page 27: Reverse Engineering Malware Workshop

PE header (import table) reveals a function:

URLDownloadToFile

Page 28: Reverse Engineering Malware Workshop
Page 29: Reverse Engineering Malware Workshop

Explore Dynamic Linked Functions

Page 30: Reverse Engineering Malware Workshop
Page 31: Reverse Engineering Malware Workshop

Dependency Walker

Resource Hacker

PEView
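The basic static analysis slides above (hash, strings, packers, linked libraries, the PE format and the import that names URLDownloadToFile) are what tools such as PEView and Dependency Walker automate. The following is an added example, not code from the workshop: it constructs a minimal PE32 image in memory (a stand-in, not a real sample; the URL string, DLL names and import set are all constructed) and then performs the three triage steps on it, hashing the file, pulling printable strings, and walking the import directory through the section table to list which DLLs and functions the file links against. The list of download-capable APIs it flags is an assumed triage hint, not a verdict on the file.

```python
"""Basic static triage of a PE file: hashes, strings and the import table.
Added example; the PE built here is a constructed stand-in, not a real sample."""
import hashlib
import re
import struct

SECTION_RVA = 0x1000         # where the single .idata section is mapped
SECTION_FILE_OFFSET = 0x200  # where its raw bytes start in the file
IMPORT_DIR_OFFSET = 104      # import data directory inside a PE32 optional header

# Constructed import set: file I/O plus the downloader API the slides point at.
SAMPLE_IMPORTS = {"KERNEL32.dll": ["CreateFileA", "WriteFile"],
                  "URLMON.dll": ["URLDownloadToFileA"]}

def build_sample_pe(imports=SAMPLE_IMPORTS):
    """Emit a minimal PE32 image whose only content is an import directory."""
    sec = bytearray()

    def add(data):                       # append to the section, return its RVA
        rva = SECTION_RVA + len(sec)
        sec.extend(data)
        return rva

    add(b"http://example.invalid/payload.bin\0")   # constructed URL for the strings step
    descriptors = []
    for dll, funcs in imports.items():
        name_rva = add(dll.encode() + b"\0")
        hints = []
        for f in funcs:                  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
            entry = struct.pack("<H", 0) + f.encode() + b"\0"
            hints.append(add(entry + b"\0" * (len(entry) % 2)))
        thunks = b"".join(struct.pack("<I", h) for h in hints) + b"\0" * 4
        ilt_rva, iat_rva = add(thunks), add(thunks)   # lookup table and its IAT copy
        descriptors.append(struct.pack("<5I", ilt_rva, 0, 0, name_rva, iat_rva))
    imp_rva = add(b"".join(descriptors) + b"\0" * 20)  # null descriptor terminates
    imp_size = len(descriptors) * 20 + 20

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, SECTION_FILE_OFFSET)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, IMPORT_DIR_OFFSET, imp_rva, imp_size)
    raw_size = (len(sec) + 0x1FF) & ~0x1FF
    sechdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), SECTION_RVA, raw_size,
                         SECTION_FILE_OFFSET, 0, 0, 0, 0, 0xC0000040)
    head = dos + coff + opt + sechdr
    return bytes(head + b"\0" * (SECTION_FILE_OFFSET - len(head))
                 + sec + b"\0" * (raw_size - len(sec)))

def file_hashes(pe):
    """Step 1: hashes, the identifier you look up and share."""
    return {"md5": hashlib.md5(pe).hexdigest(), "sha256": hashlib.sha256(pe).hexdigest()}

def extract_strings(pe, min_len=6):
    """Step 2: printable ASCII runs, the same thing the strings tool reports."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, pe)]

def parse_imports(pe):
    """Step 3: walk the import directory and return {dll: [function, ...]}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ moves the data directories)")
    imp_rva = struct.unpack_from("<I", pe, opt + IMPORT_DIR_OFFSET)[0]
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)[1:]
                for i in range(nsec)]

    def rva2off(rva):                    # translate an RVA through the section table
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} outside every section")

    def cstr(off):
        return pe[off:pe.index(b"\0", off)].decode("ascii", "replace")

    result, off = {}, rva2off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", pe, off)
        if name_rva == 0:
            break
        funcs, toff = [], rva2off(ilt or iat)   # some packers zero the ILT; fall back to IAT
        while True:
            thunk = struct.unpack_from("<I", pe, toff)[0]
            if thunk == 0:
                break
            funcs.append(f"ordinal#{thunk & 0xFFFF}" if thunk & 0x80000000
                         else cstr(rva2off(thunk) + 2))   # skip the 2-byte hint
            toff += 4
        result[cstr(rva2off(name_rva))] = funcs
        off += 20
    return result

DOWNLOAD_APIS = {"URLDownloadToFileA", "URLDownloadToFileW"}   # assumed triage list

def flag_download_apis(imports):
    """Triage hint only: an import names a capability, not a verdict."""
    return [f"{dll}!{fn}" for dll, fns in imports.items() for fn in fns if fn in DOWNLOAD_APIS]

if __name__ == "__main__":
    sample = build_sample_pe()
    print(file_hashes(sample))
    print([s for s in extract_strings(sample) if s.startswith("http")])
    imps = parse_imports(sample)
    print(imps, flag_download_apis(imps))
```

Run it as a script, or point `parse_imports` at the bytes of any unpacked PE32 file; a packed sample typically shows only a handful of imports (often just LoadLibrary/GetProcAddress), which is itself the packer-detection signal the slides describe.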

Page 32: Reverse Engineering Malware Workshop

Basic Dynamic Analysis

Page 33: Reverse Engineering Malware Workshop

Regshot

Page 34: Reverse Engineering Malware Workshop

Process Monitor

Page 35: Reverse Engineering Malware Workshop

Process Explorer

Page 36: Reverse Engineering Malware Workshop

Wireshark

Page 37: Reverse Engineering Malware Workshop

Lab

Analysis of an IRC botnet malware

Page 38: Reverse Engineering Malware Workshop

Q & A