.

Malware Analysis

<<

satyr

User avatar

Newbie
Newbie

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Wed Dec 22, 2010 5:59 pm

Malware Analysis

hi folks :)

After a eye opener of a post (http://www.ethicalhacker.net/component/ ... ic,6426.0/) I thought it would be fair enough to have a dedicated post on Malware Analysis.

It would benefit folks who are interested in learning about malware analysis.

Lets contribute to what is needed for one to start with malware analysis, I am new to this field myself so ill post what all I came across when I searched about this topic on the net:

1. Basics of both Assembly Language and reverse Engineering

2. An lab environment, mainly using VM (reflux is a distro dedicated to
    malware analysis)

3. Books
    Malware Analyst's Cookbook and DVD: Tools and Techniques for
    Fighting Malicious Code (havent read it but i have seen this
    recommended)

Useful Links:
http://computer-forensics.sans.org/blog ... e-analysis
http://www.networkforensics.com/categor ... -analysis/
http://www.security-forums.com/viewtopi ... 792c2a4d19
http://zeltser.com/reverse-malware/malw ... bcast.html

http://tuts4you.com/download.php?list.88

An excellent article which talks from start to finish about analyzing a trojan
http://www.skullsecurity.org/blog/2010/ ... rt-1-setup


Please contribute to this list with what suits it best based on your experiences
Last edited by satyr on Thu Dec 23, 2010 12:38 am, edited 1 time in total.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Dec 22, 2010 7:45 pm

Re: Malware Analysis

My approach - as usual - is different from most that you will find and my reasoning is as follows: Analyzing malware usually means identifying what occurred due to an application being run. (Remember, most malware will be some code that has managed to run on a machine). In analyzing what went on, you need to know the prior state of a given machine, and the current state of the machine. AFTER you have these two values, differentiate between the two (pre-machine state and post-machine state), to find what is different after the rogue program/application/code is run.

So I now quote a great MUST HAVE BOOK (at least if you're serious about malware/mwforensics) "Malware Forensics - Investigating and Analyzing Malicious Code" (Ch. 9 for those who have the book and are wondering which chapter this is from)

What is the nature and purpose of the program?
How does the program accomplish its purpose?
How does the program interact with the host system?
How does the program interact with the network?
What does the program suggest about the sophistication level of the attacker?
Is there an identifiable vector of attack the program uses to infect a host?
What is the extent of the infection or compromise on the system or network?


So how do you do this? From my POV... Configure a virtualized machine to run code on. This machine must be kept away from a live network as to NOT infect any other machines. Once your machine is configured, if using VMWare, take a snapshot, this allows you to revert back and forth.

So you have your clean spiffy new machine. Now you'd want to take a pre analysis of your machine prior to inection. Suggested tools...

Winalysis - after you start your spiffy new machine. Immediately take a snapshot of the machine configuration, then monitors for changes to files, registry, users, groups, rights policies, svcs, etc.

RPIER (MUST MUST MUST HAVE) - too many things to type on this

Nigilant32 (http://www.agileriskmanagement.com/publications_4.html)

PEiD (find out if someone packed or encrypted their crapware)

Mandiant Red Curtain

Wireshark

SysAnalyzer
SysAnalyzer - An automated malicious code runtime analysis application, SysAnalyzer enables the digital investigators to execute an unknown binary, and then monitors various aspects of the host system, including running processes, open ports, loaded drivers, injected libraries, file modifications, registry changes, API calls made by the target process, and certain network traffic (Hypertext Transfer Protocol [HTTP], Internet Relay Chat [IRC] and Domain Name System [DNS]).


FakeDNS

Netcat


This is a brief summary of what I would play with as a beginner. Be advised, it pays to have some form of debugging skills at the end of the day. I use WinDBG a lot (yes to you programmers (h1tm0nk3y) I also use ImmunityDBG and Olly but prefer WinDBG :D) ... Debugging helps a lot since there will be points in time you will need to understand HOW something occurred, not soley: "Well it crashed IE, then boom!" ... HOW did it crash IE and trigger code execution? Where in mem did it occur and HOW did it do it

For help in the above (debugging), I suggest getting used to debugging by trial, error and reading. I visit DumpAnalysis.org (http://www.dumpanalysis.org/) a lot of obscure things since I found that they have the most information for specifics I look for, particularly heap and stack issues. If you have some money to spend though: MUST HAVE BOOK: Advanced Windows Debugging (http://www.amazon.com/Advanced-Windows- ... 0321374460) its a great read and a book you will always reference.

Anyway this post is long enough for now, holidays are in full season here @ home, so happy holidays all (hannukah, kwanzaa, xmas, whatever one celebrates)
<<

satyr

User avatar

Newbie
Newbie

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Thu Dec 23, 2010 12:29 am

Re: Malware Analysis

wow :)

Thanks again Sil for such a wonderful and informative post ...great stuff  :)

This can be used as a starting point to dive into Malware Analysis ...

I am collecting the material mentioned here so that I can start Malware Analysis in a jiffy

Thanks again Sil

Happy Christmas and have a good time in the holidays :)
God bless

Return to General Certification

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software