CE0612
Advanced Malware Reverse Engineering
Outline
• Introduction to malware
• Basic analysis
• Advanced static analysis
• Advanced dynamic analysis
• Malware functionality
• Anti-reverse-engineering
CH1: Introduction to malware
What Is Malware?
• Malware is code that performs malicious actions; it can take the form of an executable, script, code, or any other software.
• Attackers use malware to steal sensitive information, spy on the infected system, or take control of the system.
• It typically gets into your system without your consent and can be delivered via various communication channels such as email, web, or USB drives.
Malicious actions?
The following are some of the malicious actions performed by
malware:
• Disrupting computer operations
• Stealing sensitive information, including personal, business, and financial data
• Unauthorized access to the victim's system
• Spying on the victims
• Sending spam emails
• Engaging in distributed denial-of-service (DDoS) attacks
• Locking up the files on the computer and holding them for ransom
Malware types
• Virus
• Worm
• Backdoor
• Trojan
• Spyware
• Keylogger
• Botnet
• Remote administration tool (RAT)
• Adware
• Rootkit
• Banking malware
• Ransomware
• Downloader or dropper
Virus
• The first kind of malware that is known to self-replicate.
• It is also called a file infector.
• Viruses survive by infecting and inserting themselves into other healthy files on the system.
Worm
A worm is malware, or a malware functionality, that spreads and infects other computers, either via the network or by some physical means such as USB drives.
Trojan
Malware that masquerades as clean software and is installed on the victim’s machine with the user’s full knowledge, but the user is not aware of its real malicious intentions.
Examples: software that claims to hack Facebook or email accounts, …
Backdoor
• A backdoor is malware that allows an unauthorized user into devices, applications, and networks.
• Attackers can gain backdoor access using a command-line interface or other text-based commands.
RAT: Remote Access Trojan / Remote Administration Tool
Ransomware
Ransomware is a type of malware that locks and encrypts a victim's data, files, devices, or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment.
The first iterations of ransomware used only encryption to prevent victims from accessing their files and systems.
Logic / Time Bomb
• A logic bomb is a set of instructions in a program carrying a malicious payload that can attack an operating system, program, or network.
• It only goes off after certain conditions are met.
Spyware
Spyware is malicious software that enters a user’s computer, gathers data from the device and user, and sends it to third parties without their consent. A commonly accepted spyware definition is a strand of malware designed to access and damage a device without the user’s consent.
Data flow: from the infected device to the attacker
Adware
• Adware (or advertising software) is the term used for various pop-up advertisements that show up on your computer or mobile device.
• Adware has the potential to become malicious and harm your device by slowing it down, hijacking your browser, and installing viruses and/or spyware.
Data flow: from the attacker to the infected device
Fileless
Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyberattack. Unlike traditional malware, fileless malware does not require an attacker to install any code on a target's system, making it hard to detect.
Advanced persistent threat (APT)
Advanced: state-sponsored group. Persistent: remains undetected for an extended period. Threat.
An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time.
• Rootkits
• Bootkits
APT: Rootkit vs Bootkit
Rootkits
• Designed to hide the existence of certain processes from normal methods of detection, to enable continued access to the computer
• Examples: Stuxnet, Flame, ..
Bootkits = boot capability + rootkits
• Are rootkits in which the first point of control is during the boot process.
• This allows the malicious program to be executed before the operating system boots ➔ it runs before the antivirus
• A malicious boot record cannot just be deleted or moved without damaging the computer
Mass v. Targeted Malware
• Mass malware
– Intended to infect as many machines as possible
– Most common type
• Targeted malware
– Tailored to a specific target
– Very difficult to detect, prevent, and remove
– Requires advanced analysis
– Ex: Stuxnet
Incident Response
• Case history
– A medical clinic with 10 offices found malware on one of their workstations
– Hired a consultant to clean & re-image that machine
• All done—case closed?
Incident Response
• After malware is found, you need to know
– Did an attacker implant a rootkit or trojan on your systems?
– Is the attacker really gone?
– What did the attacker steal or add?
– How did the attack get in?
• Root-cause analysis
Malware Analysis
• Dissecting malware to understand
– How it works
– How to identify it
– How to defeat or eliminate it
• A critical part of incident response
The Goals of Malware Analysis
• Information required to respond to a network intrusion
– Exactly what happened
– Ensure you’ve located all infected machines and files
– How to measure and contain the damage
– Find signatures for intrusion detection systems
Signatures
• Host-based signatures
– Identify files or registry keys on a victim computer that indicate an infection
– Focus on what the malware did to the system, not the malware itself
• Different from antivirus signatures
• Network signatures
– Detect malware by analyzing network traffic
– More effective when made using malware analysis
Static Vs. Dynamic Analysis
• Static Analysis
– Examines malware without running it
– Tools: VirusTotal, strings, a disassembler like IDA Pro
• Dynamic Analysis
– Run the malware and monitor its effect
– Use a virtual machine and take snapshots
– Tools: RegShot, Process Monitor, Process Hacker, CaptureBAT
– RAM analysis: Mandiant Redline and Volatility
Basic Analysis
Basic Static Analysis
• View malware without looking at instructions
• Provides information about its functionality (network connections, registry keys, domains)
• Straightforward and easy
• Fails for advanced malware and can miss important behavior
• It doesn’t reveal the full extent of the malware's capabilities
Basic Dynamic Analysis
• Running the malware in a safe and isolated lab environment
• Observing its behavior on the system
• Remove the infection
• Produce effective signatures
• Straightforward and easy
• Can be used by most people without deep programming knowledge
• Fails for advanced malware and can miss important behavior
• It doesn’t reveal the full extent of the malware's capabilities
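As an added example (not from the course slides), here is a small Python triage script for the basic static analysis step above: it hashes a sample, pulls printable strings the way the `strings` tool does, and sorts them into the network and host-based indicator classes that the Signatures slide distinguishes. The sample bytes, domain, IP address and paths are all constructed for the example.

```python
import hashlib
import re

# Constructed sample: a byte buffer standing in for a suspicious executable.
# Non-printable bytes around the strings mimic real code/data sections.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00http://update.example-cdn.test/payload.bin\x00\x01\x02"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x7f\x00"
    b"C:\\Users\\Public\\svchost32.exe\x00\x00\x9a198.51.100.23\x00"
    b"\x03ab\x00GetProcAddress\x00"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
REG_RE = re.compile(r"^(?:HK[A-Z_]+\\|SOFTWARE\\|SYSTEM\\)", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def sha256_hex(data: bytes) -> str:
    """Hash the sample so the report is tied to one specific file."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of the `strings` tool: runs of printable ASCII of min_len+."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify(strings) -> dict:
    """Sort strings into the indicator classes an analyst uses for signatures:
    network (URLs, IPs) and host-based (registry keys, file paths)."""
    report = {"network": [], "registry": [], "files": [], "other": []}
    for s in strings:
        if URL_RE.search(s) or IPV4_RE.match(s):
            report["network"].append(s)
        elif REG_RE.match(s):
            report["registry"].append(s)
        elif PATH_RE.match(s):
            report["files"].append(s)
        else:
            report["other"].append(s)
    return report


def triage(data: bytes) -> dict:
    """Full basic-static pass: hash plus classified string indicators."""
    report = classify(extract_strings(data))
    report["sha256"] = sha256_hex(data)
    return report
```

Running `triage(SAMPLE)` yields the Run key and dropped path as host-based indicators and the URL and IP as network indicators, which is exactly the raw material the Signatures slide expects from this stage.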
Advanced Analysis
Advanced Static Analysis
• Loading the executable into a disassembler and looking at the program instructions that are executed by the CPU
• Reverse-engineering with a disassembler
• It tells you exactly what the program does
• It requires knowledge of disassembly, code constructs, and Windows OS concepts and internals
• It takes much longer than basic static analysis
Advanced Dynamic Analysis
• Run the code in a debugger
• Examines the internal state of a running malicious executable
• The ability to modify its execution path and state
• Extract detailed information from the malicious executable
• Fails for advanced malware and can miss important behavior
• It doesn’t reveal the full extent of the malware's capabilities
General Rules for Malware Analysis
• Don’t Get Caught in Details
– You don’t need to understand 100% of the code
– Focus on key features
• Try Several Tools
– If one tool fails, try another
– Don’t get stuck on a hard issue, move along
• Malware authors are constantly raising the bar