Practical Malware Analysis - Part 2 Dynamic Analysis

This document discusses dynamic malware analysis techniques. It describes how dynamic analysis is used when static analysis reaches limitations. It outlines risks of dynamic analysis and how sandboxes can be used to safely analyze malware. Common sandbox tools like Norman and GFI are mentioned. The document also discusses monitoring malware behavior using tools like Process Monitor and Process Explorer to track registry, file system, process and network activity. It provides guidance on running malware directly and analyzing the results.
Malware Analysis

Practical Malware Analysis – Part 2: Dynamic Analysis

1. Goals of Malware Analysis
2. Signature types
3. Rules of Analysis
4. Basic Static Analysis tools
5. Labs (Review)
All rights reserved
Dynamic Malware Analysis
 Dynamic malware analysis is a second step
– Normally used when static malware analysis reaches a dead end
– An efficient, quick and reliable way of learning malware functionality
 Dynamic analysis also has some associated risks / shortcomings
– Can put your system / network at risk
– Not every code path gets executed every time
• Some code runs only under certain pre-defined conditions
 Advanced static / dynamic analysis may be needed to learn the full functionality of the malware

Malware Analysis - Riphah International University 2


Sandboxes
 A sandbox is a security mechanism for running untrusted code in a safe environment
– Without risk of any damage to the system
 A sandbox is a virtual environment which runs the network services needed by the malware
– Much like virtual machines, which run an entire OS in a safe environment
 Many free web-based sandboxes are available
– Examples: Norman, GFI, Anubis, Joe, ThreatExpert, BitBlaze, Comodo Instant Malware Analysis etc.
• Norman and GFI are more popular and probably commercial as well
GFI Sandbox

GFI Sandbox
 Analysis Summary consists of:
– Static analysis information & an overview of the dynamic analysis
 File Activity lists:
– Files created, deleted or opened by a malware process
 Created Mutexes lists:
– Mutexes created by the malware
 Registry Activity lists:
– Changes made to the registry
 Network Activity consists of:
– Setting up a listening port / DNS activity
 VirusTotal lists the results of the virus scan done by VirusTotal

Sandbox Drawbacks
 Drawbacks of sandboxes
– Cannot run malware that needs command line arguments
– If the malware needs a command from a C&C server, it will not run within the sandbox
– Sleeping for a much longer period of time before performing some event is another reason a sandbox might fail
– Malware with anti-VM techniques is another problem
– Certain malware needs some registry keys to run

Basic Dynamic Analysis

HOW TO RUN MALWARE?

Running Malware
 Running EXE files is simple
– Double click or run from the command line
 Running DLL files
– Export arguments refer to exported functions
• Can be referenced by function name or by ordinal

Running Malware
 DllMain is executed when the DLL is loaded
– rundll32.exe will force the DLL to load
 A DLL can also be turned into an EXE file
– Modify the PE header and the file extension
 Modifying the PE header
– Wipe the IMAGE_FILE_DLL flag in the Characteristics field of IMAGE_FILE_HEADER
• No imported function will work and the binary may crash
– DllMain is still executed and we can collect some information
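As an added example (not part of the slides or of the book's own tooling), the header edit described above in Python: it walks from the DOS header's e_lfanew to IMAGE_FILE_HEADER.Characteristics and clears IMAGE_FILE_DLL; the header it operates on is a constructed minimal stub, not a real binary.

```python
import struct

IMAGE_FILE_DLL = 0x2000              # Characteristics bit that marks a DLL
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002

def characteristics_offset(pe):
    """File offset of IMAGE_FILE_HEADER.Characteristics, per the PE spec."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]   # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its
    # last WORD at +18 (Machine 2, NumberOfSections 2, TimeDateStamp 4,
    # PointerToSymbolTable 4, NumberOfSymbols 4, SizeOfOptionalHeader 2).
    return e_lfanew + 4 + 18

def is_dll(pe):
    """True if IMAGE_FILE_DLL is set, i.e. the loader treats the image as a DLL."""
    return bool(struct.unpack_from("<H", pe, characteristics_offset(pe))[0] & IMAGE_FILE_DLL)

def dll_to_exe(pe):
    """Return a copy of the image with IMAGE_FILE_DLL wiped (rename to .exe yourself)."""
    buf = bytearray(pe)
    off = characteristics_offset(buf)
    flags = struct.unpack_from("<H", buf, off)[0]
    struct.pack_into("<H", buf, off, flags & ~IMAGE_FILE_DLL)
    return bytes(buf)

def build_sample_header(characteristics):
    """Constructed stand-in: DOS stub + PE signature + IMAGE_FILE_HEADER only."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, stamp/symtab/nsyms=0, SizeOfOptionalHeader=0xE0
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header

if __name__ == "__main__":
    sample = build_sample_header(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    print("DLL flag before:", is_dll(sample), "after:", is_dll(dll_to_exe(sample)))
```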

Running Malware
 Running malware as a service
– rundll32.exe will force the DLL to load
 The service may also need some command line arguments
– Or may need the Windows SC command if there is no explicit function for installing it as a service (see book)

Basic Dynamic Analysis

PROCESS MONITORING

Process Monitoring – Process Monitor
 An advanced tool for process monitoring
– Also known as procmon
– A combination of two tools – FileMon and RegMon
 procmon can monitor
– Registry, file system, network and thread activity
 Drawbacks of procmon
– Cannot monitor device driver related activities
• Ex: talking to a rootkit via the device I/O interface
– Inconsistent across different Windows versions

Process Monitoring – Process Monitor
 Using procmon for a long period of time can make the VM run out of memory and eventually crash
– Use the option File -> Capture Events to begin capturing
– Clear the display before starting

Procmon mm32.exe example

Process Monitoring – Process Monitor (Filters)
 The filtering option in procmon can be used to short-list the entries based on:
– exe/process name or system calls

Process Monitoring – Process Monitor (Filters)

Display after applying the filter

Process Monitoring – Process Monitor (Filters)
 Filters on the toolbar
– Registry: by examining registry operations, you can tell how a piece of malware installs itself in the registry.
– File system: exploring file system interaction can show all files that the malware creates or configuration files it uses.
– Process activity: investigating process activity can tell you whether the malware spawned additional processes.
– Network: identifying network connections can show you any ports on which the malware is listening.
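Added example, not from the slides: the four toolbar filters applied programmatically to a procmon CSV export (File > Save as CSV) restricted to one process name, with the registry class checked for Run-key installs. The CSV rows and the process names mm32.exe and ckr.exe are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in the column layout procmon writes to its CSV export.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","mm32.exe","1234","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ckr","SUCCESS","Type: REG_SZ, Data: C:\\WINDOWS\\system32\\ckr.exe"
"10:01:02","mm32.exe","1234","CreateFile","C:\\WINDOWS\\system32\\ckr.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03","mm32.exe","1234","Process Create","C:\\WINDOWS\\system32\\ckr.exe","SUCCESS","PID: 1300"
"10:01:03","ckr.exe","1300","TCP Connect","host:1041 -> 10.0.0.5:8080","SUCCESS",""
"10:01:03","ckr.exe","1300","UDP Send","host:1042 -> 10.0.0.5:53","SUCCESS",""
"10:01:04","explorer.exe","800","RegQueryValue","HKCU\\Software\\Classes","SUCCESS",""
"""

PROCESS_OPS = {"Process Create", "Process Start", "Process Exit",
               "Thread Create", "Thread Exit", "Load Image"}
RUN_KEY = "\\currentversion\\run\\"

def classify(operation):
    """Map a procmon Operation name to one of the four toolbar filter classes."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation in PROCESS_OPS:
        return "process"
    return "file system"          # CreateFile, ReadFile, WriteFile, ...

def summarise(csv_text, process_name):
    """Keep only rows for process_name (the exe-name filter) and group them
    by class as (Operation, Path) tuples."""
    grouped = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() == process_name.lower():
            grouped[classify(row["Operation"])].append((row["Operation"], row["Path"]))
    return dict(grouped)

def autorun_writes(summary):
    """Registry writes under a Run key: the install-in-registry sign."""
    return [path for op, path in summary.get("registry", [])
            if op == "RegSetValue" and RUN_KEY in path.lower()]

if __name__ == "__main__":
    for name in ("mm32.exe", "ckr.exe"):
        s = summarise(SAMPLE_CSV, name)
        print(name, {k: len(v) for k, v in s.items()}, "autorun:", autorun_writes(s))
```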

Process Monitoring – Process Explorer
 Process Explorer is a free tool from Microsoft to:
– List active processes, DLLs loaded by a process, various process properties, and overall system information
– Kill processes, launch / validate processes, force logout etc.
 Process Explorer lists processes in a tree format
– Child-parent relationship

Process Monitoring – Process Explorer

[Screenshot: Process Explorer tree view, labelled Parent, Child, Services, Processes, New Processes, Terminated Processes]
Process Monitoring – Process Explorer
Double click on a process to bring up the Properties window
 Verify whether the image on disk is a Microsoft-signed binary
 Malware often modifies legitimate binary files
o Malware may also replace the in-memory image of a process

Process Monitoring – Process Explorer
The Process Explorer Strings tab shows strings on disk (left) versus strings in memory (right) for the active svchost.exe
(drastic differences indicate in-memory process replacement)

Process Monitoring – Process Explorer
 Process Explorer also allows you to launch Dependency Walker
– Right click on a process, and choose Launch Depends
 Process Explorer can also search for DLLs loaded after the process has started
– Useful if we have a malicious DLL on disk and want to know if any process uses it
 Can also compare the list of DLLs used by a running process with the imports shown by Dependency Walker
– Shows if any DLL was loaded by the process after loading

Comparing Registry Snapshots - Regshot
 Regshot - a tool to take snapshots of the registry and compare them

Comparing Registry Snapshots - Regshot
Regshot
Comments:
Datetime: <date>
Computer: MALWAREANALYSIS
Username: username
----------------------------------
Keys added: 0
----------------------------------
Values added:3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckr:C:\WINDOWS\system32\ckr.exe
...
----------------------------------
Values modified:2
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 00 43 7C 25 9C 68 DE 59 C6 C8
9D C3 1D E6 DC 87 1C 3A C4 E4 D9 0A B1 BA C1 FB 80 EB 83 25 74 C4 C5 E2 2F CE
4E E8 AC C8 49 E8 E8 10 3F 13 F6 A1 72 92 28 8A 01 3A 16 52 86 36 12 3C C7 EB
5F 99 19 1D 80 8C 8E BD 58 3A DB 18 06 3D 14 8F 22 A4
...
----------------------------------
Total changes:5
----------------------------------
Listing 3-1: Regshot comparison results
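Added example, not part of the slides or the book: a parser for Regshot comparison output in the layout of Listing 3-1 that pulls out Run-key persistence entries and drops the CryptoAPI RNG seed, which changes on every boot whether or not malware ran. The report text is constructed, with a shortened seed value.

```python
import re

# Constructed report in Regshot's text layout (as in Listing 3-1); seed shortened.
SAMPLE_REPORT = """\
Regshot
----------------------------------
Keys added: 0
----------------------------------
Values added:1
----------------------------------
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ckr:C:\\WINDOWS\\system32\\ckr.exe
----------------------------------
Values modified:1
----------------------------------
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed: 00 43 7C 25 9C 68 DE 59 C6 C8
----------------------------------
Total changes:2
----------------------------------
"""

SECTION_RE = re.compile(r"^(Keys (?:added|deleted)|Values (?:added|deleted|modified)):\s*(\d+)$")
RUN_KEY = "\\currentversion\\run\\"
NOISE_SUFFIXES = ("\\cryptography\\rng\\seed",)   # rewritten by Windows on every boot

def parse_regshot(text):
    """Return {section name: [(registry path, data)]} for each change section."""
    changes, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            changes[section] = []
        elif line.startswith("Total changes"):
            section = None
        elif line and not line.startswith("-") and section is not None:
            path, _, data = line.partition(":")      # data is empty for key entries
            changes[section].append((path, data.strip()))
    return changes

def persistence_entries(changes):
    """Run-key values added or modified: how the sample survives a reboot."""
    return [(p, d) for sec in ("Values added", "Values modified")
            for p, d in changes.get(sec, []) if RUN_KEY in p.lower()]

def without_noise(changes):
    """Drop values that change on their own, such as the CryptoAPI RNG seed."""
    return {sec: [(p, d) for p, d in entries if not p.lower().endswith(NOISE_SUFFIXES)]
            for sec, entries in changes.items()}
```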
Faking a Network - ApateDNS

Network Monitoring – Wireshark
 Wireshark is an open source tool
– Can intercept and log network traffic
– Provides a visual interface
• Can be used for packet-stream analysis and in-depth analysis of individual packets
 A tool used by both the white-hat and black-hat community
– White hat: analyze internal networks and network usage, debug application issues
– Black hat: sniff passwords, reverse-engineer network protocols, steal sensitive information, and even listen in on online chats

Network Monitoring – Wireshark
1. Filter box
2. Packet listing (matching the filters)
3. Packet details (of the selected packet)
4. Hex format (of the selected packet)

Network Monitoring – Wireshark (following a TCP stream)
Right click a TCP packet and select Follow TCP Stream
Each side of the connection will be shown in a different color
Select Capture from the menu and then Interfaces

Dynamic Analysis – Tools in Practice
 Setup may include the following
– Running procmon, setting a filter on the malware executable name and clearing out all events just before running
– Starting Process Explorer
– Gathering a first snapshot of the registry using Regshot
– Setting up your virtual network to your liking using REMnux and ApateDNS
– Setting up network traffic logging using Wireshark

Dynamic Analysis – Tools in Practice

Dynamic Analysis

DYNAMIC ANALYSIS WITH REMNUX

Virtual Machines Setup

[Screenshot: XP machine]

REMnux Setup
 REMnux configuration
– Define the network adapter settings on the VM to be in a custom virtual network – VMnet in our case
– Start FakeDNS to answer any DNS requests
– Start the HTTP daemon to answer HTTP requests
– Redirect HTTP and HTTPS traffic to TCP port 8080 by configuring redirect rules via iptables
– Intercept HTTP requests using Burp Suite in invisible mode on port 8080

REMnux Setup
 Here are the commands needed to configure the REMnux VM
– sudo fakedns IP-Address
– httpd start
 The following commands are needed only if you want to capture network traffic in Burp Suite on the REMnux VM
– sudo sysctl -w net.ipv4.ip_forward=1
– sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
– sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
– sudo iptables -t nat -L
