Topic 1-2

FPT University

Introduction to Malware Analysis and Reverse Engineering

Pham Ho Trong Nguyen
IA Department - FPTU Da Nang
[email protected]
Outline
1. About the course
2. Introduction to Malware
3. Statistics, Reports & Forecasts
4. Symptoms of infected systems
5. Detecting malware
6. Malware infection vector
7. Dimensions of an infection vector
8. Types of malware infection vector
9. Malware classification
10. Introduction to Malware analysis
11. Malware analysis techniques
12. Setting up Lab environment
13. Exercises
2. Statistics, Reports & Forecasts

(Figure: statistics, reports and forecasts; source: Norton)
3. Introduction to Malware

Cyber attacks target government, military, individuals, and public and private organizations. Most of them use malware to infect their targets.

MALWARE = MALICIOUS SOFTWARE: code, executables, scripts or other software that secretly performs malicious actions:
• Steal sensitive information
• Spy on the infected system
• Disrupt or destroy the system
• Take control of the system
• Unauthorized access to the victim’s system
• Lock up the files and hold them for ransom
4. Symptoms of infected systems

Infected system? Symptoms:
• Unstable and responds slowly
• Unknown new PE file found on the system
• Unexpected network traffic
• Altered system settings (like browser homepage)
• Random pop-ups are shown
• Fake security alerts (ex.: “Your computer is infected”)
• Unexpected and unpredictable behaviors
5. Detecting Malware

Want to analyze malware? Find it first!

Malware authors develop techniques to protect their malware; malware analysts develop methodologies to detect it.

1. Log Analysis
Anti-virus logs
• AV was running?
• Malware disabled AV and other security products?
• When was the application last updated?
• Log file for Microsoft’s Malicious Software Removal Tool (MRT)
Operating System logs
• Event Viewer in Computer Management
• eventvwr.msc
• Linux operating system log files

Figure 1 – Example of Antivirus log
Figure 2 – Example of MRT log
Figure 3 – Example of Event Viewer
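The three questions on the log-analysis slide (was AV running, was it disabled, when was it last updated) can be answered mechanically once the log is parsed. The script below is an added example, not code from the lecture: it uses a constructed, simplified log format ("YYYY-MM-DD HH:MM:SS SOURCE message") and constructed sample lines; real AV products and the Windows Event Log each have their own formats, so the regex and the keyword lists are the parts an analyst adapts to the product in use.

```python
"""Triage helper for antivirus and OS log lines (added example, constructed format)."""
import re
from datetime import datetime

# Constructed sample log (not output of any real product).
SAMPLE_LOG = """\
2024-03-01 08:00:12 AV service started (engine 1.2.3)
2024-03-01 08:00:15 AV definitions updated to 2024.03.01.1
2024-03-02 09:15:40 AV real-time protection enabled
2024-03-05 22:41:03 AV real-time protection disabled by user SYSTEM
2024-03-05 22:41:09 AV service stopped
2024-03-05 22:42:30 OS new service installed: svc_update (C:\\Users\\Public\\svc.exe)
2024-03-06 01:10:00 OS unexpected outbound connection from svc.exe
"""

# Assumed line layout: timestamp, upper-case source tag, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>[A-Z]+) (?P<msg>.*)$"
)

# Keywords that change the AV state; tune these per product.
AV_UP = ("service started", "protection enabled")
AV_DOWN = ("service stopped", "protection disabled")
AV_UPDATE = ("updated",)


def parse_log(text):
    """Return a list of (timestamp, source, message); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["msg"]))
    return events


def triage(events):
    """Answer the slide's three questions from the parsed events.

    Returns a dict with:
      av_running      - AV state after the last start/stop message (None if never seen)
      av_disabled_at  - time of the last stop/disable message, or None
      last_update     - time of the last update message, or None
      after_disable   - OS events logged after the AV was disabled (where to look first)
    """
    av_running = None
    av_disabled_at = None
    last_update = None
    for ts, src, msg in events:
        if src != "AV":
            continue
        low = msg.lower()
        if any(k in low for k in AV_UP):
            av_running = True
        elif any(k in low for k in AV_DOWN):
            av_running = False
            av_disabled_at = ts
        if any(k in low for k in AV_UPDATE):
            last_update = ts
    # Anything the OS logged after the AV went down deserves the first look.
    after_disable = [
        (ts, msg) for ts, src, msg in events
        if src == "OS" and av_disabled_at is not None and ts > av_disabled_at
    ]
    return {
        "av_running": av_running,
        "av_disabled_at": av_disabled_at,
        "last_update": last_update,
        "after_disable": after_disable,
    }


def triage_sample():
    """Run the triage over the constructed sample log."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

On the sample, the AV ends up stopped at 22:41:09 on 2024-03-05, the last definitions update is four days earlier, and the two OS events that follow the stop (a new service and an outbound connection) are exactly the lines the "Digging Deeper" steps would start from.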
2. Antivirus Scans
• Multiple big-name AV applications
• Found the files associated with the malware

3. Digging Deeper
• Packed files (Portable Executable files)
• Digital Signatures
• Windows File Protection (WFP)
• MBR Infectors
• Registry Analysis
• Internet Activity
• Additional Detection Mechanisms

4. Seeded Sites
6. Malware Infection Vector

Understand attackers to prevent them!

Malware → Deployment → Execution

“The physical media, and other techniques or technology used to deploy malware are called malware infection vectors”

Distribution / Proliferation

Which one is best for specific needs? Based on different dimensions.
7. Dimensions of an infection vector

1 SPEED
• If time is of the essence → faster infection vector (e.g. e-mail)
• If there is no network connection → physical media

2 STEALTH
• Zero-day vulnerabilities
• A worldwide malware, a great impact

3 COVERAGE
• The number of targets an infection vector can reach
• An opportunistic attack vs. a targeted attack

4 SHELF LIFE
• A race between the attackers and the researchers
8. Types of Malware Infection Vectors

Physical media
• Main infection vector of computer viruses and malware with no capabilities of spreading (except file infection)
• Example: USB, external hard disk…

E-mails
• One of the fastest ways. Anyone with an e-mail address is a potential target.
• Cheap and fast → there are lots of users who are easily fooled!!!
• Example: ILOVEYOU worm, Melissa worm

Instant messaging and chat
• Deliver malicious links pointing to a malware-serving domain or a drive-by download site.
• Take advantage of trust to send malicious links or files to the victim’s entire list of friends.

Social networking
• The ability to send instant messages and post updates in the form of feeds.

Uniform resource locator (URL) links
• It is both an infection vector and a payload of another infection vector.

File shares
• P2P file sharing. A malware will drop a copy of itself in the public-facing file share folders.

Software vulnerabilities
• All software has bugs, and some have flaws.
• Buffer overflow
9. Malware Classification

Malware: Virus, Worm, Trojan, Downloader/Dropper, Information stealer, Spyware, Backdoor, Ransomware, Adware, Botnet, Rootkit

Reference: https://blog.malwarebytes.com/glossary/
1. Virus = Malware capable of copying itself and spreading to other computers
• Replicates
• Needs user intervention
• Needs to be attached to another program

2. Worm = Malware that spreads like a virus but without those constraints: no user intervention and no host program needed

3. Trojan = Malware that disguises itself as a regular program; the user installs it
Claims to perform one function but actually does another, malicious one:
• Stealing sensitive data
• Uploading data to the attacker’s server
• Monitoring
• Taking control of the device

4. Backdoor/Remote Access Trojan (RAT) = a type of Trojan
Enables/allows the attacker to gain access to and execute commands on the compromised system

5. Adware = Malware that presents unwanted advertisements (advertising-supported software)
• Via free downloads
• Can forcibly install software on the system
6. Botnet = a collection of bots
A group of computers infected with the same malware and controlled by the attacker; they receive instructions from the command-and-control server
• DDoS
• Sending spam e-mails

7. Information Stealer = Malware designed to steal sensitive data
• Key logger
• Sniffers
• Form grabbers

8. Spyware = Malware that gathers information from the device for a third-party actor/organization that wouldn’t normally have access

9. Ransomware = Malware that holds the system for ransom
• Locking the user out of the computer
• Encrypting their files

10. Rootkit
• Provides the attacker with administrator privileges on the infected system
• Conceals its presence from other software on the system (even from the OS)

11. Downloader/Dropper = Malware designed to download or install additional malware components
10. Malware Naming

11. Introduction to Malware Analysis

Malware analysis = the study of malware’s behavior, in order to detect and eliminate malware.

WHY malware analysis?
Analyze the suspect binary in a safe environment to identify its characteristics and functionalities:
• Nature and purpose of the malware?
• How was the system compromised and what are its impacts?
• Network indicators associated with the malware? → Network signatures → Can be used to detect similar infections using network monitoring.
• Extract host-based indicators such as filenames, registry keys → Host-based signatures → Determine similar infections using host-based monitoring.
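The last two bullets describe turning analysis output into signatures that are then matched against other hosts. The script below is an added example, not code from the lecture, showing what that matching looks like for host-based indicators (file hash, filename, Run-key value name) and one network indicator (a queried domain). Everything in it is constructed: the "known sample" bytes stand in for a file that was already analyzed, and the host snapshot is an in-memory dict where a real tool would read the filesystem, the registry and DNS or proxy logs.

```python
"""Matching host-based and network indicators against a host snapshot (added example)."""
import hashlib

# Constructed bytes standing in for a sample that was already analyzed.
KNOWN_SAMPLE = b"constructed sample bytes for illustration only"


def sha256(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Indicators "extracted" from analysis of KNOWN_SAMPLE (all constructed).
INDICATORS = {
    "hashes": {sha256(KNOWN_SAMPLE)},
    "filenames": {"svc.exe"},
    "registry_values": {"svc_update"},       # value names under a Run key
    "domains": {"update-check.example"},     # reserved .example TLD, not a real host
}

# Constructed snapshot of a host under investigation.
HOST_SNAPSHOT = {
    "files": {
        "C:\\Users\\Public\\renamed.bin": KNOWN_SAMPLE,         # same bytes, new name
        "C:\\Windows\\Temp\\svc.exe": b"different content",     # known name, other bytes
        "C:\\Program Files\\App\\app.exe": b"benign program",
    },
    "run_keys": {
        "App": "C:\\Program Files\\App\\app.exe",
        "svc_update": "C:\\Users\\Public\\renamed.bin",
    },
    "dns_queries": ["www.example.com", "update-check.example"],
}


def match_indicators(snapshot, indicators):
    """Return a list of (kind, location, indicator) hits.

    Each indicator kind is checked independently: a hash catches a renamed copy
    of the analyzed sample, a filename catches a variant with different content,
    and the registry and domain checks catch the persistence and C2 side.
    """
    hits = []
    for path, content in snapshot["files"].items():
        digest = sha256(content)
        if digest in indicators["hashes"]:
            hits.append(("hash", path, digest))
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in indicators["filenames"]:
            hits.append(("filename", path, name))
    for value_name, command in snapshot["run_keys"].items():
        if value_name in indicators["registry_values"]:
            hits.append(("registry", value_name, command))
    for domain in snapshot["dns_queries"]:
        if domain.lower() in indicators["domains"]:
            hits.append(("domain", domain, domain))
    return hits


def match_sample():
    """Run the matcher over the constructed snapshot."""
    return match_indicators(HOST_SNAPSHOT, INDICATORS)


if __name__ == "__main__":
    for kind, where, what in match_sample():
        print(f"{kind:9} {where} -> {what}")
```

On the constructed snapshot every indicator kind fires once, and the hash hit lands on a file whose name is nothing like the original: that is the reason the slide lists several indicator types rather than relying on filenames alone.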
12. Malware Analysis Techniques

Static Analysis | Dynamic Analysis (Behavioral Analysis) | Code Analysis | Memory Analysis (Memory Forensics)

1. Static Analysis
The process of analyzing a binary without executing it: extract the metadata associated with the suspect binary. May not reveal all the required information.
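"Extract the metadata" is concrete for a Windows binary: the PE headers give the target architecture, the compile timestamp and the section table, and the section names and entropies are the first hint that a file is packed (the "Packed files" item from the detection slide). The parser below is an added example, not code from the lecture; it uses only the standard library, and the PE bytes it parses are built in build_sample_pe() as a constructed minimal image, not a real program.

```python
"""Static metadata extraction from a Portable Executable file (added example)."""
import math
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
PACKER_SECTION_PREFIXES = ("UPX", ".aspack", ".petite", "MPRESS", ".vmp")
# Section characteristics bits from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return header and section metadata; raises ValueError if the bytes are not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": raw_size,
            "entropy": round(entropy(raw), 3),
            "writable_and_executable": bool(flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE),
        })
    hints = []
    for s in sections:
        if s["name"].startswith(PACKER_SECTION_PREFIXES):
            hints.append(f"packer-style section name {s['name']}")
        if s["entropy"] > 7.0:
            hints.append(f"high entropy ({s['entropy']}) in {s['name']}")
        if s["writable_and_executable"]:
            hints.append(f"writable+executable section {s['name']}")
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "characteristics": chars,
        "sections": sections,
        "packing_hints": hints,
    }


def build_sample_pe():
    """Construct a minimal PE32+ image: a constant .text section plus a UPX1-style high-entropy section."""
    text = b"\x00" * 256                 # constant bytes: entropy 0.0
    packed = bytes(range(256)) * 4       # every byte value equally often: entropy 8.0
    opt_size = 240                       # PE32+ optional header size
    headers_len = 64 + 4 + 20 + opt_size + 40 * 2
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 1700000000, 0, 0, opt_size, 0x0022)
    optional = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                           headers_len, 0, 0, 0, 0, 0x60000020)          # code, exec, read
    sec_upx = struct.pack("<8sIIIIIIHHI", b"UPX1", len(packed), 0x2000, len(packed),
                          headers_len + len(text), 0, 0, 0, 0, 0xE0000040)  # data, exec, read, write
    return dos + b"PE\0\0" + coff + optional + sec_text + sec_upx + text + packed


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], info["pe_format"], info["compile_time"])
    for s in info["sections"]:
        print(f"  {s['name']:8} entropy={s['entropy']} W+X={s['writable_and_executable']}")
    print("hints:", info["packing_hints"])
```

The entropy and section-name checks are heuristics: a legitimately compressed resource can score above 7 bits per byte, and a packer can rename its sections, which is why this step is only the first pass before the dynamic, code and memory analysis described below.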

2. Dynamic Analysis
The process of executing the suspect binary in an isolated environment and monitoring its behavior.
• Gives valuable insights
• Useful but does not reveal all the functionalities

3. Code Analysis
Focuses on analyzing the code to understand the inner working of the binary.
Static code analysis:
• Disassembling the suspect binary
• Looking at the code to understand the program’s behavior
Dynamic code analysis:
• Debugging the suspect binary in a controlled manner to understand its functionality

4. Memory Analysis
Analyze the computer’s RAM for forensic artifacts.
• Understand the malware’s behavior after infection.
• Especially useful to determine the stealth and evasive capabilities of the malware.
12. Setting up the Lab environment

Lab requirements
• Virtualization software (VMware or VirtualBox) + Snapshot tool
• Tools for analyzing
• Malware samples
• Sandbox

Malware sources
Hybrid Analysis: https://www.hybrid-analysis.com/
KernelMode.info: http://www.kernelmode.info/forum/viewforum.php?f=16
VirusBay: https://beta.virusbay.io/
Contagio malware dump: http://contagiodump.blogspot.com/
AVCaesar: https://avcaesar.malware.lu/
Malwr: https://malwr.com/
VirusShare: https://virusshare.com/
theZoo: http://thezoo.morirt.com/
13. Exercises
- List and classify the popular malwares (5-7 malwares). Describe the functionalities and examples of those malwares (name, when, how, impact).

- Build a virtual environment for analyzing malware → Execute some malwares on that system and show the results.