
Malware-2

  • Writer: Abhilasha
  • Jul 14, 2024
  • 4 min read

Code Review

  • Purpose: Systematic examination to understand code.

  • Disassembling: Studying how the program works and identifying vulnerabilities.

  • Example: Reviewing spyware code to see what information it snoops.

Heuristic Scanning

  • Purpose: Detect malware using rules and algorithms instead of relying on known signatures.

  • Method: Simulate the execution of suspicious files in a virtual machine and monitor for viral activities.

  • Decompilation: Analyze the source code and compare it to known virus code.

Network-Based Intrusion Detection System (NIDS)

  • Purpose: Analyze network traffic in real-time to detect intrusions.

  • Methods:

      • Pattern Matching: Look for known attack patterns.

      • Stateful Inspection: Monitor ongoing connections.

      • Protocol Decode: Understand network protocols.

      • Heuristic Analysis: Detect potential threats based on rules.

      • Anomaly Analysis: Detect abnormal traffic patterns.

Anomaly-Based Detection

  • Purpose: Identify traffic that deviates from normal patterns.

  • Learning Phase: System learns what is normal and flags deviations as anomalies.

  • Advantages:

      • Detects unknown attacks.

      • Low overhead since no new signatures are needed.

      • Environment-dependent learning for accuracy.
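The learning phase and detection phase described above, as an added example (not code from the original post): a per-host baseline of outbound connections per minute is learned from a constructed clean window, then a later window is scored against it. Host names, counts and the threshold k are assumptions made for the example.

```python
import statistics
from dataclasses import dataclass

# Constructed learning-phase data (assumption for this example): outbound
# connections per minute seen for each host while the network was known clean.
NORMAL_TRAINING = {
    "10.0.0.5": [12, 15, 11, 14, 13, 12, 16, 14],
    "10.0.0.9": [3, 4, 2, 3, 5, 4, 3, 4],
}


@dataclass
class Baseline:
    mean: float
    stdev: float


def learn_baseline(samples):
    """Learning phase: record what 'normal' looks like for each host.

    The baseline is environment-dependent by construction: it comes from this
    network's own traffic, not from a vendor signature feed."""
    return {host: Baseline(statistics.mean(v), statistics.pstdev(v))
            for host, v in samples.items()}


def detect(baselines, observations, k=3.0, floor=1.0):
    """Detection phase: flag values more than k standard deviations from the
    learned mean, plus hosts that were never seen during learning.

    `floor` stops a very stable host (stdev near 0) from alerting on a change of
    one connection; it is a tuning knob for the environment, not a constant."""
    alerts = []
    for host, value in observations.items():
        base = baselines.get(host)
        if base is None:
            alerts.append((host, value, "no baseline: host not seen during learning"))
            continue
        spread = max(base.stdev, floor)
        z = (value - base.mean) / spread
        if abs(z) > k:
            alerts.append((host, value, f"{z:+.1f} sigma from learned mean {base.mean:.1f}"))
    return alerts


# Constructed observation window: one host is normal, one spikes, one is unknown.
OBSERVED = {"10.0.0.5": 14, "10.0.0.9": 40, "10.0.0.77": 2}

if __name__ == "__main__":
    for alert in detect(learn_baseline(NORMAL_TRAINING), OBSERVED):
        print(*alert)
```

The advantage listed above (unknown attacks without new signatures) follows directly: nothing about the spike on 10.0.0.9 had to be known in advance. The matching caveat is that the learning window must itself be clean; if it already contains the attacker's traffic, that traffic becomes part of "normal".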

Summary

  • Code Review: Understand code and find vulnerabilities.

  • Heuristic Scanning: Detects unknown malware without signatures.

  • NIDS: Monitors network traffic for real-time intrusion detection.

  • Anomaly-Based Detection: Identifies abnormal traffic to detect unknown attacks.


Behavioral Analysis

  • Definition: Dynamic analysis of malware by executing it.

  • Focus: Examines interactions with file systems, registries, networks, processes, and OS components.

  • Method: Infects an isolated system while using monitoring tools.

Sandbox Technologies

  • Definition: Isolates programs (malware) in a confined environment for testing.

  • Purpose: Safely runs untrusted programs without harming real systems.

  • Examples: Norman Sandbox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, Comodo Instant Malware Analysis.

  • Advantages: Provides easy-to-understand output for initial triage.

  • Drawbacks:

      • May not execute code requiring command-line options.

      • Might miss malware waiting for specific triggers.

      • Could fail to detect malware aware of virtual environments.

Reverse Engineering

  • Definition: Taking apart an object (software/hardware) to understand its workings.

  • Software: Converts machine code back to source code to study program operations or fix bugs.

  • Hardware: Disassembling devices to understand their functions.

  • Legalities: May violate copyright and is illegal in some countries.

Anti-Reverse Engineering

  • Purpose: Protects malware from detection and analysis.

  • Techniques:

      • Anti-Decompilers: Prevents reversing by denying access to source code.

      • Anti-Disassemblers: Blocks tools from disassembling malware.

  • Challenges: Works only against popular reversing tools; can delay but not stop reversing.

Automated Analysis

  • Definition: Uses automated tools to monitor and report malware behavior.

  • Systems: Often called sandboxes; provide actionable intelligence quickly.

Intercepting Network

  • Definition: Detecting malware presence via network communication.

  • Tools:

      • Wireshark: Captures and analyzes network traffic.

      • Packet Analyzer: Intercepts and logs traffic for analysis.

Network Flow Analysis

  • Definition: Studies network traffic to identify communication patterns.

  • Flow: Series of packets sharing source and destination addresses.

  • Tools: nTop, softflowd, flow-tools.
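The flow definition above (packets sharing the same endpoints) as an added example, not code from the original post or from the tools it names: a handful of constructed packet records are grouped into flows, both one-way (as NetFlow-style exporters such as softflowd report them) and two-way, and ranked by bytes. The packet tuples, addresses (documentation ranges) and sizes are made up for the example.

```python
from dataclasses import dataclass

# Constructed packet records: (timestamp, src, dst, sport, dport, proto, bytes).
# Addresses are from documentation ranges; nothing here is captured traffic.
PACKETS = [
    (0.00, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 80),
    (0.10, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 1400),
    (0.20, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 60),
    (1.00, "10.0.0.9", "10.0.0.1", 49152, 53, "udp", 70),
    (1.05, "10.0.0.1", "10.0.0.9", 53, 49152, "udp", 150),
    (2.00, "10.0.0.9", "198.51.100.7", 49200, 4444, "tcp", 500),
]


@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def flow_key(pkt, bidirectional):
    """Flow key = protocol plus the two (address, port) endpoints.

    One-way keys keep client->server and server->client as separate flows, as
    exporters usually do. Two-way keys sort the endpoints so both directions of
    one conversation collapse into a single flow."""
    _, src, dst, sport, dport, proto, _ = pkt
    a, b = (src, sport), (dst, dport)
    if bidirectional and a > b:
        a, b = b, a
    return (proto, a, b)


def build_flows(packets, bidirectional=False):
    """Aggregate packets into flows with packet/byte counts and timing."""
    flows = {}
    for pkt in packets:
        ts, size = pkt[0], pkt[6]
        key = flow_key(pkt, bidirectional)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(first_seen=ts, last_seen=ts)
        flow.packets += 1
        flow.bytes += size
        flow.first_seen = min(flow.first_seen, ts)
        flow.last_seen = max(flow.last_seen, ts)
    return flows


def top_talkers(flows, n=3):
    """Flows ranked by bytes: the first question in flow analysis is who talks most."""
    return sorted(flows.items(), key=lambda kv: kv[1].bytes, reverse=True)[:n]


if __name__ == "__main__":
    for key, flow in top_talkers(build_flows(PACKETS, bidirectional=True)):
        proto, (a, ap), (b, bp) = key
        print(f"{proto} {a}:{ap} <-> {b}:{bp}  pkts={flow.packets} bytes={flow.bytes} "
              f"dur={flow.last_seen - flow.first_seen:.2f}s")
```

Flow records carry no payload, which is why they are cheap to keep for long periods; the communication patterns the section mentions (who talks to whom, how often, how much) are all visible from the key plus the counters.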

Malicious Code Analysis

  • Definition: Understanding how malware interacts with the Windows OS and API.

  • Common API Functions:

      • File Operations:

          • CreateFile: Creates or opens files, pipes, streams, and I/O devices.

          • ReadFile/WriteFile: Reads from and writes to files as streams.

          • CreateFileMapping/MapViewOfFile: Maps files to memory for easier manipulation.

      • Special Files:

          • Shared Files: Accessed via names like \\serverName\share.

          • Namespace Files: Special access to devices like \\.\PhysicalDisk1.

          • ADS (Alternate Data Streams): Hides data in NTFS files.

      • Registry Operations:

          • RegOpenKeyEx: Opens a registry key for editing.

          • RegSetValueEx: Sets a new value in the registry.

          • RegGetValue: Retrieves data from a registry entry.

  • Persistence: Malware often uses registry entries to run at system startup.
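The persistence point above from the analyst's side, as an added example that is not part of the original post: a constructed .reg export of the current user's Run key is parsed and each entry is checked with the heuristics a reviewer applies by hand (program launched from a temp directory, a system binary name outside System32, a script host started at logon). The export text, value names and paths are made up for the example; the escaping rules are those of the .reg format.

```python
import re

# Constructed .reg export (assumption: what `reg export` of the current user's
# Run key produces); the entries are invented for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Helper"="wscript.exe //B \"C:\\ProgramData\\helper.vbs\""
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Names that belong in System32; the same name elsewhere deserves a closer look.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def parse_reg(text):
    """Return (key, value_name, command) for every string value in a .reg export."""
    entries, current_key = [], None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current_key:
            # .reg escapes backslash and quote with a backslash; undo both in one pass
            command = re.sub(r"\\(.)", r"\1", value.group(2))
            entries.append((current_key, value.group(1), command))
    return entries


def launched_binary(command):
    """Program path from a Run value, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def review_run_entries(entries):
    """Return {value_name: [reasons]} for entries that merit a closer look."""
    findings = {}
    for _key, name, command in entries:
        low = launched_binary(command).lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\temp\\" in low:
            reasons.append("launches from a temp directory")
        if base in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
            reasons.append(f"system binary name {base} outside System32")
        if base in SCRIPT_HOSTS:
            reasons.append(f"script host {base} runs at logon")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_run_entries(parse_reg(SAMPLE_REG)).items():
        print(name, "->", "; ".join(reasons))
```

Run keys are one of several autostart locations; the same review applies to RunOnce, the services keys and scheduled tasks, and a clean result here does not rule out persistence elsewhere.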

Practical Exercises

  1. Sandbox Technologies:

  2. Intercepting Network Traffic:

      • Explore Wireshark to intercept and analyze network traffic.

  3. Network Flow Analysis:

      • Install and explore nTop from ntop.org

      • Install softflowd and flow-tools, and analyze a sample pcap file.

  4. Malicious Code Analysis:

      • Disassemble any malware and get familiar with its code using x86 and x64 assembly instructions.

These concise points cover the key aspects of each topic, focusing on the essentials and practical exercises.


Network Analysis

Intercepting Network Connection and Network Flow Analysis

  • Windows API Functions: Malware often relies on network functions for malicious activities. Key network functions include:

      • socket: Creates a socket.

      • connect: Establishes a connection to a server.

      • bind: Binds a socket to a specific IP address and port.

      • listen: Listens for incoming connections.

      • accept: Accepts incoming connections.

      • send: Sends data over a connection.

      • recv: Receives data from a connection.

Berkeley Compatible Sockets and Winsock Libraries

  • Berkeley Compatible Sockets: Malware uses Berkeley compatible sockets for network communication, implemented in Windows via the Winsock libraries (primarily ws2_32.dll).
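How an analyst turns the API lists above (file, registry and Winsock functions) into a first read of a sample's capabilities, as an added example that is not code from the original post: a constructed import table is normalised (A/W suffixes dropped, ws2_32.dll ordinal imports resolved) and grouped, then combinations such as socket+connect or bind+listen+accept are reported. The import table is invented; the ws2_32.dll ordinals are the commonly documented ones and should be checked against the export table of the DLL actually on the analysis box.

```python
# API names from the notes above, grouped by what they let a program do.
CAPABILITIES = {
    "file": {"CreateFile", "ReadFile", "WriteFile", "CreateFileMapping", "MapViewOfFile"},
    "registry": {"RegOpenKeyEx", "RegSetValueEx", "RegGetValue"},
    "network": {"socket", "connect", "bind", "listen", "accept", "send", "recv"},
}
KNOWN = set().union(*CAPABILITIES.values())

# ws2_32.dll is often imported by ordinal rather than by name. These are the
# commonly documented ordinals; verify them against the DLL's export table.
WS2_32_ORDINALS = {1: "accept", 2: "bind", 4: "connect", 13: "listen",
                   16: "recv", 19: "send", 23: "socket"}


def canonical(dll, func):
    """Normalise one import: resolve ws2_32 ordinals, drop the ANSI/Unicode suffix."""
    if func.startswith("#") and dll.lower() == "ws2_32.dll":
        return WS2_32_ORDINALS.get(int(func[1:]), func)
    if func[-1:] in ("A", "W") and func[:-1] in KNOWN:
        return func[:-1]
    return func


def tag_imports(imports):
    """Map (dll, function) pairs onto the capability groups above."""
    found = {cat: set() for cat in CAPABILITIES}
    for dll, func in imports:
        name = canonical(dll, func)
        for cat, names in CAPABILITIES.items():
            if name in names:
                found[cat].add(name)
    return found


def summarize(found):
    """Turn raw API presence into the behaviours an analyst looks for."""
    notes, net = [], found["network"]
    if {"socket", "connect"} <= net:
        notes.append("makes outbound connections (socket+connect)")
    if {"bind", "listen", "accept"} <= net:
        notes.append("accepts inbound connections (bind+listen+accept)")
    if "RegSetValueEx" in found["registry"]:
        notes.append("writes registry values (review Run keys for persistence)")
    if found["file"] & {"CreateFile", "WriteFile"}:
        notes.append("creates or writes files")
    return notes


# Constructed import table for a hypothetical sample, not a real binary.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegOpenKeyExW"), ("ADVAPI32.dll", "RegSetValueExW"),
    ("WS2_32.dll", "#23"), ("WS2_32.dll", "#4"),
    ("WS2_32.dll", "send"), ("WS2_32.dll", "recv"),
]

if __name__ == "__main__":
    for note in summarize(tag_imports(SAMPLE_IMPORTS)):
        print("-", note)
```

Imports only show what the sample can call statically; a packed sample or one that resolves functions at run time shows few or none of these, which is when the behavioural and sandbox methods from earlier sections take over.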

Anti-disassembly Techniques

  • Purpose: Prevents or delays malware analysis by causing disassembly tools to produce incorrect listings.

  • Techniques:

      • Jump Instructions with the Same Target: A pair of conditional jumps (e.g., jz loc_512 followed by jnz loc_512) that point to the same target; together they always jump, so the bytes after them never execute, yet the disassembler still decodes them.

      • Jump Instruction with a Constant Condition: A conditional jump whose condition never changes (e.g., jz placed right after x-x, which always yields zero), so the jump is always taken.

      • Rogue Bytes: Data bytes placed strategically after such jump instructions to mislead disassemblers.

Identifying Assembly Logic Structures

  • Approach: Analyze groups of instructions to understand high-level functionality.

  • Common Constructs:

      • Conditions: If-else statements, switches.

      • Loops: For, while loops.

      • Function Calls: Different calling conventions like cdecl, stdcall, and fastcall.

Smart Phone Malware Analysis

  • Characteristics: Stealing personal info, sending premium SMS, remote access, installing apps without consent, adware.

  • Detection Methods:

      • Misuse-Based Detection: Signature-based, identifies known malware.

      • Anomaly-Based Detection: Detects deviations from normal behavior.

APK Disassembly

  • Structure: APK is a ZIP archive containing:

      • AndroidManifest.xml: Application information.

      • META-INF: Metadata files.

      • classes.dex: Dalvik executable.

      • res: Resource files.

      • resources.arsc: Precompiled resources.

  • Tools:

      • Santoku: Linux distribution for mobile forensics.

      • d2j-dex2jar: Converts APK to JAR.

      • JD-GUI: Java Decompiler GUI.

IPA Disassembly

  • Structure: IPA files are containers for iOS apps, similar to ZIP files.

  • Components:

      • iTunesArtwork: App icon.

      • Payload: App data.

      • iTunesMetadata.plist: Developer and app information.

  • Practical: Rename IPA to ZIP to view contents.
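The APK and IPA layouts from the two sections above, as one added example that is not code from the original post: two stand-in packages are built in memory with the file names the notes list, and a small inspector classifies a package by those names and reports the parts an analyst checks first. The package contents are dummy bytes; only the layout is meaningful. Python's zipfile recognises a ZIP by its header rather than its extension, so an .ipa or .apk opens directly without renaming.

```python
import io
import zipfile


def build_sample(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for real packages: the layout is the point, contents are dummies.
SAMPLE_APK = build_sample({
    "AndroidManifest.xml": b"<manifest/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "classes.dex": b"dex\n035\x00",
    "res/layout/main.xml": b"<layout/>",
    "resources.arsc": b"\x02\x00\x0c\x00",
})
SAMPLE_IPA = build_sample({
    "iTunesArtwork": b"\x89PNG",
    "iTunesMetadata.plist": b"<plist/>",
    "Payload/Demo.app/Info.plist": b"<plist/>",
    "Payload/Demo.app/Demo": b"\xcf\xfa\xed\xfe",
})


def inspect_package(data):
    """Classify a mobile package by its ZIP layout and list the parts named in the notes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"kind": "not-a-zip", "entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    info = {"entries": names}
    if "AndroidManifest.xml" in names or any(n.endswith(".dex") for n in names):
        info["kind"] = "apk"
        info["dex_files"] = [n for n in names if n.endswith(".dex")]
        info["has_manifest"] = "AndroidManifest.xml" in names
        info["has_meta_inf"] = any(n.startswith("META-INF/") for n in names)
        info["resources"] = [n for n in names if n.startswith("res/") or n == "resources.arsc"]
    elif any(n.startswith("Payload/") and n.endswith(".app/Info.plist") for n in names):
        info["kind"] = "ipa"
        plist = next(n for n in names if n.startswith("Payload/") and n.endswith(".app/Info.plist"))
        info["app_bundle"] = plist.split("/")[1]
        info["has_artwork"] = "iTunesArtwork" in names
        info["has_metadata"] = "iTunesMetadata.plist" in names
    else:
        info["kind"] = "unknown"
    return info


if __name__ == "__main__":
    for label, data in (("apk", SAMPLE_APK), ("ipa", SAMPLE_IPA)):
        print(label, inspect_package(data))
```

Several dex files (classes2.dex and so on) are normal for large apps, which is why the inspector lists them rather than expecting exactly one; the later tools in the notes (dex2jar, JD-GUI) are applied to each of them in turn.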

These sections cover the basics of network analysis, anti-disassembly techniques, assembly logic structures, smartphone malware analysis, and APK and IPA disassembly, offering a comprehensive overview for malware analysts.
