Malware-3

Intercepting Network Connections and Network Flow Analysis

• Malware often relies on network functions for malicious activities.

• Many Windows API functions facilitate network communication.

• Recognizing and understanding these functions is key to identifying malicious network activity.

Berkeley Compatible Sockets in Windows

• Malware commonly uses Berkeley compatible sockets for network functionality.

• In Windows, these functions are implemented in the Winsock libraries, primarily in ws2_32.dll.

• Common functions include socket, connect, bind, listen, accept, send, and recv.

Example Server Socket Program

• Example code for a server socket program can help understand how these functions are used in practice.

Anti-disassembling

Techniques and Purpose

• Anti-disassembly techniques disrupt disassembly analysis tools, causing incorrect program listings.

• Malware authors use these techniques to delay or prevent analysis of malicious code.

• Such techniques increase the skill required for reverse engineering malware.

Types of Anti-disassembly Techniques

• Jump Instructions with the Same Target: Back-to-back conditional jumps pointing to the same target can confuse disassemblers.

• Jump Instruction with a Constant Condition: Conditional jumps with always-true conditions can mislead disassemblers.

• Rogue Byte Insertion: Inserting a byte that appears as part of a multibyte instruction can throw off disassembly.

Disassembler Limitations

• Interactive disassemblers like IDA Pro can handle some of these techniques accurately.

Identifying Assembly Logic Structures

Overview

• Reverse engineers focus on groups of instructions to understand code functionality, rather than evaluating each instruction individually.

• Understanding high-level code constructs, such as loops and if statements, is crucial.

Common Code Constructs

• Malware is typically developed using high-level languages, and understanding the assembly representation of constructs like loops and conditions is key.

• Conditions: Assembly representation of if statements and similar constructs.

• Loops: Assembly representation of loop constructs.

Function Calls

• Understanding calling conventions like cdecl, stdcall, and fastcall is essential for analyzing function calls in assembly.

Smart Phone Malware Analysis

Characteristics of Smartphone Malware

• Similar to traditional malware but targets mobile devices.

• Common activities include stealing personal information, sending premium SMS, and giving attackers remote access.

Malware Detection Methods

• Misuse-Based Detection: Signature-based detection identifying known malware through predefined signatures.

• Anomaly-Based Detection: Classifies system activity as normal or anomalous by monitoring behaviors.

APK Disassembly

• Android applications are packaged as APK files, which are ZIP archives containing the app’s code and resources.

• Tools like d2j-dex2jar and JD-GUI are used for disassembling APK files to analyze their contents.

IDA Pro

Overview

• IDA Pro is a powerful disassembler used by malware analysts and reverse engineers.

• Supports various file formats including PE, COFF, ELF, and a.out.

Features

• Performs function discovery, stack analysis, and variable identification.

• Uses FLIRT for recognizing and labeling disassembled functions.

• Allows interactive analysis, saving progress in an IDA Pro database (idb).

Disassembly Window Modes

• Graph Mode: Visual representation of the program’s flow, with arrows indicating conditional and unconditional jumps.

• Text Mode: Traditional view showing the program’s nonlinear flow with solid and dashed lines for jumps.

Navigation and Analysis Tools

• Functions Window: Lists all functions in the executable.

• Names Window: Lists all named addresses.

• Strings Window: Shows all strings in the disassembly.

• Imports and Exports Windows: Lists imported and exported functions.

• Structures Window: Displays active data structures.

Cross-Reference Feature

• Locating code that calls specific functions using cross-references.

Navigation and Search

• The navigation band provides a linear view of the address space.

• Various search options facilitate finding specific instructions, strings, or byte sequences.

Practical Exploration

• Experiment with disassembling different files to become familiar with IDA Pro’s capabilities and interface.

By understanding these aspects of network analysis, anti-disassembling techniques, assembly logic structures, smartphone malware analysis, APK and IPA disassembly, and the extensive features of IDA Pro, analysts can effectively dissect and analyze malicious software.

Analyzing Malicious Windows Programs

Understanding the Basics

• Most malware targets Windows platforms and interacts closely with the OS.

• A solid understanding of basic Windows coding concepts is crucial for identifying host-based indicators of malware, understanding how malware executes code without direct jumps or calls, and determining the malware’s purpose.

• Non-malicious programs are generally well-formed by compilers and follow Microsoft guidelines, whereas malware is often poorly formed and performs unexpected actions.

• Focus on the Windows functionality most relevant to malware analysis.

Windows API Overview

• The Windows API is a comprehensive set of functionalities that govern how malware interacts with Microsoft libraries.

• Windows-only applications rarely need third-party libraries due to the extensive functionality provided by the Windows API.

• Malware often interacts with the system by creating or modifying files, providing hints at its functionality.

Key Windows File System Functions

• CreateFile: Used to create and open files, pipes, streams, and I/O devices. The dwCreationDisposition parameter controls whether the function creates a new file or opens an existing one.

• ReadFile and WriteFile: Used for reading and writing to files as streams. The ReadFile function reads bytes sequentially from a file.

• CreateFileMapping and MapViewOfFile: These functions load a file into memory and provide a pointer to the base address of the mapping, enabling easy manipulation of the file in memory.

Special File Types and Access Methods

• Shared Files: Special files with names starting with \\serverName\share or \\?\serverName\share, where the \\?\ prefix allows access to longer filenames.

• Files Accessible via Namespaces: Using prefixes like \\.\PhysicalDisk1 to directly access physical devices, allowing malware to modify disk sectors without creating files, which helps evade detection.

• Alternate Data Streams (ADS): A feature in NTFS that allows additional data to be hidden within an existing file. Malware authors use ADS to hide data.

Windows Registry

• The registry stores OS and program configuration information, making it a good source of host-based indicators.

• Malware often uses the registry for persistence or configuration data, adding entries to ensure it runs automatically when the computer boots.

• Common registry functions include RegOpenKeyEx, RegSetValueEx, and RegGetValue, which are used to open, edit, and query registry keys.

Identifying Malicious Code in the Registry

• Malware may add values to the Run key in the registry to ensure execution on startup.

• Example: The RegSetValueEx function takes six parameters and either edits an existing registry value or creates a new one if it does not exist.

Network Functions in Malware

• Malware relies heavily on network functions for communication and control.

• Commonly used functions from the Winsock library (ws2_32.dll) include socket, connect, bind, listen, accept, send, and recv.

Analyzing Assembly Logic Structures

• Reverse engineers focus on understanding groups of instructions to determine the overall functionality, rather than evaluating each instruction individually.

• Recognize common code constructs like loops, if statements, and switch statements, as malware is typically developed using high-level languages.

Common Calling Conventions

• cdecl: Parameters are pushed onto the stack from right to left, and the caller cleans up the stack. Return values are stored in the EAX register.

• stdcall: Similar to cdecl but the callee cleans up the stack. Commonly used in Windows API functions.

• fastcall: The first few arguments are passed in registers (typically EDX and ECX), with additional arguments loaded from right to left. The calling function is responsible for cleaning up the stack if necessary.

Practical Analysis

• Disassemble malware samples and familiarize yourself with the code.

• Refer to introductory materials on x86 assembly instructions and IDA Pro for better understanding.

By focusing on these key aspects, analysts can effectively dissect and analyze malicious Windows programs, gaining insights into their behavior and purpose.

Working with OllyDbg

OllyDbg is a powerful, free debugger designed for x86 architectures, developed by Oleh Yuschuk. It's a favorite among malware analysts and reverse engineers for its user-friendliness and extensive plug-in support. Even though OllyDbg 1.1 was acquired and rebranded as Immunity Debugger (ImmDbg), the tools remain largely similar, making them interchangeable for many tasks.

Key Features and Usage

1. Loading Executables and DLLs

• You can load executables and DLLs directly into OllyDbg for analysis. If the malware is already running, you can attach OllyDbg to the process to start debugging.

• To load an executable, select File > Open and browse to the desired file. OllyDbg will load the binary, pausing at the entry point if detectable.

1. Attaching to Running Processes

• Attach OllyDbg to a running process via File > Attach. The executing thread's code will be paused and displayed for analysis.

1. Debugging Interface

• OllyDbg's interface consists of four primary windows:

• Disassembler Window: Displays the program’s code with the current instruction highlighted. You can modify instructions by pressing the spacebar.

• Registers Window: Shows the current state of registers, which change color upon modification. Right-click to modify register values.

• Stack Window: Displays the current state of the stack. Right-click to modify stack locations.

• Memory Dump Window: Shows live memory for the debugged process. Press CTRL-G to navigate to specific memory addresses and right-click to edit.

1. Memory Map and Threads

• The Memory Map window (View > Memory) shows all memory blocks allocated by the debugged program.

• Use View > Threads to examine active threads, their memory locations, and status.

1. Breakpoints

• Add or remove breakpoints by selecting an instruction in the disassembler window and pressing F2. View active breakpoints via View > Breakpoints.

1. Debugging DLLs

• For debugging DLLs, OllyDbg uses loaddll.exe to load them. OllyDbg will pause at the DLL entry point (DllMain).

1. Tracing Execution

• OllyDbg supports various tracing features:

• Back Trace: Records movement through the disassembler window.

• Call Stack Trace: Shows the execution path to a function.

• Run Trace: Saves every executed instruction and all register changes during code execution.

Kernel Debugging using WinDbg

WinDbg, a free debugger from Microsoft, is essential for kernel debugging. It allows debugging of Windows drivers, which run in the kernel space and interact with core OS components.

Key Concepts and Setup

1. Understanding Drivers

• Drivers run in the kernel and are loaded similarly to DLLs, with DriverEntry functioning akin to DllMain. They register callback functions for user-space requests.

1. Kernel Debugging Challenges

• Debugging the kernel freezes the OS, requiring a virtual environment for practical debugging. Tools like VirtualBox are commonly used.

1. Setup for Kernel Debugging

• On the guest machine, enable kernel debugging:

• Open an elevated command prompt and execute: shell Copy code bcdedit /debug ON bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200

• Configure the virtual machine with a named pipe serial port (\\.\pipe\com_1).

1. WinDbg Configuration

• Download and install the Windows Driver Kit (WDK) or Software Development Kit (SDK) for WinDbg.

• Launch WinDbg and set up kernel debugging via File > Kernel Debug. Enter the serial port and baud rate settings.

1. Connecting and Debugging

• Once the virtual machine is running, WinDbg will connect and display detailed debugging information, including driver load/unload notifications.

1. Command-line Interface

• WinDbg uses commands like d (to read memory) and e (to write memory). For example:

• da addressToRead (reads memory at the address as ASCII)

• ea addressToWrite dataToWrite (writes data to the address)

Anti-Reverse Engineering Techniques

Malware often incorporates techniques to thwart analysis, such as anti-disassembly, anti-debugging, and anti-virtual machine detection.

Anti-Disassembly

1. Jump Instructions

• Malware uses conditional jumps like jz followed by jnz to the same target, confusing disassemblers into incorrectly parsing code.

1. Rogue Bytes

• Strategic placement of rogue bytes after conditional jumps prevents accurate disassembly by inserting multibyte instruction opcodes.

Anti-Debugging

1. Debugger Detection

• API functions like IsDebuggerPresent and CheckRemoteDebuggerPresent can detect debuggers.

1. INT Scanning and Checksums

• Scanning for INT 3 breakpoints (0xCC) or using checksums to detect code modifications by debuggers.

1. Timing Checks

• Malware measures execution time to detect the slowdowns caused by debugging.

Anti-Virtual Machine Techniques

1. VM Detection

• Malware detects virtual environments, often by checking for artifacts specific to VMs. This can prevent execution within honeypots or analysis environments.

1. Decreasing Popularity

• As virtualization becomes more common, anti-VM techniques are less prevalent in modern malware.

By understanding and employing these tools and techniques, analysts can effectively dissect and analyze malware, overcoming the obstacles posed by anti-reverse engineering tactics.