
Investigating Malicious Software






Presentation Transcript


  1. Investigating Malicious Software
     Steve Romig, The Ohio State University, April 2002

  2. Malware Analysis
     • Got a piece of *something*, what does it do?
     • In our case, an email attachment
     • Not recognized by "usual" anti-virus scanners

  3. Run UNIX "strings"
     • Sometimes useful, sometimes misleading
     • Do Google searches on what turns up
     • Try to determine what it does by symbol names, included libraries, include files, etc.
     • Nothing useful here, that I remember: self-extracting UPX file
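What strings(1) actually does, and why it says so little about a UPX-packed file, is easier to see in code. The block below is an added example written for this transcript, not the presentation's code: it pulls printable ASCII and UTF-16LE runs out of a byte blob, keeps the ones that usually hint at behaviour (URLs, registry paths, file names), and reports the "UPX!" marker and UPX0/UPX1 section names that a UPX self-extracting executable carries. The sample blob, its host name and its registry path are constructed for the example.

```python
"""Minimal strings(1) plus a UPX check (added example, not the talk's code)."""

import re

MIN_LEN = 4
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1", b"UPX2")


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for ASCII and UTF-16LE runs, by offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def upx_indicators(data):
    """UPX markers present in the image; non-empty means the strings you see
    are mostly the unpacker stub and the real payload is still compressed."""
    return [m.decode("ascii") for m in UPX_MARKERS if m in data]


def interesting(strings, keywords=("http://", "ftp://", "hkey_", "\\run",
                                   ".exe", ".dll", ".htm")):
    """Keep strings that usually point at behaviour: URLs, registry paths, file names."""
    return [text for _, _, text in strings
            if any(k in text.lower() for k in keywords)]


# Constructed sample, not a real binary: a DOS header fragment, UPX section
# names, filler with no printable run, the UPX! marker, a URL with a
# placeholder host, and a UTF-16LE registry path.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + bytes(range(32)) * 3
    + b"UPX!\x0d\x09\x02\x0a"
    + b"http://example.invalid/nethief_connect.htm\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BLOB)
    for off, enc, text in strs:
        print(f"{off:#08x} {enc:9} {text}")
    print("interesting:", interesting(strs))
    print("UPX markers:", upx_indicators(SAMPLE_BLOB) or "none")
```

On a real UPX-packed sample the ASCII list is dominated by the stub and section names, so the `interesting` filter comes up nearly empty; unpacking first (or tracing at runtime, as the later slides do) is what gets you the URLs and registry keys.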

  4. Try Running It
     • Danger, Danger!!
     • It Might Do "Bad Things"(tm)
       • To the computer it is running on
       • To other computers
       • Tip off the perpetrators?

  5. So, You Should...
     • Create a clean test machine...
     • Detached from network...
     • Run malware there
     • Don't reuse this for other tests
       • Hard to figure out what changes are due to what malware
       • Might screw up subsequent tests

  6. VMWare!
     • Create a virtual machine
     • Install the host operating system, patches, applications as needed
     • *Make a snapshot* of the virtual disk
     • Squirrel your snapshots away somewhere

  7. VMWare (continued)
     • To create a clone:
       • make a directory
       • restore files
       • change config as needed
       • boot
     • I use a read-only "airlock" with host-only access to pass files back and forth.

  8. Run the Malware
     • No net access, of course
     • System, library call tracers
     • lsof, HandleEx
     • filemon, regmon (Windows only)
     • tcpdump, ethereal

  9. In Our Case
     • Malware makes some registry changes
     • Installs something that starts at login
     • Apparently checks a web site every minute

  10. Create a Fake Network
     • Attempts to resolve an IP address
       • We create a fake DNS entry, try again
     • Attempts to connect to tcp/80 at that IP
       • Web traffic? Create a fake web server, try again
     • Attempts to download nethief_connect.htm
       • Search the real web site (found it, but risky)
       • Search on web (Google)
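The fake DNS entry and fake web server on this slide can be one small script on the lab box. The following is an added example, not the presentation's code: a DNS responder that answers every A query with the lab host's own address, and a web server that records each request path so the fetch of nethief_connect.htm shows up in the log. `SINKHOLE_IP`, the bind addresses and the query names are assumptions for a host-only lab network; `build_query` exists only so the responder can be exercised offline.

```python
"""Fake DNS plus logging web server for a detached lab (added example)."""

import socket
import struct
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SINKHOLE_IP = "10.99.0.1"  # assumption: the lab host running this script


def parse_question(packet):
    """Return (qname, qtype, end_offset) for the first question section."""
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, pos + 4


def build_query(name, txid=0x1234, qtype=1):
    """Encode a query the way a stub resolver would (used to test offline)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", qtype, 1))


def build_sinkhole_response(query, ip, ttl=60):
    """Answer an A query with `ip`; other types get an empty NOERROR reply so
    the sample moves on instead of failing on an unexpected record type."""
    _qname, qtype, qend = parse_question(query)
    answer, ancount = b"", 0
    if qtype == 1:
        answer = (b"\xc0\x0c"                           # pointer to the name at offset 12
                  + struct.pack("!HHIH", 1, 1, ttl, 4)  # TYPE A, CLASS IN, TTL, RDLENGTH
                  + socket.inet_aton(ip))
        ancount = 1
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, ancount, 0, 0)
    return header + query[12:qend] + answer


def answer_ip(response):
    """Extract the A-record address from a response built above, or None."""
    _name, _qtype, qend = parse_question(response)
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    return socket.inet_ntoa(response[qend + 12:qend + 16])


class LoggingHandler(BaseHTTPRequestHandler):
    """Fake web server: remember every request, hand back an empty page."""
    requests_seen = []

    def do_GET(self):
        self.requests_seen.append((self.client_address[0], self.path,
                                   self.headers.get("User-Agent", "")))
        print(f"HTTP {self.client_address[0]} GET {self.path}")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html></html>")

    def log_message(self, *args):  # we keep our own list instead of stderr noise
        pass


def serve_dns(bind=("0.0.0.0", 53)):
    """Answer every A query on `bind` with SINKHOLE_IP and print what was asked."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, addr = sock.recvfrom(512)
        try:
            name = parse_question(data)[0]
        except (IndexError, UnicodeDecodeError, struct.error):
            continue  # not a query we can parse; ignore it
        print(f"DNS {addr[0]} asked for {name}, answering {SINKHOLE_IP}")
        sock.sendto(build_sinkhole_response(data, SINKHOLE_IP), addr)


if __name__ == "__main__":
    threading.Thread(target=serve_dns, daemon=True).start()
    print("fake web server on tcp/80; requests are logged as they arrive")
    HTTPServer(("0.0.0.0", 80), LoggingHandler).serve_forever()
```

Point the test VM's DNS at the lab host and every name the sample asks for lands on the fake web server, so the next thing you learn is the exact path it wants; a 404 from that server is the cue to go looking for the real file, as the slide does.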

  11. Google, Babelfish are Your Friends!
     • Got the zip file (finally)
     • It has a readme! (let's see)
     • Install the application (let's see)
     • The application web site is down :-(

  12. Google caching, Archive.org to the Rescue!
     • Google caches pages that it has searched, which can be useful
     • Archive.org caches pages (when?)
     • It is (unfortunately) messy dealing with pages cached in archive.org that need to be translated

  13. What Does This Thing Do - Attacker End
     • Install, run application
     • Configure
       • web site
       • ftp address, account, password for updating web site
     • Updates web site once a minute with current IP
     • Create the trojan
     • Infect someone

  14. What Does This Thing Do - Victim End
     • Get infected :-)
     • Runs at login
     • Checks web site once a minute
     • Sends "hey, I'm here" traffic to indicated IP address
     • Shows up on attacker's console
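The once-a-minute poll described on slides 9 and 14 is the part a defender can look for in proxy or web-server logs, since a fetch of one URL at a near-constant interval is not how people browse. The block below is an added example, not the presentation's code: it groups requests by client and URL and flags groups whose inter-request gaps hardly vary. The log format, addresses and host names are constructed for the example.

```python
"""Beacon detector over constructed proxy log lines (added example)."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "<ISO timestamp> <client> <method> <url>"; 10.1.1.7 polls one
# page every minute, 10.1.1.9 browses normally.
SAMPLE_LOG = """\
2002-04-01T09:00:02 10.1.1.7 GET http://update.example.invalid/nethief_connect.htm
2002-04-01T09:00:05 10.1.1.9 GET http://www.example.invalid/index.html
2002-04-01T09:01:03 10.1.1.7 GET http://update.example.invalid/nethief_connect.htm
2002-04-01T09:01:40 10.1.1.9 GET http://www.example.invalid/news.html
2002-04-01T09:02:02 10.1.1.7 GET http://update.example.invalid/nethief_connect.htm
2002-04-01T09:03:04 10.1.1.7 GET http://update.example.invalid/nethief_connect.htm
2002-04-01T09:04:02 10.1.1.7 GET http://update.example.invalid/nethief_connect.htm
2002-04-01T09:07:12 10.1.1.9 GET http://www.example.invalid/index.html
2002-04-01T09:15:30 10.1.1.9 GET http://www.example.invalid/about.html
"""


def parse_log(text):
    """Yield (timestamp, client, url) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        yield datetime.fromisoformat(ts), client, url


def find_beacons(records, min_hits=4, max_jitter=0.15):
    """Group requests by (client, url) and flag groups whose gaps are nearly
    constant: standard deviation of the gaps below max_jitter * mean gap.
    Returns {(client, url): mean_interval_seconds}."""
    times = defaultdict(list)
    for ts, client, url in records:
        times[(client, url)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (client, url), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} fetches {url} every ~{interval}s")
```

The jitter threshold is the tuning knob: a timer-driven poll lands within a second or two of its interval, while a person reloading a page does not, so even a sample that hides its traffic in ordinary tcp/80 requests (which is why it "works just fine behind firewalls") stands out once the timing is measured.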

  15. Attacker Selects a Target
     • Click on it in list of active victims
     • Inserts instructions on the web site
     • Intended victim downloads the instructions, connects to tcp/80 on the host where the console is currently running
     • Can now read, write, modify any file

  16. Interesting Notes
     • Works "just fine" behind firewalls
     • There appear to be virus populations that are "known" to only parts of the Internet.
