Reverse Engineering Malware
Dean Carlson and Beth Anne Byrd, CpSc 420. Reverse Engineering Malware. Summary: What is reverse engineering? Brief history, usefulness, the process, Bagle virus example.
Dean Carlson and Beth Anne Byrd CpSc 420 Reverse Engineering Malware
Summary • What is reverse engineering? • Brief History • Usefulness • The process • Bagle Virus example
What is Reverse Engineering? • “[T]he process of analyzing a subject system to create representations of the system at a higher level of abstraction” (Chikofsky, 1990). • Going through the software development cycle backwards
History • Started as analyzing hardware in an attempt to gain an advantage. • The first time this was applied to a piece of malware was in 1987. • Bernt Fix disassembled and neutralized the Charlie virus.
Usefulness • Analysis of a product • Recreating lost or nonexistent documentation • Academic use • Curiosity • With Malware • Contain it • Remove it • Prevent it
Usefulness • Defuse “time bombs” • Conficker virus • The Y2K of today
The Process • Set up a controlled, isolated laboratory • Perform behavioral analysis to examine the specimen’s interactions with its environment • Perform static code analysis to further understand the specimen’s inner workings • Perform dynamic code analysis to understand the more difficult aspects of the code • If necessary, unpack the specimen • Repeat steps 2, 3, and 4 (order may vary) until sufficient analysis objectives are met • Document findings and clean up the laboratory for future analysis
Bagle – Laboratory • HOST: • Windows XP in Virtual Machine • DataRescue IDA Pro • Microsoft Visual C++ • Dumpbin • UltraEdit • SERVER: • Solaris 9 (SPARC) • Snoop • BIND (DNS) • GCC • GDB
Bagle – Behavior Analysis • The email and DNS programs on the server were set up to log all of their activity and network traffic in order to see the virus interact with the server.
Bagle – Static Code Analysis • Open in IDA Pro • Breaks it down into assembly and hex
Bagle – Static Code Analysis • Open in dumpbin to determine type • PE (Portable Executable)
Bagle – Dynamic Code Analysis • Walk through the virus step by step with a debugger and look at register values, especially EAX, EIP, and the ZF bit of EFLAGS • EAX = return values from functions • ZF = flag used for comparisons and decisions • EIP = address of the current instruction, useful for following thread usage
Bagle – Dynamic Code Analysis • Use IDA to chart subroutines
Bagle – Dynamic Code Analysis • Use IDA to identify function parameters and variables • arg_8 can be accessed by adding “10h” to the EBP register
Bagle – Dynamic Code Analysis • Multiple threads • The Extended Instruction Pointer (EIP) doesn’t follow new threads unless specified
Bagle – Unpacking and Clean up • The Bagle virus was not packed • Compressed or encrypted • It also was not polymorphic • Changing the assembly, usually by inserting “NOP” instructions, thus changing the virus signature but not changing the effectiveness • The Bagle virus has many removal tools
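Added example (not from the slides or from the authors’ lab): a minimal Python check that does what the dumpbin step above does, confirming the MZ/PE signatures and listing the section table, plus a section-entropy heuristic as a first hint of whether a specimen is packed, the question the unpacking step answers (Bagle, per the slide, was not). The sample PE image is constructed inline; the 7.0 entropy threshold is my assumption, not a value from the slides.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 suggest compressed or encrypted bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def parse_pe(image: bytes) -> dict:
    """Read the MZ/PE headers and section table, like the 'determine type' step with dumpbin."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]        # file offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ file without PE signature (DOS program or corrupt)")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    sect_off = coff + 20 + opt_size                              # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sect_off + i * 40)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "entropy": round(entropy(raw), 2)})
    return {"type": "PE", "machine": hex(machine), "is_dll": bool(chars & 0x2000), "sections": sections}

def looks_packed(info: dict, threshold: float = 7.0) -> bool:
    """Heuristic only (assumed threshold, not from the slides): any section with very high entropy."""
    return any(s["entropy"] > threshold for s in info["sections"])

def build_sample(section_data: bytes) -> bytes:
    """Construct a minimal single-section PE image for testing (constructed data, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    opt_size = 0                                                 # no optional header in this hand-built image
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)  # i386, 1 section, EXE | 32-bit
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40                  # section data right after the section header
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + section_data

PLAIN_CODE = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) + b"\x90" * 57  # push ebp ... ret, NOP padding
HIGH_ENTROPY = bytes(range(256)) * 16                                         # stands in for packed/encrypted bytes

if __name__ == "__main__":
    for label, data in (("plain", PLAIN_CODE), ("packed-looking", HIGH_ENTROPY)):
        info = parse_pe(build_sample(data))
        print(label, info["machine"], info["sections"], "packed?", looks_packed(info))
```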
Recap • Reverse engineering malware started in 1987 • It is good to contain, remove, and prevent malware • 7 steps • Set up lab • Behavioral analysis • Static code analysis • Dynamic code analysis • Unpack • Repeat steps 2, 3, and 4 • Document and clean up