1 / 22

Advanced Techniques in Malware Analysis: Basic Dynamic Analysis

Learn the process of executing malware to observe its behavior. Understand how this complements static analysis, advantages, disadvantages, sandboxes, monitoring system activities, running and monitoring malware, and faking networks.

henriettas
Download Presentation

Advanced Techniques in Malware Analysis: Basic Dynamic Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 4. Basic Dynamic Analysis Malware Analysis

  2. What is Basic Dynamic Analysis? • Allowing the malware to run - executing the program binary • It complements static analysis • Makes analysis more efficient in some cases • Helps us understand the program behavior

  3. Various Types of Malware Analysis • Basic Static Analysis • Examining target binary without execution (i.e., strings, hashing, signature) • Advanced Static Analysis • Understanding target binary using reverse engineering (i.e., disassembly) • Basic Dynamic Analysis • Executing target binary and observing its behavior • Advanced Dynamic Analysis • Executing target binary and using a debugger to analyze internal state

  4. Basic Dynamic Analysis • Monitored execution of a program in order to perform analysis • Often performed after static analysis is done • Advantages • Efficient way to determine program functionality • Able to check file activity, process creation, network activity, etc. • Disadvantage • Not all functional paths may be explored

  5. Executing the Malware • In most cases, you can just double-click the “exe” file • You may want to run it from the command-line as well (Why?) • What if the extension is not “exe”? • You can change it. Verify it is a PE file using a PE parser • What if it is a DLL? • You can run a DLL using the rundll32 program • Format: C:\> rundll32.exe <name>.dll

  6. Sandboxes • What is Sandbox? • All-in-one software solutions to analyze the execution of a program • Provides security mechanism for running untrusted programs in a safe environment • Lets you monitor behavior/changes to the system • The “real” system remains isolated – so, it does not get infected

  7. Sandboxes • Usually use virtual components • Simulates network services to allow program to execute as it ‘normally’ would • Sandboxes for Malware Analysis • There are many free and commercial versions available • Some online and some you can download • Lets you analyze a variety of file types: EXE, PDF, Office Documents, URLs, etc.

  8. Sandboxes - Drawbacks • May run the EXE w/o command line arguments • EXE may wait for response from C2 • Malware may find out that it is running in a sandbox • An anti-analysis technique • In that case, the malware may change its behavior • Often the environment is not properly setup

  9. Sandbox – Example: malwr.com

  10. Monitoring System Activity • Process Monitor (aka ProcMon) • Tool that allows monitoring of registry, file system, network, process, and thread activities • Not a reliable tool for network activities • So other tools need to be used • Monitors all system calls • Captures a lot of data (> 50,000 events a minute) • Uses RAM to capture events • Can easily crash a VM - so, run for a limited amount of time

  11. Running Malware: ProcMon

  12. Running Malware: ProcMon • To narrow the result, use filtering • You may want to filter on: • Executables running on the system • System call (such as RegSetValue, CreateFile, WriteFile, etc.) • Note: Filtering does not prevent from consuming too much memory though

  13. ProcMon Filtering

  14. Process Explorer • Windows task manager and system monitoring tool • It monitors all running processes • Free • Shows which program in the system has a specific file/directory open • Provides insight into the processes that are running on a system • Lists active processes, DLLs loaded by a process, process properties, system information

  15. Process Explorer

  16. Process Explorer Vs. Process Monitor • Process Explorer • Shows current state of each process • Shows files, registry keys and thread loaded by each running process • Process Monitor • In addition to monitoring, it logs process information – all events • Logs show the files, registry, network etc. the process attempted to use – successful or not • “Access Denied” events also appear

  17. Monitoring Network Activities • Why? • Most malware will need to communicate with external services/entities • Download additional malware, files • Exchange/obtain keys for encryption • C2 – Command and Control: Receive instructions and check-in • Extract data • Infect other machines • Question: Do we allow them access to network?

  18. Faking a Network • It is too risky to allow a malware to access the network • Faking a network allows us to find out how/what is communicated • Important: Faking requires that the malware does not realize it is executing on a virtualized environment

  19. Faking a Network - ApateDNS • ApateDNS is a Free tool from Mandiant/Fire-Eye • Allows to control DNS responses though GUI • It listens on UDP port 53 on the local machine • Spoofs DNS responses to a user-specified IP address • One of the quickest and easiest ways to see DNS requests made on the system • It redirects all requests though • Typically redirects to localhost. But, you can also redirect to other IPs

  20. Faking a Network - ApateDNS

  21. FakeNet • An open source tool • Allows users to intercept and redirect all or specific network traffic • You can identify malware functionality and capture network signatures

  22. Netcat • Typically used for reading from and writing to network connections • Handles both inbound and outbound connections

More Related