
3. Basic Static Analysis


jonathanr

Presentation Transcript


  1. 3. Basic Static Analysis Malware Analysis

  2. What is Basic Static Analysis? • Static Analysis: Analyzing a program without executing it • Just review the code to determine the program behavior • It is usually the first step in malware analysis • Many tools exist to do the analysis • One has to choose the proper tool based on the objective • Some tools may execute the code – so, be careful • A combination of tools may be used

  3. Hashing the file • It is a common method used to uniquely identify a malware sample • A hash function is a one-way function • Creates a unique signature for the file based on the binary content • Example functions: • md5sum (available on *nix platforms) • PowerShell or applications such as Cygwin (on Windows platforms) • SHA1, SHA2, … (Example command: shasum -a 256 <filename>) • May use online resources (be careful though!!)

  4. Hashing on Turing • md5sum <filename> • Example:

  5. Hashing with PowerShell • To open PowerShell • Windows + R (opens the Run window) • Type: powershell (and hit enter) • Enter the following • gci -Recurse | select FullName | %{get-Filehash -Algorithm md5 -Path $_.FullName ; get-FileHash -Algorithm sha1 -Path $_.FullName} | format-list • “gci -Recurse” grabs all items, plus child items from the working directory • “select FullName” returns the full item name • “get-Filehash -Algorithm md5” returns the md5 hash • “get-Filehash -Algorithm sha1” returns the sha1 hash • “format-list” prints it out neatly

  6. Hashing with PowerShell

  7. Strings • What is a string? • A sequence of printable characters • There are mainly two formats used to store strings • ASCII and Unicode • The format defines how you can search for strings

  8. Strings

  9. Strings • What can we find? • Any string appearing in a program • Typical strings • Imports/Exports and other data about the program itself (i.e. artifacts from the file format – such as PE file information) • Messages • IPs, domain names and other command and control information

  10. Strings • If you don’t find any strings, that is still useful information • Indicates that the program may be packed or obfuscated • Adjust your approach – first figure out if you can unpack/deobfuscate the sample, then search for strings

  11. Running “strings” command on Turing (screenshot; annotations: “Random data”, “Valid string”)
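
The string search from slides 7 to 11, as an added example that is not part of the original presentation: it pulls both ASCII and UTF-16LE ("Unicode") strings out of a byte buffer and shows that the same buffer yields nothing once it is XOR-obfuscated. The function names and the sample bytes are constructed for illustration.

```python
import re

PRINTABLE = rb"[\x20-\x7e]"  # printable ASCII range

def extract_strings(data: bytes, min_len: int = 4):
    """Return (ascii_hits, wide_hits) of at least min_len characters."""
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    # "Unicode" strings in Windows binaries are normally UTF-16LE, so each
    # ASCII-range character is followed by a 0x00 byte.
    wide_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    ascii_hits = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    wide_hits = [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return ascii_hits, wide_hits

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used only to stand in for an obfuscated sample."""
    return bytes(b ^ key for b in data)

def triage(data: bytes) -> dict:
    """Collect both string kinds and flag the 'no strings at all' case."""
    ascii_hits, wide_hits = extract_strings(data)
    return {"ascii": ascii_hits, "wide": wide_hits,
            "no_strings": not ascii_hits and not wide_hits}

# Constructed sample bytes (not a real binary): a header fragment, one
# ASCII URL on a reserved .invalid domain, and one UTF-16LE API name.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00"
          + b"http://c2.example.invalid/gate.php\x00\x01\x02"
          + "CreateProcessW".encode("utf-16le") + b"\x00\x00ab\x00\xff")

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE), ("xor 0xAA", xor_bytes(SAMPLE, 0xAA))):
        print(label, triage(blob))
```

A plain ASCII search alone would miss the UTF-16LE API name, which is why the storage format decides how you search.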

  12. Anti-Virus (AV) Software • They are effective and prevalent • Usually a good place to start • Should use multiple scanners • If one does not identify the sample, another one may • AVs rely on a database of identifiable suspicious code (file signature) • Some use pattern-matching / behavioral analysis • Malware authors can modify the code to avoid detection

  13. AV: VirusTotal • A web service that analyzes malware • Utilizes file signatures and heuristics • It compares its results with those of numerous antivirus databases • It also provides: • Basic Properties • Hashing, File Size • History • First/Last Submission • File Names • Packer Detection

  14. AV: VirusTotal

  15. AV: ClamAV • It is an open-source AV engine • It performs Email scanning, web scanning, end-point security • Available at clamav.net • On *nix platforms use: apt-get install • Freshclam: allows updates from command line • Clamscan: Command line AV scanner • You can also write custom signatures for detection

  16. AV: ClamAV • Distributed with several CVD files • Archive of signature files • Main.cvd and daily.cvd • A group of files that contain information/signatures that Clam uses to match files • To unpack a CVD file to view its contents: • $ sudo sigtool -u daily.cvd

  17. AV: ClamAV Signature Formats • Hash-based signatures • Easiest way to create a signature for ClamAV • Create file hash checksums • Only used against static malware – i.e. it doesn’t change • Database uses .hdb extension

  18. AV: ClamAV – Creating Hash Signatures • Create/identify a file that you want detected by ClamAV • Generate a hash using sigtool: $ sigtool --md5 <file> • Create an HDB: $ sigtool --md5 <file> > test.hdb • Scan with ClamAV: $ clamscan -d test.hdb a.out • Also supports SHA1 and SHA256 signatures • Same format, engine differentiates by hash length
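
The hashing slides and the hash-signature workflow above, combined in one added example (not from the original presentation and not ClamAV's own code): it builds lines in ClamAV's `HashString:FileSize:MalwareName` layout, tells MD5, SHA1 and SHA256 entries apart by digest length, and shows that changing a single byte defeats a hash signature. The function names and the sample bytes are constructed for illustration.

```python
import hashlib

# Hex digest length tells the algorithm apart: 32 = MD5, 40 = SHA1, 64 = SHA256.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}

def hash_signature(data: bytes, name: str, algo: str = "md5") -> str:
    """Build one 'HashString:FileSize:MalwareName' signature line."""
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"

def parse_hash_db(text: str):
    """Parse signature lines into (algo, digest, size, name) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, size, name = line.strip().split(":", 2)
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognised hash length in: {line!r}")
        entries.append((algo, digest.lower(), int(size), name))
    return entries

def scan(data: bytes, entries):
    """Return names of all signatures whose size and hash match data."""
    digests, hits = {}, []
    for algo, digest, size, name in entries:
        if size != len(data):
            continue  # cheap size check before hashing
        if algo not in digests:
            digests[algo] = hashlib.new(algo, data).hexdigest()
        if digests[algo] == digest:
            hits.append(name)
    return hits

# Constructed stand-in for a sample file's contents.
SAMPLE = b"Hi There\n"
DB = "\n".join(hash_signature(SAMPLE, f"Test.Sample.{a.upper()}", a)
               for a in ("md5", "sha1", "sha256"))

if __name__ == "__main__":
    print(DB)
    print("original:", scan(SAMPLE, parse_hash_db(DB)))
    print("one byte changed:", scan(b"Hi there\n", parse_hash_db(DB)))
```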

  19. AV: ClamAV – Body-based Signatures • Example: “Hi There” • Create ASCII-based signature based off custom EXE • Use sigtool with --hex-dump to generate hex • Example: sigtool --hex-dump • Input: Hi There • Output: 5ui89juy4kd9lka98t50a (not correct output, just randomly picked) • The last two characters in the output will be the newline code – so, ignore those.

  20. AV: ClamAV – Body-based Signatures • Example continued • Build a properly formatted signature and store in a file with .ndb extension • SigName:Target:Offset:HexadecimalSignature • Example: MySignature:0:*:5ui89juy4kd9lka98t5 • Notice that “0a”, the newline code is removed from the signature • SigName = Malware Name • Target = 0 any file, 1 PE, 2 OLE2, 3 HTML … • Offset: Range of bytes to match in • Hex Signature

  21. AV: ClamAV – Body-based Signatures • To use custom signatures, store them in a file with .ndb extension • $ clamscan -d custom_db.ndb file_name • Make use of wildcards in your signature to increase detection rate • ??: wildcard for a single byte value 0 - FF • *: traditional wildcard, much broader (match any number of bytes)
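
The body-based signature from slides 19 to 21 carried through with the real hex for "Hi There", as an added example that is not from the original presentation and is not ClamAV's engine: it formats the `SigName:Target:Offset:HexadecimalSignature` line and evaluates the `??` and `*` wildcards with a simplified matcher. The function names, the signature names and the sample buffers are constructed, and only Target 0 with Offset `*` is handled.

```python
import re

def make_ndb(name: str, body: bytes, target: int = 0, offset: str = "*") -> str:
    """Format 'SigName:Target:Offset:HexadecimalSignature' for literal bytes."""
    return f"{name}:{target}:{offset}:{body.hex()}"

def hexsig_to_regex(hexsig: str):
    """Translate hex bytes, '??' and '*' into a compiled bytes regex."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":            # any number of bytes
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":   # exactly one byte, any value
            parts.append(b".")
            i += 2
        else:                           # literal byte; ValueError if not hex
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)

def match(data: bytes, ndb_line: str):
    """Return the signature name if it matches data, else None."""
    name, target, offset, hexsig = ndb_line.strip().split(":", 3)
    if target != "0" or offset != "*":
        raise NotImplementedError("example handles Target 0, Offset * only")
    return name if hexsig_to_regex(hexsig).search(data) else None

# What sigtool --hex-dump sees when fed "Hi There" plus a newline; the
# trailing 0a is dropped before the bytes go into the signature.
HEX_DUMP = b"Hi There\n".hex()                       # 48692054686572650a
EXACT = make_ndb("MySignature", b"Hi There\n".rstrip(b"\n"))
SINGLE = "MySignature.Single:0:*:4869??5468657265"   # '??' replaces the space
BROAD = "MySignature.Broad:0:*:4869*5468657265"      # '*' between Hi and There

if __name__ == "__main__":
    for blob in (b"..Hi There..", b"Hi_There", b"Hi, over There", b"Goodbye"):
        print(blob, [match(blob, s) for s in (EXACT, SINGLE, BROAD)])
```

Each wildcard widens what the signature accepts, so the broader forms also raise the chance of matching benign files. ClamAV's engine has its own rules for wildcard placement, so validate real signatures with clamscan against both the sample and known-clean files.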
