
Reverse Engineering


Presentation Transcript


  1. Reverse Engineering • Paul deGrandis

  2. Applications • Software Maintenance • Source Code and Documentation Engineering • Virus Analysis

  3. Malware • Virus • Needs a vector for propagation • Worm • No vector needed • Can spread by network shares, email, security holes

  4. Malware • Trojan Horse • Performs unstated and undesirable functions • Spyware, adware, logic bombs, backdoors, rootkits

  5. Anti-Virus • Integrity Checking • Static AV Scanners • Dynamic AV Scanners

  6. Anti-Virus • Integrity Checking • Checksum comparison • Static AV Scanners • Program properties (registry, system calls) • Malware byte sequence extraction

  7. Anti-Virus • Dynamic AV Scanners • Intercepting system calls • Analyzing audit trails • Operation patterns

  8. Procedures For Analysis • Restrict Access • Save only disassembled files • Rename Extensions, prevents double-click • Password protect dangerous files and ZIPs • NEVER SEND MALWARE

  9. Procedures For Analysis

  10. Tools • VMware • Isolate and restore snapshots • BinText • Extracts strings from binary files (code) • IRC commands, SMTP, registry keys
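Added example (not from the slides or any of the tools they name): a minimal BinText-style string extractor that pulls ASCII and UTF-16LE strings from a binary, tags the IRC, SMTP and registry-key strings slide 10 calls out, and performs the checksum comparison that slide 6 describes under integrity checking. The sample "binary", the indicator patterns and the function names are assumptions constructed for illustration.

```python
import hashlib
import re

# Indicator patterns are assumptions for this example, not a real AV signature set.
INDICATORS = {
    "irc": re.compile(r"^(NICK|JOIN|PRIVMSG|USER) ", re.I),
    "smtp": re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA)\b", re.I),
    "registry": re.compile(r"(HKEY_|HKLM|HKCU|\\CurrentVersion\\Run)", re.I),
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")             # 4+ printable bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")      # 4+ UTF-16LE chars


def extract_strings(data: bytes):
    """Return printable ASCII strings, then UTF-16LE strings (BinText finds both)."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found


def classify(strings):
    """Map each indicator category to the strings that match it."""
    hits = {}
    for s in strings:
        for name, rx in INDICATORS.items():
            if rx.search(s):
                hits.setdefault(name, []).append(s)
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_check(data: bytes, known_sha256: str) -> bool:
    """Checksum comparison: does the file still match its recorded hash?"""
    return sha256_hex(data) == known_sha256


# Constructed sample: junk bytes surrounding a few embedded strings.
SAMPLE = (b"\x00\x01MZ\x90\x00NICK bot1234\x00\x7f\xff"
          + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
          + b"\x00\x00HELO mail.example\x00\x03ab\x00")

if __name__ == "__main__":
    strs = extract_strings(SAMPLE)
    print(strs)                                   # 3 strings, wide one last
    print(classify(strs))                         # irc / smtp / registry hits
    print(integrity_check(SAMPLE, sha256_hex(SAMPLE)))   # True on the baseline
```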

  11. Tools • IDA Pro • Disassembles executables into assembly

  12. Tools • UPX Decompression • Executable packer • To unpack: upx.exe -d -o dest.exe source.exe

  13. Tools • SysInternals.com • FileMon - monitors file access • RegMon - monitors registry access

  14. Tools • RegShot • Records modifications to the registry, but not reads

  15. Tools • ProcDump • Dumps a process's code from memory • Useful in detecting and analyzing polymorphic viruses

  16. Tools • OllyDbg • Attaches to a process • Can actively manipulate memory and registers during operation • Swiss Army Knife

  17. Tools • Network Activity • TCPView - displays open network ports • TDIMon - monitors network activity • Ethereal/Wireshark - Packet Sniffer • Snort - IDS / Packet Sniffer • netcat - Network Swiss Army Knife

  18. Tools • SysInternals.com • TCPView - TCP and UDP endpoints and processes • TDIMon - Logs all network activity, but not packet contents

  19. Tools • Wireshark (formerly Ethereal) • Captures and displays all packet contents • One of your best friends

  20. Tools • Netcat - reads and writes across data connections using TCP/IP • Great for probing, listening, debugging, or exploring unknown network behavior • The other one of your best friends

  21. The Assignment • Beagle.J (and its cousin Beagle.K) • Static analysis (BinText, IDA) • Dynamic Analysis • Host Side (Registry, process, files) • Networking (Ports, connections, traffic) • Propagation, Backdoors
