1 / 16

Malware Analysis

Malware Analysis. Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel. Georgia Institute of Technology School of Electrical and Computer Engineering. Objectives. Analyzing a worm or a virus Provide a method to eliminate How to prevent from infection in future?. Overview. Introduction

ursula
Download Presentation

Malware Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering

  2. Objectives • Analyzing a worm or a virus • Provide a method to eliminate • How to prevent from infection in future?

  3. Overview • Introduction • Definition of Malware • Techniques • Lab Scenario • Hands-on analysis of Beagle.J

  4. Introduction to Malware • How? • Forms of Malware • Detection Techniques

  5. Forms of Malware • Virus • Trojans • Worms • Spyware • Adware

  6. Detection Techniques • Integrity Checking • Static Anti-Virus (AV) Scanners • Signature-based • Strings • Regular expressions • Static behavior analyzer • Dynamic Anti-Virus Scanners • Behavior Monitors

  7. Malware Analysis Techniques • VMWare • Multiple Operating System • Creates network between host and guest systems • Self-contained files • Can transfer virtual machines to other PCs • .vmx – configuration file • .vmdk – image of hard disk

  8. Lab Scenario • Static Analysis • BinText • Extracts strings from code • IDA Pro • Dissembler • USD 399/user • UPX • UPX compression/decompression

  9. BinText • Extracts strings from executables • Reveals clues: • IRC Commands, SMTP commands, registry keys

  10. IDA Pro • Disassembles executables into assembly instructions • Easy-to-use interface • Separates subroutines, creates variable names, color-coded

  11. UPX Decompression • Executable packer commonly used by virus writers • Can compress wide range of files • Windows PE executables, DOS executables, DOS COM files, and many more • To unpack: • upx.exe -d -o dest.exe source.exe

  12. Decompressed Output

  13. Process Explorer Monitor processes FileMon Monitor file operations RegMon Monitor operations on registry Regshot Take snapshot of registry and files ProcDump Dump code from memory Process Observation Tools

  14. Beagle.J Capabilities • Registry/Run on startup • Copies into folders containing “shared” • Sends copies by email • Backdoor

  15. Conclusion • As you have seen there are various ways for an attacker to get malicious code to execute on remote computers • We have only scratched on the surface, there are much more to learn and discover

  16. Questions ? • References • Images • http://www.microsoft.com • http://www.symantec.com • Softwares • BinText – http://www.foundstone.com • IDA Pro – http://www.datarescue.com • UPX – http://upx.sourgeforce.net

More Related