Basic Dynamic Analysis of Malware
Download as PPTX, PDF2 likes2,242 views
This document provides an overview of basic dynamic malware analysis techniques. It explains that dynamic analysis examines how malware behaves when executed by monitoring changes to the system, unusual processes, network traffic, and other behaviors. A number of tools are described that can be used for dynamic analysis, including sandboxes, process monitors, registry snapshots, network service emulators, and packet sniffers. Caution is advised to perform analysis safely in a isolated lab environment.
Basic Dynamic Analysis of Malware
- 1. 1 Basic Dynamic Analysis - malware by @x00itachi
- 2. 2 Why and what is malware analysis ? To gain an understanding of how a specific piece of malware functions so that defenses can be built to protect an organization’s network. We can write, Host-based signatures(HIPS), or indicators, are used to detect malicious code on victim computers. Network signatures(NIPS) are used to detect malicious code by monitoring network traffic. Malware Analysis types – Static/Code Analysis Dynamic/Behavioral Analysis
- 3. 3 Brief intro on static analysis…. Taking a closer look at the suspicious file by examining its static properties. Static properties include the strings embedded into the file, header details, hashes, embedded resources, packer signatures, metadata such as the creation date, etc. This process also helps determine whether the analyst should take closer look at the specimen using more comprehensive techniques and where to focus the subsequent steps.
- 4. 4 What is dynamic analysis ? When performing behavioral analysis, look for changes to the system as well as any unusual behavior on an infected system. Changes on the system that should raise a red flag include files that have been added and/or modified, new services that have been installed, new processes that are running, any registry modifications noting which modifications took place, and finally, if any systems settings have been modified. Beside the behavior of the system itself, network traffic will also be examined.
- 5. 5 Why dynamic analysis ? Both types accomplish the same goal of explaining how malware works, the tools, time and skills required to perform the analysis are very different. Behavioral analysis is how the malware behaves when executed, who it talks to, what gets installed, and how it runs. Both static and dynamic analysis should be performed to gain a complete understanding on how a particular malware functions. Knowing how malware functions allows for better defenses to protect the organization from this piece of malware
- 6. 6 Caution while doing!!! you must set up a safe environment. For the best protection of production networks, the malware lab should never be connected to any network. Dynamic analysis techniques are extremely powerful & dynamic analysis can put your network and system at risk.
- 7. 7 How we do it ?.....Use tools Sandboxes Process monitors Registry snapshots Network service faking tools Domain faking tools Packet sniffers
- 8. 8 Tools & use case
- 9. 9 Sandboxes A sandbox is a security mechanism for running untrusted programs in a safe environment without fear of harming “real” systems. Ex: Norman SandBox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, and Comodo Instant Malware Analysis Malware sandboxes do have a few major drawbacks. Ex: the sandbox simply runs the executable, without command-line options. The sandbox also may not record all events, because neither you nor the sandbox may wait long enough. Malware may detect the virtual machine, and it might stop running or behave differently. Source: Arial 9pt.
- 10. 10 Monitoring with Process Monitor Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity. Procmon monitors all system calls it can gather as soon as it is run. sometimes more than 50,000 events a minute. It can crash a virtual machine using all available memory. Source: Arial 9pt.
- 11. 11 Processes with Process Explorer The Process Explorer, free from Microsoft, is an extremely powerful task manager that should be running when you are performing dynamic analysis. You can use Process Explorer to list active processes, DLLs loaded by a process, various process properties, and overall system information. Source: Arial 9pt.
- 12. 12 Registry Snapshots with Regshot Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. Source: Arial 9pt.
- 13. 13 Faking a Network Using ApateDNS Malware often beacons out and eventually communicates with a commandand-control server. You can create a fake network and quickly obtain network indicators, without actually connecting to the Internet. ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. It responds to DNS requests with the DNS response set to an IP address you specify. Source: Arial 9pt.
- 15. 15 Using INetSim INetSim is a free, Linux-based software suite for simulating common Internet services. INetSim is the best free tool for providing fake services, allowing you to analyze the network behavior of unknown malware samples by emulating services such as HTTP, HTTPS, FTP, IRC, DNS, SMTP, and others. INetSim does its best to look like a real server, and it has many easily configurable features to ensure success. Ex: by default, it returns the banner of Microsoft IIS web server if is it scanned and INetSim can serve almost any file requested. Source: Arial 9pt.
- 17. 17 Monitoring with Netcat Netcat, the “TCP/IP Swiss Army knife,” can be used over both inbound and outbound connections for port scanning, tunneling, proxying, port forwarding, and much more. Source: Arial 9pt.
- 18. 18 Packet Sniffing with Wireshark Wireshark is an open source sniffer, a packet capture tool that intercepts and logs network traffic. Wireshark provides visualization, packet-stream analysis, and in-depth analysis of individual packets. Source: Arial 9pt.
- 20. 20 Source: Arial 9pt. THANKS TO :