Static and behavioral analysis of a malware binary

David Pérez ([email protected]), Jorge Ortiz ([email protected]), Raúl Síles ([email protected])

© 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Page 1: Static and Behavioral Analysis of a Malicious Binary


Page 2

Agenda

• Introduction
• Lab Setup
• Static analysis
• Behavioral analysis
• Conclusions
• Episode III Trailer

Page 3

Introduction

• RaDa: malware (trojan backdoor)
• Honeynet Project:
  – Scan of the Month 32: Reverse engineering
  – http://www.honeynet.org/scans/scan32/
  – Complete results published on the web

• Today: How to learn about the binary?

Page 4

Lab Setup

• Virtual Machines:
  – VMWare, VirtualPC, Bochs, Plex, QEMU
• Tools:
  – Host: Network traffic analyzer, firewall…
  – Guest: String extractor and process, registry, connections monitoring…

Page 5

Static Analysis

• Very important to:
  – Compare results with other people
  – Fully categorize the results
• Should include:
  – MD5 and/or SHA1 hashes
  – Timestamp
  – File type/target OS
  – Static / dynamic executable (dependencies)
  – Executable file format (packed? which? unpackable?)
  – Strings (ASCII/Unicode)
  – Additional info (icon, company, version…)
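As an added example (not from the slides or the authors' Scan of the Month write-up), a Python triage script that covers the static-analysis checklist above: MD5/SHA1, file type and PE compile timestamp, a packing heuristic (byte entropy plus packer markers), and ASCII/Unicode strings. The bytes it runs on are constructed in `build_sample`, and the `PACKER_HINTS` marker list is an assumption.

```python
import hashlib
import math
import re
from collections import Counter
from datetime import datetime, timezone

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII runs of 4+ bytes
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs of 4+ chars
PACKER_HINTS = ("UPX", ".aspack", ".petite")          # assumed marker list, extend as needed

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted (packed) data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_info(data: bytes) -> dict:
    """File type plus the COFF TimeDateStamp, located via e_lfanew at offset 0x3c."""
    if data[:2] != b"MZ":
        return {"type": "unknown (not an MZ/PE file)", "timestamp": None}
    off = int.from_bytes(data[0x3c:0x40], "little")
    if data[off:off + 4] != b"PE\x00\x00":
        return {"type": "MZ executable without PE header", "timestamp": None}
    ts = int.from_bytes(data[off + 8:off + 12], "little")  # COFF header: TimeDateStamp
    return {"type": "PE executable (Windows)",
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()}

def extract_strings(data: bytes) -> tuple:
    ascii_s = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    uni_s = [m.group().decode("utf-16le") for m in UTF16LE_RE.finditer(data)]
    return ascii_s, uni_s

def triage(data: bytes) -> dict:
    ascii_s, uni_s = extract_strings(data)
    ent = shannon_entropy(data)
    report = {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
              "size": len(data), "entropy": round(ent, 2),
              # entropy above ~7.0 bits/byte or a known packer marker suggests packed content
              "likely_packed": ent > 7.0 or any(h in s for s in ascii_s for h in PACKER_HINTS),
              "ascii_strings": ascii_s, "unicode_strings": uni_s}
    report.update(pe_info(data))
    return report

def build_sample(packed: bool) -> bytes:
    """Constructed stand-in for a binary: MZ stub, minimal PE/COFF header, strings, optional blob."""
    hdr = b"MZ" + b"\x00" * 0x3a + (0x40).to_bytes(4, "little") + b"PE\x00\x00"  # e_lfanew = 0x40
    hdr += b"\x4c\x01\x02\x00" + (0x40000000).to_bytes(4, "little") + b"\x00\x00"  # i386, 2 sections, ts
    body = (b"This program cannot be run in DOS mode\x00\x00" + b"CONSTRUCTED_CONFIG_STRING\x00\x00"
            + "C:\\constructed\\path.exe".encode("utf-16le") + b"\x00\x00")
    blob = b"UPX0\x00\x00" + bytes(range(256)) * 8 if packed else b""  # uniform bytes: 8 bits/byte
    return hdr + body + blob
```

Running `triage` on a real sample works the same way (`triage(open(path, "rb").read())`); the hashes are what you compare with other analysts' results, and the entropy/marker flag only says whether unpacking should come before string analysis.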

Page 6

Behavioral Analysis (I)

• It is a black box approach analysis
• Best starting point (Code analysis later if needed)
• Easy and fast
• Limited results

Page 7

Behavioral Analysis (II)

• Windows
  – FileMon
  – RegMon
  – TDIMon
  – RegShot
  – Task Mgr
  – BinText
• UNIX/Linux
  – /proc
  – Top/ps
  – Lsof
  – Strace/ltrace
  – strings

Page 8

Behavioral Analysis (III)

1. Start monitoring tools in the victim system (processes, connections, registry)
2. Start network capture in the host system (or hub)
3. Capture initial status of the victim system
4. Run the malware for an amount of time in the victim system
5. Terminate the process
6. Stop monitoring tools
7. Capture final status of the victim system
8. Walk through the obtained info
9. Loop adding interactions…

Page 9

Conclusions

• It is important to know what has (or can) happened
• Reverse Engineering techniques learned:
  – Static analysis
  – Behavioral analysis

• You can do it at home with parental guidance

Page 10

Episode III trailer

• Code analysis:
  – In-depth knowledge of the malware
  – Helping to reduce assumptions
  – Much more complicated
  – Again DEMO!

Page 11

Questions?

Page 12

Thank you!

Page 13

Page 14

Page 15

Attribution-NonCommercial-NoDerivs 2.0

You are free: to copy, distribute, display, and perform the work. Under the following conditions:

Attribution. You must give the original author credit.

Noncommercial. You may not use this work for commercial purposes.

No Derivative Works. You may not alter, transform, or build upon this work.

For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This is a human-readable summary of the license at http://creativecommons.org/licenses/by-nc-nd/2.0/.