Lecture - 01 - Introduction To Malware Analysis PDF

This document provides an overview of malware analysis and reverse engineering. It defines malware as instructions that run on a computer without authorization to perform unwanted actions. The document outlines common malware categories such as backdoors, botnets, downloaders, and information stealers. It describes the goals of malware analysis as determining what happened during an intrusion and locating infected files/machines. Both static and dynamic analysis techniques are covered at the basic and advanced levels. General rules for malware analysis emphasize focusing on key features rather than details and trying multiple analytical approaches.

Uploaded by Elena Damon
IS 873: Malware Analysis and Reverse Engineering

Introduction
Overview
• What is Malware?
• Types of malware
• The goals of malware analysis
• Malware analysis techniques
• General rules for malware analysis
What is Malware?

• A set of instructions that run on your computer and
make your system do something that an attacker
wants it to do.
– Change configurations
– Use your computer as a jump-off point to further spread
– Log keystrokes
– Log web browsing history and habits
– Stream video of your screen
– Grab audio and/or video from your camera or microphone
– Steal files/other information
– Use your computer as a bot
Malware Categories
• You can often speed up malware analysis by making
educated guesses about what the malware is trying to
do and then confirming those hypotheses.
• Of course, you’ll be able to make better guesses if you
know the kinds of things that malware usually does.
• To that end, here are the categories that most
malware falls into:
– Backdoor
• Malicious code that installs itself onto a computer to allow the
attacker access.
• Backdoors usually let the attacker connect to the computer with little
or no authentication and execute commands on the local system.
Malware Categories
– Botnet
• Similar to a backdoor, in that it allows the attacker access to the
system.
• But all computers infected with the same botnet receive the same
instructions from a single command-and-control server.
– Downloader
• Malicious code that exists only to download and install other
malicious code.
• Downloaders are commonly installed by attackers when they first gain
access to a system.
– Information-stealing malware
• Malware that collects information from a victim’s computer and
usually sends it to the attacker.
• Examples include sniffers, password hash grabbers, and keyloggers.
Malware Categories
– Launcher
• Malicious program used to launch other malicious programs.
• Usually, launchers use nontraditional techniques to launch other
malicious programs to ensure stealth or greater access to a system.
– Rootkit
• Malicious code designed to conceal the existence of other code.
• Rootkits are usually paired with other malware, such as a backdoor, to
allow remote access to the attacker and make the code difficult for
the victim to detect.
– Spam-sending Malware
• Malware that infects a user’s machine and then uses that machine to
send spam.
• This malware generates income for attackers by allowing them to sell
spam-sending services.
Malware Categories
– Scareware
• Malware designed to frighten an infected user into buying something.
• It usually has a user interface that makes it look like an antivirus or
other security program.
• It informs users that there is malicious code on their system and that
the only way to get rid of it is to buy their “software,” when in reality,
the software it’s selling does nothing more than remove the
scareware.
– Worm or Virus
• Malicious code that can copy itself and infect additional computers.
Malware Categories
• Malware often spans multiple categories.
• A program might have a keylogger that collects
passwords and a worm component that sends spam
• Malware can also be classified based on whether the
attacker’s objective is mass or targeted.
• Mass malware, such as scareware, takes the shotgun
approach and is designed to affect as many machines
as possible.
• It is the most common, and is usually less
sophisticated and easier to detect and defend against,
because security software targets it.
Malware Categories
• Targeted malware is tailored to a specific organization.
• It is a bigger threat to networks because it is not
widespread and your security products probably
won’t protect you from it.
• Without a detailed analysis of targeted malware, it is
nearly impossible to protect your network against that
malware and to remove infections.
• Targeted malware is usually very sophisticated, and its
analysis will often require the advanced analysis skills
Goals of Malware Analysis
• Malware analysis usually follows an intrusion
• Typically, the next goal is
– To determine what happened
– Locate infected machines and files
• When analyzing suspect malware, the goal is
– To determine exactly what the binary does
– How to detect it on your network
– How to measure and contain its damage
Malware Signatures

• Host-based Signatures
– Used to detect malicious code on victim computers
– These signatures identify files created or modified or changes
made to the registry
– Focus on what the malware does to a system, unlike antivirus
signatures, which mostly focus on the malware’s own
characteristics
– This is useful for malware that changes form or has been
deleted from the hard disk
Malware Signatures

• Network Signatures
– Used to detect malicious code by monitoring network traffic
– Network signatures can be created without malware analysis
– However, network signatures created with malware analysis
offer a higher detection rate and fewer false positives

• Malware signatures help in figuring out exactly what
the malware does – understanding the bigger picture
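The two signature types above, worked through as an added example (not code from the lecture or from Practical Malware Analysis). Every path, registry key, value name and request line below is constructed for the example and is not an indicator of any real malware. The host-based signature is matched against files and registry values observed on a host; the network signature is matched against reconstructed HTTP request lines. The host observation is deliberately one where the dropped file has already been deleted, so that only the registry persistence remains, and the network part contrasts a signature written from a packet capture alone with one refined after analysis:

```python
import re
from dataclasses import dataclass


def norm(path):
    """Windows paths and registry keys are case-insensitive; compare lower-cased."""
    return path.lower()


@dataclass(frozen=True)
class HostSignature:
    name: str
    files: frozenset      # normalized paths the sample drops or modifies
    registry: frozenset   # (normalized key, lower-cased value name) pairs it writes


@dataclass(frozen=True)
class NetworkSignature:
    name: str
    pattern: re.Pattern   # applied to one reconstructed HTTP request line


# Constructed host-based signature (placeholder values, not real indicators).
HOST_SIGS = [
    HostSignature(
        "example-dropper",
        files=frozenset({norm(r"C:\Users\Public\svchost_update.exe")}),
        registry=frozenset({(norm(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
                             "updatesvc")}),
    )
]

# The same constructed beacon, signed two ways: "loose" is what you would write
# from a capture alone (just the URL path); "refined" adds the constraint that
# analysis showed the id parameter is always exactly eight hex digits.
NET_SIGS_LOOSE = [NetworkSignature("example-beacon-loose",
                                   re.compile(r"^GET /gate\.php\?"))]
NET_SIGS_REFINED = [NetworkSignature("example-beacon-refined",
                                     re.compile(r"^GET /gate\.php\?id=[0-9a-f]{8} HTTP/1\.[01]$"))]


def match_host(observed_files, observed_registry, sigs=HOST_SIGS):
    """Return {signature name: {files, registry}} for every signature with a hit.
    A signature fires on any one of its artifacts, so it still detects the
    infection when the file is gone but the persistence entry remains."""
    files = {norm(p) for p in observed_files}
    reg = {(norm(k), v.lower()) for k, v in observed_registry}
    hits = {}
    for sig in sigs:
        f, r = sig.files & files, sig.registry & reg
        if f or r:
            hits[sig.name] = {"files": sorted(f), "registry": sorted(r)}
    return hits


def match_network(request_lines, sigs):
    """Return (signature name, request line) for every line a signature matches."""
    return [(sig.name, line) for line in request_lines
            for sig in sigs if sig.pattern.search(line)]


# Constructed observations: the dropped executable was already deleted, the
# Run-key value is still there next to a legitimate one.
OBS_FILES = [r"C:\Windows\System32\notepad.exe"]
OBS_REGISTRY = [(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "UpdateSvc"),
                (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive")]
# Constructed request lines: one beacon and one legitimate page with a similar path.
OBS_REQUESTS = ["GET /gate.php?id=3fa9c01b HTTP/1.1",
                "GET /gate.php?page=login HTTP/1.1"]

if __name__ == "__main__":
    print(match_host(OBS_FILES, OBS_REGISTRY))
    print(match_network(OBS_REQUESTS, NET_SIGS_LOOSE))    # both lines: a false positive
    print(match_network(OBS_REQUESTS, NET_SIGS_REFINED))  # only the beacon
```

The host match succeeds on the registry value alone, which is the point of host-based signatures on the slide: they key on what the malware did to the system rather than on the binary, so a deleted or repacked sample is still caught. The loose network signature fires on the legitimate request as well; the refined one, written with knowledge of the beacon format from analysis, does not.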
Malware Analysis Techniques
• The malware analyst will most often have only the
malware executable, which is not human-readable.
• Use a variety of tools and tricks, each revealing a small
amount of information.
• Two fundamental approaches to malware analysis:
– Static
• Involves examining the malware without running it.
– Dynamic
• Involves analysis while running the malware.
– Both techniques are further categorized as basic or advanced.
Basic Static Analysis
• Consists of examining the executable file without
viewing the actual instructions.
• Can
– confirm whether a file is malicious
– provide information about its functionality
– and sometimes provide information that will allow you to
produce simple network signatures.
• It is straightforward and can be quick
• But largely ineffective against sophisticated malware,
and can miss important behaviors.
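What "examining the executable without viewing the instructions" looks like in practice, as an added example that is not from the lecture or from Practical Malware Analysis. The block builds a minimal constructed PE-shaped blob (it has no optional header and cannot run; it exists only to feed the parser), then performs the usual basic static steps on it: hashing, extracting printable strings, and parsing the DOS/PE/COFF headers and section table by hand with `struct`. The section flags and header layout are from the PE/COFF format; the "suspicious API" list is an illustrative subset chosen for the example. A real workflow would use a library such as pefile rather than hand-parsing, but the hand-parsed version shows what those tools read:

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Section characteristic flags from the PE/COFF specification (subset used here).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Illustrative subset: API names whose presence in a string dump is worth a note.
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}


def build_sample():
    """Constructed PE-shaped blob for the example: DOS stub with e_lfanew at 0x3C,
    PE signature at 0x40, a COFF header with SizeOfOptionalHeader = 0, three
    section headers and a tail of strings. It is not a loadable program."""
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x5F000000, 0, 0, 0, 0x0102)

    def section(name, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, chars)

    secs = section(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    secs += section(b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    secs += section(b"UPX1", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    tail = (b"\0\x01\x02" + b"http://example.invalid/gate.php\0"
            + b"CreateRemoteThread\0" + b"kernel32.dll\0" + b"\x7f\x80ab")
    return dos + b"PE\0\0" + coff + secs + tail


def hashes(data):
    """Hashes are the first thing recorded: they identify the sample and let you
    look it up elsewhere without sharing the file."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_headers(data):
    """Parse DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "executable": bool(sc & IMAGE_SCN_MEM_EXECUTE),
                         "writable": bool(sc & IMAGE_SCN_MEM_WRITE)})
    return {"machine": machine, "characteristics": chars, "sections": sections,
            "compile_time": datetime.fromtimestamp(ts, timezone.utc).isoformat()}


def triage(data):
    """Combine the three views into one report plus a list of things to look at."""
    hdr, strs, findings = parse_headers(data), strings(data), []
    for s in hdr["sections"]:
        if s["executable"] and s["writable"]:
            findings.append(f"section {s['name']} is writable and executable (packed or self-modifying?)")
    for s in strs:
        if re.match(r"https?://", s):
            findings.append(f"URL string: {s}")
        elif s in SUSPICIOUS_APIS:
            findings.append(f"API name associated with code injection: {s}")
    return {"hashes": hashes(data), "headers": hdr, "strings": strs, "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

The report is exactly the kind of output the slide describes: enough to say the file is probably malicious (a writable code section, a hard-coded URL, an injection-related API name) and enough to seed a simple network signature (the URL path), but nothing about what the code does with them. A packed sample would hide most of the strings, which is the "largely ineffective against sophisticated malware" caveat on the slide.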
Basic Dynamic Analysis
• Basic dynamic analysis techniques involve running the
malware and observing its behavior on the system in
order to
– Remove the infection
– Produce effective signatures
– Or both
• Like basic static analysis techniques, basic dynamic
analysis techniques can be used by most people
without deep programming knowledge
• But they won’t be effective with all malware and can
miss important functionality.
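The before/after comparison that basic dynamic analysis rests on, as an added example that is not from the lecture or from Practical Malware Analysis. The sample itself is replaced by a constructed, harmless stand-in function (on a real engagement the sample runs inside the isolated VM the WARNING slide below calls for, never on the analyst's host), and the Windows registry is replaced by a plain dictionary, since neither is available here. The technique is the same generic snapshot diff over any name-to-state mapping: hash every file before and after one execution, copy the registry before and after, and turn the differences into host-based signature candidates:

```python
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map every file under root (relative path) to the SHA-256 of its content."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Created, deleted and modified keys between two snapshots. Works for any
    name -> state mapping: file hashes, registry values, service lists, ..."""
    return {
        "created": sorted(k for k in after if k not in before),
        "deleted": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def observe(root, registry, run_sample):
    """Snapshot, run the sample once, snapshot again, and derive signature
    candidates from what changed."""
    fs_before, reg_before = snapshot_tree(root), dict(registry)
    run_sample(root, registry)
    fs_diff = diff_snapshots(fs_before, snapshot_tree(root))
    reg_diff = diff_snapshots(reg_before, dict(registry))
    candidates = [f"file created: {p}" for p in fs_diff["created"]]
    candidates += [f"file modified: {p}" for p in fs_diff["modified"]]
    candidates += [f"registry value written: {key}\\{value_name}"
                   for key, value_name in reg_diff["created"] + reg_diff["modified"]]
    return {"filesystem": fs_diff, "registry": reg_diff, "signature_candidates": candidates}


def simulated_sample(root, registry):
    """Constructed stand-in for the sample under analysis: drops a file, edits the
    hosts file, and adds a Run-key value for persistence. All values are made up."""
    os.makedirs(os.path.join(root, "dropped"), exist_ok=True)
    with open(os.path.join(root, "dropped", "updater.exe"), "wb") as fh:
        fh.write(b"MZ constructed payload placeholder")
    with open(os.path.join(root, "hosts"), "a") as fh:
        fh.write("127.0.0.1 update.example.invalid\n")
    registry[(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater")] = \
        r"C:\Users\Public\dropped\updater.exe"


def demo():
    """Build a throwaway 'victim' tree and registry, run the stand-in once, report."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("unchanged\n")
        registry = {(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"):
                    r"C:\Users\u\OneDrive.exe"}
        return observe(root, registry, simulated_sample)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The unchanged `readme.txt` and the pre-existing `OneDrive` value drop out of the diff, so what remains is precisely the "what it did to the system" material that the host-based signature slide describes. The caveat from the slide applies unchanged: a sample that checks for a VM, sleeps, or waits for a command that never arrives will produce an empty diff, and nothing here would tell you why.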
Advanced Static Analysis
• Consists of reverse-engineering the malware’s
internals by
– loading the executable into a disassembler
– and looking at the program instructions in order to discover
what the program does
• The instructions are executed by the CPU, so advanced
static analysis tells you exactly what the program does
• However, advanced static analysis has a steeper
learning curve than basic static analysis and requires
specialized knowledge of
– disassembly,
– code constructs, and
– (Windows) operating system concepts
Advanced Dynamic Analysis
• Advanced dynamic analysis uses a debugger to
examine the internal state of a running malicious
executable.
• Provides yet another way to extract detailed
information from an executable.
• These techniques are most useful when you’re trying
to obtain information that is difficult to gather with
the other techniques
WARNING
• You need to set up an environment that will allow you
to study the running malware without risk of damage
to your system or network.
General Rules for Malware Analysis
• First, don’t get too caught up in the details.
– Most malware programs are large and complex, and you can’t
possibly understand every detail.
– Focus instead on the key features.
– When you run into difficult and complex sections, try to get a
general overview before you get stuck in the details.
• Second, there is no single approach.
– Every situation is different, and the various tools and
techniques that you’ll learn will have similar and sometimes
overlapping functionality.
– If you’re not having luck with one tool or issue, try another.
– Try analyzing the malware from a different angle, or just try a
different approach.
General Rules for Malware Analysis
• Finally, malware analysis is like a cat-and-mouse
game.
– As new malware analysis techniques are developed, malware
authors respond with new techniques to thwart analysis.
– To succeed as a malware analyst, you must be able to
recognize, understand, and defeat these techniques, and
respond to changes in the art of malware design as well as
analysis.
References

• Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski
