
Static and Behavioral Analysis of a Malicious Binary



© 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Static and behavioral analysis of a malware binary

David Pérez ([email protected]), Jorge Ortiz ([email protected]), Raúl Síles ([email protected])

Agenda

• Introduction
• Lab Setup
• Static analysis
• Behavioral analysis
• Conclusions
• Episode III Trailer

Introduction

• RaDa: malware (trojan backdoor)
• Honeynet Project:
  – Scan of the Month 32: Reverse engineering
  – http://www.honeynet.org/scans/scan32/
  – Complete results published on the web

• Today: How to learn about the binary?

Lab Setup

• Virtual Machines:
  – VMWare, VirtualPC, Bochs, Plex, QEMU

• Tools:
  – Host: Network traffic analyzer, firewall…
  – Guest: String extractor and process, registry, connections monitoring…

Static Analysis

• Very important to:
  – Compare results with other people
  – Fully categorize the results

• Should include:
  – MD5 and/or SHA1 hashes
  – Timestamp
  – File type/target OS
  – Static / dynamic executable (dependencies)
  – Executable file format (packed? which? unpackable?)
  – Strings (ASCII/Unicode)
  – Additional info (icon, company, version…)

Behavioral Analysis (I)

• It is a black-box analysis approach
• Best starting point (code analysis later if needed)
• Easy and fast
• Limited results

Behavioral Analysis (II)

• Windows
  – FileMon
  – RegMon
  – TDIMon
  – RegShot
  – Task Mgr
  – BinText

• UNIX/Linux
  – /proc
  – top/ps
  – lsof
  – strace/ltrace
  – strings

Behavioral Analysis (III)

1. Start monitoring tools in the victim system (processes, connections, registry)
2. Start network capture in the host system (or hub)
3. Capture initial status of the victim system
4. Run the malware for an amount of time in the victim system
5. Terminate the process
6. Stop monitoring tools
7. Capture final status of the victim system
8. Walk through the obtained info
9. Loop adding interactions…
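Steps 3, 7 and 8 of the procedure are the RegShot idea: snapshot the system, let the sample run, snapshot again, compare. The Python script below is an added example, not code from the slides, showing that loop for the file system part of the snapshot; `snapshot_tree()` records size and SHA1 of every file under a root, `diff_snapshots()` reports what was added, removed or modified, and `demo()` drives it against a constructed throw-away directory in which the "run" is simulated by writing and deleting files. The paths and contents are constructed for the demo; the same diff logic applies to a registry export or process list dumped into a dict.

```python
import hashlib
import os
import tempfile


def _write(root, rel_path, content):
    """Helper for the constructed demo: create a file under root."""
    path = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def snapshot_tree(root):
    """Steps 3 and 7: record (size, sha1) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (len(data), hashlib.sha1(data).hexdigest())
    return snap


def diff_snapshots(before, after):
    """Step 8: what changed between the two captures."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def demo():
    """Capture / run / capture / compare against a constructed victim tree."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for a clean guest (paths chosen to look like a Windows tree).
        _write(root, "Windows/win.ini", b"[fonts]\r\n")
        _write(root, "Windows/system32/drivers/etc/hosts", b"127.0.0.1 localhost\r\n")
        _write(root, "Temp/staging.tmp", b"")
        before = snapshot_tree(root)  # step 3: initial status

        # Constructed stand-in for step 4: effects a run might leave behind.
        _write(root, "Windows/system32/dropped.exe", b"MZ\x90\x00")
        _write(root, "Windows/system32/drivers/etc/hosts",
               b"127.0.0.1 localhost\r\n127.0.0.1 added.example\r\n")
        os.remove(os.path.join(root, "Temp", "staging.tmp"))

        after = snapshot_tree(root)  # step 7: final status
        return diff_snapshots(before, after)  # step 8: walk through the differences


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing rather than comparing timestamps matters because a sample can restore modification times; a changed hash is the harder signal to hide. Step 9 of the procedure corresponds to repeating `demo()` with a different interaction each time and diffing again.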

Conclusions

• It is important to know what has (or can) happened
• Reverse Engineering techniques learned:
  – Static analysis
  – Behavioral analysis

• You can do it at home with parental guidance

Episode III trailer

• Code analysis:
  – In-depth knowledge of the malware
  – Helping to reduce assumptions
  – Much more complicated
  – Again DEMO!

Questions?

Thank you!

Attribution-NonCommercial-NoDerivs 2.0

You are free: to copy, distribute, display, and perform the work. Under the following conditions:

Attribution. You must give the original author credit.

Noncommercial. You may not use this work for commercial purposes.

No Derivative Works. You may not alter, transform, or build upon this work.

For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This is a human-readable summary of http://creativecommons.org/licenses/by-nc-nd/2.0/.