Forensic Analysis of Malcode - Step by Step - Page 2
Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 32

Thread: Forensic Analysis of Malcode - Step by Step

  1. #11
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Nope. Not at all Hoggy.

    Wasn't aware of the publication but now that you mention it, sounds like a good book if they're doing things my way.



    Sure. We can do a co-author forensic deal.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #12
    Your norman link is broken.

    According to URL forensics, it is
    http://sandbox.norman.no/live_4.html

    lol

  3. #13
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    LOL. Dammit. It must have been rooted when I copied it over to AO.

    Seriously though. There was a trailing period inside the URL tag. I removed it and it works fine now.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #14
    Member
    Join Date
    Aug 2005
    Posts
    98
    Great post TH13 - good info!

    I did something similar a while ago but came at it from a slightly different angle, I was more looking at how I could perform a behavioural analysis of a piece of malicious code for example what files and registry keys it touched as well as what communications it established with the outside world.

    I have posted it previously in the following thread but people reading your thread may also be interested

    http://www.antionline.com/attachment...achmentid=6447

  5. #15
    Senior Member
    Join Date
    Oct 2005
    Posts
    197
    wicked, this is better then 0day spl0itz!


    kidding, kidding. Wicked post mate, topself yet again.
    meh. -ech0.

  6. #16
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I did something similar a while ago but came at it from a slightly different angle, I was more looking at how I could perform a behavioural analysis of a piece of malicious code for example what files and registry keys it touched as well as what communications it established with the outside world.
    I use install watch pro to map out behavior (as mentioned in the tut) and the venerable TCPView FileMon & RegMon combo when mapping in real time. Oh and I always have a sniffer running when doing this. My personal favorite is Ethereal. All those years of memorizing TCPDump switches at least go to use when using Ethereal.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #17
    Junior Member
    Join Date
    Dec 2005
    Posts
    4

    Re: Forensic Analysis of Malcode - Step by Step

    ollydbg and SoftICE are not hex editors! these are debuggers!

    an example of a hex editor is hex workshop or hiew. these can be used to display and edit the raw hexadecimal code of a binary

    a debugger is a program that executes a binary and allows dynamic analysis of the code by displaying the disassembly of the code as it executes. debuggers also typically allow 'single-stepping' through the instructions, as well as the setting of breakpoints on parts of the code where execution is stopped and the state of the debugged program is frozen for analysis or manipulation. softice is a kernel-mode or ring 0 debugger which means it can be used to trace low level kernel-mode code such as device drivers. ollydbg is a user-mode or ring 3 debugger, and is limited to user-mode code. it does however enjoy more features of the underlying operating system and hence has a superior windowed user interface. (softice is expensive commerical software from Compuware, ollydbg is free open-source software by a single guy called Oleh Yuschuk!)

    typically a disassembler is used in the analysis of a malware binary - this is a lot more powerful than relying on a strings output, although the strings are useful. (to understand the disassembled binary one must of course understand assembly.) the best example of a disassembler is IDA Pro - however this software is also very expensive (but there is a free limited evaluation available from Datarescue)

    it is really to enable disassembly and other static analysis than one might bother to unpack a packed binary - not for dynamic analysis! as there really is little point in unpacking an exe and rebuilding the headers & imports just to run it anyway! all the dynamic analysis can be done on the packed sample (since the packer must first unpack 'itself' before the packed code can be run!) and the unpacked code can be traced in a debugger...

    ...unless the packer (or malware) detects the debugger ... this is known as armour. however with suitable knowledge or armour techniques these can be circumvented to enable tracing/disable detection... alternatively there are programs or plugins for softice and olly that protect the debugger from detection in some cases

    it is not really accurate to suggest that malware is even sometimes password-protected so only the "C&C master can run it". it is not in the interests of malware authors to prevent use or even prompt a user for credentials when running their malware (it is usually desired that the code execute in a covert fashion). perhaps this is more applicable to software protection for shareware or evaluation software... however since it is illegal to reverse engineer or 'crack' software protection schemes we best leave that topic alone...

    another useful tool in dynamic analysis is a tool which traces API (or system) calls. A lot can be learnt from reading the sequence of API calls with knowledge of what the functions do (the Win32 API is of course documented at MSDN http://msdn.microsoft.com/) there are a few publicly-available such tools on the web, searching for 'strace' or 'apispy' may show up a few

    anti-virus vendors are now typically able to pro-actively detect a given malware variant despite it being packed differently or having a differing checksum. even completely new variants can be detected by such 'generic' detection. this detection is usually based on common sequences of API calls or strings in the malware. this is done statically so of course unpacking is required first - modern anti-virus engines are also typically adept at unpacking too.

  8. #18
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Interesting review of the symantecs used to describe the tools. Both tools have hex capabilities and typically I use each for that purpose. However, yes, technically they are debugging tools. I should have caught that before I posted. Thank you for pointing it out.

    anti-virus vendors are now typically able to pro-actively detect a given malware variant despite it being packed differently or having a differing checksum. even completely new variants can be detected by such 'generic' detection. this detection is usually based on common sequences of API calls or strings in the malware. this is done statically so of course unpacking is required first - modern anti-virus engines are also typically adept at unpacking too.
    Do you have an example of just one commercial product that does this well? If you do, I'll certainly buy it.

    it is not really accurate to suggest that malware is even sometimes password-protected so only the "C&C master can run it". it is not in the interests of malware authors to prevent use or even prompt a user for credentials when running their malware (it is usually desired that the code execute in a covert fashion).
    Actually it is accurate. Your statement suggests that you're either just getting into analysis and have not seen many samples or have been taught incorrectly on techniques used by malware authors. Review the current accepted definition of malware.

    Welcome to AO. I look forward to your first tutorial dealing with this subject.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #19
    Junior Member
    Join Date
    Dec 2005
    Posts
    4
    i was slightly dubious about the notion of submitting a reply on this forum for precisely the reason that it is not uncommon for such posts to descend into critical and egotistical flame wars. it looks as if this fear was well founded.

    let me first of all state that i made every effort in my reply not to be overly critical of technical inaccuracies or omissions in previous posts, instead trying to point out constructive technical facts for the benefit of anyone who is interested in this subject.

    it is also not in the interests of my own ego or proving my knowledge to others that i submitted.

    it is therefore with regret that i read comments that suggest i might not know what i am talking about, or that i am inexperienced or have analysed few malware samples. but i am wary of egotism so i won't dwell on this, other than to say that none of the above are true, and my statement about the lack of password-protection in common malware is entirely accurate. since i am being prompted to justify my statement about anti-virus engines' ability to unpack malware, i urge you to provide examples of modern common malware that has such password protection. malware samples are plentiful and password-protected malware is at best rare. this is i am afraid a statement of cold fact. what good is a keylogging backdoor trojan that prompts for a password before it runs on a victim's machine?

    on to the issue of anti-virus engines and unpacking. i did not mean to suggest that anti-virus products will take a packed file and produce an unpacked file for the benefit of the user. this unpacking is a feature of the scanning, and is done 'under the hood' so to speak. it is however a feature of almost all currently available commercial anti-virus engines, and advanced features like generic detection is dependent on the ability of the scanning engine to 'see through' the packer. (as an aside it is also of note and even more impressive that some modern anti-virus engines also contain emulators to assist in the unpacking of unseen packers).

    the vendor with the best ability to unpack within its scanning engine is Kaspersky. i believe Sophos comes next. however if you are interested in buying such software then please don't just take my word for it. none of what i have said is not knowledge that is obtainable by other means, nor is it groundbreaking or novel.

    i really fear that this post is descending into something other than a constructive discussion on the topic of malware analysis. to be told to review definitions and that i am just 'getting into' analysis is quite galling. bear in mind i was the one to point out that the most common tool used in malware analysis is the disassembler, for which a pre-requisite is a knowledge of x86 assembly. this omission alone speaks for itself.

    thank you for the welcome - i am open to the idea of contributing to a positive and constructive discussion for the 'greater good' however i fear already that i may not be making many more submissions.....

  10. #20
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    what good is a keylogging backdoor trojan that prompts for a password before it runs on a victim's machine?
    Again, there are many subsets of malware. I would need a 300 page book to cover all of them. Please review the definition of malware. Believe it or not, there are different payloads in different malware for different purposes. In the *example* I gave, there was password protection on the sample. I purposely selected this to highlight how to use OLLYDBG.

    i urge you to provide examples of modern common malware that has such password protection.
    I would be happy to give you access to my personal sample library but first you'd have to be vetted. I have about 35,000 samples in there. You can sift through all of them and come up with new cold hard facts just like the ones I have provided here.

    the vendor with the best ability to unpack within its scanning engine is Kaspersky.
    NOD32 actually scores higher in this area. Likewise, don't take my word for it.

    bear in mind i was the one to point out that the most common tool used in malware analysis is the disassembler, for which a pre-requisite is a knowledge of x86 assembly. this omission alone speaks for itself.
    Actually it doesn't. You showed up here with ego written all over you. The first post you made assumed that I never speak of ASM and I willingly left out many areas of practice because of lack of knowledge, not lack of practical space and time. You also focused on a very small subset of malware that isn't even the topic of conversation. I would reconsider the source of descent in this thread. It was perfectly positive until you showed up. Basically, you focused on everything outside of the scope of the post.

    Many others here can clearly tell you that #1 IDA Pro is what I use for ASM diagnostics (ech0 just got a paper on it from me) and #2 I always advise folks to learn ASM and IDA Pro if they believe that they want to get into the area of analysis.

    If you believe that the tutorial is bad, or you feel this strongly about areas outside of the scope of the post, I welcome you to write your own tutorial on ASM and other variants of malware and post it here.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides