Malware Analysis – Static Analysis: Computer Security Lectures 2014/15 S1
iSpeech
This video is part of the computer/information/cyber security and ethical hacking lecture series; by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at http://z.cliffe.schreuders.org.
The slides themselves are creative commons licensed CC-BY-SA, and images used are licensed as individually attributed.
Topics covered in this lecture include:
Malware (malicious software): the author intends for the program to act maliciously
Viruses, Worms, Trojan Horses, Rootkits, Zombies
What is malware analysis? The study of malicious code to discover technical details and behaviour
Why malware analysis?
Approaches to malware analysis
Static analysis: while the malware is not running. Offline analysis of the program executable itself
Dynamic analysis: while the malware is running. Analysis of running process(es) of the malware.
Resulting changes to the system
Live analysis of network use, memory contents, and so on
Static analysis
Static analysis is the safest approach to malware analysis
One-way hash functions
md5sum, shasum
Executable packers
Mutating code
Often multiple layers of packers are used
Hidden payloads: code encryption/obfuscation (and by including a decryption function to run the code)
Polymorphic code: the stored code changes each time, but the outcome is the same (may include changing the decryption code)
Metamorphic code: the executed code changes each time (for example, different instructions such as NOPs, reordering, and extra loops)
Fuzzy hashing: a hash that can identify similar files
For example, ssdeep: context triggered piecewise hashes (CTPH)
Anti-malware
Locally: for example on Linux, ClamAV, open source anti-malware
Free online scanners use multiple antimalware vendors
False positives: it says the file is malware but it is not, or is not the one that is claimed
False negatives: it reports that the file is not malware, but it is. This is common with new unknown (“zero-day”) malware
Looking at the contents
Examine hex: hexdump
Extract ASCII: strings -a path.to/executable
Executable code life cycle
Executable files: Programs are stored in a format readable by the OS:
Executable and Linkable Format (ELF): Linux and most other Unix systems
Portable Executable (PE)/PE32+: Windows
Mach-O: Mac OS X
These executables contain metadata (incl. date compiled, and version information), linking information, code, variables, debug symbols, icons
Examining executables
Various tools for examining executable files
readelf: Displays information about ELF files, including debug symbols
objdump: disassembler (generates the ASM code) for Win/Linux (objdump -Dslx file)
ldd: dynamic linked dependancies (Linux)
pescanner: detect packers, and metadata
Advanced reverse engineering tools: Pyew, Radare, The Interactive Disassembler (IDA)
Inspection of the machine code via disassembly
Automatic detection of packing, unpacking
Writing ClamAV malware signatures
clamscan --debug --leave-temps malware.exe
Signatures should be against the uncompressed instructions
ClamAV sigtool
Hash-based signatures
Can include hex-based signatures, with wildcards
“Extended” (hex wildcard) signature format
ClamAV also supports various other kinds of signatures and processing, such as HTML, executable metadata, and combinations of signatures
2015-01-05 13:18:07
source
Gloss