Difference between revisions of "Malware analysis"

From ForensicsWiki

Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with debuggers like [[IDA Pro]] and [[OllyDbg]].

== Malware techniques ==

=== Process hollowing ===

Process hollowing is yet another tool in the kit of those who seek to hide the presence of a process. The idea is rather straightforward: a bootstrap application creates a seemingly innocent process in a suspended state. The legitimate image is then unmapped and replaced with the image that is to be hidden. If the preferred image base of the new image does not match that of the old image, the new image must be rebased. Once the new image is loaded in memory, the EAX register of the suspended thread is set to the entry point. The process is then resumed and the entry point of the new image is executed. [http://www.autosectools.com/Process-Hollowing.pdf]
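From a forensic standpoint, the tell-tale of process hollowing is that the image mapped into the process no longer matches the file the process was started from: the entry point, section layout or code bytes of the in-memory copy differ from the on-disk executable beyond what the loader's own relocation fixups would explain. The script below is an added example written for this page, not code from the page or from the cited paper. It builds two constructed PE32 fixtures inline (a "legitimate" image with one HIGHLOW relocation, and an unrelated replacement image), parses the headers with struct, masks the fixup slots listed in the .reloc directory, and reports where a memory copy diverges from the disk file. It assumes the memory copy has already been dumped back into file layout (section bytes at PointerToRawData), which is how the fixture is constructed; the helper names build_pe, parse_pe, reloc_slots, masked and hollowing_indicators are this example's own.

```python
import struct

HIGHLOW = 3  # IMAGE_REL_BASED_HIGHLOW: 32-bit absolute address fixup


def build_pe(image_base, entry_rva, text, reloc_offsets=()):
    """Constructed fixture: minimal PE32 with .text at RVA 0x1000 and a .reloc
    section at RVA 0x2000 listing HIGHLOW fixups at the given .text offsets."""
    opt = bytearray(224)                                  # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)           # preferred ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    entries = [(HIGHLOW << 12) | off for off in reloc_offsets]
    entries += [0] * (len(entries) % 2)                   # ABSOLUTE padding keeps the block even
    block = struct.pack("<II%dH" % len(entries), 0x1000, 8 + 2 * len(entries), *entries)
    struct.pack_into("<II", opt, 96 + 5 * 8, 0x2000, len(block))  # DataDirectory[BASERELOC]
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)

    def section(name, va, raw_ptr):                       # IMAGE_SECTION_HEADER, 0x200 bytes each
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)

    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x40 + 328] = (b"PE\0\0" + coff + opt
                            + section(b".text", 0x1000, 0x200) + section(b".reloc", 0x2000, 0x400))
    return bytes(hdr) + text.ljust(0x200, b"\0") + block.ljust(0x200, b"\0")


def parse_pe(data):
    """Parse the PE32 fields the comparison needs from a file-layout image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": data[rptr:rptr + rsize]})
    return {"entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],
            "reloc": struct.unpack_from("<II", data, opt + 96 + 5 * 8),
            "sections": sections}


def reloc_slots(pe):
    """Map section name -> offsets of 4-byte HIGHLOW fixup slots, read from the .reloc directory."""
    va, size = pe["reloc"]
    holder = next((s for s in pe["sections"] if s["va"] <= va < s["va"] + len(s["raw"])), None)
    slots = {}
    if size == 0 or holder is None:
        return slots
    blob, pos = holder["raw"][va - holder["va"]:va - holder["va"] + size], 0
    while pos + 8 <= len(blob):
        page, block_size = struct.unpack_from("<II", blob, pos)
        if block_size < 8:                                # zero padding after the last block
            break
        for (entry,) in struct.iter_unpack("<H", blob[pos + 8:pos + block_size]):
            if entry >> 12 == HIGHLOW:
                rva = page + (entry & 0xFFF)
                for s in pe["sections"]:
                    if s["va"] <= rva < s["va"] + len(s["raw"]):
                        slots.setdefault(s["name"], set()).add(rva - s["va"])
        pos += block_size
    return slots


def masked(raw, slots):
    """Zero the relocation slots so a legitimately rebased image compares equal to its file."""
    buf = bytearray(raw)
    for off in slots:
        buf[off:off + 4] = b"\0\0\0\0"
    return bytes(buf)


def hollowing_indicators(disk_bytes, mem_bytes):
    """Return human-readable reasons why the mapped image is not the file it claims to be."""
    disk, mem = parse_pe(disk_bytes), parse_pe(mem_bytes)
    found = []
    for field in ("entry_point", "size_of_image"):        # the loader never rewrites these
        if disk[field] != mem[field]:
            found.append("%s: disk=%#x memory=%#x" % (field, disk[field], mem[field]))
    layout = lambda p: [(s["name"], s["va"], s["vsize"]) for s in p["sections"]]
    if layout(disk) != layout(mem):
        found.append("section table differs: disk=%r memory=%r" % (layout(disk), layout(mem)))
        return found                                      # sections no longer correspond; stop here
    slots = reloc_slots(disk)
    for d, m in zip(disk["sections"], mem["sections"]):
        if d["name"] != ".reloc" and masked(d["raw"], slots.get(d["name"], ())) != masked(m["raw"], slots.get(d["name"], ())):
            found.append("section %s content differs beyond relocation fixups" % d["name"])
    return found


def demo():
    # Constructed "legitimate" image: mov eax, 0x00402000 ; ret, with a fixup on the immediate.
    legit = build_pe(0x00400000, 0x1000, b"\xB8" + struct.pack("<I", 0x00402000) + b"\xC3", reloc_offsets=(1,))
    # Case 1: the same image loaded 0x10000 higher (ASLR): only the fixup slot changes.
    relocated = bytearray(legit)
    struct.pack_into("<I", relocated, 0x200 + 1, 0x00402000 + 0x10000)
    # Case 2: the mapped image was replaced by an unrelated one with its own entry point and code.
    payload = build_pe(0x10000000, 0x1010, b"\x90" * 16 + b"\xCC\xC3")
    return hollowing_indicators(legit, bytes(relocated)), hollowing_indicators(legit, payload)


if __name__ == "__main__":
    for label, result in zip(("relocated", "hollowed"), demo()):
        print(label, "->", result or "no indicators")
```

The relocated case reports nothing, because the only differing bytes sit in a fixup slot named by the .reloc directory; the hollowed case reports both the changed entry point and the rewritten .text section. The ImageBase field is deliberately not compared, since a legitimately relocated image may differ there. On real dumps, also reconcile the path of the file backing the mapped image with the process's command line, since a hollowed process keeps the name of the innocent image it was created from.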
  
 
== See Also ==

== External Links ==
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-1/ Executable File Analysis (Windows Forensic Analysis) Part 1]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-2/ Executable File Analysis (Windows Forensic Analysis) Part 2]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-3/ Executable File Analysis (Windows Forensic Analysis) Part 3]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-4/ Executable File Analysis (Windows Forensic Analysis) Part 4]
* [http://www.giac.org/paper/gcih/641/exploiting-microsoftwindows-task-scheduler-job-stack-overflow-vulnerability/104732 Exploiting the Microsoft Windows Task Scheduler '.job' Stack Overflow Vulnerability], by Kevin Wenchel, May 2004
* [http://ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Ruxcon.pdf De Mysteriis Dom Jobsivs: Mac EFI Rootkits], by Snare, October 2012
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin on October 11, 2013
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2], by Paul Ducklin on October 25, 2013
* [http://www.deer-run.com/~hal/Detect_Malware_w_Memory_Forensics.pdf Detecting Malware With Memory Forensics], by [[Hal Pomeranz]]
* [http://lockboxx.blogspot.com/2014/11/mac-os-x-live-forensics-107-mac-malware.html?m=1 Mac OS X Live Forensics 107: Mac Malware], by Action Dan, November 3, 2014

=== Malware techniques ===

==== Process hollowing ====

* [http://www.autosectools.com/Process-Hollowing.pdf Process Hollowing], by John Leitch

=== Malware analysis ===

* [http://malware.dontneedcoffee.com/ Malware don't need Coffee]

==== Black POS ====

* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-system-breaches.pdf Point-of-Sale System Breaches], by Trend Micro
* [http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/ New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts], by Rhena Inocencio, August 29, 2014
* [http://blog.nuix.com/2014/09/08/blackpos-v2-new-variant-or-different-family BlackPOS v2: New Variant or Different Family?], by Josh Grunzweig, September 8, 2014

==== Careto ====

* [http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf Unveiling "Careto" - The Masked APT], by [[Kaspersky|Kaspersky Lab]], February 2014

==== China Chopper ====

* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html Breaking Down the China Chopper Web Shell – Part I], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 7, 2013
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html Breaking Down the China Chopper Web Shell – Part 2], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 9, 2013

==== Gh0st Rat ====

* [http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf The many faces of Gh0st Rat - Plotting the connections between malware attacks], by Snorre Fagerland, 2012

==== FinFisher ====

* [https://www.codeandsec.com/FinFisher-Malware-Dropper-Analysis FinFisher Malware Dropper Analysis], by CodeAndSec, September 19, 2014

==== Hacking Team ====

* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team's Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
* [http://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/ Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love], by fG!, June 26, 2014

==== Hikit ====

* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1)], by Ryan Kazanciyan, August 20, 2012
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 2)], by Christopher Glyer, August 22, 2012

==== Icefog ====

* [https://www.securelist.com/en/downloads/vlpdfs/icefog.pdf The 'icefog' APT: A tale of cloak and three daggers], by Kaspersky Lab, September 2013

==== LeoUncia, OrcaRat ====

* [http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat LeoUncia and OrcaRat], by Jérémy Richard, October 24, 2014

==== PlugX ====

* [http://labs.lastline.com/an-analysis-of-plugx An Analysis of PlugX], by Roman Vasilenko, December 17, 2013

==== Riptide, Hightide, Threebyte, Watersprout ====

* [https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf Trends Beyond the Breach], by Mandiant, 2014
* [http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf Illuminating the Etumbot APT Backdoor], by Arbor Networks, June 6, 2014
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html Darwin's Favorite APT Group], by Ned Moran, Mike Oppenheim, Sarah Engle and Richard Wartell, September 3, 2014

==== Sednit ====

* [http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/ Sednit espionage group now using custom exploit kit], by ESET research, October 8, 2014

==== Shell Crew ====

* [http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf RSA Incident Response: Emerging Threat Profile - Shell_Crew], by [[EMC]], January 2014

==== Uroburos ====

* [https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf Uroburos - Highly complex espionage software with Russian roots], by G Data SecurityLabs, February 2014
* [http://artemonsecurity.com/uroburos.pdf Uroburos: the snake rootkit], by deresz, tecamac, March 12, 2014
* [http://spresec.blogspot.com/2014/03/uroburos-rootkit-hook-analysis-and.html?m=1 Uroburos Rootkit Hook Analysis and Driver Extraction], SP Security Blog, March 20, 2014

==== Winnti ====

* [https://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf "Winnti" More than just a game], by Kaspersky Lab, April 2013

[[Category:Analysis]]
[[Category:Malware]]
[[Category:Analysis Techniques]]

Latest revision as of 14:24, 4 November 2014

Analyzing malware, or malicious software, is more of an art than a technique. Because of the wide nature of these products, there are limitless ways to hide functionality.
