Difference between revisions of "Malware analysis"

From ForensicsWiki
Jump to: navigation, search
(See Also)
(External Links)
 
(13 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with debuggers like [[IDA Pro]] and [[OllyDbg]].  
 
Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with debuggers like [[IDA Pro]] and [[OllyDbg]].  
 +
 +
== Malware techniques ==
 +
=== Process hollowing ===
 +
Process hollowing is yet another tool in the kit of those who seek to hide the presence of a process. The idea is rather straight forward: a bootstrap application creates a seemingly innocent process in a suspended state. The legitimate image is then unmapped and replaced with the image that is to be hidden. If the preferred image base of the new image does not match that of the old image, the new image must be rebased. Once the new image is loaded in memory the EAX register of the suspended thread is set to the entry point. The process is then resumed and the entry point of the new image is executed. [http://www.autosectools.com/Process-Hollowing.pdf]
  
 
== See Also ==
 
== See Also ==
Line 8: Line 12:
  
 
== External Links ==
 
== External Links ==
 +
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-1/ Executable File Analysis (Windows Forensic Analysis) Part 1]
 +
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-2/ Executable File Analysis (Windows Forensic Analysis) Part 2]
 +
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-3/ Executable File Analysis (Windows Forensic Analysis) Part 3]
 +
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-4/ Executable File Analysis (Windows Forensic Analysis) Part 4]
 +
* [http://www.giac.org/paper/gcih/641/exploiting-microsoftwindows-task-scheduler-job-stack-overflow-vulnerability/104732 Exploiting the Microsoft Windows TaskScheduler‘.job’StackOverflowVulnerability], by Kevin Wenchel, May 2004
 
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin on October 11, 2013
 
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin on October 11, 2013
 
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2], by Paul Ducklin on October 25, 2013
 
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2], by Paul Ducklin on October 25, 2013
 +
* [http://www.deer-run.com/~hal/Detect_Malware_w_Memory_Forensics.pdf Detecting Malware With Memory Forensics], by [[Hal Pomeranz]]
 +
 +
=== Malware techniques ===
 +
==== Process hollowing ====
 +
* [http://www.autosectools.com/Process-Hollowing.pdf Process Hollowing], by John Leitch
 +
 +
=== Malware analysis ===
 +
* [http://malware.dontneedcoffee.com/ Malware don't need Coffee]
 +
 +
==== Careto ====
 +
* [http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf Unveiling "Careto" - The Masked APT], by [[Kaspersky|Kaspersky Lab]], February 2014
 +
 +
==== China Chopper ====
 +
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html Breaking Down the China Chopper Web Shell – Part I], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 7, 2013
 +
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html Breaking Down the China Chopper Web Shell – Part 2], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 9, 2013
 +
 +
==== Hacking Team ====
 +
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
 +
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
 +
* [http://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/ Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love], by fG!, June 26 2014
 +
 +
==== Hikit ====
 +
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1)], by Ryan Kazanciyan, August 20, 2012
 +
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 2)], by Christopher Glyer, August 22, 2012
 +
 +
==== Icefog ====
 +
* [https://www.securelist.com/en/downloads/vlpdfs/icefog.pdf The ‘icefog’ APT: A tale of cloak and three daggers], by Kaspersky Lab, September 2013
 +
 +
==== PlugX ====
 +
* [http://labs.lastline.com/an-analysis-of-plugx An Analysis of PlugX], by Roman Vasilenko, December 17, 2013
 +
 +
==== Shell Crew ====
 +
* [http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf RSA Incident Response: Emerging Threat Profile - Shell_Crew], by [[EMC]], January 2014
 +
 +
==== Uroburos ====
 +
* [https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf Uroburos - Highly complex espionage software with Russian roots], by G Data SecurityLabs, February 2014
 +
* [http://artemonsecurity.com/uroburos.pdf Uroburos: the snake rootkit], by deresz, tecamac, March 12, 2014
 +
* [http://spresec.blogspot.com/2014/03/uroburos-rootkit-hook-analysis-and.html?m=1 Uroburos Rootkit Hook Analysis and Driver Extraction], SP Security Blog, March 20, 2014
 +
 +
==== Winnti ====
 +
* [https://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf "Winnti" More than just a game], by Kaspersky Lab, April 2013
  
 +
[[Category:Analysis]]
 
[[Category:Malware]]
 
[[Category:Malware]]
 +
[[Category:Analysis Techniques]]

Latest revision as of 07:00, 30 August 2014

Analyzing malware, or malicious software, is more of an art than a technique. Because of the wide nature of these products, there are limitless ways to hide functionality.

Some common tools for malware analysis include simple programs like strings. More complex analysis can be conducted by looking at the headers of executables with programs like PEiD and PeExplorer. Finally, the most complete analysis can be done with debuggers like IDA Pro and OllyDbg.

Malware techniques

Process hollowing

Process hollowing is yet another tool in the kit of those who seek to hide the presence of a process. The idea is rather straight forward: a bootstrap application creates a seemingly innocent process in a suspended state. The legitimate image is then unmapped and replaced with the image that is to be hidden. If the preferred image base of the new image does not match that of the old image, the new image must be rebased. Once the new image is loaded in memory the EAX register of the suspended thread is set to the entry point. The process is then resumed and the entry point of the new image is executed. [1]

See Also

External Links

Malware techniques

Process hollowing

Malware analysis

Careto

China Chopper

Hacking Team

Hikit

Icefog

PlugX

Shell Crew

Uroburos

Winnti