Difference between revisions of "Malware analysis"

From ForensicsWiki
Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with debuggers like [[IDA Pro]] and [[OllyDbg]].

== Malware techniques ==

=== Process hollowing ===

Process hollowing is yet another tool in the kit of those who seek to hide the presence of a process. The idea is rather straightforward: a bootstrap application creates a seemingly innocent process in a suspended state. The legitimate image is then unmapped and replaced with the image that is to be hidden. If the preferred image base of the new image does not match that of the old image, the new image must be rebased. Once the new image is loaded in memory, the EAX register of the suspended thread is set to the entry point. The process is then resumed and the entry point of the new image is executed. [http://www.autosectools.com/Process-Hollowing.pdf]
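The header-level view that tools such as PEiD and PeExplorer give of an executable is also what lets an analyst spot a hollowed process in a memory dump: the process still reports its original path, but the PE header mapped at its image base belongs to the replacement image, so the preferred ImageBase, AddressOfEntryPoint and SizeOfImage disagree with the file on disk. The script below is an added example and is not part of this wiki page or of the cited paper. It parses those fields (plus the relocation directory, which decides whether an image can be rebased at all) from two header blobs and reports the disagreements. Everything in it is an assumption for illustration: the offsets follow the standard PE32/PE32+ layout, and the two blobs are constructed test data rather than real binaries.

```python
"""Added example: compare the PE header an executable carries on disk with the
header found at the same process's image base in a memory dump. The PE blobs
built by build_pe32() are constructed test data, not real binaries."""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics flag
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
BASERELOC_DIRECTORY = 5               # index of the .reloc data directory


def parse_pe_header(data: bytes) -> dict:
    """Extract the fields a hollowing check needs from a PE image (file or memory)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, _nsec, _ts, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96                 # data directories start here for PE32
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112                # and here for PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    reloc_size = 0
    if n_dirs > BASERELOC_DIRECTORY:
        _rva, reloc_size = struct.unpack_from("<II", data, dirs + 8 * BASERELOC_DIRECTORY)
    return {
        "machine": machine,
        "entry_point": entry_point,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "reloc_size": reloc_size,
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def can_be_rebased(hdr: dict) -> bool:
    """An image can only be loaded away from its preferred base if it kept relocations."""
    return hdr["reloc_size"] > 0 and not hdr["relocs_stripped"]


def compare_headers(disk_image: bytes, memory_image: bytes) -> list:
    """Return the header fields on which the on-disk and in-memory images disagree."""
    disk, mem = parse_pe_header(disk_image), parse_pe_header(memory_image)
    findings = []
    for field in ("machine", "entry_point", "image_base", "size_of_image"):
        if disk[field] != mem[field]:
            findings.append("%s: disk=0x%x memory=0x%x" % (field, disk[field], mem[field]))
    return findings


def build_pe32(image_base, entry_point, size_of_image, has_relocs=True, relocs_stripped=False):
    """Constructed minimal PE32 header (no sections) used only as sample input."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    opt = bytearray(96 + 16 * 8)        # PE32 fields plus 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if has_relocs:
        struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIRECTORY, 0x3000, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: what the file on disk says versus what a memory dump
# shows at the same process's image base after hollowing.
DISK_IMAGE = build_pe32(image_base=0x400000, entry_point=0x1200, size_of_image=0x6000)
HOLLOWED_MEMORY = build_pe32(image_base=0x10000000, entry_point=0x2F40, size_of_image=0x24000)

if __name__ == "__main__":
    for line in compare_headers(DISK_IMAGE, HOLLOWED_MEMORY):
        print("mismatch", line)
    hdr = parse_pe_header(HOLLOWED_MEMORY)
    print("replacement image can be rebased:", can_be_rebased(hdr))
```

In a real investigation the second argument is the page range read from the dump at the image base recorded in the process's PEB, and the first is the file at the path the process claims. A clean process yields no findings; disagreements in ImageBase, entry point or SizeOfImage are the signature the paragraph above predicts. The relocation check is the practical side of the "must be rebased" remark: an image whose .reloc directory is empty or whose RELOCS_STRIPPED flag is set can only run at its preferred base, which narrows where the analyst should expect to find it.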

== See Also ==

== External Links ==

* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-1/ Executable File Analysis (Windows Forensic Analysis) Part 1]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-2/ Executable File Analysis (Windows Forensic Analysis) Part 2]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-3/ Executable File Analysis (Windows Forensic Analysis) Part 3]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-4/ Executable File Analysis (Windows Forensic Analysis) Part 4]
* [http://www.giac.org/paper/gcih/641/exploiting-microsoftwindows-task-scheduler-job-stack-overflow-vulnerability/104732 Exploiting the Microsoft Windows Task Scheduler '.job' Stack Overflow Vulnerability], by Kevin Wenchel, May 2004
* [http://ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Ruxcon.pdf De Mysteriis Dom Jobsivs: Mac EFI Rootkits], by Snare, October 2012
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin, October 11, 2013
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2], by Paul Ducklin, October 25, 2013
* [https://www.us-cert.gov/ncas/tips/ST13-003 Security Tip (ST13-003) - Handling Destructive Malware], by US-CERT, November 04, 2013
* [http://www.deer-run.com/~hal/Detect_Malware_w_Memory_Forensics.pdf Detecting Malware With Memory Forensics], by [[Hal Pomeranz]]
* [http://lockboxx.blogspot.com/2014/11/mac-os-x-live-forensics-107-mac-malware.html?m=1 Mac OS X Live Forensics 107: Mac Malware], by Action Dan, November 3, 2014
* [http://www.hexacorn.com/blog/2014/12/05/the-not-so-boring-land-of-borland-executables-part-1/ The not so boring land of Borland executables, part 1], Hexacorn blog, December 5, 2014
* [http://www.hexacorn.com/blog/2014/12/18/the-not-so-boring-land-of-borland-executables-part-2/ The not so boring land of Borland executables, part 2], Hexacorn blog, December 18, 2014
* [https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf RSA Incident Response: An APT Case Study], by RSA Security, April 8, 2015

=== Analysis techniques and tools ===

==== Remnux ====

* [http://countuponsecurity.com/2015/01/13/dynamic-malware-analysis-with-remnux-v5-part-1/ Dynamic malware analysis with Remnux v5 – part 1], by Luis Rocha, January 13, 2015
* [http://countuponsecurity.com/2015/01/21/dynamic-malware-analysis-with-remnux-v5-part-2/ Dynamic malware analysis with Remnux v5 – part 2], by Luis Rocha, January 21, 2015

=== Malware techniques ===

* [http://null.co.in/2015/05/07/windows-kernel-exploitation-hacksys-extreme-vulnerable-driver/ Windows Kernel Exploitation Humla], by Ashfaq Ansari, May 7, 2015

==== Reflective DLL injection ====

* [http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf Reflective DLL Injection], by Stephen Fewer, October 31, 2008

==== Process hollowing ====

* [http://www.autosectools.com/Process-Hollowing.pdf Process Hollowing], by John Leitch

=== Malware analysis ===

* [http://malware.dontneedcoffee.com/ Malware don't need Coffee]

==== APT28 ====

* [https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack], by FireEye Labs, April 18, 2015

==== Black POS ====

* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-system-breaches.pdf Point-of-Sale System Breaches], by Trend Micro
* [http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/ New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts], by Rhena Inocencio, August 29, 2014
* [http://blog.nuix.com/2014/09/08/blackpos-v2-new-variant-or-different-family BlackPOS v2: New Variant or Different Family?], by Josh Grunzweig, September 8, 2014

==== Careto ====

* [http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf Unveiling "Careto" - The Masked APT], by [[Kaspersky|Kaspersky Lab]], February 2014

==== China Chopper ====

* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html Breaking Down the China Chopper Web Shell – Part I], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 7, 2013
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html Breaking Down the China Chopper Web Shell – Part II], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 9, 2013

==== Gh0st Rat ====

* [http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf The many faces of Gh0st Rat - Plotting the connections between malware attacks], by Snorre Fagerland, 2012

==== Dark Hotel ====

* [http://securelist.com/blog/research/66779/the-darkhotel-apt/ The Darkhotel APT], by Kaspersky Lab Research, November 2014

==== Dridex ====

* [https://jon.glass/analyzes-dridex-malware-p1/ My analysis of Dridex malware (Part One)], by Jonathan Glass, March 20, 2015
* [https://jon.glass/analyzes-dridex-malware-p2/ My analysis of Dridex malware (Part Two)], by Jonathan Glass, March 23, 2015

==== Equation group ====

* [http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/ How "omnipotent" hackers tied to NSA hid for 14 years and were found at last], by Dan Goodin, February 16, 2015

==== FinFisher ====

* [https://www.codeandsec.com/FinFisher-Malware-Dropper-Analysis FinFisher Malware Dropper Analysis], by CodeAndSec, September 19, 2014

==== Hacking Team ====

* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team's Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
* [http://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/ Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love], by fG!, June 26, 2014

==== Hikit ====

* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1)], by Ryan Kazanciyan, August 20, 2012
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 2)], by Christopher Glyer, August 22, 2012

==== Icefog ====

* [https://www.securelist.com/en/downloads/vlpdfs/icefog.pdf The 'icefog' APT: A tale of cloak and three daggers], by Kaspersky Lab, September 2013

==== Kriptovor ====

* [https://www.fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html Analysis of KRIPTOVOR: Infostealer+Ransomware], by Erye Hernandez, April 08, 2015

==== LeoUncia, OrcaRat ====

* [http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat LeoUncia and OrcaRat], by Jérémy Richard, October 24, 2014

==== PlugX ====

* [http://labs.lastline.com/an-analysis-of-plugx An Analysis of PlugX], by Roman Vasilenko, December 17, 2013
* [https://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf I Know You Want Me - Unplugging PlugX], by Takahiro Haruyama and Hiroshi Suzuki, Black Hat Asia 2014

==== Regin ====

* [http://artemonsecurity.com/regin_analysis.pdf Malware Instrumentation Application to Regin Analysis], by tecamac, May 27, 2015

==== Riptide, Hightide, Threebyte, Watersprout ====

* [https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf Trends Beyond the Breach], by Mandiant, 2014
* [http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf Illuminating the Etumbot APT Backdoor], by Arbor Networks, June 6, 2014
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html Darwin's Favorite APT Group], by Ned Moran, Mike Oppenheim, Sarah Engle and Richard Wartell, September 3, 2014

==== Rombertik ====

* [http://blogs.cisco.com/security/talos/rombertik Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors], by Talos Group, May 4, 2015

==== Sednit ====

* [http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/ Sednit espionage group now using custom exploit kit], by ESET research, October 8, 2014

==== Shell Crew ====

* [http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf RSA Incident Response: Emerging Threat Profile - Shell_Crew], by [[EMC]], January 2014

==== Uroburos ====

* [https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf Uroburos - Highly complex espionage software with Russian roots], by G Data SecurityLabs, February 2014
* [http://artemonsecurity.com/uroburos.pdf Uroburos: the snake rootkit], by deresz and tecamac, March 12, 2014
* [http://spresec.blogspot.com/2014/03/uroburos-rootkit-hook-analysis-and.html?m=1 Uroburos Rootkit Hook Analysis and Driver Extraction], SP Security Blog, March 20, 2014

==== Winnti ====

* [https://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf "Winnti" More than just a game], by Kaspersky Lab, April 2013

==== Wiper ====

* [http://blog.cyren.com/articles/wiper-family-of-malware-grows.html Wiper family of malware targeting Sony Pictures grows], by Rommel Ramos, December 10, 2014

==== WireLurker ====

* [https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf WIRELURKER: A New Era in iOS and OS X Malware], by Palo Alto Networks

==== Sources ====

* [https://github.com/pop-pop-ret/lizkebab lizkebab]

[[Category:Analysis]]
[[Category:Malware]]
[[Category:Analysis Techniques]]

Latest revision as of 05:52, 6 June 2015

Analyzing malware, or malicious software, is more of an art than a technique. Because malware varies so widely, there are limitless ways to hide functionality.