
Malware Analysis and Reverse Engineering


Olakanmi Oluwole

April 27, 2023

Transcript

1. Who am I?
▪ 6+ years doing mostly offensive security “stuff”
▪ Currently at CyberLab Africa
▪ Experiments at L4ser Security Labs
▪ @woleoflagos @l4sec

2. TABLE OF CONTENTS
01 INTRO: Brief introduction to Malware Analysis and Reverse Engineering (MARE)
02 METHODOLOGY: Methodologies for MARE
03 TOOLS: Tools for carrying out MARE activities
04 WALKTHROUGH: MARE walkthrough

3. Malware
Malware is a program designed to gain access to computer systems, normally for the benefit of some third party, without the user’s permission. Malware examples include:
▪ Computer viruses
▪ Worms
▪ Trojan horses
▪ Ransomware
▪ Spyware
▪ Logic bombs
▪ Backdoors
▪ Rootkits
▪ Keyloggers, etc.

4. Malware Characteristics
▪ Increased processor load
▪ Reduced performance
▪ Greater network latency
▪ Slow loading of web pages
▪ Lots of ad popups
▪ Increased temp file storage on the hard drive
▪ Odd network traffic
▪ Non-typical ‘user’ activity

5. Malware Detection
Malware detection is the process of scanning the computer and its files to find malware. It can get quite complex because it involves multiple tools and approaches. Popular approaches include:
▪ Signature-Based Detection
▪ Heuristic Analysis
▪ Sandbox
▪ Removal Tools

6. ▪ Signature-Based Detection
Signature-based detection identifies malware by its signature (the “virus code”): a hash or a characteristic byte sequence taken from a known sample. When a file reaches the computer, the scanner extracts the file’s signature and looks it up in a signature database, typically cloud-hosted, that holds a vast collection of known-malware signatures. If the file’s signature is found in the list, the database returns a verdict that the file is malware; the anti-malware then blocks the file and deletes it. When new malware is discovered, its signature is added to the list.

7. ▪ Heuristic Analysis
Heuristic analysis applies rules to identify malware. It defines behaviours that a file must not exhibit; some possible rules are:
▪ Camera manipulation is prohibited
▪ Direct access to the hard drive is not allowed
▪ Read-only access to certain files and folders
Each violated rule adds to a numerical score that measures how suspicious the file is. If the score reaches the assigned threshold, the file is flagged as a threat.

8. ▪ Sandbox
A sandbox is a protected cell within the computer that the anti-malware creates to contain any suspicious or unknown file. It prevents infection because the file runs in isolation, unable to affect the other programs on the computer. Inside the sandbox the file is observed and analyzed further to determine whether it is harmful or safe. If the file is legitimate it is released; if it is malicious it is denied and deleted.

9. ▪ Removal Tools
Removal tools delete the malware immediately after it has been identified and contained as a threat. This is usually the last step in malware detection.

10. Malware Analysis
Malware analysis is about understanding the behavior and purpose of a suspicious file or URL: the process by which the purpose and functionality of a given malware sample are analyzed and determined. The information extracted from malware analysis is what we need to develop effective detection techniques against the malicious code. It makes high-fidelity alerts possible earlier in the attack life cycle and builds an understanding of malware types and attack methods. The main methodologies are:
▪ Static or Code Analysis
▪ Dynamic or Behavioral Analysis

11. ▪ Static or Code Analysis
Static analysis, also called code analysis, examines a program by inspecting it without running it. The code of a malware sample exposes how its capabilities work, so this methodology relies on reverse engineering: disassemblers, debuggers and source-code analyzers are used to understand the structure of the malware. Static data such as the header information is available before the program ever starts, and the sequence of bytes in the file can already indicate whether it is malicious. Disassembly is one of the main static techniques: the executable is run through a disassembler to obtain an assembly-language listing, and the opcodes are then analyzed to work out the application’s behavior and detect the malware.

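As an added example of the static steps this slide names (reading the header information and judging the byte sequences without executing anything), the following Python parses a PE file’s DOS, COFF, optional and section headers using only the standard library and derives a few common header-level indicators: a section that is both writable and executable, high-entropy (possibly packed) section data, and an entry point that does not sit in .text. This is not code from the talk; the tiny PE image it reads is assembled inside the block, so it runs offline. The header offsets and flag values are those of the PE format; the 7.0 entropy threshold is an assumption chosen for the example.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # PE section characteristic flags
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_THRESHOLD = 7.0              # assumption for this example


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 looks random (packed/encrypted), near 0 is repetitive."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]      # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)                      # COFF file header
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]       # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", image, opt_off + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, schars = struct.unpack_from(
            SECTION_FMT, image, opt_off + opt_size + 40 * i)
        raw = image[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
            "executable": bool(schars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(schars & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "pe32plus": magic == 0x20B, "entry_point": entry, "sections": sections}


def static_indicators(pe: dict) -> list[str]:
    """Header-level signs of packing or tampering; nothing is executed."""
    out = []
    for s in pe["sections"]:
        if s["executable"] and s["writable"]:
            out.append(f"{s['name']}: section is writable and executable")
        if s["entropy"] > ENTROPY_THRESHOLD:
            out.append(f"{s['name']}: high entropy {s['entropy']} (packed or encrypted?)")
    ep = pe["entry_point"]
    home = next((s for s in pe["sections"] if s["virtual_address"] <= ep
                 < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    if home is None:
        out.append("entry point lies outside every section")
    elif not home["executable"]:
        out.append(f"entry point in non-executable section {home['name']}")
    elif home["name"] != ".text":
        out.append(f"entry point in {home['name']} rather than .text")
    return out


def build_demo_pe() -> bytes:
    """Constructed, non-runnable 32-bit PE image: a normal .text section plus a
    writable+executable, high-entropy .packed section holding the entry point."""
    text = (b"\x90" * 400 + b"constructed .text bytes").ljust(512, b"\0")
    packed = b"".join(hashlib.sha256(b"demo" + bytes([i])).digest() for i in range(32))
    e_lfanew, opt_size, text_ptr = 0x40, 96, 0x200
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)   # i386, 2 sections
    opt = struct.pack("<HBBIIIII", 0x10B, 14, 0, len(text), 0, 0, 0x2000, 0x1000)
    opt = opt.ljust(opt_size, b"\0")                                        # entry RVA 0x2000
    secs = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, len(text), text_ptr,
                       0, 0, 0, 0, 0x60000020)                              # CODE|EXEC|READ
    secs += struct.pack(SECTION_FMT, b".packed", 0x400, 0x2000, len(packed),
                        text_ptr + len(text), 0, 0, 0, 0, 0xE0000020)      # + WRITE
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(text_ptr, b"\0")
    return headers + text + packed


if __name__ == "__main__":
    pe = parse_pe(build_demo_pe())
    for s in pe["sections"]:
        print(s)
    for line in static_indicators(pe):
        print("indicator:", line)
```

The same `parse_pe` works unchanged on a real executable read from disk (`parse_pe(open(path, "rb").read())`); the demo image only exists so the block runs without one. Packed samples usually show exactly the pattern the demo reproduces: one small, low-entropy stub section and one high-entropy section that is both writable and executable and that owns the entry point, which is why the disassembly step on the slide is often preceded by unpacking.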
12. ▪ Dynamic or Behavioral Analysis
Dynamic analysis, also called behavioral analysis, examines a suspicious file while it executes. The file is run in a simulated environment such as a virtual machine or sandbox, and researchers record its general behavior: the file is observed in the wake of its execution in a realistic environment, and its interaction with the system is logged as it runs. The advantage of dynamic analysis is that it handles known as well as unknown, new malware: unknown malware is easy to identify, and complicated, changeable malware can be analyzed by watching its behavior. The drawback is that this methodology is more time-consuming, since it takes as much time again to set up the analysis environment, for example the virtual machine or sandbox.

13. ▪ Hybrid Analysis
This methodology overcomes the limitations of static and dynamic analysis used on their own. Hybrid analysis first examines the signature specification of the malware code, then combines that with the behavioral parameters observed at run time, improving on either methodology by itself.

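Slides 8, 12 and 13 together, as an added example that is not part of the deck: a miniature behavioral sandbox in Python in which every “system call” a sample can make is a hook that records the call and returns a harmless result, followed by a hybrid verdict that joins those observations with a static byte-pattern match. The samples are Python callables standing in for executables; the images, the signature name, the rule weights and the thresholds are all constructed. Two of the samples show why the combination matters: the dropper’s image has no readable strings, so the static side alone sees nothing, while the evasive sample checks the host uptime and stays idle on a freshly booted VM, so the dynamic side alone sees nothing.

```python
import re
from dataclasses import dataclass, field


# --- Dynamic side: a fake host whose every API is a recording hook ------------
@dataclass
class Trace:
    calls: list = field(default_factory=list)

    def record(self, api: str, *args) -> None:
        self.calls.append((api, args))

    def has(self, api: str, cond=lambda args: True) -> bool:
        return any(a == api and cond(args) for a, args in self.calls)


class SandboxHost:
    """Stand-in for the OS the sample runs on. Each method records the call and
    returns a harmless value: no file, autostart entry or socket on the real host."""
    def __init__(self) -> None:
        self.trace = Trace()
        self.files: dict[str, bytes] = {}

    def write_file(self, path: str, data: bytes) -> int:
        self.trace.record("write_file", path)
        self.files[path] = data
        return len(data)

    def delete_file(self, path: str) -> None:
        self.trace.record("delete_file", path)
        self.files.pop(path, None)

    def set_autostart(self, name: str, cmd: str) -> None:
        self.trace.record("set_autostart", name, cmd)

    def connect(self, host: str, port: int) -> None:
        self.trace.record("connect", host, port)   # recorded, never opened

    def sleep(self, seconds: float) -> None:
        self.trace.record("sleep", seconds)        # fast-forwarded, not slept

    def uptime_seconds(self) -> int:
        return 90                                  # looks like a freshly booted VM


# Behaviour rules: (name, weight, predicate over the trace). Weights are assumptions.
BEHAVIOR_RULES = [
    ("drops_executable", 25, lambda t: t.has("write_file", lambda a: a[0].lower().endswith(".exe"))),
    ("persistence_autostart", 40, lambda t: t.has("set_autostart")),
    ("network_connection", 25, lambda t: t.has("connect")),
    ("deletes_files", 20, lambda t: t.has("delete_file")),
    ("long_sleep_evasion", 15, lambda t: t.has("sleep", lambda a: a[0] >= 300)),
]


def run_in_sandbox(sample) -> Trace:
    """Execute the sample against the hooked host and return what it did."""
    host = SandboxHost()
    sample(host)
    return host.trace


def behavior_score(trace: Trace) -> tuple[int, list[str]]:
    hits = [name for name, _, pred in BEHAVIOR_RULES if pred(trace)]
    return sum(w for name, w, _ in BEHAVIOR_RULES if name in hits), hits


# --- Static side for the hybrid verdict: a constructed byte-pattern signature --
STATIC_SIGNATURES = {"Demo.Sleeper.C": re.compile(rb"SLEEPER-MARKER-\d{4}")}


def static_matches(image: bytes) -> list[str]:
    return [n for n, p in STATIC_SIGNATURES.items() if p.search(image)]


def hybrid_verdict(image: bytes, sample) -> dict:
    """Join the static signature result with the observed behaviour. Either side
    alone can miss a sample; together they cover both constructed failure modes."""
    sigs = static_matches(image)
    score, hits = behavior_score(run_in_sandbox(sample))
    if sigs or score >= 50:
        verdict = "malicious"
    elif score >= 25:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "static": sigs, "score": score, "behaviour": hits}


# --- Constructed samples: Python callables standing in for executables --------
def sample_benign(host):
    host.write_file(r"C:\Users\demo\notes.txt", b"meeting at 10")


def sample_dropper(host):          # 'packed': its image below has no readable strings
    host.sleep(600)
    host.write_file(r"C:\Users\demo\AppData\Roaming\updater.exe", b"MZ...")
    host.set_autostart("Updater", r"C:\Users\demo\AppData\Roaming\updater.exe")
    host.connect("198.51.100.7", 4444)                  # TEST-NET-2 documentation address
    host.delete_file(r"C:\Users\demo\Downloads\invoice.exe")


def sample_evasive(host):          # sandbox-aware: stays idle on a fresh machine
    if host.uptime_seconds() < 3600:
        return
    host.set_autostart("Evasive", r"C:\evasive.exe")


IMAGE_BENIGN = b"MZ notes application"
IMAGE_DROPPER = b"MZ \x8f\x13\xa9\x00\x7c"             # packed: nothing readable
IMAGE_EVASIVE = b"MZ ... SLEEPER-MARKER-2023 ..."      # unpacked: signature visible

if __name__ == "__main__":
    for name, image, fn in [("benign", IMAGE_BENIGN, sample_benign),
                            ("dropper", IMAGE_DROPPER, sample_dropper),
                            ("evasive", IMAGE_EVASIVE, sample_evasive)]:
        print(f"{name:8s} {hybrid_verdict(image, fn)}")
```

In a real sandbox the hooks are API or system-call monitors inside an isolated VM rather than Python methods, and the trace also carries process, registry and network events; the classification step, however, works the same way: reduce the trace to named behaviours, weight them, and let the static result override when the sample refused to run.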
14. TOOLS…
DISASSEMBLERS:
▪ IDA Free or Pro
▪ Ghidra
▪ Capstone
DEBUGGERS:
▪ GDB / WinDbg
▪ Radare2
▪ OllyDbg

15. TOOLS…
PE VIEWERS:
▪ PEiD
▪ CFF Explorer
▪ Resource Hacker
▪ PE Studio
NETWORK ANALYZERS:
▪ Wireshark
▪ Bro

16. CREDITS
This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik.
THANKS. Do you have any questions? @woleoflagos @l4sec l4seclabs.com