for Malware Analysis
Seminars in Distributed Systems 2015/2016
March 18, 2016

Dr. Donato Dell’Atti

Malware

• Short for malicious software: any software used to disrupt operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.
• Malware analysis is performed to detect and understand malware.

• Static Analysis – the procedure of analyzing the code or structure of a program without executing it.
• Dynamic Analysis – run the malware and observe its behaviour.

Basic Analysis

• Basic Static Analysis – consists of examining the file without viewing the actual instructions.
• Basic Dynamic Analysis – involves running the malware and observing its behavior on the system.

Basic Static Analysis

• Tools used to determine whether a sample is malware and what its characteristics are
  – Upload it to VirusTotal: https://www.virustotal.com/
  – Find strings
  – Check whether the executable is packed
  – Header inspection
  – etc.

Strings

• ASCII/Unicode

Portable Executable (PE)

• File format for .exe and .dll
• The header contains a lot of useful information
• Composed of (partial list):
  – Optional Header (executables only), 3 parts
    • Standard / Windows-specific / Data directories
  – AddressOfEntryPoint, SizeOfCode, SizeOfImage, Import Table
  – Section table
    • Composed of N section headers

PEview

Portable Executable (PE)

• Import table: stores information about every library that will be loaded and every function that will be used by the program (.idata)
• Section header
  – The size, virtual size and address of each section

PE File Sections

• Names are standard but can change

Packed Malware

• Few or missing readable strings
• Few functions, usually LoadLibrary and GetProcAddress
• Packers compress the executable to hide its content

Packed executable

• Software to detect packed executables: PEiD

• UPX example

Obfuscation

• Packing is a type of obfuscation
• Other examples:
  – Identifier renaming
  – Junk code insertion
  – Function call obfuscation
  – Code reordering
  – Call indirections

Basic Dynamic Analysis

• The execution of the malware and the study of its effects on the system
• Analysis performed with tools that actively monitor the system during or after the execution
• Dynamic analysis is typically performed after basic static analysis, to bypass obfuscation or packing or to gain other information.

Virtual Machine

• Dynamic analysis is harmful to the system
• Malware should be executed in a safe environment
• VMware and VirtualBox create virtualized machines
  – A memory snapshot can be saved and loaded at any time to reproduce the analysis or to load a clean state
  – Drawback: anti-virtual-machine techniques

Monitoring

• ProcMon: monitors registry, file system, network, process, and thread activity
• Process Explorer: monitors real-time file system, registry, and process activity
• RegShot: allows you to take and compare two registry snapshots

Process Monitor Example

Windows Registry

• Used to store programs' configuration information and options
• Composed of 5 root keys:
  – HKEY_LOCAL_MACHINE (HKLM): stores settings that are global
  – HKEY_CURRENT_USER (HKCU): stores settings of the current user
  – HKEY_CLASSES_ROOT: stores information defining types
  – HKEY_CURRENT_CONFIG: stores settings about the hardware
  – HKEY_USERS: defines settings for the default/current user
• Malware uses the registry for persistence or for configuration data

Advanced Static Analysis

• It is the reverse engineering of the malware
• Performed through a disassembly of the code
• The majority of malware is compiled for x86, which is the most popular architecture for PCs

Architecture

[Figure: block diagram of a PC. The CPU, the I/O bridge and the RAM are connected by the system bus and the memory bus; the input/output bus connects the I/O bridge to the USB controller (mouse, keyboard), the graphics controller (screen) and the disk controller (disk).]

CPU

• Executes programs written in machine language
• A sequence of bytes that encodes instructions
• Instruction Set
  – Data transfer, arithmetic calculation, jumps, etc.
  – Specific to each family of CPU (x86, ARM, etc.)
  – Can differ between models

x86 Registers

• Registers are high-speed memory inside the CPU
• Identified with symbolic names in assembly

General-Purpose Registers

• Used primarily for arithmetic and data movement
• EAX – Accumulator register
  – Automatically used by multiplication and division instructions
• EBX – Base register
• ECX – Counter register
  – Automatically used by LOOP instructions
• EDX – Data register

Offset Registers

• ESP – Stack Pointer register
  – Used by PUSH and POP instructions, points to the top of the stack
• ESI and EDI – Source Index and Destination Index registers
  – Used by string instructions
• EBP – Frame Pointer register
  – Used to reference parameters and local variables on the stack
• EIP – Instruction Pointer register

Accessing Parts of Registers

• EAX, EBX, ECX, and EDX are 32-bit extended registers
  – Their 16-bit and 8-bit parts can be accessed
  – The lower 16 bits of EAX are named AX
  – AX is further divided into
    • AL = lower 8 bits
    • AH = upper 8 bits
• ESI, EDI, EBP, ESP have only 16-bit names for the lower half

EFLAGS Register

The EFLAGS register is 32 bits in size; each bit is a flag.
• ZF – The zero flag is set when the result of an operation is equal to zero; otherwise it is cleared.
• CF – The carry flag is set when the result of an operation is too large or too small for the destination operand; otherwise it is cleared.
• SF – The sign flag is set when the result of an operation is negative and cleared when the result is positive. This flag is also set when the most significant bit is set after an arithmetic operation.
• TF – The trap flag is used for debugging. The x86 processor executes only one instruction at a time if this flag is set.
• Many others

Operands

• Intel uses the order destination <- source
• Source
  – Immediate
  – Register
  – Memory
• Destination
  – Register
  – Memory

Opcode and Endianness

• Each instruction corresponds to an opcode
  – A disassembler translates opcodes into human-readable instructions, for example:

• The endianness of data describes which byte is stored at the smallest address in memory
  – the most significant byte (big-endian) [network data]
  – the least significant byte (little-endian) [x86]

Arithmetic Operations

Logical Operations

• The XOR operation is very common

NOP Operation

• The No OPeration opcode is 0x90
• It corresponds to the operation XCHG EAX, EAX
  – This operation does not change anything
  – Used in buffer overflow attacks
  – Used for padding

Compare Operation

Conditional Operations
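The register views (AX/AL/AH), the EFLAGS bits ZF, CF and SF, the CMP instruction and the conditional jumps from the slides above, traced in an added Python model that is not part of the original slides. The CPU class is a toy: it covers only the general-purpose registers, those three flags and ADD/SUB/CMP on 32-bit operands (no OF, so the signed JL/JG family is left out), which is enough to see why a given JE or JB is taken after a compare.

```python
MASK32 = 0xFFFFFFFF
REG32 = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
# 16-bit names address the lower half of the 32-bit register.
REG16 = {"ax": "eax", "bx": "ebx", "cx": "ecx", "dx": "edx",
         "si": "esi", "di": "edi", "bp": "ebp", "sp": "esp"}
# 8-bit names: (parent register, bit offset); AL = bits 0..7, AH = bits 8..15.
REG8 = {"al": ("eax", 0), "ah": ("eax", 8), "bl": ("ebx", 0), "bh": ("ebx", 8),
        "cl": ("ecx", 0), "ch": ("ecx", 8), "dl": ("edx", 0), "dh": ("edx", 8)}


class CPU:
    """Toy model of the x86 general-purpose registers and the ZF, CF and SF flags."""

    def __init__(self):
        self.regs = dict.fromkeys(REG32, 0)
        self.flags = {"ZF": 0, "CF": 0, "SF": 0}

    def get(self, name):
        """Read a 32-bit register or one of its 16-bit / 8-bit views."""
        if name in self.regs:
            return self.regs[name]
        if name in REG16:
            return self.regs[REG16[name]] & 0xFFFF
        base, shift = REG8[name]
        return (self.regs[base] >> shift) & 0xFF

    def set(self, name, value):
        """Write a register; a partial write leaves the other bits of the parent untouched."""
        if name in self.regs:
            self.regs[name] = value & MASK32
        elif name in REG16:
            base = REG16[name]
            self.regs[base] = (self.regs[base] & 0xFFFF0000) | (value & 0xFFFF)
        else:
            base, shift = REG8[name]
            keep = MASK32 ^ (0xFF << shift)
            self.regs[base] = (self.regs[base] & keep) | ((value & 0xFF) << shift)

    def _operand(self, src):
        # Source operand: immediate (int) or register name; memory operands are left out.
        return src & MASK32 if isinstance(src, int) else self.get(src)

    def _update_flags(self, result, carry):
        # Flags are computed as for 32-bit operands.
        self.flags["ZF"] = int(result == 0)        # result is zero
        self.flags["SF"] = (result >> 31) & 1      # most significant bit set
        self.flags["CF"] = int(carry)              # carry out of / borrow into bit 31

    def add(self, dst, src):
        """ADD dst, src  (Intel order: destination <- destination + source)."""
        total = self.get(dst) + self._operand(src)
        self._update_flags(total & MASK32, total > MASK32)
        self.set(dst, total)

    def sub(self, dst, src):
        """SUB dst, src; CF is set when a borrow is needed (unsigned dst < src)."""
        a, b = self.get(dst), self._operand(src)
        self._update_flags((a - b) & MASK32, a < b)
        self.set(dst, a - b)

    def cmp(self, dst, src):
        """CMP is a SUB that updates the flags and discards the result."""
        saved = self.get(dst)
        self.sub(dst, src)
        self.set(dst, saved)

    def jump_taken(self, jcc):
        """Whether a conditional jump would be taken with the current flags."""
        zf, cf, sf = self.flags["ZF"], self.flags["CF"], self.flags["SF"]
        table = {"je": zf == 1, "jne": zf == 0,              # equal / not equal
                 "jb": cf == 1, "jae": cf == 0,              # unsigned below / above-or-equal
                 "ja": cf == 0 and zf == 0, "jbe": cf == 1 or zf == 1,
                 "js": sf == 1, "jns": sf == 0}              # sign of the result
        return table[jcc]


def count_loop(n):
    """ECX as loop counter in a DEC/JNE pattern; returns the number of iterations.
    As on the real CPU, starting with ECX = 0 would wrap around and run 2**32 times."""
    cpu = CPU()
    cpu.set("ecx", n)
    iterations = 0
    while True:
        iterations += 1
        cpu.sub("ecx", 1)
        if not cpu.jump_taken("jne"):
            break
    return iterations
```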

The Stack

• A stack is an area of memory for storing data temporarily.
• The stack stores data starting from high memory.
• Data is said to be pushed onto, and popped from, the top of the stack.
• The ESP register always points to the top of the stack.
• EBP is the base pointer; it stays consistent within a given function.
• The most common convention is for local variables and parameters to be referenced relative to EBP.

Push/Pop

• When data is pushed onto the stack:
  – the ESP (Stack Pointer) register is decreased
  – the value is saved starting from the address in ESP
• The POP operation takes the data from the stack and puts it into the destination:
  – the data pointed to by ESP is read
  – the value of ESP is increased
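The push/pop rules and the little-endian layout from the slides above, as an added Python example that is not part of the original slides: a byte-addressed stack model in which PUSH decreases ESP and stores at [ESP] and POP reads from [ESP] and increases ESP, used to walk through a cdecl call frame with the argument at [EBP+8] and a local variable at [EBP-4]. The stack top 0x0012FF00, the saved EBP and the return address 0x00401005 are constructed values chosen for the demonstration.

```python
import struct

TOP = 0x0012FF00                 # constructed stack top address for the example


class Stack:
    """Byte-addressed memory with an ESP; the stack grows from high to low addresses."""

    def __init__(self, top=TOP, size=0x100):
        self.base = top - size
        self.mem = bytearray(size)
        self.esp = top

    def write32(self, addr, value):
        # x86 is little-endian: the least significant byte goes to the lowest address.
        struct.pack_into("<I", self.mem, addr - self.base, value & 0xFFFFFFFF)

    def read32(self, addr):
        return struct.unpack_from("<I", self.mem, addr - self.base)[0]

    def push(self, value):
        """PUSH: decrease ESP by 4, then store the value at the new [ESP]."""
        self.esp -= 4
        if self.esp < self.base:
            raise OverflowError("stack exhausted")
        self.write32(self.esp, value)

    def pop(self):
        """POP: read the value at [ESP], then increase ESP by 4."""
        value = self.read32(self.esp)
        self.esp += 4
        return value

    def raw(self, addr, n):
        """Bytes as they sit in memory, for comparing with a debugger's hex dump."""
        off = addr - self.base
        return bytes(self.mem[off:off + n])


def endianness_demo(value=0x11223344):
    """The same 32-bit value as laid out on the x86 stack and in network byte order."""
    st = Stack()
    st.push(value)
    return {"little_endian": st.raw(st.esp, 4), "big_endian": struct.pack(">I", value)}


def call_frame_demo(arg=0x41, caller_ebp=0x0012FF80, return_addr=0x00401005):
    """Walk through a cdecl call: the caller pushes the argument and the return address,
    the callee builds its frame with push ebp / mov ebp, esp and reads [ebp+8]."""
    st = Stack()
    st.push(arg)                      # caller: push 41h
    st.push(return_addr)              # call: pushes the return address
    st.push(caller_ebp)               # callee prologue: push ebp
    ebp = st.esp                      #                  mov ebp, esp
    st.esp -= 4                       #                  sub esp, 4  (room for one local)
    st.write32(ebp - 4, 7)            # mov dword ptr [ebp-4], 7
    frame = {"ebp": ebp, "arg_at_ebp_plus_8": st.read32(ebp + 8),
             "local_at_ebp_minus_4": st.read32(ebp - 4),
             "esp_after_prologue": st.esp}
    st.esp = ebp                      # epilogue: mov esp, ebp
    frame["restored_ebp"] = st.pop()  #           pop ebp
    frame["returned_to"] = st.pop()   # ret: pops the return address into EIP
    st.esp += 4                       # caller: add esp, 4 (cdecl caller cleans the argument)
    frame["esp_after_return"] = st.esp
    return frame
```

The `raw` dump after a push is what a debugger's stack pane shows: `44 33 22 11` for the value 0x11223344, the reverse of the big-endian order used on the network.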

IDA Pro

• Interactive Disassembler Professional
• Tool for Windows, with a GUI
• Supports many CPUs
• The most used disassembler in malware analysis

IDA Pro Interface

IDA Disassembly windows

IF statement

For Loop

For loop

• Equivalent to the previous slide
• But in Graph mode

Function example

Crackme demo

• Live execution of a crackme
• Another longer and more complex analysis at:
  – http://securityxploded.com/reversing-basics-ida-pro.php

Anti-Disassembly

• The disassembler can be fooled
• Opcodes can be disassembled in the wrong sequence, resulting in wrong assembly
• The opcodes will run on the CPU, but the analyst cannot understand why

Anti-Disassembly example

Anti-Disassembly example 2
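The anti-disassembly effect described above, reproduced in an added Python example that is not part of the original slides: a decoder for a handful of x86 opcodes is run in two ways, a linear sweep (decode every byte in order) and a recursive descent that follows control flow the way IDA does. The TRICK byte string is a constructed sample of the classic "jmp -1" pattern (a short jump into its own second byte); the opcode subset and the abbreviated text for the shift/rotate group are simplifications of this example.

```python
SHIFT_OPS = ("rol", "ror", "rcl", "rcr", "shl", "shr", "sal", "sar")


def modrm_len(modrm):
    """Bytes used by a ModR/M byte plus its SIB/displacement (32-bit addressing subset)."""
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        return 1
    n = 2 if rm == 4 else 1                 # a SIB byte follows when rm == 100b
    if mod == 0 and rm == 5:
        return n + 4                         # [disp32]
    return n + {0: 0, 1: 1, 2: 4}[mod]       # no displacement / disp8 / disp32


def decode(code, off):
    """Decode one instruction from a small x86 subset.
    Returns (text, length, kind, target); kind is 'seq', 'jmp', 'call' or 'ret'."""
    op = code[off]
    nxt = code[off + 1] if off + 1 < len(code) else None
    simple = {0x90: "nop", 0xC3: "ret", 0x40: "inc eax", 0x48: "dec eax",
              0x55: "push ebp", 0x5D: "pop ebp"}
    if op in simple:
        return simple[op], 1, ("ret" if op == 0xC3 else "seq"), None
    if op == 0xEB:                                          # JMP rel8
        target = off + 2 + int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return "jmp short %#x" % target, 2, "jmp", target
    if op == 0xE8:                                          # CALL rel32
        target = off + 5 + int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return "call %#x" % target, 5, "call", target
    two = {(0x33, 0xC0): "xor eax, eax", (0x8B, 0xEC): "mov ebp, esp", (0xFF, 0xC0): "inc eax"}
    if (op, nxt) in two:
        return two[(op, nxt)], 2, "seq", None
    if op == 0xC0 and nxt is not None:                      # shift/rotate group, r/m8, imm8
        length = 1 + modrm_len(nxt) + 1
        text = "%s byte ptr [...], %#x" % (SHIFT_OPS[(nxt >> 3) & 7], code[off + length - 1])
        return text, length, "seq", None
    return "db %#04x" % op, 1, "seq", None                  # unknown byte: emit as data


def linear_sweep(code):
    """Disassemble byte after byte from offset 0, as a naive disassembler does."""
    out, off = [], 0
    while off < len(code):
        text, length, _, _ = decode(code, off)
        out.append((off, text))
        off += length
    return out


def recursive_descent(code, entry=0):
    """Follow the control flow: jump targets are decoded, the bytes after an
    unconditional jump or ret are not, unless some other path flows into them."""
    listing, work = {}, [entry]
    while work:
        off = work.pop()
        if off in listing or not 0 <= off < len(code):
            continue
        text, length, kind, target = decode(code, off)
        listing[off] = text
        if kind == "jmp":
            work.append(target)            # only the target is reachable
        elif kind != "ret":
            work.append(off + length)      # fall through ...
            if kind == "call":
                work.append(target)        # ... and also into the callee
    return sorted(listing.items())


# Constructed samples. CLEAN is an ordinary prologue/epilogue. TRICK uses the "jmp -1"
# pattern: the jump lands in the middle of its own second byte, so the bytes FF C0 are
# really 'inc eax', while a linear sweep continues at offset 2 and misreads C0 48 90 C3
# as a single rotate instruction, hiding the dec/nop/ret that actually execute.
CLEAN = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x40, 0x5D, 0xC3])
TRICK = bytes([0xEB, 0xFF, 0xC0, 0x48, 0x90, 0xC3])
```

For CLEAN both listings agree; for TRICK the linear sweep produces two instructions and the recursive descent five, which is the discrepancy an analyst notices when the flow graph in IDA does not match a linear listing of the same bytes.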

Advanced Dynamic Analysis

• Execution of the malware through a debugger
• A debugger is a piece of software or hardware used to test or examine the execution of another program
  – Source level vs assembly level
  – User mode vs kernel mode

Assembly Debugger

• Provides a dynamic view of the program: every memory location, register, argument
• Functions to navigate in the code
  – Single-stepping
  – Stepping over / stepping into

Debugger

• Breakpoints:
  – Software / conditional
  – Hardware
• Exception handling
• Tracing
• Ability to patch the program at runtime

OllyDbg

• The most famous user-mode assembly debugger

Anti-Debugging techniques

• Windows API checks
  – IsDebuggerPresent or CheckRemoteDebuggerPresent
• INT3 scanning
• Checksum of portions of the code
• Timing checks
  – Instruction rdtsc: reads the time stamp counter register
  – GetTickCount(): ms since reboot
  – QueryPerformanceCounter(): timer

Debugger Plugins

• Created by other developers to enhance the functionality of the debugger; for OllyDbg:
  – OllyDump
  – Hide Debugger
  – Command Line
  – Many others
• For ImmunityDbg (an alternative to OllyDbg)
  – Python scripts

ZeusVM

• Zeus is a financial trojan which creates a botnet
• Steals data from the infected machine and sends it back to the botnet owner
• Mainly with the man-in-the-browser technique
• Injects itself into explorer.exe
• Execution demo

Projects

• Reverse engineering of ZeusVM to understand WebInject and system process injections
• Reverse engineering of another banking trojan: Dyre, Dridex, etc.
• Reverse engineering of a ransomware
• Automatic reverse engineering
• Your proposals

References

• The IDA Pro Book, 2nd Edition – The Unofficial Guide to the World's Most Popular Disassembler, by Chris Eagle
• Practical Malware Analysis – The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig