lab for malware

Upload: hchelcow

Post on 04-Apr-2018


  • 7/29/2019 lab for malware

    1/7

    Harold Chelchowski
    Malware & Viruses 4055-760
    Prof. Yuan
    1/6/13

    LAB2: Virus Behavioral Analysis

    The purpose of this lab is to examine a malware sample through behavioral analysis using various tools such as Process Explorer, File Monitor, Registry Monitor, Winalysis and Wireshark. The following are the results obtained from this experiment.

    Q1: Does the malware copy itself or infect any files? If it does, what file or files does it copy or infect?

    The File Monitor program was used to answer this question:

    The malware does not infect any files. Instead it makes a lot of queries for many DLL files, especially those related to Windows sockets and Windows networking such as WS2_32.dll, mswsock.dll, iphlpapi.dll, and others (underlined in green in the image below). Also, the malware copies itself as avserve2.exe to the following path, C:\WINDOWS\avserve2.exe (red box in the image below). Below are the results after the victim PC was infected with the malware. Make sure to zoom into the file in order to see the image better.

    Q2: Does the malware modify the Windows Registry Keys? If it does, which registry keys does it modify?

    The Registry Monitor program was used to answer this question:

    The malware does modify the Windows Registry keys. According to Registry Monitor, the malware accesses many registry keys related to Windows network services and connections. The malware tries to query, open, close and create registry keys. For example, the malware creates the following registry key:


    - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters (First Red Box in the Image Below)

    The malware also queries for registry values such as:

    - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain

    - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname

    - HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Linkage\Bind

    There were other registry keys which were manipulated by the malware. The capture below shows the results.
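As an added example (not part of the original lab report, and not output of File Monitor or Registry Monitor themselves), the script below triages host-activity logs for the two behaviours recorded in Q1 and Q2: a process that writes an executable into the Windows directory, and the same process touching networking DLLs and the TCP/IP configuration keys under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. The log lines are constructed approximations in a `process | operation | path | result` layout, not captures from the lab; the process name `sample.exe` is a placeholder for the original malware binary, and the networking DLL list is the one the report names plus wsock32.dll.

```python
import re
from collections import defaultdict

# Constructed sample lines loosely modelled on Filemon/Regmon output
# (process | operation | path | result). Not captured from the lab;
# "sample.exe" is a placeholder name for the original malware process.
FILEMON_LOG = r"""
sample.exe | QUERY INFORMATION | C:\WINDOWS\system32\WS2_32.dll | SUCCESS
sample.exe | OPEN | C:\WINDOWS\system32\mswsock.dll | SUCCESS
sample.exe | OPEN | C:\WINDOWS\system32\iphlpapi.dll | SUCCESS
sample.exe | CREATE | C:\WINDOWS\avserve2.exe | SUCCESS
sample.exe | WRITE | C:\WINDOWS\avserve2.exe | SUCCESS
explorer.exe | OPEN | C:\Documents and Settings\user\Desktop\notes.txt | SUCCESS
"""

REGMON_LOG = r"""
sample.exe | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | SUCCESS
sample.exe | QueryValue | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname | SUCCESS
sample.exe | QueryValue | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain | SUCCESS
sample.exe | QueryValue | HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Linkage\Bind | SUCCESS
explorer.exe | OpenKey | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer | SUCCESS
"""

# DLLs whose use points at socket/network activity (the report's list plus wsock32.dll).
NETWORK_DLLS = {"ws2_32.dll", "mswsock.dll", "iphlpapi.dll", "wsock32.dll"}
WRITE_OPS = {"CREATE", "WRITE"}
WINDOWS_DIR = "c:\\windows\\"
# Key prefix for TCP/IP host configuration; the hive name is matched case-insensitively.
TCPIP_PARAMS = re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", re.I)


def parse(log):
    """Yield (process, operation, path, result) for each well-formed line."""
    for line in log.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == 4:
            yield tuple(fields)


def file_findings(log):
    """Executables written under the Windows directory and networking DLLs touched, per process."""
    dropped = defaultdict(set)
    net_dlls = defaultdict(set)
    for proc, op, path, result in parse(log):
        if result != "SUCCESS":
            continue
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if op.upper() in WRITE_OPS and low.startswith(WINDOWS_DIR) and name.endswith(".exe"):
            dropped[proc].add(path)
        if name in NETWORK_DLLS:
            net_dlls[proc].add(name)
    return {"dropped_executables": dict(dropped), "network_dlls": dict(net_dlls)}


def registry_findings(log):
    """TCP/IP parameter keys created and values queried, per process."""
    created = defaultdict(set)
    queried = defaultdict(set)
    for proc, op, path, result in parse(log):
        if result != "SUCCESS" or not TCPIP_PARAMS.match(path):
            continue
        if op.lower() == "createkey":
            created[proc].add(path)
        elif op.lower() == "queryvalue":
            queried[proc].add(path)
    return {"tcpip_keys_created": dict(created), "tcpip_values_queried": dict(queried)}


def suspicious_processes(filemon_log, regmon_log):
    """Processes that both drop an executable into the Windows directory and
    read or alter TCP/IP configuration: the combination observed in Q1 and Q2."""
    f = file_findings(filemon_log)
    r = registry_findings(regmon_log)
    net_procs = (set(r["tcpip_keys_created"]) | set(r["tcpip_values_queried"])
                 | set(f["network_dlls"]))
    return sorted(set(f["dropped_executables"]) & net_procs)


if __name__ == "__main__":
    print(file_findings(FILEMON_LOG))
    print(registry_findings(REGMON_LOG))
    print("suspicious:", suspicious_processes(FILEMON_LOG, REGMON_LOG))
```

Either signal alone is weak (installers write to the Windows directory, and any networked program loads WS2_32.dll); the combination with TCP/IP configuration lookups is what narrows the list to the process worth a closer look.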


    Q3: Does the malware create any accounts\shares on the victim system? If it does, what

    accounts\shares does it create?

    The malware did not create any accounts\shares on the victim system. We used the Winalysis tool before and after the victim PC was infected and we see that no new accounts\shares are created. We also used the command net users to see if any new user accounts were created. Below are the captures:

    Before:


    After:

    Q4: Did the Innocent machine get infected? Describe the behavior of the innocent machine if it did get

    infected.

    The innocent machine got infected with the malware. The behavior of the innocent machine is that there is a lot of lag due to 100% CPU utilization (green box in the capture below). The processes that take over the CPU are ftp.exe and the malware under the name of avserve2.exe (red box in the capture below). Below is a capture of the Task Manager from the innocent machine.


    Then after the lag a window pops up stating that the computer will shut down because the Local Security Authentication Server process (lsass.exe) terminated unexpectedly, and it gives us one minute before the system shuts down and restarts. Below is the capture of the window that pops up.

    The computer keeps restarting after 3 to 5 minutes.

    Q5: What did you observe in the Wireshark captures on the Monitor machine (BackTrack)?

    The Wireshark capture from BackTrack shows that a lot of ARP requests were coming from the victim machine querying for IP addresses within the victim's subnet. There were also RARP requests that queried for the MAC address of the victim machine. Also, there were NetBIOS over TCP/IP (NBT) broadcast packets coming from the victim machine. The NetBIOS services that were observed included the following: the name service for name registration and resolution using port 137, and the datagram distribution service for connectionless communication using port 138. Then we saw that the malware tried to access other computers on the network via port 445, which is used by the SMB protocol. The SMB protocol is used for providing shared access to files, printers and other resources between nodes on a network. The following are captures from the experiment.

    ARP Requests:

    RARP Requests:

    NBT Broadcast:

    SMB Protocol:

    The capture below actually shows how the victim PC (192.168.0.1) tries to communicate with the monitor PC (BackTrack, 192.168.0.12) via port 445. But every time that the victim machine with the malware tries to establish a connection with BackTrack, BackTrack sends a [RST, ACK], meaning that the port is closed. Thus the malware cannot get a hold of the BackTrack machine.


    Q6: Did the victim and the innocent machines restart during the lab? What did they do after restart?

    Both the innocent and victim machines restarted during the lab. After they restarted they experienced the same results as described in Question 4, where the processes ftp.exe and avserve2.exe took over the CPU, causing it to work 100% of the time, which led to a lot of lag on both computers.

    Q7: Use the Wireshark captures to explain how the malware infects the innocent machine.

    From the Wireshark captures above, it seems that the malware first checks to see what machines are available in the network by sending ARP requests for all possible IP addresses on the subnet. Once a host is found, the malware uses NetBIOS in order to establish a communication session with the new host. Then through this session the malware tries to exploit any security hole found in the new host via port 445, which the SMB protocol uses for file and other resource sharing. Hence, this allows the malware to replicate itself on the new host. Below is a capture of the innocent machine (192.168.0.11), already infected with the malware, trying to infect the BackTrack machine (192.168.0.12). But given that port 445 is blocked in BackTrack, probably because of a firewall rule, the infected innocent machine is unsuccessful.
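The network-side indicators described in Q5 and Q7 (an ARP sweep of the subnet, NBT broadcasts, and SYN attempts to port 445 that are either accepted with [SYN, ACK] or refused with [RST, ACK]) can be pulled out of a capture automatically. The script below is an added example, not part of the lab report or any of the tools it used. It works on constructed packet summaries in a `src | dst | proto | info` layout resembling Wireshark's packet list (the layout, the 8-target sweep threshold and the port numbers in the TCP info strings are assumptions); the addresses reuse the lab's 192.168.0.1, 192.168.0.11 and 192.168.0.12 so the output mirrors the report's findings, including the refused connection to the BackTrack monitor.

```python
import re
from collections import defaultdict

# Constructed packet summaries (src | dst | proto | info), loosely modelled on
# Wireshark's packet list. This is not a real capture from the lab.
ARP_SWEEP = [
    f"192.168.0.1 | Broadcast | ARP | Who has 192.168.0.{i}? Tell 192.168.0.1"
    for i in range(2, 21)  # 19 distinct targets asked for by the victim
]
SAMPLE_CAPTURE = ARP_SWEEP + [
    "192.168.0.11 | Broadcast | ARP | Who has 192.168.0.1? Tell 192.168.0.11",
    "192.168.0.1 | 192.168.0.255 | NBNS | Name query NB WORKGROUP<1d>",
    "192.168.0.1 | 192.168.0.11 | TCP | 1045 > 445 [SYN]",
    "192.168.0.11 | 192.168.0.1 | TCP | 445 > 1045 [SYN, ACK]",   # innocent host accepts
    "192.168.0.1 | 192.168.0.12 | TCP | 1046 > 445 [SYN]",
    "192.168.0.12 | 192.168.0.1 | TCP | 445 > 1046 [RST, ACK]",   # monitor refuses
    "192.168.0.11 | 192.168.0.12 | TCP | 1033 > 445 [SYN]",
    "192.168.0.12 | 192.168.0.11 | TCP | 445 > 1033 [RST, ACK]",  # monitor refuses again
]

ARP_RE = re.compile(r"Who has (\S+)\? Tell (\S+)")
TCP_RE = re.compile(r"(\d+) > (\d+) \[([A-Z, ]+)\]")
NBT_PROTOS = {"NBNS", "NBDS"}  # name service (137) and datagram service (138)


def parse(lines):
    """Yield (src, dst, proto, info) for each well-formed summary line."""
    for line in lines:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == 4:
            yield tuple(fields)


def arp_sweepers(lines, min_targets=8):
    """Hosts that asked for at least min_targets distinct addresses: a subnet sweep."""
    targets = defaultdict(set)
    for _src, _dst, proto, info in parse(lines):
        if proto != "ARP":
            continue
        m = ARP_RE.search(info)
        if m:
            targets[m.group(2)].add(m.group(1))
    return {host: len(t) for host, t in targets.items() if len(t) >= min_targets}


def nbt_broadcasters(lines):
    """Hosts sending NetBIOS-over-TCP/IP traffic to a broadcast address."""
    return {src for src, dst, proto, _info in parse(lines)
            if proto in NBT_PROTOS and (dst == "Broadcast" or dst.endswith(".255"))}


def smb_attempts(lines, port=445):
    """Outcome of each (client, server) connection attempt to the SMB port:
    'accepted' on [SYN, ACK], 'refused' on [RST, ...], else 'no reply'."""
    outcomes = {}
    for src, dst, proto, info in parse(lines):
        if proto != "TCP":
            continue
        m = TCP_RE.search(info)
        if not m:
            continue
        sport, dport = int(m.group(1)), int(m.group(2))
        flags = set(m.group(3).split(", "))
        if dport == port and flags == {"SYN"}:
            outcomes.setdefault((src, dst), "no reply")
        elif sport == port and (dst, src) in outcomes:
            if "RST" in flags:
                outcomes[(dst, src)] = "refused"
            elif flags == {"SYN", "ACK"}:
                outcomes[(dst, src)] = "accepted"
    return outcomes


def report(lines):
    """Sweepers, broadcasters, and which SMB attempts succeeded or were refused."""
    attempts = smb_attempts(lines)
    return {
        "arp_sweepers": arp_sweepers(lines),
        "nbt_broadcasters": nbt_broadcasters(lines),
        "smb_accepted": sorted(k for k, v in attempts.items() if v == "accepted"),
        "smb_refused": sorted(k for k, v in attempts.items() if v == "refused"),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

The `smb_accepted` pairs are the paths along which the worm could actually reach SMB; `smb_refused` shows where a closed or firewalled port 445 stopped it, which is exactly the difference between the innocent machine and the BackTrack monitor in this lab.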

    Q8: Based on your findings about the malware in this lab, what do you classify this malware as: a virus, a worm, a trojan, or a combination of these types?

    This malware is a worm because it follows the definition of a worm as stated in the lecture slides: self-replicating but a stand-alone program that exploits security holes to compromise other computers and spread copies of itself through the network.
