Reverse Engineering & Malware Analysis
Eng. Ahmed Khlief, Cyber Security Analyst

Posted on 27-Mar-2018

Must-Know Cybersecurity Statistics

“In Q3 2016 alone, 18 million new malware samples were captured.” - Panda Labs

“More than 4,000 ransomware attacks have occurred every day since the beginning of 2016.” - CCIPS

“78% of people claim to be aware of the risks of unknown links in emails. And yet they click anyway.” - Friedrich-Alexander University

“52% of organizations that suffered successful cyber attacks in 2016 aren't making any changes to their security in 2017” - Barkly, December 2016

What is Malware?

The term malware is a contraction of malicious software: any piece of software that was written with the intent of doing harm to data, devices or people.

Viruses
Worms
Intrusion tools
Spyware
Ransomware
Rootkits

CCleaner Malware

Targeting Windows devices.
Discovered on 13/9/2017.
Attributed to a suspected Chinese hacking group called Axiom.
Hackers compromised part of CCleaner's development process and inserted malware into the CCleaner build that was released and hosted by the organization.
The malware consists of two stages.
The researchers believe the secondary-stage malware was likely intended for industrial espionage.

Linux.ProxyM Malware

Discovered on 22/9/2017.
Targeting Linux devices.
It acts as a mass spam mailer.
Hackers used default credentials to access the devices.
It can operate on any IoT device running Linux with one of the following architectures: x86, MIPS, PowerPC, ARM, SPARC, Motorola 68000.

AndroidOS_ZNIU Malware

Discovered on 26/9/2017.
Targeting Android devices.
The malware uses a year-old privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, to gain root access on the device.
It serves as a backdoor for potential remote-control attacks in the future.
It also sends payments via premium SMS messages sent on behalf of the mobile user.

Why Analyze Malware?

To assess damage.
To discover indicators of compromise.
To determine the sophistication level of an intruder.
To identify a vulnerability (zero-days like the SMB bug…).
To catch the “bad guy”.
To stop the spread of malware.
To answer questions…

Business questions:
What is the purpose of the malware?
How did it get here?
Who is targeting us and how good are they?
How can I get rid of it?
What did they steal?
How long has it been here?
Does it spread on its own?
How can I find it on other machines?
How do I prevent this from happening in the future?

Technical questions:
Network indicators?
Host-based indicators?
Persistence mechanism?
What language was it written in?
Is it packed?
Anti-analysis?

Malware Analysis Techniques

Dynamic analysis: executing the malware. Simple and fast, but easy to miss things.
Static analysis: reverse engineering. Slow and needs deep technical knowledge, but with enough time anything can be reversed.
Hybrid static/dynamic: most analysis is a mixture. You find something in the disassembly, then confirm or investigate it while the malware is executing.
Memory forensics.

Preparing a Safe Environment

Each malware sample needs an environment that matches its target system.
Do not run malware on your computer!
To be safe there are two choices:

Grab some devices on an isolated network, create disk images, and re-image a target machine to return it to a pristine state.
Advantage: malware can't easily detect that it's a honeypot.
Disadvantage: time consuming, hard to implement, costs a lot.

Use virtualization to make things fast and safe.
Advantage: easy to implement.
Disadvantage: some malware can detect the virtual environment and stop executing.

Virtual Machines as a Safe Environment

Use WinXP for dynamic and static analysis of Windows executables.
Compatible with almost all malware.
Does not require high specs.
Less security control (let the malware do what it likes).

Use REMnux for static analysis.
A Linux distribution created for malware analysis.
Many tools to extract information from malware.
Supports analysis of many file types: .exe, .doc, .pdf, .bin.
Pre-installed static and network analysis tools.

Preparing a Safe Environment

It is easier to perform analysis if you allow the malware to “call home”…
However:
The attacker might change his behavior.
Your IP might become the target for additional attacks (consider using TOR).
You may end up attacking other people.

Therefore, we usually do not allow malware to touch the real network:
Use the host-only networking feature of your virtualization platform.
Establish real services (DNS, Web, etc.) on your host OS or other virtual machines.
Use netsim and netcat to create listening ports and interact with text-based clients.
Build custom controlling servers as required (usually in a high-level scripting language).
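As an added example (not from the slides), a minimal fake DNS responder of the kind the slide describes: it answers every A query with the address of the analysis VM, so the sample's “call home” lands on a listener you control on the host-only network, and it logs each queried name as a candidate network IOC. SINK_IP, the bind address and the port are assumptions; build_query only constructs a test packet.

```python
import socket
import struct

SINK_IP = "10.0.0.1"  # assumed: the analysis VM that hosts the fake web/C2 listeners

def build_query(name, qtype=1):
    """Constructed DNS query (A record by default) used to exercise the responder offline."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\0" + struct.pack(">HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype, offset just past the question section)."""
    if struct.unpack_from(">H", packet, 4)[0] != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while packet[pos]:  # labels end with a zero-length byte
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype = struct.unpack_from(">H", packet, pos + 1)[0]
    return ".".join(labels), qtype, pos + 5  # skip terminator, QTYPE and QCLASS

def fake_response(packet, answer_ip=SINK_IP, ttl=60):
    """Answer every A query with answer_ip; other types get NOERROR with no answers."""
    qname, qtype, qend = parse_question(packet)
    ancount = 1 if qtype == 1 else 0
    reply = packet[:2] + struct.pack(">HHHHH", 0x8180, 1, ancount, 0, 0) + packet[12:qend]
    if ancount:  # answer RR: pointer to the question name, type A, class IN, TTL, 4-byte address
        reply += struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return qname, reply

def serve(bind="0.0.0.0", port=53):
    """Bind on the host-only interface; every queried name is a candidate network IOC."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        qname, reply = fake_response(data)
        print(f"{peer[0]} resolved {qname} -> {SINK_IP}")
        sock.sendto(reply, peer)

if __name__ == "__main__":
    serve()
```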

Dynamic Analysis

Dynamic analysis is conducted by observing and manipulating malware as it runs.
Usually you care more about “what” the malware is doing than “how” it is being accomplished.
Monitor the system for changes and IOCs.

Use snapshots to save time: many virtualization products offer snapshots, and you can return to a saved state at any time.

System Monitoring

We need to monitor:
Registry activity: Regshot, Sysinternals Process Monitor, etc.
File activity: Sysinternals File Monitor
Process activity: Process Monitor and Process Hacker
Network traffic: Wireshark, netsim, fakedns, Sysinternals TCPView

Process Monitor

One of the most powerful tools for a malware analyst. Its power resides in the filter configuration.

Wireshark and TCPView

Wireshark is a protocol analyzer that captures and decodes network traffic, but it is not aware of which process generates the traffic.
TCPView can show the process name and ID making a connection, together with the destination IP and port used.
Using TCPView and Wireshark together we can connect the traffic to each process.
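An added example, not part of the original deck, of joining a TCPView snapshot with a Wireshark field export to attribute captured bytes to processes. Both inputs are constructed, and the column layouts are assumptions (TCPView saved as CSV, Wireshark exported with tshark -T fields for ip.src, tcp.srcport, ip.dst, tcp.dstport and frame.len).

```python
from collections import defaultdict

# Constructed TCPView-style snapshot: process, PID, protocol, local endpoint, remote endpoint, state
TCPVIEW_SNAPSHOT = """\
svchost.exe,1044,TCP,10.0.0.5:49672,10.0.0.1:80,ESTABLISHED
updater.exe,3120,TCP,10.0.0.5:49801,198.51.100.23:443,ESTABLISHED
updater.exe,3120,TCP,10.0.0.5:49802,198.51.100.23:80,SYN_SENT
"""

# Constructed tshark field export (ip.src, tcp.srcport, ip.dst, tcp.dstport, frame.len), tab-separated
TSHARK_FIELDS = """\
10.0.0.5\t49801\t198.51.100.23\t443\t1514
198.51.100.23\t443\t10.0.0.5\t49801\t66
10.0.0.5\t49802\t198.51.100.23\t80\t66
10.0.0.5\t49999\t203.0.113.9\t4444\t74
"""

def parse_tcpview(text):
    """Map (local port, remote ip, remote port) -> (process, pid) from the snapshot."""
    owners = {}
    for line in text.splitlines():
        proc, pid, _proto, local, remote, _state = line.split(",")
        rip, rport = remote.rsplit(":", 1)
        owners[(int(local.rsplit(":", 1)[1]), rip, int(rport))] = (proc, int(pid))
    return owners

def attribute_flows(fields, snapshot, host_ip):
    """Bytes per owning process; frames matching no socket in the snapshot are flagged."""
    owners = parse_tcpview(snapshot)
    totals = defaultdict(int)
    for line in fields.splitlines():
        src, sport, dst, dport, length = line.split("\t")
        # normalise both directions to the sandbox host's view of the socket
        key = (int(sport), dst, int(dport)) if src == host_ip else (int(dport), src, int(sport))
        totals[owners.get(key, ("<unattributed>", 0))] += int(length)
    return dict(totals)
```

The flow to port 4444 stays unattributed because TCPView is a point-in-time view and misses short-lived connections; take repeated snapshots or use Process Monitor's network events to close that gap.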

Static Analysis

Collect information about an executable file without running it:
Search for interesting strings to act as IOCs.
Create a fingerprint for the malware (hash using SHA-256).
Gather info about the executable structure (PE headers).
Search for known crypto and packer signatures.

Extracting Strings

Using the strings command in REMnux.
Using the Strings command added by the MAP tool installed in Windows.
Be careful about drawing conclusions: there is nothing stopping the attacker from planting strings meant to deceive the analyst.

PE Headers Analysis

The architecture of the executable, x86 or x64.
Compilation date.
Signs of a packed executable.
Number of sections and their properties.

Tools to parse the PE headers:
peframe - REMnux
pescanner - REMnux
CFF Explorer - Windows
PEview - Windows

Extracting Data

Malware can pack exploits or other malicious executables in its resources section. To identify and extract them we use:
Resource Hacker - Windows
bulk_extractor - REMnux
signsrch - REMnux
foremost - REMnux

Disassembly and Reverse Engineering

Automated disassemblers can take machine code and “reverse” it to a slightly higher-level representation.
Many tools can disassemble x86 and x64 code: objdump, OllyDbg, IDA Pro. But IDA Pro is what everyone uses.
Manual examination of disassembly is somewhat painstaking, slow, and can be hard. Keep your goals in mind and don't get bogged down.

Disassemblers – IDA Pro

It automatically identifies code and data.
It groups instruction streams into functions and shows their arguments.
It can show code flow as a graph.
It automatically identifies library functions of common compilers.
You can easily navigate the whole binary, rename any location to a descriptive name, and add comments.

Disassemblers

Future Relies on Automating Malware Analysis

Malware analysts now focus on using machine learning to catch malware.
Sandboxes can be very useful. You can try the Cuckoo sandbox:
Open source.
Great performance.
Can be used to gather initial info before digging in manually.
Easy-to-use APIs.

The END

Thank you for listening