Reverse Engineering

Paul deGrandis

Applications

•Software Maintenance

•Source Code and Documentation Engineering

•Virus Analysis

Malware

•Virus

•Needs a vector for propagation

•Worm

•No vector needed

•Can spread by network shares, email, security holes

Malware

•Trojan Horse

•Performs unstated and undesirable functions

•Spyware, adware, logic bombs, backdoors, rootkits

Anti-Virus

•Integrity Checking

•Static AV Scanners

•Dynamic AV Scanners

Anti-Virus

•Integrity Checking

•Checksum comparison

•Static AV Scanners

•Program properties (registry, system calls)

•Malware byte sequence extraction

Anti-Virus

•Dynamic AV Scanners

•Intercepting system calls

•Analyzing audit trails

•Operation patterns

Procedures For Analysis

•Restrict Access

•Save only disassembled files

•Rename Extensions, prevents double-click

•Password protect dangerous files and ZIPs

•NEVER SEND MALWARE

Procedures For Analysis

Tools•VMware

•Isolate and restore snapshots

•BinText

•Extracts strings from binary files (code)

•IRC commands, SMTP, registry keys

Tools•IDA Pro

•Dissassembles executables into assembly

Tools

•UPX Decompression

•Executable packer

•To unpack: upx.exe -d -o dest.exe source.exe

Tools

•SysInternals.com

•FileMon - monitors file access

•RegMon - monitors registry access

Tools

•RegShot

•Records modifications to the registry, but not reads

Tools•ProcDump

•Dumps a processes code from memory

•Useful in detecting an analyzing polymorphic viruses

Tools•OllyDbg

•Attaches to a process

•Can actively manipulate memory and registers during operation

•Swiss Army Knife

Tools

•Network Activity

•TCPView - displays open network ports

•TDIMon - monitors network activity

•Ethereal/Wireshark - Packet Sniffer

•Snort - IDS / Packet Sniffer

•netcat - Network swiss army knife

Tools•SysInternals.com

•TCPView - TCP and UDP endpoints and processes

•TDIMon - Logs all network activity, but not packet contents

Tools•Wireshark (formerly Ethereal)

•Captures and displays all packet contents

•One of your best friends

Tools•Netcat - reads and writes across data

connections using TCP/IP

•Great for probing, listening, debugging, or exploring unknown network behavior

•The other one of your best friends

The Assignment

•Beagle.J (and its cousin Beagle.K)

•Static analysis (BinText, IDA)

•Dynamic Analysis

•Host Side (Registry, process, files)

•Networking (Ports, connections, traffic)

•Propagation, Backdoors