Understanding Malware Security Camp 2015 10-D - JPCERT
Understanding Malware
2015/08/13 Security Camp 2015 10-D
JPCERT/CC Analysis Center, You NAKATSURU
Copyright©2015 JPCERT/CC All rights reserved.1
Notice
These training materials are used for "Security Camp 2015" in Japan, a security training program for students to discover and nurture young talent: https://www.ipa.go.jp/jinzai/camp/ (Japanese only)
The training course consists of the following 2 parts
• Malware, Malware analysis basics, Static analysis basics: learning basic knowledge for malware analysis
• Malware analysis: understanding details of malware samples using the static analysis method
The training mainly focuses on 32-bit Windows malware
Some slides have display problems due to animation
Any questions and comments are welcome. Please contact us at [email protected]
Agenda
• Malware Basics
• Malware Analysis Basics
• Static Analysis Basics
Objectives of This Session
Understanding malware
• What malware is
• What malware does
• Malware trends
• Typical prevention/response methods
Understanding malware analysis
• What malware analysis is
• Malware analysis methods
• Static analysis techniques
Malware Basics
Definition
Malicious Software
• Broader in concept than a computer virus
  - Virus, Worm, Trojan Horse, Rootkit, Bot, DoS Tool, Exploit kit, Spyware
Malware Purpose
Mischief
• Crashing a system
• DoS
For Profit
• Havoc via DDoS
• Sending Spam
• Visiting affiliate sites
Others
• Stalking
• Self-assertion
For Profit
Selling
• Sensitive information
• Malware, malware builder
Sending spam emails
• Rental business
DDoS
• Blackmail
Affiliate
• Make the user access the affiliate site using malware
Growth of Malware
(timeline figure) Virus; then Worm, Trojan, Backdoor; then Bot. The motivation shifts from Mischief / Concept code to For Profit (underground).
Infection Method
Software
• Attack software vulnerabilities: OS, Office, Browser
• Make the machine execute the malware
Human
• Trick users into executing the malware
  - Lie about the software's contents
  - Camouflage the "icon"
Exploiting Software Vulnerability
Attack Vulnerability
• Buffer overflow, etc.
• Take control and execute arbitrary code
Execute arbitrary code
• Shellcode for malware execution
• Malware
Malware Attack Vector
(figure) Entry via Vulnerability or Social engineering; delivery over the Network or by Download
Malware Behavior
Can do anything on the infected machine, within the limits of the infected user's privilege
(figure) Targets: Registry, Process/Service, File, LAN, Internet
Malware Behavior: Installation
Create main module
• Download, creation
Copy / Delete itself
• Copy to the system folder
Run after reboot
• Registry entry related to Autorun
• Startup folder
• Register as a service
Malware Behavior: Modifying System
Disable security features
• Windows Firewall
• Windows Update
Avoid security programs
• Anti-Virus software
• Analysis tools
Hide itself
• Modifying other processes
Malware Behavior: Main Behavior
Steal information
• Read registry entries / config files
• Key logging, packet capture
Bot
• Connect to C&C servers
• Execute commands
Spread
• Attack other machines
Important Points
Network activity is important
• Attackers need to take out information for profit
• Able to recognize damage by analyzing packets
Do not trust infected machines
• Possibility of data falsification, such as anti-virus software results on infected machines
• Recommended to re-install Windows
• Preventing malware infection is the most important
MALWARE EXAMPLE
Targeted Attack
(figure) An e-mail whose attachment looks like a normal Excel file
From: ○○
Subject: Personnel reshuffle
"There was a personnel reshuffle. See the attachment file."
The attachment exploits a vulnerability in Excel
RAT
Remote Administration Tool/Trojan
• Often used for targeted attacks
Banking Trojan
Attempts to steal the user's credentials for Internet banking
• Injects an additional input form into the web page
(figure) Internet Banking site, infected client, Controller
Web-based Attack
Attacking web browsers or add-ons
1. Inject malicious JavaScript into web contents
2. Redirect to an attack site in the background
3. Attack vulnerabilities
4. Information theft
Ransomware
"All your important files are encrypted!"
(figure) Encryption key and a URL to lead the victim to (Tor); delete after encryption; intimidation message
Android Malware
Re-package popular legitimate apps
• Distributed through 3rd party markets and the Android Market
• Steal contact information in the background
MALWARE TRENDS IN JAPAN
Banking Trojan
ZeuS, Citadel and Gameover are over; the families currently observed are Vawtrak, Dyre, Tsukuba, Tinba, Dridex, Chthonic and KINS
Ransomware
Spread through Drive-by-Download attacks
https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681
Targeted Attack: Watering Hole Attack
A case of a compromised site for a media player update
(figure labels: Player, Update Server, IP address check, Another site, Automatically install malware)
CloudyOmega/Blue Termite
(figure) Attack infrastructure (affected sites, affected VPS servers) sends Mass email and Targeted email to Victims (government related organizations, private companies)
ANTI-MALWARE
Typical Malware Prevention
Fix vulnerabilities
• Update OS & software
• Configure security options for OS & software
Use anti-virus software
• Possibly false results
Do not open a file without confirming
• Beware of social engineering
Typical Response
Disconnect the network connection first
• To stop information leakage & attacks to the outside
Re-install the OS
• Basically malware can do anything on infected machines
Recurrence prevention
• Identify & fix the cause of infection
Worldwide Activity
Botnet takedown
• Microsoft, FBI, anti-virus vendors, etc.
• Major activities: Rustock takedown, ZeroAccess takedown, Citadel takedown
Convention on Cybercrime
• Drawn up by the Council of Europe
• Convention for co-investigation of cyber criminals
Malware Analysis Basics
Who Analyzes Malware?
• CSIRTs
• Security product developers
• Security service providers
• Anti-malware researchers
• Software developers
• Law enforcement
Why Analyze Malware?
• Incident response
• Product development/improvement
• Signature creation
• Cutting-edge countermeasures
• Vulnerability analysis
• Criminal arrest
Malware Analysis Method
• Environment setup
• Malware collection
• Surface analysis
• Runtime analysis
• Static analysis
IMPORTANT POINT
Security is a Key for Success
Analyze malware with great care
• If you make a mistake, it may bring serious consequences
Develop the environment with great care
• Pay great attention to the environment for malware download and analysis
Publish results with great care
• Take great care in publishing details of malware, e.g. a 0-day vulnerability
Analysis Environment
(figure) Download Environment and Sample Analysis Environment, with these considerations: Real time filtering; Linux; Dedicated network; Change file extension; Write-protected; Be able to restore to a clean system
SURFACE ANALYSIS
Surface Analysis
Retrieve surface information from targets without execution
(figure) From the target: Hash value (search VirusTotal, analysts' blogs and vendors' databases), File type, Strings, Tool information, Anti-virus software results
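Added example, not part of the JPCERT training materials: the surface-analysis outputs listed above (hashes, file type from magic bytes, strings, PE header attributes, packer hints) produced offline in Python. The input is a constructed PE32 image built inside the script; its section names, strings and the c2.example.invalid URL are made up for the demonstration, while the header layout and the two packer heuristics (known packer section names, section entropy near 8 bits/byte) are standard triage checks.

```python
import hashlib
import math
import re
import struct

MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
PACKER_SECTION_NAMES = ("UPX", ".aspack", ".petite", ".MPRESS", ".themida", ".vmp")


def build_sample():
    """Constructed PE32 image used as offline input; not a real program, not malware."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)      # i386, 2 sections
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000)  # PE32, entry 0x1000
    opt_hdr += b"\x00" * (0xE0 - len(opt_hdr))
    sec = "<8sIIIIIIHHI"   # name, vsize, vaddr, rawsize, rawptr, reloc, lines, nreloc, nlines, flags
    headers = (dos + b"PE\x00\x00" + file_hdr + opt_hdr
               + struct.pack(sec, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
               + struct.pack(sec, b"UPX1", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040))
    headers += b"\x00" * (0x200 - len(headers))
    text = (b"\x55\x8B\xEC" + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            + b"CopyFileA\x00" + b"http://c2.example.invalid/gate.php\x00")
    text += b"\x00" * (0x200 - len(text))
    # deterministic near-random filler standing in for a packed section (no RNG needed)
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    return headers + text + packed


def hashes(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def file_type(data):
    """Identify by magic bytes, as `file` does, never by the extension the attacker chose."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable"
        return "MZ (DOS executable or truncated PE)"
    if data[:4] == b"\x7fELF":
        return "ELF executable"
    if data[:4] == b"%PDF":
        return "PDF document"
    if data[:4] == b"PK\x03\x04":
        return "ZIP archive (also OOXML/APK/JAR)"
    return "unknown"


def entropy(buf):
    """Shannon entropy in bits per byte: code/text sits well below 7, packed or encrypted data near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf)))


def parse_pe(data):
    """The header fields needed for triage: machine type, entry point, sections with entropy."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                       # 4-byte signature + 20-byte file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, raddr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        raw = data[raddr:raddr + rsize]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"), "vaddr": vaddr,
                         "raw_offset": raddr, "raw_size": rsize, "entropy": round(entropy(raw), 2)})
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "entry_point": entry, "sections": sections}


def ascii_strings(data, min_len=6):
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def packer_hints(pe):
    """Cheap heuristics only: a hint means 'unpack before static analysis', not a verdict."""
    hints = []
    for s in pe["sections"]:
        if s["name"].startswith(PACKER_SECTION_NAMES):
            hints.append("section name %r matches a known packer" % s["name"])
        if s["entropy"] > 7.0 and s["raw_size"] >= 0x100:
            hints.append("section %r entropy %.2f (packed/encrypted?)" % (s["name"], s["entropy"]))
    return hints


def surface_report(data):
    report = {"hashes": hashes(data), "file_type": file_type(data), "strings": ascii_strings(data)}
    if report["file_type"] == "PE executable":
        report["pe"] = parse_pe(data)
        report["packer_hints"] = packer_hints(report["pe"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(surface_report(build_sample()), indent=2))
```

The hashes are what you search for on VirusTotal or in a vendor database; the strings and the Run-key path are the first hints of behaviour before any execution; the packer hints decide whether the static-analysis flow later in this deck starts with manual unpacking.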
Runtime Analysis
Execute malware and monitor its behavior; difficult to reveal "all" of the malware's behavior
Manual Analysis
• Use monitoring tools on the analysis environment: Sysinternals suite, etc.
Automation
• Use a sandbox system (free / commercial products)
• Can reduce analysis time
Runtime Analysis Environment
Dedicated and isolated network/system, native or virtual (VMware, etc.)
(figure) Analysis Machine on a Fake LAN; a Fake server providing DNS, HTTP, HTTPS, FTP, IRC, SMTP, POP3, etc., or netcat; an Internal Network; the Internet
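Added example, not part of the training materials: the DNS part of the fake server in the figure, written in Python as a sinkhole. Every A query from the analysis machine is answered with the fake-server host's address and the queried name is logged, so the C&C hostname surfaces even if the sample never gets as far as HTTP. ANALYSIS_IP and the names used in the demo query are assumed values.

```python
import socket
import struct

ANALYSIS_IP = "192.0.2.10"   # assumed address of the fake-server host (documentation range)


def parse_qname(pkt, off):
    """Decode the label sequence at pkt[off:]; returns (dotted name, offset after it)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:   # compression pointer: legal in answers, not expected in a question
            raise ValueError("compressed name in question section")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n


def build_response(query, answer_ip, ttl=60):
    """Answer A/IN queries with answer_ip; other types get NOERROR with an empty answer
    section so the sample moves on. Returns (qname, qtype, response packet)."""
    txid, flags, qdcount, _, _, _ = struct.unpack_from("!HHHHHH", query, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = parse_qname(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, off)
    question = query[12:off + 4]
    answer = b""
    if (qtype, qclass) == (1, 1):
        # NAME = pointer to the question name at offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080   # QR, AA, RD copied, RA, RCODE 0
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1 if answer else 0, 0, 0)
    return qname, qtype, header + question + answer


def build_query(name, qtype=1, txid=0x1234):
    """Constructed query packet of the shape an infected machine would send (RD set)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(answer_ip=ANALYSIS_IP, listen=("0.0.0.0", 53)):
    """Sinkhole loop for the fake server. Needs root for port 53 and nothing else bound to UDP/53;
    point the analysis machine's DNS setting at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        pkt, peer = sock.recvfrom(512)
        try:
            qname, qtype, resp = build_response(pkt, answer_ip)
        except (ValueError, IndexError, struct.error):
            continue   # malformed or non-query traffic: drop silently
        print("%s type %d %s -> %s" % (peer[0], qtype, qname, answer_ip if qtype == 1 else "no data"))
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Pair it with a fake HTTP/HTTPS listener (or netcat) on the same host so that the connection the sample makes after resolving the name is captured too; the DNS log alone already gives the indicator to search for in the enterprise's resolver logs.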
What Static Analysis is
Reading the code in a binary file and understanding its functionality
• Takes a long time
• Requires deep and broad knowledge
ANALYSIS PROCESS
Analysis Process Comparison
Surface analysis
• Overview: retrieve surface information from targets without execution
• Output: hash values, strings, file attributes, packer info, anti-virus detection info
• Security risk: Low
• Analysis coverage: Low
Runtime analysis
• Overview: execute samples and monitor their behavior
• Output: activity of the file system, registry, processes and network
• Security risk: High
• Analysis coverage: Moderate
Static analysis
• Overview: read the code in binary files and understand its functionality
• Output: the malware's functionality, e.g. bot commands, encode/decode methods
• Security risk: Moderate
• Analysis coverage: High
Malware Analysis Flow
(flowchart) Start -> Surface analysis -> enough? If Yes: Summarize Result -> End. If No: Runtime analysis -> enough? If Yes: Summarize Result -> End. If No: Static analysis -> Summarize Result -> End
Static AnalysisBasics
Important Points
No need to know all of the malware
• You need much time for static analysis
Need much knowledge/experience
• Need: OS knowledge, Assembly basics, Efficient reading techniques, Anti-analysis techniques
• We have to continue studying
Disassemble & Decompile
Binary -> source code
• Disassemble: machine code to assembly code
• Decompile: machine code to (C-like) source code
Debugging
Read assembly code while executing it step by step
Static Analysis Flow
(flowchart) Start -> Packed? If Yes: 1. Manual Unpacking, then analyze the unpacked target. Can decompile? If Yes: 2. Decompile; otherwise 3. Disassemble, Debugging -> Result -> End
Static Analysis Tools
Disassembler
• IDA: disassembles more than 50 architectures
Decompiler
• Hex-Rays Decompiler: x86/ARM binary to C source code
• VB Decompiler: Visual Basic binary to Visual Basic source code
• .NET Reflector: .NET binary to .NET source code
Debugger
• OllyDbg: world famous x86 debugger
• Immunity Debugger: Python-friendly x86 debugger
Static Analysis Basics
(flowchart, same as the Static Analysis Flow above: Start -> Packed? -> 1. Manual unpacking -> analyze the unpacked target -> Can decompile? -> 2. Decompile, otherwise 3. Disassemble, Debugging -> Result -> End)
This training is focused on "Disassemble" only
Interactive DisAssembler
http://www.hex-rays.com/idapro/
3 versions are available
Free
• Version: Ver. 5.0, or Ver. 6.8 demo
• Cost: Free
• Features: old or limited
Starter
• Version: Ver. 6.8
• Cost: 589 USD/User, 879 USD/Computer
• Features: supports up to 20 processor types
Pro
• Version: Ver. 6.8
• Cost: 1129 USD/User, 1689 USD/Computer
• Features: supports up to 50 processor types; can analyse files for 64-bit platforms
ASSEMBLY BASICS
Components of Computer System
(figure) CPU: Arithmetic Logic Unit, Control Unit. Memory Unit: Main Memory (DRAM...), Storage (HDD...). I/O: Input Device (Keyboard...), Output Device (Display...)
CPU Operation
(figure) Memory, addresses 0x00000000 to 0xFFFFFFFF, holding machine code bytes such as:
    90
    90
    55
    8B EC
    81 EC 14 01 01 00 00
    FF 15 28 70 40 00
    68 05 01 00 00
    6A 00
    68 88 B7 40 00
    E8 29 0B 00 00
    83 C4 0C
    68 05 01 00 00
    6A 00
    8D 85 F0 FE FF FF
    50
    E8 13 0B 00 00
    83 C4 0C
CPU: ALU, Control Unit, Registers (Accumulator, Counter, Program Counter, Stack Pointer, Flags)
1. Fetch & Decode: read a CPU instruction from Memory
2. Execute: execute the CPU instruction using the Registers
3. Move to the next instruction address and repeat
Compiling Source Code
    #include <stdio.h>

    int main()
    {
        int a, b, c;

        a = 1;
        b = 2;
        c = a + b;
        printf("Answer is %d\n", c);
        return 0;
    }
(figure) Compile -> Executable file: a binary file that includes CPU instructions (Machine Code) -> the CPU executes the instructions
Disassemble
Machine code to assembly code (human readable)
Format of Assembly Code
    push ebp
    mov ebp, esp
    sub esp, 0Ch
    mov [ebp-4], 1
    mov [ebp-8], 2
    mov eax, [ebp-4]
    add eax, [ebp-8]
    mov [ebp-0Ch], eax
    mov ecx, [ebp-0Ch]
    push ecx
    push 0040C000h
    call 00401034h
    add esp, 8
    xor eax, eax
    mov esp, ebp
    pop ebp
    retn
Each line is an OpCode (mnemonic) followed by its Operand(s) (arguments)
Register
Memory inside the CPU
• Can be used as variables for calculations
• Holds the address of the next instruction (Program Counter)
• Holds pointers related to the stack
Register name: Description
• EAX, EBX, EDX: General purpose register
• ECX: General purpose register, especially used as a counter
• ESI, EDI: General purpose register, especially used for "source" and "destination"
• EIP (Instruction Pointer): Address of the next instruction
• ESP (Stack Pointer): Current stack address
• EBP (Base Pointer): Bottom of the stack frame for the current function
Register Size
Several registers' names change according to the data size (EAX, EBX, ECX, ...)
• EAX (32 bit)
  - AX (lower 16 bit)
    - AH (higher 8 bit of AX), AL (lower 8 bit of AX)
"mov eax, 0" ≠ "mov ax, 0"
Major Instructions
Assignment
• mov: copy value
• lea: load address
Calculation
• add & sub: + / -
• and & or & xor & not: logical operation
• inc & dec: +1 / -1
Jump
• jmp: jump to the specified address
• jz, jnz, ja, ...: branch on condition
• call: call subroutine (function)
Stack
Store temporary values on the "stack" in memory, due to the limited number of registers
Stack management
• Use PUSH/POP
• Stack related addresses are stored in EBP & ESP
(figure) Memory from 00000000 to FFFFFFFF. PUSH 1, PUSH 2, PUSH 3, PUSH 4 store 00000001, 00000002, 00000003, 00000004 at successively lower addresses, ESP moving down each time; POP EAX, POP EBX, POP ECX, POP EDX take them back in reverse order, ESP moving up. EBP marks the base of the frame.
Function Call using Stack
call = push + jmp
retn = pop + jmp
    foo:
        push ebp
        mov ebp, esp
        xor eax, eax
        :
        mov esp, ebp
        pop ebp
        retn 10h

    main:
        :
        push 440100h        ; arg1
        push 440000h        ; arg2
        call foo
        mov [ebp+result], eax
        :
(figure) Stack from 00000000 to FFFFFFFF: main func's variables, 00440100, 00440000, Return Addr, Old EBP (EBP points here), foo func's variables (ESP points below them)
Local Variables
Local variables are allocated on the stack, normally referred to by an offset from ebp
    void func()
    {
        char Name[] = "abcdefg";
        int i;
        :
    }
(figure) Name: 8 bytes at ebp-8; i: 4 bytes at ebp-0Ch; EBP above them
Branch on Conditions
Basic flow
1. Comparison operation
  - cmp a, b: "sub a, b" and discard the result
  - test a, b: "and a, b" and discard the result
2. Jump on condition
  - jz, jnb, ja, etc.
Condition characters
• n: not
• z/e: zero/equal: the previous result is 0 (both values are the same)
• a: above: operand 1 is higher than operand 2 (unsigned comparison)
• b: below: operand 1 is smaller than operand 2 (unsigned comparison)
Exercise 1. Static Analysis Basic
i. Analyze the following function and explain what it does
(figure: disassembly listing)
Exercise 1. Answer
i. Analyze the following function and explain what it does
(figure) The function returns arg_0 + arg_4
Exercise 1. Static Analysis Basic
ii. Find "branch on condition" and explain each condition and the corresponding result
(figure: disassembly listing; sub_401000 is the "add_value" function)
Exercise 1. Answer
ii. Find "branch on condition" and explain each condition and the corresponding result
(figure) The stored result of the "add_value" function is tested: is the result 0 or not?
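Added example, not from the slides: a Python interpreter for the small x86 subset this section uses (push/pop, mov, add/sub/xor, cmp/test, conditional jumps, call/retn), run on an assembly rendering of Exercise 1. The add_value body follows the answer (arg_0 + arg_4); the caller, the label names and the initial ESP value are this example's assumptions. It shows the frame layout behind [ebp+8] and [ebp+0Ch], the reverse argument order, call as push + jmp, retn as pop + jmp with optional argument cleanup, and the jz that fires when the 32-bit sum wraps to zero. Two simplifications: code addresses are instruction indices rather than bytes, and stack memory is dword-granular.

```python
import re

MASK = 0xFFFFFFFF
SENTINEL = 0xFFFFFFFF      # fake return address: popping it ends the run
MEM_OPERAND = re.compile(r"\[(\w+)(?:([+-])(\w+))?\]")   # [ebp+8], [ebp-0Ch], [esp]
# Conditional jumps. ZF: last result was zero. CF: unsigned borrow (operand 1 < operand 2).
COND = {"jz": lambda c: c.zf, "jnz": lambda c: not c.zf, "jb": lambda c: c.cf, "ja": lambda c: not (c.cf or c.zf)}


def imm(tok):   # "0Ch" -> 12, "8" -> 8
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)


class MiniX86:   # interpreter for the 32-bit instruction subset used on the slides
    def __init__(self):
        self.r = dict.fromkeys(("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"), 0)
        self.r["esp"] = 0x0012FF7C   # assumed initial stack pointer
        self.zf = self.cf = False
        self.mem = {}   # dword-granular stack memory: address -> value; code lives in a list

    def push(self, v):   # the stack grows toward lower addresses
        self.r["esp"] = (self.r["esp"] - 4) & MASK
        self.mem[self.r["esp"]] = v & MASK

    def pop(self):
        v = self.mem.get(self.r["esp"], 0)
        self.r["esp"] = (self.r["esp"] + 4) & MASK
        return v

    def get(self, tok):   # register, [reg+disp] memory operand, or immediate
        if tok in self.r:
            return self.r[tok]
        m = MEM_OPERAND.fullmatch(tok.replace(" ", ""))
        if not m:
            return imm(tok) & MASK
        disp = imm(m.group(3)) if m.group(2) else 0
        return self.mem.get((self.r[m.group(1)] + (-disp if m.group(2) == "-" else disp)) & MASK, 0)

    def alu(self, op, a, b):   # 32-bit result; sets ZF/CF; cmp and test keep only the flags
        res = {"add": a + b, "sub": a - b, "cmp": a - b, "xor": a ^ b, "test": a & b}[op]
        self.cf = (a + b > MASK) if op == "add" else (a < b) if op in ("sub", "cmp") else False
        self.zf = (res & MASK) == 0
        return res & MASK


def assemble(text):   # assembly text -> [(mnemonic, operands)], {label: index}
    code, labels = [], {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if line.endswith(":"):
            labels[line[:-1]] = len(code)
        elif line:
            mnem, _, rest = line.partition(" ")
            code.append((mnem.lower(), [o.strip() for o in rest.split(",") if o.strip()]))
    return code, labels


def run(cpu, code, labels, entry, max_steps=10000):
    # call = push next address + jmp; retn = pop + jmp (plus optional argument cleanup)
    cpu.push(SENTINEL)
    eip = labels[entry]
    for _ in range(max_steps):
        mnem, ops = code[eip]
        eip += 1
        if mnem == "push":
            cpu.push(cpu.get(ops[0]))
        elif mnem in ("mov", "pop"):   # register destinations only in this subset
            cpu.r[ops[0]] = cpu.get(ops[1]) if mnem == "mov" else cpu.pop()
        elif mnem in ("add", "sub", "xor"):
            cpu.r[ops[0]] = cpu.alu(mnem, cpu.get(ops[0]), cpu.get(ops[1]))
        elif mnem in ("cmp", "test"):
            cpu.alu(mnem, cpu.get(ops[0]), cpu.get(ops[1]))
        elif mnem == "jmp" or (mnem in COND and COND[mnem](cpu)):
            eip = labels[ops[0]]
        elif mnem == "call":
            cpu.push(eip)   # return address = index of the next instruction
            eip = labels[ops[0]]
        elif mnem == "retn":
            ret = cpu.pop()
            if ops:   # "retn 10h": the callee removes its own arguments
                cpu.r["esp"] = (cpu.r["esp"] + imm(ops[0])) & MASK
            if ret == SENTINEL:
                return cpu
            eip = ret
        elif mnem not in COND:
            raise ValueError("unsupported instruction: " + mnem)
    raise RuntimeError("step limit reached")


PROGRAM = """
add_value:                ; sub_401000 from Exercise 1: returns arg_0 + arg_4
    push ebp
    mov ebp, esp
    mov eax, [ebp+8]      ; arg_0: pushed last, so it sits just above the return address
    add eax, [ebp+0Ch]    ; arg_4
    pop ebp
    retn                  ; result in EAX
main:
    push {arg_4}          ; arguments are pushed in reverse order ...
    push {arg_0}          ; ... so the first argument is pushed last
    call add_value
    add esp, 8            ; caller removes the two dword arguments
    test eax, eax         ; "and eax, eax" with the result discarded: ZF = (result == 0)
    jz done               ; taken when the result is zero (ECX stays 0)
    mov ecx, 1            ; result is non-zero
done:
    retn                  ; pops the sentinel and stops the run
"""


def demo(arg_0, arg_4):   # -> (EAX = add_value result, ECX = 0 if the jz was taken, else 1)
    code, labels = assemble(PROGRAM.format(arg_0=arg_0, arg_4=arg_4))
    cpu = run(MiniX86(), code, labels, "main")
    return cpu.r["eax"], cpu.r["ecx"]
```

demo(1, 2) gives (3, 1); demo(1, 0FFFFFFFFh) gives (0, 0) because the sum wraps to zero and the jz is taken, which is exactly the kind of edge a static reading of "result is 0 or not?" should keep in mind.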
Deep Understanding x86
IA-32 Architectures Software Developer Manuals
http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html
EFFICIENT CODE ANALYSIS
Understanding Source Code
In which order should the following source code be read?
    int send_data()
    {
        HANDLE hInternet, hConnect, hRequest;

        hInternet = InternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
        if (hInternet == NULL)
            return 1;
        hConnect = InternetConnect(hInternet, SERVER_NAME, INTERNET_DEFAULT_HTTP_PORT, …
        if (hConnect == NULL) {
            InternetCloseHandle(hInternet);
            return 2;
        }
        hRequest = HttpOpenRequest(hConnect, __T("GET"), NULL, NULL, …
Reading Steps
1. Check the Windows API
2. Check the arguments
3. Check the branch on condition
Learning Windows API
Use the MSDN Library: http://msdn.microsoft.com/library
Online
• Cost: Free
• Features: always up to date; needs an Internet connection; depends on connection speed
Offline
• Cost: MSDN Subscription needed to download
• Features: can download the necessary sections for offline use; can be used in an offline environment; fast
Reading Arguments
Assembly code
    push 0              ; bFailIfExists
    mov eax, [ebp+C]
    push eax            ; lpNewFileName
    mov ecx, [ebp+8]
    push ecx            ; lpExistingFileName
    call ds:CopyFileA
C++ syntax from the MSDN Library
    BOOL CopyFile(
        LPCTSTR lpExistingFileName,
        LPCTSTR lpNewFileName,
        BOOL bFailIfExists
    );
Arguments are pushed in reverse order (the last parameter first); the return value is stored in EAX
Exercise 2. Efficient Code Analysis
Read the following function efficiently and guess what it does
[The disassembly listing on the slide did not survive extraction; only the tail of a registry-path string, `ersion\\Run`, is visible (the backslashes are rendered as ¥ in the Japanese font)]
Exercise 2. Answer
Read the following function efficiently and guess what it does
[Same listing as on the exercise slide; only the string fragment `ersion\\Run` is visible]
- Writes a value into a registry entry
- The target entry is the "Run" key
- The program registers itself to be executed automatically at the next user logon, so it survives a reboot (persistence)
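Added example in Python (not code from the JPCERT slides) that applies the three reading steps mechanically, both to the CopyFileA fragment from the "Reading Arguments" slide and to a listing constructed in the style of Exercise 2 (the slide's own Exercise 2 listing is not in the transcript). It walks the push instructions before each call, pairs them with the MSDN parameter names in reverse push order, resolves a pushed register through the preceding mov/lea, and then reports a RegSetValueExA that follows an open of ...\CurrentVersion\Run. The prototype table, the hive constants and the Run-key listing with its string labels (aSoftwareMicros, aUpdater) are assumptions supplied for the example.

```python
# Added example: recover stdcall arguments from the push sequence before a
# 32-bit Windows API call, then spot Run-key persistence from the recovered values.
import re

# Parameter names in C order, as the MSDN prototypes list them (assumed subset).
PROTOTYPES = {
    "CopyFileA":      ["lpExistingFileName", "lpNewFileName", "bFailIfExists"],
    "RegOpenKeyExA":  ["hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"],
    "RegSetValueExA": ["hKey", "lpValueName", "Reserved", "dwType", "lpData", "cbData"],
}
HIVES = {"80000001h": "HKEY_CURRENT_USER", "80000002h": "HKEY_LOCAL_MACHINE"}
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run$", re.IGNORECASE)

MOV_RE = re.compile(r"^(?:mov|lea)\s+(\w+)\s*,\s*(.+)$", re.IGNORECASE)
PUSH_RE = re.compile(r"^push\s+(.+)$", re.IGNORECASE)
CALL_RE = re.compile(r"^call\s+(?:ds:)?(\w+)", re.IGNORECASE)


def recover_arguments(listing):
    """Return [(api, {param: value}), ...] for each call with a known prototype.

    Handles only the simple IDA listing shapes used below: 'mov/lea reg, src'
    followed by 'push reg', or a direct 'push imm/offset'. Arguments are pushed
    in reverse parameter order, so the last push is the first parameter.
    """
    results, pushes, last_mov = [], [], {}
    for line in listing.splitlines():
        code = line.split(";", 1)[0].strip()          # drop IDA comments
        if not code:
            continue
        m = MOV_RE.match(code)
        if m:
            last_mov[m.group(1).lower()] = m.group(2).strip()
            continue
        m = PUSH_RE.match(code)
        if m:
            op = m.group(1).strip()
            pushes.append(last_mov.get(op.lower(), op))  # resolve register to its source
            continue
        m = CALL_RE.match(code)
        if m:
            params = PROTOTYPES.get(m.group(1))
            if params:
                args = pushes[-len(params):]            # the last N pushes belong to this call
                results.append((m.group(1), dict(zip(params, reversed(args)))))
            pushes, last_mov = [], {}                   # eax/ecx/edx are clobbered by the call
    return results


def find_run_key_persistence(calls, strings):
    """Pair a RegOpenKeyExA/RegCreateKeyExA on ...CurrentVersion\\Run with the
    RegSetValueExA that follows it. `strings` maps IDA string labels to text."""
    run_key = None
    for api, args in calls:
        if api in ("RegOpenKeyExA", "RegCreateKeyExA"):
            sub = strings.get(args["lpSubKey"].replace("offset ", ""), "")
            if RUN_KEY_RE.search(sub):
                run_key = HIVES.get(args["hKey"], args["hKey"]) + "\\" + sub
        elif api == "RegSetValueExA" and run_key:
            label = args["lpValueName"].replace("offset ", "")
            return {"key": run_key, "value_name": strings.get(label, label), "data": args["lpData"]}
    return None


# The CopyFileA fragment from the "Reading Arguments" slide.
COPYFILE_LISTING = """
push 0          ; bFailIfExists
mov eax,[ebp+C]
push eax        ; lpNewFileName
mov ecx,[ebp+8]
push ecx        ; lpExistingFileName
call ds:CopyFileA
"""

# Constructed listing in the style of Exercise 2 (not the slide's own code).
RUN_KEY_LISTING = """
lea eax, [ebp+phkResult]
push eax                      ; phkResult
push 20006h                   ; samDesired = KEY_WRITE
push 0                        ; ulOptions
push offset aSoftwareMicros   ; lpSubKey
push 80000001h                ; hKey = HKEY_CURRENT_USER
call ds:RegOpenKeyExA
test eax, eax
jnz short loc_fail
push 104h                     ; cbData
lea ecx, [ebp+szModulePath]
push ecx                      ; lpData
push 1                        ; dwType = REG_SZ
push 0                        ; Reserved
push offset aUpdater          ; lpValueName
mov edx, [ebp+phkResult]
push edx                      ; hKey
call ds:RegSetValueExA
"""
CONSTRUCTED_STRINGS = {          # what IDA's Strings window would show for the labels
    "aSoftwareMicros": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "aUpdater": "Updater",
}

if __name__ == "__main__":
    for api, args in recover_arguments(COPYFILE_LISTING):
        print(api, args)
    print(find_run_key_persistence(recover_arguments(RUN_KEY_LISTING), CONSTRUCTED_STRINGS))
```

The reverse-order rule is what makes the slide's arrows run bottom-to-top; it holds for the Win32 API (WINAPI is __stdcall) and for cdecl on 32-bit code. It does not carry over to __fastcall (first two arguments in ECX/EDX) or to x64, where the first four arguments travel in RCX, RDX, R8 and R9 and only the rest are on the stack, so confirm the calling convention before trusting the mapping. Note also that the hKey 80000001h is HKEY_CURRENT_USER: this persistence needs no administrator rights.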
USING IDA
(recap) Interactive DisAssembler
http://www.hex-rays.com/idapro/
3 versions are available:

|          | Free                     | Starter                              | Pro                                                                                  |
|----------|--------------------------|--------------------------------------|--------------------------------------------------------------------------------------|
| Version  | Ver. 5.0 (Ver. 6.5 demo) | Ver. 6.5                             | Ver. 6.5                                                                             |
| Cost     | Free                     | 539 USD/User, 819 USD/Computer       | 1059 USD/User, 1589 USD/Computer                                                     |
| Features | Old or limited           | Supports up to 20 processor types    | Supports up to 50 processor types; can analyze files for 64-bit platforms            |
You Have to Talk with Madame de Maintenon (see Wikipedia)
Important Points for IDA
1. Make it right
   - Instruction or data?
   - Malicious function or library function?
2. Use it as a high-functionality notepad
   - Name analyzed functions / variables
   - Write your comments
   - Put in function type declarations
   - Change the display format for easier reading: hex / binary / ASCII / offset
Main Window (IDA View): Graph view / Text view
Main Window (IDA View): Reading Code
Callouts on the screenshot: Calling API, XREF, Comments, Name
Strings Window: like BinText
Functions Window: a list of functions
Imports Window: a list of the APIs required by the target
Hex View Window: the raw bytes of the loaded file at the current address
Recommended Configuration
IDA config files you can edit: C:\Program Files (x86)\IDA Free\cfg\
You can create user settings files: idauser.cfg, idauserg.cfg

| Config file              | Name                  | Meaning                                        | Recommended value |
|--------------------------|-----------------------|------------------------------------------------|-------------------|
| ida.cfg / idauser.cfg    | OPCODE_BYTES          | Display binary data (number of opcode bytes)   | 8                 |
| ida.cfg / idauser.cfg    | SHOW_SP               | Display stack pointer                          | YES               |
| ida.cfg / idauser.cfg    | SHOW_XREFS            | Display cross references (number shown)        | 8                 |
| idagui.cfg / idauserg.cfg| DISPLAY_PATCH_SUBMENU | Display patch submenu                          | YES               |
Basic Instructions: Move

| Key | Description     |
|-----|-----------------|
| G   | Jump to address |
| Esc | Back            |

Changing data type

| Key | Description                                          |
|-----|------------------------------------------------------|
| U   | Change selection to "Unknown"                        |
| C   | Change selection to "Code"                           |
| D   | Change selection to "Data" (Byte, Word, Double Word) |
| P   | Change selection to "Function"                       |
| A   | Change selection to "ASCII string"                   |
| *   | Change selection to "Array"                          |
Basic Instructions: Note

| Key | Description                                                              |
|-----|--------------------------------------------------------------------------|
| N   | Name function / variables / etc.                                         |
| :   | Insert comment                                                           |
| ;   | Insert repeatable comment                                                |
| Y   | Put type declaration, e.g. `void __cdecl Func(int num1, int num2);`     |

Display format

| Key                            | Description                                                                                  |
|--------------------------------|----------------------------------------------------------------------------------------------|
| H                              | Decimal <-> Hexadecimal                                                                      |
| R                              | ASCII (character) <-> Hexadecimal                                                            |
| Right-click -> Symbolic constant | Symbolic constant <-> Hexadecimal, e.g. ERROR_ALREADY_EXISTS, ACCESS_ALL, KEY_WRITE        |
Basic Analysis Process in IDA (a cycle)
1. Read instructions
2. Understand their meaning
3. Rename & comment: variables, functions, data, etc.
4. Go back to 1 with the renamed listing
Example of Renaming (Exercise 1)
Example of Analysis (analyzed IDB sample)
Exercise 3. Using IDA
i. Analyze the following functions in "static_sample3.idb" and rename functions/variables or insert your comments:
- sub_4012DD
- sub_401303
- sub_401357
Exercise 3. Answer
i. Analyze the following functions in "static_sample3.idb" and rename functions/variables or insert your comments:
- sub_4012DD
- sub_401303
- sub_401357
- See static_sample3_ans.idb
FYI: IDC Scripting
If you want to change the background color of "jmp" & "call" instructions (to light blue)
[The IDC script shown on the slide did not survive extraction]
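As an added example (not the slide's IDC script, which is not in the transcript), the same effect written in IDAPython with the IDA 7.x API names (idc.print_insn_mnem, idc.set_color; IDA 6.x, current in 2015, called these GetMnem and SetColor): every jmp and call in every function gets a light-blue background. The instruction-selection logic is kept apart from the IDA calls so it can be checked outside IDA; the exact colour value and the choice to highlight only jmp/call rather than all conditional jumps are assumptions made for the example.

```python
# Added example: IDAPython version of "colour jmp and call light blue".
try:
    import idautils
    import idc
    IN_IDA = True
except ImportError:          # running outside IDA (e.g. in a unit test)
    IN_IDA = False

# IDA stores item colours as 0xBBGGRR; this is RGB(173, 216, 230), a light blue (assumed value).
LIGHT_BLUE = 0xE6D8AD

# Mnemonics to highlight. Add "jz", "jnz", ... here to include conditional jumps.
HIGHLIGHT_MNEMONICS = frozenset({"jmp", "call"})


def wants_highlight(mnem, mnemonics=HIGHLIGHT_MNEMONICS):
    """True if the mnemonic (as IDA prints it, any case) should be coloured."""
    return mnem.strip().lower() in mnemonics


def select_addresses(items, mnemonics=HIGHLIGHT_MNEMONICS):
    """items: iterable of (ea, mnemonic). Returns the addresses to colour, in order.

    This is the IDA-independent core; inside IDA the items come from the
    function list, in a test they can be any constructed sequence.
    """
    return [ea for ea, mnem in items if wants_highlight(mnem, mnemonics)]


def color_flow_instructions(color=LIGHT_BLUE, mnemonics=HIGHLIGHT_MNEMONICS):
    """Walk every instruction of every function in the IDB and colour the
    selected ones. Returns the number of instructions coloured."""
    if not IN_IDA:
        raise RuntimeError("color_flow_instructions() must be run inside IDA")
    items = ((ea, idc.print_insn_mnem(ea))
             for func_ea in idautils.Functions()
             for ea in idautils.FuncItems(func_ea))
    targets = select_addresses(items, mnemonics)
    for ea in targets:
        idc.set_color(ea, idc.CIC_ITEM, color)   # CIC_ITEM = colour this one item
    return len(targets)


if __name__ == "__main__" and IN_IDA:
    print("coloured %d instructions" % color_flow_instructions())
```

Run it from File > Script file inside IDA; because it is a plain Python module, the selection helpers can also be imported and tested elsewhere. Colouring control transfers this way is a cheap aid when reading a function top-down as the "Reading Steps" slide suggests, since the calls and the branches on their results are exactly the lines you stop at.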
Questions?