Malicious software (malware) is any software that gives an attacker partial or full
control of your computer to do whatever the malware creator wants. Malware can be a
virus, worm, trojan, adware, spyware, rootkit, etc. The damage done can range from
something slight, such as changing the author's name on a document, to full control of
your machine without your being able to easily find out. Most malware requires the
user to initiate its operation. Some vectors of attack include attachments in e-mails,
browsing a malicious website that installs software after the user clicks OK on a
pop-up, and vulnerabilities in the operating system or programs. Malware is not
limited to one operating system.
Types of Malware
------------------
Virus:
Like their biological namesakes, viruses attach themselves to clean files and
infect other clean files. They can spread uncontrollably, damaging a system’s core
functionality and deleting or corrupting files. They usually appear as an
executable file (.exe).
Trojans:
This kind of malware disguises itself as legitimate software, or is hidden
in legitimate software that has been tampered with. It tends to act discreetly and
create backdoors in your security to let other malware in.
Spyware:
No surprise here — spyware is malware designed to spy on you. It hides in
the background and takes notes on what you do online, including your passwords,
credit card numbers, surfing habits, and more.
Worms:
Worms infect entire networks of devices, either local or across the internet, by
using network interfaces. They use each newly infected machine to infect others.
Ransomware:
This kind of malware typically locks down your computer and your files, and
threatens to erase everything unless you pay a ransom.
Adware:
Though not always malicious in nature, aggressive advertising software can
undermine your security just to serve you ads — which can give other malware an
easy way in. Plus, let’s face it: pop-ups are really annoying.
Botnets:
Botnets are networks of infected computers that are made to work together
under the control of an attacker.
Static analysis
----------------
Basic static analysis examines software without executing it. It is straightforward
and can be quick, but it is largely ineffective against sophisticated malware and can
miss important behaviour.
Advanced static analysis consists of reverse-engineering the malware binary: the
executable is loaded into a disassembler such as OllyDbg or IDA to recover assembly
language from the machine code, and we then read the program to discover what it does.
Techniques used in static analysis include: determining the file type; extracting the
strings encoded in the binary file; checking for file obfuscation, to determine whether
the file has been packed or a cryptor has been used; and hashing the file and comparing
the hash against multiple AV databases.
Finding strings:
Searching through the strings can be a simple way to get hints about the
functionality of a program.
Use Strings (Sysinternals) on Windows.
Look for URLs, DLLs and IP addresses.
Files which are UPX packed can be unpacked by the following command:
upx -o <newfilename> -d <packedfilename>
PE File Sections
----------------
Information gathering from the Portable Executable (PE) file format
The PE file format is used by Windows executables, DLLs, etc. It contains the
information the Windows OS loader needs to run the code. While examining PE files, we
can analyse which functions have been imported and exported, and what type of linking
is used, i.e. runtime, static or dynamic.
A PE file contains a header and several important sections. These sections hold useful
information. Let's understand these sections as well.
1) .text: This contains the executable code.
2) .rdata: This section holds read-only, globally accessible data.
3) .data: Stores global data accessed throughout the program.
4) .rsrc: This section stores resources needed by the executable.
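A small triage script, added here as an illustration and not part of these notes, that performs the static checks described above on a PE file: hashes, printable strings, the section table walked from the PE header, per-section entropy, and a packing indicator (UPX section names or near 8 bits/byte entropy). The two inputs are constructed PE-shaped byte blobs rather than real executables, and the function and sample names are assumptions.

```python
import hashlib, math, re, struct

def extract_strings(data, min_len=4):
    """ASCII strings of at least min_len printable chars, as the Strings tool reports."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted sections approach 8.0."""
    probs = [data.count(bytes([b])) / len(data) for b in set(data)] if data else []
    return -sum(p * math.log2(p) for p in probs)

def pe_sections(data):
    """Walk the PE section table: e_lfanew -> COFF header -> IMAGE_SECTION_HEADER entries."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header, not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first section header
    sections = []
    for i in range(nsect):  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), raw_off, raw_size))
    return sections

def triage(data):
    """Hashes, strings, per-section entropy and a packing verdict for one PE image."""
    report = {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
              "strings": extract_strings(data),
              "sections": {n: round(entropy(data[o:o + s]), 2) for n, o, s in pe_sections(data)}}
    # UPX names its sections UPX0/UPX1; a section near 8 bits/byte also suggests packing.
    report["likely_packed"] = bool({"UPX0", "UPX1"} & set(report["sections"])) \
        or any(e > 7.0 for e in report["sections"].values())
    return report

def build_sample_pe(section_name, payload):
    """Constructed, minimal PE-shaped blob (not a runnable executable) for the demo."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)           # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)     # 1 section, no optional header
    raw_off = pe_off + 4 + 20 + 40                                   # data follows the section header
    sect = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), len(payload), 0x1000,
                       len(payload), raw_off, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + payload

# Constructed samples: a plain .text section with recognisable strings, and a UPX-named
# section of uniformly distributed bytes (entropy 8.0), as a packed file would show.
CLEAN = build_sample_pe(b".text", b"\x55\x8b\xec" + b"kernel32.dll\0CreateFileA\0http://example.invalid/beacon\0" + b"\0" * 64)
PACKED = build_sample_pe(b"UPX1", bytes(range(256)) * 2)
```

Calling `triage(CLEAN)` lists the DLL name, API name and URL among the strings with a low-entropy `.text` section, while `triage(PACKED)` flags the `UPX1` section and `likely_packed`.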
Dynamic analysis
----------------
Basic dynamic analysis actually runs the malware to observe its behaviour, understand
its functionality and identify technical indicators which can be used in detection
signatures. Technical indicators revealed by basic dynamic analysis can include
domain names, IP addresses, file path locations, registry keys, and additional files
located on the system or network.
Memory Forensics
-----------------
When investigating advanced computer attacks which are stealthy enough to avoid
leaving data on the computer's hard drive, the memory of the computer must be
analyzed for vital information. Memory analysis is the science of using a memory
image to determine information about running programs, the operating system, and
the overall state of a computer.
Steps in memory forensics
a> Memory Acquisition:
This step involves dumping the memory of the target machine. On a physical
machine you can use tools like Win32dd/Win64dd, Memoryze, DumpIt or FastDump. On a
virtual machine, acquiring the memory image is easy: you can do it by suspending the
VM and grabbing the ".vmem" file.
b> Memory Analysis:
Once a memory image is acquired, the next step is to analyze the grabbed memory
dump for forensic artifacts. Tools like Volatility, and others like Memoryze, can be
used to analyze the memory.
Software:
-------------
Strings (Sysinternals) - To check the strings in the executable
PEiD - To check if the executable is packed.
PEview (Sysinternals) - To view the structure of the exe.
Ollydbg/IDA - To reverse-engineer the malware binary by loading the executable into a
disassembler
Dependency Walker
Resource Hacker
FileAlyzer
Procmon
Process Explorer
Regshot
ApateDNS
Netcat
Wireshark
INetSim