Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this lesson, we dig deeper into malware dynamic analysis. You can download more advanced tools such as SysAnalyzer, ProcMon, and OllyDbg; we cover these advanced tools later in the course. We then discuss some reasons why certain malware samples may not run on virtual machines: some malware will not run if the username is 'analysis machine' or just 'user', if it detects a sandbox environment, or if it detects security products. We also discuss other reasons why some malware does not work on some virtual machines, and you learn some malware execution tips. Finally, you can read Practical Malware Analysis by Michael Sikorski and Andrew Honig to learn more about dynamic analysis.
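The description above mentions two evasion checks that keep a sample from detonating in an analysis VM: an analyst-looking username and a sandbox that tampers with Sleep(). The following Python is an added example written for this page, not code from the course or from any malware family. It models the sample's side of both checks and the analyst's side of the sleep hook, including the case where a sandbox also fakes the clock so the timing check no longer exposes the hook. The username blocklist, the tolerance value and the clock model are assumptions made for illustration.

```python
"""Added example, not part of the lesson: environment checks a sample might
run before detonating, plus the analyst-side counter of short-circuiting
Sleep(). Username list, thresholds and clock model are assumptions."""
import getpass
import time

# Constructed blocklist: the names the lesson mentions plus generic ones an
# analyst VM might use. Illustrative assumption, not pulled from any sample.
SUSPICIOUS_USERNAMES = {"user", "analysis machine", "sandbox", "malware", "analyst"}


def username_looks_like_analyst(username=None):
    """Case-insensitive match of the current (or given) account name against
    the blocklist. Malware that does this simply refuses to run."""
    name = getpass.getuser() if username is None else username
    return name.strip().lower() in SUSPICIOUS_USERNAMES


def sleep_was_skipped(requested_s, sleep_fn=time.sleep, clock=time.monotonic,
                      tolerance=0.5):
    """Request a sleep and compare the time that actually elapsed. If far less
    than requested passed, a hooked or no-op Sleep() is the likely cause."""
    start = clock()
    sleep_fn(requested_s)
    elapsed = clock() - start
    return elapsed < requested_s * tolerance


def environment_checks(username=None, requested_sleep_s=1.0,
                       sleep_fn=time.sleep, clock=time.monotonic):
    """Run both checks and return the findings as a dict of flags."""
    return {
        "analyst_username": username_looks_like_analyst(username),
        "sleep_skipped": sleep_was_skipped(requested_sleep_s, sleep_fn, clock),
    }


def should_detonate(checks):
    """Sample-side decision: only proceed when no check tripped."""
    return not any(checks.values())


# --- analyst / sandbox side -------------------------------------------------

def noop_sleep(seconds):
    """The naive anti-anti-analysis hook: Sleep() returns immediately. It
    defeats a 'sleep for a day' delay but is exposed by sleep_was_skipped()."""
    return None


class SandboxClock:
    """A sandbox that skips the sleep *and* advances the clock it exposes to
    the guest by the requested amount, so the timing check no longer reveals
    the hook. Models the back-and-forth between evasion and analysis."""

    def __init__(self, start=0.0):
        self._t = start

    def now(self):
        return self._t

    def sleep(self, seconds):
        self._t += seconds  # pretend the time passed without actually waiting


if __name__ == "__main__":
    # Honest environment: real sleep, short delay so the demo is quick.
    print(environment_checks("jdoe", requested_sleep_s=0.05))
    # Naive hook: the sample notices its hour-long sleep returned at once.
    print(environment_checks("jdoe", 3600, sleep_fn=noop_sleep))
    # Hook plus faked clock: the sample is fooled and would detonate.
    sc = SandboxClock()
    print(environment_checks("jdoe", 3600, sleep_fn=sc.sleep, clock=sc.now))
```

The sample-side functions take the sleep and clock as parameters only so the three scenarios can be driven from one script; real malware calls the Windows APIs directly, which is exactly why a sandbox that hooks Sleep must also hook the time sources it reads.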

Video Transcription

00:04
We just looked at some of these basic tools that you can use, and I would say go ahead and download more malware and play with it and just see what these tools do, or even just normal software, because, like I said, malware analysis is a subset of software analysis and you should use multiple tools to confirm your findings because
00:23
this is all software, and all software has bugs,
00:26
even malware, which we'll get to in just a second.
00:29
Um, and I know you may think we're focusing a lot on Windows, but most malware is for Windows. But a lot of this stuff can be applied to Linux malware as well, as most malware would do the same type of things, whether it is beaconing out to the network or hooking functions, which we'll talk about later, or using simple encryption methods,
00:48
on both Linux and Windows.
00:50
Um,
00:51
And it is key to know that we can get into this a lot more with some of those tools, other tools.
00:59
Sysinternals tools like ProcMon are very powerful, but you have to spend a lot more time looking through those logs, and we'll cover that later.
01:08
Um, and if you want to step through exactly what the program is doing and slow it down and step through it, control every little bit, a debugger
01:19
is perfect for that, and
01:22
there is one in your VM that I told you to get, called OllyDbg, which we will cover later.
01:26
Now, some notes for the paranoid.
01:32
Some malware will not run because security products are installed. Some malware will not run just because it thinks it's in a sandbox. Like, I saw some malware where it wouldn't run if the username was "user".
01:47
You know, it wouldn't run if the username was
01:51
"analysis machine",
01:53
You know, stuff like that.
01:55
So
01:56
but beyond
01:57
malware purposely trying to detect
02:01
that type of stuff, there are other reasons why it might not run, such as it is in the wrong environment.
02:09
Some malware is targeted like that: if the wrong version of Word is installed, it will not run, it cannot exploit it, or the wrong version of Windows.
02:23
If it is on the wrong version of Windows, it will not run because it doesn't have access to certain features, or whatever the case may be. It doesn't run because software
02:32
is or is not there,
02:35
um, or even language
02:38
packs are or are not installed. [Name unclear], a big banking Trojan, a huge banking Trojan, that has kind of tapered off over the last
02:49
year or so,
02:51
will not run if it detects that it is running in a CIS country, basically a country that has a Russian or Ukrainian keyboard attached to it. The malware authors do not want to upset
03:06
the law enforcement in those countries,
03:09
for obvious reasons. I saw that there's some Pearl Harbor malware where it would only execute and do damage on the anniversary of Pearl Harbor if the Japanese keyboard language was detected, or Japanese language detected or Japanese keyboard,
03:24
Um
03:25
or sometimes, a lot of times actually, I've seen where malware has multiple components; it will hide
03:32
one part of itself in one service, or hide another part of itself in the registry, and hide another part of itself in a file that it infected. If any one of the components isn't there, it won't work properly. Or if it doesn't have a network connection directly to the Internet, it won't work,
03:50
like some malware will ping google.com or will try to access a certain Web page, and if it can't get to it, it's just not gonna work. It says, well, if I can't get to the Internet then I'm useless anyway, and just won't work.
04:04
And the other not-so-purposeful things include bugs in the malware. I've seen lots of malware with
04:13
silly bugs like
04:15
it reads the date wrong, or it tries to read in a value from something that doesn't exist and
04:23
it crashes, or divide by zero.
04:26
Malware is software like any other, and it has bugs
04:30
made by the malware authors. Um,
04:32
they wrote a program that works fine for Windows XP, but then it didn't work on 7, or
04:40
there is one where I saw that it did work on Windows 95, it didn't on Windows 98, but then it did again on Windows 2000, which was pretty funny.
04:49
Sometimes the dependencies aren't met. So on our freshly installed Windows XP here, there are no .NET runtime libraries. This is interesting: some malware out there is written in .NET and needs those libraries. So there have been times where I had to go and download the .NET library
05:08
because I couldn't get the malware to execute
05:12
Some malware I've seen in point-of-sale system compromises, there are kill dates in the malware where the actors have a certain campaign time frame, so that
05:24
if it's beyond this week or if it's beyond this month, then it doesn't do anything. It kills itself or goes crazy and causes a lot of logs,
05:35
or causes a lot of events to be logged that have nothing to do with anything. Or sometimes there's a specific target in mind.
05:46
I remember one time I spent
05:47
a whole week reversing a sample, and it did a whole bunch of nothing, what we call junk code,
05:57
and,
05:58
uh, it was handed to me because no one could figure out what it was doing. They just executed it and it just didn't do anything.
06:04
And when I was looking at it and stepping through it, I realized the part was, it was trying to get the process ID, or it was trying to get the GUID for the system, and was using that
06:18
as the key to decrypt the payload.
06:23
And
06:24
that meant that my computer did not have the proper key,
06:28
and I didn't know where the sample came from. I didn't know who it was targeting, and I didn't know that Zeus did this. This is a common way to update: so it had already infected the system, it beacons home to the command and control server,
06:44
and then the command and control server sent an update,
06:47
an executable; it would only run on that system.
06:51
So
06:53
you know, I found that out. Well, thanks, Zeus,
06:59
a major malware family, if you hadn't heard of it.
07:01
Um, and then some malware
07:03
knows that it will be analyzed at some point,
07:08
so
07:09
some malware authors,
07:12
as an anti-
07:13
dynamic analysis
07:15
defense mechanism,
07:16
will
07:18
employ certain functions that take a lot of time,
07:23
such as the sleep function in Windows. It will specify that the malware should sleep for a day
07:29
or,
07:30
you know,
07:31
two.
07:32
So it will sleep for,
07:34
you know, an hour, or a day, or a week, and then it will become active and then do its damage or collect information or do whatever.
07:45
And so a common sandbox
07:47
counter technique.
07:49
an anti-anti-analysis technique, is to hook the sleep function and just short-circuit it, making it a no-op so that it just doesn't do anything. So they say, OK, sleep for 10 minutes and then do this.
08:03
Then it just short-circuits and says sleep for
08:07
zero seconds, okay, and then goes about its business.
08:09
Um
08:11
And then that is also a
08:13
sandbox detection technique: if they try to sleep for a certain amount of time
08:18
and it returns immediately, then the malware knows it's in a sandbox.
08:22
But
08:22
they play this game back and forth
08:24
constantly.
08:26
But then again,
08:28
um, a lot of malware will still run in virtual machines
08:31
because
08:35
a lot of virtual machines nowadays are actually significant pieces of infrastructure. Like, there's a lot of Web servers that are virtual machines that malware authors would love to infect,
08:45
and if their malware sample will just not work on virtual machines, that's a disadvantage now,
08:50
and there's a lot of IT companies
08:54
who only have virtual machines for their users. So if you make your sample not work in a virtual machine,
09:01
then
09:03
you may not become an effect,
09:05
you may not become very effective at infecting people.
09:09
Just another good
09:11
So
09:13
operational security tip
09:16
is to use this command in Windows, cacls, and pick a directory like C:\
09:22
malware and /deny
09:26
and then use this string so that
09:28
no one can accidentally execute malware on that Windows machine, like a host machine. I do this for all of them on my machine, just in case I double-click or mis-click and infect myself. I definitely don't want to do that, especially when I run and
09:46
grab that network cable and pull it out
09:50
before my malware is beaconing out.
09:52
Um, sometimes I don't want
09:54
malware authors to know that
09:58
I have their sample and that I'm analyzing it.
10:01
I remember one time I was looking at a malware sample and I was running it over and over and over again in the VM.
10:07
And I noticed that every time I would execute it, it would go and download a command and control list, a list of all the machines that were infected most recently,
10:22
and give you their IP address. And so the malware was then contacting those machines for, like, updates, instructions. It's kind of a peer-to-peer network.
10:31
I saw
10:33
my machines name
10:35
taking up like the last 10 or 15 entries. It was like,
10:39
I mean, my VM was named like Zach
10:41
Johnson or something like that. And so it was Zach Johnson from [unclear] over and over and over. It was like,
10:48
it's pretty obvious to anyone who's looking at it that someone was executing that malware over and over and over again on that computer that was beaconing out. So, the malware authors, the botnet operators, could have easily seen that
11:03
I was analyzing their malware, and they probably did know that.
11:09
Um, on Linux,
11:11
uh,
11:11
you can take away
11:15
the ability for anyone to actually execute something by doing your chmod
11:18
666, you know, it's read, write, execute,
11:22
sixes.
11:24
Um,
11:26
I'm sorry,
11:26
the three groups are
11:28
your user, group, and everyone else, and
11:31
read, write, execute, or the bit
11:35
in there. If you want to read more on that, just type in man chmod.
11:43
Another note for the paranoid is that some malware will only become active if it can really detect that there is a user there. So it'll watch for user interaction such as mouse movement, window movement, other programs executing,
11:58
you know, someone using the computer or else it will not execute.
12:05
So sometimes you need to move around the mouse or open up
12:09
Explorer or surf the Internet or something like that.
12:13
So just, um, a recap of what we covered today: we covered what the basics of dynamic analysis are, at least the host-based part. We went over the tools that we put in our VM last time, how to use them, and some of the best practices
12:28
for them and how you might set them up, configure them and automate them if you wanted to. Um,
12:33
and we toured a lot of reasons why dynamic analysis might fail, but it does work a lot of the time,
12:41
most of the time, actually.
12:43
And if you want to do further reading on this, Practical Malware Analysis has a great chapter on basic dynamic analysis with some tools that
12:52
I'm not too fond of, but they are pretty good, and it has an
12:56
advanced dynamic analysis section for debugging and doing a lot of that stuff. So, in short, I would definitely say you should get your own samples, like from
13:11
the [unclear] malware database,
13:15
because you can see that they have been classified. They've been marked as to what they are and they've been known for a while, and you can root around to see what the malware does. You can see what registry keys, actually, you can see exactly
13:31
what other people
13:33
like myself have done, written reports about how dangerous the malware is, exactly what it does, exactly how it spreads and stuff like that, and you can make your own indicators of compromise, and then you can go and look at other people's indicators of compromise.
13:50
And I would suggest not only doing this for malware but doing this for software in general.
13:58
Again, my name is Sean Pierce. Thank you for watching Cybrary,
14:03
and good night.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major file types, how to carve malicious executables from documents, and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor