We just looked at some of these basic tools that you can use. And I would say go ahead and download more malware and play with it and just see what these tools do, or even just normal software, because, like I said, malware analysis is a subset of software analysis, and you should use multiple tools to confirm your findings, because this is all software, and all software has bugs, even my work, which we'll see in just a second.
And I know you may think we're focusing a lot on Windows, but most malware is for Windows. A lot of this stuff can be applied to Linux malware as well, since most malware does the same type of things, whether it's beaconing out to the network, or hooking functions, which we'll talk about later, or using simple encryption methods. Look at both Linux and Windows.
And it is key to know that we can get into this a lot more with some of those tools, and other tools. Internals tools like Procmon are very powerful, but you have to spend a lot more time looking through those logs, and we'll cover that later.
And if you want to step through exactly what the program is doing, slow it down and step through it, control every little bit, a debugger is perfect for that. And there is one in your VM that I told you to get, called OllyDbg, which we will cover later.
Now, some notes for the paranoid.
Some malware will not run because security products are installed. Some malware will not run just because it thinks it's in a sandbox. Like I saw some malware where it wouldn't run if the username was "user".
You know, it wouldn't run if the username was ... you know, stuff like that. Malware is purposely trying to detect that type of stuff. There are other reasons why it might not run, such as it's in the wrong environment.
Some malware is targeted like that: if the wrong version of Word is installed, it will not run, it cannot exploit it. Or the wrong version of Windows: if it is on the wrong version of Windows, it will not run because it doesn't have access to certain features, or whatever the case may be. It doesn't run because software, or even language packs, are not installed. There's a big banking Trojan, a huge banking Trojan, that has kind of tapered off lately, and it will not run if it detects that it is running in a CIS country, basically a country that has a Russian or Ukrainian keyboard attached to it. The malware authors do not want to upset the law enforcement in those countries, for obvious reasons.
I saw that there's some Pearl Harbor malware where it would only execute and do damage on the anniversary of Pearl Harbor, if the Japanese language was detected or a Japanese keyboard was detected.
Or sometimes, a lot of times actually, I've seen where malware has multiple components and will hide one part of itself in one service, hide another part of itself in the registry, and hide another part of itself in a file that it infected. If any one of the components isn't there, it won't work properly. Or if it doesn't have a network connection directly to the Internet, it won't work, like some malware will try to reach google.com or will try to access a certain web page, and if it can't get to it, it's just not gonna work. It says, well, if I can't get to the Internet then I'm useless anyway, and just won't work.
And the other, not so purposeful, things include bugs in the malware. I've seen lots of malware where it reads the date wrong, or it tries to read in a value from something that doesn't exist and crashes, or divides by zero. Malware is software like any other, and it has bugs made by the malware authors. You wrote a program that works fine for Windows XP, but then it didn't work on Windows 7. Or there is one where I saw that it did work on Windows 95, it didn't on Windows 98, but then it did again on Windows 2000, which was pretty funny.
Sometimes the dependencies aren't met, so in our fresh-installed Windows XP here, there's no .NET runtime libraries. This is interesting, since some malware out there is written in .NET and needs those libraries. So there have been times where I had to go and download the .NET library because I couldn't get the malware to execute.
Some malware I've seen in point-of-sale system compromises, they had a kill date in the malware, where the actors have a certain campaign time frame, so that if it's beyond this week or if it's beyond this month, then it doesn't do anything. It kills itself, or goes crazy and causes a lot of logs, or causes a lot of events to be logged that have nothing to do with anything. Or sometimes there's a specific target in mind.
I remember one time I spent a whole week reversing a sample, and it did a whole bunch of nothing, what we call junk code. It was handed to me because no one could figure out what it was doing. They just executed it and it just didn't do anything. And when I was looking at it and stepping through it, I realized the part I was figuring out was that it was trying to get the process ID, or it was trying to get the GUID for the system, and was using that as the key to decrypt the payload. That meant that my computer did not have the proper key, and I didn't know where the sample came from, I didn't know who it was targeting, and I didn't know that Zeus did this. This is a common way to update: so it had already infected the system, it beaconed home to the command and control server, and then the command and control server sent an update, an executable that would only run on that system. That's how I found that out. Well, thanks, Zeus, a major malware family if you haven't heard of it.
And then some malware knows that it will be analyzed at some point and employs certain functions that take a lot of time, such as the sleep function in Windows. It will specify that the malware should sleep for a day. So it will sleep for, you know, an hour, or a day, or a week, and then it will become active and then do its damage or collect information or do whatever.
And so a common sandbox anti-anti-analysis technique is to hook the sleep function and just short-circuit it, making it a no-op so that it just doesn't do anything. So they say, OK, sleep for 10 minutes and then do this. Then it just short-circuits and says sleep for zero seconds, OK, and then goes about its business.
And then that is also a sandbox detection technique: if they try to sleep for a certain amount of time and it returns immediately, then the malware knows it's in the sandbox. They play this game back and forth.
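The back-and-forth just described, as an added illustration that is not part of the lecture: a Python model of a sandbox's sleep hook. The naive hook drops the wait and leaves the clock alone, so a sample that times its own sleep call sees no time pass; the consistent hook drops the wait but advances a virtual tick counter by the requested amount, so the sample observes the delay it asked for and the sandbox still finishes in seconds. `VirtualClock`, the two hooks and `sample_believes_it_slept` are hypothetical stand-ins for the Windows Sleep/GetTickCount behaviour, not real API hooking.

```python
"""Sleep-skipping in a sandbox, simulated (added example, not lecture code).

The sample asks to sleep for a day to outlast the sandbox's run window.
A hook that simply returns is detectable: the sample reads a tick counter
before and after the call and sees that no time passed. A consistent hook
skips the wait but also advances the clock the sample can see.
"""
import time

ONE_DAY_MS = 24 * 60 * 60 * 1000


class VirtualClock:
    """Hypothetical tick counter the sandbox exposes, plus a log of skips."""

    def __init__(self):
        self._offset_ms = 0   # milliseconds we pretended had passed
        self.skipped = []     # requested sleep lengths, for the analyst's report

    def tick_count_ms(self):
        # Real monotonic time plus everything skipped so far.
        return int(time.monotonic() * 1000) + self._offset_ms

    def skip(self, ms):
        self._offset_ms += ms
        self.skipped.append(ms)


def naive_sleep_hook(clock, ms):
    """Short-circuit: return at once, clock untouched (detectable)."""
    clock.skipped.append(ms)


def consistent_sleep_hook(clock, ms):
    """Short-circuit, but advance the clock the sample can observe."""
    clock.skip(ms)


def sample_believes_it_slept(sleep_hook, clock, requested_ms):
    """Model of the sample's check: time the sleep call and treat an
    instant return as evidence of a sandbox."""
    before = clock.tick_count_ms()
    sleep_hook(clock, requested_ms)
    elapsed = clock.tick_count_ms() - before
    return elapsed >= requested_ms


def total_skipped_ms(clock):
    """Analyst-side summary: wall time the run would otherwise have needed."""
    return sum(clock.skipped)


def demo():
    """Run both hooks against a one-day sleep request."""
    naive = VirtualClock()
    naive_ok = sample_believes_it_slept(naive_sleep_hook, naive, ONE_DAY_MS)
    good = VirtualClock()
    good_ok = sample_believes_it_slept(consistent_sleep_hook, good, ONE_DAY_MS)
    return naive_ok, good_ok, total_skipped_ms(good)


if __name__ == "__main__":
    naive_ok, good_ok, skipped = demo()
    print("naive hook, sample believes it slept:", naive_ok)        # False
    print("consistent hook, sample believes it slept:", good_ok)    # True
    print("sandbox skipped", skipped, "ms of waiting")
```

The skip log is the part a defender actually wants from a run: a sample that requests hours of sleep is itself a finding, and the summary shows how much wall time the short-circuit saved.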
A lot of malware will still run in virtual machines. A lot of virtual machines nowadays are actually significant pieces of infrastructure, like there's a lot of web servers that are virtual machines that malware authors would love to infect, and if their sample will just not work on virtual machines, that's a disadvantage now. And there's a lot of IT companies who only have virtual machines for their users. So if you make your sample not work in a virtual machine, you may not become very effective at infecting people.
... is to use this command in Windows, icacls, and pick a directory like C:\malware, and /deny, and then use this string so that no one can accidentally execute malware on that Windows machine, like a host machine. I do this for folders on my machine, just in case I double-click or mis-click and infect myself. I definitely don't want to do that. What I do when I run malware is grab that network cable and pull it out before the malware starts beaconing out.
Sometimes I don't want malware authors to know that I have their sample and that I'm analyzing it. I remember one time I was looking at a malware sample and I was running it over and over and over again in the VM. And I noticed that every time I would execute it, it would go and download a command and control list, a list of all the machines that were infected most recently, and give you their IP address. And so the malware was then contacting those machines for, like, updates, instructions. It's kind of a peer-to-peer network. Looking at, like, the last 10 or 15 entries, it was like, my VM, like "Zach Johnson" or something like that, and so it was that same machine name, over and over and over. It's pretty obvious to anyone who's looking at it that someone was executing that malware over and over and over again on that computer and it was beaconing out. So the malware authors, the botnet operators, could have easily seen that I was analyzing their malware. And they probably did know that.
... the ability for anyone to actually execute something, by doing your chmod, you know, it's read, write, execute for the three groups: your user, your group, and everyone else, and read, write, execute, or the bit in there. If you want to read more on that, just type in man chmod.
Another note for the paranoid is that some malware will only become active if it can actually detect that there is a user there. So it will watch for user interactions, like mouse movement, window movement, other programs executing, you know, someone using the computer, or else it will not execute. So sometimes you need to move around the mouse or open up Explorer or surf the Internet or something like that.
So just a recap of what we covered today: we covered the basics of dynamic analysis, at least the host-based part. We went over the tools that we put in our VM last time, and I think some of the best practices for them and how you might set them up, configure them and automate them if you wanted to. And we toured a lot of reasons why dynamic analysis might fail, but it does work a lot of the time, most of the time actually.
And if you want to do further reading on this, Practical Malware Analysis has a great chapter on basic dynamic analysis, with some tools that I'm not too fond of, but they are pretty good, and it has an advanced dynamic analysis section for debugging and doing a lot of that stuff. So with that, I would definitely say you should get your own samples, like from a malware sample database, because you can see that they have been classified, they've been marked as to what they are, and they've been known for a while, and you can run them around to see what the malware does. You can see what registry keys it touches, you can see exactly what other people like myself have done, written reports about how dangerous the malware is, exactly what it does, exactly how it spreads and stuff like that, and you can make your own indicators of compromise, and then you can go and look at other people's indicators of compromise.
And I would suggest not only doing this for malware but doing this for software in general.
Again, my name is Sean Pierce. Thank you for watching Cybrary.