Dynamic Analysis Part 1.3


Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9
Video Description

In this lesson, we dig deeper into dynamic malware analysis. You can download more advanced tools such as SysAnalyzer, ProcMon, and OllyDbg; these are covered later in the course. We then discuss why certain malware samples refuse to run on virtual machines: some will not run if the username is "analysis machine" or just "user", if they detect a sandbox environment, or if security products are installed. We also cover other, less deliberate reasons why some malware fails on a given virtual machine (wrong OS or application version, missing dependencies, kill dates, host-specific decryption keys), along with practical malware execution tips. Finally, Practical Malware Analysis by Michael Sikorski and Andrew Honig is recommended for further reading on dynamic analysis.

Video Transcription
00:03
>> We just looked at some of these basic tools that you can use. I would say go ahead and download some more malware and play with it and just see what these tools do, or even just normal software because, like I said, malware analysis is still software analysis. You should, like I said, use multiple tools to confirm your findings, because this is all software and all software has bugs, even malware, which we'll talk about in just a second.

I know you may think we're focusing a lot on Windows, but most malware is for Windows. A lot of the stuff can be applied to Linux malware as well, because most malware will do the same type of things: reaching out to the network, or hooking certain functions, which we'll talk about later, or using simple encryption methods, on both Linux and Windows.

It is key to know that we can get into this a lot more. Some of those tools are the tools and just internals, like ProcMon, which is very powerful, but you have to spend a lot more time looking through those logs, and we'll cover that later. If you want to step through exactly what the program is doing, slow it down, step through it and control every little bit, a debugger is perfect for that. There's one in your VM that I told you to get called OllyDbg, which we will cover later.

Now, some notes for the paranoid. Some malware will not run because certain security products are installed. Some malware will not run just because it thinks it's in a sandbox. Like, I saw some malware where it wouldn't run if the username was "user"; it wouldn't run if the username was "analysis machine", stuff like that. But beyond malware purposely trying to detect that type of stuff, there are other reasons why it might not run, such as it's in the wrong environment. Some malware is targeted like that. If the wrong version of Word is installed, it will not run because it cannot exploit it. Or if it's on the wrong version of Windows, it will not run because it doesn't have access to certain features, or whatever the case may be. It doesn't run because certain software is or is not there, or even because language packs are not installed.

Citadel, a big banking trojan, a huge banking trojan that tapered off last year or so, will not run if it detects it is running in a CIS country, basically any country that has a Russian or Ukrainian keyboard attached to it. The malware authors do not want to upset the law enforcement in those countries, for obvious reasons. I saw that there's some false Pearl Harbor malware where it would only execute and do damage on the anniversary of Pearl Harbor if a Japanese language was detected or a Japanese keyboard.

Or a lot of times, actually, I've seen where malware has multiple components. It'll hide one part of itself in one service, hide another part of itself in the registry, and hide another part of itself in a file it infected. If any one of the components isn't there, it won't work properly. Or if it doesn't have a network connection directly to the Internet, it won't work. Some malware will ping Google.com or try to access a certain webpage, and if it can't get to it, it's just not going to work. It says, well, if I can't get to the Internet, then I'm useless anyway, and just won't work.

Some other not-so-purposeful things include bugs in the malware. I've seen lots of malware with so many bugs. It reads the date wrong, or it tries to read in a value from something that doesn't exist and it just crashes through a divide-by-zero. Malware is software like any other and it has bugs. Even the malware authors wrote the program and it worked fine for Windows XP, but then it didn't work on 7. Or there's one where I saw that it did work on Windows 95, it didn't on Windows 98, but then it did again on Windows 2000, which was pretty funny. Sometimes the dependencies aren't met. When I first installed Windows XP here, there were no .NET runtime libraries. This is interesting because some malware out there is written in .NET and needs those libraries. There have been times where I've had to go and download the .NET libraries because I couldn't get the malware to execute.

Some malware I've seen in point-of-sale system compromises has kill dates in the malware; the actors have a certain campaign time frame so that, if it's beyond this week or if it's beyond this month, then it doesn't do anything. It kills itself or goes crazy and causes a lot of events to be logged that have nothing to do with anything.

Sometimes there's a specific target in mind. I remember one time I spent a whole week reversing a sample and it did a whole bunch of nothing, what we call junk code. It was handed to me because no one could figure out what it was doing. They just executed it and it just didn't do anything. When I was looking at it and stepping through it, I realized a part of what it was doing was trying to get the processor ID, or it was trying to get the GUID from the system, and it was using that as the key to decrypt the payload. That meant that my computer did not have the proper key. I didn't know where the sample came from, I didn't know who it was targeting, and I didn't know that Zeus did this as a common way to update. It had already infected the system. It sent the GUID back home to the command and control server, and then the command and control server would send an update, an executable that would only run on that system. When I found that out, I was like, well, thanks, Zeus. A major malware family, if you hadn't heard of it.

Then some malware knows that it will be analyzed at some point.

>> We've got some malware authors who, as an anti-dynamic-analysis defense mechanism, will employ certain functions that take a lot of time, such as the sleep function in Windows. It'll specify that the malware should sleep for a day or two. It will sleep for an hour or a day or a week, and then it will become active and then do its damage or collect information or do whatever. So a common sandbox counter-technique, an anti-analysis technique, is to hook the sleep function and just short-circuit it so that it doesn't do anything. Let's say, sleep for 10 minutes and then do this; it just short-circuits and says sleep for zero seconds, and then it goes about its business. That is also a sandbox detection technique. If they try to sleep for a certain amount of time and it returns immediately, then the malware knows it's in the sandbox. But they play this game back and forth constantly.

But then again, a lot of malware will still run on virtual machines, because a lot of virtual machines nowadays are actually significant pieces of infrastructure. Like, there are a lot of web servers or virtual machines that malware authors would love to infect. If their malware sample will just not work on virtual machines, that's a disadvantage now. There are lots of IT companies who only have virtual machines for their users. If you make your sample not work in a virtual machine, then you may not become very effective at infecting people.

Just another good OPSEC, operational security, tip is to use this command in Windows, icacls, and pick a directory like C:\malware, /deny, and then a string so that no one can accidentally execute malware on that Windows machine, like a host machine. I do this on my work folder on my machine just in case I double-click on something and infect myself. I definitely don't want to do that, because then I run and grab the network cable and pull it out before the malware can get out, because sometimes I don't want malware authors to know that I have their sample and that I'm analyzing it.

I remember one time I was looking at a malware sample and I was running it over and over and over again in a VM. I noticed that every time I would execute it, it would go and download a command and control list, a list of all the machines that were infected most recently, and it would give me their IP addresses, so the malware had been contacting those machines for updated instructions; it was kind of a peer-to-peer network. I saw my machine's name show up as the last 10 or 15 entries. My VM was named Zack Johnson or something like that. It was like, Zack Johnson, Zack Johnson, over and over and over again. It was pretty obvious to anyone who was looking at it that someone was executing that malware over and over and over again on that computer, and it was reaching out. The malware authors, the botnet operators, could easily see that I was analyzing their malware. They probably did know that.

On a Linux host, you can take away the ability for anyone to actually execute something by doing chmod 600. It's read, write, execute for three groups, your user, your group, and everyone else, and read, write, execute are the bits in there. If you want to read more on that, just type in man chmod.

Another note for the paranoid is that some malware will only become active if it can really detect that there is a user there. It'll watch for user interaction, such as mouse movement, window movement, other programs executing, just someone using the computer, or else it will not execute. Sometimes you need to move around the mouse or open up Explorer or surf the Internet or something like that.

Just a recap of what we covered here today. We covered what the basics of dynamic analysis are, at least the host-based part. We covered the tools that we put in our VM last time, how to use them, what the best practices for them are, and how you might set them up, configure them, and automate them if you wanted to. We talked about a lot of reasons why the analysis might fail. But it does work a lot of the time, most of the time, actually.

If you want to do further reading on this, Practical Malware Analysis has a great chapter on basic dynamic analysis with some tools that I'm not too fond of, but they're all pretty good. Then it has an advanced dynamic analysis section for debugging and doing a lot of that stuff. If you're interested in that, I would definitely say you should get your own samples, like from the Malware Zoo, the malware database, because you can see that they've been classified, they've been marked as to what they are, and they've been known for a while, and you can go around to see what the malware does. You can see what registry keys and so on. You can see exactly what other people like myself have done, written up reports about how dangerous the malware is, exactly what it does, exactly how it spread, and stuff like that. You can make your own indicators of compromise. Then you can go and look at other people's indicators of compromise. I would suggest not only doing this for malware but doing this for software in general.

Again, my name is Sean Pierce. Thank you for watching Cybrary, and goodnight.
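Editor's added example (not part of the transcript or the course material): the environment gates the lecture describes, written as one function an analyst can run against a description of their own VM to see which checks it would trip. It covers analyst-looking usernames, CIS keyboard layouts, installed security products, campaign kill dates, and the short-circuited Sleep() trick, plus a real measurement of sleep acceleration against the monotonic clock. The username list, the set of layouts treated as "CIS", the 0.5 sleep-ratio threshold and the sample VM description are assumptions made for this example, not values taken from any real family.

```python
"""Added example, not from the course or the instructor: host checks an analyst
should expect a sample to make before it runs, evaluated offline against a dict
describing the VM. Lists and thresholds below are assumptions."""
import time

# Assumed: usernames the lecture says some samples refuse to run under
ANALYST_USERNAMES = {"user", "analysis machine", "sandbox", "malware"}
# Windows keyboard layout identifiers (low word of the HKL): 0x0419 Russian,
# 0x0422 Ukrainian. Treating exactly these two as "CIS" is an assumption.
CIS_KEYBOARD_LAYOUTS = {0x0419, 0x0422}


def gates_tripped(env, today):
    """Return the reasons a sample with these gates would refuse to run.

    env describes the host (all keys optional):
      username          -> str
      keyboard_layouts  -> iterable of int layout identifiers
      security_products -> list of str
      kill_date         -> "YYYY-MM-DD" after which the campaign goes dormant
      sleep_ratio       -> elapsed / requested sleep, from measure_sleep_ratio()
    today is an ISO "YYYY-MM-DD" string, so the kill date compares lexically.
    """
    reasons = []
    if env.get("username", "").strip().lower() in ANALYST_USERNAMES:
        reasons.append("username looks like an analysis box")
    if CIS_KEYBOARD_LAYOUTS & set(env.get("keyboard_layouts", ())):
        reasons.append("CIS keyboard layout present")
    products = env.get("security_products") or []
    if products:
        reasons.append("security product installed: " + ", ".join(products))
    kill_date = env.get("kill_date")
    if kill_date is not None and today > kill_date:
        reasons.append("campaign kill date passed")
    # A sandbox that hooks Sleep() to skip delays returns far too early; a real
    # host gives a ratio of about 1.0 or slightly more.
    if env.get("sleep_ratio", 1.0) < 0.5:
        reasons.append("sleep returned early, probably hooked")
    return reasons


def measure_sleep_ratio(seconds=0.05):
    """Sleep and compare the monotonic clock against the request.

    Returns elapsed / requested: about 1.0 on a real host, near 0 under a
    sleep hook that short-circuits the call."""
    start = time.monotonic()
    time.sleep(seconds)
    return (time.monotonic() - start) / seconds


if __name__ == "__main__":
    # Constructed description of a typical analysis VM (not a real host)
    vm = {
        "username": "user",
        "keyboard_layouts": [0x0409],          # US English only
        "security_products": [],
        "kill_date": "2014-12-31",
        "sleep_ratio": measure_sleep_ratio(),
    }
    for reason in gates_tripped(vm, today="2015-01-15"):
        print("would not run:", reason)
```

The practical use is the inverse of the malware's: feed in what your VM actually looks like, and every reason returned is something to change (rename the user, remove the Russian layout, reset the clock before the kill date) before re-running the sample. The sleep measurement is the same arithmetic a sample uses to catch a hooked Sleep(), which is why sandboxes that skip delays also have to lie to the clock.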
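Editor's added example (not part of the transcript or the course material): the host-keyed payload the lecture describes, where the second stage is encrypted under a key derived from the victim's machine GUID so that it decrypts only on the intended host and does "a whole bunch of nothing" on an analyst's VM. The GUID values, the payload bytes and the cipher (an HMAC-SHA256 keystream with an authentication tag) are constructed for illustration and are not any real family's scheme; the point is the analyst-side failure mode and how to recover from it.

```python
"""Added example, not from the course or the instructor: environmental keying.
A stage-two blob is sealed to one host identity; opening it anywhere else fails
the tag check and yields nothing. All values below are constructed."""
import hashlib
import hmac

TAG_LEN = 16


def key_from_guid(machine_guid):
    """Derive the payload key from the host identity, as the sample would at runtime."""
    return hashlib.sha256(b"stage2-key|" + machine_guid.encode()).digest()


def _keystream(key, length):
    # Counter-mode keystream from HMAC blocks (illustrative cipher, not a real family's)
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(machine_guid, payload):
    """Operator side: encrypt the payload for one specific victim. Returns tag || ciphertext."""
    key = key_from_guid(machine_guid)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    return tag + ct


def open_on_host(machine_guid, blob):
    """Victim or analyst side: return the payload, or None when the key (the host) is wrong."""
    key = key_from_guid(machine_guid)
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # wrong host: the sample silently does nothing
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


# Constructed identities: the real victim and a fresh analysis VM
VICTIM_GUID = "6f1f0c0e-1a2b-4c3d-8e9f-0123456789ab"
ANALYST_VM_GUID = "00000000-0000-0000-0000-000000000000"
STAGE2 = b"stage2: harvest credentials and report to C2"
UPDATE_BLOB = seal(VICTIM_GUID, STAGE2)

if __name__ == "__main__":
    print("on the victim:", open_on_host(VICTIM_GUID, UPDATE_BLOB))
    print("on the analyst VM:", open_on_host(ANALYST_VM_GUID, UPDATE_BLOB))
```

This is why a week in the debugger can show only junk code: without the originating host's identity there is no plaintext to analyse. The recovery is to pull the identity the sample reads from the infected machine's image (on Windows the MachineGuid value under HKLM\SOFTWARE\Microsoft\Cryptography is one common source, though which value a given sample uses has to be confirmed in the disassembly) and replay it into the VM, or patch the key-derivation call under the debugger, before re-running the update.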