Intro Part 2



Time: 9 hours 10 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Description

Now that you know what malware is and why malware analysis is critical for any organization, let's understand some basic tools that are used in the analysis of malware infections. This session begins with an introduction to basic malware analysis tools such as SysInternals, the MAP pack, 010, a PE viewer, a disassembler, Cygwin, Notepad++, and 7zip. Though there are several tools available in the market today, you should ensure that the tools are not driving your analysis. You'll also learn some tips to keep in mind when installing these tools. Further into the class, we'll use an example to explain how to analyze a potential malware file using the VirusTotal tool (available online). VirusTotal helps you learn the history of the malware and similar instances of the file. You'll also understand that certain file types (or malware) display a PDF after executing the file to avoid any suspicion.

Video Transcription
00:04
Like I said before, we're going to go through a few basic tools and just a very basic one-minute three-hour situation. I'm just going to say, SysInternals by Mark Russinovich is really good. The MAP pack, the malware analysis pack by David Zimmer, is really good. I would highly suggest you get a text editor; 010 is really good. There are free ones out there. A PE viewer, a lot of these are free. I would suggest one of those, but we're not going to show them here. A disassembler: IDA Pro is the industry standard, but there are some others there that are pretty decent. Hoppers from ACT, x64dbg does a pretty good job at debugging or does a pretty good job at disassembling 64-bit code. But it is the debugger, so it will start automatically executing code if you're not careful.

Just as a personal preference, I would prefer Cygwin. This is a Linux environment because it has with it md5sum; you can calculate hashes. GCC is the GNU C compiler that can be used to create executable code from C code, from the command line right there quite easily, if you don't want to install Visual Studio. xxd is a hex viewer, much like 010, but command line-based. The file command, the strings command, and Cygwin also has Python 2.7 and 3.3 distributions inside of it. Nifty, if you just want to have an all-in-one package for a bunch of different tools. Notepad++ is a text editor I highly suggest and 7zip is a compression and decompression tool that I highly suggest.

I'm going to say you were presented with a sample, what do you do? Let's say these are the tools I just suggested. Malware analysis pack, you just run and it'll install several of these shell extensions, not that. It will also install some of these shell extensions such as MD5 hash and string, submit VirusTotal, 010, and then install this shell extension. 7zip here, install this shell extension, which is really nifty because you can easily just extract lots of different file types. This is an MSI file type, so I can probably extract that. If I look over here on my desktop, I'll find that it was extracted. Then if I open that, I can see that there's lots of files in that MSI installer. Then I can further dive into this EXE file and say I would like to extract that and cue it inside the EXE file with all the different sections. The .text section is famous for having executable code and not actual text, for some weird reason. Inside the resource section, I can find a text file. Sometimes malware keeps other malware or other components, other executables, in their resource sections. Here it's pretty benign, it's just a text file.

But when you're setting up Cygwin, it's important to note that some tools aren't installed by default, and here I'm just going to run through the basics. If you're installing this software the first time and this scares you, don't let it scare you; all the packages should be signed and verified, so I usually pick just any old thing. You'd like to stick to edu or government websites. To get one command that I really like called Bile, I will have to type in binutils. You go to development and it's this first one here, binutils. I've already installed it, but you should click this to make sure it installs. Another one is xxd under editors. Last one is files. I'm pretty sure it is default. No, the last one is gcc. You don't have to install it if you don't want to. I prefer to keep it around, give it just, like I said, if you want to pump some C code up.

Let's say you get a sample here, you don't know what it is. Some incident response guy said he just found it, okay, that's bad. Let's say I just try looking at it in a hex editor just to see what's there. On the left-hand side, here's the raw binary data represented in hexadecimal format. I'm going to write on the left-hand side, it shows the raw hexadecimal format and on the right-hand side, it shows the ASCII representation of the binary data. Obviously, the binary data is a lot of gibberish if you tried to view it as English text. But a lot of programmers have a lot of embedded ASCII like MZ. This file header, you know this is an executable or Windows executable due to this file header. This string is more proof that it has a DOS file header and this is what we call the PE header. We are going to learn a lot more about PE files in the future but not right now; you just know that this is an EXE file or a DLL file at this point.

Let's say I want to get the hash; it has an icon right here. I can copy the hash and search Google for it. One result pops up, it's for VirusTotal. For those of you who don't know VirusTotal, it's a website where you can submit any file and it will scan it with about 52, it goes up and down sometimes, with 52 at this point in time, antivirus products and it will tell you the detections between them. This should not be used as an end-all be-all in security. But it is useful. We see the first analysis in 2014, in May it was uploaded by this name. This is a SHA256 hash. You've all this information saying, "Okay. There's one person who commented, said it was bad, I had 42 detections." A lot of them say Symmi, Zbot, Zbot, and Zbot, and Zbot. If I Googled Zbot, that might lead to some more information; Zeus malware, Trojan.zbot, trojan.zbot. It's good stuff in the comments. Someone has commented, malware family Zeus, version 2.1.0.1. Some other information, which is pretty cool. I have pretty much confirmed this is Zbot, this malware example.

It's important to know that while I have shown you a few tools, your analysis should drive the tools. Your tools should not drive your analysis. Now, let that sink in for a moment. Your tools should not drive the analysis. You should not say, "Oh, I have this or this tool, let me run this script or let me upload to VirusTotal every single time." Because I've seen some stuff on VirusTotal that probably shouldn't have been uploaded, like sensitive company emails or internal memos or classified things, things that should not be up there, but people are just like, "Oh, let me just upload everything because VirusTotal told me that the virus is not very good."

If I want to see if there's any strings in the malware, I can with this, with the malware analysis pack tool. I can see that there's a lot of gibberish. This stuff looks interesting. In a way, I can Google for this type of stuff to do like an RP page. This looks like a PDF document type of stuff, so maybe this thing drops a PDF after it's done executing; it will display a PDF file so that it doesn't look as suspicious.
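As an added example (not the course's own code nor the MAP pack's), here is a Python first look at an unknown sample that does what the transcript does by hand: hash the bytes so you can search the hash instead of uploading the file, check for the DOS MZ header and the PE signature it points at, pull printable strings the way the strings command does, and flag a %PDF marker that hints at a decoy document dropped after execution. The sample bytes are constructed, not a real executable; the VirusTotal result is not reproduced.

```python
import hashlib
import re
import struct


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the bytes: search these rather than uploading the file."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_pe(data: bytes) -> bool:
    """True if the blob has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, like the strings command or the MAP pack strings view."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes) -> dict:
    """Static first look at an unknown sample: no execution, no upload."""
    return {
        "hashes": file_hashes(data),
        "is_pe": is_pe(data),
        "strings": extract_strings(data),
        # A '%PDF-' marker inside an EXE hints at a decoy document shown after execution.
        "embedded_pdf": b"%PDF-" in data,
    }


# Constructed stand-in for an unknown sample: a fake MZ/PE header plus a PDF marker.
# It is not a real executable and cannot run; only the header layout is mimicked.
SAMPLE = bytearray(0x100)
SAMPLE[0:2] = b"MZ"
struct.pack_into("<I", SAMPLE, 0x3C, 0x80)   # e_lfanew -> PE signature at 0x80
SAMPLE[0x80:0x84] = b"PE\x00\x00"
SAMPLE[0x90:0x98] = b"%PDF-1.4"              # decoy document header inside the binary
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["hashes"]["sha256"], report["is_pe"], report["embedded_pdf"])
    print(report["strings"])
```

Point the functions at the bytes of a real file read in binary mode to reproduce the hex-editor and hash steps from the video without touching the network.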