Intro Part 3


Time: 9 hours 10 minutes
Difficulty: Advanced
Video Description

Welcome to the Intro to Malware Analysis and Reverse Engineering – III class. This class begins by pointing you to several malware analysis write-ups available on various websites and blogs. These can be used to analyze specific malware samples and upskill your expertise in the area. Additionally, you can create your own malware using builders, or catch your own malware using a honeypot. Certain malware is triggered when it is scanned, when it is extracted from an archive, or when its icon (a Word, PDF, or system icon) is viewed. You'll also learn about hash collisions and why the industry is adopting SHA256 over MD5. We'll also cover how to inspect a malware file from the command line rather than by viewing its icon. And finally, there are two recommended learning resources that will help you build expertise in the area: Practical Malware Analysis by Michael Sikorski and Andrew Honig, and Virus Research and Defense by Peter Szor.

Video Transcription
>> If you were to look at some more malware, there are plenty of websites where you can get it. There are many websites like Contagio Malware Dump, the blog where they will provide analysis. They will say, "Hey, I saw this virus do this, and it does this interesting thing." You can download the malware and try to find that stuff by yourself. I like VirusShare. If you really don't like getting your stuff from other people, you can always catch your own, make the honeypot. There is plenty of software out there that we'll cover later. We can just next deploy, and it'll just catch malware, and you can analyze it. Of course, you can always make your own malware. There are plenty of builders out there and there's source code out there.

A few notes for the paranoid people among you. I will include the slide at the end of every lecture. Some malware can execute upon being scanned by antivirus products. I've seen vulnerabilities in antivirus scanners. They are not infallible. I've seen malware that will execute as soon as the icon is viewed, like a Word icon or a PDF icon, or even a system icon. In fact, that's how one of the zero-days that Stuxnet had worked: as soon as the file system recognized the icon there, it would automatically execute code, which is pretty dangerous, especially for a malware analyst where we're just looking at that icon. Now we didn't have an extension on it, but we are still looking at it. I've even seen where extracting the file from the archive, like we did, can execute the code. That was a nasty zero-day, but know this stuff is out there, not very common, but it is out there, and you should be careful, and we will learn how to deal with malware in a safer manner in the next video.

Then another note for those people who are paranoid: MD5 is the industry standard right now, but it can be manipulated. There are MD5 hashes out there for benign files, like NIST, the National Institute of Standards and Technology, and I love them. They keep a database of benign hashes, of known good software hashes. We're soon going to be looking at the MD5s of those hashes. They can make their malware produce that hash where it is not the exact replica of those bits. It is a file of their own creation, and that's what we call a hash collision, and that's bad. We should never have that, but it is more common with MD5; I don't think anyone has ever successfully done it for SHA256. The industry is moving towards SHA256-based identification, but it's not there yet.

For those people who are paranoid about viewing icons, we can work exclusively in a command-line-only environment. Just to show you that, I'll show you here that we have Cygwin open, and so everything we did, we can do from a command line. cd: we can go to the C drive, we can go to Users, Sean, Desktop; to just autocomplete, I just hit Tab. Now I'm in the desktop, and here, the first thing we did was we looked at it in a hex editor, so I'll do xxd, then the filename, and then I will pipe it to less. I can do just the top of the file. Here we see it. There is the MZ header. There's the DOS mode string, there is the PE header. You'll learn about that in the future, but we now know it's an executable, an EXE or DLL file, and we can even run strings on it and pipe it to less. If you saw the strings, go down to the bottom, you see some function names. We know that it can create a file, we know that it is looking for another module by file name, we know it imports KERNEL32.dll, which is pretty common. We know those pops of job. We're done. At the bottom, we see the same strings we've seen before. Padding, some strings. Q to exit from less. We also got the MD5 sum of the malware, so we can go ahead and do that. md5sum that, so here's the MD5 hash that we had before, which we can search VirusTotal for. This is all without looking at the icon. If we just want to verify that it was an executable, we can use the file command. It will pull up that it is a PE executable for Windows, using the GUI subsystem, the graphics subsystem, like an .exe.

Just to recap what we've learned today: we learned what the vernacular and terminology were for malware. We learned about different malware types and functionality and how they can easily overlap, and when the overlap happens, it's called a blended threat. We did a one-minute triage with freely available tools. I also showed how to do that from the command line. I showed you where to get samples if you need them. I'll also suggest, at the end of every lecture, resources if you want to get more into this topic. This is very bad, but I highly suggest Practical Malware Analysis. It's a big thick book, but it is very good. They have malware that they'll give you, and they will tell you to analyze it based on whatever you learned in that chapter, and at the back of the book, they will show you their analysis, what you should have seen and what conclusions you should have come to. That has been an extremely effective learning tool for me and many other people. Virus Research and Defense is a classic book that's been around for a while. It's a little dry to read through. It's also big and thick. But it's really more meant to be a reference. But I know most people in my career field, and in your career field as well, pretty much all of them have Practical Malware Analysis right there on their desk.

Thank you for watching the introduction to malware analysis on Cybrary. We hope you've learned a lot and will continue to watch our videos here. Have a nice day.