Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

Welcome to the Malware Defenses module. This module will give you a deeper insight into the various malware defenses. Malware defenses fall into several categories, such as anti-debugging, anti-virtual machine, anti-disassembly and anti-analysis. The malware author's goals are to stop automated analysis and slow down the malware analyst. We'll also explain the idea using a basic anti-debugging code example.
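The basic anti-debugging check the module describes, written out as an added example (this is not code from the course or from any sample it discusses). On Windows the real `IsDebuggerPresent()` API is used, which reads the BeingDebugged byte in the process's PEB; on Linux, as a generalization of the same idea, the code reads the `TracerPid` field of `/proc/self/status`, which is where the kernel records an attached tracer. The `tracer_pid_from_status()` parser and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Parse the "TracerPid:" line of a /proc/<pid>/status text (Linux format).
   Returns the tracer's PID, or 0 when no tracer is attached or the field
   is missing. Kept separate so it can be exercised on constructed input. */
long tracer_pid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return 0;
    /* strtol skips the tab/spaces that follow the colon */
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Returns 1 if a debugger appears to be attached, else 0.
   Windows: IsDebuggerPresent() reads the BeingDebugged byte in the PEB,
   the "certain location of memory" the video refers to.
   Other platforms: a non-zero TracerPid means a ptrace-based debugger. */
int debugger_present(void) {
#ifdef _WIN32
    return IsDebuggerPresent() ? 1 : 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;                 /* no procfs available: assume not debugged */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
#endif
}

int main(void) {
    /* A sample would branch here; an analyst simply patches the branch or
       flips the flag, which is why this check only slows analysis briefly. */
    if (debugger_present())
        puts("debugger detected: sample would exit or take a decoy path");
    else
        puts("no debugger detected: normal execution path");
    return 0;
}
```

As the video stresses, seeing this call in an import table is weak evidence on its own: legitimate frameworks call it to decide whether to emit debug output.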

Video Transcription

00:04
Hi. My name is Sean Pierce and I'm the subject matter expert for Introduction to Malware Analysis.
00:08
Today we're going to be talking about malware defenses.
00:12
Now, when I say malware defenses I'm usually referring to anti-debugging, anti-virtual machine, or anti-disassembly code.
00:21
But this can also mean anti-analysis
00:24
code. And generally that's made to stop us from analyzing the sample. So some samples will look for tools and disable them, or just stop running when they see them, or they will do something like,
00:41
uh, do something completely different than the original
00:45
objective is. So I know one sample, one large botnet, when it detects that it is being instrumented or it is in a virtual machine or sandbox, it will open up a port, some high-level port
00:59
or high-numbered port, and it will begin listening on that port for connections, and it will, uh,
01:07
act on those connections. So it looks like a very simple backdoor. But in actuality, it is, um,
01:14
a malicious
01:15
botnet that would go out to the command and control server and pull down more instructions
01:19
if it wasn't detecting that it is in a virtual machine.
01:26
Now, uh,
01:27
defense code, I would also say sometimes offensive. So there are two big samples back in the day, Zeus and SpyEye, and they were kind of going at each other, and they would take each other out if they found that the other family was installed on the computer.
01:47
Um, there's a
01:49
malware family out there called ZeroAccess, and it is pretty vicious. When antivirus or any program really tries to access it, it will go and corrupt the file
02:04
that is trying to access it on disk, and it'll kill the process. So
02:09
there are, uh,
02:10
defense
02:13
examples and there are offense examples, and I generally kind of group them all the same. The malware authors are trying to make malware,
02:23
they're trying to make it more difficult for automated analysis in sandboxes or slowing down our analysts.
02:32
So
02:34
I break things down to, like, three major categories, four major categories. The first is anti-debugging. In the past we have pulled up OllyDbg, and we've kind of stepped through some things. Um,
02:46
but we haven't used it a whole lot, but that is a big tool used by malware analysts. And instead of reverse engineering and figuring out every little thing, we can just say, oh, that looks like an interesting spot in memory, you know, we place a breakpoint there and execute the malware up to that point, and then look to see what's in that buffer or,
03:07
you know, whatever else we want. If we want to see what that C2
03:12
IP address or domain name is, we can just place a breakpoint right before it's about to make a network connection to it, and
03:20
we can see what it is. Wherever it grabbed it from in memory, however it decrypted it, we don't really care. We just run to that point and then say, OK, what is it?
03:29
It can't really hide it.
03:30
So
03:31
a lot of malware
03:34
builds in anti-debugging code
03:38
to stop a debugger from attaching, or stop the debugger from finding out what's going on in that process. And there's a lot of tricks to that, and we'll go over some of the major, obvious ones.
03:50
Um,
03:52
the second category is anti-virtual machine. Now, most malware is executed in virtual machines, or detonated in virtual machines,
04:01
and some platforms do it automatically, like VirusTotal, Cuckoo, um, Cuckoo Sandbox, that is, Joe Sandbox, ThreatGrid.
04:12
And they all try to hide the fact that the malware is in a virtual machine.
04:16
But it's a back-and-forth battle. Sometimes there's really clever techniques. Sometimes there's not so clever techniques, like
04:26
more recently, a lot of pen testers are just testing to see how many cores are on the computer. If it's more than two cores, then it's like, okay, it's a modern computer, and then they
04:36
continue execution. If it's less than that, they figure they're in an underpowered VM, because these people like to build huge clusters of underpowered VMs, detonate malware in there and see what happens. They don't really give it a whole lot of resources like memory or cores, a CPU.
04:55
So
04:57
anti-virtual machine
04:59
code could be as simple as checking the number of cores, or as advanced as trying to execute
05:05
instructions only virtual machines can execute, like the VMware instructions, or checking parts of memory that, um,
05:15
a virtual machine can't actually access.
05:19
The next category is anti-disassembly. So if we pull up a sample in IDA, we'll sometimes see things that don't make a whole lot of sense, or that we can't really, uh,
05:32
continue with. Like if you pull up some malware that's written in Visual Basic, in VB, IDA Pro won't really help you that much. You have to do other things, or use other tools, or find other methods. Um,
05:47
malware that's written in Delphi, it's another programming language that's a little bit more popular in Russia and Brazil,
05:56
uh, I've never seen anyone use it
05:58
in America. Um,
06:00
IDA Pro doesn't really handle that very well. Or some malware written in .NET
06:06
or any of the .NET
06:09
style languages like VB.NET or, um,
06:14
JScript, or ASP,
06:18
um,
06:20
C#.
06:21
You know, those are bytecode-interpreted or compiled languages. So IDA Pro doesn't really help you a whole lot there.
06:30
But when I say anti-disassembly, I don't mean
06:33
the language that was used to create the malware. I more mean, like,
06:39
it's usually assembly that the malware author has created specifically that will break the algorithms used by disassemblers,
06:47
and we'll talk about that in a little bit.
06:50
So
06:51
when I talk about malware defenses like anti-debugging, anti-virtual machine or whatever, those are usually put in by malware authors, like I said, to stop automated analysis of their malware
07:04
by using documented or undocumented API calls, or using anti-disassembly techniques like we saw in the Illusion bot, where it dynamically would call,
07:15
uh, its main function by putting
07:19
the
07:20
return address manually on the stack and then using the ret instruction to actually jump to main instead of returning to the function that called it.
07:30
Now you may ask, okay, this is all great, and we've seen packers before, and you know, we can get around those and we can, you know, do this type of stuff. Why don't,
07:43
uh,
07:44
antivirus companies just look for these techniques and then just blacklist malware? And the answer is, because, the same with packers, a lot of companies will use these techniques to thwart
08:00
pirating of their software, or they try to use it in digital rights management, or DRM, or try to protect their intellectual property, try to protect algorithms. One
08:09
anti-disassembly technique, not really, it's more of a miscellaneous technique, is to fill the code with junk code. Um,
08:20
no-operation code or NOP code or whatever else, instructions or API calls that really don't result in anything
08:26
functionally changing in the malware software. So let's look at a basic anti-debugging technique used by malware. There is a function call in Windows that is widely supported, and it's very simple, and it just is IsDebuggerPresent.
08:46
If it returns true, that means that
08:48
the, uh,
08:52
the function has
08:54
checked a certain location of memory,
08:56
and in that spot in memory
09:00
it's, uh, has been marked as yes, there's a debugger attached,
09:05
and a lot of malware will just exit zero, or terminate the process or, um,
09:11
launch
09:13
bad,
09:15
phony code or whatever else. Now
09:18
we've got to be careful, because I've seen a lot of sandboxes that will say, oh, this malware, you know, called IsDebuggerPresent, has these capabilities, it'll do this, blah, blah,
09:31
uh, and that's not quite
09:33
okay, because
09:35
I've seen this function used in frameworks all the time. So if I've written a small
09:43
application that takes an image and flips it around,
09:48
like just does a little simple transform on it, inside the framework it calls this function left and right,
09:54
because the framework needs to know if it should print out debug statements, or should,
10:01
you know, act a little differently, or put extra padding around its memory
10:05
um,
10:07
buffers.
10:09
So, uh, just because you see this function doesn't mean it's malware. It just means the code is trying to be more aware of whether a debugger is present.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor