Malware Identification

Time
4 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
>> Hi and welcome to lesson 1.3.2. In this lesson, we're going to talk about malware identification. Specifically, we're not going to talk about automatic identification, because in later chapters in module 2 we're going to be talking all about malware prevention at all of the different layers. It's not just malware prevention, it's security prevention controls at different layers. A lot of those layers also have malware identification built in. We're not going to get into malware identification through automatic methods in this particular lesson. But what I do want to talk about in this lesson are a couple of the ways that you can manually identify malware. If your systems missed a file and you think something is suspicious, you can check the file out manually in a couple of different ways we're going to describe in this chapter. We can also potentially, what if your systems did catch something and you just want more information on it, you can also do that. I'll show you how to do that in this section.

Basically, there are two different things I'm going to talk about. One is online submission and the other one is sandboxing. We'll start with online submission. What you're looking at here is called VirusTotal. VirusTotal is a service that's run by Google. It's actually owned by Google's parent company, Alphabet. More specifically, there's a company called Chronicle that's under the Google umbrella, and VirusTotal is owned by Chronicle. Essentially, what VirusTotal is, is a collection of antivirus software scanning. You can upload a file to VirusTotal and it will run that file that you uploaded against 50 or 60 different virus scanners out there, and it'll tell you what these virus scanners see in this file. You get a really good consensus view of whether or not this file is malicious.

Now, VirusTotal is a signature-based file. Remember we talked about signature-based versus anomaly-based earlier. VirusTotal is going to look at the actual signature of the file itself to see if this particular file is well-known. Remember, we talked about how you can change one bit in the file, and all of a sudden it becomes a completely different file and has a different signature. That's where we get more into the anomaly-based, which we'll discuss in a minute. But in VirusTotal, you can either upload a file, or you can also do a URL scan. You can put a URL in VirusTotal and check that out as well. Then you can simply search the system to see if anybody else has uploaded something that you found in your environment, without having to upload it yourself. I'll show you real quick.

Let me go and choose a file and I'm going to upload it. I'm going to upload this EICAR file. EICAR essentially is just a test file for antivirus. It was developed specifically to, it has a certain pattern, a certain signature in it, if you will, and it is intended to check the effectiveness of your antivirus system. All antiviruses out there should be able to detect EICAR because it's a very well-known test file. I'll load EICAR into the system and we see VirusTotal comes back and says that 62 of the 63 engines detected this file as bad. It goes through each one, so Adaware and Avast and all of these different antivirus vendors, and it shows you what each one of these says about the file. In a lot of cases, you can see it actually says "test file" because that's exactly what it is. You can go through and you can see how each antivirus vendor detected it.

You can also see a little more detail about it. It shows you some of the file hashes, which are basically just the signature, if you will. This is what the file looks like. This is how it identifies the file. You can see a little history. This particular one was first uploaded in 2006. Then some other names that the file masquerades as and things like that. You can see some of the relationship information, like what processes it executes from and what some of the parent files are that it is executed out of, and things like that. You can see some of the behavior. It creates a process, it runs a shell command, and then it creates this particular process tree within the environment. You can dive into it like that. Then you can go into the community section and you can see what others are saying about this file too. This person says it's just a test file, which is exactly right.

So that's basically it for VirusTotal. I'm not going to go into too much depth. There's an entire course that you could take. You could spend months and months taking a course on malware identification and reverse engineering malware. I just want to show that there are resources out there where you can submit files and get a good community view of whether the antivirus community thinks that file is malicious or not.

The next thing we'll talk about for manual submission is the concept of a sandbox. A sandbox, essentially what it is, is an environment that executes a file and sees how it behaves. With VirusTotal, that's a signature-based environment. It's just looking at the file itself to see if we can find any matches for known bad things. But a sandbox actually runs the file and executes it and sees what it does and how it behaves. I'm not going to upload. I could upload that same EICAR. By the way, the one I'm looking at here is Hybrid Analysis. This is the free Falcon sandbox tool. It's by a company named CrowdStrike, and it is a very good tool. This is the free version of it. Instead of uploading that same EICAR file, since we already know that's just a test file, I'm just going to go take a look at some of the files that have been recently uploaded here and just pick one of them. Let's take a look at this. I don't know, this menu.exe file. In this particular file, someone uploaded this file and this is the report that was run on it. It gives you a lot more details about how the file executes than just the hash before.

In this particular one, for example, it's evasive. It tries to evade analysis by sleeping from time to time. This report will show you some malicious indicators. Obviously, it was identified by at least one AV. It calls some native functions. It has some reverse engineering, some characteristics that don't allow you to reverse engineer it. The PE file has unusual entropy sections, and you can go in here and take a look at what the details are about that particular analysis. It has some environmental awareness. It has the ability to evade analysis by sleeping, which we already said. It contains the ability to query CPU information to know what's going on with the CPU, and just some other general stuff, like it imports some suspicious APIs. Again, every one of these we can click through and see which APIs it pulls in and things like that.

Again, I'm not going to go into all of this, but I just wanted to show you that there's a lot more detail. It's all about how this file executes in the environment. You can see it gives some visualizations of the file, how it executes. It shows maybe some screenshots of what it looks like when it executes, all sorts of different information you can get in this, which is going to come in real handy if you're trying to identify places in your environment where this file executed, or if your job is malware reverse engineering, or you're trying to determine whether something is malicious or not for your environment.

That brings us to the end of our lesson on malware identification. Next up we're going to do our module 1 quiz. We'll have a few questions about all of the different things we learned during module 1.
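The lesson mentions two things worth automating: the hashes VirusTotal shows as a file's "signature", and searching VirusTotal for a hash so you never have to upload the file yourself (uploading shares the sample with every vendor and the community, which matters when a suspicious file contains internal data). The following script is an added example, not part of the lesson or of VirusTotal's own tooling. It computes MD5/SHA-1/SHA-256 of a file locally, builds the report URLs, and, if an API key is present, looks the hash up and condenses the engine counts into the "62 of 63 engines" view seen in the video. Assumptions of mine: the VirusTotal API v3 endpoint GET https://www.virustotal.com/api/v3/files/{hash} with an "x-apikey" header, the key read from a VT_API_KEY environment variable, and the "last_analysis_stats" field of the response; the sample stats object is constructed to match the lesson's EICAR result.

```python
"""Added example, not part of the lesson: hash a suspicious file locally and
look it up on VirusTotal by hash instead of uploading it.

Assumptions (mine, not the lesson's): VirusTotal API v3 endpoint
GET https://www.virustotal.com/api/v3/files/{hash}, authenticated with an
"x-apikey" header taken from the VT_API_KEY environment variable, and the
"last_analysis_stats" field of the response for per-engine counts.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

# The standard 68-byte EICAR antivirus test string, used as constructed sample input.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample of a last_analysis_stats object shaped like the lesson's
# EICAR result: 62 engines flagged it, 1 did not, 2 could not scan the file type.
SAMPLE_STATS = {"malicious": 62, "suspicious": 0, "undetected": 1,
                "harmless": 0, "timeout": 0, "type-unsupported": 2}

HASH_NAMES = ("md5", "sha1", "sha256")


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of in-memory bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, streamed so large samples are not
    loaded into memory at once."""
    hashers = {name: hashlib.new(name) for name in HASH_NAMES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def vt_urls(sha256: str) -> dict:
    """Report URLs for a hash: the web page (paste into a browser) and the API
    object. A hash search shares nothing but the hash with VirusTotal."""
    return {
        "gui": f"https://www.virustotal.com/gui/file/{sha256}",
        "api": f"https://www.virustotal.com/api/v3/files/{sha256}",
    }


def summarize_stats(stats: dict) -> tuple:
    """Condense last_analysis_stats into (engines that flagged, engines that scanned).

    Only engines that returned a verdict count toward the total; buckets such
    as 'type-unsupported' or 'timeout' mean the engine did not scan the file.
    """
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    return flagged, total


def lookup_by_hash(sha256: str, api_key: str) -> dict:
    """Fetch an existing VirusTotal report. Returns {} on HTTP 404, which means
    nobody has submitted that file yet (assumed API behaviour, see docstring)."""
    req = urllib.request.Request(vt_urls(sha256)["api"], headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["data"]["attributes"]
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


if __name__ == "__main__":
    # Hash the file given on the command line, or the EICAR bytes if none is given.
    digests = hash_file(sys.argv[1]) if len(sys.argv) > 1 else file_hashes(EICAR)
    for name, value in digests.items():
        print(f"{name}: {value}")
    print("report:", vt_urls(digests["sha256"])["gui"])
    key = os.environ.get("VT_API_KEY")
    if not key:
        print("set VT_API_KEY to query VirusTotal; nothing was uploaded")
    else:
        attrs = lookup_by_hash(digests["sha256"], key)
        if not attrs:
            print("hash unknown to VirusTotal; nobody has submitted this file")
        else:
            flagged, total = summarize_stats(attrs["last_analysis_stats"])
            print(f"{flagged} of {total} engines flagged this file")
```

Run it as `python vt_hash_lookup.py suspicious.bin` (the file name is whatever you want to check; with no argument it hashes the EICAR string). The decision to look up by hash first and only upload if the hash is unknown is the point: an unknown hash means no community verdict exists yet, and a one-bit change to the file, as the lesson notes, yields a different hash, so a miss here says nothing about whether the file is benign.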