Time
4 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Transcription

00:01
hi and welcome to lesson 1.3 dot two. In this lesson, we're gonna talk about malware identification and specifically, we're not going to talk about automatic identification because in later chapters in module to we're gonna be talking all about malware prevention
00:17
at all of the different layers. It's not just Mauer prevention, but it's just
00:21
security prevention controls at different layers, and a lot of those layers also have malware identification built in. So we're not going to get into the mouth or identification through automatic methods in this particular lesson. But what I do want to talk about in this lesson are a couple of the ways that you can manually identify malware.
00:41
You know, if your system's Mr File and you think something's suspicious, you can. You can check the file out in a couple manually in a couple different ways we're gonna described in this chapter. We can also potentially. What if your systems did catch something and you would you just want more information on it? You can also do that, and I'll show you how to do that in this section.
01:00
So basically there's two different things I'm going to talk about one is online submission, and the other one is sand boxing. So we'll start with online submission.
01:07
What you're looking at here is Ah, it's called Virus Total and Virus Total is a service that's run by Google. It's actually owned by Google's parent company, Alphabet. More specifically, it's There's a company called Chronicle that's under the Google Google umbrella, and virus Total is owned by chronicle.
01:25
Essentially, what buyers toll is is a collection of anti virus software
01:30
scanning. So if you can upload a file to virus total and it will run that file that you uploaded against 50 or 60 different virus scanners out there and it will tell you what these virus scanners see in this file, so you get a really good consensus view of whether or not this file is malicious.
01:49
Now, Virus Toll is a signature based file. So remember we talked
01:53
signature based versus anomaly based earlier, Firestone was gonna look at the actual signature of the file itself to see if this particular file is well known. Remember, we talked about how you can change one bit in the file, and all of a sudden it becomes a completely different filing has a different signature.
02:09
Um, and that's where we get more into the anomaly based which we'll discuss in a minute.
02:15
But environmental. You can either upload a file. You can also do a u R L scan so you could put a you are Ln virus total and check that out as well. Ah, and then you could simply search the system to see if there's, you know, anybody else is uploaded something that you found in your environment without having to upload it yourself.
02:31
I'll show you real quick. Let me go and choose a file, and I'm gonna upload it, and I'm gonna upload this I car file and I cars. Since essentially is just a test file for anti virus, it was developed specifically to it has a certain pattern certain signature in it if you will, Um, and it's
02:49
determined to check the effectiveness of your anti virus system. So all any viruses out there should be able to detect I car
02:57
because it's a very well known test file.
02:59
So I'll Lodi car into the system
03:01
and we see virus Total comes back and says that you know, 62 of the 63 engines detected this file as bad and you know, it goes through each one. So add aware and avast and all of these different anti virus vendors, and it shows you what each one of these,
03:19
uh, says about the file. In a lot of cases, you can see it actually says test file,
03:23
because that's exactly what it iss. So you go through, you can see how each antivirus vendor detected it. You can also see a little more details about it. It showed you some of the file hashes, which are basically just the signature, if you will. This is what the file looks like. This is how it identifies the file.
03:38
Um, you see, a little history the particular own, was first uploaded on in 2000 and six. And in some other names that the file masquerades as, and things like that
03:50
you can see some of the relationship information like, you know what, what processes that executes from and what some of the parent files are that is executed out of. And things like that.
04:02
You can see some of the behavior, you know, it creates a process. It runs a shell command and then it creates this this particular process tree within the environment. You can dive into it like that, and then you go into the community section and you can see what others are saying about this file to. This person says, it's just a ah virus total a p I.
04:24
I'm sorry. It's just a test file, which is exactly right.
04:28
So that's basically it for virus total. There's I'm not gonna go into too much depth. There's an entire
04:32
ah course that you could take. You could spend months and months taking a course on Mauer identification and reverse engineering malware. I just want to show that there are Resource is out there where you could submit files and you can get a good community view of whether the anti virus community thinks that file is malicious or not.
04:50
The next thing we'll talk about four manual submission is the concept of a sandbox. Now, this particular one that I'm looking at the sandbox, essentially what it is. It's an environment that
05:00
that executes a file and sees how it behaves.
05:03
So with virus total, that's a signature based environment. It's just looking at the file itself to see if we can find any matches for known bad things, but a sandbox actually runs the file and executes it and sees what it does and sees how it behaves.
05:19
So I'm not gonna upload. I could upload that. Say, my car. By the way, the one I'm looking at here is the hybrid analysis. This is the free Falcon sandbox tools by a company named Crowdstrike, which is Ah, very good. Very good tool. This is the free version of it.
05:33
Instead of uploading that, say, my car file, we already know that's just a test file. I'm just gonna go take a look at some of the files that have been recently uploaded here and just peek at one of them. Let's take a look at this. I don't know this menu dot txt file
05:49
this particular file. Someone uploaded this file and this is the report that was run on it, right? So it it says, Ah, few. That gives you a lot more details about hala file executes than just the hash before, right? So in this particular one, for example, um, it's it's evasive. It tries to evade analysis by by sleeping
06:09
from time to time
06:10
it shows you this report will show you some malicious indicators. Obviously, it was identified by at least one A V. It calls some native functions. Um,
06:19
it has some reverse engineering eso some characteristics that don't allow you to reverse engineer it. P file has unusual entropy sections and you can go in here and take a look at what the details are about. That particular analysis
06:34
has some environmental awareness. You know, It has the ability Teoh evade analysis by sleeping, which already said it contains ability to query CPU information toe, know what's going on with the CPU and just some other general stuff. It imports some suspicious AP eyes again. Every one of these we can click through and see you know which AP eyes does it. Does it pull it and things like that, Um,
06:56
it gives you again. I'm not gonna go into all of this, but I just wanted to show you that there's a lot more detail. It's all about how this file executes in the environment. You can see it gives some visualization of the file how it executes. It shows maybe some screenshots of what it looks like when it executes
07:13
all sorts of different information you can get in this. Which is gonna come in real handy if you're trying to identify
07:18
places in your environment where this file executed. Or if your job is malware, reverse engineering or you're trying to determine whether or something is malicious or not for your environment.
07:30
So that brings us to the end of our lesson. L'm our identification. Next up, we're gonna do our module one quiz, and we'll have a few questions about all of the different things we learn during Module one.

Up Next

Infrastructure Security

This course will cover the concepts needed to identify and prevent threats across an enterprise environment. The course content will cover the practical application of security principles, models, and technology covered in previous courses.

Instructed By

Instructor Profile Image
Scott Russ
Security Architect at Nerdery
Instructor