Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this module, we'll begin with another packing example. In the hands-on demonstration, we'll compare the following:

  • Strings in a packed versus a non-packed binary
  • Anti-virus (AV) detections of the binary
  • The PE sections of the binary

You'll also learn about VirusTotal.com, a meta anti-virus scanning portal, and we'll show how to run PEiD against an executable.

Video Transcription

00:04
We're gonna do another packing example. We looked at the Illusion Bot strings before and after packing, and we're gonna look at the AV antivirus detections, and we're going to look at the bot's PE sections.

00:24
So a good way to get a feel for antivirus detections is a site I've mentioned before called virustotal.com, and it's a meta antivirus scanning engine. So it has many, many different antivirus products scanning a single file to see if any of them trigger on that file, and that's useful for us at least.

01:07
Copy, paste, so we can upload our original bot binary, the .exe. And someone in all likelihood has already uploaded it and had it analyzed. And we can see it was originally in 2007, and we can say "reanalyze", like have it rescanned, but it doesn't really matter. We can take a quick look at it.

01:42
Pretty much everything has triggered off of it, except for these last few, for whatever reason. And they all classified it as SDBot or generic Trojan or IRC bot or whatever else, and it's known to be bad, and people have even said that, you know, it's really bad. And someone's posted that mutex that we saw in the last video, and we can definitely see that it's a malicious file.

02:16
Now what about the packed .exe? I haven't done this before, so I don't know if someone's already packed it and uploaded it and analyzed it. But we'll see how many detections that's got.

02:38
So it's also important to note that this is not a good indicator of whether a file is truly malicious, because a lot of these antivirus engines are turned up pretty high in terms of sensitivity. And I've seen, you know, I'm not going to name the product, but I've seen one antivirus company always alert on my Metasploit executables, even though in the real world I've never seen this antivirus software alert on anything before. So they tend to tweak their products to make it look good in terms of detection.

03:29
Also, the deal that VirusTotal makes with these companies is that the antivirus companies will scan a file and alert if they detect it as something, so it's almost a competitive disadvantage, because they're flagging something as malicious that the other antivirus vendors may not know about. And the flip side is, the other antivirus vendors now know that this file is something malicious and mark it malicious as well. But what came out recently...

04:03
We can see that a number of products did not detect our packed file. Ideally, you know, if we were a malicious actor, ideally this would be down to zero. And a lot of packers on the underground will advertise as fully undetectable, which they call FUD, and it's not something they can guarantee, but some packers are better than others. And since UPX has been around for so long, either most consider it malicious or most antivirus companies know how to unpack it and scan its insides.

04:47
If we use another packer, it might get even lower detection rates. And if we used a packer on top of a packer, it may even get lower rates. But it did definitely take down our score. Even though this binary, this executable, is a really old Trojan, even though UPX is a really old packer, it was still able to elude some antivirus engines, as I was mentioning earlier. What came out in the news recently was some antivirus companies were purposely marking benign files as malicious on VirusTotal and watching other antivirus companies just copy them. And it's kind of, I don't know how to say it, poisoning the watering hole, if you will.

05:41
So here in our Kali machine, I just opened two terminals here, and I browsed to the Malware Analyst's Cookbook code website on Google Code. A lot of it is pretty old. It's, ah, 2012 when most of this was released. I find several of the scripts still useful, and since they're open source, a lot of people have improved upon them and made significant improvements. But I just wanted to demo something here, and that is we can download the script and use it to take a look at the sections of a PE file pretty easily with the code they released.

06:24
Typically, if I'm just downloading someone's script, I'll take a quick look at it, make sure it's not doing something obviously malicious, but then also make sure I have the right dependencies. So copy that and paste it to make sure I can import all these libraries, there's no issues. Import this, and there's no issues because I already have the pefile dependency. But if you don't, which most people don't by default, you can use pip, the most popular Python package installer, and install pefile. And it says it's already installed, and I say, great.

07:16
So I'm going to look for an executable on Kali, an .exe file, of which there are plenty. So I'm just going to use the locate command. find would probably be faster, but locate is simpler to use, in my opinion. So we find plenty of very useful Windows executables, like the netcat version for Windows, you know, Windows Credential Editor, and so on and so forth.

08:01
So I'm gonna take one of these. Let's say wget... that's, ah, simplistic. Netcat. A lot of antivirus companies will alert on netcat because it's pretty easy to just open up a port and start listening or make a pretty rudimentary backdoor. So I'm going to copy it to the desktop. So I just saved the PE scanner, and I just downloaded, or copied over, netcat. And I'm gonna run this script, typing in python pescanner.py, and then I specify nc.exe.

08:56
So this Python scanner, or the PE scanner, will go through and say, okay, it was this file, MD5, SHA1, when was it compiled, and it marks it as suspicious because 1998, that's pretty old for an executable. The CRC is off. The code-checking algorithm, or basic corruption checking, is not as good as a hash, but it's just basic checking to see if anything was corrupted while on disk, because hard drives used to fail a lot more than they do now.

09:37
And we can see the sections here. And I want you to take note of the virtual size versus the raw size. The raw size is how big is it in the file, and this is usually aligned to a certain byte value, and so it has pretty rounded-up numbers. And we can see here that it says, okay, I need this much memory to run this code in this section, I need, you know, this much memory to access this, et cetera, et cetera. And we can see the entropy values are right here on the right. So it goes from one byte to another to another to another to see how much difference there is between the bytes.

10:24
Since UPX has been around for so long, and it stands for the Universal, oh, Packer, uh, Compressor, I think, it is also ported to Linux and can pack ELF executables. But more importantly, we can use it to pack Windows executables as well on Linux. So I'm gonna say upx nc.exe. So it opened up the netcat file, compressed it, and then re-saved it. So we also get a 50% compression rate. So again, we shrunk the binary to half of its size.

11:13
Okay, so let's run our little PE scanner script again. And we can see that again, the hash has changed, the size has changed. The date stayed the same; UPX was sure to preserve that. Right here, the EP, the entry point, has changed, and it goes into a weird section. So the script has marked that as suspicious. The CRC is again not correct, and so I think that's suspicious. But more importantly, here, down where we can see the virtual size versus the raw size: the raw size is zero. So there's no code in this, there's nothing on disk in the file, but it's still requiring a lot of memory. And this is why it's considered suspicious.

12:20
Here we can see there's no real difference between the raw size and the virtual size, but it has a very high entropy, so that is suspicious. So here the virtual size and the raw size aren't too big a difference, and the entropy is fairly low. So this is not suspicious, and this is probably where our unpacking code is. So we can see the EP, the entry point, is at UPX1, so it's gonna begin its execution in this section, whereas before it would have begun its execution in the .text section, which is fairly common.

13:09
So it's useful. This is one of the first scripts I run on an executable, just to get an idea if it's packed, especially if I don't see any strings right away.

13:22
Another tool that is very useful is PEiD. And PEiD is no longer developed or really maintained, but free to download and use. I'm going to a virtual machine ready to be infected. And so PEiD has a small database of packers, and there are people who have collected very large databases of packer signatures, with some false positives. But overall, it's a pretty good way to just get an idea for whether a file was packed or not.

14:11
Okay, so we have a fresh copy of our ready-to-be-infected VM. I'm gonna drag and drop over PuTTY, a simple SSH client, and it can actually do a lot more than that. PEiD, which, as I described earlier, is a bit old but still a useful tool, and a lot of people still have PEiD databases that are fairly large and have a lot of signatures for different packers. So if we just drag and drop an executable, like PuTTY, onto PEiD, we can see that it's using the Win32 subsystem, compiled with Microsoft Visual C++, and has the entry point in the .text section. We can actually look at the other sections to see what's there, the virtual size and the raw size, so we can kind of visually inspect what our script was telling us, and we can actually even have a mini disassembler kind of show us some interesting stuff. Not as good as IDA, but still, it's kind of useful sometimes.

15:33
And if we use UPX to pack the file. So the desktop, and upx putty.exe. Now we have packed PuTTY, about 50% again. And if we execute putty.exe, it's just the same. So it's unfolding in memory, decompressing, it's doing its thing and executing the original code. That's very useful. Let's run PEiD again. Nothing found. Scan it again. But usually it will detect that that is UPX. But there's nothing detecting right now, probably because I haven't really provided it with a good database. The database is here, huh? Well, see, that's the reason why: there's no userdb.txt database.

16:44
So I'm just gonna Google PEiD signatures, and there's quite a few of them out there. I'm just gonna go with, yeah, a big one. Contains characters in Unicode. Mmm. I hope they don't. Let's swap the database. But again, I'm just kind of trying it. Nothing found, but the database is messed up because there were Unicode characters. So I'm going to, ah, save as. I'm just gonna transfer the file manually. Oh, it's a bug. I'm just gonna replace it and rerun PEiD. There's something wrong with it. Something wrong with that database. So I'm gonna use a different database. The one from SANS isn't very good. Gonna replace it, because the SANS one wasn't very good. Not surprising. Replace that. Let's run it again. Nothing found, huh, it's not detecting UPX. So this is the first time I've ever seen that.

19:19
There's a signature for it for 0.6 and probably above. I was looking for that. Yeah, and more signatures and more signatures, since it was a version of this UPX, version 3.91. Since UPX is open source, a lot of people have taken that source code and modified it more to use in their own projects. Good.

21:23
Okay, so if we look at our just-packed PuTTY, there's no signatures in the database we grabbed from the Internet for the newest version of PuTTY, although I expect there would be. But if we grab UPX, we can see that there is a signature for that, because the UPX program itself was packed with UPX 2.93. So our signature database that we just grabbed off the Internet definitely is working, but it hasn't been updated for the newest version.

22:14
So as we saw in our demonstration, before packing we could see, you know, lots of strings in our Illusion Bot. We could see that almost everything was triggering off of some protections, or a lot of AV vendors were triggering off of signatures that they had made a long time ago for Illusion Bot, and Illusion Bot had its typical PE sections. After packing, there were almost no strings, there were fewer antivirus detections, and it had completely different sections. And I did a quick little thing showing PEiD. Almost every malware analyst has PEiD, and they keep their signatures updated. I typically don't rely on such things.
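
The section checks the transcript walks through (raw size versus virtual size, per-section entropy, and which section the entry point lands in) as an added Python example written for this page. It is not the Malware Analyst's Cookbook pescanner script and does not use pefile; it parses the PE headers with the standard library. The two images it scans are constructed inline (a UPX-style layout with an empty UPX0, a high-entropy UPX1 holding the entry point, and a plain layout with the entry point in .text); the 7.0-bits entropy threshold and the pre-2000 compile-time threshold are assumptions chosen for the example, not values from the page.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

FILE_ALIGN = 0x200                           # file alignment used by the constructed samples
STANDARD_CODE_SECTIONS = {".text", "CODE"}   # assumption: names treated as normal for an entry point


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint (same offset in PE32/PE32+)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def analyze(image: bytes) -> dict:
    """Apply the packing heuristics from the transcript and collect human-readable findings."""
    pe = parse_pe(image)
    findings = []
    year = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).year
    if year < 2000:                                   # assumption: threshold for "suspiciously old"
        findings.append(f"compile time {year} is suspiciously old")
    entry_section = None
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= pe["entry_rva"] < s["virtual_address"] + span:
            entry_section = s["name"]
        if s["raw_size"] == 0 and s["virtual_size"] > 0:   # nothing on disk, memory reserved anyway
            findings.append(f"{s['name']}: no bytes on disk but {s['virtual_size']:#x} bytes reserved in memory")
        if s["entropy"] > 7.0:                            # assumption: threshold for packed/encrypted data
            findings.append(f"{s['name']}: entropy {s['entropy']} suggests compressed or encrypted data")
    if entry_section is None:
        findings.append("entry point is outside every section")
    elif entry_section not in STANDARD_CODE_SECTIONS:
        findings.append(f"entry point lies in {entry_section!r}, not a normal code section")
    pe["entry_section"], pe["findings"] = entry_section, findings
    return pe


def build_image(sections, entry_rva: int, timestamp: int) -> bytes:
    """Constructed minimal PE32 image; sections is a list of (name, virtual_size, virtual_address, raw_bytes)."""
    n, e_lfanew, opt_size = len(sections), 0x40, 0xE0
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    raw_ptr = -(-headers_len // FILE_ALIGN) * FILE_ALIGN          # first raw-data offset, file-aligned
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    table, body = b"", b""
    for name, vsize, va, raw in sections:
        raw_size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN if raw else 0
        ptr = raw_ptr + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_ptr, b"\0") + body


def packed_sample() -> bytes:
    """Constructed UPX-like layout: empty UPX0, high-entropy UPX1 holding the entry point, flat .rsrc."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))          # stands in for compressed code
    return build_image([(b"UPX0", 0x10000, 0x1000, b""),
                        (b"UPX1", 0x8000, 0x11000, blob),
                        (b".rsrc", 0x1000, 0x19000, b"A" * 2048)],
                       entry_rva=0x11100, timestamp=883612800)     # 1998-01-01 UTC


def plain_sample() -> bytes:
    """Constructed unpacked layout: entry point inside .text, sizes consistent, entropy moderate."""
    return build_image([(b".text", 0x400, 0x1000, bytes(range(16)) * 64),
                        (b".data", 0x200, 0x2000, b"\0" * 0x200)],
                       entry_rva=0x1010, timestamp=1167609600)     # 2007-01-01 UTC


if __name__ == "__main__":
    for label, image in (("packed", packed_sample()), ("plain", plain_sample())):
        report = analyze(image)
        print(f"== {label}: entry point in {report['entry_section']}")
        for s in report["sections"]:
            print(f"  {s['name']:<8} vsize={s['virtual_size']:#07x} raw={s['raw_size']:#07x} entropy={s['entropy']}")
        for f in report["findings"] or ["no findings"]:
            print("  !", f)
```

Running the block prints both reports; the packed layout produces four findings (old compile time, UPX0 with zero raw size, UPX1 with high entropy, entry point outside a normal code section) while the plain layout produces none. Reading entropy from the raw bytes actually present in the file, rather than from the virtual size, is what makes the empty UPX0 section come out at 0.0 and the compressed UPX1 section near 8.0, which is the contrast the transcript points at.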

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor