Today, we went over how malware analysts investigate suspicious
programs. The first step is to transfer the files off of the infected computer
onto a USB drive and transfer them to a virtual machine. A virtual machine (VM) is a software
implementation of a machine (i.e. a computer) that executes programs like a
physical machine (Wikipedia). It is important that you are working
inside the virtual machine when the USB is connected or else the entire
computer is at risk of being infected. One of the nice things about a virtual
machine is that you can take a snapshot of the machines current state and
restore it to that state if anything happens to it. Once the program is loaded
on to the machine there are various tools you can use to try to find out what
the program does. Today I learned about five different tools that can be
helpful. The first tool I learned about was WinMD5free. WinMD5free can
translate a program into hash. A hash
function is any algorithm or subroutine
that maps large data
sets of variable length, called keys, to smaller data sets of a
fixed length (Wikipedia). Hash is helpful because it can tell you if you
are working on the same program, even if the name changes or the text is in a
different language. It can also be useful if you are working in a classified
situation because you can check to see if anyone else has encountered the
program without sharing the actual program with anyone else. The next tool is
Strings. Strings is helpful because it shows all the strings within the
program. When using strings you want to look for IP addresses and dll’s and
exe’s. These are helpful because they can tell if the malware connects to the
network or creates new programs. If you find an IP address you can check the
firewall to see if any other computers are connecting to that address and if
they are they are most likely infected as well. The next tool you can use is
dependency walker. Dependency walker is used to see what functions the malware
called from the various dll’s it uses. By looking at these you try to infer
what types of actions the malware performs. Another important thing to check is
if the malware uses only one function out of a dll. This sometimes means that
the malware is encrypted or packaged, which makes it harder to figure out what
the malware actually does. PEiD is
another tool that can help you figure out whether the malware is packaged. If
you find that the malware is encrypted (even if it isn’t it can still be helpful),
it can be helpful to use the resource hacker tool. This tool checks the
malware's resources which are the media items used in the program. The resources
are not encrypted, so you should still be able to see them if the program does
use resources.
Lauren, great post! I love all of the details and definitions. Good idea to include citations. You are clearly learning lots of new and useful information.
ReplyDeleteEach time you blog, try to link your writing with your ultimate project. For example, how might VMs be related to your internship project? Very broad rationales are perfectly acceptable.
Keep up the wonderful effort!
Lauren, please remember to post for all days, even those that you miss.
ReplyDelete