Thursday, January 10, 2013

Jan 9th


Today, we went over how malware analysts investigate suspicious programs. The first step is to transfer the files off of the infected computer onto a USB drive and transfer them to a virtual machine. A virtual machine (VM) is a software implementation of a machine (i.e. a computer) that executes programs like a physical machine (Wikipedia). It is important that you are working inside the virtual machine when the USB is connected or else the entire computer is at risk of being infected. One of the nice things about a virtual machine is that you can take a snapshot of the machines current state and restore it to that state if anything happens to it. Once the program is loaded on to the machine there are various tools you can use to try to find out what the program does. Today I learned about five different tools that can be helpful. The first tool I learned about was WinMD5free. WinMD5free can translate a program into hash. A hash function is any algorithm or subroutine that maps large data sets of variable length, called keys, to smaller data sets of a fixed length (Wikipedia). Hash is helpful because it can tell you if you are working on the same program, even if the name changes or the text is in a different language. It can also be useful if you are working in a classified situation because you can check to see if anyone else has encountered the program without sharing the actual program with anyone else. The next tool is Strings. Strings is helpful because it shows all the strings within the program. When using strings you want to look for IP addresses and dll’s and exe’s. These are helpful because they can tell if the malware connects to the network or creates new programs. If you find an IP address you can check the firewall to see if any other computers are connecting to that address and if they are they are most likely infected as well. The next tool you can use is dependency walker. Dependency walker is used to see what functions the malware called from the various dll’s it uses. By looking at these you try to infer what types of actions the malware performs. Another important thing to check is if the malware uses only one function out of a dll. This sometimes means that the malware is encrypted or packaged, which makes it harder to figure out what the malware actually does.  PEiD is another tool that can help you figure out whether the malware is packaged. If you find that the malware is encrypted (even if it isn’t it can still be helpful), it can be helpful to use the resource hacker tool. This tool checks the malware's resources which are the media items used in the program. The resources are not encrypted, so you should still be able to see them if the program does use resources.

 



 

2 comments:

  1. Lauren, great post! I love all of the details and definitions. Good idea to include citations. You are clearly learning lots of new and useful information.

    Each time you blog, try to link your writing with your ultimate project. For example, how might VMs be related to your internship project? Very broad rationales are perfectly acceptable.

    Keep up the wonderful effort!

    ReplyDelete
  2. Lauren, please remember to post for all days, even those that you miss.

    ReplyDelete