Thursday, February 14, 2013

Yesterday I went to my internship. I learned how to do basic dynamic analysis on malware. First, make sure you are in the virtual machine and that it is not connected to the internet. The next step is to open Process Explorer and Regshot. In Regshot, take the first snapshot. Then open Process Monitor and, as soon as it is capturing, run the malware. After about a minute, stop Process Monitor. Apply filters, such as the name of the executable and some operations like WriteFile and RegSetKey. Look for new executables (.exe files) being created and find their location. If a reference to the .exe is created in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, then the file will be started automatically when the computer starts up. This is a common place where malware registers the new files it creates. If you see that a file is created, find the file, hash it, and compare the hash to the hash of the original malware file. If they are the same, the malware has copied itself. The next step is to take the second snapshot in Regshot, compare the two, and see what has changed. After doing so, check whether the malware tries to connect to the network by using ApateDNS and Wireshark. Use ApateDNS to set up a fake network and to see what websites the malware tries to connect to. Then use Wireshark to see the ports it uses and to analyze the packets that the malware tries to send. You can also use another VM running Linux to listen in on what the malware is sending.
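The Process Monitor part of the procedure above (filter on the sample's process name and on file/registry write operations, look for dropped executables, check the Run key, and compare hashes) can be automated once the capture is exported as CSV. The script below is an added example written for this post; it is not the blog author's code or part of any of the tools named. It assumes the column names of a Process Monitor CSV export and that the registry write operation is reported as RegSetValue; the event rows and file contents are constructed for illustration.

```python
import csv
import hashlib
import io
import re

# Constructed stand-in for a Process Monitor CSV export (File > Save as CSV).
# Column names follow Procmon's default export; the events themselves are made up.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:01.1","explorer.exe","1240","WriteFile","C:\\Users\\lab\\Desktop\\notes.txt","SUCCESS","Offset: 0, Length: 12"
"10:02:03.4","sample.exe","3312","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:02:03.5","sample.exe","3312","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 61440"
"10:02:04.0","sample.exe","3312","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"
"10:02:04.2","sample.exe","3312","RegSetValue","HKCU\\Software\\Sample\\Installed","SUCCESS","Type: REG_DWORD, Data: 1"
"10:02:05.0","svchost.exe","812","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Start","SUCCESS","Type: REG_DWORD, Data: 2"
"""

# Operations worth keeping, mirroring the filter applied by hand in Procmon.
# Assumption: Procmon names the registry write operation "RegSetValue".
INTERESTING_OPS = {"WriteFile", "RegSetValue"}

# Matches the Run / RunOnce autostart keys under either HKLM or HKCU.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)


def parse_procmon_csv(text):
    """Turn the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events, process_name, operations=INTERESTING_OPS):
    """Keep only events from the sample's process with an interesting operation."""
    return [
        e for e in events
        if e["Process Name"].lower() == process_name.lower() and e["Operation"] in operations
    ]


def dropped_executables(events):
    """Unique paths of .exe files the sample wrote to disk, in first-seen order."""
    seen = []
    for e in events:
        path = e["Path"]
        if e["Operation"] == "WriteFile" and path.lower().endswith(".exe") and path not in seen:
            seen.append(path)
    return seen


def run_key_entries(events):
    """(key path, detail) for every registry write that lands under a Run key."""
    return [
        (e["Path"], e["Detail"])
        for e in events
        if e["Operation"] == "RegSetValue" and RUN_KEY_RE.search(e["Path"])
    ]


def file_hashes(data):
    """MD5 (what WinMD5free shows) and SHA-256 of a file's bytes."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def is_self_copy(original, dropped):
    """True when the dropped file is byte-for-byte the original sample."""
    return file_hashes(original)["sha256"] == file_hashes(dropped)["sha256"]


def triage(csv_text, process_name, original_bytes, dropped_files):
    """Summarise one capture.

    dropped_files maps a path to that file's bytes; inside the analysis VM you
    would read them from disk, here they are supplied by the caller.
    """
    events = filter_events(parse_procmon_csv(csv_text), process_name)
    report = {
        "dropped": dropped_executables(events),
        "autostart": run_key_entries(events),
        "self_copies": [],
    }
    for path in report["dropped"]:
        data = dropped_files.get(path)
        if data is not None and is_self_copy(original_bytes, data):
            report["self_copies"].append(path)
    return report


if __name__ == "__main__":
    original = b"MZ" + b"\x00" * 62 + b"constructed sample body"
    dropped = {"C:\\Users\\lab\\AppData\\Roaming\\svchost.exe": original}
    for key, value in triage(SAMPLE_PROCMON_CSV, "sample.exe", original, dropped).items():
        print(f"{key}: {value}")
```

The Run-key check only covers the one location the post mentions; services, scheduled tasks and the Winlogon keys are other autostart points that a fuller triage would add to `RUN_KEY_RE`.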

These are the basic steps in dynamic analysis. I will describe later what exactly each tool is used for.

Tuesday, February 12, 2013

I was not able to go to my internship on Friday because of the snow.

Monday, February 4, 2013

On Friday I went to my internship. I learned that there are two types of analysis: static and dynamic. In static analysis we do not run the malware. We look at the strings, the DLLs, the imports, exports, and functions. If the malware is packed this can be a difficult tactic to use, because most of the code is hidden from our view. There are ways to unpack malware, but I have not gotten that far in the lesson. Dynamic analysis is when you run the malware and see what it does and how it affects the machine. It is important that you do dynamic analysis in a virtual machine, so you do not harm your computer or spread the malware. In class we also "cracked" the game Solitaire. We changed the program so that on any valid move, you would win the game. This was one of my favorite parts of class this week. It was fun.

Tuesday, January 29, 2013

I have decided that my final project will be analyzing an actual piece of malware. In order to accomplish this I will be attending my mentor's Malware Analysis class. I attended the first class on Friday. In the class we reviewed PEiD, virtual machines, and other tools useful in static malware analysis.
Last week I learned about mIRC, which is basically where hackers communicate. I learned the basics of how to communicate and how to protect your identity. I also learned about bots, which are basically programs that connect to IRC channels. The bots can be used by hackers. The bot connects to IRC from the victim's computer and the hacker then has control of the computer. This allows hackers to create botnets, which occur when one person controls a large number of computers. In order to avoid being caught, many people connect through multiple hosts in multiple countries, which makes it hard for people to find out the hacker's location.

Thursday, January 10, 2013

Jan 9th

Today, we went over how malware analysts investigate suspicious programs. The first step is to transfer the files off of the infected computer onto a USB drive and transfer them to a virtual machine. A virtual machine (VM) is a software implementation of a machine (i.e. a computer) that executes programs like a physical machine (Wikipedia). It is important that you are working inside the virtual machine when the USB is connected, or else the entire computer is at risk of being infected. One of the nice things about a virtual machine is that you can take a snapshot of the machine's current state and restore it to that state if anything happens to it. Once the program is loaded onto the machine there are various tools you can use to try to find out what the program does. Today I learned about five different tools that can be helpful. The first tool I learned about was WinMD5free. WinMD5free can translate a program into a hash. A hash function is any algorithm or subroutine that maps large data sets of variable length, called keys, to smaller data sets of a fixed length (Wikipedia). A hash is helpful because it can tell you if you are working on the same program, even if the name changes or the text is in a different language. It can also be useful if you are working in a classified situation, because you can check to see if anyone else has encountered the program without sharing the actual program with anyone else. The next tool is Strings. Strings is helpful because it shows all the strings within the program. When using Strings you want to look for IP addresses, DLLs and EXEs. These are helpful because they can tell you if the malware connects to the network or creates new programs. If you find an IP address you can check the firewall to see if any other computers are connecting to that address, and if they are, they are most likely infected as well. The next tool you can use is Dependency Walker.
Dependency Walker is used to see what functions the malware calls from the various DLLs it uses. By looking at these you try to infer what types of actions the malware performs. Another important thing to check is whether the malware uses only one function out of a DLL. This sometimes means that the malware is encrypted or packed, which makes it harder to figure out what the malware actually does. PEiD is another tool that can help you figure out whether the malware is packed. If you find that the malware is encrypted (even if it isn't, it can still be helpful), it can be helpful to use the Resource Hacker tool. This tool checks the malware's resources, which are the media items used in the program. The resources are not encrypted, so you should still be able to see them if the program does use resources.
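The Strings and Dependency Walker steps above come down to two checks: pull printable strings out of the file and sort them into IP addresses, URLs, DLL names and EXE names; then look at the import table and ask whether it is suspiciously thin (a DLL contributing a single function, or kernel32 offering only the loader pair LoadLibraryA/GetProcAddress, which is what a packer stub typically leaves behind). The script below is an added example written for this post, not the blog author's code and not how Strings, Dependency Walker or PEiD are implemented. The byte blob and both import tables are constructed; it also extracts UTF-16LE strings, which Windows binaries commonly contain and which a plain ASCII pass misses.

```python
import re

# Constructed blob standing in for a sample's bytes; it is not a real program.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00"
    + b"LoadLibraryA\x00GetProcAddress\x00"
    + b"ws2_32.dll\x00connect\x00"
    + b"C:\\Windows\\Temp\\updater.exe\x00"
    + b"198.51.100.23\x00\x00"                                   # documentation-range IP
    + "http://example.invalid/gate.php".encode("utf-16le") + b"\x00\x00"
    + b"ab\x01cd"                                                  # too short to be a string
)

# Runs of 4+ printable ASCII bytes, and the same for UTF-16LE (char, NUL pairs).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def extract_strings(data):
    """What the Strings tool shows: ASCII strings first, then wide strings."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return found


def classify_strings(strings):
    """Bucket the strings an analyst looks for first."""
    hits = {"ips": [], "urls": [], "dlls": [], "exes": []}
    for s in strings:
        low = s.lower()
        if IPV4_RE.match(s):
            hits["ips"].append(s)
        elif low.startswith(("http://", "https://")):
            hits["urls"].append(s)
        elif low.endswith(".dll"):
            hits["dlls"].append(s)
        elif low.endswith(".exe"):
            hits["exes"].append(s)
    return hits


# Constructed import tables, laid out as Dependency Walker would list them.
PACKED_IMPORTS = {"kernel32.dll": ["LoadLibraryA", "GetProcAddress"]}
NORMAL_IMPORTS = {
    "kernel32.dll": ["CreateFileA", "WriteFile", "CloseHandle", "GetModuleHandleA"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
    "advapi32.dll": ["RegOpenKeyExA", "RegSetValueExA"],
}


def packing_indicators(imports):
    """Reasons to suspect the sample is packed; empty means nothing stood out."""
    reasons = []
    total = sum(len(funcs) for funcs in imports.values())
    if total <= 5:                      # threshold is a judgement call, not a rule
        reasons.append(f"only {total} imports in total")
    k32 = {f.lower() for f in imports.get("kernel32.dll", [])}
    if k32 and k32 <= {"loadlibrarya", "getprocaddress"}:
        reasons.append("kernel32 imports are just LoadLibraryA/GetProcAddress")
    for dll, funcs in imports.items():
        if len(funcs) == 1:
            reasons.append(f"{dll} contributes a single import")
    return reasons


if __name__ == "__main__":
    for bucket, items in classify_strings(extract_strings(SAMPLE_BYTES)).items():
        print(f"{bucket}: {items}")
    print("packed sample:", packing_indicators(PACKED_IMPORTS))
    print("normal sample:", packing_indicators(NORMAL_IMPORTS))
```

A thin import table is only a hint, as the post says: a small genuine utility can have few imports, and a packer can plant decoy imports, so the result is a reason to run PEiD and look at the section layout rather than a verdict on its own.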

Monday, December 10, 2012

I will not be meeting with my mentor this week because he is on winter break.