Tuesday, January 29, 2013
I have decided that my final project will be analyzing an actual piece of malware. In order to accomplish this I will be attending my mentor's Malware Analysis class. I attended the first class on Friday. In the class we reviewed PEiD, virtual machines, and other tools useful in static malware analysis.
Last week I learned about mIRC, which is basically where hackers communicate. I learned the basics of how to communicate and how to protect your identity. I also learned about bots, which are basically programs that connect to IRC channels. The bots can be used by hackers. The bot connects to IRC from the victim's computer and the hacker then has control of the computer. This allows hackers to create botnets, which occur when one person controls a large number of computers. To avoid being caught, many people connect through multiple hosts in multiple countries, which makes it hard for people to find out the hacker's location.
Thursday, January 10, 2013
Jan 9th
Today, we went over how malware analysts investigate suspicious programs. The first step is to transfer the files off of the infected computer onto a USB drive and then onto a virtual machine. A virtual machine (VM) is a software implementation of a machine (i.e. a computer) that executes programs like a physical machine (Wikipedia). It is important that you are working inside the virtual machine when the USB drive is connected, or else the entire computer is at risk of being infected. One of the nice things about a virtual machine is that you can take a snapshot of the machine's current state and restore it to that state if anything happens to it. Once the program is loaded onto the machine there are various tools you can use to try to find out what the program does. Today I learned about five different tools that can be helpful.
The first tool I learned about was WinMD5free. WinMD5free can translate a program into a hash. A hash function is any algorithm or subroutine that maps large data sets of variable length, called keys, to smaller data sets of a fixed length (Wikipedia). A hash is helpful because it can tell you if you are working on the same program, even if the name changes or the text is in a different language. It can also be useful if you are working in a classified situation, because you can check to see if anyone else has encountered the program without sharing the actual program with anyone else.
The next tool is Strings. Strings is helpful because it shows all the strings within the program. When using Strings you want to look for IP addresses, DLLs and EXEs. These are helpful because they can tell you whether the malware connects to the network or creates new programs. If you find an IP address you can check the firewall to see if any other computers are connecting to that address; if they are, they are most likely infected as well.
The next tool you can use is Dependency Walker. Dependency Walker is used to see what functions the malware calls from the various DLLs it uses. By looking at these you can try to infer what types of actions the malware performs. Another important thing to check is whether the malware uses only one function out of a DLL. This sometimes means that the malware is encrypted or packed, which makes it harder to figure out what the malware actually does. PEiD is another tool that can help you figure out whether the malware is packed. If you find that the malware is encrypted (even if it isn't, it can still be helpful), it can be helpful to use the Resource Hacker tool. This tool checks the malware's resources, which are the media items used in the program. The resources are not encrypted, so you should still be able to see them if the program does use resources.
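As an added example (not from the post or the class), here is a small Python triage script that does the first steps above on a file: it computes the MD5 (what WinMD5free prints) plus a SHA-256 for sharing, extracts printable strings the way the Strings tool does, and pulls IP addresses and DLL/EXE names out of them. The embedded SAMPLE bytes are constructed, not real malware; passing a path on the command line runs it against a real file instead.

```python
import hashlib
import re

# Constructed sample "binary": junk bytes plus the kinds of strings an analyst
# looks for (DLL names, an address, an EXE path). Not a real malware sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\x00"
    + b"KERNEL32.dll\x00WS2_32.dll\x00LoadLibraryA\x00"
    + b"\x01\x02" + b"connect to 192.0.2.44\x00"
    + b"C:\\Temp\\update.exe\x00" + b"\xff" * 8
)

def file_hashes(data: bytes) -> dict:
    """MD5 (what WinMD5free shows) and SHA-256 for sharing/lookup without the file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as the Strings tool: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MODULE = re.compile(r"\b[\w.\\:-]+\.(?:dll|exe)\b", re.IGNORECASE)

def triage(data: bytes) -> dict:
    """Hashes, network indicators and module names pulled from the strings."""
    strs = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "ips": [ip for s in strs for ip in IPV4.findall(s)],
        "modules": [m for s in strs for m in MODULE.findall(s)],
        "string_count": len(strs),
    }

if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(data), indent=2))
```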
Monday, December 10, 2012
Thursday, November 29, 2012
Example Code:
#include <iostream>
using std::cout;
using std::endl;

// Forward declarations so main() can call both functions before they are defined
bool isLaurenHere(int time);
void prepareForLauren();

int main()
{
    int time = 200;
    // Keep calling prepareForLauren() until isLaurenHere() returns true
    while (!isLaurenHere(time)) // (condition (argument))
    {
        prepareForLauren();
        time--;
    }
    return 0;
}

bool isLaurenHere(int time) // definition, returns a boolean = true or false
{
    if (time == 0)
        return true;
    else
        return false;
}

void prepareForLauren() // void = returns nothing
{
    cout << "Hey prepare for Lauren!" << endl;
}
Yesterday I went to my internship and I learned a lot. I learned about the four different types of USB devices that are used as ways to transfer information. They are HID, U3 smart drives, normal USB drives, and USB keyloggers. Sadly many of these things are difficult to use because there are now built-in protection mechanisms in people's computers, from overuse of these devices. Things such as autorun on USB drives and USB keyloggers are now gone or have warnings that pop up that would identify the user. A way people get around this, and a popular field, is social engineering. Social engineering is basically tricking people into doing things they wouldn't normally do or want to do. For example, if you name a file "passwords", many people will click on it and look through it. Social engineering takes advantage of human nature and curiosity. Today I also learned more coding. I learned how to use a while loop, which is much like a for loop, only it does not use numbers. While learning to use a while statement I also learned about Booleans, which basically return whether the condition is true or false. In the while statement I wrote, it returned a Boolean. I read a few articles on Windows programming (link found below).
http://msdn.microsoft.com/en-us/library/windows/desktop/ff381398(v=vs.85).aspx
Wednesday, November 28, 2012
On November 14 I learned a lot. We went over various hacking techniques such as remote control of a computer via ssh, stack smashing, and format string attacks. This was really interesting because I never knew you could control a computer from a different town or city. I got to practice hacking by stack smashing, which has lots of different techniques. One way is to overflow the program by giving it too many characters. A quick way to type a certain number of characters is by using this format: perl -e 'print "A"x10'. I also learned about hexadecimal numbers, which are base 16 instead of the normal base 10. Each character has a corresponding hexadecimal number. We can use this information when trying to smash the stack. I also learned some C++ coding. We went over arrays, which assign a certain number of spaces that can be filled with characters. For example: int x[10]; has ten spaces for integers to fill. I also learned how to use a for loop. The format for a for loop looks like this: for(int i = 0; i < 10; i++). This example says that there is an integer i that is equal to zero. While i is less than 10, run through the commands below and add one to i.