I have decided that my final project will be analyzing an actual piece of malware. In order to accomplish this I will be attending my mentors Malware Analysis class. I attended the first class on Friday. In the class we reviewed PEids, Virtual Machines, and other tools useful in static malware analysis.

Last week I learned about the mIRC, which is basically where hackers communicate. I learned the basics of how to communicate and how to protect your identity. I also learned about bots, which a basically programs that connect to IRC channels. The bots can be used by hackers. The bot connects to IRC from the victims computer and the hacker then has control of the computer. This allows hackers to create botnets, which occur when one person controls a large number of computers. In order to prevent from being  caught many people connect to multiple hosts in multiple countries which makes it hard for people to find out the hackers location.

Jan 9th

Today, we went over how malware analysts investigate suspicious programs. The first step is to transfer the files off of the infected computer onto a USB drive and transfer them to a virtual machine. A virtual machine (VM) is a software implementation of a machine (i.e. a computer) that executes programs like a physical machine (Wikipedia). It is important that you are working inside the virtual machine when the USB is connected or else the entire computer is at risk of being infected. One of the nice things about a virtual machine is that you can take a snapshot of the machines current state and restore it to that state if anything happens to it. Once the program is loaded on to the machine there are various tools you can use to try to find out what the program does. Today I learned about five different tools that can be helpful. The first tool I learned about was WinMD5free. WinMD5free can translate a program into hash. A hash function is any algorithm or subroutine that maps large data sets of variable length, called keys, to smaller data sets of a fixed length (Wikipedia). Hash is helpful because it can tell you if you are working on the same program, even if the name changes or the text is in a different language. It can also be useful if you are working in a classified situation because you can check to see if anyone else has encountered the program without sharing the actual program with anyone else. The next tool is Strings. Strings is helpful because it shows all the strings within the program. When using strings you want to look for IP addresses and dll’s and exe’s. These are helpful because they can tell if the malware connects to the network or creates new programs. If you find an IP address you can check the firewall to see if any other computers are connecting to that address and if they are they are most likely infected as well. The next tool you can use is dependency walker. Dependency walker is used to see what functions the malware called from the various dll’s it uses. By looking at these you try to infer what types of actions the malware performs. Another important thing to check is if the malware uses only one function out of a dll. This sometimes means that the malware is encrypted or packaged, which makes it harder to figure out what the malware actually does.  PEiD is another tool that can help you figure out whether the malware is packaged. If you find that the malware is encrypted (even if it isn’t it can still be helpful), it can be helpful to use the resource hacker tool. This tool checks the malware's resources which are the media items used in the program. The resources are not encrypted, so you should still be able to see them if the program does use resources.

 

http://en.wikipedia.org/wiki/Virtual_machine

http://en.wikipedia.org/wiki/Hash_function