Applications Software Maintenance / Source Code and Documentation Engineering / Virus Analysis
Malware
- Virus - needs a vector for propagation
- Worm
Malware - Trojan Horse
- Performs unstated and undesirable functions
- Spyware, adware, logic bombs, backdoors, rootkits
Anti-Virus
- Integrity Checking
- Static AV Scanners
- Dynamic AV Scanners

Anti-Virus - Static AV Scanners
- Program properties (registry, system calls)
- Malware byte sequence extraction

Anti-Virus - Dynamic AV Scanners
- Intercepting system calls
- Analyzing audit trails
- Operation patterns
Procedures For Analysis
- Save only disassembled files
- Rename extensions (prevents double-click)
- NEVER SEND MALWARE
Tools
- Isolate and restore snapshots
Tools - BinText
- Extracts strings from binary files (code)
- IRC commands, SMTP, registry keys
Tools - IDA Pro
- Disassembles executables into assembly
Tools - UPX
- Executable packer
- To unpack: upx.exe -d -o dest.exe source.exe
Tools - RegShot
- Records modifications to the registry, but not reads
Tools - ProcDump
- Dumps a process's code from memory
- Useful in detecting and analyzing polymorphic viruses
Tools - Network Activity
- TCPView - displays open network ports
- TDIMon - monitors network activity
- Ethereal/Wireshark - packet sniffer
- Snort - IDS / packet sniffer
- netcat - network Swiss army knife
Tools - SysInternals.com
- TCPView - TCP and UDP endpoints and processes
- TDIMon - logs all network activity, but not packet contents
Tools - Wireshark (formerly Ethereal)
- Captures and displays all packet contents
- One of your best friends
Tools - Netcat
- Reads and writes across data connections using TCP/IP
- Great for probing, listening, debugging, or exploring unknown network behavior
- The other one of your best friends
The Assignment
- Beagle.J (and its cousin Beagle.K)
- Static analysis (BinText, IDA)
- Dynamic analysis
  - Host side (registry, process, files)
  - Networking (ports, connections, traffic)