Applications Software MaintenanceSource Code and Documentation EngineeringVirus Analysis
Malware Virus- Needs a vector for propagation
Worm
Malware - Trojan Horse
- Performs unstated and undesirable functions
- Spyware, adware, logic bombs, backdoors, rootkits
Anti-Virus Dynamic AV Scanners
Anti-Virus Integrity CheckingStatic AV Scanners- Program properties (registry, system calls)
- Malware byte sequence extraction
Anti-Virus - Dynamic AV Scanners
- Intercepting system calls
- Analyzing audit trails
- Operation patterns
Procedures For Analysis Save only disassembled files Rename Extensions, prevents double-click NEVER SEND MALWARE
Procedures For Analysis
Tools - Isolate and restore snapshots
BinText - Extracts strings from binary files (code)
- IRC commands, SMTP, registry keys
Tools IDA Pro- Dissassembles executables into assembly
Tools UPX Decompression- Executable packer
- To unpack: upx.exe -d -o dest.exe source.exe
Tools
Tools RegShot- Records modifications to the registry, but not reads
Tools ProcDump- Dumps a processes code from memory
- Useful in detecting an analyzing polymorphic viruses
Tools
Tools Network Activity- TCPView - displays open network ports
- TDIMon - monitors network activity
- Ethereal/Wireshark - Packet Sniffer
- Snort - IDS / Packet Sniffer
- netcat - Network swiss army knife
Tools SysInternals.com- TCPView - TCP and UDP endpoints and processes
- TDIMon - Logs all network activity, but not packet contents
Tools Wireshark (formerly Ethereal)- Captures and displays all packet contents
- One of your best friends
Tools Netcat - reads and writes across data connections using TCP/IP
Great for probing, listening, debugging, or exploring unknown network behavior The other one of your best friends
The Assignment Beagle.J (and its cousin Beagle.K)
Static analysis (BinText, IDA) Dynamic Analysis - Host Side (Registry, process, files)
- Networking (Ports, connections, traffic)
Dostları ilə paylaş: |
