Hi,
I am a final year computer forensics student, and I have an interest in doing a project on reverse engineering of malware. However, my programming skills are not the best, but I think I can manage picking out and understanding bits of code.
I was thinking of downloading malware on a virtual pc and using various tools to analyse it.
Can someone give me a tad more info to guide me the right way?
Greatly appreciated.
PAP
Very interesting project you're doing, pappose66!
An interesting book in that regard is Eilam, E. (2005), "Reversing: Secrets of Reverse Engineering", Wiley Publishing Inc., Indiana, US, ISBN-10 0-7645-7481-7.
Also, I would recommend that you at least familiarise yourself with the C programming language as well as with assembly language, well enough to read source code moderately well, as you will need quite a bit of both.
I would also recommend reading up on honeypots and honeynets (as I recall there are a number of solutions and papers on their use as malware traps, which would greatly assist you in both collecting malware and studying first-hand (though in a black-box way) their mode of spreading and infecting computers).
Other than that, what you can do is look at netsec and DF publications dealing with the issue of malware analysis through Google Scholar, ScienceDirect or the ACM portal (you should do it through your institution, which should have access to most if not all of the publications you will need).
Hope this helps
Cheers
DarkSYN
Hi papoose66,
Drop me an email and I can give you some pointers. I am working towards a PhD in this area. I think you will need to be realistic about what you can achieve in one year, so perhaps an evaluation of the various automated online analysis engines may be a way forward? These go beyond the brief descriptions you get from AV vendors' sites.
You may also wish to check out http// vx . netlux . org/ (remove the spaces), as there is a lot of documentation and even a library of malware (albeit a bit old now) for you to experiment with.
Regards
Ian
I used to be interested in computer viruses a while ago, so I started reading about it.
It turned out that I had to know not only some programming, but also a lot about assembly languages (most of the code you will read is actually disassembled from the binary with the malware code inside). Also, you will need to do it on a virtual machine (and preferably take a snapshot before starting to work with the malcode).
Here are the tools I used:
IDA Pro – a really good disassembler. There is a free version.
OllyDbg – a really nice free debugger (you will need it to see exactly what the malcode does, or to skip some steps of the program; some malcode is smart enough to check if it is running on a virtual machine and, if it is, it stops).
Process Monitor – if you are using a Windows virtual machine. Sysinternals made a really nice one; it's a free download from Microsoft's TechNet. You will need this to see exactly what is happening in the system while running the malcode (I only used it on an XP machine and never tried it on Vista, 7 or any of the server versions). Start it, wait a while after you start capturing, start the malcode, wait a while (3-5 min.) and stop capturing, or your system will hang eventually.
Process Explorer – if you are using a Windows virtual machine. Made by Sysinternals and downloadable again from the same spot. Monitor your processes (even though most of the malcode will not show up there).
Strings utility – a utility that extracts strings from binary files. I used the one from Mark Russinovich. It's available at the same place as the previous two.
Microsoft Network Monitor 3.3 – used to monitor the network traffic. Really useful if the virus is trying to send anything through the network.
Of course you may want to use a virus scanner, and here is one: http//
Well, those are the tools I used, but unfortunately I didn't manage to find the time needed to really get into that field, and I'm not that familiar with assembly language.
Cheers.
Nicci
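The strings step in Nicci's list is simple enough to reproduce yourself, which also shows why the Sysinternals tool reports both narrow and wide strings: Windows malware keeps URLs and registry paths in UTF-16LE as often as in ASCII, and a plain ASCII scan misses them. The following is an added example, not code from the thread or from Sysinternals. It extracts both encodings with file offsets and then runs a small triage filter over the result. The minimum length, the indicator list and the embedded sample bytes are constructed for the example, not taken from any real malware.

```python
import re
import sys

# Default minimum run length; 4 is the convention most strings tools use.
MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for each printable run in data.

    ASCII runs are bytes 0x20-0x7e. UTF-16LE runs are the same bytes with a
    zero byte after each one. The negative lookbehind on the wide pattern is a
    heuristic: without it the NUL terminator of a preceding ASCII string plus
    the first wide character would be swallowed into the wide match.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    # Interleave narrow and wide hits in file order.
    found.sort(key=lambda t: t[0])
    return found


# Constructed indicator list: things worth a second look in a sample
# (URLs, the Run persistence key, a few injection/download APIs).
INTERESTING = re.compile(
    r"(https?://|\\CurrentVersion\\Run|"
    r"\b(CreateRemoteThread|WriteProcessMemory|VirtualAllocEx|"
    r"URLDownloadToFile|WinExec|ShellExecute)\b)",
    re.IGNORECASE,
)


def triage(strings):
    """Keep only the strings matching the indicator list."""
    return [s for s in strings if INTERESTING.search(s[2])]


# Constructed stand-in for a binary: header-like junk plus an ASCII API name,
# a UTF-16LE URL, a registry path and a too-short run. Not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"CreateRemoteThread\x00"
    + "http://example.invalid/gate.php".encode("utf-16le")
    + b"\x00\xff\x10"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00"
)


def dump(data: bytes):
    for off, enc, text in extract_strings(data):
        flag = "*" if INTERESTING.search(text) else " "
        print(f"{flag} {off:#010x} {enc:8} {text}")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            dump(fh.read())
    else:
        dump(SAMPLE)
```

Run it with a path to print every string with its offset (starred lines are triage hits), or with no argument to run over the constructed sample. On a packed binary expect very little useful output; the interesting strings only appear after unpacking or in a memory dump of the running process, which is the point the later replies make.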
Adding to Nicci's list, also check out:
Regmon - another tool from Sysinternals, like Procmon but for the registry
Filemon - as above, but monitors file accesses/creation/deletion
TCPView - another Sysinternals tool, shows open connections and their PID
RootkitRevealer - another Sysinternals tool, a basic rootkit scanner
Autoruns - shows what is set to run on startup
Something to do snapshot analysis - i.e. take a snapshot of a clean system, infect it, and see the changes
SysAnalyzer from iDefense Labs incorporates a lot of these tools into one handy package; the only downside is that it requires you to point it at the malware and execute it (at least it did the last time I used it). There are some other cool tools on their site too.
This all pretty much covers behavioural analysis rather than straight reverse engineering, but usually you'll have to do this first and then build from it. A lot of malware will be packed and then extracted to memory to execute, so, like Nicci said, you'll want a good disassembler (I used OllyDbg previously) to have a play with.
You could also look at it from a live response perspective rather than hardcore RE. So you can do things like dump the memory for analysis later with your favourite tool, run scripts for open connections, etc. There is a lot of focus on this in Windows Forensic Analysis 2/e by Harlan Carvey, which might be of use.
Oh, by the way - it should go without saying, but do all this in a virtual machine within an isolated network. You want to be part of the solution, not the problem!
Hope that helps…
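The snapshot analysis ddewildt mentions (clean snapshot, infect, compare) is a few lines of code once you decide what to hash. The block below is an added example, not ddewildt's tool or any of the products named above. It walks a directory tree, hashes every regular file, and diffs two such snapshots into added, removed and modified paths. The `demo()` function builds a constructed stand-in for the guest filesystem in a temporary directory and simulates an infection (a dropped executable and an edited hosts file); those file names are invented for the example.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (relative, forward-slash path) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        h.update(chunk)
            except OSError:
                # Locked or unreadable files are still worth recording.
                state[rel] = "<unreadable>"
                continue
            state[rel] = h.hexdigest()
    return state


def diff(before, after):
    """Compare two snapshots; returns sorted lists so output is stable."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed clean tree, then a simulated infection, then the diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as f:
            f.write(b"MZ original")
        clean = snapshot(root)

        # Simulated malware behaviour (constructed): blocks an update host
        # and drops a look-alike binary.
        with open(os.path.join(sys32, "hosts"), "a") as f:
            f.write("127.0.0.1 update.av-vendor.invalid\n")
        with open(os.path.join(root, "Windows", "svch0st.exe"), "wb") as f:
            f.write(b"MZ dropper")
        infected = snapshot(root)
        return diff(clean, infected)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

On a real guest, call `snapshot()` on the system drive from a clean VM checkpoint, run the sample, and call it again; hashing a whole Windows install takes minutes, so most people restrict it to Windows, Program Files and the user profile. The registry needs its own pass (exporting the hives with `reg export` before and after and diffing the text works), and, as the rootkit scanner in the list above implies, anything hooking the file system API can hide from a user-mode walk like this one, which is why the memory dump route in the same post is a useful cross-check.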
All good tools listed there by Nicci and ddewildt, but take heed of the following provisos:
(1) A large proportion of malware is 'instrumentation'-aware and can detect, for example, the presence of VMs and a variety of tools such as debuggers.
(2) As ddewildt indicates, different approaches are useful and, I would say, for malware are a requirement. Static analysis of dead code with strings or IDA Pro will only take you so far.
(3) There are a variety of unpackers and packer identifier tools (e.g. PEiD) out there, which mean you don't have to use a debugger for this step.
(4) A lot of malware requires an active network to be encouraged to do anything interesting. You can use DNS spoofing tools and install a web server (IIS tools on XP Pro, for example) to get things moving.
(5) Be mindful of the fact that, like any benign software, malware can have multiple execution branches, and so running a binary on your test system may only show you *one* of several possible behaviours.
Ian
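Ian's fourth proviso is the one that trips up most first lab setups: the sample resolves a hostname, gets NXDOMAIN from the isolated network, and quietly exits. The block below is an added example of the DNS spoofing he describes, not his code or any of the named tools. It is a minimal fake resolver that parses the question section of any incoming query and answers A queries with the analysis host's address (so the sample then connects to the web server you stood up, where its requests are logged); other record types get an empty reply. The listen address, the answer address and the test hostname are assumptions for the example.

```python
import socket
import struct


def parse_query(packet):
    """Return (txid, qname, qtype, end_of_question_offset) for a DNS query."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers only appear in answers, not in a stub's query.
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def build_response(query, answer_ip, ttl=60):
    """Answer any A (type 1) query with answer_ip; other types get no answer."""
    txid, _qname, qtype, qend = parse_query(query)
    question = query[12:qend]
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100   # copy RD bit
    flags = 0x8000 | rd | 0x0080                       # QR=1, RA=1, RCODE=0
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # Name = pointer to offset 12 (the question name), type A, class IN,
        # TTL, RDLENGTH 4, then the address bytes.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def build_query(name, txid=0x1234, qtype=1):
    """Constructed query, the shape a Windows resolver stub sends (RD set)."""
    q = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    return q + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(listen_ip="0.0.0.0", answer_ip="192.168.56.1", port=53):
    """Bind UDP/53 on the lab interface and log every name the sample asks for."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, qname, qtype, _ = parse_query(data)
        except (ValueError, IndexError):
            continue
        print(f"{peer[0]} asked for {qname} (type {qtype})")
        sock.sendto(build_response(data, answer_ip), peer)


if __name__ == "__main__":
    serve()
```

Run it as root/Administrator on the host side of a host-only network and set the guest's DNS server to that address; the printed names are themselves useful evidence (C2 hostnames), and combined with the web server from the same proviso you get the sample's first HTTP request in the server log. Two caveats that follow from Ian's other points: some samples hard-code IP addresses and never resolve anything, and some sanity-check the answer (a "known" domain resolving to a private address is a tell), which is the instrumentation awareness of proviso (1) showing up at the network layer.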