Reverse Engineering Paul deGrandis
Applications • Software Maintenance • Source Code and Documentation Engineering • Virus Analysis
Malware • Virus • Needs a vector for propagation • Worm • No vector needed • Can spread by network shares, email, security holes
Malware • Trojan Horse • Performs unstated and undesirable functions • Spyware, adware, logic bombs, backdoors, rootkits
Anti-Virus • Integrity Checking • Static AV Scanners • Dynamic AV Scanners
Anti-Virus • Integrity Checking • Checksum comparison • Static AV Scanners • Program properties (registry, system calls) • Malware byte sequence extraction
Anti-Virus • Dynamic AV Scanners • Intercepting system calls • Analyzing audit trails • Operation patterns
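The two static approaches listed above, checksum-based integrity checking and matching extracted byte sequences, fit in a few dozen lines. The following is an added example written for this page, not code from the slides or from any AV product; the directory layout, file contents and the SIGNATURES table are constructed for the demonstration.

```python
"""Added example: checksum-based integrity checking plus a byte-sequence
static scan, the two static AV approaches named on the slides.
All file names, contents and the signature table are constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

# Constructed signature table: name -> byte sequence to look for.
# A real scanner would carry a large table of sequences extracted from samples.
SIGNATURES = {
    "demo-marker": b"\x90\x90\xeb\xfe",   # constructed marker, not a real malware signature
}


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative path, '/'-separated) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Integrity check: report what appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_file(path: str, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Static scan: names of every signature whose byte sequence occurs in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, seq in signatures.items() if seq in data)


def demo() -> dict:
    """Walk through both checks on a constructed directory tree."""
    root = tempfile.mkdtemp(prefix="avdemo_")

    def write(rel: str, data: bytes) -> None:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    try:
        write("bin/app.exe", b"MZ" + b"\x00" * 64)
        write("etc/config.ini", b"[main]\nlevel=1\n")
        baseline = snapshot(root)

        # Simulated infection: code appended to app.exe, one file dropped, one deleted.
        write("bin/app.exe", b"MZ" + b"\x00" * 64 + SIGNATURES["demo-marker"])
        write("bin/dropped.dll", b"constructed payload stub")
        os.remove(os.path.join(root, "etc", "config.ini"))

        diff = compare(baseline, snapshot(root))
        hits = scan_file(os.path.join(root, "bin", "app.exe"))
        return {"diff": diff, "hits": hits}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The integrity check catches the appended code even though no signature for it exists, while the signature scan names what was appended; a checksum baseline therefore detects unknown modifications, and a byte-sequence table identifies known ones.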
Procedures For Analysis • Restrict Access • Save only disassembled files • Rename Extensions, prevents double-click • Password protect dangerous files and ZIPs • NEVER SEND MALWARE
Procedures For Analysis • Reset Lab Environment • Static Analysis • Set up network observation tools • Set up process observation tools • Run program • Observe network traffic • Observe process actions • Identify services requested • Create/revise client on Linux • Create DNS tables • Run client • Run services on Linux
Tools • VMware • Isolate and restore snapshots • BinText • Extracts strings from binary files (code) • IRC commands, SMTP , registry keys
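What a tool like BinText does, finding printable ASCII and UTF-16LE runs and letting the analyst pick out IRC commands, SMTP verbs and registry keys, can be shown in a short extractor with a triage pass. This is an added example written for this page, not BinText's code; the sample blob, the keyword lists and the registry path in it are constructed.

```python
"""Added example: a BinText-style string extractor plus a triage pass that
flags the kinds of strings the slides call out (IRC commands, SMTP, registry keys).
The sample blob, keyword lists and paths are constructed."""
import re
from typing import Dict, List, Tuple


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every run of printable characters.
    Finds both plain ASCII and UTF-16LE runs (the 'Unicode' strings Windows binaries carry)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found)


# Constructed indicator keywords for triage; extend to taste.
INDICATORS = {
    "irc": ("NICK ", "JOIN ", "PRIVMSG "),
    "smtp": ("HELO ", "EHLO ", "MAIL FROM", "RCPT TO"),
    "registry": ("HKEY_", "\\CurrentVersion\\"),
}


def triage(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Bucket extracted strings by the protocol or artifact they hint at."""
    buckets: Dict[str, List[str]] = {k: [] for k in INDICATORS}
    for _off, _enc, text in strings:
        for bucket, keys in INDICATORS.items():
            if any(k in text for k in keys):
                buckets[bucket].append(text)
    return buckets


# Constructed sample "binary": a few header bytes and mixed-encoding strings.
# The NUL bytes between runs keep the UTF-16 matcher from starting on the
# last ASCII character of the preceding string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"PRIVMSG #chan :hello\x00\x00"                             # ASCII IRC command
    + "HELO mail.example.test".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE SMTP greeting
    + b"ab\x00"                                                   # too short to report
    + b"HKEY_LOCAL_MACHINE\\Software\\Example\\Run\x00"           # constructed registry path
)


if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for off, enc, text in strings:
        print(f"{off:#06x} {enc:5} {text}")
    print(triage(strings))
```

The UTF-16 pass matters: a sample whose command strings are stored as wide characters shows nothing in a plain ASCII `strings` run, which is one reason BinText's Unicode support is worth having.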
Tools • IDA Pro • Disassembles executables into assembly
Tools • UPX Decompression • Executable packer • To unpack: upx.exe -d -o dest.exe source.exe
Tools • SysInternals.com • FileMon - monitors file access • RegMon - monitors registry access
Tools • RegShot • Records modifications to the registry, but not reads
Tools • ProcDump • Dumps a process's code from memory • Useful in detecting and analyzing polymorphic viruses
Tools • OllyDbg • Attaches to a process • Can actively manipulate memory and registers during operation • Swiss Army Knife
Tools • Network Activity • TCPView - displays open network ports • TDIMon - monitors network activity • Ethereal/Wireshark - Packet Sniffer • Snort - IDS / Packet Sniffer • netcat - Network swiss army knife
Tools • SysInternals.com • TCPView - TCP and UDP endpoints and processes • TDIMon - Logs all network activity, but not packet contents
Tools • Wireshark (formerly Ethereal) • Captures and displays all packet contents • One of your best friends
Tools • Netcat - reads and writes across data connections using TCP/IP • Great for probing, listening, debugging, or exploring unknown network behavior • The other one of your best friends
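The "run services on Linux" step of the analysis procedure and netcat's listening role come down to the same thing: a throwaway service that answers a sample's connection just enough to record what it asks for. The following is an added example written for this page, not code from the slides or from netcat; the banner, reply and host names are constructed, and both ends run on loopback so it works offline.

```python
"""Added example: a sink service that greets like an SMTP server, logs the
sample's first request line, and answers with a canned reply. Everything
(banner text, reply, host names) is constructed; both ends use 127.0.0.1."""
import socket
import threading
from typing import List, Tuple


def start_sink(banner: bytes, reply: bytes, max_clients: int = 1):
    """Listen on a free loopback port; return (port, log, thread).
    Each client gets the banner, its first request is logged, then it gets the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS choose a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    log: List[Tuple[str, bytes]] = []

    def serve() -> None:
        for _ in range(max_clients):
            conn, peer = srv.accept()
            with conn:
                conn.sendall(banner)
                request = conn.recv(1024)     # what the sample asks for
                log.append((f"{peer[0]}:{peer[1]}", request))
                conn.sendall(reply)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, log, t


def talk(port: int, request: bytes) -> bytes:
    """Play the sample's side: connect, read the banner, send one line, read the answer."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        banner = c.recv(1024)
        c.sendall(request)
        answer = c.recv(1024)
    return banner + answer


def demo() -> dict:
    """One full exchange: sink on one side, a stand-in for the sample on the other."""
    port, log, t = start_sink(b"220 sink.lab.test ESMTP\r\n", b"250 sink.lab.test\r\n")
    transcript = talk(port, b"HELO sample-host.lab.test\r\n")
    t.join(timeout=5)
    return {"client_saw": transcript, "server_logged": [req for _peer, req in log]}


if __name__ == "__main__":
    print(demo())
```

In the lab the sink replaces the real mail server the sample expects to reach (the DNS tables from the procedure point the name at the Linux box), so the host-side and network observation tools see the sample's behaviour without any traffic leaving the isolated network.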
The Assignment • Beagle.J (and its cousin Beagle.K) • Static analysis (BinText, IDA) • Dynamic Analysis • Host Side (Registry, process, files) • Networking (Ports, connections, traffic) • Propagation, Backdoors