What and Why

What is malware analysis and why is it useful?

Anti-virus cannot be relied on

50% to 97% of breaches involve malware

Breach Happens - Then What?

Typical:

Reimage the machine

Advanced: Incident Response

Analyze logs, network traffic, strange processes, etc.

Is it anywhere else?

How did it get there?

Mature: Gather Intelligence

What is the impact?

What is the Risk?

Financially motivated? Hacktivism? Opportunistic? APT?

Read: Verizon Data Breach report 2015

Scope

Beginner's Intro to

Windows Malware Analysis

Basic Forensics/ Incident Response / Malware Discovery

Basic Reverse Engineering

Assumed background: Networking (TCP/IP), Operating System Internals, Programming (C, C++), Software Vulnerabilities, Hacking

What is Malware?

Malicious software: executes without the user's permission or knowledge

Malware has software problems like every other product:

Compatibility issues, bugs, customer service, versions/updating issues, team development / source code control

Malware Types/Functionality

General

Virus (file infector, rare)

Trojan (Common)

Worm (Rare)

Bot (Very Common)

Rootkits (Uncommon)

RAT (Very Common)

More Specialized

Scareware

Spyware

Adware

Backdoors

Credential Stealers

Anti-Analysis

Defenses

Stealth

Loader / Downloader

Other Malicious Software

Builders

Exploit Kit

Packer/ Crypter

Types of Analysis

Dynamic analysis

Executing the malware and observing its behaviour. Simple and fast, but easy to miss things

Static Analysis

Reverse engineering the code without running it. Slow, requires deep technical knowledge. With enough time anything can be reversed

Hybrid Static/ Dynamic

Most analysis is a mixture: you find something in the disassembly then you confirm/investigate while the malware is executing.

Memory Forensics. Can be very useful, but is not the end-all, be-all

Tools

MAP Pack (Malware Analysis Pack)

PE viewer: CFF explorer, PE Explorer, PE View, PE Studio

A disassembler/debugger: IDA Pro, x64_dbg, Hopper, etc.

Other (personal preference)

Cygwin - packages (md5sum, gcc, xxd, file, strings, python, binutils) https://cygwin.com/install.html

Notepad++

7Zip

Sample Viruses

Some malware can be executed just by handling the file: being scanned, viewing its icon (Word, PDF, system icon), or extracting the file from an archive

MD5 vs SHA256
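The static triage that the tools above (md5sum, file, strings, a PE viewer) perform, written out as an added example that is not part of the original slides: it reads the file bytes only, never executing the sample, computes both MD5 and SHA256, checks the DOS/PE headers the way a PE viewer does, and pulls printable strings. The SAMPLE bytes are a constructed stand-in for a malware file, not a real sample.

```python
import hashlib
import re
import struct

# Constructed stand-in for a sample: a minimal DOS header whose e_lfanew field
# (offset 0x3C) points at a "PE\0\0" signature, then a COFF header with
# Machine = 0x14c (i386), then some text an analyst would want to see.
SAMPLE = bytearray(0x40)
SAMPLE[0:2] = b"MZ"
SAMPLE[0x3C:0x40] = struct.pack("<I", 0x40)
SAMPLE += b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18
SAMPLE += b"\0\0http://example.invalid/update\0\0cmd.exe\0\0ab\0"
SAMPLE = bytes(SAMPLE)

MACHINES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}


def hashes(data):
    # MD5 is still printed because older reports and AV engines key on it,
    # but MD5 collisions are practical, so SHA256 is the identifier to share.
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_machine(data):
    # Returns the COFF machine name if the buffer has a valid MZ + PE header,
    # otherwise None. Bounds are checked so a truncated or hostile e_lfanew
    # cannot make the parser read past the buffer.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return MACHINES.get(machine, "unknown(0x%x)" % machine)


def ascii_strings(data, min_len=6):
    # Same idea as the `strings` tool: runs of printable ASCII of min_len or more.
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    # Everything here is static: the bytes are read and hashed, never run.
    return {**hashes(data), "machine": pe_machine(data),
            "strings": ascii_strings(data)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```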
