CMSC 449 - Lec2 - Basic Static Analysis

This document discusses basic static analysis techniques for malware analysis. It describes examining malware files while at rest to identify unusual features without executing the files. Specific static analysis techniques covered include analyzing strings, file metadata like PE file headers and sections, imported functions, and embedded resources. The goal is to guide further dynamic analysis steps.

Uploaded by Nafaa Jabeur

CMSC 449
Malware Analysis
Lecture 2
Basic Static Analysis

Types of Malware Analysis

Basic Static Analysis
• Examining the malware while it is “at rest”
  - Plain-text strings within the code
  - Functions imported
  - File metadata
  - File similarity metrics (to identify related malware)
• Goal is to find unusual features that guide next analysis steps

Basic Dynamic Analysis
• Observing the output and/or changes when the malware is run
  - But not interfering or interacting with the malware
  - Changes to filesystem
  - Created processes / threads
  - Network traffic
  - Changes to the registry / system configuration
• Can use a sandbox or run malware in a VM

Advanced Static Analysis
• Examining the malware’s code in detail
• Disassemblers convert machine code to assembly
  - Organize the code into subroutines, and allow the analyst to more easily trace their way through the code
  - Much, much easier than reading the raw assembly
• Can also decompile machine code into an approximation of C

Advanced Dynamic Analysis
• Using a debugger to control any and all aspects of the malware as it is being executed
  - Registers, stack, memory, and code
• Can “trick” malware to execute in ways it normally wouldn’t
  - May be necessary if it hides behaviors during a sandbox run

              Static                                  Dynamic
Basic         Looking at details of the malware       Running the malware and observing
              when it is “at rest”                    changes/output
Advanced      Closely examining the malware’s code    Running the malware and using a
              in detail                               debugger to control details of its
                                                      execution

Objectives of Malware Analysis

Detection, Classification, and Attribution
• Detection: Is a file benign or malicious?
• Classification: What family of malware is this?
• Attribution: Which person/group used this malware?

Other Analysis Objectives
• Determining what malicious behaviors it performed
• Deeply understanding a function(s) in the file
• Identifying related malware samples
• Creating a signature for the malware

Malware Triage
• Hundreds of thousands of unique, previously unseen malicious files created every day
  - Many of these are minor alterations of existing malware
  - Malware authors continually update their malware to add new capabilities and evade detection
• Not enough time for human analysts to look at everything!
• Triage: Give most attention to new/unusual/important samples!

Malware Triage
• Large malware analysis shops may perform different levels of analysis depending upon priority
  - All samples receive automated basic static analysis
  - Many samples receive sandbox runs
  - A handful of samples are flagged for manual analysis

Levels of Analysis
• Analysis time by a human can also vary
  - Again, depends on objectives and importance of file
• Sometimes, just need to take a quick look
• But may also spend days (or longer!) figuring out exactly what a file does

Basic Static Analysis

Static Analysis
• Learning properties of a file without running it
• For now, just doing basic static analysis
  - Analyzing file properties / metadata
• Advanced static analysis involves disassembling / decompiling an executable file to inspect code

Strings
• Sequences of printable characters in a file
• Running strings on a file is usually the first step of analysis
• Gives hints about the functionality of the program
• Example: strings -n 8 [file path] | less
  - Gets all strings of length >= 8 from a file and pipes the output to less

FLOSS
• Like strings but more powerful
• Extracts:
  - ASCII strings
  - UTF-16 strings
  - Stack strings
  - Some encoded strings
• floss -n 8 --no-decoded-strings [file path] | less
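An added example, not part of the lecture: a small Python version of what strings and FLOSS do for ASCII and UTF-16 strings, plus tagging of the kinds of strings an analyst scans the output for. The sample bytes, the .invalid hostname and the indicator categories are constructed for illustration.

```python
import re

# Constructed sample bytes standing in for a file under analysis (not a real
# malware sample): an ASCII DLL name, a URL, a UTF-16LE registry path and a
# file path, separated by non-printable bytes. Hostname uses the reserved .invalid TLD.
SAMPLE = (b"\x4d\x5a\x90\x00\x03\x00\x00\x00" + b"kernel32.dll\x00"
          + b"\x01\x02\x03ab\x00" + b"http://update.example.invalid/cfg\x00" + b"\xff\xfe"
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
          + b"\x00\x00" + b"C:\\Users\\Public\\svc.tmp\x00")

def extract_strings(data, min_len=8):
    """Return (offset, encoding, text) for every run of >= min_len printable
    characters, as ASCII (like `strings -n`) and UTF-16LE (like FLOSS), by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)

# Patterns an analyst scans the strings output for: the "hints about
# functionality" the lecture mentions (assumed categories, not an exhaustive list).
INDICATORS = [
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("registry", re.compile(r"^(?:HKEY_|Software\\)", re.I)),
    ("path", re.compile(r"^[A-Za-z]:\\")),
    ("dll", re.compile(r"\.dll$", re.I)),
]

def tag(text):
    """Names of the indicator categories that a single string matches."""
    return [name for name, rx in INDICATORS if rx.search(text)]

def interesting_strings(data, min_len=8):
    """Only the strings that hit at least one indicator, with their tags."""
    return [(off, enc, s, tag(s)) for off, enc, s in extract_strings(data, min_len)
            if tag(s)]

if __name__ == "__main__":
    for off, enc, s, tags in interesting_strings(SAMPLE):
        print(f"{off:#06x} {enc:6} {','.join(tags):9} {s}")
```

Raising min_len the way `-n` does trims short noise such as `ab` above at the cost of dropping short legitimate names like `kernel32.dll` once the threshold exceeds their length.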

Strings and FLOSS Demo
Lab01-01.exe
Lab09-02.exe

PE File Format
• File format for Windows executables
• Includes EXE, DLL, SYS, and other file types
• Describes how the executable file is loaded into memory
• Contains lots of metadata that is useful to malware analysts!

The IMAGE_FILE_HEADER
• Contains basic file information
  - NumberOfSections
  - TimeDateStamp
  - Characteristics

The IMAGE_OPTIONAL_HEADER
• Not actually optional
• Contains lots of important metadata:
  - AddressOfEntryPoint
  - Sizes of various parts of the file that get loaded into memory
  - Minimum versions of operating system, linker, image, subsystem

The Section Table
• Each section corresponds to a contiguous area of memory in a process
• Section table contains an array of IMAGE_SECTION_HEADERs

IMAGE_SECTION_HEADERs
• Each contains that section’s:
  - Name
  - VirtualAddress
  - VirtualSize
  - SizeOfRawData
  - Characteristics

Common PE Sections

Section name   Contents
.text          Executable code
.data          Initialized data
.idata         Import Address Table
.rsrc          Resource Directory Table
.rdata         Read-only initialized data

• Many other common section names
• Unusual section names are a malicious indicator
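An added example, not from the lecture: a Python parser that walks the headers discussed above (IMAGE_FILE_HEADER, the start of IMAGE_OPTIONAL_HEADER, and the IMAGE_SECTION_HEADERs) over a constructed minimal PE32 header, and flags section names outside the common set. The extra names in COMMON_SECTIONS beyond the table above, and the sample image, are assumptions.

```python
import struct
from datetime import datetime, timezone

# Section names the lecture lists as common, plus a few other standard ones
# (assumed; anything outside this set is flagged for a closer look).
COMMON_SECTIONS = {".text", ".data", ".idata", ".rsrc", ".rdata",
                   ".reloc", ".bss", ".edata", ".pdata", ".tls"}

def parse_pe(data):
    """Read IMAGE_FILE_HEADER, the start of IMAGE_OPTIONAL_HEADER and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)       # DOS header -> "PE\0\0" offset
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER (20 bytes)
    (machine, nsec, ts, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)            # 0x10B = PE32, 0x20B = PE32+
    entry, = struct.unpack_from("<I", data, opt + 16)       # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):                                    # IMAGE_SECTION_HEADERs (40 bytes each)
        off = opt + opt_size + 40 * i
        (name, vsize, vaddr, rawsize, _rawptr, _, _, _, _,
         schars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"Name": name.rstrip(b"\0").decode("latin-1"),
                         "VirtualAddress": vaddr, "VirtualSize": vsize,
                         "SizeOfRawData": rawsize, "Characteristics": schars})
    return {"Machine": machine, "NumberOfSections": nsec,
            "TimeDateStamp": datetime.fromtimestamp(ts, timezone.utc),
            "Characteristics": chars, "Magic": magic,
            "AddressOfEntryPoint": entry, "Sections": sections}

def unusual_sections(info):
    """Section names outside COMMON_SECTIONS: the indicator the lecture points out."""
    return [s["Name"] for s in info["Sections"] if s["Name"] not in COMMON_SECTIONS]

def build_sample_pe():
    """Constructed minimal PE32 header (not a real sample): two sections, one oddly named."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 1700000000, 0, 0, 224, 0x0102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000).ljust(224, b"\0")
    def sec(name, vaddr, vsize, rawsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, 0x400, 0, 0, 0, 0, flags)
    return (dos + b"PE\0\0" + file_hdr + opt_hdr
            + sec(b".text", 0x1000, 0x1A0, 0x200, 0x60000020)   # code: execute + read
            + sec(b".xdat", 0x2000, 0x80, 0x200, 0xE0000040))   # constructed odd name, RWX data
```

Calling `unusual_sections(parse_pe(build_sample_pe()))` returns `['.xdat']`; on a real file, pass the bytes read from disk instead of the constructed image.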

PE File Format Demo (Detect it Easy and PE-Bear)
Lab03-03.exe

Imports
• Import Address Table lists which functions a file imports from the Windows API
  - Windows API functions are defined in DLL files
• Imports give info about what actions a file can perform
• Commonly the second step in basic static analysis, after strings

Resources
• Additional data/files contained within a PE file
• In legitimate files, often icons, application manifest, etc.
• Malware often hides things in resources!

Resources and Imports Demo
Lab03-03.exe
