1. Malicious code in computer network


CHAPTER 1
Malicious code in computer network
MALICIOUS CODE DEFENSE IN MOBILE NETWORKS
Funded by Intel Corp.
What is malicious code
• Malicious code is a kind of program that inserts code into another program in order to destroy data in computers, run destructive processes and compromise the security and integrity of data.
• In short, malicious code is an instruction set that makes a computer run according to the intention of the attacker.
The purposes of malicious code
• Show off technology/prank
• Remote control
• Steal private information
• Steal resources
• Launch DDoS on another service
The history of malicious code
• 1949: Von Neumann put forward the notion of program self-replication
• 1960: Conway's Game of Life; 1961: Game of Darwin
• 1970s: The first virus “Creeper” spread on ARPANET
• 1983: Fred Cohen gave the definition of virus
• 1986: The first PC virus “Brain”
• 1988: The first worm “Morris Worm”
• 1990: SunOS Rootkit
• 1995: The concept of macro virus
• 1998: The first virus that damages computer hardware, “CIH”
• 1998: The most famous backdoor “Back Orifice”
The history of malicious code
• 1999-2000: Melissa, ILOVEYOU
• 2001: Code Red I/II, Nimda
• 2002: Reverse connection Trojan “Setiri”
• 2003-2004: Outburst of worms
– 2003: Slammer, Blaster, Nachi, Sobig…
– 2004: Mydoom, Witty, Sasser, Santy…
• 2007-2008: Storm worm
Outline
• 1.1 Different types of malicious codes
– 1.1.1 Virus
– 1.1.2 Worm
– 1.1.3 Malicious mobile code
– 1.1.4 Backdoor
– 1.1.5 Trojan
– 1.1.6 RootKit
• 1.2 Overview of malicious code analysis and detection
– 1.2.1 Overview of malicious code analysis
– 1.2.2 Static analysis technology
– 1.2.3 Dynamic analysis technology
1.1 Different types of malicious codes
1.1.1 Virus
• Definition:
– A self-replicating program that spreads by inserting copies of itself into other executable code or documents. Usually the process of infection needs manual intervention.
• Properties:
– Infectious
– Latency
– Ignitionability
– Destructive
– Derivative
Virus
Panda Burning Incense
Virus
• Generally a virus can replicate itself and send its copies to other executable code or documents. It is usually embedded in host programs. When the infected file performs an operation, the virus replicates itself.
• Viruses have different purposes. Some are just made as pranks, but others have the purpose of destruction.
• Viruses fall into the following categories: file virus, boot sector virus, macro virus and prank E-mail.
File virus
• A file virus can load itself into executable files such as WORD, EXCEL and so on.
– When a program is infected, the virus replicates itself to infect other programs in the system, or other systems that have used the infected file through sharing.
– In addition, the virus resides in memory so that a program is infected when it is about to run.
– Another way of infecting is to modify the files' execution sequence rather than the files themselves. In this case, the infected program executes the virus before executing its own code.
Boot sector virus
• A boot sector virus infects the master boot sector of hard disks or portable storage devices.
– The boot sector is the beginning area of the storage device. It stores data structure definition information. Moreover, the boot sector includes the bootstrap program, which is used to boot the operating system.
– The master boot sector is an independent area of the hard disk. Its bootstrap program can be loaded only by the BIOS. When the content of the infected disk is read during system booting, the virus is executed.
– A boot sector virus has a superb ability to hide. It may bring great damage to the computer, even damage beyond repair.
Macro virus
• Macro viruses are becoming popular currently.
• As the name says, a macro virus replicates by using programs written in a macro language.
– Much software uses macro languages to compile and execute jobs, which macro viruses exploit to spread malicious code.
– Because users often share files containing macro programs, the virus propagates rather fast.
– When a macro virus infects a file, it also infects its temporary files. Therefore the temporary files created from an infected file are also infected.
Prank E-mail
• This kind of "virus" is a fake virus warning. It threatens users with some damage or tells them the system is about to be infected.
• Although the warnings are not true, they spread just like a real virus. The propagation depends on innocent victims who want to inform other users.
• Usually prank E-mail is not destructive, but sometimes it tells users to delete some files or modify system settings. This damages the security of the system.
Infection mechanisms of virus
• The prefix infection
• The suffix infection
• The insertion infection
Propagation modes of virus
• Portable storage devices: floppy disks, USB flash disks
• E-mail: email virus
• File sharing: SMB shared service, NFS, P2P
1.1.2 Worm
• A worm is a kind of self-reproducing, independent program whose propagation doesn't need help from other programs on a host.
• Its self-replication is different from a virus'. It can create its copies and execute them automatically.
• A worm invades by using vulnerabilities and insecure settings. These properties make it spread at a very high speed.
Defining characteristics of worm
• Individual files that don't need a host
• Spread via network
• Self replicate automatically
• Infect and spread without user interaction
Propagation modes of worm
• Attacking web service bugs
• Spread via shared network directory
• Spread via E-mail
Components of worm
• Breaking a worm down into its building
blocks, we see
– The warhead that contains exploits used to break into a system,
such as buffer overflow, file sharing, or e-mail attacks.
– The propagation engine moves the worm to the target system.
– The payload contains code to take some action on the target.
Some worms carry backdoors, denial-of-service flooding tools, or
password-cracking programs.
– The target selection algorithm chooses new addresses to scan
for vulnerabilities, while the scanning engine actually checks the
address to see if it is vulnerable.
Superworm
• The worms we've seen so far have been relatively
benign, especially when compared to the
superworms currently on the drawing board of
various worm developers.
• Superworms will attack multiple operating
systems. They'll also include multiple exploits for
breaking into targets.
• Attackers will take advantage of zero-day
exploits in worms to break into our systems using
vulnerabilities we've never before seen.
Superworm
• Superworms will spread like wildfire, using the
prescanning techniques of the Warhol worm to
conquer most vulnerable systems within an hour.
• To mask their capabilities and evade detection,
such worms will include metamorphic and
polymorphic capabilities, respectively. Finally,
the superworms will actually do something nasty
when they reach a target.
1.1.3 Malicious mobile code
• Mobile code is a lightweight program that
is downloaded from a remote system and
executed locally with minimal or no user
intervention.
• Malicious mobile code is mobile code that
makes your system do something that you
do not want it to do.
Common malicious mobile code
• Browser scripts
• ActiveX controls
• Java applets
Browser scripts
• Browser scripts are embedded in HTML documents as
plain-text commands designated by the script tag, and
are usually written using JavaScript or VBScript.
• One of the ways in which an attacker can misuse the
functionality available to the script is by overwhelming
the browser with repetitive tasks.
• Malicious sites might also use scripts in an attempt to
hijack the visitor's browser by jumping to unwanted Web
sites, resizing the screen, resetting the home page, and
adding bookmarks.
Browser scripts
• Malicious browser scripts also play an active role in
stealing the victim's session cookies, which could allow
an attacker to access someone's browsing session
without supplying proper user credentials.
• One way of gaining unauthorized access to cookies
involves exploiting flaws in the implementation of the
browser's cookie-protection mechanisms.
• Another approach, called cross-site scripting, operates
by injecting a script into the vulnerable Web site, so that
the victim executes malicious code when viewing the
affected page.
Browser scripts
This demo uses JavaScript to create and resize browser
windows that spell out the desired word, one letter per window.
ActiveX controls
• ActiveX controls are full-fledged programs that can
operate with access privileges of a regular Windows
application.
– Site developers can embed ActiveX controls in an HTML page
by using the object tag and specifying the unique class identifier
of the desired control.
– If the developer of the control designated it as safe for scripting,
then it might fall under the influence of a malicious browser script.
– Powerful ActiveX controls erroneously marked safe for scripting
might act as a window through which malicious code can find its
way into the system, as was the case with Scriptlet.Typelib and
Eyedog exploits.
ActiveX controls
• The Authenticode methodology, developed by Microsoft,
allows developers to cryptographically sign their mobile
code.
• This technique allows users to decide whether to allow
an ActiveX control to run depending on who authored it.
• Unfortunately, signing an ActiveX control does not
vouch for its good intentions, because an attacker can
cryptographically sign a malicious program. Once the
user agrees to run a malicious ActiveX control, it will
have unrestricted access to the victim's system.
• Malicious mobile code can also take the form of browser plug-ins; plug-ins written for Internet Explorer as special ActiveX controls are called BHOs.
ActiveX controls
A security warning asks the user whether to fully trust the
author of the downloaded ActiveX control
Java applets
• Java applets are programs written in the Java
programming language in a way that allows them to be
embedded in Web pages.
• Like all Java programs, Java applets can run on multiple
operating systems, and execute within the confines of
the JRE. Unsigned applets that were downloaded from
the Internet are subjected to strict access restrictions:
• They cannot access the machine's file systems or registry, and can only communicate with the host from which they were retrieved.
• The Java security model also allows administrators to
enforce granular access restrictions on
cryptographically signed applets; however, if a user
agrees to execute a signed applet for which the
security policy was not defined, the applet will run with
full system privileges.
Java applets
An untrusted malicious applet can crash a vulnerable Opera browser.
1.1.4 Backdoor
• A backdoor is a program that allows
attackers to bypass normal security
controls on a system, gaining access on
the attacker's own terms.
Backdoors could give the attacker many different
types of access, including the following:
• Local Escalation of Privilege:
– This type of backdoor lets attackers with an account
on the system suddenly change their privilege level to
root or administrator.
– With these superuser privileges, the attacker can
reconfigure the box or access any files stored on it.
• Remote Execution of Individual Commands:
– Using this type of backdoor, an attacker can send a
message to the target machine to execute a single
command at a time.
– The backdoor runs the attacker's command and
returns the output to the attacker.
Backdoors could give the attacker many different
types of access, including the following:
• Remote Command-Line Access:
– Also known as remote shell, this type of backdoor lets the
attacker type directly into a command prompt of the victim
machine from across the network. The attacker can utilize all of
the features of the command line, including the ability to run a
series of commands, write scripts, and select groups of files to
manipulate.
– Remote shells are more powerful than simple remote execution
of individual commands because they simulate the attacker
having direct access to the keyboard of the target system.
• Remote Control of the GUI:
– Rather than messing around with command lines, some
backdoors let an attacker see the GUI of the victim machine,
control mouse movements, and enter keystrokes, all across the
network.
– With remote control of the GUI, the attacker can watch all of a victim's actions on the machine or even remotely control the GUI.
All-purpose network connection gadget: Netcat
• Netcat is a simple program that connects
standard input and output to various TCP and
UDP ports on the network.
– With this capability, it is often abused as a backdoor.
– Using Netcat, an attacker can create a passive
backdoor shell listener waiting for a connection, or
implement an active connection that shovels a shell
across the network.
– The latter technique gets around firewalls that block
incoming connections.
– Cryptcat is an encrypting version of Netcat that uses
symmetric encryption.
All-purpose network connection gadget: Netcat
Netcat in client mode and listen mode connecting
Standard In and Standard Out with the network.
Remote GUI control: VNC
• Many tools allow for transmission of GUI control
across the network, including the very popular
VNC tool. VNC servers can passively wait for
connections, or actively shovel a GUI across the
network.
• In publicly released versions of WinVNC, the
server always shows up in the tool tray or as a
running service. Nonpublic versions, however,
mask their presence in the GUI.
• VNC can be installed remotely using registry
importing techniques.
Remote GUI control: VNC
Controlling a VNC server using the VNC Viewer
Backdoors without ports
• To increase their stealthiness, not all backdoors
listen on TCP or UDP ports.
– Some tools use ICMP.
– Others use sniffers, in nonpromiscuous or
promiscuous mode.
• Because they don't use a port, they are more
difficult to detect.
• Promiscuous sniffers can confuse investigators
because they can make a backdoor appear to
be on another system. Sniffers can be used in a
switched environment using ARP cache
poisoning techniques.
1.1.5 Trojan
Trojan war
Trojan
• Origin: Trojan war
• Definition: A Trojan horse is a program
that appears to have some useful or
benign purpose, but really masks some
hidden malicious functionality.
Camouflage mechanisms of Trojan
• Name camouflage
• Software packaging
• Hijacking the software publisher
Different types of Trojan
• Remote access type Trojan
• Password sent type Trojan
• Keyboard record type Trojan
• Destruction type Trojan
Remote access type Trojan
• This kind of Trojan is very popular today. It has a remote control function and is easy to use.
• The attacker can access a host arbitrarily by executing the server program and obtaining the IP address of the remote host at the same time.
Password sent type Trojan
• This kind of Trojan is devoted to finding all the passwords and sending them to certain mail boxes.
• Most of them send E-mails rather than loading automatically when the system reboots.
Keyboard record type Trojan
• This kind of Trojan is very simple. It only records all the keystrokes and makes complete records in the log files.
• It begins to work as the system boots up, keeps a record of every user event and sends them via E-mail.
Destruction type Trojan
• This kind of Trojan tends to destroy or delete files.
• It can delete all the dynamic link library files or executable files on a host, or even format the user's hard disk.
1.1.6 RootKit
• Definition: RootKits are Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to and hide on a machine.
Different types of RootKit
• User-Mode RootKit
– UNIX User-Mode RootKit
– Windows User-Mode RootKit
• Kernel-Mode RootKit
– Linux Kernel-Mode RootKit
– Windows Kernel-Mode RootKit
UNIX User-Mode RootKit
The tools bundled together in most user-mode
RootKits on UNIX can be broken into five
different areas:
• Binary replacements that provide backdoor access. These tools are the heart of the user-mode UNIX RootKit.
– By overwriting various programs and services used to access the machine, an attacker uses these replacements to log in to the system through various backdoors.
– When the backdoors are used, the attacker is immediately granted root privileges on the target system.
UNIX User-Mode RootKit
• Binary replacements to hide the attacker.
– These tools overwrite existing binaries on the system, replacing
them with Trojan horse versions that let an attacker hide.
– These new binaries lie to users and administrators about the
attacker's files, processes, and network usage on the victim
machine.
• Other tools for hiding that don't replace binary programs.
– These programs let attackers alter the system to hide their
nefarious activities, although they don't replace commands.
Instead, they support the RootKit by including features such as
altering the last modification time of a program to disguise the
alterations caused by installing the RootKit.
– Others even remove evidence of particular account usage on the
box. Still others let the attacker edit logs.
UNIX User-Mode RootKit
• Additional odds and ends.
– Many UNIX RootKits also include various
other tools useful to an attacker on the target
system.
– Some RootKits come with a built-in sniffer, for
gathering traffic from the LAN, which might
include valuable clear-text user IDs and
passwords.
– Backdoor shell listeners are another popular
option bundled with RootKits.
UNIX User-Mode RootKit
• Installation script.
– This program opens up the other bundled RootKit tools,
compiles them if necessary, and moves them to the appropriate
location.
– Rather than manually pushing every binary in place and
handcrafting it to fit properly in the system, automated RootKit
installation scripts run through the entire installation process,
which usually requires a mere 10 seconds or less.
• After the replacement programs are loaded in the proper
places, this script resets the last modification date and
might even compress or pad portions of the binary
replacements so that they are all the same length as
the original programs.
Windows User-Mode RootKit
Three different methods for implementing
user-mode RootKits on Windows:
• Use existing interfaces to insert malicious
code between existing Windows functions
• Disable Windows File Protection feature and
overwrite files on the hard drive
• Utilize DLL injection and API hooking to
manipulate running processes in memory
Windows User-Mode RootKit
Three different methods for implementing user-mode RootKits on Windows
Linux Kernel-Mode RootKit
Five different strategies to manipulate a
Linux kernel
• Using evil loadable kernel modules. These modules
typically alter the system call table so that it points to the
attacker's code. In a sense, the attackers are
implementing API hooking inside the kernel itself. Adore
and KIS are two tools that utilize this technique.
• Altering /dev/kmem. To reload any modules during
system boot, the attackers frequently alter the init
daemon to apply kernel changes at system boot.
Manipulating /dev/kmem allows an attacker to alter the
kernel without using modules.
Linux Kernel-Mode RootKit
• Patching the kernel image file. An attacker could patch
the kernel image on the hard drive by changing the
vmlinuz file. This file can be altered to build various evil
kernel modules right into the kernel file itself
• Creating a fake system with UML. With UML, an attacker
can create a fake guest operating system to trick
administrators and users into thinking they are on the
real system. The attacker really owns and controls the
underlying host operating system
• Altering the kernel with KML. KML extends a kernel so
that user-mode programs can run in Ring 0 and have
direct access to kernel structures
Windows Kernel-Mode RootKit
Five different strategies to manipulate a
Windows kernel
• Evil device drivers. The most popular Windows kernel
attacks involve device drivers that manipulate interrupt
handling, system service dispatching, or the underlying
kernel functionality for handling system services. Each of
these techniques is really a form of API hooking
• Alter a running kernel in memory. An attacker could alter
a running kernel in memory by manipulating the Global
Descriptor Table or altering the \Device\Physical Memory
object
Windows Kernel-Mode RootKit
• Overwrite the kernel image on the hard drive. To
patch a kernel image file on the hard drive, the
attacker first must alter the NTLDR program to
disable its kernel integrity check
• Deploy a kernel on a virtual system. Employ a
virtual machine environment such as VMWare or
VirtualPC to create a fake system that is a prison
for administrators and users
• Try to run user-mode code at the kernel level.
An attacker could alter the kernel so that user-mode programs could run in Ring 0, thereby implementing a kernel-mode Windows tool.
1.2 Overview of malicious code analysis and detection
1.2.1 Overview of malicious code analysis
• Malicious code has become increasingly frequent, causing damage to the security of information systems. In order to improve the speed of emergency response to malicious code, it is necessary to monitor the status of the host and the behavior of the malicious code so as to make a rapid analysis.
• Malicious code analysis technology is the basis of an emergency response network. Through testing and analysis of host state information, we can understand the basic functions of the malicious code, grasp the possible sabotage and provide information for the recovery of the victim system.
The contents of the analysis:
• Because malicious code writers have a particular intent, a malicious code program has some unique characteristics compared with a general application, both in its technical construction and in the functions it requires.
• The main task of analysis is to grasp these characteristics, so that we understand the technical trend of malicious code features and lay the foundation for detection and prevention.
We need to analyze the following contents:
• Conceal function
• Encryption
• Trigger condition
• Self-launch function
• Autonomous attack and reproducing
• Damage function
Contents of the analysis
• Conceal function. Most malicious code is capable of concealing itself on the target machine for a long time. If it cannot hide, it is easily exposed and then removed. So we need to analyze the hidden host features and the hidden network communication.
• Encryption. Malicious code encryption includes two aspects. Encrypting the program itself is used to avoid recognition by antivirus software; many encryption tools also have a file compression function, which reduces the size of the PE file. Traffic encryption is used to prevent network monitoring and lets attackers circumvent the rules of firewalls and intrusion detection systems.
Contents of the analysis
• Trigger condition. Malicious code does not start up its various functional modules as soon as it runs, but only when certain trigger conditions are satisfied. The trigger conditions include: timing triggers, associated event triggers, network control triggers, etc.
• Self-launch function. In order to work normally on the controlled host next time, basically every malicious code has a self-launch function. At the same time, some malicious codes still try to keep working after having been found, which embodies the refractoriness of malicious code.
Contents of the analysis
• Autonomous attack and reproducing. Many malicious codes have the ability of autonomous attack. They copy themselves from one host to another so as to reproduce. There are a lot of differences between malicious code attacks and ordinary hacker behavior. The malicious code attack is very limited: usually the attack range is limited to three or four bugs, and the scanning process is fused together with the attacking process.
• Damage function. Malicious code is referred to as "malicious" because of its acts of sabotage. The danger of the damage depends on the specific malicious code. Some collect local information, some use local resources, and some look for a springboard to attack other machines. We can assess the losses after having understood the damage function of the malicious code.
Analysis technologies
• There are many types of malicious code analysis technology. They are divided into two categories according to the state of the malicious code (whether or not it is executed) in the process of analysis:
• Static analysis technology
• Dynamic analysis technology
Analysis technologies
1.2.2 Static analysis technology
• Malicious code static analysis technology is analysis under the premise of not executing the malicious code, so the analysis system will not be damaged. It includes disassembly analysis, source code analysis, binary statistical analysis, etc.
• This method was used for static signature scanning technology in the early days. It is widely used in the field of anti-virus. The technology is mature, and most of the work lies in the extraction and analysis of signatures.
• In this way, we can analyze the general structure of the malicious code and the system calls it uses, and consider how to transform the destructive behavior of the malicious code into elimination behavior, which code can be used as a malicious code signature, and how to prevent this kind of malicious code.
Four categories of static analysis method
• The malicious code analysis software
• Strings analysis
• Scripts analysis
• Disassembly analysis
The malicious code analysis software
• Anti-virus software detects malicious code via the feature code method, the calibration method and the software simulation method.
• If the anti-virus software has a collection of analytical data on the malicious code, it uses those analysis results directly.
• But if there is no analytical data on the malicious code, it searches for more information via the Internet according to the malicious code information, including its name and other characteristics.
The malicious code analysis software
Strings analysis
• The aim of strings analysis is to find the continuous strings in a malicious code file that are encoded in ASCII or other encodings.
• Many malicious code programs contain a number of strings that reveal the libraries and programs the malicious code uses.
Strings analysis
Search through the malicious code samples for the following information:
• The name of the malicious code;
• Help and command line options;
• The user dialog box;
• The backdoor password;
• The related URL of the malicious code;
• The author of the malicious code or the attacker's Email address;
• Library, function call and other executable files the malicious code uses;
• Other useful information.
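As an added worked example (not part of the original lecture), a small Python strings extractor that pulls ASCII and UTF-16LE runs out of a constructed sample blob and sorts them into the categories of the checklist above (URLs, e-mail addresses, libraries, API names, command-line options, paths); the sample bytes and every name in them are constructed.

```python
import re
from typing import Dict, List

# Constructed sample blob standing in for a malicious executable (not a real binary):
# ASCII strings, a few non-printable separators, and one UTF-16LE string near the end.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"\x01\x02\x03"
    + b"http://update.example.invalid/cfg.bin\x00"
    + b"mailto:drop@example.invalid\x00"
    + b"-install\x00/silent\x00\x00"
    + "C:\\Windows\\Temp\\svc.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" * 5
    + b"a\x00b\x00"  # 2-character UTF-16 run: below the minimum length, ignored
)

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)          # printable ASCII runs
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)  # printable UTF-16LE runs

# Categories from the checklist; the anchored patterns must match the whole string.
CATEGORY_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "library": re.compile(r"^[\w-]+\.(?:dll|sys|ocx)$", re.I),
    "windows_path": re.compile(r"^[A-Za-z]:\\"),
    "cmdline_option": re.compile(r"^[-/][A-Za-z][\w-]*$"),
    "api_name": re.compile(r"^(?:Create|Write|Read|Open|Delete|Load|Terminate|Set|Get|Reg)[A-Z]\w+$"),
}


def extract_strings(data: bytes) -> List[str]:
    """Return ASCII and UTF-16LE strings of at least MIN_LEN characters, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    found.sort()
    return [s for _, s in found]


def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket each string by category; unmatched strings go to 'other' for manual review."""
    report: Dict[str, List[str]] = {name: [] for name in CATEGORY_PATTERNS}
    report["other"] = []
    for s in strings:
        matched = False
        for name, pattern in CATEGORY_PATTERNS.items():
            m = pattern.search(s)
            if m:
                # For URLs and addresses keep only the matched token (drops e.g. "mailto:").
                report[name].append(m.group() if name in ("url", "email") else s)
                matched = True
        if not matched:
            report["other"].append(s)
    return report


def analyze_sample(data: bytes = SAMPLE) -> Dict[str, List[str]]:
    return classify_strings(extract_strings(data))


if __name__ == "__main__":
    for category, items in analyze_sample().items():
        print(f"{category}: {items}")
```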
Scripts analysis
• If malicious code uses JavaScript, VBScript or a shell script language, we can open the script and view the source code in a text editor. Scripts analysis can help analysts identify the types of the most popular scripts within a short time.
• By analyzing the source code, we may understand the function, process, logical judgment and intent of a program. But script analysis requires personnel to have a certain foundation in the programming language.
Scripts analysis
Disassembly analysis
• Static disassembly analysis refers to disassembling malicious code samples with disassembly tools, and then analyzing according to the assembly instruction code and the prompt messages from the disassembly program listing.
• Normally, the forms of malicious code samples include executable files, dynamic link libraries, software libraries or other forms of documents. These files are displayed as jumbled, unreadable text in a standard text editor. The compiler compiles the source code into executable code, generating binary data such as instruction operation codes, text and identifiers, and saves them in the form of an object file.
Disassembly analysis
• The compile process is as follows: the source code → the compiler → compiled object file → the linker → binary executable file. Therefore, a lot of useful information exists in the binary file, and the disassembly tool converts the binary executable code to assembly language instructions with the aid of this useful information.
• Debugging tools such as W32DASM and IDA Pro are commonly used in static disassembly. These tools can reach the specified code quickly, show the target address of a JMP instruction, show referenced strings and save the static assembly code.
Merits and demerits of static analysis technology
• Merits:
• It doesn’t execute the malicious code, so the analysis system is safer.
• We can have a global view of the whole process before executing the executable file.
• We can have a detailed, fine-grained analysis of the code without regard to the specific process execution flow.
Merits and demerits of static analysis technology
• Demerits:
• Omissions exist due to the limitations of static analysis itself, and the content of the analysis is not comprehensive.
• The vast majority of static analysis techniques can only detect known viruses or malicious code. They are powerless when it comes to encoded polymorphic variants or packed programs.
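Packed or encrypted programs defeat signature matching, but static analysis can still recognise that a sample is packed. An added example (not from the lecture): a standard-library-only walk of the PE section table that flags sections whose byte entropy is close to 8 bits, run against two constructed synthetic PE images; `build_sample_pe` is a constructed helper for producing those images, not a real tool.

```python
import math
import random
import struct
from typing import Dict, List, Tuple

PACKED_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> List[Tuple[str, int, int]]:
    """Walk the PE headers and return (name, raw_offset, raw_size) for every section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def section_entropy_report(data: bytes) -> List[Dict[str, object]]:
    """Per-section entropy with a packed/encrypted flag."""
    report = []
    for name, off, size in pe_sections(data):
        ent = shannon_entropy(data[off:off + size])
        report.append({"name": name, "size": size, "entropy": round(ent, 3),
                       "suspicious": ent >= PACKED_THRESHOLD})
    return report


def looks_packed(data: bytes) -> bool:
    return any(s["suspicious"] for s in section_entropy_report(data))


def build_sample_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed helper: assemble a minimal synthetic PE image (headers + sections).
    It is not loadable; it only exercises the parser above."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0  # no optional header: the section walk does not need one
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, body = b"", b""
    for name, content in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(content), 0x1000, len(content), raw_ptr)
        table += b"\0" * 16  # relocation/line-number fields and Characteristics
        body += content
        raw_ptr += len(content)
    return dos_stub + b"PE\0\0" + coff + table + body


# Constructed section contents: a repetitive code-like pattern (8 distinct byte values,
# entropy exactly 3.0) versus pseudo-random bytes from a seeded generator (entropy ~7.95).
CODE_LIKE = b"\x55\x8b\xec\x83\xc4\x10\xc3\x90" * 256
_rng = random.Random(7)
RANDOM_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_CLEAN = build_sample_pe([(".text", CODE_LIKE), (".data", b"\0" * 512)])
SAMPLE_PACKED = build_sample_pe([("UPX0", b""), ("UPX1", RANDOM_LIKE)])

if __name__ == "__main__":
    for label, image in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)):
        print(label, looks_packed(image), section_entropy_report(image))
```

High entropy only says the bytes are compressed or encrypted; resources such as embedded images trip the same check, so treat the flag as a reason for dynamic analysis, not a verdict.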
1.2.3 Dynamic analysis technology
• Dynamic analysis is the analyzing process
that needs monitoring the operation
process of the malicious code.
• Dynamic analysis method is divided into
dynamic tracing method and the external
monitoring method according to whether the
semantics are analyzed.
Dynamic tracing method
• We can execute malicious code step by step and track it dynamically using program debugging tools. Commonly used tools include OllyDbg, SoftIce, etc. Generally the process can be divided into two steps:
– Coarse tracking. We do not need to keep tracking when we meet instructions such as CALL, REP, LOOP and so on. We can analyze the function of the code according to the execution result.
– Fine tracking of critical sections. We should trace and analyze specific key code in detail. In general, it takes several passes to understand the program. It is necessary to record the intermediate results or instruction addresses every time, because this will be of great help for the next pass of analysis.
External monitoring method
• We analyze system changes and monitor the behavior of malicious code in the process of its execution.
• System changes include changes of processes, documents, the registry, network communication, etc.
• The core of dynamic analysis is HOOK technology. In fact, we detect and analyze the function of the malicious code samples by using HOOK technology to monitor the state of system calls and API functions throughout the process of execution.
Commonly used HOOK technologies
• Import Address Table HOOK (IAT HOOK)
• System Service Description Table HOOK (SSDT HOOK)
• Interrupt Descriptor Table HOOK (IDT HOOK)
• Driver input and output request packet processing HOOK (IRP HOOK)
• Inline HOOK
Dynamic monitoring program
• A dynamic monitoring program is built on hooked API
functions. When the malicious code calls a hooked API,
we record the function's parameters and return value
and track the code's behavior from them.
• According to the level at which the hook is placed in the
operating system, monitoring programs are divided into
user-mode and kernel-mode programs.
– User mode. Easy to implement and safe to run, but it can only
see API calls made in user mode; a sample that issues system
calls directly, or that finds and removes the hooks, escapes it.
– Kernel mode. Uses lower-level monitoring technology for better
coverage, but the programming is complex, portability across
system versions is poor, and the stability requirements are
higher, since a bug in kernel mode can crash the whole system.
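As an added example, not code from the slides: a minimal user-mode inline hook with a logging detour, written in C for x86-64 Linux. The hooked function open_file, the detour open_file_hook and the call log are assumed stand-ins for a real Windows API such as CreateFile and its monitor; the mechanism is the one an inline-hook monitor uses on either platform: make the code page writable, save the first 5 bytes of the target, overwrite them with a relative jmp to the detour, and in the detour record the parameters and return value of every call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PATCH_LEN 5   /* one E9 rel32 (relative jmp) instruction */

/* One intercepted call, as a monitoring program would record it. */
struct call_record { char path[96]; int mode; int result; } g_log[16];
int g_log_count = 0, g_hooked = 0;
static unsigned char g_saved[PATCH_LEN];   /* displaced prologue bytes */

/* Hypothetical stand-in for a monitored API such as CreateFile; kept out
 * of line so the patch lands on a real function prologue. */
__attribute__((noinline)) int open_file(const char *path, int mode)
{
    return (int)strlen(path) * 100 + mode;   /* deterministic fake handle */
}

/* Calls go through a volatile pointer so the compiler cannot fold them
 * away and accidentally bypass the patched prologue. */
int (*volatile g_open_file)(const char *, int) = open_file;
static int open_file_hook(const char *path, int mode);

/* Make the pages covering [addr, addr+len) writable, or read/exec again. */
static int protect_range(void *addr, size_t len, int prot)
{
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end   = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, prot);
}

int install_hook(void)
{
    unsigned char *target = (unsigned char *)(uintptr_t)open_file;
    if (g_hooked) return 0;
    if (protect_range(target, PATCH_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(g_saved, target, PATCH_LEN);
    /* rel32 is measured from the end of the 5-byte jmp */
    int32_t rel = (int32_t)((intptr_t)open_file_hook - ((intptr_t)target + PATCH_LEN));
    target[0] = 0xE9;
    memcpy(target + 1, &rel, sizeof rel);
    protect_range(target, PATCH_LEN, PROT_READ | PROT_EXEC);
    g_hooked = 1;
    return 0;
}

int remove_hook(void)
{
    unsigned char *target = (unsigned char *)(uintptr_t)open_file;
    if (!g_hooked) return 0;
    if (protect_range(target, PATCH_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(target, g_saved, PATCH_LEN);
    protect_range(target, PATCH_LEN, PROT_READ | PROT_EXEC);
    g_hooked = 0;
    return 0;
}

/* Detour: receives the original parameters, unhooks to call the real
 * function (the simplest alternative to a trampoline), records parameters
 * and return value, then re-arms the hook. */
static int open_file_hook(const char *path, int mode)
{
    remove_hook();
    int result = open_file(path, mode);
    install_hook();
    if (g_log_count < (int)(sizeof g_log / sizeof g_log[0])) {
        struct call_record *r = &g_log[g_log_count++];
        snprintf(r->path, sizeof r->path, "%s", path);
        r->mode = mode;
        r->result = result;
    }
    return result;
}

/* Drives the "sample" the way a sandbox would and returns how many calls
 * the hook logged; the call made after remove_hook() must not appear. */
int run_monitored_session(void)
{
    g_log_count = 0;
    if (install_hook() != 0) return -1;
    g_open_file("C:\\Windows\\System32\\drivers\\etc\\hosts", 2);
    g_open_file("C:\\Users\\victim\\Desktop\\notes.txt", 1);
    remove_hook();
    g_open_file("not-logged.txt", 0);
    return g_log_count;
}

int main(void)
{
    int n = run_monitored_session();
    for (int i = 0; i < n; i++)
        printf("open_file(\"%s\", %d) -> %d\n", g_log[i].path, g_log[i].mode, g_log[i].result);
    return n == 2 ? 0 : 1;
}
```

Compile with a C compiler on x86-64 Linux and run: the two calls made while the hook is armed are logged with their path, mode and fake handle, the third is not. Unhooking around each pass-through call keeps the example short, but it leaves a window in which another thread's call goes unrecorded; a production monitor instead copies the displaced prologue instructions into a trampoline that jumps back past the patch, so the hook stays armed permanently.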
The contents of the monitoring include:
• Process
• Files
• The registry
• Startup
• Network communication
Process monitoring
• To carry out invasion, propagation and attack, malicious
code needs to create a new process or hijack the
privileges of a legitimate system process. Even slight
changes to processes can be important reference
information for analysis.
• Process monitoring focuses on process creation and
termination, loading of dynamic link libraries, and thread
creation and termination. It is implemented by hooking
the following functions: CreateProcess,
TerminateProcess, LoadLibrary, CreateThread,
CreateRemoteThread.
File monitoring
• Generally speaking, malicious code accesses the file
system in the course of propagation and damage.
– It may read and write files, modify system programs and
applications, add new files, or even embed its own code in
other files.
• File monitoring focuses on creation, read/write
operations and removal of files. It is implemented by
hooking the following functions: CreateFile, WriteFile,
DeleteFile, OpenFile.
• On systems whose files carry digital signatures, we can
also monitor by verifying the signatures.
– The recorded information includes the names of system files,
their storage paths, creation dates, version numbers and so on.
By comparing a file against its original signature we can tell
whether the system file has been changed.
The registry monitoring
• The Windows registry is a hierarchical database. It
contains the configuration of the OS and of most applications.
• Malicious code generally has to change registry keys,
that is, change the configuration of the Windows
operating system, so as to alter the system's behavior
and achieve its purpose.
• Registry monitoring focuses on creation, modification
and removal of registry keys and values. It is implemented
by hooking the following functions: RegCreateKey,
RegDeleteKey, RegSetValue, RegDeleteValue.
Startup monitoring
• Malicious code uses autostart techniques to run
automatically the next time the system boots.
• There are many kinds of start methods, such as
registry start positions (e.g. Run keys), file start
positions (startup folders), attaching to other
applications (IE plug-ins), and new methods keep
appearing.
Network communication monitoring
• Malicious code has evolved from single-host infection
with a single behavior to propagation over the network
and e-mail, combining hacker attack techniques with
virus techniques.
• So our analysis should pay attention to the network
behavior of malicious code: which TCP and UDP ports are
listening on the monitored system, and when running
applications send or receive data through those ports.
• Network communication monitoring focuses on opening
of ports, creation of sockets, connection to remote
hosts, and sending and receiving of data. It needs to hook
the following functions: socket, bind, connect,
send/sendto, recv/recvfrom. On Windows the Winsock
variants (WSASocket, WSAConnect, WSASend, WSARecv)
should be hooked as well, otherwise a sample can sidestep
the monitor by calling them instead.
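As an added example covering the process, file, registry, startup and network monitoring slides above (not code from the slides): a small C program that takes the kind of trace a hooked-API monitor produces and turns it into per-category counts and behavior findings. The trace g_trace is constructed for this example, the struct event layout and the finding names are assumptions, and the API names are the ones the slides list for each category.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum category { CAT_PROCESS, CAT_FILE, CAT_REGISTRY, CAT_STARTUP, CAT_NETWORK,
                CAT_OTHER, CAT_COUNT };

/* Behavior findings, returned by analyze() as a bitmask. */
#define F_RUNKEY_PERSIST   0x1u   /* value written under ...\CurrentVersion\Run */
#define F_REMOTE_THREAD    0x2u   /* CreateRemoteThread into another process */
#define F_OUTBOUND_CONNECT 0x4u   /* connect() to a non-loopback address */
#define F_DROPPED_EXE      0x8u   /* WriteFile to a path ending in .exe */

/* One hooked call: calling pid, API name, and the argument the monitor kept. */
struct event { int pid; const char *api; const char *arg; };

/* Constructed trace of one sample (pid 4312); not real malware output. */
static const struct event g_trace[] = {
    { 4312, "CreateFile",         "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe" },
    { 4312, "WriteFile",          "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe" },
    { 4312, "RegSetValue",        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" },
    { 4312, "socket",             "AF_INET,SOCK_STREAM" },
    { 4312, "connect",            "203.0.113.7:443" },
    { 4312, "send",               "len=212" },
    { 4312, "CreateRemoteThread", "pid=1240" },
    { 4312, "DeleteFile",         "C:\\Users\\victim\\Downloads\\invoice.exe" },
};
#define TRACE_LEN (sizeof g_trace / sizeof g_trace[0])

static int in_list(const char *api, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(api, *list) == 0) return 1;
    return 0;
}

/* Registry paths are case-insensitive, so match them that way. */
static int contains_nocase(const char *s, const char *needle)
{
    size_t n = strlen(needle);
    for (; *s; s++)
        if (strncasecmp(s, needle, n) == 0) return 1;
    return 0;
}

static int ends_with_nocase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lf = strlen(suffix);
    return ls >= lf && strcasecmp(s + ls - lf, suffix) == 0;
}

/* Maps a hooked call to the monitoring category of the slides. A registry
 * write under a Run key counts as startup activity rather than plain
 * registry activity. */
enum category classify(const struct event *e)
{
    static const char *const proc[] = { "CreateProcess", "TerminateProcess", "LoadLibrary",
                                        "CreateThread", "CreateRemoteThread", NULL };
    static const char *const file[] = { "CreateFile", "WriteFile", "DeleteFile", "OpenFile", NULL };
    static const char *const reg[]  = { "RegCreateKey", "RegDeleteKey", "RegSetValue",
                                        "RegDeleteValue", NULL };
    static const char *const net[]  = { "socket", "bind", "connect", "send", "sendto",
                                        "recv", "recvfrom", NULL };
    if (in_list(e->api, proc)) return CAT_PROCESS;
    if (in_list(e->api, file)) return CAT_FILE;
    if (in_list(e->api, reg))
        return contains_nocase(e->arg, "\\CurrentVersion\\Run") ? CAT_STARTUP : CAT_REGISTRY;
    if (in_list(e->api, net))  return CAT_NETWORK;
    return CAT_OTHER;
}

/* Walks the trace, tallies calls per category and derives the findings. */
unsigned analyze(const struct event *ev, size_t n, int counts[CAT_COUNT])
{
    unsigned findings = 0;
    memset(counts, 0, sizeof(int) * CAT_COUNT);
    for (size_t i = 0; i < n; i++) {
        enum category c = classify(&ev[i]);
        counts[c]++;
        if (c == CAT_STARTUP && strcmp(ev[i].api, "RegSetValue") == 0)
            findings |= F_RUNKEY_PERSIST;
        if (strcmp(ev[i].api, "CreateRemoteThread") == 0) {
            int target = 0;   /* a thread in a foreign process is injection */
            if (sscanf(ev[i].arg, "pid=%d", &target) == 1 && target != ev[i].pid)
                findings |= F_REMOTE_THREAD;
        }
        if (strcmp(ev[i].api, "connect") == 0 && strncmp(ev[i].arg, "127.", 4) != 0)
            findings |= F_OUTBOUND_CONNECT;
        if (strcmp(ev[i].api, "WriteFile") == 0 && ends_with_nocase(ev[i].arg, ".exe"))
            findings |= F_DROPPED_EXE;
    }
    return findings;
}

unsigned sample_findings(void)
{
    int counts[CAT_COUNT];
    return analyze(g_trace, TRACE_LEN, counts);
}

int sample_count(enum category c)
{
    int counts[CAT_COUNT];
    analyze(g_trace, TRACE_LEN, counts);
    return counts[c];
}

int main(void)
{
    static const char *const names[CAT_COUNT] =
        { "process", "file", "registry", "startup", "network", "other" };
    int counts[CAT_COUNT];
    unsigned f = analyze(g_trace, TRACE_LEN, counts);
    for (int i = 0; i < CAT_COUNT; i++)
        printf("%-9s calls: %d\n", names[i], counts[i]);
    printf("findings: 0x%x (persist=%u inject=%u netout=%u dropexe=%u)\n", f,
           !!(f & F_RUNKEY_PERSIST), !!(f & F_REMOTE_THREAD),
           !!(f & F_OUTBOUND_CONNECT), !!(f & F_DROPPED_EXE));
    return 0;
}
```

For the constructed trace all four findings fire: the sample drops an executable, registers it under a Run key, injects a thread into pid 1240 and connects out to 203.0.113.7. The rules are deliberately simple string checks; a real monitor would also resolve the dropped-file path against the Run value and correlate the socket with the send so that the exfiltrated volume can be reported with the connection.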
In conclusion
• In this chapter we introduced malicious code in
computer networks from two aspects: the types of
malicious code, and malicious code detection and
analysis.
• Malicious code refers to viruses, worms, malicious
mobile code, backdoors, Trojans and rootkits. Their
infection and propagation have their own
characteristics, and their purposes and properties
also differ. Only with a deep understanding of them
can we lay a solid foundation for analysis and
detection.
In conclusion
• Malicious code analysis needs to be conducted in the
light of the features of the malicious code. Analysis
technologies include static analysis and dynamic analysis.
• Static analysis does not execute the malicious code,
so it cannot damage the analysis system, but it has
limitations (packing, polymorphism). Dynamic analysis
monitors the malicious code as it runs; it is divided into
the dynamic tracing method and the external monitoring
method. Malicious code analysis is the foundation of
malicious code detection and prevention.