Malware Appendix

The material in this page is out of scope (not discussed in the course) but may be interesting.

Evasion

• Evading Anti Virus Focused on metasploit and msfvenom, but very interesting and relatively easy to understand.
• Avoiding Detection with Shellcode Mutator A tool that mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.
• Killer: A Tool Created To Evade AVs And EDRs Or Security Tools
• List of techniques for bypassing AV and EDR, with a nice graphic.
• Let's create an EDR and bypass it.
• Meterpreter vs Modern EDR(s) describes experiments for injecting payloads with Meterpreter while bypassing EDR (Endpoint Detection and Response: the modern term for indicating an "Antivirus"). Section "Meterpreter Reference Dropper" contains an example of usage of msfvenom.

Notes on Malware

Windows Executables

Windows executables are called PE files and their format conforms to PE/COFF (Portable Executables / Common Object File Format).

They start with bytes 4D 5A and consist of a series of structures containing the information required by the O.S. for loading the executable data in memory, including:

• Content of code and data section;
• Position in virtual memory where each section should be placed;
• List of required libraries (Import table);
• List of exported functions (Export table);
• Address of entry point.

Several tools exist for analyzing an executable, i.e., for translating the PE information in human-readable way:

• CFFExplorer, pestudio, PPEE, PE Internals, PEBrowse.

Static Analysis

File hashing

Computing hash values of files:

• Linux md5sum, sha256sum, sha1sum
• Windows HashMyFiles
• Windows pestudio, PPEE also query VirusTotal by uploading only the hash.

File similarity

Methods for detecting files that are a "small variation" of each other (they will have entirely different hashes):

• Fuzzy hashing is an efficient method for similarity comparison (files that differ only for a few bytes will be detected as highly similar). Tool: ssdeep.
• Import hashing computes hashes based on the import tables. Malware samples developed by the same actor and compiled in the same way tend to have similar import tables. Tool: python pefile.
• Section hashing computes hashes of each section separately. Tool: pestudio.

Extracting strings from executables

Strings stored in an executable can give clues about its functionality. If a malware creates a file (contacts a domain) then the filename (domain name) is likely stored in the executable.

It is useful to extract both ASCII strings and UNICODE strings.

• Linux strings
• Windows pestudio

Obfuscated strings can be extracted with FLOSS (FireEye Labs Obfuscated String Solver).

Malware Obfuscation

Obfuscation of an executable is not necessarily an indicator of malicious activity. In practice it is a very useful indicator, though.

Hints of obfuscation:

• Executable with very few imports.
• Uncommon section names.
• Sections with virtual-size much greater than raw-size.

Main techniques:

• Packer. The executable consists of an uncompressing routine (entry point) and of a compressed malware. The malware is reconstructed in memory at runtime.

  • UPX is a popular packer for Windows/Linux/MacOS.
  • ExeinfoPE is a packer detector for Windows, often able to unpack automatically. It uses thousands of signatures.
  • Cryptor. Like packing, except that the malware is encrypted.

Dynamic analysis

Monitoring of:

• Process activity
• File system
• Registry
• Network

Tools: Process Hacker, Process Monitor, Noriben (Python script that filters output of Process Monitor), Wireshark.

INetSim, FakeNet-NG emulate services for attempting to impersonate C&C servers.

• Process Hacker Examine what is going on (processes and other o.s. activity)