Tuesday, May 22, 2012

Basic Information Gathering of Analysis on Malware (Part 1)
--------------------------------------------------------------------
Malware (spyware, rootkits, worms, trojans, viruses etc.) is malicious software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

The first thing most people do when a system is infected is scan it with some antivirus and anti-malware software. This tutorial shows how to analyse the malware itself and bring out its functionality. The first thing we do here is information gathering; it is the basic part to start with, and from there you go on to more advanced analysis depending on the complexity of the malware.

We have two types of analysis, static and dynamic.
Static: analyzing the code or structure of the program without running it.
Dynamic: actually running the program to see what it does.

Note:
-----
This tutorial does not cover the advanced part of analyzing malware or disassembly. If my study goes on to the advanced things, they will be posted here first... :)

note 2:
-------
First go through the PE (Portable Executable) file format and structure. Basically a PE file contains the information the Windows OS loader needs.
For analysis we need to concentrate on the PE file header, which includes information about the code, the type of application, the required library functions and the space requirements. Also know about DLLs and their functions (imported and exported functions).

Basic info Gathering of Static Analysis:
----------------------------------------

Now let's take a malware sample...

or create a test trojan yourself.

A malware sample is uniquely identified by a hash. The malicious file is run through a hashing program, which produces a hash that identifies that sample.

To fingerprint it we use a tool called md5deep (there are other tools too).

usage: md5deep 123.exe (123.exe being the malware file name).



In the above screenshot you see the hash; this hash can be used to search online to see if the sample has already been identified.

Now here comes a problem: you don't know whether the malware is packed or not, and when it is packed it becomes difficult to analyse or detect.
It is normally packed with some kind of wrapper program. To identify which packer this malware has been packed with we use a tool called...

PEiD



From this we can see it is packed with the UPX packer.

To unpack it there's a program called upx (you can get it from sourceforge.net).
To unpack, the usage is:  upx -d filename.exe


Now it has been unpacked.

The next step is to see what kind of linked functions (loaded DLLs) it is using.

We have a tool called Dependency Walker. Now load the file in it (see below).


1.) Here in the right pane you can observe the DLLs the executable imports.
2.) The imported functions.
3.) When malware imports a function by ordinal, you can find which function is being imported by looking at the ordinal value.
4.) Additional information about the DLLs that would be loaded if you ran the program.

A common trojan or keylogger will have interesting DLLs and functions like:

Kernel32.dll       User32.dll           (and also GDI32.dll, Shell32.dll, Advapi32.dll etc.)
-------------      -----------
(functions)        SetWindowsHookExW
CreateFileW        RegisterClassExW
FindFirstFileW     RegisterHotKey
FindNextFileW      SetWindowTextW
etc ...            etc ...

- Kernel32.dll tells us the software can create and manipulate processes. Here the FindFirstFile and FindNextFile functions above are interesting, as they let it search through directories.

- User32.dll has functions like SetWindowsHookEx, which is commonly used in spyware and keyloggers.
- GDI32.dll is for graphics, so the program probably has a GUI.
- Shell32.dll can launch other programs.
- Advapi32.dll is used for the registry.


As we said, take a look at the PE headers.

We have sections in a PE file like:
.text (contains executable code), .rdata (holds read-only data), .data (global data used throughout the program), .rsrc (resources needed by the executable),
.idata (stores import function information; if not present it will be in .rdata), .reloc (information for relocating library files) etc.

We have a tool called PEview (see below).


You can observe the machine info and the time stamp of when it was compiled, which is useful.
We can ignore the DOS_Header and signature.
IMAGE_OPTIONAL_HEADER includes important information and has the Subsystem field, which shows whether it is a console or GUI program.
IMAGE_SECTION_HEADER also contains important info. These entries describe each section in the PE file. Sections are fairly consistent
from one exe to another.



Here one thing you can observe is that in the .data section the
virtual size is much larger than the raw data size (you can ignore a small difference).
This alone will not tell you it is suspicious; it is likely unpacked.
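The checks above, from the md5deep hash through the PEiD packer check to the Dependency Walker import list and the PEview section sizes, can all be reproduced with a few lines of Python over the raw file bytes. The following is an added example, not code from the original post or from any of those tools. It builds two constructed PE32 files in memory (one with a UPX-style section layout, one plain console program; the timestamp, import names and ordinal 300 are made up) and then parses them, so it runs offline. A real sample is read the same way: `parse_pe(open(path, "rb").read())`.

```python
# Added example, not code from the original post: a pure-Python PE32 inspector that
# repeats on constructed sample files what the post does by hand with md5deep, PEiD,
# Dependency Walker and PEview: hash, machine/timestamp/subsystem, sections (virtual
# vs raw size), packer section names and the import table (incl. import by ordinal).
import hashlib
import struct

PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite"}   # well-known packer section names


def fingerprint(data):                      # what md5deep prints, plus sha256 for online lookups
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def _cstr(data, off):                       # NUL-terminated ASCII string at a file offset
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> sections -> imports."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsec, stamp = struct.unpack_from("<HHI", data, pe + 4)
    opt = pe + 24                                                       # IMAGE_OPTIONAL_HEADER32 (PE32 only here)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]             # 2 = GUI, 3 = console
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]           # DataDirectory[1] = import table
    first = opt + struct.unpack_from("<H", data, pe + 20)[0]            # section table follows the optional header
    sections = []
    for s in range(first, first + 40 * nsec, 40):                       # IMAGE_SECTION_HEADER is 40 bytes
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append(dict(name=data[s:s + 8].rstrip(b"\0").decode("ascii", "replace"),
                             vsize=vsize, vaddr=vaddr, rawsize=rawsize, rawptr=rawptr))

    def off(rva):                                                       # RVA -> file offset via section table
        s = next(s for s in sections if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]))
        return s["rawptr"] + rva - s["vaddr"]

    imports, d = [], off(import_rva) if import_rva else None
    while d is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)  # IMAGE_IMPORT_DESCRIPTOR
        if not name_rva and not ft:
            break                                                       # all-zero terminator entry
        dll, t = _cstr(data, off(name_rva)), off(oft or ft)
        entry = struct.unpack_from("<I", data, t)[0]
        while entry:                     # high bit set = import by ordinal, else RVA of 2-byte hint + name
            imports.append((dll, "#%d" % (entry & 0xFFFF) if entry & 0x80000000
                            else _cstr(data, off(entry) + 2)))
            t += 4
            entry = struct.unpack_from("<I", data, t)[0]
        d += 20
    return dict(machine=machine, timestamp=stamp, subsystem={2: "GUI", 3: "console"}.get(subsystem, subsystem),
                sections=sections, imports=imports)


def packing_indicators(info):               # packer names, virtual size far above raw size, tiny import table
    hits = ["section name %s" % s["name"] for s in info["sections"] if s["name"] in PACKER_SECTIONS]
    hits += ["%s: virtual 0x%x >> raw 0x%x" % (s["name"], s["vsize"], s["rawsize"])
             for s in info["sections"] if s["vsize"] >= 0x1000 and s["vsize"] > 2 * s["rawsize"]]
    if len(info["imports"]) < 4:
        hits.append("only %d imports" % len(info["imports"]))
    return hits


def build_imports(base_rva, dlls):          # descriptors, DLL names, hint/name entries, thunks (constructed)
    blob = bytearray(20 * (len(dlls) + 1))                              # descriptors + zero terminator

    def add(b):                                                         # append 4-byte aligned, return its RVA
        rva = base_rva + len(blob)
        blob.extend(b + b"\0" * (-len(b) % 4))
        return rva
    for i, (dll, funcs) in enumerate(dlls):
        name_rva = add(dll.encode() + b"\0")
        thunks = [0x80000000 | f if isinstance(f, int) else add(b"\0\0" + f.encode() + b"\0") for f in funcs]
        thunk_rva = add(struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0))
        struct.pack_into("<IIIII", blob, 20 * i, thunk_rva, 0, 0, name_rva, thunk_rva)
    return bytes(blob)


def build_pe(sections, subsystem, import_rva=0):   # minimal PE32: 0x200 bytes of headers + raw section data
    hdr, opt, raw_ptr, body = bytearray(0x200), 0x58, 0x200, b""
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                       # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(sections), 0x4FBB0000, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, opt, 0x10B)                                       # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)                         # section / file alignment
    struct.pack_into("<H", hdr, opt + 68, subsystem)
    struct.pack_into("<I", hdr, opt + 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, import_rva, 0x200 if import_rva else 0)
    for i, (name, vsize, vaddr, data) in enumerate(sections):
        raw = data + b"\0" * (-len(data) % 0x200)                                 # pad to file alignment
        s = opt + 0xE0 + 40 * i
        hdr[s:s + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, s + 8, vsize, vaddr, len(raw), raw_ptr if raw else 0)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    return bytes(hdr) + body


# Constructed samples (timestamp, names and ordinal 300 are made up): one laid out like a
# UPX-packed file, one plain console program importing the functions the post calls interesting.
PACKED = build_pe([("UPX0", 0x10000, 0x1000, b""), ("UPX1", 0x400, 0x11000, build_imports(
    0x11000, [("kernel32.dll", ["LoadLibraryA", "GetProcAddress"])]))], subsystem=2, import_rva=0x11000)
PLAIN = build_pe([(".text", 0x150, 0x1000, b"\xC3" * 0x150), (".idata", 0x200, 0x2000, build_imports(
    0x2000, [("kernel32.dll", ["FindFirstFileW", "FindNextFileW", "CreateFileW"]),
             ("user32.dll", ["SetWindowsHookExW", "RegisterHotKey", 300])]))], subsystem=3, import_rva=0x2000)
```

Calling `parse_pe(PACKED)` and `packing_indicators(parse_pe(PACKED))` gives the packer section names, the UPX0 section whose virtual size dwarfs its raw size (the unpacking stub fills that gap at run time), and the two-function import list; the plain sample gives the console subsystem, the six imports including `#300` for the ordinal import, and no indicators. The heuristics are the same signals a person reads off PEiD and PEview, and none of them alone is proof, which is the caveat the post makes about the .data section.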

{{ Continued with basic info gathering of dynamic analysis, soon }}




Wednesday, May 16, 2012

Disable Directory Listing

You see directory listing on many websites:

Ex:  www.demo.com/

By traversing directories, for example trying www.demo.com/images/,
there is a possibility that an attacker looks for hidden directories, with the possibility
of finding web config files too.

To disable this:

In Apache:
---------------
Go to the file called httpd.conf

and search for:


 Options Indexes FollowSymLinks 


Now just add a '-' before Indexes, like:

Options -Indexes FollowSymLinks 
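A server usually has more than one Options line, so it is worth checking all of them rather than the one you happen to find. The following is an added example, not part of the original post: a small Python audit over an httpd.conf text that reports every Options directive with Indexes switched on and rewrites it with -Indexes first. The config fragment is constructed for the demo, not taken from a real server.

```python
# Added example, not part of the original post: find Options lines that enable directory
# listing in an httpd.conf text and rewrite them so Indexes is explicitly disabled.
import re

# Constructed httpd.conf fragment for the demo (not a real server's configuration)
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/images">
    Options +Indexes
</Directory>
<Directory "/var/www/secure">
    Options -Indexes FollowSymLinks
</Directory>
"""

OPTIONS_RE = re.compile(r"^(\s*)Options\s+(.+?)\s*$", re.IGNORECASE)


def listing_enabled(tokens):
    """True if this Options list switches Indexes on. ('Options All' also implies Indexes;
    it is not rewritten here and should be reviewed by hand.)"""
    return any(t.lower() in ("indexes", "+indexes") for t in tokens)


def harden_options(tokens):
    """Drop any Indexes token, put -Indexes first and keep the other options.
    The remaining options get a '+' so the line uses only relative options: Apache 2.4 rejects a
    line that mixes +/- options with bare ones (2.2 accepts the mixed form used in the post)."""
    kept = [t for t in tokens if t.lower().lstrip("+-") != "indexes"]
    return ["-Indexes"] + [t if t[0] in "+-" else "+" + t for t in kept]


def audit_and_fix(conf):
    """Return (rewritten config text, 1-based line numbers that had listing enabled)."""
    out, offending = [], []
    for n, line in enumerate(conf.splitlines(), 1):
        m = OPTIONS_RE.match(line)
        if m and listing_enabled(m.group(2).split()):
            offending.append(n)
            line = m.group(1) + "Options " + " ".join(harden_options(m.group(2).split()))
        out.append(line)
    return "\n".join(out) + "\n", offending


if __name__ == "__main__":
    fixed, lines = audit_and_fix(SAMPLE_CONF)
    print("directory listing enabled on line(s):", lines)
    print(fixed)
```

On the sample this reports lines 2 and 6 and leaves the already hardened /var/www/secure block alone. The rewrite emits `Options -Indexes +FollowSymLinks` rather than the post's `Options -Indexes FollowSymLinks`: both disable listing, but only the all-relative form passes the Apache 2.4 syntax check. Run it against a copy of the real httpd.conf, review the diff, and restart Apache after applying it.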



In IIS 7:
----------
Open IIS Manager and navigate to the level (server, site or directory) you want to manage.
Then in "Features View", double-click "Directory Browsing".

In the "Actions" pane, click Disable if directory browsing is enabled.
