Uncovering the Tactics of Cyber Attackers: A Guide to Analyzing Malware for Incident Responders
Introduction
Cybersecurity incident handling is a crucial part of keeping an organization's information systems safe and secure. One of the critical tasks an incident handler must perform is analyzing malware discovered on the network, which requires a good understanding of the tactics attackers use to create and spread malicious code. In this article we explore a few techniques for analyzing such malware, using a reverse-engineering challenge as the worked example.
Reverse Engineering
Reverse engineering is the process of analyzing a piece of software (or hardware) without its source, so that its functionality, behavior and information flow can be understood. To start, incident responders disassemble the suspicious files detected on the network and look through the subroutines for calls that reveal what the code can do: file, registry, process-creation and network API calls are the usual signs of malicious capability. Attackers know this and often build malware to frustrate the analysis, for example by packing the executable, checking for an attached debugger or obfuscating the code. Incident handlers must therefore also recognise such anti-reverse-engineering measures in the disassembly. A debugger such as OllyDbg helps with both tasks: it shows the disassembled instructions and lets the analyst step through them while watching registers and memory.
Obfuscation
Attackers continually evolve their tactics and use new techniques to create malware that is harder to detect and analyze. One common tactic is obfuscation, which transforms the code (and often the strings and constants it uses) so that it keeps its functionality while becoming unintelligible to a reader; this makes it much harder to determine what the malware does. Attackers also sign malware with stolen or fraudulently obtained code-signing certificates so that it looks like legitimate vendor software, which can trick an incident handler into assuming the code is harmless. A valid signature only says who signed the file, not that the file is benign.
Incident responders must be aware of these tactics and use the right tools and techniques to analyze malware effectively. This means dynamic analysis tools, which execute the sample in a controlled, isolated environment and record its behavior (files written, registry changes, processes started, network connections), as well as static analysis tools, which examine the code without executing it. Neither view is complete on its own: obfuscated code hides from static analysis, and a sample that detects a sandbox hides from dynamic analysis. By combining the results of both, incident handlers get a more comprehensive understanding of the malware's behavior and capabilities.
OllyDbg
OllyDbg is a free assembler-level debugger for 32-bit Microsoft Windows executables: it disassembles the program and lets you run it under control, with breakpoints and live register and memory views. (For 64-bit targets the same workflow applies in x64dbg.) I will demonstrate how we can use this tool to disassemble a file, using HackTheBox's "Find the Easy Pass" challenge. In this challenge we have to find the password that the program accepts. The zip containing the .exe is available on the HackTheBox website.
When we try to open the EasyPass.exe file, it prompts us for a password, which we don't have.
Instead, let's use OllyDbg to open and analyze the file.
The main window in the top left is the CPU window, which contains the disassembly together with the byte code of each instruction. Next to it, in the top right corner, is the Registers window, which shows the general-purpose registers and the individual EFLAGS bits (the zero flag that a conditional jump tests lives here). In the bottom left is the memory dump window, which shows the raw contents of memory at a chosen address, as bytes and as ASCII. Finally, in the bottom right, is the Stack window, which shows the current stack during the debugging session.
Now that we have the file open in OllyDbg, we can search for the text strings the code references, which gives us clues about how it is structured. Often the strings alone tell us what operations the program performs. If the binary is packed or its strings have been obfuscated, this search turns up little, which is itself a hint that more work (unpacking, or running the sample and looking at the decoded strings in memory) is needed.
How to search for "All referenced text strings":
1) Right click in the window
2) Hover over "Search for"
3) Select "All referenced text strings"
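The two ideas above (a referenced-strings search as the static pass, and obfuscation that hides strings from it until the program decodes them at run time) in working code, as an added example that is not from this page or from HackTheBox: a constructed 63-byte "image" holds one plaintext string and one string hidden with single-byte XOR (an assumed scheme, chosen because it is the simplest real one). The strings pass finds only the plaintext; the brute-force XOR pass recovers the hidden string, which is what you would otherwise obtain by breaking on the decode routine and reading the result out of the memory dump window.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STR 16
#define STR_LEN 64

/* Constructed sample "binary image", not bytes from EasyPass.exe: code-like
 * filler, one plaintext string, more filler, then a second string that has
 * been XOR-obfuscated with the single byte KEY (an assumed scheme), the way
 * a loader stub would decode it at run time. */
static const unsigned char KEY = 0xA7;
static const char HIDDEN[] = "Good job, Congratulations";
static const unsigned char FILLER[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xE8, 0x00, 0x00, 0x00, 0x00};
static unsigned char image[128];

/* Assemble the image into `image`; returns its length (63 bytes). */
size_t build_image(void)
{
    size_t n = 0;
    memcpy(image + n, FILLER, sizeof FILLER);      n += sizeof FILLER;
    memcpy(image + n, "Wrong Password", 15);       n += 15;            /* NUL included */
    memcpy(image + n, FILLER, sizeof FILLER);      n += sizeof FILLER;
    for (size_t i = 0; i < sizeof HIDDEN; i++)                         /* NUL encodes to KEY */
        image[n + i] = (unsigned char)HIDDEN[i] ^ KEY;
    return n + sizeof HIDDEN;
}

/* Static pass, what "All referenced text strings" or `strings` does: collect
 * runs of at least min_len printable ASCII bytes. Returns the number found. */
int extract_strings(const unsigned char *buf, size_t len, size_t min_len, char out[][STR_LEN])
{
    int count = 0;
    size_t run = 0;
    for (size_t i = 0; i <= len; i++) {
        if (count < MAX_STR && i < len && buf[i] >= 0x20 && buf[i] < 0x7F && run < STR_LEN - 1) {
            out[count][run++] = (char)buf[i];      /* build the candidate in the next slot */
            continue;
        }
        if (run >= min_len) out[count++][run] = '\0';   /* long enough: keep it */
        run = 0;
    }
    return count;
}

/* Recovery pass for single-byte XOR: try every key at every offset and keep
 * the longest run of printable ASCII that ends in a decoded NUL. Returns the
 * run length (0 if none) and reports key, offset and the decoded text. */
size_t find_xor_string(const unsigned char *buf, size_t len, size_t min_len,
                       unsigned char *key_out, size_t *off_out, char *out, size_t out_cap)
{
    size_t best = 0;
    for (unsigned key = 1; key < 256; key++) {     /* key 0 is plaintext, handled above */
        for (size_t off = 0; off < len; off++) {
            size_t n = 0;
            int terminated = 0;
            while (off + n < len) {
                unsigned char c = buf[off + n] ^ (unsigned char)key;
                if (c == 0) { terminated = 1; break; }
                if (c < 0x20 || c >= 0x7F) break;
                n++;
            }
            if (!terminated || n < min_len || n <= best || n >= out_cap) continue;
            best = n; *key_out = (unsigned char)key; *off_out = off;
            for (size_t i = 0; i < n; i++) out[i] = (char)(buf[off + i] ^ key);
            out[n] = '\0';
        }
    }
    return best;
}

/* Run both passes over the image and keep the results for inspection. */
static char g_plain[MAX_STR][STR_LEN], g_hidden[STR_LEN];
static unsigned char g_key;
static size_t g_off;

int analyze(void)
{
    size_t len = build_image();
    find_xor_string(image, len, 8, &g_key, &g_off, g_hidden, sizeof g_hidden);
    return extract_strings(image, len, 4, g_plain);
}
const char *plain_string(int i) { return g_plain[i]; }
int hidden_key(void)            { return g_key; }
size_t hidden_offset(void)      { return g_off; }
const char *hidden_string(void) { return g_hidden; }

int main(void)
{
    int n = analyze();
    for (int i = 0; i < n; i++) printf("static pass : \"%s\"\n", plain_string(i));
    printf("xor recovery: key 0x%02X at offset %zu -> \"%s\"\n", hidden_key(), hidden_offset(), hidden_string());
    return 0;
}
```

Compile with `cc -o strdemo strdemo.c` and run: the static pass prints only "Wrong Password", while the recovery pass prints key 0xA7 at offset 37 and the congratulation string. Against a real sample, the equivalent of the recovery pass is either a script like this over the file (for simple schemes) or a breakpoint on the decode routine, with the decoded text read from the memory dump window.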
Immediately we can see two very interesting strings: "Good job, Congratulations" and "Wrong Password".
By double clicking on the "Wrong Password" string, we can see more details about what is happening in this part of the code.
Right above the ASCII "Good job, Congratulations" string we see a JNZ instruction. JNZ (jump if not zero) is a conditional jump, which means some decision is made at this point. Clicking on the JNZ shows that its target is 00454144, the block that references ASCII "Wrong Password". So the program first checks the password inside the routine invoked by CALL EasyPass, which leaves the result in the zero flag; the JNZ then jumps to the "Wrong Password" message when the flag is not set (the comparison did not match) and falls through to the congratulation when it is. If we select the CALL EasyPass instruction and press Enter, OllyDbg follows the call into the subroutine, which compares two values with CMP EAX,EDX. EAX and EDX hold the two strings being compared (OllyDbg shows the text they point to): one is our password entry and the other is the password hard-coded in the program.
We can set a breakpoint on that CALL to see what it is doing: right-click "CALL EasyPass", hover over "Breakpoint" and select "Toggle".
Now, let's run the .exe by clicking the play button at the top. The code prompts us for a password.
We can enter anything and click Check Password.
When the breakpoint hits, the Registers window shows EAX holding our password entry and EDX holding the string "fortran!".
If we run the .exe again and enter "fortran!" as the password, it is accepted and we get the "Good job, Congratulations" message. The check fell this easily because the expected password is stored in plaintext and compared directly, so anyone with a debugger can read it out of a register at the compare.
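To show why the breakpoint worked, here is the comparison pattern in C, as an added example that is not the challenge's own source (EasyPass.exe is a compiled Windows program whose source the page does not show): the plaintext compare found above, next to a version that stores only a digest of the secret. The digest function (FNV-1a) and its precomputed constant are my choices for a dependency-free illustration, not anything from the challenge.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Pattern the walkthrough uncovered: the accepted password is a literal in
 * the binary and is compared directly. "fortran!" is the challenge's value;
 * this source is an added illustration, not the code of EasyPass.exe. */
static const char SECRET[] = "fortran!";

int check_plaintext(const char *input)
{
    /* Compiles to roughly: CALL <compare> ; TEST EAX,EAX ; JNZ wrong. At the
     * CALL one register holds input and another SECRET, which is exactly
     * what the breakpoint and the Registers window exposed. */
    return strcmp(input, SECRET) == 0;
}

/* Alternative: ship only a digest of the secret. FNV-1a keeps the example
 * free of dependencies; it is a checksum, not a password hash, and a real
 * program would use a slow, salted KDF. The structural point is the same:
 * the literal "fortran!" no longer exists in the binary, so neither the
 * referenced-strings search nor the register view at the compare reveals it. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;                 /* FNV offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;                       /* FNV prime, wraps mod 2^32 */
    }
    return h;
}

/* fnv1a32("fortran!"), computed offline and pasted, so the plaintext never ships. */
static const uint32_t SECRET_DIGEST = 0x89E2C8D4u;

int check_digest(const char *input)
{
    /* Still CMP + JNZ underneath: a debugger sees the input, the constant and
     * the branch, and can flip the zero flag or patch JNZ to JZ. It just cannot
     * read the original password out of a register any more. */
    return fnv1a32(input) == SECRET_DIGEST;
}

int main(void)
{
    const char *tries[] = {"password", "fortran", "fortran!"};
    for (size_t i = 0; i < 3; i++)
        printf("%-9s plaintext check=%d  digest check=%d\n",
               tries[i], check_plaintext(tries[i]), check_digest(tries[i]));
    printf("plaintext pattern leaves \"%s\" in the binary; digest pattern leaves only 0x%08X\n",
           SECRET, SECRET_DIGEST);
    return 0;
}
```

Compile both patterns, load each in the debugger and repeat the steps above: with the first you can read the password from a register at the compare; with the second you get only the constant and the user's input, and the only shortcut left is to bypass the branch rather than learn the secret.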
Summary
Analyzing malware is a complex and challenging task, but it is essential for incident handlers to be able to do it effectively. By understanding the tactics used by attackers and using the right tools and techniques, incident responders can help protect their organizations from the devastating effects of a cyber attack. As cyber threats continue to evolve, incident handlers must stay up to date with the latest techniques and tools to ensure that they are prepared to handle any type of malware that they may encounter.