Reverse Engineering
Paul deGrandis

Applications
• Software Maintenance
• Source Code and Documentation Engineering
• Virus Analysis

Malware
• Virus
  • Needs a vector for propagation
• Worm
  • No vector needed
  • Can spread by network shares, email, security holes

Malware
• Trojan Horse
  • Performs unstated and undesirable functions
• Spyware, adware, logic bombs, backdoors, rootkits

Anti-Virus
• Integrity Checking
• Static AV Scanners
• Dynamic AV Scanners

Anti-Virus
• Integrity Checking
  • Checksum comparison
• Static AV Scanners
  • Program properties (registry, system calls)
  • Malware byte sequence extraction

Anti-Virus
• Dynamic AV Scanners
  • Intercepting system calls
  • Analyzing audit trails
  • Operation patterns

Procedures For Analysis
• Restrict Access
• Save only disassembled files
• Rename extensions, which prevents an accidental double-click
• Password protect dangerous files and ZIPs
• NEVER SEND MALWARE

Tools
• VMware
  • Isolate and restore snapshots
• BinText
  • Extracts strings from binary files (code)
  • IRC commands, SMTP, registry keys

Tools
• IDA Pro
  • Disassembles executables into assembly

Tools
• UPX Decompression
  • Executable packer
  • To unpack: upx.exe -d -o dest.exe source.exe

Tools
• SysInternals.com
  • FileMon - monitors file access
  • RegMon - monitors registry access

Tools
• RegShot
  • Records modifications to the registry, but not reads

Tools
• ProcDump
  • Dumps a process's code from memory
  • Useful in detecting and analyzing polymorphic viruses

Tools
• OllyDbg
  • Attaches to a process
  • Can actively manipulate memory and registers during operation
  • Swiss Army Knife

Tools
• Network Activity
  • TCPView - displays open network ports
  • TDIMon - monitors network activity
  • Ethereal/Wireshark - packet sniffer
  • Snort - IDS / packet sniffer
  • netcat - network Swiss Army Knife

Tools
• SysInternals.com
  • TCPView - TCP and UDP endpoints and processes
  • TDIMon - logs all network activity, but not packet contents

Tools
• Wireshark (formerly Ethereal)
  • Captures and displays all packet contents
  • One of your best friends

Tools
• Netcat - reads and writes across data connections using TCP/IP
  • Great for probing, listening, debugging, or exploring unknown network behavior
  • The other one of your best friends

The Assignment
• Beagle.J (and its cousin Beagle.K)
• Static analysis (BinText, IDA)
• Dynamic Analysis
  • Host Side (Registry, process, files)
  • Networking (Ports, connections, traffic)
• Propagation, Backdoors
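The static-analysis step the BinText slide describes (pull printable strings out of a binary and look for IRC commands, SMTP verbs and registry keys) can be reproduced in a few lines; the following is an added example, not part of the slides, and the byte blob it scans is a constructed stand-in for a sample, not a real Beagle binary. It extracts both ASCII and UTF-16LE strings, as BinText does for Windows executables, and buckets them by the three indicator types the slide names.

```python
import re
from typing import Dict, List

# Constructed stand-in for a malware sample: ASCII and UTF-16LE strings
# mixed with junk bytes. Not taken from any real binary.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"                      # "MZ" + junk
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"  # registry
    + b"\x01\x02\x03"
    + b"EHLO mail.example.test\r\n\x00"                      # SMTP verb
    + "NICK bot1234".encode("utf-16-le") + b"\x00\x00"        # wide IRC cmd
    + b"\xff\xfe"
    + b"ab\x00"                                              # too short
    + b"JOIN #channel\x00"                                   # IRC command
)

MIN_LEN = 4  # shortest run of printable characters worth reporting

# Indicator classes from the BinText slide; patterns are assumptions chosen
# for this example, not a complete signature set.
CATEGORIES = {
    "registry": re.compile(r"^(HKEY_|SOFTWARE\\|SYSTEM\\)", re.I),
    "smtp": re.compile(r"^(EHLO|HELO|MAIL FROM|RCPT TO|DATA)\b", re.I),
    "irc": re.compile(r"^(NICK|JOIN|PRIVMSG|USER)\b"),
}

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII strings, then UTF-16LE strings, of >= min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text is a printable byte followed by a NUL, repeated
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found

def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings by indicator class; unmatched strings go under 'other'."""
    buckets: Dict[str, List[str]] = {name: [] for name in CATEGORIES}
    buckets["other"] = []
    for s in strings:
        for name, pattern in CATEGORIES.items():
            if pattern.search(s):
                buckets[name].append(s)
                break
        else:
            buckets["other"].append(s)
    return buckets

if __name__ == "__main__":
    for category, items in classify(extract_strings(SAMPLE_BINARY)).items():
        print(f"{category}: {items}")
```

Run against a real sample the output is only a triage aid: packed binaries (the UPX slide) show almost no strings until unpacked, and a string such as a Run key names a persistence location to confirm with RegShot during dynamic analysis, not proof of behaviour.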