Basic Tools
- what is the AV industry (200+ companies?) doing about malware?
- strengths and weaknesses of AV signatures
- look at Symantec and McAfee lab sites. There are lots of similar sites from organizations that do malware research.
- Including us! The Malware Research Group meets on Fridays, 4-5pm, in ITE 366. (That's the DREAM lab. Will Virus Scan for Food.)
- The blogosphere is one way to keep up with this field...see the resources page.
- I keep track of several blogs in the cyber area, looking for posts relevant to this course or the malware analysis research group's activities.
- The first few sessions of the course focus on static (as opposed to dynamic) analysis
- A lot of static analysis tools use the PE Header
- In case we missed this, discuss Table 1-4 in PMA, Sections of a PE File
- The Portable Executable file format is described in detail at this Wikipedia article, which refers to this spec from Microsoft, this PE poster, and this article which describes the smallest possible PE file.
- The PE header tells us several things (section names and sizes, imports, compile timestamp), and together with the output of the strings command it gives a first indication of whether the file has been packed or obfuscated: very few readable strings, a tiny import table, or sections with unusual names are all warning signs. Strings is one of several utilities bundled in the Sysinternals suite.
- Examples of malware analyses, for various platforms.
- You should by now have the class Flare virtual machine running. If so then you are ready to move files around using shared folders.
- When are Shared Folders a good idea? or a bad idea?
- File hashes: MD5, SHA-1, the SHA-2 family, and more are available using QuickHash. (The textbook mentions several older hashing utilities.) MD5 and SHA-1 are still fine as lookup keys for known samples, but both have practical collision attacks, so use SHA-256 when the hash has to prove that a file is unmodified.
- Using QuickHash itself, check the hash value for the 64-bit QuickHash.exe, which should be 89F13F0D67DD2250849541D330C4E14F4CBBCDAB. Note that this value is 40 hex digits (160 bits), so it is a SHA-1 digest, not an MD5, which would be 32 hex digits (128 bits).
- Entropy is an important concept in CS and information theory. For a binary it is measured in bits per byte (0 to 8): a section whose entropy is close to 8 holds compressed or encrypted data, which in an executable usually means it is packed.
- What can we see in a binary? Demonstrate the strings command from a UNIX shell.
- Windows 10 now comes with the Windows Subsystem for Linux (Ubuntu is one of the available distributions), so the UNIX shell tools are available on the Windows box as well.
- In general, the CMSC program at UMBC does not stress coding in the Windows environment.
- If you want to learn Windows internals, Russinovich's books have no equal.
- But you'll need to write some C code to understand the Windows API!
- I have used CodeBlocks with some success, and in fact CodeBlocks installs MINGW automatically, I think.
- The PMA book describes PEiD, which is no longer maintained
- Detect It Easy (or DIE) seems to be a good alternative to PEiD
- In fact, DIE seems to know more about PEiD than does PEiD itself :-)
- Another malware course mentions PEBrowsePro
- but you need to turn on the .NET Framework features in Windows to run the 64-bit version. The combined 32/64-bit version seems to run just fine
- There are other PE utilities available, some of which are mentioned in PMA.
- Using PEBrowsePro or similar tools, we can examine QuickHash.exe as if it were possibly malicious (which it is not) and see what the PE header tells us.
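Added example, not from the course notes, the PMA book, or any of the tools named above: a small Python triage script that does, with the standard library only, what the bullets on hashes, the PE header, strings, and entropy describe. It reports the file digests (and their lengths, which is how you tell an MD5 from a SHA-1), walks the DOS header to the section table (the sections of Table 1-4), computes Shannon entropy per section, applies a few packing heuristics, and pulls printable strings the way the strings command does. The input is a constructed, non-loadable PE image built in build_sample_pe(); it is not a real binary and not QuickHash.exe, and its section names, sizes, and flags were chosen for the demo. The packing thresholds (entropy above 7.0, virtual size more than 4x raw size) are assumptions that work as triage leads, not proof.

```python
"""Static triage of a PE file with the standard library only (added example)."""
import hashlib
import math
import random
import re
import struct


def digests(data: bytes) -> dict:
    """Hex digests as a hash tool would report them. The length identifies the
    algorithm: 32 hex digits = MD5, 40 = SHA-1, 64 = SHA-256."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform). Compressed or encrypted
    payloads sit near 8, which is why packed sections stand out."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """What `strings` prints by default: runs of printable ASCII >= min_len."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(pe: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, _va, rsize, raddr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raddr:raddr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": shannon_entropy(raw),
            "executable": bool(flags & 0x20000000),   # IMAGE_SCN_MEM_EXECUTE
            "writable": bool(flags & 0x80000000),     # IMAGE_SCN_MEM_WRITE
        })
    return {"machine": machine, "timestamp": tstamp, "sections": sections}


def packing_indicators(info: dict) -> list:
    """Cheap static hints that a file is packed; each is a lead, not proof.
    Thresholds (7.0 bits/byte, 4x size ratio) are assumptions for this demo."""
    hits = []
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted data)")
        if s["virtual_size"] > 4 * max(s["raw_size"], 1):
            hits.append(f"{s['name']}: virtual size {s['virtual_size']:#x} far exceeds raw size "
                        f"{s['raw_size']:#x} (filled in at run time)")
        if s["executable"] and s["writable"]:
            hits.append(f"{s['name']}: writable and executable (code written at run time)")
    return hits


def build_sample_pe() -> bytes:
    """Constructed, non-loadable PE image for the demo (assumption: not a real
    binary): a plain .text section and a 'UPX1' section of pseudo-random bytes."""
    opt_size = 0xF0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, opt_size, 0x0022)
    optional = struct.pack("<H", 0x20B) + bytes(opt_size - 2)    # PE32+ magic, rest zeroed
    text_raw = (b"Hello from .text\0kernel32.dll\0GetProcAddress\0LoadLibraryA\0" * 8).ljust(0x200, b"\0")
    rng = random.Random(42)                                       # deterministic "packed" bytes
    upx_raw = bytes(rng.getrandbits(8) for _ in range(0x400))

    def section(name, vsize, vaddr, rsize, raddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raddr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + optional
               + section(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)    # CODE|EXEC|READ
               + section(b"UPX1", 0x8000, 0x2000, 0x400, 0x400, 0xE0000040))   # IDATA|EXEC|READ|WRITE
    return headers.ljust(0x200, b"\0") + text_raw + upx_raw


if __name__ == "__main__":
    sample = build_sample_pe()
    print(digests(sample))
    info = parse_pe(sample)
    for s in info["sections"]:
        print(f"{s['name']:8} vsize={s['virtual_size']:#7x} rsize={s['raw_size']:#7x} "
              f"entropy={s['entropy']:.2f}")
    print("\n".join(packing_indicators(info)) or "no packing indicators")
    print(ascii_strings(sample)[:6])
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(); the strings output on the random UPX1 section also shows why a packed file yields mostly junk strings, and why the real names only appear after unpacking.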