
Malware Analysis and Defence

ICT3202
Dr Peter Loh

Module Overview

Instructor        Lectures   Contact
Peter Loh         1 to 6     Peter.Loh@SingaporeTech.edu.sg
Tram Truong Huu   7 to 12    TruongHuu.Tram@singaporetech.edu.sg

Module Overview – Topic Schedule 1/2

Week  Lecture (Thu am)  Lab (Thu pm)  Topic
1     31/08/23          -             Module Introduction
2     07/09/23          07/09/23      Basic Static Analysis
3     14/09/23          14/09/23      Advanced Static Analysis – Understanding Reverse Engineered Malware 1
4     21/09/23          21/09/23      Advanced Static Analysis – Understanding Reverse Engineered Malware 2; Quiz 1 – Basic Static Analysis
5     28/09/23          28/09/23      Dynamic Analysis – Basic and Advanced
6     05/10/23          05/10/23      Mid-Trimester Revision; Deliverable 1 – Advanced Static Analysis
7     09/10/23 – 13/10/23             Trimester Break

Module Overview – Topic Schedule 2/2

Week  Lecture (Thu am)  Lab (Thu pm)  Topic
8     19/10/23          19/10/23      Windows APIs
9     26/10/23          26/10/23      Malware Process Injection and Hooking; Quiz 2 – Basic Dynamic Analysis
10    02/11/23          02/11/23      Self-Defending (Evasive) Malware
11    09/11/23          09/11/23      Countering Malware Defenses; Deliverable 2 – Advanced Static and Dynamic Analyses
12    16/11/23          16/11/23      Virtualization Technology
13    23/11/23          23/11/23      End-Trimester Revision
Module Assessment

Component  Weight  Scope                                 Deliverable                          Duration       Mode
Quiz 1     10%     Basic Static Analysis                 Doc and submit analyses and results  1 lab session  Individual
D1         20%     Advanced Static Analysis              Doc and submit analyses and results  2 weeks        Team
Quiz 2     20%     Basic Dynamic Analysis                Doc and submit analyses and results  1 lab session  Individual
D2         20%     Advanced Static and Dynamic Analyses  Doc and submit analyses and results  2 weeks        Team
Exam       30%     Closed book, 4 questions              -                                    2 hours        Individual

Quiz 1, Quiz 2: absentees taking the quiz in the following week face a progressively larger quiz scope; at most 2 consecutive MCs are accepted, after which 0 is awarded.
D1, D2: FORM YOUR OWN TEAMS (SEE XSITE).
This is NOT an assembly language programming course.
What are Your Learning Objectives?
• To distinguish among different malware types and behaviors
• To apply a suitable approach to reverse engineer an executable or dynamic link library
• To select and apply suitable techniques and tools for static malware analysis
• To select and apply suitable techniques and tools for dynamic malware analysis
• To distinguish among different defense techniques employed by self-defending malware
• To select suitable disabling/prevention techniques and tools to counter specified malware defenses
• To extract investigative evidence to support identification of a malware infection/attack
• Expected to recall assembly language programming studied in ICT1003
• Supplementary Intel x86 assembly language material on LMS (xSiTe)

What is Malware?

• Malware is an abbreviation for Malicious Software
• A program that executes with harmful results that may not be immediately obvious
• Modern malware can defend itself against a variety of security measures (e.g. evade traditional Anti-Virus tools and analysis sandboxes)

WannaCry vs Lazarus APT

• WannaCry (2017) shares code with Lazarus APT tooling (2015)
• Modern malware is unlikely to be an ideal (entirely novel) zero-day: its complexity and purpose push authors to reuse existing components, so code overlaps with earlier families are common
Trojan.Alphanc vs Backdoor.Duuzer
• Common strings between Trojan.Alphanc and Backdoor.Duuzer
• Trojan.Alphanc (2017) is a modified version of Backdoor.Duuzer (2015)
• Common strings show common executables as components
How Do We Begin?
• A modern, complex malware (customized zero-day) is a sum of its parts – not all parts are zero-days
• Is your traditional Anti-Virus Scanner useless?
• There are many scanners – many are (very) good, others not so
• Do we know which ones are good?
• VirusTotal – subsidiary of Google, free online service that analyses files and URLs
• VirusTotal runs multiple anti-virus and website scanners

VirusTotal – Malware Analysis

• https://www.virustotal.com/gui/
Free Malware Samples – 1/2
• https://zeltser.com/malware-sample-sources/

Free Malware Samples – 2/2
• http://www.tekdefense.com/downloads/malware-samples/
The Malware Zoo
• Daily discovery rate of new malware samples is in the order of hundreds of thousands
• Need to manage and keep pace with analysis demand (identify, categorize and store)
• Analysis automation and efficient, secure information organization are needed
• A malware zoo combines these requirements into a unified solution
• Private zoo - https://www.sec.in.tum.de/i20/research/malware-zoo
• Public zoo - https://github.com/ytisf/theZoo (needs analysis engine)
• Public analysis automation - https://github.com/rieck/malheur
• Sharing of information and resources is, however, necessary
Types of Malware
• Viruses
• Worms
• Trojans
• Rootkits
• Adware / Scareware
• Malicious Scripts
• Blended Threats
• Advanced Malware
• Fileless Malware
Viruses
• A malicious piece of code that spreads itself from file to file
• Needs a host file
• Requires user interaction
  ➢ Eg. opening a file, invoking an executable, system boot
• Different types of viruses
  ➢ Boot sector viruses
  ➢ Macro viruses
  ➢ File / Program viruses
Boot Sector Virus Execution
Normal boot: Load Master Boot Record -> Boot active (DOS) partition -> Load IO.SYS, MSDOS.SYS -> DOS loaded

Infection: Boot virus loads into memory -> Virus learns location of the original DOS partition -> Move DOS to new location -> Write itself to DOS partition location

Infected boot: Load Master Boot Record -> Boot virus runs -> Virus goes memory resident -> Runs original DOS boot and loads DOS

• Examples: Stoned (1988), Michelangelo (1992), Parity Boot.A (1998)
[Figure: Symantec/Norton AVS detection]
• More recent: DarkSeoul (2013), Rombertik (2015), Petya (2016)
Boot Sector Virus Example (Petya) – 1/2
• 2nd sector before and after being overwritten
• Try examining the Petya sample with VirusTotal

Boot Sector Virus Example – 2/2
• AVP.exe – Kaspersky's Anti-Virus process (the sample is NotPetya, a Petya variation that is also a worm)
• If AVP is found, function corrupt_mbr writes bytes from uninitialized memory to the first 10 disk sectors, which renders the disk unbootable
• If AVP is not found, overwrite_mbr_func is where the malware attempts to overwrite the MBR with its own code
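
A check for the MBR overwrite described above, added here as an example and not part of the course material: it parses a 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), compares the bootstrap code hash with a trusted baseline, and flags a missing signature or a table without exactly one active partition, which is what a sector of uninitialized-memory junk from corrupt_mbr looks like. All MBRs in the block are constructed; read_first_sector shows how the same check runs against a real device (the device paths named there are assumptions that vary by OS and need admin rights).

```python
import hashlib
import struct

SECTOR = 512
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"

def build_mbr(bootcode: bytes, partitions: list, signature: bytes = BOOT_SIG) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of bootstrap code, four 16-byte partition
    entries given as (status, type, lba_start, sectors) with CHS fields zeroed, and the signature."""
    if len(bootcode) > 446 or len(partitions) > 4:
        raise ValueError("bootcode or partition table too large")
    table = b"".join(struct.pack(PART_FMT, st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in partitions)
    return bootcode.ljust(446, b"\0") + table.ljust(64, b"\0") + signature

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its fields; anything other than 512 bytes is rejected."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, sector, 446 + 16 * i)
        if ptype != 0:   # partition type 0 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts, "signature_ok": sector[510:] == BOOT_SIG}

def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> list:
    """Findings for a suspected Petya/NotPetya-style overwrite; an empty list means it matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten, disk will not boot")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from trusted baseline (possible MBR replacement)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings

# Constructed data: a 'known-good' MBR, a replacement with the same table but other code,
# and a sector of junk standing in for corrupt_mbr's uninitialized-memory output.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4" + b"\x90" * 30
ONE_NTFS_PART = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, ONE_NTFS_PART)
BASELINE = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 100, ONE_NTFS_PART)
GARBAGE_SECTOR = bytes(range(256)) * 2

def read_first_sector(device_path: str) -> bytes:
    """Read the live MBR from a raw device such as /dev/sda or \\\\.\\PhysicalDrive0 (assumed paths; needs root/admin)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)

if __name__ == "__main__":
    for name, sec in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("garbage", GARBAGE_SECTOR)]:
        print(name, check_mbr(sec, BASELINE) or "OK")
```

The baseline hash must come from a known-good image of the same machine (bootloaders differ between Windows versions and GRUB builds); comparing against a generic hash would flag every host.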
Macro Virus
• Macro: an executable embedded in a document to automate repetitive tasks (save keystrokes)
• Application-dependent, e.g., Microsoft Word, Excel
• Causes a sequence of actions when the document is opened in the application
• Examples: Melissa (1999), Mimir (1999)
• More recently: Hancitor (2019):
  ➢ Also known as Chanitor, Tordal
  ➢ Executable embedded in Excel spreadsheets or Word documents
• Why do virus writers like macro viruses?
  ➢ Easy to learn
  ➢ Easy to write
  ➢ Popularity of certain software packages eg. MS Office, Excel
How macro virus works in MS Word
• Every Word document is based on a template
• When an existing or new document is opened, the template settings are applied first
• A global template: NORMAL.DOTM

Infected document opened -> Macros loaded into memory -> Auto macro executed -> Macros copy themselves to global template -> New documents infected
Hancitor (Chanitor) Macro Virus Flowchart
[Figure: flowchart; payload stage labelled "Non-persistent attack payloads"]
• Uses phishing emails as an infection method to run the malicious attachment
• Downloads the Pony/Evil Pony fileless malware or Ursnif executables, which then steal data and connect to the C&C server
Hancitor Macro Virus – Macro Code
Macro code checks for the following antivirus solutions (process names):
• PSUAMain - Panda Cloud Antivirus
• n360 - Norton 360
• PccNT - Trend Micro PC-cillin
• uiSeAgnt - Trend Micro Worry-Free Business Security
• mbam - Malwarebytes
• mbamtray - Malwarebytes
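
A triage pass over extracted macro source for the pattern described on these slides (an auto-executing macro that enumerates processes, looks for the AV process names listed, then launches something), added here as an example; it is neither Hancitor's macro nor course code. It expects VBA text already pulled out of the document (olevba from oletools does that step); SAMPLE_VBA and BENIGN_VBA are constructed for the demo, and the AUTO_EXEC, PROCESS_ENUM and EXECUTION keyword lists are this example's choice, not an exhaustive indicator set.

```python
import re
from dataclasses import dataclass, field

# Process names Hancitor's macro looks for (from the slide), without the .exe suffix.
AV_PROCESSES = {
    "PSUAMain": "Panda Cloud Antivirus",
    "n360": "Norton 360",
    "PccNT": "Trend Micro PC-cillin",
    "uiSeAgnt": "Trend Micro Worry-Free Business Security",
    "mbam": "Malwarebytes",
    "mbamtray": "Malwarebytes",
}
# Indicator lists chosen for this example (assumption: a starting set, not complete).
AUTO_EXEC = ["AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open",
             "AutoExec", "AutoClose", "Document_Close"]
PROCESS_ENUM = ["winmgmts", "Win32_Process", "ExecQuery", "tasklist"]
EXECUTION = ["Shell", "WScript.Shell", "CreateObject", "URLDownloadToFile", "Environ"]

@dataclass
class Triage:
    auto_exec: list = field(default_factory=list)
    process_enum: list = field(default_factory=list)
    av_checks: list = field(default_factory=list)
    execution: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Runs on open AND (probes for AV processes OR launches something) is the Hancitor shape.
        if self.auto_exec and (self.av_checks or self.execution):
            return "suspicious"
        return "review" if self.auto_exec or self.av_checks else "clean"

def _hits(text: str, names) -> list:
    """Case-insensitive whole-word matches, so 'mbam' does not fire on 'mbamtray'."""
    found = [n for n in names if re.search(r"\b" + re.escape(n) + r"\b", text, re.IGNORECASE)]
    return sorted(found, key=str.lower)

def triage_vba(source: str) -> Triage:
    """Classify extracted VBA source by the auto-exec / process-enumeration / AV-check / launch indicators."""
    return Triage(
        auto_exec=_hits(source, AUTO_EXEC),
        process_enum=_hits(source, PROCESS_ENUM),
        av_checks=_hits(source, AV_PROCESSES),
        execution=_hits(source, EXECUTION),
    )

# Constructed VBA in the shape described on the slides; not Hancitor's actual macro.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim objWMI, colProcs, p
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colProcs = objWMI.ExecQuery("Select * from Win32_Process")
    For Each p In colProcs
        If LCase(p.Name) = "psuamain.exe" Or LCase(p.Name) = "n360.exe" _
           Or LCase(p.Name) = "mbam.exe" Then Exit Sub
    Next
    Shell Environ("TEMP") & "\update.exe", vbHide
End Sub
'''
BENIGN_VBA = r'''
Sub FormatReport()
    Selection.Font.Bold = True
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
End Sub
'''

if __name__ == "__main__":
    for label, src in [("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)]:
        r = triage_vba(src)
        print(label, r.verdict, r)
```

Keyword matching answers the demo's question ("any indication of AVS checking?") quickly, but obfuscated macros build names with Chr() and string concatenation; for those, dump the strings the macro constructs at runtime (or deobfuscate first) and feed that text to the same function.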
Hancitor Macro Virus Analysis Demo
Any indication of AVS checking?

Mimir Macro Virus – In Action Clip
https://www.youtube.com/watch?v=Ug5C9KoTR8g
File / Program Virus
• Overwriting target: virus code replaces the start of the original program file, and only what is left of the original program follows it
• Appending (pre-pending) to target: header, original program file, then virus code (appending); or header, virus code, then original program file (pre-pending)
• Popular host files infected − .EXE, .COM, .BIN, .DRV and .SYS
• Examples: Cascade (1989), Sality (2003), Sality variant with rootkit (2010), Ransomware (2012 -> )
• Cryptolocker Ransomware (2013 - 2014)

What about inserting itself in the middle of the file/program?


Ransomware Virus Variant – CryptoLocker
https://www.youtube.com/watch?v=Gz2kmmsMpMI
Companion Virus – File / Program virus variant
Assume the user enters the C>chkdsk command; DOS 2 searches for the executable by file type in the order Filename.com -> Filename.exe -> Filename.bat
• Does not need to modify the original files (may be difficult to detect)
• Creates a new file with a legitimate name but a different extension, eg. chkdsk.com
• When the malicious chkdsk.com completes running, it transfers control to chkdsk.exe (the legitimate command) to avoid detection
• Examples: Stator.worm (2001), Win2K/Stream (2005), Pilsen (2006)
Companion Virus – Execution Order
• Previous slide – execution order based on file type order specified
• Execution order can also be based on path search order ($PATH)
• Assume standard (legitimate) gcc exists in /usr/bin
• Where should the attacker place a malicious gcc copy?
Worms
• A malicious piece of code that spreads itself (self-replicating) from computer to computer by exploiting vulnerabilities
  ➢ A worm needs no host file
  ➢ Spreads without user interaction
• Can spread via
  ➢ e-mail attachments
  ➢ LAN or Internet
• Worms search for vulnerable computers and infect them
  ➢ Whole Internet can be infected in less than 20 minutes
• Examples: Morris worm (1988), Blaster worm (2003), Conficker worm (2008), Stuxnet (2010), Server Message Block (SMB) Worm Tool (Dec 2014), EternalRocks (2017 - 2018)
EternalRocks in Action - Clip
https://www.youtube.com/watch?v=94NkaQGbTa4

EternalRocks in Action – VirusTotal
• EternalRocks does not contain the killswitch that was used to block WannaCry
• Sleeps 24 hours to avoid detection / dynamic analysis
State of Worm Technology
• Multi-platform / cross-platform: Windows, Unix, OS X etc.
• Multi-channel: network, browser, email etc.
• Ultrafast spreading: host/port scanning.
• Typically attacks discovered or implanted vulnerabilities, or uses pre-programmed zero-day exploits (eg. EternalBlue and EternalRomance, both SMBv1 exploits).
• Transport vehicles for the payloads (spread attacking tools and bots) – eg. Stuxnet's use of a PLC attack payload, NotPetya's use of Mimikatz, WannaCry's use of the EternalBlue exploit.
• Polymorphic: each copy is protected with a new encryption-decryption technique or key, so the stored bytes differ from copy to copy while the decrypted body stays the same.
• Metamorphic: the code itself is rewritten on each generation, giving different code patterns for the same behavior.
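
A toy model of the polymorphic point, added as an example (not course code and not a real engine): the same body is emitted under a fresh XOR key per generation, so file hashes differ and a byte signature over the stored file never fires, while scanning after emulating the decryptor matches every copy. The payload and keys are constructed; real engines also mutate the decryptor stub, which this model reduces to a plain 4-byte key header.

```python
import hashlib
import os

# Constructed stand-in for a malicious body; SIGNATURE is the substring an AV engine
# would look for in the decrypted code.
PAYLOAD = b"constructed benign stand-in body: polymorphic demo payload"
SIGNATURE = b"polymorphic demo"
KEYS = [b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd", b"\x10\x20\x30\x40"]   # no zero bytes

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_copy(payload: bytes, key: bytes = None) -> bytes:
    """One generation: a fresh 4-byte key followed by the payload encrypted under it.
    A real engine also mutates the decryptor stub; here the 'stub' is just the key header."""
    if key is None:
        key = os.urandom(4)
        while b"\x00" in key:          # a zero key byte would leave every 4th byte in the clear
            key = os.urandom(4)
    if len(key) != 4 or b"\x00" in key:
        raise ValueError("key must be 4 bytes with no zero byte")
    return key + xor_stream(payload, key)

def unpack_copy(blob: bytes) -> bytes:
    """What an emulator or sandbox recovers by running the stub: the original body."""
    return xor_stream(blob[4:], blob[:4])

def generations(payload: bytes, keys) -> list:
    return [make_copy(payload, k) for k in keys]

def static_match(blob: bytes, signature: bytes) -> bool:
    """Plain byte-pattern scan of the file as it sits on disk."""
    return signature in blob

def emulated_match(blob: bytes, signature: bytes) -> bool:
    """Scan after emulating the decryptor: the constant body reappears here."""
    return signature in unpack_copy(blob)

def sha256_set(blobs) -> set:
    return {hashlib.sha256(b).hexdigest() for b in blobs}

if __name__ == "__main__":
    copies = generations(PAYLOAD, KEYS)
    print("distinct file hashes:     ", len(sha256_set(copies)))
    print("static signature hits:    ", sum(static_match(c, SIGNATURE) for c in copies))
    print("post-emulation hits:      ", sum(emulated_match(c, SIGNATURE) for c in copies))
    print("distinct decrypted hashes:", len(sha256_set(unpack_copy(c) for c in copies)))
```

The detection lesson is in the last two lines: hash blocklists and body signatures are defeated by a four-byte change, so the scanner has to run or emulate the decryptor (or sign the stub, which is why real engines mutate that too) and match on what comes out.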
Trojans
• "Trojan Horse" – malware disguised as innocent software (need not be hidden); may need user interaction
• Different hidden malicious functionalities – payload, typically does not spread
• Examples:
  ➢ BlackEnergy APT (2015) - http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/
  ➢ Silence APT (Sept 2017) - https://securityboulevard.com/2017/11/trojan-silence-uses-stealth-attack-banks/
BlackEnergy Trojan Sample Analysis
https://www.virustotal.com/en/file/bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444/analysis/

Silence connecting to Command & Control
https://securelist.com/the-silence/83009/
zwShell RAT
• Packed with ASprotect 2.x SKE; unpack files with 7z [password is NoNh]
• When launched, it presents a fake crash error
• Type "zw.china" into the hidden password field to start the RAT
• Can create a custom trojan or launch a C&C server
  ➢ Select listening port, password for encrypting C&C traffic, custom sound notifications when infected machines connect or disconnect
What a Trojan can do
• Remote Administration Trojan (RAT): attackers can get (complete) control of a PC
• Distributed attacks: zombie network
• Backdoor: secret direct access point – usually by APTs and botnets (typically sets up a link to a C&C server)
• Keyloggers: capture authentication, personal, financial info
• Audio, video capturing: control devices
• Downloader
  ➢ Exists only to download other malicious code
  ➢ Used when attacker first gains access
• Logic bomb: only executed when a specific trigger condition is met
Rootkits
• Rootkits
  ➢ An application (or set of applications) that hides its presence or the presence of another application on the computer
  ➢ Modifies system calls and utilities to avoid detection
  ➢ Main characteristics: stealthiness and persistence
  ➢ Rubilyn (OSX, 2012), Flame (Windows, 2012), Umbreon (Linux, 2016), Spicy Hot Pot (2020)

Spicy Hot Pot puts malicious filter drivers in the "WindowsApps" folder. Rename the folder to see them.
Filter drivers prevent removal of registry keys, services or the kernel drivers themselves.
https://www.youtube.com/watch?v=goyiuyA-Ckw
Flame Rootkit Infection Vectors

Flame Rootkit - VirusTotal

Umbreon Rootkit
• Cross-platform – Intel x86, x86-64, ARM (Raspberry Pi)
• Creates a valid Linux user account used as a backdoor
• The backdoor account and its SSH sessions are invisible – libc functions are hooked by the rootkit
• If the sequence number, acknowledgement number and IP values in a packet match, a reverse shell connects to the attacker
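
A cross-view check for the hidden-account technique above, added as an example (not course or rootkit code): accounts parsed straight from /etc/passwd text are diffed against what the account API reports, and human-range UIDs with an interactive shell and a home outside /home are flagged. PASSWD_TEXT and HOOKED_API_VIEW are constructed. The caveat in live_cross_view matters: Python's file reads also pass through libc, so a hook that filters read() as well defeats it and a statically linked reader or an offline disk image is needed for a true raw view.

```python
try:
    import pwd                      # POSIX only; absent on Windows
except ImportError:                 # pragma: no cover
    pwd = None

# Constructed /etc/passwd content; the 'umbreon' line is the kind of account the rootkit adds.
PASSWD_TEXT = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# comment lines and malformed lines must not crash the parser
alice:x:1000:1000:Alice:/home/alice:/bin/bash
umbreon:x:1001:1001::/var/tmp/.u:/bin/bash
this line is broken
"""
# What the hooked getpwent() hands back (constructed): the backdoor account is filtered out.
HOOKED_API_VIEW = ["root", "daemon", "alice"]

def parse_passwd(text: str) -> dict:
    """name -> (uid, home, shell) taken from the file bytes; skips comments and lines without 7 fields."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, home, shell = fields
        accounts[name] = (int(uid), home, shell)
    return accounts

def hidden_accounts(file_view: dict, api_names) -> list:
    """Cross-view diff: accounts present in the file that the (possibly hooked) API does not report."""
    return sorted(set(file_view) - set(api_names))

def suspicious_accounts(file_view: dict, min_uid: int = 1000) -> list:
    """Heuristic (this example's choice): human-range UID, interactive shell, home outside /home."""
    out = []
    for name, (uid, home, shell) in file_view.items():
        if uid >= min_uid and not shell.endswith(("nologin", "false")) and not home.startswith("/home/"):
            out.append(name)
    return sorted(out)

def live_cross_view(passwd_path: str = "/etc/passwd") -> list:
    """Compare the file with pwd.getpwall() on this host. Both views go through libc, so a hook
    that also filters read() hides the account from both; use a static binary or clean media then."""
    if pwd is None:
        raise RuntimeError("pwd module unavailable on this platform")
    with open(passwd_path, encoding="utf-8", errors="replace") as f:
        file_view = parse_passwd(f.read())
    return hidden_accounts(file_view, [p.pw_name for p in pwd.getpwall()])

if __name__ == "__main__":
    fv = parse_passwd(PASSWD_TEXT)
    print("hidden by API:", hidden_accounts(fv, HOOKED_API_VIEW))
    print("suspicious:   ", suspicious_accounts(fv))
```

The same two-view idea generalises to the other things Umbreon hides: compare `ls` output with a raw directory listing, and /proc entries with a process list obtained from a different code path; a discrepancy between views is the rootkit signal, independent of any signature.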
Umbreon Rootkit - VirusTotal