ICT3202 Malware Analysis and Defense
Module Overview
Dr Peter Loh
SIT Restricted
Instructor        Lectures   Contact
Peter Loh         1 to 6     Peter.Loh@SingaporeTech.edu.sg
Tram Truong Huu   7 to 12    TruongHuu.Tram@singaporetech.edu.sg
Mid-Trimester Revision   6   05/10/23   05/10/23
Deliverable 1 – Advanced Static Analysis

Deliverables (for each: document and submit analyses and results):
• Basic Static Analysis
• Advanced Static Analysis
• Basic Dynamic Analysis
• Advanced Static and Dynamic Analyses
• There are many scanners – many are (very) good, others much less so
• Do we know which ones are good?
• VirusTotal – subsidiary of Google, free online service that analyses files and URLs
• VirusTotal runs multiple anti-virus and website scanners
VirusTotal – Malware Analysis
• https://www.virustotal.com/gui/
Free Malware Samples – 1/2
• https://zeltser.com/malware-sample-sources/
Free Malware Samples – 2/2
• http://www.tekdefense.com/downloads/malware-samples/
The Malware Zoo
• Daily discovery rate of new malware samples is on the order of hundreds of thousands
• Manage and keep pace with analysis demand (identify, categorize and store)
• Viruses
• Worms
• Trojans
• Rootkits
• Adware / Scareware
• Malicious Scripts
• Blended Threats
• Advanced Malware
• Fileless Malware
Viruses
• A malicious piece of code that spreads itself from file to file
[Figure: DOS boot sequence – Boot Record, DOS partition, MSDOS.SYS loaded]
• Non-persistent attack payloads
https://www.youtube.com/watch?v=Ug5C9KoTR8g
File / Program Virus
• Overwriting target: the original program (.EXE, .COM, .BIN, .DRV and .SYS)
• Examples: Cascade (1989), Sality (2003), Sality variant with rootkit (2010), Ransomware (2012 -> )
• Cryptolocker Ransomware (2013 - 2014)
[Figure: clean file = Header + Original Program File; infected file = Header + Virus code + Original Program File]
https://www.youtube.com/watch?v=Gz2kmmsMpMI
Companion Virus – File / Program virus variant
[Figure: when told to execute "filename", DOS runs Filename.com first and Filename.exe second (2)]
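The companion technique relies on the search order the diagram shows: a bare "filename" resolves to Filename.com before Filename.exe, so a dropped .COM beside a legitimate .EXE runs first. A defender can look for exactly that indicator. The following scanner is an added example, not code from the module or the lecturer; the directory layout, file names and size threshold are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

COMPANION_EXTS = (".com", ".exe")


def find_companion_pairs(root):
    """Return sorted (com_path, exe_path) pairs that share a stem in one directory.

    Stems are compared case-insensitively, matching DOS file-name resolution.
    """
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in COMPANION_EXTS:
                by_stem.setdefault(stem.lower(), {})[ext] = os.path.join(dirpath, name)
        for found in by_stem.values():
            if ".com" in found and ".exe" in found:
                pairs.append((found[".com"], found[".exe"]))
    return sorted(pairs)


def suspicious_pairs(root, max_com_ratio=0.1):
    """Keep pairs whose .com is tiny relative to its .exe, the shape of a companion loader stub.

    The 0.1 ratio is an assumed heuristic, not a value from the lecture.
    """
    out = []
    for com, exe in find_companion_pairs(root):
        exe_size = os.path.getsize(exe)
        if exe_size and os.path.getsize(com) / exe_size <= max_com_ratio:
            out.append((com, exe))
    return out


def build_sample_tree(base=None):
    """Constructed fixture: one .exe shadowed by a small same-stem .com, plus one lone .exe."""
    base = base or tempfile.mkdtemp()
    d = Path(base) / "bin"
    d.mkdir(parents=True, exist_ok=True)
    (d / "Editor.exe").write_bytes(b"MZ" + b"\x00" * 4000)  # constructed, not a real binary
    (d / "EDITOR.COM").write_bytes(b"\xe9" + b"\x00" * 60)   # constructed companion stub
    (d / "Tool.exe").write_bytes(b"MZ" + b"\x00" * 2000)     # no companion, should not be flagged
    return base


if __name__ == "__main__":
    for com, exe in suspicious_pairs(build_sample_tree()):
        print(f"companion candidate: {com} shadows {exe}")
```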
Worms
• A malicious piece of code that spreads itself (self-replicating) from computer to computer by exploiting vulnerabilities
  ➢ e-mail attachments
  ➢ LAN or Internet
https://www.youtube.com/watch?v=94NkaQGbTa4
EternalRocks in Action – VirusTotal
• EternalRocks does not contain the kill switch that was used to block WannaCry
Trojans
• “Trojan Horse” – malware disguised as innocent software (need not be
• Examples:
  ➢ BlackEnergy APT (2015) - http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/
  ➢ Silence APT (Sept 2017) - https://securityboulevard.com/2017/11/trojan-silence-uses-stealth-attack-banks/
BlackEnergy Trojan Sample Analysis
https://www.virustotal.com/en/file/bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444/analysis/
Silence connecting to Command & Control
https://securelist.com/the-silence/83009/
zwShell RAT
• Packed with ASprotect 2.x SKE; unpack files with 7z [password is NoNh]
• When launched, it presents a fake crash error:
(complete) control of a PC
• Distributed attacks: zombie network
• Backdoor: secret direct access point – usually by APTs and
Rootkits
• Rootkits
  ➢ An application (or set of applications) that hides its presence or
Spicy Hot Pot puts malicious filter drivers in the “WindowsApps” folder. Rename the folder to see them.
Filter drivers prevent removal of registry keys, services or the kernel drivers themselves.
https://www.youtube.com/watch?v=goyiuyA-Ckw
Flame Rootkit Infection Vectors
Flame Rootkit – VirusTotal
Umbreon Rootkit
• Cross-platform – Intel x86, x86-64, ARM (Raspberry Pi)
• Creates a valid Linux user account used as a backdoor
• Backdoor account via SSH is invisible – libc functions hooked by the rootkit
• If seq no, ack no, and IP values are matched, reverse shell connects to attacker
Umbreon Rootkit – VirusTotal