Thursday, January 26, 2017

Malware Reverse Engineering tools and techniques

I just found a virus sample. But I do not know
  • what it is
  • where the virus came from
  • how the system was infected
  • what the virus does
  • what type of damage it did to the system
so I decided to analyze it by using malware analysis/reverse engineering tools and techniques.
There are two types of analysis:
  1. Static analysis = analyze the malware based on its binary/code and understand its functionality
  2. Behavioral analysis = analyze the malware based on its behavior when it runs.
If you do not understand anything while reading, that is natural :D.
Just follow all the steps one by one and finally you will realize what you did.

Let's start with behavioral analysis. :D

Step 1 = Download the OS

  • I used a Windows 7 machine to plant the virus and analyze it.
  • I used a REMnux Linux virtual machine for the network side (fake DNS resolution, Wireshark analysis and similar things).
Step 2 = Setting up the Windows 7 OS



1. First of all, switch off the firewall. :P

[Screenshot: firewall disabled]
2. Then configure the VM network as a host-only network, so the sample can only reach the analysis machines and not the real network.

3. Windows 7 network configuration
[Screenshot: Windows 7 network configuration]

4. Download and install some tools by Google searching; I will describe them as I use them (names and icons are on the screenshot).



5. Additionally, download strings2.exe and upx.exe and copy them to the C:\Windows\System32 directory (just Google for the latest version).

6. Take a snapshot of the configured environment (optional).



Step 3 = Setting up the REMnux OS

 1. Set the REMnux IP address (in this lab REMnux is 172.16.124.10 and the Windows 7 machine is 172.16.124.150).




2. Ping from REMnux to the Windows 7 machine (using the terminal, with the command below):
ping 172.16.124.150

Ping from Windows 7 to REMnux (using the Windows 7 cmd):

ping 172.16.124.10


3. Start Wireshark on the REMnux OS.

4. If you think the virus will communicate over the web or IRC, or will need DNS resolution, it is better to start these services on REMnux (fakedns answers every lookup with the REMnux address, so the sample's web and IRC traffic ends up at the local httpd and ircd where you can watch it). The commands are:
 ircd start
 httpd start
 fakedns

 (If you cannot even guess, don't worry :) I will explain how to guess later.)
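To make the fakedns step concrete, here is an added example of what such a fake resolver does (my own code, not the original post's and not the REMnux fakedns tool itself): it parses the DNS query the sample sends, logs the host name asked for, and answers every A query with the analysis machine's address so the follow-on web or IRC traffic lands on the lab's own services. LAB_IP is the REMnux address from the post and is an assumption for your lab; the query name used for the check is constructed.

```python
"""Added example, not the original post's code and not REMnux's fakedns: a
minimal fake DNS responder.  Every A/IN question gets one A record pointing
at LAB_IP; other types get an empty NOERROR reply.  Wire format per RFC 1035."""
import socket
import struct

LAB_IP = "172.16.124.10"   # REMnux address from the post (assumption for your lab)
QTYPE_A = 1
QCLASS_IN = 1


def _read_name(data, offset):
    """Decode a length-prefixed label sequence at offset -> (name, next offset).
    Compression pointers do not occur in a query's question, so they are rejected."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(data):
    """Return (transaction id, qname, qtype, offset just past the question)."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000:
        raise ValueError("not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = _read_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, qname, qtype, off + 4


def build_response(query, answer_ip=LAB_IP, ttl=60):
    """Answer `query`: A/IN questions get one A record with answer_ip."""
    txid, _qname, qtype, qend = parse_query(query)
    question = query[12:qend]
    answers, ancount = b"", 0
    if qtype == QTYPE_A:
        answers = (b"\xc0\x0c"                      # pointer to the name at offset 12
                   + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                   + socket.inet_aton(answer_ip))
        ancount = 1
    # flags 0x8180: response, recursion desired + available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    return header + question + answers


def build_query(txid, name, qtype=QTYPE_A):
    """Encode the standard recursive query a client (here, the sample) would send."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + struct.pack("!HH", qtype, QCLASS_IN))


def answered_ip(response):
    """Read the A record out of a response built above, or None if there is none."""
    _txid, _flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if ancount == 0:
        return None
    _name, off = _read_name(response, 12)
    off += 4                                      # skip qtype, qclass
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off + 2:off + 12])
    return socket.inet_ntoa(response[off + 12:off + 12 + rdlen])


def serve(bind_ip="0.0.0.0", port=53):
    """Run as the lab's only resolver: log every name asked for, answer with LAB_IP.
    Binding port 53 needs root; point the Windows VM's DNS setting at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, qname, qtype, _ = parse_query(data)
        except ValueError as exc:
            print(f"{peer[0]}: unparsable packet ({exc})")
            continue
        print(f"{peer[0]} asked for {qname} (type {qtype}) -> {LAB_IP}")
        sock.sendto(build_response(data), peer)


if __name__ == "__main__":
    serve()
```

The logged names are the first thing to write down: they tell you which hosts the sample wanted to reach, and because every answer points back at REMnux, the connection attempts that follow show up in Wireshark and in the httpd and ircd logs instead of leaving the lab.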