Bypassing Security Mechanisms
Google Chrome has security mechanisms to protect a user from downloading malicious files, it will prohibit the downloading of any file it deems to be suspicious.. Downloading Password-Protected Zip Files however can bypass these Google Chrome restrictions.
Wannacry Injection Mechanism: The WannaCry ransomware injects its payload directly into the registry, encrypting files system-wide. This is also a method of Security mechanisms bypass, as the registry settings often supersede other conflicting instructions.
Process Analysis Tools
Regshot Unicode
A tool for taking snapshots of the Windows registry before and after executing malware, thereby helping detect changes.
Windows 10 Sandbox
An isolated memory environment that allows secure execution of suspicious applications.
Autoruns (Sysinternals program)
Lists all auto-start programs and their associated registry keys. Also provides direct links to registry locations for easy navigation.
Process Explorer (ProcExp)
Displays all running processes, their respective memory consumption and CPU usage.
Double-clicking a process , navigating to its "image" tab and selecting "Verify" ensures no hidden malware migration (e.g., via Process Hollowing/Migrating of malware into a legitimate program) and checks whether the process is authentic or not. One common and easy method to migrate a process into another one in order to hide it is provided by Metasploit's Meterpreter shell.
TCP/IP Tab: Shows all of the network connections and all of the active services and processes that utilize the network connections.
Also provides each process' imported DLLs, similar to Dependency Walker.
Process Monitor (ProcMon)
Monitors system processes, elaborately describes their activity, registry modifications, the registry values, outcomes and file system activity.
Useful for DLL injection detection.
Indicators of Compromise (IOC) Detection
Identifying Malicious Artifacts
Open IOC (GitHub Project) provides a list of known IOCs for malware detection.
Wireshark captures network traffic to analyze malware communication patterns.
Some malware detects Wireshark activity and (once detected,) ceases execution to evade analysis. With such malware, a solution could be to run wireshark on another computer in the LAN . One could route all of the traffic from and to the infected device through the device running wireshark.
Bypassing Network Analysis Restrictions
The following guide shows how to analyze malware which requires internet connectivity (meaning that it avoids running without an active internet connection) . This is done without risking external exposure (ie. without the malware actually reaching out to the external network).
The following example assumes that the infected machine has a windows OS and that the investigaive machine has a Kali Linux OS. Both need to be on the same isolated local network with no access to the external network.
On both machines you'd need to configure the settings of their network adapters in order to isolate them to a seperate LAN (with a distinct subnet and ip addresses range.) A false default gateway and a false DNS server address need to be configured on the infected machine and point to the investigative machine.
An isolated network differs from a LAN (virtual or otherwise), in that it does not include a DG, but rather simply provides a network for devices to connect to, without being able to reach out to other networks from it.
An isolated Network segment means that you are configuring a device to be included in a normal LAN, but to be isolated from the external network (as opposed to other devices on the same LAN).
On VirtualBox (in case your Kali is running on a virtual machine), you can create an Isolated Network Segment by navigating to the VM's network settings and selecting LAN Segment -> Machine -> Add. This prevents external internet exposure while capturing network traffic locally.
An isolated LAN segment allows its devices to be on the regular LAN and still be isolated from it. We can leverage this configuration to simulate connectivity to a false external network.
In order to configure the infected machine this way you'd need to:
- Modify its DNS Configuration - the server is set to be the investigating machine.
- In case of a suspected windows machine infection, one would need to open a command prompt and issue the command 'Route ADD 0.0.0.0 MASK 255.255.255.255 <fake router IP>' to configure a fake route in order to "trick" the malware to send all of its traffic to it.
- Enable Packet Redirection in Kali Linux (which is your investigative machine and fake router): iptables -t nat -A PREROUTING -i eth0 -j REDIRECT (This is needed because by default, Kali does not forward traffic destined to other devices, to the local machine).
* Conversely, echo 1 >/proc/sys/net/ipv4/ip_forward is NOT used because we don't want to forward traffic to the external network. - Run Wireshark on the investigative Machine – Prevents malware from detecting active monitoring (can't detect it on a seperate device). Once Wireshark is running it should capture the investigated machine''s traffic (including the suspected malware's traffic). You'd need to track and open the malwares associated packets' details and discern the particular protocol of the network service they communicate on, the traffic's destination address and the associated destination port.
- Once the aforementioned details had been discerned, you can proceed to the following step as Inetsim can now be used.
- Use Inetsim on the investigative machine – a program which simulates responses from network services to malware queries.
- To instruct Inetsim to pose as a DG and DNS server and to intercept all of the suspected malware's traffic, you'd need to edit the program's configuration file and search for the required protocol's service. Once found, that particular line would be uncommented to affect the configuration.
- Also the bindport line, designating the service's port, needs to be uncommented (and modified as needed).
- Locate the file's line containing the "dns_default" setting, uncomment it and specify its value to be the ivestigative machine's ip address (DNS Spoofing).
- Finally locate the file's line that includes the "service_bind_address", uncomment it, and specify the investigative's device IP address.
So basically, to reiterate, we have:
- Captured Malware Traffic with Wireshark:
- Identified the target IP, port, and protocol.
- Configured Inetsim to respond as a fake server.
After all of this, we can open wireshark once more, and open a particular suspicious TCP/UDP stream to analyze the suspected traffic.
Once analyzed, we re-edit Inetsim's configuration file and re-comment the "start service <protocol>" line, but leave the "dns_default server" as configured for futher investigation. We are still utilizing Inetsim to pose as a DNS server in order to capture and analyze susupected malware's traffic.
Now to investigate further, open up a netcat listener on the DNS port to intercept more traffic sent by the malware. The command for doing so is "nc -nvlpu 53"
Obfuscation and Malware Packing
A packer is program that "packs" an executable file. Malware authors use packers to alter binary data, making detection harder.
Common Packers:
- UPX (Ultimate Packer for Executables), the resulting file would have the same extention of the packed executable - .exe
- Armadillo
- ASPack
- VMProtect
- Themida –Considered as one of the most difficult packers to reverse-engineer. It bypasses many AV's. It's algorith is very long and requires many system actions.
Most packers have a reversing algorithm (which reverses the packing process). Themida doesn't have such an algorithm, which makes it harder to detect.
An example of using UPX:
And one of unpacking (reversing the packing process):
On the flip side, Cantor Dust is a program that can expose packed executables. Cantor Dust grapically illustrates the binary data, making changes apparent and easily recognizable.
It visualizes binary changes graphically, helping identify obfuscation.
Detecting and Unpacking Malware
All of the virus's activity will be obfuscated and render our tools ineffective. We would first need to decompile the packed executable , but to do so it is crucial to identify the packer's type, as every packer is decompiled differently. To do so (identify the packer) , we would employ the program PEid.
Example:
Identify the Packer:
Unpack the File:
Analyze Unpacked Code:
Some packers, like Themida, use advanced anti-debugging techniques and require specialized debuggers.
Static vs. Dynamic Analysis
Static Analysis (Analyzing without Execution - by simply observing the data)
- Example of a static analysis tool: AIDA, which displays hidden instructions within the binary.
- IDA Pro: Examines malware assembly code.
- Resource Hacker: Extracts icons, metadata, and embedded resources.
Dynamic Analysis (Execution-Based, runs the program and analyzes its functionality)
- Debugging is a type of Dynamic analysis. A Debugger runs malware in a controlled environment, monitoring system impact including to the CPU.
- Process Explorer & ProcMon: both are examples of dynamic analysis tools. Both identify runtime modifications.
Binary Number Systems and Assembly Language
Converting a binary number to its decimal value
Formula:
Where V is the decimal value of each digit within the binary number . You would need to sum up all of these (all V values) to complete the conversion. N is the binary value of each digit within the binary number (either 0 or 1), B is the base ( which is always 2 for binary numbers), and r is the relative position of the digits within the number. Finally, as mentioned, you'd sum all of the decimal values to receive the decimal value.
Example:
Converting a decimal number to its binary value (opposite to the above operation)
To convert a decimal number to it binary value you'd divide the decimal number by 2 repeatedly, each time using the result of the division to divide again, and each time writing down a 0/1 , according to wether the result is a round number or a fracture (a fracture result is assigned a value of 1 , whereas a round number result is assigned a value of 0). These 0/1 assigned numbers are stringed from right to left to form the binary number. Each fracture result is rounded before the subsequent division and the process continues untill a result is reached of a fracture between 0 -1
Example
Hexadecimal Representation
This is another, shortened way of representing a binary number- by using its hexadecimal value.
Whereas Binary uses a Base-2 , Hexadecimal Uses Base-16, where A-F represent values 10-15 respectively.
Conversion from a Hexadecimal to a decimal number
This process utilizes the same formula (V=N*B^r), only the bases are changed to 16 (B) and the N is not necessarily 1/0 but can be of any value according to the particular digit's value in the decimal number.
Example:
Conversion from a decimal number to a Hexadecimal one
To convert a decimal number into a hexadecimal number (just the opposite of the above operation), we'd need to firstly convert the decimal into it's binary value (as discussed above, by dividing the number by two over and over again untill a fracture between 0-1 results, and sequentially, from right to left, assigning a 1/0 value to each of the divisions , in accordance with each result having or not having a remainder). After which, we'd seperate the resulting binary number into groups of adjacent four digits and treat each group as an isolated number (each with its rightmost digit being at a base of 2^0 and its leftmost digit as being 2^3) . We'd then calculate their respective decimal value. Finally, the decimal numbers are stringed from left to right according to their order to form the resultant hexadecimal number.
Example:
To convert a hexadecimal number into a binary number, each hexadecimal digit is firstly isolated from the rest of the number's digits and is converted into it 's 4 digit binary number value. After which , each of the resulting groups of 4-bit segments binary are combined (simply appended from left to right without summing or anyother methamatical operation)
Example:
Each hexadecimal can be expressed as a 4 digit number in the following manner: 7E => 0x07E .
Negative Number Representation
There is a need in computing to represent negative numbers in the processor and memory, utilizing bits and bytes.
The Sign-and-Magnitude method addresses this problem: it appends a 0/1 digit to the left of every binary number to signifiy whether that number is a positive or negative (a 0 means the number is a positive and 1 signifies a negative number). The rest of the binary number assign the value of the actual number as per usual. In other words, the method uses the MSB (Most Significant Bit, which is the leftmost bit) as a sign signal/flag.
The shortcoming of using the "Sign and Magnitude" method is that when attempting to perform mathematical calculations on numbers erroneous results may occur (because the processor does not differentiate the MSB and simply processes it as any other bit). For example, when summing up two numbers it may assign a decimal value to the MSB, despite that it is only meant to signify the number's sign, and include it in the values to be summed).
To address this shortcoming, Two's complement method was conceived: (complementry to the Sign-And-Magnitude method).
One's Complement: Inverts all bits to represent negative numbers. As mentioned ,this method is complementary and does not appear on its own. So practically, a number would be expressed according to the Size -And-Magnitude method (with the MSB signifying whether the number is positive or negative), and then if the value of the MSB is 1 (signifying a negative number), all of the digits in the number would be inverted (meaning 1's will be turned to 0's and vice versa to prepare the number for a subtraction operation. The processor would then proceed to add the numbers, but since the inverted number is now the mirror image of its former value, the actual operation would be adding it's inverted value (ie. subtracting it from the other number).
Two's Complement: This a complementary method to One's complement (which is itself complementary to the Sign and Magnitude method). It aims to solve the problem that arises from the Sign and Magnitude system which One's complement does not addresss, and that is the adding of a sign bit to the number zero (effectively creating false entities which are -0 and +0 that do not exist in reality as zero has no sign and is neither negative nor positive) . This creates problems as the processor differentiates between a postitive and a negative zero which creates
← Back to Articles