Advanced Malware Analysis Notes

from Spring 2016

A chronological list of topics, papers, and things we want to discuss

• Monday 2/1/2016
  • Went over the course syllabus
• Wednesday 2/3/2016
  • Finding articles online through the UMBC Library
  • What is new in the Springer Journal of Computer Virology and Hacking Techniques
  • Demo access to UMBC Research Port
  • Take a look at the most recent Shmoocon
  • Using the Mendeley web interface
  • Demonstrate Mendeley desktop
  • What papers should we read for next week?
  • A blog post Ten Things I Wish I Knew Before Starting a Ph.D
• Monday 2/8/2016
  • Created a private group for this class on Mendeley. The group is called "UMBC CMSC691 malware seminar"
  • The Mendeley group URL is https://www.mendeley.com/groups/8219441/_/overview/
  • Send me an email and I'll add you to the group.
  • Reading and summarizing scientific and technical papers is not a skill that comes easily to everybody. Here are some guidelines.
  • For the first paper, I'm going to present Egele's Survey on Dynamic Malware Analysis. The paper has been copied to the Menedely group, and here is a direct link to the PDF.
  • We got about half way through the paper.
  • The QEMU paper from 2005 is still well cited. We'll look at that next.
• Wednesday 2/10/2016
  • finish the Egele survey paper
  • discuss future seminar topics
• Monday 2/15/2016
  • UMBC closed due to snow
• Wednesday 2/17/2016
  • Charles presents the QEMU paper link to ppt
  • Maybe a demo installation and use of QEMU on dream-cs
  • on this box we need to use ./configure --python=/usr/bin/python2
  • as one would expect, there is lots of info on the Web regarding installation and use of QEMU, for example, this quick guide to QEMU setup
  • presenting a paper - or giving a talk!
  • Stephan Chenette's talk from PacSec might be a good example. The presentation has been copied to the Mendeley group, and here is a direct link to the ppt.
• Monday 2/22/2016
  • As an in-class exercise, we used qemu to bring up Ubuntu 15 on dream-cs, which is running Ubuntu 14.
  • The magic words (on dream-lab.cs.umbc.edu) are:
    
    qemu-img create ubuntu15.img 10G
qemu-system-x86_64 -hda ubuntu15.img -boot d -cdrom <the ISO file> -m 4096 -enable-kvm

and once the system image file has been built with the above,
    
    sudo qemu-system-x86_64 -hda ubuntu15.img -boot c -m 4096 -enable-kvm

    The sudo command may be necessary to enable the KVM option.
  • For a Windows install, Windows 7 seems to work as well as XP. Follow this link to access a Windows XP sp3 ISO here. For UMBC only.
    
    qemu-img create windowsXP.img 10G
qemu-system-x86_64 -hda windowsXP.img -boot d -cdrom <windows.iso> -m 4096 [-enable-kvm]

and after install, use the same command, but replace -boot d with -boot c. The enable-kvm engages some type of speedup.
  • Once the new virtual machine is running, communicate with it using a VNC viewer. Some VNC viewers have better mouse support than others. I've had good luck with
    
    ssvncviewer 127.0.0.1:5900
    
    
  • Can we install the Panda malware analysis platform? Find the blog "Push the Red Button". There's a post dated 10/2/2015 with a Panda VM. Save this ova file, which is a few gigs in size.
  • The Panda VM has a single user, "Panda User", and the password is "panda" without quotes.
  • For more information on Panda, I'll be adding this paper to the course Mendeley archive.
  • Brendan gives a talk at Recon 2014. On Youtube.
  • Panda's record/replay function lets us repeat an execution path as many times as we like. Check out www.rrshare.org.
  • Can we use Panda to check out the recent (2/20/16) hack of Linux Mint?
• Wednesday 2/24/2016
  • Frank presents "Overview of Botnet Research" pdf. His slides
    
• Monday 2/29/2016
  • I have become aware of a Workshop on Malware Analysis.
  • Payal presents the Botnet Judo paper. Her slides.
• Wednesday 3/2/2016
  • Robert presents the Panda paper. His slides.
  • and the file with commands for using Panda and running demos.
• Monday 3/7/2016
  • Rajesh will present "Your Botnet is My Botnet: Analysis of a Botnet Takeover", available on Mendeley. His slides.
• Wednesday 3/9/2016
  • Anh presents "On the Analysis of the Zeus Botnet Crimeware Toolkit." available on Mendeley, and here. His slides.
  • The PaiMei system was mentioned in the paper.
  • Let's talk about the Zeus Tracker project.
  • I have recently become aware of Viper, a framework for management and analysis of malware binaries.
• Spring Break, already!
• Monday 3/21/2016
  • Charles will talk about entropy, NCD, and clustering! Malware white paper (pdf)
• Wednesday 3/23/2016
  • Class was cancelled since Charles had to visit NSF.
• Monday 3/28/2016
  • Payal presented a paper on the authorship of the Zeus malware family. (pdf)
  • Charles has a new version of the IR for Malware white paper (pdf)
  • clustering is a BIG topic, see this link for an overview
  • For automated malware analysis tools, see https://zeltser.com/automated-malware-analysis/
  • Did anybody catch the post about fileless ransomeware? See carbonblack
• Wednesday 3/30/2016
  • White paper proposal DUE TODAY
• Monday 4/4/2016
  • Class was cancelled due to Charles' travel.
• Wednesday 4/6/2016
  • Lisa Mathews will present her recent paper on detecting botnets. (UMBC only)
  • Winston does a demo of the Viper malware analysis system
• Monday 4/11/2016
  • Chris will do a demo of Radare
    • like IDA designed for fans of vi
  • r2
    • aaa
    • is
    • many other commands
    • VV
    • ASCII art call graph
    • commands can be piped
  • Kevin presents the Lyda and Hamrock paper "Using Entropy Analysis to Find Encrypted and Packed Malware"
• Wednesday 4/13/2016
• Frank will present the paper "Subroutine based detection of APT malware". Frank's slides.
• Charles presented an overview talk on authorship attribution. (pdf)
• Monday 4/18/2016
  • Chris will present "Malicious PDF Documents Explained", available on Mendeley. His slides.
  • Charles presented the paper "A practical approach on clustering malicious PDF documents", available on Mendeley. No slides.
• Wednesday 4/20/2016
  • Rajesh will present "Unveiling Zeus - automated classification of malware samples" (pdf) His powerpoint slides.
  • Winston will present the paper "On Technical Security Issues in Cloud Computing", in the Mendeley archive. His slides.
• Monday 4/25/206
  • Anh will present the paper "HelDroid: Dissecting and Detecting Mobile Ransomware". Available on Mendeley. His slides.
• Wednesday 4/27/2016
  • Kevin will present Anatomy of Exploit Kits, available on Mendeley. His slides.
• Monday 5/2/2016
  • Charles talks about recent work on exploit kits.
• Wednesday 5/4/206
  • Skype with Mike Wiacek <mjwiacek@gmail.com> with Google's security team and VirusTotal
  • Questions for Mike?
    • How much Android malware is there?
      • VirusTotal has almost a billion specimens. Not just Andorid, though
    • Is Google hiring in this area? Full-time or interns?
      • Yes! Send him your resume.
    • Is Mike aware of HelDroid?
      • Did not ask about this.
    • Is Google working on applications of machine learning in the area of malware analysis?
      • Yes indeed! Mike is surrounded by ML people. LOTS of work to be done in this area.
      • They have tons of compute power!
    • Do they distinguish more or less harmful sorts of malware? Adware being less harmful than just annoying.
      • Yes, VT recognizes adware, for example
    • How can access to VirusTotal data be obtained? Inexpensively?
      • Charles will follow up
    • What trends are VirusTotal seeing in terms of exploit kits, or ransomware, or whatever?
      • They are seeing ransomware,
    • What tools and techniques do you use for collection or analysis of malware?
      • Virus Total Intelligence automates a lot of analysis
      • People submit specimens to VT through its web interface
    • How does VT deal with false positives? Is benign software ever mistaken for malware?
      • The various A/V systems make their own decisions.
    • What advice can we give an ordinary user to protect themselves? Besides disconnect from the grid?
      • It seems that application whitelists are becoming a bigger deal. Not effective for all malware, though.
    • How is Go going?
      • They use it a lot! Better for system tasks that are complex in C++, more transparent than Java.
      • Charles wants to teach this in 331
    • Does Mike have any questions for us?
      • Yes! What should be added to the VT interface? Similarity? Clustering? What else?
  • Last day the class meets
• Monday 5/9/2016
  • White papers are due today, for extra credit!
  • No class
• Monday 5/16/2016
  • White papers are due today, no kidding.
  • No final exam.