Learn about the reasons for reverse engineering, and the approaches used to understand malware.
- [Instructor] Reverse engineering is the technique used to work backwards from an executable piece of software and reconstruct a base of understandable code, and gain an understanding of its functions and capabilities. This is typically done when the original source of the executable code is not available. Reverse engineering requires a solid foundation of low-level machine code and assembler knowledge, and familiarity with key technologies such as networking and cryptography.
It also requires a great deal of persistence; malware is often written to be very difficult to reverse engineer, so it takes a substantial investment in time to understand what it's doing. Malware reverse engineering is one application of reverse engineering, and it's a highly specialized cyber defense skill employed by researchers to study the techniques used by malware authors to infect computers, exploit target systems, and exfiltrate data.
Reverse engineering requires a controlled environment in which to analyze the software, not only by disassembling it for static analysis, but also by running it and watching what it does. This is known as dynamic analysis. The test lab we need to do reverse engineering goes beyond the virtualization environment we might use for penetration testing into a more robust sandbox, which stops, or at least strongly controls, any external interactions by the malware.
A good way to begin malware reverse engineering is to run your reverse engineering sandbox on an isolated system, off your home network, and with no internet connection. Malware reverse engineering is part of the wider malware analysis capability, which Lenny Zeltser considers as having four levels of increasingly difficult analysis. At the bottom, and the easiest, is to run fully-automated analysis. Above that, static properties analysis provides a great deal of information about what the malware may do, with relatively little effort.
The second most difficult task to do is interactive behavior analysis, in which you interactively step through the software, analyzing its behavior as it runs. Finally, reverse engineering and analyzing the source code is the most difficult task. IDA is the preferred tool used by malware reverse engineers in disassembling code and creating maps of the execution flows of the software. It also provides debugging capability and it is extensible with many open-source extensions available.
A software debugger, such as the x32 debug tool, is invaluable for interactive analysis. It also provides reconstruction of assembly code from the executable file. It's a simple debugger and it's open-source. There are some complications that we might run into when attempting to reverse engineer a malware sample. Malware may often be deployed as a packed file and will need to be unpacked before we can disassemble or debug it. We'll look at how we might identify the packer and the techniques used to unpack.
It may obfuscate itself, making reverse engineering more time-consuming. Malware may be VM- or debugger-aware and terminate execution if it sees these environments. We'll look at how to counter these issues. There are a number of automated malware analysis sandboxes available, either commercial products or open-source, such as Cuckoo. These products provide sandbox-based execution and monitoring of malware activity. Finally, you'll want some malware samples to work with.
There are a number of sites which provide malware samples, including a popular one known as VirusShare shown here, for which you'll need to register. Malware-Traffic-Analysis is another site which holds malware samples and also some pcap files associated with malware traffic, which may be useful. Of course, there's always the Shadow Brokers' dumps of NSA malware, which provide a ready source of sophisticated binary malware to examine. We'll take a look at one of these, EternalBlue, later in the course.
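The "static properties analysis" level and the packed-file complication the instructor mentions above can be shown in a few lines of code. The script below is an added example, not part of the course or of any tool it names: it hashes a sample (the hashes are what you look up on sites such as VirusShare), measures Shannon entropy overall and per chunk as the usual heuristic for spotting a packed or encrypted body, and pulls out printable ASCII and UTF-16LE strings. Both input blobs are constructed inline as stand-ins (a fake `MZ` stub followed by instruction-like bytes or pseudo-random bytes); they are not real PE files or real samples, and the entropy thresholds are rules of thumb, not proof of packing.

```python
"""
Static-properties triage of a suspected malware sample (added example).

Nothing here executes the sample, so it is safe to run against a file copied
into the isolated lab. The two SAMPLE blobs are constructed stand-ins, not
real binaries.
"""
import hashlib
import math
import random
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk_size: int = 512) -> list:
    """Per-chunk entropy. A packed or encrypted region shows up as a plateau
    near 8.0; ordinary x86 code and data usually sit well below 7.0."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify_entropy(entropy: float) -> str:
    """Common triage buckets (heuristic thresholds, not a definitive test)."""
    if entropy >= 7.0:
        return "likely packed or encrypted"
    if entropy >= 6.0:
        return "suspicious"
    return "likely plain code/data"


def extract_strings(data: bytes, min_len: int = 5) -> dict:
    """Printable ASCII runs and UTF-16LE (Windows wide) runs of >= min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.decode("ascii") for m in ascii_re.findall(data)],
        "utf16le": [m.decode("utf-16-le") for m in wide_re.findall(data)],
    }


def file_hashes(data: bytes) -> dict:
    """Hashes used to look a sample up in sandbox reports and sample repositories."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(data: bytes) -> dict:
    """One-shot static-properties report for a sample."""
    overall = shannon_entropy(data)
    profile = entropy_profile(data)
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "entropy": round(overall, 3),
        "verdict": classify_entropy(overall),
        "max_chunk_entropy": round(max(profile), 3) if profile else 0.0,
        "strings": extract_strings(data),
    }


def _pseudo_random_bytes(n: int, seed: int = 1337) -> bytes:
    """Deterministic high-entropy filler standing in for a compressed/encrypted body."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-in for an unpacked binary: a decorative MZ stub, repetitive
# instruction-like bytes, and a few embedded strings. Not a real PE file.
UNPACKED_SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"\x55\x8b\xec\x83\xec\x10" * 300
    + b"\x00http://c2.example.invalid/gate.php\x00\x00"
    + "CreateRemoteThread".encode("utf-16-le") + b"\x00\x00"
    + b"\x00kernel32.dll\x00"
)

# Constructed stand-in for a packed sample: same stub, then bytes that look
# statistically like compressed or encrypted data, so strings are useless here.
PACKED_SAMPLE = b"MZ" + b"\x90" * 62 + _pseudo_random_bytes(4096)


if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        report = triage(blob)
        print(f"[{label}] size={report['size']} sha256={report['hashes']['sha256']}")
        print(f"  entropy={report['entropy']} ({report['verdict']}), "
              f"max chunk={report['max_chunk_entropy']}")
        print(f"  ascii strings={report['strings']['ascii']}")
        print(f"  wide strings={report['strings']['utf16le']}")
```

Run against a real file with `triage(open(path, "rb").read())`. The useful signal is the contrast: the unpacked stand-in yields a URL, an import name and a DLL name with low entropy, while the packed stand-in yields entropy near 8 and only accidental "strings", which is exactly the point at which the instructor's unpacking step becomes necessary before static analysis can say much more.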
- Considering malware in families
- Installing and running the IRMA reverse engineering malware detection system
- Using the VxStream service
- Enumerating auto-runs
- Using netstat and Nmap to identify open connections
- Looking at processes
- Disassembling with IDA
- Unpacking files