Jump to content
Tuts 4 You

Seeking Directions...


Guest sowhat

Recommended Posts

...Didn't knew if the "General Topics" is the appropriate place to post this,

if not,then please move accordingly...

Also,excuse me in advance if I'm flooding you with a lot of sub-questions,

just trying to figure out which is the shortest way...

Question is(and will always be,I guess):

"How to determine if this executable that I downloaded from some potentially untrusted source,

acts maliciously when run (virus,trojan,exploit etc.)and harms my system?"

After some moment,I stopped say,"trusting",my current AV.

Not because it's not "protecting" me well enough,

but because I understand the limitations of signature-based solutions.

Heuristics are a nice concept,but give way a lot of false positives.

Eventually,for checking suspicious files,

I started using online AV multi-engines,like VirusTotal and Jotti.

And it's true that the comparison of the results gives a way more clear view.

Soon I found out that almost all AV products have major drawbacks,for example,

some of them always report as "suspicious" a UPX-compressed executable,

(ha!they can't even unpack properly an open-source packer,and they dare sell their product...).

As a second example,say,I download a packet spoofing Perl script,

it gets detected as "trojan"(?) or even worse,as a "virus"(for what reason?),and furthermore,

if I convert it to standalone .exe using Perl2Exe or similar tools,all warnings are gone away...

Seeing the above,I started using various pre-made unpackers,

before submitting the samples to VirusTotal etc...results where proven to be a bit more reliable.

But I am still not convinced/impressed with all this...so,what do I need to learn?

What is the currently more reliable way to check for a .exe 's behavior...

say for discovering if an exe overwrites/modifies other executables,

or opens ports/connects to remote addresses?What's the shortest/fastest way?

I currently just know how to write simple scripts in Perl and Python,

in order to automate administration tasks and stuff like that...

is also C/C++ and Assembly really required for a task like this?

I'm not requesting for a "lamers' 1-click solution":

it's just that I don't need/want to become a full-blown reverse-engineering expert,say,

I'm not interested in techniques of "removing nag-screens" or stuff like "inline patching",

I just want to extend my admin skills to a further point where I would feel more secure...

It's my understanding that at least a good knowledge of the PE format is required,

along with some experience in manual unpacking...but what else?

Thanks in advance for any replies,opinions and helpful directions,

once again,I hope I didn't bug you with too many questions...

Edited by sowhat
Link to comment

You should run a posibly infected executable inside a virtual machine or at least in a virtual sandbox(like Sandboxie) to be safe. I suggest using VMware. Then you'll need an OS to run inside a VM. Then you'll need some tools to analyse the executables' behaviour. These tools can include:IDA, OllyDbg, PEiD, Process Monitor, Regshot, SmartSniff.

Of course the basic requirement for reversing is the knowledge of ASM.

A few articles on reversing malware:

http://www.zeltser.com/reverse-malware-pap...rse-malware.pdf

http://www.cacs.louisiana.edu/cybersecurit...l/material.html

http://isc.sans.org/presentations/

http://www.symantec.com/enterprise/securit...whitepapers.jsp

http://www.offensivecomputing.net/?q=node/205

An article which explains Sandboxies' capabilities:

http://www.zone-h.org/content/view/13831/98/

Reversing Malware I: The Science of Malware Analysis:

http://www.osix.net/modules/article/?id=760

Malware Fighting Malicious Code book:

http://www.fixdown.com/soft/15700.asp?www.....com=gdteldowns

I hope & I gave you enough reading material & remember google is my friend it could be yours too! :)

Link to comment

You can never know whats gonna happen when you run the file. The best protection is to be paranoid. Know what you download and from where. If someone sent you a SFX archive, don't run it to extract it. Open up Total Commander and do Ctrl+PgDn on it. View it with lister (f3 in total commander) in binary mode. It's quickest way to see if it's packed (view section names). 99% of malicious software is packed. Then jump down to bottom and see if there's company name and such data. They don't bother to set that stuff.

In the end, I don't think you should have a reason to often start executables from very suspicious sources. Avoid them, and if you can't run the executable in virtual machine and thats it.

I don't use a firewall or AV. Only thing I'm afraid of is getting my browser hijacked, but other than that todays malicious software is not too malicious. It mostly makes your computer a part of DoSing zombie army, and if you notice that it shouldn't be too hard to remove it.

Link to comment

Many thanks for your replies people...

most of the links supplied were already known to me,except Skoudis's book and Zeltser's paper...

I already use DeepFreeze and/or VMWare,when wanting to (somehow) test/check suspicious files...

"Of course the basic requirement for reversing is the knowledge of ASM."

Guess that's what I wanted to hear...or to be honest,maybe I should better say...didn't wanted! ;)

I currently work as an admin,so I had to read a lot of books,papers and RFCs regarding TCP/IP,

various networking protocols,"hacking"/security tools and the theory behind them,

manually parse the code of public exploits or step through packet captures etc.

And after say,one year and a half(or so),I came to a point where I could say to myself,

"Ok,man,you now have a basic understanding of how remote intrusion works,

of course you're not able to find new bugs and write exploit code for them,

but one thing for sure,you're able to do some good pentesting against your machines,

in order to be able to secure them properly after..."

Surely there's a lot more to read and learn:everyday is a completely different day... :P

That's the reason I got interested in executables...

I hope I made the point pretty clear for what my goal is,

and the reason I said I don't need/want to become a full-blown reverse-engineering expert.

For preventing network-based attacks,regarding programming knowledge,

you just have to know the basics of Perl,

and be able to manually parse,(at least to some extend),C code...

Assembly really scares the hell out of me...(shouldn't it do so?),

it seems too difficult to learn/understand,that's the reason I asked for the "shortest/fastest way",

seems there really isn't one...well,what can I say,patience and good reading!

For the moment,I'll start with manually unpacking tutorials...but for future reference/direction,

should I start learning how to write simple/basic programs in Assembly,

or should I dive directly into "cracking"/reverse engineering tutorials,

until at some point I get familiar with the various instructions and their equilevant meaning?

Edited by sowhat
Link to comment

Then I think your question is faulty. This wont help you administer a network. You'll have to do a loooot of reading :)

I haven't done so myself, but you should check books Defcon recommends. Also, it wouldn't harm to click though their past presentations or watch videos of past conventions. I learned a lot about web application security just from one ppt presentation.

http://www.defcon.org/html/links/book-list.html

Link to comment

Sorry for not replying earlier,working to make a living...didn't left me much free time these days...

"You'll have to do a loooot of reading"

You bet I'll do so! B)

No matter how much time it will take me...well,what can I do,

I MUST understand/learn these concepts,I hate not being able to know what's going on in the "inside".

I wget'd from the main site all of Lena's tutorials,and the guides from the "Unpacking Theory" section...

I will never feel 100% sure about my admin skills,when I know that every guy/girl in my office,

(including me also),downloads and executes ready-made compiled binaries.

And I cannot just rely only in 3rd-party AV solutions...in the final end,it's pretty simple:

you can trust something only as much as you understand it by yourself.

P.S:By summer,there were some ftp servers,listing all of Defcon's presentations,past and present.

Unfortunately,I don't seem to be able to locate them at the moment.

But in any case,most of Defcon's material should have find it's way in PacketStorm's archives...

Edited by sowhat
Link to comment

As a network Admin you probably got the broucher for SANS 2007

however in case you didnt then Security 601 is for you - Reverse Enginering Malware

h**p://www.sans.org/training/description.php?tid=390

plus as a network admin you could argue the case for the company paying for it ;-)

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...