Create your own awesome maps

Even on the go

with our free apps for iPhone, iPad and Android

Get Started

Already have an account?
Log In

Malwares Demystified and Simplified by Mind Map: Malwares Demystified and Simplified
5.0 stars - 2 reviews range from 0 to 5

Malwares Demystified and Simplified

Detection, Prevention & Response

AV/Firewall/OS regularly updated & patched

Anti- Virus, Les différentes détections ajoutées sont mentionnés par une suite de lettre ou des chiffres. ou bien la taille du fichier, Antivirus Naming Scheme, Exploit.HTML, Exploit.PDF, Exploit.SWF, Vers se propage par messagerie instannée., HTML.IFrame, Sdbot / Rbot / Spybot : : Désigne un type de malware se propageant via des failles systèmes à distance RPC etc. (comme le faisait Blaster dans le temps)., Trojan-Spy.Win32.Banker, Trojan.DNSChanger, Trojan.Clicker, Trojan.Downloader, Trojan.Delf, Trojan.Dropper, Trojan.FakeAV, Trojan.Inject, Trojan.RogueSecurity, Trojan.PWS, Trojan.Small, Trojan.Tiny, Trojan.VB, Trojan.WinUnlock, Worms.Autorun






is a proof of concept of network security hardware device capable of translate and forward packets. Designed for high availability, Honeywall is able to provide load balancing and anti flooding. Unlike a firewall, it does not block packets. Features Building — All you need to deploy centralized services on remote Honeywalls. Managing — Create and allow administrators to manage system on the fly. Monitoring — Open source hypervisor technology over network.


Network-based intrusion prevention (NIPS):

Wireless intrusion prevention systems (WIPS):

Network behavior analysis (NBA):

Host-based intrusion prevention (HIPS):

Rate-based intrusion prevention systems implemebted with specialized hardware

Global Correlated

Anomaly based detection systems

Application Execution Blockers

Web/email filtering

DNS Revooked

Education/Research/Social awareness about online security & privacy trends

Following the best practices for managing and using online host

Reword for reporting/Information exchange

Nullrouting DNS Entries

Greylisting (anti-smap)

Traffic Control (Firewalls, NAC, Proxis)


Traffic Monitoring, Signature Based Detection, Anomaly Based Detection, DNS Based Detection, Data Mining Based Detection

Anti-Malware Software


Honeypot, Malware Collection, Vulnerability Emulation




Security Researchers

ISP, Domain registrars

Law Inforcement

(Collaboration and Cooperation)

How do botnets get taken down?

● Common methods include ● Hosting provider de-peered – ● Example: McColo, Troyak Server hosting botnet cleans up/kicks off – Public IRC servers, free web hosting ● Compromised host cleaned up/rebuilt ● DNS Revoked ● IP of C&C server banned – Because Metus pwnz and I open a port on my router at home just like the tutorial told me!

New node

r ́vention et d ́tection e e Cˆt ́ utilisateur et poste client oe Installation d’outils de d ́tection : e logiciel antivirus pare-feu personnel outil de d ́tection de logiciels espions e Mise ` jour r ́guli`re : a e e syst`me d’exploitation e logiciel antivirus (et s’assurer de la validit ́ de celle-ci : e d ́sactivation possible par le botnet) e navigateur web (ne pas installer de plugins non sign ́s) e client de messagerie logiciel de messagerie instantan ́ e logiciels de bureautique 27/38 D ́finition Motivations Fonctionnement Evolution Pr ́vention et d ́tection Commerce de botnets D ́monstration Conclusion S e e e e Pr ́vention et d ́tection e e Cˆt ́ utilisateur et poste client oe Pr ́cautions : e ne pas travailler en mode administrateur ne pas d ́sactiver les mises ` jour automatiques e a ne pas suivre les liens contenus dans les spam ˆtre vigilant sur les pi`ces jointes e e les correctifs logiciels ne sont jamais envoy ́s par mail e droit de lecture sur les ex ́cutables si possible et contrˆle e o d’int ́grit ́ e e ne pas t ́l ́charger n’importe quoi (cracks, etc.) ! ee 28/38 D ́finition Motivations Fonctionnement Evolution Pr ́vention et d ́tection Commerce de botnets D ́monstration Conclusion S e e e e Pr ́vention et d ́tection e e Cˆt ́ administrateur oe existence de listes noires : RBLs (Real-time Black Lists) ⇒ g ́n ́ration de filtres e e surveillance du trafic r ́seau (protocole IRC, P2P) ⇒ NDIS e (Network Intrusion Detection System) ˆtre vigilant avec les applications PHP sur serveur WEB e (failles de s ́curit ́) e e gestion stricte des mots de passe d ́finition d’une politique pour la gestion des correctifs de e s ́curit ́ e e ne pas laisser de cot ́ les ordinateurs nomades e droit restreint pour les utilisateurs analyse des journaux apr`s infections (d ́couverte nouvelles e e machines infect ́es, trouver le C&C) e mise en place de pare-feu, proxy, filtrage SMTP, VLAN

detection methods

 No single method  Use defense in depth  Watch anti-virus/anti-spyware logs   Many bots are caught by anti-virus Not a 100% fool-proof plan  Monitor firewall logs for C&C traffic   Watch FW logs for both allowed and denied connections to common C&C services IRC (TCP 6667), P2P (varies), odd ports Use IDS to watch for:   IRC/P2P/Botnet activity Attacks and DoS traffic coming FROM your network  Network flow analysis   Watch for increase in traffic Unusual traffic patterns  Your users

Advanced Response

 Can you get forensic information on the malware?  Got a copy of the executable?   Submit it to anti-virus vendors  Command and control information?  Send it to the Shadowserver Foundation, ISC Handlers DO NOT CONNECT TO THE C&C CHANNEL!

Roadmap to Botnet Prevention

 Patch, patch, patch   Both workstations AND servers Bots were using MS06-40 exploits 2 days after patches were released  Teach users safe computing habits   Safe browsing habits Not running unknown files will help prevent bot infection  Maintain up to date anti-virus signatures  Its not 100% effective, but important!

You’ve detected it, now what?

 Begin incident response  Treat it like a virus infection  First priority is removal of malware  If possible, determine how it got on  This will help prevent further infections  Prevent it from happening again  Patch, user awareness, etc.

Why should you care?

Bot infections can be costly  Cleaning up 1 infection is easy. How about 1,000?  Better understanding = better protection  Botmasters are organized. We need to be as well.

High level of activity by botmaster makes them easier to detect than their bots

Network signatures can becreated without malware analysis, but signatures created with the help of malware analysis are usually far more effective, offering a higher detection rate and fewer false positives.

Hunting the ecosystem

Education, Computer Security Basics, Antivirus Update, Apply vendors Security updates, Relatively efficient, Good Usage of IT, Do not click on everything !, Avoid suspicisous sites, Only use legal software and licenses, No illegal download of MP3, DivX, Stop believing everyobody wants to give you money !, Merely useless: humans will be humans

Laws, Financial, Common laws against crime money, Increses risks and reduce interest for criminals, Falls into organized crime prevention methods, Efficient for 'big' business not for 10.000$ exploits, IT Specefic, Illegal behavior repression, Prevention of ressearch, Adopted by many countries, Forbid security research and publication, Leads to opposite effects, searching going underground.


Preventing technologies

Defending against Bots & Botnets

Home User: Prevention

Home User: Detection

Home User: Response

Sys-Admin: Prevention

Sys-Admin: Detection

Sys-Admin: Response

Botnets are moviong targets

No technique is perfect

All networks are not the same

Malware Taxonomy and Evolution

Remote Access Tools

TeamViewer / Hamachi / Mikpo






Permanent Connexion Between the Client and each server

Commun Features, File Manager, KeyLogger, Cam Capture, Reverse Shell



alias : (Zombies/Drones) / Loaders Similar to a backdoor, in that it allows the attacker access to the system, but all computers infected with the same botnet receive the same instructions from a single command-and-control server.

Architecture, Centralized, IRC-Based, Pros, Easy to implement, Uses IRC servers/channels/topics/messages for communication, No much bandwith required, Infrastructure already set up and maintained, Code Already exists, just drag and drop, Cons, Connexion en permanence, Serveur Central, Usually unecrypted, Easy to detect( filtrage du flux IRC), to get into and to shut down., HTTP/HTTPs-Based, Pros, Difficile à detecter (Flux HTtp + ssl), Connexion régulières vers des serveurw web entre les bot et le C&C (non permantenae) pour récupérer les ordres, Recherche des ordre dans les forums, avec des mots clé ou mm des images (stégano), IRC not always allowed through corporate firewalls, HTTP almost always is, Web servers are found everywhere, Provide Simple interface for the bnots and the botmaster, HTTP is the most stable, and has other benefits such as domain backups, and domain generation., Cons, Point central, VoIP-Based, Skype, SMS-Based in Mobiles, Why Smartphone Botnets?, Nearly 62 million smartphones sold in Q2 2010, Development is similar to standard platforms, Android = Linux iPhone = OSX Windows Mobile = Windows node, Technical specs not as good as top of the line desktops. They are capable and improving rapidly., Why SMS C&C?, Battery Management: IP runs down battery quickly, Fault Tolerant: If SMS fails it will queue and retry, Difficult for security researchers to monitor, Android, capture IMEI number, IMSI number, user id etc and send that information to a remote server., Contacts, connect with a remote server and would delete sms, make a call, steal sms etc., this malware would listen to the keypad tones by activating the phone's microphone This would allow the attackers to check for credit card numbers from the DTMF tones., send SMS to premium numbers with a text. But in the background would block the delivery report from that premium number that the user doens't know anything what is happening in the background., access to the SD Card, GPS Location, Full internet access and phone call access., Author tried to add permissions like to browse history, read, send and write sms etc., Propriety channels, Usually based on Covert Channels and/or encryption, with the adoption of PKI, Needs a private Infrastructure, Eficient at short-term but blocked, TOR to change this status 0..., Decentralized, P2P-Based, Pros, Difficile à réperer, Très difficle à neutraliser, Indépendant de l'architecture DNS, Distributed, Resilient Controle Strcuture, Resilient to failures, Harder to shutdown, Hard to discover, Hard to Defend, Hard to Enumerate, Commabd abd control location discovery, Cons, Très difficle à neutraliser, Hard to lunch large scale attacks because P2P technologies are currently only capable of supporting very small groups (<50peers), No guarantees on message dilivery or latency, Different Types, Gossiping, Overlay Network, eDonkey - DHT, Randomized (Hybrid or Mix), Commnication betwwen the bot client and C&C server using HTTP, Communication betwwen bots using TCP or encrypted ICMP, Command transmission using P2P, The detection of a single bot would never compromise the full botnet, The message latency would be exteremely high, with no gurantee of delivery, Cutsom, TCP / IP, XMPP / UNPN / ICMP-Based, Classification can be done: Based on the architecture of the botnet OR its communication protocols with the bots.

Internal Strucutre, Monolithic, Coherent, all features in one binary, Evolution may not be trivial, Kaiten, SDBot, Spybot, Modular, Evolution voluntarily made easy, Choice of appropriate language (C++), AgoBot, Barnum, Set of heterogenous scripts, Often relies on local interpreters, PHP Bots, GTBot

Lifecycle, Spread/Propagation Phase, Activation, I'm active, you can take control of me !, Update, Add new features, Auto-Protection, Code Mutation / Self-Modifying Code, Polymorphism/Metamorphism/Oligomorphism, Bypass and Block or Kill AntiVirus / Firewalls, Managed crypting services, System Hardening, System FIle Protection Hiding, DDNS - Dynamic DNS Domain Name (Fast Fluxing), Single, Utilisateur d'un ou de plusieurs domaines, Bot : Choix de l'url destination en fonction du type de requete, Changement régulièr des IP associés au nom du domaine (NDS), Utilisatation des machines zombies en Reverse Proxy ( Trasfert des reqêtes de la victime vers le serveur réel), +, Camouflage de l'IP du serveur réél, -, @ du serveur de noms compromis, Double, +, disponibilité quasi optimale, résiste à l'arrêt d'un serveur DNS, Double évolué, Botnets run own DNS service to resolve the C&C servers., Use high port numbers to avoid detection by security devices and gateways, Quality Assurance, Server side polymorphism, File Extension Manipulation / Double Extention, Ghost RAT, Rallying mechanisms, Hard-Coded IP address, The bot communicates using C&C ip addresses that are hard-coded in it’s binary files., Easy to defend against, as ip addresses are easily detectable and blocked, which makes the bot useless., Dynamic DNS Domain Name, - Hard-coded C&C domains assigned by dynamical DNS providers. - Detection harder when botmaster randomly changes the location - Easier to resume attack with new, unblocked Domain Name - If connection fails the bot performs DNS queries to obtain the new C&C address for redirection., Distributed DNS Service, Hardest to detect & destroy. Newest mechanism. Sophisticated. Botnets run own DNS service out of reach of authorities Bots use the DNS addresses to resolve the C&C servers Use high port numbers to avoid detection by security devices and gateways, Modification du système (changeùment de regle de filtrage réseau, désactivation d'outils de sécurité., Action, Attack, Spam

Motivation, Financial Gain, Whos has the most of Bots ?, Availability of bots ?, Low User Awareness & Monitoring Capability ?, Location ?, Contries with a low probability of law enforcement officers being able to trace the bot back to the attacker, The most resilient ?, In fact, it's all about resilient !, How easy is-it to control it ?, The highest overall bandwith ?, The most high quality infected machine ?, Universities (.edu domains), Gouvernement machines, Military workstations, Large Corporations, Ideological, Retorsion, Counter-Attack, Hadopi, SOPA, PIPA, Casterecops, Challenge, Personal, Blackmail, Extortion

Taxonomy & Evolution, 1999, Sub7 / PrettyPark, Connect to an IRC Chnnal, Listen for Malicious Commands, 2000, GTbot, 1998, IRC-Based, - Runs Custom Scripts, Responds to IRC Event(s, Accesses Raw TCP and UDP Sockets, 2002, SDBot, Single Small Binary, Written in C++, Comersialized by Creator, /RxBot//UrBot/UrXBot/JrBot, AgoBot, Squensially delivers payloads via modular staged attacks, 2003, SpyBot, Log Keystores, Mines Data, Send out Spim, rBot, Used Compression & Encryption schemes, Tried to evade detection, Sinit, First p2p botnet, PolyBot, Uses Polymorphism, Bagle, 2004, Bobax, First Spam botnet, SoBig, MyTob, 2004, PhatBot, 2006, Rustock, 2006, Costrat, Send out spam, ZeuS, Stealing banking related and other financial data, 2007, Storm, Spreads via spam, aka NuWar, Specifically atrgets some security vendors/researchers, Used an encrypted implementation that was based on the eDonkey protocol, Cutwail, 2007, Aliases, Pushdo, Pandex, Intigates DDos Attacks, Send out spam, Srizbi, aka Cbeplay, aka Echanger, Send out spam, 2008, Mega-D, SMTP Slightly Modified Based, Ozdoc, Responsible for 30-35% of world's spam, Koobface, Sends out spamp on social networking sites, writes malicious posts on user's walls, Conficker, aka DOWNAD, alternative C&C server per day, ASprox, Send out spam, 2009, BredoLab, Waledac, 2010, TDSS, Armageddon, Artro, Aurora, BlackEnergy, Carberp, ClickBot, DSNX Bots, Donbot, DopeBot, EggDrop, 1993, IRC-Based, Festi, Forbot, Gaobot, Gheg, Gozi, Grum, Tedroo, Hodprot, Kaiten, Kelihos, Kraken, Lurk, Lethic, Maazben, MayDay, NuCrypt, Perl Based bots, Phatbot, Ponmocup, Q8 Bots, Qhost, Sality, Shiz, Spamthru, Spy.Ranbyus, SpyEye, SpyRanbus, Waledac, Xarvester, XtremBot, odprot, Pony, Andromeda

Terminology, Bot Master, Bot, Botnet Army, Bot Binary, Command and Control, C&C Channel, C&C Server, Push, Pull, C&C Infrastructure, Centralized, Distributed, Unstructured

Topology, Star, Multi-server, Hierrarchical, Random

Usage, Legetimate, Web crawler, Game Managing, Managing Databases, Maintaining access lists, Protect Channel, Carry out Conversations, Malicious, BitCoin, Log Keystores, Taking screen shots / Video CAM, Browser Hijacking, Sniffing Traffic, Online Fraud, Abused Click-Fraud, Online Banking Fraud, Theft of Electronic Funds, Fishing, Cashing, Host Illegal Data, Spam/Spamdexing, Spam, Pharma and conterfeits, Fake Software, Nigerian Scam .., Information Theft, Login IDs, Passwords, Clipboard content, Email addresses, Digital certtidicates, Auto-complete fileds, Identities, SSN, Applications License, Credit Card Numbers, Sensitive Information, Corporate Financials, Source Code Infection, Spread new malwares, FakeAVs, Adwares, Ransomewares, Disabling Existing Security, Selling infected Computers, Access Number Replacement, Manipulating Online Polls/Games, Using multiple identities such as multiple player at the same poker table and voting system such as music clip and contest., DDoS (Distributed Denial of Service), ICMP Flood, UDP Flood, Steam of TCP requests, Slowloris, HTTP Flood, Buy/Rent out the service of the bot to third parties, Trade Bandwidth of high speed bots / Sale of Traffic, Act as a proxy server to conceal the attacker's identity / provide anonymity, generic port redirection, HTTP Proxy, Socks Proxy, IRC Bounce, Brute-forcing Remote Machines/Distributed Password Cracking (Computing Power / Scurmping), FTP, SMPT, SSH, ..., Gov CYber aTTACK, Sold on the black market !, Sale of traffic, Sale of exploits, Sale of loaders, Anonymization, Result, Loss of revenue ;, Regulatory Compliance ;, Customer Evidence ;, Reputation ;, And even the business itself.

Browser Hijackers



Browser Helper Object Malicious Plugins



Malicious code that exists only to download other mali-cious code. Downloaders are commonly installed by attackers when they first gain access to a system. The downloader program will download and install additional malicious code.




Exploit Kits




Hoaxes: Chain Letters

Joke Programs

Kits (Virus Generators)

Logic Bombs

Potential Unwanted Program

Installing via, Web Banners, Google Sponsored Links, Fake VLC/Activix Plugins, VLC Plugins in Steaming

How it works ?, SMS Rip-Off, Repack GNU Free Software, Add Affiliate Program (Toolbars)

To Clean, HijackThis, Submit Report to PPoint, Configure your AV to block PUP, AdwCleaner

Some examples, Babylon Toolbar, Boxore, Complitly, Ezlooker, Eorezo, Incredimail Toolbar, SweetIM / SweetPack, Searchqu / Searchnu, Savings / SideKick, PCTuto / Tuto4PC, Wagram, Yontoo

Download from Trusted Sources : Clubic /


Malware designed to frighten aninfected user into buying something. It usually has a user interface that makes it look like an anti-virus or other security program. It informs users that there is malicious code on their system and that the only way to get rid of it is to buy their “software,” when in reality, the software it’s selling does nothing more than remove the scareware.


MBR Lockers

Exemples, Gimemo, Reveton, Tobfy, Lock Em All


Shadow Walker, NTIllusion, NT Rootkit, and Hacker Defender are popular and widely used, other user mode rootkits exist, such as AFX. Malicious code designed to conceal the existence of other code. Rootkits are usually paired withother malware, such as a backdoor, to allow remote access to the attacker and make the code difficult for the victim to detect. A rootkit is a set of programs and code that allows a permanent and undetectable presence on a computer. The ability to hide files, directories, drivers, processes, and registry entries are likely to be requirements of your rootkit.  and config files.  


Loading a driver, Using an undocumented API, The only time when this loading method is really safe is when it's specifically designed around the paging problem., Using the Service Control Manager, When a driver is loaded using the SCM, it is non-pageable. This means your callback functions, IRP-handling functions, and other important code will not vanish from memory, be paged out, or cause Blue Screens of Death. This is a Good Thing.

Surviving Reboot, Using the run key ("old reliable"), Using a Trojan or infected file, Using .ini files, Registering as a driver, Registering as an add-on to an existing application, Modifying the on-disk kernel, Modifying the boot-loader

API-Hooking, IAT-Hooking, asy to discover these types of hooks. On the other hand, hooks like these are used frequently, even by the operating system itself in a process called DLL forwarding. Even if someone is trying to detect a rootkit hook, determining what is a benign hook as opposed to a malicious hook is difficult., Another problem with this technique has to do with the binding time. Some applications do late-demand binding. With late-demand binding, function addresses are not resolved until the function is called. This reduces the amount of memory the application will use. These functions may not have addresses in the IAT when your rootkit attempts to hook them. Also, if the application uses LoadLibrary and GetProcAddress to find the addresses of functions, your IAT hook will not work.

Kernel Hooks, As a general rule, processes cannot access kernel memory. The exception to this rule is when a process has debug privileges and goes through certain debugging APIs, or when a call gate has been installed. We will not cover these exceptions here. For more information on call gates refer to the Intel Architecture Manuals.[4]

Code / DLL Injection into a userland process, The code cave method

The Problem with Hooking, There are anti-rootkit applications that can rebuild the system call table. This can be done by reinitializing kernel memory from the original file, ntoskrnl.exe., If the system call table is rebuilt after your rootkit is installed, all hooks will be lost., To prevent this possibility, newer rootkits follow the table entries to the actual functions and patch the functions themselves to jump to their respective rootkit routines. This technique is called trampolining

Virtual Rootkit ( ring 1), BluePill (supports AMD-V and recently VT-X) SubVirt (supports VT-X) VM aware malwares. (Not a root kit, but related.)

Scareware (Rogue) or (Blackmailwaire)

Antimalware Doctor

Spyware Guard 2009

Security Suite

HDD Defragmenter

Security essentials 2011

Advanced Virus Remover

type, System Defragmenter, Anti-Spyware

Infected Users need to send a text call to get a valid serial number to remove the Trojan.

Displays a lot of warning messages, change the desktop background, detects fake infections and blocks softwares execution. It comes from fake online scanners, malicious porn sites, fake cracks and exploits.

Windows Problems Protector is a fake security application from the same family as: Windows Problems Remover, Windows Health Center, Windows Shield Center, Windows Antispyware Solution, Windows Risk Eliminator, Windows Universal Tool, Windows Utility Tool, Windows Security & Control, Windows Optimization & Security, Windows System Optimizator, Windows Optimization Center, Privacy Corrector, Privacy Guard 2010.

A new version of the multi-rogue scareware has been released. This malware is looking for the OS version (XP, Vista, Seven) and changes its name and skin: XP Anti-Spyware, XP Home Security 2011, XP Anti-Virus 2011 (...). It belongs to the Braviax family. As usual it displays fake warning messages to push users into buying a license.

WindowsTool is a fake Defragmenter tool (rogue) from the same family as: WinScan, Disk Recovery, WinDisk, Windows Disk, Windows Scan, Memory Optimizer, Disk Optimizer, Good Memory, Fast Disk, Disk OK, My Disk, Memory Fixer, HDD Fix, HDD Low, Scanner, Disk Repair, Defragmenter, HDD Tools, Smart HDD, HDD Rescue, HDD Plus, HDDDiagnostic, Hard Drive Diagnostic, HDD Scan, Win Defragmenter, Win Defrag, Win HDD, Check Disk, Ultra Defragger, Quick Defragmenter, HDD Defragmenter, System Defragmenter

Malware will modify the registry key for go into safe mode on the next reboot, and will queue your antivirus for unistallation.

Spammer Programs

Malware that infects a user’s machine and then uses that machine to send spam. This malware generates income for attackers by allowing them tosell spam-sending services.

Mail Bombers

How it works?, Bullet proof Servers, Hacked servers, Botnets, The bot received the template of the spam message, Mailing list, Webmails, Gmail, Hotmail, ...

Anti Spam, SpamPal Spamihilator SpamFighter, PharmaIncome, Drugstore


Trojan Horses

Backdoors (Trapdoors)

Password-Stealing Trojans (PWS)

Banking Trojans


CodeRed SQLSlammer

Mailers and Mass-Mailer Worms



Malware often spans multiple categories. For example, a program might have a keylogger that collects passwords and a worm component that sends spam. Don’t get too caught up inclassifying malware according to its functionality.

Malware Analysis

What is Malware Analysis ?

The action of taking the malware apart to study it in a Malware Laboratory

What is a Malware Lab ?

Controlled Environnement, All the information must be recorded for later usage

Isolmated, The malware must not be allowed to contact with any external source , but…

Full Simulated, The laboratory must provide all the resources needed by the malware

Why Malware Analysis ?

Analysis of unknown/suscpious files

Public information from antivirus & Security Companies is not complete

Private information about the malware required an expensive paid service

To determine the sophistication level of the malware author

To identify the intruder or insider that is responsible for installing the malware

Questions broken down into, Business, What is the purpose of the malware ?, How did it get here ?, Who is targetting us and how good are they ?, It is a customized malware that target small/particular organization ?, What are the risks and the consequences ?, What did they steal ?, How can I get rid of it ?, How long has it been here ?, Does it spread on its own ? How does the malware propagate ?, How can I find it in other machines ?, How can you make sure I've deleted the entire malware package and not just one part of it?, How do I prevent this from happening in the in the futur ?, If you were a virus writer, how might you improve it ?, Technicals, What are the network-based indicators that reveal the precense and activity of the malware ?, What are the host-based indicators that reveal the precense and activity of the malware ?, Is it based on any other well-known tool ?, Is it persistent ? If so, what mechanism does it use to ensure that it keeps running after a machine is rebooted ?, What affects does the malware on the Windows Registry ?, Does the malware create/tamper any files?, If so, what are the filenames and where are these files located on the file Windows file system?, What do you think these files might be used for?, When was the program written, compiled, and installed ?, What languages was used to write the program ?, Is it packed ? What packer was used ? It is a customized or a well-known packer ?, Does it have any anti-reverse engineering functionality ?, Does it include any rootkit/worm/trojan functionality ?, What was the vulnerabilities that was exploited to allow the malware to get there in the first place, How did it get here ?, or, to learn and have fun

How can we get the malware ?

acquisition of samples from sandboxed machines working in a honeypot samples sent in via customers either automatically or manually samples acquired from third parties including competing vendors

From Online Sandboxes & Anti virus


From honeypots, Recovered from complete machines, Automated capture systems., Nepenthes,, Vulnerable service simulation (Ex: MS-RPC), ...and the good news are...,  Do NOT execute the buffer overflow code,  Parse the attack and simulate an infected system,  Download and store those interesting payloads, Untitled

Received from another CSIRT or group

From our costumer, when handling an incident

Lab Elements

Victim machines, In which the malware can be run., OS-Unpached, Firewall/AV disabled, Applications unpatched (Microsoft Office, Browser, ...), Consider leaving some intentional traces of normal usage, such as browsing history, cookies, documents, images etc. If a malware is designed to operate, manipulate or steal such files you’ll be able to notice it.

Support Tools for building the lab, VMTools-like

Analysis Tools, that can be used to analyze the malware, Static Analysis Tools, Pros, Getting a complete image of the code, Modern tools are available, Do not require an extensive programming or reverse engineering background, Cons, Need special skills/knowledge, Time Consuming, Code obfuscation and anti-analysis may make the task complicated, involves examining the malware without running it., Dynamic Analysis Tools, Pros, Complimentary to static analysis, Vision pas à pas de l'exécution, Cons, Need special skills/knowledge, Anti-analysis may delay the analysis, involves running the malware, Remote Analysis Tools, Outside the lab, public or private service providing automatic analysis of the files, Pros, Fast analysis of the file, Most of them keep the information for later referral., Cons,  Moving to pay services,  Sometimes don’t provide the required information,  Malware can detect some of the systems, Example,, Analyze a file against a battery of antivirus., • Don't perform any analysis of the file, • Detection rate varies due to encryption techniques used to avoid antivirus, Most malware is encrypted / packed to, avoid analysis.,  UPX,,  Not possible to direclty perfom analysis based, on pattern matching .,  Cryptographic checksum (MD5, SHA1, fails), • Malware change every few hours,  Need to recover all the files and analyze it., Norman Sandbox, Two level model.,  Free, small report by email.,  Paid service: detailed information, How this tools works ?, se a virtual machine to execute the, malware.,  Perform automatic check,  Windows registry,  File system changes,  Network activity,  DLL hoocks,  Replace operating system API,  Malware calls the API,  The new dll log the call and execute the windows, AP, Anubis, File Exploration Tools, Extraction simple de beaucoup d’informations –Les auteurs de malware cachent rarement toutes leurs traces., Ne fonctionne pas si camouflage

Network Simulation, Internet connection, DNS server, DHCP server, IRC server, SMTP server, Proxy, Web server, • Use a free address range, We can configure a linux/Unix box that,  Accept traffic like a router,  Respond to the DNS queries,  Accept traffic to some services

How many machines do we need for our lab ?, Hardware is not only expense, but, Difficult to maintain, Too much space .., Virtualization software can be used to reduce this cost., Run different virtual machines at the same time, Run unmodified version of most operating system, Provide configurable resources, advanced disaster recovery, and isolation., Allow to have different, isolated networks for the machines, Machines can be connected to the real interfaces, Examples, VMware, is the most used, Workstation , you can build the lab in your, own laptop, or deskop , but requiere a, licence.,  Server , free , you can install the lab in a, remote machine and handle the binaries, remotely., Parallels, VirtualBox, Microsoft Virtual PC, Xen, ..., But ...., Your virtualisation software is not perfect, and may allow information to leak from the virtual machine to your host machine in a way you didn't expect, Malware is incorporing code to detect virtualization environment and may modify its behavior, Check for some special drivers, Check for some special devices, Sometimes we need to try with another virtualization software or use real machines or use real machines connected to the virtual lab, Or, if you have a budget, Use Norton Ghost for quickly restoring system images or any re-imaging machines softwares, Updcast, Truman, CoreProtect Card

Lab hardware

Intel based:

• Machine with

 Memory for running three virtual machines


 Network interfaces

 Disk space for storing virtual machines ~


• Additional hardware/software

 Emulator of other hardware

 Real machines

Only two machines:

 One to simulate the net

 Another to execute & analyze the tool

Subtopic 14, Windows machine, Unpatched Windows machine.,  To execute the malware,  To analyze the malware, Tools installed in the machine, Regshot,,  LordPE,,  Binhex , from foundstone tools,  Ollydbg ,,,  Idapro ,

Build the lab

Caution before executing the malware

Check that all the machines are in the correct network

Check that the lab is not connected to any other network.

Check that you are executing the malware in the correct machine

Malware Analysis Methodology/Process

Preparation, File Fingerprinting / Hashing, Filtering (AntiVirus Scanning), Online Sandbox Services, Weeding, Quick Examination of Virus Code, Inside the PE format (header/functions/IAT), String Dump, Packer Detection, Crypto Routines, Disassembling, Black-Boxing

Unpacking, How do you know if a file is packed, no import table, sometime, in the start function, there are some xor eax, eax, no strings, a big portion of code is inside .data section, high entropy, The general way by using ESP registerHD BP on ESP register change, OllyDBG SFX Features, BP on access on the code section of the program., Tracing the program till Retn / jmp, Exceptions generated by the packer, File is packed? moddify the JMP to OEP to our own code ( code cave), patch the target, then jmp back to OEP < Inline Patching, POSHAD/POPAD method, Always verifi base of code and base of data after unpacking, so OLly won't caplain with EP outside code section, insert unexisting addresses to distract the reverse ( IAT rebuilding), To unpack it, the easier way is to put a breakpoint on WriteProcessMemory. At this breakpoint, the packer writes the unpacked binary in a new process., Most Visual Basic packers are packers on the “heap”, so we can directly recover the binary by setting breakpoints on functions like VirtualAllocEx and WriteProcessMemory,, Also LoadLibrary, LocalFree, Packers Theory, The Imports Table has been removed, the packer saves only (in a secure place) the hashes of the API names and their addresses at the IAT., The algorithm is well obfuscated and has lots of anti-debug, anti-trace..., The packer doesn’t use GetProcAddress. Instead, it implements its own algorithm to find the APIs at the exports table of the DLLs., The IAT has been redirected, Packers Theory 2, PE Packers compress the PE sections or some other data using some compression algorithms like LZMA ,LZSS,APLIB etc. So to before the running the actual malicious code the packer would, 1)Decompress the compressed code: To do this usually it allocates some space using VirtualAlloc(), VirtualAllocEx, ZwAllocateVirtualMemory().Then it will decompress the data to the allocated memory., 2)Fixes the imports: The imports are fixed so the malware can use the imported API’s . To resolve the import addresses it will use the API’ GetProcAddress() LoadLibrary() or dynamically with PEB_LDR_DATA strucuture., 3)Jump to OEP: Finally jumps to the OEP where the the actual malware code begins. Many malwares use multilevel packers., How to unpack, We can set breakpoint on VirtualAlloc() first then after the breakpoint is hit we can remove the breakpoint on VirtualAlloc() and set breakpoint GetProcAddress(). We see that GetProcAddress() would be called repetedly in the loop. This loop is used to resolve all the API’s in the dll. We bypass the loop after that continue debugging. After few lines of codes we will reach the OEP.

Disassembling and Decryption

Dynamic Analysis Techniques, File-change monitoring, Goat file-based analysis, Registry change tracking, Process and thread monitoring, CPU in use, Memory in use, Drivers/DLLs used, Network port monitoring, Network sniffing and capturing, NetBIOS, NetStat, System call tracing, Debugging, Code emulation

Automation ?, Processus manuel, fastidieux, erreurs possibles, Scripts –Reboot / Snapshots automatisés:

You don't have to follow the process as it is. Most are done because of either lack of time, skills or understanding of how to reverse malware. Some may think, why reinvent the wheel? This is all OK.

Note down your finding so you will be able to see trends or recognize similar behaviors of samples that could help in reversing future samples that exhibit similar characteristics.

Methodology of Reverse Engineering Code, Do always some investigation about the app you're reversing : EXE/DLLs + Configuration Files, Compiler, Call Stack, RET TO DISASSASEMBMER, Stack Window / Pane Window, Ressource Identifiers, Search for commands -> Push (ID number), Magic Byte / Half Byte, BP Particular APIs, KillTimer (), RegQueryKey (), GetLastError (), GetDlgItemText (), ....., Find references to @ contstant, Esthetical Patching, Protections, Server Check, KeyFile, Registry Key, Time Limit, Keygenning Routines, ADD, SUB, ROR, ROL, SHL, SHR, XOR, OR, AND, NOT, BTSWAP, MODULO, SIGMA, Simple Ciphers: Ceaser, Base64, .., Standard Ciphers, Custom Encodin Algos, Insert / replace a char between a stringcode, Generate a stringcode and use it somewhere, Algo/Math tricks: NUmber THeory, Prefect Numbers, FPU instructions : Arctan, sin, cos, puissance, ..., PI, Equations, GetComputerName() / GetLocalTime ()

Done ?

Malware Analysis Report

Supporting Figures, Logs, Strings, Function listings, Screenshots

Observations, Behavioral analysis, Static code analysis, Dynamic code analysis, Memory analysis

Dependencies, Targeted Archiecture / OS, Targeted Format, Patch level, Required libraries, Configuration files, Scripts and executables, URLs

Sample's Characteristics, Infection capabilities, Self-preservation capacity, Spreading mechanics, Payload, Data leakage abilities, Performance degradation, Destruction of personal data to bot infection,, Remote attacker interactions

Sample's Identification, File name, type, size, File hashes, Anti-virus identifiers

Summary of the analysis, Key observations, Recommendations, Limitations, Report date and authors

Malware Analysis Tools

General Rules for Malware Analysis

don’t get too caught up in the details. Most malware programs are large and complex, and you can’t possibly understand every detail. Focus instead on the key features. When you run into difficult and complex sec-tions, try to get a general overview before you get stuck in the weeds.

remember that different tools and approaches are available for different jobs. There is no one approach. Every situation is different, and the various tools and techniques that you’lllearn will have similar and sometimes overlapping functionality. If you’re not having luck with one tool, try another. If you get stuck, don’t spend too long on any one issue; move on to some-thing else. Try analyzing the malware from a different angle, or just try a dif-ferent approach.

remember that malware analysisis like a cat-and-mouse game. As new malware analysis techniques are developed, malware authors respond with new techniques to thwart analysis. To succeed as a malware analyst, you must be able to recognize, understand, and defeat these techniques, and respond to changes in the art of malware analysis.

Infection Vectors and Spreading Mechanisms


SPAM / eMail-Attach

Target users with – Fake delivery notices – Fake IRS notices – Fake orders from online retailers


Instant Messaging

MSN Messenger

Yahoo Messenger


Social Networks




Warez/P2P Networks

Cracks, Keygens, .. flagged as maliciours, Users think it's false positives To prevent illegal content, but they are maliciours

Trojan Horses/Backdoors

Drive-by Download/Install

Fake Codecs

Fake ActiviX

Java Applet


Exploits / Exploit Kits

Exploiting One Specific vulnerability / Known multiple Vulnerabilities / 0-days, Browsers, Firefox, Chrome, IE, ..., Software, Java, Adobe, ..., OS, MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise, MS03-026 Buffer Overrun In RPC Interface Could Allow Code Execution, MS04-011 Vulnerabiility in LSASS, MS04_007 Microsoft ASN.1 Library Bitstring Heap Overflow, MS04-045 Vulnerability in WINS Could Allow Remote Code Execution, ms05017-, ms05039, WebDAV, NETBIOS, DCOM, LSAAS, VNC, Exploit-kits, Blackhole, Bleeding Life, BestPack, CritXPack (Previously Vintage Pack), CoolPack, Fiesta, ICEPack, MPack, NeoSploit, Nuclear Pack, PhenixPack, ProPack, RedKit, Sakura, Styx, Sweet Orange, Yang Pack, Anti-crawling, anti-honeyclient, Sweet Orange, Upas

Trusted Products/Services

Cacao web

BlackHat Forums, People who install whatever they asked to, To Earn Income

Profit for famous personalities/events, spread becomes easy

Links in Social Networks / Blogs that leads to Malicious Web Pages

Combined with Social-Engineering Attacks



Forensics 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Security 569: Combating Malware in the Enterprise courses


Rootkits: Subverting the Windows Kernel

Professional Rootkits

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

Hacking Exposed: Malware & Rootkits

The Art of Computer Virus Research and Defense


Malware Database & Repositiries



Some Notes ...

Malware is tricky, and creators of it are trickier. 

Malware can be detected from user PCs / Mail traffic

Click fraud appears to be comparatively easy to manipulate with the further advantage of drawing little attention from law enforcement, unlike banking trojans.


the number of messages sent

the number of bytes-sent

the number of bot members

According to the MSDN, WNet* functions are used to enumerate networks resources and connections.

The most interesting is the import table from MPR.dll.

To sum up: Rob a bank and face a one-in-four or one-in-five chance of doing hard time. Steal someone's identity and your odds of being caught are almost infinitesimal. Consider, too, that identity theft comprises only 9.8 percent of all Internet crime, not including the likes of intellectual property theft. Factor in all Internet crime, and the numbers are likely to be far, far worse -- which is saying a lot.

Why botnets owners stop making money

Because security guys found it, how did they found it ?, maybe coz they advertise it, qomeone leak it, Honeypotd captured the sample and analyzed it, making so much noise, people are complaining about their data

Type of people

Normal Internet USer, Surf Internet, facebook, social network, Listen to music, Watch youtube, Check News, Work in Office, Protection is done by AV chiefly !

Advanced User, Have some CS knowledge, Some Security Background, ScanFiles, Update Antivirus, Remove entries from registre, Protection is done by AV chiefly !

Malware Analyst, Avanced User +, Know how malware infection happen, and how it spreads, Know how to reverse / analyse classical malware but not advanced, He chould manage to delete it from the system if found, Protection is done by User knowledge then AV / IDS come second

Virus Expert, Antivirus Companies, Have advanced tools for monitoring § capuring malwares, Just a question of time to demystify the malicious code and write a desinfector for it !, The knowledge pure & dure !

steal gauss data

Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history. Collecting information about the computer's network connections. Collecting information about processes and folders. Collecting information about BIOS, CMOS RAM. Collecting information about local, network and removable drives. Infecting USB drives with a spy module in order to steal information from other computers. Installing the custom Palida Narrow font (purpose unknown). Ensuring the entire toolkit's loading and operation. Interacting with the command and control server, sending the information collected to it, downloading additional modules.

Defense mechanisms of Malware

Anti-Reversing Tools

Blacklisting some processes, Process Monitor, Process Explorer, Total Commander

Anti-Sandbox / Anti-VM

Generic or Specific

Advapi32.RegOpenKeyExW” API and looks for keys present in “System\ControlSet001\Services\Disk\Enum”. Enum key stores values for the various drives present in the system. The malware checks for the presence of emulators through strings like vmware, vbox, virtual, qemu etc

Advapi32.RegOpenKeyExW” API and looks for keys present in “System\ControlSet001\Services\Disk\Enum”. Enum key stores values for the various drives present in the system. The malware checks for the presence of emulators through strings like vmware, vbox, virtual, qemu etc



Erasing the header


Page Guard

Stolen Bytes

IAT Elimination / API Redirection


Write -> Execute, Some interceptors watch for write-then-exec Executing dummy just-written instruction can fool them Used by ASPack, but probably for multi-processor support

Write^Execute, Change can be detected indirectly Kernel functions return error when writing to read-only pages VirtualQuery() and VirtualProtect() return old page attributes


Interrupt 3


Invalid API parameters


"Modern" CPU instructions

Undocumented instructions

Selector verification

Memory Layout

File Format Tricks, Non-aligned SizeOfImage Windows will silently round up the value Overlapping structures Tools such as IDA have a problem with this Non-standard NumberOfRvaAndSizes SoftICE and OllyDbg have a problem with this Non-aligned SizeOfRawData Windows will silently round up the value Non-aligned PointerToRawData Windows will silently round down the value No section table Allowed when SectionAlignment is less than 4kb Header becomes writable and executable


Hardware Breakpoint, Context Structure

Memory Breakpoints

Software Breakpoints


Self-Checking / Self-Validation or Integrity checking : CRC, Static : Verity only on startup, Dynamic : Repeatedly verifies its integrity as it is running

rolling checksum, CRC32, md5, sha1, adler, md4



Heap Flags




Debug Objects, NtQueryInformationProcess(), ProcessDebugObjectHandle class, ProcessDebugFlags class, SystemKernelDebuggerInformation class (kernel), NtQueryObject (kernel)

Thread hiding, NtSetInformationThread(), HideThreadFromDebugger class

OpenProcess() & SeDebugPrivilege




UnhandledExceptionFilter(), SetUnhandledExceptionFilter ()



Guard pages / CopyMem2

Multi-Threads Packing

Heap Flags

Alternative Desktop

Prefetch queue

Execution timing, GetTickAccount, TimeGetTime() or QueryPerformanceCounter(), RDTSC

Instruction counting, Count Hardware Breakpoint

Parent Process

Exceptions, Move EIP around

Header Entrypoint


Process Name, CreateToolhelp32Snapshot, Process32First/Next



TLS Callback


Device Names, SoftIce, Filemon, Regmon, Product and copyright strings can be compared to "watch list"


Soft-ICE Specific, Interrupt 1 is normally not invokable from ring 3 SoftICE hooks interrupt 1 and allows ring 3 access So wrong exception when SoftICE is running Used by SafeDisc

OllyDbg Specific, Cannot handle unusual NumberOfRvaAndSizes value Some unchecked fields allow memory allocation DoS Initial ESI register value is -1 on Windows XP Looks like a detection method It's just a coincidence, Passes user-defined data directly to _vsprintf() Leads to DoS condition Debugger window can be found by calling FindWindow("OLLYDBG"), Hide-Debug Specific :Plug-in for OllyDbg Detectable by far jump at OpenProcess()+6, OllyDBG API Redirection,

ImmunityDebug Specific, Based on OllyDbg Shares many of the same vulnerabilities

WinDBG Specific, Debugger window can be found by calling FindWindow("WinDbgFrameClass")

Self-Modifying Code




Garbage/Junk Code Insertion and Permutation

Opaque Predicates are false branches, where the branch appears to be conditional, but is not. For example, if( 1==1) is an unconditional jump, but because of the way decompilers like Olly work, the fact that this is not really a conditional is not known.


hide files, directories, drivers, processes, and registry entries and config files.

Malformed PE Header

Fooling OllyDBG :)

Erase PE header if reversing detected

System FIle Protection Hiding

System Hardening

Bypass, Block, Blacklist or Kill AntiVirus / Firewalls / Desinfinctinf Forums

Dumphive, The Avenger, Gmer, IceSword, ComboFix, SDFix

DDNS - Dynamic DNS Domain Name (Fast Fluxing)

Dynamic DNS services often used : Service which allows changing IP address of a hostnae at will allow attackers to move their c&c servers quicly and easy

Single, Utilisateur d'un ou de plusieurs domaines, Bot : Choix de l'url destination en fonction du type de requete, Changement régulièr des IP associés au nom du domaine (NDS), Utilisatation des machines zombies en Reverse Proxy ( Trasfert des reqêtes de la victime vers le serveur réel), +, Camouflage de l'IP du serveur réél, -, @ du serveur de noms compromis

Double, +, disponibilité quasi optimale, résiste à l'arrêt d'un serveur DNS

Double évolué, Botnets run own DNS service to resolve the C&C servers., Use high port numbers to avoid detection by security devices and gateways

Managed malware crypting services

Quality Assurance

Cybercriminals aren't solppy about their work !

windows native API in NTDLL.DLL and NTFS ADSs, Alternate Data Streams. Malware will frequently  abuse these rather helpful tools to keep itself from being discovered. 

DDos Whos Studying it

Quality Assurance

Server side polymorphism

File Extension Manipulation / Double Extention

Ghost RAT

Rallying mechanisms

Hard-Coded IP address, The bot communicates using C&C ip addresses that are hard-coded in it’s binary files., Easy to defend against, as ip addresses are easily detectable and blocked, which makes the bot useless.

Dynamic DNS Domain Name, - Hard-coded C&C domains assigned by dynamical DNS providers. - Detection harder when botmaster randomly changes the location - Easier to resume attack with new, unblocked Domain Name - If connection fails the bot performs DNS queries to obtain the new C&C address for redirection.

Distributed DNS Service, Hardest to detect & destroy. Newest mechanism. Sophisticated. Botnets run own DNS service out of reach of authorities Bots use the DNS addresses to resolve the C&C servers Use high port numbers to avoid detection by security devices and gateways

Modification du système (changeùment de regle de filtrage réseau, désactivation d'outils de sécurité.

To evade signature-based detection systems, it appends some randomly generated bytes to the end of the file.

Double Checks in separate places / on each startup

Do-it-yourself malwares cryptors

Hijack HOSTS file to point to the local host120.0.0.1

Delete SafeBoot Key to make access to the Safe Mode impossible

Disable CMD / Regedit / TaskManager / SystemRestore

Hide Folder Options in the explorer Menu to prevent show hidden files

Hook Mouse event to check if it is an automated system

SLeep for evading automated systems : NtDelayExecution() or SLeepEx ()

In order to hide itself, the bot duplicates the Modification, Access, and Creation times (MAC times) information from Ntdll.dll library, and applies them to the sdra64.exe. The intent of this is to make sdra64.exe appears to be a system file that has been around since Windows was first installed

In another level of hiding the created file, it sets the sdra64.exe file attributes to system and hidden, so that the user cannot see the file using the standard file explorer

Anti Cracking

Checks for good or bad serial should be as much far as possible

malware drop another malware than load VBS script from its ressources then inject it to another process

Throw BSOD

Known malwares techniques

persistence to reboot

adding an entry to the well-known "Run key" in the user's registry base, or creating a Windows service if the necessary privileges are available. Malware can also use Scheduled Tasks, Winlogon, AppInit, ActiveSetup