2012 preiskovanje škodljive kode

Preiskovanje škodljive kode

[email protected]

mailto:[email protected]

ZAKAJ?

KAKO?

• Statična analiza– antivirus– strings– PE struktura• header• sekcije

– dissasembler

• Dinamična analiza– sandbox– zagon v varnem okolju– razhroščevalnik

Foto: Ampelmann, Loozrboy@Flickr

NASLEDNJA PROSOJNICA JE NAMENOMA V

CELOTI BELA

Compilation timedatestamp.....: 2012-10-03 12:11:18Target machine................: 0x14C (Intel 386 or later processors and compatible processors)Entry point address...........: 0x00001240

PE Sections...................:Name Virtual Address Virtual Size Raw Size Entropy MD5.text 4096 10516 10752 5.91 4312d7434a3372946eba33c28fb873b0.data 16384 288 512 2.09 bfb575c0474c82e26c00f249045d7c0d.rdata 20480 7744 8192 5.38 07de6b1763094129fea2aba5c5d4330b.bss 28672 512 0 0.00 d41d8cd98f00b204e9800998ecf8427e.idata 32768 2196 2560 3.94 dafc70a44d21553fd67800c431676326aqylxyp 36864 4096 512 0.00 bf619eac0cdf3f68d496ea9344137e8baqylxyp 40960 8192 6144 5.29 492ef1fa20f3508b61318ebd41b5649bemtbmpa 49152 40960 38400 7.80 b67ff3c94dfdbb663f91c5c3d8cda9aaqdoevxg 90112 4096 512 0.00 bf619eac0cdf3f68d496ea9344137e8b

PE Imports....................:[[KERNEL32.dll]]GetAtomNameA, GetFileSize, AddAtomA, WriteFile, ReadFile, SetUnhandledExceptionFilter, FindAtomA, ExitProcess, CloseHandle, CreateFileA, SetFilePointer, GetModuleFileNameA, VirtualAlloc, GetModuleHandleA[[msvcrt.dll]]_cexit, __p__fmode, malloc, __p__environ, signal, free, _onexit, atexit, abort, _setmode, __getmainargs, fprintf, fflush, _iob, strcmp, __set_app_type[[ws2_32.dll]]listen, htonl, WSAConnect, getpeername, ntohl, inet_addr, getprotobyname, ioctlsocket, gethostbyname, ntohs, getsockname, inet_ntoa, htons, recv, gethostbyaddr, getsockopt[[comctl32.dll]]CreateToolbarEx, ShowHideMenuCtl, DrawInsert, MenuHelp, CreateUpDownControl, MakeDragList, DestroyPropertySheetPage, InitCommonControls, CreateStatusWindowA, CreateMappedBitmap, GetEffectiveClientRect, CreatePropertySheetPageA, ImageList_Add, DrawStatusTextA

Category: Write

Process Name: svchost.exe, PID 148Operation: CreateFilePath: "C:\Documents and Settings\tt\Application Data\msconfig.dat"

Process Name: svchost.exe, PID 148Operation: WriteFilePath: "C:\Documents and Settings\tt\Application Data\msconfig.dat"

Process_Name: svchost.exe, PID 148 Operation: RegSetValuePath: "HKU\...\Windows NT\CurrentVersion\Winlogon\shell„Details: "C:\Documents and Settings\tt\Application Data\msconfig.dat“

Operation: Process Create

Process_Name: Explorer.EXE, PID: 1848Path: C:\users\...\ttvke9443gcw8q7l.exeDetail: PID: 680, Command line: "C:\users\...\ttvke9443gcw8q7l.exe"

Process_Name: ttvke9443gcw8q7l.exe, PID: 680Path: C:\users\...\ttvke9443gcw8q7l.exeDetail: PID: 1124, Command line: "C:\users\...\ttvke9443gcw8q7l.exe"

Process_Name: ttvke9443gcw8q7l.exe, PID 1124Path: C:\WINDOWS\explorer.exeDetail: PID: 2012, Command line: "C:\WINDOWS\explorer.exe"

Process_Name: Explorer.EXE, PID: 1848Path: C:\WINDOWS\system32\svchost.exeDetail: PID: 148, Command line: "C:\WINDOWS\system32\svchost.exe";

1. CreateProcess(…,CREATE_SUSPENDED,…)2. ZwUnmapViewOfSection()3. VirtualAllocEx()4. WriteProcessMemory()5. ResumeThread()

Operation: Process Create

Process_Name: Explorer.EXE, PID: 1848Path: C:\users\...\ttvke9443gcw8q7l.exeDetail: PID: 680, Command line: "C:\users\...\ttvke9443gcw8q7l.exe"

Process_Name: ttvke9443gcw8q7l.exe, PID: 680Path: C:\users\...\ttvke9443gcw8q7l.exeDetail: PID: 1124, Command line: "C:\users\...\ttvke9443gcw8q7l.exe"

Process_Name: ttvke9443gcw8q7l.exe, PID 1124Path: C:\WINDOWS\explorer.exeDetail: PID: 2012, Command line: "C:\WINDOWS\explorer.exe"

Process_Name: Explorer.EXE, PID: 1848Path: C:\WINDOWS\system32\svchost.exeDetail: PID: 148, Command line: "C:\WINDOWS\system32\svchost.exe";

2012 preiskovanje škodljive kode

Technology