Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

Welcome to the Intro to Malware Analysis and Reverse Engineering – III class. This class begins by pointing you to several sources of malware analysis available on various websites and blogs; these can be used to analyze specific malware and build your expertise in the area. Additionally, you can create your own malware using builders, or catch your own malware using a honeypot. Certain malware is triggered when it is scanned, when it is extracted from an archive, or when its icon is viewed (a Word, PDF, or system icon). You'll also learn about hash collisions and why the industry is adopting SHA-256 over MD5. We'll also cover how to inspect the malware file from the command line rather than by viewing its icon. And finally, there are two recommended learning resources that will help you build expertise in the area: Practical Malware Analysis by Michael Sikorski and Andrew Honig, and Virus Research and Defense by Peter Szor.
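The command-line-only triage the description mentions (hex dump of the top of the file, strings, MD5 and SHA-256, and a check for the MZ/PE structure) as an added example, not code from the course or its instructor. It assumes POSIX sh with coreutils (od, head, md5sum, sha256sum) and builds its own constructed stand-in for a PE file, so it runs offline without any real sample.

```shell
#!/bin/sh
# Added example: triage a suspected sample entirely from the shell, so the file is
# never rendered by a file browser and its icon is never drawn.
# Assumes POSIX sh plus coreutils (od, head, md5sum, sha256sum).

# Constructed stand-in for a PE file: 'MZ', e_lfanew = 0x80 at offset 0x3c, the
# familiar DOS stub string, then the 'PE\0\0' signature at offset 0x80.
# It is not a runnable program, only enough structure to exercise the checks below.
make_sample() {
  {
    printf 'MZ'; head -c 58 /dev/zero
    printf '\200\000\000\000'                       # e_lfanew = 0x00000080, little-endian
    printf 'This program cannot be run in DOS mode.'; head -c 25 /dev/zero
    printf 'PE\000\000'
  } > "$1"
}

# Read e_lfanew (4 bytes, little-endian, at offset 0x3c) and print it in decimal.
pe_signature_offset() {
  set -- $(od -An -tx1 -j 60 -N 4 "$1" 2>/dev/null)
  [ $# -eq 4 ] || return 1
  echo $((0x$4$3$2$1))
}

# Return 0 when the file starts with 'MZ' and has 'PE' where e_lfanew points,
# i.e. the MZ header / DOS stub / PE header sequence seen in a hex dump.
is_pe() {
  [ "$(head -c 2 "$1")" = "MZ" ] || return 1
  off=$(pe_signature_offset "$1") || return 1
  sig=$(od -An -c -j "$off" -N 2 "$1" 2>/dev/null | tr -d ' \n')
  [ "$sig" = "PE" ]
}

# Both digests: MD5 to match existing reports, SHA-256 because MD5 collisions exist.
md5_of()    { md5sum "$1"    | cut -d' ' -f1; }
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Full triage: top of the file as hex, printable strings, both hashes, PE verdict.
triage() {
  od -An -tx1 -N 128 "$1"
  tr -c '[:print:]' '\n' < "$1" | grep -E '.{8,}'   # portable stand-in for strings(1)
  echo "md5:    $(md5_of "$1")"
  echo "sha256: $(sha256_of "$1")"
  if is_pe "$1"; then echo "verdict: PE executable"; else echo "verdict: not a PE"; fi
}

sample=$(mktemp)
make_sample "$sample"
triage "$sample"
rm -f "$sample"
```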

Video Transcription

00:04
If you want to look at some malware, there's plenty of websites where you can get it, and there's many websites like Contagio Dump, VirusShare, or blogs where they will provide analysis. They will say, "Hey, I saw this
00:16
virus do this, it does this interesting thing, blah blah blah," and you can download the malware and try to find that stuff
00:23
by yourself.
00:25
I like VirusShare.
00:27
Um,
00:28
if you really don't like getting your stuff from other people, you can always catch your own: make a honeypot. There is plenty of software out there that we'll cover later, or you can just
00:37
next, next, next, deploy, and
00:40
it'll just catch malware, and
00:42
you can analyze it.
00:43
Um,
00:45
and of course, you can always make your own malware. There's plenty of builders out there, and there's source code out there.
00:52
A few notes for the paranoid people among you, and I'll have this slide at the end of every lecture.
00:58
Uh, some malware can execute upon being scanned by antivirus products. I've seen vulnerabilities in antivirus scanners. They're not infallible.
01:07
Um,
01:08
I've seen malware that will execute as soon as the icon is viewed, like a Word icon or, ah, a PDF icon or even a system icon. In fact, that's how those zero-days that Stuxnet had worked: as soon as the file system,
01:23
uh, recognized
01:26
the icon there,
01:27
it would automatically execute code, which is pretty dangerous, especially for malware analysts, where
01:34
you were just looking at that.
01:37
Now we didn't have an extension on it, but we're still looking at it.
01:41
And I've seen
01:44
where
01:45
extracting the file from the archives, like we did,
01:48
uh, can execute code.
01:51
Um,
01:52
that was a Matthews your day. But know this stuff is out there.
01:57
Uh, not very common, but it's out there, and you should be careful, and we'll learn how to deal with it in a more safe manner in the next video.
02:04
Uh, another note for those people who are paranoid: MD5 is the industry standard right now, but it can be
02:12
manipulated, as in, there are
02:15
MD5 hashes out there for
02:17
benign files, like NIST, the National Institute for Science and Technology. I love them. They keep a database of benign hashes, of known good software hashes.
02:29
Um, but someone could just look at the MD5 of those hashes.
02:34
They could make their malware produce that hash, where it is not the exact
02:40
replica of those bits; it's a file of their own creation, and that's what we call a hash collision.
02:49
And that's bad. We should never have that,
02:53
but it is more common with MD5. I don't think anyone has ever successfully done it for SHA-256,
02:58
and the industry is moving toward SHA-256
03:00
based
03:04
identification. But it's not there yet.
03:07
And
03:08
for those people who are paranoid about viewing icons, we can work
03:14
exclusively in a
03:15
oh
03:17
command line only environment.
03:20
And just to show you that, I'll show you here that
03:24
I have Cygwin open.
03:29
So everything we did
03:32
we can do from the command line
03:35
So
03:37
cygdrive.
03:38
Uh, we could go to
03:42
the C drive. We could go to Users.
03:45
Go on.
03:46
Um,
03:47
that's Tom
03:49
To just autocomplete, I just hit Tab.
03:52
So now I'm in the desktop,
03:53
and here, the first thing we did was we looked at it in a hex editor. So I'd do xxd,
04:00
uh, on the file name,
04:01
and then I will pipe it
04:03
to less, so I can see just the top of the file.
04:09
And here we see it.
04:11
There's the MZ header.
04:14
There is the DOS stub string.
04:16
There is the PE header.
04:18
You'll learn about that in the future,
04:20
but
04:21
we now know it's an executable and not a regular file.
04:25
And
04:26
we can even run strings
04:29
on the file.
04:30
We'll see the same sort of strings.
04:35
Go down to the bottom. We see some,
04:38
uh,
04:39
function names,
04:41
so we know that it can create a file. We know that
04:45
it is looking for another
04:46
module
04:47
by file name. We know it's importing kernel32.dll,
04:51
which is pretty common.
04:55
You know, there's
04:57
parts of it
05:00
where we see the same sort of strings we've seen before. Padding, padding, padding,
05:13
strings.
05:15
Q to exit from less.
05:17
Um,
05:20
we also got the md5sum
05:24
of
05:25
the malware, so we can go ahead and do that.
05:30
md5sum.
05:31
Oh,
05:33
yeah.
05:34
So here is the MD5 hash that we had before.
05:38
We can search VirusTotal for this, all without,
05:42
uh,
05:43
looking at the icon.
05:46
And if we just want to verify that it was executable, we use the file command.
05:53
It will tell us that it is a PE executable
05:57
for Windows
05:58
using the GUI subsystem, the graphics subsystem.
06:04
Excellent.
06:06
So just to recap what we've learned today: we learned
06:11
what the vernacular and terminology is for malware. We learned about different malware types and functionality and how they easily overlap with each other.
06:19
When the overlap happens, we call it a blended threat.
06:23
Um,
06:24
we did a one-minute triage
06:26
with freely available tools. I also showed how to do that from the command line.
06:30
Um,
06:31
where you should go to get samples if you need them. And I will also suggest at the end of every lecture good resources
06:40
if you want to get more into various topics.
06:44
Uh, and this is very biased, but I highly suggest Practical Malware Analysis. It's a big, thick
06:48
book, but
06:50
it is very, very good. They have malware that they give you, and
06:56
they will
06:57
tell you, uh,
07:00
to analyze it
07:00
based on whatever you learned in that chapter,
07:03
and at the back of the book, they will show you their analysis, which you should have seen, what conclusion you should have come to. And that has been an extremely effective learning tool
07:15
for me and many other people. Virus Research and Defense is a classic book that's been around for a while.
07:23
Uh, it's a little dry to read it straight through.
07:26
It's also big, but it's really more meant to be a reference.
07:31
But
07:32
I know most people in my career field, and in your real career, for you
07:39
and in your field as well,
07:43
pretty much all of them have Practical Malware Analysis
07:46
right there on the desk.
07:47
So thank you for watching
07:49
the Introduction to Malware Analysis on Cybrary.
07:54
We hope you have learned a lot, and you'll continue to watch our videos here.
07:59
Uh, how about Thursday?

Instructed By

Sean Pierce
Instructor