Question


You want to identify the purpose of a malware and possible damages that it has done to a computer network, after the executable file is discovered. Explain step-by-step approach that you will follow to reverse engineer the executable file by using static analysis tools. List all the tools that you will use and what type of information you will be able to gather by using that tool.

Solutions

Expert Solution

Answer: As malicious programs become more complex, it becomes increasingly likely that the disassembler fails somehow, or the decompiler produces obfuscated code. So, reversers need more time to understand the disassembled or decompiled code, and this is time during which the malware may be wreaking havoc on a network. Because of this, there has been an increasing focus on dynamic malware analysis. Dynamic malware analysis relies on a closed system (known as a sandbox) to launch the malicious program in a secure environment and simply watch to see what it does.

Reverse engineering tools

  • angr — Platform-agnostic binary analysis framework
  • bamfdetect — Identifies and extracts information from bots and malware
  • BARF — Open source multiplatform Binary Analysis and Reverse engineering Framework.
  • binnavi — Binary analysis IDE for reverse engineering
  • Capstone — Disassembly framework for binary analysis and reversing
  • codebro — Web based code browser with basic code analysis.
  • dnSpy — .NET assembly editor, decompiler and debugger
  • Evan’s Debugger (EDB) — Modular debugger with a Qt GUI
  • Fibratus — Windows kernel exploration and tracing tool
  • GDB — The GNU debugger
  • GEF — GDB Enhanced Features, for exploiters and reverse engineers
  • hackers-grep — Utility to search for strings in PE executables
  • IDA Pro — Windows disassembler and debugger
  • Immunity Debugger — Debugger for malware analysis
  • ltrace — Dynamic analysis tool for Linux executables
  • strace — Dynamic analysis tool for Linux executables
  • objdump — Static analysis tool for Linux binaries
  • OllyDbg — Debugger for Windows executables
  • PANDA — Platform for Architecture-Neutral Dynamic Analysis
  • PEDA — Python Exploit Development Assistance for GDB
  • pestudio — Static analysis tool for Windows executables
  • plasma — Interactive disassembler for x86/ARM/MIPS
  • PPEE (puppy) — PE file inspector.
  • Process Monitor — Advanced monitoring tool for Windows programs
  • Pyew — Python tool for malware analysis
  • Radare2 — Reverse engineering framework
  • ROPMEMU — Framework to analyze, dissect and decompile complex code-reuse attacks
  • SMRT — Sublime Malware Research Tool, a plugin for Sublime Text 3 focused on malware analysis.
  • Triton — A dynamic binary analysis (DBA) framework
  • Udis86 — Disassembler library and tools
  • Vivisect — Python tool for malware analysis
  • x64dbg — Debugger for Windows

Detection

  • AnalyzePE — Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit — Linux rootkit detector.
  • Rootkit Hunter — Detect Linux rootkits.
  • Detect-It-Easy — A program for determining types of files.
  • hashdeep — Compute digest hashes with a variety of algorithms.
  • Loki — Host based scanner for IOCs.
  • MASTIFF — Static analysis framework.
  • MultiScanner — Modular file scanning/analysis framework
  • nsrllookup — A tool for looking up hashes in NIST’s National Software Reference Library database.
  • PEV — A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • totalhash.py — Python script for searching in TotalHash.cymru.com database.
  • TrID — File identifier.
  • YARA — Pattern matching tool for analysts.
  • PEiD to detect packers, Dependency Walker to view dynamically linked functions, Resource Hacker to view the malware's resources, and PEview and FileAlyzer to examine the PE file headers and sections.
  • Anti-virus vendors did not provide much information about this particular trojan, and later examination of virus databases disclosed a lack of documented details regarding the trojan’s capabilities, probably due to its relatively low profile. Since the discussion on the Incidents mailing list in June 2001, the trojan did not seem to catch the public’s eye, and has remained relatively unexplored. However, our interest in this program was rekindled after a recent posting to the mailing list by Pete Schmitt on 10 March 2001 [PS]. His brief description of the trojan that had infected his computer seemed to match the one discussed on the mailing list eight months earlier. Pete also observed that the trojan attempted to connect to an IRC server using the name of “Joe Blow,” which later allowed us to tie this incident to another variant of this trojan. Our research methodology and findings are documented in the following pages.
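The static first pass the question asks for (hashing, string extraction, PE header and section inspection, packer detection) can be scripted in a few dozen lines. The example below is added here and is not part of the answer above or of any of the listed tools: it parses the PE section table by hand, scores each section's entropy, and flags writable-and-executable high-entropy sections the way PEiD or pestudio would hint at a packer. The `build_sample_pe` function is an assumption of this example: it constructs a toy PE32 in memory (not a real sample) so the script runs offline; the `c2.example.invalid` URL inside it is a constructed placeholder.

```python
import hashlib
import math
import re
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000  # PE/COFF spec
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means compressed or encrypted (packer hint)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    table, out = pe_off + 24 + opt_size, []  # section headers follow the optional header
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        raw = pe[f[4]:f[4] + f[3]]  # PointerToRawData, SizeOfRawData
        wx = bool(f[9] & IMAGE_SCN_MEM_WRITE and f[9] & IMAGE_SCN_MEM_EXECUTE)  # Characteristics
        out.append({"name": f[0].rstrip(b"\0").decode(), "entropy": round(shannon_entropy(raw), 2), "wx": wx})
    return out


def triage(pe: bytes) -> dict:
    """Static first pass: file hash, printable strings, per-section entropy, packer hint."""
    sections = parse_sections(pe)
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", pe)]
    return {"sha256": hashlib.sha256(pe).hexdigest(), "sections": sections, "strings": strings,
            "packed_candidate": any(s["entropy"] > 7.0 and s["wx"] for s in sections)}


def build_sample_pe() -> bytes:
    """Constructed toy PE32 (not real malware): plain .text plus a writable+executable high-entropy section."""
    text = b"\x90" * 64 + b"GetProcAddress\0LoadLibraryA\0http://c2.example.invalid/check-in\0" + b"\0" * 400
    blob, chunk = b"", b"seed"
    while len(blob) < 4096: chunk = hashlib.sha256(chunk).digest(); blob += chunk  # deterministic filler
    opt = b"\x0b\x01" + b"\0" * 222  # PE32 magic, rest of the optional header zeroed
    raw0 = 0x40 + 24 + len(opt) + 2 * 40  # first byte after the two section headers
    hdr = lambda name, data, off, ch: struct.pack(SECTION_HDR, name, len(data), 0x1000, len(data), off, 0, 0, 0, 0, ch)
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + opt
            + hdr(b".text", text, raw0, 0x60000020) + hdr(b".UPX0", blob, raw0 + len(text), 0xE0000020)
            + text + blob)
```

Run `triage(open(path, "rb").read())` on a real file to get the same report; the hash goes to nsrllookup or TotalHash, the strings and imports to the analyst, and a packed verdict means unpacking before any disassembly in IDA or radare2.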
