Disassembly Practice

skip navigation

honeypots for windows
Chapter 12 - Malware Code Analysis
Honeypots for Windows
by Roger A. Grimes
Apress 2005
progress indicator progress indicatorprogress indicator progress indicator

Practice makes perfect. Begin with code assemblies that other programmers have analyzed. That way, you can compare your work against what other people have found. Analyze different types of code with different attack vectors to begin to see the various types of tricks that can be played. I often find an interesting malware program described on an antivirus site, and then I use a search engine to see if I can locate a copy of the actual malware program. Usually, the antivirus site has enough information about the program to give me an idea of what to begin looking for.

Develop an analysis rhythm that works for you. For me, I start code behavior analysis before the disassembly. Here are my steps:

  1. Execute the program on a test machine and monitor the system using Filemon, Regmon, Port Explorer, and a network sniffer.

  2. Run the Strings.exe program against it.

  3. Record what I find.

  4. Disassemble the program using IDA Pro.

  5. Look for what APIs are present.

  6. Print out the API routines found.

  7. Print out a logic map of what jumps go where.

  8. Read the auto-comments that IDA Pro inserted.

  9. Start methodically stepping through the code.

Using this procedure, I’ve been fairly successful at analyzing malicious code. Where I personally bow out in code analysis is when the code is encrypted, polymorphic, or uses antidebugging techniques. I rely on my professional friends in the antivirus industry for their expertise.

Code disassembly is either something you love or you find boring. For those willing to exert the effort, the payoff can be tremendously exciting. For instance, days before the MS-Blaster worm went off infecting Windows machines around the world, I found an early copy of it on a client’s computer. The early version in my possession has significantly more functionality than the version reported in the wild. My copy has all sorts of stealth techniques and search capabilities. Although maybe it’s a geek thing, I enjoy knowing that I have an early prototype of the worm that most people don’t have.

I’ve also used disassembly to track hackers and to trace them back to their country of origin, and even to their hacker group. Different country’s coders often program in different ways, and I can often spot the difference in coding. Sometimes it is because programmers from the same country learn programming from the same university, and other times it is because they belong to the same malware-writing clubs.

For many honeypot administrators, capturing unique malware and recording brand-new hacker techniques is the best part of the experience. The honeypot is a means to an end.

progress indicator progress indicatorprogress indicator progress indicator


Honeypots for Windows
Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
EAN: 2147483647
Year: 2006
Pages: 119

Similar book on Amazon
Honeypots: Tracking Hackers
Honeypots: Tracking Hackers
Know Your Enemy: Learning about Security Threats (2nd Edition)
Know Your Enemy: Learning about Security Threats (2nd Edition)
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net