Malware Analysis - Internetwork Security | ECE 4112, Lab Reports of Electrical and Electronics Engineering

Material Type: Lab; Class: Internetwork Security; Subject: Electrical & Computer Engr; University: Georgia Institute of Technology-Main Campus; Term: Spring 2005;

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009

koofers-user-2r1


ECE 4112: Internetwork Security

Lab 1: Malware Analysis

Group Number: ________________
Member Names: _______________________ ___________________________
Date Assigned: April 12, 2005
Date Due: April 28, 2005
Last Edited: April 28, 2005

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: The goal of this lab is to come to a better understanding of viruses and worms by experimenting with them in a safe environment.

Summary: In this lab we will analyze the Beagle.J virus using tools that are freely available to the public.

Background and Theory: Some of the common forms of malware include viruses, worms, Trojan horses, backdoors, rootkits, spyware and adware.

- A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts. A virus usually cannot be transferred to another computer unless the user moves the infected file over to the new computer.

- A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread.

- A Trojan horse (also called Trojan code) is a program that appears to be useful or harmless but contains hidden code designed to exploit or damage the system on which it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function.

- A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer while remaining hidden from casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or a modification to a legitimate program.

- A rootkit is a set of tools used by an intruder after cracking a computer system. These tools help the attacker maintain access to the system and use it for malicious purposes. A rootkit typically hides logins, processes, and logs, and often includes software to intercept data from terminals, network connections, and the keyboard. Many sources count rootkits as Trojan horses.

- Spyware and adware consist of software that gathers and reports information about a computer user without the user's knowledge or consent. These products perform many different functions, including delivering unrequested advertising (pop-up ads in particular), harvesting private information, re-routing page requests to illegally claim commercial site referral fees, and installing stealth phone dialers.

Prelab Questions: None.

Lab Scenario: You will need your hard drive for this lab. For most of the lab you will need a Windows XP virtual machine. If you do not have the virtual machine installed, follow the instructions in Appendix A to create one. First, to be safe, make sure your network cable is unplugged; this ensures your worms do not try to infect another group's machine. Copy the following file from the NAS, Malware Analysis/Windows folder, to your Windows XP virtual machine into a desktop folder “Malware.”

Section 1: Beagle.J a Complete Analysis

If you have not already done so, please unplug the network cable so the worm does not infect other computers in the lab. Beagle.J is a mass-mailing worm: it uses e-mail addresses collected from .wab, .txt, .htm, .html, .dbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .adb and .sht files to distribute infected messages. The Beagle worm arrives as an e-mail attachment. The infected attachment is either a password-protected ZIP file or an executable with a .pif extension. This variant will not spread after 25 April 2004.

Figure 1. BinText output.

As you can see, not much can be deduced from this output, because the file is compressed in some format. To determine how this file is compressed we will use the IDA Pro disassembler. A trial/demo version of this tool can be obtained at http://www.datarescue.com/idabase/index.htm. Obtain the executable file from the NAS server, double-click it and follow the installation steps. After installing, launch the application and click the “Go” button. After the program loads, click File → Open and open the Beagle.exe file. After it disassembles the file, an output similar to the one in Figure 2 should be obtained.

Figure 2. IDA output.

From the output we can see that the file is UPX compressed, so we need to decompress it using the UPX decompressor, available freely at http://www.upx.org/. After unzipping the archive, run the application and decompress the file using the following command (the output and input file names go in the placeholders):

    >upx -d -o <decompressed file> <packed file>

NOTE: For this part the upx executable must be in the same directory where the worm is located. After running the decompressor we are again ready to look at the output file using BinText. Follow the instructions outlined above to open and look at a file using BinText. At this point, if everything worked out right, an output similar to the one in Figure 3 should appear.
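The packer check that IDA's segment list gives you in Figure 2 can also be scripted. The following is an added example, not part of the lab or of any of the tools it names: it walks the PE headers to read the section names (UPX leaves UPX0/UPX1 behind) and measures byte entropy, which stays high for a compressed body even if the section names were changed. The PE images it runs on are constructed in the block itself; it does not touch a real sample.

```python
import math
import random
import struct
from collections import Counter

def build_minimal_pe(section_names, payload):
    """Constructed test image (not executable): MZ stub, PE signature, COFF header
    with an empty optional header, one 40-byte section header per name, then payload."""
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_stub + b"PE\0\0" + coff + table + payload

def pe_section_names(data):
    """MZ -> e_lfanew -> PE signature -> COFF header -> section table -> names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_header_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def shannon_entropy(data):
    """Bits per byte (0..8). Packed or compressed bodies sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_upx_packed(data, entropy_threshold=7.0):
    """UPX0/UPX1 section names are the obvious sign; high whole-file entropy
    still catches a packed body when the packer was told to rename its sections."""
    has_upx_names = any(n.startswith("UPX") for n in pe_section_names(data))
    return has_upx_names or shannon_entropy(data) > entropy_threshold

# Constructed samples: UPX section names over a near-random body, and a plain
# image over repetitive text (low entropy). Neither is a real worm sample.
PACKED_SAMPLE = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"],
                                 bytes(random.Random(7).getrandbits(8) for _ in range(4096)))
PLAIN_SAMPLE = build_minimal_pe([b".text", b".data", b".rsrc"],
                                b"This program cannot be run in DOS mode.\r\n" * 100)
```

Call looks_upx_packed(open(path, "rb").read()) on a file to get the same hint the IDA segment list gave; a True answer is the cue to run upx -d before returning to BinText.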

Appendix A – Installing VMware and the XP virtual machine

Note: VMware is available free to try for 30 days at www.vmware.com.

Now you need to install a program called VMware. This software allows one machine to run multiple virtual machines, so you will have your own virtual mini-net to do your experiments. Copy the VMware installation file from the website or from the NAS to the /root directory. On your Red Hat 8.0 host, open a terminal window (right-click the mouse and select New Terminal) and run:

    # cd /root
    # tar -zxvf VMware-workstation-4.0.1-5289.tar.gz
    # cd vmware-distrib
    # ./vmware-install.pl

(Warning: Do not EVER run the command ./vmware-install.pl again. If you do, you might have to redo this entire lab!)

... Hit Enter or change the directory for the bin files and answer the other questions. Make sure you run the vmware-config.pl script by answering yes to that question (or run it after installation). This script sets up networking for the VM and will ask some questions. Use the following answers:

    Do you want networking for your virtual machines? YES
    Do you want this program to probe for an unused private subnet? NO
    What will be the address of your host on the private network? 57.35.6.x+1 (one more than your base address)
    What will be the netmask of your private network? 255.255.255.
    Do you want to be able to use host-only networking in your virtual machines? NO
    Do you want this program to automatically configure your system to allow your virtual machines to access the host's file system? NO

What this has done is set up a bridged network on /dev/vmnet0, a host-only network on /dev/vmnet8 which we can ignore, and NAT on /dev/vmnet8. We are only going to use the bridged network, which acts like a hub for all virtual machines that we put on top of our Linux host. Each of these virtual machines behaves just like another machine plugged into a hub. We need to remove the vmnet8 configuration. We do this by running vmware-config.pl again:

    Would you like to skip networking setup and keep your old settings as they are? NO
    Do you want networking for your virtual machines? YES
    Would you prefer to modify your existing network configuration using the wizard or the editor? EDITOR
    Do you wish to make any changes to the current virtual networks settings? YES
    Which virtual network do you wish to configure? 8
    The network vmnet8 has been reserved for NAT network. Are you sure you want to modify it? YES
    What type of virtual network do you wish to set vmnet8? NONE
    Do you wish to make additional changes to the current virtual network settings? NO
    Do you want this program to automatically configure your system to allow your virtual machines to access the host's file system? NO

Now run:

    # cd /etc/init.d
    # ./vmware stop
    # ./network stop
    # ./network start
    # ./vmware start

Now if you type ifconfig at the command prompt, all you see is eth0 set to the host machine's IP that you assigned and the local loopback interface. This is what we want. Now when you start VMware with the command vmware, we have the networking we want; if you type ifconfig you can see the result of setting up the networking in the VMware host.

Launch VMware ( # vmware ) and go to Help → Enter Serial Number. Have the TA come in and enter a serial number for your VMware license. Note: No serial number is required for the free trial.

Now install the XP virtual machine in VMware. One way of doing this is to create a new virtual machine in VMware and then install the OS on it, just as you would on a normal machine. If you already have one of these machines, you can make another machine from it by just copying the right directories. This cuts the installation time by a huge amount. Copies of the virtual machines, created by the TAs, are available on the NAS server. You will be creating virtual machines out of them. Follow the steps below to do this.

- Copy the /mnt/nas4112/VMWare/winXPPro directory to your /root directory using the command

    cp -r /mnt/nas4112/VMWare/winXPPro /root/

  Again, this will take a long time to copy since the images are 4-6 GB.
- Select File->New->New Virtual Machine to create a new virtual machine.
- Choose Custom machine and click Next.
- Select Windows XP Professional for the operating system.
