Malware Analysis



Description

The first step in initiating research in virus analysis is to establish facilities and protocol for handling contagious code. Not knowing the issues, techniques, and tools for creating such a laboratory is likely the most significant obstacle in starting a research program in this area. The tutorial will discuss physical and virtual methods of creating such a virus research laboratory, including necessary hardware and software.

Next, using a collection of public domain and commercial tools, the participants will go through the complete process of analyzing Beagle.J, a computer virus that caused billions of dollars of damages in early 2004. In particular, we will analyze the backdoor created by Beagle.J, reverse engineering it to discover the password and commands used to enter through the backdoor.

Next, research results in obfuscation and deobfuscation of programs will be surveyed. Virus writers go to extra lengths to obfuscate their programs so that they cannot be analyzed. A survey of automated methods for determining whether a program is malicious will also be provided. We will also discuss IBM's Digital Immune System, a process used by Symantec, for automatically collecting virus samples, analyzing, and generating signatures if malicious.

The tutorial will close with a proposal to create a distributed, collaborative team for reverse engineering viruses. Such a team will augment the efforts of Computer Emergency Response Team (CERT) centers by providing specialized expertise in reverse engineering.


WCRE logo and graphics design - Copyright (C) 2004 Claire Knight, University of Delft. All Rights Reserved.
Web content - Copyright (C) 2004 University of Louisiana at Lafayette. All Rights Reserved.