Over the past two days I visited several well-known domestic anti-virus forums. I don't know whether you are interested in discussing this, or why.
Virus analysis reports are everywhere, but is what we really need an answer? A report? Perhaps what we need more is a way to improve our analytical ability. We all want a higher income, and for a company paying more is not a problem provided the employee creates greater value. So how can we legitimately turn our reversing skills into higher returns? This post may help.
Let me state my personal opinions first; everyone is welcome to discuss them.
Generally, virus analysis can be divided into three categories:
1. Practice
2. Quick Response
3. Deep Analysis
Depending on the reason, the starting point and focus of the analysis will differ.
Let's start with hands-on practice. Why practice? Pure love of the craft is beyond the scope of this article. If you practice for work or to prepare for future work, the first question to consider is "selecting material".
Not every sample is suitable for hands-on training. If you ask me to recommend some, I would pick the following:
Downloader: a simple and widely used type of Trojan. This type will turn up repeatedly in daily work. Although a complete white-box analysis is unnecessary in most cases, it is a good starting point.
Backdoor Trojans (bots): usually driven by profit. More and more professional developers are involved in developing these, so they may be the most complex and least avoidable type of threat.
Infostealer, the information-collecting Trojan: also profit-driven. The previous category may cause greater harm in the long run, but this kind cannot be ignored either; examples are theft of online banking accounts or automatic transfers.
Network worms: a worm may spread in many ways, such as email, IM, P2P, file sharing, USB, etc. It is best to have handled each kind at least once.
File infectors (viruses): same as above, infection and propagation can take many forms... Personally I think familiarity with at most one sample is enough. Why? Is it worth spending a lot of time preparing for less than 1% of potential problems just because they are rare? I don't think it is. Do the other 99% of the work well, and the remaining 1% can be picked up and made up for on the job.
There is another kind, the rootkit, which is very important but which I don't recommend, at least in the early stages of training... Don't make things hard for yourself at the beginning. As for other hobbies such as MBR, BIOS and various algorithms, studying them is fine, but spending a lot of effort on them for hands-on training... not cost-effective.
The next question to consider, in my opinion, is "how to practice".
What matters most in virus analysis for work purposes? The answer is simple: speed.
You need to quickly identify whether a submitted sample is a virus, which type it is, and what kind of detection or repair it needs.
Therefore, the first thing for the question of "how to practice" is fast identification. For fast identification, nothing is faster than running the sample on a virtual machine or a dedicated virus test machine. Of course, run-and-monitor results are not 100% accurate, and some threats require specific conditions to trigger. You cannot have both the fish and the bear's paw; what matters is responding as well as possible in the shortest time. There are other methods to consider too, such as looking at the strings and the APIs called. Fast identification is not necessarily a highly technical step.
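As an added illustration of the "strings and APIs" shortcut mentioned above (my own example, not code from the original post): a small Python triage script that pulls printable strings out of a constructed byte blob standing in for a sample and groups them into indicator families, so a download-plus-execute-plus-persistence footprint is flagged as downloader-like. The sample bytes, the indicator table and all function names are my own constructions.

```python
import re
from collections import defaultdict

# Constructed stand-in for a sample's raw bytes (not a real malware file):
# a few readable strings buried between junk bytes.
SAMPLE = (b"\x00\x01MZ\x90\x00" b"URLDownloadToFileA\x00" b"\xff\xfe"
          b"http://example.invalid/update.exe\x00" b"WinExec\x00"
          b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          b"\x7f\x00ab\x00" b"kernel32.dll\x00")

# Indicator families a first-pass triage looks for. API names and registry
# paths are ones commonly seen; the grouping itself is my own choice.
INDICATORS = {
    "download": re.compile(r"URLDownloadToFile|InternetOpenUrl|HttpSendRequest|WinHttp", re.I),
    "execute":  re.compile(r"WinExec|ShellExecute|CreateProcess", re.I),
    "persist":  re.compile(r"CurrentVersion\\Run|CreateService|StartServiceCtrlDispatcher", re.I),
    "network":  re.compile(r"https?://[\w./-]+", re.I),
    "stealer":  re.compile(r"GetAsyncKeyState|SetWindowsHookEx|\\Login Data", re.I),
}

def extract_strings(data: bytes, min_len: int = 5):
    """Return runs of printable ASCII at least min_len characters long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(strings):
    """Map each indicator family to the strings that matched it."""
    hits = defaultdict(list)
    for s in strings:
        for family, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[family].append(s)
    return dict(hits)

def triage(data: bytes):
    """Quick verdict from strings alone; a starting point, not proof."""
    hits = classify(extract_strings(data))
    verdict = "unknown"
    if {"download", "execute"}.issubset(hits):
        verdict = "downloader-like"   # fetch + run is the downloader footprint
    elif "stealer" in hits:
        verdict = "infostealer-like"
    return verdict, hits

if __name__ == "__main__":
    verdict, hits = triage(SAMPLE)
    print(verdict)
    for family, matched in hits.items():
        print(f"  {family}: {matched}")
```

A verdict from strings is only a hint: packed samples hide most of theirs, which is exactly why running in a VM remains the fastest first step.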
The next step will not be discussed here: how to add detection and repair code for each type. At this step different companies have different engines, and targeted exercises there can get twice the result with half the effort.
Back to what most friends call reversing, or white-box analysis: how can we improve our ability to reverse viruses?
Besides perseverance and care, I would like to raise a few points that need attention.
Why do we reverse viruses? Reversing a virus is quite different from other kinds of reversing. What you need is to become familiar with the virus's various mechanisms and then make targeted repairs, or advise customers on how to prevent it.
The first question to raise here is the "shell" (packer) issue.
The more packers you are familiar with, the more it helps your work. But if a friend wants to analyze viruses and starts by learning to unpack, that is a little different. Why? Because we don't need an unpacked virus that can run. Whether or not the unpacking is perfect, and even if we cannot unpack it at all, we can still analyze it:
1. Run it.
2. Choose a suitable breakpoint.
3. Suspend any anti-debugging monitor threads.
4. Then start debugging, or dump the running program from memory for static analysis.
There are many possible methods; what matters most is speed. On the other hand, almost all high-risk threats do not use only public packers, so worrying too much about unpacking doesn't necessarily help much.
After unpacking, I would ask "static or dynamic?" This is not a question with a 100% answer; it depends on the specific problem. But in principle, if it can be done statically, don't debug dynamically. If the static view is hard to understand, then try debugging.
The next question is the "F7 problem" that newcomers often struggle with. Step into (F7) is needed, but stepping into every call you see is definitely not a good habit. What most distinguishes a good reverse engineer is knowing when to use F8 (step over), F9 (run) and, when necessary, Alt+F7 (load script). Sometimes a function looks complicated and stepping into it could take a long time to analyze, but if you learn to guess and then verify, a simple F8 may have done the job. We don't need to know how every function is implemented; we only need to know what the virus wants and what it will do. This guessing is not something you can practice in a day or two, but if you stick with it, you will come to appreciate it.
Also, don't rely too much on any one tool or plug-in. Virus authors know the common tools as well, and if some of them are specifically targeted, friends who depend on them too much may be fooled.
Finally, a few words about deep analysis. Deep analysis usually consumes a considerable amount of time, and it is not worthwhile unless a customer requires it or the threat is very active. It involves not only reverse analysis but may even include tracking and investigating underground networks, analyzing domain names and servers, and so on; some of that is technical and some is not. This article does not discuss those other things. For complete reverse analysis, in addition to what was said above, here are some further suggestions:
1. If conditions permit, find some early variants of the same family for reference. These early variants may help you better understand the new variant being analyzed. For example, a recent version of SpyEye no longer uses direct string comparison but an irreversible check value; in other words, it would be a waste of time trying to recover the original string.
2. Not every virus can be completely unpacked before analysis. For example, one key Zeus uses for decryption is computed from the virtual address of the third section of the original file. No matter how perfect the unpacking is, this value will definitely change.
3. For complex malicious code, if static analysis or complete dynamic debugging is not easy, there is no harm in trying Ctrl+N and working through the functions one by one.
4. If you have time, write some programs with common compilers (such as VC, Delphi and VB) and reverse them, so that you become familiar with common compiler-provided functions such as strlen.
5. If you have time, become familiar with all kinds of encryption, decryption and compression algorithms; it saves a lot of time.
6. Make good use of Google and Baidu. Referring to others' analysis reports is not a bad thing, but do not rely on them; the final report must be based on your own analysis.
7. Olly is indeed more powerful than other debuggers, but what about what IDA can do? Don't forget that IDA lets you add comments at any time, and a good IDB may help with future work, so I recommend IDA more whenever circumstances allow.
That's all for now. I hope it helps anyone who loves anti-virus work. Discussion, further questions and suggestions are welcome. :)