, since when developing network signatures, you’ll often need to deal with encoded content.
Imagine that this malware is an attempt by the attacker to improve his techniques. Analyze the malware found in file Lab14-03.exe.
Questions

1. What hard-coded elements are used in the initial beacon? What elements, if any, would make a good signature?

2. What elements of the initial beacon may not be conducive to a long-lasting signature?

3. How does the malware obtain commands? What example from the chapter used a similar methodology? What are the advantages of this technique?

4. When the malware receives input, what checks are performed on the input to determine whether it is a valid command? How does the attacker hide the list of commands the malware is searching for?

5. What type of encoding is used for command arguments? How is it different from Base64, and what advantages or disadvantages does it offer?

6. What commands are available to this malware?

7. What is the purpose of this malware?

8. This chapter introduced the idea of targeting different areas of code with independent signatures (where possible) in order to add resiliency to network indicators. What are some distinct areas of code or configuration data that can be targeted by network signatures?

9. What set of signatures should be used for this malware?