Botnets - The killer web applications
www.syngress.com
Chapter 10 • Using Sandbox Tools for Botnets
427_Botnet_10.qxd 1/9/07 3:06 PM Page 354

Ctrl+C, which is the standard Windows shortcut for terminating console applications. If the run is not ended prematurely with this shortcut, the sandbox runs until all malware processes have terminated, a custom timeout is reached, or some critical event has occurred that requires an instant termination of the malware processes. During its runtime the following tasks are performed:

- The malware process is started in suspended mode, such that the process object is created and all modules are loaded, but not a single instruction has been executed yet.
- The cwmonitor.dll is injected into this new process.
- Runtime options and information are exchanged with this DLL.
- Throughout the execution, notifications are received from the DLL inside each monitored process; depending on the received notification, some decisions have to be made by the sandbox. The DLL then waits for these decisions and continues in the way the sandbox decided. However, in most cases no decision is needed and the DLL simply routes the call to the original API function after sending the notification.
- After all processes have terminated or a given timeout is reached, all still running processes are terminated, or the created malicious threads are stopped if their parent processes cannot be terminated safely, as is the case with essential Windows processes like winlogon.exe.
- Under some circumstances, the malware is terminated before the timeout occurs; for example, to prevent serious harmful actions.
- A high-level analysis report is created from the collected data.
- Optionally, a .cab file archive is created from all the monitored data and some additional files.
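The run loop described in the list above, as an added model in Python (constructed for this section, not CWSandbox's own code): notifications from the injected monitoring DLL are fed to a controller that decides per call, enforces the timeout, ends the run early on a critical event, and at cleanup distinguishes processes it may kill from essential ones like winlogon.exe whose injected threads are only stopped. The event names, the "critical" event set and the sample trace are assumptions.

```python
from dataclasses import dataclass, field

ESSENTIAL = {"winlogon.exe"}   # cannot be killed safely: stop injected threads only
CRITICAL = {"format_drive"}    # assumed example of a "serious harmful action"


@dataclass
class Run:
    timeout: float
    procs: dict                # pid -> image name of every monitored process
    log: list = field(default_factory=list)
    stopped: str = "completed"

    def decide(self, t, pid, event, detail):
        """Decision sent back to the DLL for one notification."""
        if t >= self.timeout:
            self.stopped = "timeout"
            return "terminate"
        if event in CRITICAL:
            self.stopped = "critical:" + event
            return "terminate"           # stop before the harm happens
        if event == "create_process":    # child process gets the DLL as well
            self.procs[detail["pid"]] = detail["image"]
        elif event == "inject_thread":   # malware thread placed in another process
            self.procs.setdefault(detail["pid"], detail["image"])
        elif event == "exit_process":
            self.procs.pop(pid, None)
        self.log.append((t, pid, event))
        return "continue"                # default: call routed to the original API


def run_sandbox(root, notifications, timeout):
    """root = (pid, image) of the malware process started suspended and resumed."""
    run = Run(timeout=timeout, procs={root[0]: root[1]})
    for t, pid, event, detail in notifications:
        if run.decide(t, pid, event, detail) == "terminate":
            break
    if run.procs and run.stopped == "completed":
        run.stopped = "timeout"          # trace ended with survivors: limit applies
    cleanup = {pid: ("stop_threads" if img in ESSENTIAL else "terminate")
               for pid, img in run.procs.items()}
    return {"stopped": run.stopped, "calls": len(run.log), "cleanup": cleanup}


SAMPLE = [  # constructed trace: (time_s, pid, event, detail)
    (0.1, 100, "create_file", {"path": "C:\\tmp\\a.tmp"}),
    (0.5, 100, "create_process", {"pid": 200, "image": "update.exe"}),
    (1.0, 100, "inject_thread", {"pid": 4, "image": "winlogon.exe"}),
    (2.0, 200, "exit_process", {}),
    (3.0, 100, "connect", {"host": "c2.example.invalid", "port": 6667}),
]
```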
Besides monitoring the relevant API function calls, the sandbox also offers some helpful features for a manual post-processing step of the results. Some of the most important features are enabled with the configuration options STORE_CREATED_FILES and DUMP_PROCESSES. The first one ensures that a copy of all newly created files is written into the .cab file. With this you can get the data of temporary files, which often are used as a source for encryption and then contain the plain text of data that is transmitted in an obfuscated form over the network. Furthermore, this includes copies of all downloaded files, which could contain code updates or other malware files. The second option enables a functionality that creates process dumps of