Malware Lab


Project Part 3: Analyzing Malicious Windows Programs

What you need:

A Windows machine, real or virtual, with IDA Pro installed. Refer to the Lab 7-1 instructions in chapter 7 of the "Practical Malware Analysis" textbook and to the Lab 7-1 solutions in the back of the book.

Purpose

You will practice the static analysis techniques from chapter 7 (analyzing malicious Windows programs).

You should already have the lab files, but if you don't, do this:

Downloading the Lab Files

In a Web browser, go here:

http://practicalmalwareanalysis.com/labs/

Download and unzip the lab files.

Downloading and Installing IDA Pro

In your Windows machine, open a Web browser and go to

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Download "IDA Freeware" and install it.

Analyzing the Malware

Follow the instructions for Lab 7-1 in the textbook. There are more detailed solutions in the back of the book.

Open and analyze the malware found in the file Lab07-01.exe using IDA Pro.

1. Answer all the questions (Q1 to Q6) found in Lab 7-1 in your own words.

2. This malware uses a function named StartAddress to perform a DDoS attack.

When answering question 4 in Lab 7-1, you will find the user agent string it sends while performing the attack and the URL it targets.

Save a screen capture of the IDA Pro screen showing those two values, like the example screenshot in the handout (in which the important items are grayed out).
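Finding those two values by hand means locating the calls to the WinINet imports inside StartAddress and reading the string arguments pushed just before each call. The script below, added here as an example and not taken from the textbook or the lab files, automates exactly that: it walks backwards from a `call` to collect the stdcall arguments (x86 pushes them right-to-left, so the push nearest the call is argument 0) and resolves any argument that is an offset to a string. The same walker also reports the name passed to CreateMutexA and CreateServiceA, which is useful for the mutex and persistence items in step 3; which of these APIs the sample actually imports is for you to determine. Everything in `SAMPLE` and `SAMPLE_STRINGS` is a constructed placeholder, not a value from Lab07-01.exe, and the `run_in_ida` glue assumes the IDA 7+ IDAPython names (`idc.get_name_ea_simple`, `idautils.CodeRefsTo`, `idc.get_strlit_contents`, and so on). Use the output only to confirm what you read in the disassembly; the screenshot must still come from IDA itself.

```python
"""Recover string arguments of Windows API calls from a disassembly listing.

Added example for this assignment, not code from the textbook or the lab.
The pure-Python core runs offline on the constructed SAMPLE below; run_in_ida()
feeds it the real listing and assumes IDA 7+ IDAPython names (an assumption).
"""
from collections import namedtuple

# One instruction: address, mnemonic, text of the first operand, and its value
# when that operand is an immediate/offset (None for registers and memory).
Insn = namedtuple("Insn", "ea mnem op_text op_value")

# stdcall argument counts and the positions of the arguments carrying the
# indicators the lab asks about. Arg 0 is the push closest to the call.
API_ARGS = {
    "InternetOpenA":    (5,  {"lpszAgent": 0}),                          # user agent
    "InternetOpenUrlA": (6,  {"lpszUrl": 1}),                            # target URL
    "CreateMutexA":     (3,  {"lpName": 2}),                             # mutex name
    "CreateServiceA":   (13, {"lpServiceName": 1, "lpDisplayName": 2}),  # persistence
}


def find_calls(insns, api):
    """Indices of `call` instructions whose operand names the API (e.g. ds:InternetOpenA)."""
    return [i for i, ins in enumerate(insns) if ins.mnem == "call" and api in ins.op_text]


def recover_args(insns, call_idx, argc):
    """Walk backwards from the call collecting `argc` pushes; element k is argument k.

    Returns None if another call/ret/jmp is reached first: the arguments were set up
    some other way (e.g. mov [esp+..], reg), which this walker refuses to guess.
    """
    args, i = [], call_idx - 1
    while i >= 0 and len(args) < argc:
        ins = insns[i]
        if ins.mnem in ("call", "ret", "retn", "jmp"):
            return None
        if ins.mnem == "push":
            args.append(ins)
        i -= 1
    return args if len(args) == argc else None


def describe_call(insns, call_idx, api, str_at):
    """Resolve the interesting arguments of one call via str_at(address) -> str or None."""
    argc, interesting = API_ARGS[api]
    args = recover_args(insns, call_idx, argc)
    if args is None:
        return None
    out = {}
    for name, pos in interesting.items():
        ins = args[pos]
        text = str_at(ins.op_value) if ins.op_value is not None else None
        out[name] = text if text is not None else ins.op_text  # e.g. "eax" or "0"
    return out


def scan_listing(insns, str_at):
    """(call address, API, resolved args) for every known API call in the listing."""
    return [(insns[i].ea, api, describe_call(insns, i, api, str_at))
            for api in API_ARGS for i in find_calls(insns, api)]


# Constructed listing (placeholder strings/addresses): a mutex check, then a
# thread routine that opens a session with a fixed user agent and loops on one URL.
SAMPLE_STRINGS = {0x403000: "ExampleAgent/1.0",
                  0x403020: "http://example.invalid/",
                  0x403040: "ExampleMutex"}
SAMPLE = [
    Insn(0x401000, "push", "offset aExamplemutex", 0x403040),
    Insn(0x401005, "push", "0", 0),
    Insn(0x401007, "push", "0", 0),
    Insn(0x401009, "call", "ds:CreateMutexA", None),
    Insn(0x40100F, "push", "0", 0),
    Insn(0x401011, "push", "0", 0),
    Insn(0x401013, "push", "0", 0),
    Insn(0x401015, "push", "0", 0),
    Insn(0x401017, "push", "offset aExampleagent1_", 0x403000),
    Insn(0x40101C, "call", "ds:InternetOpenA", None),
    Insn(0x401022, "push", "0", 0),
    Insn(0x401024, "push", "0", 0),
    Insn(0x401026, "push", "0", 0),
    Insn(0x401028, "push", "0", 0),
    Insn(0x40102A, "push", "offset aHttpExampleInv", 0x403020),
    Insn(0x40102F, "push", "eax", None),   # hInternet returned by InternetOpenA
    Insn(0x401030, "call", "ds:InternetOpenUrlA", None),
    Insn(0x401036, "jmp", "short loc_401022", None),
]


def sample_results():
    return scan_listing(SAMPLE, SAMPLE_STRINGS.get)


def run_in_ida(lookback=32):
    """IDAPython glue: rebuild an Insn window before each call site and scan it."""
    import idautils, idc  # only importable inside IDA

    def str_at(addr):
        raw = idc.get_strlit_contents(addr)
        return raw.decode("latin-1", "replace") if raw else None

    for api in API_ARGS:
        iat = idc.get_name_ea_simple(api)
        if iat == idc.BADADDR:
            continue
        for call_ea in idautils.CodeRefsTo(iat, 0):
            eas, ea = [], call_ea
            for _ in range(lookback):
                eas.insert(0, ea)
                ea = idc.prev_head(ea)
            insns = [Insn(e, idc.print_insn_mnem(e), idc.print_operand(e, 0),
                          idc.get_operand_value(e, 0)
                          if idc.get_operand_type(e, 0) == idc.o_imm else None)
                     for e in eas]
            print(hex(call_ea), api, describe_call(insns, len(insns) - 1, api, str_at))


if __name__ == "__main__":
    try:
        import idc  # noqa: F401
    except ImportError:
        for ea, api, info in sample_results():
            print(hex(ea), api, info)
    else:
        run_in_ida()
```

Run it from IDA's Python console or via File > Script file with Lab07-01.exe open, and it prints one line per call site; outside IDA it falls back to the constructed sample. The walker gives up (returns None) when it hits another call before collecting all arguments, which is the honest answer when a compiler has set arguments up with `mov` instead of `push`; in that case read the function by hand rather than trusting a partial recovery.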

3. You will see these features:

- A persistence mechanism
- A mutex
- A host-based signature
- A network-based signature

Explain the above terms briefly in the context of this lab assignment.

Deliverables:

Please complete all steps mentioned in this document and submit the lab report on Canvas. Make sure to capture screenshots for all steps and paste them into your lab report (Word document).