From Suning Appliance to Kaspersky (Part 2) Chapter 05: My Days in Kaspersky V

Table of Contents

Hi

Internship

The bottleneck in analysis skills


Hi


I arrived at the company early the next day. There were few people in the open-plan office on the 10th floor, and I was the first one in from our virus analysis department. After a while Rocky came in too. Seeing that I had arrived first, he came over to the analysts' office specially, smiled and said "Morning" to me; I quickly replied "Morning", and he went back to the office next door.

It was at this point that I realized how harmonious the atmosphere in our Kaspersky office was. Maybe everyone else thought it was all perfectly normal and natural, but in the past, whether I was selling books or selling mobile phones, when everyone came into the store in the morning they would glance at each other a few times and basically nobody would greet anyone specifically. In particular, I had heard that in many companies employees go out of their way to avoid each other to escape the awkwardness, let alone greet each other proactively. This characteristic of our department, coming into the office in the morning and saying "morning" to each other, continued right to the end. Whether it was Rocky or the four of us analysts, whoever arrived later would take the initiative and greet whoever had come in first. In fact, besides greeting each other at the start of the day, the same was true after work: whoever left first would also say goodbye to Rocky and the remaining colleagues. All of this made me feel that our department was very close-knit, with no airs between superiors and subordinates.

One more thing, whose influence on me continues to this day. At that time Rocky would sometimes send me messages to let me know about something, and every time he messaged me, the first word he used to open the conversation was always "Hi". This affected me deeply. Before that, I used to say everything bluntly, which often felt very abrupt. But after adding a "Hi", whatever I had to say next felt a lot gentler. So even now, whenever I send a message to a single person, I basically start with "Hi". If I don't use that word, I feel like I can't get the words out.


Internship


As I said in the previous story, when I first joined Kaspersky, even though I had not yet graduated, Kaspersky still treated me as a regular employee. The contract did not mention any concept of an internship period, but my department head Rocky, considering that I was a newcomer after all, did not make me directly responsible for specific tasks. Instead, from my second day at work, he had me analyze some characteristic samples every day to consolidate my foundation so that I could get into real operational work sooner. So I call this period my internship period; it lasted about three months, from the beginning of March to the end of May 2016.

The malicious programs Rocky asked me to analyze also went from simple to deep. He had me write a brief behavior description for each sample, covering three aspects: file operations, registry operations, and network behavior. At the same time, I was given a copy of Kaspersky's internal document on the classification of malicious programs, and after finishing an analysis I had to write out which category and family the malicious program belonged to. In fact, the relatively simple malicious programs at the beginning were not difficult for me at all: as long as they were dragged into IDA, their behavior was clear at a glance, supplemented at most by some dynamic debugging in OD (OllyDbg) alongside the static analysis. So the first few rounds of training progressed very quickly, and the brief analyses I wrote were also recognized by Rocky. He felt I wrote quickly and accurately, which also greatly strengthened my self-confidence.

From my second day at work I also met Seth, another veteran employee in our office, who had just returned from his annual leave. Since "Scum Rabbit" was off, Seth would be responsible for Kaspersky's daily business. Although I just said that ordinary samples could not trouble me during the training period, I did occasionally get headaches: some strange samples left me completely out of ideas, including samples generated by some uncommon programming languages. At those times I often asked Seth. He would give me some tools and suggestions, which broadened my knowledge. In particular, when I analyzed ransomware for the first time, I had to classify it at the end. I thought for a long time and could not decide whether this kind of malicious program was a virus or a Trojan, so I asked him, and he told me that this kind of malicious program belongs to Ransom, or more precisely Trojan-Ransom. This undoubtedly broadened my knowledge. After all, I had been through graduate school and was about to graduate, and I had never seen the word "Ransom". Although I had heard about ransomware for a long time, I had only ever read Chinese materials; I knew them as "extortion" or "blackmail" software, but I really did not know what the English was. Kaspersky's material was all in English, with no Chinese translation alongside, which was more or less of a strain. So from this perspective, Seth really helped me a lot during my internship.

My commuting schedule during the internship was the same as that of the other employees: arrive at the company at 10 in the morning and leave at 6 in the evening. The daily working time was exactly 8 hours, with no special lunch break at noon. Such hours gave me a lot of freedom, at least staggering me away from the worst of the morning rush. But because I had not yet graduated, I lived in the school dormitory. Not only did it take a while to get to the subway station, I also needed to transfer once on the subway, so it took me about an hour to get to work. So I would basically leave the dorm room at about 8 o'clock, have breakfast on the first floor, walk out of the Zhonglan apartment at 8:30 to catch the subway, and try to be on the subway by 9 o'clock. But this was actually only the tail end of the peak period, and there were still a lot of people riding, especially at the transfer station. It was already very difficult to get onto the train, and after squeezing in I felt I could hardly breathe; you move completely with the crowd, and it feels like your body no longer belongs to you. Especially when I wanted to get off, I had to apologize all the way to the door. Through this I trained up a strong psychological endurance, and no longer felt guilty about stepping on other people's feet.

Going to work was more or less bearable, but leaving work was a different matter, because 6 o'clock is the rush hour. Sometimes when I lined up for the subway I might have to wait two or three trains before I could get on. Some friends might say: why not leave later after work, for example have a meal at the company, then read a book and do some research, and wait until 7 or 8 o'clock? Yes, that is indeed a good way. However, I lived in a dormitory, and universities in the north are not like those in the south. In the south basically every dorm room has its own bathroom; northern universities, whether Changli or Beijing University of Technology, have dedicated bathhouses located outside the dormitory. For example, in our Zhonglan Apartment the bathhouse was in the basement and had fixed opening hours every day; if you missed them you could only wait until the next day. At that time our bathhouse was open from 1pm to 8pm, and stopped admitting people at 7:30pm. Since most of the people living in Zhonglan Apartments were graduate students, even those who did not go out for internships would basically be helping their supervisors with projects in the laboratory, so every evening from 6 to 8 was the peak period for our graduate students returning to Zhonglan from work, and also the peak period for showering. At such times there was often a situation where one classmate occupied a shower head with several classmates standing around him waiting. The most annoying thing was that some classmates occupying the shower heads, whether deliberately or not, in addition to the normal bathing process would slowly brush their teeth with hands on hips, then squat down to wash their socks and underwear, paying no regard to the feelings of the classmates watching, which was really maddening.

It was precisely because I had to get back for a shower that I had to leave the company at 6 o'clock in the evening. Under normal circumstances I could only get back to the apartment at around 7:10. I would hurry upstairs to fetch my toiletries, then rush down to the basement to shower; by then it was almost 7:30, and after all that tossing about I had not even eaten. This can be said to be the thing that annoyed me most. Many times I thought I just would not wash, but considering that I had spent a whole day in the office and then squeezed into the subway with everyone for about two hours, I could not sleep without a shower, which drove me every day to treat leaving work like a forced march in wartime, needing to reach the front as soon as possible. In particular, there were sometimes troublesome samples whose analysis I could not finish by 6 o'clock in the evening. At those times I could only apologize to Rocky and explain the reason, promise to complete the task when I returned to the dormitory at night, and then leave with a guilty conscience. A situation like this was not completely resolved until I graduated and moved out of Zhonglan into a small apartment outside.

During the three-month internship I was in the training stage throughout. During this period I also expressed my apologies to Rocky, because I had not made a substantial contribution to the company but was still receiving a salary. He said it was fine, but the guilt still filled my heart. This was not like when I used to work in sales: no matter what I sold, I was earning profit for the company and reflecting my own value, and I could also earn my share of commission. But at Kaspersky I felt the company was paying only to let me consolidate my analysis skills. Although the internship was easy, I had not made any actual contribution to the company, which still left me feeling very unsettled.


The bottleneck in analysis skills


In fact, analyzing malicious programs seemed to me to be entirely a matter of routine work: after mastering the basic methods, the next step is to accumulate experience, and there would be no more advanced, deeper or more complex techniques. Especially since before this I had already accumulated a fair amount of analysis experience, and the samples during the internship were basically not challenging, which gave me the illusion that real virus analysis work was "nothing more than this". And this illusion did not undergo a 180-degree turn until Rocky gave me a batch of new samples.

On this day, I had happily and easily analyzed the previous batch of training samples, written the sample behavior reports and classified them, and was waiting for Rocky to give me a new training task. The leisure between such tasks was my favorite time: there is not only the satisfaction of completed tasks but also the anticipation of new challenges.

Then Rocky sent me an email containing the latest analysis task and a package of samples. He said "Hi", and that this time he wanted me to analyze some new kinds of samples that contained obfuscation techniques, and that I should study them on my own. This was the first time I had heard of the word "obfuscation". In my previous studying and research, no book had mentioned anything like it. I was very curious, so I took the first sample to try my hand at it.

Everything went according to the usual process, but during the analysis I found that this sample seemed to use some kind of encryption, so that neither static nor dynamic analysis could reveal the full picture of the program, and it was hard to see its true behavior. It seemed to be a kind of packing, but packer-identification tools and unpacking tools had no effect. So I went round in circles, almost a whole day passed, and I still had no clue.

When it was nearly time to leave in the afternoon, Rocky came over and asked how I was doing. I said I had not seen anything yet and did not know what these samples were. So he sat down at my computer and used OD to give me a brief demonstration of the analysis method. At this point I realized that this obfuscation technique can be understood as a kind of packing intended to defeat the analyst's reverse engineering. And this method of packing (or encryption) was invented by the hackers themselves, so of course general-purpose unpacking tools had no effect. The basic encryption idea behind this obfuscation technique is also very simple: the real code and data are initially stored in encrypted form at some position in the program body. During execution, the program allocates memory, copies the encrypted content into the newly allocated memory space, and then decrypts that content there, thereby restoring the virus itself for execution. This really opened the door to a new world for me; only then did I realize the hackers had this trick up their sleeve. It seems the hackers are also very diligent. Well, now that I had mastered the basic deobfuscation method, I could go and put it into practice. But it was time to leave, and I wanted to "march at the double" back for my shower, so I could only apologize to Rocky and explain the situation, and he let me go.
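The allocate-copy-decrypt pattern Rocky demonstrated, as an added example that is neither the author's code nor anything from Kaspersky: the first half simulates the loader (a stub holding an encrypted blob, a freshly allocated buffer standing in for VirtualAlloc, a copy, and an in-place decrypt), and the second half is the analyst's side, replaying the decryption statically once the blob offset, size and key have been read off in the debugger. Going beyond the text, it also recovers the key by known plaintext when the decrypted stage is expected to be a PE file (it must start with "MZ"), and checks the result with the e_lfanew/"PE\0\0" signature so a wrong key or offset is caught. The stub bytes, the rolling-XOR cipher with its 0x13 key step, and the fake PE payload are all constructed for this illustration; real samples use whatever their author chose.

```python
import struct

KEY_STEP = 0x13  # hypothetical key schedule: key byte advances by 0x13 per byte

# ---------------------------------------------------------------------------
# Sample side (constructed): the obfuscation pattern, simulated on a byte string.
# ---------------------------------------------------------------------------

def rolling_xor(data: bytes, key0: int, step: int = KEY_STEP) -> bytes:
    """XOR every byte with a key that advances by `step` after each byte.
    XOR is symmetric, so one routine both encrypts and decrypts."""
    out = bytearray(len(data))
    k = key0 & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ k
        k = (k + step) & 0xFF
    return bytes(out)


# Constructed stand-in for the loader's own code; in a real sample this is the
# decryption loop the analyst single-steps in OllyDbg.
STUB = bytes.fromhex("558bec83ec10") + b"\x90" * 10  # 16 bytes


def build_sample(payload: bytes, key0: int) -> bytes:
    """A fake 'packed' image: stub code followed by the encrypted payload."""
    return STUB + rolling_xor(payload, key0)


def run_sample(sample: bytes, key0: int) -> bytes:
    """What the loader does at runtime: allocate, copy the blob over, decrypt."""
    blob = sample[len(STUB):]
    fresh = bytearray(len(blob))       # stands in for VirtualAlloc
    fresh[:] = blob                    # stands in for the copy loop
    return rolling_xor(bytes(fresh), key0)  # decrypt in place; execution jumps here


def make_fake_pe_payload() -> bytes:
    """Constructed second stage with just enough of a PE header to be checked."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    return bytes(hdr) + b"PE\0\0" + b"...constructed second-stage body..."


# ---------------------------------------------------------------------------
# Analyst side: replay the decryption statically, recover the key if needed.
# ---------------------------------------------------------------------------

def unpack(sample: bytes, blob_off: int, blob_len: int, key0: int,
           step: int = KEY_STEP) -> bytes:
    """Offset, length and key are what you read off in the debugger."""
    return rolling_xor(sample[blob_off:blob_off + blob_len], key0, step)


def recover_schedule(blob: bytes, known_prefix: bytes = b"MZ") -> tuple:
    """Known-plaintext recovery for a rolling XOR: key_i = cipher_i ^ plain_i,
    so the first two bytes of an expected 'MZ' header give key0 and the step."""
    k0 = blob[0] ^ known_prefix[0]
    k1 = blob[1] ^ known_prefix[1]
    return k0, (k1 - k0) & 0xFF


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decrypted stage: DOS header plus a valid PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack_auto(sample: bytes, blob_off: int, blob_len: int) -> bytes:
    """Recover the key from the expected header, decrypt, and refuse garbage."""
    blob = sample[blob_off:blob_off + blob_len]
    key0, step = recover_schedule(blob)
    plain = rolling_xor(blob, key0, step)
    if not looks_like_pe(plain):
        raise ValueError("decrypted stage is not a PE; key guess or offset is wrong")
    return plain


if __name__ == "__main__":
    payload = make_fake_pe_payload()
    sample = build_sample(payload, 0x4A)
    print("runtime decrypt matches:", run_sample(sample, 0x4A) == payload)
    print("recovered (key0, step):", tuple(hex(x) for x in recover_schedule(sample[len(STUB):])))
    print("static unpack matches:", unpack_auto(sample, len(STUB), len(payload)) == payload)
```

In the real workflow, run_sample corresponds to letting the stub execute in OllyDbg up to the jump into the decrypted buffer and dumping that memory; the static replay in unpack and unpack_auto is what makes the remaining samples of a batch tractable once one of them has been understood, and the PE signature check is the cheap way to tell a correct key from a near miss.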

The imagination was beautiful. I felt these samples were just a little more troublesome, with some more decryption operations, and I kept feeling it did not exceed the scope of my understanding and ability. However, reality is cruel, and I was beaten mercilessly. After returning to the dormitory, taking a shower and eating, I turned on the computer, started the analysis tools, and began to study the second obfuscated sample. But I found that this sample was a good deal more advanced than the example Rocky had shown me, and I was left in a daze. Not wanting to stay stuck there, I took a look at the third sample, which was different from the previous two, and Rocky's method did not work there either. The fourth and fifth that followed... each had its own characteristics, which instantly exposed the blind spots in my knowledge and skills and dealt a devastating blow to my self-confidence. I felt I had been completely defeated by these hackers. So, as this shows, I did not get any results that night.

The analysis continued the next morning, and at about four o'clock in the afternoon Rocky came to ask if there was any progress. I said these samples were quite difficult; apart from the one he had shown me, I still had no ideas on the rest. He asked which one was most troublesome and wanted to show me again. So I pointed him to one of the samples where I had no idea at all what was going on, and he opened OD to debug and analyze it for me. This sample really was troublesome. It used a lot of strange techniques to achieve obfuscation, some of which I had never heard of, and in actual debugging the slightest carelessness meant missing the core functions. So Rocky was careful at every step, and whenever he found a clever spot he had me analyze it. It was about six o'clock by the time I thoroughly understood the obfuscation method of this program. During this time I discovered that Rocky's analysis skills are truly great; I do not know when I will be able to catch up with him. This is world-class strength.

I guess Rocky did not expect this sample to take such a long time. He told me to go back and analyze it on my own, and returned to his office. Because it was already 6 o'clock, I just packed up my things and prepared for the "forced march". When I said goodbye to Rocky, I found he was still reading, because he had discovered an interesting technique during the debugging and wanted to take a closer look in a book to confirm it further. I remember very clearly that the book was "C++ Disassembly and Reverse Analysis Techniques Revealed". I was suddenly very moved: the great ones never forget to study and improve themselves, and it is this kind of studious spirit that makes the great gods great gods. This spirit and attitude was something I could not have learned before through videos and self-study. It was Kaspersky, the company's platform, that was able to provide it to me, and it became precious experience and wealth from which I benefited greatly.

Later, when I got back to the dorm room, I did not manage to debug this sample, but at least the other samples that were not that complicated I could already debug. I felt I had gained a lot in those two days; I had explored an unknown world, and felt a lot of emotion. It took me about half a month to finish this batch of obfuscated samples. However, for some of the complicated samples, I was still at a stage of ignorance. Rocky, considering that I still had follow-up learning tasks to complete, did not push too hard on this batch of malicious programs, and later we moved on to the next stage of analyzing new samples. But through the study at this stage I also found my own shortcomings, and this batch of samples was indeed a technical bottleneck during my internship.


Origin: blog.csdn.net/ioio_jy/article/details/115307755