Monday, March 3, 2014

Daily Blog #253: Sunday Funday 3/2/14 Winner!

Hello Reader,
       It's always surprising to me which Sunday Fundays get the most responses. This one got some of the fewest responses. I finally got a late response and so it wins; it helps that it's not a bad answer. So if you are looking at winning a Sunday Funday, my advice is to submit every time: you never can tell when even half of what you think is your best answer could win!

The Challenge:
PeStudio does static analysis of executables. List and explain what behavior of an executable cannot be examined by this tool.

The Winning Answer:
As PE Studio uses static analysis, a malicious binary can use a number of techniques to hinder PE from analysing the binary.

Packed or obfuscated code. Obfuscated code is typically used by the malware author to hide the intent of the binary.

Packed executables typically use compression and in some cases encryption to limit what information can be analysed.

Packed programs use a small wrapper program which unpacks/decompresses the packed file; this can be used to hide valuable information found in ASCII and Unicode strings (IP addresses, possible commands, DLLs used, import/export functions, registry locations used for persistence, etc.).

Additionally it may be possible to identify a particular import but not how it is used.

  Another full week of posts ahead, I hope you stick with me and tell your DFIR friends!