Static Malware Analysis

Starting here, I would like to share the results of my recent research into malware analysis. We will begin with some basics and proceed to advanced levels. In this first installment, we will discuss the techniques involved in static analysis of malware. I will also include some files for illustrative purposes in this document. Before we move directly on to the analysis, let us set up context with some definitions.

What is Malware?

Malware is any software that does something that causes detriment to the user, computer, or network, such as viruses, trojan horses, worms, rootkits, scareware, and spyware.

Malware Static Analysis

Basic static analysis consists of examining the executable file without viewing the actual instructions, i.e. without disassembling it or running it. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures. It is straightforward and can be quick, but it is largely ineffective against sophisticated malware, and it can miss important behaviors.

Enough with definitions; let's get down to the techniques.

Malware Static Analysis Techniques

Uploading the file to VirusTotal

The very first technique in static analysis is to upload the suspicious executable to VirusTotal, which scans it with several AV engines and reports the result. For example, the file in the screenshot below had a detection ratio of 17 out of 57. One caveat: uploading a sample shares it with the AV vendors (and, in targeted cases, can tip off the attacker that the sample has been found), so when that matters, search VirusTotal by the file's hash instead of uploading it.

Finding strings

Searching through the strings can be a simple way to get hints about the functionality of a program. For example, if the program accesses a URL, then you will see that URL stored as a string in the program. Microsoft has a utility called "Strings" (part of the Sysinternals suite).
When Strings searches an executable for ASCII and Unicode strings, it ignores context and formatting, so it can analyse any file type and detect strings across an entire file (though this also means it may report runs of bytes as strings when they are not). Strings looks for a sequence of three or more ASCII or Unicode (UTF-16) characters followed by a string-termination character. Using the Strings utility, a file can be searched with the following command at the cmd prompt:

strings <filename>

Below are some examples of strings from which important information can be revealed.

Example 1: Below is a string extraction from a malicious executable. It gives us good information: functions like "FindFirstFileA" and "FindNextFileA" show that this executable will search for files, and combining that with "CopyFileA" suggests that it will find a file and replace it with another. Another important point is the string "Kerne132.dll". This is a look-alike name (a digit 1 in place of the letter l) and should not be confused with "Kernel32.dll"; a dropped DLL with such a name is easily mistaken for the legitimate one by anyone glancing at a file listing.

Example 2: Below is another extraction from the Strings utility. It shows the usage of "CreateProcessA", which will create a process. Commands like "exec" and "sleep" are used to control the program remotely, so it can be a bot as well, and then there is an IP address, which can be the IP of the controlling server.

Example 3: Below is another example of an extraction using Strings. The interesting fields are "InternetOpenUrlA", which indicates that it will connect to some external server to download something, and an http:// string, which even clarifies the server address from which it will download.

How to check whether malware code is obfuscated or not?

Often malware writers obfuscate or pack their code so that the file is hard to read. A packed program carries a small unpacking stub: when the packed program runs, the stub runs first, unpacks the original code into memory and then transfers execution to it. A packed file therefore shows very few meaningful strings (mostly the stub's own handful of imports), which is itself a hint.
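The extraction and triage described above, as an added example that is not part of the original article: a stdlib-only re-implementation of what Strings does (ASCII and UTF-16LE runs of three or more printable characters) followed by a pass that flags the kinds of strings the three examples point out. The sample bytes, the API/command lists and the look-alike DLL check are constructed assumptions for the demo, not a real sample or an exhaustive indicator set.

```python
"""Added example (not from the original article): a minimal re-implementation
of what Sysinternals Strings does, followed by a triage pass that flags the
kinds of strings the article points out (file-search/copy/process APIs, URLs,
IPv4 addresses, backdoor command words, and look-alike DLL names such as
"Kerne132.dll").  SAMPLE below is constructed for the demo; it is not a real
malware sample, and the indicator lists are assumptions, not a full catalogue.
"""
import re

MIN_LEN = 3  # Strings' default minimum length

# Illustrative assumptions, not a complete catalogue.
SUSPICIOUS_APIS = {
    "FindFirstFileA": "enumerates files on disk",
    "FindNextFileA": "enumerates files on disk",
    "CopyFileA": "copies (or replaces) a file",
    "CreateProcessA": "spawns a new process",
    "InternetOpenUrlA": "fetches a URL via WinINet",
}
COMMAND_WORDS = {"exec", "sleep", "shell", "download", "upload"}
LEGIT_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "wininet.dll", "ws2_32.dll"}
URL_RE = re.compile(r"https?://[\w.\-/:%?=&]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return sorted (offset, kind, text) for every run of >= min_len printable
    ASCII bytes and every run of >= min_len UTF-16LE characters whose code
    points are printable ASCII (what Strings calls 'Unicode' strings)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def lookalike_dll(name: str) -> bool:
    """True if NAME mimics a well-known DLL once digit-for-letter swaps
    (1 -> l, 0 -> o) are undone, e.g. 'Kerne132.dll' -> 'kernel32.dll'."""
    n = name.lower()
    if not n.endswith(".dll") or n in LEGIT_DLLS:
        return False
    return n.replace("1", "l").replace("0", "o") in LEGIT_DLLS


def triage(strings):
    """Tag the interesting strings; returns (offset, tag, text, why) tuples."""
    hits = []
    for off, _kind, s in strings:
        if s in SUSPICIOUS_APIS:
            hits.append((off, "api", s, SUSPICIOUS_APIS[s]))
        elif URL_RE.search(s):
            hits.append((off, "url", s, "possible download/C2 server"))
        elif IPV4_RE.search(s):
            hits.append((off, "ipv4", s, "possible C2 address"))
        elif s.lower() in COMMAND_WORDS:
            hits.append((off, "cmd", s, "backdoor command vocabulary"))
        elif lookalike_dll(s):
            hits.append((off, "lookalike-dll", s, "mimics a system DLL name"))
    return hits


# Constructed sample: a fake MZ stub followed by the kind of strings seen in the
# article's three examples (ASCII import names, command words, a UTF-16 URL, an IP).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"FindFirstFileA\x00FindNextFileA\x00CopyFileA\x00Kerne132.dll\x00"
    + b"CreateProcessA\x00exec\x00sleep\x00\x00"
    + "http://example.invalid/update.bin".encode("utf-16-le") + b"\x00\x00"
    + b"10.0.0.5\x00"
)

if __name__ == "__main__":
    for off, tag, text, why in triage(extract_strings(SAMPLE)):
        print(f"{off:#08x} {tag:14} {text:40} {why}")
```

Run it on a real file with `extract_strings(open(path, "rb").read())`; the point of the UTF-16 pass is that Windows malware often stores URLs and paths as wide strings that a plain ASCII grep misses.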
With static analysis alone it is hard to tell which files are packed unless it is clearly evident. Tools like PEiD are sometimes able to tell that a file is packed; in the figure below it is clearly evident that the file is packed with UPX. Files packed with stock UPX can be unpacked with the following command:

upx -d -o <newfilename> <packedfilename>

(This only works when the packer really is an unmodified UPX; malware authors often tweak the UPX headers so that `upx -d` refuses the file, in which case the sample has to be dumped from memory after it unpacks itself.)

Information gathering from the Portable Executable (PE) file format

The PE file format is used by Windows executables, DLLs, etc. It contains the information the Windows loader needs to run the code. While examining PE files we can see which functions have been imported and exported and what type of linking is used, i.e. runtime, static or dynamic.

PE file sections

A PE file contains a header and several sections, and under these sections there is useful information. Let's understand these sections:

.text: contains the executable code.
.rdata: holds read-only, globally accessible data; the import and export information usually lives here too.
.data: stores global data accessed throughout the program.
.rsrc: stores resources needed by the executable (icons, menus, strings, and sometimes a whole embedded second executable).

Most often malware writers use dynamic linking in their code. With the tool Dependency Walker, for example, we can see in the screenshot below that under WININET.dll there are functions like "InternetOpenUrlA", which states that this malware will make a connection with some external server.

Note: Wininet.dll contains higher-level networking functions that implement protocols such as FTP and HTTP, whereas ws2_32.dll provides the low-level Winsock socket API.

Under the header there is a substructure named IMAGE_FILE_HEADER, which contains the TimeDateStamp field. This timestamp shows the compile time of the executable. This is very useful information, because if the time is old there may be a case that AV solutions already have a signature for it.
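The header fields and packing indicators discussed above, as an added example that is not code from the original article: a stdlib-only parser that walks MZ -> e_lfanew -> IMAGE_FILE_HEADER -> section table, reads TimeDateStamp, and applies the heuristics an analyst uses to suspect packing (packer-style section names, an empty section with a large virtual size, writable+executable sections, high byte entropy). The toy image built by build_sample_pe(), the packer-name list and the 7.0 entropy threshold are this example's assumptions; the image has no optional header and cannot be executed.

```python
"""Added example (not from the original article): a stdlib-only parser for the
PE headers the article discusses (IMAGE_FILE_HEADER.TimeDateStamp and the
section table) plus packing heuristics.  build_sample_pe() constructs a toy
image laid out like a UPX-packed file for the demo; it is not a real sample."""
import datetime
import math
import random
import struct

# Section names used by common packers; an assumed, illustrative list.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0",
                        ".vmp1", ".themida", ".petite", ".MPRESS1", ".MPRESS2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_DLL = 0x2000


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits/byte: 0.0 for flat data, close to 8.0 for compressed data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    sections = []
    for i in range(nsec):
        off = fh + 20 + opt_size + 40 * i          # table follows the optional header
        name, vsize, _vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rawsize,
            "entropy": round(entropy(raw), 2),
            "executable": bool(schars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(schars & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": stamp,   # seconds since the Unix epoch; trivially forgeable
        "compiled": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc),
        "sections": sections,
    }


def packing_indicators(info: dict) -> list:
    """Human-readable reasons to suspect the image is packed (empty list = none)."""
    reasons = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"{s['name']}: packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes virtual (unpack target)")
        if s["executable"] and s["writable"]:
            reasons.append(f"{s['name']}: writable+executable")
        if s["raw_size"] and s["entropy"] > 7.0:
            reasons.append(f"{s['name']}: entropy {s['entropy']} (compressed/encrypted)")
    return reasons


def build_sample_pe(timestamp: int, sections) -> bytes:
    """Assemble a toy PE (no optional header) from (name, raw, characteristics, vsize)."""
    e_lfanew = 0x40
    table_end = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_base = (table_end + 0x1FF) & ~0x1FF                     # 512-byte file alignment
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x102)
    table, body, ptr, vaddr = b"", b"", raw_base, 0x1000
    for name, raw, chars, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
        vaddr += max(vsize, 0x1000)
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew) + b"PE\0\0" + file_hdr + table
    return hdr + b"\0" * (raw_base - len(hdr)) + body


# Constructed UPX-like layout: empty UPX0 the stub decompresses into, UPX1 with
# the compressed payload (random bytes stand in for it), and a small .rsrc.
_rng = random.Random(1)
SAMPLE_PE = build_sample_pe(0x4B0E5F2A, [
    ("UPX0", b"", 0xE0000080, 0x8000),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000040, 0x2000),
    (".rsrc", b"\0" * 256, 0x40000040, 0x200),
])

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print("compiled:", info["compiled"].isoformat())
    for s in info["sections"]:
        print(f"{s['name']:8} raw={s['raw_size']:#7x} virt={s['virtual_size']:#7x} H={s['entropy']}")
    for r in packing_indicators(info):
        print("!", r)
```

On a real file, `parse_pe(open(path, "rb").read())` gives the same dictionary; a section with near-8.0 entropy and a companion section that is empty on disk but large in memory is the classic UPX signature even when the section names have been renamed.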
However, this field is not reliable, since the compile timestamp can easily be changed by the malware writer.

Suppose that from static analysis an analyst predicts that the executable will create a process, and the exec and sleep commands are found, but no import is found from a DLL that provides functions to connect to another server. In that case the network component is probably hidden inside the executable as a resource. Open the .rsrc section of the PE file with a tool like Resource Hacker to gain more information about the malware. Below is the analysis of the above resource using PEview.

As we have seen, the amount of information that can be gathered with static analysis is limited, but it is very useful too. In a coming article, I will bring in (basic) dynamic analysis to the rescue.

Source

MALWARE ANALYSIS BASICS - PART 2

Dynamic Analysis Techniques

As we have covered the basics of malware analysis with static techniques, this post is all about performing basic analysis of malware using dynamic techniques. As we have seen in the previous post, the ability to fully analyse malware is very much restricted with static techniques, either because of obfuscation or packing, or because the analyst has exhausted the available static techniques.

Precautions

Before performing dynamic malware analysis, be sure to do it in a safe environment. Consider deploying a Windows virtual machine, using VMware for provisioning virtual machines, and keeping it on an isolated (host-only) network. You should also take a snapshot of the virtual machine before executing the malicious binaries so that the safe state can easily be restored.

Analyzing with Process Monitor

Process Monitor is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activities. Process Monitor records all the system calls it can gather as soon as it is run.
Since there are always a huge number of calls being made in the Windows OS, it is sometimes impractical to discover the important events. Process Monitor helps with this through its filter dialog, in which we can filter by the type of call. For example, see the screenshot below: I have applied a filter on the operations "WriteFile" and "RegSetValue". These are usually the calls made by a malicious executable to write a file to disk and to make registry changes. After applying the filter, we get the following list of events in Process Monitor. The most important are the top two entries, which show the writing of a file and the creation of a registry value named "Video Driver". The other entries can be ignored, as they are the system's routine updates to its pseudorandom-number seed. Clicking on the first entry we can even see what that call did: as is clear from the screenshot below, a total of 7168 bytes were written to the file system by this binary.

Analyzing with Process Explorer

Process Explorer is a tool used for performing dynamic analysis and can give you great insight into the processes currently running on the system. Below is an example of the process created after running a binary. Clicking on a process reveals whether the process has created any mutant (mutex) or not. It can also give you all the information about the DLLs loaded by the process. Below, the screenshot shows that the process uses ws2_32.dll, which means that a network connection may be made by this process. Double-clicking a particular process yields more information about it. Some of the important attributes are:

Verify option. Every process has a Verify option to check whether the binary carries a valid digital signature from Microsoft or another trusted publisher. Below, the screenshot shows that this binary is not signed.

Threads shows the number of threads associated with this process.
Strings tab can help in determining whether process replacement has occurred. If the strings on disk and in memory are drastically different, process replacement may have occurred. Below, the screenshot shows the strings of the executable both on disk and in memory.

Using INetSim

INetSim is a free, Linux-based suite for simulating common Internet services. It is sometimes difficult to analyze malware without letting it execute its code completely, and that can involve contacting the outside world for services over HTTP, HTTPS, FTP, etc. INetSim does exactly this: it emulates services like HTTP, HTTPS and FTP and lets the analyst observe the malware's behaviour. Since it is Linux-based, the best way to use it is to install it on a Linux machine and keep it on the same (isolated) network as the Windows test machine. INetSim can serve any type of request the malware might make. For example, suppose the malware requests an image from a server before its code will execute: INetSim can fulfil the request, and although the image will not be what the malware is looking for, it will keep the malware executing its code. INetSim can also log every request from the client regardless of the port, which can be used to record all the data sent by the malware.

In the next part of the series, we will move to advanced techniques of malware analysis using both static and dynamic analysis.

Source
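The Process Monitor filtering described in the dynamic-analysis section above, as an added example that is not part of the original article: Procmon can save its capture as CSV (File > Save, CSV format), and this script applies the same WriteFile/RegSetValue filter in code for one process, sums the bytes written, flags autorun registry values as persistence and drops the RNG-seed noise the article says to ignore. It goes slightly beyond the article by also keeping Process Create and TCP Connect events. SAMPLE_CSV is constructed for the demo (Procmon's column names, invented rows and values), and the persistence/noise key lists are assumptions.

```python
"""Added example (not from the original article): triage of a Process Monitor
CSV export that does in code what the article's GUI filter does.  SAMPLE_CSV
is constructed: the column names are Procmon's, the rows are invented."""
import csv
import io
import re

WATCH_OPS = {"WriteFile", "RegSetValue", "Process Create", "TCP Connect"}
# Registry locations whose modification usually means persistence (assumed list).
PERSISTENCE_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\",
                       "\\CurrentVersion\\Explorer\\Shell Folders\\", "\\Services\\")
NOISE_MARKERS = ("\\Cryptography\\RNG\\Seed",)      # rewritten constantly by the OS
LENGTH_RE = re.compile(r"Length: ([\d,]+)")

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1000000 PM","sample.exe","1234","WriteFile","C:\Windows\System32\drivers\vdrv.sys","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"1:02:03.1050000 PM","sample.exe","1234","WriteFile","C:\Windows\System32\drivers\vdrv.sys","SUCCESS","Offset: 4,096, Length: 3,072"
"1:02:03.1100000 PM","sample.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver","SUCCESS","Type: REG_SZ, Length: 78, Data: C:\Windows\System32\drivers\vdrv.sys"
"1:02:03.1200000 PM","sample.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 9A 1C 44 ..."
"1:02:03.1300000 PM","sample.exe","1234","TCP Connect","LAB-PC:49152 -> 10.0.0.5:80","SUCCESS","Length: 0, mss: 1460"
"1:02:03.1400000 PM","sample.exe","1234","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 1300, Command line: cmd.exe /c sleep"
"1:02:03.1500000 PM","explorer.exe","900","WriteFile","C:\Users\lab\ntuser.dat.LOG1","SUCCESS","Offset: 0, Length: 512"
'''


def triage_procmon(csv_text: str, process: str) -> dict:
    """Summarise the watched operations of PROCESS from a Procmon CSV export."""
    out = {"bytes_written": 0, "files_written": set(), "persistence": [],
           "registry": [], "network": [], "children": [], "noise": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower() or row["Operation"] not in WATCH_OPS:
            continue                                      # the GUI filter, in code
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "WriteFile":
            m = LENGTH_RE.search(detail)                  # "Length: 4,096" -> 4096
            out["bytes_written"] += int(m.group(1).replace(",", "")) if m else 0
            out["files_written"].add(path)
        elif op == "RegSetValue":
            if any(n in path for n in NOISE_MARKERS):
                out["noise"].append(path)
            elif any(p in path for p in PERSISTENCE_MARKERS):
                key, _, value = path.rpartition("\\")   # split key from value name
                out["persistence"].append({"key": key, "value": value, "detail": detail})
            else:
                out["registry"].append(path)
        elif op == "TCP Connect":
            out["network"].append(path.split(" -> ")[-1])  # remote endpoint
        elif op == "Process Create":
            out["children"].append(detail)
    return out


if __name__ == "__main__":
    report = triage_procmon(SAMPLE_CSV, "sample.exe")
    print(f"{report['bytes_written']} bytes written to {sorted(report['files_written'])}")
    for p in report["persistence"]:
        print(f"persistence: {p['value']!r} under {p['key']} ({p['detail']})")
    print("network:", report["network"], "children:", report["children"])
    print("ignored noise:", report["noise"])
```

Run it against a real export with `triage_procmon(open("capture.csv", encoding="utf-8-sig").read(), "sample.exe")`; the path-substring checks deliberately match both HKLM and HKCU autorun keys, because malware run without admin rights falls back to the per-user Run key.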
In this HowTo I will describe the steps needed to configure the network with a static IP address on a Unix/Solaris system. The SMF commands used below are available from Solaris 10 onwards (Solaris 11 included).

In Unix everything is a file; I hope many of you have this rule imprinted in your brain already, and as you know, to make any kind of setting you have to modify files, which we can call configuration files. The data stored in these files is read by the system and acted upon. Up to here I hope you have a clear idea of how a Unix system works where files are concerned.

To configure a network interface with a static IP, a few files have to be created. The name of a network interface derives from the name of the driver that drives the interface plus the interface number, (0) being the first interface and (1) the second. The data needed to configure the network interface is:

- IP address (192.168.123.105)
- Subnet address + netmask (192.168.123.0 255.255.255.0)
- A host name (eclipse)
- A gateway (192.168.123.254)
- One or more nameservers (192.168.123.254)

It is assumed that the environment being configured uses a router acting as the gateway to the internet. It is assumed that the driver for the network interface is installed and that the interface is recognised by the system:

[eclipse]# dladm show-dev
nfo0 link: unknown speed: 100 Mbps duplex: unknown

It is assumed that the network interface is already plumbed and enabled:

ifconfig nfo0 plumb up

Note: I used these examples to configure an internal host on my own network; the IP addresses will have to be changed according to the internal IP ranges and classes you have.

The network interface I will configure in the following examples is nfo0, nfo being the driver that drives it and the value (0) being the interface number (the first network interface of this system).

Note: A small observation: lo0 also carries the value 0, but it is the first loopback interface. It is normal for it not to be numbered 1, since it has nothing to do with the physical interface; it is not the second interface in the system but still the first, just not a physical one.

Let us nevertheless assume that initially the system uses DHCP to obtain an IP address. In that case the following file will exist on the system: /etc/dhcp.nfo0. It is an empty file with no data but with an important role, because its existence causes the DHCP client (dhcpagent) to be started for the interface when svc:/network/physical comes up. On Solaris 10 you can list the services with the SMF commands:

svcs -a | grep -i agent
disabled 0:37:32 svc:/application/management/common-agent-container-1:default

Note: the common-agent-container service that this grep turns up is the Java management agent container and has nothing to do with DHCP, so its state tells you nothing about the interface. The reliable checks are `pgrep -l dhcpagent` and the DHCP flag in the `ifconfig -a` output shown further below.

To move to a static configuration this file, /etc/dhcp.nfo0, must be removed if it exists; I note that it does not exist by default, and that the network interface has to be configured manually in any case, whether statically or dynamically. Once these checks have been made, the static configuration can begin. As I said, this procedure involves configuring some files, or rather entering data into a few files.

The first file to create is the interface file, which will contain the static IP address we are configuring (the file name carries the interface name, so for nfo0 it is /etc/hostname.nfo0):

echo "192.168.123.105" > /etc/hostname.nfo0

The second file is /etc/netmasks, where we enter the subnet address and the netmask:

echo "192.168.123.0 255.255.255.0" >> /etc/netmasks

The third file to create is /etc/defaultrouter, which holds the gateway:

echo "192.168.123.254" > /etc/defaultrouter

The fourth file to create is /etc/nodename, which holds the host name:

echo "eclipse" > /etc/nodename

(Note: /etc/defaultdomain holds the NIS/NIS+ domain name, not the host name; leave it alone unless you use NIS.)

Another file that has to be populated is /etc/hosts:

echo "192.168.123.105 eclipse" >> /etc/hosts

We also specify the DNS servers for the connection in a file. The nameserver can be the gateway address or, if one exists, the address of some other nameserver:

echo "nameserver 192.168.123.254" > /etc/resolv.conf

The last file to configure is /etc/nsswitch.conf, and it is very important, because without the correct directive in this file you will not be able to do name resolution. First of all, if /etc/nsswitch.conf does not exist, a copy can be taken from /etc/nsswitch.files. What matters is that the following directive is present:

hosts: dns files

(The usual form is `hosts: files dns`, so that local /etc/hosts entries are consulted before DNS; either order resolves names, the difference is only which source is tried first.) By default it will usually be just:

hosts: files

Once these options are configured, the network can be restarted:

[eclipse]# svcs -a | grep physical
online 13:50:12 svc:/network/physical:default
[eclipse]# svcadm restart svc:/network/physical:default

A simple ifconfig will show that we are not using a DHCP server to assign the IP address:

[eclipse]# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
nfo0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.123.105 netmask ffffff00 broadcast 192.168.123.255
        ether 0:x:xx:xx:xx:xx

Note: When the IP is assigned by a DHCP server, ifconfig shows the following output (note the DHCP flag):

[eclipse]# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
nfo0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
        inet 192.168.123.105 netmask ffffff00 broadcast 192.168.123.255
        ether x:x:xx:xx:xx:xx

The routing table can also be checked to understand better whether everything was configured correctly:

[eclipse]# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
default              192.168.123.254      UG      1    225
192.168.123.0        192.168.123.105      U       1     15   nfo0
127.0.0.1            127.0.0.1            UH      1     64   lo0

Happy static internet navigation!!!
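The whole procedure above, as an added example that is not part of the original HowTo: a small script that renders the same Solaris 10 files (hostname.<iface>, netmasks, defaultrouter, nodename, hosts, resolv.conf, the hosts: line of nsswitch.conf, and removal of the dhcp.<iface> marker) from the HowTo's values, but validates them first with the ipaddress module (address and gateway inside the subnet, a well-formed mask) and writes them into a staging directory instead of the live /etc, so a typo is caught before the network is restarted. The values are the HowTo's own; the staging root, function names and the choice of `files dns` order are this example's assumptions.

```python
"""Added example (not part of the original HowTo): render and sanity-check the
Solaris 10 static-network files the HowTo creates by hand, staging them under
a scratch root (default /tmp/stage) rather than writing straight into /etc."""
import ipaddress
import os
import re

HOSTS_LINE = re.compile(r"^hosts:.*$", re.MULTILINE)


def render_static_config(iface, ip, subnet, netmask, hostname, gateway, nameservers):
    """Return {path: (mode, content)}; mode is 'overwrite', 'append' or 'remove'.
    Raises ValueError when the values cannot form a working configuration."""
    net = ipaddress.IPv4Network(f"{subnet}/{netmask}")      # rejects a bad mask or host bits
    for label, addr in (("address", ip), ("gateway", gateway)):
        if ipaddress.IPv4Address(addr) not in net:
            raise ValueError(f"{label} {addr} is not inside {net}")
    if ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(gateway):
        raise ValueError("address and gateway must differ")
    if not nameservers:
        raise ValueError("at least one nameserver is required")
    return {
        f"/etc/dhcp.{iface}": ("remove", ""),                 # marker that starts dhcpagent
        f"/etc/hostname.{iface}": ("overwrite", f"{ip}\n"),
        "/etc/netmasks": ("append", f"{net.network_address} {net.netmask}\n"),
        "/etc/defaultrouter": ("overwrite", f"{gateway}\n"),
        "/etc/nodename": ("overwrite", f"{hostname}\n"),
        "/etc/hosts": ("append", f"{ip}\t{hostname}\n"),
        "/etc/resolv.conf": ("overwrite", "".join(f"nameserver {ns}\n" for ns in nameservers)),
    }


def fix_nsswitch(text):
    """Rewrite (or add) the hosts: directive so local files are consulted, then DNS."""
    if HOSTS_LINE.search(text):
        return HOSTS_LINE.sub("hosts:      files dns", text, count=1)
    return text + "hosts:      files dns\n"


def stage(files, root="/tmp/stage"):
    """Apply the rendered files under ROOT; returns (action, path) pairs.
    Never touches the live /etc: copy the tree over by hand after review."""
    done = []
    for path, (mode, content) in files.items():
        dest = os.path.join(root, path.lstrip("/"))
        if mode == "remove":
            if os.path.exists(dest):
                os.remove(dest)
            done.append(("remove", dest))
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "a" if mode == "append" else "w") as fh:
            fh.write(content)
        done.append((mode, dest))
    return done


if __name__ == "__main__":
    cfg = render_static_config("nfo0", "192.168.123.105", "192.168.123.0", "255.255.255.0",
                               "eclipse", "192.168.123.254", ["192.168.123.254"])
    for action, path in stage(cfg):
        print(f"{action:9} {path}")
    print(fix_nsswitch("passwd:     files\nhosts:      files\n"), end="")
```

After reviewing the staged tree, copy it into /etc and run `svcadm restart svc:/network/physical:default` as the HowTo does; the validation step is what saves you from the classic lock-out of pointing defaultrouter at an address outside the interface's subnet on a remote box.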