Jump to content
Aerosol

MALWARE ANALYSIS BASICS - PART 1 & PART 2

By Aerosol, in Reverse engineering & exploit development

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted (edited)

Static Malware Analysis

Starting here, I would like to share the results of my recent research into malware analysis. We will begin with some basics and proceed to advanced levels. In this first installment, we will discuss the techniques involved in static analysis of malware. I will also include some files for illustrative purposes in this document.

Before we directly move onto the analysis part, let us set up context with some definitions.

What is Malware?

Malware is any software that does something that causes detriment to the user, computer, or network—such as viruses, trojan horses, worms, rootkits, scareware, and spyware.

Malware Static Analysis

Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures. Basic static analysis is straightforward and can be quick, but it’s largely ineffective against sophisticated malware, and it can miss important behaviors.

Enough with definitions — let’s get down to Malware Static Analysis Techniques.

Malware Static Analysis Techniques

Uploading the results to VirusTotal

The very first technique in static analysis is to upload the suspicious executable to VirusTotal, which runs the executable against several AV solutions and gives the result. For example, the below file states that the detection ratio is 17 out of 57.

042915_1047_MalwareAnal1.png

Finding strings

Searching through the strings can be a simple way to get hints about the functionality of a program. For example, if the program accesses a URL, then you will see the URL accessed stored as a string in the program.

Microsoft has a utility called “Strings”. When Strings searches an executable for ASCII and Unicode strings, it ignores context and formatting, so that it can analyse any file type and detect strings across an entire file (though this also means that it may identify bytes of characters as strings when they are not). Strings searches for a three-letter or greater sequence of ASCII and Unicode characters, followed by a string termination character.

Below are some examples of strings from which important information can be revealed. Using the Strings utility, files can be searched with following command at the cmd:

  • Strings <filename>

Example 1: Below is a string extraction of keywords from a malicious executable. As we can see, it gives us good information that functions like “FindNextFileA” and “FindFirstFileA”, which shows that this executable will search for a file, and then combining that with “CopyFileA” means that it will find a file and replace it with another file. Another important point to note that is about “Kerne132.dll”. This is a misleading text and should not be confused with “Kernel32.dll”.

042915_1047_MalwareAnal2.png

Example 2: Below is another extraction from a string utility. It shows us that usage of “CreateProcessA” will create a process. Commands like “Exec” and “sleep” are used to control a remote file. It can be a bot as well, and then an IP field, which can be the IP of a controlling server.

042915_1047_MalwareAnal3.png

Example 3: Below is another example of an extraction using Strings. Interesting fields are “InternetOpenURLA” which states that it will connect with some external server to download something, and then we have a http:// file also, which even clarifies the server address from which it will connect and download.

042915_1047_MalwareAnal4.png

How to check if a malware code is obfuscated or not?

Often malware writers obfuscate their codes so that the files are hard to read. When a packed program runs, a wrapper program also runs around to unpack it. With static analysis, it is really hard to predict which files are packed unless it is clearly evident that they are. For example, tools like PEid sometimes are able to tell that the files are packed. In the below figure, it is clearly evident that files are packed with UPX.

042915_1047_MalwareAnal5.png

Files which are UPX packed can be unpacked by the following command:

  • upx –o <newfilename> -d <packedfilename>

PE file sections

ETHICAL HACKING TRAINING – RESOURCES (INFOSEC)

Information gathering from Portable Executable (PE) file format

PE file format is used by Windows executables, DDLs etc. It contains the necessary information for Windows OS loader to run the code. While examining the PE files, we can analyse which functions have been imported, exported and what type of linking is there i.e. runtime, static or dynamic.

PE file sections

A PE file contains a header and some more important sections. Under these sections there is some useful information. Let’s understand these sections as well.

  • .text: This contains the executable code.
  • .rdata: This sections holds read only globally accessible data.
  • [.data: Stores global data accessed through the program.
  • .rsrc: This sections stores resources needed by the executable.

  • Most often malware writers use dynamic linking in their code. For example, with the use of the tool Dependency
  • Walker, we can see in the below screenshot that under WININET.dll are functions like “InternetOpenUrlA”, which states that this malware will make a connection with some external server.
    042915_1047_MalwareAnal6.png
  • Note: Wininet.dll contains higher level networking functions that implement protocols such as FTP, HTTP and NTP.
  • Under the header, there is a subsection named “IMAGE_FILE_HEADER”, which contains the timestamp field. This
  • timestamp shows the compile time of the executable. This is very important information, since if the time is old, then
  • there may a case that AV solutions might have a signature around it. However, this field is not reliable, since the
  • compile can be changed easily by the malware writer.
  • 042915_1047_MalwareAnal7.png
  • Suppose from static analysis, an analyst predicts that the executable will create a process and then suppose the
  • following exec and sleep command is found, but there is no information found about the respective DLL, which has a
  • function to connect with another server. In that case, the resource is hidden with the executable. Open the .rsrc
  • section of PE file with a tool like Resource Hacker to gain more information regarding the malware.

Below is the analysing of the above resource using PEview.

042915_1047_MalwareAnal8.png

As we have learnt with static analysis, there is very little information that can be gathered, but it is very useful too. In a coming article, I will bring in dynamic analysis though basic to the rescue.

Source

MALWARE ANALYSIS BASICS - PART 2 Dynamic Analysis Techniques

As we have covered the malware analysis basics with static techniques here, this post is all about performing the basic analysis of malware using dynamic technique.

As we have seen in the previous post, the ability to fully perform malware analysis is very much restricted using static techniques either due to obfuscation, packing, or the analyst having exhausted the available static analysis techniques.

Precautions

Before performing dynamic malware analysis, be sure to do it in a safe environment. Consider deploying a Windows virtual machine and using VMware for provisioning virtual machines. You should also take a snapshot of the virtual machine before executing the malicious binaries so that the safe state can be easily restored.

Analyzing with Process Monitor

Process Monitor is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activities. Process Monitor monitors all system calls it can gather as soon as it is run. Since there are always huge number of calls being made in the Windows OS, it is sometimes impractical to discover important events. Process Monitor helps this issue with a filter tab through which we can filter by the type of calls. For example, see the screenshot below. It shows that I have applied a filter with operation of “WriteFile” and “RegSetValue”. These are usually the call made by a malicious executable to write the file onto the disk and to make registry changes.

051115_1607_MalwareAnal1.png

After applying the filter, we get a list of following events in Process Monitor.

051115_1607_MalwareAnal2.png

The most important are the top two entries which shows the execution of file and creation of registry entry with a new entry named “Video Driver.” Other entries can be ignored as it is usual for pseudorandom numbers to be generated.

On clicking the first entry, we can even see that what action that call has made. As is clear from the screenshot below, a total 7168 bytes have been written to the file system by this binary.

051115_1607_MalwareAnal3.png

Analyzing with Process Explorer

Process Explorer is a tool used for performing dynamic analysis and can give you a great insight onto the processes currently running onto the system. Below is an example of the process being created after running a binary. Clicking on process can help you reveal whether the process has created any mutant or not.

051115_1607_MalwareAnal4.png

Also it can give you all the information about the DLLs being used by the function. Below, the screenshot shows that the process uses ws2_32.dll, which means that a network connection will be made by this process.

051115_1607_MalwareAnal5.png

Double clicking a particular process will yield more information about the process. Some of the important attributes are:

  1. Verify Option. There is a verify option in every process to check whether that binary is signed by the MS or not. Below, the screenshot depicts that this binary is not signed by the MS.
  2. 051115_1607_MalwareAnal6.png
  3. Threads will showcase the number of threads associated with this process.
  4. Strings tab can help in determining whether there is any process replacement occur or not. If two strings are drastically different then the process replacement might have occur. Below, the screenshot shows that strings in the executable both on disk and in memory.

051115_1607_MalwareAnal7.png051115_1607_MalwareAnal8.png

Using INetSim

INetSim is a free Linux based suite for simulating common Internet services. It is sometimes difficult to analyze a malware without letting it complete execute the code and that can involve contacting the outer world for services over http, https, FTP etc. INetSIM does exactly this by emulating services like Http, Https, FTP and allows analyst to analyze the behaviour of malware. Since this is Linux based, the best way to use this is to install it on a Linux machine and keep it in the same network as that of windows testing machine.

INetSIM can serve any type of request that the malware might request for. For example, suppose a malware requests for an image from the for tis code to execute. INetSIM can fulfil the request of the malware though the image will not be what malware will be looking for but it will keep the malware to keep executing the code. INetSIM can also log all the request from the client regardless of the port. This can be used to record all the data sent from malware.

In the next series, we will move to advanced techniques of malware analysis using both static and dynamic analysis.

Source

Edited by Aerosol
  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...