
User talk:Maliciousbrains

From Wikipedia, the free encyclopedia

A detailed analysis of the continuously evolving threat of malware


Author: Rajdeep (aka ~MaliciousBrains~)
Website: http://www.malwareinfo.org
Blog: http://blog.malwareinfo.org
Forum: http://forum.malwareinfo.org
Email: rajdeep@malwareinfo.org


The purpose of this article is to help users analyze an executable, process or binary running on their system and determine whether it is malware. The analysis is done in a controlled environment without antivirus software, debuggers, disassemblers or other specialised tools; instead we rely on a set of freely available utilities described below.


The steps for malware analysis followed in this article are taken from the article "Malware Analysis for Administrators" by S.G. Masood of F-Secure (http://www.securityfocus.com/infocus/1780). The basic methodology he proposes has been kept unchanged; this article tries to explain it in much more detail.


—Preceding unsigned comment added by 121.247.130.179 (talk) 14:58, 19 August 2008 (UTC)[reply]

Introduction


Traditionally, malware analysis has been considered very complicated, and some of the techniques involved really are beyond the reach of a normal user. Today, however, there is a clear need for people to be able to analyze malware themselves, which means the analysis techniques must be simplified enough for an average computer user to follow. Unfortunately, the available information is either too complicated for average users or scattered across many sources. This tutorial tries to fill that gap and to make the process simple enough for average users to understand and try hands-on.


Basics


Malware has become the most dangerous and damaging nuisance of the Internet era. It is no exaggeration to say that anyone connected to the Internet stands a good chance of being affected by it, so it is important to have at least a basic overview of the threat. We will look at some basic details of what is called malware.


What is Malware?


Malware is malicious software, designed specifically to damage your system or disrupt the normal computing environment. A Trojan horse, worm, virus or spyware can all be classified as malware, and some advertising software is malicious too, for instance when it tries to reinstall itself after you have removed it. Whether a binary is malware is decided on the basis of what it does, which is exactly what the analysis in this article tries to establish.


Types of Malware


Malware includes viruses, worms, Trojan horses, rootkits, spyware, dishonest adware and other malicious or unwanted rogue software; in short, anything that contaminates the system and carries out malicious activity. The best-known types are viruses and worms, which are classified by the way they spread rather than by any other particular behavior.

Virus: A computer virus is a program that can copy itself and infect a computer without the permission or knowledge of the user. A virus can only spread from one computer to another when its host is carried to the uninfected computer, for instance by a user sending it over a network or the Internet, or on removable media such as a floppy disk, CD or USB drive.

Worm: A computer worm is a self-replicating program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.

Trojan horse: A piece of software that appears to perform one action but in fact performs another, typically a malicious one. Trojan horses are notorious for installing backdoor programs that the author of the Trojan can later use to get into the system. Such systems become "zombies" that the attacker can control completely.

Spyware: Software installed surreptitiously on a personal computer to intercept or take partial control of the user's interaction with the computer, without the user's informed consent. The term suggests software that secretly monitors the user's behavior, but spyware also collects personal information, interferes with the user's control of the computer by installing additional software, redirects web browser activity, silently visits websites that deliver further malware, or diverts advertising revenue to a third party.

Adware: Software that has advertising functions integrated into or bundled with it; the programmer usually sees this as a way to recover development costs. Adware automatically plays, displays or downloads advertising material after the software is installed or while the application is being used. Some adware is also spyware and can be classified as privacy-invasive software.

There can be many more categories of Malware depending on their characteristics and malicious activities. However, detailed description of those is not within the scope of this article.

Background of Malware Analysis


Malicious software can easily be considered the greatest threat to Internet security today. Earlier, viruses were more or less the only form of malware; now the threat includes a wide range of sophisticated programs: network-aware worms, Trojans, DDoS agents, IRC-controlled bots, spyware, rootkits and more. The infection vectors have also multiplied, as malicious agents now use e-mail address harvesting, browser exploits, operating system vulnerabilities, P2P networks and other replication techniques that keep appearing.

A relatively large share of the software a normal Internet user encounters online is, or can be, malicious in some form. Most of this malware is caught by antivirus software, spyware removers and similar tools, but that protection is not always enough: sometimes a small, benign-looking binary sneaks through all of these layers and compromises the system and the user's data. Reasons for such a breach include:

> Users not updating their antivirus signatures regularly
> Users not keeping their systems well patched
> Failure of the antivirus software's heuristics engine
> New or low-profile malware that antivirus vendors have not yet discovered
> Custom-coded malware for which no signature exists, so signature-based antivirus cannot detect it
> Firewall not installed or not properly configured

Malware is continuously evolving, and antivirus vendors find it difficult to keep up with the ever-growing list of threats; in some cases a vendor may choose not to add a signature for a particular sample at all. That should not stop knowledge seekers from using freeware tools and techniques to analyze files themselves and develop their own detection and prevention measures. Although antivirus software keeps getting better and more sophisticated, a small but significant share of malware escapes this predefined screening and manages to compromise both the system and the network, and that share is growing every day.

It is important for users, and essential for administrators, to be able to determine whether a binary is harmful by examining it manually, without relying on automated scanning engines. How much information an analysis must produce depends on the user's needs. A normal user may only want to know whether a binary is malicious; an administrator may want to know the registry values the binary creates, the copies of itself it drops, the types of files it infects, and what its payload actually does, which may mean reverse engineering the binary completely.


Techniques for Malware Analysis


There are basically two techniques that are used for analyzing a Malware:

> Code Analysis (Reversing)
> Behavior Analysis

In most cases, a combination of both these techniques is used. However, we will consider code analysis first.


Code Analysis


Code analysis is one of the primary techniques for examining malware. The best way to understand how a program works is, of course, to read its source code, but the source of most malware is not available: malicious software is distributed as binaries, and binary code has to be examined with debuggers and disassemblers. Using these tools requires specialised knowledge that only a small minority has. Given enough time any binary, however large or complicated, can in principle be reversed completely with code analysis, although packing and obfuscation make the job considerably harder. Some aspects of code analysis and reverse engineering will be dealt with later.

Behavior Analysis


Behavior analysis is concerned with what the malicious software does. Like an animal under observation in a zoo, the binary is kept in a tightly controlled environment and its behavior is scrutinised. This is usually done inside a virtual machine so that the effects of the malware can be contained. The changes it makes to its environment (file system, registry, network and so on) and its communication with the rest of the network and with remote hosts are monitored closely and recorded. The collected data is documented and analyzed, and the complete picture is reconstructed from these separate pieces of information. Bear in mind that some malware checks whether it is running in a virtual machine and behaves differently if so, so an inconclusive run in a VM does not prove a binary is harmless.

The best thing about behavior analysis is that it is within reach of an average administrator or even a normal user. Although it does not recover the binary's code, it is sufficient for most needs: an antivirus researcher will want more, but for most users and administrators behavior analysis answers all their questions. This article therefore deals mainly with behavioral analysis of malware and the ways and tools with which it can be done.

Goals of the Analysis


The goal of this article is to provide a set of behavior analysis techniques for reverse engineering the activities of malware in a controlled environment. The learning curve should be gentle enough to be within the reach of average users. Using these methods, people should be able to analyze an unknown binary and determine whether it is malware. Those who need more in-depth knowledge can go on to reverse engineer the binary and document its workings completely.

Assumptions

This paper makes a few assumptions for the sake of convenience and clarity. These are:

> The malware is assumed to be a Win32 binary for the Intel x86 platform
> We sometimes refer to the malware as "the binary"; a piece of malware can however consist of one or more binaries
> The machine on which the binary is executed is referred to as the "Sandbox" or the "Victim Computer"
> The other machine on the test network is referred to as the "Sniffer Computer"

Tools used in Malware Analysis


Since the goal is a generic set of techniques, the tools mentioned here are only proposed tools, all freely available. Any other tool with the same or similar functionality can be used in their place, though the ones suggested here are recommended (versions may vary). The tools we use for the analysis are:

Microsoft Virtual PC 2007: Virtual PC 2007 is a software virtualization solution that allows you to run multiple PC-based operating systems simultaneously on one workstation. We will use it to create the "Sandbox" or "Victim Computer".
SysInternals Process Explorer: To find out which files, registry keys and other objects running processes have opened, which DLLs they have loaded, and more.
SysInternals AutoRuns: To see what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
SysInternals FileMon: This monitoring tool shows all file system activity in real time.
SysInternals RegMon: This monitoring tool shows all registry activity in real time.
SysInternals Process Monitor: An advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity; it has since replaced FileMon and RegMon.
7th Sphere Port Scan: This is probably the best Windows port scanner I have used; it is fast and accurate. Fport is also a good choice as it maps each open port to its owning process.
FileAlyzer: This is a file analysis tool that can be used as a standalone utility or with SpyBot S&D.
Trend Micro HijackThis v2.0.0: This program will scan the system and will generate a log file containing the registry, file and BHO settings, which are commonly manipulated by Malwares.
ESUG Loadpoint Diagnostic: This is a tool that I received from the Symantec support guys, and I don't think it can be downloaded; however, I will try to upload it so that people can benefit from it. This command-line tool scans the system and generates a zip file containing a detailed HTML summary of the entire system.
Network Active PIAFCTM: This is a packet Sniffer. You can use any other good packet Sniffer if you wish to.
InstallWatch: A utility that tracks changes made to your system during the installation or removal of software or hardware. It tracks deletions, or modifications to files and directories, INI files, and the Registry.
Resource Hacker: A freeware utility to view, modify, add, delete and extract resources from 32bit Windows executables.

More tools could be used to streamline this approach, but for now we work with the ones listed above. A detailed description of each tool used in our analysis will be provided at the end of this article.


Methodology


The proposed methodology to go ahead with this behavioral analysis of a Malware will be broadly divided into six stages. They are:

> A controlled environment
> Baseline the environment
> Information gathering
> Analysis (Static/Dynamic)
> Reconstructing the scenario
> Documenting the results


Creating a controlled environment


Setting up a controlled environment is absolutely essential for analyzing malware. A "test environment" is created for this purpose, with the following essential features:

> At least two systems should be used: one hosts the malicious binary (the Sandbox), the other baselines and sniffs the network traffic (the Sniffer Computer). They should be networked in such a way (for instance a local-only virtual network) that the Sniffer Computer sees all of the Sandbox's traffic. We will use Microsoft Virtual PC to create the Sandbox and use the host OS as the Sniffer Computer.

> These two systems should be isolated from the rest of the network. Internet access from the Host/Sniffer Computer is useful for research, but the Sandbox itself should only be allowed out when you deliberately want to observe the binary talking to remote hosts: a worm given Internet access will try to infect other machines.

> Fresh copies of the operating system should be installed on both machines. We install Windows XP Professional SP2 on both, without any further updates or hotfixes, so that malware which exploits a vulnerability in XP SP2 can take full advantage of it and show us its complete behavior. This is one more reason the test network must stay isolated.

> The above mentioned tools should be transferred to the relevant systems. Later on we will make a note/list of which tool has to be kept in which System.

> The binary that is to be examined should be transferred to the Sandbox.

> It is highly preferable not to install any other application upon the Sandbox apart from the tools required for analysis.

> This is the most basic setup for a malware analysis environment. Depending on the situation, more modifications can be made. For instance, if the malicious binary tries to communicate with a remote server xyz.com, a hosts file entry can be added or a fake xyz.com can be set up on the Host OS, and requests to the host's port 80 redirected to it so that the packets sent can be captured. An excellent paper that discusses the creation of a malware analysis environment is "An Environment for Controlled Worm Replication and Analysis".

> We may have to return to this "creating a controlled environment" stage many times during the analysis process.


Baseline the environment


Baselining the environment is the next important step in any malware analysis. To "baseline" means taking a snapshot of the current state of the two systems, especially the Sandbox, to serve as the benchmark for comparison: our goal is to determine the differences in the configuration and state of the Sandbox after the binary has run.

This is the most vital stage of the analysis. If baselining is not done properly it seriously affects the information-gathering stage, and in turn our understanding of the binary and what it does once executed in the Sandbox. If baselining is done well, the information gathered in the next stage will be accurate and the behavioral analysis will give a clear picture of the malware.

To accomplish this, the binary is executed in the controlled environment and the changes it makes to that environment are captured: a snapshot is taken before execution (the baseline) and another afterwards. In theory the difference between the two shows exactly the changes made by the binary; in practice the operating system itself keeps writing to the file system and registry, so the Sandbox should be idle when both snapshots are taken and routine background noise has to be recognised and discounted.


Baselining the Sandbox


The elements of the Sandbox environment that have to be baselined are:

File System & Installed Applications: The file system on the victim host has to be baselined. Many programs can create a snapshot of the file system and, after changes occur, point out the modifications; among those we can use are InstallWatch, Loadpoint Diagnostic and AutoRuns.

Registry: The registry is the next component to baseline. Most malware relies on registry entries, so it is crucial to capture registry modifications. InstallWatch and Loadpoint Diagnostic, mentioned above, can be used for registry baselining.

Running processes: A snapshot of the running processes can be created with a number of programs, several of them from SysInternals (Process Explorer, for instance).

Open Ports: A snapshot of the open ports can be created with the 'netstat' utility. Plain netstat output does not show which process owns a port; on Windows XP, 'netstat -ano' adds the owning process ID and 'netstat -b' (XP SP2 and later) the executable name. We can also scan the Sandbox with 7th Sphere Port Scan, and Fport is another good choice as it maps each open port to its owning process.

Network traffic: The next element to baseline is the network traffic. Even when no application is running on either machine there is still some traffic. This has to be recorded so that the "normal traffic" on our test network is defined; any deviation from that pattern can then be assumed to come from the binary and examined further. The sniffing software on the "Sniffer Computer" is used for this; any sniffer running in verbose mode is sufficient, but a protocol analyzer such as Network Active PIAFCTM or Ethereal (now Wireshark) makes the task easier.

External view: Although we have created a snapshot of the open ports from inside the Sandbox, it is always better to create another from an external machine. A port scanner running on the "Sniffer Computer" achieves this; 7th Sphere Port Scan is the one used here. Comparing the two views also reveals ports that a rootkit hides from the Sandbox's own netstat.

Users, Groups, Network Shares and Services are some of the other elements that should be baselined as well.
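The snapshot-and-diff idea behind this whole stage, written out as a small Python script. This is an added example, not code from the original article or from the MalwareInfo.Org tools: it snapshots a directory tree (size plus SHA-256 of every file) and a parsed 'netstat -ano' listing, takes both again after the binary has run, and reports what was added, removed or modified. The directory tree, the dropped file name and the netstat text are constructed for the demonstration.

```python
"""Baseline-and-diff for the Sandbox (added example, not from the article).
Snapshot the file system and the listening sockets before the binary runs,
snapshot again afterwards, and report what changed. The sample directory
tree and the netstat text below are constructed."""
import hashlib
import os
import tempfile

# Constructed `netstat -ano` output, as an idle Windows XP box would print it.
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""
# The same box after the binary ran: one new listener (hypothetical).
NETSTAT_AFTER = NETSTAT_BEFORE + (
    "  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1544\n"
)


def snapshot_files(root):
    """Map every file below root to (size, sha256). Hashing rather than
    trusting mtime means a file rewritten in place with its timestamp
    restored still shows up as modified."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[os.path.relpath(path, root)] = (os.path.getsize(path), digest.hexdigest())
    return snap


def parse_netstat_ano(text):
    """Parse `netstat -ano` output into {"PROTO local": (state, pid)}.
    UDP rows have no State column, so their state is recorded as ""."""
    sockets = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        if parts[0] == "TCP":
            proto, local, _remote, state, pid = parts[:5]
        else:
            proto, local, _remote, pid = parts[:4]
            state = ""
        sockets[f"{proto} {local}"] = (state, int(pid))
    return sockets


def diff_snapshots(before, after):
    """Keys added, removed and changed between two snapshot dicts."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def demo():
    """Baseline, simulate the binary's side effects, re-snapshot, diff."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "WINDOWS", "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "hosts"), "wb") as fh:
            fh.write(b"127.0.0.1 localhost\n")
        baseline = snapshot_files(root)
        # Effects a dropper might have: a new executable and an edited hosts file.
        with open(os.path.join(sysdir, "svhost32.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)
        with open(os.path.join(sysdir, "hosts"), "ab") as fh:
            fh.write(b"127.0.0.1 update.example-av.test\n")
        files = diff_snapshots(baseline, snapshot_files(root))
    ports = diff_snapshots(parse_netstat_ano(NETSTAT_BEFORE), parse_netstat_ano(NETSTAT_AFTER))
    return files, ports


if __name__ == "__main__":
    for label, result in zip(("files", "ports"), demo()):
        print(label, result)
```

On a real Sandbox you would run snapshot_files against the system drive (and exclude the paging file, event logs and other files the OS rewrites on its own), paste the real netstat output into parse_netstat_ano, and treat anything that survives after discounting that background noise as the binary's doing.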


Information gathering


Now that the preparations are over, we can go ahead. This is the only stage in which we actually interact with the malware. A lot of raw information about the binary is collected here and analyzed in the next stage, so it is very important to record everything carefully. The information collection stage consists of:

Static analysis

During static analysis we collect as much information about the binary as possible without executing it, using several techniques and tools. Static analysis can reveal embedded scripts, HTML, GUI elements, passwords, commands, control channels and so on. Simple things like the file name, size and version string are recorded first. Human-readable strings are then extracted from the binary with a program such as Binary Text Scan and recorded; they often reveal a lot about the function of the binary. If almost no meaningful strings come out, the binary is probably packed or encrypted, which is itself worth noting: its strings will only become visible in memory once it runs.

Resources that are embedded in the binary are extracted and recorded. A program like Resource Hacker can be used for this purpose. The resources that can be discovered through this process include GUI elements, scripts, HTML, graphics, icons, and more.
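The string-extraction step above, as an added Python example (not Binary Text Scan or any other tool from the article). It pulls both plain ASCII and UTF-16LE runs, because Win32 binaries keep registry paths and messages in either form, and then sorts the hits into the categories a first look cares about: URLs and IP addresses, autorun registry keys, IRC commands and process-injection APIs. The byte blob it scans is constructed; the IRC nick, the channel and the URL in it are made up.

```python
"""Extract printable strings from a binary and flag the interesting ones.
Added example, not code from the original article; SAMPLE is a constructed
blob standing in for an unknown Win32 binary."""
import re

# Constructed sample: a few ASCII strings, one UTF-16LE registry path,
# IRC bot commands and a download URL, separated by non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 10
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"\x01\x02\x03"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"NICK [XP]-4471\x00JOIN #warez\x00"
    + b"http://203.0.113.17/dl/update.exe\x00"
    + b"\xff\xfe\x00\x01"
)

# Patterns an analyst looks for first; the labels are this example's own.
INDICATORS = {
    "url": re.compile(r"https?://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "autorun_key": re.compile(r"CurrentVersion\\(?:Run|RunOnce|RunServices)", re.I),
    "irc": re.compile(r"^(?:NICK|JOIN|PRIVMSG|USER) ", re.I),
    "injection_api": re.compile(r"^(?:CreateRemoteThread|WriteProcessMemory|SetWindowsHookEx)"),
}


def extract_strings(data, min_len=5):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII or UTF-16LE, ordered by offset."""
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE text is printable byte, NUL, printable byte, NUL, ...
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()
    return found


def classify(strings):
    """Group extracted strings by the indicator pattern they match."""
    hits = {}
    for _offset, _encoding, text in strings:
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append(text)
    return hits


def analyze(data=SAMPLE, min_len=5):
    """Strings -> indicators, the way a first static pass would report them."""
    return classify(extract_strings(data, min_len))


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:#08x} {encoding:8} {text}")
    for label, texts in analyze().items():
        print(label, texts)
```

Point it at a real file with open(path, "rb").read(); a near-empty result on a file of several hundred kilobytes is the packed-binary case the paragraph above warns about.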

Dynamic analysis

During this stage we actually execute the binary and observe its interaction with the environment. All monitoring tools, including the sniffer, are started first. Different experiments are carried out to test how the running malware process responds to our tools, and any attempts to communicate with other machines are recorded. A new snapshot of the environment is then created, just as in the baselining stage.

Once the changes the malware makes have been captured, the malware process is terminated and the differences between the new snapshot and the baseline are determined. Because dynamic analysis is so similar to the baselining stage, the same tools are reused: Loadpoint Diagnostic and InstallWatch for the snapshots, and AutoRuns, FileMon and RegMon from SysInternals to watch the file system and registry of the Sandbox in real time while the binary runs.

The information recorded here forms the input for the next stage: new files, registry entries, open ports and so on. Sometimes static analysis has to be repeated after dynamic analysis, for instance on files the binary dropped or unpacked.


Analysis


This is the stage where we finally reverse engineer the binary from all the information collected in the previous stages. Each piece of information is analyzed again and again until the "jigsaw puzzle" is complete; then the bigger picture appears and the reverse engineering process is finished. Before that is achieved we may have to repeat the previous stages several times. The process of reverse engineering malware will be covered in another article dedicated to reverse analysis.

The goals of the individual or organization evaluating the malware determine the type of analysis, and because goals differ no standard methodology is given for this stage: an organization looking for deviations from its stated security policy will want different information than a home user. Although a complete methodology for analyzing the information is beyond the scope of this paper, a few techniques are presented here, and in many cases they are sufficient.

Internet searches


A search engine can be used to find more information on the malware, using keywords drawn from the static analysis step: file names, registry entries, commands and the like often reveal a lot. Good sources include online virus databases (mostly maintained by antivirus vendors), newsgroups and mailing lists. Often an Internet search reveals almost everything about a sample and no further research is needed.

One very interesting and important site that I personally refer to before carrying out any Malware Analysis process is: http://www.virustotal.com

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of Viruses, Worms, Trojans and all kinds of Malware detected by antivirus engines.

Features:
> Free, independent service
> Use of multiple antivirus engines
> Real-time automatic updates of virus signatures
> Detailed results from each antivirus engine
> Real-time global statistics

Personally, I also submit any suspicious binary to the Microsoft Malware Protection Center (MMPC), and it's for sure that even if the Malware is not getting detected by any of the Antivirus Scanners, MMPC responds back within 10-12 hours of submission. The Virus Submission URL of MMPC is: https://www.microsoft.com/security/portal/submit.aspx

Startup methods


Every piece of malware needs a way to ensure it is executed again when the system reboots, and this is its most vulnerable aspect. All operating systems offer a number of ways for a program to start automatically at boot. The information collected during static and dynamic analysis can be used to identify the startup methods the malware uses.

A section describing the various startup methods used by malware will be added at the end of this article. The SysInternals AutoRuns tool does the job for us during analysis: it monitors more startup locations than any other startup utility available today, giving us every opportunity to find the way in which a piece of malware comes alive.


Spreading/Traversal mechanism


If the malware under observation is a self-spreading worm or a virus, the collected network traffic will easily reveal its spreading mechanism. In most cases a brief analysis of the network traffic is enough; otherwise, file system and registry activity is studied to find out what the payload does.


Documenting the findings


Documenting the results of the malware analysis is essential. One of the main advantages is that the knowledge captured in the documentation can be reused in later analyses. The documentation will differ from individual to individual and organization to organization, depending on their requirements and purpose.


Conclusion


This article has shown that a basic behavioral analysis of malware can easily be performed by an administrator, or indeed by a power user. While this approach does not give the same level of detail as code analysis or reverse engineering, it is still sufficient for most people's needs when working out what a potentially malicious binary is capable of and how to go about removal and disinfection.

Read further

Case Study: A known rogue application
Analysis of a real Malware

http://www.malwareinfo.org/files/WhitePaper.pdf

Some archived Analysis Reports:
(you can stay updated about this list from the url: http://www.malwareinfo.org/archive.html)

MalwareInfo.Org Tools & Utilities


AMIR - Advance Malware Identification & Removal Download Link: http://www.malwareinfo.org/Utilities/AMIR.zip

USBActivityMonitor



Published: June 28, 2008

Aka: USBMalwareStopper
Version: 1.0.0.0
Copyright: MalwareInfo.Org
File size: 236 KB (241,664 bytes)
MD5: 8430684b9458d49d5a0733e777b003fc
SHA1: 920d03200cf8d79c7258e4793e36413e9b73b5ec
SHA256: 96e2fd71ab62de8dc2482cc70769824891e4143fa64d2b4a9737acc0164c3b82
SHA512: 065b59505fd6f767f6dcceb19a74dd64f8915705321906d744f8f05ade3b6c2205d4f4c152acd8f05ab2e7291cf1c6c92289005e3b7e381ea54b03713dff883f
Prerequisite: DotNet Framework 2.0
Installation: Simply extract and run USBActivityMonitor (USBActivityMonitor.exe)

PE Structure Information:

Base Data:
Entry Point Address.: 0x43881e
Time Date Stamp.....: 0x48670f01 (Sun Jun 29 04:26:41 2008)
Machine Type...........: 0x14c (I386)

Sections:
Name    VirtAddr  VirtSize  RawSize  Entropy  MD5
.text   0x2000    0x36824   0x37000  7.52     e2941ebef091d3d1f026c91065fc72dd
.sdata  0x3a000   0xcc      0x1000   0.50     ca73773af3103914cf0b6ae49d5c5cb3
.rsrc   0x3c000   0x8b0     0x1000   3.15     798d94823dc1389d0a6791a159ecede3
.reloc  0x3e000   0xc       0x1000   0.02     3fb289bf95d0f58920117f0e9ffa7761

Imports:
> mscoree.dll: _CorExeMain
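How a dump like the one above is produced, as an added Python example (it is not the tool that generated the listing and not part of USBActivityMonitor). It walks the DOS header, PE signature, COFF header, optional header and section table with nothing but struct, and reports the same fields: entry point, TimeDateStamp, machine type, and per-section virtual address and size, raw size, Shannon entropy and MD5. It also flags sections that are executable and near-random, the packer sign that is the reason entropy appears in such dumps at all. The PE32 image it parses is constructed in memory and is not a runnable program; its timestamp is the one from the listing above.

```python
"""Minimal PE32 header walker (added example, not the article's tool).
The image it parses is built in memory by build_sample_pe()."""
import datetime
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_timestamp(ts):
    """Format TimeDateStamp the way the dump above does (UTC)."""
    dt = datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)
    return dt.strftime("%a %b %d %H:%M:%S %Y")


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header ->
    section table. Raises ValueError for anything that is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10b = PE32, 0x20b = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
            "flags": flags,
        })
    return {"machine": machine, "magic": magic, "timestamp": tstamp, "entry_point": entry, "sections": sections}


def packer_hints(pe):
    """Names of sections that are executable and near-random (entropy >= 7.0)
    or both writable and executable: typical of packed or self-modifying code."""
    hints = []
    for s in pe["sections"]:
        exe = s["flags"] & IMAGE_SCN_MEM_EXECUTE
        wrt = s["flags"] & IMAGE_SCN_MEM_WRITE
        if (exe and s["entropy"] >= 7.0) or (exe and wrt):
            hints.append(s["name"])
    return hints


def build_sample_pe():
    """Constructed PE32 image: a high-entropy .text and a constant .rdata."""
    secs = [(b".text", 0x1000, bytes(range(256)) * 2, 0x60000020),
            (b".rdata", 0x2000, b"A" * 512, 0x40000040)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    opt_size = 224                                       # size of a PE32 optional header
    hdr_len = 64 + 4 + 20 + opt_size + 40 * len(secs)
    raw_off = (hdr_len + 0x1FF) & ~0x1FF                 # FileAlignment 0x200
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x48670F01, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)              # entry point RVA inside .text
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    table, bodies, ptr = b"", b"", raw_off
    for name, vaddr, raw, flags in secs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, flags)
        bodies += raw
        ptr += len(raw)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_off - len(image)) + bodies


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"Entry Point {pe['entry_point']:#x}  Machine {pe['machine']:#x}  {pe_timestamp(pe['timestamp'])}")
    for s in pe["sections"]:
        print(f"{s['name']:8} {s['vaddr']:#08x} {s['vsize']:#08x} {s['rawsize']:#08x} {s['entropy']:.2f} {s['md5']}")
    print("packer hints:", packer_hints(pe))
```

For a real file, parse_pe(open(path, "rb").read()) gives the same table; a .NET binary such as the one listed above has a single import, mscoree.dll!_CorExeMain, because the real code is IL that the runtime loads, which is why its .text entropy sits well below 8.0 rather than at the packed extreme.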

Description:

USBActivityMonitor (aka USBMalwareStopper) is an application that runs in the background and monitors all drives (fixed and removable) to detect the creation of autorun.inf files. Recently there has been an increase in malware that spreads via USB pen drives, and most of us have been troubled by these nasty programs and the unwanted activity they cause. New variants appear so frequently that they often go undetected by the antivirus software running on your computer; AV vendors find it hard to add signatures for all of them in their daily definition updates, so the threat posed by these ever-increasing variants is significant.

Download USBActivityMonitor (236 KB)

USBActivityMonitor quietly monitors USB pen drives from the time they are plugged in until they are removed. It not only protects your computer from this malware but also makes sure that others are not infected by your pen drive: if it finds malware on the pen drive, it makes it inactive.

However, there are various USB utilities, such as data backup and file encryption tools, that also run automatically from a pen drive when it is plugged in. To handle these, I have provided a feature by which you can generate the MD5 hash of such useful tools on your pen drive and place them in an exclusion list. When an autorun.inf calls a file, USBActivityMonitor checks whether the MD5 of that file is present in the exclusion list; if it is, the file is skipped, making sure that legitimate files are not reported as false positives.
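The autorun.inf check and MD5 exclusion list described above, as an added Python example. This is not USBActivityMonitor's code: it is an independent illustration of the same idea, which parses the [autorun] section for the keys that launch a program (open, shellexecute, shell\open\command, shell\explore\command), hashes each referenced file, allows it only if its MD5 is on the exclusion list, and otherwise neutralises the drive. How the real tool neutralises a drive is not stated above; here the assumption is that renaming autorun.inf is enough to stop Explorer from acting on it. The pen drive, its files and the autorun.inf are constructed in a temporary directory.

```python
"""autorun.inf inspection with an MD5 exclusion list (added example, not
USBActivityMonitor's own code). The drive contents are constructed."""
import hashlib
import os
import tempfile

# Keys in [autorun] that cause a program to run (per the autorun.inf format).
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def first_token(cmd):
    """The executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def autorun_targets(inf_text):
    """Files an autorun.inf would launch, in file order. Hand-rolled rather
    than configparser so junk lines, which malware likes to pad the file
    with, are skipped instead of raising."""
    targets, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in AUTORUN_KEYS:
            exe = first_token(value)
            if exe:
                targets.append(exe)
    return targets


def md5_of(path):
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_drive(drive_root, exclusions):
    """Return (target, md5 or None, verdict) for every launch target."""
    inf = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1") as fh:
        text = fh.read()
    results = []
    for target in autorun_targets(text):
        path = os.path.join(drive_root, *target.replace("\\", "/").split("/"))
        if not os.path.isfile(path):
            results.append((target, None, "missing"))
            continue
        digest = md5_of(path)
        results.append((target, digest, "allowed" if digest in exclusions else "blocked"))
    return results


def neutralise(drive_root):
    """Assumption of this example: renaming autorun.inf stops it being honoured."""
    inf = os.path.join(drive_root, "autorun.inf")
    os.replace(inf, inf + ".disabled")


def demo():
    """Constructed pen drive: a trusted backup tool plus a hidden dropper."""
    backup_tool = b"MZ constructed backup tool"
    dropper = b"MZ constructed dropper"
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "RECYCLER"))
        with open(os.path.join(drive, "Backup.exe"), "wb") as fh:
            fh.write(backup_tool)
        with open(os.path.join(drive, "RECYCLER", "x.exe"), "wb") as fh:
            fh.write(dropper)
        with open(os.path.join(drive, "autorun.inf"), "w") as fh:
            fh.write('[AutoRun]\nopen="Backup.exe" /silent\nshellexecute=RECYCLER\\x.exe\n'
                     'icon=Backup.exe,0\nthis line is padding with no key\n')
        exclusions = {hashlib.md5(backup_tool).hexdigest()}   # user-generated allow list
        results = check_drive(drive, exclusions)
        if any(verdict == "blocked" for _, _, verdict in results):
            neutralise(drive)
        still_active = os.path.exists(os.path.join(drive, "autorun.inf"))
    return results, still_active


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The exclusion list is keyed on the hash of the file actually referenced, not on its name, so a dropper that copies itself over Backup.exe is still blocked; and since the check runs before anything is launched, a "missing" verdict (the target does not exist on the drive) is treated as harmless here, which a stricter deployment might also want to log.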

Hope you will like USBActivityMonitor and please feel free to let me know your experience with USBActivityMonitor. Also, please let me know, if there are any bugs in the application.