Malware Analysis: How To...

Rajdeep Chakraborty

A detailed analysis of the continuously evolving threat of Malwares

Contents
* 1 A detailed analysis of the continuously evolving threat of Malwares
* 2 Introduction
* 3 Basics
* 4 What is Malware?
* 5 Types of Malware
* 6 Background of Malware Analysis
* 7 Techniques for Malware Analysis
* 8 Code Analysis
* 9 Behavior Analysis
* 10 Goals of the Analysis
* 11 Tools used in Malware Analysis
* 12 Methodology
* 13 Creating a controlled environment
* 14 Baseline the environment
* 15 Baselining the Sandbox
* 16 Information gathering
* 17 Analysis
* 18 Internet searches
* 19 Startup methods
* 20 Spreading/Traversal mechanism
* 21 Documenting the findings
* 22 Conclusion

A detailed analysis of the continuously evolving threat of Malwares

Author: Rajdeep (aka ~MaliciousBrains~)
Website: http://www.malwareinfo.org
Blog: http://blog.malwareinfo.org
Forum: http://forum.malwareinfo.org
Email: rajdeep@malwareinfo.org / rajdeep.chakraborty@gmail.com

The purpose of this article is to help users analyze an executable, process or binary running on their system and determine whether it is harmful Malware. The analysis is done in a controlled environment without antivirus software, debuggers, code disassembly or any other sophisticated tools or applications. We will, however, take the help of certain freely available tools and utilities to fulfill our requirements.

Introduction

Traditionally, Malware analysis has been considered very complicated, and in fact some of the techniques and methodologies involved are very complicated and well beyond a normal user's access or understanding. In today's scenario, however, there is a clear need for people to learn how to analyze Malware themselves, and the most important factor is that the analysis techniques be simplified enough for even the average computer user to understand. Unfortunately, the information dealing with Malware analysis techniques is either too complicated for average users or so scattered that it is beyond their reach. With this tutorial of sorts, I would try to fill that gap and make the process simple enough for average users to understand and try hands-on themselves.


Basics

Malware has evolved into the most dangerous, damaging and menacing threat of the cyber era. It is no exaggeration to say that if you are connected to the Internet, there is every chance of being affected by this nuisance. So it is very important that we possess at least a basic understanding of this threat. We will look into some basic details of this thing called Malware.


What is Malware?

Malware is malicious software, designed specifically to damage your system or interrupt the normal computing environment. A trojan horse, worm, virus or spyware could be classified as malware. Some advertising software can be malicious by trying to re-install itself after you have removed it. A binary is considered Malware on the basis of certain features, described below.


Types of Malware

Malware can be a Virus, Worm, Trojan horse, Rootkit, Spyware, dishonest Adware or other malicious and unwanted rogue software. Hence Malware is something that usually contaminates the system and carries out malicious activities. The best-known types of Malware are viruses and worms. They are known for the manner in which they spread, rather than for any other particular behavior.

Virus: A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive.

Worm: A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.

Trojan horse: A piece of software which appears to perform a certain action but in fact performs another, malicious one, such as installing a computer Virus. Trojan horses are notorious for their use in installing backdoor programs on the system that can then be exploited by the author of such programs. These systems become zombies that can be completely controlled by the attacker.

Spyware: Computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent. Spyware secretly monitors the user's behavior, collects various types of personal information, and interferes with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, silently accessing websites that deliver more harmful viruses, or diverting advertising revenue to a third party.

Adware: Computer software that comes with advertising functions integrated into or bundled with a program. It is usually seen by the programmer as a way to recover programming development costs. Some types of Adware are also Spyware and can be classified as privacy-invasive software. They automatically play, display, or download advertising material to a computer after the software is installed on it or while the application is being used.

There can be many more categories of Malware depending on their characteristics and malicious activities. However, detailed description of those is not within the scope of this article.

Background of Malware Analysis

The threat of malicious software can easily be considered as the greatest threat to Internet security these days. Earlier, Viruses were, more or less, the only form of Malware. However, nowadays, the threat has grown to include a vast range of highly sophisticated applications viz. network-aware worms, Trojans, DDoS agents, IRC Controlled bots, Spywares, Rootkits and many more. The infection vectors have also changed and grown drastically as malicious agents now use mechanisms like email harvesting, browser exploits, operating system vulnerabilities, and P2P networks and many more unknown, unheard and technologically advanced techniques of replication.

A relatively large percentage of the software that a normal internet user encounters in his or her online activities is, or can be, malicious in some form or other. Most of this Malware is detected by Antivirus software, Spyware removal applications and other similar tools. However, this protection is not always enough, and there are times when a small, benign-looking binary sneaks through all these levels of protection and compromises the system and the user's data. The reasons for this breach can be:

> Users not updating their Antivirus signatures regularly
> Users not keeping their systems well patched
> Failure of Antivirus Software's heuristics engine
> New or low-profile Malware that has not yet been discovered by Antivirus vendors
> Custom coded Malware which cannot be detected by Antivirus
> Firewall not installed or not properly configured

Malware is continuously evolving, and Antivirus vendors are finding it difficult to keep up with this ever-increasing threat list. In some cases, the vendors may opt not to include a signature for a particular piece of Malware. However, this should not prevent knowledge seekers from using freeware tools and techniques to analyze the files and develop their own prevention and detection mechanisms. Though Antivirus software is continually getting better and more sophisticated, a small but very significant percentage of Malware escapes this predefined screening process and manages to enter and compromise both the system and the network itself. Unfortunately, the percentage of Malware escaping this screening process is also growing every day.

It is essential for users, and absolutely essential for administrators, to be able to determine if a binary is harmful by examining it manually, without relying on automated scanning engines. The level of information required from an analysis differs according to the user's needs. For instance, a normal user might only want to know whether a binary is malicious or not, while an administrator might want to know more: the registry values the binary injects, the copies of infected files it creates, the types of files the binary infects, and the actual payload and what it does. That is, they may want to completely reverse engineer the binary for their purposes.


Techniques for Malware Analysis

There are basically two techniques that are used for analyzing a Malware:

> Code Analysis (Reversing)
> Behavior Analysis

In most cases, a combination of both these techniques is used. However, we will consider code analysis first.


Code Analysis (Reversing)

Code analysis is one of the primary techniques used for examining Malware. The best way of understanding the way a program works is, of course, to study its source code. However, the source code for most Malware is not available. Malicious software is more often distributed in the form of binaries, and binary code can still be examined using debuggers and disassemblers. However, the use of these tools is often beyond the ability of all but a small minority because of the specialized knowledge that is required. Given sufficient time, any binary, however large or complicated, can be reversed completely by using code analysis techniques. We will deal with some aspects of code analysis and the reverse engineering process later.

Behavior Analysis

Behavior analysis is more concerned with the behavioral aspects of the malicious software. Like a beast kept under observation in a zoo, a binary can be kept in a tightly controlled environment and have its behavior scrutinized. It is mainly done in Virtual OS environment so that the effects of the Malware can be kept under control. Analysis of activities or changes it makes to the environment (file system, registry, network, etc), its communication with the rest of the network, its communication with remote devices, and so on are closely monitored and information is collected. The collected data is properly documented, analyzed and the complete picture is reconstructed from these different bits of information.

The best thing about behavior analysis is that it is within the scope of an average administrator or even a normal user. Though reverse engineering through behavior analysis does not recover the binary's code, it is sufficient for most users' needs. For instance, it is not sufficient for an antivirus researcher, but for most other users or Administrators, behavior analysis can fulfill all their needs. In this article, we will deal mainly with the behavioral analysis of Malware and the ways and tools with which we can do that.

Goals of the Analysis

The goal of this article is to provide a set of behavior analysis techniques for reverse engineering the activities of Malware in a controlled environment. We also have to keep in mind that the learning curve should be simple enough that it is within the scope of the average user's understanding. Using these methods, people should be able to analyze an unknown binary and determine whether it is Malware or not. Those who require more in-depth knowledge can further reverse engineer the binary and document its workings completely.

Assumptions

This paper makes a few assumptions for the sake of convenience and clarity. These are:

> We assume that the Malware is a Win32 binary on the Intel x86 platform
> We sometimes will refer to the Malware as "Binary". However, a Malware can be a collection of one or more Binaries
> The host machine on which the Binary is executed is referred to as the "Sandbox" or the "Victim Computer"
> The other machine on the test network is referred to as the "Sniffer Computer"

Tools used in Malware Analysis

Since the goal of this article is to propose a generic set of techniques, the tools mentioned in this paper are just "proposed" tools and are readily available as freeware. Any other tool that has the same or similar functionality can be used in place of the proposed ones, however it would be recommended to use the ones suggested here, though the versions may vary. The tools or applications we would be using for our analysis part are:

Microsoft Virtual PC 2007: Virtual PC 2007 is a powerful software virtualization solution that allows you to run multiple PC-based operating systems simultaneously on one workstation. We will be using it to create the "Sandbox" or the "Victim Computer".
SysInternals Process Explorer: To find out what files, registry keys and other objects the running processes have opened, which DLLs they have loaded, and more.
SysInternals AutoRuns: To see what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
SysInternals FileMon: This monitoring tool lets us see all file system activity in real-time.
SysInternals RegMon: This monitoring tool lets you see all Registry activity in real-time.
SysInternals Process Monitor: This is an advanced monitoring tool for Windows that shows real-time file system, Registry and Process/thread activity.
7th Sphere Port Scan: This is probably the best Windows port scanner I've used. It's fast and accurate. Fport is also a good choice as it will map the owning process to the open port.
FileAlyzer: This is a file analysis tool that can be used as a standalone utility or with SpyBot S&D.
Trend Micro HijackThis v2.0.0: This program will scan the system and will generate a log file containing the registry, file and BHO settings, which are commonly manipulated by Malwares.
ESUG Loadpoint Diagnostic: This is a tool that I received from the Symantec Support guys and I don't think it can be downloaded; however, I will try to upload it so that people can benefit from it. This command line tool scans the system and generates a zip file that contains a detailed HTML summary of the entire system.
Network Active PIAFCTM: This is a packet Sniffer. You can use any other good packet Sniffer if you wish to.
InstallWatch: A utility that tracks changes made to your system during the installation or removal of software or hardware. It tracks deletions, or modifications to files and directories, INI files, and the Registry.
Resource Hacker: A freeware utility to view, modify, add, delete and extract resources from 32bit Windows executables.

There may be more tools that could streamline the approach or methodology of this analysis. However, for now we will work with the tools mentioned above. A detailed description of each tool used in our analysis will be provided at the end of this article.


Methodology

The proposed methodology to go ahead with this behavioral analysis of a Malware will be broadly divided into six stages. They are:

> A controlled environment
> Baseline the environment
> Information gathering
> Analysis (Static/Dynamic)
> Reconstructing the scenario
> Documenting the results


Creating a controlled environment

The setting up of a controlled environment is absolutely essential for analyzing Malwares. A "test environment" is created for this purpose. Some essential features of this test environment will be:

> At least two systems should be used. One system is for hosting the malicious binary (Sandbox) and the other is to baseline and sniff the network traffic (Sniffer Computer). They should be networked in such a way that the Sniffer Computer can sniff the Sandbox's network traffic. We will use Microsoft Virtual PC to create the Sandbox and we will use the host OS as the Sniffer Computer.

> These two systems should be isolated from the rest of the network but it is recommended that we have Internet accessibility from the Host/Sniffer Computer.

> Fresh copies of Operating Systems should be installed on each of the two machines. On both systems we will be installing Windows XP Professional SP2; however, we will not be installing any further updates or hotfixes. This is done so that the Malware, in case it exploits any vulnerability in the XP SP2 system, can take full advantage of those vulnerabilities. This gives us a better insight into the activities of the Malware.

> The above mentioned tools should be transferred to the relevant systems. Later on we will make a note/list of which tool has to be kept in which System.

> The binary that is to be examined should be transferred to the Sandbox.

> It is highly preferable not to install any other application upon the Sandbox apart from the tools required for analysis.

> This is the most basic setup for a Malware Analysis environment. Apart from this, and depending on the situation, more modifications can be made. For instance, if the malicious binary tries to communicate with a remote server xyz.com, then specific hosts file entries can be made, or a fake xyz.com can be set up on the Host OS and the requests to the host's port 80 redirected there to trap the packets sent. An excellent paper that discusses the creation of a Malware Analysis environment is "An Environment for Controlled Worm Replication and Analysis".

> We may have to return to this "creating a controlled environment" stage many times during the analysis process.


Baseline the environment

Baselining the environment created for the Malware Analysis process is the next most important step. To "Baseline" means taking a snapshot of the current environment. We will use this snapshot of the state of the two systems, especially the Sandbox, as the benchmark for comparison. Our goal is to determine the differences in the configuration and state of the Sandbox before and after the binary is run.

This will be the most vital stage in our analysis. If baselining is not done properly, it will have a serious effect on the information gathering stage, which in turn seriously affects our understanding of the binary and the activities that the binary will carry out once executed in the Sandbox. If baselining is done efficiently, the information gathered during the next stage will become very accurate and depending on this behavioral analysis we can get a clear picture of the Malware that we would be analyzing.

To accomplish our goals, the binary which has to be analyzed is executed in a controlled environment and the changes it makes to that environment are captured. Before executing the binary, a snapshot of the environment is created (baseline) and then after execution another snapshot is created. In theory, the difference between the baseline and the final snapshot shows the changes made by the binary.


Baselining the Sandbox

The elements of the Sandbox environment that have to be baselined are:

File System & Installed Applications: The file system on the victim host has to be baselined. There are many programs that can create a snapshot of the file system and, after changes occur, point out the modifications. Some of the programs we can use are InstallWatch, Loadpoint Diagnostic, AutoRuns, etc.

Registry: The registry is the next component that is to be baselined. Most Malware applications rely on registry entries. Therefore it is crucial to capture registry modifications. InstallWatch, Loadpoint Diagnostic as mentioned above can be used for registry baselining.

Running processes: A snapshot of the running processes can be created using a number of programs. Some of them are available from SysInternals.

Open Ports: A snapshot of the open ports can be created using the 'netstat' utility. However, it does not list the name of the process that is tied to the port. We can also use 7th Sphere Port Scan to scan the Sandbox. Fport is also a good choice as it will map the owning process to the open port.

Network traffic: The next element that has to be baselined is the network traffic. Even when there is no application running on either of the test machines, there will still be some network traffic. This traffic has to be recorded and the "normal traffic" in our test network has to be defined. This is because when deviations occur in the "normal traffic" pattern, we can assume it to be generated by the binary and perform further testing on it. Sniffing software that is installed on our "Sniffer Computer" is used for this purpose. Any sniffing software running in verbose mode is sufficient for our purposes. However, to make our task easier, it is preferable to use a protocol analyzer like Network Active PIAFCTM or Ethereal.

External view: Although we have created a snapshot of the open ports in the Sandbox, it is always better to create one more snapshot from an external machine. A port scanner running on our "Sniffer System" can achieve this task for us. 7th Sphere Port Scan will be the port scanner we will use here.

Users, Groups, Network Shares and Services are some of the other elements that should be baselined as well.
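The open-ports baseline described above can be captured from the Sandbox and compared mechanically. The following is an added example, not part of the original article or its tools: it parses `netstat -ano` output (the `-o` switch prints the owning PID) from constructed before/after samples, reports sockets that appeared or disappeared, and collects the PIDs to look up in Process Explorer or Fport for the image name. The sample rows, addresses and PIDs are constructed, not captured from a real host.

```python
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local remote state pid")

# One `netstat -ano` row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Constructed baseline output from an idle Sandbox (not captured from a real host).
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.56.101:137     *:*                                    4
"""

# Constructed output after the binary has run: one new listener, one outbound connection.
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       1520
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:1041    192.0.2.10:6667        ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.56.101:137     *:*                                    4
"""


def parse_netstat(text: str) -> list:
    """Turn netstat text into Socket tuples; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            sockets.append(Socket(proto, local, remote, state or "", int(pid)))
    return sockets


def socket_key(s: Socket) -> tuple:
    # The PID is left out of the key so a service that restarted on the same
    # port is not reported as a change; the PID is still carried for follow-up.
    return (s.proto, s.local, s.remote, s.state)


def diff_netstat(before_text: str, after_text: str) -> dict:
    """Sockets present only after execution ("new") or only before ("gone")."""
    before = {socket_key(s): s for s in parse_netstat(before_text)}
    after = {socket_key(s): s for s in parse_netstat(after_text)}
    return {
        "new": [after[k] for k in after if k not in before],
        "gone": [before[k] for k in before if k not in after],
    }


def pids_to_investigate(diff: dict) -> set:
    """PIDs owning the new sockets: map these to image names with Process Explorer or Fport."""
    return {s.pid for s in diff["new"]}


if __name__ == "__main__":
    result = diff_netstat(BASELINE, AFTER)
    for s in result["new"]:
        print(f"NEW  {s.proto} {s.local} -> {s.remote} {s.state} pid={s.pid}")
    for s in result["gone"]:
        print(f"GONE {s.proto} {s.local} -> {s.remote} {s.state} pid={s.pid}")
    print("PIDs to check:", pids_to_investigate(result))
```

Run the same comparison against the external port-scan results from the Sniffer Computer; a port that is open externally but absent from the Sandbox's own netstat listing is itself a finding worth recording.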


Information gathering

Now that the preparations are over, we can go ahead with our activities. This is the only stage where we have an actual interaction with the Malware. A lot of raw information about the binary is collected during this stage which is analyzed in the next stage. Therefore, it is very important to carefully record all the information generated in this stage. The steps in the information collection stage are:

Static analysis

During the static analysis stage, we collect as much information about the binary as possible, without executing it. This involves many techniques and tools. Static analysis reveals the scripts, HTML, GUI, passwords, commands, control channels, and so on. Simple things like the file name, size and version string are recorded. Human-readable strings are extracted from the Malware and these strings are recorded. A program like Binary Text Scan can be used for this purpose. These strings reveal a lot of information about the function of the binary.

Resources that are embedded in the binary are extracted and recorded. A program like Resource Hacker can be used for this purpose. The resources that can be discovered through this process include GUI elements, scripts, HTML, graphics, icons, and more.
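String extraction is the cheapest static step, but a plain ASCII scan misses what Windows binaries store as UTF-16LE (each character followed by a NUL byte). The block below is an added example, not code from the original article or from Binary Text Scan: it extracts both encodings from a constructed byte blob (not a real executable) and buckets the results into the categories that usually reveal a binary's function: URLs, IP addresses, registry paths and executable names.

```python
import re

# Constructed sample: a fake PE-like blob mixing ASCII and UTF-16LE strings with
# non-printable bytes. It is not a real executable.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x01\x02\x03"
    + b"http://example.invalid/update.php\x00"
    + b"\xff\xfe"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
    + b"svchost32.exe\x00"
    + b"\x7f\x80\x81"
    + "192.0.2.10".encode("utf-16-le")
    + b"\x00\x00ab"  # two printable bytes: below the minimum length, so not reported
)


def ascii_strings(data: bytes, min_len: int = 5) -> list:
    """Runs of printable 7-bit bytes, the same set the classic `strings` tool reports."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 5) -> list:
    """Runs of printable characters stored as UTF-16LE (char, NUL, char, NUL, ...),
    which is how Windows binaries keep most resource and API-facing strings."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def extract_all(data: bytes, min_len: int = 5) -> list:
    return ascii_strings(data, min_len) + utf16le_strings(data, min_len)


# Categories that usually reveal the function of a binary during static analysis.
PATTERNS = {
    "url": re.compile(r"https?://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"HKEY_|HKLM|HKCU|Software\\Microsoft\\Windows", re.I),
    "executable": re.compile(r"\.(?:exe|dll|sys|bat|vbs|scr)$", re.I),
}


def triage(strings: list) -> dict:
    """Bucket extracted strings by category so the interesting ones are seen first."""
    found = {name: [] for name in PATTERNS}
    for s in strings:
        for name, pat in PATTERNS.items():
            if pat.search(s):
                found[name].append(s)
    return found


if __name__ == "__main__":
    for category, hits in triage(extract_all(SAMPLE)).items():
        print(f"{category:>10}: {hits}")
```

Record every hit alongside the file name, size and version string; the registry path and the URL in particular become search keywords and startup-method candidates in the later stages.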

Dynamic analysis

During this stage, we actually execute the binary and observe its interaction with the environment. All monitoring tools including the sniffing software are activated. Different experiments are done to test the response of the running Malware process to our tools. Attempts to communicate with other machines are recorded. In this analysis phase a new snapshot of the environment is created like in the baselining the environment stage.

After taking a snapshot of all the changes the Malware performs in the system, the Malware process is terminated. Now, the differences between the new snapshot and the baseline snapshot are determined. The dynamic analysis step is very similar to the baselining the environment stage. Therefore, the tools are reused for this stage. Loadpoint Diagnostic and InstallWatch can be used for this purpose. Apart from these tools, AutoRuns, FileMon and RegMon from SysInternals can be used for monitoring the file system and the registry dynamically. These tools are used for observing the changes to the file system and the registry of the Sandbox.

The information recorded forms the input for the next stage of our analysis. The information generated here can be new files, registry entries, open ports, etc. Sometimes, the static analysis has to be repeated once more after the dynamic analysis.
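The baseline-then-compare step described in "Baseline the environment" and applied again here in the dynamic analysis stage reduces to one operation: snapshot a set of keys with their values, execute the binary, snapshot again and diff. The block below is an added example, not InstallWatch's or Loadpoint Diagnostic's code: it snapshots a constructed stand-in for the Sandbox file tree (path to size and SHA-256), simulates the kind of changes a binary makes, and reports added, removed and modified paths. `diff_snapshots` is deliberately generic, so the same function can compare an exported registry hive or a process list once they are loaded into a dict.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_tree(root) -> dict:
    """Map every file under root to (size, sha256). Hashing, rather than trusting
    timestamps, matters: a binary can reset a file's mtime but not its digest."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[rel] = (path.stat().st_size, digest)
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify keys as added, removed or modified between the baseline and the
    post-execution snapshot. Works on any key -> value dict, so registry exports
    or process lists can be compared with the same function."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def build_sandbox(root) -> None:
    """Constructed stand-in for a fresh Sandbox file system (a few files only)."""
    root = Path(root)
    etc = root / "WINDOWS" / "system32" / "drivers" / "etc"
    etc.mkdir(parents=True)
    (root / "Documents").mkdir()
    (root / "WINDOWS" / "system32" / "kernel32.dll").write_bytes(b"MZ-original")
    (etc / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "Documents" / "notes.txt").write_text("baseline document\n")


def simulate_binary_run(root) -> None:
    """Constructed changes standing in for what the binary would do when executed."""
    root = Path(root)
    sys32 = root / "WINDOWS" / "system32"
    (sys32 / "svchost32.exe").write_bytes(b"MZ-dropped")                       # dropped file
    hosts = sys32 / "drivers" / "etc" / "hosts"
    hosts.write_text(hosts.read_text() + "127.0.0.1 update.example.invalid\n")  # edited file
    (root / "Documents" / "notes.txt").unlink()                                 # deleted file


def run_demo() -> dict:
    """Baseline, execute (simulated), snapshot again, and return the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sandbox(tmp)
        baseline = snapshot_tree(tmp)
        simulate_binary_run(tmp)
        after = snapshot_tree(tmp)
        return diff_snapshots(baseline, after)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

On a real Sandbox, point `snapshot_tree` at the system drive and save the baseline dict to the Sniffer Computer before executing the binary, so the baseline itself cannot be tampered with from inside the Sandbox.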


Analysis

This is the stage where we can finally reverse engineer the binary based on all the information collected during the previous stages. Each piece of information is analyzed over and over until the "jigsaw puzzle" is complete. Then the bigger picture begins to appear and the reverse engineering process is finished. However, before this is achieved, we may have to repeat the previous stages several times. We will look into the process of Reverse Engineering a Malware in another article dedicated to Reverse Analysis.

The goals of the individual or organization evaluating the Malware determine the type of analysis and because the goals differ, no standard methodology is provided for this stage. Looking for deviations from the stated security policy of an organization, the goals and information to be collected may differ. Although a complete methodology for information analysis is beyond the scope of this paper, a few techniques are presented here. In many cases, these techniques are sufficient for analysis.

Internet searches

A search engine can be used for searching for more information on the Malware. Keywords for the search engine can be drawn from the information generated during the "Static Analysis" step. Things like filenames, registry entries, commands, etc. often reveal a lot of information about the Malware. Some good sources of information on the internet include Online Virus Databases (mostly maintained by Antivirus Vendors), News Groups and Mailing Lists. Many times, internet searches reveal almost all the information about a Malware and no further research is needed.

One very interesting and important site that I personally refer to before carrying out any Malware Analysis process is: http://www.virustotal.com

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of Viruses, Worms, Trojans and all kinds of Malware detected by antivirus engines.

Features:
> Free, independent service
> Use of multiple antivirus engines
> Real-time automatic updates of virus signatures
> Detailed results from each antivirus engine
> Real time global statistics

Personally, I also submit any suspicious binary to the Microsoft Malware Protection Center (MMPC), and it is for sure that even if the Malware is not detected by any of the Antivirus scanners, MMPC responds within 10-12 hours of submission. The Virus Submission URL of MMPC is: https://www.microsoft.com/security/portal/submit.aspx

Startup methods

Every Malware needs a way to ensure that it is executed when the system reboots. This is the most vulnerable aspect of the Malware. There are a number of ways in all operating systems that a program can use to restart automatically when a system reboots. The information collected during the static and dynamic analysis stages can be analyzed to identify the startup methods the Malware uses to get activated at system reboot.

A special section informing users about the various startup methods used by Malware will be added at the end of this article. A tool from SysInternals called AutoRuns does the trick for us during the Malware Analysis process. AutoRuns monitors more startup areas than any other startup application available today, giving us the opportunity to check the ways by which a Malware can actually come alive.


Spreading/Traversal mechanism

If the Malware under observation is a self-spreading worm or a virus, the collected network traffic data will easily reveal its spreading mechanism. In most cases, a brief analysis of the network traffic is enough; else, a study of the file system activity and registry activity is carried out to find out the activities of the payload of the Malware.


Documenting the findings

Documenting the results of the Malware analysis process is essential. One of the main advantages is that the knowledge incorporated into the documentation can be used for later analysis activity. The documentation will differ from individual to individual and organization to organization, depending on the requirement and purpose.


Conclusion

From this article we have seen that a basic behavioral analysis of a Malware can be easily performed by an administrator, or indeed by a power user. While this approach does not give the same level of detail as code analysis or reverse engineering would, still it is sufficient for most people's needs when figuring out what a potentially malicious binary is capable of and also how to go ahead with the removal and disinfection process.

Read further

Case Study: A known rogue application
Analysis of a real Malware http://www.malwareinfo.org/files/WhitePaper.pdf

Some archived Analysis Reports:
(you can stay updated about this list from the url: http://www.malwareinfo.org/archive.html)

http://www.malwareinfo.org/archive/XPAntivirus2008.doc
http://www.malwareinfo.org/archive/TrojanSpyFinanzJ.doc
http://www.malwareinfo.org/archive/SystemErrorFixer.doc
http://www.malwareinfo.org/archive/TrojanWin32Srizbigen.doc
http://www.malwareinfo.org/archive/Peacomm.doc
http://www.malwareinfo.org/archive/TrojanDropperWin32CutwailY.doc
http://www.malwareinfo.org/archive/HeurDownloader.doc
http://www.malwareinfo.org/archive/TrojanWin32Buzusbrq.doc
http://www.malwareinfo.org/archive/TrojanCryptXPACKGen.doc
http://www.malwareinfo.org/archive/SpywareSpyBuddy.doc
http://www.malwareinfo.org/archive/MalDropperY.doc
http://www.malwareinfo.org/archive/NewMalwarebl.doc
http://www.malwareinfo.org/archive/Win32AutoHotKey.doc
http://www.malwareinfo.org/archive/W32MalwareGemini.doc
http://www.malwareinfo.org/archive/VirToolWin32ObfuscatorC.doc
http://www.malwareinfo.org/archive/TrojanWin32Meredrop.doc
http://www.malwareinfo.org/archive/MalEncPkBW.doc
http://www.malwareinfo.org/archive/TrojanDownloaderWin32HarniggenL.htm
http://www.malwareinfo.org/archive/HeuristicSuspiciousDownloader.doc
http://www.malwareinfo.org/archive/TrojanSpyWin32Zbotaob.doc
http://www.malwareinfo.org/archive/TrojanWin32DNSChangerarn.htm
http://www.malwareinfo.org/archive/TrojanWin32AlureonGenH.htm
http://www.malwareinfo.org/archive/TrojanDropperQhostN.htm
http://www.malwareinfo.org/archive/BackdoorWin32GF13xA.txt
http://www.malwareinfo.org/archive/WormWin32TaterfGenC.txt
http://www.malwareinfo.org/archive/W32SillyDC.txt
http://www.malwareinfo.org/archive/TrojanWin32TibsEW.txt
http://www.malwareinfo.org/archive/TrojanWin32NsilA.txt
http://www.malwareinfo.org/archive/TrojanSpyWin32BankerKew.txt
http://www.malwareinfo.org/archive/TrojanDropperWin32AgentDgc.txt
http://www.malwareinfo.org/archive/Infostealer.txt
http://www.malwareinfo.org/archive/BackdoorWin32SharkAoo.txt
http://www.malwareinfo.org/archive/AdwareUdefenderT.txt
http://www.malwareinfo.org/archive/Win32SorerA.doc
http://www.malwareinfo.org/archive/WinTrojanXemaVariant.txt
http://www.malwareinfo.org/archive/AdWareWin32MostofateAA.txt
http://www.malwareinfo.org/archive/TrojanClickerWin32DelfLP.txt
http://www.malwareinfo.org/archive/TrojanDownloaderWin32AgentCCL.txt
http://www.malwareinfo.org/archive/TrojanWin32PakesCHF.txt
http://www.malwareinfo.org/archive/TrojanZlob.txt
http://www.malwareinfo.org/archive/Win32DelfITZ.txt

4/5/2008

Copyright PegasPlanet.com

All articles may be reproduced under the following conditions: content is not altered, author's link is preserved, article source, www.PegasPlanet.com, is specified