Trusted SF Member
Joined: 19 May 2004
Location: Centerville, South Dakota
Posted: Wed Jul 20, 2005 7:06 pm Post subject: Article - MALWARE ANALYSIS FOR THE AMATEUR ENTHUSIAST
MALWARE ANALYSIS FOR THE AMATEUR ENTHUSIAST
We don't need statistics to tell us what a headache malicious programming has become. The fact that people flock to forums seeking relief from pop-ups and spyware is proof enough that malware is threatening to bring the Internet to its knees. Ok, that may be a little dramatic, but the voracity with which resources are being consumed is disturbing, to say the least.
It used to be that IT and Security Professionals could arm themselves with commercial software and be reasonably assured of maintaining system integrity. But new tactics have emerged: malware authors flood the Internet with as many variants of their applications as possible, and are thus always a step ahead. It is increasingly the case that unidentified applications creep onto systems and prove difficult to remove. Security professionals and network administrators have no choice but to learn some techniques for analyzing suspicious software.
What follows is hopefully a simple blueprint for analysis, starting with test system set up, to the various free tools and resources available.
From discovery of the first Mytob infection on February 26, 2005 to April 14, Kaspersky Labs had identified 26 different variants, with 6 variants appearing in 2 days time.
THE TEST SYSTEM:
The safest option is to have a designated system, and it need not be a top of the line system either. All we need is something that will meet the minimum specifications of whatever OS (Operating System) we want to run. A network card is also helpful, as some infections need an Internet connection to really get cooking. I can almost guarantee that your local computer repair shop will have parts and pieces they will be glad to see go for almost next to nothing. I recently put together a system for just under $100, and $75 of that was for memory. Running a small ad in the paper offering free disposal of computers and monitors may yield more goodies, depending on how large of a community you live in.
Another option is to purchase software that runs a virtual OS on your existing box. VMWare is available for under $200 US, and Microsoft's Virtual PC can be purchased for under $150 US. The major drawback with this is that your system needs to be fairly robust to handle the overhead of running two or more operating systems at the same time. The advantage is that you can have multiple operating systems loaded up, so if you want to see how an infection affects each OS, you then have a platform to do so.
The final option is to use your production box. It can be done as a superficial means of identifying what is on your system. I frequently do this in order to get a thumbnail idea of what an application is doing, but my system has many layers of defense that need to be penetrated before it will be infected, so I don't worry too much about it. We all know what can happen if you don't have a properly prepared system, so insisto leviter. Ideally, a screaming-fast spare box equipped with VMWare or similar is the best situation.
One more note. In most places it is illegal to knowingly propagate malicious software. For our purposes, we will be analyzing adware, which is not self-replicating, but these same techniques can be used for analyzing any kind of malicious software. Please take care to use a closed system or network when working with those types of samples.
The Bube infector (ISearch), which hit around February 2005, acts as a facilitator, downloading anywhere from 15 to 75 Megabytes of additional advertising software. In addition to the staggering size of the downloads, explorer.exe was infected, making removal nearly impossible. ~groove's lab
Since the chances are high that whichever OS you choose will be unpatched, there are a few basics before you even really get started. An Anti-Virus and a firewall are necessary to make sure that your system remains sterile until such a time as you infect it yourself; otherwise you may get erroneous results that cannot be duplicated. It doesn't matter which ones you use, as long as you know that there are plenty of free options available. Spybot and Adaware should be installed, but make sure that their real time protection features are disabled. We want our malware to spread unfettered in order to get the best picture possible of what it is doing. We want to use Spybot and Adaware, along with our Anti-Virus, to make sure the system is completely clean before we start. We also want to make a backup of the registry in case something horrible goes wrong with our experiment.
Establishing a baseline before you even start is helpful. You want a record of what is on your system so that you can compare it against any changes once you start. I have a simple application that I wrote that enumerates all files in a directory, generates an MD5 hash, and dumps it to a text file. I realize that not all of us can program our own tools, so there are a few other options. One is to use a simple batch command to list every file for a chosen directory (Thanks for the tips from Mr. Lugo):
dir %windir%\system32 /a > system32_clean.txt
dir %windir% /a > windows_clean.txt
Another option is to try and find a software solution that will do the job for you, but I don't use any, so I can't recommend any. Typically though, I keep a listing of everything in the Windows folder, DllCache, System32, and occasionally the Prefetch folder.
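For readers who do want to build the hash-based baseline tool described above, here is an added example (not the author's own application): it walks a directory, records one digest per file in a text file, and later diffs a fresh snapshot against that file to report added, removed and modified files. MD5 is the default because that is what the article uses; the algorithm parameter accepts any hashlib name such as sha256. The directory contents in demo() are constructed stand-ins, not real system files.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algorithm="md5", chunk=65536):
    # Hash in chunks so large binaries need not fit in memory.
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, algorithm="md5"):
    # Map every regular file under root (path relative to root) to its digest.
    return {p.relative_to(root).as_posix(): hash_file(p, algorithm)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def save_snapshot(snap, out_path):
    # One "digest  relative/path" line per file, in the style of md5sum output.
    with open(out_path, "w", encoding="utf-8") as f:
        for rel in sorted(snap):
            f.write(f"{snap[rel]}  {rel}\n")

def load_snapshot(in_path):
    with open(in_path, encoding="utf-8") as f:
        rows = [ln.rstrip("\n").split("  ", 1) for ln in f if ln.strip()]
    return {rel: digest for digest, rel in rows}

def compare(before, after):
    # Files that appeared, vanished, or changed content since the baseline.
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }

def demo():
    # Constructed stand-in for %windir%\system32: baseline, simulate an install, diff.
    with tempfile.TemporaryDirectory() as tmp:
        target, notes = Path(tmp, "system32"), Path(tmp, "notes")
        target.mkdir(); notes.mkdir()
        (target / "kernel32.dll").write_bytes(b"clean system library")
        (target / "notepad.exe").write_bytes(b"clean editor")
        (target / "stale.tmp").write_bytes(b"leftover temp file")
        save_snapshot(snapshot(target), notes / "system32_clean.txt")
        (target / "notepad.exe").write_bytes(b"patched editor")   # modified
        (target / "helper.dll").write_bytes(b"unknown new file")   # added
        (target / "stale.tmp").unlink()                            # removed
        return compare(load_snapshot(notes / "system32_clean.txt"), snapshot(target))
```

Run snapshot() and save_snapshot() on the clean system, then compare() the saved file against a new snapshot after the suspect software has run; the "added" and "modified" lists are the files worth a closer look with the tools described next.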
One of the next things I install is an Intrusion Detection System. The one I prefer to use is the free version of Prevx's HIDS. Although it is actually a prevention tool, it also serves as a tool to let us know what changes are being made to a system, and it is available here: Prevx Home Edition. Snort is also a viable option, but way more difficult to set up for those that are not already familiar with it, and our goal at this point is to make things as easy as possible.
Another valuable tool that is available from Patrick M. Kolla, maker of Spybot, is FileAlyzer. "FileAlyzer allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE)." FileAlyzer is available
Sometimes we need to be able to see what is going on behind the scenes. Sysinternals has a few of my favorite tools. RootKit Revealer is a nice tool to see what is happening behind the scenes. Advertising malware from ABetterInternet and the EliteToolBar often run in hidden directories that can only be ferreted out with a tool like RootKit Revealer, or a Linux boot disk. Since we are going for simplicity, we will stick with what is easiest. While at Sysinternals, you might want to grab Filemon, Streams, and Regmon. All valuable tools, and all free.
Another favorite tool to have is called Total Uninstaller. Total Uninstaller makes a baseline before and compares it to changes after software is installed, and prints a very detailed record. Sometimes this alone is enough to get an idea of how a piece of malware affected your system. The uninstall portion of it makes it nice for reversing most of the damage done by rogue applications. The free version is available here.
The final two tools are our beloved HijackThis, and a pencil and paper. I have stacks of notes all over my desktop from various projects, so from my experience, it might be a good idea to keep a folder or two handy also. This is a fine example of do as I say, not as I do. I can't find any of my folders. They are probably buried under this stack of papers.
There are countless other applications that can aid us in one way or another, but for now we will keep it simple. In the next part, I will cover how to capture malware before it infects, as well as how to begin analysis of suspect files.
[...] we speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely used services in Microsoft Windows and carrying a highly destructive payload. Nicholas Weaver, Vern Paxson