Category Archives: Malware Analysis

Wisdom of the crowds: Detecting anomalous behavior based on mass memory analysis

Anomaly detection is a huge deal these days, there are some tools in the market that seem to perform the task, but they are pricey, complicated and too much for a non-enterprise organization.  I have written  a little script that takes a memory dump, Gives it a unique UUID and inserts to a MySQL database the output of the following volatility commands: psscan,sockets,connections and svcscan. That output can be queried in pretty interesting ways, and as you get more memory dumps, the statistics get more interesting, and it will be easier to find out anomalies.

For example, Here is a query that gets me the statistics about open sockets.

sockets

We can see that out of all the computers, we have 5 sockets open to the IP 172.16.112.128, which in this case was just a private IP address.

Another nice query, links sockets and process names, grouped together.

SocketsAndProcs

Here is a list of processes in the 12 computers, from the most common to the uncommon. pslist

 

After I have found that suspect process named aelas.exe, I went on and looked if it has any open sockets…

aelas_exe

This one is pretty interesting, and is a list of services binary paths. You can easily see a few suspect services here 🙂

ServicesByBinPath

 

A list of common sockets, and uncommon ones:

CommonSockets

I`m still working on this project, and trying to implement more complex commands, like apihooks,malfind and the like. Another feature I am working on right now, is that as part of the processing the script will dump all the processes and compare them with  additional process dumps from the database in order to white list the similar, and highlight the anomalies. The comparison algorithm will be based on different tools, like pehash,ssdeep, import hashing etc.

I made this test on 12 Memory dumps of different Windows XP Service Pack 2 machines, some infected with malware and some clean. As I collect more memory dumps, I keep adding them to the database and Improving the results. I will update as I progress with the development. When the project will be ripe I will be happy to open a git repository to share it.

What`s new in Cuckoo Sanbox 1.0

After almost four years of development, Version 1.0 was finally released. This release has serious improvements that make cuckoo box a fully fledged sandbox platform.  In the main screen we can already see some newly added features, like the ability to control on which machine the analysis will be performed (Letting you have Virtual Machines of different Windows versions, for example XP and 7 32/64-bit), and whether you want to capture memory or not (which will make the processing time longer). Also Cuckoo has now the ability to process RTF,VBS and CPL files, and the performance boost has made a really great difference.MainScreen

 

 

The wait queue is also pretty nice and has pagination to display practically unlimited rows of links to reports.

WaitQueue

 

On the static part of the analysis, resources are now shown too, and the virus total results are displayed in a more comfortable way, with a permalink to the scan results

Res

 

VirusTotal

There are new options to download the report in HTML format and to download the network capture in PCAP format (which is now is filtered, and does not show private network traffic).

But the main new feature is the integration of the amazing volatility framework (Which deserves a whole post by itself. There will be one soon, I promise). The virtual machine is paused to achieve a memory dump, on which volatility commands are executed. Exactly like the private networks are filtered in the PCAP capture, Hooks and processes related to cuckoo itself can be filtered too. (Requires messing a bit with the configuration files)

VolatilityMain VolaPSLIST VolaDlllist VOLApsxview

 

Version 1.0 of Cuckoo is a really great improvement, and i recommend the upgrade of your personal Malware analysis environments to this version.

 

Caught on the honeypot

A while ago, I have found a new malware in my honeypot, that virus total failed to recognize. I have resubmitted it a couple of hours ago,  and found out that the big AV companies still do not recognize the malware – 15 / 46 detection rate.

UPload-AttFromHoneypot

While analyzing the PE header for anomalies, I have found that the .data section has Read, Write and Execute permissions, which hints that the malware modifies it`s code during execution.

RWX_DataSection

This piece of malware has a lot of interesting strings. I prefer to look for strings using IDA because it makes it easier to find what each string has to do with the Malware:

The first thing I have found is a long list of common passwords. Arround 110 passwords like super,temp123,test123,secret,qwerty,password, etc…

PasswordStringsThe next one is Software\Microsoft\Windows\CurrentVersion\Run – The famous way of malware to achieve persistence. While looking for a reference to the string, I have found another string from the list: PHIME2008 which is the name of the value created in that key. The malware author did not bother itself, and the data (The name of the file to execute in startup) is the path from which the file was executed, appedend with the parameter /sync

REGwithParamI Have also found an IP Address, and a couple of strings that look like URLs. The IP Address had two cross-references:

IP-XrefsThe first one (sub_401C40) seemed to send some information to the destination IP. (Language, country, computer name and username)

senddata2This function has a lot of arguments, therefor the easiest way to understand what this Malware is trying to send, is using ApateDNS and netcat, and capturing the traffic. 

The malware tried to download a file from the path:  /updata/ACCl3.jpg in the IP I have found before. But that server does not exist anymore.  iNetSim does not  disappoint, and hands the Malware a jpg file just like it wanted.

DownloadingTheJpgIDA GettingTheJpgThat JPG the malware tried to download, apparently is not a JPG (The server is down, so we can only assume). The JPG is downloaded in the function sub_401EB0. The function tries to check if the file named msupd.exe at the system directory exists, and if it does not, it tries to download it. Now we can say for sure that this is not a JPG. The malware downloaded the supossed picture file from the internet, and placed it in system32:

fakemsupdexe

fakemsupdprobe

The fact that it saved it as with exe extension, proves the Malware intended to download an executable.

The next string I have noticed is GET /updata/TPDA.jpg. After looking for cross references in IDA, I have found some parameters appended to the HTTP request before it is sent. Again using iNetSim, I have managed to get easily which data is sent over the network.

senddata

URLParam

 

TheDataSent

The malware sends to its control server the time-stamp, country, internal IP, computer name and username.

Next post will cover the interesting network behavior of this malware (hint: password guessing) by using a higher interaction honeypot than iNetSim.

Enriching your Malware analysis reports with Open Source Intelligence (OSINT)

Often, while analyzing a malware sample, I open Google and start searching for the hash or for some other Indications in the malware sample like Mutexes, User agents, Registry keys, Filenames, URLs and  IP Addresses. Searching for all those indications in Google and other search engines is too cumbersome. A couple of days ago I came across Malformity. Malformity is a collection of Maltego transforms to assist with malware and malicious infrastructure research. Malformity queries data from many sources (Ex. VirusTotal, Bit9, ThreatExpert…) in order to perform Maltego transforms. To get started with Malformity, you create with Maltego entities from the data you already have:

entities

 

Then you can run transforms:

Screenshot from 2013-12-14 17:34:47

 

Using those transforms It is possible to get useful information about the malware you are analyzing. For example in the example below I took a malware and found out URLs related with it, and even a Mutex (The one on the left).

Screenshot from 2013-12-14 21:59:36

 

In the next example, I created a URL entity out of a URL address from which the malware sample downloaded a DAT file. I found information about the website (Infrastructure information) and also some information from known security companies.

Screenshot from 2013-12-15 21:47:59222

 

In the example below, I took the same hash and found different virus signatures, and alternative names for the same malware:

Screenshot from 2013-12-15 21:50:51

 

Maltego and Malformity are nice tools to have when researching for malware indicators and malicious infrastructure, and can be really helpful at times. It is important to note that those searches are not silent, and doing those transforms can expose and reveal that the malware has been discovered and is under investigation.

Some additional honorable mentions of tool that can help and ease the research:

Anatomy of a traffic generating trojan

This is a trojan with interesting behavior, That I came across during the third part of November. I have decided to analyze this malware (chosen from the pile of thousands i have for days of boredom…) because its behavior seemed very interesting when executing it in the sandbox. Aside from achieving persistence and making a DNS query for smtp.live.com, It did not do much. I suspected it had something to hide…

About The Analysis Process: 

After the first execution in my custom sandbox, as I have noticed nothing too exciting happened and the execution timed out after the max value set by the sandbox, I started suspecting this malware has awfully long sleep timers in its code.

I have started the static analysis phase, but noticed this malware has a small amount of imports, and a strange procedure with lots of lodsb assembly commands. That procedure was a Custom Packer, which was not identified by PEid.

The imports before unpacking:

croppedimports

For easy unpacking, I executed the malware until the return of what seemed to be the unpack procedure:

croppedunpackproc

Setting the breakpoint:

croppedbreakpoint

Right after the breakpoint, I did a took a memory memory dump to easily dump the processes from memory. Those are the imports after the unpack procedure returned:

croppedexports

While analyzing the dump I have noticed that this executable launches three svchost.exe processes. Each one of those svchost processes main purpose is traffic generation, but each one has an extra purpose. (Ex. Mutex creation, Persistence, Downloading the DAT files)

croppedpstree

A short static analysis of one of the svchost processes proved me right about the sleep timers:

croppedlongsleep

Sleep2This malware does not have to be executed from an administrator account, we can see that because it achieves its persistence by adding itself to:

HKU\software\microsoft\windows\current version\run 

with the executable pofpopitegra.exe as the value,  which is dropped at c:\document and settings\%username%\pofpopitegra.exe

Network behavior:

This malware generates a pretty big amount of web traffic, to sites it probably gets from this DAT file downloaded over the network, and from some html files with encoded comments. No evidence was found inside any of the svchost files or the malware executable itself for URL or IP addresses of any kind, except for the URL from which the DAT file is downloaded from.

unkwondatclippedcontent

DATlocation

The encoded comments:

croppedURLencoded

croppedsmtthttptrffic

The malware generated some SMTP traffic as well. The next part of the analysis, I will dive deeper into the traffic generated by this malware sample, and try to reverse engineer the encryption of the DAT file.

How to get interesting malware samples

As an independent malware researcher, sometimes it is not easy at all getting new malware samples. I want to show you a a few methods that can get you some really interesting samples, tough they require some investment (time & money).

  • Honeypots – I invested some dollars (and a couple of hours) and configured Dionaea on a VPS. I have installed also DioaneaFR (Web front-end for Dionaea) on another server, and the bistreams,samples and additional data are copied to the server where the front-end is hosted every 10 minutes. The samples from the honeypot are automatically submitted to some online sandboxes and virus scanners, and If you are interested it can even forward them to your own sandbox.

connections

 

main

 

If you are an independent researcher, and you are interested in access to my honeypot data, Let me know in the comments of this post, and I will contact you.

 

  • MWcrawler

mwcrawler is a simple python script that parses malicious url lists from well known websites (i.e. MDL, Malc0de) in order to automatically download the malicious code. It can be used to populate malware repositories or zoos.

MWcrawler is really useful, the problem is that because of the nature of those malicious sites, (Might be up, then down 2 hours later…) You may get some samples or not. It does not hurt to have this script on your crontab 😉

  • Recommended Websites – There are some websites where you can get some interesting malware samples, although not unique. contagio is a good source for network captures,PDFs and other types of malicious files. The virus exchange forum on malwaretips offers “Malware Packs”.

 

Static Malware Analysis

PE File Structure:  

The native windows file format (Microsoft introduced PE in Windows NT 3.1). 32 bit DLL, COM, OCX and NT kernel mode drivers are all in PE file format as well. (64-bit version is called PE32+)

pefile

 

The PE File starts of with a magic number, which is a 4 byte data block at the beginning of the PE file, that can helps the operating system define file type and therefor how to execute the file.

Here are some magic number examples:

MZheader

This is the windows executable binary header (MZ), named after Mark Zvikowvski on of the early microsoft architects.

pdfheaderThis is the magic number of a PDF file.

zipHeader

This is the magic number of a ZIP file.

Following the magic number, there is a 2 byte sector defining the machine architecture to which the executable was written, and another 4 byte sector with the number of sections included in the file.

The PE optional Header contains useful information for the malware analyst (and is not actually such optional), like the executable type (exe,com,dll, etc.), how the executable should be loaded, etc. Some important fields from the Portable Executable header are the Entry Point Address which points to the first instruction to be executed when the malware is loaded, and the Image Base which defines where the executable is loaded in virtual memory.

The header is followed by the IAT, EAT and Sections Table:

  • IAT –  The Imports Address Table, has information about functions that the program calls from DLL files. Those functions and DLLs expose some or all of the malware functionality. For example a malware that imports ws32_32.dll may have some network functionality.
  • EAT – The Exports Address Table is generally used in DLL files, and exports functions for other programs to call.
  • Section Table – actual sections of the file, each of which contains useful information. Some common section  are:
  1.  .text – The .text section contains the instructions that the CPU executes. All other sections . Most of the times, this is the only section that can execute, and it should be the only section that includes code. (Another sections including code might be sign for packed malware)
  2. .rdata – Holds read-only data that is globally accessible within the program
  3. .data – Stores global data accessed throughout the program
  4. .idata – Sometimes present and stores the import function information; if this section is not present, the import function information is stored in the .rdata section
  5. .edata – Sometimes present and stores the export function information; if this section is not present, the export function information is stored in the .rdata section
  6. .pdata – Present only in 64-bit executables and stores exception-handling information
  7. .rsrc – Stores resources needed by the executable
  8. .reloc – Contains information for relocation of library files (Loading library files to different memory addresses if the preferred addresses cannot be allocated for some reason.)

Static Analysis

Like I have said in previous post, static analysis is the process of studying a malware sample without executing it. We can look for suspicious strings (File Paths, IP Addresses, URLs, Registry Keys, etc.). We can also look at the IAT,EAT and section tables, that may indicate a lot about the malware expected behavior. In this sample i will use a tool called MASTIFF which is a static analysis automation framework:

mastiff1

In the first screenshot we can see the file sections, and observe that those are not standard section names, and that multiple sections are marked for execution which is really suspicious. We also can not ignore the section names: UPX0,UPX1 and UPX2, UPX is the name of a knows packer, and we suspect that this file has been packed with it.

mastiff2

In this screenshot we can see various imports of another malware sample. For example the import of the InternetGetConnectedState function from the WININET.dll implies that the malware checks if there is connection to the internet. Reference about all the Microsoft library functions can be obtained from MSDN (Microsoft Developer Network).

stringsThis last screenshot is of a strings execution against another malware sample, revealing some interensting file names, URLs, Error codes and library calls.

 

Introduction to Malware Analysis

Whats is malware? Short for Malicious Software, software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Malware appears in various file formats like executable files, BAT scripts, VBScript, JavaScript, Macros in Microsoft office files and exploit code in JPG, GIF, SWF, PDF files. Although More than 80% malware samples received by Security Vendors are Windows executables.

Malware Analysis is The art of dissecting malware to understand how it works, how to identify it, and how to defeat it. It is a cat and mice race, as Detection and analysis methods get more advanced, and Malware gets ahead as well.

Malware infection vectors:

  • Social networks – Malware on infected computers may post links on behalf of the connected user for his friends to click.
  • Boot Sector – Infecting the MBR of the physical disk
  • Network file shares – Malware may create autorun files on SMB, and samba shares.
  • P2P networks – Torrents, IM, etc.
  • Removable media – Malware may create autorun files root directory of the media.
  • Vulnerabilities across websites, operating systems and applications.

Why perform malware analysis?

With malware becoming more targeted toward organizations of any size, more malware in the wild is undetectable by common means of protection (Anti-Viruses and Anti-Malware applications).

Malware Types:

  • Backdoor – Malicious code to grant an attacker remote access to a machine
  • Bot – A group of computers compromised with a backdoor, connected to a single (or a group of) control servers. Usually used for distributed denial of service attacks, or sending spam. Recent malware even uses the victim computer resources to mine for bitcoins.
  • Trojan horse – Just like the horse of troy, the malware disguises itself as a normal program to trick the users into installing the malware.
  • Dropper – A piece of malware that downloads additional malicious code  – usually combined with another type of malware.
  • Info-Stealer – Collects specific information from a victim, such as Banking account credentials, online game credentials, PDF Documents, etc.
  • Root-kit – Code used to hide the existence of other code – usually combined with another type of malware.
  • Worms – Spread over computer networks by exploiting operating system vulnerabilities. Worms often spread by mail, or social network posts. Worms may carry payloads, That are pieces of code to perform actions beyond infecting the victim, like stealing data, deleting files, etc.
  • Ransom-ware (Also knows as Scare-ware) – A form of malware that holds the victim computer captive, while requiring a ransom. The malware may encrypt files on the hard-drive, or restrict computer regular operation while forcing the user to pay to the malware author to remove restrictions and regain access. (Usually the malware just remove the restrictions for a month or so, and then activates again.)

Malware can as well be a combination of a few types described above.

Malware Analysis has a few goals:

  • Determine the file (Not necessarily binary ) capabilities – Determine what are the intentions of the malware author. How the malware installs itself, how it distributes, how it achieves persistence, and what data the malware author wanted to aquire or what damage he wanted to make.
  • Do a risk assessment – Check which assets of yours might be compromised by such malware, and protect them accordingly.
  • Create IOCs (Indications Of Compromise) to detect the malware, or malware with similar behavior in the future – use the IOCs to create signatures. Host based or Network based.

Analysis Types:

  • Basic Static analysis – Examining the file, without executing it.
  • Behavioral dynamic analysis – Executing the file in a monitored environment and learning it`s behavior.

Next Post we will dive into the structure of a PE File, (Windows Portable Executable) and perform a basic static analysis on some samples of malware.