Incident Response Tool of The Month: ESET SysInspector

From ESET Website:

ESET SysInspector® is a free, state-of-the-art diagnostic tool for Windows systems. It is also an integral part of ESET Smart Security 6 and ESET NOD32 Antivirus 6. It peers into your operating system and captures details such as running processes, registry content, startup items and network connections. Once a snapshot of the system is made, ESET SysInspector applies heuristics to assign a risk level for each object logged.

SysInspector is an excellent tool for first responders: it gathers useful volatile and non-volatile information from a computer showing suspicious behavior, and it can compare a snapshot of a freshly installed image of the computers in your organization against a snapshot of a machine that is currently behaving suspiciously. In the next example I will run SysInspector before and after executing a malware sample, and demonstrate how easily the IOCs can be found.

First, I run the tool before executing any malware:

[Screenshot: General]

Nothing suspicious here. You can see a lot of useful information: running processes, open connections, important registry values, services, drivers and much more. Now I will execute the malware (this time CryptoLocker) and save another XML report with SysInspector. Now it's time to compare both logs:

[Screenshot: SetToCompare]

The results are interesting. First, some new processes created by the malware:

[Screenshot: NewProcs]

A new file dropped by the malware:

[Screenshot: NewFile]

A registry key to achieve persistence:

[Screenshot: NewReg]

And finally, some network activity by the processes we discovered earlier:

[Screenshot: NetworkTraffic]

CryptoLocker is relatively old and most AVs have signatures for it, but a large share of the new malware that AVs cannot identify can be detected using the same technique.
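The before/after comparison walked through above is simple enough to script. The following is an added Python example, not ESET's tooling or the original post's code: the XML layout is a constructed, simplified schema (not SysInspector's real report format), and every host name, process name, path and address in the two snapshots is made up. It parses both snapshots into per-category sets and reports what appeared or disappeared, which is exactly the view the screenshots above show (new processes, a dropped file, a Run key, an outbound connection).

```python
"""Before/after snapshot comparison, in the spirit of SysInspector's compare view.
Added example with a constructed, simplified XML schema (not ESET's format)."""
import xml.etree.ElementTree as ET

CATEGORIES = ("processes", "files", "registry", "connections")

# Constructed clean baseline taken before running the sample.
BEFORE_XML = r"""<snapshot host="LAB-WS01" taken="before">
  <processes>
    <process name="explorer.exe" path="C:\Windows\explorer.exe"/>
    <process name="svchost.exe" path="C:\Windows\System32\svchost.exe"/>
  </processes>
  <files>
    <file path="C:\Windows\System32\svchost.exe"/>
  </files>
  <registry>
    <value key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" name="OneDrive" data="C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe"/>
  </registry>
  <connections>
    <connection process="svchost.exe" remote="192.0.2.1:80" state="ESTABLISHED"/>
  </connections>
</snapshot>"""

# Constructed post-infection snapshot: two new processes, a dropped file,
# a Run-key persistence entry and an outbound connection from the new process.
AFTER_XML = r"""<snapshot host="LAB-WS01" taken="after">
  <processes>
    <process name="explorer.exe" path="C:\Windows\explorer.exe"/>
    <process name="svchost.exe" path="C:\Windows\System32\svchost.exe"/>
    <process name="sample.exe" path="C:\Users\lab\Downloads\sample.exe"/>
    <process name="qwerty.exe" path="C:\Users\lab\AppData\Roaming\qwerty.exe"/>
  </processes>
  <files>
    <file path="C:\Windows\System32\svchost.exe"/>
    <file path="C:\Users\lab\AppData\Roaming\qwerty.exe"/>
  </files>
  <registry>
    <value key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" name="OneDrive" data="C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe"/>
    <value key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" name="qwerty" data="C:\Users\lab\AppData\Roaming\qwerty.exe"/>
  </registry>
  <connections>
    <connection process="svchost.exe" remote="192.0.2.1:80" state="ESTABLISHED"/>
    <connection process="qwerty.exe" remote="198.51.100.23:443" state="SYN_SENT"/>
  </connections>
</snapshot>"""


def load_snapshot(xml_text: str) -> dict:
    """Parse a snapshot into {category: set of sorted attribute tuples} so set algebra works."""
    root = ET.fromstring(xml_text)
    snap = {}
    for cat in CATEGORIES:
        node = root.find(cat)
        children = node if node is not None else []
        snap[cat] = {tuple(sorted(el.attrib.items())) for el in children}
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return per-category added/removed entries; categories with no change are omitted."""
    report = {}
    for cat in CATEGORIES:
        added = [dict(t) for t in sorted(after[cat] - before[cat])]
        removed = [dict(t) for t in sorted(before[cat] - after[cat])]
        if added or removed:
            report[cat] = {"added": added, "removed": removed}
    return report


def format_report(report: dict) -> str:
    """Render the diff as plain text a responder can paste into a case note."""
    lines = []
    for cat, change in report.items():
        for entry in change["added"]:
            lines.append(f"+ {cat}: " + " ".join(f"{k}={v}" for k, v in entry.items()))
        for entry in change["removed"]:
            lines.append(f"- {cat}: " + " ".join(f"{k}={v}" for k, v in entry.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_snapshots(load_snapshot(BEFORE_XML), load_snapshot(AFTER_XML))))
```

Because entries are compared as whole attribute tuples, a process that keeps its name but changes its path shows up as one removal plus one addition, which is the behaviour you want when a sample overwrites or masquerades as an existing binary.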

SysInspector is a really useful tool that can shorten incident response time and focus the response team on what's important.

SysInspector can be downloaded from the ESET Website below:

http://www.eset.com/us/download/utilities/

Static Malware Analysis

PE File Structure:

PE is the native Windows executable file format (Microsoft introduced it in Windows NT 3.1). 32-bit DLL, COM and OCX files and NT kernel-mode drivers are all in PE file format as well (the 64-bit version is called PE32+).

[Figure: pefile]

The PE file starts off with a magic number, a 4-byte data block at the beginning of the file that helps the operating system determine the file type and therefore how to execute the file.

Here are some magic number examples:

[Figure: MZheader]

This is the Windows executable binary header (MZ), named after Mark Zbikowski, one of the early Microsoft architects.

[Figure: pdfheader]

This is the magic number of a PDF file.

[Figure: zipHeader]

This is the magic number of a ZIP file.

Following the magic number there is a 2-byte field defining the machine architecture for which the executable was built, and another 4-byte field holding the number of sections included in the file.

The PE optional header contains useful information for the malware analyst (and is not actually optional), such as the executable type (EXE, COM, DLL, etc.) and how the executable should be loaded. Two important fields are the Entry Point Address, which points to the first instruction executed when the malware is loaded, and the Image Base, which defines where the executable is loaded in virtual memory.

The header is followed by the IAT, the EAT and the section table:

  • IAT – The Import Address Table holds information about the functions the program calls from DLL files. Those functions and DLLs expose some or all of the malware's functionality. For example, a malware sample that imports ws2_32.dll may have some network functionality.
  • EAT – The Export Address Table is generally used in DLL files, and exports functions for other programs to call.
  • Section Table – The actual sections of the file, each of which contains useful information. Some common sections are:
  1. .text – Contains the instructions that the CPU executes. All other sections . Most of the time this is the only section that can execute, and it should be the only section that includes code (other sections containing code may be a sign of packed malware).
  2. .rdata – Holds read-only data that is globally accessible within the program.
  3. .data – Stores global data accessed throughout the program.
  4. .idata – Sometimes present; stores the import function information. If this section is not present, the import function information is stored in the .rdata section.
  5. .edata – Sometimes present; stores the export function information. If this section is not present, the export function information is stored in the .rdata section.
  6. .pdata – Present only in 64-bit executables; stores exception-handling information.
  7. .rsrc – Stores resources needed by the executable.
  8. .reloc – Contains relocation information for library files (used when a library must be loaded at a different memory address because its preferred address cannot be allocated).

Static Analysis

As I said in a previous post, static analysis is the process of studying a malware sample without executing it. We can look for suspicious strings (file paths, IP addresses, URLs, registry keys, etc.). We can also look at the IAT, the EAT and the section table, which may reveal a lot about the malware's expected behavior. In this sample I will use a tool called MASTIFF, a static analysis automation framework:

[Screenshot: mastiff1]

In the first screenshot we can see the file sections, and observe that these are not standard section names and that multiple sections are marked for execution, which is really suspicious. We also cannot ignore the section names UPX0, UPX1 and UPX2: UPX is the name of a known packer, and we suspect that this file has been packed with it.
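The header layout described in the PE File Structure section and the section-table heuristic from the screenshot above can be checked with a few dozen lines of code. This is an added Python example, not code from the original post or from MASTIFF: it walks the DOS header, PE signature, COFF header, optional header and section table with `struct`, then applies the two heuristics from the screenshot (non-standard section names, more than one executable section). The PE bytes it inspects are constructed in memory and header-only, with UPX-style names; the magic-number table and the list of standard section names are the ones given on this page.

```python
"""Minimal PE header walk plus section-table triage.  Added example; the
sample PE bytes are constructed in memory (header only, no real code)."""
import struct

# Magic numbers shown on the page, as a byte-prefix table.
MAGIC_NUMBERS = {
    b"MZ": "Windows executable (MZ/PE)",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive",
}
MACHINE_TYPES = {0x014C: "x86", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_* values
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names listed on the page; anything else is treated as non-standard.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc"}


def identify_magic(data: bytes) -> str:
    """Return a file-type label for the leading magic bytes, or 'unknown'."""
    for magic, label in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return label
    return "unknown"


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                         # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                       # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, table = [], opt + opt_size
    for i in range(nsections):
        off = table + i * 40                                   # each section header is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]    # Characteristics flags
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": rawsize,
                         "raw_ptr": rawptr, "characteristics": chars})
    return {"machine": MACHINE_TYPES.get(machine, f"{machine:#x}"),
            "format": "PE32" if magic == 0x10B else "PE32+",
            "entry_point": entry_point, "image_base": image_base, "sections": sections}


def triage_sections(pe: dict) -> dict:
    """The page's heuristics: non-standard names and more than one executable section."""
    executable = [s["name"] for s in pe["sections"]
                  if s["characteristics"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)]
    non_standard = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    # Which section the entry point RVA falls into; None (outside every section) is also suspicious.
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["vaddr"] <= pe["entry_point"] < s["vaddr"] + s["vsize"]), None)
    return {"executable_sections": executable, "non_standard_sections": non_standard,
            "entry_section": entry_section,
            "likely_packed": len(executable) > 1 or entry_section not in STANDARD_SECTIONS}


def build_sample_pe(sections) -> bytes:
    """Constructed PE32 header-only image for offline testing (no code, no data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                       # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                                 0x200, 0x400 * (i + 1), 0, 0, 0, 0, chars)
                     for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# UPX-style layout like the screenshot: two executable, writable sections with packer names.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b"UPX1", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    print(identify_magic(PACKED_SAMPLE), "|", identify_magic(b"%PDF-1.4"), "|", identify_magic(b"PK\x03\x04"))
    pe = parse_pe(PACKED_SAMPLE)
    print(pe["machine"], pe["format"], hex(pe["entry_point"]), hex(pe["image_base"]))
    print(triage_sections(pe))
```

Running it on the constructed sample reports `UPX0` and `UPX1` as both executable and non-standard, with the entry point inside `UPX0`, which is the same picture the MASTIFF screenshot gives. On a real file, read the bytes with `open(path, "rb").read()` and pass them to `parse_pe`; a truncated or malformed header raises `ValueError` or `struct.error` rather than returning partial results.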

[Screenshot: mastiff2]

In this screenshot we can see various imports of another malware sample. For example, the import of the InternetGetConnectedState function from WININET.dll implies that the malware checks whether there is a connection to the internet. Reference documentation for all the Microsoft library functions can be obtained from MSDN (Microsoft Developer Network).

[Screenshot: strings]

This last screenshot is of a strings run against another malware sample, revealing some interesting file names, URLs, error codes and library calls.
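The strings step above becomes far more useful when the output is classified rather than read top to bottom. The following is an added Python example (not the original post's code and not the `strings` utility itself): it extracts both ASCII and UTF-16LE printable runs, since Windows malware keeps many of its paths and registry keys as wide strings that a plain ASCII scan misses, and buckets the hits into the IOC types named on the page (file paths, IP addresses, URLs, registry keys, library names). The byte buffer it scans is constructed here; `c2.example.invalid`, the TEST-NET address and the file names are placeholders, not real indicators.

```python
"""ASCII + UTF-16LE string extraction with IOC classification.
Added example; SAMPLE is a constructed buffer, not a real binary."""
import re

# Printable ASCII runs and UTF-16LE runs (printable char followed by a NUL byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# IOC types from the page. A string may land in several buckets.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry_key": re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE|Software)\\[^\s\"']+"),
    "file_path": re.compile(r"[A-Za-z]:\\[^\s\"']+"),
    "library": re.compile(r"\b[\w.-]+\.dll\b", re.IGNORECASE),
}

# Constructed sample: API names, a DLL name, a placeholder URL and address,
# a wide-string Run key and path, and an error-code string, separated by junk bytes.
SAMPLE = (
    b"\x00\x00MZ\x90\x00\x03\x00\x00\xff\xfe\x01"
    + b"InternetGetConnectedState\x00InternetOpenA\x00WININET.dll\x00"
    + b"\x01\x02\x03\x04"
    + b"http://c2.example.invalid/gate.php\x00"
    + b"192.0.2.10\x00\x00\x7f\x80"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + "C:\\Users\\Public\\svchost_update.exe".encode("utf-16-le") + b"\x00\x00"
    + b"ERROR_FILE_NOT_FOUND\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) tuples for printable runs, sorted by file offset."""
    found = []
    for m in ASCII_RUN.finditer(data):
        text = m.group().decode("ascii")
        if len(text) >= min_len:
            found.append((m.start(), "ascii", text))
    for m in WIDE_RUN.finditer(data):
        text = m.group().decode("utf-16-le")
        if len(text) >= min_len:
            found.append((m.start(), "utf-16le", text))
    return sorted(found)


def classify_strings(strings: list) -> dict:
    """Bucket extracted strings by IOC type using IOC_PATTERNS."""
    hits = {kind: [] for kind in IOC_PATTERNS}
    for _, _, text in strings:
        for kind, pattern in IOC_PATTERNS.items():
            for m in pattern.finditer(text):
                hits[kind].append(m.group())
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, encoding, text in found:
        print(f"{offset:#06x} {encoding:8s} {text}")
    for kind, values in classify_strings(found).items():
        if values:
            print(f"{kind}: {values}")
```

API names such as `InternetGetConnectedState` and `InternetOpenA` come out in the plain string list rather than in a bucket; checking them against the import table (or MSDN, as the post suggests) is the next step, and a string that names an API the file does not import is itself worth a note.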

Introduction to Malware Analysis

What is malware? Short for malicious software: software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Malware appears in various file formats: executable files, BAT scripts, VBScript, JavaScript, macros in Microsoft Office files, and exploit code in JPG, GIF, SWF and PDF files. However, more than 80% of the malware samples received by security vendors are Windows executables.

Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat it. It is a cat-and-mouse race: as detection and analysis methods get more advanced, malware gets ahead as well.

Malware infection vectors:

  • Social networks – Malware on infected computers may post links on behalf of the logged-in user for their friends to click.
  • Boot sector – Infecting the MBR of the physical disk.
  • Network file shares – Malware may create autorun files on SMB and Samba shares.
  • P2P networks – Torrents, IM, etc.
  • Removable media – Malware may create autorun files in the root directory of the media.
  • Vulnerabilities across websites, operating systems and applications.

Why perform malware analysis?

With malware becoming more targeted toward organizations of any size, more malware in the wild is undetectable by common means of protection (Anti-Viruses and Anti-Malware applications).

Malware Types:

  • Backdoor – Malicious code that grants an attacker remote access to a machine.
  • Bot – A group of computers compromised with a backdoor and connected to a single control server (or a group of them). Usually used for distributed denial of service attacks or for sending spam. Recent malware even uses the victim computer's resources to mine bitcoins.
  • Trojan horse – Just like the horse of Troy, the malware disguises itself as a normal program to trick users into installing it.
  • Dropper – A piece of malware that downloads additional malicious code; usually combined with another type of malware.
  • Info-stealer – Collects specific information from a victim, such as banking credentials, online game credentials, PDF documents, etc.
  • Rootkit – Code used to hide the existence of other code; usually combined with another type of malware.
  • Worms – Spread over computer networks by exploiting operating system vulnerabilities. Worms often spread by mail or social network posts. Worms may carry payloads: pieces of code that perform actions beyond infecting the victim, like stealing data, deleting files, etc.
  • Ransomware (also known as scareware) – A form of malware that holds the victim's computer captive while demanding a ransom. The malware may encrypt files on the hard drive, or restrict regular operation of the computer, forcing the user to pay the malware author to remove the restrictions and regain access. (Usually the malware just removes the restrictions for a month or so and then activates again.)

Malware can as well be a combination of a few types described above.

Malware Analysis has a few goals:

  • Determine the file's capabilities (the file is not necessarily a binary) – Determine the intentions of the malware author: how the malware installs itself, how it spreads, how it achieves persistence, and what data the author wanted to acquire or what damage they wanted to do.
  • Do a risk assessment – Check which of your assets might be compromised by such malware, and protect them accordingly.
  • Create IOCs (Indications of Compromise) to detect the malware, or malware with similar behavior, in the future – use the IOCs to create host-based or network-based signatures.

Analysis Types:

  • Basic static analysis – Examining the file without executing it.
  • Behavioral (dynamic) analysis – Executing the file in a monitored environment and learning its behavior.

In the next post we will dive into the structure of a PE file (Windows Portable Executable) and perform a basic static analysis on some malware samples.