CIS 4615 meeting -*- Outline -*-
* tools for analysis of potential malware in binaries

Based on chapter 1 of the book by Michael Sikorski and Andrew Honig,
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious
Software, No Starch Press (San Francisco, 2012).

** context
------------------------------------------
CONTEXT FOR MALWARE ANALYSIS

You have isolated a program
 - seems suspicious (bad effects)
 - not sure if it's malware (could be)
 - need to:

------------------------------------------
...
 - understand what it does
      is it malicious?
 - understand its effects
      to undo them
 - understand how/if it spreads

** tools
*** antivirus scanning
------------------------------------------
ANTIVIRUS SCANNING

A good first step

Can use VirusTotal to try several:
   See http://www.virustotal.com

Reports from all engines
------------------------------------------
If VirusTotal identifies it as malware,
then you're pretty well done

But it can be ambiguous; for example,
3 engines report WinMD5 as suspicious,
but 35 say it is fine.
*** hashing
------------------------------------------
HASHING

Use a hashing program (MD5 or SHA-1)

Allows one to:
 - use the hash as a label
 - share the hash to identify malware
 - search for the hash online
------------------------------------------

*** strings
------------------------------------------
STRINGS

Gives hints about program's functionality
 - normal programs have lots of strings
   e.g., URLs

Strings utility from Microsoft
 - download from bit.ly/ic4plL
   i.e., https://technet.microsoft.com/en-us/sysinternals/bb897439
 - or run from https://live.sysinternals.com/
------------------------------------------

*** packed and obfuscated malware (PEiD)
------------------------------------------
PACKED AND OBFUSCATED MALWARE

Packing idea:

   |-----------|\
   |           | \
   | original  |  \-->+---------+
   |   code    |      | wrapper |
   |           |      |---------|
   |           |      | packed  |
   |           |      |  code   |
   |           |      |         |
   |           |  /-->+---------+
   |           | /
   |-----------|/

 - The wrapper unpacks the code to the
   original size before execution

Benefits:
 - smaller size
 - information compressed (obfuscated)

Used by some legitimate software,
and by lots of malware

A popular packer is UPX
   See http://upx.sourceforge.net/
which can also be used for unpacking
------------------------------------------
There have been proposals (e.g., by Viega)
to ban such packers from all legitimate software

------------------------------------------
DETECTING PACKERS

PEiD is a program that can detect packers
   See woodmann.com/BobSoft/

But best to run it in a VM
as some plug-ins may run the programs!
------------------------------------------

*** dependencies (dynamically linked functions)
------------------------------------------
KINDS OF LINKING

static linking: libraries put into
                executable (PE file) before runtime

dynamic linking: libraries found at runtime

dynamic linking is common

Functions for dynamic linking (Windows):
 - LoadLibrary
 - GetProcAddress
 - LdrGetProcAddress
 - LdrLoadDll
------------------------------------------
...
in malware (to reduce size)

------------------------------------------
DEPENDENCIES ON DYNAMICALLY LINKED LIBS

DependencyWalker (from MS Visual Studio)

Shows dependencies from the PE file
 - can give information about functionality
------------------------------------------

------------------------------------------
COMMON DLLS (Table 1.1 of PMA)

DLL            Description
==========================================
Kernel32.dll   core functionality
               (memory, files, hardware)
Advapi32.dll   advanced Windows components
               (service manager, registry)
User32.dll     UI components
               (buttons, scroll bars)
Gdi32.dll      graphics functions
Ntdll.dll      interface to kernel (suspicious)
WSock32.dll    networking
Ws2_32.dll     (connecting to network)
Wininet.dll    high-level networking
               (HTTP, FTP, NTP protocols)
------------------------------------------

------------------------------------------
WINDOWS FUNCTION NAMING CONVENTIONS

Ex suffix (e.g., CreateWindowEx)
   extends old version in incompatible way

Suffixes for string types
(don't appear in MS documentation)
 - A (e.g., CreateDirectoryA) = takes ASCII strings
 - W (e.g., CreateDirectoryW) = takes wide character strings
------------------------------------------

*** text segments (PEview)
------------------------------------------
DETAILS OF THE PE FILE

PEview tool
   See http://wjradburn.com/software/

Sections may be informative

Look in IMAGE_NT_HEADERS under IMAGE_FILE_HEADER
   compare to IMAGE_SECTION_HEADER
   virtual size vs.
   size of raw data

if a section has no space on disk (raw data)
but has a large virtual size,
then may be unpacking into that section
------------------------------------------
Try PEview; there are also other tools

*** resources segment
------------------------------------------
VIEWING RESOURCES SEGMENT WITH RESOURCE HACKER

This is the .rsrc segment

Use ResourceHacker from http://angusj.com/
------------------------------------------

** exercise
------------------------------------------
EXERCISE

ANALYSIS OF A FILE

Obtain samples from
   http://practicalmalwareanalysis.com/labs/
use files Lab01-01.exe and Lab01-01.dll

1. Do they match any existing virus sigs?
2. When were they compiled?
3. Are they packed or obfuscated?
4. Any hints from the imports?
5. What could you look for to find them?
    - file activity
    - network activity
6. What is their purpose?
------------------------------------------
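As an added example (not from the book or these notes), here is a small Python parser for the headers PEview shows: it reads IMAGE_FILE_HEADER for the TimeDateStamp (exercise question 2) and walks the IMAGE_SECTION_HEADER entries, comparing virtual size against size of raw data and noting UPX-named sections (exercise question 3). The sample header is constructed inline and is not a real binary; it omits the optional header, which real PE files always carry.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER (20 bytes) and IMAGE_SECTION_HEADER (40 bytes), little-endian
FILE_HDR = "<HHIIIHH"
SECTION_HDR = "<8sIIIIIIHHI"

def parse_pe(data):
    """Return (TimeDateStamp, list of section dicts) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of IMAGE_NT_HEADERS
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size   # section table follows the optional header
    sections = []
    for _ in range(nsec):
        name, vsize, _vaddr, rawsize, *_ = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
        off += struct.calcsize(SECTION_HDR)
    return stamp, sections

def compile_time(stamp):
    """TimeDateStamp is seconds since 1970-01-01 UTC (exercise question 2)."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()

def packing_hints(sections):
    """Flag the PEview pattern: no raw data on disk but a non-zero virtual size."""
    hints = []
    for s in sections:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: raw size 0 but virtual size {s['virtual_size']:#x}")
        if s["name"].startswith("UPX"):   # UPX names its sections UPX0/UPX1
            hints.append(f"{s['name']}: UPX section name")
    return hints

def build_sample():
    """Constructed minimal PE header (not a real binary; no optional header)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    file_hdr = struct.pack(FILE_HDR, 0x14C, 2, 1325376000, 0, 0, 0, 0x10F)
    upx0 = struct.pack(SECTION_HDR, b"UPX0", 0x20000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack(SECTION_HDR, b"UPX1", 0x8000, 0x21000, 0x7A00, 0x400, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + file_hdr + upx0 + upx1
```

To try it on a real sample, pass the file's bytes to parse_pe and print compile_time and packing_hints on the result; the constructed sample reports a 2012 timestamp and flags UPX0 as empty on disk.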