RSS

Basic Static Malware Analysis

09 Jul

I am taking Conficker executable as malware sample to do all the following steps:

1. Generate the hash and match with virus-total

(http://www.virustotal.com/)

C:\>md5deep c:\WINDOWS\system32\sol.exe

2. Search for strings

download the tool from: http://bit.ly/ic4plL

cd to the place it is installed

strings <path of malware file to be searched>

strings

3. Check if obfuscated

Packed programs are subset of obfuscated programs. When packed programs are run usually a wrapper runs along with it. Wrapper program unpacks the malicious program. PEiD is used to check which compiler or packer is used.

Download from: http://www.download3k.com/Install-PEiD.html

If packer turns out to be UPX-0.89.6-1.02 <etc. etc.>

Download UPX: http://upx.sourceforge.net/ to unpack the exe

Now, one of the very important concepts to know if as following:

4. Exploring Dynamically Linked Functions with Dependency WalkerPortable Executable File Format

“The Portable Executable (PE) file format is used by Windows execut-
ables, object code, and DLLs. The PE file format is a data structure that
contains the information necessary for the Windows OS loader to manage
the wrapped executable code.

Several Microsoft Windows functions allow programmers to import
linked functions not listed in a program’s file header. Of these, the two most
commonly used are LoadLibrary and GetProcAddress . LdrGetProcAddress and
LdrLoadDll are also used. LoadLibrary and GetProcAddress allow a program to
access any function in any library on the system, which means that when
these functions are used, you can’t tell statically which functions are being
linked to by the suspect program.

The PE file header stores information about every library that will be
loaded and every function that will be used by the program. The libraries
used and functions called are often the most important parts of a program,
and identifying them is particularly important, because it allows us to guess
at what the program does.” (from book Practical _Malware_Anlysis by Michael Sikorski and Andrew Honig)

Sections of a PE File for a Windows Executable

.text  Contains the executable code
.rdata Holds read-only data that is globally accessible within the program
.data Stores global data accessed throughout the program
.idata Sometimes present and stores the import function information; if this section is
not present, the import function information is stored in the .rdata section
.edata Sometimes present and stores the export function information; if this section is not present, the export function information is stored in the .rdata section
.pdata Present only in 64-bit executables and stores exception-handling information
.rsrc Stores resources needed by the executable
.reloc Contains information for relocation of library files

Examining PE Files with PEview

Download from : http://wjradburn.com/software/

PEView-Default

1. The first two parts of the PE header—the IMAGE_DOS_HEADER and MS-DOS
Stub Program do not offer much information of particular interest.

2. IMAGE_NT_HEADERS , shows the NT headers. The signature is always the same.

  • IMAGE_FILE_HEADER, Time Date Stamp : tells us when this executable was compiled, which can be very useful in malware analysis and incident response. An old compile time suggests that this is an older attack, and antivirus programs might
    contain signatures for the malware.

PEView-image-file-header

  • Note: All Delphi programs use a compile time of June 19, 1992.  So a compile time of June 19, 1992 means you won’t really know when it was compiled. Also, a malware writer can fake the compile time.
  • The IMAGE_OPTIONAL_HEADER section includes
    • The Subsystem description indicates whether this is a console or GUI program.
    • Console programs have the value IMAGE_SUBSYSTEM_WINDOWS_CUI and run inside a command window.
    • GUI programs have the value IMAGE_SUBSYSTEM_WINDOWS_GUI and run within the Windows system. Less common sub-systems such as Native or Xbox also are used.
    • PEView-subsystem-option-header

 

  • The most interesting information comes from the section headers, which
    are in IMAGE_SECTION_HEADER. They describe each section of a PE file.

    • The compiler generally creates and names the sections of an executable
    • As a result, the sections are usually consistent from executable to executable
      and any deviations may be suspicious.
  • Virtual Size tells us how much space is allocated for a section during the loading process. The Size of Raw Data tells how big the section is on disk. These two values should usually be equal, because data should take up just as much space on the disk as it does in memory. Small differences are normal ( due to alignment in memory and on disk.)
    • The section sizes can be useful in detecting packed executables. For
      example, if the Virtual Size is much larger than the Size of Raw Data, particularly if the .text section is larger in memory than on disk.
  •  Conficker malware findings: (packed malware)
  • In the images instead of .text, .rdata , .data we can just see UPX0, UPX1, UPX2. So for now let us just discuss the possibility of meaning of the differences in virtual space and raw data size
    • eg: The .UPX0 section has a Size of Raw Data value of 0, meaning that it takes up no space on disk, and its Virtual Size value is 7000, which means that space
      will be allocated for the .text segment. This tells us that a packer will unpack
      the executable code to the allocated .text section. PEView-UPX0
    • The .data section may seem suspicious because it has much larger virtual size than raw data size, but this is normal for the .data section in Windows programs. PEView-UPX2
    • if values are almost same it is fine.PEView-UPX1

 

 

  • Conficker malware findings: (unpacked malware)
    • Download UPX http://upx.sourceforge.net/ to unpack the exe

5. Exploring Dynamically Linked Functions with Dependency Walker

http://www.dependencywalker.com/

If a function is not listed in Appendix A,search for it on MSDN online.

dependencyWalker1

About some common DLLs

KERNEL32.dll

The imports from Kernel32.dll tell us that this software can
open and manipulate processes (such as OpenProcess , GetCurrentProcess , and
GetProcessHeap ) and files (such as ReadFile , CreateFile , and WriteFile ).

FindNextFile are particularly interesting ones that
we can use to search through directories.

User32.dll

The function SetWindowsHookEx is commonly used in spyware and is the
most popular way that keyloggers receive keyboard inputs. This function has
some legitimate uses, but if you suspect malware and you see this function,
you are probably looking at keylogging functionality.

The function RegisterHotKey is also interesting. It registers a hotkey (such
as CTRL – SHIFT -P) so that whenever the user presses that hotkey combination,
the application is notified. No matter which application is currently active, a
hotkey will bring the user to this application.

Advapi32.dll

The imports from Advapi32.dll tell us that this program uses the registry,
which in turn tells us that we should search for strings that look like registry
keys. Registry strings look a lot like directories. In this case, we found the
string Software\Microsoft\Windows\CurrentVersion\Run , which is a registry key
(commonly used by malware) that controls which programs are automati-
cally run when Windows starts up.

(dint find string Software\Microsoft\Windows\CurrentVersion\Run in my malware sample)

6. Viewing the Resource Section with Resource Hacker

Resource Hacker tool at http://www.angusj.com/ to browse the .rsrc
section.

resource-hacker

 The .rsrc section includes the resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings. I could only see a dump of raw byte data as shown in the attachment as shown above may be because a packed version of malware is used here.
(will be continued in next post)
Advertisements
 
Leave a comment

Posted by on July 9, 2017 in Uncategorized

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: