Sunday, October 31, 2010

Intro to Static Analysis Part 2

This week I plan to go a bit more in detail on each of the steps from last week. I was going to get into deeper items such as using disassemblers and such, but I will go there in the next two posts. I really wanted everyone to see just how much you can learn from just doing the simple things I discussed on the last post.

Here are the steps from last post step by step with screen shots. For the sample, I just went to Malware Domain List and grabbed a suspected malware sample from that page.

I  will warn you now as always. You should only be downloading and executing the following sample in a lab environment. If you don't know how to do that, watch for Jamy's next post where he will start you down that path.

This weeks sample can be downloaded here.

I don't know what this sample does right now. I'm looking at it for the first time just as you are :)

First I'm going to boot my lab environment and pull the sample into it. Then I'm going to run a hash application to get the digital fingerprint of the binary.

I just installed the Malcode Analyst Pack. This will give us a handy right click menu to obtain the MD5 Hash and Strings. So I right click the file and choose MD5 Hash. Here is the result:


As you can see, the hash value of our sample is 121340AA444B4D4153510C0BE58D4D61. We will jot this down in our notes.

Next we will take our fuzzy hash with SSDEEP. In this example we will use the SSDEEP Front End. This is a nice little GUI to make things easy. When we first open the application, we need to choose Create or Append Hash Value. We will choose Single File as our Input. Click the Choose Input button and navigate to where you have your sample, as seen below:

Next, we click the Choose Output button. This will open an Explorer window, where you can choose where you would like your output to go. Here we are going to choose to put it on the Desktop so we can find it easy. I generally name the file: <filename>_exe (or dll if it's a dll). This is just my method to know what the name is and what that sample it goes with. Click the Open button. You then need to click the Execute button.

A dialog box will pop up telling you that you are about to run a batch file, and that a DOS box is about to pop up. Click the yes button to continue.

A DOS box will pop up for a second and go away. You will be left back at the main screen of the SSDEEP Front End. You can choose Exit at this time.

You now have the file on your desktop. Double Click to open it. Windows will ask you what application you would like to use to open the file. Choose to select a program from a list and click OK. I normally use the Notepad application for these, but you can use any text editor or viewer that you want. I generally also choose to always use the selected program to open this type of file. That way I don't need to choose every time.

As you can see from the screen shot below. Our fuzzy hash is

3072:HPZJsRgSmHWii6X4/QDDu3vDTw/hkfSUJjLTJra:vZJkjiie44DC/A/hkfSUJjPJr,"mdktask.exe"


The next thing we are going to do is take our Hash value and search Virus Total to see if anyone has submitted this sample before. So we navigate to http://www.virustotal.com. We will click the Search link and paste our Hash value in and hit search.

As you can see from the following screen shot someone has submitted this sample and 25 our of 41 anti virus applications say it's a virus.



Next, we want to classify the file. To do this, we are going to use TRiD. Ensure you download the latest definition files from here. Once you run TriD, you will need to point to your definition xml file. Choose the Browse button on the bottom right of the application. Navigate to your definition files and choose the first listed xml file in the directory. I generally put the xml files in a folder called Defs in the TRiD application folder.

You will want to choose Browse on the top to choose our sample we want to analyze. After choosing the file, we click the Analyze button and get the results. As you can see below we have a match of 86% of a Windows 32 Executable file, potentially written in Visual Basic 6.

Normally at this point, we would run the sample through a few other similar applications to see if anything new is found. To keep this post relatively short, I'm going to bypass that. I'm also not going to upload the sample to any sites to be scanned for known virus signatures. Mainly because I've seen by our search on Virus Total that we can be pretty sure it is known.

The next step we will do is to open the file with BinText. Choose the Browse button and choose our sample. After that we hit the go button. This will show us some of the strings available in the binary file. In some cases you may not see what you like here due to packing or encryption. We will go into that more later. In the case of this sample we are able to see a good bit of detail as seen below:





Below are some of the things I saw that should be added to our notes as items of interest:

Form1. This tells us that potentially there is a visual form
Timer1. This lets us know there is a timer or countdown of some sort.
Winsock.
WinsockAPI. These two tell us there is some sort of network component.
modSMTP. This would let us know there could be an email component which starts to corroborate what we have found from our search on Virus Total earlier.
mod_Variaveis. A quick Google of this word looks like it translates to variables from Portuguese. We now have an idea of where it may have come from. Maybe from Brazil or somewhere like that.
 getpeername. This function will retrieve a name of a socket that was created. This starts to show there are more facts to prove network connectivity.



I could go through each, but I'm going to shorten this to only pull out the remainder of very interesting points that I see.



C:\Arquivos de programas\Messenger\msmsgs.exe\3 (Microsoft Messenger...interesting)
DownloadFile. Looks like we are getting more malware.

Crypt. Looks like some hashing or encryption going on.
GetWinPlatform. Looking for a specific Windows version maybe?
strEmailTO
strEmailTO1
strEmailTO2
strEmailTO3. Now we see some email capabilities which shows us why VirusTotal called this an email worm possibly
D:\Programas Daniel\infect\infect Interlig - rato\Project1.vbp. Humm is this guy called Daniel? gatta love when people don't clean up :)
GOD DAMNIT, the internet doesn't work... Little bit of error checking?
catia@oticasopcao.com. Source Email maybe?
showbol2010.log. Log for us to see how things went maybe?
http://www.youtube.com/. Maybe a link used in the email?
www.youtube.com. A link to more malware sent in the email possibly.
InternetBanking.exe. The next executable file name to download if you click the link or when the executable file executes. InternetBanking is interesting. Maybe we have something trying to steal banking credentials?



There are plenty of other links in there as well as you will see if you go through this sample yourself.


atualizahook.cfg. A config file on how to set things up?
Subject:
From:  more email functions
EHLO
AUTH LOGIN
MAIL FROM:<
RCPT TO:<. Email server communications.
 Norton AntiVirus. Possibly to look like it's been scanned in transit?
lhe enviou o link do video no youtube. sent the video link on youtube in Portuguese.
This program cannot be run in DOS mode. We know this shows up at the beginning of PE files, but this is in the middle. Maybe this is our worm sending a copy of itself. Going through the rest of that section takes use through what we just went through previously. We may assume this is the case until we find out more.


Everything we have seen, and believe me there is a lot more in there, shows us that our results at Virus Total were pretty close so far. We could finish by looking at the PE format with PEiD or attempt to look for packing or encryption, but I think you can see we really don't need to at this time.



I will end this post here. As you can see we didn't need to know any programming to find out what this thing does so far. For the APIs we may not have known, a quick search on Google or MSDN gave use the capability of those pieces of code. Not all code is this simple and to be honest I'm happy I choose one so simple randomly as it made our day a bit easier.

In the next post I will take you into the debugger and disassembler. We will start by showing IDA Pro free version and OllyDBG. These are 2 of the more popular tools in this field. The fourth part of our introduction to static analysis will show some examples with a new sample much like we showed more details on the first post's tools.


I hoped you enjoyed the post. Look for the next post in a week or so. In the mean time, if you have any questions or comments, feel free to leave them on the blog. We will respond to all comments and questions that are reasonable. We are here to share the knowledge, so don't hesitate if you desire to understand something in more detail!

If you see a possible mistake, please let us know as well. We are not perfect and to be quite frank, I'm not a programmer and I don't play one on the Internet. Therefore, I may make assumptions or come to conclusions that might be debatable by others who may know more than I.










7 comments:

  1. Thanks for this blog, its short and informative.

    I have a question-
    For static or dynamic analysis you need to know where the infected file is. What if you know your computer is infected, how do you find the malware (obviously we are talking AV can't detect it)?

    Also I wish you guys would post more often :)

    Thanks,
    Bono.

    ReplyDelete
  2. @Bono

    Thank you for the comment. This blog does not go into detail on how to find the malware on your system. There are many blogs, books, articles etc. out there that detail this forensic analysis to find these things. We will only be focusing on finding out what the malware does on this blog.

    I wish we could post more often as well, but we are both pretty busy with our jobs. We will see how things progress as time goes one. Possibly if we could get some volunteers, we could do that.

    ReplyDelete
  3. Really great blog, as a young college grad just stepping into the malware analysis field I appreciate little things like this.

    I am currently started to do some of this stuff for work, but I would also like to get a setup going at home for my to do malware Analysis, was wondering what you think the ideal setup would be for doing this. I see you use mac with a windows VM. At work we use windows 7 and then have access to several different windows OS VM's. Any suggestions on what I should go with?

    ReplyDelete
  4. Whoops, Should have scrolled down further... Hadn't seen the intro to dynamic analysis yet.

    ReplyDelete
  5. Zachary,

    Yes we covered this a bit in the intro to Dynamic Analysis. Personally I would recommend using a few different versions of Windows. Some good analysis tools don't run well under Windows 7 yet. I would keep an XP around for that. If you plan on executing malware in a lab for dynamic analysis, I would recommend first to run an image that mimics your company image so you know potential impact given the settings you have in production. You might then have a couple other versions running different Apps, Adobe X, Adobe 9, Adobe 8 etc. Maybe MS Office 2010, 2007, 2003. Just to get a feel if malware is targeting a specific build. I would also highly recommend downloading Lenny Zeltser's REMnux (http://zeltser.com/remnux/). That has some good tools for Linux analysis and flash analysis along with items you might find useful like an IRC Server, Web Server, DNS Server and mail honeypot for interacting with malware.

    HTH

    Curt

    ReplyDelete
  6. Hi Curt ShafferHi, hi Jamy Klein,

    I find your blog very relevent, clear, & trustworthy.
    I liked also the way you spoke about Mind Mapping/Note-Taking & Malware-Collecting.

    Thanks a lot for this series of tuts, hope u will keep writting ...

    Noteworthy/FAT

    ReplyDelete
  7. Please someone can upload the simple for this article coz it's no more available.

    ReplyDelete