Jump to content


Photo

Malware Analysis :- How To...


  • Please log in to reply
3 replies to this topic

Poll: Was this article useful? (1 member(s) have cast votes)

How much would you rate this article...

  1. 5: Excelent (0 votes [0.00%])

    Percentage of vote: 0.00%

  2. 4: Good (1 votes [100.00%])

    Percentage of vote: 100.00%

  3. 3: OK (0 votes [0.00%])

    Percentage of vote: 0.00%

  4. 2: Not OK (0 votes [0.00%])

    Percentage of vote: 0.00%

  5. 1: Waste of time (0 votes [0.00%])

    Percentage of vote: 0.00%

Vote Guests cannot vote

#1 .::Malicious Brains::.

.::Malicious Brains::.

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 10 March 2008 - 08:51 PM

The purpose of this article is to help users analyze and determine if an executable\process\binary running in their system is a harmful Malware. We will do the analysis by analyzing it in a controlled environment without the use of antivirus software, debuggers, code disassembly or any other sophisticated tools or applications. However, we would take the help of certain freely available tools and utilities to fulfill our requirements.

Introduction

Traditionally, Malware analysis has been considered to be very complicated, and in fact some of the techniques or methodologies involved are very complicated and way beyond a normal user's access or understanding. However, in context of today’s scenario, we can see that there is a clear need for people to learn how to analyze Malware themselves. But the most important factor is that the analysis techniques should be simplified enough so that even the average computer user can understand it. Unfortunately, information dealing with Malware analysis techniques is either too complicated for the average users to understand or they are in a very much scattered form, beyond the reach of normal users. With the help of this, sort of tutorial, I would try to fill in this disparity and also would like to make it easy and simplified enough for the average users to understand and do hands on themselves.

Basics

Malwares has evolved into the cyber era as the most dangerous, damaging and menacing tantrum. It is not an exaggerated statement that if you are linked to the Internet, there’s every chance of being affected by this nuisance. So, it is very important that we should possess a peripheral view about this threat. We will look into some basic details of this thing called Malware.

What is Malware?

Malware is a malicious software, which is designed specifically to damage your system or interrupt the normal computing environment. A trojan horse, worm, virus or spyware could be classified as malware. Some advertising software can be malicious by trying to re-install itself after you have removed it. A binary is considered Malware on the basis of certain features.

Types of Malware

A Malware can be Viruses, Worms, Trojan horses, Rootkits, Spywares, dishonest Adware or other malicious and unwanted rogue softwares. Hence a Malware is something that usually contaminates the system and carries out malicious activities. The best-known types of Malware are viruses and worms. They are known for the manner in which they spread, rather than any other particular behavior.

Virus: A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive.

Worm: A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.

Trojan horse: A piece of software which appears to perform a certain action but in fact performs another such as a computer Virus. Trojan horses are notorious for their use in the installation of backdoor programs in the system that can be exploited by the author of such programs. These systems now become zombies and they can be completely controlled by the attacker.

Spyware: A computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent. Spyware suggests software that secretly monitors the user's behavior, collect various types of personal information, interfere with user control of the computer in other ways such as installing additional software, redirecting Web browser activity, accessing websites blindly that will cause more harmful viruses, or diverting advertising revenue to a third party.

Adware: Computer software that comes with advertising functions integrated into or bundled with a program. It is usually seen by the programmer as a way to recover programming development costs. Some types of Adware are also Spyware and can be classified as privacy-invasive software. They automatically play, display, or download advertising material to a computer after the software is installed on it or while the application is being used.

There can be many more categories of Malware depending on their characteristics and malicious activities. However, detailed description of those is not within the scope of this article.

Background of Malware Analysis

The threat of malicious software can easily be considered as the greatest threat to Internet security these days. Earlier, Viruses were, more or less, the only form of Malware. However, nowadays, the threat has grown to include a vast range of highly sophisticated applications viz. network-aware worms, Trojans, DDoS agents, IRC Controlled bots, Spywares, Rootkits and many more. The infection vectors have also changed and grown drastically as malicious agents now use mechanisms like email harvesting, browser exploits, operating system vulnerabilities, and P2P networks and many more unknown, unheard and technologically advanced techniques of replication.

A relatively large percentage of the software that a normal internet user encounters in his/her online activities are or can be malicious in some form or other. Most of these Malwares are detected by Antivirus software, Spyware removal applications and other similar tools. However, this protection is not always enough and there are times when a small, benign looking binary sneak through all these levels of protection and compromises the system and the user’s data. The reasons for this breach can be:

> Users not updating their Antivirus signatures regularly
> Users not keeping their systems well patched
> Failure of Antivirus Software’s heuristics engine
> New or low-profile Malware that has not yet been discovered by Antivirus vendors
> Custom coded Malware which cannot be detected by Antivirus
> Firewall not installed or not properly configured

Malwares are continuously evolving, and Antivirus vendors are finding it difficult to keep up with this ever increasing threat list. In some cases, the vendors may opt not to include a signature for a particular piece of Malware. However, this should not prevent knowledge seekers from using freeware tools and techniques to analyze the files and develop their own prevention and detection mechanisms. Though the Antivirus Softwares are continually getting better and more sophisticated, a small but very significant percentage of Malwares escape this predefined screening process and manages to enter and compromise both the system and the network itself. Unfortunately, this percentage of the Malwares escaping this predefined screening process is also growing everyday.

It is essential for users and absolutely essential for administrators to be able to determine if a binary is harmful by examining it manually and without relying on the automated scanning engines. The level of information required after an analysis is done differs according to the user's needs. For instance, a normal user might only want to know if a binary is malicious or not, while an administrator might want to know more like the registry values the binary injects, the copies of infected files it creates, the types of files the binary infects and also the actual payload information and what it does. That means, he may want to completely reverse engineer the binary for his purposes.

Techniques for Malware Analysis

There are basically two techniques that are used for analyzing a Malware:

> Code analysis
> Behavior analysis

In most cases, a combination of both these techniques is used. However, we will consider code analysis first.

Code Analysis

Code analysis is one of the primary techniques used for examining Malwares. The best way of understanding the way a program works is, of course, to study the source code of the program. However, the source code for most Malware is not available. Malicious software is more often distributed in the form of binaries, and binary code can still be examined using debuggers and disassembles. However, the use of these tools is often beyond the ability of all but a small minority because of the specialized knowledge that is required. Given sufficient time, any binary, however large or complicated, can be reversed completely by using code analysis techniques. We will deal with some aspect of code analysis and reverse engineering process later.

Behavior Analysis

Behavior analysis is more concerned with the behavioral aspects of the malicious software. Like a beast kept under observation in a zoo, a binary can be kept in a tightly controlled environment and have its behavior scrutinized. It is mainly done in Virtual OS environment so that the effects of the Malware can be kept under control. Analysis of activities or changes it makes to the environment (file system, registry, network, etc), its communication with the rest of the network, its communication with remote devices, and so on are closely monitored and information is collected. The collected data is properly documented, analyzed and the complete picture is reconstructed from these different bits of information.

The best thing about behavior analysis is that it is within the scope of an average administrator or even a normal user. Though reverse engineering using behavior analysis does not lead to the generation of the binaries code, it is sufficient for most users' needs. For instance, it is not sufficient for an antivirus researcher but for most other users or Administrators, behavior analysis can fulfill all their needs. In this article, we will deal mainly with the behavioral analysis of the Malwares and the ways and tools with which we can do that.

For more details, download zipped PDF article from in my CastleCops post....

http://www.castlecop...To.html#1064340

Please feel free to let me know about your suggestions and feedback about the article...


.:: Malicious Brains ::.
maliciousbrains.blogspot.com

Article on Malware Analysis:
http://www.castlecop...To.html#1064340

"THERE ARE NO PATCHES OR SERVICE PACKS FOR HUMAN IGNORANCE"

Edit to disable link...

Edited by Budfred, 10 March 2008 - 10:09 PM.

.:: Malicious Brains ::.

There are no patches or service packs for ignorance![/color]

#2 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 10 March 2008 - 09:09 PM

It appears that CastleCops is having a problem .. your links just lead to blank pages.

Your simple definitions and explanations may be useful in helping those new to malware to understand the kind of thing that can happen to them. However we definitely advise that anyone who has or even suspects a malware infection post their problem here in the Malware Removal forum and wait for a trained helper to reply and walk them through the removal steps. Do-it-yourself, especially with rootkits, can lead to PC disaster.

CastleCops is a good site too, and also has trained helpers available.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#3 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,529 posts

Posted 10 March 2008 - 10:07 PM

You just posted this same article on CastleCops today and you are a new member there as well as here... It is not clear if you have any credentials anywhere for the information you wish people to look at and "blogspot" is the source of a number of recent scams and infections... I am going to disable those links and I suggest you do not repair them if you wish to remain a member here...

I suggest other Members use extreme caution in taking any advice from this person until it is clear that his/her intentions are legit...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#4 .::Malicious Brains::.

.::Malicious Brains::.

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 11 March 2008 - 03:20 AM

You just posted this same article on CastleCops today and you are a new member there as well as here... It is not clear if you have any credentials anywhere for the information you wish people to look at and "blogspot" is the source of a number of recent scams and infections... I am going to disable those links and I suggest you do not repair them if you wish to remain a member here...

I suggest other Members use extreme caution in taking any advice from this person until it is clear that his/her intentions are legit...



Prevention is better than cure...

I do appreciate your standpoint and agree completely to what has been quoted.

Also, Blogspot being a source of a lot of recent scams is true but its not the blogspot link that I wanted the users to go through... rather, it was my post in CastleCops that I wanted users to read. My personal blog is @ Blogspot, and there is nothing I can do about lol.

Yes @ CastleCops we are facing some issues, but Paul is take care of those keeping in mind that CC can be ever vigilant and proactive in its mission, as it has always been.

I wanted to upload the document here @ SpywareInfo, however, I saw that there was an upload restriction of 100 KB Eventually, I gave the link of my CC post.

With good intensions in heart... Hope people interested in knowing about Malware Analysis will get benefitted by this article...

Anyways, let my article speak the legitimacy of my intensions...

I suggest other Members use extreme caution in taking any advice from this person until it is clear that his/her intentions are legit...



Anyways... Kudos again to the mods here for warning users about the "possibility". Yes... He is absolutely true!!
.:: Malicious Brains ::.

There are no patches or service packs for ignorance![/color]




Member of UNITE
Support SpywareInfo Forum - click the button