Dynamic malware analysis Part II

Here we are again, after talking in short about Buster Sandox Analyzer. I will not bore you with details about installing Sandobxie or , because they did a great job of covering that on their own website.

I've promised you that we will talk about Virut in this second tutorial. Win32.Virut.C is a dangerous malware, very complicated, but since it's no 0day (actually it was detected back in 2007), there are a lot of good papers about it. 

A basic introduction of the malware you can find here, and a few technical papers that I'd recommend for reading are: Review of the Virus.Win32.Virut.ce Malware Sample written by Vyacheslav Zakorzhevsky from Kaspersky Lab, Virut Encryption Analysis written by the guys from SecureWorks and Under the Hood: Virut written from the guys at TeamFurry.

[Please, take your time to study the analysis of the malware. At least read the basic introduction, because without it, this article with make no sense whatsoever.]

So back to the practical part of this article. If you get a sample of Virut, you'll see that analyzing it in it's form is in vain. What's your next step? Try loading it in a sandbox. We'll try it one by one, and I'll post the results:

CWSandbox

Sandbox analysis: here

Things learned:

- created a C:\8884425.exe file; created a R30S mutex

Anubis

Sandbox analysis: here

Things learned: -

ThreatExpert

Sandbox analysis: here

Things learned:

- please read the report, it covers a lot of details

Comodo Instant Malware Analysis

Sandbox analysis: here

Things learned:

- please read the report, it covers a lot of details

EUREKA Malware Analysis

Sandbox analysis: here

Things learned:

- it tried to unpack the .exe file; provided string and dns of "unpacked" .exe; created an unpacked .asm
[i can't confirm if this output was based on previous analysis, or run-time analysis]

Norman Sandbox

Sandbox analysis: here

Things learned:

- anti debug/emulation code present; mutex, section, modify memory, modify OS kernel function

Let's try the same thing now, except that only this time we use BSA.

Buster Sandbox Analysis
Sandbox analysis: here
Things learned:
- process created, service opened, mutex created, registry keys opened, registry keys modified, privilege escalation
[it totally missed the NtCreateFile and alike functions, and also the port connections].


Conclusions

We can observe that the job of a malware researcher is not easy. PandaLabs reports that it had 22,000 new malware samples to analyze per day in 2008, so if you do the math , you can easily see that the researcher has around few seconds to spend per malware analysis. This is an ongoing battle.
Dinamic analyzing a malware is not easy. There's no one tool available for the public that can tell you all the possible threats that a malware posses.
It's almost impossible for a malware researcher to do the static analysis on the blind (meaning without a basic dynamic analysis up front). It's hard to get right away into the code and have no idea for what to look into.
An old malware like Virut (dated from 2007) is still a problem for the public sandboxes  and we need better tools available for the public, in order to do a better malware research.
Buster Sandbox Analysis gives us overall good results. If we filter the noise and explore the real things that happen, we obtain a good result. Also a plus, is the fact that we have control, and it's offline.
I want to finish this article by asking a question on the AV companies: How do you expect to educate great people regarding malware defense, with so poor quality public sandboxes?

PS: I want to thank Costin Raiu for providing me the Win32.Virut.Ce sample. It helped me a lot!


One final note: feedback is always welcomed, please post your opinions/questions in the comment section.

Dynamic malware analysis Part I

     I was always fascinated by the computer security industry. Smart people on both sides (good/bad) of the baricade, a lot of dreams, ambition and everything i could ever wish.  The best part of it it's the dinamic in this field: if there's a 0-day detected now, in half a minute it's on twitter and after half a day it's already old news.

     I myself strongly believe that a real security guy is one that deals with data and application security, not host or network security (I don't try to be a troll or disrespect Jeremiah's  Grossman/RSnake's/all the talented people's work, but this is my oppinion).

     When faced with the threat of a malware, the course of action is somehow simple:

     1. Identify the malware that infected your system.

     2. Remove the malware(s), backdoor(s) and all the holes in your system.

     3. Asses the damage that has been done and patch your system to avoid further infections.

     I could go into specifics here, to tell you how exactly to do every big step that i've written, but i think that there are a lot of papers that do this already(if you really want and need, i could go into specifics as a future post).

     Learning what a malware does by yourself, that's a whole nother problem. It's just like in real time: there's one thing to see a house design that you like and copy it, and another thing to design your own house from scratch by yourself.

     What do i mean with that example? It's easy to get rid of the malware by using the proper application (or even installing the right antivirus), but it's very hard to try to figure by yourself what that malware does, and how. What are the challenges? Well, let's see:

     1. Get a sample of the malware.

     2. Perform a dynamic and static analysis on the malware, so that you have an ideea what does the malware do.

     If stage (1 & 2 == proper) then "document the analysis" && "write a tool"

else "read from  people smarter than you" && "learn harder" && "repeate stage 1 and 2"

     Modern malware make researchers face many problems, like: advanced obfuscation, anti-debugging, anti-dumping, EPO (Entry Point Obfuscation), resource encryption, virtual machine detection, anti-patching, metamorphism, memory protection, and these are only a few. Running your malware through OllyDbg or attaching it to ImmunityDbg doesn't cut it anymore.

     So let's say you find a malware sample. You create yourself a virtual lab (for obvious reasons). You to dissasemble the malware with IDA, but it get's you nowhere. What do you do? Or better yet, what can you do? Dynamic malware analysis is the answer.

     I've tried a quite large number of sandboxes. Starting with CWSandbox, Anubis, ThreatExpert, Norman Sandbox Analyzer, Zero Wine, Comodo Instant Malware Analysis, EUREKA Malware Analysis and many more. Some do good, others do not so good, but i think i've found a solution that works for me (of course that an antivirus has it's own tools, produced in-house, but you almost never have access to those tools).

     I've once heard of a sandbox called Sandboxie, and i felt in love with the general concept. I thought to myself: what if I could implement this sandbox in order to study malware? For a few minutes i thought: what if i hijack all the API calls that are made and just list them? This would be awesome from a malware researcher POV. 

     And then I totally forgot about it. And good that i did. After spending some time to research, I've found the amazing Buster Sandbox Analyzer (BSA). It integrates everything that I've thought about, even much more.

     Part II will be about a general introduction about Buster Sandbox Analyzer and performing a dynamic malware analysis on Virut as a case study.