Tuesday, May 22, 2012

Basic Information Gathering of Analysis on Malware (Part 1)


Basic Information Gathering of Analysis on Malware (Part 1)
--------------------------------------------------------------------
Malware (spyware,Rootkits,worms,trojans,virus etc.), a malicious software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

The first thing you do when your system is infected is scan with some antivirus softwares and anti malwares and so on , This tut shows how to analyse
it and bring out its functionality . This first thing we are doing here is info gathering of analysis of malware , its the first basic part to start with and go on advanced depending on the complexity of malware.

We have 2 types of Analysis Static and Dynamic.
Static :- Analyzing code or structure of program.
Dynamic:- Actually running the program to see wat its doing.

Note:
-----
This tut is not on advanced part of analyzing malware or disassembly . Hope if my study goes on learning advanced things will be first to post here... :)

note 2:
-------
first go through PE (portable executable) file format and structure. basically PE contains inofrmation necessary for windows os loader.
for analyzing we need actually to concentrate on PE file header which includes information about code ,type of application , required library functions and space requirements. And know about dll and its functions (import and export funstions).

Basic info Gathering of Static Analysis:
----------------------------------------

Now lets take a malware ... 

or create urself a trojan 

malware is uniquely identified by a hash.The malicious software is run through hashing program that produces hash which produces a hash that identifies a malware.

to fingerprint it we use a tool called md5deep there are other tools also.

usage: md5deep 123.exe (malware file name).



in the above screen shot u see a hash this hash can be used to search online to see if its already been identified.

Now here comes the problem u donno that the malware is packed or not.beacuse wen its packed , it becomes difficult to analysor detect it.
its normally packed with some kind of wrapper program . to identify or detect with wat packer that this malware has been packed we use tool called...

PEiD



from this we can know its packed with upx paker.

to unpack it there's program called upx (you will get it in sourceforge.net)
to unpack usage :  upx -d filename.exe


now its been unpacked.

now the next step goes like we ned to see that what kind of linked functions (loading dlls)its using. 

we have tool called dependency walker. now load the file on it (see below)


1.)here in right pane u can observe many dll's u its the dll's u imported
2.)imported functions
3.)when malware imports function by ordinal you can find which function is being imported by looking at ordinal value.
4.)additional info about the dll tat would be load if you run the program.

A common trojan or keylogger has interesting dll and fuctions will have like

Kernel32.dll: user32.dll  GDI32.dll,Shell32.dll,Advapi32.dll etc.
------------- -----------
(functions) Setwindowshookexw
CreateFilew Registerclassexw
findfirstfilew registerhotkey
findnextfilew setwindoetextw
etc .......... etc......

)Kernel32 tells us that software can create and manipulate process.here above findnextfile and firstfile functions
which are interesting as we can search through directories.

)User32.dll has function like setwindowhook is commonly used in spyware and keyloggers.
)GDI32 is for graphics related tat program probably has GUI 
)shell32 can lauch other programs
)Advapi32 uses the registry.


As we said that to take a look at PE headers 

We have sections in PE file like:
.text (contains executable code) , .rdata(holds read only data), .data(global data throughout) , .rsrc (resources needed by executable
.idata(stores important function information & if not present it will be in rdata) , .reloc (info. for relocation of library files) etc...

we have a tool called PEview (see below)


u can observe the machine info and time stamp when it wa compiled which is useful.
we can ingnore the DOS_Header and signature.
Image_Optinal_Header includes important information and has subsystem ,which shows there is console or GUI program.
Image_Section_Header also contains important info.These are used to describe each section in PE file.Sections cn be consistent
from exe to other exe files.



here u can observer on thing is the .data section is that
virtual size is much large than raw data size (u can ignore if there is small difference)
this alone will not tell its suspicious. it is likely unpacked.

{{Continued with Basic info gathering of Dynamic Analysis. sooon }}




7 comments:

Thanks for this great tutorial :)

very informative man salute to you

Dear Sudhir,
I'm impressed by the security information you post on the blog. I've been into Unix OS security for quite a while and would like to contact(either phone or email) you for seeking suggestions. If it's fine with you, please do let me know how do I get in touch with you.

Thank you.
Regards,
Nitin

This comment has been removed by a blog administrator.

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More