Malware Analysis D.I.Y.

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm


Post by luntrus »

Hi forum friends,

Malware Analysis for Malware Fighters

1. Malware Analysis In Case You Have Encountered Malware.
2. Security Incident Response - Whenever your computer has been compromised you have to analyse this situation.
3. Why Not Focus On Prevention?
* You should, under all circumstances! It is a question of updating and patching the OS and third-party software.
Use Secunia PSI to keep track of this. Use anti-malware software and tools. Use normal user rights,
use in-browser protection - you can read about this extensively here in these forums.
So I am not going to go on extensively about NS, RP etc., but you all know how vital that is!
* And if you do not have that active... Nothing, however, is foolproof, so incidents occur...
* When such an incident occurs, one should have a responsible plan:
o Respond here quickly
o Be thorough to make the right decisions of how to handle the malicious incident.
4. Read the appropriate links.
5. Why Do Malware Analysis?
6. Malware is the number 1 thing! We all who come here agree on that, and we dislike it...
* Client-side attacks that install malware are the first and foremost external threat.
* It's not slowing down, it is increasing rapidly, and malcreants adapt:
7. Malware Trends should be studied to know what you are up against.
8. Firewalls & Antivirus Have Lost in A Sense.
* Client-side attacks, via web browsing and e-mail, may go right through most firewall policies.
* Antivirus detection rates for current malware files are averaging 30-50% for main-stream av.
* If you’re not adapting to new methods, you certainly have lost.
9. Malware is Adapting Quickly
* Take away Local Admin?
o Malware that persists in non-admin accounts via the HKCU Registry hive
* Whitelist apps with Windows Firewall?
o Malware that hooks into browser plugin APIs
* Block IRC at the firewall?
o Malware that uses encrypted HTTP/HTTPS back-channels
* This list is growing - malcreants will use XML attacks soon..
10. "But we are just talking spyware, isn't it?"
No: malware is behind cybercrime spam and DDoS, tries to install rogue (fake AV) software,
tries to gain full remote desktop control through exploits of all sorts,
will search "Documents and Settings" for SSNs, credit cards and saved IE passwords,
records all screen text and input and reports it in near real time to servers in hacker territory..
11. Detection should be maximal; layered defense is a way to close the vulnerability gap.
12. Anatomy of a Drive-By Download: dropper, malware servers, more malware, JScript exploit. Study examples....

13. Log files one should analyse
* Firewall Logs
o Outbound SMTP from workstations (lots!)
o Outbound IRC connections
o Peer-to-peer file sharing traffic, better refrain from these activities....
o Sustained high-volume traffic from workstations
* Proxy / Web Filter Logs
o Monitor URLs ending in ".exe"
14. n.a.h.
15. IDS/IPS Alerts
* Most products attempt to detect post-infection traffic, such as IRC or Winny C&C channels
* EmergingThreats.net for Snort, huge list of trojan/malware signatures, all free
* If your IDS can, write some custom rules:
o Look for “.exe” downloads on ports where web filters won’t
o Win32 PE headers in HTTP traffic (renamed files)
o JavaScript obfuscation techniques - Should be flagged as a rule...
o Packers and Crypters should be analyzed (and frowned upon)
16. Snort Rules
o alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"LOCAL .exe file download on port other than 80"; flow:to_server,established; content:"GET"; depth:4; content:".exe"; nocase; classtype:misc-activity; sid:9000160; rev:1;)
o alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Obfuscated JavaScript document.write"; flow:from_server,established; content:"document.write"; nocase; pcre:"/document\.write\(\"\\[0-9][0-9]/i"; classtype:trojan-activity; sid:9000110; rev:1;)
o alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Obfuscated JavaScript unescape"; flow:from_server,established; content:"script>"; nocase; content:"unescape("; nocase; classtype:trojan-activity; sid:9000111; rev:2;)
o alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Obfuscated JavaScript eval"; flow:from_server,established; content:"script>"; nocase; content:"eval("; nocase; classtype:trojan-activity; sid:9000112; rev:2;)
# Note: unescape( and eval( also appear in plenty of legitimate scripts, so expect noise from sid 9000111 and 9000112; rate-limit them with a threshold or add pass rules for trusted sites.
17. Antivirus?! Yes, Antivirus! - We already know why and what we choose.
Always be vigilant...
* Many droppers will install multiple pieces of malware. Your antivirus might not detect all of them. Use additional scanning....
* When you see AV alerts from a machine, check the proxy logs for what else it could have downloaded.
18. Analysis
19. For Starters
* VirusTotal
o http://www.virustotal.com
* Norman Sandbox
o http://www.norman.com/microsites/nsic/Submit/en-us
* CWSandbox
o http://www.cwsandbox.org
20. Web-based analysis: webpage security analysis by Google, Jutakys Badd Stuff Detektor, Wepawet,
21. Detecting Packed Files
* Packers are used to obfuscate malware executables from antivirus scanners.
* PEiD
o http://www.peid.info/
* pefile
o http://code.google.com/p/pefile/
* Jim Clausing’s packerid.py
o http://handlers.dshield.org/jclausing/
22. Analyzing Binary Files
* Utilities perform deeper scans of executables to determine the likelihood that they are suspicious/malicious
* Mandiant Red Curtain
o http://www.mandiant.com/mrc
* Resource Hacker
o http://angusj.com/resourcehacker/
23. Some AV may flag tools as risk tools because they can be abused if not self-installed...
24. Behavioral Analysis
* Utilities analyze system activity while malware is running to identify suspicious or malicious behavior
* SysAnalyzer
o http://labs.idefense.com/software/malcode.php
* AMIR
o http://www.malwareinfo.org/Utilities/
25. Online resources for processes, CLSIDs etc.
26. Network Analysis
* Analyzing network traffic can identify the presence of malware based on the connections the machine is generating.
* SniffHit
o http://labs.idefense.com/software/malcode.php
* WireShark
o http://www.wireshark.org
* TCPView
o http://technet.microsoft.com/en-us/sysinternals/
27. Analyzing System Hooks
* Analyzing system startup/execution hooks can determine if malware/rootkits are present.
* OSAM Autorun Manager
o http://www.online-solutions.ru/en/osam_ ... anager.php
* StartupCPL
o http://www.mlin.net/StartupCPL.shtml
* HiJackThis! And StartupList
o http://www.merijn.org/programs.php
28. Special anti-malware tools like ComboScript etc.
29. Building Toolkits and writing special cleansing scripts to be used with tools...
30. Response Toolkit: CD
* You could use a thumb drive, but read-only media is helpful here.
* Trusted Shell
o Copy of Windows CMD.EXE on CD
* Behavioral Analysis: AMIR
* Network Analysis: TCPView
* Startup Analysis: OSAM, HiJackThis!
31. Analysis Toolkit: VM
* Use a VM tool that supports snapshots
* "Thwarting VM Detection" by Ed Skoudis
* Packer Analysis: PEiD, packerid.py
* Behavioral Analysis: SysAnalyzer
* Network Analysis: Wireshark on HOST
* Binary Analysis: Mandiant Red Curtain
32. Prevention & Recovery - not always feasible. Study manual removal instructions whenever available...
33. Prevention – High Risk Malware..
* Add malicious web sites and file names to your web content filter rules.
* Block malicious web site addresses with your firewall.
* If your AV/HIPS supports it, blacklist malicious file names and hashes as you find them.
34. Prevention: Local Admin?
* Restricting local admin access used to work well to prevent malware from persisting on a machine. Some won’t run at all.
* More and more malware can persist in user space via the HKCU Registry and the StartUp group.
* But recovery is still easier!
* Develop & test a procedure for renaming local user profiles in Windows to enable quick recovery from infection for non-admins.
* Save downtime costs by not re-imaging.
35. Finally: Best Practices
* Active monitoring all the time and always.
* Develop response procedures for malware incidents. Focus on response times.
* Contain potential incidents first, then analyze to determine impact.
Adapted and worked around largely from a text by Paul Melson.

luntrus
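An added example that is not part of luntrus's post or of Paul Melson's original text: the log checks from point 13 (outbound SMTP, IRC and peer-to-peer from workstations, sustained high volume, proxy URLs ending in ".exe") and the point-17 cross-check of a host's proxy history, run over constructed log lines. The log field layouts, the workstation subnet, the port lists and the thresholds are assumptions made for this example and will need adapting to your own firewall and proxy formats.

```python
# Added example, not code from the original post: the section-13 log checks
# (outbound SMTP/IRC/P2P from workstations, sustained volume, ".exe" URLs)
# run over constructed log lines. The field layouts, the workstation range,
# the port lists and the thresholds are assumptions for this example.
from collections import defaultdict
from ipaddress import ip_address, ip_network

WORKSTATIONS = ip_network("10.1.0.0/16")           # assumed workstation subnet
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # common IRC ports (assumed list)
P2P_PORTS = set(range(6881, 6890)) | {4662, 4672}  # BitTorrent, eDonkey (assumed list)
HIGH_VOLUME_BYTES = 50 * 1024 * 1024               # 50 MiB per source (assumed threshold)

# Constructed firewall log: time src_ip src_port dst_ip dst_port proto bytes
FIREWALL_LOG = """\
09:01:02 10.1.4.22 51044 203.0.113.10 25 tcp 1820
09:01:05 10.1.4.22 51045 203.0.113.11 25 tcp 1790
09:01:09 10.1.4.22 51046 203.0.113.12 25 tcp 1801
09:02:00 10.1.7.9 40210 198.51.100.5 6667 tcp 3300
09:02:10 10.1.9.3 43001 198.51.100.80 6881 tcp 900000
09:05:00 10.1.9.3 43002 198.51.100.81 443 tcp 60000000
09:06:00 10.1.2.2 33001 192.0.2.25 25 tcp 2000
"""

# Constructed proxy log (Squid-like): time src_ip status bytes method url
PROXY_LOG = """\
09:03:11 10.1.4.22 200 4810 GET http://example.com/index.html
09:03:12 10.1.4.22 200 212992 GET http://cdn.example.net/update/setup.exe
09:03:13 10.1.4.22 200 91234 GET http://cdn.example.net/img/photo.gif
09:03:20 10.1.7.9 200 45056 GET http://198.51.100.44/x/svchost.EXE?id=7
"""


def parse_firewall(text):
    """Turn the constructed firewall format into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        t, src, _sport, dst, dport, proto, nbytes = line.split()
        rows.append({"time": t, "src": ip_address(src), "dst": dst,
                     "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return rows


def triage_firewall(rows, smtp_threshold=3):
    """Return (kind, src, detail) alerts for workstation traffic.

    One SMTP connection is not news (a mail client), so SMTP only alerts once a
    source exceeds smtp_threshold connections; IRC and P2P alert per connection;
    bytes are summed per source over the whole window for the volume check.
    """
    alerts = []
    smtp = defaultdict(int)
    volume = defaultdict(int)
    for r in rows:
        if r["src"] not in WORKSTATIONS:
            continue
        volume[r["src"]] += r["bytes"]
        if r["dport"] == 25:
            smtp[r["src"]] += 1
        elif r["dport"] in IRC_PORTS:
            alerts.append(("outbound_irc", str(r["src"]), f"{r['dst']}:{r['dport']}"))
        elif r["dport"] in P2P_PORTS:
            alerts.append(("p2p", str(r["src"]), f"{r['dst']}:{r['dport']}"))
    for src, n in smtp.items():
        if n >= smtp_threshold:
            alerts.append(("outbound_smtp", str(src), f"{n} connections"))
    for src, total in volume.items():
        if total >= HIGH_VOLUME_BYTES:
            alerts.append(("high_volume", str(src), f"{total} bytes"))
    return alerts


def triage_proxy(text):
    """Flag URLs whose path ends in .exe (case-insensitive, query string ignored)."""
    alerts = []
    for line in text.splitlines():
        _t, src, _status, _nbytes, _method, url = line.split()
        path = url.split("?", 1)[0]
        if path.lower().endswith(".exe"):
            alerts.append(("exe_download", src, url))
    return alerts


def downloads_by(src, text):
    """Everything one host fetched: the proxy cross-check after an AV alert (point 17)."""
    return [line.split()[-1] for line in text.splitlines() if line.split()[1] == src]


if __name__ == "__main__":
    for alert in triage_firewall(parse_firewall(FIREWALL_LOG)) + triage_proxy(PROXY_LOG):
        print(*alert)
    print("10.1.4.22 fetched:", downloads_by("10.1.4.22", PROXY_LOG))
```

On the constructed data the workstation mailing three external MTAs trips the SMTP rule while the single SMTP connection from 10.1.2.2 does not, the IRC and BitTorrent ports alert on sight, and the 443 transfer only shows up through the volume sum, which is why the post lists volume as a separate check.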