Static Malware Analysis: From Basic to Advanced - Part 1
Malware analysis is the process of examining malware to determine its functionality, origin and impact. Malware analysts and threat researchers analyze and reverse engineer a sample in order to stop it from spreading further and to help create host-based or network-based signatures.
Host-based indicators or signatures are used to identify the malware on victim machines. These indicators do not rely only on file formats; they focus on what the malware does to the system, for example by monitoring system calls and checking whether the malware creates new binaries, downloads malicious code or adds registry keys. This helps in identifying the malware even if it changes form or deletes itself from the disk.
Network signatures are created by analyzing the network traffic originating from the malicious code once it has been confirmed as malicious. Network signatures created with the help of malware analysis result in a higher detection rate and fewer false positives.
Malware is analyzed in different phases, listed below. In this blog post I'm going to explain different ways of statically analyzing malware.
1.) Static Malware Analysis
2.) Dynamic Malware Analysis
3.) Memory Malware Analysis
Static malware analysis is a way of analyzing the malware at rest; in other words, it is enumerating the details of the malware without executing the sample. Basic static analysis lets you identify simple malware by scanning it with AV engines, performing a string search, scanning the import table, and looking at the system calls and network activity it references. This can also help in adding small network-based signatures.
In the case of sophisticated or new malware, we load the sample into a disassembler, which gives us the assembly instructions through which we can understand the behavior of the malware to some extent. Advanced static analysis requires knowledge of assembly instructions and Windows operating system concepts, which I will be sharing in the upcoming posts.
Different Types of Malware
During malware analysis we make an educated guess to identify the malware category. There are different categories based on what the malware does, its impact, its target, etc. Listed below are the different types of malware.
Backdoor: lets the attacker create a shell on the victim's system with privileged access, which gives the attacker access to the victim's machine.
Botnet: similar to a backdoor, but a botnet is a group of compromised devices that receive the same instructions from the attacker.
Downloader: malware that is used only to download other malicious code. It is often the first thing attackers use when they get access to a system.
Launcher: malware that is used to execute other malicious code in order to achieve stealth or greater privilege.
Rootkit: malicious code designed to hide the existence of other code. Rootkits are usually paired with other malware, such as a backdoor, allowing remote access to the attacker and making the code difficult for the victim to detect.
Trojan: a type of malware that is often disguised as legitimate software but stealthily performs malicious operations.
Scareware: malware designed to frighten an infected user into buying something. It usually has a user interface that makes it look like an antivirus or other security program. It informs users that there is malicious code on their system and that the only way to get rid of it is to buy its "software," when in reality the software it is selling does nothing more than remove the scareware.
Spam-sending malware: malware that infects a user's machine and then uses that machine to send spam. This malware generates income for attackers by allowing them to sell spam-sending services.
Worm or virus: malicious code that can copy itself and infect additional computers.
Different ways of Static Malware Analysis
1.) Identifying the file type
Identifying the file type helps identify the malware's target operating system. We will use documented file signatures (magic bytes), such as those Microsoft specifies for its formats, to identify the file type. Using the tool HxD we get the hex dump of the file; as you can see, the first few bytes give the file signature. For unknown signatures we can use a file-signature lookup website. For Microsoft Portable Executable (PE) files, such as .exe, .dll, .drv and .sys, the hex dump starts with 4D 5A, i.e. 'MZ'. Given below is a hex dump of a PE file as shown by the HxD tool.
Here is another screenshot of a hex dump showing the signature of an MSI installer file.
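To make the hex-dump check concrete, here is an added Python example (not code from the original post) that classifies a file by the same signatures: the OLE compound-file header that MSI installers use, the MZ stub, and the PE signature that the DOS header's e_lfanew field points to, which is the follow-up step a hex-dump viewer leaves to the reader. The inputs are constructed in code, not real binaries, and build_fake_pe exists only to produce them.

```python
import struct

# Well-known signatures (magic bytes) for the formats the post discusses.
MZ_MAGIC = b"MZ"                                 # DOS header at the start of every PE file
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file; MSI installers use this
PE_SIGNATURE = b"PE\0\0"
MACHINE_I386, MACHINE_AMD64 = 0x014C, 0x8664     # COFF Machine values for x86 and x64

def identify_file_type(data: bytes) -> str:
    """Classify a blob by its leading bytes, the same check done by eye in a hex dump."""
    if data.startswith(OLE_MAGIC):
        return "OLE compound file (MSI/Office)"
    if not data.startswith(MZ_MAGIC):
        return "unknown"
    if len(data) < 0x40:
        return "MZ (truncated header)"
    # e_lfanew at offset 0x3C points to the PE signature; validate it before trusting it.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "MZ (DOS executable or damaged PE)"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    arch = {MACHINE_I386: "x86", MACHINE_AMD64: "x64"}.get(machine, hex(machine))
    return f"PE ({arch})"

def build_fake_pe(machine: int) -> bytes:
    """Constructed sample: MZ header + PE signature + COFF header (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew = right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + PE_SIGNATURE + coff

if __name__ == "__main__":
    print(identify_file_type(build_fake_pe(MACHINE_I386)))  # PE (x86)
    print(identify_file_type(OLE_MAGIC + b"\0" * 8))          # OLE compound file (MSI/Office)
    print(identify_file_type(b"MZ" + b"\0" * 0x40))           # MZ (DOS executable or damaged PE)
```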
2.) Fingerprinting the malware
Though malware keeps changing form, a file's hash (its SHA digest) serves as its fingerprint: we can use the hash to query for known malware across different AVs using VirusTotal, share it with other analysts, etc. You can use the HashMyFiles tool to compute the SHA hashes of multiple files; the certutil command, usable from PowerShell, can also compute file hashes.
VirusTotal is a popular web-based malware scanning service that lets you upload a file and scans it against multiple antivirus engines to check whether it is flagged as malicious or is already known malware. You can either use the website or download pestudio, which in turn uses VirusTotal to scan the file.
3.) Extracting strings
Strings are printable ASCII and Unicode sequences of characters embedded within a file. Extracting strings can give clues about the program's functionality and indicators associated with a suspect binary. Hard-coded strings such as IP addresses, file paths, URLs, attack commands and registry keys can be useful for finding out information about the malware. You can use the strings utility to extract the strings from a file.
Malware often uses simple string obfuscation techniques to avoid detection, and the obfuscated strings are then difficult to read. FireEye Labs Obfuscated String Solver (FLOSS) is a tool designed to identify and extract obfuscated strings from malware automatically. It can help you determine the strings that malware authors want to hide from string extraction tools. FLOSS can also be used just like the strings utility to extract human-readable strings (ASCII and Unicode).
$ floss malware.bin
FLOSS static ASCII strings
!This program cannot be run in DOS mode.
_YY
RichYY
MdfQ
.text
`.rdata
[..snip...]

FLOSS static UTF-16 strings
,%d

FLOSS decoded 4 strings
WinSta0\Default
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
ProxyEnable
ProxyServer

FLOSS extracted 81 stack strings
WinSta0\Default
'%s' executed.
ERR '%s' error[%d].
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
[..snip...]
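As an added example (not part of the original post, and not FLOSS's own code or algorithm), the following Python does in miniature what the strings section and the FLOSS section describe: it pulls ASCII and UTF-16 strings out of a buffer, then tries every single-byte XOR key to surface a string hidden by that simple obfuscation. The sample buffer, including the XOR-hidden registry path, is constructed in the code; nothing here is read from a real sample.

```python
import re

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)  # printable char + NUL pairs

def extract_strings(data: bytes):
    """Return (ascii_strings, utf16_strings): the two classes FLOSS reports as 'static' strings."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    utf16_strs = [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return ascii_strs, utf16_strs

def find_xor_obfuscated(data: bytes, needle: bytes):
    """Try every single-byte XOR key; return (key, ASCII strings containing needle) for the
    first key that reveals it, or None. A toy version of the decoding FLOSS automates."""
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        if needle in decoded:
            hits = [s for s in extract_strings(decoded)[0] if needle.decode() in s]
            return key, hits
    return None

# Constructed sample buffer (not a real malware file): PE-style plaintext, one UTF-16 string,
# and a registry path hidden with single-byte XOR (key 0x5A), NUL-terminated before encoding.
PLAIN = b"\x00\x01!This program cannot be run in DOS mode.\x00\x00.text\x00\x00"
WIDE = "ProxyServer".encode("utf-16le")
SECRET = b"\x00Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\x00"
HIDDEN = bytes(b ^ 0x5A for b in SECRET)
SAMPLE = PLAIN + b"\xff\xfe" + WIDE + b"\x00\x00" + HIDDEN + b"\x90\x90"

if __name__ == "__main__":
    ascii_strs, wide_strs = extract_strings(SAMPLE)
    print("ASCII:", ascii_strs)    # plain strings only; the hidden path is not among them
    print("UTF-16:", wide_strs)    # ['ProxyServer']
    print("XOR:", find_xor_obfuscated(SAMPLE, b"Microsoft"))  # key 90 (0x5A) and the decoded path
```

Run without arguments it prints the plain strings, then the key and the registry path that only appear after the XOR pass, mirroring the "static" versus "decoded" split in the FLOSS output above.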
4.) Packed and Obfuscated malware
Malware authors often obfuscate malware with the help of packers and cryptors to make it more difficult to analyze or detect.
A Packer is a program that takes the executable as input, and it uses compression to obfuscate the executable's content. This obfuscated content is then stored within the structure of a new executable file; the result is a new executable file (packed program) with obfuscated content on the disk. Upon execution of the packed program, it executes a decompression routine, which extracts the original binary in memory during runtime and triggers the execution.
A Cryptor is similar to a Packer, but instead of using compression, it uses encryption to obfuscate the executable's content, and the encrypted content is stored in the new executable file. Upon execution of the encrypted program, it runs a decryption routine to extract the original binary in the memory and then triggers the execution.
The run_me.exe sample was run through the popular packer UPX, which produced a new packed executable file (run_me_packed.exe). The following command output shows the size discrepancy between the original and the packed binary.
Now let us run FLOSS on the packed binary to look for obfuscated strings and see the output.
$ floss32.exe run_me_packed.exe
FLOSS decoded 0 strings
FLOSS extracted 0 stackstrings
Finished execution after 18.562000 seconds
We can use the PEiD tool to detect packers. As you can see, this tool identified the packer used to obfuscate the run_me.exe binary.
When a binary is packed, you have to unpack it before you can analyze the malware. I will explain in detail how to unpack malware that is packed with packers other than UPX.
The next blog post will cover the Portable Executable file structure, linked libraries and functions, and tools to analyze statically and dynamically linked libraries.
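An added Python example (not from the post, and not how PEiD works internally, which matches signature databases) of two cheap packing heuristics an analyst can script: the UPX default section names and per-section Shannon entropy, both read from the PE section table. The PE inputs are built in code as test fixtures; build_fake_pe, the section-name set and the 7.0 entropy threshold are assumptions of this example, not facts from the post.

```python
import math, struct
from collections import Counter

PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # assumption: UPX's default section names

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; compressed or encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(data: bytes):
    """Yield (name, raw_bytes) from the PE section table (minimal validation only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                  # section table follows the optional header
    for i in range(nsec):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0"), data[raw_ptr:raw_ptr + raw_size]

def packing_indicators(data: bytes) -> list:
    """Reasons to suspect packing: known packer section names and high-entropy sections."""
    reasons = []
    for name, raw in pe_sections(data):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name.decode('latin-1')}: known packer section name")
        ent = shannon_entropy(raw)
        if raw and ent > 7.0:                          # threshold is a common rule of thumb
            reasons.append(f"section {name.decode('latin-1')}: entropy {ent:.2f} bits/byte")
    return reasons

def build_fake_pe(sections) -> bytes:
    """Constructed test input: MZ stub, PE signature, COFF header, section table, raw data (not loadable)."""
    hdr_len = 0x40 + 24 + 40 * len(sections)           # SizeOfOptionalHeader left at 0 for brevity
    blob = bytearray(hdr_len)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)           # e_lfanew
    blob[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", blob, 0x44, 0x14C, len(sections))   # Machine = x86, NumberOfSections
    raw_ptr, body = hdr_len, b""
    for i, (name, raw) in enumerate(sections):
        pos = 0x40 + 24 + 40 * i
        blob[pos:pos + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", blob, pos + 8, len(raw), 0x1000 * (i + 1), len(raw), raw_ptr)
        raw_ptr, body = raw_ptr + len(raw), body + raw
    return bytes(blob) + body
```

A uniform byte distribution stands in for compressed data in the packed fixture; on a real UPX output you would see the UPX0/UPX1 names together with an entropy near 8 for the section holding the compressed image.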