Wednesday, October 16, 2013

Dissecting Malware – Static Analysis of Malware

This article will be showing you how doing static malware analysis. Which are the processes involved within a static analysis. Static malware analysis is the first essential step taken by the malware analysts or reverse engineers working under forensics department.

Static Malware Analysis
Best and childish way to analyze malware is to scan it with multiple antivirus services. There are ton of antivirus available in the world, so your malware will surely be identified by at least any of them from the world. What exactly antivirus does that, they have the thousands of malicious file signatures and patterns within themselves. So they scan malware and if the file pattern gets matched with their database, it gets detected.


Scan Malware in Antivirus
One major problem with this technique is a modification of malware. Crackers/Hackers write malware code or modify the malware code in such a way that it will evade the antivirus. However, if one malware evades one antivirus then it is not really necessary that it will also evade all other antivirus. It will be getting detected by any of other antivirus from the world. It very rarely happens it has an ability to evade world’s all antivirus. That is why it is said that it is always useful to scan with more than one antivirus. There are few websites which have a large collection of antivirus with their latest virus definitions. One must scan their suspicious file with these kind of website. I recently downloaded one malware from any forum and I am going to scan this in this website. Before I scan that malware I would like to give the sources like virustotal.com

* www.virustotal.com
* virusscan.jotti.org
* www.virscan.org
Now lets scan our malware with virustotal website.
 Website’s Result is as follows:
    Virustotal Result:

Out of 48 antivirus (with its latest definitions) , virus total service has detected the malware in 7 antivirus. Here is the list of all that antivirus which detected the malware and showing the type of malware.

Most of the antivirus says that it is a trojan which infects other computer by allowing remote execution. Virustotal doesn’t give only these basic information. It also provides the metadata involved within the executable file. For that virustotal uses “ExifTool”. ExifTool is a 3rd party software which fetches the metadata from the executable.

It also revels the PEtype along with code size, file type and the exact date and time of creation. So it's very useful for the forensic analyst to gather all this information.

Virustotal file identification also reveals whether there has been any submission of these files before or not. Lets suppose if someone transfer you this malware by changing names and metadata, so by analyzing signatures, hashes values virustotal gives you the identification information of your executable. So here I came to know the original name of this “master malware.exe”  is “RC server.exe”.

Hashing
Another effective method is to check the hash value. Now hashing is also called as ‘message digest’. The value of hash is generated from the string of text within it. The value of a hash is  produced by the formula. That is the reason that having the same hash for any 2 substance is very rare (almost impossible). (What is hashing? - A Word Definition From the Webopedia Computer Dictionary)

 As we can see here we have got the hash value which is as below:
     2bd10332ae061482d5d505314a97b40c
Now I copied this hash value and searched in google. So google showed me the result as follows:
 It is the same result that we scanned our file in virustotal.com website. So it is clear that if we don’t scan it, we pass the hash value to google and we may able to get information of the malware that we analyzing. It also works same in SHA1 value. The steps are easy, scan SHA1 value by any show analysis tool, grab the hash value pass it to the google and see the results.

Analysis of Strings
This is really very important steps for any forensics investigator & reverse engineer who is dissecting the malware. This has no rocket science String analysis is nothing but you analyze the sequence of all those characters which is written with code. It may contain print messages, URLs, comments. This may reveal information about the website, mawlare’s functionality, author name/nickname and other information.

So with many of garbage collection of random strings I have found some interesting stuffs. These are the URL links which have some sort of coding. So Our assumption says that this malware does something with volume (by analyzing 1st Screenshot), does something with screensaver tool (by analyzing 2nd screenshot) and so on. These are the 4 results I showed here. Like these there are other PHP files which I have found. I am writing the names of those files.

RC\www\emptybin.php
RC\www\exitwin.php
RC\www\force60.php
RC\www\hibernate.php
RC\www\hideall.php
RC\www\hidedesktop.php
RC\www\lock.php
RC\www\logoff.php
RC\www\message.php
RC\www\minimize.php
RC\www\monitor.php
RC\www\monitor2.php
RC\www\mouseright.php
RC\www\mute.php
RC\www\numlock.php
RC\www\opencd.php
RC\www\poweroff.php
RC\www\question.php
RC\www\question1.php
RC\www\reboot.php
RC\www\resize.php
RC\www\restartexplorer.p
RC\www\screensaver.php
RC\www\screensavertimeout.php
RC\www\screenshot.php
RC\www\showall.php
RC\www\showdesktop.php
RC\www\speak.php
RC\www\speak1.php
RC\www\speakfile.php
RC\www\standby.php
RC\www\stdbeep.php
RC\www\stopscreenshot.ph
RC\www\transparent.php
RC\www\transparent2.php
RC\www\trayballoon.php
RC\www\trayballoon2.php
RC\www\trayballoon3.php
RC\www\trayballoon4.php


Now only the filename but string has also managed to revel the code malware or malware’s any component. It also revels the messages to be printed. This information may reveal the user’s desktop/laptop software configuration. It can tell us which system, browser, coding software he/she is using and what is the version of that. It may also revel the time stamp of this work.

String tool is created by Microsoft. It uses broad character string to search strings which are generally stored in ASCII or Unicode format. The only difference in both is ASCII uses 1 byte per character where Unicode uses 2 bytes per character. A basic example of the ASCII representation of the virus is as follows:
                       
As you can see that this ASCII string is stored as byte 0x31 for V, 0x32 for me and so on upto 0x35 for the letter S. Here 0x00 is a null pointer.
                        
This picture shows the letters stored as Unicode. So the first 2 bytes which are 0x31 & 0x32 are occupied for only one letter which is L. So so, on U also occupies 2 bytes and null pointer also occupies 2 bytes. It may possible that many times the string which we get as a result of our scan, is not an actual string. It can be a memory location, or CPU instruction or anything else. As shown in below picture we can ignore first few lines upto certain strings until we get our actual string. 

Now we found the string I simply copy pasted it in google and I found that google has no result of this. Now there can be 2 possibilities here.

1. If this exe file can be a packer in which there are different files which are responsible for executing this malware.
2. There are PHP files on the internet but they are behind some kind of authentication so google can not directly list it in google’s index, this is probably known as “Deep Web”.

So lets just wait and let us carry forward our analysis and we will see if we can find any perfect source or solution to find out this or not.

Checking Malware for Packing Mechanism (Packers)
Crackers many times uses packing mechanism which is also known as obfuscation. The primary reason for doing this is to generate more difficulties in the analysis of that malware by reverse engineers. Generally obfuscated programs hide their execution and packed programs are within the obfuscated programs.
Generally these kind of programs contains mainly 2 functions such as GetProcAddress  &  LoadLibrary. These functionalities are mainly responsible for execution of the program by using outsider or insider sources.
The best way to detect packers is PEiD program. It analyzes that which kind of packer is used in building  applications. Here I am opening my malware in PEiD tool here is the result.

As soon as I came to know that this malware is packed in RAR file which is denoted as exe. So opened that malware in winrar and It actually got opened. Now I can see some files in that. Here is the image of that.

Here as soon as I opened www folder, I see all those files which were listed in string result. Here is the screenshot of that.

See here you can compare this list with our string result. Thus how we can conclude that, this exe file uses the RAR packer to execute all these files inside it.

It is always a good practice that you unpack a program after detecting a packet which is used in it. However it is not always easy though. Here as we got RAR packer so we can simply open it into a rar file and we can extract the contents of it for our further analysis.  Sometimes there can be a packer of which you are not aware though. In that case you need to find an editor to open that file. I found that type of difficulty too in this malware. With this listing of all PHP scripts, I found server.exe file here in the list. So I extracted it and opened it into PEiD and it was showing no packer for that. Once I got an executable and opened in PEid and it showed me “Borland Delphi 6.0 - 7.0 [Overlay]”. Now this is completely new for me. I have to download this software to run that file.

One more thing that all has to keep in mind is “PE file format”. That is known as portable executable file format. That is generally used by executables lying in windows and other DLL files. It is responsible for wrap program execution. It is nothing but a pre program execution which loads libraries and outsider functions to be used in current programs. Malware analyst must check and consider PE header values, because it can be a primary source of information gathering about malware behavior. Here is the malware’s header information.

Source Functions & Libraries
If we are able to find out the source libraries and other functions which are going to be used in the execution of malware, then it will probably the best method for malware behavior analysis. These types of functions and libraries are stored at different places and they are linked with the original program. The link/connection between the original program and those libraries have 3 categories such as:

1. Static Linking
2. Dynamic Linking
3. Runtime Linking

Static linking is very ofetnly used where runtime linking and dynamic linking are widely used. I won't go in depth of this linking as the functionality of this link can be clearly analyzed by their name itself only.


There is a really good tool for malware analyst which is known as “Dependency Walker”. Generally this program links all library functions in the executable. Here I have imported my malware in this program and it shows that in a process of execution of this malware, it imports 9 DLL files listed in below pic.

These are the dlls then if you want to check which are the functions imported within each one you need to just simply click on dll. So here I have clicked on USER32.DLL and in right panel it shows the imported functions within it.


Not only the function details but even more you can get all these DLL details on this website. It is of Microsoft and its very useful. Thus how you can analyze the behavior of any static malware.

Analyzing PE Headers
As we mentioned earlier PE headers are the most important thing to analyze. There are some common extensions in PE header which we need to take in consider. Here I am giving you general information on all those extensions.

1. .reloc – It holds the information about current PE.
2. .text – It has an executable code written in that.
3. .rsrc – It saves the resources which are required by the malware execution.
4. .rdata – It only contains read only data. Generally these data are frequently called during the program.
5. .pdata – It only stores exception handling mechanism information.
6. . data – Stored data only which are stored globally.
7. . edata – Stores only export function information.
8. .idata – Stores only import function information.
Herein I have imported malware into PEview tool and I have got these results of the extension.

So this is also an essential method for information gathering of any malware.

How can we forget Resource Hacker tool?
Resource HackerTM is a freeware utility to view, modify, rename, add, delete and extract resources in 32bit & 64bit Windows executables and resource files (*. res). It incorporates an internal resource script compiler and decompiler and works on all (Win95 - Win7) Windows operating systems. In the above section we have defined .rsrc extension. We can use this tool for finding resources of the malware. As soon as you open your malware in resource hacker tool, it will show you strings, icons, dialog boxes and much more.  (Resource Hacker)

Here is the resource hacker tool result.

You open any executable from the world in this tool, it will give you result in such identical form. Like PE headers there are some sections in this tool which will always be common for any executable which you open in this.

1. Strings are generally stored in the string table.
2. Icon section stores the image which is used for ICON purpose.
3. Version info sections usually store data for a vendor, date and all other vendor information.
==> Generally this version info data you won't be able to see in  malware analysis because there is no stupid malware author who will write his/her company name and all other information within it.
4. File, Edit, View, these kind of menus are listed under menu section.
5. All the dialogue box which will be shown at client side, is listed under Dialougbox Section.

Summary
So as you have seen that with the use of these tools one can perform whole static malware analysis. This is the first important step has to be carried away by malware analysts. However dynamic, runtime malware analysis is also needed. One should not forget to do that in order to gain more information about malware and its author.

Bibliography
  1. (n.d.). Retrieved from https://www.virustotal.com/
  2. ExifTool GUI. (2009, Dec 27). Retrieved from http://freeweb.siol.net/hrastni3/foto/exif/exiftoolgui.htmdddddd
  3. Dependency Walker (depends.exe) Home Page. (2013, August 20). Retrieved from Dependency Walker (depends.exe) Home Page: http://www.dependencywalker.com/
  4. DestroyWindow function (Windows). (2013, 08 26). Retrieved from MSDN – the Microsoft Developer Network: http://msdn.microsoft.com/en-us/library/windows/desktop/ms632682%28v=vs.85%29.aspx
  5. Barak, B. (2003, December 30). Can We Obfuscate Programs? Retrieved from http://www.cs.princeton.edu/~boaz/Papers/obf_informal.html
  6. Distler, D. (2007). Malware Analysis: An Introduction. SANS Institute InfoSec Reading Room.
  7. PEid - Aldied . (n.d.). Retrieved from Aldied: http://www.aldeid.com/wiki/PEiD
  8. Resource Hacker. (n.d.). Retrieved from Angus Johnson's Homepage: http://www.angusj.com/resourcehacker/
  9. Russinovich, M. (2013, June 20). TN Strings. Retrieved from Resources and Tools for IT Professionals | TechNet: http://technet.microsoft.com/en-us/sysinternals/bb897439
  10. VirusTotal - Free Online Virus, Malware and URL Scanner. (n.d.). Retrieved from VirusTotal: www.virustotal.com
  11. What is hashing? - A Word Definition From the Webopedia Computer Dictionary. (n.d.). Retrieved from Webopedia: Online Computer Dictionary for Computer and Internet Terms and Definitions: http://www.webopedia.com/TERM/H/hashing.html