Basic Malware Analysis
Albert Hui, GCFA, CISA
albert.hui@gmail.com

Goals
- Present tools and techniques for preliminary malware analysis
- Introduce the model and mindset for beginning reverse engineering
- Does NOT cover intermediate/advanced techniques such as hooking, DLL attachment, code injection, detour patching, DKOM, ring-0 debugging, entropy analysis and so on
Copyright © 2007 Albert Hui

Terminology
- Malware – malicious software
- Virus – infects a host program to reproduce
- Worm – self-replicating program (e.g. NIMDA, Code Red, SQL Slammer, MyDoom)
- Trojan – malicious program disguised as harmless; 木馬 (China usage) != trojan, but == backdoor
- Backdoor – remote control software
- Rootkit – covers up a backdoor and forensic evidence (e.g. Sony XCP rootkit)
- Spyware – calls home

Black-Box Examination
- Snapshot Observation
- Behavioral Tracing
- Sandboxing

Snapshot Observation
Includes static analysis (executable image examination, program code disassembly, filesystem forensics, memory dump, running states, etc.)
Pros:
- Gathers a consistent big picture
- Some information is only uncovered by static analysis
Cons:
- Can lose sight of small/transient changes
- Difficult to cover every avenue

Snapshot Observation Tools (runtime)
- Process/Thread: Process Explorer
- Windows Objects: WinObj, OpenedFilesView

Snapshot Observation Tools (static)
- Executable: XN Resource Editor
- File: hexplorer, FileAlyzer

Snapshot Observation Tools (executable)
- PEBrowse, Dependency Walker, PEiD
- Dumper: LordPE, Universal Extractor, RL!depacker
- Decompiler/Disassembler: IDA Pro, OllyDbg/OllyICE, JAD, Spices.Decompiler

Behavioral Tracing
Includes debugging, tracing, network traffic analysis, etc.
Pros:
- Detailed time-domain information
- Can drill down to the system call level
Cons:
- Can lose sight of the big picture
- Difficult to cover every avenue

Behavioral Tracing Tools
- Process/Thread/File/Registry Tracing: ProcMon
- Network Tracing: TCPView, TDImon, Wireshark
- Debugger: OllyDbg/OllyICE, SoftICE

Sandboxing
- Containment of execution in a protected environment
- One kind of virtualization; shares techniques with virtual machines, honeypots/tarpits, and forceful uninstallers
- Sandboxing can occur at various levels: network, application, OS, down to bare metal
Pros:
- Total coverage possible
- Local containment of harm
Cons:
- Difficult to discern incremental changes

Sandboxing Tools
- Machine Level: VMware
- OS Level: Altiris SVS, PowerShadow, ShadowUser
- Application Level: Sandboxie
- Network Level: Honeyd

Demo
1. Use FileAlyzer to determine the file type.
2. Rename to .exe, use Dependency Walker to determine functions.
3. Use PEiD to detect the signature – UPX packed.
4. Use Universal Extractor to unpack the file.
5. Use Dependency Walker to determine functions.
6. Use FileAlyzer to read embedded strings.
7. Detach the network, use Sandboxie to execute the file.
8. Use Wireshark and ProcMon, execute the file again.
9. Use OllyDbg to understand program flow – the program connects to a server on port 6667.
10. Set up our own IRC server, edit the hosts file on the guest to fool the malware into connecting to it.
11. Try out the commands found in the embedded strings.
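Steps 1, 3 and 6 of the demo (file type, UPX signature, embedded strings) as an added Python example that is not part of the original slides: a minimal PE section-table walker with the two UPX indicators packer signatures rest on, plus a printable-strings extractor, run over a constructed minimal PE image (not a real binary; the section names, sizes and strings are made up for the example).

```python
import re
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe():
    """Constructed minimal PE image for the example (not a real or runnable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 2 sections, no optional header (enough to walk the section table)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    raw_ptr = 0x200
    # UPX0 holds no file data but reserves the unpack area; UPX1 holds the packed blob
    upx0 = struct.pack(SECTION_FMT, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack(SECTION_FMT, b"UPX1", 0x1000, 0x11000, 0x200, raw_ptr, 0, 0, 0, 0, 0xE0000040)
    header = (dos + coff + upx0 + upx1).ljust(raw_ptr, b"\0")
    payload = b"\x8b\xc7\x00irc.example.invalid\x006667\x00NICK\x00JOIN\x00".ljust(0x200, b"\0")
    return header + payload

def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table (what PEBrowse shows)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return sections

def packer_indicators(sections):
    """Heuristics behind a PEiD-style UPX hit: UPX section names and a section empty on disk."""
    hits = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hits.append(f"{s['name']}: 0 bytes on disk but {s['vsize']:#x} bytes in memory")
    return hits

def embedded_strings(data, min_len=4):
    # Printable-ASCII runs, the same view FileAlyzer's strings tab gives
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
```

On a packed sample the strings view shows little beyond the section names; the server name and port only appear after unpacking (step 4), which is why the demo repeats the Dependency Walker and strings steps afterwards.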
Process-Based Malware
- e.g. BO2K, Sub7, Netbus, 冰河, 灰鴿子
- Technically equivalent to VNC, Remote Desktop, pcAnywhere etc.

Tricks of Process-Based Malware
- Melting – deletes the installer or deletes itself entirely from disk
- Sticky Process – multiple execution units reviving each other
- Sticky Image – reinstalls itself upon system shutdown
- Antidetection (免殺):
  - Polymorphism – packing/encryption or other superficial changes
  - Metamorphism – radically changing the code, includes 加花 (addition of fake signatures)

Stealthy Malware
The 2nd Generation

Processless (無進程) Malware
- Parasite Approach (exists only as threads): DLL attachment, CreateRemoteThread, code injection, detour patching
- Rootkit Approach (hides the process): hooking, DKOM

Vulnerabilities of Rootkits
- Communications can always be captured on external network links
- Always changes the OS:
  - compare observations with known-good states
  - compare observations from different approaches (e.g. Linux ls vs. opendir())

Rootkit Detection Tools
- Rootkit Detection: 冰刃 IceSword, DarkSpy, GMER

Conclusion
- First perform static analysis
- Then let the malware loose in a contained environment
- Drill down with expert knowledge to further fool the malware into doing more