Understanding Malware Analysis

Questions and Answers

According to NIST, what is malware primarily intended to compromise?

  • Physical hardware of the victim's computer
  • The speed of internet connection
  • The aesthetic appearance of the user interface
  • Confidentiality, integrity, or availability of the victim's data, applications, or operating system (correct)

The term 'malware' can be used as both a singular and a plural noun.

True (A)

What is the main goal of malware analysis?

To determine its origin, functionality, and potential impact

________ analysis is essential for cybersecurity practices, such as Forensic Analysis and Incident Response (FAIR).

Malware

Which of the following is NOT a typical reason for performing malware analysis?

To improve the computer's processing speed (A)

Analyzing malware on production devices connected to production networks is a safe practice if proper antivirus software is installed.

False (B)

What is the purpose of a 'Testbed' in malware analysis?

To provide a secure environment for examining malware without risking the main network

Looking at a malware's code without executing the program to gain initial insights refers to ________ analysis.

Static

Match each analysis type with its main focus:

  • Preparing Testbed = Setting up a safe environment to examine malware
  • Static Analysis = Examining malware code without running it
  • Dynamic Analysis = Observing malware behavior in a controlled environment

Which of the following is not a step of preparing a testbed for malware analysis?

Installing anti-virus software on the host system (C)

Disabling 'shared folders' and 'guest isolation' helps prevent malware from accessing the host system.

True (A)

Why is generating the hash value of each OS and tool important when preparing a testbed?

For integrity checking; to ensure that the operating systems and tools have not been tampered with

During basic static analysis, you ______ the malware file; during advanced static analysis, you ______ the malware file.

don't run, don't run

Which type of malware analysis involves observing the behavior of malware on a system to identify its actions?

Basic Dynamic Analysis (B)

It is safe to ignore essential features during software analysis in order to understand every single detail.

False (B)

Why is handling malware specimens with extreme caution crucial in malware analysis?

Because malware has the potential to cause significant harm to systems

The first step in Basic Static Analysis is identifying the file ______ using the manual method.

type

Match the tool used for identifying file type using manual method with the operating system:

  • Hex Editor = Windows
  • xxd = Linux

You used a hex editor, and the output 4D 5A appeared at the start of the hex dump. What type of file did you most likely examine?

Windows Executable (B)

Antivirus tools are always perfect at identifying malware.

False (B)

What is one limitation of local antivirus scanning for identifying malware?

Malware authors can modify signatures to avoid detection; uncommon malware may not be present in databases

File ________ is described as the computing hash values for a given binary code.

Fingerprinting

What is primarily achieved by computing hash values for malware files?

Uniquely identifying malware and verifying if changes have been made. (C)

Changing a single bit in a file's binary code will not alter its hash value.

False (B)

What is the purpose of using online services such as VirusTotal in malware analysis?

To scan the file with a variety of different antivirus engines

Examining embedded strings within executable files can uncover program behavior and potential ________ intent.

malicious

Which action is NOT part of string analysis?

Replacing suspicious strings to neutralize the malware (D)

APIs is the only type of information you can get from strings.

False (B)

Identifying function imports can be helpful in understanding malware intent. Name three.

OpenProcess/CreateProcess - process management; ReadFile/WriteFile - steal/corrupt data; GetSystemDirectory etc. - techniques

Malware authors use ________ to conceal their malware's functionality.

obfuscation

What is the name of some tool(s) to detect most common packers, cryptors and compilers for PE files?

PEiD (D)

Once a file is packed, static analysis becomes easier because the malware is compressed.

False (B)

Other than PEiD, what other tools exist if a file is packed / obfuscated (for Windows)?

Exeinfo PE, DetectionID, RDG Packer Detector, CFF Explorer

Runtime Linking connects to library functions as ________ during the Program's execution.

needed

Static linking results in _______

Larger executable size (A)

WSock32.dll could indicate that this is probably a gaming distribution.

False (B)

Name at least two Common Windows DLLs.

Kernel32/Advapi32/User32/Gdi32/Ntdll

In looking at sections, some typical sections are .text, .rdata. Tell me another two?

.data and .bss

Which of these following is probably MOST suspicious (select 2)?

sleep (A), GetProcessWindowStation (C)

During analysis you want to remain alert about encoded data. Besides A]A_[ what is another nonsensical string often encoded?

UVWATAUAVAWH

________ analysis is a game of cat-and-mouse.

Malware

Flashcards

Malware Definition

Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data or compromise system integrity.

Malware Analysis

Analyzing malware to determine its origin, functionality, and potential impact.

Determine What Happened

Establish the sequence of events to determine what happened during an infection.

Determine Malicious Intent

Understand the motives behind the malware (e.g., data theft).

Identify Indicators of Compromise (IoCs)

Identify indicators that show evidence of an infection (e.g., suspicious files).

Determine Complexity Level

Assess how advanced an attacker is based on the malware's sophistication.

Identify Exploited Vulnerability

Discover security weaknesses leveraged to gain unauthorized access.

Identify Extent of Damage

Quantify the impact, such as data loss or financial damage.

Evaluate Harm from Intrusion

Assess overall harm and potential risks from the malware.

Distinguish Intrusion Source

Identify whether an attack comes from external entities or internal users.

Catch Perpetrator

Identifying and apprehending the source responsible for distributing the malware.

Find Signatures

Patterns/signatures to detect and prevent, based on behaviors, registry changes, and network traffic.

Pay attention to the essential features

Focus on the essential features instead of trying to understand every detail during software analysis.

Try Multiple Tools

Use various methods to analyze malware, as a single method is not enough.

Testbed

A testing environment on an isolated network to analyze malware samples.

Preparing Testbed

Setting up secure environment to examine the malware without risking the main network.

Static Analysis

Looking at the malware's code without actually running the program.

Dynamic Analysis

Running the malware in a controlled setting to observe its behavior.

Allocate a Physical System

Involves setting aside a dedicated system to analyze malware.

Install a Virtual Machine

A virtual machine creates an isolated environment that doesn't affect the host system.

Install Guest OS

The operating system installed inside the virtual machine; it is the environment in which the malware will be executed and analyzed.

Isolate from Network

Prevents the malware from communicating externally by setting the network interface card to communicate only with the host system.

Simulate Internet Services

Simulate network services for malware using tools like INetSim.

Disable Shared Folders

Prevent malware from accessing the host system or other virtual machines, containing any potential damage.

Install Malware Analysis Tools

Various tools are installed to analyze the behavior and characteristics of malware.

Generate Hash Value

Integrity checking by generating hash values of the operating systems and tools, ensuring they have not been tampered with.

Copy Malware to Guest OS

The core of the process: transferring the actual malware samples to the guest operating system for analysis.

Basic Static Analysis

Analyze characteristics of the file itself without analyzing behaviors.

Advanced Static Analysis

Reverse engineering by loading the executable into a disassembler and looking at the instructions.

Basic Dynamic Analysis

Running the malware and observing behavior to remove the infection and identify the threat.

Advanced Dynamic Analysis

Using a debugger to examine the internal state of a running malicious executable.

Manual File Type Identification

Examining the raw data of a file using a hex editor.

Local Antivirus Scan

A scan of the file with locally installed antivirus programs to identify the malware.

File Fingerprinting

Hash values are computed for a given binary code and used to uniquely identify it.

Online Malware Scanning

Scanning with a variety of different antivirus engines.

String Analysis

Uncover program behavior and intent by examining embedded strings.

Obfuscation

Methods to conceal the malware's functionality from reverse engineers.

Packers

Compress and encrypt the malware binary, changing the file's makeup.

Cryptors

Encrypt entire contents of the malware; hinder static analysis.

Study Notes

  • Malware is malicious code covertly inserted into other programs to destroy data, run destructive programs or compromise system integrity as defined by NIST SP 800-83.
  • Malware is both a singular and plural noun.
  • Malware analysis is reverse-engineering malware to determine its origin, functionality, and potential impact.
  • Malware analysis is an essential part of cybersecurity practices like Forensic Analysis and Incident Response (FAIR) and penetration testing.

Why Malware Analysis is Important

  • To determine the sequence of events leading to the malware infection.
  • To determine the purpose behind the malware.
  • To identify indicators of compromise like suspicious network traffic or files.
  • To assess the attacker's sophistication based on the malware's complexity.
  • To discover exploited security weaknesses that were leveraged to gain unauthorized access.
  • To quantify the data loss, financial cost, or reputational damage impact.
  • To assess the overall damage and potential future risks posed by the malware.
  • To identify whether the attack came from an external entity or an insider with authorized access.
  • To identify and apprehend the source of the malware.
  • To develop patterns or signatures to detect and prevent future infections for intrusion detection systems.

Host-Based Signatures (or Indicators)

  • Focus on what the malware does to a system.
  • Based on behaviors, not the malware's characteristics itself.
  • Involve files created or modified and changes to registry.

Network-Based Signatures

  • Monitoring network traffic.
  • Signatures can be created even without static malware analysis.
  • Using static malware analysis makes network-based signatures more effective.

General Analysis Guidelines

  • During software analysis, focus on essential features instead of every detail.
  • Use different tools and approaches for analysis because a single method may not be sufficient.
  • Malware analysis is similar to a cat-and-mouse game.

Main Objective

  • To figure out how malware works.

Book Reference

  • "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" by Michael Sikorski and Andrew Honig is available in the RIT online Library.

Malware Analysis Procedure Steps

  • Preparing Testbed: set up a safe environment to study malware without affecting the main network.
  • Static Analysis: examine the malware's code without running it to gain initial insights.
  • Dynamic Analysis: run the malware in a controlled environment to observe its behavior.

Preparing a Testbed

  • Allocate a dedicated computer for analyzing malware, so that any harm does not affect other systems.
  • Install a Virtual Machine to create an isolated environment where malware can run without affecting the host.
  • Install a guest OS in the Virtual Machine, because it is the environment in which the malware will be executed and analyzed.
  • Ensure the NIC is in "host only" mode to isolate the system from the network.
  • Simulate internet services using tools such as INetSim, providing fake network services for malware needing them.
  • Disable "shared folders" and "guest isolation" to prevent malware from accessing the host or other VMs.
  • Generate the hash value of each OS and tool for integrity checking to ensure they have not been altered.
  • Copy the malware over to the guest OS for analysis.

Malware Analysis Techniques

  • Basic Static Analysis - Analyze file characteristics without analyzing behavior.
  • Advanced Static Analysis - Reverse-engineer malware internals by loading the executable into a disassembler.
  • Basic Dynamic Analysis - Run malware and observe its behavior on the system.
  • Advanced Dynamic Analysis - Use a debugger to examine a running malicious executable's internal state.

Basic Static Analysis

  • Crucial to handle all specimens carefully, especially a malware file.
  • The steps of basic static analysis include:
    • Identifying File Type Using Manual Method
    • Local Antivirus Scanning
    • File Fingerprinting
    • Online Malware Scanning
    • Strings
    • Identifying Packing/ Obfuscation Methods
    • Finding the Portable Executable (PE) information
    • Identifying File Dependencies

Identifying File Type Using Manual Method

  • This involves examining the raw file data with a hex editor.
  • On Windows, you can use a hex editor like HxD hex editor, available at mh-nexus.de/en/hxd/.
  • On Linux, use commands like xxd to generate a hex dump.
  • An output of "4D 5A" at the start of the hex dump implies the file is likely a Windows executable.

Local Antivirus Scanning

  • Run the file through multiple antivirus programs.
  • This may identify the malware; however, antivirus tools aren't perfect.
  • They depend on databases, and malware authors can modify signatures.

Challenges of Antivirus Detection

  • Heuristics also can miss uniquely coded malware.

File Fingerprinting

  • File fingerprinting computes hash values for binary code.
  • A hash value is the shorter, fixed-length sequence derived from the file's data.
  • Hash values uniquely identify malware, verifying that the code wasn't altered during analysis.
  • HashMyFiles calculates various hash values (MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384).
  • The website fileformat.info/tool/hash.htm can be used to calculate the unique hash for malware samples.

Other tools useful for this include:

  • Mimikatz (extracting passwords).
  • HashCalc (supporting many hash calculations).
  • hashdeep (computing checksums and message digests).
  • tools4noobs (an online hash calculator).

Once you have a unique hash

  • The hash can be used as a label.
  • It can be shared with other analysts to help identify malware.
  • Search for that hash online to see if the file has already been identified.

Online Malware Scanning

  • Upload suspicious files (or their hashes) to online services like VirusTotal.
  • VirusTotal scans files with a variety of antivirus engines.

List of Tools

  • Hybrid Analysis.
  • Cuckoo Sandbox.
  • Jotti's Malware Scan.
  • Valkyrie Comodo.
  • FortiGuard Online Scanner.
  • These tools run suspicious files in contained sandbox environments to scan them.

Strings Examination

  • String analysis uncovers program actions and intent by looking at strings inside executable files.

Key Actions in String Analysis:

  • Searching and analyzing strings reveals program operations.
  • Identifying harmful actions via extracted URL strings.
  • Being alert to suspicious, hidden, or encrypted strings.
  • BinText - Extracts ASCII and Unicode strings.
  • FLOSS, Strings (Microsoft), Free EXE DLL Resource Extract, FileSeek, and Hex Workshop are also recommended.
  • The standard program signature begins with "!This program cannot be run in DOS mode."
  • Section names are .text, .rdata, .data, .pdata, .rsrc, and .reloc.
  • WATAUH, A]A, and UVATAVAWH are examples of garbled or encoded data.
  • Error and status messages include runtime errors and the Microsoft Visual C++ Runtime Library.
  • API functions like GetProcessWindowStation, MessageBoxW, and RegSetValueExA are examples of functionality indicators.

Strings examination might give clues like:

  • References to sleep, encode, and specific patterns of API calls might indicate malicious activity.
  • File paths (APPDATA), temporary files (brbconfig.tmp), and internet-related strings (Mozilla/4.0, HTTP/1.1).
  • Timestamps and language data representing dates, times (HH:mm:ss), and months (December, November).
  • Malware and botnet identification: brbbot, which is the name of the executable.
  • Runtime libraries: ntdll.dll, ADVAPI32.dll, WININET.dll, WS2_32.dll, KERNEL32.dll, USER32.dll, and mscoree.dll.
  • Debug-related references such as UnhandledExceptionFilter and IsDebuggerPresent.

If Strings look suspicious they might be the following:

  • Encoded or obfuscated strings, which show that the program uses tactics to hide its activity.
  • Registry manipulation functions, APIs which show that the program modifies the registry.
  • Cryptographic Functions where the program is designed to encrypt data.

It also might indicate:

  • A botnet or malware name, which may be the name of the botnet/malware.
  • A Sleep function, which suggests the malware sleeps during analysis to avoid dynamic analysis.
  • System Information Gathering indicating the program collects system information.

Suspicious activities include:

  • API calls such as "GetLastActivePopup", "GetActiveWindow", and "GetProcessWindowStation" for keylogging.
  • Use of the API calls "CreateFileA", "FindResourceA", and "WriteFile".
  • Other APIs that access or create files, which can suggest that the program writes out payloads.
  • IsDebuggerPresent, which shows that the malware checks whether it is being analyzed.
  • The presence of strings alone does not 100% conclude that the intent is malicious. It must be investigated.

Identifying Packing/ Obfuscation Methods

  • String extraction is an excellent technique to harvest valuable information.
  • Malware authors obfuscate.
  • Obfuscation means to conceal the malware functionality from security experts.
  • Obfuscation reduces the number of extractable strings and makes the strings left behind incomprehensible.
  • Packers are used to compress and encrypt malware which changes file structure and appearance.
  • Cryptors encrypt the contents of the malware which hinders static analysis measures.

Identify Packing using PEiD tool

  • PE files are executable binaries in Windows operating systems.

PEiD Tool

  • It can detect common packers, compilers, cryptors for PE files.
  • PEiD identifies over 600 different packer and compiler signatures.
  • ProtectionID, RDG Packer Detector, and CFF Explorer are alternative tools that can identify packers.
  • The tool Detect It Easy ("DIE") is used on Linux systems.

Packing/obfuscation tools include:

  • Macro Pack, a tool found on GitHub, used for obfuscation.
  • UPX, a free, portable, extendable packer.
  • ASPack.
  • VMProtect, a tool that protects files using a standard software architecture.
  • ps2 packer, available on GitHub.

PE (Portable Executable) information

  • The PE format is used for executables, object code, DLLs, FON Font files, and others.
  • It is used for 32 and 64 bit versions of Windows.
  • When a file is executed, the operating system loader reads data from the PE header and then loads the file content into memory.

The PE header contains information such as:

  • Where to load the executable in memory.
  • The entry address of the executable.
  • Libraries on which the application relies.
  • Resources used by the binary.
  • The file has several sections that hold its code and data.
  • Size, entry points, and file source are described in a single header alongside the code.

Structure of a PE File:

  • The headers hold the size, entry point, and resource directory.
  • The sections hold code (text) or initialized data.

Some of PE common sections include:

  • .text holds the executable code.
  • .data holds initialized global and static variables.
  • .rdata holds read-only data such as string literals and constant data.
  • .bss holds uninitialized data.
  • .idata contains import data for libraries or pointers to them.
  • .edata contains exported data.
  • .rsrc section has icons, menus etc.
  • .reloc stores relocation information.

Common Tools for PE Analysis:

  • PE Explorer is a comprehensive tool that views 32-bit files such as EXEs, DLLs and ActiveX controls.
  • Analysis tools are for finding and scanning PE files.
  • Resource Hacker is an efficient resource viewer and editor for Windows.
  • These allow inspection of the PE file's structure.

Identifying File Dependencies

Static Linking

  • Incorporates all necessary library code at compile time.
  • Results in a larger executable file.
  • Can make it hard to distinguish the program's own code from the library code it includes.

Runtime Linking

  • Connects to library functions as needed during the execution.
  • Less predictable and often used to disguise

Dynamic Linkers

  • Resolve dependencies at load time using the libraries installed on the system.
  • More space efficient, and the imported libraries hint at the program's potential actions.
  • The libraries below are common Windows DLLs.

Common DLLs:

  • kernel32.dll accesses and handles hardware and memory.
  • advapi32.dll accesses and uses Windows components.
  • user32.dll handles any UI component being used, alongside components used to react to user input.
  • gdi32.dll handles displaying images, etc.

NTDLL

  • ntdll.dll is the interface to the Windows kernel.
  • It is normally only used directly by certain programs.

WSock32.dll / WS2_32.dll

  • These connect to the network when needed.

WinINet.dll

  • Implements protocols such as HTTP, NTO, etc.

To know what the malware might be capable of, analyze the functions it imports from various libraries, including:

  • Process management: CreateProcessA, OpenProcess, and TerminateProcess from KERNEL32.dll.
  • Reading and writing other files: accessing and modifying data, which may indicate that data is being stolen.
  • Gaining elevated permissions.
