7.19.2010

Dynamic malware analysis Part II

Here we are again, after a short introduction to Buster Sandbox Analyzer. I will not bore you with the details of installing Sandboxie, because they did a great job of covering that on their own website.
I promised you that we would talk about Virut in this second tutorial. Win32.Virut.C is a dangerous and very complicated piece of malware, but since it is no 0day (it was actually detected back in 2007), there are plenty of good papers about it.
You can find a basic introduction to the malware here, and a few technical papers I'd recommend reading are: Review of the Virus.Win32.Virut.ce Malware Sample by Vyacheslav Zakorzhevsky of Kaspersky Lab, Virut Encryption Analysis by the guys at SecureWorks, and Under the Hood: Virut by the guys at TeamFurry.

[Please take your time to study the analyses of the malware. At least read the basic introduction, because without it this article will make no sense whatsoever.]

So, back to the practical part of this article. If you get hold of a Virut sample, you'll see that analyzing it in its raw form gets you nowhere. What's the next step? Try loading it in a sandbox. We'll go through the public sandboxes one by one, and I'll post the results:


CWSandbox
Sandbox analysis: here
Things learned:
- created a C:\8884425.exe file; created a R30S mutex



Anubis
Sandbox analysis: here
Things learned: -



ThreatExpert
Sandbox analysis: here
Things learned:
- please read the report, it covers a lot of details



Comodo Instant Malware Analysis
Sandbox analysis: here
Things learned:
- please read the report, it covers a lot of details



EUREKA Malware Analysis
Sandbox analysis: here
Things learned:
- it tried to unpack the .exe; it listed the strings and DNS names from the "unpacked" .exe and produced an unpacked .asm disassembly
[I can't confirm whether this output came from a previous analysis or from run-time analysis]


Norman Sandbox
Sandbox analysis: here
Things learned:
- anti-debug/anti-emulation code present; creates a mutex and a section; modifies memory; modifies an OS kernel function



Now let's try the same thing, only this time using BSA.

Buster Sandbox Analyzer
Sandbox analysis: here
Things learned:
- process created, service opened, mutex created, registry keys opened, registry keys modified, privilege escalation
[it completely missed NtCreateFile and similar functions, and also the port connections].


Conclusions

We can see that the job of a malware researcher is not easy. PandaLabs reports that it had 22,000 new malware samples to analyze per day in 2008; do the math (86,400 seconds in a day divided by 22,000 samples) and a single researcher would have roughly four seconds to spend per sample. This is an ongoing battle.
Dynamic analysis of malware is not easy either. There is no single publicly available tool that can tell you every threat a piece of malware poses.
It is almost impossible for a malware researcher to do static analysis blind (that is, without a basic dynamic analysis up front). It is hard to dive straight into the code with no idea what to look for.
An old piece of malware like Virut (dating from 2007) is still a problem for the public sandboxes, and we need better tools available to the public in order to do better malware research.
Buster Sandbox Analyzer gives us overall good results. If we filter out the noise and look at what really happens, we get a useful picture. Another plus is that we have control over the run, and it's offline.
I want to finish this article by asking the AV companies a question: how do you expect to educate great people in malware defense with public sandboxes of such poor quality?
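The noise-filtering step described above, as an added example that is not part of the original post and not BSA's own code: a small Python script that reduces a raw API-call trace to the kind of "things learned" summary used for each sandbox in this article. The trace format, the registry keys, the section name, the privilege and the network address are all constructed for the example (only C:\8884425.exe and the R30S mutex come from the reports above); the noise rules (system DLL loads, the sandbox's own redirected paths, failed calls) are the ones a practitioner typically strips first. It also flags an empty network category, because a trace with no connections is as likely to mean an unconfigured sniffer as a sample that stays silent.

```python
import re
from collections import defaultdict

# Constructed trace for this example. The lines imitate a generic
# "<time> <pid> <api>(<args>) = <ret>" call log and are NOT the real BSA
# (or any other sandbox's) report format. C:\8884425.exe and the R30S mutex
# are the indicators the reports above mention; every other name, key,
# section and address is made up.
SAMPLE_TRACE = r"""
00:00:01.002 1234 LdrLoadDll("C:\Windows\system32\kernel32.dll") = 0
00:00:01.010 1234 NtCreateMutant("R30S") = 0
00:00:01.020 1234 NtCreateFile("C:\8884425.exe", GENERIC_WRITE) = 0
00:00:01.021 1234 NtWriteFile("C:\8884425.exe", 32768) = 0
00:00:01.025 1234 NtCreateFile("C:\Sandbox\user\DefaultBox\drive\C\8884425.exe", GENERIC_WRITE) = 0
00:00:01.030 1234 NtOpenFile("C:\missing.dll", GENERIC_READ) = 0xC0000034
00:00:01.040 1234 RegOpenKeyEx("HKCU\Software\Example") = 0
00:00:01.041 1234 RegSetValueEx("HKCU\Software\Example\Run", "C:\8884425.exe") = 0
00:00:01.050 1234 NtCreateSection("\BaseNamedObjects\ExampleSection") = 0
00:00:01.060 1234 AdjustTokenPrivileges("SeDebugPrivilege") = 0
00:00:01.070 1234 NtCreateProcess("C:\8884425.exe") = 0
00:00:02.000 5678 LdrLoadDll("C:\Windows\system32\ws2_32.dll") = 0
00:00:02.100 5678 connect("tcp://192.0.2.10:6667") = 0
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$'
)
ARG_RE = re.compile(r'"([^"]*)"')  # keep only the string arguments (names, paths)

# Which API names feed which summary category. Illustrative; extend for the
# calls your tracer actually hooks.
CATEGORIES = {
    "files_created": {"NtCreateFile", "NtWriteFile"},
    "mutexes": {"NtCreateMutant", "CreateMutexA", "CreateMutexW"},
    "sections": {"NtCreateSection"},
    "registry_opened": {"RegOpenKeyEx", "NtOpenKey"},
    "registry_writes": {"RegSetValueEx", "NtSetValueKey"},
    "privileges": {"AdjustTokenPrivileges"},
    "processes": {"NtCreateProcess", "CreateProcessA", "CreateProcessW"},
    "network": {"connect", "WSAConnect", "send", "recv"},
}

# Noise: DLL loads every process does, and the sandbox's own redirected copies
# of files the sample already touched under its real path.
NOISE_APIS = {"LdrLoadDll", "LoadLibraryA", "LoadLibraryW", "NtClose"}
NOISE_PATH_PREFIXES = ("c:\\sandbox\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_line(line):
    """Parse one trace line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["args"] = ARG_RE.findall(ev["args"])
    return ev


def is_noise(ev):
    """True for events that carry no information about the sample's behaviour."""
    if ev["api"] in NOISE_APIS:
        return True
    return any(a.lower().startswith(p) for a in ev["args"] for p in NOISE_PATH_PREFIXES)


def summarize(trace):
    """Return (summary per category, counters, warnings) for a trace string."""
    seen = defaultdict(set)
    stats = {"parsed": 0, "failed": 0, "noise": 0, "uncategorized": 0}
    for line in trace.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stats["parsed"] += 1
        if ev["ret"] != "0":          # failed call: the object never came into being
            stats["failed"] += 1
            continue
        if is_noise(ev):
            stats["noise"] += 1
            continue
        for category, apis in CATEGORIES.items():
            if ev["api"] in apis:
                if ev["args"]:
                    seen[category].add(ev["args"][0])  # first string arg is the object name
                break
        else:
            stats["uncategorized"] += 1
    summary = {c: sorted(seen[c]) for c in CATEGORIES}
    warnings = []
    if not summary["network"]:
        warnings.append("no network events captured; verify the tracer's packet "
                        "sniffer/adapter configuration before calling the sample silent")
    return summary, stats, warnings


def report(trace):
    """Print the 'things learned' view of a trace."""
    summary, stats, warnings = summarize(trace)
    for category, values in summary.items():
        if values:
            print(f"{category}: {', '.join(values)}")
    print("stats:", stats)
    for w in warnings:
        print("WARNING:", w)


if __name__ == "__main__":
    report(SAMPLE_TRACE)
```

Run on the constructed trace, the script keeps the file, mutex, section, registry, privilege, process and connection events and drops the two DLL loads, the sandbox-path duplicate and the failed open; removing the connect line makes it emit the sniffer warning instead of a silent empty category.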

PS: I want to thank Costin Raiu for providing me the Win32.Virut.Ce sample. It helped me a lot!


One final note: feedback is always welcome; please post your opinions/questions in the comment section.

4 comments:

  1. The link http://claudiufrancu.ro/files/BSAReport.rar does not work. Please fix that.

    Could you please upload the malware to somewhere, such as OffensiveComputing? I would like to try that with my sandbox, and compare that with your result.

    Thanks a lot,
    N

  2. Anonymous,

    I have fixed the link now, everything should be in order. Thank you for your feedback!

  3. Hi.

    Glad to hear you like my tool, Claudiu.

    You commented about BSA: "it totally missed the NtCreateFile and alike functions, and also the port connections."

If a file is created or modified at the sandbox folder BSA will not miss it.

    Could you give more details about what you mean with that it totally missed the NtCreateFile, please?

    Port connections will not be missed when BSA is properly configured. For this you must select the adapter at "Packet sniffer" config.

Maybe you missed configuring it properly.

    Regards.

  4. Hi,

I'll look more into it and I'll post my findings. Thank you for your feedback!
