This blog entry is going to lay down the ground work for some of the more advanced malware analysis topics that will be covered in future entries. This is a brief introduction to basic static and dynamic analysis techniques of malware.
Malware analysis can be lumped into two categories: static and dynamic. Static analysis is essentially analyzing the code without actually allowing it to run. Static analysis can range from simple techniques like file identification, and strings to more advanced techniques such as analyzing the disassembled code with IDA Pro. Dynamic analysis involves executing the code in a controlled environment and monitoring system changes. Dynamic analysis can be as simple as executing the malware in a VM and monitoring changes with Sysinternals, to more advanced techniques leveraging a debugger to single step through the code.
Basic Static Analysis
When analyzing malicious software it’s a best practice to start with basic static analysis to identify the file type. Depending on the file type you will move into more advanced static and dynamic analysis techniques. Below is an example of utilizing both Linux utilities and Python to perform file identification:
The most common file format you will encounter when performing malware analysis is the Windows 32-bit Portable Executable (PE) format. The PE header can yield useful information for analysis. Several tools exist to aid in this type of analysis (pefile, pescanner.py, CFF Explorer, YARA, etc.). Below is an example of utilizing pefile to examine the sections and imports within the PE header:
By analyzing the sections and imports within the PE header you can start to identify if the file is packed and get a basic idea of what functionality this binary is leveraging within the Windows API. Packed code will obfuscate strings and more advanced static and dynamic analysis with disassemblers (IDA Pro) and debuggers (OllyDbg). Normally packed code will only have a few imports (LoadLibraryA, and GetProcAddress), and it may also have odd section names such as UPX. In addition, there is a large array of tools for packer identification (PEID, YARA, etc.).
Assuming the code isn’t packed, examining the binaries imports can give you a clue into it’s function. A tool called pescanner.py does a good job at pointing out interesting imports for analysis. Assuming the code isn’t packed we might be able to get useful information from the strings. Strings can be examined using the Linux utility “strings”. Simply type the following:
strings <filename> | less –S
The image below illustrates how a packer can obfuscate the strings in a binary (Left – Unpacked, Right – packed):
These stages of analysis can be easily automated with Python. Below is a quick example of how you can create a function to automate some of the techniques discussed so far:
Basic Dynamic Analysis:
Primal Security prefers VirtualBox as a virtualization platform because it can be controlled from the command line and Python easily. Python’s OS module can be used to invoke system commands within Python. Below is an example of starting a VM with VirtualBox from both Linux CLI and Python:
Executing the malicious sample can sometimes take some work. The sample might run just fine when double-clicking it within Windows explorer; however you may need to invoke the binary with CLI arguments. In addition, DLLs may require additional kung-fu to include installing as a service, or loaded with regsvr32.exe and rundll32.exe. Examples are below:
If you have trouble executing the malware using the techniques discussed above the best solution is to turn to static analysis of the code with IDA Pro.
Sysinternals is a useful suite of tools to be used for basic dynamic analysis. Three popular Sysinternals tools are Process Explorer, Process Monitor, and Autoruns.
Process Explorer is a more verbose version of task manager.
- It provides the ability to search for strings in a process – Can be helpful in identifying malicious process if you have some strings from static analysis
- It provides the ability to search for DLLs or handles loaded by a process – This can be helpful in locating DLL injection, involves the malware loading malicious DLLs to perform functions in a legitimate process
- Process Explorer monitors Windows processes in the same fashion as Task Manager in Windows, by monitoring the doubly-linked list “EPROCESS” that Microsoft Windows maintains.
- For this reason it can still be fooled by rootkits that modify the EPROCESS list
Process Monitor is a verbose tool that monitors system events.
- To filter within the Process Monitor GUI simply type: Ctrl+L and the filtering dialog box will pop up.
- A very useful filter is “Category” “Is” “Write”. This will show attempts to write to both the registry and file system. You can also filter by operation, which corresponds to the Windows API calls. Below is an example of looking for WriteFile operations:
Autoruns is a tool that will scan the file system and registry for Auto-Start Extensibility Points (ASEPs). Since malware wants to remain persistence on the compromised system it will likely modify one of these locations. The idea is you can take a snapshot of your VM baseline with autoruns and then compare against that snapshot after the malware’s execution. The changes are in green:
CaptureBat is another useful tool, its strength comes into play with switch “-c” because it will save off any files deleted during the malware’s execution.
During your analysis within the VM it’s also beneficial to emulate various network services on your Linux host (DNS, HTTP, HTTPS, etc.). This is as basic as it gets with regards to static and dynamic analysis and you’ll likely find yourself unable to pull out indicators of compromise from some more advanced malware samples. Future blog posts will go into more advanced topics for analyzing malware, such as memory forensics, YARA, IDA Pro, OllyDbg, and automation with Python.