Tip Of The Day - Virtual Drive

"OnLineGames" trojans are one of todays most popular malware, occupying large chunk of ItW( In-The-Wild) list. Note: Some malware, like Autorun are also behaving similar to OnlineGames trojan. They are designed to steal confidential information from online gamers particularly addicted to massively multiplayer online role-playing game (MMORPG) types of games.
One particular behavior of this malware family is its capability to spread to all hard drives including USB. This made it possible for this malware to be carried out somewhere including outer space . Its just a matter of time that someone could write virus that could sabotage some of the most critical infrastractures that affect our lives. Scary isn't it?

Typically, we do static analysis with Hiew or Ida. Then dynamic analysis to analyze viruses. Static analysis is basically just browsing the structures of the file, disassembly codes and trying to understand the overall behavior. Some strings can also give help of its nature, like my previous post.
Dynamic analysis can be divided into 2 parts: (a) behavioral analysis by running the malware in a sanbox.
and (b) tracing, running the malware under the debugger, watching the behavior by breaking to some predetermined
part of the code, and supplementing other additional "baits" (eg. required files, proces, etc). In tracing mode, you have the choice to examine only parts of the code.
Example: how the malware gather email address for spamming, some decryption routines, and other algorithmic code that may require special attention to fully understand the malware, or other code that you need to verify because other analysis say something that you didnot observe.

Ill show some practical tips that can help you in analyzing (malware in general and ) OnlineGames trojan through behavioral analysis, that I can roughly describe as follows:

0. Most of them are working fine on VMware, so using VMware is a good idea to analyze malware, especially if you analyze large volume of malware due to VMwar's snapshot capabilities. Reverting to your "sandbox" snapshot is way much faster than restoring real machine by using, say GHOST.

1. Use lightweight network/packet sniffer to capture the traffic as most of them are downloading components from remote locations. Im using my own tool pcaps32:

pcaps32 in action

This is particularly useful to check the inbound/outbound traffic generated by the malware such as communication with its C&C, download websites, spammed emails, traffic redirection or if the contacted IP is unreachable or not.

2. Process viewer program like process explorer sysinternals, to see process activities like hiddenly spawned ie process, etc. Pretty obvious.

3. Registry and file monitoring programs are obviously valuable to easily spot the modification in the system after running the malware.


4. And last but not the least, Virtual Hard drive, thats why the subject name :) As virus analyst, you have to be quick and resourceful in utilizing the right tools. One time, while analyzing "OnlineGames" trojan, I thought I've whether its mutating for very infection. Onlinegames are known to drop INF file and a copy of itself (or other components) to all accessible hard drives. So the trick is to provide the trojan more accessible hard drives to see other behavior to some extent. This is essential for us to know if the dropped files to other hard drives are mutating or polymorphic. But my VMware setup has only one drive and I didnt want to resetup just for this malware.

For this purpose, I tried Virtual Hard Drive software from farstone. So grab a trial version and install it to your sandbox machine. Creating a virtual hard drive is easy. Just run "Virtual Hard Drive Pro" from Start->Programs->Virtual Hard Drive Pro. A wizard will guide you to create virtual hard drive:



Just specify the drive letter for your new hard drive and the allocated space for it. The licensed version I believe would allow you to create more virtual hard drives.
Now you are ready to run the malware. This is where the behavioral analysis commence.

OK. Lets say youre done with the analysis, and would like to check the effect of the virtual hard drive (VHD). Just goto your bait hard drive and check for system modification, which is usually dropped or copy of the malicious program. Take note that some monitoring program will not be able to catch added programs to the VHD, so will manually check it.
Some variants may turn off the "show hidden file" option via registry, but you can use "dir /ah" or "attrib *" if you know the drop point, usually at the root dir similar below:


It will help the analyst to verify if the malware is polymorphic or mutating on every infection, and so the analyst can provide better signature coverage against each variant or family.

On my next posts, I will present how to analyze complex malware that would require tracing and hacking the malware code. Stay tuned.

Tip Of The Day - AutoHotkey malware

Yesterday, I found a piece of malware to analyze. I checked the file structure and it looks like a UPX packed executable (eg. from section names, entry point disassembly and even some signature checker tools).

Original file

Unpacked version


UPX v3.0 marker

So I grabbed a copy of upx.exe that can decompress the file which says its UPX version 3.00. Everything was ok and the file was successfully unpacked. So I opened the unpacked version to HIEW and check the entry point again.

Entry point disassembly in Hiew

Entry point disassembly in Ida

From its disassembly, it really is unpacked and you can tell that it looks the normal entry point of a program. Maybe if you're analyzing malware for a while, you can tell this based from the first API calls, etc. Most of the time its game over..but sometimes, it gets even more.

So I ran the file on my sandbox machine and wait for some interesting behavior. But nothing happened. So I opened it again and started to trace. But hey, I forgot to check the strings that can lead me somewhere. I've browsed the binary under Hiew and started looking for some strings.

"AutoHotkey" strings

Indeed, there were some interesting strings (Assembly Manifest) inside the binary.
With that in mind, its most likely an autohotkey script that is converted into executable, just like autoit, remember? Hmmm...so I opened my browser and search for "autohotkey". Viola! From its website it says:

"Convert any script into an EXE file that can be run on computers that don't have AutoHotkey installed."

The EXE is actually a hyperlink to download its decompiler ahk2exe. Download it and you can revert back the exe to its original script format, that can be opened on any text viewer/editor to view the contents. The decompiled script is pretty much straightforward and it would make your life 10x faster to analyze the file.
Then thats game over!

Decompiled script

Check the AV detections in VT

Conclusion: People can now easily create malware without learning ASM or C by just learning simple syntax from scripting languages like autohotkey then convert it into executable format.

Judy Array

Hmm...Ive found this code interesting..I can use it in some of my coding adventures :)

More Paris Hilton Malware..

My inbox has several emails purportedly a video of Paris Hilton.
The email is a simple html that contains link to a photo (Paris), but when you click the hyperlink enticing the users to view the video, it will download an EXE file from another remote location.


An example of the email is below:

And the email body in text mode is similar below:
Highlighted in red is the actual location of the executable file. You can see the links of the photo is different from the location of the binary file.

Some of the download links are as follows:
http://patuash.yoyo.pl/video_4.exe
http://www.odakoptik.com.tr/video_3.exe
http://baupol.net/video_1.exe


Example output from VT is here.

IE7 update is now Paris Hilton video

The fake IE7 who actively circulated a couple of weeks ago is back. This time, it disguises as video of no other than the favorite celebrity by malware authors - Paris Hilton.

hexdump codes for python

http://hex-dump.blogspot.com/2006/02/hex-dump-tools-written-in-python.html

Sandbox & Virtualization & Lockdown Technologies

http://www.offensivecomputing.net/?q=node/569

good read

http://bitblaze.cs.berkeley.edu/

Traditional sig-based AV is dead

Maybe not (yet)..but its worth to mention that some AVs are starting to give up the traditional way of virus scanning and moving towards "cloud-based" threat scanning:

First, TMI's Smart Protection:
- http://trendmicro.mediaroom.com/index.php?s=43&item=642

Then, Panda has the so called Collective Intelligence approach:
- http://research.pandasecurity.com/blogs/images/wp_pb_collective_intelligence.pdf

And just recently, even academic sector also believes to the "in-the-cloud" strategy:
- http://blogs.zdnet.com/emergingtech/?p=1008

I wont be surprised if other vendors would follow the steps :-)

Latest IE7 version is nothing but a malware

The message body runs as below:

-----------------------------------------------------------------------------------------------
Download the latest version Internet Explorer 7.0! About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

�2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
-----------------------------------------------------------------------------------------------


Warning: Dont click the link above; it will download a malware, that even AV vendors are confused how they gonna name it :) See: http://www.virustotal.com/analisis/18b97fb3bc30251051a8542a90401b6f

AV's have good coverage though for this piece of malware :-)

Christina Aguilera Interesting video

Video of Christina Aguilera is currently being spammed by some malware.
Dont temp to download if you dont like to be infected :-)

The mail looks like below:


When you click the link, it will go to a website that will download the file videoXXX67h8.exe (72,704 bytes). Virustotal shows several AV vendors detecting it as malicious: http://www.virustotal.com/analisis/fa5924ec4f51bc1c16a83b280756b3da

You can ofcourse check the header to manually search and download the malware from the link in the screenshot: