Thursday, August 28, 2008

Tip Of The Day - Virtual Drive

"OnlineGames" trojans are among today's most prevalent malware, occupying a large chunk of the ItW (In-the-Wild) list. Note: some other malware, like Autorun, behaves similarly to the OnlineGames trojan. They are designed to steal confidential information from online gamers, particularly those addicted to massively multiplayer online role-playing games (MMORPGs).
One particular behavior of this malware family is its ability to spread to all accessible drives, USB drives included. That is how this kind of malware has been carried to unexpected places, outer space among them. It is just a matter of time before someone writes a virus that sabotages some of the most critical infrastructures that affect our lives. Scary, isn't it?

Typically, we do static analysis with Hiew or IDA, then dynamic analysis, to analyze viruses. Static analysis is basically browsing the structure of the file and the disassembled code and trying to understand the overall behavior. Strings can also hint at its nature, as in my previous post.
Dynamic analysis can be divided into 2 parts: (a) behavioral analysis, running the malware in a sandbox; and (b) tracing, running the malware under a debugger, watching its behavior by breaking at predetermined points in the code, and supplying additional "baits" (e.g. required files, processes, etc.). In tracing mode you can choose to examine only parts of the code.
Example: how the malware gathers email addresses for spamming, decryption routines, other algorithmic code that needs special attention to fully understand the malware, or code you need to verify because another analysis reports something you did not observe.

I'll show some practical tips that can help you analyze OnlineGames trojans (and malware in general) through behavioral analysis, which I can roughly describe as follows:

0. Most of them work fine on VMware, so using VMware is a good idea for analyzing malware, especially large volumes of it, because of VMware's snapshot capability. Reverting to your "sandbox" snapshot is much faster than restoring a real machine with, say, Ghost.

1. Use a lightweight network/packet sniffer to capture the traffic, as most of them download components from remote locations. I'm using my own tool, pcaps32:
(Screenshot: pcaps32 in action)

This is particularly useful for checking the inbound/outbound traffic generated by the malware: communication with its C&C, download sites, spammed emails, traffic redirection, or whether a contacted IP is reachable at all.
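To show what such a capture is examined for, here is an added example (not pcaps32 and not part of the original post) that parses a libpcap file and tallies the destination IP:port pairs the sample contacted, which is the quickest way to spot a C&C or download site in the traffic. The capture it parses is constructed in memory, so the IPs, ports and timestamps are made up; point contacted_endpoints() at the bytes of a real .pcap saved by any sniffer.

```python
"""Added example: summarise the hosts a sample contacted from a libpcap capture.
The sample capture is built in memory so the script runs offline; for a real one
use contacted_endpoints(open("sample.pcap", "rb").read())."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
PCAP_MAGIC_LE = 0xA1B2C3D4


def build_frame(src_ip, dst_ip, dst_port):
    """Constructed Ethernet/IPv4/TCP SYN frame (sample data, checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 1025, dst_port, 1, 0,
                      5 << 4, 0x02, 8192, 0, 0)              # 20-byte header, SYN flag set
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (global header + per-packet headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1219881600 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def contacted_endpoints(pcap_bytes):
    """Return a Counter of (dst_ip, dst_port) for every TCP/UDP packet in the capture."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:                                # same magic, big-endian writer
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    linktype, = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    hits = Counter()
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                      # skip non-IPv4 frames
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
        proto = frame[23]
        dst_ip = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:             # TCP or UDP: dst port at bytes 2..3
            dst_port, = struct.unpack("!H", l4[2:4])
            hits[(dst_ip, dst_port)] += 1
    return hits


# Constructed sample: two packets to one "download site" on port 80, one SMTP attempt.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "203.0.113.5", 80),
    build_frame("192.168.1.10", "203.0.113.5", 80),
    build_frame("192.168.1.10", "198.51.100.7", 25),
])

if __name__ == "__main__":
    for (ip, port), n in contacted_endpoints(SAMPLE_PCAP).most_common():
        print(f"{ip}:{port}  {n} packet(s)")
```

Run it as is and it prints the two endpoints from the constructed capture; an unexpected SMTP destination in a real capture is the kind of thing the post means by "spammed emails".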

2. A process viewer such as Sysinternals Process Explorer, to see process activity like hidden spawned IE processes, etc. Pretty obvious.

3. Registry and file monitoring programs are obviously valuable for easily spotting modifications to the system after running the malware.

4. And last but not least, a virtual hard drive, hence the subject name :) As a virus analyst you have to be quick and resourceful in using the right tools. One time, while analyzing an "OnlineGames" trojan, I wanted to know whether it mutates on every infection. OnlineGames trojans are known to drop an INF file and a copy of themselves (or other components) to all accessible hard drives. So the trick is to give the trojan more accessible hard drives and observe more of its behavior. This is essential for knowing whether the files dropped to other drives are mutating or polymorphic. But my VMware setup had only one drive, and I didn't want to set it up again just for this malware.

For this purpose, I tried the Virtual Hard Drive software from FarStone. Grab a trial version and install it on your sandbox machine. Creating a virtual hard drive is easy: just run "Virtual Hard Drive Pro" from Start->Programs->Virtual Hard Drive Pro. A wizard will guide you through creating the virtual hard drive:

Just specify the drive letter for your new hard drive and the space to allocate to it. The licensed version, I believe, lets you create more virtual hard drives.
Now you are ready to run the malware. This is where the behavioral analysis commences.

OK. Let's say you're done with the analysis and would like to check the effect on the virtual hard drive (VHD). Just go to your bait hard drive and check for system modifications, usually a dropped file or a copy of the malicious program. Take note that some monitoring programs will not be able to catch programs added to the VHD, so you will have to check it manually.
Some variants may turn off the "show hidden files" option via the registry, but you can use "dir /ah" or "attrib *" if you know the drop point, usually the root directory, similar to the listing below:

This will help the analyst verify whether the malware is polymorphic or mutating on every infection, so the analyst can provide better signature coverage for each variant or family.
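Here is an added example (not part of the original post, and nothing to do with the FarStone software) that automates the manual check from the last three paragraphs: it snapshots each bait drive before and after the sample runs, lists what was dropped (hidden files included, so a disabled "show hidden files" option does not matter), and reports whether the copies on different drives are byte-identical or differ, which is exactly the mutating/polymorphic question above. The bait drives, file names and contents in demo() are constructed in a temporary directory so the script runs anywhere; on the analysis box you would call snapshot() on the real drive roots (e.g. "E:\\" and "F:\\") instead.

```python
"""Added example: compare what a sample dropped on several bait drives.
Take a snapshot of each drive root before running the sample and another after,
list the files that appeared, flag hidden ones, and say whether the copies on
different drives are identical (static dropper) or differ (mutating/polymorphic)."""
import hashlib
import os
import stat
import tempfile
from collections import defaultdict


def snapshot(root):
    """Map relative path -> sha256 for every file under root, hidden files included."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def is_hidden(path):
    """Hidden by the Windows file attribute where the platform reports it; otherwise
    (assumption for non-Windows runs) hidden means a leading dot in the name."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def new_or_changed(before, after):
    """Files that appeared or changed between two snapshots."""
    return {p: h for p, h in after.items() if before.get(p) != h}


def compare_drops(roots, before, after):
    """roots: label -> path; before/after: label -> snapshot of that path.
    Returns (dropped files per drive, verdict per relative path, hidden paths per drive)."""
    dropped = {lbl: new_or_changed(before[lbl], after[lbl]) for lbl in roots}
    digests_by_path = defaultdict(set)
    for files in dropped.values():
        for rel, digest in files.items():
            digests_by_path[rel].add(digest)
    verdict = {}
    for rel, digests in digests_by_path.items():
        copies = sum(1 for files in dropped.values() if rel in files)
        if copies < 2:
            verdict[rel] = "single copy"
        elif len(digests) == 1:
            verdict[rel] = "identical across drives"
        else:
            verdict[rel] = "differs across drives (mutating)"
    hidden = {lbl: sorted(rel for rel in dropped[lbl]
                          if is_hidden(os.path.join(roots[lbl], rel))) for lbl in roots}
    return dropped, verdict, hidden


def demo():
    """Constructed scenario in a temp dir: two bait drives E and F. The 'sample' drops
    an INF that is the same on both, a copy of itself that differs per drive, and a
    hidden marker file. No real malware is involved; every file here is made up."""
    base = tempfile.mkdtemp(prefix="baitdrives_")
    roots = {lbl: os.path.join(base, lbl) for lbl in ("E", "F")}
    for path in roots.values():
        os.makedirs(path)
    before = {lbl: snapshot(p) for lbl, p in roots.items()}
    for i, (lbl, p) in enumerate(sorted(roots.items())):
        with open(os.path.join(p, "autorun.inf"), "wb") as fh:
            fh.write(b"; constructed INF content, same bytes on every drive\r\n")
        with open(os.path.join(p, "sample.exe"), "wb") as fh:
            fh.write(b"MZ" + bytes([i]) * 16)                   # differs per drive: mutating
        with open(os.path.join(p, ".dropped_hidden"), "wb") as fh:
            fh.write(b"constructed hidden marker")              # dot-prefixed so is_hidden() flags it
    after = {lbl: snapshot(p) for lbl, p in roots.items()}
    return compare_drops(roots, before, after)


if __name__ == "__main__":
    dropped, verdict, hidden = demo()
    for rel, v in sorted(verdict.items()):
        print(f"{rel:20s} {v}")
    print("hidden:", hidden)
```

A "single copy" verdict for a file means it landed on only one bait drive, which is worth a second look on its own: either the sample is selective about drives or a monitoring tool missed the write, the gap the post warns about.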

In my next posts, I will show how to analyze complex malware that requires tracing and hacking on the malware code. Stay tuned.
