Malware Analysis [Talal Al Ismail, Ali Al Kaf, Rashid Al Mehairbi]
Post on 02-Dec-2014
Talal Al Ismail | Ali Al Kaf | Rashid Al Mehairbi
Abstract
No single day passes without the advent of new malware of all types. Anti-virus
websites profile these malware samples, showing the severity of each one. This
paper focuses on one approach to malware analysis: behavioral analysis. An
experiment of three scenarios was performed in a virtualized environment, where
three computers with different levels of security were injected with three
different sorts of malware. These computers were observed to see how
anti-malware software would react and respond, and what changes were made to
the system processes, the registry and files. Using various malware analysis tools, the
results were extremely interesting. In conclusion, malicious code is one of the
biggest threats to computers and users because of the way it is designed: it spreads
very fast from an infected machine to another machine, and some malicious
code does not need to be executed or carried to another machine because it is designed to
move by itself.
Page | 2
Introduction
Malware is an umbrella term that covers several types of malicious code, such as
viruses, worms, zombies, logic bombs, trap doors, rootkits and Trojan horses.
Together they infect millions of computer networks every year. It seems that our
continuous and increasing reliance on information technology is matched by a steady
increase in the number of malicious programs. According to the G Data Security
Labs malware report (2010), the number of new malicious programs is likely to break
through the two million level. The risk resulting from such malicious software
exceeds the level of a single user to the extent of threatening the national security of
several countries around the world. There are realistic cases that can be taken as
examples. For instance, the Estonia cyber attacks started on April 27, 2007 and
lasted about three weeks. Estonia is described as the most "wired" and
advanced country in Europe in terms of e-Government (Myers, 2007). A series
of attacks targeted Estonia's government portals, the parliament portal, banks, ministries,
newspapers and broadcasters. Different attack techniques were used, ranging from
distributed denial of service (DDoS) to the use of hundreds of thousands of "zombie"
computers that flooded Estonian web sites with thousands of requests, causing them to stop working
(Wikipedia, 2007). Stuxnet (2010), another example, is a sophisticated computer
program designed to penetrate and establish control over remote systems in a quasi-
autonomous fashion (Farwell & Rohozinski, 2011). This virus, twenty times more
complex than any previous virus code, attacked computers at Iran's Natanz
nuclear facility, causing the immediate suspension of the facility for a few days (Stark,
2011). Stuxnet has powerful capabilities, among them the ability to turn off the
pressure inside nuclear reactors or switch off oil pipelines, while system operators
would not be able to identify any changes on their systems, because Stuxnet makes
everything look normal. Unlike most viruses, Stuxnet has real clearance, because
it does not carry the usual forged security clearance that helps viruses sneak into
systems. It exploits security gaps that system creators are unaware of; these holes
are known as zero days (FoxNews, 2011).
Mostly, malware comes from files downloaded over the Internet. Once the
malware is in the system, it scans for operating system vulnerabilities and
then slows down the performance of the system by performing unintended
actions. Moreover, malware is able to infect other executable code, data and system
files and the boot partitions of drives, and to create excessive traffic on the network, leading to
denial of service. When an infected file is executed by a user, it becomes resident in
memory and infects any other file executed afterwards. If the operating system has a
vulnerability, malware can also take control of the system and infect other systems on the
network. Such malicious code (virus is the more popular term) is also known as a
parasite and adversely affects the performance of the machine, generally resulting in
slow-down (Vinod & Gaur, 2009).
Malware can be categorized into the following:
1. Viruses
A computer virus is malware that seeks to alter the normal functioning of the
computer without the permission or knowledge of the user. The virus usually
replaces other executable files with copies infected with its code. Viruses can
intentionally destroy the data stored on a computer and perform other harmful actions.
2. Worms
A worm is malware that has the ability to replicate itself. The worm uses
automated parts of the operating system that are generally invisible to the user.
Unlike a virus, a worm does not need to alter program files; it resides
in memory and duplicates itself. Worms almost always cause problems in the
network (even if only by consuming bandwidth), whereas viruses infect or
corrupt files on the computer they attack.
3. Spyware
Spyware is software or hardware installed on a computer, usually without
the user's knowledge, that gathers information about the user and later sends it
across the Internet to a server.
4. Adware
Adware is software that automatically runs or displays
advertisements on the computer, or encourages users to install fake
antivirus software. Adware is generally installed without the permission
of the user.
5. Trojans
A Trojan, or Trojan horse, is a program that masquerades as a valid program
while actually being a malicious one. Trojan horses perform many kinds of action: some
carry out destructive actions, while others are simply in charge of spying and stealing
information.
6. Rootkits
A rootkit is a collection of programs used by a hacker to avoid detection while
seeking to gain unauthorized access to a computer. This is accomplished in
two ways: by replacing system files or libraries, or by installing a kernel
module. The hacker installs the rootkit after obtaining access similar to that of a
user, usually by cracking a password or exploiting a vulnerability, which then allows
other credentials to be used to gain root or administrator access.
Methodology
The methodology of this paper is divided into four stages as follows:
1. Creation of Test Environment
2. Collection of Information
3. Analysis of Information
4. Documentation of Results
Creation of Test Environment
For analyzing any malware, setting up a controlled test environment is
unquestionably essential. For this purpose, an isolated virtual "test lab" is created
using VMware. The "test lab" is created in the following way:
- Three virtual machines will be used for this case.
- Fresh copies of Windows XP will be installed on each virtual machine with all
needed configurations.
- The OS of all three virtual machines shall remain in the same state of
installation, with no updates or security patches installed.
- The virtual machines shall not be connected to any physical network, to avoid
any problems that may occur.
- One VM will have no anti-virus or firewall, simply no security. Of the other two
virtual machines, one will have an anti-virus and a firewall shall be mounted
on the other.
- Proper malware analysis tools, such as Winalysis, Process Explorer, Process
Monitor and Process Hacker, should be installed and configured on the
relevant virtual machines.
- Three different types of malware shall be used (Trojan horse, virus,
worm).
- Each virtual machine shall be tested with only one type of the above-
mentioned malware.
The goal of any malware analysis is to understand how a specific malicious
code functions so that proper defenses can be established for further
protection. According to Distler (2007), there are two main questions that
must be answered. Firstly, how did this machine become infected with this
malware? Secondly, what exactly does this malware do?
These questions weigh differently depending on why the
analysis is being carried out in the first place.
Collection of Information
In this phase, in order to remove all the vagueness surrounding the matter, a lot of
reading should be done to learn from the experience of others in this field and make
sure that the experiment is performed in the right manner. Also in this stage, the
names and types of malware analysis tools should be identified and the tools downloaded
for use in the experiment. Moreover, the malware files to be
used in the experiment should be downloaded in a proper way and
quarantined.
Analysis of Information
There are two types of malware analysis: code analysis and behavioral analysis. This
paper is concerned with behavioral analysis: how a malware sample acts or behaves after
its execution, who it talks to, what gets installed, and how it runs (Malware Analysis,
The Basics, 2007). During behavioral analysis, changes to the infected system and
any unusual behavior should be identified and analyzed properly using the
previously mentioned malware analysis tools.
Documentation of Results
Finally, in this stage, all the interpreted information, snapshots and results shall be
documented in a detailed report that presents them in a well-designed
and appropriate format.
Experiment
In this paper, three scenarios were carried out. Three virtual machines host Windows
XP with all the required tools installed on them. The first virtual machine is without
any protection, the second virtual machine has the Windows firewall and the
ZoneAlarm firewall, and the last virtual machine has AVG anti-virus. Moreover, different
tools were used in the experiment. Process Explorer is designed to find out
which files, registry keys and other objects processes have open, and which DLLs they have loaded.
Process Monitor was used to monitor file system, registry, process, thread and DLL
activity in real time. Process Hacker was used to monitor the file system, the registry and processes;
it also links processes to applications to show which application is using which service,
or whether it uses a network connection. Winalysis monitors for changes to files, the
registry, users, groups, security policies, services, shares, scheduled jobs, the system
environment and more. In addition, three malicious codes were used for the analysis
in this research: NewFolder.exe, which is the Trojan horse Generic7.CRT;
veawa.exe, identified as Worm/VB.7.E; and iahnb.exe, identified as a Win32 virus. All of
the malicious codes carry out targeted attacks and were analyzed using the tools to find
out what changes they make to the machines.
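The snapshot-and-compare technique that the behavioral analysis phase relies on, and that Winalysis-style tools apply to files and the registry, is shown below as an added Python example (not the paper's tooling and not Winalysis code). It hashes a directory tree before and after a sample runs and reports what was added, changed or removed; the same diff is then applied to a dictionary standing in for an export of the HKLM Run key, so start-up registrations show up the same way as dropped files. The function names, the scratch directory contents and the "after" changes are assumptions constructed for the demonstration, loosely modelled on the changes the paper reports.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helper names for this added example; not Winalysis or the paper's tooling.


def snapshot_tree(root):
    """Map every file under `root` (as a relative POSIX path) to its SHA-256 digest.

    Hashing content rather than comparing timestamps catches modifications even when
    a sample preserves the original modification time.
    """
    root = Path(root)
    snapshot = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snapshot[path.relative_to(root).as_posix()] = digest
    return snapshot


def diff_snapshots(before, after):
    """Compare two name -> value maps (file hashes or registry data) taken before and
    after the sample ran, and report what was added, removed or changed."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


# Constructed stand-in for a registry export of the HKLM Run key: the "after"
# snapshot gains an autostart entry pointing into the user profile, the kind of
# start-up registration the paper reports.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REGISTRY_BEFORE = {RUN_KEY + r"\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
REGISTRY_AFTER = dict(REGISTRY_BEFORE)
REGISTRY_AFTER[RUN_KEY + r"\explorer"] = r"C:\Documents and Settings\Administrator\sauozax.exe"


def simulate_file_changes():
    """Constructed demonstration: baseline a scratch tree, apply changes modelled on
    the behaviours the paper observed (a copy dropped into a system directory, a new
    executable in the profile, an existing file modified), then diff the snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system32 = root / "WINDOWS" / "system32"
        profile = root / "Documents and Settings" / "Administrator"
        system32.mkdir(parents=True)
        profile.mkdir(parents=True)
        (system32 / "ctfmon.exe").write_bytes(b"constructed placeholder, not a real binary")
        (profile / "notes.txt").write_text("hello")
        before = snapshot_tree(root)

        # Changes applied after the "sample" ran (all constructed, inert bytes).
        (system32 / "veawa.exe").write_bytes(b"copy of the sample dropped into system32")
        (profile / "ruoitu.exe").write_bytes(b"second executable dropped into the profile")
        (profile / "notes.txt").write_text("hello, modified")
        after = snapshot_tree(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for category, entries in simulate_file_changes().items():
        print(f"files {category}: {entries}")
    for category, entries in diff_snapshots(REGISTRY_BEFORE, REGISTRY_AFTER).items():
        print(f"registry {category}: {entries}")
```

On a real analysis VM the baseline snapshot is taken right after the clean install (matching the "same state of installation" requirement of the test lab) and the second one after the sample has run; only the diff needs to be read, which is what makes the dropped copies, modified system files and new Run entries the paper describes stand out.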
The first scenario, a virtual machine with an installed antivirus, showed several interesting results:
- The antivirus detected all the threats and gave the name of the malicious code, NewFolder.exe, and the type of malicious code, Trojan horse Generic7.CRT.
- The process name was found as C:\WINDOWS\explorer.EXE with process ID 1844.
- Process analysis made using Process Hacker found the malicious code running under ID 1844 and using CPU resources while pretending to be explorer.exe.
- Process Monitor showed that process ID 1844, called Explorer.EXE, made some changes to the registry and created various unwanted files.
The malicious code did several things to the virtual machine:
- It did not allow anything to be copied from the flash drive.
- The executable tampered with the execution of another process.
- The virus copied itself to different directories and to Windows system files.
- It made some changes to the registry.
- The Trojan started processes under the names of different legitimate applications.
- It created new files (such as "Trashes") that appear when hidden files are shown.
The second scenario, a virtual machine with an installed firewall, showed several interesting results:
- The process name was found as C:\WINDOWS\notpad.exe with process ID 428.
- Process analysis made using Process Hacker found the malicious code running under ID 428 and using CPU resources while pretending to be notpad.exe.
- Process Monitor and Process Explorer were unable to run because the malicious code affected most of the .exe applications.
- This virus was designed to attack the Windows firewall and to connect to the Internet. ZoneAlarm showed the destination IP 58.40.150.204 and the port used by the virus, 36117.
- The malicious code pretended to be different types of processes and applications:
  - iahnb.exe (C:\iahnb.exe): primary analysis subject
  - Explorer.EXE (C:\WINDOWS\Explorer.EXE): iahnb.exe wrote to the virtual memory of this process
  - ctfmon.exe (C:\WINDOWS\system32\ctfmon.exe): iahnb.exe wrote to the virtual memory of this process
  - msmsgs.exe (C:\Program Files\Messenger\msmsgs.exe): iahnb.exe wrote to the virtual memory of this process
The malicious code did several things to the virtual machine:
- It pretended to be a legitimate application by using the name Notpad.exe.
- It affected different legitimate processes, such as Internet Explorer and others.
- The executable changed some settings of the Windows firewall and tried to connect to the Internet.
- It modified and destroyed .exe files, making them stop working, and also modified files in the Windows system directories.
- The executable registered processes to be executed at system start-up, which could result in unwanted actions being performed automatically.
- It changed the security settings of Internet Explorer; this system alteration could seriously affect security when surfing the World Wide Web.
- It performed registry activities, creating and/or modifying registry entries.
The third scenario was conducted on a virtual machine without any type of protection, and different results were gathered from this experiment:
- The process name was found as veawa.exe with process ID 4076.
- Process analysis made using Process Hacker found the malicious code running under ID 4076 and using CPU resources while pretending to be explorer.exe; another process activated by veawa.exe, called sauozax.exe, had process ID 4084.
- Process Explorer showed huge usage of CPU resources by process ID 4076 and some changes to the registry.
- Process Monitor showed that process ID 40844, called Explorer.EXE, made some changes to the registry and created various unwanted files.
- The malicious code pretended to be different types of processes and executed different unwanted applications:
  - veawa.exe (C:\veawa.exe): primary analysis subject
  - ruoitu.exe (C:\Documents and Settings\Administrator\ruoitu.exe): started by veawa.exe
  - sauozax.exe (C:\Documents and Settings\Administrator\sauozax.exe): started by veawa.exe
The malicious code did several things to the virtual machine:
- It pretended to be a legitimate application by using the name explorer.exe.
- The worm ran different processes, such as sauozax.exe, ruoitu.exe and other unknown processes.
- It modified and created some new files.
- The worm changed the security settings of Internet Explorer, which could affect the safety of surfing with Internet Explorer.
- It performed registry activities, creating and modifying registry entries.
- The worm tried to establish Internet connections using different protocols (TCP/UDP) to infect another network.
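The process impostors that the three scenarios describe (a process named Explorer.EXE running from outside C:\WINDOWS, a lookalike name such as notpad.exe, and unknown executables started from the drive root or the user profile) can be triaged automatically from a process listing. The following Python is an added example, not code from the paper or from Process Hacker: it applies three checks to each process record and additionally flags any process started by an already-flagged parent. The expected install directories are Windows XP assumptions, and the process records are constructed sample data modelled on the paper's observations, not a real capture.

```python
import ntpath

# Where the genuine Windows XP binaries live; an assumption of this added example
# (adjust the table for other Windows versions). Comparisons are case-insensitive.
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"c:\windows"},
    "notepad.exe": {r"c:\windows", r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "msmsgs.exe": {r"c:\program files\messenger"},
}

# Directories under which executables are normally installed; anything else
# (drive root, user profile, temp) deserves a closer look in a sandbox run.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike names such as notpad.exe."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def under_trusted_root(directory):
    """True if `directory` is one of the trusted roots or lies beneath one."""
    return any(directory == root or directory.startswith(root + "\\") for root in TRUSTED_ROOTS)


def classify_process(proc):
    """Return the reasons a single process record looks suspicious ([] if none)."""
    name = proc["name"].lower()
    directory = ntpath.dirname(proc["path"]).lower()
    reasons = []
    if name in EXPECTED_LOCATIONS:
        # A well-known name is only trustworthy from its well-known directory.
        if directory not in EXPECTED_LOCATIONS[name]:
            reasons.append(f"system process name {proc['name']} running from unexpected path {proc['path']}")
    elif any(edit_distance(name, known) == 1 for known in EXPECTED_LOCATIONS):
        reasons.append(f"{proc['name']} is one character away from a system process name")
    elif not under_trusted_root(directory):
        reasons.append(f"image outside the trusted install roots: {proc['path']}")
    return reasons


def triage(processes):
    """Run the checks over a process listing and also flag children of flagged parents."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for proc in processes:
        reasons = classify_process(proc)
        parent = by_pid.get(proc["ppid"])
        if parent is not None and classify_process(parent):
            reasons.append(f"started by suspicious pid {parent['pid']} ({parent['name']})")
        if reasons:
            findings.append({"pid": proc["pid"], "name": proc["name"], "reasons": reasons})
    return findings


# Constructed process listing modelled on the paper's three scenarios; not a real capture.
PROCESSES = [
    {"pid": 1200, "ppid": 1100, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
    {"pid": 900, "ppid": 1200, "name": "ctfmon.exe", "path": r"C:\WINDOWS\system32\ctfmon.exe"},
    {"pid": 1844, "ppid": 1200, "name": "Explorer.EXE", "path": r"C:\Documents and Settings\Administrator\NewFolder.exe"},
    {"pid": 428, "ppid": 1200, "name": "notpad.exe", "path": r"C:\WINDOWS\notpad.exe"},
    {"pid": 4076, "ppid": 1200, "name": "veawa.exe", "path": r"C:\veawa.exe"},
    {"pid": 4084, "ppid": 4076, "name": "sauozax.exe", "path": r"C:\Documents and Settings\Administrator\sauozax.exe"},
]

if __name__ == "__main__":
    for finding in triage(PROCESSES):
        print(f"pid {finding['pid']} ({finding['name']}):")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

The checks are deliberately ordered: a known name in the wrong directory is the strongest signal (the Trojan posing as Explorer.EXE), a one-character lookalike comes next (notpad.exe), and an image outside C:\WINDOWS and C:\Program Files is the weakest, since users also run programs from their profile; the parent link is what ties sauozax.exe back to veawa.exe the way the third scenario's analysis did.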
Conclusions
Malicious code is very difficult to notice, and many new viruses, worms and
Trojans infect millions of computers around the world. In addition, hackers use
different malicious codes to take control of many computers, creating
what is called a botnet: a group of computers infected with
malicious code, each of which is called a "zombie". Hackers take advantage of infected
computers to conduct attacks such as distributed denial of service
(DDoS). Moreover, malicious code is available on the net for free; anyone can
download it and reprogram it for different purposes. Malicious code
has become a big issue around the world and costs companies and individuals a lot of
money. Because of this, many companies started to build anti-virus
programs, and governments and cybercrime agencies started to analyze different
types of malicious code to understand how they work and what their aim is.
Furthermore, malicious code is one of the biggest threats to computers
and users because of the way it is designed: it spreads very fast from an infected
machine to another machine, and some malicious code does not need to be
executed or carried to another machine because it is designed to move by itself. Also, with the
proliferation of the Internet, malware is employed extensively to generate website
traffic, to generate invalid links that forward the unsuspecting to infected web sites,
to launch DDoS attacks and to pilfer credentials and personally identifiable information.
Besides, new techniques used by malicious code, such as zero-day attacks, enable the
code to spread more rapidly. Moreover, malware analysis is an important field for
forensic examiners and analysts, because hackers and cybercriminals use malicious
code to conduct their activities, which raises the need for people who specialize
in malware analysis. Authors of malicious code make huge profits from
distributing and selling their code, and they try to make their code as strong and
undetectable as possible using different techniques, which has made them very
successful in establishing many dangerous malicious codes. Besides, professional
programmers who are very knowledgeable and expert in their craft have a very
good understanding of digital forensic methods, which allows them to design
types of malicious code that cannot be detected by the available analysis and
forensics tools. Also, the knowledge domain required to competently analyze
malware is very broad and requires very specialized knowledge. This
research presents a brief introduction to malicious code analysis using tools
freely available on the Internet, such as Process Explorer, Process Monitor and Winalysis.
Additionally, most of the tools showed the changes made by the malicious code to
the registry, files and folders, services and the system environment. The goal of this
research is to find out how to defend users from malicious attacks and
to understand how the system gets compromised and what the malware exploits.
Depending on the type of malware and its analysis, different interesting results were
generated; one of them showed that by following best practices, such as installing an antivirus
and a firewall and updating the operating system, users can protect themselves from different
types of malicious code.
Future Work
In this paper, the automated classification of malware based on behavioral analysis
has been addressed. Moreover, future malware analysis should be carried out on the
basis of static analysis, that is, looking at the actual code of the malware to gain a
better understanding of how it functions. Further analysis should be extended to
include other types of malware such as spyware, adware and logic bombs. As
well, more tools such as iDEFENSE, IDA Pro and OllyDbg should be taken into
consideration when performing future static malware analysis, to validate
results and obtain better heuristics.
References
Farwell, J. & Rohozinski, R. (2011). Stuxnet and the Future of Cyber War. Survival, 53(1), 23-40.
FoxNews. (2011, Oct 19). Stuxnet Clone 'Duqu': The Hydrogen Bomb of Cyberwarfare? Retrieved from http://www.foxnews.com/scitech/2011/10/19/stuxnet-clone-duqu-hydrogen-bomb-cyberwarfare/
G Data. (2010, Sep 9). Number of new computer viruses at record high. Retrieved from http://www.gdatasoftware.co.uk/about-g-data/press-centre/news/news-details/article/1760-number-of-new-computer-viruses.html
Myers, S. (2007, May 18). Cyberattack on Estonia stirs fear of 'virtual war'. Retrieved from http://www.nytimes.com/2007/05/18/world/europe/18iht-estonia.4.5774234.html
Stark, H. (2011, Aug 8). Stuxnet Virus Opens New Era of Cyber War. Retrieved from http://www.spiegel.de/international/world/0,1518,778912,00.html
Vinod, P. & Gaur, V. (2008). Survey on Malware Detection Methods. Malaviya National Institute of Technology.