Beginning of the malware analysis adventure. Setting up safe virtual machine! Part 2 (tools)
Hi all!
After dealing with creating a safe environment to analyze malware it's time to introduce tools that are useful for me. I think that most of them are recommended by authors in the book "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software". This lecture is the foundation of my learning way to become good at malware analysis. Firstly, I can show you most of them on the desktop of my main machine:
Some tools are good for static analysis of malware and the others are for dynamic analysis. Static analysis is simply exploring a malicious program without running it so it can be done even on the host machine but there is no reason to do it. In dynamic analysis, malware has to run in order to catch important information about our "enemy".
Static analysis is fast and can give us information about strings within the malware, imported functions, and loaded DLLs. Obviously, we are able to collect such information only if an exemplary malicious program isn't obfuscated or packed. Obfuscation exists to make malware researchers work harder. Why? Because reverse engineering malware is the part of static analysis and obfuscation is the encryption process of the malware's binary. It means that the researcher isn't able to read assembly or C-like code of binary therefore the whole malware analysis is harder. Of course code of the binary is only the part of it. Obfuscation is the encryption process of more than only the .text section of executable. For example, it affects also .idata section where the Import Table resides when we take PE into account. Thus it's only a digression because obfuscation is the topic which I'm going to learn more in future :)
Dynamic analysis has to be done in a safe environment since it's an art of running the suspected executable and examining it "on the fly". For this, we can get information about executed functions, results of these functions, created new processes that can be dangerous too, domains which malware connects to, changes in the registry, and so on. The dynamic analysis also gives us a chance to examine malicious executable memory by running the code step by step using a debugger. It's a great way to know what malware is really doing and create useful signatures.
Description of the first, basic toolset:
Static analysis:
PEView - this program gives information about headers and their contents within the PE executable. From headers and more precisely from the PE structure we can learn a lot about malware. For instance, we can investigate strings within the process or imported functions from DLLs.
pestudio - it's similar to PEView but the interface is more friendly in my opinion. In the case of this tool, you don't have to get deep into the structure of PE file because everything you need is described clearly. In addition, there are indicators to help in the decision if an analyzed file is malware indeed. Moreover, pestudio gives you virustotal section which automatically throws a file into https://www.virustotal.com
Resource Hacker - as the name suggests it's the tool that looks into the resource section of PE file. This section is used by malware writers to hide the module of the whole structure of the malicious programs to make analysis harder.
exeinfope - among others it gives information if the analyzed file is obfuscated. If the exemplary program is indeed obfuscated exeinfope can decide what crypter was used. This tool also states what subsystem is used in the case of the analyzed file - it can be a console or GUI subsystem.
strings - sometimes I prefer to use a simple console program from UNIX called strings to get guess what... strings from a file. But in most cases, pestudio or PEView tools are enough for such work.
Dynamic analysis:
Host machine:
apateDNS - this is such a great tool that takes over the role of the DNS server. It should be running on the host machine while analyzing suspected programs because we must have control over DNS. Each time when the suspected program will try to connect to a malicious domain we will redirect its request to the IP of our fake HTTP server running on the Linux machine simply by using apateDNS tool. Furthermore, apateDNS has the list of all requested domains from the start of this tool to the end. Obviously, a list of domains requested by the suspected programs is very useful information while doing analysis.
procexp - Windows Sysinternals tool which displays the list of currently running processes on Windows. It's useful when we're trying to investigate if the examined program is creating new processes. The tool also provides string finding function in the disk image of the process and in the memory of the same process. This feature is useful when we want to check if the malicious part of the analyzed program is created directly in the memory only after running it. Verify option of the procexp is also very interesting. Using this we can check if the executable is from Microsoft. If this feature verifies the executable we can be sure that this binary is indeed from Microsoft because each of their official binary is digitally signed. Unfortunately Verify function is useless when malware writer decided to use process replacement because it verifies only the images of binaries on the disk and not data in process memory.
procmon - as the name suggest this tool is very useful when we want to monitor processes "on the fly". It allows you to check called functions and their results. procmon provides a way to monitor registry activity, file system, network, process, and thread activity - everything based on called functions.
Regshot - if you want to take a snapshot of the registry here is the tool to do it. Windows registry is a playground for malware writers since the Windows registry is a very big system configuration database. So before running a suspected program it's worth taking a first snapshot of the clear registry and then after calling the program we want to analyze we should take a second snapshot. Then after comparing these two Regshot makes the text file with all changes in the Windows registry done by the suspected program.
Wireshark - it's a very popular and extended program to capture the traffic from a network card. It's an integral part of the whole malware analysis process since it gives us a clear picture of malware's network activity.
netcat - the “TCP/IP Swiss Army knife”, it acts as a listener for outbound connections as well as the server listening for inbound connections. Netcat uses standard input for transmission over the network.
Fake server machine:
INetSim - this tool is created primarily for the malware analysis process to provide network services such as HTTP, HTTPS, FTP, DNS, and others. We can configure INetSim as we want and it has a lot configure options indeed. For example, you can set item or a page returned after the request. When the analyzed malware has to visit the exemplary website for doing further work we can tell INetSim to return this exact website after any request made to HTTP server. This tool is the core of my fake network and I'm happy about it for the time being.
Description of setting fake and isolated network is in Part 1 of this blog post - https://shizz3r.blogspot.com/2020/06/beginning-of-malware-analysis-adventure.html
As I mentioned above most of these tools are described and recommended in the book "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software". This is the beginning of my learning path so I'm sure that the list of tools will increase in the future.
For now on I can start doing exercises from the book and obviously I will describe my solutions in the next articles. After the end of the book, I'm going to analyze real malware. I hope that it will be so much fun. :)
Thank you for reading.
Cheers!
After dealing with creating a safe environment to analyze malware it's time to introduce tools that are useful for me. I think that most of them are recommended by authors in the book "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software". This lecture is the foundation of my learning way to become good at malware analysis. Firstly, I can show you most of them on the desktop of my main machine:
Some tools are good for static analysis of malware and the others are for dynamic analysis. Static analysis is simply exploring a malicious program without running it so it can be done even on the host machine but there is no reason to do it. In dynamic analysis, malware has to run in order to catch important information about our "enemy".
Static analysis is fast and can give us information about strings within the malware, imported functions, and loaded DLLs. Obviously, we are able to collect such information only if an exemplary malicious program isn't obfuscated or packed. Obfuscation exists to make malware researchers work harder. Why? Because reverse engineering malware is the part of static analysis and obfuscation is the encryption process of the malware's binary. It means that the researcher isn't able to read assembly or C-like code of binary therefore the whole malware analysis is harder. Of course code of the binary is only the part of it. Obfuscation is the encryption process of more than only the .text section of executable. For example, it affects also .idata section where the Import Table resides when we take PE into account. Thus it's only a digression because obfuscation is the topic which I'm going to learn more in future :)
Dynamic analysis has to be done in a safe environment since it's an art of running the suspected executable and examining it "on the fly". For this, we can get information about executed functions, results of these functions, created new processes that can be dangerous too, domains which malware connects to, changes in the registry, and so on. The dynamic analysis also gives us a chance to examine malicious executable memory by running the code step by step using a debugger. It's a great way to know what malware is really doing and create useful signatures.
Description of the first, basic toolset:
Static analysis:
PEView - this program gives information about headers and their contents within the PE executable. From headers and more precisely from the PE structure we can learn a lot about malware. For instance, we can investigate strings within the process or imported functions from DLLs.
pestudio - it's similar to PEView but the interface is more friendly in my opinion. In the case of this tool, you don't have to get deep into the structure of PE file because everything you need is described clearly. In addition, there are indicators to help in the decision if an analyzed file is malware indeed. Moreover, pestudio gives you virustotal section which automatically throws a file into https://www.virustotal.com
Resource Hacker - as the name suggests it's the tool that looks into the resource section of PE file. This section is used by malware writers to hide the module of the whole structure of the malicious programs to make analysis harder.
exeinfope - among others it gives information if the analyzed file is obfuscated. If the exemplary program is indeed obfuscated exeinfope can decide what crypter was used. This tool also states what subsystem is used in the case of the analyzed file - it can be a console or GUI subsystem.
strings - sometimes I prefer to use a simple console program from UNIX called strings to get guess what... strings from a file. But in most cases, pestudio or PEView tools are enough for such work.
Dynamic analysis:
Host machine:
apateDNS - this is such a great tool that takes over the role of the DNS server. It should be running on the host machine while analyzing suspected programs because we must have control over DNS. Each time when the suspected program will try to connect to a malicious domain we will redirect its request to the IP of our fake HTTP server running on the Linux machine simply by using apateDNS tool. Furthermore, apateDNS has the list of all requested domains from the start of this tool to the end. Obviously, a list of domains requested by the suspected programs is very useful information while doing analysis.
procexp - Windows Sysinternals tool which displays the list of currently running processes on Windows. It's useful when we're trying to investigate if the examined program is creating new processes. The tool also provides string finding function in the disk image of the process and in the memory of the same process. This feature is useful when we want to check if the malicious part of the analyzed program is created directly in the memory only after running it. Verify option of the procexp is also very interesting. Using this we can check if the executable is from Microsoft. If this feature verifies the executable we can be sure that this binary is indeed from Microsoft because each of their official binary is digitally signed. Unfortunately Verify function is useless when malware writer decided to use process replacement because it verifies only the images of binaries on the disk and not data in process memory.
procmon - as the name suggest this tool is very useful when we want to monitor processes "on the fly". It allows you to check called functions and their results. procmon provides a way to monitor registry activity, file system, network, process, and thread activity - everything based on called functions.
Regshot - if you want to take a snapshot of the registry here is the tool to do it. Windows registry is a playground for malware writers since the Windows registry is a very big system configuration database. So before running a suspected program it's worth taking a first snapshot of the clear registry and then after calling the program we want to analyze we should take a second snapshot. Then after comparing these two Regshot makes the text file with all changes in the Windows registry done by the suspected program.
Wireshark - it's a very popular and extended program to capture the traffic from a network card. It's an integral part of the whole malware analysis process since it gives us a clear picture of malware's network activity.
netcat - the “TCP/IP Swiss Army knife”, it acts as a listener for outbound connections as well as the server listening for inbound connections. Netcat uses standard input for transmission over the network.
Fake server machine:
INetSim - this tool is created primarily for the malware analysis process to provide network services such as HTTP, HTTPS, FTP, DNS, and others. We can configure INetSim as we want and it has a lot configure options indeed. For example, you can set item or a page returned after the request. When the analyzed malware has to visit the exemplary website for doing further work we can tell INetSim to return this exact website after any request made to HTTP server. This tool is the core of my fake network and I'm happy about it for the time being.
Description of setting fake and isolated network is in Part 1 of this blog post - https://shizz3r.blogspot.com/2020/06/beginning-of-malware-analysis-adventure.html
As I mentioned above most of these tools are described and recommended in the book "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software". This is the beginning of my learning path so I'm sure that the list of tools will increase in the future.
For now on I can start doing exercises from the book and obviously I will describe my solutions in the next articles. After the end of the book, I'm going to analyze real malware. I hope that it will be so much fun. :)
Thank you for reading.
Cheers!
Comments
Post a Comment