Compiling Features for Malicious Software
Muhammad Najmi bin Ahmad Zabidi

SIGINT
Hack In The Box 2011
Kuala Lumpur

12th Oct 2011

Muhammad Najmi   SIGINT-HITB-KUL-2011   1/29
Malware in short

   • is software
   • its maliciousness is defined by the risks it exposes the user to
   • sometimes, when the classification is vague, the term ‘‘Potentially
     Unwanted Program/Application’’ (PUP/PUA) is used

Methods of detection

   • Static analysis
   • Dynamic analysis

This talk focuses on static analysis

Analysis of strings

   • Important, although not foolproof
   • Find interesting calls first
   • Considered static analysis, since the binary is not executed

Methods to find interesting strings

   • Use the strings command (on *NIX systems)
   • Editors
   • Checking the Import Address Table (IAT)

Python

  • a scripting language
  • a robust, powerful programming language

My Python scripts

   • Based on several existing Python scripts: a malware analyzer, the
     ZeroWine sandbox scripts and a PE scanner
   • I merged them and modified some parts so that the tool produces a
     single-page report
   • This tool is needed for my research work (the bigger objective)
   • Analysis of the binary while it is still packed

Things to look at

   • ‘‘Interesting’’ Application Programming Interface (API) calls
   • Virtual Machine (VM) detection tricks
   • Outbound connections, especially Internet Relay Chat (IRC)
     commands: the sample is possibly a member of a botnet

python-pefile module

   • Written by Ero Carrera
   • python-pefile provides quite a number of functions
   • Everything can be dumped with print pe.dump_info()

Regular Expression search using re

  import re provides regexp capability to find strings in the
  binary. The array of calls INTERESTING_CALLS =
  ["CreateMutex"...] lists the calls to be fetched.
  The following loop reports each call once, as it is found in the
  strings extracted from the binary (lines holds those strings, one
  per entry):

  performed = []      # calls already reported, so each is printed once
  for line in lines:
          for calls in INTERESTING_CALLS:
                  if re.search(calls, line):
                          if calls not in performed:
                                  print "[+] Found an Interesting call to: ", calls
                                  performed.append(calls)

Looking at Dynamic Link Libraries (DLLs)

  Some DLLs are interesting to look at because they contain functions
  that may be used for malicious activities. For example, Kernel32.dll
  provides ‘‘low-level operating system functions for memory
  management and resource handling’’.

Some file-handling functions exported by kernel32.dll
  1. CopyFileA
  2. CopyFileExA
  3. CopyFileExW
  4. CopyFileW
  5. CreateFileA
  6. CreateFileW
  7. DeleteFileA
  8. DeleteFileW
  9. MoveFileA
  10. MoveFileExA
  11. MoveFileExW
  12. MoveFileW
  13. MoveFileWithProgressA
  14. MoveFileWithProgressW
  15. OpenFile
  16. ReadFile
  17. ReadFileEx
  18. ReadFileScatter
  19. ReplaceFile
  20. ReplaceFileA
  21. ReplaceFileW
  22. WriteFile
  23. WriteFileEx
  24. WriteFileGather


  Source: [Marhusin et al., 2008]

Using Python PE

 import hashlib
 import time
 import binascii
 import string
 import os, sys
 import commands
 import pefile
 import peutils

 pe = pefile.PE(sys.argv[1])
 print "DLL \t\t API NAME"
 # Walk the import directory: one entry per DLL, each with its imported APIs
 for imp in pe.DIRECTORY_ENTRY_IMPORT:
         print imp.dll
         for api in imp.imports:
                 # api.name is None when the function is imported by ordinal
                 print "\t\t%s" % api.name

najmi@vostro:~/rogue-av$ avgscan BestAntivirus2011.exe
AVG command line Anti-Virus scanner
Copyright (c) 2010 AVG Technologies CZ

Virus database version: 271.1.1/3943
Virus database release date: Fri, 07 Oct 2011 14:34:00 +08:00

BestAntivirus2011.exe    Trojan horse FakeAlert.ACN

Files scanned     : 1(1)
Infections found : 1(1)
PUPs found        : 0
Files healed      : 0
Warnings reported : 0
Errors reported   : 0
najmi@vostro:~/rogue-av$ md5sum BestAntivirus2011.exe
7f0ba3e7f57327563f0ceacbd08f8385 BestAntivirus2011.exe

$ python ../dll-scan.py BestAntivirus2011.exe
DLL                          API NAME
ADVAPI32.dll
USER32.dll
KERNEL32.dll
ole32.dll
OLEAUT32.dll
GDI32.dll
COMCTL32.dll
SHELL32.dll
WININET.dll
WSOCK32.dll
                              None
                              None
                              None
                              None
                              None
                              None
                              None
                              None

Anti Virtual Machine Malware

           "Red Pill":"\x0f\x01\x0d\x00\x00\x00\x00\xc3",
           "VirtualPc trick":"\x0f\x3f\x07\x0b",
           "VMware trick":"VMXh",
           "VMCheck.dll":"\x45\xC7\x00\x01",
           "VMCheck.dll for VirtualPC":"\x0f\x3f\x07\x0b\xc7\x45\xfc\xff\xff\xff\xff",
           "Xen":"XenVMM", # Or XenVMMXenVMM
           "Bochs & QEmu CPUID Trick":"\x44\x4d\x41\x63",
           "Torpig VMM Trick": "\xE8\xED\xFF\xFF\xFF\x25\x00\x00\x00\xFF\x33\xC9\x3D\x00\x00\x00\x80\x0F\x95\xC1\x8B\xC1\xC3",
           "Torpig (UPX) VMM Trick": "\x51\x51\x0F\x01\x27\x00\xC1\xFB\xB5\xD5\x35\x02\xE2\xC3\xD1\x66\x25\x32\xBD\x83\x7F\xB7\x4E\x3D\x06\x80\x0F\x95\xC1\x8B\xC1\xC3"

  Source: ZeroWine source code

Strings detector

Detect anti-VM tricks
 $python comp-detect.py vm-detect-malware/bfe00ca2aa27501cb4fd00655435555d
 DLL                   API NAME
 WS2_32.dll
 KERNEL32.dll
 USER32.dll
 GDI32.dll
 ole32.dll
                    CoCreateInstance

 [+]Detecting Anti   Debugger Tricks...
 ***Detected trick   TWX (TRW detection)
 ***Detected trick   isDebuggerPresent (Generic debugger detection)
 ***Detected trick   TRW (TRW detection)

 [+]Detecting VM tricks..
 ***Detected trick VirtualPc trick
 ***Detected trick VMCheck.dll for VirtualPC

 Analyzing registry...
 Check whether this binary is a bot...
 Analyzing interesting calls..
 [+] Found an Interesting call to: CreateMutex
 [+] Found an Interesting call to: GetEnvironmentStrings
 [+] Found an Interesting call to: LoadLibraryA
 [+] Found an Interesting call to: GetProcAddress
 [+] Found an Interesting call to: IsDebuggerPresent

Detect Bots, Detect Debugger Detector
 Analyzing 013a6dd86261acc7f9907740375ad9da
 DLL              API NAME
 KERNEL32.dll
 USER32.dll
 ADVAPI32.dll
 MSVCRT.dll
 GDI32.dll
 ole32.dll
 SHELL32.dll
                 DuplicateIcon
 Detecting VM existence...

 No trick detected.
 Analyzing registry...
 Check whether this binary is a bot...
 [+] Malware Seems to be IRC BOT: Verified By String : Port
 [+] Malware Seems to be IRC BOT: Verified By String : SERVICE
 [+] Malware Seems to be IRC BOT: Verified By String : Login
 Analyzing interesting calls..
 [+] Found an Interesting call to: LoadLibraryA
 [+] Found an Interesting call to: GetProcAddress
 [+] Found an Interesting call to: IsDebuggerPresent
 [+] Found an Interesting call to: http://

With registry addition

  Analyzing   e665297bf9dbb2b2790e4d898d70c9e9

  Analyzing registry...
  [+] Malware is Adding a Key at Hive: HKEY_LOCAL_MACHINE
  ^G^@Label11^@^A^AÃˇ^Nreg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
                    R
   File Execution OptionsRx.exe" /v debugger /t REG_SZ /d %systemrot%repair1sass.exe /f^M

  ....

  [+] Malware Seems to be IRC BOT: Verified By String    :   ADMIN
  [+] Malware Seems to be IRC BOT: Verified By String    :   LIST
  [+] Malware Seems to be IRC BOT: Verified By String    :   QUIT
  [+] Malware Seems to be IRC BOT: Verified By String    :   VERSION
  Analyzing interesting calls..
  [+] Found an Interesting call to: FindWindow
  [+] Found an Interesting call to: LoadLibraryA
  [+] Found an Interesting call to: CreateProcess
  [+] Found an Interesting call to: GetProcAddress
  [+] Found an Interesting call to: CopyFile
  [+] Found an Interesting call to: shdocvw

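The string checks behind the outputs above, as an added Python 3 example (not the talk's own scripts): the re search loop with its performed list from ‘‘Regular Expression search using re’’, the ZeroWine anti-VM byte signatures, and the IRC-word check that produces the ‘‘Verified By String’’ lines. The sample bytes are constructed; INTERESTING_CALLS and IRC_STRINGS hold only the names visible on the slides, and the three-word IRC threshold is an assumption.

```python
import re

# Anti-VM byte signatures as listed on the slide (taken from the ZeroWine source).
VM_TRICKS = {
    "Red Pill": b"\x0f\x01\x0d\x00\x00\x00\x00\xc3",
    "VirtualPc trick": b"\x0f\x3f\x07\x0b",
    "VMware trick": b"VMXh",
    "VMCheck.dll": b"\x45\xC7\x00\x01",
    "VMCheck.dll for VirtualPC": b"\x0f\x3f\x07\x0b\xc7\x45\xfc\xff\xff\xff\xff",
    "Xen": b"XenVMM",
    "Bochs & QEmu CPUID Trick": b"\x44\x4d\x41\x63",
}

# "Interesting" API names visible in the slide outputs (the talk's full list
# is not on the slides, so this is only that subset).
INTERESTING_CALLS = ["CreateMutex", "GetEnvironmentStrings", "LoadLibraryA",
                     "GetProcAddress", "IsDebuggerPresent", "CreateProcess",
                     "CopyFile", "FindWindow", "http://"]

# IRC words the slide outputs report with "Verified By String".
IRC_STRINGS = ["ADMIN", "LIST", "QUIT", "VERSION", "Port", "SERVICE", "Login"]
IRC_THRESHOLD = 3  # assumption: distinct IRC words needed before calling it a bot

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def printable_strings(data):
    """Rough equivalent of strings(1): runs of four or more printable ASCII bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def find_vm_tricks(data):
    """Anti-VM signatures present in the raw bytes. The VirtualPc signature is a
    prefix of the VMCheck.dll-for-VirtualPC one, so both fire on the same bytes,
    which is exactly what the 'Detect anti-VM tricks' output shows."""
    return [name for name, sig in VM_TRICKS.items() if sig in data]

def find_interesting_calls(lines, patterns=INTERESTING_CALLS):
    """The slide's loop: regex search over each extracted string, each call
    reported once via the 'performed' list."""
    performed = []
    for line in lines:
        for call in patterns:
            if re.search(re.escape(call), line) and call not in performed:
                performed.append(call)
    return performed

def irc_bot_evidence(lines, words=IRC_STRINGS):
    """IRC words that occur as whole tokens in the extracted strings."""
    return [w for w in words
            if any(re.search(r"\b%s\b" % re.escape(w), line) for line in lines)]

def analyse(data):
    """Run all three string checks over one file image and return the findings."""
    lines = printable_strings(data)
    irc_hits = irc_bot_evidence(lines)
    return {"vm_tricks": find_vm_tricks(data),
            "calls": find_interesting_calls(lines),
            "irc_hits": irc_hits,
            "irc_bot": len(irc_hits) >= IRC_THRESHOLD}

# Constructed sample image: a fake header, NUL-separated import names, the
# VMCheck.dll-for-VirtualPC byte sequence, and a few IRC command words.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"KERNEL32.dll\x00CreateMutexA\x00LoadLibraryA\x00"
          + b"GetProcAddress\x00IsDebuggerPresent\x00"
          + b"\x0f\x3f\x07\x0b\xc7\x45\xfc\xff\xff\xff\xff" + b"\x90" * 8
          + b"PRIVMSG\x00QUIT\x00VERSION\x00ADMIN\x00")

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

Because the check is purely string based, a sample that builds its API names at runtime or stores them encoded will show nothing here, which is the ‘‘not foolproof’’ caveat from earlier in the talk.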
Checking entropy

   • Looking at the randomness of bytes in the binary
   • Entropy here refers to Shannon’s entropy [Lyda and Hamrock, 2007]
   • If a section’s score X satisfies 0 < X < 1 or X > 7, it is flagged as
     suspicious (high values are typical of packed or encrypted data)
   • The python-pefile module provides a get_entropy() method on sections
     for this

PE sections to look for


  TEXT
  DATA
  .idata
  .rdata
  .reloc
  .rsrc
  .tls

Binary file structure

         Figure: Structure of a file [Pietrek, 1994]

  print "\n[+]Now check for binary entropy.."
  for sec in pe.sections:
          # Section names are NUL-padded; keep only the printable characters
          name = ''.join([c for c in sec.Name if c in string.printable])
          entropy = sec.get_entropy()
          s = "%-10s %-12s" % (name, entropy)
          # Flag empty sections, entropy strictly between 0 and 1, or above 7
          if sec.SizeOfRawData == 0 or (entropy > 0 and entropy < 1) or entropy > 7:
                  s += "[SUSPICIOUS]"
          print "", s

Checking entropy. . .



  [+]Now check for binary entropy..
  %s .text      6.84045277182
  %s rdata      0.0         [SUSPICIOUS]
  %s .data      7.99566735324[SUSPICIOUS]
  %s .ice       6.26849761461

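The entropy rule from the two preceding slides, carried out without pefile so it runs on any byte string, as an added example (not the talk's code): a Shannon entropy function equivalent to pefile's get_entropy(), the same suspicious test including the SizeOfRawData == 0 case, and constructed section contents that exercise each branch, including a constant-filled section the rule does not catch.

```python
import math

# Thresholds from the slide: entropy strictly between 0 and 1, or above 7,
# marks a section as suspicious.
LOW, HIGH = 1.0, 7.0

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for
    uniformly distributed bytes. Same formula pefile's get_entropy() uses."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def is_suspicious(entropy, size_of_raw_data):
    """The rule from the print loop, including SizeOfRawData == 0, which is
    why an empty section with entropy 0.0 is still flagged in the output."""
    return size_of_raw_data == 0 or 0 < entropy < LOW or entropy > HIGH

def classify_sections(sections):
    """sections: list of (name, raw_bytes) pairs, as one would build from
    pe.sections. Returns (name, entropy, flagged) rows."""
    rows = []
    for name, raw in sections:
        h = shannon_entropy(raw)
        rows.append((name, h, is_suspicious(h, len(raw))))
    return rows

def format_rows(rows):
    """Same layout as the print loop on the slide."""
    out = []
    for name, h, flagged in rows:
        out.append("%-10s %-12.5f%s" % (name, h, " [SUSPICIOUS]" if flagged else ""))
    return "\n".join(out)

# Constructed section contents standing in for real PE section data.
SAMPLE_SECTIONS = [
    (".text", b"The quick brown fox jumps over the lazy dog. " * 20),  # mixed bytes
    (".rdata", b""),                          # SizeOfRawData == 0: flagged
    (".data", bytes(range(256)) * 4),         # every byte equally often: 8.0, flagged
    (".pad", b"\x00" * 1000 + b"\x01" * 10),  # almost constant: 0 < H < 1, flagged
    (".zero", b"\x00" * 100),                 # constant: H == 0, NOT caught by the rule
]

if __name__ == "__main__":
    print("[+]Now check for binary entropy..")
    print(format_rows(classify_sections(SAMPLE_SECTIONS)))
```

The .zero row shows the blind spot of the X > 0 condition: a non-empty section filled with one byte value has entropy exactly 0 and passes, so a zero-filled section reserved for unpacked code is not flagged by this rule alone.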
najmi.zabidi@gmail.com

Special thanks

  Thanks to Joxean, Beenu Arora

Bibliography

   Lyda, R. and Hamrock, J. (2007).
   Using entropy analysis to find encrypted and packed malware.
   IEEE Security & Privacy, 5(2):40--45.

   Marhusin, M. F., Larkin, H., Lokan, C., and Cornforth, D. (2008).
   An evaluation of API calls hooking performance.
   In Proc. Int. Conf. Computational Intelligence and Security (CIS ’08), volume 1, pages 315--319.

   Pietrek, M. (1994).
   Peering inside the PE: A tour of the Win32 Portable Executable file format.
   http://msdn.microsoft.com/en-us/library/ms809762.aspx.
