Build Your own Malware sample behavior analysis environment

Source: Internet
Author: User
The article was also published at: http://netsecurity.51cto.com/art/200707/52055.htm

The rapid growth of the Internet has brought great convenience to users' daily lives, but it has also provided fertile ground for malicious software to spread. The media regularly report serious losses caused by the outbreak of one malware family or another. Malware has long been a focus of the information security industry, and every security and anti-virus vendor has a packaged solution. The malware authors, however, always stay a step ahead of the vendors, with variants appearing faster and faster, so relying on anti-virus software alone no longer guarantees that a user is free of malware.

This article presents a reference method for analyzing malware and suspicious files on the Windows platform: by observing what a target sample does after it is executed, its nature, behavior and impact can be judged.

Malware definition: Malware (short for malicious software) is software that is installed without the user's permission and can affect or harm the user and the operation of the system. It includes viruses, worms, Trojan horses, backdoors and rootkits, password-stealing programs (PSW trojans), and any other software that exhibits the characteristics listed above.

Analysis Principles and processes

Keyword definition:

1) Malware sample: a file, extracted from any medium, that is suspected of being malicious: an executable, an archive that may contain malware, an Office document, and so on.

2) Software behavior: the operations performed on files or on the system when the document or executable is opened, either directly by the user or through another program.

Principle of Sample Analysis:

In a controlled Windows test environment, dedicated monitoring tools record the actions performed after the target sample is opened. The recorded results are analyzed and compared with known malware behavior, the nature and impact of the sample are judged, and finally a clean-up procedure for systems affected by the sample is produced.

Sample Analysis Process:

1) Test environment setup

2) Preparation and installation of the analysis tools

3) Monitoring the target sample's operation on the test system and collecting the data

4) Processing and documenting the results

Environment Preparation and construction

1. System environment:

The test platform can be built on either a virtual machine or a physical machine; the two differ only slightly. With a virtual machine you first install the virtualization software, for example VMware (http://www.vmware.com) or Virtual PC (http://www.microsoft.com/windows/virtualpc/), and then install Windows inside a virtual machine you have created. On a physical machine you install Windows directly. Once Windows is installed, use Windows Update to bring the test system to the latest patch level. Whichever platform you use, keep the test system on a network segment isolated from the production network (for a virtual machine, a host-only network is the simplest choice), so that a sample that spreads or connects out cannot reach other machines while it runs.

The test environment used in this article is Windows XP Professional SP2 (English) on VMware Workstation, patched to the latest level available at the end of November 2006.

2. Analysis software:

1) System monitoring software

a) InstallRite:

InstallRite is a software-installation monitoring and replication tool: it records the changes made to system files and the registry while a program is installed. Here it is used to compare the state of the system before and after the target sample executes. InstallRite can be downloaded from its official website: http://www.epsilonsquared.com/installrite.htm
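The before/after comparison InstallRite performs can be expressed as plain data, which makes the review step scriptable and repeatable. The following Python is an added example, not code from the original article or from InstallRite; the two snapshots are constructed by hand to mirror the article's sample (a dropper that copies itself under the MSInfo directory, registers a service and deletes itself), and the desktop path of the sample, the service values and the file contents behind the SHA-256 fingerprints are assumptions. It goes one step beyond the tool's report by matching the hash of each deleted file against the new files, which exposes the copy-then-self-delete pattern directly.

```python
"""Before/after system-state comparison, the technique InstallRite applies.

Added example, not code from the original article or from InstallRite.  The two
snapshots are constructed by hand to mirror the article's sample; on a live
system they would be built by hashing every file, exporting the registry and
listing installed services, once before and once after the sample runs.
"""
import hashlib
from dataclasses import dataclass, field

MSINFO = r"C:\Program Files\Common Files\Microsoft Shared\MSInfo"
SAMPLE = r"C:\Documents and Settings\analyst\Desktop\WR.wmv.exe"   # assumed location
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"


@dataclass
class Snapshot:
    files: dict                         # path -> SHA-256 of the file content
    registry: dict                      # "HIVE\key\value" -> data
    services: set = field(default_factory=set)


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def _changed(before: dict, after: dict) -> dict:
    """New, deleted and modified keys between two name -> value maps."""
    common = before.keys() & after.keys()
    return {
        "new": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """The content of InstallRite's 'Review installation' view, as plain data."""
    files = _changed(before.files, after.files)
    # A deleted file whose hash reappears under a new name was copied before
    # the original was removed: the copy-then-self-delete pattern of droppers.
    deleted_hashes = {before.files[p]: p for p in files["deleted"]}
    files["copied_to"] = sorted(
        (deleted_hashes[after.files[p]], p)
        for p in files["new"] if after.files[p] in deleted_hashes
    )
    return {
        "files": files,
        "registry": _changed(before.registry, after.registry),
        "services": {"new": sorted(after.services - before.services),
                     "deleted": sorted(before.services - after.services)},
    }


def baseline_files() -> dict:
    """Files on the clean test system (constructed, not a real listing)."""
    return {
        r"C:\WINDOWS\explorer.exe": fingerprint(b"explorer"),
        r"C:\WINDOWS\system32\svchost.exe": fingerprint(b"genuine svchost"),
        r"C:\Program Files\Internet Explorer\iexplore.exe": fingerprint(b"iexplore"),
    }


def constructed_before() -> Snapshot:
    files = baseline_files()
    files[SAMPLE] = fingerprint(b"MZ WR.wmv.exe")
    return Snapshot(files, {SERVICES + r"\Eventlog\Start": 2}, {"Eventlog"})


def constructed_after() -> Snapshot:
    files = baseline_files()                          # SAMPLE is absent: it deleted itself
    files[MSINFO + r"\Svchost.exe"] = fingerprint(b"MZ WR.wmv.exe")   # same bytes as SAMPLE
    files[MSINFO + r"\Paramstr.txt"] = fingerprint(b"param")
    registry = {
        SERVICES + r"\Eventlog\Start": 2,
        SERVICES + r"\Svchost\ImagePath": MSINFO + r"\Svchost.exe",
        SERVICES + r"\Svchost\Start": 2,              # 2 = SERVICE_AUTO_START
    }
    return Snapshot(files, registry, {"Eventlog", "Svchost"})


def sample_report() -> dict:
    return diff_snapshots(constructed_before(), constructed_after())


if __name__ == "__main__":
    for section, changes in sample_report().items():
        for kind, items in changes.items():
            for item in items:
                print(f"{section:9} {kind:10} {item}")
```

Run it to print the change list. On a real system the three dictionaries would be filled by walking the drive and hashing each file, exporting the hives, and listing the installed services, and the same diff applied; the hash match is what turns "one file deleted, one file new" into "the sample copied itself to the MSInfo directory and removed the original".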

b) Process Explorer:

Process Explorer shows the processes currently running on the system, process creation and termination, and detailed information about any selected process (its loaded DLLs, open handles and threads). It is used to analyze what the target sample does with processes. Process Explorer can be downloaded from its official website: http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

c) Process Monitor:

Process Monitor combines the file-system and registry monitoring of the earlier Filemon and Regmon tools with process and thread event monitoring, so it is not simply a newer Process Explorer; its process view is less convenient than Process Explorer's, which is why the two are used together. It is used to watch, in real time, the file and registry operations performed while the target sample executes. Process Monitor can be downloaded from its official website: http://www.microsoft.com/technet/sysinternals/processesandthreads/Processmonitor.mspx

d) TCPView:

TCPView lists the system's TCP and UDP endpoints together with the process that owns each one, and is used to analyze the network activity of the target sample while it runs. TCPView can be downloaded from its official website: http://www.microsoft.com/technet/sysinternals/utilities/tcpview.mspx

2) Sniffers

a) Ethereal:

Ethereal (since renamed Wireshark) is a powerful open-source network protocol analyzer, used to capture and examine the actual content of the target sample's network traffic. Ethereal can be downloaded from its official website:

http://www.ethereal.com/download.html

b) EffeTech HTTP Sniffer:

EffeTech HTTP Sniffer is a sniffer specialized in capturing and analyzing HTTP traffic. It is useful for downloader-type samples that use HTTP and for samples that tunnel their communication inside HTTP. EffeTech HTTP Sniffer can be downloaded from its official website:

http://www.effetech.com/download/

3) System analysis tools

a) RootkitRevealer:

RootkitRevealer is a rootkit detection tool, used to detect rootkit-class samples and samples that use rootkit techniques to hide themselves. RootkitRevealer can be downloaded from its official website:

http://www.microsoft.com/technet/sysinternals/utilities/rootkitrevealer.mspx

b) Gmer:

Gmer is a rootkit detection tool from Poland with somewhat more functionality than RootkitRevealer and faster scans; it is likewise used to detect rootkit-class samples and samples that hide themselves with rootkit techniques. Gmer can be downloaded from its official website:

http://www.gmer.net/files.php

c) Autoruns:

Autoruns is a startup-item management tool: it enumerates the common autostart locations (Run keys, services, drivers, scheduled tasks, browser add-ons and so on), lets you disable or delete entries, and can jump straight to the corresponding registry key. It is used to find how the target sample makes itself start. Autoruns can be downloaded from its official website:

http://www.microsoft.com/technet/sysinternals/utilities/autoruns.mspx

d) WinHex:

WinHex is a general-purpose hex editor, used to view the contents of the target sample and search it for strings. WinHex can be downloaded from its official website:

http://www.x-ways.net/winhex/

e) FinalRecovery:

FinalRecovery is a fast undelete tool, used to recover files deleted during the sample's execution, such as a dropper that deletes its own original file. FinalRecovery can be downloaded from its official website:

http://www.finalrecovery.com/download.htm

3. Document preparation:

After the system environment and the analysis software have been installed and tested, design the documents in which each target sample will be recorded. An example using tables follows.

Sample Analysis Record Table (1)

Sample name        Date        Size (bytes)   Sample number   Source
Sample1.bak        2006-1-25   72052          060125a2        Customer
VirusSample.dat    2006-1-25   21084          060125a3        Support
VirusSample2.dat   2006-1-25   14205          060125a4        Support
Trojansample.bak   2006-1-25   104272         060125a5        Customer


Sample Analysis Result Registration Form, sample number: 060125a5

Item                 Attribute   Detailed description                                              Notes
Self-deletion        Yes
Startup method       Run key     HKLM\Software\Microsoft\Windows\CurrentVersion\Run\trojanrun      Trojan.exe
Dropped files        Yes         %SystemRoot%\trojan.exe                                           copies itself to %SystemRoot%
Process injection    Yes         injected into iexplore.exe
Network connection   TCP         connects to 212.24.55.188:80                                      nobody.noip.cn (DNS)
Other properties                 neither the network connection nor the file is hidden; the connection is not encrypted

Sample Analysis Example

The sample is an executable disguised as a WMV media file, as shown in the figure: it carries the icon of a WMV file and, because Windows hides the extensions of known file types by default, the user sees only WR.wmv while the real file name is WR.wmv.exe.

Analysis process:

1) Take a snapshot of the test environment so that it can be restored to a clean state afterwards; on a physical machine, a Ghost image serves the same purpose.

2) Start InstallRite and then Process Monitor. First configure Process Monitor's filter: exclude processes unrelated to the sample, such as csrss.exe and InstallRite.exe, from the registry and file views, keeping only explorer.exe, services.exe, svchost.exe and other processes the sample might use.

Then take the InstallRite snapshot of the system state. Note: Process Monitor's capture can be paused while InstallRite takes the snapshot.

3) Run the target sample.

4) Process Monitor shows that, as the sample runs, iexplore.exe and svchost.exe are started. Use InstallRite to compare the system state before and after the sample executed: in the InstallRite interface, choose Review Installation to view the comparison. (The original article shows screenshots of the three result lists: new files, new registry keys and deleted files.)

The sample creates two new files under C:\Program Files\Common Files\Microsoft Shared\MSInfo, Paramstr.txt and Svchost.exe, and adds a service named Svchost. After both operations complete, the sample deletes itself.
5) Use Gmer and Process Explorer to check the changes to the system:

The results from Process Explorer and Gmer show that the sample has started a hidden iexplore.exe process.

6) Use TCPView to view network connections.

The iexplore.exe process started by the sample is connected to port 80 (HTTP) of 186.119.232.72.reverse.layeredtech.com.

7) Capture the connection's data with Ethereal.

A five-minute Ethereal capture shows the sample resolving www.ifrstats.com through the DNS server and then sending that address a TCP packet every 30 seconds; the packet's payload length is 0 and its exact meaning is unknown. A fixed-interval connection of this kind is typically a check-in with a control server, but the capture alone does not reveal what is exchanged.

8) Analysis and documentation

Combining the results from the tools above, we can characterize the sample: it is a Trojan that installs itself as a service in order to start with the system, uses process injection (into iexplore.exe) to get past the firewall's per-application connection control, and has simple rootkit functionality (it hides the iexplore.exe process it starts).

After the analysis results have been collated, the record looks like this:

Sample Analysis Result Record Table, sample number: TR061125A2

Item                 Attribute   Detailed description                                                      Notes
Self-deletion        Yes
Process injection    Yes         injected into C:\Program Files\Internet Explorer\iexplore.exe             iexplore.exe is a hidden process; check with Gmer
Installation path                C:\Program Files\Common Files\Microsoft Shared\MSInfo\                     Svchost.exe, Paramstr.txt
Registry                         HKLM\SYSTEM\CurrentControlSet\Services\Svchost                            new key
Startup method       Service     the system gains a service named Svchost
Network connection   TCP         186.119.232.72.reverse.layeredtech.com (72.232.119.186); www.ifrstats.com (DNS)   content of the connection unknown

Using the registration form, infected computers can be cleaned up in a targeted way; beyond that, a removal tool can be written, or the findings handed to an emergency response organization, but that is outside the scope of this article.
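The observation in step 7, the same destination receiving a zero-payload TCP packet every 30 seconds, is the kind of regularity worth checking for automatically in any capture, because it is how a sample's check-in traffic stands out from normal chatter. The Python below is an added example, not from the original article or from Ethereal; the packet list is constructed to mirror the article's five-minute capture (a DNS answer for www.ifrstats.com, then the periodic packets to 72.232.119.186:80, plus some unrelated name-service broadcasts), and the sandbox address 192.168.100.10, the gateway as DNS server and the timing jitter are assumptions. It groups outbound packets by destination, measures the interval between them, and reports flows whose interval is regular, labelling the destination with the host name seen in the DNS answer.

```python
"""Periodic-connection (beacon) check over a packet-capture summary.

Added example, not from the original article or from Ethereal/Wireshark.
The capture is constructed by hand; a real one would be exported from the
capture tool (Wireshark's tshark -T fields does this).  Times are seconds
from the start of the capture; SANDBOX_IP is an assumed address.
"""
from collections import defaultdict
from statistics import mean, pstdev

SANDBOX_IP = "192.168.100.10"          # assumed address of the analysis VM
C2_IP = "72.232.119.186"               # address the article's sample resolved


def constructed_capture():
    """(time, src, dst, proto, dport, payload_len, info) per packet, constructed."""
    pkts = [
        (0.00, SANDBOX_IP, "192.168.100.1", "udp", 53, 33, "DNS A? www.ifrstats.com"),
        (0.05, "192.168.100.1", SANDBOX_IP, "udp", 53, 49, "DNS A www.ifrstats.com -> " + C2_IP),
    ]
    # the sample's traffic: an empty TCP packet to port 80 every 30 s, with a
    # little jitter, for the five minutes of the capture
    for i in range(10):
        jitter = 0.3 if i % 2 else 0.0
        pkts.append((0.20 + 30 * i + jitter, SANDBOX_IP, C2_IP, "tcp", 80, 0, "[SYN]"))
    # unrelated chatter from the VM at irregular times (NetBIOS name service)
    for t in (7.0, 11.5, 40.0, 100.0):
        pkts.append((t, SANDBOX_IP, "192.168.100.255", "udp", 137, 50, "NBNS query"))
    return sorted(pkts)


def dns_answers(packets):
    """Map answered IP -> queried name, taken from the DNS reply summaries."""
    names = {}
    for *_, info in packets:
        if info.startswith("DNS A ") and " -> " in info:
            name, ip = info[len("DNS A "):].split(" -> ")
            names[ip] = name
    return names


def find_beacons(packets, local_ip, min_count=5, max_jitter_ratio=0.1):
    """Outbound flows whose inter-packet interval is regular.

    A flow is (dst, proto, dport).  It is reported when it has at least
    min_count packets and the standard deviation of the gaps between them
    is below max_jitter_ratio of the mean gap.
    """
    flows = defaultdict(list)
    for t, src, dst, proto, dport, plen, _info in packets:
        if src == local_ip:
            flows[(dst, proto, dport)].append((t, plen))
    names = dns_answers(packets)
    beacons = []
    for (dst, proto, dport), events in flows.items():
        if len(events) < min_count:
            continue
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0 or pstdev(gaps) / period > max_jitter_ratio:
            continue
        beacons.append({
            "dst": dst, "name": names.get(dst), "proto": proto, "dport": dport,
            "count": len(events), "period_s": round(period, 1),
            "avg_payload": mean(p for _, p in events),
        })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(constructed_capture(), SANDBOX_IP):
        print(f"{b['dst']} ({b['name']}) {b['proto']}/{b['dport']}: "
              f"{b['count']} packets every {b['period_s']} s, "
              f"avg payload {b['avg_payload']} bytes")
```

The jitter threshold is deliberately loose: real check-in timers drift with scheduler load, so a strict equality test would miss them, while the four irregular broadcasts are dropped by the minimum packet count before their timing is even examined. Pair the reported destination with the owning process from TCPView and the registration form's network row is filled in.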
