Virus Trojan scan: Summary

Source: Internet
Author: User
Tags: crc32, printable characters

I. Preface

The following are the knowledge points I have summarized while analyzing the articles in this series, divided into two aspects: static analysis and dynamic analysis. I have added some extended knowledge to fill in the gaps.


II. Static Analysis of Viruses

Static analysis is usually the first step in studying malicious code. It refers to analyzing a program's instructions and structure to determine what the target program does, while the virus itself is not running. We generally use the following methods for static analysis:
1. Scan the file with anti-virus engines

If you are not sure whether the target program is malicious, scan it with several anti-virus products and check whether any engine recognizes it. For example, part of the detection result for the virus sample on www.virscan.org is as follows:

Figure 1 Online detection results for Panda Burning Incense (partial)
As the results show, 88% of the anti-virus engines on this website consider the sample to be a problem. Any single anti-virus product may produce a false positive, but if multiple products flag the target program, then the program is malicious.
2. Hash calculation

Hash calculation is a common method for uniquely identifying the target program. A hash program computes a unique hash value from the target program, and that value is used to identify the sample; we can think of it as the program's fingerprint. Common hash algorithms include MD5, SHA-1, and CRC32. If only one algorithm is used, especially MD5, two different programs may produce the same hash result (a collision). Therefore, to be cautious, several hash algorithms are generally computed together. For example, the detection result of "Fire Eye" (https://fireeye.ijinshan.com/) includes the computed hash values:



Figure 2 Basic information about Panda Burning Incense
Hash values make it possible to respond quickly to a large-scale virus outbreak, and they have become one way to detect viruses. I used the CRC32 algorithm to verify whether the target program is the virus in Article 004: "Virus Trojan Scan: Writing a Panda Burning Incense Killing Tool".
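As an added example (not code from the original article or its author), the following Python script computes the three hashes this section names and identifies a sample only when all of them match a signature entry; the signature database and the sample bytes are constructed placeholders, not hashes of any real malware.

```python
import hashlib
import zlib

def fingerprint(data):
    """MD5, SHA-1 and CRC32 of a blob; CRC32 is shown as 8 hex digits,
    the way detection tools usually print it."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
    }

def crc32_chunks(chunks):
    """CRC32 over an iterable of byte chunks, so a large sample can be hashed
    without loading it whole (pass iter(lambda: f.read(65536), b"") for a file)."""
    crc = 0
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)   # running CRC continues from the previous value
    return "%08x" % (crc & 0xFFFFFFFF)

# Constructed signature database: the "known sample" is placeholder content,
# not the hash of any real malware.
KNOWN_SAMPLE = b"placeholder bytes standing in for a known sample"
SIGNATURES = {"placeholder-sample": fingerprint(KNOWN_SAMPLE)}

def identify(data, signatures=SIGNATURES):
    """Return the signature name whose MD5, SHA-1 and CRC32 all match, or None.
    Requiring every algorithm to agree is the cautious approach the article
    recommends: a collision in one algorithm alone does not produce a match."""
    fp = fingerprint(data)
    for name, sig in signatures.items():
        if all(fp[algo] == sig[algo] for algo in ("md5", "sha1", "crc32")):
            return name
    return None

def scan_file(path, signatures=SIGNATURES):
    """Identify a file on disk by its full content."""
    with open(path, "rb") as f:
        return identify(f.read(), signatures)
```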
3. Search for strings

A string in a program is a sequence of printable characters. A program usually contains a number of strings, such as printed output messages, URLs it connects to, or the names of API functions it calls. Searching for strings is a simple way to get hints about what a program does. Here I use Microsoft's Strings program (http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx) to search for printable strings in an executable file. Copy Strings and the virus sample to the root of drive C, then enter the following in CMD:

C:\> Strings setup.exe

Some results are as follows:

Figure 3 Character information obtained from the program with Strings (partial)

The results show that not all strings are meaningful, but the output is still very convenient for static analysis. For example, the "URLDownloadToFile" API function is often used by malicious programs to download files. This function is provided by the URLMON.DLL dynamic link library, which also appears in the output above.

4. Shell Detection

Virus and Trojan writers often use shelling (packing) to make their malicious programs hard to detect or analyze. A normal program contains many strings, but malicious code with a shell yields very few printable strings when analyzed. If you run Strings on a program and find that it has few strings, the program may be shelled. In that case you usually need other methods to examine its behavior further.

For the subject of this study, Panda Burning Incense, I used the static analysis tool PEiD in Article 005: Reverse Analysis of Panda Burning Incense (I). It checks whether the target program is shelled and which compiler it was written with. If the virus sample has a shell, the shell must be removed before analysis. Knowing which compiler produced the virus tells us its function-calling conventions and stack allocation, which helps the analysis. For example, my Panda Burning Incense sample was compiled with Delphi; if we do not understand the characteristics of the Delphi compiler and look at it from a C++ perspective, the subsequent analysis may run into trouble.
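The following Python code is an added example, not the article's own, that reimplements the core of what Strings does for Sections 3 and 4: it extracts printable ASCII and UTF-16LE runs from a binary and applies the "few strings" heuristic for shell detection. The sample bytes, the URL and the 0.05 density threshold are constructed assumptions.

```python
import re
import zlib

# Runs of at least N printable ASCII bytes (0x20-0x7E), and the UTF-16LE
# form that Windows executables use; Strings reports both kinds.
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
WIDE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"

def _runs(data, min_len):
    """Yield (decoded string, number of bytes it covers) for every run."""
    for m in re.finditer(ASCII_RUN % min_len, data):
        yield m.group().decode("ascii"), len(m.group())
    for m in re.finditer(WIDE_RUN % min_len, data):
        yield m.group().decode("utf-16-le"), len(m.group())

def extract_strings(data, min_len=4):
    """What 'Strings <file>' prints: printable runs of at least min_len
    characters (min_len plays the role of Strings' -n option)."""
    return [s for s, _ in _runs(data, min_len)]

def strings_density(data, min_len=4):
    """Fraction of the bytes that belong to printable runs. Packed or
    encrypted code scores low because its bytes look random."""
    if not data:
        return 0.0
    return sum(n for _, n in _runs(data, min_len)) / len(data)

def looks_packed(data, threshold=0.05):
    """The article's heuristic: very few strings suggests a shell. The threshold
    is an assumed value; a real packer also leaves its own stub strings and
    section names, so treat the result as a hint, not a verdict."""
    return strings_density(data) < threshold

# Constructed stand-in for an unpacked sample (not a real executable): a few
# header and code bytes plus the kind of strings the article found.
UNPACKED = (
    b"MZ\x90\x00\x03\x00"                                # DOS header bytes
    + b"URLMON.DLL\x00URLDownloadToFileA\x00"             # imported DLL and API
    + b"http://example.invalid/x.exe\x00\x00"             # placeholder URL
    + "setup.exe".encode("utf-16-le") + b"\x00\x00"       # a UTF-16LE string
    + b"\x55\x8b\xec\x83\xec\x10\xb8\x00\x00\x00\x00\xc3"  # code-like bytes
)
# Constructed stand-in for the same sample behind a compressing shell: zlib
# output has no readable strings left, so its density drops sharply.
PACKED = zlib.compress(UNPACKED, 9)

if __name__ == "__main__":
    for name, blob in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(name, extract_strings(blob), round(strings_density(blob), 2),
              "possibly shelled" if looks_packed(blob) else "")
```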

5. Detect Dynamic Links

When analyzing viruses and Trojans, we must pay attention to the dynamic links in the target program, because that information helps us guess what the program does. Dependency Walker (http://www.dependencywalker.com/) is the tool we use to inspect dynamic links. For example, we use it to examine Panda Burning Incense:

Figure 4 Viewing DLLs with Dependency Walker

Dependency Walker clearly shows that Panda Burning Incense uses the "URLDownloadToFile" API function from URLMON.DLL. Experienced anti-virus engineers often use this tool to work out the general functions of malicious code.

6. PE Analysis

Analyzing the PE structure of the target program often yields more information. Common tools include PEview and Resource Hacker. Because PE analysis is complex, it is not detailed here; interested readers can refer to the relevant PE documentation.

7. Advanced static analysis using IDA Pro

IDA Pro is the first choice of every anti-virus engineer. I used it for the static reverse analysis of the Panda Burning Incense sample, as you have seen in the three previous articles. Besides disassembling the entire program, it can perform tasks such as function searching, stack analysis, and local variable identification. IDA Pro is interactive by design: every attribute of its disassembly can be modified, manipulated, rearranged, or redefined. During actual analysis we should promptly rename or annotate the parts we have already understood. Analysis is mostly done in text mode, but what I think is really good about this software is that it can present the program's entire execution flow in a graphical view, as shown in:

Figure 5 Graph mode view in IDA Pro

Graph mode gives our analysis work a much more intuitive view. Of course, this software has many other very powerful functions, which I will show one by one in future analyses.

III. Dynamic Analysis of Viruses

Dynamic analysis is the process of running and observing malicious code, which lets you see its real behavior. Although dynamic analysis is very powerful, it should be performed after static analysis and inside a virtual environment. The common methods are:

1. Use a sandbox

There is now a lot of automated software for basic dynamic analysis of viruses, the most common being sandbox technology. A sandbox runs a suspicious program in a secure, isolated environment, so we do not have to worry about damaging our real system. Some security companies also provide this as an online service, for example "Fire Eye" (https://fireeye.ijinshan.com/); part of its analysis of Panda Burning Incense is as follows:

Figure 6 Fire Eye detection results (partial)

Fire Eye has fully revealed the behavior of the virus sample, which is very helpful for the next steps of analysis. However, sandboxes also have many disadvantages. For example, if we analyze a backdoor program that waits for a control command before starting a specific behavior, the sandbox cannot analyze it thoroughly. In addition, a sandbox cannot record every event: if the malicious code waits a day or longer before executing its behavior, the sandbox is usually powerless. Sandboxes have many more disadvantages like these, but in any case they are an indispensable tool in anti-virus work.

2. Behavior Monitoring

Process Monitor is the most commonly used software in the anti-virus field. I used it in Article 003: Virus Trojan Scan: Behavior Analysis of Panda Burning Incense, and it will be used frequently in future analyses. Once Process Monitor starts, it records every system call it can capture, but not all data can be captured, so it is often necessary to run several tools at the same time to obtain the complete behavior of a malicious program. For example, we often use Process Explorer to view processes, Regshot to compare the registry before and after the virus runs, and Netcat for network monitoring. Each tool has its own strengths, and we should be good at using them in actual analysis.

3. Dynamic debugging

Using a debugger to analyze viruses plays an important role in anti-virus work. A debugger lets you view the contents of any memory address, the registers, and the parameters of each function, and it lets you change anything about program execution at any time. For example, you can change the value of a variable at any point, provided you have enough information about it, including its location in memory. In practice we usually use OllyDbg and WinDbg. The former is the debugger virus analysts use most often; its drawback is that it does not support kernel debugging. If you want to debug the kernel, WinDbg is essentially the only choice. Although IDA Pro can also debug dynamically, it is far less convenient than OllyDbg (OD), so in practice the two are often combined: when static analysis in IDA Pro runs into a function that is hard to understand, executing it under OD often makes its purpose clear at a glance.

IV. Supplements to Virus Analysis

We should not go too deeply into details during virus analysis. Most viruses and Trojans are large and complex, and you cannot, and need not, understand every detail. What really matters is the most critical and important functions of the malicious program. When you encounter difficult and complex code segments during analysis, get an overview before going into the details. In addition, we should be good at using different tools and methods for different tasks; there is no one-size-fits-all approach. If you get stuck at one point, do not spend too long on it; move to another problem and try to analyze it from a different angle. Finally, virus analysis is like a cat-and-mouse game. As the saying goes, however high the good rises, the evil rises higher: malicious code analysis technology and malicious code writing technology are opposed yet interdependent, and each constantly drives the other forward. Therefore, we must be able to understand and overcome these emerging new technologies and adapt quickly to new changes in this field. Only in this way can we achieve something in it.

 
