Post: Malware Analysis – Advanced
The advancement of computer and internet technologies has dramatically reshaped our lives and the way organizations operate. However, this technological progress and digitalization have also sparked a surge in cybercriminal activities. The escalating threat of cyberattacks targeting vital infrastructures such as data centers, across private and public sectors, defense, energy, government, and financial domains, introduces a significant challenge for everyone from individuals to large corporations. These attacks leverage malicious software, known as Malware, for purposes like financial theft, espionage, sabotage, intellectual property theft, and political motives.
Facing adversaries who execute sophisticated malware attacks necessitates that cybersecurity professionals are adept at detecting and responding to such intrusions. As a result, malware analysis has emerged as a critical skill for combating advanced malware and targeted attacks, demanding a comprehensive understanding of various disciplines. Acquiring expertise in malware analysis is a time-consuming endeavor that requires patience.
This article delivers insights into the concepts, tools, and techniques essential for analyzing the behavior and characteristics of malware, with a particular focus on Windows-based malware. It starts with the basics of malware analysis and gradually moves into more complex areas such as code analysis and memory forensics. To facilitate better understanding, it includes examples with real-world malware samples, infected memory images, and illustrative diagrams. The article ensures readers are well-informed about the necessary concepts and provides references for additional reading where applicable.
Suitable for those new to malware analysis as well as experienced professionals looking to expand their knowledge, this article aims to guide readers through starting or advancing in malware analysis. Whether the interest in malware analysis is for professional development, forensic investigation, incident response, or simply for personal enrichment, this article offers the necessary tools to meet those goals.
Target Audience: This article is intended for incident responders, cybersecurity investigators, system administrators, malware analysts, forensic practitioners, students, or security enthusiasts interested in learning or improving their malware analysis skills.
Article Overview:
- Section 1, Introduction to Malware Analysis, acquaints readers with the concept of malware analysis, its types, and setting up an isolated analysis lab.
- Section 2, Static Analysis, focuses on the tools and techniques for extracting metadata from malicious binaries and classifying malware samples without execution.
- Section 3, Dynamic Analysis, explores the tools and techniques for understanding malware behavior and its system interactions.
- Section 4, Assembly Language and Disassembly Primer, introduces assembly language and the skills needed for code analysis.
- Section 5, Disassembly Using IDA, discusses the IDA Pro Disassembler and how to use it for static code analysis.
- Section 6, Debugging Malicious Binaries, details how to debug binaries using x64dbg and IDA Pro debugger.
- Section 7, Malware Functionalities and Persistence, examines various malware functionalities and persistence methods.
- Section 8, Code Injection and Hooking, explains techniques used by malware for code injection and hooking to execute within legitimate processes.
- Section 9, Malware Obfuscation Techniques, covers the methods used by malware to conceal and hide information.
- Sections 10 and 11 focus on using memory forensics for malware detection, including techniques for uncovering advanced malware.
A foundational understanding of programming languages such as C and Python is beneficial, particularly for the more technical sections. Nevertheless, the article is structured to provide a solid grounding in malware analysis for those with varying levels of expertise, complemented by additional resources for those seeking to deepen their understanding.
Conventions used
There are a number of text conventions used throughout this article.
- CodeInText: used for code examples, folder names, filenames, registry keys and values, file extensions, pathnames, dummy URLs, user input, function names, and Twitter handles. Here is an example:
"Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."
Any command-line input is highlighted in bold, and the example is as follows:
$ sudo inetsim
INetSim 1.2.6 (2016-08-29) by Matthias Eckert & Thomas Hungenberg
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/
When we wish to draw your attention to a particular part of code or output, the relevant lines or items are set in bold:
$ python vol.py -f tdl3.vmem --profile=WinXPSP3x86 ldrmodules -p 880
Volatility Foundation Volatility Framework 2.6
Pid  Process      Base        InLoad  InInit  InMem  MappedPath
---  -----------  ----------  ------  ------  -----  ----------------------------
880  svchost.exe  0x10000000  False   False   False  \WINDOWS\system32\TDSSoiqh.dll
880  svchost.exe  0x01000000  True    False   True   \WINDOWS\system32\svchost.exe
880  svchost.exe  0x76d30000  True    True    True   \WINDOWS\system32\wmi.dll
880  svchost.exe  0x76f60000  True    True    True   \WINDOWS\system32\wldap32.dll
Italics: Used for a new term, an important word, or words, malware name, and keyboard combinations. Here is an example: press Ctrl + C to copy
Screen Text: Words in menus or dialog boxes appear in the text like this. Here is an example: Select System info from the Administration panel.
The escalation in cyber attacks targeting various sectors, including government, military, public, and private entities, is a significant concern. These attacks aim to extract valuable information from individuals or organizations and are often linked to cybercriminals or state-sponsored groups. In some cases, they are executed by independent groups with specific agendas. The majority of these cyber attacks employ malicious software, also known as malware, to compromise their targets. Acquiring the knowledge, skills, and tools necessary for analyzing malicious software is crucial for detecting, investigating, and defending against these threats.
This section introduces the following key topics:
- The definition of malware and its role in cyber attacks.
- The importance of malware analysis within the context of digital forensics.
- Various approaches to malware analysis.
- Steps for setting up a laboratory environment conducive to safe malware analysis.
- Sources for procuring malware samples for study.
1. Definition of Malware
Malware refers to any code designed to execute malicious activities. It can manifest in various forms, such as executables, scripts, code snippets, or other software types. Malware is utilized by attackers to steal sensitive data, monitor infected systems covertly, or gain control over these systems. Typically, malware infiltrates systems without the user’s knowledge, delivered through channels like email, the internet, or removable media.
Malware’s Malicious Activities Include:
- Disrupting computer operations.
- Stealing sensitive information, including personal, business, and financial data.
- Gaining unauthorized access to systems.
- Spying on users.
- Distributing spam emails.
- Launching distributed denial-of-service (DDoS) attacks.
- Encrypting or locking files to demand ransom.
Malware encompasses various types of malicious programs, including trojans, viruses, worms, and rootkits. During malware analysis, these programs are often categorized based on their functionality and attack vectors, such as:
- Virus/Worm: Malware that replicates itself and spreads to other computers, with viruses requiring user interaction for propagation and worms capable of spreading autonomously.
- Trojan: Malware that masquerades as legitimate software to deceive users into installing it, thereafter performing malicious actions.
- Backdoor/Remote Access Trojan (RAT): A Trojan variant that allows attackers to commandeer and execute commands on a compromised system remotely.
- Adware: Malware that displays unwanted advertisements, often bundled with free software.
- Botnet: A network of infected computers, all under the control of an attacker, used for coordinated attacks such as DDoS or spam distribution.
- Information Stealer: Malware designed to exfiltrate sensitive data such as banking credentials or keystrokes.
- Ransomware: Malware that restricts access to the system or encrypts files, demanding a ransom for restoration.
- Rootkit: Malware that provides attackers with privileged access while concealing its existence.
2. Malware Analysis Overview
Malware analysis is the practice of examining malware’s behavior to understand its workings and develop detection and mitigation strategies. It involves the analysis of suspect binaries in a secure environment to uncover their characteristics and functionalities, thus enabling the creation of more effective defenses.
3. The Rationale for Malware Analysis
The primary goal of malware analysis is to extract actionable insights from malware samples, assisting in the response to malware incidents by:
- Identifying the malware’s nature and objectives.
- Understanding how the system was compromised and assessing the impact.
- Detecting malware and containing its spread.
- Identifying patterns for future prevention and cure.
4. Malware Analysis Techniques
To comprehend malware’s impact and functionality, analysts employ various analysis methods, classified as:
- Static Analysis: Analyzing the binary without executing it to extract metadata and other informative details.
- Dynamic Analysis (Behavioral Analysis): Observing the malware’s behavior in an isolated environment by executing the suspect binary.
- Code Analysis: An advanced method focusing on examining the code to understand the malware’s inner workings.
- Memory Analysis (Memory Forensics): Analyzing RAM for forensic artifacts post-infection to reveal stealth and evasion techniques used by the malware.
5. Lab Environment Setup
Analyzing malicious programs necessitates a secure lab setup to prevent unintended system or network infections. A basic lab can be established using virtual machines (VMs) on a physical system, allowing for the safe execution and analysis of malware without risking real systems or data. This section outlines the steps for setting up such a lab, including choosing suitable operating systems, configuring network settings, and ensuring a safe analysis space.
This comprehensive overview equips analysts with the foundational knowledge to begin analyzing malware safely and effectively, paving the way for developing robust defense mechanisms against malware threats.
Laboratory Setup Requirements
Prior to initiating your laboratory setup, several key components are essential: a hardware system equipped with a foundational operating system such as Linux, Windows, or macOS X, complemented by virtualization software like VMware or VirtualBox. The analysis of malware will be conducted within a Windows-based virtual machine (VM), offering the benefit that, upon completion of the malware analysis, the VM can be restored to its original, uncontaminated state.
For those using Windows and Linux, VMware Workstation is accessible at VMware’s official site, whereas macOS X users can download VMware Fusion from VMware’s Fusion download page. VirtualBox, compatible with multiple operating systems, is available at VirtualBox’s official download page.
Establishing a secure laboratory environment entails adopting measures to prevent the inadvertent release of malware from the virtual setting to the host system. Essential considerations for safeguarding your virtualized laboratory include:
- Ensuring the virtualization software is consistently updated to mitigate the risk of malware exploiting any vulnerabilities to breach the virtual environment and compromise the host system.
- Installing a pristine operating system version within the VM without storing any sensitive data that could be at risk.
- Opting for a host-only network configuration or limiting network traffic to within the lab’s simulated environment to control the malware’s communication capabilities.
- Avoiding the connection of removable media devices to the VM that may later be used with physical systems, thereby preventing cross-contamination.
- Given the focus on Windows malware analysis, typically involving executables or DLL files, selecting a Linux or macOS X base operating system for the host machine is advisable over Windows. Should the malware manage to escape the VM, a Windows executable or DLL will not run natively on a Linux or macOS X host, so the host operating system is not compromised.
Lab Architecture Summary
Throughout this text, the lab setup described involves a principal hardware system, referred to as the host machine, operating on Ubuntu Linux. This setup is augmented by two virtual machines (VMs): one running Ubuntu Linux (Ubuntu Linux VM) and another running Windows (Windows VM). Both VMs are integrated into a singular network configuration, specifically utilizing Host-only network mode, to ensure that malware cannot establish internet connections, thereby keeping network traffic confined within a secure, isolated lab environment.
The Windows VM serves as the execution ground for malware analysis, whereas the Ubuntu Linux VM is tasked with network traffic monitoring. It’s configured to emulate internet services like DNS and HTTP, providing accurate responses to service requests made by the malware. This setup ensures that, for instance, when malware seeks a DNS service, the Ubuntu Linux VM responds with the correct DNS information, as detailed in Section 3 on Dynamic Analysis.
An illustrative lab setup presented in this article shows the Ubuntu Linux VM pre-set with the IP address 192.168.1.100, and the Windows VM assigned an IP address within the 192.168.1.x range (x represents any number between 1 and 254, excluding 100). The configuration ensures the Windows VM’s default gateway and DNS are directed to the Linux VM’s IP address (192.168.1.100), thus channeling all Windows network traffic through the Linux VM. The subsequent section will provide instructions on configuring the Linux and Windows VMs to adhere to this architecture.
There’s no obligation to adhere strictly to the lab setup depicted in the previous illustration; a variety of lab configurations can be implemented since it’s impractical to outline steps for every conceivable setup. This article will guide you through establishing and utilizing the lab structure as illustrated earlier.
Moreover, you have the option to create a lab that includes several virtual machines (VMs) operating on different versions of Windows. This setup enables the analysis of malware across multiple Windows operating system versions. A sample setup that incorporates numerous Windows VMs would resemble the configuration presented in the subsequent diagram:
Configuring the Ubuntu Linux Virtual Machine
To configure the Linux VM, Ubuntu 16.04.2 LTS distribution will be utilized, accessible at the official Ubuntu releases site. This distribution is chosen because it comes with many of the necessary tools pre-installed or available for installation through the apt-get package manager. Here’s a detailed procedure to set up Ubuntu 16.04.2 LTS on both VMware and VirtualBox:
For those not acquainted with setting up virtual machines, you might find the VMware’s guide or the VirtualBox user manual useful.
- First, download Ubuntu 16.04.2 LTS from the Ubuntu releases page and install it using VMware Workstation/Fusion or VirtualBox. You have the option to install a different Ubuntu version if you’re comfortable handling package installations and resolving dependencies.
- Install Virtualization Tools on Ubuntu. This will enhance the virtual environment by automatically adjusting the screen resolution to fit your monitor and enabling features like shared clipboards and file transfer between your host machine and the Linux VM. Instructions for installing these tools on VMware Workstation or VMware Fusion can be found on VMware’s official support page or by watching an instructional video. System reboot is required after installation.
- If using VirtualBox, install the Guest Additions software. This is done by selecting ‘Devices’ from the VirtualBox menu and then ‘Insert guest additions CD image’. Proceed with the installation and reboot once completed.
- With Ubuntu OS and virtualization tools installed, power up the Ubuntu VM to begin installing the requisite tools and packages.
- Install pip, the package manager for Python. This is essential for managing the installation of third-party Python libraries used in this article. Run the following commands in the terminal to install and update pip:
$ sudo apt-get update
$ sudo apt-get install python-pip
$ pip install --upgrade pip
- Continue with the installation of the tools and Python packages needed for this article. Execute these commands in the terminal:
$ sudo apt-get install python-magic
$ sudo apt-get install upx
$ sudo pip install pefile
$ sudo apt-get install yara
$ sudo pip install yara-python
$ sudo apt-get install ssdeep
$ sudo apt-get install build-essential libffi-dev python python-dev libfuzzy-dev
$ sudo pip install ssdeep
$ sudo apt-get install wireshark
$ sudo apt-get install tshark
- Next, install INetSim, which allows the simulation of various Internet services such as DNS and HTTP. These services are commonly interacted with by malware. To install INetSim, use the following commands. Detailed instructions on using INetSim are provided in Section 3, Dynamic Analysis. If you encounter installation issues, refer to INetSim’s documentation.
sudo su
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
apt update
apt-get install inetsim
- Isolate the Ubuntu VM within your lab by configuring the network adapter to Host-only mode in VMware. Adjust the settings and reboot the machine.
- If you’re using VirtualBox and the Host-only adapter option shows the interface as ‘Not selected’, create a host-only interface first. Navigate to ‘File’ > ‘Preferences’ > ‘Network’ > ‘Host-only Networks’ and add a new host-only network. Afterward, adjust the adapter settings to Host-only Adapter and click ‘OK’.
- To assign a static IP address of 192.168.1.100 to the Ubuntu Linux VM, power on the VM, open the terminal, and run the ifconfig command to identify the interface name. Open the /etc/network/interfaces file with the command sudo gedit /etc/network/interfaces and append the following lines, replacing ens33 with your interface name, then save the file:
auto ens33
iface ens33 inet static
address 192.168.1.100
netmask 255.255.255.0
Restart the Ubuntu VM to apply the changes. Verify the IP address assignment by running ifconfig.
- Finally, configure INetSim to simulate all the services on the specified IP address. Modify the /etc/inetsim/inetsim.conf file to bind the services to the address 192.168.1.100. Also, adjust the DNS default IP so that domain names resolve to the Linux VM’s IP address. Save the changes and start INetSim with the sudo inetsim command to confirm that it is listening on the new IP address.
- To enable file transfers between the host and the virtual machine, in VMware, access the VM settings, select ‘Options’ > ‘Guest Isolation’, and enable both ‘drag and drop’
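The two INetSim settings this step changes, as an added example (Python 3; not code from the article or from the INetSim project): it rewrites the text of inetsim.conf so every service binds to 192.168.1.100 and the fake DNS answers with that address, then checks the result. It assumes the stock keys service_bind_address and dns_default_ip; the configuration fragment below is constructed.

```python
"""Apply and verify the lab's INetSim settings on the text of inetsim.conf.

Added example. Assumes the two stock inetsim.conf keys below exist in the file
(possibly commented out); 192.168.1.100 is the lab's Linux VM address.
"""
import re

LAB_IP = "192.168.1.100"

# Stock INetSim keys: where services listen, and what the fake DNS answers.
LAB_SETTINGS = {
    "service_bind_address": LAB_IP,
    "dns_default_ip": LAB_IP,
}

# A "key value" line, optionally commented out: "#service_bind_address 10.10.10.1"
_KEY_LINE = re.compile(r"^\s*#?\s*(\w+)\s+(\S+)\s*$")


def apply_lab_settings(conf_text: str, settings=LAB_SETTINGS) -> str:
    """Return conf_text with every key in settings active and set to the lab value.

    The first occurrence (commented or not) is rewritten in place, later
    duplicates are dropped, and a key missing from the file is appended so the
    setting is never silently lost.
    """
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = _KEY_LINE.match(line)
        if m and m.group(1) in settings:
            key = m.group(1)
            if key in seen:
                continue  # drop a duplicate, e.g. a commented-out example
            out.append(f"{key}\t{settings[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key}\t{value}")
    return "\n".join(out) + "\n"


def active_settings(conf_text: str) -> dict:
    """Parse the uncommented 'key value' lines of an inetsim.conf text."""
    result = {}
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(\w+)\s+(\S+)\s*$", line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def lab_settings_ok(conf_text: str, settings=LAB_SETTINGS) -> bool:
    """True when every lab key is active and carries the lab address."""
    active = active_settings(conf_text)
    return all(active.get(k) == v for k, v in settings.items())


# Constructed fragment in the shape of the stock file (the real one is longer).
SAMPLE_CONF = """\
# IP address to bind services to
# Default: 127.0.0.1
#service_bind_address\t10.10.10.1
start_service\tdns
start_service\thttp
# Default IP to return for DNS queries
dns_default_ip\t10.10.10.1
"""

if __name__ == "__main__":
    # On the lab VM: read /etc/inetsim/inetsim.conf, write the result back as
    # root, then run 'sudo inetsim' and confirm the services report 192.168.1.100.
    print(lab_settings_ok(SAMPLE_CONF))   # False: still bound to 10.10.10.1
    fixed = apply_lab_settings(SAMPLE_CONF)
    print(fixed)
    print(lab_settings_ok(fixed))         # True
```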
Configuring a Windows Virtual Machine
To initiate the configuration of your Windows virtual machine, the initial step involves installing a preferred version of the Windows operating system (e.g., Windows 7, Windows 8) via virtualization platforms like VMware or VirtualBox. Following the installation, proceed with the outlined steps:
- Initiate by downloading Python from the official site (https://www.python.org/downloads/), selecting version 2.7.x (e.g., 2.7.13), as the scripts featured in this guide are optimized for Python 2.7 and might not function as intended on Python 3. Execute the downloaded installer, ensuring to select the options for pip installation and adding python.exe to the system path, facilitating easier Python execution from any directory and simplifying the installation of third-party Python packages.
- Adjust the network settings of your Windows VM to operate in Host-only network mode. This can be configured in VMware or VirtualBox by accessing the Network Settings, selecting Host-only mode, saving these modifications, and restarting your machine, mirroring the process described in the Linux VM configuration section.
- Assign an IP address within the 192.168.1.x range to your Windows VM, avoiding 192.168.1.100 as it is reserved for the Linux VM. Configure the Default gateway and DNS server to point to the Linux VM’s IP address (192.168.1.100), ensuring all network traffic from the Windows VM is routed via the Linux VM for the purposes of executing hostile programs.
- Ensure both the Linux and Windows VMs are operational and capable of mutual communication, which can be verified through executing a ping command, as demonstrated.
- Disable the Windows Defender Service on your Windows VM to prevent interference during malware sample execution by opening the Run menu with Windows key + R, typing gpedit.msc, and navigating to the specified policy in the Local Group Policy Editor to enable the policy to turn off Windows Defender.
- Enable file transfer (drag and drop) and clipboard content copying between the host machine and the Windows VM, following the guidance provided in the Linux VM setup section.
- Capture a clean snapshot of your VM setup to allow for a return to a base state following each analysis session, as outlined in the Linux VM configuration instructions.
Upon completion, your laboratory environment should be operational, with both VMs set in Host-only network mode and capable of intercommunication. This guide will introduce various malware analysis tools for use within this environment, which should be installed in the clean snapshot for maintenance purposes.
Malware Sample Acquisition
For analysis, malware samples are required. This guide references various real-world malware examples but does not distribute them due to potential legal implications. However, malware samples can be sourced from various repositories, some of which offer free access or require registration. Notable sources include Hybrid Analysis, KernelMode.info, VirusBay, Contagio malware dump, AVCaesar, Malwr, VirusShare, and theZoo, with additional sources listed in Lenny Zeltser’s blog. Should you encounter difficulties in obtaining samples, contacting the author is recommended.
KernelMode.info is a forum dedicated to reverse engineering, OS internals, and malware analysis.
Overview
Establishing a secure, isolated lab is essential for safe malware analysis. Such an environment ensures that the execution of malicious code is contained, preventing unintended spread to your personal or networked systems. The following section will delve into tools and methodologies for extracting information from malware through Static Analysis.
Static analysis involves examining a suspicious file without running it, extracting key information for classification and deeper analysis. This approach identifies the file’s intended platform and architecture, uncovers malware fingerprints, scans with antivirus tools, and extracts embedded strings, functions, and metadata. It also detects obfuscation methods used to evade detection and compares the malware against known samples. The process, not necessarily sequential, is tailored to the analyst’s objectives and the file’s context, utilizing various tools and techniques to reveal insights into the file’s nature and purpose.
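A stdlib-only sketch of the first static-analysis steps listed above (fingerprint hashes, the file’s platform and architecture from the PE header, and embedded strings), added here as an example rather than code from the article; it is written for Python 3, not the article’s Python 2.7 and pefile, and runs on a constructed minimal PE buffer instead of a real sample.

```python
"""Stdlib-only static triage of a suspect file: hashes (the sample's
fingerprint), the PE/COFF header (platform, architecture, EXE vs DLL) and
printable strings. Added example; the PE buffer below is constructed."""
import hashlib
import re
import struct

# COFF Machine field values (PE/COFF specification)
MACHINE_TYPES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (AMD64)",
                 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def fingerprint(data: bytes) -> dict:
    """Hashes used to look a sample up in repositories and AV databases."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_info(data: bytes) -> dict:
    """Parse the DOS header pointer and the COFF file header.

    Raises ValueError for anything that is not a PE image, so a renamed
    script or document is reported instead of being mis-classified.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature: MZ header without a PE header")
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINE_TYPES.get(machine, "unknown (0x%04x)" % machine),
            "sections": nsect,
            "compile_timestamp": stamp,
            "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
            "is_dll": bool(chars & IMAGE_FILE_DLL)}


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def build_sample(machine=0x8664, characteristics=0x0022, sections=3) -> bytes:
    """Constructed minimal PE image (headers only, not runnable) for the demo."""
    dos = bytearray(b"MZ" + b"\0" * 62)        # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", machine, sections, 0x5F000000, 0, 0, 0,
                       characteristics)
    return bytes(dos) + b"PE\0\0" + coff + b"\0LAB-SAMPLE-STRING\0ab\0"


if __name__ == "__main__":
    sample = build_sample()
    print(fingerprint(sample))
    print(pe_info(sample))        # x64, 3 sections, executable, not a DLL
    print(ascii_strings(sample))  # ['LAB-SAMPLE-STRING']
```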