Investigating Malicious Software
Steve Romig, The Ohio State University
April 2002
Malware Analysis
Got a piece of *something*; what does it do?
In our case, an attachment
Not recognized by "usual" anti-virus scanners
Run UNIX "strings"
Sometimes useful, sometimes misleading
Do Google searches on what turns up
Try to determine what it does from symbol names, included libraries, include files, etc.
Nothing useful here, that I remember - it was a self-extracting UPX file (the packed contents are compressed, so strings shows little beyond the unpacking stub)
Try Running It
Danger, Danger!! It Might Do "Bad Things"(tm)
–To the computer it is running on
–To other computers
–Tip off the perpetrators?
So, You Should...
Create a clean test machine...
Detached from the network...
Run the malware there
Don't reuse this machine for other tests
–Hard to figure out which changes are due to which malware
–Might screw up subsequent tests
VMWare!
Create a virtual machine
Install the host operating system, patches, and applications as needed
*Make a snapshot* of the virtual disk
Squirrel your snapshots away somewhere
VMWare (continued)
To create a clone:
–make a directory
–restore the files
–change the config as needed
–boot
I use a read-only "airlock" with host-only access to pass files back and forth.
Run the Malware
No net access, of course
System and library call tracers
lsof
HandleEx, filemon, regmon (Windows only)
tcpdump, ethereal
In Our Case
Malware makes some registry changes
Installs something that starts at login
Apparently checks a web site every minute
Create a Fake Network
Attempts to resolve a name to an IP address
–We create a fake DNS entry, try again
Attempts to connect to tcp/80 at that IP
–Web traffic? Create a fake web server, try again
Attempts to download nethief_connect.htm
–Search the real web site (found it, but risky)
–Search on the web (Google)
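The fake web server step above, as an added example (not part of the original slides): a minimal HTTP listener for the isolated analysis network that answers any request with a placeholder page and records what the sample asked for, plus a helper that estimates the beacon interval from the recorded timestamps. It assumes the fake DNS entry from the slide already points the sample at this host; the path and client address in the test are constructed values.

```python
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

CANNED_BODY = b"<html><body>placeholder page</body></html>\n"
REQUEST_LOG = []  # tuples: (timestamp, client_ip, method, path, host_header)

def parse_request_line(line):
    """Split 'GET /nethief_connect.htm HTTP/1.0' into (method, path, version);
    return None for anything that is not a three-token HTTP request line."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]

def record_request(client_ip, method, path, host, ts=None):
    """Append one observed request to REQUEST_LOG and return the stored entry."""
    entry = (time.time() if ts is None else ts, client_ip, method, path, host or "-")
    REQUEST_LOG.append(entry)
    return entry

def beacon_interval(log):
    """Mean seconds between consecutive logged requests; None if fewer than two.
    A sample that 'checks a web site every minute' should come out near 60."""
    times = sorted(entry[0] for entry in log)
    if len(times) < 2:
        return None
    return (times[-1] - times[0]) / (len(times) - 1)

class FakeWebHandler(BaseHTTPRequestHandler):
    """Answer every GET/POST with 200 and the canned body; log the request."""
    def _answer(self):
        record_request(self.client_address[0], self.command, self.path,
                       self.headers.get("Host"))
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(CANNED_BODY)))
        self.end_headers()
        self.wfile.write(CANNED_BODY)
    do_GET = do_POST = _answer

    def log_message(self, fmt, *args):
        # Print each request line with the client address to the console.
        print("%s %s" % (self.client_address[0], fmt % args))

def serve(bind="0.0.0.0", port=80):
    """Listen on tcp/80 of the analysis box (needs privileges for port 80)."""
    HTTPServer((bind, port), FakeWebHandler).serve_forever()

if __name__ == "__main__":
    serve()
```

Run it on the analysis host, point the fake DNS name at that host, then rerun the sample and read REQUEST_LOG (or the console) to see which file it fetches and how often.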
Google, Babelfish are Your Friends!
Got the zip file (finally)
It has a readme! (let's see)
Install the application (let's see)
The application web site is down :-(
Google Caching, Archive.org to the Rescue!
Google caches pages that it has indexed, which can be useful
Archive.org caches pages (when?)
It is (unfortunately) messy dealing with pages cached in archive.org that need to be translated
What Does This Thing Do - Attacker End
Install and run the application
Configure
–web site
–ftp address, account, password for updating the web site
Updates the web site once a minute with the current IP
Create the trojan
Infect someone
What Does This Thing Do - Victim End
Get infected :-)
Runs at login
Checks the web site once a minute
Sends "hey, I'm here" traffic to the indicated IP address
–Shows up on the attacker's console
Attacker Selects a Target
Click on it in the list of active victims
Inserts instructions on the web site
Intended victim downloads the instructions, connects to tcp/80 on the host where the console is currently running
Can now read, write, modify any file
Interesting Notes
Works "just fine" behind firewalls (the victim initiates outbound connections to tcp/80, which most firewalls allow)
There appear to be virus populations that are "known" to only parts of the Internet.