Can you trust that file? More importantly, can you trust that file’s source? Learning to suspect the source and being cautious (see Can You Trust That Web Site) is crucial.
Sometimes you want to confirm the source or authorship of a program, document, spreadsheet, or PDF file. Unfortunately, developers are not required to digitally sign executables (it is recommended, but not enforced). Confirmation of a certificate would help establish trust for a program. Similarly, people rarely add digital signatures to documents, spreadsheets or PDF files. Again, this would help confirm the file’s source. Since we don’t get the digital signature mechanism, we need other ways to make informed decisions (educated guesses) about whether programs and other files are trustworthy.
If you’re running anti-virus software, then you already have its opinion. You can be too careful, to a point where it interferes with your responsibilities, but it is healthy to be suspicious.
Finding suspicious programs is covered in Simple Malware Discovery Measures.
Send the sample to your anti-virus vendor. They have the analysis procedures and expertise; you don’t. It doesn’t hurt to get a second opinion, though. I use VirusTotal to test a suspicious file against multiple anti-virus vendors. (Note that VirusTotal accepts submissions through email, offers Windows users a file upload utility and offers Firefox users a plugin.) Expect some vendors to report that a file is malicious while others do not; this does not necessarily indicate that some vendors are more effective than others. For example, Sunbelt Software reports that FlashGet is a Trojan horse program because it contains support for the bittorrent protocol. This, like other peer-to-peer file sharing schemes, introduces a remote control mechanism. If you are unaware of this feature it can be used to compromise your system and Sunbelt appropriately warns you.
Suppose that no anti-virus vendor reports that the file is malicious. That still does not mean you can trust the file.
- It may be malicious software, previously unreported to all vendors.
- It may be benign software, repurposed for malicious purposes. For example, it may appear to be a game and, unknown to you, install a widely used remote management program.
Tools to test suspicious files against anti-virus vendors:

| Tool | Notes |
| --- | --- |
| Virus Total File Scan | Multiple vendors and four code analysis utilities, up to 20 MB |
| VirSCAN | Submit suspicious file, up to 20 MB, even password-protected ZIP or RAR files |
| Anubis Iseclab | Submit suspicious file, up to 8 MB. Alternately, submit a URL. |
| Kaspersky File Scan | Single vendor, single file, up to 1 MB |
| Avast! File Scan | Single vendor, single file, up to 512 kB |
| Jotti File Scan | |
| ThreatExpert | Submit a suspicious file. |
| BitBlaze Malware Analysis Service | Submit a suspicious file. |
| Offensive Computing | Submit a suspicious file. |
| UploadMalware | Submit up to six suspicious files. |
| Comodo Automated Analysis System | Submit a suspicious file. |
| EUREKA Malware Analysis Internet Service | Submit a suspicious file. |
| Joebox | Submit a suspicious file. |
| Xandora | Submit a suspicious file. |
| Information Technology Information Sharing and Analysis Center (IT-ISAC) | Submit a suspicious file. Public section with best practices, news, and references. Private section for organizations. |
| Malware Tracker: PDF Examiner | Upload a PDF or submit a URL |
| MalwareHash | Hash codes of known bad software. No file size limit, no file limit, since you send hash codes. |
| Malware Hash Registry by Team Cymru | Hash codes of known bad software. No file size limit, no file limit, since you send hash codes. |
| You | Maintain your own set of hash codes of known good software. See Create a SQL Table of Known Good File Hash Values. |
| Internet Storm Center (ISC) copy of NIST database | Known good software. Your internal applications will not be here. Patched off-the-shelf software will not be here. No file size limit, no file limit, since you send hash codes. |
Tools to run untrusted software
Retain your own repository of known good software. This can be used to build your own hash set. It can also be used to test anti-virus software pattern files for false positives. Before distributing a pattern file, upgrade a single machine and have it scan your repository of known good software. (See McAfee virus definition file 5958.)
Sandbox utilities analyze the program’s behavior for signs of maliciousness:

| Tool | Notes |
| --- | --- |
| Cuckoo Sandbox | Open source automated malware analysis system |
| GFI SandBox | Internet Malware Analysis System; submit W32 samples up to 16 MB |
| Norman SandBox | Upload a suspicious executable to be run and monitored for suspicious behavior (not just scanned). Archive files will not be unpacked; they are only scanned. |
The Norman Malware Analyzer G2 framework includes:
- Norman SandBox, a fully emulated Microsoft Windows malware analysis environment.
- Norman IntelliVM, VM analysis monitors system events for signs of malicious behavior.
- IntelliVM uses Norman’s KernelScout driver, embedding the intelligence observation agent at the lowest level of the system’s kernel for super performance.
- Analysis Desktop, a Web Based management and operations console.
- Appliance or software and APIs.
- Norman Malware Debugger PRO, performs analysis of suspicious files with all of the functionality of traditional reverse engineering and debugging tools in a single interface, performing analysis of malware threats.
Really? You want to spend your time reverse engineering what you suspect may be malware? What are you trying to find? Are you attempting to confirm that it is indeed malware, or are you attempting to learn how the malware works? It is important that you get the suspicious file into the hands of the anti-malware community as quickly as possible. Let them confirm that the sample is malware, let them learn what it does. If you don’t like one anti-virus vendor’s response, submit it to others.
If you’re going to be stubborn, then teach yourself reverse engineering by starting with simple software whose behavior you know. Familiarize yourself with the Portable Executable (PE) file structure, with tools like PEBrowse Professional and McAfee FileInsight, and with the tutorials at Lenny Zeltser’s FOR610: Reverse-Engineering Malware (REM) site, including his video tutorial, or Iczelion’s Win32 Assembly Homepage. Tips can also be gleaned from the Contagio malware dump blog.
Expect to encounter many suspicious files which are poorly written or are corrupt. It may not be your reverse engineering skills, it may be the poorly written code that is frustrating you.
Fortunately, malware consists of fairly small components. Unfortunately, many tools (packers, cryptors) are available to obfuscate the executable. VirSCAN and PEiD can be used to identify which packer, cryptor or compiler was used (if any). Expect that UPX was used to compress the executable; by itself this is a benign condition. Any other packer, cryptor or compiler reinforces your suspicions. Then use an appropriate unpacker. Fortunately, once the file is unpacked, antivirus software may tell you which malware family you are dealing with.
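As an added illustration of the packer check described above (this is example code, not code from the original page, PEiD or VirSCAN), the script below walks the PE section table and reports each section’s name and byte entropy, treating UPX-named sections as benign compression and flagging any other near-random section for closer inspection. The PE image it examines is constructed inline and is not a real program; the 7.0 bits-per-byte threshold is an assumed rule of thumb.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 when every byte value is equally common."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section header; raises ValueError if this is not a PE image."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew in the DOS header
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                               # section table follows it
    for i in range(num_sections):
        off = table + 40 * i                                     # 40-byte section headers
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packer_hints(image: bytes, threshold: float = 7.0):
    """One (section, entropy, verdict) tuple per section; UPX is reported as benign compression."""
    hints = []
    for name, data in pe_sections(image):
        ent = round(shannon_entropy(data), 2)
        if name.upper().startswith("UPX"):
            verdict = "upx"
        else:
            verdict = "high-entropy: packed or encrypted?" if ent >= threshold else "plain"
        hints.append((name, ent, verdict))
    return hints

def build_sample_pe() -> bytes:
    """Constructed toy PE image (headers plus two sections, not a runnable program)."""
    sections = [(b".text", b"This program cannot be run in DOS mode.\r\n" * 8),   # repetitive
                (b"UPX1", bytes(range(256)) * 4)]                               # uniform bytes
    pe_off, table = 0x40, 0x40 + 24              # SizeOfOptionalHeader left at 0 for brevity
    hdr = bytearray(table + 40 * len(sections))
    hdr[0:2], hdr[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    struct.pack_into("<HH", hdr, pe_off + 4, 0x14C, len(sections))   # Machine i386, NumberOfSections
    for i, (name, blob) in enumerate(sections):
        off, ptr = table + 40 * i, len(hdr) + sum(len(b) for _, b in sections[:i])
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<II", hdr, off + 16, len(blob), ptr)   # SizeOfRawData, PointerToRawData
    return bytes(hdr) + b"".join(blob for _, blob in sections)
```

Run `packer_hints(open(path, "rb").read())` on a real file to get the same per-section listing; a non-UPX section near 8.0 bits per byte is the cue to look for the packer PEiD names.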
- VirusTotal has already done the first steps for you. That is, it has computed hash codes (file signatures), reported the PE file structure, used TrID and PEiD, and consulted Kaspersky and F-Prot about any packer or cryptor detected. VirusTotal has run your submission through ThreatExpert, which reports any activity you may wish to investigate further (such as network connections or possible information theft that it attempts). VirusTotal has also run your submission through the CWSandbox instance at Sunbelt Software and reported any activity you may wish to investigate further (such as system changes).
- FUU (Faster Universal Unpacker) is a GUI Windows tool with a set of plugins to help you unpack, decompress and decrypt most programs packed, compressed or encrypted with well-known software protection programs like UPX, ASPack, FSG, ACProtect, etc.
- Find Evil from Mandiant, by Nick Harbour, is a malware discovery tool which uses disassembly to detect packed executables.
- Google for the packer PEiD found along with the word “unpacker.”
- OllyDbg Debugger with the OllyDump plugin, a reverse engineering utility.
- Free Disassemblers, Hex Editors & Viewers
- Generic Unpacker Win32 by Christop Gabler
- PEBrowse Professional
- IDA Pro Disassembler with the “Universal Unpacker”, a reverse engineering utility, if you wish to analyze malware.
- Immunity Debugger, to write exploits, analyze malware, and reverse engineer binary files.
- WinDbg, Microsoft’s Windows debugging environment
- SoftICE Windows debugging environment (manufacturer discontinued)
- RR0D debugging environment for Microsoft Windows, Linux, OpenBSD, NetBSD, FreeBSD (and awfully similar to SoftICE)
- Syser Windows debugging environment
- DJ Java Decompiler to decompile Java CLASS files
- pdf-parser.py, PDFiD or PDF Structazer to analyze PDF files
- Tools from Kahu Security:
  - Converter – Convert data to/from many different formats, format data, search/replace data, extract data, find XOR/ROT/SFT keys, import/export/split/join/convert files, and more. This tool was originally made for analyzing and deobfuscating malicious scripts, so it wasn’t designed to handle large datasets.
  - Data Converter – Converts text, hex, or decimal values using XOR, ROTate, and ShiFT methods. You can do an XOR keyword search or enumerate all keys to a file. You can import a binary file, perform add/subtracts before/after an XOR/ROT/SFT action, and write out the results to a text or binary file.
  - File Converter – Converts large binary files to/from hex files with or without XOR encryption/decryption. Supports hex and decimal XOR keys.
  - PHP Converter – Deobfuscates/obfuscates PHP scripts.
  - Sandbox Tester – Creates a dropper that deploys several methods to get past automated malware analysis tools. The dropper safely drops an Eicar file and pops up a message upon execution.
  - Secret Decoder Ring – Performs character substitution and position-based character lookups. Several exploit packs use this technique to hide URLs. Now you can analyze, decode, and encode URLs.
Once unpacked and unencrypted, use strings (from Sysinternals). You may find a URL that the program connects to. When you encounter a suspicious URL, you have learned you cannot trust that file.
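The strings step, as an added example rather than code from the page or from Sysinternals: it pulls printable runs out of a byte string in both ASCII and UTF-16LE (the encoding Windows programs use for wide strings, which an ASCII-only scan misses) and filters them for URLs. The sample bytes and host names are constructed for the example.

```python
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")             # 4+ printable ASCII bytes
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # 4+ printable UTF-16LE code units
URL_LIKE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)

def extract_strings(blob: bytes):
    """Printable runs as a strings tool reports them: ASCII first, then Windows wide strings."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found

def suspicious_urls(blob: bytes):
    """URLs embedded in the file, de-duplicated, in the order first seen."""
    urls = []
    for s in extract_strings(blob):
        for u in URL_LIKE.findall(s):
            if u not in urls:
                urls.append(u)
    return urls

# Constructed sample (not from any real program): an ASCII URL, a UTF-16LE registry path,
# a UTF-16LE URL, and non-printable padding between them.
SAMPLE = (b"\x00\x01\x02MZ\x90\x00" + b"http://update.example.invalid/check.php\x00"
          + b"\x7f\xff" * 5 + "Software\\Example\\Run".encode("utf-16-le")
          + b"\x00\x00" + "https://report.example.invalid:8443/gate".encode("utf-16-le")
          + b"\x00\x00\xde\xad")
```

An ASCII-only scan of SAMPLE reports one URL; the wide-string pass finds the second, which is the kind of indicator the paragraph above says settles the trust question.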
ValidEdge has unveiled a real-time malware analysis engine built into a standard laptop, delivering the power to analyze up to 1000 malware samples per day in a fully functional laptop without compromising the integrity of the laptop’s functions, data or operating system. Housed on a standard quad-core laptop, the ValidEdge MISbook 2300 uses a military grade virtualization platform to create two secure partitions that are exclusively used to manage and run malware samples in real-time for analysis, without risk of compromising the standard Linux or Microsoft Windows operating system that is running in its own secure partition alongside. ValidEdge Malware Intelligence Systems provide comprehensive information about new and unknown malware even when packed, encrypted and obfuscated, and the new MISbook delivers this capability in a portable and usable laptop.
The ValidEdge MISbook 2300 provides malware analysts, incident response teams and Enterprise security teams with a detailed report on malware in real-time, including assembly source code, customizable warning level and information about latent payloads even when away from the office or the corporate network.
The MISbook runs malware on a real Windows system within a secure partition, and then uses both static and dynamic analysis to get full information about the malware and its payloads. A complete simulation of all network services can be included, to capture all internet activity, and corporate images, OS versions and applications can be pre-loaded.
The ValidEdge MISbook 2300 incorporates several analysis engines for classification, decryption, unpacking, reverse engineering, and combined dynamic and static analysis. Its partitions provide a secure environment to expose malware, allowing responders to fully grasp the malware’s intention and learn what it was trying to target.
It will also identify any logic bombs hidden in the malware waiting for a trigger to cause damage at a later time. Once the new malware has been identified, security professionals receive several detailed reports about the behavior of the malware.
Like its sibling MIS1300 appliance, the ValidEdge MISbook 2300 makes use of military grade separation-kernel technology developed by LynuxWorks to meet the highest requirement of security critical systems. This technology allows complete isolation of the Windows environment so that malware cannot penetrate and corrupt the platform while it is being analyzed.
- The Use of Malware Analysis in Support of Law Enforcement [pdf], CERT® Coordination Center; Nicholas Ianelli (CERT/CC), Ross Kinder (CERT/CC), Christian Roylo (USSS); July 11, 2007
- Open Reverse Code Engineering (OpenRCE)
- Michael Ligh mnin.org
- Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard
- JL’s stuff Jamie Levy
- Lenny Zeltser SEC-610 Reverse-Engineering Malware
- Lenny Zeltser Analyzing Malicious Documents cheatsheet
- Nick Harbour’s utilities, presentations and reverse engineering cheatsheet (rnicrosoft.net)
- McAfee Labs blog has insight into how malware analysis is done.
- x86 Intel Assembly Cheat Sheet by Nick Harbour
- Win32 x86 Assembly Cheatsheet by Peter Kankowski
- “From: PDF@Exploit | To: Zeus@Trojan | Subject: Steals Bank Credentials” walks through how a maliciously crafted PDF installs malware. Illustrates File Insight, Malzilla, and Olly Debugger. (What’s File Insight?)
- See ‘Vulnerability-based Protection and the Google “Operation Aurora” Attacks’ from NSS Labs [pdf].
- Traversing a ‘DLL’: Financial Crimeware (Banker) walks through a Banker trojan, illustrating a strings enumerator, PEID and Olly Debugger.
- Visual Malware Reversing: How to Stop Reading Assembly and Love the Code by Danny Quist [m4v]
- Public Replay: The Hacker Academy (THA) Deep Dive – Analyzing Malware in Memory by Andrew Case
- Virus Creation Tools (VX heavens) or http://vx.netlux.org/vx.php?id=tidx (both sites now unreachable)
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig
- Tripoux: Reverse-Engineering Of Malware Packers For Dummies [pdf] by Joan Calvet
- Art of Assembly Language Programming (Webster)
- Forensic Artifact: Malware Analysis in Windows 8
- The CVE-2012-4792 and the “spear phishing” Rotary domains – part 1, part 2, jsunpack of a sample
- “ThreatGRID provides services to not only prevent exploitation but also to prepare organization’s response to malware threats. Through its Malware Threat Intelligence Platform, ThreatGRID uses proprietary analytic techniques to locate, assess, measure and remediate suspected malware. We work with an organization’s information security teams to better equip them to handle these types of attacks and to help prevent them in the future.”
- Examining the Nap malicious downloader
- Zero Wine: Malware Behavior Analysis distributed as one QEMU virtual machine image with a Debian operating system installed. The image contains software to upload and analyze malware and to generate reports based on the information gathered (this software is stored in /home/malware/zerowine).
- SANS Investigate Forensic Toolkit (SIFT) Workstation