Can You Trust That File? Malware Reverse Engineering

Can you trust that file? More importantly, can you trust that file’s source? Learning to suspect the source and being cautious (see Can You Trust That Web Site) is crucial.

Sometimes you want to confirm the source or authorship of a program, document, spreadsheet, or PDF file. Unfortunately, developers are not required to digitally sign executables (it is recommended, but not enforced). Verifying a signing certificate would help establish trust in a program. Similarly, people rarely add digital signatures to documents, spreadsheets or PDF files; again, this would help establish trust. In the absence of a digital signature, we need ways to make informed decisions (educated guesses) about whether programs and other files are trustworthy.

If you’re running anti-virus software, then you already have its opinion. You can be too careful, to a point where it interferes with your responsibilities, but it is healthy to be suspicious.

Finding suspicious programs is covered in Simple Malware Discovery Measures.

Send the sample to your anti-virus vendor. They have the analysis procedures and expertise; you don’t. It doesn’t hurt to get a second opinion, though. Use VirusTotal to test a suspicious file against multiple anti-virus vendors. (Note that VirusTotal accepts submissions through email, offers Windows users a file upload utility and offers Firefox users a plugin.) Expect some vendors to report that a file is malicious while others do not; this does not necessarily indicate that some vendors are more effective than others. For example, Sunbelt Software reports that FlashGet is a Trojan horse program because it contains support for the bittorrent protocol. This, like other peer-to-peer file sharing schemes, introduces a remote control mechanism. You may be unaware of this feature and it can be used to compromise your system; Sunbelt appropriately warns you.

Tools to test suspicious files against anti-virus vendors:

Suppose that no anti-virus vendor reports that the file is malicious. That still does not mean you can trust the file.

  • It may be malicious software, previously unreported to all vendors.
  • It may be benign software, repurposed for malicious purposes. For example, it may appear to be a game and, unknown to you, install a widely used remote management program.

pestudio is a tool that performs the static analysis of 32-bit and 64-bit Windows executable files.

You should maintain your own set of hash codes of known good software. See Create a SQL Table of Known Good File Hash Values.

Retain your own repository of known good software. This can be used to build your own hash set. It can also be used to test anti-virus software pattern files for false positives. Before distributing a pattern file, upgrade a single machine and have it scan your repository of known good software. (See McAfee virus definition file 5958.)
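As an added example (not from the original post), a minimal version of that known-good hash table in SQLite, built from a constructed stand-in repository and then used to screen a new pattern file's detections on the single test machine: a hit on a file whose hash is in the table is a probable false positive. The file names and contents are constructed.

```python
import hashlib
import sqlite3

# Constructed stand-in for a known-good repository: path -> file content.
KNOWN_GOOD_REPO = {
    "repo/strings.exe": b"MZ\x90\x00constructed-known-good-strings",
    "repo/procmon.exe": b"MZ\x90\x00constructed-known-good-procmon",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_known_good_db(repo: dict) -> sqlite3.Connection:
    """Create the known-good table and load one SHA-256 row per repository file."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE known_good (sha256 TEXT PRIMARY KEY, path TEXT NOT NULL)")
    db.executemany("INSERT INTO known_good VALUES (?, ?)",
                   [(sha256_hex(content), path) for path, content in repo.items()])
    db.commit()
    return db


def is_known_good(db: sqlite3.Connection, data: bytes) -> bool:
    """True if the file's hash is in the table, i.e. it is software you already trust."""
    row = db.execute("SELECT 1 FROM known_good WHERE sha256 = ?",
                     (sha256_hex(data),)).fetchone()
    return row is not None


def screen_detections(db: sqlite3.Connection, detections: dict) -> dict:
    """Sort a new pattern file's hits (flagged path -> file bytes) into probable
    false positives (hash is known good) and files that still need a look."""
    result = {"false_positive": [], "investigate": []}
    for path, data in detections.items():
        bucket = "false_positive" if is_known_good(db, data) else "investigate"
        result[bucket].append(path)
    return result
```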

Analyze PDF files

Analyze JavaScript files

  • Caffeine Monkey helps researchers discover different ways hackers hide their malicious JavaScript. The tool unmasks what the code is actually doing and allows researchers to create algorithms/functions to classify it in whatever way they want. One of the key components of this tool is that it is behavior based, not signature based: it identifies specific behaviors that are indicative of malicious code. Building on the work of several existing client honeypot implementations, its goal is to largely automate the painstaking work of malicious software collection. The focus is on attacks using JavaScript for obfuscation or exploitation.
  • jsbeautifier, a service for deobfuscating JavaScript and beautifying JavaScript or HTML files.
  • jsunpack, a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files.
  • (discontinued) Wepawet, a service for detecting and analyzing web-based malware that handled Flash, JavaScript, and PDF files.

Tools to run untrusted software

Sandbox utilities analyze the program’s behavior for signs of maliciousness:

  • Cuckoo Sandbox, an open source automated malware analysis system
  • GFI SandBox Internet Malware Analysis System, which accepts W32 samples up to 16MB
  • Norman SandBox: upload a suspicious executable to be run and monitored for suspicious behavior (not just scanned). Archive files will not be unpacked; they are only scanned.

Process Hollowing Meets Cuckoo Sandbox

Mandiant Redline

ProcDOT (from the Austrian CERT) processes Sysinternals Process Monitor (Procmon) logfiles and PCAP-logs (Windump, Tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed.

More tools can be found at the Collaborative RCE Tool Library.

The Norman Malware Analyzer G2 framework includes:

  • Norman SandBox, a fully emulated Microsoft Windows malware analysis environment.
  • Norman IntelliVM, a virtual machine analysis environment that monitors system events for signs of malicious behavior.
  • IntelliVM uses Norman’s KernelScout driver, which embeds the observation agent at the lowest level of the system’s kernel for high performance.
  • Analysis Desktop, a web-based management and operations console.
  • Appliance or software, with APIs.
  • Norman Malware Debugger PRO, which performs analysis of suspicious files with all of the functionality of traditional reverse engineering and debugging tools in a single interface.

Reverse engineering

Really? You want to spend your time reverse engineering what you suspect may be malware? What are you trying to find? Are you attempting to confirm that it is indeed malware, or are you attempting to learn how the malware works? It is important that you get the suspicious file into the hands of the anti-malware community as quickly as possible. Let them confirm that the sample is malware, let them learn what it does. If you don’t like one anti-virus vendor’s response, submit it to others.

On the other hand, you can gain useful intelligence about what the malware was trying to do. If it had been successful, what would have happened? Was it gathering information in order to ship that information to a central location? If so, then you want to detect (perhaps sinkhole) any traffic going to that destination. Was it targeting you specifically, using information it had gathered (an account, for example)? Then perhaps you want to monitor connections using that account.

If you want to discover that information or you’re just stubborn, then teach yourself reverse engineering by starting with simple software whose behavior you know. Familiarize yourself with the Portable Executable (PE) file structure, with tools like PEBrowse Professional and McAfee FileInsight and tutorials at Lenny Zeltser’s FOR610: Reverse-Engineering Malware (REM) site, including his video tutorial, or Iczelion’s Win32 Assembly Homepage. Tips can also be gleaned from the Contagio malware dump blog. An overview from Mandiant’s Kris Kendall can be found at Practical Malware Analysis [pdf].

Jake Williams’ Tips on Malware Analysis and Reverse-Engineering part 1, part 2, part 3

DFIR Training Malware Analysis tools

How to Track Your Malware Analysis Findings

Resource: Malware analysis – learning How To Reverse Malware: A collection of guides and tools

See also: List of best sites to learn Malware Analysis ~ BreakTheSec, Reference Guide – Malware Analysis Training Series, Identifying Malicious Code Infections Out of Network [pdf]

Expect to encounter many suspicious files which are poorly written or are corrupt. It may not be your reverse engineering skills, it may be the poorly written code that is frustrating you.

Fortunately, malware consists of fairly small components. Unfortunately, many tools (packers, cryptors) are available to obfuscate the executable. VirSCAN and PEiD can be used to identify which packer, cryptor or compiler was used (if any). Expect that UPX was used to compress the executable; this is a benign condition. Any other packer, cryptor or compiler reinforces your suspicions. Then use an appropriate unpacker. Fortunately, once the file is unpacked, antivirus software may tell you which malware family you are dealing with.
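As an added example (not from the original post, and not PEiD’s or VirSCAN’s code), a minimal PE section walker that applies the rule above: UPX is recognised by its UPX0/UPX1 section names and treated as benign, while any other section with near-maximal byte entropy is flagged as an unknown packer or cryptor. build_pe constructs tiny test images inline; a real sample would be read from disk instead.

```python
import math
import struct

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names UPX writes into the header

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes) -> list:
    """Walk the COFF section table and return [(name, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8s4I", pe, table + 40 * i)
        out.append((name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]))
    return out

def packer_verdict(pe: bytes) -> str:
    """UPX by section name (benign per the text above); otherwise flag high entropy."""
    secs = pe_sections(pe)
    if any(name in UPX_NAMES for name, _ in secs):
        return "UPX"
    if any(shannon_entropy(d) > 7.0 for _, d in secs if len(d) >= 256):
        return "unknown packer/cryptor (high-entropy section)"
    return "no packer detected"

def build_pe(sections) -> bytes:
    """Constructed minimal PE (MZ stub, COFF header, section table, raw data) for testing."""
    hdr_len = 0x40 + 24 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, off = b"", b"", hdr_len
    for name, data in sections:
        table += struct.pack("<8s4I", name, len(data), 0x1000, len(data), off) + b"\0" * 16
        body += data
        off += len(data)
    return dos + coff + table + body
```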

See FireEye’s Hot Knives Through Butter [pdf] whitepaper for techniques malware authors use to evade signature-based virus detection.

  • VirusTotal has already done the first steps for you. That is, it has computed hash codes (file signatures), reported the PE file structure, used TrID and PEiD, and consulted Kaspersky and F-Prot about any packer or cryptor detected. VirusTotal has run your submission through ThreatExpert, which reports any activity you may wish to investigate further (such as network connections it attempts or possible information theft). VirusTotal has run your submission through the CWSandbox instance at Sunbelt Software and reported any activity you may wish to investigate further (such as system changes).
  • FUU (Faster Universal Unpacker) is a GUI Windows tool with a set of plugins to help you unpack, decompress and decrypt most programs packed, compressed or encrypted with well-known software protection programs like UPX, ASPack, FSG, ACProtect, etc.
  • Find Evil from Mandiant, by Nick Harbour, is a malware discovery tool which uses disassembly to detect packed executables.
  • Google for the packer PEiD found along with the word “unpacker.”
  • OllyDbg debugger with the OllyDump plugin, a reverse engineering utility.
  • Free Disassemblers, Hex Editors & Viewers
  • Generic Unpacker Win32 by Christoph Gabler
  • PEBrowse Professional
  • IDA Pro Disassembler with the “Universal Unpacker”, a reverse engineering utility for analyzing malware.
  • Immunity Debugger, to write exploits, analyze malware, and reverse engineer binary files
  • Hook Analyser Malware Tool 2.6 is a hooking tool which can be helpful in reversing applications and analyzing malware. It can hook an API in a process and search for a pattern in memory or dump the buffer.
  • WinDbg, Microsoft’s Windows debugging environment
  • SoftICE Windows debugging environment (manufacturer discontinued)
  • RR0D debugging environment for Microsoft Windows, Linux, OpenBSD, NetBSD, FreeBSD (and awfully similar to SoftICE)
  • Syser Windows debugging environment
  • DJ Java Decompiler to decompile Java CLASS files
  • PDFiD or PDF Structazer to analyze PDF files
  • Tools from Kahu Security:
    • Converter – Convert data to/from many different formats, format data, search/replace data, extract data, find XOR/ROT/SFT keys, import/export/split/join/convert files, and more. This tool was originally made for analyzing and deobfuscating malicious scripts so it wasn’t designed to handle large datasets.
    • Data Converter – Converts text, hex, or decimal values using XOR, ROTate, and ShiFT methods. You can do an XOR keyword search or enumerate all keys to a file. You can import a binary file, perform add/subtracts before/after an XOR/ROT/SFT action, and write out the results to a text or binary file.
    • File Converter – Converts large binary files to/from hex files with or without XOR encryption/decryption. Supports hex and decimal XOR keys.
    • PHP Converter – Deobfuscates/obfuscates PHP scripts.
    • Revelo – Deobfuscates JavaScript using a variety of different methods; includes a built-in JS beautifier, DOM walker, firewall, packet sniffer, and proxy. Note: If analyzing malicious content, please use it in a virtual machine. If the script calls Java, Acrobat, or some other plug-in, Revelo won’t protect you.
    • Sandbox Tester – Creates a dropper that deploys several methods to get past automated malware analysis tools. The dropper safely drops an Eicar file and pops up a message upon execution.
    • Secret Decoder Ring – Performs character substitution and position-based character lookups. Several exploit packs use this technique to hide URLs. Now you can analyze, decode, and encode URLs.

Once unpacked and unencrypted, use strings (from Sysinternals). You may find a URL that the program connects to. When you encounter a suspicious URL, you have learned you cannot trust that file.
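As an added example (not from the original post and not Sysinternals’ code), a small reimplementation of what strings does on a binary, including the UTF-16LE strings that Windows binaries commonly hold and that an ASCII-only scan misses, followed by a URL pass over the result. The sample bytes are constructed and the .invalid hostnames are placeholders.

```python
import re

MIN_LEN = 3  # the Sysinternals strings default minimum length
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)  # UTF-16LE, Latin range
URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./?=&%-]*)?", re.IGNORECASE)


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs, in file order, as strings.exe reports them."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return [text for _, text in sorted(hits)]


def find_urls(data: bytes) -> list:
    """URLs seen in either encoding, deduplicated, in order of first appearance."""
    urls = []
    for text in extract_strings(data):
        for url in URL_RE.findall(text):
            if url not in urls:
                urls.append(url)
    return urls


# Constructed sample: an import name and an ASCII URL, non-printable filler, then a
# URL stored as UTF-16LE (common in Windows binaries; an ASCII-only scan misses it).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00"
    + b"http://example.invalid/update/check.php\x00"
    + b"\x01\x02\x03"
    + "https://update.example.invalid:8443/ping".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for url in find_urls(SAMPLE):
        print("URL found in sample:", url)
```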

Analyze Android applications with Agnition, Windows Phone 7 applications with Windows Phone App Analyser; see “Windows Phone App Analyser v1.0 released today“.

Appliance: ValidEdge, with its portable Malware Intelligence System (MISbook 2300), has been acquired by McAfee.

Appliance: Norman Shark Malware Analyzer G2

See also:
