Can you trust that file? More importantly, can you trust that file’s source? Learning to suspect the source and being cautious (see Can You Trust That Web Site) is crucial.
Sometimes you want to confirm the source or authorship of a program, document, spreadsheet, or PDF file. Unfortunately, developers are not required to digitally sign executables (it is recommended, but not enforced). Confirmation of a certificate would help establish trust for a program. Similarly, persons rarely add digital signatures to documents, spreadsheets or PDF files. Again, this would help confirm its source. We don’t get the digital signature mechanism, so we need ways to make informed decisions (educated guesses) about whether programs and other files are trustworthy.
If you’re running anti-virus software, then you already have its opinion. You can be too careful, to a point where it interferes with your responsibilities, but it is healthy to be suspicious.
Finding suspicious programs is covered in Simple Malware Discovery Measures.
Send the sample to your anti-virus vendor. They have the analysis procedures and expertise; you don’t. It doesn’t hurt to get a second opinion, though. Use VirusTotal to test a suspicious file against multiple anti-virus vendors. (Note that VirusTotal accepts submissions through email, offers Windows users a file upload utility and offers Firefox users a plugin.) Expect some vendors to report that a file is malicious while others do not; this does not necessarily indicate that some vendors are more effective than others. For example, Sunbelt Software reports that FlashGet is a Trojan horse program because it contains support for the bittorrent protocol. This, like other peer-to-peer file sharing schemes, introduces a remote control mechanism. You may be unaware of this feature and it can be used to compromise your system; Sunbelt appropriately warns you.
Suppose that no anti-virus vendor reports that the file is malicious. That still does not mean you can trust the file.
- It may be malicious software, previously unreported to all vendors.
- It may be benign software, repurposed for malicious purposes. For example, it may appear to be a game and, unknown to you, install a widely used remote management program.
Tools to test suspicious files against anti-virus vendors:
- Virus Total File Scan multiple vendors and four code analysis utilities, up to 20MB
- #totalhash Malware Analysis Database
- Malwr Malware analysis. Submit a file and receive the results of a complete dynamic analysis. That is, get behavioral as well as static information.
- VirSCAN Submit suspicious file, up to 20 MB, even password protected ZIP or RAR files
- Jotti File Scan much like VirusTotal
- Anubis Iseclab Submit suspicious file, up to 8 MB. Alternately, submit URL.
- Kaspersky File Scan Single vendor, single file, up to 1MB
- Avast! File Scan Single vendor, single file, up to 512kB
- ThreatExpert Submit a suspicious file.
- BitBlaze Malware Analysis Service Submit a suspicious file.
- Offensive Computing Submit a suspicious file.
- UploadMalware Submit up to six suspicious files.
- Comodo Automated Analysis System Submit a suspicious file.
- EUREKA Malware Analysis Internet Service Submit a suspicious file.
- Xandora Submit a suspicious file.
- Information Technology Information Sharing and Analysis Center (IT-ISAC) Submit a suspicious file. Public section with best practices, news, and references. Private section for organizations.
- MalwareHash Hash codes of known bad software. No file size limit, no file limit, since you send hash codes.
- Malware Hash Registry by Team Cymru Hash codes of known bad software. No file size limit, no file limit, since you send hash codes.
- Internet Storm Center (ISC) copy of NIST database Known good software. Your internal applications will not be here. Patched off-the-shelf software will not be here. No file size limit, no file limit, since you send hash codes.
You should maintain your own set of hash codes of known good software. See
Create a SQL Table of Known Good File Hash Values
Retain your own repository of known good software. This can be used to build your own hash set. It can also be used to test anti-virus software pattern files for false positives. Before distributing a pattern file, upgrade a single machine and have it scan your repository of known good software. (See McAfee virus definition file 5958.)
Analyze PDF files
- Malware Tracker: PDF Examiner Upload PDF or submit URL
Tools to run untrusted software
Sandbox utilities, analyze the program’s behavior for signs of maliciousness
|Cuckoo Sandbox||open source automated malware analysis system|
|GFI SandBox||Internet Malware Analysis System – submit W32 samples up to 16MB|
|Norman SandBox||Upload suspicious executable to be run and monitored for suspicious behavior (not just scanned). Archive files will not be unpacked, they are only scanned.|
ProcDOT (from the Austrian CERT) processes Sysinternals Process Monitor (Procmon) logfiles and PCAP-logs (Windump, Tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed.
More tools can be found at the Collaborative RCE Tool Library.
The Norman Malware Analyzer G2 framework includes:
- Norman SandBox, a fully emulated Microsoft Windows malware analysis environment.
- Norman IntelliVM, VM analysis monitors system events for signs of malicious behavior.
- IntelliVM uses Norman’s KernelScout driver, embedding the intelligence observation agent at the lowest level of the system’s kernel for super performance.
- Analysis Desktop, a Web Based management and operations console.
- Appliance or software and APIs.
- Norman Malware Debugger PRO, performs analysis of suspicious files with all of the functionality of traditional reverse engineering and debugging tools in a single interface, performing analysis of malware threats.
Really? You want to spend your time reverse engineering what you suspect may be malware? What are you trying to find? Are you attempting to confirm that it is indeed malware, or are you attempting to learn how the malware works? It is important that you get the suspicious file into the hands of the anti-malware community as quickly as possible. Let them confirm that the sample is malware, let them learn what it does. If you don’t like one anti-virus vendor’s response, submit it to others.
If you’re going to be stubborn, then teach yourself reverse engineering by starting with simple software whose behavior you know. Familiarize yourself with the Portable Executable (PE) file structure, with tools like PEBrowse Professional, McAfee FileInsight and tutorials at Larry Zeltser’s FOR610: Reverse-Engineering Malware (REM) site including his video tutorial or Iczelion’s Win32 Assembly Homepage. Tips can also be gleaned from the Contagio malware dump blog. An overview from Mandiant’s Kris Kendall can be found at Practical Malware Analysis [pdf].
See also: List of best sites to learn Malware Analysis ~ BreakTheSec, Reference Guide – Malware Analysis Training Series, Identifying Malicious Code Infections Out of Network [pdf]
Expect to encounter many suspicious files which are poorly written or are corrupt. It may not be your reverse engineering skills, it may be the poorly written code that is frustrating you.
Fortunately, malware consists of fairly small components. Unfortunately, many tools (packers, cryptors) are available to obfuscate the executable. VirSCAN and PEiD can be used to identify which packer, cryptor or compiler was used (if any). Expect UPX was used to compress the executable; this is a benign condition. Any other packer, cryptor or compiler reinforces your suspicions. Then use an appropriate unpacker. Fortunately, once unpacked antivirus software may tell you which malware family you are dealing with.
See FireEye’s Hot Knives Through Butter [pdf] whitepaper for techniques malware authors use to evade signature-based virus detection.
- VirusTotal has already done the first steps for you. That is, it has computed hash codes (file signatures), reported the PE file structure, used TrID, PEiD and consulted Kaspersky and F-Prot about any packer or cryptor detected. VirusTotal has run your submission through ThreatExpert, which reports any activity you may wish to be investigate further (such as network connections, possible information theft, that it attempts). VirusTotal has run your submission through the CWSandbox instance at Sunbelt Software and reported any activity you may wish to investigate further (such as system changes).
- FUU (Faster Universal Unpacker) is a GUI Windows Tool with a set of tools (plugins) to help you to unpack, decompress and decrypt most of the programs packed, compressed or encrypted with the very well knowns software protection programs like UPX, ASPack, FSG, ACProtect, etc.
- Find Evil from Mandiant, by Nick Harbour, is a malware discovery tool which uses disassembly to detect packed executables.
- Google for the packer PEiD found along with the word “unpacker.”
- OllyDbg Debugger with the Ollydump plugin reverse engineering utility.
- Free Disassemblers, Hex Editors & Viewers
- Generic Unpacker Win32 by Christop Gabler
- PEBrowse Professional
- IDA Pro Disassembler with the “Universal Unpacker”, reverse engineering utility, if you wish to analyze malware.
- Immunity debugger write exploits, analyze malware, and reverse engineer binary files
- Hook Analyser Malware Tool 2.6 is a hook tool which can be potentially helpful in reversing applications and analyzing malware. It can hook to an API in a process and search for a pattern in memory or dump the buffer.
- WinDbg, Microsoft’s Windows debugging environment
- SoftICE Windows debugging environment (manufacturer discontinued)
- RR0D debugging environment for Microsoft Windows, Linux, OpenBSD, NetBSD, FreeBSD (and awfully similar to SoftICE)
- Syser Windows debugging environment
- DJ Java Decompiler to decompile Java CLASS files
- pdf-parser.py, PDFiD or PDF Structazer to analyze PDF files
- Tools from Kahu Security:
- Converter – Convert data to/from many different formats, format data, search/replace data, extract data, find XOR/ROT/SFT keys, import/export/split/join/convert files, and more. This tool was originally made for analyzing and deobfuscating malicious scripts so it wasn’t designed to handle large datasets.
- Data Converter – Converts text, hex, or decimal values using XOR, ROTate, and ShiFT methods. You can do an XOR keyword search or enumerate all keys to a file. You can import a binary file, perform add/subtracts before/after an XOR/ROT/SFT action, and write out the results to a text or binary file.
- File Converter – Converts large binary files to/from hex files with or without XOR encryption/decryption. Supports hex and decimal XOR keys.
- PHP Converter – Deobfuscates/obfuscates PHP scripts.
- Sandbox Tester – Creates a dropper that deploys several methods to get past automated malware analysis tools. The dropper safely drops an Eicar file and pops up a message upon execution.
- Secret Decoder Ring – Performs character substitution and position-based character lookups. Several exploit packs use this technique to hide URLs. Now you can analyze, decode, and encode URLs.
Once unpacked and unencrypted, use strings (from Sysinternals). You may find a URL that the program connects to. When you encounter a suspicious URL, you have learned you cannot trust that file.
Appliance: ValidEdge and its portable Malware Intelligence System (MISbook 2300), has been acquired by McAfee.
Appliance: Norman Shark Malware Analyzer G2
- The Use of Malware Analysis in Support of Law Enforcement [pdf], CERT® Coordination Center; Nicholas Ianelli (CERT/CC), Ross Kinder (CERT/CC), Christian Roylo (USSS); July 11, 2007
- Open Reverse Code Engineering (OpenRCE)
- Michael Ligh mnin.org
- Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard
- JL’s stuff Jamie Levy
- Lenny Zeltser SEC-610 Reverse-Engineering Malware
- Lenny Zeltser Analyzing Malicious Documents cheatsheet
- Nick Harbour’s utilities, presentations and reverse engineering cheatsheet (rnicrosoft.net)
- McAfee Labs blog has insight into how malware analysis is done.
- x86 Intel Assembly Cheat Sheet by Nick Harbour
- Win32 x86 Assembly Cheatsheet by Peter Kankowski
- |From: PDF@Exploit| |To: Zeus@Trojan| |Subject: Steals Bank Credentials| walks through how a maliciously crafted PDF installs malware. Illustrates File Insight, Malzilla, and Olly Debugger. (What’s File Insight?)
- See ‘Vulnerability-based Protection and the Google “Operation Aurora” Attacks’ from NSS Labs [pdf].
- Teach Me How To Reverse (Part 0)
- Traversing a ‘DLL’: Financial Crimeware (Banker) walks through a Banker trojan, illustrating a strings enumerator, PEiD and Olly Debugger.
- Visual Malware Reversing: How to Stop Reading Assembly and Love the Code by Danny Quist [m4v]
- Public Replay: The Hacker Academy (THA) Deep Dive – Analyzing Malware in Memory by Andrew Case
- Virus Creation Tools (VX heavens) or http://vx.netlux.org/vx.php?id=tidx (both sites now unreachable)
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig
- Reversing: Secrets of Reverse Engineering by Eldad Eliam
- The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler by Chris Eagle
- Reverse Engineering Code with IDA Pro by IOActive
- Tripoux: Reverse-Engineering Of Malware Packers For Dummies [pdf] by Joan Calvet
- Art of Assembly Language Programming (Webster)
- Forensic Artifact: Malware Analysis in Windows 8
- The CVE-2012-4792 and the “spear phishing” Rotary domains – part 1, part 2, jsunpack of a sample
- “ThreatGRID provides services to not only prevent exploitation but also to prepare organization’s response to malware threats. Through its Malware Threat Intelligence Platform, ThreatGRID uses proprietary analytic techniques to locate, assess, measure and remediate suspected malware. We work with an organization’s information security teams to better equip them to handle these types of attacks and to help prevent them in the future.”
- Examining the Nap malicious downloader
- Zero Wine: Malware Behavior Analysis distributed as one QEMU virtual machine image with a Debian operating system installed. The image contains software to upload and analyze malware and to generate reports based on the information gathered (this software is stored in /home/malware/zerowine).
- SANS Investigate Forensic Toolkit (SIFT) Workstation
- Avira Rescue System