Malware analysis is very important: whatever security tools we use, attackers may still get into our networks. Malware analysis basically divides into two parts:
1. Behavioral Analysis
2. Code Analysis
This is the first part of malware analysis, Behavioral Analysis: we
analyse the behavior of the malware and monitor the activities it
performs on the system. Here is the list of tools you will need for
behavioral analysis.
Requirements:
- VMware server with XP installed
- Regshot
- Process Monitor
- Process Explorer
- Wireshark
- CaptureBAT
- Fake DNS
Download them from here.
OK, let's start it right away.
First, take a snapshot of the state of the machine’s file system and the
registry. This will allow you to quickly see what major changes have
occurred on the system after you infect it. For this you have to use
"Regshot". To use it, enable the “Scan dir1” option, and in the
corresponding window type “C:\”. Click “1st shot”.

After Regshot has taken the snapshot, run the malware program with
"Administrator" privileges so that it gets the highest privileges
available. Interact with the program a bit to get it working. Then end
the malicious program, click "2nd shot" in Regshot and click "Compare".
You will now see a report that describes the major changes to the
system's state. In this case, we see that a few files were added to the
system.
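The "1st shot / 2nd shot / Compare" workflow above, as an added example that is not part of the original article and not Regshot's own code: it snapshots a directory tree with file sizes and SHA-256 hashes, then diffs the two shots. The file names dropped in `demo()` are constructed to mirror the article's scenario.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Record (size, SHA-256) for every regular file under root: one Regshot-style 'shot'."""
    root = Path(root)
    shot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue  # locked or vanished files are skipped rather than aborting the scan
            shot[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return shot

def compare(first, second):
    """Diff two shots the way Regshot's 'Compare' does: added, deleted and modified paths."""
    added = sorted(set(second) - set(first))
    deleted = sorted(set(first) - set(second))
    modified = sorted(p for p in first.keys() & second.keys() if first[p] != second[p])
    return {"added": added, "deleted": deleted, "modified": modified}

def demo():
    """Constructed scenario: a 'specimen' run drops pas.txt and msnsettings.dat and edits a config."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "existing.ini").write_text("original")
        first = snapshot(root)                                            # 1st shot, before the run
        (root / "pas.txt").write_text("user=victim\npass=secret\n")       # constructed dropped files
        (root / "msnsettings.dat").write_text("test\ngsmtp185.google.com\n")
        (root / "existing.ini").write_text("modified by specimen")
        second = snapshot(root)                                           # 2nd shot, after the run
        return compare(first, second)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```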

The two files that appeared on the system after we infected it are
pas.txt and msnsettings.dat. Take a look at them using Notepad. It looks
like pas.txt has captured the logon credentials we used when logging
into the malicious executable. The msnsettings.dat file looks like a
configuration file of some sort.
Let us understand how the malicious program interacts with the file
system and the registry with the help of Process Monitor. To use
Process Monitor, run it while infecting the system. Process Monitor
records API calls that deal with the file system, the registry and other
local activities. In the screenshot, you see attempts by our malware
specimen to create the pas.txt file and to locate the msnsettings.dat
file.

Reverse-engineering malware can help you become better at incident
response and forensic analysis. In our scenario, we have already
discovered that the Windows Live Messenger trojan makes use of the
msnsettings.dat file. Now you know to look for it on a compromised
system, even if you did not initially realize that this file
was important.
Once you have a copy of msnsettings.dat, you can open it to see whether
it reveals additional details about the program. As shown in the figure:

One is a string “test,” which we may be able to use later when trying to
understand how the trojan processes the msnsettings.dat file. Another
line, “gsmtp185.google.com” specifies an SMTP mail server; this suggests
that our specimen has the ability to send email. The file also includes
an email address, “[email protected]”. This may be the recipient
of the information that the trojan might attempt to send out.
Another tool that is very helpful in malware analysis is CaptureBAT.
CaptureBAT is similar to Process Monitor in that it records local
processes' interactions with their environment. CaptureBAT's logs tend
to be less noisy than those created by Process Monitor, because
CaptureBAT comes with filters that eliminate the majority of standard,
non-malicious activity from the logs.
If you launch CaptureBAT with the “-c” parameter, it will capture any
files deleted in the background, allowing you to look at and restore
even those files that the Windows Recycle Bin cannot capture.
Launching CaptureBAT with the “-n” parameter tells the tool to capture
network traffic, like a sniffer would, saving the result into a local
.cap file. As you can see in the picture, CaptureBAT confirmed our
earlier findings about the malware specimen.

You can load the .cap file created by CaptureBAT into a full-feature network sniffer, such as Wireshark.

As you can see in the picture, the sniffer shows that the infected
system has issued a DNS query, attempting to resolve the hostname
“gsmtp185.google.com”. The “smtp” in the hostname suggests that the
malware specimen is looking for a mail server to connect to, reinforcing
our earlier theory of how the trojan might use this hostname.
To confirm how the specimen wishes to use "gsmtp185.google.com", allow the trojan to resolve this hostname. Once it can resolve it, it will presumably attempt to connect to it, and you will be able to use a network sniffer to see what service the specimen is trying to access. To set up name resolution, insert an entry for the hostname into the "hosts" file on the infected system. A faster alternative is to use a tool called ApateDNS.

ApateDNS is a DNS server that you can configure to answer any DNS query
with a single IP address of your choice. I usually suggest picking the IP
address of some system in your lab on which you can run the service
that the malware may look for. This redirects the connection to the host
where you have set up the listener, allowing the connection to be
completed so you can learn about its purpose.
In our example, captured in the above picture, the network sniffer now
confirmed that the infected system is attempting to connect to TCP port
25 on “gsmtp185.google.com”.
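What ApateDNS does for the hostname above (and for the "hosts" file alternative), as an added example that is not part of the original article and not ApateDNS's code: a tiny UDP DNS responder that parses the incoming query and answers every A record request with one lab IP. The address 10.0.0.5 is an assumed lab listener host; `build_query` exists only to construct sample packets for offline checking.

```python
import socket
import struct

LAB_IP = "10.0.0.5"  # assumption: the lab host where the listener (e.g. a fake SMTP server) runs

def encode_qname(name):
    """'gsmtp185.google.com' -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"

def decode_qname(packet, offset=12):
    """Read the QNAME that starts right after the 12-byte header; return (name, offset after it)."""
    labels = []
    while True:
        n = packet[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + n].decode())
        offset += n

def build_query(name, qtype=1, txid=0x1234):
    """Constructed client query (RD set, one question) used for testing without a real resolver."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack(">HH", qtype, 1)

def build_response(query, ip=LAB_IP, ttl=60):
    """Answer any A/IN query with LAB_IP; other types get an empty (NOERROR, no answer) reply."""
    txid = struct.unpack(">H", query[:2])[0]
    name, end = decode_qname(query)
    qtype, qclass = struct.unpack(">HH", query[end:end + 4])
    answers = 1 if (qtype, qclass) == (1, 1) else 0
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, answers, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    resp = header + query[12:end + 4]                                   # echo the question section
    if answers:
        # name is a compression pointer to offset 12 (the question's QNAME), TYPE A, CLASS IN
        resp += struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return name, resp

def serve(bind="0.0.0.0", port=53):
    """Run on the lab DNS host; point the infected VM's DNS setting at it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        name, resp = build_response(data)
        print(f"{peer[0]} asked for {name} -> answered {LAB_IP}")  # the query log is itself an IoC list
        sock.sendto(resp, peer)

if __name__ == "__main__":
    serve()
```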
OR YOU CAN USE "FAKENET"
FakeNet automatically redirects network traffic, so there is no need to
modify the hosts file or use ApateDNS with this tool. FakeNet emulates
various common services, including HTTP and SMTP.

In our example, illustrated in the picture, FakeNet pretends to be a
mail server, intercepting the email message that our trojan attempts to
send through "gsmtp185.google.com".
Now you can see the contents of the message that the trojan is mailing
to the attacker. As highlighted in the picture, the message includes the
victim's Windows Live Messenger username and password. We also see that
the exfiltrated data is directed to "[email protected]".
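The SMTP side of what FakeNet did above, as an added example that is not part of the original article and not FakeNet's code: a minimal fake mail server that speaks just enough SMTP (HELO/MAIL/RCPT/DATA/QUIT, with dot-unstuffing) to accept a message and keep it for inspection. It assumes the lab DNS (hosts file, ApateDNS or the like) already points the hostname at the host running it; the "sink.lab" banner name is made up.

```python
import socketserver

class SmtpSink:
    """Server-side SMTP state machine: feed it client lines, get replies, keep every message."""
    def __init__(self):
        self.mail_from, self.rcpt_to, self.body = None, [], []
        self.in_data = False
        self.captured = []  # one (sender, recipients, message) tuple per delivered mail

    def handle_line(self, line):
        if self.in_data:
            if line == ".":                      # end of DATA: file the message
                self.in_data = False
                self.captured.append((self.mail_from, self.rcpt_to, "\n".join(self.body)))
                self.rcpt_to, self.body = [], []
                return "250 OK: queued"
            # undo SMTP dot-stuffing (RFC 5321 section 4.5.2) so the captured body is exact
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sink.lab"
        if verb == "MAIL":                       # MAIL FROM:<sender>
            self.mail_from = arg.partition(":")[2].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":                       # RCPT TO:<recipient>
            self.rcpt_to.append(arg.partition(":")[2].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"                          # accept anything else so the client keeps talking

class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        sink = SmtpSink()
        self.wfile.write(b"220 sink.lab fake SMTP\r\n")
        for raw in self.rfile:
            reply = sink.handle_line(raw.decode(errors="replace").rstrip("\r\n"))
            if reply:
                self.wfile.write(reply.encode() + b"\r\n")
            if reply == "221 Bye":
                break
        for sender, rcpts, msg in sink.captured:     # what the specimen tried to exfiltrate
            print(f"mail from {sender} to {rcpts}:\n{msg}\n")

if __name__ == "__main__":
    socketserver.TCPServer(("0.0.0.0", 25), SinkHandler).serve_forever()  # isolated lab host only
```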
So this was the behavioral analysis of our malware. In this article we
only analyzed the behavior of the malware (its files, processes, network
services, etc.) to learn about it. So far we have found these things:
1. The malware creates 2 files after launching: pas.txt and msnsettings.dat
2. It sends the user's Live Messenger credentials to the following mail server:
Attacker's mail server: gsmtp185.google.com
Attacker's email id: [email protected]
After this article I'm working on code analysis of malware. I will do the code analysis of the same application that was used in this tutorial, so you can say this one is the first part of malware analysis. The second part will come soon.
About the Author:
This article has been posted by Kislay Bhardwaj. He is a security researcher specialized in penetration testing, cyber forensics, Linux security and other security assessments and training.