CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis

View on GitHub
21 February 2017

Demo of Static Analysis Using Strings

by

Demo of Static Analysis Using Strings

This lecture primarily focused on building yara signatures for detection through static analysis, and also documenting interesting findings from your analysis. In particular, we focused on cataloging the sample, creating an initial malware report template, and performing analysis of the strings data from the file.

Unfortunately, lecture video needs to be re-recorded for this topic

We analyzed the following malware sample:

1bc9ab02d06ee26a82b5bd910cf63c07b52dc83c4ab9840f83c1e8be384b9254 VirusShare_f7f85d7f628ce62d1d8f7b39d8940472

Our findings were documented in the following malware report

We initially decided to use the strings utility that ships with Remnux to display the strings from the malware sample. Frequently, ASCII-encoded human readable strings are present in plain-text within even EXE files. These frequently reflect data that is symbol names used for referencing objects and functions within the IDE, but also run-time messages intended to inform a human operator during program use. A common approach I may use is to execute the following command in the Linux terminal, within the folder containing the artifact I intend to analyze:

bash$ strings  VirusShare_f7f85d7f628ce62d1d8f7b39d8940472 | less

The above gives you a paginated view of the strings contained within the malware sample. I want to review the content in the file for anything that sticks out to me as identifying. Some examples of this might be:

When browsing through the strings list, I found the following strings suggesting network addresses:

YYYYYXYYYYYhttp://media.tzafrir.org.il/blog/index2.html
BBBBBBBBBBBBBBBBBBBBBBBBB
XXXXXYXXXXXhttp://media.aunewsonline.com/blog/index2.html
AAAAAAAAAAAAAAAAAAAAAAA

Also, I found the following strings suggesting commands that the user can type to operate the malware. In particular, the following extracted ones appear to be descriptions of their syntax to be queried at run-time if the operator forgets or is confused:

seturl2 internelurl
seturl1 internelurl
setsleep 60000
makefile filename
mkcmdshell ip [clientid]
mkcmdload filename [clientid]
mkcmdrun filename [clientid]
mkcmddown interneturl [clientid]
mkcmddownrun interneturl [clientid]
mkcmdsleep 60000 [clientid]

Additionally, it is frequently helpful to ensure that the information you are extracting from an EXE is not information that would also be identifiable on non-malware EXE’s, such as those which ship with Windows or are installed as third-party applications. A good way to help inform oneself about these is to attempt practice analysis on legitimate Windows programs (such as iexplore.exe) to baseline what normal application data looks like so that you may more easily spot these in the future, and do not include these in your analysis. For example, the EXE I chose has 294 strings parsed from it using this tool, but I only selected 10 of these strings (less than 4% of the strings) as “interesting”. Surely, there are more and my example was intentionally brief for the teaching exercise, but even after analyzing the whole file not much more than 15% of the available strings could be considered “interesting”.

Once I was finished extracting these artifacts, I created a signature out of my findings using the yara signature langauge below.

Here is documentation for Yara on the syntax below: http://yara.readthedocs.io/en/v3.5.0/writingrules.html

rule ex1_rule {
 meta:
  author = "Coleman Kane"

 strings:
  /* Malicious strings */
  $mal_seturl2 = "seturl2"
  $mal_seturl1 = "seturl1"
  $mal_setsleep = "setsleep"
  $mal_makefile = "makefile"
  $mal_mkcmdshell = "mkcmdshell"
  $mal_mkcmdload = "mkcmdload"
  $mal_mkcmdrun = "mkcmdrun"
  $mal_mkcmddown = "mkcmddown"
  $mal_mkcmddownrun = "mkcmddownrun"
  $mal_mkcmdsleep = "mkcmdsleep"

 condition:
  4 of them

}

Additionally, if I want to exclude matching on any file containing a specific string, I can use the signature logic to build exclusions as well.

rule ex1_rule {
 meta:
  author = "Coleman Kane"

 strings:
  /* Malicious strings */
  $mal_seturl2 = "seturl2"
  $mal_seturl1 = "seturl1"
  $mal_setsleep = "setsleep"
  $mal_makefile = "makefile"
  $mal_mkcmdshell = "mkcmdshell"
  $mal_mkcmdload = "mkcmdload"
  $mal_mkcmdrun = "mkcmdrun"
  $mal_mkcmddown = "mkcmddown"
  $mal_mkcmddownrun = "mkcmddownrun"
  $mal_mkcmdsleep = "mkcmdsleep"

  /* Strings identifying legit programs. */
  $legit_mcafee = "McAfee Anti-Virus"

 condition:
  4 of ($mal_*) and 0 of ($legit_*)

}

Our yara rule identified two more “similar” samples in our library:

13e40ee7c6874e2f1ed58bc09738a5525f86361f1a85387b2110f114d8f3272a  VirusShare_0149b7bd7218aab4e257d28469fddb0d
f79e4adc2cd11f9e44023cbdb827777a0c44af44bb19b494bef2d2d8e6e3be02  VirusShare_1415eb8519d13328091cc5c76a624e3d

I provided a very simple malware analysis LaTeX template here, that could be used for future work:

My current approach has been to use the following steps to create a new report from the above template and generate a PDF from it:

cp mw_report.ltx sample1_exe.ltx
vim sample1_exe.ltx # Open new report in editor, and make changes

Once you’ve filled in your report details, then you could use latex to author it into a PDF document named sample1_exe.pdf:

latex sample1_exe.ltx
latex sample1_exe.ltx
dvipdf sample1_exe.dvi

A common problem that can arise is when you are analyzing your malware samples and extracting interesting content, it is not always readily apparent what is and is not a significant finding. A non-significant finding would be, for example, a string from a malware sample that also happens to show up in NOTEPAD.EXE, CMD.EXE, or any other common windows program. In order to determine whether something is significant or not, it is helpful to build up a folder of benign program samples which you can use to tune and test your yara rules against.

There are many ways to build such a database, but a very quick method that yields pretty good results is to simply copy all of the EXE and DLL files from a windows installation. So, I have put together a database to test my rules using VirtualBox and my Windows XP VM. You can, however, use whatever works best for you.

Following the below steps, I was able to export all of these EXE’s and DLL’s into on big folder. Make sure you are using one of the “clean” Windows VM images, and not one that you may have already loaded malware into.

  1. Create a new folder called “benign-exe” on your host system
  2. Using VirtualBox VM Shared Folder settings, map this new directory to a shared folder of the same name
  3. Boot up your VM (if it is not already running)
  4. Once Windows is up and running, open a new explorer window and enter “\\VBOXSVR" in the location bar
  5. You should see the folder named “benign-exe” in the window
  6. Right click on the “benign-exe” and choose “Map Network Drive…” and a dialog will pop up asking you what drive letter you’d like to map it to.
  7. Choose Z: (or whatever you want, but keep track of the choice you’ve made)

Once the above is done, you should open a command prompt. A common way to do this is using the Start menu and choosing “Run” and then entering “CMD.EXE”, or navigating to the Command Prompt shortcut in the menu.

Following that, type the following command into the prompt, and it will take some time but eventually it will finish copying all of your Windows EXE’s and DLL’s into the VBox shared folder:

C:
CD \
FOR /R %x in (*.exe, *.dll) DO COPY /Y %x Z:\

Once the job is complete, you will no longer need to be running your Windows VM. Your host system will now have a copy of all of the DLLs and EXEs from your windows VM, and you may share this folder with your Remnux VM.

Once mounted in Remnux (at a folder named benign-exe), you may test any yara signature against this data set using the following command (the -s option displays all matching content, while the -r option recursively searches all files in the directory):

yara -s -r myrule.yar benign-exe/

In this case, your goal is to make sure that you can build a yara rule with the following characteristics:

home

tags: malware lecture yara strings static-analysis