http://www.iaeme.com/IJMET/index.asp 10 [email protected]

International Journal of Mechanical Engineering and Technology (IJMET) Volume 9, Issue 1, January 2018, pp. 10–21, Article ID: IJMET_09_01_002

Available online at http://www.iaeme.com/IJMET/issues.asp?JType=IJMET&VType=9&IType=1

ISSN Print: 0976-6340 and ISSN Online: 0976-6359

© IAEME Publication Scopus Indexed

INTRODUCTION TO DYNAMIC MALWARE ANALYSIS FOR CYBER INTELLIGENCE AND FORENSICS

P V Vara Prasad

Assistant Professor, Koneru Lakshmaiah Education Foundation, Department of CSE, India

N Sowmya, K Rajasekhar Reddy and P Jayant Bala

Student, Koneru Lakshmaiah Education Foundation, Department of CSE, India

ABSTRACT:

Cyber threats increase day by day, and one thing almost all attacks have in common is malware. Almost every breach of systems, networks and mobile phones involves Trojans, rootkits, backdoors, spyware, et cetera. The network security team of a firm where an attack has happened usually cannot respond to a zero-day or day-one attack on its own, and hence needs a dedicated incident response team or malware analysts. The Verizon data breach report of 2015 says that about 80-90% of malware samples are unique to an organization. The Verizon data breach incident response for this year concluded around 40,000 incidents, including 1,935 confirmed data breaches. No system is 100% safe, but understanding the threat we will face helps us improve our security. Therefore, in order to understand a malware sample we need to study its behaviour, and that is the dynamic analysis of malware.

Keywords: Static Analysis, Dynamic Analysis, VMware Workstation, Ransomware, Wireshark.

Cite this Article: P V Vara Prasad, N Sowmya, K Rajasekhar Reddy and P Jayant Bala, Introduction to Dynamic Malware Analysis for Cyber Intelligence and Forensics, International Journal of Mechanical Engineering and Technology 9(1), 2018, pp. 10–21.


1. INTRODUCTION

Due to the changes in everyday software technologies and upcoming requirements, it has become very important to protect our data. Data is valuable, and every day cyber criminals are hungry to get their hands on it. Today the internet is flooded with leaked information and data, which is the result of compromised servers and a lack of qualified security professionals in organizations. Instead of looking at this as a problem, we can take it as an opportunity to educate and equip ourselves to defend against such devastating attacks. In dynamic analysis of malware, we use a set of forensic tools available to us to understand the malware: extracting valuable information, creating logs and events that capture the behaviour of the malware, then organizing the collected data, monitoring the activity of a live malware sample and checking its communication with the local machine and remote machines.

Malware has the capability to hide itself and even to manipulate the registry keys of the system, so in order to see those changes a proper environment or lab is required. Creating a proper lab for the analysis of malware is very important for understanding its behaviour. We will use VMware Workstation or Oracle VirtualBox to create a lab that has a certain set of operating systems, basic forensic tools, a local network connection and snapshot support. The ability to manipulate network settings so that our lab cannot affect our actual network is very important. Basic use of the Wireshark packet sniffer shows how a malware sample tries to infect other systems present in the network. In the end we talk about countermeasures and certain steps to take while performing dynamic malware analysis. Incident response, basic forensics, malware discovery and basic reverse engineering will benefit from this paper.

2. LITERATURE

Malware analysis is the study or process of dissecting the functionality, origin, potential impact and likely future attacks of a given malware sample, which could be a worm, Trojan, rootkit, spyware, backdoor, ransomware and so on [6]. Malware is a malicious program or software that intends to harm systems, or systems connected to a network, or to steal sensitive data from the local drives or servers it can reach.

Malware analysis generally comprises a few methods:

• Static analysis
• Dynamic analysis
• Hybrid analysis.

A. Static analysis

Static analysis is a long procedure and takes a lot of time to understand the nature of the malware, but it gives the most complete understanding of what the sample can do, which is what a thorough clean-up depends on. It includes code analysis of the malware, achieved by dissecting the assembly-language code recovered from the binary files. The binaries can be disassembled with tools such as IDA (the free 5.0 release or IDA Pro), OllyDbg, HT editor, Hopper et cetera. Using these tools one can learn the behaviour and true nature of the malware.

B. Dynamic analysis

Dynamic analysis is much faster and generally deals with the behavioural analysis of a malware sample [12]. It shows how the malware affects the host systems and networks. Mostly this type of analysis is done in a virtual machine or sandbox environment to prevent the malware from infecting the real hosts or networks. Our main area of focus is dynamic analysis, by which we can quickly understand the behaviour of a malware sample and come up with countermeasures.

C. Hybrid analysis

Static analysis and dynamic analysis used together are called hybrid analysis.

The goal of malware analysis is to understand the basic working principle of a malware sample so that the defences built from that understanding can protect an organization's network and systems.

3. TOOLS REQUIREMENT

In order to perform behavioural malware analysis we need an isolated lab and certain forensic tools. Constructing a virtual lab using VMware or Oracle's VirtualBox will prove beneficial; in our analysis we use VMware. We need a few old and new operating systems:

• Windows XP Professional (either SP2 or SP3).
• Windows 7 (without patches and updates).
• Kali Linux 2016.2 (Debian-based).

Windows XP is our target system, because many local services still run Windows XP and cyber criminals keep upgrading their malware to target those systems, since Microsoft has discontinued updates and patches for all Windows XP service packs. Windows 7 holds all our signatures of the changes made before and after the infection, and we store all our catalogues of log files on this operating system. Kali Linux acts as the server for our Windows XP guest on the lab network. Install all the operating systems following the instructions given by VMware. Please note that the Windows XP and Kali Linux network adapters should both be on the same VMware network (both NAT, or both host-only) so that they can communicate with each other. There are three options available for network adapters:

• NAT
• Bridged
• Host only

NAT gives all the virtual guests outbound internet access through the physical host's connection; the guests can reach the host and external addresses, but machines on the physical LAN cannot initiate connections to the guests. The adapter VMnet8 has the NAT setting by default.

Bridged mode gives internet access and also provides direct communication between the virtual and physical hosts; it puts the guest on the physical LAN.

Host only provides a connection to the host adapter only; the VMware adapter VMnet1 is host-only by default.

Always make sure our virtual operating systems are connected to NAT or Host only, so that they cannot reach the physical LAN. Note the practical difference between the two: on a host-only network the sample can reach nothing but the other guests, whereas on a NAT network it can still reach the internet, contact its command-and-control server and attack external systems. Host only is therefore the safe default for detonating a sample; use NAT only when outbound traffic is deliberately required and is being captured. After the installation of the different operating systems, we need to install the forensic tools listed below.

• 7-Zip
• 010 hex editor
• CaptureBAT
• Map pack
• Notepad++
• Regshot
• Sysinternals
• vcredist x86 2005

Once all the programs are available, move them to Windows 7. Install the VMware guest tools, which enable drag and drop from the physical system to the virtual system so that moving files, folders and programs becomes easy. Because drag and drop and the shared clipboard are channels between guest and host, disable them again before running the sample.

4. METHODOLOGY

Install vcredist x86 2005 in Windows XP so that all the programs can install properly. Install CaptureBAT in Windows XP; CaptureBAT is a listener that intercepts the behaviour of the malware and creates a log file holding information about the program's activity. Install 010 hex editor, IDA Pro, Regshot, Sysinternals, Notepad++, Map pack and Cygwin. Once all the tools are installed, we take a live malware sample; we can take any live sample, but for beginners it is preferable to take the sample called Dyre [13]. Now create a shortcut for CaptureBAT on the desktop, open its properties, and in the Shortcut tab set the target to something like ("C:\Program Files\Capture\CaptureBat.exe" -c -l "C:\Documents and Settings\Administrator\Desktop\log.txt") and save it. Here the paths may vary; -c tells CaptureBAT to collect copies of the files the sample modifies or deletes, and -l names the log file, here log.txt on the desktop, to which the entries are written. Next use the snapshot feature of Workstation. A snapshot records the state of a live machine so that we can come back to that state later; even if files or programs are damaged, we can revert to it. Take a snapshot now and name it "Not infected". Dyre is a banking Trojan used to attack the systems of the banking sector (TrickBot, with which it is often confused, is regarded as its successor). It is used in this paper to investigate its behaviour in the system; to understand malware behaviour we can use any Trojan or other malware available on the internet. Unzip the Dyre.zip file and save it on the desktop, go to the folder, and before running the program make sure we start the CaptureBAT shortcut on the desktop. Once CaptureBAT is listening for changes, run the malware, wait 10 seconds, then close CaptureBAT. The sample's own file is then deleted automatically. Now check the log file and see all the entries made there (the original shows a screenshot of the log).


We can traverse all the locations mentioned in the log and find the folder into which the virus copied itself. Now revert to the original state again using the snapshot function, and once we are back take the MD5 hash of the original Dyre sample by right-clicking on it and choosing the MD5 hash sum option. With the Map pack program installed we can also check whether a particular string is present in the file. Once the MD5 has been taken, save it on Windows 7, repeat the infection process, browse to the location found in the log, find the dropped copy of the virus and take its MD5 hash, then compare it with the old MD5 hash. If the hashes are the same, we have located our virus in the system. MD5 is adequate for confirming that the dropped file is a copy of the sample we ran, but record a SHA-256 as well for the report, since MD5 collisions are practical and most sharing platforms key on SHA-256. We can also see that some changes have been made in the registry keys. Again, revert to the "Not infected" state and run Regshot. Once Regshot is running, click "1st shot" and save it, then run the virus, wait 10 seconds, click "2nd shot" and save it. Compare both shots and Regshot will generate a custom log file (shown as a screenshot in the original).

We can see some changes in HKLM, with keys and values added. We can browse the registry by going to Run, typing "regedit" and navigating to the keys listed; the changes made can be found there.
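The triage of the CaptureBAT log, the Regshot comparison and the hash check described above, as an added example that is not part of the original paper. The log lines and the Regshot report are constructed for the example; the five-field CSV layout assumed for CaptureBAT (timestamp, type, event, acting process, target object) and the section headers assumed for Regshot's text report should be checked against the tools' real output before reuse. The script groups the events, flags writes to autostart locations as persistence, notes whether the sample deleted its own file, and compares the dropped copy with the original by SHA-256 rather than MD5 alone.

```python
"""Triage of one dynamic-analysis run: CaptureBAT log + Regshot diff + hash check.
Added example; the inputs below are constructed and the file layouts are assumed."""
import csv
import hashlib
import io
import re

# Constructed CaptureBAT-style log (not a real capture). Assumed layout:
# "timestamp","type","event","acting process","target object"
CAPTUREBAT_LOG = '''\
"1/2/2018 10:01:05.120","process","created","C:\\WINDOWS\\explorer.exe","C:\\Documents and Settings\\Administrator\\Desktop\\sample.exe"
"1/2/2018 10:01:05.300","file","Write","C:\\Documents and Settings\\Administrator\\Desktop\\sample.exe","C:\\WINDOWS\\dropped.exe"
"1/2/2018 10:01:05.410","registry","SetValueKey","C:\\Documents and Settings\\Administrator\\Desktop\\sample.exe","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
"1/2/2018 10:01:05.500","process","created","C:\\Documents and Settings\\Administrator\\Desktop\\sample.exe","C:\\WINDOWS\\dropped.exe"
"1/2/2018 10:01:05.620","file","Delete","C:\\WINDOWS\\dropped.exe","C:\\Documents and Settings\\Administrator\\Desktop\\sample.exe"
"1/2/2018 10:01:05.700","process","terminated","C:\\WINDOWS\\explorer.exe","C:\\Documents and Settings\\Administrator\\Desktop\\sample.exe"
'''

# Constructed Regshot-style comparison report (section layout of the text output assumed).
REGSHOT_DIFF = '''\
Regshot 1.9.0 x86 Unicode
Comments: sample.exe, 10 s after launch
Datetime: 2018/02/01 10:01:00  ,  2018/02/01 10:01:20

----------------------------------
Keys added: 1
----------------------------------
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Updater

----------------------------------
Values added: 2
----------------------------------
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater: "C:\\WINDOWS\\dropped.exe"
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Updater\\ImagePath: "C:\\WINDOWS\\dropped.exe"

----------------------------------
Files added: 1
----------------------------------
C:\\WINDOWS\\dropped.exe
'''

# Autostart locations (ASEPs): a write here almost always means persistence.
ASEP_PATTERNS = [
    re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\CurrentControlSet\\Services\\", re.I),
    re.compile(r"\\Winlogon\\", re.I),
]

def is_asep(path):
    return any(p.search(path) for p in ASEP_PATTERNS)

def parse_capturebat(log_text):
    """Group CaptureBAT events: (type, event) -> [(acting process, target object)]."""
    events = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue                      # blank or malformed line
        _ts, kind, event, actor, target = row
        events.setdefault((kind, event.lower()), []).append((actor, target))
    return events

def parse_regshot(report_text):
    """Return {section name: [entries]} from a Regshot comparison report."""
    header = re.compile(r"^(Keys|Values|Files) (added|deleted|modified): \d+$")
    sections, current = {}, None
    for line in report_text.splitlines():
        if header.match(line.strip()):
            current = line.split(":")[0]
            sections[current] = []
        elif current and line.strip() and not line.startswith("---"):
            sections[current].append(line.rstrip())
    return sections

def file_hashes(data):
    """MD5 to match older reports, SHA-256 for the record (MD5 is collision-prone)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def same_binary(original, dropped):
    """The dropped file is a copy of the sample when the SHA-256 digests agree."""
    return file_hashes(original)["sha256"] == file_hashes(dropped)["sha256"]

def triage(log_text, report_text, sample_path):
    ev = parse_capturebat(log_text)
    reg = parse_regshot(report_text)
    dropped = [t for _a, t in ev.get(("file", "write"), [])]
    deleted = [t for _a, t in ev.get(("file", "delete"), [])]
    reg_hits = [e for sec in ("Keys added", "Values added", "Values modified")
                for e in reg.get(sec, []) if is_asep(e)]
    live_hits = [t for _a, t in ev.get(("registry", "setvaluekey"), []) if is_asep(t)]
    return {
        "processes_created": [t for _a, t in ev.get(("process", "created"), [])],
        "files_dropped": dropped,
        "self_deleted": sample_path in deleted,
        "persistence": sorted(set(reg_hits + live_hits)),
    }

if __name__ == "__main__":
    sample = "C:\\Documents and Settings\\Administrator\\Desktop\\sample.exe"
    for key, value in triage(CAPTUREBAT_LOG, REGSHOT_DIFF, sample).items():
        print(key, value)
    # Constructed file contents standing in for the sample and the recovered copy.
    original = b"MZ" + b"\x00" * 62 + b"sample body"
    print("dropped copy matches sample:", same_binary(original, original))
```

The persistence list is the part of the report a responder acts on first: every entry in it is a key or value under an autostart location that the sample created or changed, which is exactly what has to be removed (or, better, reverted from the snapshot) to stop the dropped copy coming back after a reboot.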

Another alternative is to use the Sysinternals tools: revert to the original state using the snapshot function, run the Sysinternals tools (Process Explorer and Process Monitor) and then run the malware. In the process list a red line appears like this (Process Explorer highlights new processes in green and exiting ones in red, so a sample that drops a copy of itself and exits shows up in red within seconds).

We can traverse to the registry entry made by the malicious program and delete the registry key. Some malware, namely backdoors, also tries to establish a way to connect back to its owner; the Wireshark packet sniffer helps us analyse the incoming and outgoing traffic. The original shows a capture of the malware "IllusionBot 2007" [13] trying to set up an IRC connection to its controller.

We can analyse the behaviour of such malware using all these forensic tools and create a report.
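The Wireshark step above finds the bot's IRC session by eye. The following added example (not from the paper) does the same over a capture file in code: it builds a small pcap in memory from constructed packets, walks the Ethernet/IPv4/TCP headers with the standard library only, and reports any flow whose payload carries IRC verbs, whatever the destination port, since a bot is rarely pointed at 6667. The addresses, port 5050 and channel name are invented for the example.

```python
"""Pull plaintext IRC command-and-control traffic out of a packet capture.
Added example, not the paper's code: the pcap is built from constructed packets
and parsed with struct only, so it runs offline. Detection keys on IRC protocol
verbs in the TCP payload rather than on port 6667."""
import re
import struct

IRC_VERB = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PONG)\b", re.M)
IRC_JOIN = re.compile(rb"^JOIN (\S+)", re.M)
IRC_PORTS = {6667, 6697}

def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload; checksums left zero (parsing ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                               # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    return eth + ip + tcp

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1494583200 + i, 0, len(frame), len(frame)) + frame
    return out

def tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in the capture."""
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                                 # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]

def find_irc_c2(pcap):
    """Group IRC verbs per client->server flow, whatever the destination port."""
    flows = {}
    for src, dst, _sport, dport, payload in tcp_payloads(pcap):
        verbs = IRC_VERB.findall(payload)
        if not verbs:
            continue
        f = flows.setdefault((src, dst, dport), {"verbs": set(), "channels": set()})
        f["verbs"].update(v.decode() for v in verbs)
        f["channels"].update(c.decode() for c in IRC_JOIN.findall(payload))
    return [{"src": s, "dst": d, "dport": p,
             "verbs": sorted(f["verbs"]), "channels": sorted(f["channels"]),
             "nonstandard_port": p not in IRC_PORTS}
            for (s, d, p), f in sorted(flows.items())]

# Constructed traffic (not a real capture): an infected XP guest registering with
# an IRC server on a non-standard port, plus an ordinary HTTP request for contrast.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.1.20", "198.51.100.25", 1043, 5050,
                    b"NICK [XP]lab-0042\r\nUSER lab 0 0 :lab\r\n"),
    build_tcp_frame("10.0.1.20", "198.51.100.25", 1043, 5050, b"JOIN #lab-c2\r\n"),
    build_tcp_frame("10.0.1.20", "198.51.100.40", 1044, 80,
                    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
])

if __name__ == "__main__":
    for hit in find_irc_c2(SAMPLE_PCAP):
        print(hit)
```

Running it on a capture saved from Wireshark is a matter of replacing SAMPLE_PCAP with the file's bytes; the NICK/USER/JOIN sequence to a non-standard port is the beacon to look for, and the channel name from JOIN is the indicator worth putting in the report.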

5. RECENT ATTACKS ANALYSIS

On 12 May 2017 many organizations around the globe were infected by a ransomware crypto-worm called WannaCry. Its main targets were computers running the Windows operating system; once compromised, their data is encrypted and a payment in Bitcoin is demanded. Within a day of the attack being launched, about 230,000 computers were compromised in over 150 countries. Parts of the United Kingdom's National Health Service (NHS) were infected, forcing some services to run on an emergency-only basis during the attack; in Spain Telefonica, the courier FedEx and Deutsche Bahn were affected, along with many other organizations in many other countries and multinational companies around the world.

It attacks and infects computers through a then-recent vulnerability in the SMBv1 implementation of Microsoft Windows, especially on older versions like Windows XP which no longer receive updates and patches. The exploit used was "EternalBlue", published on the internet in the Shadow Brokers dump of 14 April 2017; Microsoft had already fixed the vulnerability for supported versions of Windows in MS17-010. Unfortunately, at the time no patch was available for the legacy Windows XP, Windows 8 and Windows Server 2003 systems, and many organizations had failed to install the patch where it did exist. Other campaigns leveraging the tools leaked by the Shadow Brokers have been identified. While they do not deliver ransomware, they may be used for other purposes and represent a significant threat. These other campaigns share the same infection method, SMB, so it is important to monitor network activity even if no ransomware cases have been observed.

The SMB vulnerability [1] is triggered remotely by sending a crafted packet to a targeted SMB server, with no user interaction. The worm initially spreads through vulnerable computers exposing port 445 to the internet, and then uses the same method to propagate through internal networks. The threat [2] arrives as a dropper with two objectives:

• a component that tries to exploit the SMB EternalBlue vulnerability on other computers;
• the ransomware known as WannaCry/WannaCrypt.

Depending on the version, the dropper first tries to connect to one of the following kill-switch domains [7, 4]:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com
lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea[.]com

"mssecsvc2.0" is the service created by the threat; its main objective is to exploit the SMB vulnerability on the computers connected to the infected internal network. Once at least one computer is infected, the rest of the computers reachable over TCP port 445 are infected automatically.
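A detector for the propagation pattern just described, added here and not part of the paper: it reads flow records (constructed, in an assumed timestamp,src,dst,dport,proto CSV layout) and reports any internal host that contacts many distinct internal hosts on TCP 445 inside a short window, as well as any external address that reached an internal host on 445, which is the exposure the worm needs to get in.

```python
"""Spot worm-style SMB propagation in connection logs.
Added example, not from the paper. The flow records are constructed and their
CSV layout (timestamp, src, dst, dport, proto) is assumed; real firewall or
NetFlow exports differ only in the parsing step."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 1918 ranges spelled out rather than ip_address().is_private, which also
# treats the documentation ranges used for the external address below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def _constructed_flows():
    base = datetime(2017, 5, 12, 10, 0, 0)
    rows = []
    # one host sweeping fifteen neighbours on 445 within half a minute (worm-like)
    for i in range(15):
        rows.append((base + timedelta(seconds=2 * i), "10.0.1.20", "10.0.1.%d" % (21 + i), 445))
    # a workstation talking to the one file server all morning (normal)
    for i in range(40):
        rows.append((base + timedelta(seconds=30 * i), "10.0.1.50", "10.0.1.5", 445))
    # an internet address reaching an internal host on 445: exposure, not just traffic
    rows.append((base + timedelta(seconds=5), "198.51.100.7", "10.0.1.20", 445))
    rows.sort()
    return "\n".join("%s,%s,%s,%d,tcp" % (t.strftime("%Y-%m-%dT%H:%M:%SZ"), s, d, p)
                     for t, s, d, p in rows)

FLOW_LOG = _constructed_flows()

def parse_flows(text):
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split(",")
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
               "dst": dst, "dport": int(dport), "proto": proto}

def smb_scanners(flows, threshold=10, window=timedelta(seconds=60)):
    """src -> peak number of distinct internal hosts contacted on 445 within `window`.
    A worm fans out to many new hosts quickly; a client talks to a few servers repeatedly."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 445 and f["proto"] == "tcp" and is_internal(f["dst"]):
            per_src[f["src"]].append((f["ts"], f["dst"]))
    result = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - t0 <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            result[src] = peak
    return result

def internet_exposed_smb(flows):
    """(external src, internal dst) pairs: port 445 reachable from outside."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["dport"] == 445 and not is_internal(f["src"]) and is_internal(f["dst"])})

if __name__ == "__main__":
    print("SMB sweeps:", smb_scanners(parse_flows(FLOW_LOG)))
    print("exposed:", internet_exposed_smb(parse_flows(FLOW_LOG)))
```

The threshold and window are tuning knobs: a domain controller or a backup server legitimately opens 445 to many hosts, so allow-list those sources after confirming them rather than raising the threshold until the worm fits under it.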

Let us take a sample of the WannaCry malware and open it in OllyDbg: open the folder and drag wannacry.exe onto OllyDbg.

Below we find a pane with Address, Hex dump and ASCII columns. Looking carefully we find "MZ" at the start of the file: this is the DOS header signature, and a Portable Executable (PE) file begins with it, followed by a "PE\0\0" signature at the offset stored in the DOS header field e_lfanew. PE files are Win32 applications that call functions in the Win32 API. The Portable Executable format is the file format, or data structure, used for executables, object code, DLLs, FON font files and others in the 32-bit and 64-bit versions of the Windows operating system. The Windows loader works from the PE data structures to map the wrapped executable code; they encapsulate the information the loader needs.
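A parser for the headers the hex dump shows, added here and not taken from the paper. It checks the MZ and PE signatures, reads the COFF and section headers, flags sections that are both writable and executable (a common sign of a packer stub), and lists printable strings per section much as OllyDbg's "All referenced text strings" does. The image it parses is constructed in build_minimal_pe(); the strings planted in its .rdata section echo the ones the paper reports seeing, and no real sample is involved.

```python
"""Parse PE headers and list printable strings per section.
Added example, not the paper's code. build_minimal_pe() constructs the image so
nothing malicious touches disk; parse_pe() itself is generic."""
import re
import struct

IMAGE_FILE_DLL = 0x2000
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

def build_minimal_pe():
    """Constructed 32-bit PE with three sections. The strings are planted to echo
    what the paper reports seeing in the dropper; they are not copied from a sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)           # 64-byte DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x5912F3C0, 0, 0, 224, 0x0102)  # i386, 3 sections, EXE
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222                      # PE32 magic, rest zeroed
    sections = [(b".text", 0x1000, 0x60000020),
                (b".rdata", 0x2000, 0x40000040),
                (b".stub", 0x3000, 0xE0000020)]    # executable and writable: packer-like
    raw, hdrs = 0x200, b""                         # raw data starts at 512-byte alignment
    for name, va, flags in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"),
                            0x200, va, 0x200, raw, 0, 0, 0, 0, flags)
        raw += 0x200
    header = (dos + b"PE\x00\x00" + coff + opt + hdrs).ljust(0x200, b"\x00")
    text = b"\xCC" * 0x200                                               # int3 filler
    rdata = b"%s -m security\x00kernel32.dll\x00tasksche.exe\x00".ljust(0x200, b"\x00")
    stub = b"\x90" * 0x200
    return header + text + rdata + stub

def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header magic -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    sect_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, _vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "va": va,
                         "raw_ptr": rptr, "raw_size": rsize, "flags": flags,
                         "wx": bool(flags & SCN_MEM_EXECUTE) and bool(flags & SCN_MEM_WRITE)})
    return {"machine": machine, "bits": {0x10B: 32, 0x20B: 64}.get(magic),
            "timestamp": stamp, "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}

def ascii_strings(data, min_len=5):
    """Printable ASCII runs, the quick equivalent of the strings view."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def section_strings(data, pe):
    """Strings grouped by the section they live in."""
    return {s["name"]: ascii_strings(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
            for s in pe["sections"]}

if __name__ == "__main__":
    image = build_minimal_pe()
    pe = parse_pe(image)
    print("machine=%#x bits=%s dll=%s" % (pe["machine"], pe["bits"], pe["is_dll"]))
    for s in pe["sections"]:
        print("%-8s va=%#06x raw=%#05x flags=%#010x wx=%s" %
              (s["name"], s["va"], s["raw_ptr"], s["flags"], s["wx"]))
    print(section_strings(image, pe))
```

A writable-and-executable section in a real sample is a prompt to expect unpacking at run time: the strings that matter, the kill-switch URL among them, may not be visible in the file at all until the debugger has let the stub run.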

After this, right-click and choose Search for > "All referenced text strings"; there we find many signatures and information such as the ASCII string "%s -m security", the UNICODE string "kernel32.dll" and certain file operations.

Our main objective is to look for the kill-switch URL. The dropper makes this connection first: if there is no response from the URL, the malware continues to execute, and if the URL does respond, it exits without infecting the machine.
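The kill-switch decision as code, added here and not from the paper. The connect() functions model network policies rather than making real requests; the domains are the first two from the paper's list. One detail matters for defenders and is the reason the "proxy only" policy counts as a failure: the dropper makes its request as a direct connection that ignores the system proxy settings, so a network that only permits proxied web access looks, to the dropper, like a network where the domain is blocked.

```python
"""Model the WannaCry kill-switch decision against different network policies.
Added example, not the paper's code. No network access: each policy is a
connect() function that succeeds or raises the way the real request would."""
from urllib.parse import urlsplit

# The first two domains from the paper's list, undefanged so they parse as hostnames.
KILL_SWITCH_DOMAINS = [
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
]

class ConnectFailed(Exception):
    """NXDOMAIN, firewall drop or timeout: all look alike to the dropper."""

def dropper_would_run(domain, connect):
    """The rule from the text: run only when the kill-switch request fails."""
    try:
        connect("http://" + domain + "/")
    except ConnectFailed:
        return True       # no answer: worm and ransomware go ahead
    return False          # URL answered: dropper exits

def make_network(resolves_to, direct_egress):
    """connect() for one policy. resolves_to is None (blocked / NXDOMAIN),
    "internal" (a sinkhole web server on the LAN answers) or "public" (the
    real registration). direct_egress says whether an un-proxied HTTP request
    can leave the network; the dropper's request ignores the system proxy."""
    def connect(url):
        host = urlsplit(url).hostname
        if host not in KILL_SWITCH_DOMAINS or resolves_to is None:
            raise ConnectFailed(url)
        if resolves_to == "public" and not direct_egress:
            raise ConnectFailed(url)   # direct request cannot leave a proxy-only network
        return 200
    return connect

POLICIES = {
    "open internet":         make_network("public", direct_egress=True),
    "proxy only, no direct": make_network("public", direct_egress=False),
    "domain blocked at DNS": make_network(None, direct_egress=True),
    "internal sinkhole":     make_network("internal", direct_egress=False),
}

def evaluate(domain=KILL_SWITCH_DOMAINS[0]):
    """Policy name -> True if an infected host on that network would run the payload."""
    return {name: dropper_would_run(domain, connect) for name, connect in POLICIES.items()}

def sinkhole_hosts_entries(sinkhole_ip):
    """hosts-file / internal DNS lines that make the check succeed without egress
    (the sinkhole must also answer HTTP on port 80)."""
    return ["%s %s" % (sinkhole_ip, d) for d in KILL_SWITCH_DOMAINS]

if __name__ == "__main__":
    for policy, runs in evaluate().items():
        print("%-22s -> %s" % (policy, "RUNS" if runs else "exits"))
    print("\n".join(sinkhole_hosts_entries("10.0.0.5")))
```

The table the script prints is the point: "domain blocked at DNS" and "proxy only" both let the worm run, while "internal sinkhole" stops it even with no internet access at all, which is why the right response to this family is to make the domain answer inside the network rather than to block it.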

Search for "All intermodular calls" and find information about the calls: destination address, destination name and comments. Execution and the file operations start from here: creating a new process, deleting an existing one, delaying execution et cetera.

All the changes made are stored in the registry and can be altered once the malware infects the system; the attacker also chooses how long a thread sleeps, which gives the malware enough time to encrypt the files with its encryption algorithm. Other procedure calls and registry edits can be explored further in the intermodular calls search in OllyDbg.

OllyDbg can also run the malware under its control, stepping through the breakpoints set on the calls previously found in the intermodular calls list. Once the application is running it stops at the various breakpoints, such as when it wants to make the connection to the kill-switch URL or to create a new process that has some impact at kernel level. Hiding of files can be observed while the application is running, and a report can be created.

The bottom-right corner has information about the breakpoints, which can be noted for the report. While the application is running, the "Process Hacker" tool shows whether a new process has been started.


Below OllyDbg.exe, new processes named winry.exe and tasksche.exe have been created. Terminate the process tree to stop them from executing.

The malware mostly targets the following file extensions [2]:

• Office files (.ppt, .doc, .docx, .xlsx, .sxi).
• Country-specific and less common office formats (.sxw, .odt, .hwp).
• Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
• Emails and email databases (.eml, .msg, .ost, .pst, .edb).
• Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
• Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
• Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
• Graphic designers', artists' and photographers' files (.vsd, .odg, .raw, .nef, .svg, .psd).
• Virtual machine files (.vmx, .vmdk, .vdi).

Products affected: the following products are known to be impacted if they are not patched [1, 3]:

• Microsoft Windows Vista SP2
• Microsoft Windows Server 2008 SP2 and R2 SP1
• Microsoft Windows 7
• Microsoft Windows 8.1
• Microsoft Windows RT 8.1
• Microsoft Windows Server 2012 and R2

It has since been confirmed [5] that the malware also targets earlier, no longer supported versions of the Microsoft operating systems:

• Windows XP
• Windows 8
• Windows Server 2003

At the same time, Microsoft has confirmed [5] that Windows 10 was not targeted by this attack. It is also important to realize that unpatched Windows 10 versions could be affected by this ransomware in future. Using the above dynamic analysis and information, one can create a report and take the necessary actions: patch the Windows operating systems immediately, and make sure the kill-switch domains resolve and are reachable from every internal host (for example by pointing them at an internal web server), because the dropper only stops when its request to the domain succeeds; blocking those domains at the DNS or the firewall would have the opposite effect and let the worm run.

6. MALWARE DEFENSE AND COUNTER MEASURES

With the knowledge gained from malware analysis, it is time to build defences against the malware using multiple layers of defence, following a defence-in-depth philosophy.

• Web filtering and intrusion prevention and detection systems (IPS/IDS).
• Host-based intrusion prevention systems (HIPS).
• Avoid opening email attachments received from an unknown or unauthorized sender.
• Block all unnecessary ports at the host and at the firewall.
• Run host-based antivirus, firewalls and intrusion detection.
• Avoid accepting programs received over a network through instant messaging.
• Monitor the internal network traffic flow for odd ports or unexpected encrypted traffic.
• Avoid downloading and executing applications from untrusted websites.
• Install patches and security updates for the operating system and applications.
• Scan CDs/DVDs with antivirus before using them.
• Avoid typing commands blindly or running pre-fabricated programs or scripts, so that the system cannot be affected by external viruses or malware.
• Regularly check checksums, audit, and port-scan the local workstations.
• Keep an anti-malware application running so that it notifies us if any malware tries to affect the system.

By setting up IPS/IDS and firewalls and installing security updates regularly, we can protect ourselves from such malware attacks, and using this behaviour analysis data we can anticipate future attacks and block such malicious files and outgoing connections.

7. CONCLUSION AND FUTURE SCOPE

Dynamic analysis of malware can predict the behaviour of malware so that we can plan a strategy to take the malware down as soon as possible. Various organizations can benefit from dynamic malware forensics, because at some point a network administrator has to identify the type of malware that has affected the network and take the necessary steps to counter it. The future scope of learning dynamic malware analysis extends to static malware analysis, where we completely unpack the sample and learn its working principle, and further to reverse engineering it. Reverse engineering is an advanced procedure in the family of malware countermeasures, supported by dynamic and static analysis; from this paper the reader gets a proper understanding of the dynamic analysis approach. Many universities do not include the study of malware in their academic curriculum, and a student or faculty member who wants to learn or enter the field of malware analysis can benefit from this paper.

REFERENCES

[1] https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4464-ataque-masivo-

deransomware-que-afecta-a-un-elevado-numero-de-organizaciones-espanolas.html

[2] https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacksall-

over-the-world/

[3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[4] https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-

infoand-technical-nose-dive/

[5] https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targetsout-

of-date-systems/

[6] Teaching malware analysis: The design philosophy of a model curriculum Narasimha Shashidhar;

Peter Cooper 2016 4th International Symposium on Digital Forensic and Security (ISDFS) Year:

2016 Pages: 119 – 125

[7] Practical Malware Analysis by Michael Sikorski and Andrew Honig.

[8] Virus Research and Defense by Peter Szor.

[9] Cuckoo Malware Analysis by Digit Octavianto, Iqbal Muhardianto.

[10] Malware Analysis Cookbook by Michael Ligh, Steven Adair, Blake Hartstein.

[11] Practical Malware Analysis by Michael Sikorski and Andrew Honig.

[12] http://www.opensecuritytraining.info/DynamicAnalysis.html

[13] http://www.github.com/rshipp/awesome-malware-analysis

[14] Pratik Karnik, Malwares, Vulnerabilities and Its Analysis and Mitigation, International

Journal Of Computer Engineering & Technology (IJCET), Volume 4, Issue 6, November -

December (2013), pp. 110-120

[15] Anju S, Sheema M, Prof. P.Jayakumar, Dr. S.Sasidhar Babu, Exposing Transient Secrets

and Detecting Malware Variants using Control and Data Flow Analysis, International

Journal of Computer Engineering & Technology (IJCET), Volume 5, Issue 12, December

(2014), pp. 31-36

[16] A.EdwinRobert and Dr.M.Hemalatha, Behavioral and Performance Analysis Model for

Malware Detection Techniques, International Journal of Computer Engineering &

Technology (IJCET), Volume 4, Issue 1, January- February (2013), pp. 141-151