7/29/2019 lab for malware
1/7
Malware & Viruses 4055-760
Prof. Yuan
Harold Chelchowski
1/6/13
LAB2: Virus Behavioral Analysis
The purpose of this lab is to examine a malware sample through behavioral analysis using tools such
as Process Explorer, File Monitor, Registry Monitor, Winalysis and Wireshark. The following are the
results obtained from this experiment.
Q1: Does the malware copy itself or infect any files? If it does, what file or files does it copy or infect?
The File Monitor program was used to answer this question:
The malware does not infect any files. Instead it makes a lot of queries for many DLL files, especially those
related to Windows sockets and Windows networking such as WS2_32.dll, mswsock.dll, iphlpapi.dll, and
others (underlined in green in the image below). Also, the malware copies itself as avserve2.exe to the
following path, C:\WINDOWS\avserve2.exe (red box in the image below). Below are the results after
the victim PC was infected with the malware. Make sure to zoom into the file in order to see the image better.
Q2: Does the malware modify the Windows Registry Keys? If it does, which registry keys does it modify?
The Registry Monitor program was used to answer this question:
The malware does modify Windows registry keys. According to Registry Monitor, the malware
accesses many registry keys related to Windows network services and connections. The malware
queries, opens, closes and creates registry keys. For example, the malware creates the following registry key:
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters (first red box in the image below)
The malware also queries for registry values such as:
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Linkage\Bind
There were other registry keys which were manipulated by the malware. The capture below shows the
results.
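The File Monitor and Registry Monitor results above are read by eye, but the same triage can be scripted. The following is an added example (not part of the lab report or its tools) that parses constructed Filemon/Regmon-style records and pulls out the three indicators the answers to Q1 and Q2 rely on: an executable written into the Windows directory (the self-copy), registry keys that are created rather than merely queried, and processes that load the networking DLLs. The tab-separated line format, the process names and the log lines themselves are assumptions made for the example; they mimic the behaviour described above and are not the lab's capture.

```python
from collections import defaultdict

# Constructed Filemon/Regmon-style records (tab-separated: time, process:pid,
# request, path, result). Made up for this example to mirror the behaviour the
# lab describes; not the lab's own capture.
SAMPLE_LOG = """\
10:01:02\tmalware.exe:1200\tOPEN\tC:\\WINDOWS\\system32\\WS2_32.dll\tSUCCESS
10:01:02\tmalware.exe:1200\tOPEN\tC:\\WINDOWS\\system32\\mswsock.dll\tSUCCESS
10:01:02\tmalware.exe:1200\tOPEN\tC:\\WINDOWS\\system32\\iphlpapi.dll\tSUCCESS
10:01:03\tmalware.exe:1200\tCREATE\tC:\\WINDOWS\\avserve2.exe\tSUCCESS
10:01:03\tmalware.exe:1200\tWRITE\tC:\\WINDOWS\\avserve2.exe\tSUCCESS
10:01:04\tavserve2.exe:1304\tCreateKey\tHKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\tSUCCESS
10:01:04\tavserve2.exe:1304\tQueryValue\tHKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname\tSUCCESS
10:01:04\tavserve2.exe:1304\tQueryValue\tHKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain\tSUCCESS
10:01:05\tnotepad.exe:1400\tOPEN\tC:\\Documents and Settings\\user\\notes.txt\tSUCCESS
10:01:06\tnotepad.exe:1400\tQueryValue\tHKCU\\Software\\Microsoft\\Notepad\\iWindowPosX\tSUCCESS
"""

# DLLs whose presence suggests the process uses Windows sockets / networking.
NETWORK_DLLS = {"ws2_32.dll", "mswsock.dll", "iphlpapi.dll", "wsock32.dll", "dnsapi.dll"}
# Directories where a user-launched sample has no business dropping executables.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")
FILE_WRITE_OPS = {"CREATE", "WRITE"}
REG_WRITE_OPS = {"CreateKey", "SetValue", "DeleteKey", "DeleteValue"}


def parse_log(text):
    """Turn the tab-separated lines into dicts; the ':pid' suffix is dropped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, proc, request, path, result = line.split("\t", 4)
        records.append({"time": time, "process": proc.rsplit(":", 1)[0],
                        "request": request, "path": path, "result": result})
    return records


def find_self_copies(records):
    """Successful writes of an .exe into a system directory (Q1 indicator)."""
    hits = []
    for r in records:
        p = r["path"].lower()
        if (r["request"] in FILE_WRITE_OPS and r["result"] == "SUCCESS"
                and p.endswith(".exe") and p.startswith(SYSTEM_DIRS)):
            key = (r["process"], r["path"])
            if key not in hits:        # CREATE and WRITE to the same file count once
                hits.append(key)
    return hits


def find_registry_writes(records):
    """Registry operations that change state, as opposed to queries (Q2 indicator)."""
    return [(r["process"], r["path"]) for r in records
            if r["request"] in REG_WRITE_OPS and r["result"] == "SUCCESS"]


def find_network_dll_loads(records):
    """Map each process to the networking DLLs it opened."""
    loads = defaultdict(set)
    for r in records:
        name = r["path"].rsplit("\\", 1)[-1].lower()
        if r["request"] == "OPEN" and name in NETWORK_DLLS:
            loads[r["process"]].add(name)
    return dict(loads)


def triage(text):
    """Run all three checks over a log and return the findings."""
    records = parse_log(text)
    return {"self_copies": find_self_copies(records),
            "registry_writes": find_registry_writes(records),
            "network_dlls": find_network_dll_loads(records)}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

Querying Tcpip\Parameters\Hostname or Domain is something many legitimate programs do, which is why the script separates registry writes from queries: the creation of a key by a freshly dropped executable is the part worth flagging, and the queries are only context.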
Q3: Does the malware create any accounts\shares on the victim system? If it does, what
accounts\shares does it create?
The malware did not create any accounts or shares on the victim system. We used the Winalysis tool before and after the victim PC was infected and saw that no new accounts or shares were created. We also
used the command net users to see if any new user accounts were created. Below are the captures:
Before:
After:
Q4: Did the Innocent machine get infected? Describe the behavior of the innocent machine if it did get
infected.
The innocent machine got infected with the malware. The behavior of the innocent machine is that
there is a lot of lag due to 100% CPU utilization (green box in the capture below). The processes that
take over the CPU are ftp.exe and the malware under the name of avserve2.exe (red box in the capture
below). Below is a capture of the Task Manager from the innocent machine.
Then after the lag a window pops up stating that the computer will shut down because the Local
Security Authentication Server process (lsass.exe) terminated unexpectedly, and it gives us one minute
before the system shuts down and restarts. Below is the capture of the window that pops up.
The computer keeps restarting after 3 to 5 minutes.
Q5: What did you observe in the Wireshark captures on the Monitor machine backtrack?
The Wireshark capture from Backtrack shows that a lot of ARP requests were coming from the victim
machine querying for IP addresses within the victim's subnet. There were also RARP requests that
queried for the MAC address of the victim machine. Also, there were NETBIOS over TCP/IP (NBT)
broadcast packets coming from the victim machine. The services of NETBIOS that were observed
included the following: name service for name registration and resolution using port 137 and datagram
distribution service for connectionless communication using port 138. Then we saw that the malware
tried to access other computers on the network via port 445, which is used by the SMB protocol. The
SMB protocol is used for providing shared access to files, printers and other resources between nodes
on a network. The following are captures from the experiment.
ARP Requests:
RARP Requests:
NBT Broadcast:
SMB Protocol:
The capture below actually shows how the victim PC (192.168.0.1) tries to communicate with the
monitor pc (backtrack 192.168.0.12) via port 445. But every time that the victim machine with the
malware tries to establish a connection with backtrack, backtrack sends a [RST, ACK], meaning that the
port is closed. Thus the malware cannot get a hold of the backtrack machine.
Q6: Did the victim and the innocent machines restart during the lab? What did they do after restart?
Both the innocent and victim machines restarted during the lab. After they restarted they experienced the
same results as described in Question 4, where the processes ftp.exe and avserve2.exe took over the
CPU, causing it to work at 100% all the time, which led to a lot of lag on both computers.
Q7: Use the Wireshark captures to explain how the malware infects the innocent machine.
From the Wireshark captures above, it seems that the malware first checks which machines are
available on the network by sending ARP requests for all possible IP addresses on the subnet. Once a host is found, the malware uses NETBIOS in order to establish a communication
session with the new host. Then through this session the malware tries to exploit any security hole
found in the new host via port 445, which the SMB protocol uses for file and other resource sharing.
This allows the malware to replicate itself on the new host. Below is a capture of the innocent
machine (192.168.0.11), already infected with the malware, trying to infect the Backtrack machine
(192.168.0.12). But given that port 445 is blocked on Backtrack, probably because of a firewall rule, the
infected innocent machine is unsuccessful.
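The sequence described in Q5 and Q7 (an ARP sweep of the subnet, NBT broadcasts, then connection attempts to port 445 that Backtrack answers with [RST, ACK]) is a pattern a monitor host can detect automatically. The following is an added example, not part of the lab report, that reads a constructed packet summary in the style of a Wireshark/tshark export (frame, time, source, destination, protocol, info columns) and scores each source host on how many distinct ARP targets it probed, how many distinct hosts it tried to reach on 445, and how many of those attempts were refused. The packet lines, the 192.168.0.x addresses reused from the lab, the column layout and the threshold of 8 ARP targets are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed packet summary mimicking the behaviour the lab describes:
# ten ARP requests from the victim, two NBT broadcasts, then SYNs to port 445
# on the Backtrack host (refused with RST, ACK) and on the innocent host
# (accepted). Made up for this example; not the lab's capture.
SAMPLE_CAPTURE = [
    f"{i + 1}\t{i * 0.01:.3f}\t192.168.0.1\tBroadcast\tARP\tWho has 192.168.0.{i + 2}?  Tell 192.168.0.1"
    for i in range(10)
] + [
    "11\t0.200\t192.168.0.1\t192.168.0.255\tNBNS\tName query NB WORKGROUP<1b>",
    "12\t0.210\t192.168.0.1\t192.168.0.255\tBROWSER\tHost Announcement VICTIM, Workstation",
    "13\t0.300\t192.168.0.1\t192.168.0.12\tTCP\t1045 > 445 [SYN] Seq=0 Win=16384 Len=0",
    "14\t0.301\t192.168.0.12\t192.168.0.1\tTCP\t445 > 1045 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0",
    "15\t0.400\t192.168.0.1\t192.168.0.11\tTCP\t1046 > 445 [SYN] Seq=0 Win=16384 Len=0",
    "16\t0.401\t192.168.0.11\t192.168.0.1\tTCP\t445 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0",
]

NBT_PROTOCOLS = {"NBNS", "NBDS", "BROWSER"}          # NetBIOS over TCP/IP, ports 137/138
ARP_REQ = re.compile(r"Who has (\d+\.\d+\.\d+\.\d+)\?")
TCP_INFO = re.compile(r"^(\d+) > (\d+) \[([^\]]+)\]")


def analyze_capture(lines, arp_threshold=8, smb_port=445):
    """Per source host: ARP sweep size, NBT chatter, SMB attempts and refusals."""
    hosts = defaultdict(lambda: {"arp_targets": set(), "smb_attempts": set(),
                                 "smb_refused": set(), "nbt_broadcasts": 0})
    for line in lines:
        _frame, _time, src, dst, proto, info = line.split("\t", 5)
        stats = hosts[src]
        if proto == "ARP":
            m = ARP_REQ.search(info)
            if m:
                stats["arp_targets"].add(m.group(1))
        elif proto in NBT_PROTOCOLS:
            stats["nbt_broadcasts"] += 1
        elif proto == "TCP":
            m = TCP_INFO.match(info)
            if not m:
                continue
            sport, dport = int(m.group(1)), int(m.group(2))
            flags = {f.strip() for f in m.group(3).split(",")}
            if dport == smb_port and flags == {"SYN"}:
                stats["smb_attempts"].add(dst)          # new connection attempt to 445
            elif sport == smb_port and "RST" in flags:
                # The peer refused (closed port or firewall): credit the refusal
                # to the host that made the attempt, i.e. this packet's destination.
                hosts[dst]["smb_refused"].add(src)

    report = {}
    for host, s in hosts.items():
        report[host] = {
            "arp_targets": len(s["arp_targets"]),
            "smb_attempts": len(s["smb_attempts"]),
            "smb_refused": len(s["smb_refused"]),
            "nbt_broadcasts": s["nbt_broadcasts"],
            # A host that sweeps the subnet with ARP and then knocks on 445 is
            # behaving like the worm in the lab, not like a normal workstation.
            "flagged": len(s["arp_targets"]) >= arp_threshold and len(s["smb_attempts"]) > 0,
        }
    return report


if __name__ == "__main__":
    for host, r in analyze_capture(SAMPLE_CAPTURE).items():
        print(host, r)
```

The refusal count is what distinguishes the Backtrack host from the innocent machine in the lab: a [SYN, ACK] from 192.168.0.11 means the port was open and the worm could continue, while the [RST, ACK] from 192.168.0.12 is the closed port the report describes.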
Q8: Based on your findings about the malware in this lab, what do you classify this malware as: a virus, a
worm, a trojan, or a combination of these types?
This malware is a worm because it follows the definition of a worm as stated from the lecture slides:
Self-replicating but a stand-alone program that exploits security holes to compromise other computers
and spread copies of itself through the network.