
 – C:\WINDOWS.0\system32\dllcache\tcpip.sys
• Changed Files
 – C:\WINDOWS.0\ServicePackFiles\i386\tcpip.sys
 – C:\WINDOWS.0\system32\drivers\tcpip.sys
• Started Processes
 – C:\WINDOWS.0\WinSecurity\services.exe
We downloaded all created files from the virtual system and quickly determined that
the files csrss.exe, services.exe and smss.exe are almost identical copies of the original
file: they differ in only one byte, at offset 0xA0 (an otherwise unused byte in the
PE file header). Moreover, we observed that the services.exe process has to be killed
before the InsideTMServer is able to open the file services.exe and send it to the host
system. We conclude that services.exe opens a handle to itself in exclusive mode as one
of its first actions after being started. This way, other programs (including on-demand
virus scanners run later) cannot read the infected file for as long as the process is alive.
This reasoning is confirmed by Michael St. Neitzel's very detailed virus description [27] of Sober.Y.
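The byte-level comparison described above, written out as an added example (this is not code from the thesis or from TTAnalyze). It reports every offset at which two dropped copies differ and says whether that offset lies in the DOS header/stub, inside the PE headers, or in section data. The input is a constructed 512-byte stand-in for a PE file (MZ header, e_lfanew = 0x80, SizeOfHeaders = 0x200) with a single flipped byte at 0xA0; it is not a loadable executable and the header layout values are assumptions for the example only.

```python
# Added example: locate the bytes in which two copies of an executable differ.
import struct


def diff_offsets(a: bytes, b: bytes):
    """Return [(offset, byte_in_a, byte_in_b)] for every differing position.
    A length mismatch is reported with None on the shorter side, so a copy
    that was merely truncated or padded is never reported as identical."""
    out = []
    for off in range(max(len(a), len(b))):
        ba = a[off] if off < len(a) else None
        bb = b[off] if off < len(b) else None
        if ba != bb:
            out.append((off, ba, bb))
    return out


def pe_header_offset(data: bytes):
    """Return e_lfanew (file offset of the 'PE\\0\\0' signature) if `data`
    starts with a well-formed MZ/PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def classify(data: bytes, off: int) -> str:
    """Coarse location of a file offset: DOS header/stub, PE headers, or
    section data (at or beyond SizeOfHeaders)."""
    pe = pe_header_offset(data)
    if pe is None:
        return "not a PE file"
    if off < pe:
        return "DOS header/stub"
    # The optional header starts 24 bytes after the PE signature and
    # SizeOfHeaders is the DWORD at optional-header offset 60.
    soh_at = pe + 24 + 60
    if soh_at + 4 > len(data):
        return "truncated PE headers"
    size_of_headers = struct.unpack_from("<I", data, soh_at)[0]
    return "PE headers" if off < size_of_headers else "section data"


def make_sample(size: int = 0x200) -> bytes:
    """Constructed stand-in for a PE file: MZ header, e_lfanew = 0x80,
    PE signature at 0x80, SizeOfHeaders = size, everything else zero."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x80 + 24 + 60, size)
    return bytes(buf)


ORIGINAL = make_sample()
_dropped = bytearray(ORIGINAL)
_dropped[0xA0] ^= 0x01          # constructed: the single changed byte
DROPPED = bytes(_dropped)


def report(a: bytes, b: bytes):
    """(offset, region) for each differing byte, region taken from `a`."""
    return [(off, classify(a, off)) for off, _, _ in diff_offsets(a, b)]


if __name__ == "__main__":
    for off, ba, bb in diff_offsets(ORIGINAL, DROPPED):
        print(f"0x{off:X}: {ba:02X} -> {bb:02X} ({classify(ORIGINAL, off)})")
```

On real samples, replace `ORIGINAL`/`DROPPED` with the bytes of the uploaded executable and of the dropped copy; a copy that the running process holds open exclusively, as described above, can only be read after the process has been terminated.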
TTAnalyze Run 2
As stated in the last section, the Sober.Y executable copies itself to the
C:\WINDOWS.0\WinSecurity directory under the name services.exe. Of course, we also
had TTAnalyze analyze this process. This test run differs from the last one in two respects:
1. We analyze the services.exe that differs in one byte from the original file.
2. We explicitly upload services.exe to the directory C:\WINDOWS.0\WinSecurity instead of saving it in the default location.[2]
The results are shown in the following.
• Created Files:
 – C:\WINDOWS.0\WinSecurity\mssock1.dli
 – C:\WINDOWS.0\WinSecurity\socket1.ifo
 – C:\WINDOWS.0\system32\bbvmwxxf.hml
 – C:\WINDOWS.0\system32\filesms.fms
 – C:\WINDOWS.0\system32\langeinf.lin
 – C:\WINDOWS.0\system32\nonrunso.ber
 – C:\WINDOWS.0\system32\rubezahl.rub
 – C:\WINDOWS.0\system32\runstop.rst
• Read Files (Excerpt):
 – C:\WINDOWS.0\WinSecurity\services.exe
 – C:\WINDOWS.0\system32\MSVBVM60.DLL
 – C:\WINDOWS.0\DtcInstall.log
 – C:\WINDOWS.0\FaxSetup.log
 – C:\WINDOWS.0\Fonts\desktop.ini
 – C:\WINDOWS.0\Help\access.hlp
We do not show the complete list of read files because it is very long. We can see,
however, that the process reads all files that have certain file extensions, such as ".ini" and
".txt".

[2] The default location is C:\InsideTM at the time of writing this chapter.
Kaspersky's Virus Description
Kaspersky's virus description, which can be found at
http://www.viruslist.com/en/viruses/encyclopedia?virusid=99827, states the following.
"When installing, the worm creates a folder named 'WinSecurity' in the Windows root
directory. It copies itself to this folder 3 times under the following names:
%Windir%\WinSecurity\csrss.exe
%Windir%\WinSecurity\services.exe
%Windir%\WinSecurity\smss.exe
"The worm also creates the following files in the same folder:
%Windir%\WinSecurity\mssock1.dli
%Windir%\WinSecurity\mssock2.dli
%Windir%\WinSecurity\mssock3.dli
%Windir%\WinSecurity\winmem1.ory
%Windir%\WinSecurity\winmem2.ory
%Windir%\WinSecurity\winmem3.ory
"Email addresses harvested from the victim machine will be saved in these files."
"The worm then registers itself in the system registry, ensuring that it will be launched
each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%Windir%\WinSecurity\services.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_Windows" = "%Windir%\WinSecurity\services.exe"
"The worm also creates copies of itself in base64. The copies have the following names:
%Windir%\WinSecurity\socket1.ifo
%Windir%\WinSecurity\socket2.ifo
%Windir%\WinSecurity\socket3.ifo
"The worm also creates empty files in the Windows system directory. The empty files
have the following names:
%System%\bbvmwxxf.hml
%System%\filesms.fms
%System%\langeinf.lin
%System%\nonrunso.ber
%System%\rubezahl.rub
%System%\runstop.rst"
If one compares Kaspersky's virus description to TTAnalyze's report, one sees that
every file TTAnalyze reports as created appears in Kaspersky's list. Kaspersky's description
is brief and does not mention that some of the files are only created after the worm has
copied itself to the Windows\WinSecurity directory and is started from there. The registry
modifications specified in Kaspersky's virus description are not found by TTAnalyze for the
reasons already stated. Of course, we are only showing parts of Kaspersky's virus description
here. In particular, the complete virus description also covers the text and subject of the
emails sent by the worm.
Chapter 6
Conclusion and Future Work
TTAnalyze is a prototype implementation. We believe that it clearly shows that the idea
of running an executable in an emulated environment to monitor and analyze its execution
works and is worthy of further research. Of course, many more features would be possible,
but they were not realized because of time constraints. For example, the biggest weakness at
the moment is the lack of a detailed network analysis. Many malware samples use email for
replication, connect to IRC servers, or query NTP servers to obtain the current time. Hence,
a network analysis would certainly be useful, and it is one of the first features that will be
implemented in the future.
Implementing a network analysis raises the problem that the emulation of one computer
(PC) is no longer sufficient. Our analysis is primarily based on monitoring the test-subject's
local execution. When extending this analysis to take network connections into account, the
test-subject has to be provided with a network (maybe even the Internet) so that we can
monitor its network activities. We can provide the test-subject with this