Malware Forensic Field Guides: Tool Box 

Chapter 6     Analysis of a Malware Specimen





Environment Baseline


 Host Integrity Monitors

    

Name: ESET SysInspector
Page Reference:  367
Author/Distributor:  ESET
Available From: http://www.eset.com/us/download/free-antivirus-utilities;
http://download.eset.com/download/sysinspector/32/ENU/SysInspector.exe
Description: ESET SysInspector is a graphical Windows diagnostic tool that takes a “snapshot” of the
system state of a target computer, including running processes, Registry, network connections, and
startup contents. Once a snapshot has been taken, ESET applies heuristics to assign a “risk level” for each item logged allowing the digital investigator to conduct a number of analytical processes, including log generation, log comparison (diffing), and filtering based upon risk color-coding.

                         



|
Name: FingerPrint v2.1.3
Page Reference: 367
Author/Distributor: 2BrightSparks
Available From: http://www.2brightsparks.com/assets/software/FingerPrint_Setup.zip
Description: A lightweight GUI-based utility that monitors files and directories for modifications and
deletions.









Name:  Regshot
Page Reference: 367
Author/Distributor:  TiANWEi
Available From:  http://sourceforge.net/projects/regshot
Description: A free and open source Registry comparison tool that allows the user to take a snapshot of the Registry prior to the execution of a program, and a second snapshot after execution. Using the compare feature, RegShot provides the digital investigator with a report detailing the differences in the Registry as a result of executing the program.





Name: Winalysis
Page Reference:  367
Author/Distributor:  Winalysis Software
Available From:  <This URL has been removed as it was flagged as malicious by Google Safe Browsing>
Description: A favorite of digital investigators, Winalysis is a program that enables the user to save a
snapshot of a subject system’s configuration and then monitor for changes to files, the Registry, users,
local and global groups, rights policy, services, the scheduler, volumes, shares resulting from software
installation, or unauthorized access.

           




 Installation Monitors




Name:  InCntrl5
Page Reference:  368
Author/Distributor:  PC Magazine
Available From: http://www.pcmag.com/article2/0,1759,9882,00.asp
Description: A favorite of many digital investigators, InCtrl5 monitors the changes made to the host
system as a result of installing software. InCtrl5 offers an intuitive GUI and Hypertext Markup Language (HTML) reporting.





Name:  InstallSpy
Page Reference:  368
Author/Distributor:  2BrightSparks
Available From:http://www.2brightsparks.com/assets/software/InstallSpy_Setup.zip
Description: A utility enabling the user to track any changes to the Registry and file system when a
program is executed, installed, or uninstalled.






Name:  InstallWatch
Page Reference:  368
Author/Distributor: Epsilon Squared
Available From:  http://web.archive.org/web/20090216115249/http://www.epsilonsquared.com/
Description:  Software utility developed by Epsilon Squared, Inc., that records modifications made to a subject system during the installation of software, or as a result of hardware and configuration changes.





Name:    SysAnalyzer
Page Reference:  368
Author/Distributor:  Verisgn iDefense Labs
Available From:  http://sandsprite.com/blogs/index.php?uid=7&pid=185
Description:  An automated malicious code runtime analysis application, SysAnalyzer enables the digital investigator to execute an unknown binary, and then monitors various aspects of the host system, including running processes, open ports, loaded drivers, injected libraries, file modifications, Registry changes, API calls made by the target process, and certain network traffic (HTTP; IRC; and DNS). SysAnalyzer quickly builds an intuitive report identifying the changes made as a result of execution of the program on the host system.
         




 Environment Emulation





Name:  Internet Services Simulation Suite (INetSIM)
Page Reference:  388
Author/Distributor:  Thomas Hungenberg and Matthias Eckert
Available From:  http://www.inetsim.org/
Description: For use on Linux and FreeBSD/OpenBSD systems. INetSIM is a software suite for simulating common Internet services in a laboratory environment. Specifically developed to assist in the analysis of network behavior of unknown malware specimens, INetSIM provides the digital investigator with a common control and logging platform for environment adjustment during dynamic analysis.





Name:  SimpleDNS
Page Reference: 388
Author/Distributor:  JH Software
Available From:   http://www.simpledns.com/
Description:  A lightweight and intutive DNS server with a GUI front-end. DNS emulation and
adjustment within the digital investigator’s laboratory environment can be configured quickly and easily
using the Quick Zone Wizard feature, shown in the following digram.

       




Dynamic Analysis —Active System and Network Monitoring




Process Monitoring

 


Name: CurrProcess
Page Reference:  372
Author/Distributor:  Nir Sofer/NirSoft
Available From:  http://www.nirsoft.net/utils/cprocess.html
Description: A GUI and command-line utility, CurrProcess displays a list of all processes running on a
target system. By selecting a target process, CurrProcess displays PE version information (from the PE resources) and details relating to modules loaded into memory associated with process image. The
memory of a target process can be dumped to a text file using the toolbar button or by pressing Ctrl+M, and details associated with the process can be quickly copied to the clipboard by right-clicking the target process and selecting “Copy Selected Processes” from the menu.






Name:  Explorer Suite
Page Reference: 372
Author/Distributor:  Daniel Pisteli/NTCore
Available From:  http://www.ntcore.com/exsuite.php
Description:  A freeware suite of tools developed by Daniel Pisteli, Explorer Suite comes with a series of tools to assist the digital investigator in conducting malware forensics, including a rich PE Viewer (CFF Explorer), a packing detection framework (PE Detective/Signature Explorer), and a process viewer (Task Explorer). Task Explorer is a dual-paned graphical process analysis tool. The top pane reveals the running processes along with respective PIDS, system paths, and PE version information; the lower pain displayes modules loaded into memory by a selected process. Right clicking on a target process provides the digital investigator with a shell context menu of additional options, including PE dumping and analysis in CFF
Explorer.

                                                                                         





Name:  Mitec Process Viewer
Page Reference:  372
Author/Distributor:  Michael Mutl/MiTeC
Available From:  http://www.mitec.cz/Downloads/PV.zip
Description:  A lightweight graphical process analysis utility, the Process Viewer interface provides
distinct tabs for isolated analysis of processes, drivers, and services. Upon selecting a target process, the “details” button provides an additional analysis interface enabling the digital investigator to drill down into the handles, performance, loaded modules, threads, and child processes, among other details, associated with the process.






Name:   Process Hacker
Page Reference:  372
Author/Distributor:  wj32
Available From:  http://processhacker.sourceforge.net/ and http://sourceforge.net/projects/processhacker/
Description:  A robust graphical process analsysis tool, Process Hacker gives granular visibility into
running processes, services, and network activity. Right-clicking on process offers additional analytical
options including threads, handles, process memory, and environment details.
 




File System Monitoring





Name: ProcessActivityView
Page Reference:  372
Author/Distributor:  Nir Sofer/NirSoft
Available From:  http://www.nirsoft.net/utils/process_activity_view.html
Description:  A useful tool for monitoring file system interaction by a target process, ProcessActivityView displays the system path and files accessed by the process, associated statistics, and the module in memory responsible for accessing the file. Right-clicking on a target file system artifact presents the digital investigator with a shell context menu of additional analytical options, as displayed in the following diagram.
 






Name:  DirMon (included in GiPo@FileUtilities)
Page Reference:  373
Author/Distributor:  Gibin Software House
Available From:  http://www.gibinsoft.net/
Description:  DirMon provides the digital investigator with a practical and simple way to track changes in a target directory. After configuring the granularity of monitoring, DirMon provides real-time insight into changes made to the directory, including an event listing and statistical ticker. Analytical results are saved and compiled into an HTML report.
 





Name:  FileMon
Page Reference:  372
Author/Distributor:  Mark Russinovich and Bryce Cogswell (Sysinternals)/Microsoft
Available From:  http://web.archive.org/web/20090801183050/http://technet.microsoft.com/en-
us/sysinternals/bb896642.aspx
Description: A legacy tool discontued by Microsoft (and replaced with Process Monitor), FileMon is a
powerful GUI-based file-monitoring utility that reveals the files and .dlls opened, read, or deleted by
each running process as well as a status column, which advises of the failure or success of the monitored activity. FileMon also provides the investigator with filter options, a search function, and the ability to save the results to a file for offline analysis. Identified artifacts of interest can quickly be accessed on the file system by double-clicking on a target entry in the user interface. Although obsolete and unavailable for download from Microsoft, the utility is still a favorite among digital investigators and available from Web archives on Archive.org.

 





Name:  Tiny Watcher
Page Reference:  373
Author/Distributor:  Olivier Lombart
Available From:  http://kubicle.dcmembers.com/watcher/
Description:  A graphical file, directory, and registry monitoring tool, Tiny Watcher takes a baseline
snapshop of the subject system state and then makes notifications when a change is detected on the
system. For example, in the following figure, Tiny Watcher captured the invocation of a new process, the system path to the suspect executable (winhelp.exe), and the resulting system changes.
 




Registry Monitoring



Name:  RegMon
Page Reference: 374
Author/Distributor: Mark Russinovich and Bryce Cogswell (Sysinternals)/Microsoft
Available From: http://web.archive.org/web/20090627020908/http://technet.microsoft.com/en-
us/sysinternals/bb896652.aspx

Description: A legacy tool discontinued by Microsoft (and replaced with Process Monitor), RegMon actively reveals which processes are accessing the host system’s Registry, keys, and the Registry data that is being read or written. The tools includes a filter function and can either provide time stamps for captured events, or simply show the amount of time that has elapsed since the last time the event window was cleared. Unlike static Registry analysis tools, the advantage of using RegMon during dynamic analysis of a malicious code specimen is that it provides the digital investigator with the ability to trace how programs are interacting with the Registry in real time. Although obsolete and unavailable for download from Microsoft, the utility is still available from Web archives on Archive.org.
 




 Autostart Monitoring



Name:  Autoruns
Page Reference: 375
Author/Distributor: Mark Russinovich and Bryce Cogswell (Sysinternals)/Microsoft
Available From:  http://technet.microsoft.com/en-us/sysinternals/bb963902
Description:  Autoruns is a program that can run against a live system or a forensic duplicate to extract details from various locations that will launch programs when a Windows computer starts up. In addition to providing a categorized interface to this information, Autoruns can be useful for identifying unusual startup entries. For example, Autoruns can show executables that have not been signed, which may be an indication of malware.
 





Name:  Autostart Explorer
Page Reference:  375
Author/Distributor:  Mischel Internet Security
Available From:  http://www.misec.net/products/autostartexplorer/
Description: A triple-paned graphical autostart insepction utility, Autostart Explorer provides an
expandable tree listing of Registry keys, Startup Folders, .bat, and.ini files on a target system on a left-
side viewing pane. Upon selecting an item of interest, the top right pane displays all discovered
autostarted files, while the bottom left pane provides a description of the selected item.

 





Name:  Autostart and Process Viewer
Page Reference: 375
Author/Distributor:  Konrad Papala Software
Available From: http://www.konradp.com/products/autostart-and-process-viewer/
Description: Useful for quickly auditing running processes and autostart locations on a target system,
Autostart and Process Viewer is a graphical utility that succinctly separates data into distinct tabs in the user interface. Once a target autostart location or process is selected, further details can be acquired using the toolbar menu options.







Name: WhatinStartup
Page Reference:  375
Author/Distributor:  Nir Sofer/NirSoft
Available From:  http://www.nirsoft.net/utils/what_run_in_startup.html
Description:  The successor tool to Nirsoft’s now obsolete StartupRun utility, WhatinStartup is an ituitive graphical utility that reveals detailed information about programs identified on a target system as having a autostart mechanism. In a one-pane GUI with numerous data columns, WhatinStartup identifies a program, along with the respective autostart type (startup folder or Registry), command-line
properties/system path to executable, PE version information in memory, autostart location, file system metadata (created time and modified times), file attributes, and process creation date/time.

 




 Network Forensics





Name:  Capsa Network Analyzer
Page Reference: 376
Author/Distributor:  Colasoft
Available From:  http://www.colasoft.com/capsa/

Description: Capsa is powerul and robust GUI-based network packet capture and analysis tool. The free version of the tool (Colasoft Capsa 7 Free) includes additional network forensic tools, Mac Scanner, Packet Builder, Packet Player, and Ping Tool. A great companion utility to Wireshark, in addition to full traffic capture, Capsa has predefined filters for HTTP, e-mail, DNS, FTP and Instant Messenger traffic capture; these filters are conversely available in the “Replay” analysis options of Capsa. Rich with real- time and post-processing analysis features, Capsa can be used to quickly and effectively gain visibilityinto network traffic resulting from the dynamic analysis of a malware specimen.

           





Name: Network Miner
Page Reference:  376
Author/Distributor: Erik Hjelmvik
Available From: http://sourceforge.net/projects/networkminer/

Description: A valuable tool for network traffic capture and analysis, Network Miner is a graphical
network forensic analysis tool (NFAT) for Windows. Like Wireshark and Capsa, Network Miner can be
used passively to collect network traffic to and from target systems in the digital investigator’s malware laboratory for later reconstruction and analysis. Network Miner offers unique network forensic analysis features, such as OS fingerprinting of network hosts (using the p0f and Ettercap databases), keyword search functionality, and data extraction/reconstruction, including files, images, messages, and credentials. As shown in the following figure, Network Miner reconstructed network trace evidence files acquired from malicious network traffic.

 




 Port Monitoring




 Embedded Artifacts Revisited





Name: ActivePorts
Page Reference:  378
Author/Distributor:  DeviceLock
Available From:  http://www.devicelock.com/freeware.html

Description: A light-weight graphical port monitoring utility that displays process-to-port mapping,
executable-to-process filepath, local connection details, remote connection details, connection state, and network protocol. As displayed in the following figure, a newly opened port associated with the process winhelp.exe is highlighted green by ActivePorts for ease of elucidating port activity.







Name:   CurrPorts
Page Reference: 378
Author/Distributor: Nir Sofer/NirSoft
Available From: http://www.nirsoft.net/utils/cports.html

Description:  A flexible graphical port monitoring utility, CurrPorts offers detailed information about the
status of TCP/UDP ports on a target system and the processes associated with the opened ports. In
addition to a myriad of analytical options, collected information can be saved to HTML, XML, or tab delimited reports. For ease of analysis, CurrPorts automatically highlights suspicious port activity, such as unidentified processes/applications. As shown in the following figure, the recently spawned malicious process winhelp.exe is identified as opening a TCP port and attempting to connect to a Web server over port 80

 





Name:   TCPView
Page Reference:  378
Author/Distributor:  Mark Russinovich (Sysinternals)/Microsoft
Available From:  http://technet.microsoft.com/en-us/sysinternals/bb897437
Description:  A favorite GUI-based port monitoring utility of many digital investigators, TCPView
displays open ports, connection, and associated process details.
 




 API Monitoring





Name: API Monitor v2
Page Reference:  379
Author/Distributor: Rohitab Batra
Available From: http://www.rohitab.com/apimonitor
Description:  Although currently in Alpha stage of development, API Monitor v2 is a feature-rich
graphical API monitoring tool that implements an eight-window “dashboard” of distinct data viewing
panes: API Capture Filter, Running Processes, Hooked Processes, Summary of API Calls, Hex Buffer, Output Statistics, Call Stack, and Parameters. API Monitor v2 provides for intutive API Capture Filter options, a process monitor for selecting a target process to hook, and granularity in trace output. “Digital investigator friendly” shell context menus contain numerous shortcuts for ease of researching API calls of interest.
 




 Defeating Obfuscation




 Process Memory Dumping Tools





Name:   ProcDump
Page Reference:  405
Author/Distributor: Mark Russinovich (Sysinternals)/Microsoft
Available From: http://technet.microsoft.com/en-us/sysinternals/dd996900

Description:  A command-line process memory acquisition tool.

C:\Malware Lab\ProcDump>procdump.exe –ma winhelp

ProcDump v3.04 - Writes process dump files
Copyright (C) 2009-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

Writing dump file C:\Malware Lab\ProcDump\winhelp_110710_215805.dmp ...
Dump written.


Helpful Switches:
 

Switch

Function

 -64

Overrides the default memory capture of a 32-bit dump for
a 32-bit process on 64-bit Windows and instead generates
a 64-bit dump.

-ma

Generates a dump file containing all process memory,
including thread and handle information.

-mp

Generates a dump file of read/write memory with process
and handle information.

-r Reflect (clone) a target process (Windows 7 and higher)





 PE Import Address Table Reconstruction



Name:  ReVirgin
Page Reference:  411
Author/Distributor: +Tsehp
Available From: Numerous underground reverse engineering sites—download with care

Description:  Similar to ImpREC, ReVirgin is a graphical Import Address Table (IAT) rebuilding utility,
popular in the “reverse engineering underground.” Like many "underground” tools from unverified origins
(often developed by anonymous authors referenced only by unusual monikers), exercise common sense and due care in acquiring and implementing this tool.

 




  Disassembly Visualization



Name:  BinNavi
Page Reference: 415
Author/Distributor:  Zynamics
Available From:  http://www.zynamics.com/binnavi.html
Description:  BinNavi is the de facto tool for binary code reverse engineering tools through graph
visualization. Used inextricably with IDA Pro, a MySQL database, and other third-party utilities, BinNavi
enables the digital investigator to import IDA database files (.idb) and navigate the disassembled code
in a visually stunning graph form. Once in graph form, BinNavi offers a myriad of analytical features to
view, analyze, and annotate the code of the target module (BinNavi nomenclature for a single
disassembled file). In addition, using debug clients, the BinNavi debugger offers robust functionality for
controlling and analyzing the execution of a target process.

 




 PE Resource Viewers





Name:  Resource Hacker
Page Reference:  417
Author/Distributor:  Angus Johnson
Available From:  http://www.angusj.com/resourcehacker/
Description:  An easily navigable, dual-paned graphical PE Resource analysis (and editing) tool. Resource Hacker displays available PE Resources in an expandable tree menu in the left-hand viewing pane, while selected content is displayed in the right-hand viewing pane. Resources can be extracted and saved to disk using the shell context menu or the “Action” toolbar.
 




Interacting with and Manipulating the Malware Specimen




Prompting Trigger Events


Name: WinHTTrack
Page Reference:  425
Author/Distributor: Xavier Roche
Available From: http://www.httrack.com
Description: WinHTTrack is the Windows version of the graphical Web site copying tool, HTTrack. A
valuable tool for copying Web site content for offline browsing and reconstructing Web content locally,
WinHTTrack offers granular configuration options for copying depth and content acquisition.
 




Digital Virology



Context Triggered Piece-Wise Hashing and Indicators of Likeness



Name:  SSDeep
Page Reference:  435
Author/Distributor:  Jesse Kornblum
Available From:  http://ssdeep.sourceforge.net/
Description:  A fuzzy hashing tool that computes a series of randomly sized checksums for a file, allowing file association between files that are similar in file content but not identical.
 Helpful Switches:

Switch

Function

 -v

Verbose mode. Displays filename as its being processed.

-p

Pretty matching mode. Similar to -d but includes all
matches.

-r

Recursive mode.

-d Directory mode; compares all files in a directory.
 -s  Silent mode; all errors are suppressed.
 -b  Uses only the bare name of files; all path information
omitted.
 -l  Uses relative paths for filenames.
 -c  Prints output in CSV format.
 -t  Only displays matches above the given threshold.
 -m  Match FILES against known hashes in file.






Name: Scout Sniper
Page Reference:  437
Author/Distributor:  Don C. Weber/Security Ripcord
Available From:  http://www.cutawaysecurity.com/blog/scout-sniper
Description:  Sniper Scout (sniperscout) is a wrapper program (.exe and Python script) for two
tools that can be used during digital virology analysis—ssdeep and YARA. In particular,
sniperscout can be run against a target directory of specimens using a specific YARA rule or the
contents compared with contextual piecewise hashing using the Fuzzy dynamic link library
(fuzzy.dll) from ssdeep (as shown in the following figure).


C:\Python25>python scoutsniper.py -s c:\Malware\specimens\Crvhost.exe -d
c:\Malware\specimens
sdir: c:\Malware\specimens
There is no warrenty for this program. User at your own risk and only with permission.
If you use the deletion option you may damage your system, programs or applications.
Enter YES to indicate you have read and understand this warning and with to proceed.
-> YES
Scout Sniper: Happy Hunting
Start Time: 2011-07-10.01:59:10.546000
Searching Local: c:\Malware\specimens
Sample File Hash: '49152:duXwKHOwaabc/8DCBq4QI4hSPFEK8FzVzAQ2YMgE:due/Suq4R4IElAQ29'
Checking: c:\Malware\specimensavhelper
Alert: avhelper scored 91
Checking: c:\Malware\specimensCrvhost.exe
Alert: Crvhost.exe scored 100
Checking: c:\Malware\specimenshelpfile.exe
Alert: helpfile.exe scored 96
Checking: c:\Malware\specimensupdatehelp.exe
Alert: updatehelp.exe scored 96
Checking: c:\Malware\specimensWindowsUpdate.exe
Alert: WindowsUpdate.exe scored 96
Checking: c:\Malware\specimenswinhelp.exe
Alert: winhelp.exe scored 96
Checking: c:\Malware\specimenswinsrv.exe
Alert: winsrv.exe scored 96
Checking: c:\Malware\specimensWinUpdate.exe
Alert: WinUpdate.exe scored 96
Finish Time: 2011-07-10.01:59:14.750000
Scout Sniper Done
 Helpful Switches:

Switch

Function

 -y

Perform a YARA scan using the default rule location
(\yara_rules\yara_rules.yr)

-Y

Perform a YARA scan using the YARA rule location
provided

-s

Performs ssdeep scan

-S Lowest score to use when alerting on like files using
ssdeep scan mode (integer between 1–100)
-d
 Directory to search
 -r Remote host(s) to search; can be single IP/host name or
multiple separated by commas with no spaces
 -u Username for the account to access remote systems
 -p  Password for account to access remote systems