Malware Forensic Field Guides: Tool Box 

Chapter 6     Analysis of a Malware Specimen

 Environment Baseline




 Host Integrity Monitors




Name:  Advanced Intrusion Detection Environment (AIDE)
Page Reference: 414
Author/Distributor:  Rami Lehti, Pablo Virolainen (original developers); Richard van den Berg (maintainer); Hannes von Haugwitz (maintainer)
Available From:  http://aide.sourceforge.net/
Description:  File integrity based intrusion detection system
Helpful Switches:

Switch      Function
--init      Initialize the database
-C          Check the database
--compare   Compare two databases
-D          Test the configuration file






Name:  Samhain
Page Reference: 414
Author/Distributor:  Samhain Labs
Available From:  http://la-samhna.de/samhain/
Description: A flexible and powerful open-source host-based intrusion detection system (HIDS) that provides file integrity checking, log file monitoring, rootkit detection, port monitoring, and detection of rogue executables and hidden processes.
Helpful Switches:

Switch                Function
samhain -t init       Initialize the database
samhain -t update     Update the database
samhain -t check      Check system integrity
samhain -D -t check   Check system integrity again to confirm that files, hashes and the database match





 Installation Monitors




Name:  Checkinstall
Page Reference: 415
Author/Distributor: Felipe Eduardo Sánchez Díaz Durán
Available From: http://asic-linux.com.mx/~izto/checkinstall/
Description:  Command-line installation monitor based upon installwatch
Helpful Switches:

Switch                              Function
-t, --type=<slackware|rpm|debian>   Choose target packaging system



Environment Emulation




Name:  Internet Services Simulation Suite (INetSIM)
Page Reference: 433
Author/Distributor: Thomas Hungenberg and Matthias Eckert
Available From: http://www.inetsim.org/
Description:  For use on Linux and FreeBSD/OpenBSD systems, INetSIM is a software suite for simulating common Internet services in a laboratory environment. Developed specifically to assist in analyzing the network behavior of unknown malware specimens, INetSIM provides the digital investigator with a common control and logging platform for adjusting the environment during dynamic analysis. As shown in the figure below (left), once INetSIM is invoked, the emulated services are started, causing the local network sockets associated with each service to listen for network activity (shown in the figure, right).






Name:  fakedns
Page Reference: 437
Author/Distributor: Francisco Santos
Available From: http://code.activestate.com/recipes/491264-mini-fake-dns-server/
Description:  A Python script that creates a lightweight fake DNS server to direct DNS queries to a target system in your malware laboratory, as demonstrated in the figure below.

malwarelab@MalwareLab:/$ python fakedns.py
pyminifakeDNS:: dom.query. 60 IN A 192.168.1.1








Active System and Network Monitoring


 Process Monitoring


Name:  ps
Page Reference: 447
Author/Distributor: Branko Lankester et al.
Available From:  Native to Linux systems
Description:   Displays information about active processes
Helpful Switches:

Switch   Function
-A       All processes; output includes PID, TTY, Time and process name
a        Displays all processes except session leaders and processes not associated with a terminal (tty)
-c       Displays true command name
e        Same as -A option; displays all processes; output includes PID, TTY, Time and process name
f        "Forest" mode; displays ASCII-art process hierarchy
-H       Displays process hierarchy
-u       Shows user ID








Name:  pstree
Page Reference:  448
Author/Distributor:  Werner Almesberger and Craig Small
Available From:  Native to most Linux distributions
Description:  Displays a textual tree hierarchy of running processes (parent/ancestor and child processes).
Helpful Switches:

Switch   Function
-a       Show command line arguments
-A       Use ASCII characters to draw tree
-h       Highlights the current process and its ancestors
-H       Highlights the specified process
-l       Displays long lines
-n       Sorts processes with the same ancestor by PID instead of by name
-p       Displays PIDs
-u       Displays uid transitions





Name:  pslist
Page Reference:  447
Author/Distributor:  Peter Penchev
Available From: http://devel.ringlet.net/sysutils/pslist/; https://launchpad.net/ubuntu/lucid/i386/pslist/1.3-1
Description: A command-line tool to gather target process details, including process ID (PID), command name, and the PIDs of all child processes. Target processes may be specified by name or PID.
Helpful Switches:

Switch         Function
No switches    Displays all processes and respective PIDs
pslist <pid>   Displays process name associated with target PID






Name: ips
Page Reference:  447
Author/Distributor:  David I. Bell
Available From: http://freecode.com/projects/db-ips
Description:  A command-line tool that displays the status of active processes. While the data displayed by ips is similar to ps, ips provides very granular control over output columns, selection and sorting. Like top, the output of ips can also be continuously refreshed.





Name: Process Dumper
Page Reference:  450
Author/Distributor:  Tobias Klein
Available From:  http://www.trapkit.de/research/forensic/pd/pd_v1.1_lnx.bz2; the companion analysis tool, Memory Parser, can be found at http://www.trapkit.de/research/forensic/mmp/index.html.

Description: Process Dumper 1.1 is freeware, but is closed source and is used in tandem with Memory Parser, the analytical tool developed by Tobias Klein. To use Process Dumper, provide the PID assigned to the target process and supply a name for the new dump file, as shown in the figure below.

$ ./pd_v1.1_lnx -v -p 6194 > 6194.dump
pd, version 1.1 tk 2006, www.trapkit.de
Wrote: map-000.dmp
Wrote: map-001.dmp
Wrote: mem-002.dmp
Wrote: mem-003.dmp
Wrote: mem-004.dmp
Wrote: mem-005.dmp
Dump complete.

After dumping a target process with Process Dumper, load the dump into Memory Parser to analyze its contents. Memory Parser (which, at the time of this writing, is available for Windows systems and requires Microsoft .NET Framework Version 2.0) can currently only be used to examine dumps created with Process Dumper. After the process dump file is loaded and the "Parse Process Dump" button is clicked to process the file, the Memory Parser interface provides the digital investigator with an upper and a lower pane to examine the dump contents. The upper pane displays details pertaining to the process mappings, and the lower pane provides six different tabs to further explore the dump contents, as shown in the figure below.




 File System Monitoring




Name: lsof (list open files)
Page Reference:   420-421, 453-453
Author/Distributor: Victor A. Abell
Available From: Native to Linux distributions; ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
Description: A command-line utility that displays open files and sockets.
Helpful Switches:

Switch   Function
-V       Verbose
-o       Display file offset
-n       Does not display host names
-p       Does not display port names
-l       Display UID numbers
-r       Repeat/refresh every 15 seconds
-i       Display network sockets





Name:   fuser
Page Reference:  421
Author/Distributor:  Werner Almesberger; Craig Small
Available From:  Native to most Linux distributions.
Description: Displays processes using files or sockets.
Helpful Switches:

Switch   Function
-u       "User"; appends the user name of the process owner to each PID.
         For example, to query for the user and PID associated with the suspicious file libnss_dns-2.12.1.so, use:

         $ fuser -u /lib/libnss_dns-2.12.1.so
         /lib/libnss_dns-2.12.1.so:  5365m(victim)

         To query for the PID associated with the suspicious UDP port 52475, use:

         $ fuser -u 52475/udp

-n       "Name space" variable. The name spaces file (a target file name, which is the default), udp (local UDP ports), and tcp (local TCP ports) are supported.
         For example, to query for the PID and user associated with suspicious TCP port 3329, use:

         $ fuser -nuv tcp 3329

-v       Verbose mode





Name:   inotify
Page Reference:  421
Author/Distributor:  Rohan McGovern
Available From:  Native to most Linux distributions as a part of inotify-tools; http://inotify-tools.sourceforge.net/
Description:  Command-line file and directory monitoring tool. inotify provides the digital investigator with a simple and effective way to monitor target files and directories and gather meaningful information about file access, modification and creation, among other data, as shown in the figure below.

malwarelab@MalwareLab:/# inotifywatch /var/log/
Establishing watches...
Finished establishing watches, now collecting statistics.
total   access   modify   close_write   close_nowrite   open   create   filename
141     22       6        2             78              32     1        /var/log/










 
Name:   File Alteration Monitor (FAM)
Page Reference:  421
Author/Distributor:  SGI
Available From:   http://oss.sgi.com/projects/fam/; http://oss.sgi.com/projects/fam/download.html
Description:  A file and directory monitoring tool that reveals when a file is created, modified, executed, and removed.






 Name:   Gamin
 Page Reference:  412
 Author/Distributor:   Daniel Veillard
 Available From:  https://people.gnome.org/~veillard/gamin/
 Description:   File and directory monitoring system defined to be a subset of the FAM system.




  Network Monitoring and Forensics




Name:   tcpdump
Page Reference:  426
Author/Distributor:  Tcpdump Team
Available From: http://www.tcpdump.org/; native to most Linux distributions
Description:  A powerful and flexible command-line network sniffer and packet analyzer.
Helpful Switches:

Switch   Function
-A       Displays captured packets in ASCII
-i       Target interface to monitor
-XX      Displays captured packets in hexadecimal and ASCII
-w       Write captured packets to file
-r       Read packets from file
-v       Verbose
-vv      Very verbose
-n       Don't resolve ports and IP addresses to port names/hostnames
-ttt     Displays a timestamp in default format preceded by date on each dump line





 Name:   jpcap
 Page Reference:  427
 Author/Distributor:  Patrick Charles
 Available From:  http://sourceforge.net/projects/jpcap/
 Description:  A Java-based network packet capture and visual analysis tool.





Name:  Network Miner
Page Reference: 484
Author/Distributor:  Netresec
Available From: http://www.netresec.com/?page=NetworkMiner
Description: A robust graphical network forensics tool that extracts, and in some instances reconstructs, salient network artifacts into 11 different investigative aspects, including DNS queries, Files, Images, Messages, Cleartext, among others.

Although primarily designed to run in Windows environments, Network Miner can be run in Linux using Mono (http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono).




Port Monitoring





Name:  netstat
Page Reference:  428-429
Author/Distributor:  Fred Baumgarten, et al.
Available From:  Native to Linux systems
Description:  Displays information pertaining to established and "listening" network socket connections on the subject system.
Helpful Switches:

Switch            Function
-a                Displays all sockets
-n                "Numeric" output, does not resolve names
--numeric-hosts   Does not resolve host names
--numeric-ports   Does not resolve port names
--numeric-users   Does not resolve user names
-p                Displays PID/Program name for sockets
-e                "Extended" (more/other) information
-c                Continuous mode, output refreshes
-l                Displays listening sockets





Name:   KConnections
Page Reference:  429
Author/Distributor:  Dmitry Baryshev
Available From:  http://kde-apps.org/content/show.php/KConnections?content=71204
Description:  Lightweight graphical wrapper for netstat.





System Call Monitoring and System Profiling





Name: strace
Page Reference:  430, 456-459
Author/Distributor: Paul Kranenburg, Branko Lankester, et al.
Available From: Native to Linux systems, but the project is maintained on SourceForge: http://sourceforge.net/projects/strace/
Description: Native utility on Linux systems that intercepts and records the system calls made by a target process.
Helpful Switches:

Switch             Function
-o                 Writes trace output to filename
-e trace=file      Traces all system calls which take a file name as an argument
-e trace=process   Traces all system calls which involve process management
-e trace=network   Traces all the network related system calls
-e trace=desc      Traces all file descriptor related system calls
-e read=set        Performs a full hexadecimal and ASCII dump of all the data read from file descriptors listed in the specified set
-e write=set       Performs a full hexadecimal and ASCII dump of all the data written to file descriptors listed in the specified set
-f                 Traces child processes as they are created by currently traced processes as a result of the fork() system call
-ff                Used with the -o option; writes each child process's trace to filename.pid, where pid is the numeric process id of each process
-x                 Print all non-ASCII strings in hexadecimal string format
-xx                Print all strings in hexadecimal string format






 Name: SysProf
 Page Reference:  430
 Author/Distributor: Søren Sandmann Pedersen
 Available From:  http://sysprof.com/; http://sysprof.com/sysprof-1.2.0.tar.gz
 Description:  GUI-based system-wide profiler allowing the digital investigator to gather detailed
statistical information about kernel and userspace applications, including functions used.



Automated Malware Analysis Frameworks





  Automated Malware Analysis Frameworks/Sandboxes

Automated malware analysis frameworks are a helpful solution for efficiently triaging and processing malicious code specimens in an effort to gain quick intelligence about the specimens, automating the behavioral analysis process. Over the last few years, a number of researchers have developed automated malware analysis frameworks, which combine and automate a myriad of processes and tools to collectively monitor and report on the runtime behavior of a target malicious code specimen. While many of these tools are developed for installation on Linux platforms, at the time of this writing there are no automated malware analysis frameworks that process ELF files.  However, these solutions may be useful during the file profiling process when seeking to triage suspected files prior to knowing the respective file type, target operating system, nature, and purpose of the specimen.




 Name: Buster Sandbox Analyzer ("Buster")
 Page Reference:  470
 Author/Distributor:  Buster
 Available From:  http://bsa.isoftware.nl/
 Description:  A flexible and configurable sandbox platform based upon Sandboxie, a utility that creates an isolated abstraction area (sandbox) on a host system preventing changes from being made to the system. Buster monitors and analyzes the execution trajectory and behavior of malicious code specimens, including PE files, PDF files, Microsoft Office Documents, among others. Unlike many automated solutions, Buster allows the digital investigator to interact with the specimen when required (such as clicking on a dialogue box button or supplying missing libraries where needed).





Name:  ZeroWine and ZeroWine Tryouts
Page Reference: 470
Author/Distributor:  Joxean Koret
Available From:    http://zerowine.sourceforge.net/ and http://zerowine-tryout.sourceforge.net/
Description:  Developed by Joxean Koret, both ZeroWine and ZeroWine Tryouts (an offshoot of the original ZeroWine project) are open source malicious code behavioral analysis platforms built on Debian Linux in QEMU virtual machines that emulate Windows systems using WINE. Intuitive to use, both systems provide the digital investigator with Web based upload and reporting consoles. While both systems can dynamically analyze Windows executable files, ZeroWine Tryouts can also conduct automated static analysis of PDF files.





 Name:  Minibis
 Page Reference:  470
 Author/Distributor:  Christian Wojner/Austrian Computer Emergency Response Team (CERT.at)
 Available From:  http://cert.at/downloads/software/minibis_en.html
 Description:  Developed by the Austrian Computer Emergency Response Team (CERT.at), Minibis is a malicious code behavioral analysis framework based upon Oracle VirtualBox virtualization and scripting of third party malicious code monitoring utilities.





 Name:  The Reusable Unknown Malware Analysis Net ("TRUMAN")
 Page Reference:  470
 Author/Distributor:  Joe Stewart
 Available From:  http://www.secureworks.com/cyber-threat-intelligence/tools/truman/
Description:  A native hardware-based solution developed by malware expert Joe Stewart of SecureWorks, TRUMAN operates on a client-server model with a custom Linux boot image to restore a fresh Windows "victim" system image after each malware specimen is processed. At the core of TRUMAN is a series of scripts to emulate servers (DNS, Web, SMTP, IRC, SQL, etc.) and pmodump, a Perl-based tool that parses physical memory for malicious process artifacts. Although TRUMAN is no longer supported, in 2009 Jim Clausing of the SANS Institute developed and published enhancements for the platform.



 Name:  Cuckoo Sandbox
 Page Reference:  470
 Author/Distributor:  Claudio Guarnieri
 Available From:  http://www.cuckoosandbox.org/
Description: An open source malicious code behavioral analysis platform that uses a Cuckoo Host system (the core component that handles execution and analysis); Analysis Guests (isolated virtual machines on which malware is safely executed, with behavior reported back to the Cuckoo Host); and analysis packages (scripts that define the automated operations that Windows should conduct during the analysis of a target specimen).




Online Malware Analysis Sandboxes
Online malware sandboxes are a helpful analytical option, either to quickly obtain a behavioral analysis overview of a suspect program or to use as a correlative investigative tool. These services (which at the time of this writing are free of charge) are distinct from vendor-specific malware specimen submission Web sites and from online virus scanners (such as VirusTotal, Jotti Online Malware Scanner, and VirScan, as discussed in Chapter 5). Unlike online malware scanners, online malware sandboxes execute and process the malware in an emulated Internet, or "sandboxed" network, and generally provide the submitting party with a comprehensive report detailing the system and network activity captured in the sandboxed system and network. While at the time of this writing there are no online malware analysis sandboxes that process Linux ELF files, these services can nonetheless be useful as a pre-analysis triage platform to identify file types and files of interest.

As we discussed in Chapter 5 with the submission of samples to virus scanning Web sites, submission of any specimen containing personal, sensitive, proprietary, or otherwise confidential information, may violate a victim company’s corporate policies or otherwise offend the ownership, privacy, or other corporate or individual rights associated with that information. Seek the appropriate legal guidance in this regard before releasing any such specimen for third-party examination. Similarly, remember that by submitting a file to a third party Web site, you are no longer in control of that file or the data associated with that file. Savvy attackers often conduct extensive open source research and search engine queries to determine if their malware has been detected. The results relating to a file submitted to an online malware analysis service are publicly available and easily discoverable—many portals even have a search function. Thus, as a result of submitting a suspect file, the attacker may discover that his malware and nefarious actions have been discovered, resulting in the destruction of evidence, and potentially damaging your investigation.


Web Service / Features

ThreatTrack (formerly GFI Sandbox/Sunbelt Sandbox)
http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
- Conducts cursory file profiling, including file name, MD5 and SHA1 hash values.
- Conducts behavioral analysis of .dll, .doc, .docx, .exe, .htm, .html, .jar, .msg, .pdf, .ppt, .pptx, .url, .xls, .xlsx files; monitors and reports on process, file system, Registry, and network activity.
- Provides report via e-mail address supplied by user.

Malwr
https://malwr.com/submission/
- Based upon Cuckoo Sandbox.
- Conducts cursory file profiling, including file name, MD5 and SHA1 hash values.
- Conducts behavioral and static analysis of Windows portable executable files, malicious document files, among others; monitors and reports on process, file system, Registry, and network activity.

Anubis
http://anubis.iseclab.org/index.php
- Conducts cursory file profiling, including file name, MD5 hash value, time last submitted (if previously received) and a description of the suspect file's identified behavioral characteristics.
- Conducts behavioral analysis of Windows portable executable files; monitors and reports on process, file system, Registry, and network activity.
- Malicious URL scanner.

ThreatExpert
http://www.threatexpert.com/submit.aspx
- Conducts cursory file profiling, including file size, MD5 and SHA1 hash values, submission details, duration of processing, identified anti-virus signatures, and a threat categorization based upon the suspect file's identified behavioral characteristics.
- Conducts behavioral analysis of Windows portable executable files; monitors and reports on process, file system, Registry, and network activity.

XecScan
http://scan.xecure-lab.com/
- Conducts cursory file profiling, including file size, MD5 and SHA1 hash values, file type, and identified anti-virus signatures.
- Conducts behavioral analysis of PDF, Flash, ZIP/RAR archive, and Office document files; monitors and reports on file system, Registry, and network activity.
- Provides basic text report.

Joe Sandbox
http://file-analyzer.net/ (analyzes the behavior of Windows executable files such as *.exe, *.dll and *.sys files)
http://document-analyzer.net/ (analyzes the behavior of Adobe PDF and MS Office files)
- Two distinct sandbox services based upon Joe Sandbox.
- Conducts extensive file profiling, including file size, MD5 and SHA1 hash values, packing detection, PE file analysis, and metadata extraction.
- Conducts robust behavioral analysis of Windows executable files (exe, dll, sys), Microsoft Office document and PDF files; monitors and reports on memory, process, file system, Registry, and network activity.
- Provides HTML report, session screenshot and session pcap file via e-mail address supplied by user.

NSI Malware Analysis Sandbox
http://www.netscty.com/malware-tool
- Sandbox based upon the TRUMAN automated malware analysis framework.
- Link to analytical report is provided via e-mail address supplied by user.

Eureka
http://eureka.cyber-ta.org/
- Conducts behavioral and static analysis of Windows portable executable files; provides assembly code analysis of unpacked specimen, strings, control flow exploration, API calls, capabilities graph, and DNS queries.
- Unpacked executable specimen is made available for download.

Comodo
http://camas.comodo.com/ (Automated Analysis System)
http://valkyrie.comodo.com/ (File Verdict Service)
- Conducts cursory file profiling, including file size, MD5, SHA1 and SHA256 hash values.
- Conducts behavioral analysis of Windows portable executable files; monitors and reports on process, file system, Registry, and network activity.

BitBlaze
http://bitblaze.cs.berkeley.edu/
- Conducts behavioral and static analysis of Windows portable executable files; provides assembly code analysis of unpacked specimen, strings, and API calls.

Malfease
https://malfease.oarci.net/
- Conducts extensive file profiling, including file size, MD5 and SHA1 hash values, identified file signatures, packing detection, PE file analysis, byte frequency analysis and metadata extraction.
- User portal.

ViCheck.ca
https://www.vicheck.ca/
- Processes PE files, document files (PDF, MS Office, CHM), images, archive files, among others.
- Queries a submitted file against the viCheck malware database, as well as the Virustotal.com, ThreatExpert.com, and Team-Cymru malware hash databases.
- Conducts a file profile of the target specimen, including file format identification, file size, and MD5/SHA1/SSDEEP hash values. Provides a hexdump for submitted PE files.
- Processes target file in sandbox.
- Link to analytical report is provided via e-mail address supplied by user.
- Tool portal that allows users to search the malware database for MD5/SHA1/SHA256 hash values; Master Decoder; IP header processing; and IP/Domain Whois.


Embedded Artifact Extraction Revisited
 Disassemblers





Name:  Objdump
Page Reference:  472
Author/Distributor:  GNU
Available From:   Native to most Linux distributions as a part of binutils; http://www.gnu.org/software/binutils/
Description:  Command-line utility to display the structure and contents of object files.
Helpful Switches:

Switch                      Function
-a                          Displays archive file header/file format information
-d                          Disassemble
-f                          Displays summary information about file, such as file format, target architecture, starting address, etc.
-g                          Display debugging information
-j <name>                   Display information only for specific section name
-p (or --private-headers)   Displays header information specific to the target object file format
-s                          Display full content of a target section
-S                          Display source code and respective disassembly if possible
-t                          Displays the content of the symbol table(s)




Name:  Dissy
Page Reference:  472
Author/Distributor:  Simon Kagstrom
Available From:     http://dissy.googlecode.com
Description:  GUI frontend to the objdump disassembler.

 Interacting with and Manipulating the Malware Specimen





 Prompting Trigger Events
Name:  HTTrack
Page Reference:  477
Author/Distributor:  Xavier Roche
Available From:  http://www.httrack.com
Description:  HTTrack is a graphical web site copying tool. A valuable tool for copying web site content for offline browsing and reconstructing web content locally, HTTrack offers granular configuration options for copying depth and content acquisition.



Digital Virology
Context Triggered Piecewise Hashing and Indicators of Likeness





Name:  SSDeep
Page Reference:  499-500
Author/Distributor: Jesse Kornblum
Available From:  http://ssdeep.sourceforge.net/
Description: A fuzzy hashing tool which computes a series of randomly sized checksums for a file, allowing file association between files that are similar in content but not identical.
Helpful Switches:

Switch   Function
-v       Verbose mode. Displays file name as it is being processed
-p       Pretty matching mode. Similar to -d but includes all matches
-r       Recursive mode
-d       Directory mode, compare all files in a directory
-s       Silent mode; all errors are suppressed
-b       Uses only the bare name of files; all path information omitted
-l       Uses relative paths for file names
-c       Prints output in CSV format
-t       Only displays matches above the given threshold
-m       Match files against known hashes in file