Investigating Malicious Software
Steve Romig, The Ohio State University, April 2002

Malware Analysis
• Got a piece of *something*, what does it do?
• In our case, an email attachment
• Not recognized by "usual" anti-virus scanners

Run UNIX "strings"
• Sometimes useful, sometimes misleading
• Do Google searches on what turns up
• Try to determine what it does by symbol names, included libraries, include files, etc.
• Nothing useful here, that I remember - self-extracting UPX file

Try Running It
• Danger, Danger!!
• It Might Do "Bad Things"(tm)
  • To the computer it is running on
  • To other computers
  • Tip off the perpetrators?

So, You Should...
• Create a clean test machine...
• Detached from network...
• Run malware there
• Don't reuse this for other tests
  • Hard to figure out what changes are due to what malware
  • Might screw up subsequent tests

VMWare!
• Create a virtual machine
• Install the host operating system, patches, applications as needed
• *Make a snapshot* of the virtual disk
• Squirrel your snapshots away somewhere

VMWare (continued)
• To create a clone:
  • make a directory
  • restore files
  • change config as needed
  • boot
• I use a read-only "airlock" with host-only access to pass files back and forth.

Run the Malware
• No net access, of course
• System, library call tracers
• lsof, HandleEx
• filemon, regmon (Windows only)
• tcpdump, ethereal

In Our Case
• Malware makes some registry changes
• Installs something that starts at login
• Apparently checks a web site every minute

Create a Fake Network
• Attempts to resolve an IP address
  • We create a fake DNS entry, try again
• Attempts to connect to tcp/80 at that IP
  • Web traffic? Create a fake web server, try again
• Attempts to download nethief_connect.htm
  • Search the real web site (found it, but risky)
  • Search on web (Google)
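The "fake web server, try again" step above, as an added example that is not part of the deck: a throwaway HTTP listener for the detached analysis network that answers every request with an empty page and records what the sample asked for, so each run reveals the sample's next step (here, the fetch of nethief_connect.htm). The fake DNS entry is assumed to be a hosts-file line on the victim VM pointing the site's name at the analysis host; probe() is a constructed stand-in for the sample's request.

```python
import http.server
import threading
import urllib.request
from datetime import datetime, timezone

# Each entry: (utc timestamp, client ip, method, path, user-agent header).
REQUEST_LOG = []


class FakeWebHandler(http.server.BaseHTTPRequestHandler):
    """Answer every GET with an empty 200 page and log what was requested."""

    def do_GET(self):
        REQUEST_LOG.append((datetime.now(timezone.utc).isoformat(),
                            self.client_address[0], "GET", self.path,
                            self.headers.get("User-Agent", "")))
        body = b""  # empty page: enough to keep the sample going, nothing to act on
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # REQUEST_LOG is the record; keep stdout quiet


def start_fake_web(host="127.0.0.1", port=0):
    """Start the listener on a background thread; returns (server, bound port).
    Assumption: on the analysis host you would bind the IP the fake DNS entry
    names and port 80; port=0 picks a free port for a local dry run."""
    server = http.server.ThreadingHTTPServer((host, port), FakeWebHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def requested_paths():
    """Distinct paths the sample asked for, in first-seen order."""
    seen = []
    for _, _, _, path, _ in REQUEST_LOG:
        if path not in seen:
            seen.append(path)
    return seen


def probe(port, path, host="127.0.0.1"):
    """Constructed client standing in for the sample; returns the HTTP status."""
    with urllib.request.urlopen(f"http://{host}:{port}{path}") as resp:
        return resp.status
```

After a run, requested_paths() gives the list of files to go looking for (via a cached copy or a search engine) before deciding whether touching the real site is worth the risk.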
Google, Babelfish are Your Friends!
• Got the zip file (finally)
• It has a readme! (let's see)
• Install the application (let's see)
• The application web site is down :-(

Google caching, Archive.org to the Rescue!
• Google caches pages that it has searched, which can be useful
• Archive.org caches pages (when?)
• It is (unfortunately) messy dealing with pages cached in archive.org that need to be translated

What Does This Thing Do - Attacker End
• Install, run application
• Configure
  • web site
  • ftp address, account, password for updating web site
• Updates web site once a minute with current IP
• Create the trojan
• Infect someone

What Does This Thing Do - Victim End
• Get infected :-)
• Runs at login
• Checks web site once a minute
• Sends "hey, I'm here" traffic to indicated IP address
• Shows up on attacker's console

Attacker Selects a Target
• Click on it in list of active victims
• Inserts instructions on the web site
• Intended victim downloads the instructions, connects to tcp/80 on the host where the console is currently running
• Can now read, write, modify any file

Interesting Notes
• Works "just fine" behind firewalls
• There appear to be virus populations that are "known" to only parts of the Internet.