Playing With Fire: Dissecting Malicious Software

Modern malware is more sophisticated than it used to be and can easily mislead the investigator. Ian Kennedy takes us on a journey of discovery into what makes malware tick.
Descending Underground
Buying weapons on the Black Market is not new. They are there to serve your every need, for a price. Recently appearing in the news, Zeus is an example of a DIY kit for building your own customised malware. With your freshly built malware, it is not enough simply to place it on a couple of websites and hope that passing surfers get infected. You need to get it distributed to machines with identified vulnerabilities that can begin making you money quickly. That’s where an Exploitation Pack comes in.
You can expect to pay around $100-250 to get your customised malware installed onto around 1,000 machines in the UK. Three widely used systems are Fiesta, Firepack and Sploit. Now you need somewhere to store all your harvested data and manage your malware distribution. Anonymous ‘bulletproof’ servers offer a variety of packages and typically cost around $150 per month for hosting, with discounts for larger quantities.
Enter the Weapons Analyst
With my practitioner hat on, I am principally motivated by the need to determine the events leading up to a limited set of circumstances when analyzing malware. I need to determine if the suspicious binary discovered on a computer is the cause of a given activity. There are two broad approaches taken to address this question of causality: static and dynamic analysis.
In the static world the malware is lifeless, but not completely harmless, as careless handling can be problematic. We must also remember, though, that even our tools can be misled in this exercise by the tactics of the malware author, leading to differing results between tools. Hence, as with computer forensics, cross-checking with more than one tool increases confidence that what you are seeing is accurate. With this knowledge, we can safely commence our autopsy and dissect the specimen.
Online scanners are freely available to help us rapidly scan our suspicious binary in an attempt to identify it. Despite the ease of doing this, we have to stop and consider any legal issues involved, such as privacy and cross-border movement of data. This is especially important in the case of sensitive and government clients for whom we are conducting the investigation. With any legal issues resolved, we can don our gloves and surgical mask and submit our suspicious binary (previously identified by our AV scanner unhelpfully as simply ‘Worm.Win32.Gen’) to online scanner sites such as VirusTotal and Jotti’s malware scanner.
It is important to remember that a vendor’s online scanner tool operates differently to its desktop product and so the precision is not the same. This becomes apparent when we examine how such online tools have identified the binary. The lack of consensus on even the name of the binary may give rise to doubts of what we are dealing with.
Not defeated, we turn to our preferred hex editor and examine the ‘Magic Number’ of this file; we see that it is ‘MZP’. This indicates that the file is an executable produced with Delphi. Knowing that a typical executable contains varying amounts of string-based data, we next apply that ever-useful Unix tool ‘strings’, which has been ported to run in a Windows environment. The ‘BinText’ tool offers powerful string filtering and searching options. It will also denote both the file and memory offset of a string.
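The two static checks described above, as an added example that is not code from the article or its author: a small Python script that reports the DOS magic (flagging the ‘MZP’ stamp), parses the PE section table, and lists printable ASCII strings with both their file offset and their memory offset (RVA), which is what BinText’s two offset columns give you. The binary it runs on is a constructed skeleton built inline; the URL and API name inside it are placeholders, and the function names are this example’s own.

```python
import struct

def magic(data):
    # DOS signature is 'MZ'; Borland/Delphi-linked executables carry 'MZP' in the first three bytes
    return "MZP" if data.startswith(b"MZP") else data[:2].decode("latin-1")

def parse_sections(data):
    # PE section table -> [(name, VirtualAddress, PointerToRawData, SizeOfRawData)]
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> 'PE\0\0'
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # COFF SizeOfOptionalHeader
    base = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    secs = []
    for i in range(nsec):
        name, _vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, base + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), va, rptr, rsize))
    return secs

def file_to_rva(secs, off):
    # File offset -> RVA (BinText's "memory offset"); None for bytes outside every section
    for _name, va, rptr, rsize in secs:
        if rptr <= off < rptr + rsize:
            return va + (off - rptr)
    return None

def extract_strings(data, min_len=4):
    # (file_offset, rva, text) for each run of at least min_len printable ASCII bytes
    secs, found, start = parse_sections(data), [], None
    for i, b in enumerate(data + b"\0"):                    # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                found.append((start, file_to_rva(secs, start), data[start:i].decode("ascii")))
            start = None
    return found

# Constructed sample: MZP-stamped skeleton with one .text section at file 0x80 / RVA 0x1000.
# SizeOfOptionalHeader is 0 to keep it short (real files have 224 or 240 bytes there); the
# URL and API name are placeholders, not indicators from any real specimen.
PAYLOAD = b"\0\0http://example.invalid/gate.php\0\0CreateRemoteThread\0"

def build_sample():
    dos = b"MZP" + b"\0" * (0x3C - 3) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, one section
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(PAYLOAD), 0x1000, len(PAYLOAD), 0x80, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + PAYLOAD
```

Strings found in the headers (such as the section name) report no memory offset, since those bytes are not mapped by any section; on a real specimen, pass the file’s bytes to `extract_strings` in place of `build_sample()`.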
The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010.