
Playing With Fire: Dissecting Malicious Software

Modern malware is more sophisticated than it used to be and can easily mislead the investigator. Ian Kennedy takes us on a journey of discovery into what makes malware tick.

Mention the word ‘malware’ in a word association game and few people would think to respond with ‘weapon’. Yet malware is nearly always a means to an end in a much bigger picture. That end could be the sale of information obtained, access to the compromised system or even the denial of access for the right price. If we visualise the computer as the battlefield and a network or computer system as a region or country, then a malware attack becomes an offensive campaign against targeted systems. Continuing the analogy, strategic decisions about how the campaign is fought become the overall design and execution of a malware attack. Decisions about how individual battles are fought are tactical in nature and equate to the techniques used in the construction and execution of malware tasks. In the midst of this are the forensic practitioners and security researchers. Our job is to be the weapons analyst: to reverse engineer these virulent and at times quasi-conscious weapons and understand their capabilities and behaviour.

It is difficult to imagine undertaking any offensive campaign without a range of tactical weapons, each suited to different tasks. The attacker can draw on a rich arsenal including keyloggers, screen loggers, email redirectors, web Trojans, hostname lookup attacks, proxy attacks and rootkits, to name a few. Each is suited to a different objective and each will often contain its own counter-detection measures. To start your campaign you need a weapons supplier.

Descending Underground

Buying weapons on the black market is not new. They are there to serve your every need, for a price. Recently appearing in the news, Zeus is an example of a DIY kit for building your own customised malware. With your freshly built malware it’s not enough to simply place it on a couple of websites and hope for passing surfers to get infected. You need to get it distributed to machines with identified vulnerabilities that can begin making you money quickly. That’s where an Exploitation Pack comes in.

You can expect to pay around $100-250 to get your customised malware installed onto around 1,000 machines in the UK. Three widely used systems are Fiesta, Firepack and Sploit. Now you need somewhere to store all your harvested data and manage your malware distribution. Anonymous ‘bulletproof’ servers offer a variety of packages and typically cost around $150 per month for hosting, with discounts for larger quantities.

Enter the Weapons Analyst

With my practitioner hat on, I am principally motivated by the need to determine the events leading up to a limited set of circumstances when analyzing malware. I need to determine if the suspicious binary discovered on a computer is the cause of a given activity. There are two broad approaches taken to address this question of causality: static and dynamic analysis.

In the static world the malware is lifeless, but not completely harmless, as careless handling can be problematic. We must also remember that even our tools can be misled in this exercise by the tactics of the malware author, leading to differing results between tools. Hence, as with computer forensics, cross-checking with more than one tool increases confidence that what you are seeing is accurate. With this knowledge, we can safely commence our autopsy and dissect the specimen.

Online scanners are freely available to help us rapidly scan our suspicious binary in an attempt to identify it. Despite the ease of doing this, we have to stop and consider any legal issues involved, such as privacy and cross-border movement of data. This is especially important in the case of sensitive and government clients for whom we are conducting the investigation. With any legal issues resolved, we can don our gloves and surgical mask and submit our suspicious binary (previously identified by our AV scanner unhelpfully as simply ‘Worm.Win32.Gen’) to online scanner sites such as VirusTotal and Jotti’s malware scanner.

It is important to remember that a vendor’s online scanner tool operates differently from its desktop product, and so the precision is not the same. This becomes apparent when we examine how such online tools have identified the binary. The lack of consensus on even the name of the binary may give rise to doubts about what we are dealing with.

Not defeated, we turn to our preferred hex editor tools and examine the ‘Magic Number’ of this file; we see that it is ‘MZP’. This indicates that the file is an executable file produced with Delphi. Knowing that a typical executable file contains varying amounts of string-based data, we next apply that ever-useful Unix tool called ‘strings’, which has been ported to run in a Windows environment. The ‘BinText’ tool offers powerful string filtering and searching options. It will also denote both the file and memory offset of a string.
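The two static checks described above, the hex-editor look at the magic number and the BinText-style strings pass, are illustrated in the following added example. It is not code from the article or its author; it runs over a constructed byte string standing in for the suspicious binary, not a real executable. It assumes the usual explanation of the ‘MZP’ reading: the ‘MZ’ DOS signature followed by the byte 0x50 (‘P’) that the Delphi linker leaves at offset 2 of the DOS header. Strings are reported with their file offset only; BinText’s memory offset would additionally require parsing the section table, which this example leaves out.

```python
"""Added example: magic-number check plus a BinText-style strings pass over a constructed sample."""
import re
import struct
from typing import List, NamedTuple, Optional

# Printable ASCII runs, and UTF-16LE runs of printable ASCII characters (each followed by a NUL byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")


class FoundString(NamedTuple):
    offset: int      # file offset of the first byte of the string
    encoding: str    # "ascii" or "utf16"
    text: str


def build_sample() -> bytes:
    """Constructed stand-in for the suspicious binary; the layout mimics a DOS/PE header, nothing more."""
    header = bytearray(0x40)
    header[0:3] = b"MZP"                        # 'MZ' DOS signature; Delphi's linker leaves 0x50 ('P') at offset 2
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew: file offset of the 'PE\0\0' signature
    buf = bytearray(header)
    buf += b"This program must be run under Win32\r\n$"  # Delphi-style DOS stub message
    buf += b"\x00" * (0x80 - len(buf))
    buf += b"PE\x00\x00"                        # PE signature at e_lfanew
    buf += b"\x00" * 8
    buf += b"kernel32.dll\x00GetProcAddress\x00"  # import-like ASCII strings
    buf += b"\x00\x01\x02"                      # non-printable filler that splits the runs
    buf += "C:\\Temp\\report.log".encode("utf-16-le") + b"\x00\x00"  # a wide-character path
    return bytes(buf)


def identify_magic(data: bytes) -> str:
    """'MZP' for the Delphi-style header the article describes, 'MZ' for any other DOS/PE file, else 'unknown'."""
    if data[:3] == b"MZP":
        return "MZP"
    if data[:2] == b"MZ":
        return "MZ"
    return "unknown"


def pe_signature_offset(data: bytes) -> Optional[int]:
    """Follow e_lfanew (offset 0x3C) and confirm 'PE\\0\\0' is there; None if the file is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def extract_strings(data: bytes, min_len: int = 4) -> List[FoundString]:
    """BinText-style pass: ASCII and UTF-16LE strings of at least min_len characters, with file offsets."""
    found = []
    for m in ASCII_RUN.finditer(data):
        if len(m.group()) >= min_len:
            found.append(FoundString(m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16LE_RUN.finditer(data):
        if len(m.group()) // 2 >= min_len:
            found.append(FoundString(m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found, key=lambda s: s.offset)


if __name__ == "__main__":
    sample = build_sample()
    print("magic:", identify_magic(sample))
    pe_off = pe_signature_offset(sample)
    print("PE signature at:", hex(pe_off) if pe_off is not None else "not found")
    for s in extract_strings(sample):
        print(f"{s.offset:08x} {s.encoding:5} {s.text}")
```

Run against a real specimen, `build_sample()` would be replaced by reading the file in binary mode. The UTF-16 pass matters in practice because Windows binaries carry paths, registry keys and messages as wide strings that a plain ASCII `strings` run misses, which is one reason the article recommends cross-checking tools.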


The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010.
