http://www.iaeme.com/IJMET/index.asp 10 [email protected]
International Journal of Mechanical Engineering and Technology (IJMET) Volume 9, Issue 1, January 2018, pp. 10–21, Article ID: IJMET_09_01_002
Available online at http://www.iaeme.com/IJMET/issues.asp?JType=IJMET&VType=9&IType=1
ISSN Print: 0976-6340 and ISSN Online: 0976-6359
© IAEME Publication Scopus Indexed
INTRODUCTION TO DYNAMIC MALWARE ANALYSIS FOR CYBER INTELLIGENCE AND FORENSICS
P V Vara Prasad
Assistant Professor, Koneru Lakshmaiah Education Foundation, Department of CSE, India
N Sowmya, K Rajasekhar Reddy and P Jayant Bala
Student, Koneru Lakshmaiah Education Foundation, Department of CSE, India
ABSTRACT:
Cyber threats are increasing day by day, and one aspect common to almost all attacks is malware. Almost every breach of systems, networks and mobile phones involves Trojans, rootkits, backdoors, spyware, et cetera. The network security team of a firm where an attack has happened cannot respond to a zero-day or day-one attack, and hence a special incident response team or malware analysts are required. The Verizon Data Breach report of 2015 says that about 80-90% of malware is unique to an organization. Verizon's data breach incident response concluded this year around 40,000 incidents, including 1,935 confirmed data breaches. No system is 100% safe, but understanding the threat we will face helps us improve our security. Therefore, in order to understand a malware sample we need to study its behaviour, and that is the dynamic analysis of malware.
Keywords: Static Analysis, Dynamic Analysis, VMware workstation, Ransomware,
Wireshark.
Cite this Article: P V Vara Prasad, N Sowmya, K Rajasekhar Reddy and P Jayant
Bala, Introduction to Dynamic Malware Analysis for Cyber Intelligence and
Forensics, International Journal of Mechanical Engineering and Technology 9(1),
2018, pp. 10–21.
http://www.iaeme.com/IJMET/issues.asp?JType=IJMET&VType=9&IType=1
1. INTRODUCTION
Due to changes in everyday software technologies and upcoming requirements, it has become very important to protect our data. Data is very valuable, and every day cyber criminals are hungry to get their hands on it. Today the internet is flooded with leaked information and data, which is the result of compromised servers and a lack of qualified security professionals in organizations. Instead of looking at this as a problem, we can take it as an opportunity to educate and equip ourselves to defend against such devastating attacks. In dynamic analysis of a malware sample, we will use a set of forensics tools available to us to understand the malware.
We extract valuable information and create logs and events to capture the behaviour of the malware, then organize the collected data, monitor the activity of a live malware sample and check its communication with the local machine and with remote machines. Malware has the capability to hide itself and even manipulate the registry keys available in the system, so a proper environment or lab is required in order to see those changes. Creating a proper lab for analysis of malware is very important for understanding its behaviour. We will use VMware Workstation or Oracle VirtualBox to create a lab which will have a certain set of operating systems, basic forensic tools, a local network connection and snapshot availability. The ability to manipulate network settings so that our lab does not affect our actual networks is very important. We also make basic use of the Wireshark packet sniffer to learn how malware tries to infect other systems present in the network. In the end we will talk about countermeasures and certain steps to take while performing dynamic malware analysis. Those working in incident response, basic forensics, malware discovery and basic reverse engineering will benefit from this research paper.
2. LITERATURE
Malware analysis is the study or process of determining the functionality, origin, potential impact and future attacks of a given malware sample, which could be a worm, Trojan, rootkit, spyware, backdoor, ransomware and so on [6]. Malware is a malicious program or software that intends to harm systems or the systems connected to a network, or to steal sensitive data from the local drives or servers within its reach.
Malware analysis generally comprises a few methods:
• Static analysis
• Dynamic analysis
• Hybrid analysis.
A. Static analysis
Static analysis is a very long procedure and takes a lot of time to understand the nature of the malware, but it guarantees complete removal of the malware and gives us a complete understanding. It includes code analysis of the malware, achieved through dissection of the different sources of assembly language code and their connection with the binary files. The binary files can also be disassembled using tools such as IDA 5.0 or IDA Pro, OllyDbg, HT editor, Hopper, et cetera. Using these tools one can learn the behaviour and true nature of the malware.
B. Dynamic analysis
Dynamic analysis is very fast and generally deals with behavioural analysis of malware [12]. It shows how the malware affects the host systems and networks. Mostly this type of analysis is done in a virtual machine or sandbox environment to prevent the malware from infecting the host systems or networks. Our main focus will be on dynamic analysis, by which we can quickly understand the behaviour of malware and come up with countermeasures.
C. Hybrid analysis
Static analysis and dynamic analysis together are called hybrid analysis.
The goal of malware analysis is to understand the basic working principle of a malware sample so that the defences built can protect an organization’s network and systems.
3. TOOLS REQUIREMENT
In order to perform behavioural malware analysis we need an isolated lab and certain forensic tools. Constructing a virtual lab using VMware or Oracle’s VirtualBox will prove beneficial; in our analysis we will use VMware. We need a few old and new operating systems:
• Windows XP Professional (either sp2 or sp3).
• Windows 7 (without patches and updates).
• Kali Linux 2016.2 version (Debian package).
Here Windows XP will be our target system, because most local services still run Windows XP and cyber criminals upgrade their malware especially to target those systems, since Microsoft has discontinued updates and patches for the Windows XP service packs. Windows 7 will contain all our signatures of changes made before and after the infection, and we will store all our catalogues of log files on this operating system. Kali Linux will act as host server to our guest Windows XP. Install all the operating systems and follow the instructions given by VMware. Please note that the Windows XP and Kali Linux network adapters should have only a NAT connection so that they can communicate with each other. There are three options available for network adapters:
• NAT
• Bridged
• Host only
A NAT connection provides internet access to all the virtual guests and the host operating system, but the virtual operating systems will not be able to connect with the physical system. The adapter VMnet8 has NAT settings by default.
Bridged mode gives internet access as well as communication between virtual and physical hosts.
Host-only has a connection only to the host adapter; in VMware, adapter VMnet1 has a host-only connection established by default.
Always make sure our virtual operating systems are connected to NAT or host-only, so that they do not establish a connection with the physical system. After the installation of the different operating systems, we need to install the forensic tools listed below.
• 7zip
• 010 hex editor
• Capture bat
• Map pack
• Notepad ++
• Regshot
• Sysinternals
• Vcredist x86 2005
Once all the programs are available, move them to Windows 7. Install the VMware guest installation tool, which enables drag and drop from the physical system to the virtual system so that moving files, folders and programs becomes easy.
4. METHODOLOGY
Install Vcredist x86 2005 in Windows XP so that all the programs can install properly. Install CaptureBat in Windows XP; CaptureBat is a listener which intercepts the behaviour of the malware and creates a log file containing information about the program’s activity. Install 010 hex editor, IDA Pro, Regshot, Sysinternals, Notepad++, Map pack and Cygwin. Once all the tools are installed, we take a live malware sample; any live malware sample can be used, but for beginners it is preferable to take the sample called Dyre [13]. Now create a shortcut for CaptureBat on the desktop, open its properties, select the Shortcut tab and set the target to something like
"C:\Program Files\Capture\CaptureBat.exe" -c -l "C:\Documents and Settings\Administrator\Desktop\log.txt"
and save it. Here the path may vary, but -c stands for capture and -l stands for listen and save the log entries to the desktop folder, which contains the log.txt file. Next use the snapshot feature available in Workstation. A snapshot captures the state of a live machine so that we can later come back to that state again; even if some files or programs are damaged, we can revert. Take a snapshot now and save it as “Not infected”. Dyre is a Trojan which is also called TrickBot, mostly used against the banking sector to hack their systems. It is used in this paper to investigate its behaviour in the system; to understand the behaviour of malware we can use any Trojan or malware available on the internet. Unzip the Dyre.zip file and save it on the desktop. Go to the folder and, before running the program, make sure we start the CaptureBat shortcut on the desktop. Once CaptureBat is listening for incoming changes, run the malware, wait for 10 seconds and then close CaptureBat. The virus file will then be deleted automatically. Now check the log file and see all the entries made there; we will find something like this.
We can traverse through all the locations mentioned above and we will be able to find the virus folder. Now revert to the original state again using the snapshot function and, once we are back, take the MD5 sum signature of the old Dyre malware by right-clicking on it and clicking on MD5 hash sum. We can take the MD5 hash sum signature and verify whether some string is present there or not by installing the Map pack program. Once we have taken the MD5 signature, save it in Windows 7, repeat the infection process, browse through and find the original virus file, take its MD5 hash sum and verify it against the old MD5 hash sum. Once the hashes are the same, we have located our virus in the system. Now we can see that some changes have been made in the registry keys. Again, revert to the not-infected state and run the Regshot program. Once Regshot is live, click on “1st shot” and save it, then run the virus, wait for 10 seconds and then click on “2nd shot” and save it. Compare both shots and Regshot will generate a custom log file. It will look like this.
We can see some changes in HKLM and some keys and values added. We can browse through the registry by going to Run, typing “regedit” and being directed to the registry editor, where we can find the changes that were made.
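The two comparisons above, the MD5 check that locates where the sample copied itself and the Regshot before/after comparison of registry keys, can be reproduced with a few lines of Python. The following is an added example, not code from the paper or from the Regshot or CaptureBat projects. It snapshots a constructed temporary directory tree standing in for the XP guest’s disk and a constructed dictionary standing in for the registry; the file contents, the “UpdateSvc” Run key and its path are assumed values for illustration only.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for two Regshot shots: registry state modelled as a
# dict of "HIVE\Key\Value" -> data. Real Regshot output is a text report;
# the comparison logic is the same.
BASELINE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sidebar":
        r"C:\Program Files\Windows Sidebar\sidebar.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Start": "2",
}
INFECTED_REGISTRY = dict(BASELINE_REGISTRY)
# Hypothetical persistence entry: an assumed Run key, not one observed on the page.
INFECTED_REGISTRY[r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateSvc"] = (
    r"C:\Documents and Settings\Administrator\Application Data\svchost.exe")


def md5_file(path):
    """MD5 of a file, read in chunks. The paper compares MD5 sums; for a new
    workflow SHA-256 is the better choice, but the diff logic is unchanged."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root):
    """Map every file below root (POSIX-style relative path) to its MD5."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): md5_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Return (added, removed, modified) keys between two snapshots."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return added, removed, modified


def find_copies(sample_hash, after):
    """Files in the post-run snapshot whose MD5 equals the original sample's."""
    return sorted(path for path, h in after.items() if h == sample_hash)


def demo():
    """Run both comparisons over a constructed file tree and registry."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows" / "system32").mkdir(parents=True)
        (root / "Desktop").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(b"constructed notepad bytes")
        sample = root / "Desktop" / "sample.exe"
        sample.write_bytes(b"constructed sample bytes")
        sample_hash = md5_file(sample)          # hash taken before the run
        before = snapshot_tree(root)
        # Simulate the behaviour described in the text: the sample copies
        # itself elsewhere, deletes the original, and tampers with a file.
        (root / "Windows" / "system32" / "svchost_.exe").write_bytes(sample.read_bytes())
        sample.unlink()
        (root / "Windows" / "notepad.exe").write_bytes(b"tampered")
        after = snapshot_tree(root)
        fs_diff = diff_snapshots(before, after)
        copies = find_copies(sample_hash, after)
    return {"fs": fs_diff, "copies": copies,
            "registry": diff_snapshots(BASELINE_REGISTRY, INFECTED_REGISTRY)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same diff_snapshots function serves both the file system and the registry because both are reduced to a path-to-value mapping; on a real guest the snapshot would be taken over the whole volume before the sample runs and again after, with the pre-run hash of the sample used to spot the dropped copy.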
Another alternative is to use the Sysinternals tools: revert the state back to the original using the snapshot function, run the Sysinternals tools and then run the malware. In the current process list a red line will appear like this.
We can traverse to the original registry entry made by that malicious program and delete the registry key. Some malware also tries to establish a way to connect back to its owner; those are backdoors, and using the Wireshark packet sniffer can help us analyse the incoming and outgoing traffic. This is a snapshot of the malware “IllusionBot 2007” [13] trying to set up an IRC connection.
We can analyse the behaviour of such malware using all these forensic tools and create a report.
5. RECENT ATTACKS ANALYSIS
Early on May 12th 2017, many organizations around the globe were infected by a ransomware crypto-worm called WannaCry. Its main target was computers running the Windows operating system; once they were compromised their data was encrypted and payment was demanded in the form of Bitcoin. Once the hackers launched the attack, within a day about 230,000 computers were compromised in over 150 countries. Parts of the United Kingdom’s National Health Service (NHS) were infected, forcing it to run some services on an emergency-only basis during the attack; Telefonica in Spain, the courier FedEx and Deutsche Bahn were also affected, along with many other countries and multinational organizations around the world.
It attacks and infects computers through a recent SMB vulnerability in Microsoft Windows operating systems, especially older ones like Windows XP which no longer receive updates and patches. The exploit used the “EternalBlue” worm file, which was made available on the internet by the Shadow Brokers’ dump on April 14th, 2017, and which is addressed by MS17-010 for the supported versions of Microsoft Windows operating systems. Unfortunately, at the time the patch was not available for the legacy Windows XP, Windows 8 and Windows Server 2003 systems, and many organizations failed to install the patches in time. Other campaigns leveraging the tools leaked by the Shadow Brokers have been identified. While they do not deliver ransomware, they might be utilized for other purposes and represent a significant threat to the world. The other campaigns share the same infection method, SMB. It is important to monitor network activity even if no ransomware cases have been observed.
Once a system has been compromised through the SMB vulnerability [1], the infection can be persistently triggered by sending a crafted packet to the targeted SMB servers. It starts to spread initially through vulnerable computers exposing port 445 on the Internet, and then uses the same methodology to propagate through internal networks. The threat [2] arrives as a dropper with two components:
• A component that tries to exploit the SMB EternalBlue vulnerability on other computers.
• Ransomware known as WannaCry/WannaCrypt.
Depending on the version, the dropper will try to connect to one of the following kill switch domains [7, 4]:
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [.]com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea [.]com
ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf [.]com
lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea [.]com
“mssecsvc2.0” is the service created by the threat, whose main objective is to exploit the SMB vulnerability on the computers connected to the infected internal network. Once at least one computer has been infected, the rest of the computers will automatically get infected through TCP port 445.
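The indicators described in this section, the lookup of a kill switch domain and the spread over TCP port 445, can be turned into detection logic that a defender runs over resolver and firewall logs. The Python below is an added example, not from the paper or from any of its cited sources; the key=value log format and every log line are constructed for illustration, the RFC 1918 ranges are assumed to be the organization’s internal networks, and the threshold of three distinct destinations is an assumed value.

```python
import ipaddress
import re

# Kill switch domains named in the text (de-fanged there with "[.]").
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
    "lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com",
}

# Address ranges the analyst treats as internal (assumed: the RFC 1918 blocks).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample logs in an assumed key=value format: a resolver log and a
# firewall connection log. None of these lines come from a real capture.
DNS_LOG = """\
ts=2017-05-12T10:01:02Z src=10.0.0.23 qtype=A qname=www.example.com
ts=2017-05-12T10:01:07Z src=10.0.0.23 qtype=A qname=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
ts=2017-05-12T10:01:09Z src=10.0.0.41 qtype=A qname=update.microsoft.com
"""
FW_LOG = """\
ts=2017-05-12T10:01:10Z proto=tcp src=10.0.0.23 dst=10.0.0.24 dport=445 action=allow
ts=2017-05-12T10:01:10Z proto=tcp src=10.0.0.23 dst=10.0.0.25 dport=445 action=allow
ts=2017-05-12T10:01:10Z proto=tcp src=10.0.0.23 dst=10.0.0.26 dport=445 action=allow
ts=2017-05-12T10:01:11Z proto=tcp src=10.0.0.23 dst=203.0.113.9 dport=445 action=allow
ts=2017-05-12T10:01:12Z proto=tcp src=10.0.0.41 dst=10.0.0.5 dport=445 action=allow
ts=2017-05-12T10:01:13Z proto=tcp src=10.0.0.41 dst=10.0.0.5 dport=80 action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def defang(domain):
    """Write a domain so it cannot be clicked or auto-resolved in a report."""
    return domain.replace(".", "[.]")


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def kill_switch_queries(dns_log):
    """(source host, de-fanged name) for every lookup of a kill switch domain.
    The text notes this lookup is the sample's first action, so a hit points
    at a host on which the dropper has already run."""
    hits = []
    for line in dns_log.splitlines():
        rec = parse(line)
        name = rec.get("qname", "").lower().rstrip(".")
        if name in KILL_SWITCH_DOMAINS:
            hits.append((rec["src"], defang(name)))
    return hits


def smb_fanout(fw_log, threshold=3):
    """Sources opening TCP/445 to at least `threshold` distinct destinations
    (internal propagation) and every TCP/445 connection to a non-internal
    address (propagation over the Internet). `threshold` is an assumed value."""
    dests = {}
    external = []
    for line in fw_log.splitlines():
        rec = parse(line)
        if rec.get("proto") != "tcp" or rec.get("dport") != "445":
            continue
        dests.setdefault(rec["src"], set()).add(rec["dst"])
        if not is_internal(rec["dst"]):
            external.append((rec["src"], rec["dst"]))
    scanners = sorted(src for src, d in dests.items() if len(d) >= threshold)
    return scanners, external
```

Because the text notes that the sample only continues when the kill switch URL gives no response, kill_switch_queries reports the lookup as evidence of an already infected host rather than suppressing the name at the resolver; smb_fanout then shows which host is the one reaching out on port 445, both inside the network and towards the Internet.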
Let’s take the WannaCry sample and open it in OllyDbg: open the folder and drag wannacry.exe onto OllyDbg.
Below we find a section with Address, Hex dump and ASCII. Looking carefully, we can find “MZ”, which marks a Portable Executable (PE) file; PE files can run as Win32 applications which call functions in the Win32 API set. The Portable Executable (PE) format is a file format, or data structure, used for executables, object code, DLLs, FON font files and others in the 32-bit and 64-bit versions of the Windows operating system. The Windows loader handles the executable code with the help of the PE format data structure, which encapsulates the information the loader needs.
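To make the header check concrete, here is a minimal Python parser for the MZ/PE structures referred to above: it verifies the “MZ” signature, follows the e_lfanew field to the “PE\0\0” signature and decodes the COFF file header that the loader reads. This is an added example, not code from the paper; the image it parses is a constructed 152-byte header (not a runnable executable), and the section count, timestamp and characteristics in it are assumed values.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7"}


def build_sample_image():
    """Constructed minimal image: a 64-byte DOS header whose e_lfanew points
    at "PE\0\0" followed by a 20-byte COFF file header. Not executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"                            # e_magic
    struct.pack_into("<I", dos, 0x3C, 0x80)     # e_lfanew: offset of the PE signature
    stub = b"\x00" * (0x80 - 64)                # padding where the DOS stub would sit
    coff = struct.pack("<HHIIIHH",
                       0x014C,       # Machine: IMAGE_FILE_MACHINE_I386 (win32)
                       4,            # NumberOfSections (assumed)
                       0x5915F8E0,   # TimeDateStamp (assumed)
                       0, 0,         # PointerToSymbolTable, NumberOfSymbols
                       0xE0,         # SizeOfOptionalHeader: PE32
                       0x010F)       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE | ...
    return bytes(dos) + stub + b"PE\0\0" + coff


def parse_pe_header(data):
    """Validate the MZ and PE signatures and return the COFF header fields the
    loader depends on. Raises ValueError for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ present but no PE signature (DOS-only executable?)")
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "optional_header_size": opt_size,
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "format": "PE32" if opt_size == 0xE0 else "PE32+" if opt_size == 0xF0 else "unknown",
    }


def is_pe(data):
    """True when data carries both signatures and a readable COFF header."""
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_pe_header(build_sample_image()))
```

The bounds check on e_lfanew matters in practice: a sample can carry a valid “MZ” while pointing e_lfanew past the end of the file, and a parser that follows the offset blindly will raise an unexpected exception or read garbage instead of reporting a malformed header.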
After this, right-click and search for “All referenced strings”; there you can find many signatures and information such as the ASCII string “%s -m security”, the UNICODE string “kernel32.dll” and certain file operations.
Our main objective is to look for the kill switch URL: generally the executable makes this call first and, if there is no response from the URL, the malware continues to execute.
Search for “All intermodular calls” to find information related to the commands, destination, destination name and comments. The file operations will be executed from here: creating new processes, deleting existing ones, delaying execution, et cetera.
All the changes made will be stored in the registry, which can be altered once the malware infects the system; the attacker can modify the time a thread should sleep, which gives the malware enough time to encrypt the files with its encryption algorithm. Other procedure calls and registry edits can be further explored in the intermodular calls search in OllyDbg.
OllyDbg can also run the malware, and the breakpoints previously found in the intermodular calls can then be checked step by step. Once the application is running it will stop at the various breakpoints, such as when it wants to make a connection to the kill switch URL or create a new process which will have a certain impact at the kernel. Hiding of files can be observed while the application is in the running state, and a report can be created.
The bottom right corner has information related to the breakpoints which can be noted for creating a report. While the application is running, the “Process Hacker” tool can tell us whether a new process has been started.
Below Ollydbg.exe, new processes named winry.exe and tasksche.exe have been created. Terminate the process tree to stop them from executing.
Mostly the malware will target the following file extensions [2]:
• Office file extensions such as (.ppt, .doc, .docx, .xlsx, .sxi).
• Country-specific and less common office formats such as (.sxw, .odt, .hwp).
• Archives and media files such as (.zip, .rar, .tar, .bz2, .mp4, .mkv).
• Emails and email databases such as (.eml, .msg, .ost, .pst, .edb).
• Database files such as (.sql, .accdb, .mdb, .dbf, .odb, .myd).
• Developers’ source code and project files such as (.php, .java, .cpp, .pas, .asm).
• Encryption keys and certificates such as (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
• Graphic designers’, artists’ and photographers’ files such as (.vsd, .odg, .raw, .nef, .svg, .psd).
• Virtual machine files such as (.vmx, .vmdk, .vdi).
Products affected: the following products are known to be impacted if they are not patched [1, 3]:
• Microsoft Windows Vista SP2
• Microsoft Windows Server 2008 SP2 and R2 SP1
• Microsoft Windows 7
• Microsoft Windows 8.1
• Microsoft Windows RT 8.1
• Microsoft Windows Server 2012 and R2
It has recently been confirmed [5] that the malware also targets earlier, no longer supported versions of the Microsoft operating systems such as:
• Windows XP
• Windows 8
• Windows Server 2003
At the same time, Microsoft has confirmed [5] that Windows 10 is not at risk at the moment. It is also very important to realize that unpatched future Windows 10 versions could possibly be affected by this ransomware. Using the above dynamic analysis and information, one can create a report and take the necessary actions, such as blocking access to the kill switch addresses and patching the Windows operating systems immediately.
6. MALWARE DEFENSE AND COUNTER MEASURES
With the knowledge gained from the malware analysis, it is time to build defences against the malware using multiple layers of defence, following a defence-in-depth philosophy while preparing them.
• Web filtering, Intrusion prevention and detection (IPS/IDS).
• Host based intrusion prevention systems (HIPS).
• Avoid opening email attachments received by an unknown/unauthorized sender.
• Block all the unnecessary ports at the host and firewall.
• Run host based antivirus, firewalls, intrusion detection system.
• Avoid accepting programs received over the network through instant messaging.
• Monitoring the internal network traffic flow for odd ports or encrypted traffic.
• Avoid downloading and executing applications from untrusted websites.
• Install patches and security updates for operating system and applications.
• Scan CD/ DVD with antivirus before using it.
• Avoid typing commands blindly and running pre-fabricated programs or scripts, so that the system is not affected by external viruses or malware.
• Regularly check checksums, audit, and port scan the local workstations.
• Keep an anti-malware application so that it notifies if any malware tries to affect the
system.
By setting up IPS/IDS and a firewall and installing regular security updates, we can protect ourselves from such malware attacks, and using this behaviour analysis data we can predict future attacks and block such malicious files and outgoing connections.
7. CONCLUSION AND FUTURE SCOPE
Dynamic analysis of malware can predict the behaviour of the malware so that we can plan a strategy to take it down as soon as possible. Various organizations can benefit from dynamic analysis in malware forensics, because at some point a network administrator has to encounter the type of malware affecting the network and take the necessary steps to counter it. The future scope of dynamic malware analysis can be extended to static malware analysis, where we try to completely unpack and learn the working principle of the malware; a further approach is to reverse engineer it. Reverse engineering is an advanced procedure in the family of malware countermeasures which dynamic analysis and static analysis support. From this paper the reader gets a proper understanding of the dynamic analysis approach. Many universities do not have the study of malware in their academic curriculum, and if a student or faculty member wants to learn or to get into the field of malware analysis, they can benefit from this paper.
REFERENCES
[1] https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4464-ataque-masivo-de-ransomware-que-afecta-a-un-elevado-numero-de-organizaciones-espanolas.html
[2] https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
[3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[4] https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-info-and-technical-nose-dive/
[5] https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
[6] Narasimha Shashidhar and Peter Cooper, Teaching malware analysis: The design philosophy of a model curriculum, 2016 4th International Symposium on Digital Forensic and Security (ISDFS), 2016, pp. 119–125.
[7] Michael Sikorski and Andrew Honig, Practical Malware Analysis.
[8] Peter Szor, Virus Research and Defense.
[9] Digit Octavianto and Iqbal Muhardianto, Cuckoo Malware Analysis.
[10] Michael Ligh, Steven Adair and Blake Hartstein, Malware Analysis Cookbook.
[11] Michael Sikorski and Andrew Honig, Practical Malware Analysis.
[12] http://www.opensecuritytraining.info/DynamicAnalysis.html
[13] http://www.github.com/rshipp/awesome-malware-analysis
[14] Pratik Karnik, Malwares, Vulnerabilities and Its Analysis and Mitigation, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 6, November–December (2013), pp. 110–120.
[15] Anju S, Sheema M, Prof. P. Jayakumar and Dr. S. Sasidhar Babu, Exposing Transient Secrets and Detecting Malware Variants using Control and Data Flow Analysis, International Journal of Computer Engineering & Technology (IJCET), Volume 5, Issue 12, December (2014), pp. 31–36.
[16] A. Edwin Robert and Dr. M. Hemalatha, Behavioral and Performance Analysis Model for Malware Detection Techniques, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, January–February (2013), pp. 141–151.