Thursday, August 20, 2009

Introduction to Malware Dissection

This October 29-30th the annual Ohio Information Security Summit will be held. I highly recommend attending it if you can. The conference features two days of great talks, keynotes, labs and networking. It has been going on for a few years now and never disappoints anyone who attends, especially for the price ($275 until Oct 1, $350 after). In addition to the normal talks, the summit is offering a number of pre-conference training courses.

I will be teaching a two-day introduction to malware analysis class as one of the pre-conference training courses. The course is geared to those who want to learn malware analysis or are just starting out. We'll cover all of the basics of malware analysis, including setting up your analysis lab, static analysis and dynamic analysis. In the end, you'll walk out of the class knowing how to take a malware sample and determine what it does, who it contacts and what risk it poses.

In the courses I have taken, I've found that I learn a lot more by actually doing things rather than watching a PowerPoint presentation for 8 hours. Because of this, the class will be structured around a number of labs which have you do the analysis using various tools on actual malware. I've collected a number of cool malware samples which will be analyzed in the course in various ways and I'm really excited about it. At the end of the class there will also be an analysis contest where prizes will be given out.

Since we will be handling live malware there are some laptop requirements listed in the course description.

If anyone has any questions on the course or the laptop requirements, please contact me. I look forward to seeing you there!

Sunday, August 16, 2009

It's Not Always A Security Issue

I've been spending this weekend fixing my in-laws' computer. Like most of you, I'm the family "tech support" for anything that goes wrong with a computer. This past week I received a call from my mother-in-law that she was getting pop-ups on her computer stating that it was infected and that the program would remove it if she paid for the full version. Classic sign of fake anti-virus.

After some quick research, we were able to determine that it was Advanced Virus Remover. It appeared to be pretty simple to get off (delete some files, clear out some of the registry, etc) but since I was not there I decided the best way was to have her reboot into safe mode and perform a system restore. (Unlike some of my relatives, my m-i-l can actually do things like that without me hand-holding.) Of course, when she tried to go into safe mode, it blue screened.

The next day I went over to see if I could figure out what was going on. I was able to remove the malware (and two others) fairly quickly, but we were still getting errors. In a short time I realized that part of the hard drive had gotten corrupted and was causing the BSODs - not the original malware.

This made me remember another story from a job in a previous life. I had been called down to another department by a friend. The entire department was having some odd problems. Whenever they tried to print, their machines would BSOD. Since I was the resident "malware guy", they decided to call me in to see if I could find anything. When I got there, some Windows admins were also there looking at some of the systems. My friend took me to the system with the original problem and I started to examine it.

After a few minutes I couldn't find anything indicative of malware on the system. I even booted with a Helix CD just in case there was a rootkit on the system. Nothing. After a few minutes the Windows admins came over and asked me what I thought. I replied I didn't see anything, but there were reports of a 0-day attack against the Windows printer system that day which were indicative of what we were seeing. However, I stressed, I didn't know and didn't think this was related.

Of course, within minutes the Windows admins had me on a call where they were explaining how I thought we had been hacked using a Windows 0-day attack against the printers. It took at least 45 minutes for me to sort through everything that was being said and to finally point out that I had not found any proof of any attack and that I didn't think this was the problem. When the Windows admins finally went back to troubleshooting the problem, they found that a corrupt Windows printer driver had gotten pushed to these systems and that's what was causing the issue.

I learned two things that day:

1. Never say that you think something has been compromised (or even could be compromised) until you have some type of proof. People love to over-react in a situation like that and that just provides fuel for the fire.

2. Not everything is a security incident. Just like my in-laws' computer, the presence of malware may not be the reason for the overall problem. A corrupt hard drive could just be a corrupt hard drive. If you start reading compromises into everything you see, you may miss what is actually there.

Friday, August 7, 2009

Automating Malware Analysis Part 2

I've heard rumors that the latest issue of Hakin9 is on stands now. This issue contains the second part of my article on automating malware analysis and adds memory analysis and sandnet capabilities to the analysis script.

In the script, memory analysis is performed by suspending the virtual machine (as opposed to shutting it down as the first script did). When a VMware VM is suspended, the memory for the machine is dumped into a file which can then be analyzed. This file is analyzed using the Volatility Framework.

Volatility is an amazing tool which can extract information from Windows XP SP2 & SP3 memory images. The analysis script in the article uses Volatility to extract the process list, network connections, list of loaded DLLs and list of loaded modules from the VM memory. However, Volatility can do so much more that I highly recommend extending what is in the article.
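As an added illustration of the suspend-then-analyze step described above (this is not the article's script or the Hakin9 listing): a small Python driver that suspends the VM with VMware's vmrun and then runs the four Volatility plugins named above against the .vmem VMware writes beside the .vmx. The vmrun and Volatility 1.x command shapes, the plugin names and the .vmem naming are assumptions; the command plan is returned before anything runs so it can be inspected without VMware installed.

```python
"""Suspend a VMware analysis VM and run Volatility plugins over its memory."""
import os
import subprocess
import sys

# Plugins matching what the article's script extracts (assumed Volatility 1.x
# CLI shape: "volatility <plugin> -f <image>").
PLUGINS = ("pslist", "connections", "dlllist", "modules")


def vmem_for(vmx_path):
    """Assumption: a suspended VM's memory lands in <basename>.vmem next to
    the .vmx file (e.g. WinXP.vmx -> WinXP.vmem)."""
    base, _ = os.path.splitext(vmx_path)
    return base + ".vmem"


def analysis_commands(vmx_path, outdir, vmrun="vmrun", volatility="volatility"):
    """Return (command, output_file) pairs: one suspend step, then one
    Volatility run per plugin. Building the plan separately lets you review
    exactly what will be executed against the image."""
    image = vmem_for(vmx_path)
    plan = [([vmrun, "suspend", vmx_path], None)]
    for plugin in PLUGINS:
        plan.append(([volatility, plugin, "-f", image],
                     os.path.join(outdir, plugin + ".txt")))
    return plan


def run_analysis(vmx_path, outdir, **tools):
    """Execute the plan, saving each plugin's stdout under outdir."""
    os.makedirs(outdir, exist_ok=True)
    saved = {}
    for cmd, outfile in analysis_commands(vmx_path, outdir, **tools):
        if outfile and not os.path.exists(vmem_for(vmx_path)):
            # No .vmem after the suspend means the VM config is not writing
            # memory to disk; fail early rather than feed Volatility nothing.
            raise FileNotFoundError(vmem_for(vmx_path))
        proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
        if outfile:
            with open(outfile, "w") as fh:
                fh.write(proc.stdout)
            saved[os.path.basename(outfile)[:-4]] = outfile
    return saved


if __name__ == "__main__":
    # Usage: python memdump.py /path/to/vm.vmx /path/to/output_dir
    print(run_analysis(sys.argv[1], sys.argv[2]))
```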

In addition to memory analysis, the article adds sandnet capabilities to the script. In the original script, the VM was set up in host-only networking mode, which prevented the malware from communicating with anything over the network. This really limited what the analyst could see. For example, if the malware wanted to download additional files from a web server, the analyst would never see it.

To allow network connectivity, and still keep the network the analyst was on safe from infection, the script uses a tool set called InetSim to create a fake Internet for the malware to interact with. InetSim loads a number of local servers (DNS, HTTP, etc) and logs any data sent to it. Now, when malware attempts to connect to a web server it will be able to, and the analyst will see what it attempted to download. I blogged about InetSim and how to install InetSim back in February.

I hope everyone enjoys the article. Please send me any feedback on the article or enhancements to the script. It does not appear that Hakin9 has posted the code listing for it yet, but as soon as they do I'll link to it from here. Of course, feel free to contact me to get the code if you want.

Tuesday, August 4, 2009

Black Hat Recap

Wow...it's been a few months since I last posted. Sorry about that! Things have been nuts IRL, which has kept me away from posting, but if you actually read my blog you'll be happy to know I have some things lined up.

Last week I had the opportunity to attend Black Hat USA in Las Vegas. While I won't go over every single talk I attended, the highlights are below.

Advanced Malware Deobfuscation - This was actually a training course written by Scott Lambert and Jason Geffner. The course is essentially about the different techniques used to unpack malware, an area I needed some training on. If you know how to RE and are comfortable in a debugger, I highly recommend this course.

Win at Reversing - This talk was given by Nick Harbour from Mandiant on a new tool called API Thief. When performing behavioral analysis of a malware sample, the analyst typically wants to see what calls the malware is making and uses a program like Process Monitor to do so. The problem with this is that only system calls are captured, so some potentially important API calls are missed. Nick's tool uses inline hooking to record API calls instead of system calls. This allows the analyst to get more information and potentially do some tricks to unpack the software. I'm going to be checking out the tool more to see how I can utilize it. Currently it can be downloaded at

Reverse Engineering by Crayon - The next talk was on performing hypervisor-based malware analysis and visualization. Essentially, the presenters used software called Ether, which integrates with a Xen VM in order to perform malware analysis. To be honest, I had not looked into using Xen for sandnets, but after this presentation I think it has a lot of promise and will be doing some more research into it. All of the slides and notes are posted on

Fast & Furious Reverse Engineering with TitanEngine - This was the last talk of the con I attended and it really didn't get the attention it deserved. TitanEngine is an open-source SDK and framework the authors are releasing which is used to perform and automate a large number of tasks needed when unpacking malware. The framework is very impressive in what it can do and how mature it is for something that is just being released. The presenters gave a number of live demos of programs written with the framework being used to unpack programs. The last demo they gave was done using TheMida, a packer which is notoriously difficult to unpack. They packed a sample program during the presentation turning on all capabilities of the packer and then unpacked it in a few seconds with a program they made with TitanEngine. This is definitely a program I will be looking into.

I had a great time at Black Hat and met a lot of people. Unfortunately, I wasn't able to stay for Defcon, but maybe another year.