Tuesday, October 23, 2012

Malware Analysis Tutorial 34: Evaluation of Automated Malware Analysis Tools CWSandBox, PeID, and Other Unpacking Tools

Learning Goals:
  1. Understand Design Principles of Automated Malware Analysis Systems
  2. Hands-on Experiences with CWSandBox and Packer Identification Tools
Applicable to:
  1. Operating System Security
1. CWSandBox

We first examine the performance of another automated malware analysis tool, CWSandBox (now named GFI Sandbox). The tool is available at http://www.gfi.com/malware-analysis-tool. CWSandBox uses a dynamic API hooking technique (DLL injection) to monitor system calls, which is similar to the approach taken by the Anubis system. In this article, we intended to examine the report generated by CWSandBox. We took the same approach as in the previous tutorial and submitted a modified version of Max++. Unfortunately, the server was not able to generate a report for us within 24 hours.

2. VirusTotal
We then submitted the modified version of Max++ to VirusTotal (http://www.virustotal.com). This is an aggregation site that runs the submitted file through multiple antivirus/malware detection engines. We explicitly requested a fresh, start-from-scratch analysis of the modified version. Figure 1 shows the result from VirusTotal (many virus detection tools are listed).

Figure 1. Results by Virus Total on Modified Max++
As shown in Figure 1, most signature-based tools (including ClamAV) were not able to discover that the modified version of Max++ is a virus (note that the modified version is functionally equivalent to the original Max++; we only inserted two NOP instructions after the INT 2D trick). Among all the virus tools, DrWeb identified it as belonging to the virus family MaxPlus.6, and most others identified it as either Smiscer or Sirefef.

Interestingly, if we submit the original version of Max++ to VirusTotal, we get the results shown in Figure 1.5. This time ClamAV is able to identify it as "Trojan.Dropper".

Figure 1.5. Results by Virus Total on Original Version of Max++

3. Packer Identification Tools
As introduced in Malware Analysis Tutorial 6 - Self-Decoding and Self-Extracting Code Segment, Max++ has self-unpacking behaviors. It is interesting to see whether Max++ has used any existing packer such as UPX. We used three packer identification tools, PeID, RDGPacker Detector, and ExeInfoPE, to examine the modified version of Max++. All of these tools are freely available on the Internet.

PeID and RDGPacker Detector did not find any known packer used to pack the Max++ code. Figure 2 and Figure 3 show the results of running these tools.

Figure 2. Results by PeID

Figure 3. Result by RDGPacker Detector

Only ExeInfoPE reports that Max++ has 3 sections packed using an algorithm similar to UPX (however, it does not definitively identify it as UPX). Figure 4 shows the report by ExeInfoPE.

Figure 4. Report by ExeInfoPE

The conclusion is that Max++ did not use any existing packer to pack its code directly. Its multi-layer packing scheme is a custom algorithm (although it is not too complex).
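To make concrete what a packer identifier like PeID or ExeInfoPE is actually checking, here is a small section-table triage script written for this tutorial (it is not the code of any of the tools above). It parses the PE header and section table, scores each section's raw data by Shannon entropy, and reports a UPX name-signature match, a UPX-shaped layout under other section names (the "3 sections like UPX" case), or no known packer. The 7.0 entropy threshold, the section names, and the two PE-shaped byte strings are constructed assumptions for the demonstration.

```python
import math
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted data, low for plain code or text."""
    n = len(data) or 1  # an empty section scores 0.0
    return 0.0 - sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' + COFF header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _machine, nsec, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    out = []
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                    "rawsize": rawsize, "entropy": round(shannon_entropy(raw), 2)})
    return out

def classify(sections: list) -> str:
    """Name signature -> 'UPX'; UPX-shaped layout under other names -> 'UPX-like'; else unknown."""
    if [s["name"] for s in sections[:2]] == ["UPX0", "UPX1"]:
        return "UPX"
    if (len(sections) == 3 and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0
            and sections[1]["entropy"] > 7.0):  # empty first section, packed second, e.g. .rsrc third
        return "UPX-like (3 sections, other section structure)"
    return "unknown packer / custom"

def build_pe(specs: list) -> bytes:
    """Constructed test data only: minimal PE-shaped blob (headers, section table, raw data)."""
    e_lfanew, n = 0x40, len(specs)
    ptr = e_lfanew + 24 + 40 * n  # raw section data starts right after the section table
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)  # no optional header
    table, blobs = b"", b""
    for name, vsize, data in specs:
        table += SECTION_HDR.pack(name, vsize, 0x1000, len(data), ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        blobs, ptr = blobs + data, ptr + len(data)
    return dos + coff + table + blobs

PACKED = bytes(range(256)) * 8             # constructed: every byte value equally often, entropy 8.0
PLAIN = b"mov eax, ebx ; ret ; nop " * 64  # constructed: repetitive low-entropy "code"
UPX_LIKE = build_pe([(b".text", 0x8000, b""), (b".data", 0x2000, PACKED), (b".rsrc", 0x400, PLAIN)])
NO_PACKER = build_pe([(b".text", 0x2000, PLAIN), (b".data", 0x400, PLAIN)])
```

Running `classify(parse_sections(UPX_LIKE))` yields the "UPX-like" verdict even though no section is named UPX0/UPX1, which is exactly why a tool can say "3 sections like UPX" while still not calling the file UPX-packed.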


  1. Thanks for sharing this. I've been looking into security in Calgary. I will have to try this out. Thanks for the help.

  2. Thanks for your grateful information, I am working in an Asian affairs news magazine. Try to post the best information like this always
    Global security: Avoiding the wars that never end

  3. Security is one of the best things which always gives you a sense of ultra security and protection against internal as well as external factors
    home security service
    home security solution

  4. Nice course and great information.

  5. I heard security gates toronto is amazing to work with. Thanks for sharing your blog.

  6. Hi, I have just visited your site and the info you have covered has been of great interest to me. Some of the suggestions you have given have enabled me to apply my own thought
    process to afford a greater understanding of the issue. Some info that is provided on the Web is not very useful but yours has been worthwhile. Some of the points you have
    raised will assist me greatly. Incidentally, I like the way you have structured your site, it is super and very easy to follow. I have bookmarked you and will be back regularly. Thank you

    Neurosurgery Instruments

  7. These blogs are quite incredible and have provided the best knowledge.
    lifeshield security review

  8. Cool blog, I especially enjoyed the kernel mode debugging tutorials. Some tools are missing though in your evaluation (e.g. Malwr). We are working on a malware analysis system right now that implements hybrid analysis technologies (combination of static and dynamic analysis). If you want to read more about the topic or maybe write a blogpost about it, please visit our Payload Security Blog or our company site. Please get in touch if you want to try out the tools we are working on.

  9. Nice series of articles. Would be nice to know more about who you are, etc.

  10. Sir, I am doing an M.Tech project on dynamic analysis of trojans. I want to use the Pin (Intel) instrumentation tool; please suggest any better tool or the pros and cons of using this.

  11. Explain how to read the diagnostic info from Exeinfo PE:

    - unknown Packer-Protector = no signature in the Exeinfo PE base, but looks like a protected or packed program
    - 3 sections like UPX = this is info only; 3 sections like in the UPX packer
    - S-Structure other = not UPX, another section structure; this is not UPX!


  12. If you are leasing a commercial property and the lease allows for "24 hour onsite security", how many people are you allowed to keep onsite for that purpose?
    trucking company business plan

  13. My grandparents house was robbed this weekend. We are now looking for a security camera system for added security. What's a good product we can get that's not too expensive but will offer 24 hour surveillance? They currently have ADT alarms but they want to set up a camera on their own. What's the best method as far as price and efficiency? Buying and setting up our own systems or using a security company's camera?

  14. I have just visited your website and found it very useful and informative. Your information is very useful for the readers. Thanks for sharing and please keep sharing.

    Home Automation Vancouver | vancouver security | Best Security Vancouver

  15. I think that I can consider this article as a reference for me because it contains much important information at once and saves a lot of time, instead of reading more articles.

    Android Training in Chennai

  16. I really like the fresh perspective you took on the issue. I will be back soon to check up on new posts! Thank you!
    internal vulnerability assessment