Tuesday, October 23, 2012

Malware Analysis Tutorial 34: Evaluation of Automated Malware Analysis Tools CWSandBox, PeID, and Other Unpacking Tools

Learning Goals:
  1. Understand Design Principles of Automated Malware Analysis Systems
  2. Hands-on Experiences with CWSandBox and Packer Identification Tools
Applicable to:
  1. Operating System Security
1. CWSandBox

We first examine another automated malware analysis tool, CWSandBox (now named GFI Sandbox). The tool is available at http://www.gfi.com/malware-analysis-tool. CWSandBox monitors Windows API calls from user mode: it injects a DLL into the process under analysis and hooks the API functions in place, so every call the sample makes passes through the sandbox's logging code. Anubis collects a comparable API trace, but it observes the guest from outside, in a modified Qemu emulator, rather than with in-process hooks. In-process hooks are cheap and precise, but a sample that issues system calls directly instead of going through the hooked DLLs, or that drops a kernel-mode driver as Max++ does, can act beneath them unnoticed. In this article we examine the report generated by CWSandBox. We take the same approach as the previous tutorial and submit a modified version of Max++. Unfortunately, the server did not return a report within 24 hours, so we could not evaluate its output here.

2. VirusTotal
We then submitted the modified version of Max++ to VirusTotal (http://www.virustotal.com). VirusTotal is an aggregation service that scans a submitted file with many antivirus and malware detection engines and reports each engine's verdict. Because VirusTotal normally returns the cached result for a file hash it has already seen, we explicitly requested a fresh, start-from-scratch analysis of the modified version. Figure 1 shows the result from VirusTotal (many virus detection tools listed).

Figure 1. Results by Virus Total on Modified Max++
As shown in Figure 1, most signature-based engines (including ClamAV) did not flag the modified version of Max++ at all, even though the modified version is functionally equivalent to the original: we only inserted two NOP instructions after the INT 2D trick. A two-byte change is enough to alter the file hash and to break any signature written against the exact byte sequence at that point, which is why such a small edit costs so many detections. Among the engines that did detect it, DrWeb placed it in the MaxPlus.6 family, and most of the others labeled it Smiscer or Sirefef.

Interestingly, if we submit the original version of Max++ to VirusTotal, we get the results shown in Figure 1.5. This time ClamAV is able to identify it as "Trojan.Dropper".

Figure 1.5. Results by Virus Total on Original Version of Max++
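To make the signature point concrete, here is an added example (not code from this tutorial or from any of the engines shown in Figure 1). It builds a constructed code fragment around an INT 2D instruction, applies the same two-NOP edit the text describes, and checks both versions against an exact-byte signature and against a signature with a ClamAV-style bounded gap ({0-4}) after the INT 2D. The fragment bytes, the two signature strings, and the subset of ClamAV hex syntax handled are assumptions for illustration.

```python
import hashlib
import re

# Constructed code fragment standing in for the bytes around the INT 2D
# anti-debugging trick. These are NOT the real Max++ bytes.
ORIGINAL = bytes.fromhex(
    "558bec"    # push ebp; mov ebp, esp
    "cd2d"      # int 2Dh   (the trick the tutorial refers to)
    "c3"        # retn
    "33c040"    # xor eax, eax; inc eax
    "5dc3"      # pop ebp; retn
)

# Hypothetical signatures: one written against the exact bytes spanning the
# INT 2D, one that tolerates up to four bytes of padding after it.
EXACT_SIG = "cd2dc333c040"
GAP_SIG = "cd2d{0-4}c333c040"


def clamav_hex_to_regex(hexsig: str) -> "re.Pattern":
    """Translate the subset of ClamAV body-signature syntax used here into a
    bytes regex: hex pairs, '??' (any one byte), '*' (any run of bytes) and
    '{n-m}' / '{n}' / '{-n}' / '{n-}' (bounded gaps)."""
    out = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            out.append(".*")
            i += 1
        elif hexsig[i] == "{":
            j = hexsig.index("}", i)
            body = hexsig[i + 1:j]
            if "-" in body:
                lo, hi = body.split("-", 1)
                out.append(".{%s,%s}" % (lo or "0", hi))
            else:
                out.append(".{%s}" % body)
            i = j + 1
        elif hexsig[i:i + 2] == "??":
            out.append(".")
            i += 2
        else:
            out.append(r"\x%02x" % int(hexsig[i:i + 2], 16))
            i += 2
    return re.compile("".join(out).encode(), re.DOTALL)


def matches(sample: bytes, hexsig: str) -> bool:
    """True if the signature occurs anywhere in the sample."""
    return clamav_hex_to_regex(hexsig).search(sample) is not None


def insert_nops_after_int2d(sample: bytes, count: int = 2) -> bytes:
    """Reproduce the edit described in the text: pad NOPs right after INT 2Dh."""
    idx = sample.index(b"\xcd\x2d") + 2
    return sample[:idx] + b"\x90" * count + sample[idx:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare() -> dict:
    """Hash and signature outcome for the original and the NOP-padded fragment."""
    modified = insert_nops_after_int2d(ORIGINAL)
    return {
        "hash_changed": sha256_hex(ORIGINAL) != sha256_hex(modified),
        "exact_sig_original": matches(ORIGINAL, EXACT_SIG),
        "exact_sig_modified": matches(modified, EXACT_SIG),
        "gap_sig_original": matches(ORIGINAL, GAP_SIG),
        "gap_sig_modified": matches(modified, GAP_SIG),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%-20s %s" % (key, value))
```

The exact signature and the hash both stop matching after the two NOPs are inserted, while the gap signature still matches; an engine whose signature for Max++ was written without any tolerance around that point behaves like the first case, which is what Figure 1 shows for ClamAV.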


3. Packer Identification Tools
As introduced in Malware Analysis Tutorial 6 (Self-Decoding and Self-Extracting Code Segment), Max++ unpacks itself at run time. It is interesting to check whether it relies on an existing packer such as UPX. We used three packer identification tools, PeID, RDGPacker Detector, and ExeInfoPE, to examine the modified version of Max++. All of these tools are freely available on the Internet.

PeID and RDGPacker Detector did not find any known packer signature in the Max++ binary. Figure 2 and Figure 3 show the results from these two tools.

Figure 2. Results by PeID

Figure 3. Result by RDGPacker Detector


Only ExeInfoPE reports that three sections of Max++ are packed with an algorithm resembling UPX (it does not claim that the packer is UPX itself). Figure 4 shows the report by ExeInfoPE.
Figure 4. Report by ExeInfoPE


The conclusion is that Max++ does not use any existing packer to pack its code directly; its multi-layer packing is a custom scheme (although not a very complex one). This outcome is expected from how these tools work: they compare the bytes at the entry point, and sometimes section names, against a database of known packer stubs, so a custom or modified stub simply produces no match. For a sample with no match, generic indicators say more than the packer name: sections whose byte entropy is close to 8 bits per byte, a section with no raw data on disk but a large virtual size (the unpacking target), sections that are both writable and executable, and an import table that is nearly empty.
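As an added example of those generic indicators (not code from this tutorial or from any of the three tools), the following Python reads the section table of a PE image without a third-party library, computes each section's byte entropy, and reports the anomalies a packed sample typically shows. The image it scans by default is constructed in build_sample_pe() for illustration and is not Max++; the 7.0 bits-per-byte threshold and the section names are assumptions. Pass a real file path as the first argument to scan it instead.

```python
import math
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristics flags
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for
    compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table of an in-memory PE image and return one
    dict per section; only the fields the heuristics need are decoded."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def packing_indicators(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Generic signs of packing, independent of any packer signature.
    Returns (section name, reason) pairs; the threshold is an assumption."""
    findings = []
    for s in parse_sections(pe):
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            findings.append((s["name"], "high entropy %.2f bits/byte" % s["entropy"]))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "no raw data but virtual size 0x%x (unpacking target)" % s["virtual_size"]))
        if s["writable"] and s["executable"]:
            findings.append((s["name"], "writable and executable"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image for illustration (not Max++): a high-entropy
    W+X .text, a zero-filled .data, and a .stub that exists only in memory."""
    x, packed = 0x2545F491, bytearray()        # deterministic xorshift32 stream
    for _ in range(4096):
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        packed.append(x & 0xFF)
    zeros = bytes(1024)
    opt_size = 224                              # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * 3
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", len(packed), 0x1000, len(packed), hdr_len, 0x20 | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
        (b".data", len(zeros), 0x3000, len(zeros), hdr_len + len(packed), 0x40 | IMAGE_SCN_MEM_WRITE),
        (b".stub", 0x20000, 0x4000, 0, 0, 0x80 | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    ]
    img = bytearray(b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40))     # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    img += struct.pack("<H", 0x10B) + bytes(opt_size - 2)                  # PE32 magic, rest zeroed
    for name, vsize, vaddr, rsize, rptr, chars in secs:
        img += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
    img += packed + zeros
    return bytes(img)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for s in parse_sections(image):
        print("%-8s raw=%-6d virt=%-7d entropy=%.2f" % (s["name"], s["raw_size"], s["virtual_size"], s["entropy"]))
    for name, reason in packing_indicators(image):
        print("  [%s] %s" % (name, reason))
```

On the constructed image the high-entropy, writable-and-executable .text and the memory-only .stub are reported while the zero-filled .data is not; a signature-based identifier would say nothing about any of them unless the entry-point bytes matched a stub it already knows.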


8 comments:

  1. Thanks for sharing this. I've been looking into security in Calgary. I will have to try this out. Thanks for the help.

  2. Thanks for your helpful information; I am working at an Asian affairs news magazine. Try to post the best information like this always.
    Global security: Avoiding the wars that never end

  3. Security is one of the best things, which always gives you a sense of ultra security and protection against internal as well as external factors.
    home security service
    home security solution

  4. Nice course and great information.

  5. I heard security gates toronto is amazing to work with. Thanks for sharing your blog.

  6. Hi, I have just visited your site and the info you have covered has been of great interest to me. Some of the suggestions you have given have enabled me to apply my own thought
    process to afford a greater understanding of the issue. Some info that is provided on the Web is not very useful but yours has been worthwhile. Some of the points you have
    raised will assist me greatly. Incidentally, I like the way you have structured your site, it is super and very easy to follow. I have bookmarked you and will be back regularly. Thank you

    Neurosurgery Instruments

  7. These blogs are quite incredible that have provided the best knowledge.
    lifeshield security review

  8. Cool blog, I especially enjoyed the kernel mode debugging tutorials. Some tools are missing though in your evaluation (e.g. Malwr). We are working on a malware analysis system right now that implements hybrid analysis technologies (combination of static and dynamic analysis). If you want to read more about the topic or maybe write a blogpost about it, please visit our Payload Security Blog or our company site. Please get in touch if you want to try out the tools we are working on.
