Education / Reverse Engineering | malware, malware analysis, Reverse Engineering | October 3, 2016
This blog and its series will provide the fundamentals of reverse engineering (RE) Windows malware through hands-on experience with RE tools and techniques. You will be introduced to RE terms and processes, followed by creating a basic x86 assembly program and reviewing RE tools and malware techniques.
Malware is any piece of software intended to cause harm to your system or network. It differs from normal programs in that most malware can spread itself across the network, remain undetected, change or damage the infected system or network, and persist on it. Malware can bring a machine’s performance to its knees and can take down a whole network. Consider a computer that becomes infected and is no longer usable, so that the data on it becomes unavailable: these are some of the malware damage scenarios. Malware attacks can be traced back to before the internet became widespread. Below are some of the malware attacks in history:
- Melissa: Melissa was created and released by David L. Smith in the year 1999. It was a macro virus embedded inside a Word file. The file was claimed to contain passwords for various websites, which made people curious enough to open it and execute the macro. Once executed, the macro resent the virus to the first 50 people in the user’s address book. The virus was later traced back to its creator, and Smith was sentenced to 10 years of prison time.
- My Doom: MyDoom was a worm and not a virus, hence it required no human intervention to spread across the network. It was one of the fastest-spreading email worms of 2004. It was distributed by spammers and carried a text message. The malware was initially thought to be a variant of the Mimail worm, but that theory was rejected. It was named MyDoom on the basis of the word “doom” appearing in one of the lines of its code. It affected companies like Google and Microsoft, causing damage in the billions.
- Stuxnet (2010): Stuxnet can be considered one of the most advanced pieces of malware; it caused hardware-level destruction at a nuclear plant in Iran. Stuxnet entered the system via a USB stick and infected all the Windows machines; the code used a counterfeit digital certificate, which helped it avoid detection. Stuxnet traversed the network looking for the control systems that drove the nuclear centrifuges. It exploited a zero-day vulnerability to take control of the centrifuges, causing them to rotate at uncontrollable speeds and thus destroying them.
- WannaCry (2017): One of the biggest ransomware attacks to date, which infected systems in more than 100 countries. WannaCry exploited an SMB vulnerability that Microsoft had already identified and patched in March 2017. Most of the affected systems had not yet applied that patch and hence got infected. What set it apart from other malware is that it spreads across the network without any user intervention and encrypts the whole system, making it unusable unless the ransom is paid. It targeted the healthcare industry and spread to other industries as well. A kill switch was discovered by Marcus Hutchins, but the malware was updated and released again, bypassing that switch. This was a wake-up call for why IT security is important and why we need an effective patch management system.
Types of Malware
- Virus: Malware which requires human intervention to run and propagate.
  - File viruses: Infected executable files which infect other files when opened.
  - Macro viruses: Excel files which carry malware written in VBS; once the file is opened, a macro is executed and infects other files.
  - Master boot record viruses: Change or delete the boot records. This might render the system useless.
  - Polymorphic viruses: Change their form frequently to avoid detection.
  - Stealth viruses: Hide inside other legitimate files or services.
- Trojan: Malware hiding in other legitimate files. Legitimate files and software are bundled with malware so that when the software is installed, the malware is installed and executed as well.
  - Remote Access Trojans: Allow the attacker to take remote control of your system without your knowledge through covert channels.
  - Data Sending Trojans: Steal data saved on your system and transmit it to the attacker.
  - Destructive Trojans: Destroy other files and services.
  - Security software disabler Trojans: Disable the system firewall and antivirus so that other malicious files can be downloaded and run without being detected.
- Worm: Similar to a virus but does not require any human intervention to run and propagate across the network.
- Spam: Malware packed into emails and attachments. A user is tricked into clicking on these emails so that a virus gets installed on their system.
- Ransomware: Encrypts the system completely and demands a ransom from the user to decrypt the data. There is no guarantee that the system will be decrypted even after the ransom has been paid.
- Rootkits: Extremely hard to detect and practically impossible to remove without formatting the system.
- Adware: Generates unwanted advertisements on your system and web pages.
- Spyware: Sits on your system like a spy and monitors/records your activities.
- Keyloggers: Record all keystrokes from the keyboard; attackers use this to steal passwords.
Detection, Prevention and Removal
How do you detect whether your system or network is infected by malware of any kind? Check for yourself:
- Is the PC extremely slow and unresponsive?
- Do you find random folders or shortcuts inside folders?
- Are you unable to delete certain types of files?
- Are there issues shutting down because certain files or programs are running?
- Does the PC shut down or reboot on its own?
- Have the PC’s default settings changed, for example the default search engine changing without any notification?
- Are unnecessary services or programs running and consuming the CPU’s processing power?
- Are there similar malware alerts from the antivirus across the network?
- Are there unusual traffic patterns, or traffic to destinations you never intended to reach?
Now that you have detected that the PC or network might be infected, there are two steps to take:
- First, sanitise the PC and network of the malware infection. (Removal)
- Then, ensure that the system and network are safe from similar events in future. (Prevention)
For removal, you can follow some basic steps:
- Remove the system from the network, disconnect all internet and intranet connectivity.
- Do not connect an external drive, this might spread the malware to the drive which in turn will infect other systems.
- Scan the PC with an up-to-date antivirus program and perform a FULL SCAN.
- Reboot the system and apply all Windows patches and software patches.
- If removal does not work, format the PC and then follow the prevention steps.
Now that you have removed the malware traces, follow a few recommendations to prevent such incidents in future.
- Use a legitimate antivirus and schedule it to perform regular full scans.
- Update Windows regularly, without fail.
- Do not use any external drive without scanning it.
- Do not download software from illegitimate sources.
- Do not click on emails or attachments which appear to come from untrusted sources.
- Do not enable macros in Excel if they are not required.
- Keep a backup of critical information on an external drive, just in case the data becomes unrecoverable or corrupt. It’s better to be safe than sorry.
A few words on Malware Analysis
The art of capturing malware and analysing its behaviour for detection and prevention is called malware analysis. Antivirus companies perform malware analysis to update their signatures so that the malware can be detected and quarantined. This is why using and updating an antivirus is required. If you are into cybersecurity, malware analysis is one of the career streams you can choose to enter. CAUTION: Do not attempt the below if you are not a malware analyst or researcher, as the analysis below might damage your system.
Static Analysis: Reverse engineering the malicious code without executing it, to understand how the malware works and to prepare its remediation. This will not cause any damage to your system, but it is tough to learn and master for the reasons below:
- Malware is code, and not all security professionals are coders or understand this stuff.
- You need to know what you are looking for, and that comes with experience.
- Getting a sample of new malware is difficult; you need a honeypot to trap it.
Dynamic Analysis: Relatively easier but more dangerous than static analysis, and not very effective against advanced malware. This technique involves running the malware in an isolated environment in order to identify its behaviour. The behaviour can be grouped into various categories:
- Network behaviour
- File system behaviour
- Registry changes
- System changes
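The file-system category above is typically captured with a snapshot-and-diff harness. The following is an added example, not code from the original post: it hashes every file under a monitored directory before and after the sample runs and classifies what was created, modified or deleted. The sample itself is replaced by a constructed stand-in (`simulated_sample`) and a temporary directory stands in for the isolated VM; `diff_snapshots` works on any key-to-value dump, so the same routine could diff a registry export taken with a Windows-only helper that is not included here.

```python
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map every file under root (relative path) to the SHA-256 of its bytes."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Classify the change between two snapshots (any path/key -> value dict)."""
    created = sorted(k for k in after if k not in before)
    deleted = sorted(k for k in before if k not in after)
    modified = sorted(k for k in after if k in before and after[k] != before[k])
    return {"created": created, "modified": modified, "deleted": deleted}


def simulated_sample(root):
    """Constructed stand-in for the sample: drops a file, edits one, deletes one."""
    with open(os.path.join(root, "dropped.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 16)          # harmless bytes, not a real PE
    with open(os.path.join(root, "hosts"), "a") as fh:
        fh.write("127.0.0.1 update.example.invalid\n")
    os.remove(os.path.join(root, "backup.dat"))


def run_demo():
    """Seed a constructed tree, snapshot, run the stand-in, snapshot again, diff."""
    root = tempfile.mkdtemp(prefix="dynlab_")
    seed = {"hosts": b"127.0.0.1 localhost\n", "backup.dat": b"data", "readme.txt": b"hi"}
    for name, data in seed.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    before = snapshot_tree(root)     # baseline taken before the sample runs
    simulated_sample(root)           # in a real lab: execute the sample inside the VM
    after = snapshot_tree(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    print(run_demo())
```

In a real lab the baseline and post-run snapshots are taken from inside the isolated VM, and the diff is exported to the host rather than inspected on the infected guest.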
This technique is dangerous as:
- Malware may break out of the confined environment and affect the host system.
- This might cause permanent damage to the system in some cases.
This kind of analysis is also rendered ineffective in some cases. Let’s discuss a few reasons why:
- Some malware can detect whether it is being run in a lab or in an open environment. It detects the presence of analysis tools and may not run.
- Malware that is timed to run, e.g. on the 15th of every month, will not run outside that window.
- Some malware only runs under specific conditions, e.g. a piece of software might be malicious on a Chinese-language Windows but not on the English version. So dynamic analysis on a machine with the English language pack will not be useful.