
Malware Analysis

Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI

The Third Hacking and Digital Forensics Exposed


28 November 2015 | Hotel Indoluxe | Yogyakarta, Indonesia

About Me
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Researcher, Information Security Research Group, and Lecturer
Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim
I am currently doing my doctoral study in Universitas Indonesia
Research Interest
Malware
Intrusion Detection
Threats Intelligence

Vulnerability Analysis
Digital Forensics
Cloud Security

Community
Indonesia Honeynet Project - Chapter Lead
Academy CSIRT member
Asosiasi Digital Forensik Indonesia - member

Agenda

About Honeynet
What is Malware?
Why Malware Analysis?
Types of Malware Analysis
Static Analysis
Dynamic Analysis
Memory Analysis
Case Study
Future Challenges

About Honeynet
Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)
Mission: learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned
http://www.honeynet.org

About Honeynet
Share all of our tools, research and findings, at no cost to the public
Know Your Tools (KYT) and Know Your Enemy (KYE) white papers regularly published on current research topics
Members release regular activity status reports
Committed to open source and creative commons
Partially funded by sponsors, nothing to sell!

About Honeynet

Honeynet Project Workshop | 18-20 May 2015 | Stavanger, Norway

About Honeynet

CONPOT 0.5.0 Release | 13 November 2015

About Honeynet

55 Chapters and 37 Countries

About Indonesia Honeynet Project


15 passionate security professionals, academicians and government officials met and signed a petition on 25 November 2011
Indonesia Chapter officially recognized 9 January 2012
Current members: 130 (20 active members)

About Indonesia Honeynet Project


Yearly Seminar and Workshop since 2012
Focus on Security Awareness and Security Research
Honeynet communities: Jakarta, Semarang, Surabaya, Yogya, Denpasar, Palembang, Lampung
Research Topics: Incident handling, Vulnerability Analysis, Malware, Digital Forensics, Penetration Testing, Threats Intelligence

About Indonesia Honeynet Project

Honeynet Seminar & Workshop | 10-11 June 2015 | Lampung, Indonesia

Honeypots Research & Deployment

2009 - Learning Period
Honeypot: Nepenthes
Learning how to install and configure
# Honeypots deployed: None
Hardware: Client

2011 - Early Period
Honeypot: Nepenthes, Dionaea
Deployed 1st Honeypot in SGU
# Honeypots deployed: 1
Hardware: Simple Client and Server

2013 - Growing Period
Honeypot: Dionaea
Target: Academic, Government, ISP
# Honeypots deployed: 5
Hardware: Mini PC and Server

2015 - Expanding Period
Honeypot: Dionaea, Kippo, Glastopf, Honeytrap
Coverage: Java, Bali, Sumatera
# Honeypots deployed: 16
Hardware: Raspberry Pi and Dedicated servers
Our Contribution

Our Contribution

Attacker Statistics: Attacker IP, Malware, Targeted Ports, Provinces attacked


Other Research

Second Hand USB Forensics and Publications

Join Us
Indonesia Honeynet Project
idhoneynet
http://www.honeynet.or.id
http://groups.google.com/group/id-honeynet

What is Malware?
Malware (Malicious Software): all kinds of software that disrupt computer operations, gather sensitive information, or gain access to private computer systems

Type of Malware
Viruses
Worms
Trojans
Ransomware
Rootkits

What is Malware?

Reference: PandaLabs Q2 2015 Report

Why Malware Analysis?


To gain insight into the nature and purpose of malware
To identify host-based and network indicators (forensics: Indicators of Compromise, IOC)
To understand malware behaviors and their persistence mechanisms
To extract information used for learning and malware detection

Types of Malware Analysis


Static Analysis: a method of examining a computer program/code without executing the program
Dynamic Analysis: a method of examining a computer program/code while executing the program in a real or virtual processor
Memory Analysis: a method of examining a computer program/code after executing the program in a real or virtual processor

Static Analysis
To gain insight into the nature and purpose of malware
To identify host-based and network indicators (forensics: Indicators of Compromise, IOC)
To understand malware behaviors and their persistence mechanisms
To extract information used for learning and malware detection

Static Analysis
Input file type: EXE, DLL, documents, etc. (file binaries)
Tools: static analysis tools applied to the file without running it
Output (static features):
Metadata
Code
Data

Static Analysis Tools

PEiD (http://bob.droppages.com/projects/peid): packer and compiler detector
Pafish (https://github.com/a0rtega/pafish): checks for anti-sandbox and anti-VM techniques
Yara (https://plusvic.github.io/yara/): pattern matching for malware analysis
Ssdeep (https://pypi.python.org/pypi/ssdeep): fuzzy hashing
Strings utility (https://technet.microsoft.com/en-us/sysinternals/strings.aspx): strings extraction tool
OllyDbg (http://www.ollydbg.de/): code debugger
IDA Pro (https://www.hex-rays.com/products/ida/): disassembler, debugger

PE (Portable Executable) Header

PE (Portable Executable) Header

Source: https://code.google.com/p/corkami/wiki/PE101

PE (Portable Executable) Header

Static Analysis
Questions to answer:
Is the malware binary packed?
Can the malware binary be unpacked?
What are the important static features to be extracted?

If the malware cannot be unpacked (due to the complexity of the packing method), then we can only rely on Dynamic Analysis

Static Analysis (Packer Landscape)

https://code.google.com/p/corkami/downloads/detail?name=packers.pdf

Static Analysis
PE Header Section

Entropy > 6.67 indicates that the data section is packed/encrypted
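As an added example (not code from the slides or from any tool listed on them), the following Python walks the PE section table of a small image constructed inline and applies the entropy threshold above to each section. The image, its section names and the use of 6.67 as a strict greater-than cut-off are the example's own assumptions; a real sample would be read from disk with open(path, "rb").read() instead of build_sample_pe().

```python
# Added example, not from the slides: parse the section table of a PE image with
# the standard library only (no pefile) and flag sections whose Shannon entropy
# exceeds the 6.67 threshold quoted on the slide. The PE image used as input is
# constructed below and is not a real binary.
import math
import struct
from collections import Counter

PACKED_ENTROPY_THRESHOLD = 6.67  # threshold quoted on the slide

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, raw_offset, raw_size)] in table order."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff)
    table = coff + struct.calcsize(COFF_FMT) + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, image, table + i * struct.calcsize(SECTION_FMT))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[4], fields[3]))  # PointerToRawData, SizeOfRawData
    return sections


def section_entropy_report(image: bytes):
    """[(name, entropy rounded to 2 places, flagged)] for each section of the image."""
    report = []
    for name, offset, size in parse_sections(image):
        ent = shannon_entropy(image[offset:offset + size])
        report.append((name, round(ent, 2), ent > PACKED_ENTROPY_THRESHOLD))
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for the demo (headers plus filler, not runnable code):
    a low-entropy '.text' section and a '.packed' section of uniformly distributed bytes."""
    text = bytes(range(0x40, 0x50)) * 64   # 1024 bytes, 16 distinct values -> entropy 4.0
    packed = bytes(range(256)) * 4          # 1024 bytes, every byte value equally -> entropy 8.0
    opt_header = struct.pack("<H", 0x10B) + b"\0" * 222   # PE32 magic, remaining fields zeroed
    raw_base = 0x200                                      # first section data, 512-byte aligned
    layout = [(b".text", text, raw_base, 0x1000),
              (b".packed", packed, raw_base + len(text), 0x2000)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, len(layout), 0, 0, 0, len(opt_header), 0x102)
    headers = dos + b"PE\0\0" + coff + opt_header
    for name, data, ptr, rva in layout:
        headers += struct.pack(SECTION_FMT, name, len(data), rva, len(data), ptr,
                               0, 0, 0, 0, 0x60000020)
    image = headers + b"\0" * (raw_base - len(headers))
    for _, data, ptr, _ in layout:
        assert len(image) == ptr   # section data must land at the offset its header claims
        image += data
    return image


if __name__ == "__main__":
    for name, ent, flagged in section_entropy_report(build_sample_pe()):
        print(f"{name:<8} entropy={ent:.2f} {'PACKED?' if flagged else 'ok'}")
```

Entropy is a heuristic, not a verdict: compressed resources, embedded certificates and encrypted configuration blobs also score close to 8.0, so a flagged section is a reason to look at the entry point, the import table and the packer signature next, as the questions on the following slide suggest.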

Static Analysis Static Features

Strings (one of the most important)
Import DLL
Assembly Code
Byte Code

Strings Example - Brute Force Dictionary Password (Allaple Malware Samples)
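Added example, not from the slides or from the Sysinternals tool: a minimal strings extractor in Python that reports printable ASCII and UTF-16LE runs (the two encodings a Windows binary typically carries) and then applies a heuristic for the pattern shown in the Allaple samples, a cluster of short alphanumeric strings that reads like a password dictionary. The sample blob, the placeholder host c2.example.invalid and the word list are constructed for this example.

```python
# Added example, not from the slides: a small "strings"-style extractor that pulls
# printable ASCII and UTF-16LE runs out of a binary and then looks for clusters of
# short alphanumeric strings, the trace a built-in brute-force dictionary leaves
# behind. The input blob below is constructed, not taken from a real sample.
import re
from typing import List, Tuple

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) triples sorted by file offset."""
    found = []
    for m in ASCII_RUN.finditer(data):
        if len(m.group()) >= min_len:
            found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16LE_RUN.finditer(data):
        text = m.group().decode("utf-16-le")
        if len(text) >= min_len:
            found.append((m.start(), "utf-16le", text))
    return sorted(found)


def dictionary_runs(strings, min_run: int = 3, max_len: int = 12) -> List[List[str]]:
    """Group consecutive short alphanumeric strings; a run of min_run or more looks like
    an embedded word list rather than ordinary code strings (imports, format strings)."""
    runs, current = [], []
    for _, _, text in strings:
        if text.isalnum() and len(text) <= max_len:
            current.append(text)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = []
    if len(current) >= min_run:
        runs.append(current)
    return runs


# Constructed sample blob: header-like bytes, two import names, a UTF-16LE URL with a
# placeholder host, and a NUL-separated word list like the one seen in the Allaple samples.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00" + b"\x01\x02\x03"
    + b"GetProcAddress\x00" + b"\xff\xfe"
    + "http://c2.example.invalid/".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80\x81"
    + b"admin\x00password\x00123456\x00qwerty\x00letmein\x00"
    + b"\x90\x90\xcc"
)


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_BLOB)
    for offset, enc, text in strings:
        print(f"{offset:#06x} {enc:<8} {text}")
    print("dictionary-like runs:", dictionary_runs(strings))
```

The run heuristic is deliberately loose (three or more adjacent short alphanumeric strings); on a real binary it will also group version strings or registry value names, so treat its output as a place to start reading, and remember that a packed sample will show almost no strings at all until it is unpacked.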

Dynamic Analysis
To gain insight into malware behaviors (interactions of malware binaries with the operating system)
Important Features:
File System Activities
Process Activities
Network Activities
System Calls

Dynamic Analysis
Input file type: EXE, DLL, documents, etc. (file binaries)
Executed in a sandbox or virtual environment
Output (dynamic features):
File System Activities
Process Activities
Network Activities
System Calls

Dynamic Analysis Tools


Detours (http://research.microsoft.com/en-us/projects/detours/): binary instrumentation for Win32 functions
Sandboxes:
Cuckoo Sandbox (http://www.cuckoosandbox.org/)
Anubis (http://anubis.iseclab.org/)
ThreatTrack (http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx)
Comodo Automated Analysis (http://camas.comodo.com/)

Dynamic Analysis

File System Activities, Network Activities, Process Activities

Dynamic Analysis
Questions to answer:
Does the malware seem to execute properly?
Does the malware stop while being executed?
Is there any unique execution behavior? (File System, Process, Network, System Calls)

If the malware has anti-analysis features, anti-anti-analysis must be done first (Pafish is a good tool)
Sequences of instructions may also be good features

Memory Analysis
To gain insight into malware footprints in
memory
Important Features:
Running Processes
Shared Libraries
Network Connections
Hooking Detection
Rootkit Detection
Code Injection
Hidden artifacts

Memory Analysis Tools


Volatility (https://code.google.com/p/volatility/): framework for memory analysis
Dynamic Binary Instrumentation (DBI):
Pin Tools (https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)
Valgrind (http://valgrind.org/)

Memory Analysis

Start with what we know

Memory Analysis

Yara scan of the known process

Memory Analysis

Suspicious mutex is making connection

Memory Analysis

File handles that start with TDSS

Memory Analysis

File handles that start with TDSS, and detection of the hidden file

Case Study
Huge Traffic detected on MRTG (outbound)

Case Study
Isolate and reconstruct the incident
Sniff the traffic while the server is running
Lab setup: Switch, Desktop as Gateway, Virtual Server with VM1 running

Case Study
Huge volume of SYN packets sent to an IP address in China

We found that it was the user .Iptables that was sending the huge traffic
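Added example, not from the case study's own tooling: a Python check for the outbound pattern described on this slide, written from the defender's side. It assumes the sniffed packets have been reduced to (timestamp, src, dst, dport, flags) tuples, that the server LAN is 10.0.0.0/24 and that 100 SYNs per second from one host to one destination is the alert threshold; all three are assumptions of the example. The capture is constructed and uses TEST-NET addresses rather than the IP from the incident.

```python
# Added example, not from the slides: count outbound TCP SYNs per source host,
# destination and one-second window and report bursts above a threshold, the
# signature of the outbound SYN flood seen on the MRTG graph in the case study.
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed server LAN for the example
SYN_PER_SECOND_THRESHOLD = 100                        # assumed tuning value, not from the slides

# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags) with flags as "S", "SA", "A", ...
Packet = Tuple[float, str, str, int, str]


def is_outbound_syn(pkt: Packet) -> bool:
    """Outbound means the source is inside our network and the destination is not.
    A flood packet carries SYN without ACK; the handshake reply is "SA" and is skipped."""
    _, src, dst, _, flags = pkt
    return (
        "S" in flags and "A" not in flags
        and ipaddress.ip_address(src) in INTERNAL_NET
        and ipaddress.ip_address(dst) not in INTERNAL_NET
    )


def syn_bursts(packets: List[Packet]) -> List[Dict]:
    """Count outbound SYNs per (src, dst, second); return the windows at or above the
    threshold, highest count first, with the number of distinct destination ports hit."""
    counts: Counter = Counter()
    ports: Dict[Tuple[str, str, int], set] = {}
    for pkt in packets:
        if not is_outbound_syn(pkt):
            continue
        ts, src, dst, dport, _ = pkt
        key = (src, dst, int(ts))
        counts[key] += 1
        ports.setdefault(key, set()).add(dport)
    alerts = []
    for (src, dst, second), n in counts.items():
        if n >= SYN_PER_SECOND_THRESHOLD:
            alerts.append({"src": src, "dst": dst, "second": second,
                           "syns": n, "ports": len(ports[(src, dst, second)])})
    return sorted(alerts, key=lambda a: a["syns"], reverse=True)


def build_sample_capture() -> List[Packet]:
    """Constructed traffic: a healthy host completing three handshakes, plus an infected
    VM (10.0.0.7) sending 500 SYNs to a TEST-NET address (203.0.113.9) within one second."""
    pkts: List[Packet] = []
    for i, dst in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        pkts.append((1000.0 + i, "10.0.0.5", dst, 443, "S"))
        pkts.append((1000.1 + i, dst, "10.0.0.5", 443, "SA"))
        pkts.append((1000.2 + i, "10.0.0.5", dst, 443, "A"))
    for i in range(500):
        pkts.append((1002.0 + i / 500.0, "10.0.0.7", "203.0.113.9", 80, "S"))
    return pkts


if __name__ == "__main__":
    for alert in syn_bursts(build_sample_capture()):
        print(alert)
```

Once a burst is attributed to a host, the next step in the case study (finding which process owns the sockets, here the ".Iptables" user) is a host-side question; the per-second window and the threshold should be tuned against a baseline of the server's normal outbound connection rate before this is used as an alert.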

Case Study
The malware must have entered the system through a service. We noticed that the ssh service was running
We also noticed that the root account was enabled

Case Study
ssh authentication was successful

We found that the root password was an easy-to-guess 7-character string (combination of alpha and numeric)
It was a Korean IP address that made the connection
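Added example, not from the slides: Python checks for the two conditions the case study found, a root password login accepted over ssh after a run of failures, and an sshd configuration that allows it. The log lines and the sshd_config fragment are constructed for the example, and the addresses come from documentation ranges rather than the Korean address from the incident.

```python
# Added example, not from the slides: (1) scan sshd log lines for password logins
# accepted for root and count the failures that preceded them per source address;
# (2) read an sshd_config and report the settings that permit such logins.
# Inputs are constructed below.
import re
from collections import Counter
from typing import Dict, List

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def root_password_logins(log_lines: List[str]) -> Dict[str, object]:
    """Return accepted root password logins plus failure counts per source address,
    so a success that follows a burst of failures (a guessed password) stands out."""
    accepted, failures = [], Counter()
    for line in log_lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        elif m["user"] == "root":
            accepted.append({"ip": m["ip"], "failures_before": failures[m["ip"]]})
    return {"accepted_root": accepted, "failures": dict(failures)}


def sshd_config_findings(config_text: str) -> List[str]:
    """Flag PermitRootLogin and PasswordAuthentication when they allow root password
    logins. Modern OpenSSH defaults to PermitRootLogin prohibit-password (older
    releases defaulted to yes) and to PasswordAuthentication yes, so an absent
    PasswordAuthentication line is reported as well."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip().lower())   # sshd keeps the first occurrence
    findings = []
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible; prefer keys")
    return findings


# Constructed log excerpt in OpenSSH's auth.log format (documentation addresses).
SAMPLE_LOG = [
    "Nov 28 01:12:01 vm1 sshd[2201]: Failed password for root from 198.51.100.77 port 50211 ssh2",
    "Nov 28 01:12:03 vm1 sshd[2201]: Failed password for root from 198.51.100.77 port 50211 ssh2",
    "Nov 28 01:12:05 vm1 sshd[2203]: Failed password for invalid user oracle from 198.51.100.77 port 50214 ssh2",
    "Nov 28 01:12:09 vm1 sshd[2205]: Accepted password for root from 198.51.100.77 port 50220 ssh2",
    "Nov 28 08:30:00 vm1 sshd[2310]: Accepted publickey for deploy from 10.0.0.5 port 40110 ssh2",
]

# Constructed sshd_config fragment with the two weak settings from the lesson learned.
SAMPLE_CONFIG = """
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(root_password_logins(SAMPLE_LOG))
    print(sshd_config_findings(SAMPLE_CONFIG))
```

The corrected configuration for the case is PermitRootLogin no together with PasswordAuthentication no (key-based logins for a named admin account), which makes sshd_config_findings return an empty list; the log check is the detection that would have caught the login even with the weak settings in place.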

Case Study (Lesson Learned)


The user (also an admin) installed the system and made some simple but devastating mistakes:
Used a simple (easy to guess) password
Root account login on the ssh service was enabled

The malware caused a Denial of Service attack using SYN flooding
Reverse engineering of the malware showed that it could also perform DNS flooding

Current and Future Challenges


Malware Packers or Crypters
Anti-Analysis (Anti-Debugging, Anti-Disassembler, Anti-Sandbox, Anti-Emulation)
NO SILVER BULLET
Must use a combination of all malware analysis techniques
Machine Learning is also a big help

Related Publications
Joshua Tommy Juwono, Charles Lim, Alva Erwin, A Comparative Study of Behavior Analysis Sandboxes in Malware Detection, The 3rd International Conference on New Media 2015, Jakarta, Indonesia, 2015
Charles Lim, Nicsen, Mal-EVE: Static Detection Model for Evasive Malware, 10th EAI International Conference on Communications and Networking in China, Shanghai, China, 2015
Charles Lim, Darryl Y. Sulistyan, Suryadi, and Kalamullah Ramli, Experiences in Instrumented Binary Analysis for Malware, The 3rd International Conference on Internet Services Technology and Information Engineering 2015 (ISTIE 2015), Bali, 2015
Charles Lim, Meily, Nicsen, and Herry Ahmadi, Forensics Analysis of USB Flash Drives in Educational Environment, The 8th International Conference on Information & Communication Technology and Systems, Surabaya, 2014
Charles Lim, and Kalamullah Ramli, Mal-ONE: A Unified Framework for Fast and Efficient Malware Detection, 2014 2nd International Conference on Technology, Informatics, Management, Engineering & Environment, Bandung, 2014

Conclusion
Malware continues to rise in numbers and sophistication
Malware authors usually combine common malware modules with few changes
Packers and Anti-Analysis are real challenges
Malware analysis is usually part of Threats Intelligence, Incident Response, and Digital Forensics
There is no silver bullet for Malware Analysis

Call for More Research


Indonesia Honeynet Project
idhoneynet
http://www.honeynet.or.id
http://groups.google.com/group/id-honeynet
