
Attributes of a Zero Dollar Malware Analysis System

Aug 16, 2011   //   by SecAdmin   //   Incident Response

Please note this environment is not meant to be a sandbox but rather an environment where one can conduct research on malware while, in most cases, not executing it (unless you consider malicious code on a website to be malware, in which case it will execute). However, most downloaded samples won’t execute in this environment. Please visit the upcoming desktop support article for detailed instructions on how to set up and leverage this environment without spreading infections.

Virtual Environment

Selecting a virtual environment is fairly easy; however, it does bring about a lot of debate. Personally I don’t understand the argument. If you are looking for a desktop virtual environment but are not willing to pay for it, go with Sun XvM. Sometimes the networking can cause some issues, but on the whole it seems to work a lot better than VMware Virtual Player. I have a copy of VMware Workstation and I prefer that, so VMware Server is also a valid choice, but it requires more setup than I felt like doing. Thus, here are the primary desktop virtualization options for the basic Malware Analysis Environment we’re going to set up today.

Sun XvM (AKA VirtualBox): http://www.virtualbox.org/wiki/Downloads

VMware Virtual Player: https://www.vmware.com/tryvmware/?p=player&lp=1&sourceid=chrome&ie=UTF-8&q=VMware%20Virtual%20Player

The Operating System: Ubuntu

A generic copy of Ubuntu 9.10 is very easy to use and extremely powerful. In addition, many of the tools necessary for observing malware are open-source or Linux-specific. Unfortunately, however, a Linux system will most likely not execute the actual malware. This is both a positive and a negative: it creates a somewhat safer environment for dissecting the malware, but it also makes things a touch more difficult. It is for the latter reason that users are recommended to utilize resources such as CW Sandbox and Threat Report for analyzing the execution of malware.

Traffic Analysis Tools

Wireshark (#apt-get install wireshark)

Wireshark is something of an industry standard for packet sniffing through a graphical user interface. Wireshark can be extremely useful in analyzing malware delivered through web applications. It will record aspects such as unauthorized redirects, attempts at delivering payloads and/or attempts to pull down malware onto a machine.

EtherApe (#apt-get install etherape)

Following what is happening during a full packet capture can often be difficult, however. That’s where EtherApe comes in. EtherApe monitors network activity through a graphical representation. The visual representation of network traffic is essential in detecting unauthorized channels that should be tracked down.

NetWitness Investigator (http://www.netwitness.com)

Although NetWitness Investigator is not necessarily a Linux utility, it is extremely useful in analyzing malware. Packet captures can be loaded into NetWitness Investigator in order to forensically investigate network traffic as well as to run the entire packet capture against multiple threat feeds. This helps in determining the IP reputation of systems involved in a malware attack.

Snort (http://www.snort.org)

The inclusion of the world’s most recognizable open-source Intrusion Detection System is obvious. Snort can help detect the type of attack that is being run as well as serve as an excellent resource for determining which aspects of captured traffic to analyze. Snort can either be run actively while attempting to observe how malware is delivered, or it can be run against packet captures.

Malware Analysis Tools

PDF-Parser (http://blog.didierstevens.com/programs/pdf-tools/)

A lot of exploits currently target Adobe Reader. As a result, a large amount of malware infects machines through the delivery of maliciously crafted .pdf documents. Thus, tools like pdf-parser, which allow investigators to better analyze what is housed within pdf documents, are essential.

jsunpack-n (http://jsunpack.jeek.org/jsunpack-n.tgz)

Jsunpack is a tool specifically designed to assist security researchers in the analysis of malware-infected websites. Specifically, jsunpack is cited as being a “generic javascript unpacker.” However, jsunpack has several features that go well beyond unpacking.

Paros Proxy (http://www.parosproxy.org/download.shtml)

Paros Proxy is a web proxy that can be run locally. Paros allows investigators to trap specific server requests and responses in order to more easily track what is being delivered to a system. Paros Proxy can also be leveraged to spider web applications should a detected piece of malware be called as part of a larger attack. For example, many malware-infected sites utilize separate scripts to call things such as heap sprays or shellcode. In these situations alerts that detect the heap spray attempt or the shellcode may fire; however, the controlling page may be difficult to find. In such a scenario, spidering the site may be able to locate the controlling malware infection.

Burp Suite (http://www.portswigger.net/suite/)

Burp Suite is similar to Paros Proxy in its usage for malware analysis, as it too is a web proxy that can be run locally. However, Burp Suite is much more powerful than Paros. In the opinion of SecAnalysis, though, the user interface is not nearly as pretty or user friendly.

Assembly Language Debugger (http://ald.sourceforge.net/)

SecAnalysis’ preferences for graphical debuggers include the ImmunitySec debugger, OllyDbg, and IDA Pro. However, getting any of these to run in an Ubuntu environment can be somewhat challenging and often requires Windows emulation. Thus, Assembly Language Debugger is preferred for this type of malware analysis environment.

strings (Pre-installed on Ubuntu)

strings can help pull readable text and embedded code out of files such as .jpg’s in an easy-to-read fashion. This can be essential in manual source code analysis.

Firefox & Plugins

User Agent Switcher (https://addons.mozilla.org/en-US/firefox/addon/59)

Sometimes malware-infected websites will first detect the browser version that is attempting to access the site. Once the site detects the browser version, it determines what malware to deliver, or whether to deliver malware at all. Thus, utilizing User Agent Switcher to spoof IE 6, IE 7, IE 8, search bots and even iPhones can help circumvent these detection mechanisms.

Web Developer (https://addons.mozilla.org/en-US/firefox/addon/60)

Web Developer has a ton of uses in observing malware. It can be especially helpful in tracking down pesky iFrames and hidden form fields. Essentially, Web Developer allows users to control the representation of client-side code as well as assisting in reviewing malware-infected web sites.

Websites

Wepawet can be highly useful for analyzing malicious javascript, infected flash websites, as well as infected pdf documents. Wepawet often misses new infections, however, so caution should be used when leveraging it.

VirusTotal can run malicious files against multiple antivirus scanners, therefore giving users some clue as to detection. It should be noted, however, that simply saving a malicious website to a file is more likely to trigger generic signatures, whereas pulling the shellcode and creating an exe out of the shellcode (http://sandsprite.com/shellcode_2_exe.php) can produce more descriptive results. However, use caution, as creating an executable with sandsprite has in the past produced generic results on VirusTotal such as “Downloader or Troj_Downloader” with non-malicious code. This possibly means that some sandsprite additions may cause certain AV vendors to trigger alerts regardless of the shellcode that is meant to be analyzed.

CW Sandbox will actively execute malicious code and observe the effects that the code has on an environment. This can be especially useful while working within a Linux environment.

Threat Expert conducts activities similar to CW Sandbox; however, the reports can often be more useful.

*Whoa, whoa, did I mess something up or forget something? Don’t get mad… just let me know: shoot me an e-mail at mmontecillo “a”-with-a-circle-around-it secanalysis.com or hit me up on Twitter @Montejam.

Analysis of an Obfuscated iFrame

Jul 16, 2009   //   by SecAdmin   //   Incident Response, Research

Introduction

Obfuscated iFrame attacks are wildly out of control in the IT world today. Legitimate enterprise websites and personal websites alike are unknowingly hosting these attacks. The attacks simply redirect users to a third-party website hosting an exploit and, more often than not, pieces of malware. I have been given unconfirmed reports that malware writers earn $1.50 for every system they deliver this malware to, which means that people are more than willing to deliver the attacks. In this research report we will look at a piece of obfuscated javascript in order to understand how attackers are hiding their activities on legitimate websites.

Below is a real iframe attack found on an exploited website.

Simple Analysis

It is rare that an attack will be found in such readable form. In fact it is usually all put onto a single line; I simply broke it out into a more readable format. In some cases it is easy to find this code because it is by far the longest line in the page. Regardless, below is the simple flow of how this code works.

1. Initialize variables k1, k2, t1, t2, and h.

2. Deobfuscate k1 and k2.

3. Write h to the user.

Resulting deobfuscated code (note that the frame is set to be virtually invisible: 1×1 pixel)

In-depth Analysis

Variable Initialization

Let’s take a look at what’s happening here. First we have two hideous and large javascript string variables called “k1” and “k2”. These variables contain obfuscated strings (I know, tough to believe). Next we have two integer variables, t1 and t2. Both are initialized to zero; they are simple counters meant to drive the while loops later on in the code. Finally we have a string variable “h” which is initialized to NULL. h is basically the end variable: it combines “behgczzazbzc” with the decoded k1 and k2 variables, and this provides the actual attack.

While Loops

The while loops are relatively unimportant, as they merely deobfuscate the k1 and k2 variables and add the deobfuscated information to the h string. In order to do this the attacker is using two predefined functions: the String.fromCharCode() function and the charCodeAt() method of the k1 string.

String.fromCharCode() is a function that returns the characters that correspond to the ISO-Latin-1 numerical positions passed to the function, e.g. String.fromCharCode(65) = A.

A reference sheet for ISO-Latin-1 characters and their numeric position can be viewed here.

In order to get the proper position to insert into String.fromCharCode(), the attack code first converts the current ISO-Latin-1 character into its corresponding position. This is done by using the string’s charCodeAt() method. The while loops add a small amount of complication to this action by shifting the ISO-Latin-1 character position by -3 and -2.

Adding To the String

In the attack code (between the while loops), there is a simple addition to the string that adds the domain to the actual attack. There is no way to determine that this is the domain until after the code is deobfuscated. The reason this is segmented in the code is that the attacker can quickly change the domain of the attack while preserving the rest of the attack.

Putting it All Together

The attack code finishes up by writing the document to the victim with the document.write() function. This is important to recognize because by the time the variable h reaches this function, it is deobfuscated. Therefore, an analyst can simply change this function to a non-malicious one in order to see what is actually obfuscated in the code. For example, instead of document.write() one could use document.alert().
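The decode-and-sink technique from the “While Loops” and “Putting it All Together” sections, as an added example that is not the original post’s code or the attack script itself. The k1/k2 strings are constructed samples that decode to a harmless placeholder iframe; the -3/-2 shifts, the “behgczzazbzc” prefix and the swapped-in capture function in place of document.write() follow the post’s description.

```javascript
// Decode one obfuscated string: every ISO-Latin-1 code point is shifted
// back by `shift`, exactly what the attack's while loops do with
// charCodeAt() and String.fromCharCode().
function decodeShifted(str, shift) {
  let out = "";
  let t = 0;                       // the attack's t1/t2 counter
  while (t < str.length) {
    out += String.fromCharCode(str.charCodeAt(t) - shift);
    t++;
  }
  return out;
}

// Inverse of decodeShifted(); used only to build the constructed samples.
function encodeShifted(str, shift) {
  let out = "";
  for (let i = 0; i < str.length; i++) {
    out += String.fromCharCode(str.charCodeAt(i) + shift);
  }
  return out;
}

// Constructed sample payload (not the real strings): a 1x1-pixel iframe
// split around the domain, as the post describes the segmented layout.
const k1 = encodeShifted('<iframe src="http://', 3);
const domain = "example.invalid";   // placeholder, not a real attack domain
const k2 = encodeShifted('/" width="1" height="1"></iframe>', 2);

// Analyst-side stand-in for document.write(): rebuild h exactly as the
// attack does, but RETURN the decoded markup instead of rendering it.
function recoverPayload(k1, domain, k2) {
  let h = "behgczzazbzc";          // literal prefix reported in the post
  h += decodeShifted(k1, 3);       // first while loop: shift -3
  h += domain;                     // segment the attacker swaps out
  h += decodeShifted(k2, 2);       // second while loop: shift -2
  return h;                        // where the attack calls document.write(h)
}

console.log(recoverPayload(k1, domain, k2));
```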

Detecting/Defending Against These Attacks

Anti-virus/Anti-malware

Some anti-virus and anti-malware solutions flag and stop these attacks from affecting end users. Unfortunately, however, research points to the fact that very few are actually capable of detecting these attacks. I rolled this attack up into an HTML file and submitted it to VirusTotal, where 41 anti-virus/anti-malware scanners assessed the file. Of those 41 scanners, only three detected there was an issue.

Browser Protection Software:

  • Trusteer Browser Protection Software
  • Kace Browser Protection Software
  • HP/Symantec/Mozilla Browser Sandboxing Software
  • Various Virtual Browser Sandboxing Solutions

Content Filtering Technology

Content filtering technology could help in two ways. First, it could detect the issue on the page to begin with and proactively categorize the page to prevent the victim from accessing the attack code. Second, if the attack code is delivered to the victim, the content filtering system could still prevent the victim from actually accessing the malicious website hosting the exploit and malware.

Example Content Filtering System Software:

  • BlueCoat WebFilter
  • WebSense WebFilter
  • ScanSafe WebFilter/Malware Scanner
  • Many, many others

IPS Technology

Intrusion Prevention Systems can be used to block the exploit from getting to the victim. Unfortunately, in many cases the actual prevention is based on the exploit and not the vulnerability. This means that the exploit can be altered to bypass the IPS fairly easily by altering the signature and/or behavior of the attack. Of course, finely tuned and sophisticated IPSs have fewer issues with this.

Example IPS:

  • Sourcefire SNORT
  • IBM Internet Security Systems Proventia
  • McAfee Network Security Platform (formerly Intrushield IPS)
  • TippingPoint Digital Vaccine
  • Many, many others