Revealing Hacker through Malware Analysis

Background

Two days ago one of my friends contacted me and told me that his organization is receiving suspicious-looking emails. They think that the infection was to be conducted via “spear phishing” emails. Then I decided to take a deeper look into it.

I went there and saw escalation not only in numbers of created malware files but also in targets. Then I started the investigation and followed the following steps:

Before going into much deeper first we have to understand about malware and malware analysis.

What is malware?

Any software that does something that causes harm to a user, computer, or network can be considered malware, including viruses, Trojan horses, worms, and spyware.

Types of Malware

These are the categories that most malware falls into:

• Backdoor: Malicious code that installs itself onto a computer to allow the attacker access. Backdoors usually let the attacker connect to the computer with little or no authentication and execute commands on the local system.
• Botnet: Similar to a backdoor, in that it allows the attacker access to the system, but all computers infected with the same botnet receive the same instructions from a single command-and-control server.
• Downloader: Malicious code that exists only to download other malicious code. Downloader’s are commonly installed by attackers when they first gain access to a system. The downloader program will download and install additional malicious code.
• Information-stealing malware: Malware that collects information from a victim’s computer and usually sends it to the attacker. Examples include sniffers, password hash grabbers, and keyloggers. This malware is typically used to gain access to online accounts such as email or online banking.
• Launcher : Malicious program used to launch other malicious programs. Usually, launchers use nontraditional techniques to launch other malicious programs in order to ensure stealth or greater access to a system.
• Spam-sending malware : Malware that infects a user’s machine and then uses that machine to send spam. This malware generates income for attackers by allowing them to sell spam-sending services.
• Worm or virus : Malicious code that can copy itself and infect additional computers.

What is malware analysis?

Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it.

Goal of malware analysis

The goal of malware analysis is to gain an understanding of how a specific piece of malware functions so that defenses can be built to protect an organization’s network. There are two key questions that must be answered.

· How did this machine become infected with this piece of malware?

· What exactly does this malware do? After determining the specific type of malware, you will have to determine which question is more critical to your situation.

Approaches to malware analysis

There are two fundamental approaches to malware analysis: static and dynamic.

· Static analysis involves examining the malware without running it.

· Dynamic analysis involves running the malware.

Following are the terms with their definitions those are involved during malware analysis.

• Spear phishing: To send emails with malicious content (attachments, links, or fraudulent messages) to specific persons of particular interest
• Exploit: Exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).
• Drop: The online location where malware delivers stolen information.
• FUD: FUD means Fully Undetectable, i.e. the program is not detected by antivirus tools
• SFX: Self-extracting. Executable programs that are also archives, and which extract and sometimes execute the archive content when run.
• MD5: A so-called hash – i.e. a number calculated on the basis of data that identifies these with high confidence. MD5’s in this paper are used to identify files.

Steps involved in malware analysis:

When performing malware analysis, the first step would be to have malware so that we could analyze one of the pieces of malware previously obtained. So firstly malware sample was collected from the organization.

After obtaining malware, I prepared a safe analytical environment to perform malware analysis. This is done by creating virtual environment with the help of VMware, this protects the host machine from the malware. One of the most convenient aspects of using virtualization software is its support for snapshots. They allow you to preserve the current state of the virtual machine with a click of a button, and return to it with another click. VMware Workstation support multiple snapshots, which comes in very handy for “bookmarking” different stages of your analysis, so you can move back and forth during your experiments without losing important runtime details. A snapshot of the state of the machine’s file system and the registry was taken. This allows me to quickly see what major changes have occurred on the system after execution of malware. RegShot can be used as an effective tool for this purpose. Process monitor can be used to monitor all file registry and process activity on windows system. You also need to install wireshark, a protocol analyzer that captures and decodes network traffic. Process monitor and wireshark is used to quickly reveal the behavior of malicious program.

The initial spear phishing mail contained attachment named “Important_Scan_Document” In the Folder option, click on view and then check the option show hidden files, folder and drives and uncheck the option to hide empty drives, extensions and protected operating system files.

Then I found that it’s a SFX (self-extracting executables).

I simply extracted it using Winrar.

I found two files out of which one is an executable file and other is a word file.

                                       

When I double click the SFX the installer will execute the included “tskmgr.exe” file and open the decoy document they are actually specially crafted RTF files designed to trigger software vulnerability (CVE-2012-0158) in Microsoft Common Controls, typically triggered in Microsoft Word. In CMD prompt run the netstat command. Netstat command is used to show detailed network status information. The tskmgr.exe will start in the background and establishes a TCP connection to a IP address.

Once the system got infected with the malicious program, check the system configuration to find whether tskmgr.exe will load on startup or not. I found that tskmgr.exe had automatically made entry in system start-up.

Visit virustotal.org which is a free virus, malware and URL online scanning service in which file checking is done with more than 40 antivirus solutions. I checked tskmgr.exe and it was found to be a Trojan.

Then I found that it is modifying the Windows registry entries and taking screenshots of the infected system in the background and uploading this information to a website.

Then visit networktools.nl. It is used to query whois records, ping hosts, query dns records, trace hosts, display host information, domains on ip reverse ip, check spam. When I do the domain lookup of domain I got the following information. In almost all cases, the domains registered by the attackers are “privacy protected”. This means that the registrant has paid the domain registrar to with hold identity information related to the registration. This is done almost to perfection.

However, by searching reverse IP data for the IP addresses of domains known to be involved I found a number of other domains likely belonging to the same infrastructure.

Running Wireshark on the infected system when it is trying to send screenshots to website reveals the following type of behavior

Once we noted the path of the file upload, we simply navigated to the URL and noted our own system’s screenshot being nicely saved as a png on the server.

It is interesting to note that the malware author was uploading files to a folder called ScreenShot. I found that the site had a number of directory listing vulnerabilities. The attacker doesn't have their robots.txt set to “disallow” to stop them from being crawled.

By listing the files and downloading the data present in site. I easily figured out the organization behind this cyber attack.

Many other folders were found. The names and structured of these sub-folders shows that these are the names of systems compromised.

The folders contain the IP address of the compromised system, and each of them contains text files called as Pass_logs.txt, which are captured passwords and other key phrases.

While surfing the domain, I also found some phishing pages that are used to do spear phishing. When I open the Php script of phishing pages I found the email ids where the passwords of victims were sent.

Myths about malware

· I will know if I am infected

· I can protect myself from malware by not going on porn/warez sites.

· Email Attachments from known persons are safe

· Malware is only a problem on Windows.

· Malware is created by antivirus vendors

· Most malware is spread through e-mail

· My firewall can protect my PC from drive-by-download attacks

· If you don’t open an infected file, you can’t get infected

· Cyber criminals aren’t interested in the PC’s of consumers

How to protect yourself from malware

1. Make sure your PC is updated and secure:

The software on your PC isn’t perfect. It may contain exploits or security holes that make it possible for your machine to be infected easily. You need to make sure you have these updates on your applications running or you’re increasing your risk of infection.

Of course, we also recommend always running updated Internet security that includes anti-virus, spyware and firewall. Browsing Protection is another layer of security that can keep you from clicking on the wrong links.

2. Be very skeptical of random pop-up windows, error messages and attachments:

Avoid clicking on any pop-ups that imitate your Windows error messages or error messages that come up when you try to close out of a page. If any software begins to install itself, close out immediately and run a scan of your Internet security software. You can also use our Online Scanner for free.

Avoid opening attachments at all unless you were expecting them and they come from a source you trust. If you can’t verify the source or feel anxious about a particular attachment yet have to open it, you can download it to your hard drive and have your updated Internet security scan the file before you open it.

3. Remove spam from your life:

If you get a piece of spam, let your mail software know. Identify it as spam.Better to let your software handle it.

4. Think thrice before installing any new software:

Installing software should never be an impulse decision. Some people say think twice before downloading any software from a source you do not trust 100%. I say think three time.

At the very least, Google the name of a product you want to install. If you’re at all uncertain about whether to click download, consult with a tech savvier friend or your company’s IT guy.

Conclusion

Malware attack incidents are happening very often these days. This article would assist you to reveal the truth behind them. Malware Analysis is very important step to know about the each malware used in your destruction. This enables you to think over the incidents happening around you and then you can think over the solution you can go for. There are certain myths, people follows but don’t exist in reality. By following proper methodology of Malware Analysis, you can find the attacker/hacker.

Reference

• http://zeltser.com/reverse-malware/intro-to-malware-analysis.pdf
• http://it-ebooks.info/go.php?id=2227-1382536386-596f70159e9c9e5803bbf9cf6a21a42a
• www.sans.org/reading-room/whitepapers/malicious/malware-analysis-introduction-2103?show=malware-analysis-introduction-2103&cat=malicious
• http://safeandsavvy.f-secure.com/2011/01/20/how-to-protect-from-malware/#.UmeZK1M3vBJ