Hacking the Malware – A reverse-engineer's analysis

A nice, thorough analysis of a Yahoo! instant messaging worm by Rahul Mohandas, showing how he decoded the exploit, reverse engineered it, and analyzed its effects. A very good example, and something you can learn from.

This paper attempts to document an approach on how the hackers make use of the vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.

I also describe an approach to setting up a flexible laboratory environment using virtual workstation software such as VMware, and demonstrate the process of reverse engineering a worm using a range of system monitoring tools in conjunction with a disassembler.

I hope this document will help the Malware researchers, Intrusion Analysts and other Security professionals to conduct a more viable and comprehensive research.

Source: Hacking the Malware – A reverse-engineer's analysis, by Rahul Mohandas. Pointed out by B on IRC. Thanks!

November 8, 2006 in IM worms, malware, papers, tools

SIS Analysis Toolkit

A departure from the normal, boring academic stuff, and actually on to something I've never featured here before (I think): mobile phone malware. The SIS Analysis Toolkit, according to the website, "consists of a base Perl module, SisDump, and a number of perl scripts and utilities useful for analyzing malware." I have to admit I've never looked at mobile phone malware. Surprisingly, it seems to be a growth niche in the past couple of years: from the early days of things like Caribe to more recent SIS malware like Mabir, mobile phone malware has been evolving. Most of it seems to target the Symbian60 platform, which is popular with Nokia phones and is a rich mobile computing environment.

I haven't played with these tools (I don't own a Symbian60 phone), but if you're curious about exploring your phone or any of the malware that may be on it, this looks like the right place to start.

October 24, 2006 in new trends, tools

Enabling Internet Worms And Malware Investigation And Defense Using Virtualization

While lengthy, it's good reading if you're wondering about large-scale studies of real malware in a controlled laboratory network setting.

Internet worms and malware remain a threat to the Internet, as demonstrated by a number of large-scale Internet worm outbreaks, such as the MSBlast worm in 2003 and the Sasser worm in 2004. Moreover, every new wave of outbreak reveals the rapid evolution of Internet worms and malware in terms of infection speed, virulence, and sophistication. Unfortunately, our capability to investigate and defend against Internet worms and malware has not seen the same pace of advancement.

In this dissertation, we present an integrated, virtualization-based framework for malware capture, investigation and defense. This integrated framework consists of a front-end and a back-end. The front-end is a virtualization-based honeyfarm architecture, called Collapsar, to attract and capture real-world malware instances from the Internet. Collapsar is the first honeyfarm that virtualizes full systems and enables centralized management of honeypots while preserving their distributed presence. The back-end is a virtual malware "playground," called vGround, to perform destruction-oriented experiments with captured malware or worms, which were previously expensive, inefficient, or even impossible to conduct.

On top of the integrated framework, we have developed a number of defense mechanisms from various perspectives. More specifically, based on the unique infection behavior of each worm we run in vGround, we define a behavioral footprinting model for worm profiling and identification, which complements the state-of-the-art content-based signature approach. We also develop a provenance-aware logging mechanism, called process coloring, that achieves higher efficiency and accuracy than existing systems in revealing malware break-ins and contaminations.

Source: Enabling Internet Worms And Malware Investigation And Defense Using Virtualization, a Ph.D. thesis by Xuxian Jiang.

September 29, 2006 in malware, papers, tools

A FastWorm Scan Detection Tool for VPN Congestion Avoidance

Speaking of DIMVA, here's a set of slides from last year's conference that describe a scanning worm detection system. While none of the foundations are new (detect scanning by looking for failed connection requests and unanswered packets), this is a real-world demonstration of its efficacy. Not surprisingly, P2P apps tend to give false positives. From a slide deck, A FastWorm Scan Detection Tool for VPN Congestion Avoidance, by Arno Wagner, Thomas Dubendorfer, Roman Hiestand, Christoph Goldi, and Bernhard Plattner, from DIMVA 2006.

September 23, 2006 in detection, tools

Detecting Worms with Ourmon

Again from Kamal, and again something that's been sitting in my inbox for far too long.

The folks over at Ourmon (a play on RMON, get it?) have been coming up with ways to use statistics to do anomaly detection. Obviously, one of the things you can do with such a tool is detect ... worms loose on a network. Or bots.

Here's a description of the Ourmon tool:

Ourmon is a statistically oriented open-source network monitoring and anomaly detection system. Ourmon is based on promiscuous mode packet collection on Ethernet (typically) interfaces. A probe collects packets deemed important and sends internally defined tuples back to a graphics display system which may or may not be on the same host. Ourmon does not collect all the packets because one principal design goal is to extract signal from noise, not store all the noise in a giant bag under the assumption that you can peruse it "later" (there is no later).

Ourmon analyzes data using both multiple instances of the Berkeley Packet Filter, and also various hashed top N lists and then displays the data using RRDTOOL graphs, histograms, and perl reports. Data is produced in near realtime every thirty seconds.

Kamal, who attended the 2005 Freenix event, notes that they had a paper on Ourmon describing the system and its applications.

Charlie Schluting has a two-part article on using Ourmon to detect worms, Something Wormy on Your Net? Investigate with Ourmon; part 1 and part 2 are available over at the EnterpriseNetworkingPlanet website.

You can see Ourmon in a live demo at the PDX website. Of interest to Wormblog readers is the TCP Worm graph, which comes from analysis of hosts that "generate more TCP SYNS than TCP FINS."

All in all a neat project (but the web interface could use some work ...).
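The two detection ideas on this page, the DIMVA slides' "failed connection requests and unanswered packets" and Ourmon's TCP worm graph of hosts that send more SYNs than FINs, reduce to the same per-host bookkeeping over a time window. The following is an added example written for this post, not code from Ourmon or from the DIMVA authors: it buckets constructed packet records into 30-second windows (Ourmon's reporting interval), counts bare SYNs, returned SYN/ACKs, returned RSTs and FINs per source host, and flags hosts whose SYN/FIN gap and unanswered ratio both exceed illustrative thresholds. The sample traffic deliberately includes a P2P-style host so that the false positive the slides mention shows up in the output.

```python
"""Toy scanning-worm detector built on the two heuristics mentioned on this page:
unanswered connection attempts (the DIMVA 2006 slides) and hosts that send many more
TCP SYNs than FINs (Ourmon's TCP worm graph). Added example, not Ourmon's or the
DIMVA authors' code; the packet records and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW_SECONDS = 30   # Ourmon reports every thirty seconds; bucket the same way


@dataclass
class HostStats:
    syn_sent: int = 0        # bare SYNs the host sent (connection attempts)
    synack_recv: int = 0     # SYN/ACKs it got back (attempts that were answered)
    rst_recv: int = 0        # RSTs it got back (closed port / refused)
    fin_sent: int = 0        # FINs it sent (orderly closes; half-open scans never do this)
    peers: set = field(default_factory=set)


def bucket_stats(packets):
    """Aggregate (ts, src, dst, service_port, flags) records into per-window, per-host counters."""
    windows = defaultdict(lambda: defaultdict(HostStats))
    for ts, src, dst, _port, flags in packets:
        f = set(flags.split("|"))
        stats = windows[int(ts // WINDOW_SECONDS)]
        if "SYN" in f and "ACK" not in f:
            stats[src].syn_sent += 1
            stats[src].peers.add(dst)
        elif "SYN" in f and "ACK" in f:
            stats[dst].synack_recv += 1     # the initiator is the destination of the SYN/ACK
        elif "RST" in f:
            stats[dst].rst_recv += 1
        if "FIN" in f:
            stats[src].fin_sent += 1
    return windows


def classify(stats, min_syns=20, syn_fin_gap=15, unanswered_ratio=0.5):
    """Return {host: reason} for hosts in one window whose SYN/FIN and SYN/SYN-ACK
    imbalance looks like scanning. Thresholds are illustrative, not Ourmon's."""
    flagged = {}
    for host, s in stats.items():
        if s.syn_sent < min_syns:
            continue                        # too little activity to judge
        unanswered = s.syn_sent - s.synack_recv
        if (s.syn_sent - s.fin_sent) >= syn_fin_gap and unanswered / s.syn_sent >= unanswered_ratio:
            flagged[host] = (f"syn={s.syn_sent} fin={s.fin_sent} unanswered={unanswered} "
                             f"rst={s.rst_recv} distinct_peers={len(s.peers)}")
    return flagged


def synthetic_traffic():
    """Constructed packets for one 30 s window: a normal web client, a scanning worm,
    and a P2P-style host that reproduces the false positive the DIMVA slides warn about."""
    pkts, t = [], 0.0
    for i in range(5):                      # web client: 5 complete, cleanly closed sessions
        srv = f"203.0.113.{10 + i % 2}"
        pkts += [(t, "192.0.2.10", srv, 80, "SYN"),
                 (t + 0.01, srv, "192.0.2.10", 80, "SYN|ACK"),
                 (t + 1.0, "192.0.2.10", srv, 80, "FIN|ACK"),
                 (t + 1.01, srv, "192.0.2.10", 80, "FIN|ACK")]
        t += 2.0
    for i in range(60):                     # worm: sequential sweep of tcp/445, mostly silence back
        dst = f"198.51.100.{i + 1}"
        pkts.append((t, "192.0.2.66", dst, 445, "SYN"))
        if i % 20 == 0:
            pkts.append((t + 0.01, dst, "192.0.2.66", 445, "SYN|ACK"))
        elif i % 5 == 0:
            pkts.append((t + 0.01, dst, "192.0.2.66", 445, "RST|ACK"))
        t += 0.1
    for i in range(40):                     # P2P host: many peers, most offline, some real sessions
        peer = f"192.0.2.{100 + i}"
        pkts.append((t, "192.0.2.77", peer, 6881, "SYN"))
        if i < 12:
            pkts.append((t + 0.05, peer, "192.0.2.77", 6881, "SYN|ACK"))
            if i < 10:
                pkts.append((t + 3.0, "192.0.2.77", peer, 6881, "FIN|ACK"))
        t += 0.2
    return pkts


if __name__ == "__main__":
    for w, stats in sorted(bucket_stats(synthetic_traffic()).items()):
        for host, reason in classify(stats).items():
            print(f"window {w}: {host} looks like a scanner ({reason})")
```

With the default thresholds both the worm (60 SYNs, no FINs, 57 unanswered) and the P2P host (40 SYNs, 10 FINs, 28 unanswered) are flagged, while the web client never reaches the minimum SYN count. Raising `unanswered_ratio` to 0.9 keeps the worm and drops the P2P host, which is the kind of tuning the slides' false-positive remark implies.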

August 22, 2006 in detection, tools

Updated Microsoft Malicious Software Removal Tool (March, 2006)

Microsoft has updated their malware removal tool. This is a tool that runs at Windows Update time and can also be downloaded and run on-demand. It is not a continual defense, unlike most AV products. Updates for March, 2006, include:

Source: Malicious Software Removal Tool, updated March 14, 2006.

March 14, 2006 in Bagle, Blaster, defense, microsoft, sasser, tools, witty, Zotob

Updated Microsoft Malware Removal Tool (Jan, 2006)

It's Patch Tuesday, and that means that Microsoft has updated their Malware Removal Tool. Detection this month focuses on some of the more prolific but "beneath the radar" malware: The full list of families detected and removed by the Windows Malware Removal Tool is listed on the website. The team responsible for the product are also blogging their work.

January 10, 2006 in Bagle, Blaster, detection, IM worms, microsoft, sasser, SQLSlammer, tools, Zotob

VX reversing II, sasser B

The Sasser worm from May of 2004 provides an excellent example of modern malware in a reverse engineering setting. Eduardo Labir's article for the CodeBreakers Journal is a nice tutorial on how to really get into code, analyze it, and understand what is going on.

Tools you'll want to have handy: VMware, so that you don't trash your main machine (another throwaway machine may also be used, but a virtual system is most often a handy way to keep the number of physical machines down); OllyDbg, a (free) 32-bit debugger with plenty of nice features; and IDA Pro, one of the best disassembler tools I can find (it's commercial, and sometimes the HT editor will do in a pinch).

The well-known worm Sasser has been one of the viruses which has received more attention in the press in the latest months. Its author, an 18-year-old student from Germany, after causing lots of troubles to many home users and small enterprises, faces up to several years of prison. Sasser is not a well-programmed virus; its success is entirely due to the exploit it implements, which was announced by Microsoft in one of their security bulletins. In this paper, we will reverse Sasser.B - the second of its variants - showing how it works and also how to clean your computer after infection.

Source: VX reversing II, sasser B, Eduardo Labir, in the CodeBreakers Journal. Eduardo also has a nice piece entitled VX reversing I, The Basics where you may want to begin if this is new to you.

January 2, 2006 in malware, papers, sasser, tools

Updated Windows Malware Removal Tool (December, 2005)

The Microsoft Malware Removal Tool has been updated for December, 2005, with three new families:

As always, this is only a "catch the most obvious signs" tool, and up-to-date antivirus will be useful for real-time detection and defense, and also for any variants that may not be known to the tool.

Users of Microsoft's automatic updates will have the tool automatically run and installed, but you can also download it and run it manually.

December 13, 2005 in defense, microsoft, tools

Los Alamos enters market with worm defense

From Federal Computing Weekly via DE, a press release that says that the Los Alamos National Laboratory is going to be making their worm defense tool Network Automated Response and Quarantine ("NARQ") available via licensing to the general technical community. Probably not for end users, but instead software makers and integrators.

Los Alamos developed NARQ after it failed to find a ready-made commercial product to help stymie the specific threat it faced from worms. Unlike viruses, worms don't directly infect programs and files. Instead they make copies of themselves and then propagate via the network to other machines, bringing the network down through denial of service.

NARQ detects such worms and then instantly quarantines all the affected machines and devices on the network at the port level.

Source: Los Alamos enters market with worm defense, FCW, Nov. 16, 2005.

For more information on the LANL NARQ project, see the LANL NARQ website. The website describes NARQ thusly:

Network Automated Response and Quarantine (NARQ™)

Los Alamos National Laboratory (LANL) has developed a semi-automated and instantaneous layer-2 (Ethernet) network mapping and quarantine system. The Network Automated Response and Quarantine (NARQ™) software is designed to locate infected systems and reconfigure ports to remove the infected devices from the network.
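The mapping step in that description (find which switch port an infected system hangs off, then reconfigure that port) is where a quarantine tool most needs a sanity check: a MAC address is learned on every port between the host and the observer, and shutting an inter-switch link takes the whole downstream segment with it. The following added illustration is not NARQ's code; its ARP and MAC-table snapshots are constructed and the switch and port names are placeholders. Given an IP from a detector, it resolves the MAC, discards ports on a protected inter-switch link list, picks the remaining port that shares the fewest other MACs as the edge port, and refuses to act automatically when more than a bounded number of other devices would be taken offline with it.

```python
"""Locating an infected host's edge port from layer-2 forwarding tables before
quarantining it, the mapping step NARQ's description on this page refers to.
Added illustration, not NARQ's code; the ARP and MAC tables are constructed and
the switch/port names are placeholders."""

# Constructed ARP snapshot (what a detector usually hands you is an IP, not a MAC).
ARP_TABLE = {
    "10.0.0.5": "00:11:22:33:44:55",
    "10.0.0.6": "00:11:22:33:44:66",
    "10.0.0.8": "00:11:22:33:44:88",
}

# Constructed MAC-table snapshot: (switch, port) -> MACs learned on that port.
# Inter-switch links learn every MAC on the far side; access ports learn one or a few.
MAC_TABLES = {
    ("core-1", "Gi1/1"): {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:67"},
    ("core-1", "Gi1/2"): {"00:11:22:33:44:88"},
    ("edge-3", "Gi0/24"): {"00:11:22:33:44:88", "00:11:22:33:44:99"},   # uplink to core-1
    ("edge-3", "Gi0/5"): {"00:11:22:33:44:55"},
    ("edge-3", "Gi0/6"): {"00:11:22:33:44:66", "00:11:22:33:44:67"},     # PC behind an IP phone
}

# Links we must never shut down: cutting one would isolate everything behind it.
INTER_SWITCH_LINKS = {("core-1", "Gi1/1"), ("edge-3", "Gi0/24")}


def find_edge_port(mac, mac_tables=MAC_TABLES, protected=INTER_SWITCH_LINKS):
    """Return (switch, port, other_macs_on_port) for the access port that learned `mac`,
    or None if the MAC is unknown or only seen on protected links."""
    candidates = [(sw, port, macs) for (sw, port), macs in mac_tables.items()
                  if mac in macs and (sw, port) not in protected]
    if not candidates:
        return None
    # Among the remaining ports, the one sharing the fewest MACs is the edge port;
    # this also guards against a trunk that is missing from the protected set.
    sw, port, macs = min(candidates, key=lambda c: len(c[2]))
    return sw, port, sorted(macs - {mac})


def plan_quarantine(ip, max_collateral=1, arp=ARP_TABLE):
    """Decide whether the port can be shut automatically or needs a human.
    `max_collateral` bounds how many other MACs we accept taking offline."""
    mac = arp.get(ip)
    if mac is None:
        return {"action": "escalate", "reason": f"no ARP entry for {ip}"}
    found = find_edge_port(mac)
    if found is None:
        return {"action": "escalate", "reason": f"{mac} unknown or only seen on protected links"}
    sw, port, others = found
    if len(others) > max_collateral:
        return {"action": "escalate", "switch": sw, "port": port, "collateral": others,
                "reason": "port is shared with too many other devices"}
    return {"action": "shutdown", "switch": sw, "port": port, "collateral": others}


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.8", "10.0.0.9"):
        print(ip, plan_quarantine(ip))
```

The host on edge-3 Gi0/5 is shut down cleanly, the PC behind the IP phone on Gi0/6 is shut down with the phone listed as collateral (and escalated instead if `max_collateral` is 0), the host cabled directly into core-1 resolves to Gi1/2 rather than the uplink that also learned it, and an IP with no ARP entry is escalated. Pushing the actual port configuration to the switch is left out on purpose, since that is vendor-specific.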

When they put it like this, it sounds more like Packetfence than anything else, although I have yet to really review the technology.

See the Wormblog paper archives for discussions about the effectiveness of quarantine approaches.

November 27, 2005 in defense, tools