Windows 7 Forums


Windows 7: Analysis on Unknown Malware - Assistance Requested


14 Feb 2013   #1

Microsoft Community Contributor Award Recipient

Windows 7 64-bit
 
 
Analysis on Unknown Malware - Assistance Requested

Hi,

Currently snagged a bit of malware trying to run its course on my workstation. However, instead of cleaning it, I have pacified it and am now attempting to gut and analyze it out of personal interest and to further knowledge of security analysis. I've already done the initial data collection and a bit of sleuthing but ran into a couple of snags that I'd like assistance on if possible. If anyone here is capable and curious I'd like to proceed on this thread; otherwise, if they have any other forum or resource they'd like to recommend to direct my attention to that will better suit this kind of request, then I'd gladly accept that too.

I'll post details I've garnered so far on condition that I receive notice that others are interested in it. I will say that Trend Micro detected only some of its activity (attempting to access certs on illegitimate sites) but not the actual offending items (I have, however). I have not run it through other AV software yet to determine virus definitions, so for now it is considered an unknown strain.

Thank you for your consideration in the matter. I hope this ends up becoming a worthy adventure that people may profit from.



14 Feb 2013   #2
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Upload the file to Jotti's malware scan and have it scanned and analyzed by several anti-virus companies.
14 Feb 2013   #3

Microsoft Community Contributor Award Recipient

Windows 7 64-bit
 
 

Trend Micro does not like the javascript on that website. I will have to find an alternative.


14 Feb 2013   #4

Windows 7 Home Premium
 
 

You can also upload the file to VirusTotal for a security check:
http://www.virustotal.com/

Select: Choose File, and a prompt opens for you to locate the file.

Then, click the Scan it! button.

If the file is listed as already analyzed, click on: Reanalyse file now.


When done, you can post the http:// link to the scan results, if you wish.


Additional resources:
Online Scanners - Scan Suspicious Files on your PC
15 Feb 2013   #5

Microsoft Community Contributor Award Recipient

Windows 7 64-bit
 
 

https://www.virustotal.com/en/file/5...is/1360948659/

Also for another item of it, a file named '1.0' with no extension:

https://www.virustotal.com/en/file/2...is/1360948834/

Looks like a pretty new strain. Timelines for various virus databases said it was added either late January or early Feb this year. I've discovered no detailed analysis on the item yet. Guess I'm working with something fresh!

While it's unfortunate I have no further information on it to work with, I still wish to pick it apart and analyze it personally. Again, you all are welcome to assist in the endeavor, or perhaps direct me to a forum that has people doing this frequently?
16 Feb 2013   #6

Windows 7 Home Premium
 
 

Vir Gnarus,

Malware Analysis needs a system of its own that you can infect without affecting your Operating System.

The following article may give you some insight.
5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser

Also, there are many other websites offering tutorials on the subject.

There may be some forums in the malware community that have a Malware Analysis subforum, but I cannot think of one with access for the general public. At a minimum, I believe you need to be a trained malware removal advisor who has worked at the malware removal forums, an expert in the field of Malware Analysis, or something in between.

This forum does not have a Malware Analysis subforum (that I have seen). There may be someone in this forum that engages in malware analysis, but, that person will have to come forward.

Some of the members here may analyze certain reports to determine if malware is present on a computer, but, like for myself, providing assistance on malware removal is as far as it goes.

Analyzing the actual malware is a different ball game.

Good luck in your endeavour.
16 Feb 2013   #7
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote: Originally Posted by Vir Gnarus

Also for another item of it, a file named '1.0' with no extension:

You might look at these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Random.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Random.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer
"EnableShellExecuteHooks" = 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Random.exe
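An added example, not from the thread or any of its posters: a PowerShell script that walks the four autostart locations listed in the post above, resolves each Run value to a file, reports whether that file exists and whether it carries a valid Authenticode signature, and then prints the EnableShellExecuteHooks policy value. It assumes 64-bit Windows PowerShell on Windows 7, run from an elevated prompt.

```powershell
# Added example (not the thread's own code). Enumerates the Run keys quoted
# above. Run 64-bit PowerShell elevated so both the native and Wow6432Node
# views are visible and HKLM policy keys are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Strip surrounding quotes and trailing arguments from a Run value so the
# executable path can be checked on disk.
function Get-ExePath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# One record per Run value: key, value name, raw command, file present?,
# Authenticode status (Valid / NotSigned / HashMismatch / ...).
function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $p.Value))
            $exists = Test-Path -LiteralPath $exe
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Command = $p.Value
                Exists = $exists; Signature = $sig
            }
        }
    }
}

Get-RunEntries | Select-Object Key, Name, Command, Exists, Signature | Format-Table -AutoSize

# Policy value quoted above; prints nothing if it was never set.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
(Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).EnableShellExecuteHooks
```

Entries whose file is missing, or whose signature status is anything other than Valid, are the ones to cross-check against what Procmon shows being written or loaded.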
18 Feb 2013   #8

Microsoft Community Contributor Award Recipient

Windows 7 64-bit
 
 

Jacee, thanks, I checked and came up clean on that. From looking at Procmon I can see WUDFHost.exe creating the 1.0 file and loading the image of it into memory then calling into the code on that file. I have not seen any file by the name of Random.exe showing up on Procmon, so I'm at least clean there.

Thanks for the tips, Cotton. I'll peruse further to see what I can do. I am also well aware of the need to have an isolated system in a non-production environment with a VM to look further into this without any repercussions. No need jeopardizing any of my work for a pursuit out of curiosity!

Thanks again fellas for at least kicking this off with me.
18 Feb 2013   #9

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by Vir Gnarus

....I am also well aware of the need to have an isolated system in a non-production environment with a VM to look further into this without any repercussions.....

From a 2009 blog post:
Virtual machines are widely used by malcode researchers to analyse new malware or to see what it does without risking a real machine. However, virtual-machine-aware malware now exists, which makes using them more problematic.

Virus Bulletin : VB2009 - Virtual machines for real malware capture and analysis

That is not the article that I went hunting for, but it will do.

A VM is still where I play with things like this - knowing that they might not give up all of their secrets until they think that they are on a real computer.
18 Feb 2013   #10

Microsoft Community Contributor Award Recipient

Windows 7 64-bit
 
 

Yeah, that's why I figured it best to actually create an isolated rig with a VM on it if necessary (at least to see if it is VM-aware). I wouldn't put it past them to be able to go beyond VMs, sandboxing and other relevant forms of software-based isolation measures. Best way is always through hardware.