Analysis on Unknown Malware - Assistance Requested


  1. Posts : 1,314
    Windows 7 64-bit
       #1

    Analysis on Unknown Malware - Assistance Requested


    Hi,

    Currently snagged a bit of malware trying to run its course on my workstation. However, instead of cleaning it, I have pacified it and am now attempting to gut and analyze it out of personal interest and to further my knowledge of security analysis. I've already done the initial data collection and a bit of sleuthing but ran into a couple of snags that I'd like assistance on if possible. If anyone here is capable and curious I'd like to proceed on this thread; otherwise, if they have any other forum or resource they'd like to recommend to direct my attention to that will better suit this kind of request, then I'd gladly accept that too.

    I'll post details I've garnered so far on condition that I receive notice that others are interested in it. I will say that Trend Micro detected only some of its activity (attempting to access certs on illegitimate sites) but not the actual offending items (I have, however). I have not run it through other AV software yet to determine virus definitions, so for now it is considered an unknown strain.

    Thank you for your consideration in the matter. I hope this ends up becoming a worthy adventure that people may profit from.


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    Upload the file to Jotti's malware scan and have it scanned and analyzed by several anti-virus companies.


  3. Posts : 1,314
    Windows 7 64-bit
    Thread Starter
       #3

    Trend Micro does not like the javascript on that website. I will have to find an alternative.


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    You can also upload the file to VirusTotal for a security check:
    http://www.virustotal.com/

    Select: Choose File, and a prompt opens for you to locate the file.

    Then, click the Scan it! button.

    If the file is listed as already analyzed, click on: Reanalyse file now.


    When done, you can post the http:// link to the scan results, if you wish.


    Additional resources:
    Online Scanners - Scan Suspicious Files on your PC


  5. Posts : 1,314
    Windows 7 64-bit
    Thread Starter
       #5

    https://www.virustotal.com/en/file/5...is/1360948659/

    Also for another item of it, a file named '1.0' with no extension:

    https://www.virustotal.com/en/file/2...is/1360948834/

    Looks like a pretty new strain. Timelines for various virus databases said it was added either late January or early Feb this year. I've discovered no detailed analysis on the item yet. Guess I'm working with something fresh!

    While it's unfortunate I have no further information on it to work with, I still wish to pick it apart and analyze it personally. Again, you all are welcome to assist in the endeavor, or perhaps direct me to a forum that has people doing this frequently?


  6. Posts : 2,470
    Windows 7 Home Premium
       #6

    Vir Gnarus,

    Malware Analysis needs a system of its own that you can infect without affecting your Operating System.

    The following article may give you some insight.
    5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser

    Also, there are many other websites offering tutorials on the subject.

    There may be some forums in the malware community that have a Malware Analysis subforum, but I cannot think of one with access for the general public. At a minimum, I believe you need to be a trained malware removal advisor who has worked at the malware removal forums, an expert in the field of Malware Analysis, or something in between.

    This forum does not have a Malware Analysis subforum (that I have seen). There may be someone in this forum that engages in malware analysis, but, that person will have to come forward.

    Some of the members here may analyze certain reports to determine if malware is present on a computer, but, like for myself, providing assistance on malware removal is as far as it goes.

    Analyzing the actual malware is a different ball game.

    Good luck in your endeavour.


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #7

    Vir Gnarus said:

        Also for another item of it, a file named '1.0' with no extension:

    You might look at these keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Random.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Random.exe
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer
    "EnableShellExecuteHooks" = 1 (0x1)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Random.exe
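A way to check the autostart locations Jacee lists above, added here as an example and not code from the thread or from any of its posters. It enumerates every value under the Run keys named in the post (plus the HKCU Policies\Explorer\Run key, which the post does not mention but which is the per-user counterpart of the HKLM one), reports whether the referenced image actually exists on disk, and reads the EnableShellExecuteHooks policy value, which, when set to 1, allows Explorer to load ShellExecuteHooks extensions. It assumes an elevated PowerShell prompt on the machine being examined; no file names or values are hard-coded, so a randomly named entry shows up as whatever it is called.

```powershell
# Added example (not from the thread): list autostart entries under the Run keys
# named in the post and check the EnableShellExecuteHooks policy value.
# Assumption: run from an elevated PowerShell prompt on the machine under investigation.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'   # per-user counterpart, not in the post
)

function Get-AutostartEntry {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; they are not registry values
            if ($p.Name -like 'PS*') { continue }
            $command = [string]$p.Value

            # Recover the image path: a quoted path, or else the first whitespace-delimited token
            if ($command -match '^"([^"]+)"') { $image = $Matches[1] }
            else { $image = ($command -split '\s+')[0] }

            # A bare name such as rundll32.exe reports $false here; that is a prompt to look closer,
            # not proof of anything by itself
            $onDisk = $false
            if (-not [string]::IsNullOrWhiteSpace($image)) {
                $onDisk = Test-Path -LiteralPath $image
            }

            [pscustomobject]@{
                Key         = $key
                Name        = $p.Name
                Command     = $command
                ImageOnDisk = $onDisk
            }
        }
    }
}

function Get-ShellExecuteHooksPolicy {
    # When this value is 1, Explorer loads ShellExecuteHooks COM extensions;
    # absent or 0 means they are not loaded
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $policyKey -Name 'EnableShellExecuteHooks' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'EnableShellExecuteHooks: not set' }
    return "EnableShellExecuteHooks: $($item.EnableShellExecuteHooks)"
}

Get-AutostartEntry | Format-Table -AutoSize
Get-ShellExecuteHooksPolicy
```

Entries whose image is missing from disk, or whose name and path look randomly generated, are the ones worth cross-referencing with the Procmon trace; Sysinternals Autoruns covers many more locations than these five keys, so this is a spot check of exactly what the post names, not a replacement for it.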


  8. Posts : 1,314
    Windows 7 64-bit
    Thread Starter
       #8

    Jacee, thanks, I checked and came up clean on that. From looking at Procmon I can see WUDFHost.exe creating the 1.0 file and loading the image of it into memory then calling into the code on that file. I have not seen any file by the name of Random.exe showing up on Procmon, so I'm at least clean there.

    Thanks for the tips, Cotton. I'll peruse further to see what I can do. I am also well aware of the need to have an isolated system in a non-production environment with a VM to look further into this without any repercussions. No need jeopardizing any of my work for a pursuit out of curiosity!

    Thanks again fellas for at least kicking this off with me.
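The Procmon observation above (one process creating the 1.0 file and then loading it as an image) is the kind of chain that is easier to pull out of a saved trace than to spot by scrolling. Below is an added example, not code from the thread or from Vir Gnarus, that reads a Process Monitor CSV export and reports which processes wrote a given path and which later mapped it with Load Image. The column names follow Procmon's default CSV export; the sample rows, the process IDs and the path C:\Users\Public\1.0 are constructed for illustration, and the Disposition values matched in the Detail column are assumed to be the ones Procmon prints for CreateFile.

```powershell
# Added example (not from the thread): triage a Procmon CSV export for a single file.
# The CSV text below is constructed; in practice use Import-Csv on the exported file.

$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1000000 PM","WUDFHost.exe","1234","CreateFile","C:\Users\Public\1.0","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"1:02:03.2000000 PM","WUDFHost.exe","1234","WriteFile","C:\Users\Public\1.0","SUCCESS","Offset: 0, Length: 40,960"
"1:02:03.5000000 PM","WUDFHost.exe","1234","Load Image","C:\Users\Public\1.0","SUCCESS","Image Base: 0x10000000, Image Size: 0xa000"
"1:02:04.0000000 PM","explorer.exe","2222","CreateFile","C:\Users\Public\1.0","SUCCESS","Desired Access: Generic Read, Disposition: Open"
'@

function Get-FileOrigin {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,   # header line plus event rows
        [Parameter(Mandatory)][string]$TargetPath    # the file you want the history of
    )
    $events   = $CsvLines | ConvertFrom-Csv
    $onTarget = $events | Where-Object { $_.Path -ieq $TargetPath }

    # Writers: a CreateFile that creates/overwrites the file, or any WriteFile to it.
    # A CreateFile with "Disposition: Open" is only a read and is deliberately excluded.
    $writers = $onTarget | Where-Object {
        ($_.Operation -eq 'CreateFile' -and
         $_.Detail -match 'Disposition:\s*(Create|OverwriteIf|Overwrite|Supersede)') -or
        $_.Operation -eq 'WriteFile'
    }

    # Loaders: the file mapped into a process as an executable image
    $loaders = $onTarget | Where-Object { $_.Operation -eq 'Load Image' }

    [pscustomobject]@{
        Path       = $TargetPath
        Writers    = @($writers | Select-Object -ExpandProperty 'Process Name' -Unique)
        Loaders    = @($loaders | Select-Object -ExpandProperty 'Process Name' -Unique)
        LoaderPids = @($loaders | Select-Object -ExpandProperty 'PID' -Unique)
        FirstWrite = ($writers | Select-Object -First 1).'Time of Day'
    }
}

Get-FileOrigin -CsvLines ($procmonCsv -split "`r?`n") -TargetPath 'C:\Users\Public\1.0' | Format-List
```

On the constructed rows this reports WUDFHost.exe as both writer and loader and explorer.exe as neither, which is the pattern described in the post. For a real trace, replace the here-string with `Get-Content .\Logfile.CSV` and, if the writer turns out to be a legitimate host process such as WUDFHost.exe, widen the filter to that PID's other events to see what drove it to write the file.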


  9. Posts : 10,485
    W7 Pro SP1 64bit
       #9

    Vir Gnarus said:

        ....I am also well aware of the need to have an isolated system in a non-production environment with a VM to look further into this without any repercussions.....

    From a 2009 blog post:

        Virtual machines are widely used by malcode researchers to analyse new malware or to see what it does without risking a real machine. However, virtual-machine-aware malware now exists, which makes using them more problematic.

    Virus Bulletin : VB2009 - Virtual machines for real malware capture and analysis

    That is not the article that I went hunting for, but it will do.

    A VM is still where I play with things like this - knowing that they might not give up all of their secrets until they think that they are on a real computer.


  10. Posts : 1,314
    Windows 7 64-bit
    Thread Starter
       #10

    Yeah, that's why I figured it best to actually create an isolated rig with a VM on it if necessary (at least to see if it is VM-aware). I wouldn't put it past them to be able to go beyond VMs, sandboxing and other relevant forms of software-based isolation measures. Best way is always through hardware.

