Malware Analysis - Part III(A) - Basic Static Analysis

Malware Analysis

• Malware Analysis - Part I - Basics
• Malware Analysis - Part II - Setting up Lab
• Malware Analysis - Part III(A) - Basic Static Analysis

Hi guys!! In the last part we had setup the lab for malware analysis. Before analysing the malware we must know the basic theory of Static Malware Analysis. In this blog, we will go through the Static Malware Analysis and the techniques to perform the same.

Static Analysis

Static Analysis is the first step in studying malware. To perform Analysis, you must have a malware file on which you can perform the Analysis. Moving forward, you will hear two terms the most, i.e., Malware Analyst and Malware Writers/Authors. Malware Writers/Authors are the ones who write or codes the malware, and Malware Analyst are the ones who analyze the malware and its functionality. Malware Analysts are mostly given executable files to perform Analysis. In this blog, we will understand multiple ways to extract useful information from these executables. For Basic Static Analysis, the following techniques will be discussed:

1. Antivirus Scanning
2. Hashing
3. Extracting Strings
4. Packed and Obfuscated Malware
5. Portable Executable File Format

Each of the above techniques will provide different information, and the ones you will use will depend on your goals. Typically, you'll be using several methods to gather as much information as possible.

Techniques

1. Antivirus Scanning

The first step to analyzing malware is to see if the malware is already identified and publicly known. A good step to do this would be to run it against multiple antivirus programs. Antivirus programs mainly rely on the database, which contains the file signatures of known malwares, as well as behavioral and pattern-matching Analysis to identify suspicious files. Thus running the malware against antivirus tools would allow us to see if they have identified this malware. But antivirus tools are certainly not perfect. One of the main problem is that malware writers can easily modify their code, thereby changing their program's signature and bypassing virus scanners. Also, malwares that are not seen more often goes undetected by antivirus software because it's simply not in the database.

• VirusTotal - VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services. It allows you to upload a file for scanning by multiple antivirus engines and generates a report which includes the total number of engines that marked the file as malicious, the malware name, and additional information about the malware if available. 
• https://www.virustotal.com/

2. Hashing

Hashing is a common method used to identify malware uniquely. The Hashing program generates a unique hash that identifies the application/malware. The Message-Digest Algorithm 5 (MD5) hash function and Secure Hash Algorithm 1 (SHA-1) is the one most commonly used for malware analysis.  

• Md5deep - Available for Linux and Windows. 
• Md5sum - Available for Linux.
• Winmd5Free - WinMD5Free is a utility to compute MD5 hash value for files which work with Microsoft Windows 2000, XP, 2003, Vista and Windows 7/8/10.

After you have the unique hash for the malware, it can be used as follows:

• The hash can be used as a label.
• Hash can be shared with other analysts to identify malware.
• Hash can be searched online to see if the file has already been identified.

3. Extracting Strings

A program can contain strings if it prints a message, connects to a URL or copies file to a specific location. A string in a program is a sequence of characters such as "the." Take a look at the strings to get hints about the functionality of a program. 

• String - String is a tool that is available for Linux and Windows. Strings search for a three-letter or greater sequence of ASCII and Unicode strings in an executable. Strings may generate a lot of false-positive and leaves it up to the user to filter it out.

4. Packed and Obfuscated Malware

Packing and Obfuscation are used by Malware writers to make their files more difficult to detect or analyze. 

• Obfuscated programs are those whose execution the malware author has attempted to hide. 
• Packed programs are the subset of the Obfuscated program in which malicious code is compressed and cannot be analyzed. 

Note: The below diagram shows the Life Cycle of Packed program.

Diagram 1

Legitimate programs will almost always include many strings. If the malware contains very few strings, it is probably packed or obfuscated. Both techniques will limit your attempts to analyze the malware statically. To investigate these kinds of files, you'll likely need more than Static Analysis. The most common function found in the malicious packed program is LoadLibrary and GetProcAddress used to load and gain access to additional functions. 

• PEiD Program - PEID is a tool used to Detect Packed Files. 
• UPX - UPX can be used to Unpack malware.

5. Portable Executable File Format

For a malware analyst, the format of a file can reveal a lot about the program's functionality. Portable Executable File Format is a file format used by Windows 32-bit and 64-bit Operating System for executables, DLLs, COM files, .NET executables, Object code, .FON Font files, NT's Kernel-mode drivers, etc. The PE file format contains the information that is important for the Windows OS loader to manage the wrapped executable code. Mostly every file with executable code loaded by Windows is in the PE file format, though there may be some exceptions.

Note: For a malware analyst, it's just not important to understand the tools, and it's working but in-depth detail. Read about PE File Format and understand the basic structure of it. 

5.1 Linked Libraries and Functions

The most useful information that can be gathered about an executable during Static Analysis is the list of functions that it imports. Imports are functions used by a program that are actually stored in a different program, such as code libraries that are linked to the main executable. Imports are linked to the programs so that there is no need to re-implement certain functionality in multiple programs. Linking libraries can be done statically, at runtime, or dynamically. 

• Static Linking - It is the least commonly used method for linking libraries, mostly used in UNIX and Linux programs. When all the code from the library is copied into the executable, it can be referred to as Static Linking. Static Linking increases the size of an executable. It can be difficult to differentiate between the Static linked code and the executable's own code since nothing in the PE file header indicates that the file contains linked code.
• Dynamic Linking / Runtime Linking - Malwares that are packed and obfuscated mostly use Runtime Linking. In Runtime Linking, executables use libraries only when that function is needed, not at program start, as with dynamically linked programs.

Common DLLs

• Kernel32.dll - core functionality-access and manipulation of memory, files, hardware.
• Advapi32.dll - Provides access to Service Manager and Registry.
• User32.dll - Contains user-interface for displaying & manipulating graphics.
• Ntdll.dll - Interface to Windows Kernel, Imported by Kernel32.dll
• WSock32.dll & Ws2-32.dll - Networking Dlls.
• Wininet.dll - Higher Level networking functions that implement protocols like FTP, HTTP, NTP.

Functions

• Imports - An executable may use different functions. Viewing the PE file header we can gain information about specific functions used by an executable. This function can be very useful to the Malware Analyst to identify the functionality of the executable. Microsoft Developer Network (MSDN) library documents the Windows API that ships with Microsoft products.
• Exports - DLLs and EXEs export functions to interact with other programs and code. A DLL may implement multiple functions and export them for use by an executable that can then import and use them. Exported functions are most common in DLLs. Exports in an executable can often provide useful information. Exports can be viewed using different tools like Dependency Walker.

Information Revealed in the PE Header -

• Imports Functions - from other libraries that are used by the malware 
• Exports Functions - in the malware that are meant to be called by other programs or libraries 
• Time Date Stamp Time - when the program was compiled 
• Sections Names - of sections in the file and their sizes on disk and in memory 
• Subsystem - Indicates whether the program is a command-line or GUI application 
• Resources - Strings, icons, menus, and other information included in the file.

5.2 Tools

Below are some of the tools to gather information about the PE File -

• PE View
• Dependency Walker

Conclusion

Static Analysis is a very useful step, to begin with, but further analysis is also necessary. Using relatively simple tools, Static Analysis can be performed on malware to gain a certain amount of insight into its function. In the next part, some live examples of static analysis will be shown.