Glimpse of Static Malware Analysis
The internet has become an essential part of our day-to-day life. We use it to communicate, exchange information, perform bank transactions, etc. Researchers are working around the clock to expand and optimize this service. Hackers, on the other hand, are leveraging this crucial service to perform cybercrime activities, such as stealing credit card data.
Over the past few years, talented and geeky computer users were finding and exploiting vulnerabilities in applications and operating systems for fun. However, the game has changed and shifted from a fun activity towards a profit-oriented business. Some research [3] indicates that the average annual loss to the global economy due to cybercrime and espionage is $500 billion.
Hackers use malicious software (malware), e.g., a virus, worm, or rootkit, to perform their activities. Therefore, understanding and analyzing malware is very important to protect end users. Moreover, it helps to detect similar types of malware and to clean up infected machines and networks.
Malware can be classified into different types, such as virus, worm or rootkit, based on how it spreads, its functionality and its dependency on a host, i.e., whether it requires a host program to run or can run independently. Nowadays, a piece of malware can fit under more than one category.
Malware can also be classified based on the victim: targeted or mass malware. The former is very difficult to detect since it is developed to hit a specific organization. For this type of attack, security controls will not be able to detect or prevent the malware. The latter type is crafted to hit any machine with a specific vulnerability, without taking the organization or country into consideration. This type of malware is usually easy to detect and prevent if you keep your security controls and systems up to date.
Before spending too much time analyzing a sample that might already have been analyzed by antivirus vendors, it is highly recommended to scan it using several antivirus solutions. To do that, you could, for example, use the VirusTotal website (http://www.virustotal.com/) to scan the file. Figure 1 shows the result of scanning a virus using the VirusTotal service. The result shows that the detection ratio is 42/47. This means that not every antivirus engine recognized and detected the virus, because antivirus solutions use different signatures to detect malware. This example illustrates how important it is to use more than one antivirus solution to check a suspected file (Figure 1).
If the antivirus solutions did not detect the malware, then you should start analyzing it yourself. There are two major approaches to analyzing malware: dynamic and static analysis. To perform dynamic analysis, malware analysts need to run the malware, so this type of analysis should be performed in an isolated lab environment. Static analysis, on the other hand, does not require running the malicious code or file.
This article focuses on statically analyzing Windows executable files, since they are widely used by hackers to perform cybercrimes.
Static Analysis
There are several tools and techniques that can be used to analyze malware statically. First, we will identify the file type. Then, we will extract the strings in the file. After that, I will give a glimpse of using more advanced tools to fully understand how a piece of malware works.
File Type
First, identify what type of file this is. Do not depend on the file extension in Windows to identify the file type; the file command in *NIX can help you identify it.
File
The file command is a standard *NIX utility. It examines specific fields in the file (its signature) rather than its extension to identify the file type. I used the file command in Cygwin to examine the malware.ex_ file, and the result shows that it is a 32-bit Portable Executable (PE) file for MS Windows, as shown in Figure 2.
Extract Strings
Next, extract and read the meaningful information in the malware. This can be done by extracting the strings inside the malware using tools such as Strings [4] and IDA [5].
Strings
Strings is a Microsoft Windows tool that scans a file for Unicode (or ASCII) strings. Figure 3 shows part of the result of processing the malware1.exe file, looking for strings with a length greater than 10. Very useful information can be discovered with such a simple tool, for example the URL that the malware communicates with.
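The same kind of extraction can be done without the Strings tool. The Python below is an added example, not code from the article: it pulls printable ASCII and UTF-16LE runs of at least ten characters out of a byte buffer and tags the ones that look like URLs, file paths or registry keys. The SAMPLE bytes, the URL and the path inside them are constructed for the demonstration, not taken from a real sample.

```python
import re

# Tag patterns for the indicator types an analyst looks for first (URL, file path, registry key)
TAGS = [("url", re.compile(r"^(https?|ftp)://", re.I)),
        ("path", re.compile(r"^([A-Za-z]:\\|\\\\)")),
        ("registry", re.compile(r"^(HKEY_|HKLM\\|HKCU\\|SOFTWARE\\)", re.I))]

def extract_strings(data, min_len=10):
    """Return sorted (offset, encoding, text) for printable runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # UTF-16LE: char, NUL, char, NUL ...
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)

def tag_string(text):
    """Classify a string as url/path/registry, or None when it is not an obvious indicator."""
    for tag, pattern in TAGS:
        if pattern.search(text):
            return tag
    return None

def triage(data, min_len=10):
    """Extract strings and keep only the tagged indicators, e.g. the URL a sample communicates with."""
    return [(off, enc, tag_string(s), s) for off, enc, s in extract_strings(data, min_len) if tag_string(s)]

# Constructed stand-in for a binary (not a real sample): DOS stub text, an import name,
# a too-short string, a UTF-16LE URL and path, and non-printable noise in between
SAMPLE = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(range(0x80, 0xA0))
          + b"KERNEL32.dll\x00short\x00\x00" + "http://update.example.invalid/check".encode("utf-16le")
          + b"\x00\x00" + "C:\\Users\\Public\\svc.tmp".encode("utf-16le") + bytes(range(0xC8, 0x100)))
```

Running `triage(SAMPLE)` returns only the wide-string URL and path, which a plain ASCII-only scan would miss entirely.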
IDA
IDA is available on several platforms, including Linux, Windows, and Mac OS X. IDA is a very powerful disassembler and debugger with many more features. To use IDA to extract the strings in a file, you first need to ensure that the Strings sub-view is open. To do so, go to View -> Open subviews -> Strings, as shown in Figure 4. By selecting the Strings view, as depicted in Figure 5, you will see the strings extracted from the file passed to IDA.
Linked libraries
The next step is identifying the functions and libraries that the malware imports, along with the file header information. This helps us identify what libraries the malware uses and what it does. Programmers import libraries and link them to their code either statically or dynamically. Static linking is widely used in *NIX programs. Linking libraries this way produces a large file because the imported libraries are copied into the executable. In the dynamic linking approach, the operating system searches for the imported libraries when the program is loaded. A couple of tools are available to identify the imported libraries: Dependency Walker [7] and PE Explorer [8] are used to identify the dynamically linked functions and the PE header information.
Note: Malware developers have started using packing and obfuscation to complicate malware analysis. The original malware code is hidden or encrypted inside the file and is decrypted or unpacked at run time by a routine in the malware. Several tools unpack malware code using different techniques; PE Explorer will do it automatically for you.
PE Explorer
PE Explorer is a commercially available tool used to open and edit 32-bit PE files for static analysis. It provides several features, such as automatically unpacking a file. Figure 6 shows the header information for malware.exe. It shows a lot of information, such as the machine type the file can run on, its time stamp and more. To see the libraries and functions imported by this file, select View -> Import, as shown in Figure 7. To understand what this malware will do, you have to understand what libraries and functions it imports and uses.
File section header (file format)
This part of the file contains metadata about the file. A PE file has several sections. The most important sections are:
To inspect the file sections you can use PE Explorer, which lets you view and even delete them. Figure 8 shows the file sections using PE Explorer. You can use the resource viewer to see the icons and images included in the .rsrc section, as shown in Figure 9 for the Notepad application.
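As an added example (not from the article or the PE Explorer product), the Python below reads the same facts by hand: the MZ and PE signatures used to identify the file type, the machine type and time stamp from the header, and the section table, flagging sections that are writable and executable or whose contents are near-random, two common hints that a file is packed. The image it parses is a minimal PE32 assembled by build_sample_pe, not a real sample, and the entropy threshold of 7.0 is my heuristic assumption.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}

def entropy(buf):
    """Shannon entropy in bits per byte; values near 8.0 mean compressed or encrypted data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_pe(data):
    """Return machine, time stamp, PE32/PE32+ format and the section table, or None if not a PE file."""
    if data[:2] != b"MZ":                                    # DOS header signature
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)   # COFF header fields
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # 0x10B = PE32, 0x20B = PE32+
    info = {"machine": MACHINES.get(machine, hex(machine)), "timestamp": stamp,
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"), "sections": []}
    for i in range(nsec):                                    # 40-byte section headers follow the optional header
        off = e_lfanew + 24 + opt_size + 40 * i
        name, vsize, _, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        ent = entropy(data[rptr:rptr + rsize])
        info["sections"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
            "raw_size": rsize, "entropy": round(ent, 2),
            # packing hints (heuristic assumption): writable+executable section, or near-random bytes
            "suspicious": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE) or ent > 7.0})
    return info

def build_sample_pe(sections):
    """Assemble a constructed, minimal PE32 image (not a real sample) from (name, characteristics, body) tuples."""
    e_lfanew, opt = 0x80, struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 magic, rest zeroed
    raw_ptr = (e_lfanew + 24 + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    table, bodies = b"", b""
    for i, (name, chars, body) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), 0x1000 * (i + 1),
                             len(body), raw_ptr + len(bodies), 0, 0, 0, 0, chars)
        bodies += body
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 1400000000, 0, 0, len(opt), 0x102)
    return (dos + coff + opt + table).ljust(raw_ptr, b"\0") + bodies
```

A code section built from repeating instruction bytes comes out with low entropy and is not flagged, while a section filled with every byte value equally scores 8.0 and is, which is the pattern a packed or encrypted payload leaves in the section table.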