Notes on Malware

Windows Executables

Windows executables are called PE files and their format conforms to PE/COFF (Portable Executables / Common Object File Format).

They start with the bytes 4D 5A and consist of a series of structures containing the information required by the O.S. for loading the executable data into memory, including:

  • Contents of the code and data sections;
  • Position in virtual memory where each section should be placed;
  • List of required libraries (Import table);
  • List of exported functions (Export table);
  • Address of the entry point.

Several tools exist for analyzing an executable, i.e., for presenting the PE information in a human-readable way:

  • CFFExplorer, pestudio, PPEE, PE Internals, PEBrowse.

Static Analysis

File hashing

Computing hash values of files:

  • Linux: md5sum, sha256sum, sha1sum
  • Windows: HashMyFiles
  • Windows: pestudio, PPEE (both can also query VirusTotal by submitting only the hash)

File similarity

Methods for detecting files that are a "small variation" of each other (their cryptographic hashes will be entirely different):

  • Fuzzy hashing is an efficient method for similarity comparison (files that differ only in a few bytes will be detected as highly similar). Tool: ssdeep.
  • Import hashing computes a hash of the import table. Malware samples developed by the same actor and compiled in the same way tend to have similar import tables. Tool: Python pefile.
  • Section hashing computes a hash of each section separately. Tool: pestudio.
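The import-hashing idea above, as an added example (not code from the notes or from the pefile project): it reimplements the imphash normalization that pefile applies (lower-case everything, drop the .dll/.ocx/.sys suffix of the library name, write name-less imports as "ordN", join in import-table order, MD5). The import tables below are constructed for the example; pefile additionally resolves well-known ordinals of ws2_32.dll and oleaut32.dll to names, which this simplified version does not do, so its hash for such samples differs from pefile's.

```python
import hashlib

def _normalize_library(dll: str) -> str:
    """Lower-case the library name and strip a .dll/.ocx/.sys suffix (pefile's rule)."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else name

def _function_name(func, ordinal) -> str:
    """Imports by name keep the name; imports by ordinal become 'ordN'."""
    return (func if func else f"ord{ordinal}").lower()

def import_string(imports) -> str:
    """The comma-joined 'library.function' list that imphash actually hashes.
    imports: iterable of (dll, function_name or None, ordinal or None) in
    import-table order; order matters, which is why the hash reflects the
    toolchain and not just the set of APIs used."""
    return ",".join(f"{_normalize_library(d)}.{_function_name(f, o)}" for d, f, o in imports)

def imphash(imports) -> str:
    return hashlib.md5(import_string(imports).encode()).hexdigest()

def import_diff(a, b):
    """Entries present in only one of two import tables; handy when two samples
    have different imphashes and you want to see why."""
    sa, sb = set(import_string(a).split(",")), set(import_string(b).split(","))
    return sorted(sa - sb), sorted(sb - sa)

# Constructed import tables (not taken from real samples):
#   SAMPLE_A and SAMPLE_B differ only in casing and in the ".dll" suffix,
#   SAMPLE_C adds one API, SAMPLE_D is the kind of tiny table a packer stub leaves.
SAMPLE_A = [("KERNEL32.dll", "CreateFileW", None), ("KERNEL32.dll", "WriteFile", None),
            ("WS2_32.dll", None, 23), ("ADVAPI32.dll", "RegSetValueExW", None)]
SAMPLE_B = [("kernel32.DLL", "createfilew", None), ("Kernel32", "WRITEFILE", None),
            ("ws2_32.dll", None, 23), ("advapi32.dll", "RegSetValueExW", None)]
SAMPLE_C = SAMPLE_A + [("USER32.dll", "MessageBoxW", None)]
SAMPLE_D = [("KERNEL32.dll", "LoadLibraryA", None), ("KERNEL32.dll", "GetProcAddress", None),
            ("KERNEL32.dll", "VirtualProtect", None), ("KERNEL32.dll", "ExitProcess", None)]

if __name__ == "__main__":
    for label, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C), ("D", SAMPLE_D)):
        print(label, imphash(table), import_string(table))
    print("A vs C:", import_diff(SAMPLE_A, SAMPLE_C))
```

Samples A and B get the same hash because the normalization removes the cosmetic differences; C differs by a single extra import, and reversing the order of A also changes the hash, so imphash is a fingerprint of the import table as laid out by the linker, not of the API set.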

YARA

A YARA rule combines strings with boolean operators in a condition; as with any signature, there is the usual precision/recall tradeoff.

It can be applied to a file, whose content may or may not fire the rule.

The file may be an executable, a DLL, a network capture, or anything else.

Extracting strings from executables

Strings stored in an executable can give clues about its functionality. If a malware sample creates a file (or contacts a domain), then the filename (or domain name) is likely stored in the executable.

It is useful to extract both ASCII strings and UNICODE strings.

  • Linux: strings
  • Windows: pestudio

Obfuscated strings can be extracted with FLOSS (FireEye Labs Obfuscated String Solver).
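The string extraction described above, as an added example (not code from the notes or from any of the tools they list): it pulls printable-ASCII runs and UTF-16LE runs out of a byte blob, the two forms that matter on Windows, and then does a rough triage of each string into the kinds of clue the notes mention (file path, URL, domain, registry key, module name). The input blob and the names in it are constructed for the example; the triage regexes are deliberately simple and will misclassify some strings.

```python
import re

def extract_strings(data: bytes, min_len: int = 4):
    """Return (kind, offset, text) for every run of at least min_len printable
    ASCII characters and every UTF-16LE run of the same length, sorted by offset."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found, key=lambda r: r[1])

URL_RE = re.compile(r"^[a-z]+://", re.I)
PATH_RE = re.compile(r"^[a-z]:\\", re.I)
REG_RE = re.compile(r"^(HKEY_[A-Z_]+\\|SOFTWARE\\|SYSTEM\\)", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def classify(text: str):
    """Rough triage of a string; the order matters (a module name also looks like a domain)."""
    if URL_RE.match(text):
        return "url"
    if PATH_RE.match(text):
        return "path"
    if REG_RE.match(text):
        return "registry"
    if text.lower().endswith((".dll", ".exe", ".sys")):
        return "module"
    if DOMAIN_RE.match(text):
        return "domain"
    return None

def interesting_strings(data: bytes, min_len: int = 4):
    """Only the strings that classify as a clue, with their class appended."""
    out = []
    for kind, off, text in extract_strings(data, min_len):
        cls = classify(text)
        if cls:
            out.append((kind, off, text, cls))
    return out

# Constructed blob standing in for a slice of an executable: a DOS-stub message,
# an ASCII path and domain, and a UTF-16LE URL and registry key. Double NULs
# separate the UTF-16 runs so the last ASCII byte before them is not absorbed.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\x00\x00"
    + b"C:\\Users\\Public\\svc_update.exe\x00\x00"
    + "http://update.example.invalid/p".encode("utf-16le") + b"\x00\x00"
    + b"\x17\x9a\x01ab\x00cdn.example.invalid\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"kernel32.dll\x00CreateFileW\x00"
)

if __name__ == "__main__":
    for kind, off, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {kind:8} {classify(text) or '-':8} {text}")
```

The UTF-16LE pass is what the Linux strings tool does with -e l; without it the URL and the registry key in the sample are invisible, which is exactly the case the notes warn about when they say to extract both ASCII and UNICODE strings.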

Malware Obfuscation

Obfuscation of an executable is not necessarily an indicator of malicious activity. In practice it is a very useful indicator, though.

Hints of obfuscation:

  • Executable with very few imports.
  • Uncommon section names.
  • Sections with virtual-size much greater than raw-size.
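The PE layout from the Windows Executables section and the section-level obfuscation hints just listed, as one added example (not code from the notes or from any PE tool): a minimal header parser built on struct that checks the 4D 5A and PE signatures, reads the COFF and optional headers for the entry point, walks the section table, and then flags uncommon section names, sections whose virtual size is far larger than their raw size, and an entry point that lies in no section. The images it runs on are constructed in build_sample_pe (headers only, no real code) so the example runs offline; the list of "common" section names and the 4x ratio threshold are assumptions for the example, and the "few imports" hint is left out because it needs the import directory, which this parser does not read.

```python
import struct

# Section names that mainstream compilers and linkers emit; anything else is
# worth a second look (list assumed for this example, not exhaustive).
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".pdata", ".tls", ".CRT"}

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":                                   # bytes 4D 5A
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                         # COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)          # 0x10B = PE32, 0x20B = PE32+
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint (RVA)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": flags})
    return {"machine": machine, "pe32plus": magic == 0x20B, "characteristics": characteristics,
            "entry_point": entry_point, "sections": sections}

def section_of(pe: dict, rva: int):
    """Name of the section whose virtual range contains the RVA, or None."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None

def obfuscation_hints(pe: dict, ratio: float = 4.0) -> list:
    """Hints from the notes: uncommon section names and virtual size much larger
    than raw size (the space an unpacking routine fills at runtime)."""
    hints = []
    for s in pe["sections"]:
        if s["name"] not in COMMON_SECTION_NAMES:
            hints.append(f"uncommon section name {s['name']!r}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and s["name"] != ".bss":
            hints.append(f"section {s['name']!r} has no raw data but {s['virtual_size']:#x} bytes virtual")
        elif s["raw_size"] and s["virtual_size"] / s["raw_size"] >= ratio:
            hints.append(f"section {s['name']!r} virtual size is "
                         f"{s['virtual_size'] / s['raw_size']:.1f}x its raw size")
    if section_of(pe, pe["entry_point"]) is None:
        hints.append("entry point lies outside every section")
    return hints

def build_sample_pe(entry_point: int, sections) -> bytes:
    """Constructed minimal PE32 image (headers only) for the example.
    sections: iterable of (name, virtual_size, virtual_address, raw_size, raw_pointer)."""
    sections = list(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 224                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)                # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Constructed layouts: a UPX-style packed image (UPX0 is empty on disk and gets
# filled at runtime) and an ordinary compiler output.
PACKED = build_sample_pe(0x12000, [("UPX0", 0x10000, 0x1000, 0, 0x400),
                                   ("UPX1", 0x8000, 0x11000, 0x7E00, 0x400),
                                   (".rsrc", 0x1000, 0x19000, 0x1000, 0x8200)])
PLAIN = build_sample_pe(0x1000, [(".text", 0x3000, 0x1000, 0x3000, 0x400),
                                 (".rdata", 0x800, 0x4000, 0x800, 0x3400),
                                 (".data", 0x400, 0x5000, 0x400, 0x3C00)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        pe = parse_pe(image)
        print(label, f"entry point {pe['entry_point']:#x} in {section_of(pe, pe['entry_point'])}")
        for h in obfuscation_hints(pe):
            print("  hint:", h)
```

On the packed layout the parser reports the entry point inside UPX1 (the decompression stub) and flags UPX0 for having no raw data, which is the virtual-size/raw-size hint from the list; the plain layout produces no hints. Tools such as CFFExplorer or pestudio show the same fields, this just makes explicit where in the file they come from.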

Main techniques:

  • Packer. The executable consists of a decompression routine (at the entry point) and of the compressed malware, which is reconstructed in memory at runtime.
    • UPX is a popular packer for Windows/Linux/MacOS.
    • ExeinfoPE is a packer detector for Windows, often able to unpack automatically. It uses thousands of signatures.
  • Cryptor. Like packing, except that the malware is encrypted rather than compressed.

Dynamic analysis

Monitoring of:

  • Process activity
  • File system
  • Registry
  • Network

Tools: Process Hacker, Process Monitor, Noriben (a Python script that filters the output of Process Monitor), Wireshark.

INetSim and FakeNet-NG emulate network services in order to impersonate C&C servers.

  • Process Hacker: examine what is going on (processes and other O.S. activity).