Malware Analysis

Since the “virus” caused a Blue Screen of Death, this implies it messed up somewhere. Malware aims to cause as little disruption as possible, since events like a blue screen alert the user to the fact that something is wrong.

The malware author isn't advanced. A seasoned malware author wouldn't be careless enough to cause a BSOD. BSODs are usually caused by mistakes like null pointer dereferences and other memory reference problems. By understanding the author, you can better understand his work.

Just from the fact that the virus caused a Blue Screen of Death, I learned a lot about the program and its author. By better understanding the malware and its author, I can make educated guesses regarding its level of complexity, as well as its motivation and goals.

1. Malware Analysis: File Operations

After looking at the symptoms, I next took a very brief look at parts of the program itself. I ran all of this on a Linux system in order to prevent accidental infection. Even then, I ran the tests on a non-work computer, one that was isolated from all networks. Like all other cases involving malware analysis, it pays to be careful. The last thing you want is to accidentally infect yourself, only to spread it to your other, more important computers. Later, I ended up using VMware for this very reason.

File: I first ran the “file” utility to figure out exactly what I was dealing with. The results showed this:

w89e85t5.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit Mono/.Net assembly

The output tells me a few things. First, it's a Portable Executable, meaning it's made for maximum portability. In the context of this malware analysis, this makes sense, because the malware author is going to want this to run on as many computer types as possible. The second half of the output shows us that it's made to run on 32-bit computers, and was created using Mono with the .NET Framework.

Another useful tool in malware analysis is a program called PEiD, which scans an executable for signs of being packed. Packers are utilities used to modify the executable, making it harder for reverse engineers to disassemble the malware using programs like IDA Pro. PEiD came back with a result of “Microsoft Visual C# / Basic .NET”, confirming that .NET was used in creating the malware. The Visual C# portion also gave me some more information regarding the language used to create the virus.
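The verdict `file` printed above (PE32, Intel 80386, console, .Net assembly) comes from a handful of header fields. The following is an added example, not code from the article, that reads those same fields directly: the COFF machine type, the optional-header magic and subsystem, and the CLR runtime header data directory whose presence marks a .NET assembly. The sample bytes it builds are a constructed, headers-only PE image, not the original w89e85t5.exe.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C      # what `file` reports as "Intel 80386"
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3       # "(console)"
PE32_MAGIC = 0x10B                    # "PE32" (0x20B would be PE32+)
CLR_DIR_INDEX = 14                    # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def triage_pe(data: bytes) -> dict:
    """Read the headers behind `file`'s verdict: PE32, machine, subsystem, .NET."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<HHIIIHH", data, pe_off + 4)[0]  # COFF header
    opt = pe_off + 24                                              # optional header
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == PE32_MAGIC
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]        # same offset in PE32/PE32+
    dd_base = opt + (96 if is_pe32 else 112)                       # data directory table
    ndirs = struct.unpack_from("<I", data, dd_base - 4)[0]         # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if ndirs > CLR_DIR_INDEX:  # a non-empty CLR header is what marks a .NET assembly
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_base + 8 * CLR_DIR_INDEX)
    return {
        "pe32": is_pe32,
        "machine": "Intel 80386" if machine == IMAGE_FILE_MACHINE_I386 else hex(machine),
        "subsystem": "console" if subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI else str(subsystem),
        "dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_sample_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (headers only, not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header follows DOS header
    opt = bytearray(96 + 16 * 8)                       # PE32 fixed part + 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIR_INDEX, 0x2008, 0x48)  # CLR RVA, size
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(triage_pe(build_sample_pe(dotnet=True)))
```

PEiD goes further than this by matching packer and compiler signatures against the entry point, which header fields alone cannot tell you.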

2. Malware Analysis: Virtual Computer Systems

After finding some preliminary information about the malware, I next wanted to move on to something a bit more risky, namely running the malware under a virtual computer. Reversing malware under virtual systems has many benefits:

No worry of affecting production computers
No risk of infecting other computers on the network
“Sandbox” environment
View the malware in its native environment
However, there are also a few negative points associated with running malware in virtual computers:

Some malware is aware that it's running under a virtual machine
Malware can attempt to exploit and escape the virtual machine
If network access is not cut, worms can attempt to compromise other systems on the network
That being said, I felt confident that the benefits outweighed the risks. From before, I had a feeling that this particular piece of malware wasn't advanced, so the risk of it detecting that it was in a virtual machine and actually exploiting it seemed slim. However, I was running the VM on top of Linux, so even if it did escape, it wouldn't be on the system it was designed for (Windows).

I started up VMware on Ubuntu and loaded a Windows XP disk image. The most important step is setting up the network properly. I set it up with a NAT connection, so that VMware would send requests through the host machine to the actual hardware. However, I made sure to stay disconnected from the network at all times. This is critical! The last thing you want to do when analyzing a worm is to unleash it on your own systems.

With the virtual machine established, I moved everything into position, including using Wireshark to sniff traffic from VMware, which passes traffic over the vmnet8 interface.

3. Malware Analysis: Network Traffic Analysis

The initial run didn't show a whole lot of anything. No Blue Screen of Death was encountered, and very little network data was sent. Here's what Wireshark showed:

The packets clearly show the malware attempting to get a connection to 23U.NO-IP.INFO from the DNS requests it's making. Since it isn't receiving a reply, we don't get anything more than that for now. A WHOIS search ended up showing no results for this domain. My instincts were telling me that this was most likely some sort of script kiddie attempt at a botnet. So, I tried looking a bit more into the network traffic. Since I wasn't going to get anywhere without contacting the server itself, I tried connecting the virtual machine to the network. Under the careful eye provided by Wireshark, I watched exactly what this malware was doing. Note that this is not the preferred method, but I had taken all other computers on my network down for the duration of this little experiment. Here's what Wireshark shows now:

Now that the malware could send packets to and receive packets from the server it was trying to connect to, I was able to see exactly what this particular program was trying to do. I uploaded the packet capture file above. Packets 1-8 show some sort of connection being established between the remote server and our victim computer. Packet 9 appears to show a password being sent to the remote server, with the password being “\google_cache2.tmp”. Then, packet 17 shows a goldmine of information: it appears to be the welcome message of an IRC channel. Bingo! The malware is an IRC botnet recruiter. To get more information, I looked at the TCP stream:

:FBI.GoV NOTICE AUTH :*** Looking up your hostname...
:FBI.GoV NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
PASS \google_cache2.tmp
USER 1854 "" "TsGh" :1854
:FBI.GoV 001 NEWXP085587
:FBI.GoV 002 NEWXP085587 :M0dded by uNkn0wn Crew
:FBI.GoV 003 NEWXP085587
:FBI.GoV 004 NEWXP085587 :uNkn0wn – iD@ uNkn0wn
:FBI.GoV 005 NEWXP085587
:FBI.GoV 005 NEWXP085587
:FBI.GoV 005 NEWXP085587
:FBI.GoV 422 NEWXP085587 :MOTD File is missing
JOIN #Cheese#
:NEWXP085587!1854@ JOIN :#Cheese#

So, from this we can see that the IRC channel password is “\google_cache2.tmp”, our victim's nickname is NEWXP085587, and the channel we join is #Cheese#. All this from the Wireshark traffic analysis!
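Pulling those three facts out of the stream by hand works for one sample; for a pile of captures it is worth scripting. The following is an added example, not code from the article, that parses the IRC handshake the way an analyst would after "Follow TCP Stream": it splits each line into prefix, command and parameters, takes the password from PASS, the bot's nickname from the target of the server's 001 reply, and the channel from the client's own JOIN. The embedded capture is a constructed copy of the stream above, trimmed to the lines that matter.

```python
import re

# Constructed copy of the captured stream (trimmed); the 001 numeric names the
# nick the server accepted, which is why no NICK line is needed to recover it.
CAPTURE = """\
:FBI.GoV NOTICE AUTH :*** Looking up your hostname...
:FBI.GoV NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
PASS \\google_cache2.tmp
USER 1854 "" "TsGh" :1854
:FBI.GoV 001 NEWXP085587
:FBI.GoV 002 NEWXP085587 :M0dded by uNkn0wn Crew
:FBI.GoV 422 NEWXP085587 :MOTD File is missing
JOIN #Cheese#
:NEWXP085587!1854@ JOIN :#Cheese#
"""

# RFC 1459 line shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def split_params(raw):
    """Split IRC params; a trailing ':'-prefixed param may contain spaces."""
    if raw is None:
        return []
    if raw.startswith(":"):
        return [raw[1:]]
    head, sep, trail = raw.partition(" :")
    params = head.split()
    if sep:
        params.append(trail)
    return params


def parse_handshake(stream: str) -> dict:
    """Recover server, password, ident, nick and joined channels from a C2 stream."""
    info = {"server": None, "password": None, "user": None, "nick": None,
            "channels": [], "numerics": []}
    for line in stream.splitlines():
        m = IRC_LINE.match(line.strip())
        if not m:
            continue
        prefix, cmd = m.group("prefix"), m.group("cmd").upper()
        params = split_params(m.group("params"))
        if cmd == "PASS":
            info["password"] = params[0]
        elif cmd == "USER":
            info["user"] = params[0]
        elif cmd == "NICK":
            info["nick"] = params[0]
        elif cmd.isdigit():                      # server numeric reply
            info["server"] = info["server"] or prefix
            info["numerics"].append(cmd)
            if cmd == "001":                     # RPL_WELCOME is addressed to the accepted nick
                info["nick"] = params[0]
        elif cmd == "JOIN" and prefix is None:   # client's own JOIN, not the server echo
            info["channels"].append(params[0])
    return info
```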

Now, being the cocky person I am, I was curious about this botnet. So, I took it upon myself to try to connect to the IRC server and have a look for myself, hopefully talking to the author of the malware himself. So, I headed to a web-based IRC client so that the botnet master wouldn't be able to see my own IP address and possibly launch a DDoS attack against me. I logged in using the password and other information found in the packet capture file. I logged in and waited. Every now and then, I'd see a user issue commands taking the form of “UDP ”. I assumed that he was directing his bots to DDoS the victim with UDP packets. Eventually, I actually started typing, and caught the botmaster's attention. The conversation went something like this:

Me: Hello? Anyone there?
Botmaster: lulz you arnt too smart
Botmaster: u shoulda used a vpn
Me: Don't worry, I'm using a web IRC client, so I'm good. So what exactly is going on here?

At this point, I was booted from the chat. I figured my work was done, so I didn't bother reconnecting. A few days later, I checked back in, and the IRC channel and the host itself were down. I figure he thought he was caught, and just shut everything down.

4. Malware Analysis: Conclusions

All in all, my first wild malware analysis proved rather interesting. I was able to take the unknown file and run a few basic utilities to find out exactly what it was doing. This gave me a pretty good idea of what the program was capable of, and from there I ran it in a confined system to see it in action. Further investigation brought me to an IRC botnet channel, where I actually chatted with the botmaster. Outstanding for a first attempt. Anyway, all of the techniques I used in this instance are applicable to other malware samples. The important thing is to be careful, and patient. Often, simply watching network traffic won't fully reveal what a worm or trojan is doing, and instead you may end up needing to reverse engineer the file. Reversing malware is very time consuming, especially if the file was obfuscated using an exe packer. Good luck with your own endeavors, and I hope this helped!

Article courtesy of kevin at
