The first step in my investigation was looking for the symptoms that the program causes. My friend told me that when he first ran the program, it triggered a Blue Screen of Death, but nothing out of the ordinary happened once he rebooted the computer. This told me a couple of things about the malware:
Since the "virus" caused a Blue Screen of Death, the author messed up somewhere. Malware aims to cause as little disruption as possible, since events like a blue screen alert the user to the fact that something is wrong.
The malware author isn't advanced. A seasoned malware author wouldn't be careless enough to cause a BSOD. BSODs are typically caused by mistakes like null pointer dereferences and other bad memory references in kernel-mode code; a plain user-mode program that crashes only takes down its own process, so a blue screen points to a driver component, or to a bug in an existing driver that the program happened to trigger. By understanding the author, you can better understand his work.
Just from the fact that the virus caused a Blue Screen of Death, I learned a lot about the program and its author. By better understanding the malware and its author, I can make educated guesses about its level of complexity, as well as its motivation and goals.
After looking at the symptoms, I next took a very brief look at parts of the program itself. I ran all of this on a Linux system to prevent accidental infection. Even then, I ran the tests on a non-work-related laptop, and one that was isolated from all networks. As in every other case involving malware analysis, it pays to be careful. The last thing you want is to accidentally infect yourself, only to spread it to your other, more important computers. Later, I ended up using VMware for this very reason.
File: I first ran the "file" utility to determine what exactly I was dealing with. The results showed this:
w89e85t5.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit Mono/.Net assembly
The output tells me a few things. First, it's a Portable Executable (PE), the native executable format for Windows. Despite the name, "portable" refers to the format being the same across Windows architectures, not to the file running on other operating systems; in the context of this malware analysis it still makes sense, since the author wants this to run on as many Windows machines as possible. The rest of the output shows us that it is built for 32-bit x86 (Intel 80386) and is a .NET assembly; "file" labels these "Mono/.Net" because either runtime can load them.
Another useful tool in malware analysis is a program called PEiD, which scans an executable for signs of being packed. Packers are utilities used to modify an executable, making it harder for reverse engineers to pull the malware apart with tools like IDA Pro. PEiD returned a result of "Microsoft Visual C# / Basic.NET", confirming that .NET was used in creating the malware. Because PEiD matches signatures at the entry point, getting a compiler match rather than a packer stub also suggests the sample is not packed. The Visual C# portion also gave me some more information about the language used to create the virus.
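To show what "file" and PEiD are actually reading, here is an added example (my own code, not the post's tooling) that hand-parses the PE headers: the COFF machine type, the optional-header subsystem, and data directory entry 14, the CLR runtime header, whose presence is what makes a binary a .NET assembly. The sample image is constructed in code and is header-only, and the packer check is a section-name heuristic (a packer can rename sections), far weaker than PEiD's entry-point signatures.

```python
"""
Added example (not from the original post): hand-parse the PE headers that
`file` and PEiD summarise. Reads the COFF machine type, the optional-header
subsystem, and data directory entry 14 (the CLR runtime header), whose presence
is what makes a binary a .NET assembly. Packer detection here is only a
section-name heuristic, much weaker than PEiD's entry-point signatures.
"""
import struct
from typing import NamedTuple, Optional, Sequence, List

MACHINE = {0x014C: "Intel 80386 32-bit", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console"}
# Section names well-known packers leave behind (heuristic; a packer can rename them).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", ".aspack": "ASPack",
                   ".petite": "Petite", ".themida": "Themida", "MPRESS1": "MPRESS"}
CLR_DIRECTORY_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


class PEInfo(NamedTuple):
    fmt: str            # "PE32" or "PE32+"
    machine: str
    subsystem: str
    is_dotnet: bool
    sections: List[str]
    packer_hint: Optional[str]


def parse_pe(data: bytes) -> PEInfo:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    count_off = opt + (108 if pe32plus else 92)               # NumberOfRvaAndSizes
    dd_count = struct.unpack_from("<I", data, count_off)[0]
    dd_start = count_off + 4
    is_dotnet = False
    if dd_count > CLR_DIRECTORY_INDEX:
        rva, size = struct.unpack_from("<II", data, dd_start + CLR_DIRECTORY_INDEX * 8)
        is_dotnet = rva != 0 and size != 0
    sect_table = opt + opt_size
    names = []
    for i in range(nsections):
        off = sect_table + i * 40
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    packer = next((p for n, p in PACKER_SECTIONS.items() if n in names), None)
    return PEInfo("PE32+" if pe32plus else "PE32",
                  MACHINE.get(machine, hex(machine)),
                  SUBSYSTEM.get(subsystem, str(subsystem)),
                  is_dotnet, names, packer)


def describe(info: PEInfo) -> str:
    """One-line summary in the spirit of `file`'s output."""
    line = f"{info.fmt} executable for MS Windows ({info.subsystem}) {info.machine}"
    if info.is_dotnet:
        line += " Mono/.Net assembly"
    if info.packer_hint:
        line += f" [packer hint: {info.packer_hint}]"
    return line


def build_sample_pe(dotnet: bool, section_names: Sequence[str] = (".text", ".rsrc", ".reloc"),
                    machine: int = 0x014C, subsystem: int = 3) -> bytes:
    """Constructed header-only PE32 image for offline testing; not a loadable program."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 96 + 16 * 8                       # PE32 fixed fields + 16 data directories
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    if dotnet:                                   # CLR header RVA/size: arbitrary non-zero values
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    sects = b"".join(n.encode("latin-1").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sects


if __name__ == "__main__":
    print(describe(parse_pe(build_sample_pe(dotnet=True))))
    print(describe(parse_pe(build_sample_pe(dotnet=False, section_names=("UPX0", "UPX1", ".rsrc")))))
```

Running it against the constructed .NET image reproduces the same one-liner "file" printed above; the second sample shows how a UPX-packed binary would stand out by its section names alone. On a real sample you would pass the file's bytes to parse_pe() instead of build_sample_pe().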
- Malware Analysis: Virtual Machine
After finding some preliminary information about the malware, I next wanted to move on to something a bit more risky, namely running the malware under a virtual machine. Reversing malware under virtual systems has several benefits:
No worry of affecting production computers
No risk of infecting other computers on the network
View the malware in its native habitat
However, there are some negative points associated with running malware in virtual machines:
Some malware can detect that it's running under a virtual machine
Malware can attempt to exploit and break out of the virtual machine
If network access is not cut, worms can attempt to compromise other systems on the network
That being said, I felt confident that the benefits outweighed the risks. From before, I had a feeling that this particular piece of malware wasn't advanced, so the risk of it detecting that it was in a virtual machine and actually exploiting it seemed slim. Also, I was running the VM on top of Linux, so even if it did break out, it wouldn't be in the system it was designed to exploit (Windows).
I started up VMware on Ubuntu and loaded a Windows XP disk image. The most important step is setting up the network properly. I set it up with a NAT connection, so VMware sends the guest's traffic through the host machine to the physical hardware. However, I made sure to keep the host disconnected from the network at all times. This is critical! The last thing you want to do when analyzing a worm is to unleash it on your own systems.
With the virtual machine set up, I moved everything into position, including using Wireshark to sniff the VM's traffic. VMware carries NAT traffic on the host's vmnet8 interface, so capturing there from the host keeps the sniffer out of the guest's reach.
- Malware Analysis: Network Traffic Analysis
The initial run didn't show much of anything. No Blue Screen of Death was encountered, and very little network data was sent. Here's what Wireshark showed:
The packets clearly show the malware trying to establish a connection to 23U.NO-IP.INFO, judging from the DNS requests it's making. Since it isn't receiving a reply, we don't get anything more than that for now. A WHOIS search ended up showing no results for this domain, which is expected: no-ip.info is a dynamic DNS service, so the subdomain is not a registered domain of its own, and the address it resolves to can change whenever the operator wants. My instincts were telling me that this was probably some kind of script kiddie attempt at a botnet. So, I tried looking a bit further into the network traffic. Since I wasn't going to get anywhere without contacting the server itself, I tried connecting the virtual machine to the network. Under the careful eye provided by Wireshark, I watched what exactly this malware was doing. Note that this is not the preferred method, but I had taken all other computers on my network down for the duration of this small experiment. Here's what Wireshark shows now:
Now that the malware can send packets to and receive packets from the server it's trying to connect to, I was able to see exactly what this particular program was trying to do. I uploaded the packet capture file above. Packets 1-8 show some kind of connection being set up between the remote server and our victim computer. Packet 9 appears to show a password being sent to the remote server, with the password being "\google_cache2.tmp". Then, packet 17 shows a goldmine of information: it appears to be the welcome message of an IRC server. Bingo! The malware is an IRC botnet recruiter. To get more information, I looked at the protocol stream:
:FBI.GoV NOTICE AUTH :*** Looking up your hostname...
:FBI.GoV NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
USER 1854 "" "TsGh" :1854
:FBI.GoV 001 NEWXP085587
:FBI.GoV 002 NEWXP085587 :M0dded by uNkn0wn Crew
:FBI.GoV 003 NEWXP085587
:FBI.GoV 004 NEWXP085587 :uNkn0wn – iD@ uNkn0wn
:FBI.GoV 005 NEWXP085587
:FBI.GoV 005 NEWXP085587
:FBI.GoV 005 NEWXP085587
:FBI.GoV 422 NEWXP085587 :MOTD File is missing
So, from this we can see that the password the bot sends when it connects to the IRC server is "\google_cache2.tmp", our victim's nickname is NEWXP085587, and the channel we join is #Cheese#. All this from the Wireshark traffic analysis!
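The same extraction can be automated over the text of a followed TCP stream. The following is an added example (my own code, not part of the original post): a small RFC 1459 style message parser that pulls the bot's PASS, NICK, USER and JOIN out of the client side and the server name and channel orders out of the server side. The stream it works on is constructed and modelled on the capture above; the "UDP <host> <port> <seconds>" command format is an assumption, since the post only shows "UDP ".

```python
"""
Added example (not from the original post): pull the bot's connection details out
of an IRC TCP stream of the kind Wireshark's "Follow TCP Stream" shows. The stream
below is constructed and modelled on the capture in the post; the "UDP <host>
<port> <seconds>" command format is an assumption, the post only shows "UDP ".
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stream: "C>" lines are client -> server, "S<" lines are server -> client.
SAMPLE_STREAM = """\
C> PASS \\google_cache2.tmp
C> NICK NEWXP085587
C> USER 1854 "" "TsGh" :1854
S< :FBI.GoV NOTICE AUTH :*** Looking up your hostname...
S< :FBI.GoV NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
S< :FBI.GoV 001 NEWXP085587 :Welcome
S< :FBI.GoV 002 NEWXP085587 :M0dded by uNkn0wn Crew
S< :FBI.GoV 422 NEWXP085587 :MOTD File is missing
C> JOIN #Cheese#
S< :NEWXP085587!1854@192.0.2.15 JOIN :#Cheese#
S< :uNkn0wn!op@FBI.GoV PRIVMSG #Cheese# :UDP 192.0.2.10 53 60
S< :uNkn0wn!op@FBI.GoV PRIVMSG #Cheese# :UDP 192.0.2.11 80 120
"""


@dataclass
class BotSession:
    server: Optional[str] = None
    password: Optional[str] = None
    nick: Optional[str] = None
    username: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC message into (prefix, COMMAND, params), RFC 1459 style:
    an optional ':prefix', a command, middle params, and a trailing ' :param'."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def summarize(stream: str) -> BotSession:
    s = BotSession()
    for raw in stream.splitlines():
        direction, _, line = raw.partition(" ")
        if not line.strip():
            continue
        prefix, cmd, params = parse_irc_line(line)
        if direction == "C>":                  # what the bot sends: credentials and joins
            if cmd == "PASS" and params:
                s.password = params[0]
            elif cmd == "NICK" and params:
                s.nick = params[0]
            elif cmd == "USER" and params:
                s.username = params[0]
            elif cmd == "JOIN" and params:
                for ch in params[0].split(","):
                    if ch not in s.channels:
                        s.channels.append(ch)
        else:                                   # what the server sends: its name and the orders
            if cmd.isdigit() and s.server is None:
                s.server = prefix               # numeric replies carry the server name as prefix
            elif cmd == "PRIVMSG" and len(params) >= 2 and params[0] in s.channels:
                s.commands.append(params[1])
    return s


def ddos_targets(session: BotSession) -> List[Tuple[str, int]]:
    """Targets named in 'UDP <host> <port> ...' orders (assumed command format)."""
    out = []
    for cmd in session.commands:
        parts = cmd.split()
        if len(parts) >= 3 and parts[0].upper() == "UDP" and parts[2].isdigit():
            out.append((parts[1], int(parts[2])))
    return out


if __name__ == "__main__":
    session = summarize(SAMPLE_STREAM)
    print(session)
    print(ddos_targets(session))
```

The split between client and server lines matters: the password, nick and channel are only ever visible on the client side, while the server name comes from the prefix of the numeric replies, which is where "FBI.GoV" shows up in the capture. Feeding the channel PRIVMSGs to ddos_targets() turns the botmaster's orders into a list of victims you can hand to whoever owns those addresses.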
Now, being the curious person I am, I was intrigued by this botnet. So, I took it upon myself to try to connect to the IRC server and have a look for myself, hopefully talking to the author of the malware himself. So, I headed to a web-based IRC client so the botnet master wouldn't be able to see my own IP address and possibly launch a DDoS attack against me. I logged in using the password and other information found in the packet capture file. I logged in and waited. Every now and then, I would see a user issue commands taking the form of "UDP ". I assumed that he was directing his bots to DDoS the victim with UDP packets. Eventually, I actually started typing, and caught the botmaster's attention. The conversation went something like this:
Me: Hello? Anyone there?
Botmaster: lulz you arnt too smart
Botmaster: u shoulda used a vpn
Me: Don't worry, I'm using a web IRC client, so I'm good. So what exactly is going on here?
At this point, I was booted from the chat. I figured my work was done, so I didn't bother reconnecting. A few days later, I checked back in, and both the IRC channel and the host itself were down. I figure he thought he was caught, and just shut everything down.
- Malware Analysis: Conclusions
All in all, my first wild malware analysis proved rather interesting. I was able to take the unknown file and run some basic utilities to find out what exactly it was doing. This gave me a fairly good idea of what the program was capable of, and from there I ran it in a confined system to see it in action. Further investigation brought me to an IRC botnet channel, where I actually chatted with the botmaster. Not bad for a first attempt. Anyway, all of the techniques I used in this instance are applicable to other malware samples. The important thing is to be careful, and be patient. Often, simply watching network traffic won't fully reveal what a worm or trojan is doing, and instead you may end up needing to reverse engineer the file. Reversing malware can be extremely time consuming, especially if the file was obfuscated using an exe packer. Good luck with your own endeavors, and I hope this helped!