Sorting Out The Trash

19
© FRISK Software International 1/23 Sorting out the malware trash Sorting out the malware trash Michael St. Neitzel, [email protected] Out of Section IAT striped Invalid Opcode Corrupted Header Compiler Source Non-malicious Reference Non-Viral Commented Out

description

Presented at the International Antivirus Testing Workshop 2007 by Michael St. Neitzel, Senior Antivirus Architect, FRISK Software

Transcript of Sorting Out The Trash

Page 1: Sorting Out The Trash

© FRISK Software International 1/23

Sorting out the malware trashSorting out the malware trash

Michael St. Neitzel, [email protected]

Out of Section

IAT striped

Invalid Opcode

Corrupted Header

Compiler Source

Non-malicious

Reference Non-Viral

Commented Out

Page 2: Sorting Out The Trash

© FRISK Software International 2/23

QuickTime™ and aH.264 decompressor

are needed to see this picture.

Page 3: Sorting Out The Trash

© FRISK Software International 3/23

Why to sort out the trash

• To archive more accurate testing results

• To prevent exchanging trash with other testers

• To prevent unneeded additional work for vendors

• To prevent confusion regarding important sample detection

• To improve your ability and to extend your knowledge

• To keep your own test-sets “clean”

You collect trash at home, you remove it, so do it here too!

Page 4: Sorting Out The Trash

© FRISK Software International 4/23

Essential tools• Disassembler / Debugger ( for example IDA )• Hex-Editor/Viewer ( for example UltraEdit )• Comfortable Filemanagement-Tool ( for example TC )• Virtual Machine for quick “Try & Error” purposes• Real Machine for Non-VM-Malware• Checksummer • Own developed tools (eg. Win32 Broken Filechecker)• If available professional Replication System• Database-driven trash system • Testing Network / Email / Internet Environment

Page 5: Sorting Out The Trash

© FRISK Software International 5/23

Essential knowledge• Deep understanding of Operating System Architecture• Deep understanding of File-Formats (eg. Win32 PE)• Deep understanding of Assembly language• Deep understanding of Scripting languages• Classification and Determination of malicious software• Typical Malware “Variant-behavior” knowledge

Page 6: Sorting Out The Trash

© FRISK Software International 6/23

The Rules• #1: Respect the Rules• #2: You must be able to Defend your decisions• #3: You must be able to sort the trash out yourself• #4: You promise to take this task serious• #5: Consider in difficult cases other opinions• #6: Spend extra attention to important samples• #7: Inform yourself about problems with specific malware• #8: Don’t relay only on automatic-sort-out• #9: Know the scan engine technologies• #10: Put questionable files into a specific set

Page 7: Sorting Out The Trash

© FRISK Software International 7/23

Let’s get started: Bring it on

• We have 4 different cases:

• Non-Malicious at all• Clean Files

• Malicious• Malware

• Malicious only in combination with other files

• So called “Helper Files”

• “Supposed to be malicious” files• Virus and Malicious Simulators

Page 8: Sorting Out The Trash

© FRISK Software International 8/23

The Trial & Error Approach• Choosing the correct test environment

• CPU Type (Example: Machine ID after PE Sign)

• OS Version (Example: Some RTPS only work on 9X)

• Real Machine vs. Virtual Machine

• Configuring the correct test environment

• Reverting Files / Registry

• Setting Hooks / Logger

• Activating Error Handling Hooks (eg. DLL not found)

• Activating Virtual Network / Internet

Page 9: Sorting Out The Trash

© FRISK Software International 9/23

Problems with Trial & Error• Date/Time Dependency (eg. Timed Downloaders)• Network Dependency ( eg. no real internet IP )• Randomized Dependency (eg. ExitProcess randomly)• File Dependency (eg. Wrong Service Pack Files )• Speed Dependency (eg. Virtual Environments)• Specific Action Dependency (eg. IE HTML Keylogger)• Event Dependency (eg. At least 5 open applications)• Registry Dependency (Won’t run if spec. Regkeys found)• Timed Duration Dependency (runs after spec. time)• Remote File Dependency (Tries to access remote files)• Missing Components (eg. Backdoor DLL not found)

Page 10: Sorting Out The Trash

© FRISK Software International 10/23

The Disassembling Approach• PROS:

• Reveals more hidden Secrets if done in a proper way

• You can step with a debugger through the file• You don’t need a particular System Setup

• CONS:• Not enough assembly knowledge leads to wrong

results• You need to know deeply all system tricks• Time consuming task• Doesn’t work without unpacking / decrypting first

• Conclusion: Disassembling should be used for files which activity is unclear on a “Trial & Error” System or gives errors on such a system. Priority of samples always over-rides the trial & error system. Important samples (including parasitic viruses) should be *ALWAYS* checked in a disassembler for the reason why they are not infecting or doing nothing.

Page 11: Sorting Out The Trash

© FRISK Software International 11/23

The Live Example

Page 12: Sorting Out The Trash

© FRISK Software International 12/23

Page 13: Sorting Out The Trash

© FRISK Software International 13/23

Page 14: Sorting Out The Trash

© FRISK Software International 14/23

Let’s see what happens

Page 15: Sorting Out The Trash

© FRISK Software International 15/23

What should be sorted out?• Files containing remainings of uncalled viral code• Damaged, not workable files (Emulator issues etc.)• Simulation files• Non-Malicious Files• Non-Malicious Files if stand alone (Helper Components)• Source Code for Binary Malware• Files in unusual archiv / container Formats (That includes a lot of cases, such as Quarantine Files from other products)• So called Sandwich Infections• Technically “impossible” combinations of parasitic & RTP• Commented out code (eg. Scripts)• False Positives (Similar to Non-Malicious)• Minor-Annoyance Files (eg. Cookies in Pro-Active Tests)• Depending on the test (eg. ItW Test) manually manipulated Samples (Example: Repacked ItW Worm)

Page 16: Sorting Out The Trash

© FRISK Software International 16/23

The goal for automatism• Split your results into

• Approved, malicious files• Approved working files, but action unclear• Approved non-working files• Unidentified files (Unclear status & Action)

• And start sorting with the most secure results• Approved, malicious files• Approved non-working files

• Sort questionable files for further manual steps

• Approved working files, but action unclear• Unidentified files (Unclear status & Action)

Page 17: Sorting Out The Trash

© FRISK Software International 17/23

The flexible solution• Script driven “self learning” system to apply rules• Use already available resources (Replication System)• Create and archive logfiles for every sample• Store MD5 Sums to catch “everyday repeating trash”• Use / Create a “User Simulator” for such purposes (RS)• Maintain a global trash DB System for submission reply

Page 18: Sorting Out The Trash

© FRISK Software International 18/23

How to do that in praxis?Let’s discuss this now during the next 30 min in details

(Source code examples & Live Demonstration)

Page 19: Sorting Out The Trash

© FRISK Software International 19/23

Thank you for your attentionAnd feel free to inspect the trashcans here during your next coffee break ;-)

References:

The Antivirus Compendium (Book 3) (Antivirus Testing & Evaluating)Michael St. Neitzel & Peter J. Ferrie (upcoming Qua. 4 2007)

Michael St. Neitzel,Techn. Spokesman & Senior Antivirus ArchitectFRISK Software [email protected]