6.4 Malware Reverse Engineering
What is Sheep Dip Computer?
- Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware.
- A sheep dip computer is installed with port monitors, file monitors, network monitors and antivirus software and connects to a network only under strictly controlled conditions.
- A computer used for sheep dipping should have, for example:
- Run user, group permission and process monitors
- Run port and network monitors
- Run device driver and file monitors
- Run registry and kernel monitors
Anti-Virus Sensor Systems
- Anti-virus sensor system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.
Malware Analysis Procedure: Preparing Testbed
- Install Virtual machine (VMware, Hyper-V, etc.) on the system.
- Install guest OS into the Virtual machine.
- Isolate the system from the network by ensuring that the NIC card is in "host only" mode.
- Disable the "shared folders", and the "guest isolation".
- Copy the malware over to the guest OS.
Malware Analysis Procedure
- Perform static analysis when the malware is inactive.
- Collect information about:
- String values found in the binary with the help of string extracting tools such as BinText.
- The packaging and compressing techniques used with the help of compression and decompression tools such as UPX.
- Set up network connection and check that it is not giving any errors.
- Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer.
- Record network traffic information using the connectivity and log packet content monitoring tools such as NetResident and TCPView.
- Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot.
- Collect the following information using debugging tools such as OllDbg and ProcDump:
- Service requests and DNS tables information
- Attempts for incoming and outgoing connections
- PeStudio (靜態)
- Process Monitor (動態)
Malware Analysis Tool: IDA Pro
Online Malware Testing: VirusTotal
- VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms, Trojans, etc.
Online Malware Analysis Services
Trojan Analysis: Neverquest
- A new banking Trojan known as Neverquest, is active and being used to attack a number of popular banking websites.
- This Trojan can identify target sites by searching for specific keywords on web pages that victims are browsing.
- After infecting system, the malware gives an attacker control of the infected machine with the help of a Virtual Network Computing (VNC, for remote access) and SOCKS proxy server.
- The Trojan targets several banking sites and steals sensitive information such as login credentials that customers enter into these websites.
- The Trojan also steals login information related to social networking sites like Twitter, and sends this information to its control server.
- Once it infects a system, the Trojan drops a random-name DLL with a .dat extension in the %APPDATA% folder.
- The Trojan then automatically runs this DLL using regsvr32.exe /s [DLL PATH] by adding a key under "Software\Microsoft\Windows\CurrentVersion\Run\"
- The Trojan tries to inject its malicious code into running processes and waits for browser processes such as iexplorer.exe or firefox.exe
- Once the victim opens any site with these browsers, then Trojan requests the encrypted configuration file from its control server.
- The Trojan generates a unique ID number that will be used in subsequent requests.
- The reply is encrypted with aPLib compression
- The reply data is appended to an "AP32" string, followed by a decompression routine.
- If the Trojan finds any of the keywords on a web page, it will steal the full URL and all user-entered information and sends this data to the attacker.
- The Trojan sends a unique ID number followed by the full URL containing username and password.
- The Trojan also sends all web page contents compressed with aPLib to the attacker in the following format.
Virus Analysis: Ransom Cryptolocker
- Ransom Cryptolocker is a ransom-ware that on execution locks the user's system thereby leaving the system in an unusable state.
- It also encrypts the list of file types present in the user system.
- The compromised user has to pay the attacker with ransom to unlock the system and to get the files decrypted.
- Infection and Propagation Vectors:
- The malware is being propagated via malicious links in spam e-mails which leads to pages exploiting common system vulnerabilities.
- These exploit pages will drop Ransom Cryptolocker and other malicious executable files on the affected machine.
- Characteristics and Symptoms:
- The contents of the original files are encrypted using AES Algorithm with a randomly generated key.
- Once the system is infected, the malware binary first tries to connect to a hard coded command and control server with IP address 188.8.131.52
- If this attempt fails, it generates a domain name using random domain name algorithm and appends if with domain names such as .org, .net, .co.uk, .info, .com, .biz, and .ru.
- Encryption Technique:
- The malware uses an AES algorithm to encrypt the files. The malware first generates a 256 bit AES key and this will be used to encrypt the files.
- In order to be able to decrypt the files, the malware author needs to know that key.
- To avoid transmitting the key in clear text, the malware will encrypt it using an asymmmetric key algorithm, namely the RSA public/private key pair.
- This encrypted key is then submitted to the C&C server.
- Once the system is compromised, the malware displays the below mentioned warning to the user and demand ransom to decrypt the files.
- It maintains the list of files which was encrypted by this malware under the following registry entry
- On execution, this malware binary copies itself to %AppData% location and deletes itself using a batch file
Worm Analysis: Darlloz (Internet of Things (IoT) Worm)
- Darlloz is a Linux worm that is engineered to target the "Internet of things."
- It targets computers running Intel x86 architectures and also focuses on devices running the ARM, MIPS, and PowerPC architectures, which are usually found on routers, set-top boxes, and security cameras.
- Darlloz Execution:
- The main purpose of the worm is to mine crypto currencies.
- Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known IDs and passwords, and also sends HTTP POST requests which exploit the vulnerability.
- If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.
- Currently, the worm infect only Intel x86 systems because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.
Q1) What is a sheepdip?
- It is another name for Honeynet
- It is a machine used to coordinate honeynets
- It is the process of checking physical media for virus before they are used in a computer
- None of the above
A1) Also known as a footbath,a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.
Q2) If you come across a sheepdip machine at your client’s site, what should you do?
- A sheepdip computer is used only for virus-checking.
- A sheepdip computer is another name for a honeypot
- A sheepdip coordinates several honeypots.
- A sheepdip computers defers a denial of service attack.