
2011

Malware Analysis
Behavioral Analysis Approach

Talal Al Ismail | Ali Al Kaf | Rashid Al Mehairbi

Abstract
Not a single day passes without the appearance of new malware of all types, and anti-virus vendors' web sites profile each new sample and rate its severity. This paper focuses on one approach to malware analysis, behavioral analysis. An experiment with three scenarios was performed in a virtualized environment: three computers with different levels of security were each infected with a different kind of malware and then observed, to see how anti-malware software would react and respond and what changes were made to system processes, the registry and files. Using several malware analysis tools, the results were interesting and in part unexpected. In conclusion, malicious code is one of the biggest threats to computers and their users because of the way it is designed: it spreads very fast from an infected machine to others, and some malicious code does not need to be executed or carried to another machine by a user, since it is designed to move by itself.


Introduction
Malware is an umbrella term covering several kinds of malicious code: viruses, worms, zombies, logic bombs, trap doors, rootkits and Trojan horses. Together they infect millions of networked computers every year. Our continuous and increasing reliance on information technology is matched by a steady increase in the amount of malicious code. According to the G Data Security Labs malware report (2010), the number of new malicious programs in that year was expected to pass the two million mark. The risk posed by this software goes beyond the individual user and reaches the level of national security in several countries, as two well-documented cases show.

The Estonian cyber attacks began on 27 April 2007 and lasted about three weeks. Estonia is described as the most "wired" and advanced country in Europe in terms of e-government (Myers, 2007). A series of attacks targeted the portals of the government and parliament, banks, ministries, newspapers and broadcasters. Several attack techniques were used; many took the form of distributed denial of service (DDoS), in which hundreds of thousands of "zombie" computers flooded Estonian web sites with requests until they stopped responding (Wikipedia, 2007).

Stuxnet (2010) is a sophisticated program designed to penetrate and establish control over remote systems in a quasi-autonomous fashion (Farwell & Rohozinski, 2011). Reported to be twenty times more complex than any previous malicious code, this worm attacked computers at Iran's Natanz nuclear facility and caused the facility to suspend operations for several days (Stark, 2011). Stuxnet is reported to be capable of altering the pressure inside nuclear reactors or shutting down oil pipelines while operators see nothing wrong, because it makes everything look normal. Unlike most malware, which relies on forged credentials to sneak into a system, Stuxnet carried genuine credentials: its driver components were signed with legitimate (stolen) code-signing certificates. It also exploited security holes that the system's creators were unaware of, known as zero-days (FoxNews, 2011).

Most malware arrives in files downloaded from the Internet. Once on the system it scans for operating system vulnerabilities and then degrades performance by performing unintended actions. Malware can infect other executable code, data and system files and the boot sectors of drives, and can generate enough network traffic to cause denial of service. When an infected file is executed by a user, the malware becomes resident in memory and infects any other file executed afterwards. If the operating system is vulnerable, the malware can also take control of the system and spread to other systems on the network. Such malicious code (virus is the more popular term) is also known as a parasite and generally degrades machine performance, resulting in slow-down (Vinod & Gaur, 2009).

Malware can be categorized as follows:

1. Viruses. A computer virus is malware that alters the normal functioning of a computer without the permission or knowledge of the user. A virus usually attaches its code to other executable files, which then carry the infection. Viruses can deliberately destroy the data stored on a computer and perform other harmful actions.

2. Worms. A worm is malware that replicates itself without a host program, using automated parts of the operating system that are generally invisible to the user. Unlike a virus, a worm does not need to alter other programs' files; it resides in memory and copies itself across the network. Worms almost always cause problems on the network (if only by consuming bandwidth), whereas viruses infect or corrupt files on the computer they attack.

3. Spyware. Spyware is software (or, occasionally, hardware) installed on a computer, usually without the user's knowledge, that gathers information about the user and later sends it across the Internet to a server.

4. Adware. Adware is software that automatically runs or displays advertisements on the computer, or urges the user to install fake anti-virus software. It is generally installed without the user's permission.

5. Trojans. A Trojan horse is a program that masquerades as a legitimate program while actually being malicious. Trojans perform a range of actions: some are destructive, others simply spy on the user and steal information.

6. Rootkits. A rootkit is a collection of programs used by an attacker to avoid detection while maintaining unauthorized access to a computer. This is accomplished in two ways: by replacing system files or libraries, or by installing a kernel module. The attacker installs the rootkit after first obtaining ordinary user-level access, usually by cracking a password or exploiting a vulnerability, which then allows other credentials to be used to gain root or Administrator access.

Methodology
The methodology of this paper is divided into four stages:
1. Creation of the test environment
2. Collection of information
3. Analysis of information
4. Documentation of results

Creation of Test Environment
For analyzing any malware, a controlled test environment is essential. For this purpose an isolated virtual "test lab" is created using VMware, set up as follows:

Three virtual machines are used. A fresh copy of Windows XP is installed on each virtual machine with all the needed configuration.

All three guest operating systems remain in the same state as installed, with no updates or security patches applied.

The virtual machines are not connected to any physical network, so that the malware cannot reach anything outside the lab.

One virtual machine has no anti-virus and no firewall, simply no security at all. Of the other two, one has an anti-virus installed and the other has a firewall.

Suitable malware analysis tools, such as Winalysis, Process Explorer, Process Monitor and Process Hacker, are installed and configured on the relevant virtual machines.

Three different types of malware are used: a Trojan horse, a virus and a worm.

Each virtual machine is tested with only one of the above types of malware.

The goal of any malware analysis is to understand how a specific piece of malicious code functions, so that proper defenses can be established against it. According to Distler (2007), two main questions must be answered. First: how did this machine become infected with this malware? Second: what exactly does this malware do?

These two questions are weighted differently depending on why the analysis is being carried out in the first place.


Collection of Information
In this phase, in order to remove the vagueness surrounding the subject, the experience of others in the field is studied so that the experiment is performed correctly. The names and types of the malware analysis tools are identified and the tools downloaded for use in the experiment. The malware samples to be used are also obtained in a safe manner and kept quarantined until they are needed.

Analysis of Information
There are two types of malware analysis: code analysis and behavioral analysis. This paper uses behavioral analysis, which looks at how the malware acts after it is executed: who it talks to, what gets installed, and how it runs (Malware Analysis, The Basics, 2007). During behavioral analysis, changes to the infected system and any unusual behavior are identified and analyzed using the malware analysis tools mentioned above.

Documentation of Results
Finally, all the interpreted information, screenshots and results are documented in a detailed report that presents them in a well-designed, appropriate format.
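The core of the behavioral approach described above is a baseline taken before the sample runs and a comparison taken afterwards; this is what Winalysis does for files, the registry, services and so on. The script below is an added example and is not code from the paper: it implements the file-system half of that comparison in Python, hashing every file under a directory tree before and after, and then simulates an infection with ordinary file writes in a temporary directory (the "WINDOWS" and "Documents" trees and the NewFolder.exe and .Trashes names are constructed to mirror the paper's observations, not real captures). Registry comparison is not covered.

```python
"""Baseline-and-compare of a directory tree, the file-side counterpart of what
the paper does with Winalysis: snapshot before running the sample, snapshot
again afterwards, report what was created, deleted or modified.
Added example, not code from the paper. Registry comparison is out of scope
and the 'infection' below is simulated with ordinary file writes."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to (size, sha256)."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return state


def diff_snapshots(before, after):
    """Classify every path as created, deleted or modified (size or content changed)."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def simulated_run():
    """Constructed scenario (not a real capture): build a small 'system' tree,
    take the baseline, simulate an infection, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WINDOWS" / "system32").mkdir(parents=True)
        (root / "WINDOWS" / "notepad.exe").write_bytes(b"MZ legitimate notepad")
        (root / "Documents").mkdir()
        (root / "Documents" / "report.doc").write_bytes(b"quarterly report")
        (root / "Documents" / "old.tmp").write_bytes(b"scratch")
        before = snapshot(root)

        # Simulated malicious activity modelled on the paper's findings:
        # overwrite a legitimate executable, copy itself into system32,
        # drop a hidden-looking file, and delete a file.
        (root / "WINDOWS" / "notepad.exe").write_bytes(b"MZ infected notepad")
        (root / "WINDOWS" / "system32" / "NewFolder.exe").write_bytes(b"MZ trojan copy")
        (root / "Documents" / ".Trashes").write_bytes(b"")
        (root / "Documents" / "old.tmp").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in simulated_run().items():
        print(kind, paths)
```

Two caveats apply to this kind of comparison. The baseline must come from a known-clean state (in the paper's lab, a freshly installed VM), otherwise pre-existing changes are attributed to the sample. And a tool running inside the guest only sees what the operating system reports: a rootkit that hooks file enumeration, or a sample that disables the analysis tools (as happened in the second scenario of this paper), can hide its changes, which is why the comparison is more reliable when run from outside the guest, for example against the virtual machine's disk image.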


Experiment
In this paper, three scenarios were carried out. Three virtual machines ran Windows XP with all the required tools installed. The first virtual machine had no protection at all, the second had the Windows firewall together with the ZoneAlarm firewall, and the third had AVG anti-virus. The tools used in the experiment were: Process Explorer, which shows which files, registry keys and other objects each process has open and which DLLs it has loaded; Process Monitor, which records file system, registry, process, thread and DLL activity in real time; Process Hacker, which monitors file system, registry and process activity and links each process to its application, showing which application uses which service and whether it has network connections; and Winalysis, which monitors changes to files, the registry, users, groups, security policies, services, shares, scheduled jobs, the system environment and more. Three malicious samples were used: NewFolder.exe, detected as the Trojan horse Generic7.CRT; veawa.exe, identified as Worm/VB.7.E; and iahnb.exe, identified as a Win32 virus. Each sample was run on one machine and analyzed with the tools above to find out what changes it made.

The first scenario, the virtual machine with the anti-virus installed, gave the following results:

The anti-virus detected the threat, reporting the file name NewFolder.exe and the classification Trojan horse Generic7.CRT. The running process was found as C:\WINDOWS\explorer.EXE with process ID 1844.

Process analysis with Process Hacker found the malicious code under process ID 1844, consuming CPU resources while pretending to be explorer.exe. Process Monitor showed that process ID 1844, named Explorer.EXE, made changes to the registry and created several unwanted files.

The malicious code did several things to the virtual machine:
It prevented anything from being copied from the USB flash drive.
It tampered with the execution of other processes.
It copied itself to several directories, including the Windows system directories.
It made changes to the registry.
It started processes under the names of legitimate applications.
It created new files (such as "Trashes") that become visible only when hidden files are shown.

The second scenario, the virtual machine with the firewall installed, gave the following results:

The process was found as C:\WINDOWS\notpad.exe with process ID 428.

Process analysis with Process Hacker found the malicious code under process ID 428, consuming CPU resources while pretending to be notpad.exe (a name evidently chosen to resemble the legitimate notepad.exe).

Process Monitor and Process Explorer could not be run, because the malicious code had damaged most .exe applications. This virus was designed to attack the Windows firewall and to connect to the Internet: ZoneAlarm showed the destination IP 58.40.150.204 and destination port 36117.

The malicious code posed as several different processes and applications. The processes involved were:
iahnb.exe (C:\iahnb.exe): primary analysis subject.
Explorer.EXE (C:\WINDOWS\Explorer.EXE): iahnb.exe wrote to the virtual memory of this process.
ctfmon.exe (C:\WINDOWS\system32\ctfmon.exe): iahnb.exe wrote to the virtual memory of this process.
msmsgs.exe (C:\Program Files\Messenger\msmsgs.exe): iahnb.exe wrote to the virtual memory of this process.

The malicious code did several things to the virtual machine:
It posed as a legitimate application by running as notpad.exe.
It affected several legitimate processes, including Internet Explorer.
It changed some Windows Firewall settings and tried to connect to the Internet.
It modified and corrupted .exe files so that they stopped working, and modified files in the Windows system directories.
It registered processes to run at system start-up, so that unwanted actions would be performed automatically.
It changed the security settings of Internet Explorer, which could seriously affect security when browsing the web.
It created and/or modified registry entries.

The third scenario, on the virtual machine with no protection at all, gave the following results:

The process was found as veawa.exe with process ID 4076.

Process analysis with Process Hacker found the malicious code under process ID 4076, consuming CPU resources while pretending to be explorer.exe; veawa.exe also started another process, sauozax.exe, with process ID 4084.

Process Explorer showed very high CPU usage by process ID 4076 and some changes to the registry.

Process Monitor showed that process ID 40844, named Explorer.EXE, made changes to the registry and created several unwanted files.

The malicious code posed as different processes and ran several unwanted applications. The processes involved were:
veawa.exe (C:\veawa.exe): primary analysis subject.
ruoitu.exe (C:\Documents and Settings\Administrator\ruoitu.exe): started by veawa.exe.
sauozax.exe (C:\Documents and Settings\Administrator\sauozax.exe): started by veawa.exe.

The malicious code did several things to the virtual machine:
It posed as a legitimate application by running as explorer.exe.
The worm ran several processes, including sauozax.exe, ruoitu.exe and other unknown processes.
It modified existing files and created new ones.
It changed the security settings of Internet Explorer, which could affect the safety of browsing with Internet Explorer.
It created and modified registry entries.
It tried to establish Internet connections over both TCP and UDP in order to infect other networks.
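The behaviors reported across the three scenarios (a system-binary name started from the wrong directory or a look-alike name such as notpad.exe, executables overwritten, autostart registry entries, Windows Firewall and Internet Explorer security settings edited, outbound connections) can be pulled out of a Process Monitor CSV export automatically rather than read off by hand. The script below is an added example, not the paper's code: it assumes Process Monitor's default export columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the log lines embedded in it are constructed to mirror the paper's findings (including the 58.40.150.204:36117 destination and the PIDs 1844 and 428) and are not real captures; the registry key patterns, the list of system binaries and the rule names are the example's own choices.

```python
"""Rule-based triage of a Process Monitor CSV export for the behaviors the
paper observed. Added example, not code from the paper. Assumes Procmon's
default export columns; the sample log below is constructed, not a capture."""
import csv
import difflib
import io
import ntpath

SYSTEM_BINARIES = {"explorer.exe", "notepad.exe", "ctfmon.exe", "svchost.exe", "msmsgs.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def check_process_create(row):
    """'Process Create' rows: Path is the child's image. Flag a system-binary name
    started from outside the Windows directories, or a look-alike name."""
    if row["Operation"] != "Process Create":
        return []
    image = row["Path"]
    name = ntpath.basename(image).lower()
    if name in SYSTEM_BINARIES:
        if ntpath.dirname(image).lower() not in SYSTEM_DIRS:
            return [("masquerade", f"{name} started from {image}")]
        return []
    near = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.85)
    return [("masquerade", f"{image} resembles {near[0]}")] if near else []


def check_file_write(row):
    """Any write into an .exe: executable tampering or a self-copy."""
    if row["Operation"] == "WriteFile" and row["Path"].lower().endswith(".exe"):
        return [("exe_write", row["Path"])]
    return []


def check_registry(row):
    """RegSetValue into autostart, firewall-policy or IE zone keys."""
    if row["Operation"] != "RegSetValue":
        return []
    key = row["Path"].lower()
    hits = []
    if "\\currentversion\\run" in key:
        hits.append(("autostart", row["Path"]))
    if "\\sharedaccess\\parameters\\firewallpolicy" in key:
        hits.append(("firewall_policy", row["Path"]))
    if "\\internet settings\\zones" in key:
        hits.append(("ie_zone", row["Path"]))
    return hits


def check_network(row):
    """Procmon network rows carry 'source -> destination' in Path."""
    if row["Operation"] in NETWORK_OPS and "->" in row["Path"]:
        remote = row["Path"].split("->")[-1].strip()
        return [("network", f"{row['Operation']} to {remote}")]
    return []


CHECKS = (check_process_create, check_file_write, check_registry, check_network)


def triage(csv_text):
    """Run every check over every row; return findings in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for check in CHECKS:
            for rule, detail in check(row):
                findings.append({"pid": row["PID"], "process": row["Process Name"],
                                 "rule": rule, "detail": detail})
    return findings


def suspicious_pids(findings):
    """PID -> sorted list of the rules it triggered."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


# Constructed sample modelled on the paper's scenarios (not a real capture).
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010","NewFolder.exe","1000","Process Create","C:\Documents and Settings\Administrator\explorer.exe","SUCCESS","PID: 1844, Command line: explorer.exe"
"10:02:11.0200","explorer.exe","1844","WriteFile","C:\WINDOWS\system32\explorer.exe","SUCCESS","Offset: 0, Length: 32,768"
"10:02:11.0300","explorer.exe","1844","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NewFolder","SUCCESS","Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\explorer.exe"
"10:03:05.4400","iahnb.exe","1204","Process Create","C:\WINDOWS\notpad.exe","SUCCESS","PID: 428, Command line: notpad.exe"
"10:03:06.0000","notpad.exe","428","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:03:06.1000","notpad.exe","428","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:03:07.2000","notpad.exe","428","TCP Connect","xp-lab:1041 -> 58.40.150.204:36117","SUCCESS","Length: 0, mss: 1460"
"10:03:08.0000","svchost.exe","1032","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain","SUCCESS","Type: REG_SZ, Length: 2, Data: "
"10:03:09.0000","notepad.exe","1500","WriteFile","C:\Documents and Settings\Administrator\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['pid']:>5} {f['process']:<14} {f['rule']:<16} {f['detail']}")
```

The check for masquerading keys on the image path in the Process Create row rather than on the Process Name column, because the name is exactly what the samples in this paper controlled (explorer.exe, notpad.exe). On a real export the allow-list of system binaries must be far longer, installers and Windows Update produce legitimate exe writes and Run-key entries, and the network rule fires on every outbound connection; that noise is why the paper's fresh, unpatched and isolated virtual machines make a good baseline, since almost nothing on them should be writing executables or talking to the Internet.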

Conclusions
Malicious code is very difficult to notice, and many new viruses, worms and Trojans infect millions of computers around the world. Attackers use malicious code to take control of large numbers of computers and form a botnet: a group of infected computers, each called a "zombie", which the attacker uses to conduct attacks such as distributed denial of service (DDoS). Moreover, malicious code is freely available on the Internet; anyone can download it and reprogram it for a different purpose. Malicious code has become a worldwide problem that costs companies and individuals a great deal of money. In response, many companies build anti-virus products, and governments and cybercrime agencies analyze malicious code to understand how it works and what it aims to do.

Malicious code is one of the biggest threats to computers and users because of the way it is designed: it spreads very fast from an infected machine to others, and some malicious code does not need to be executed or carried to another machine by a user, since it is designed to move by itself. With the proliferation of the Internet, malware is employed extensively to generate web site traffic, to plant links that forward unsuspecting users to infected web sites, to launch DDoS attacks, and to steal credentials and personally identifiable information. Malicious code also uses new techniques, such as zero-day exploits, to spread more rapidly. Malware analysis is therefore an important field for forensic examiners and analysts, because hackers and cybercriminals rely on malicious code to conduct their activities, and people who specialize in malware analysis are in demand. Authors of malicious code profit handsomely from distributing and selling it, and they work to make it as robust and undetectable as possible; some are professional programmers with a good understanding of digital forensic methods, which lets them design malicious code that evades analysis and forensic tools. The knowledge needed to analyze malware competently is correspondingly broad and specialized.

This research presents a brief introduction to malicious code analysis using tools freely available on the Internet, such as Process Explorer, Process Monitor and Winalysis. Most of these tools showed the changes made by the malicious code to the registry, files and folders, services and the system environment. The goal of this research is to find out how to defend users from malicious attacks, to understand how a system gets compromised, and to understand what the malware exploits. The results varied with the type of malware analyzed; one of them showed that by following best practices (installing anti-virus and a firewall and keeping the operating system updated) users can protect themselves from many types of malicious code.

Future Work
In this paper, behavioral analysis of malware has been addressed. Future malware analysis should also be carried out on the basis of static analysis, that is, examining the actual code of the malware to gain a better understanding of how it functions. Further analysis should be extended to other types of malware such as spyware, adware and logic bombs. Tools such as those from iDefense, IDA Pro and OllyDbg should also be considered for future static analysis, to corroborate the results and improve the heuristics.


References
Farwell, J. & Rohozinski, R. (2011). Stuxnet and the Future of Cyber War. Survival, 53(1), 23-40.

FoxNews. (2011, Oct 19). Stuxnet Clone 'Duqu': The Hydrogen Bomb of Cyberwarfare? Retrieved from http://www.foxnews.com/scitech/2011/10/19/stuxnetclone-duqu-hydrogen-bomb-cyberwarfare/

G Data. (2010, Sep 9). Number of new computer viruses at record high. Retrieved from http://www.gdatasoftware.co.uk/about-g-data/press-centre/news/newsdetails/article/1760-number-of-new-computer-viruses.html

Myers, S. (2007, May 18). Cyberattack on Estonia stirs fear of 'virtual war'. Retrieved from http://www.nytimes.com/2007/05/18/world/europe/18iht-estonia.4.5774234.html

Stark, H. (2011, Aug 8). Stuxnet Virus Opens New Era of Cyber War. Retrieved from http://www.spiegel.de/international/world/0,1518,778912,00.html

Vinod, P. & Gaur, V. (2008). Survey on Malware Detection Methods. Malaviya National Institute of Technology.
