Automatic malware spying

Analyzing malware is sometimes a tedious task. Without proper tools, you can never know what packer surrounds the malware or how to bypass it. Or maybe you're just getting whacked by the sheer volume of incoming malicious samples.

At least the nepenthes honeypot has an option to automatically submit all captured samples to various sandboxes such as the Norman Sandbox or CWSandbox. Submission to Anubis is also possible.

The downside of public sandboxes is that they are available to the attacker as well, which means that the people who actually know what they are doing can test methods to bypass the sandboxes, or even falsify the results of a sandboxed run.

Putting together a sandnet, or basically any analysis environment, is not a huge job, and done properly it will give you a whole lot more information than a public sandbox report. For example, you can sniff all the traffic on the network and see what is _really_ being transmitted over the wire. You can also build scripts on the goat machine that runs the malware to capture all filesystem and registry modifications. Or you can build a custom logger that spies on the malicious binary from the inside.

I've been meddling with a logger for a while now, and even though it's still in a very early phase, it's starting to give a more and more accurate picture of what's really happening. Here's a log snippet taken while running a malicious sample:

Teamfurry Malware Logger Version 0.2 (c) 2007 Toni Koivunen (toni(_at_)teamfurry.com)
Resolves the function pointer to IsProcessorFeaturePresent
Creates a file: \??\c:\a.bat
Writes 1706h (5894) bytes to file: \Device\HarddiskVolume1\a.bat
Resolves the function pointer to SetErrorMode
Resolves the function pointer to CreateToolhelp32Snapshot
Resolves the function pointer to Process32First
Resolves the function pointer to Process32Next
Resolves the function pointer to Module32First
Resolves the function pointer to GetDiskFreeSpaceExA
Resolves the function pointer to GetLogicalDriveStringsA
Resolves the function pointer to GetDriveTypeA
Resolves the function pointer to SearchPathA
Resolves the function pointer to QueryPerformanceCounter
Resolves the function pointer to QueryPerformanceFrequency
Resolves the function pointer to RegisterServiceProcess
Loads the library user32.dll
Resolves the function pointer to SendMessageA
Resolves the function pointer to FindWindowA
Resolves the function pointer to IsWindow
Resolves the function pointer to DestroyWindow
Resolves the function pointer to OpenClipboard
Resolves the function pointer to GetClipboardData
Resolves the function pointer to CloseClipboard
Resolves the function pointer to ExitWindowsEx
Resolves the function pointer to GetAsyncKeyState
Resolves the function pointer to GetKeyState
Resolves the function pointer to GetWindowTextA
Resolves the function pointer to GetForegroundWindow
Resolves the function pointer to RegOpenKeyExA
Resolves the function pointer to RegCreateKeyExA
Resolves the function pointer to RegSetValueExA
Resolves the function pointer to RegQueryValueExA
Resolves the function pointer to RegDeleteValueA
Resolves the function pointer to RegCloseKey
Resolves the function pointer to OpenProcessToken
Resolves the function pointer to LookupPrivilegeValueA
Resolves the function pointer to AdjustTokenPrivileges
Resolves the function pointer to OpenSCManagerA
Resolves the function pointer to OpenServiceA
Resolves the function pointer to StartServiceA
Resolves the function pointer to ControlService
Resolves the function pointer to DeleteService
Resolves the function pointer to CloseServiceHandle
Resolves the function pointer to EnumServicesStatusA
Resolves the function pointer to IsValidSecurityDescriptor
Resolves the function pointer to GetUserNameA
Resolves the function pointer to CreateDCA
Resolves the function pointer to CreateDIBSection
Resolves the function pointer to CreateCompatibleDC
Resolves the function pointer to GetDeviceCaps
Resolves the function pointer to GetDIBColorTable
Resolves the function pointer to SelectObject
Resolves the function pointer to BitBlt
Resolves the function pointer to DeleteDC
Resolves the function pointer to DeleteObject
Loads the library ws2_32.dll
Resolves the function pointer to WSAStartup
Resolves the function pointer to WSASocketA
Resolves the function pointer to WSAAsyncSelect
Resolves the function pointer to __WSAFDIsSet
Resolves the function pointer to WSAIoctl
Resolves the function pointer to WSAGetLastError
Resolves the function pointer to WSACleanup
Resolves the function pointer to socket
Resolves the function pointer to ioctlsocket
Resolves the function pointer to connect
Resolves the function pointer to inet_ntoa
Resolves the function pointer to inet_addr
Resolves the function pointer to htons
Resolves the function pointer to htonl
Resolves the function pointer to ntohs
Resolves the function pointer to ntohl
Resolves the function pointer to send
Resolves the function pointer to sendto
Resolves the function pointer to recv
Resolves the function pointer to recvfrom
Resolves the function pointer to bind
Resolves the function pointer to select
Resolves the function pointer to listen
Resolves the function pointer to accept
Resolves the function pointer to setsockopt
Resolves the function pointer to getsockname
Resolves the function pointer to gethostname
Resolves the function pointer to gethostbyname
Resolves the function pointer to gethostbyaddr
Resolves the function pointer to getpeername
Resolves the function pointer to closesocket
Loads the library wininet.dll
Creates a file: \??\C:\WINDOWS\WindowsShell.Manifest
Resolves the function pointer to InternetGetConnectedState
Resolves the function pointer to InternetGetConnectedStateEx
Resolves the function pointer to HttpOpenRequestA
Resolves the function pointer to HttpSendRequestA
Resolves the function pointer to InternetConnectA
Resolves the function pointer to InternetOpenA
Resolves the function pointer to InternetOpenUrlA
Resolves the function pointer to InternetCrackUrlA
Resolves the function pointer to InternetReadFile
Resolves the function pointer to InternetCloseHandle
Resolves the function pointer to InitializeCriticalSectionAndSpinCount
Resolves the function pointer to ProcessIdToSessionId
Resolves the function pointer to GetSystemMetrics
Resolves the function pointer to MonitorFromWindow
Resolves the function pointer to MonitorFromRect
Resolves the function pointer to MonitorFromPoint
Resolves the function pointer to EnumDisplayMonitors
Resolves the function pointer to EnumDisplayDevicesW
Resolves the function pointer to GetMonitorInfoW
Loads the library icmp.dll
Resolves the function pointer to IcmpCreateFile
Resolves the function pointer to IcmpCloseHandle
Resolves the function pointer to IcmpSendEcho
Loads the library netapi32.dll
Resolves the function pointer to NetShareAdd
Resolves the function pointer to NetShareDel
Resolves the function pointer to NetShareEnum
Resolves the function pointer to NetScheduleJobAdd
Resolves the function pointer to NetApiBufferFree
Resolves the function pointer to NetRemoteTOD
Resolves the function pointer to NetUserAdd
Resolves the function pointer to NetUserDel
Resolves the function pointer to NetUserEnum
Resolves the function pointer to NetUserGetInfo
Resolves the function pointer to NetMessageBufferSend
Loads the library dnsapi.dll
Resolves the function pointer to DnsFlushResolverCache
Resolves the function pointer to DnsFlushResolverCacheEntry_A
Loads the library iphlpapi.dll
Resolves the function pointer to GetIpNetTable
Resolves the function pointer to DeleteIpNetEntry
Loads the library mpr.dll
Resolves the function pointer to WNetAddConnection2A
Resolves the function pointer to WNetAddConnection2W
Resolves the function pointer to WNetCancelConnection2A
Resolves the function pointer to WNetCancelConnection2W
Loads the library shell32.dll
Resolves the function pointer to ShellExecuteA
Resolves the function pointer to SHChangeNotify
Loads the library odbc32.dll
Resolves the function pointer to SQLDriverConnect
Resolves the function pointer to SQLSetEnvAttr
Resolves the function pointer to SQLExecDirect
Resolves the function pointer to SQLAllocHandle
Resolves the function pointer to SQLFreeHandle
Resolves the function pointer to SQLDisconnect
Loads the library avicap32.dll
Resolves the function pointer to capCreateCaptureWindowA
Resolves the function pointer to capGetDriverDescriptionA
Creates the mutex H-Bot Modded by the sad little wankers called SculenZ & TH Version 3.0
Creates the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Creates the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Creates the registry key HKEY_CURRENT_USER\Software\Microsoft\OLE
Retrieves the computers name
Takes a snapshot of currently running processes
Enumerates through running processes
Creates a file: \??\c:\autoexec.bat
Looks up the IP address(es) for the hostname irc.undernet.org
Tries to connect to 195.197.175.21
Sends 38h (56) bytes over the network
00000000 4e 49 43 4b 20 4d 63 46 61 64 64 65 6e 32 31 34 NICK McFadden214
00000010 33 30 39 0d 0a 55 53 45 52 20 6c 75 72 6c 73 72 309..USER lurlsr
00000020 73 61 20 30 20 30 20 3a 4d 63 46 61 64 64 65 6e sa 0 0 :McFadden
00000030 32 31 34 33 30 39 0d 0a 214309..
Sends 11h (17) bytes over the network
00000000 50 4f 4e 47 20 3a 37 36 38 35 36 37 30 35 33 0d PONG :768567053.
00000010 0a .
Sends 17h (23) bytes over the network
00000000 4a 4f 49 4e 20 23 6e 6f 70 69 63 20 6e 6f 70 69 JOIN #nopic nopi
00000010 63 62 6f 74 73 0d 0a cbots..

The line formatting seems to fall apart when pasting through the editor, but I think you'll see the point. A custom logger has the advantage of being easily modifiable, thus providing accurate results fast. And you can focus on the things you really want to see :)
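As an added example (not the author's logger code), here is a small Python parser for the "Sends ... bytes over the network" records in this log format. It reassembles each hex dump into bytes using the declared length rather than whitespace, because the ASCII column is not delimited from the hex column, checks that the hex and decimal lengths agree, and splits the result into IRC commands. The three records are copied from the log above as constructed sample input; the record layout is assumed from those lines.

```python
import re

SEND_RE = re.compile(r"^Sends ([0-9a-f]+)h \((\d+)\) bytes over the network$", re.I)
DUMP_RE = re.compile(r"^([0-9a-f]{8}) (.*)$", re.I)

# Constructed sample: the three "Sends" records copied from the log above.
SAMPLE_LOG = """Sends 38h (56) bytes over the network
00000000 4e 49 43 4b 20 4d 63 46 61 64 64 65 6e 32 31 34 NICK McFadden214
00000010 33 30 39 0d 0a 55 53 45 52 20 6c 75 72 6c 73 72 309..USER lurlsr
00000020 73 61 20 30 20 30 20 3a 4d 63 46 61 64 64 65 6e sa 0 0 :McFadden
00000030 32 31 34 33 30 39 0d 0a 214309..
Sends 11h (17) bytes over the network
00000000 50 4f 4e 47 20 3a 37 36 38 35 36 37 30 35 33 0d PONG :768567053.
00000010 0a .
Sends 17h (23) bytes over the network
00000000 4a 4f 49 4e 20 23 6e 6f 70 69 63 20 6e 6f 70 69 JOIN #nopic nopi
00000010 63 62 6f 74 73 0d 0a cbots..
"""


def parse_sends(log):
    """Reassemble each 'Sends' record into bytes. The byte count per dump line
    comes from the header (16 per full line, then the rest), not from guessing
    where the undelimited ASCII column starts."""
    payloads, lines, i = [], log.splitlines(), 0
    while i < len(lines):
        m = SEND_RE.match(lines[i])
        i += 1
        if not m:
            continue
        total = int(m.group(2))
        if int(m.group(1), 16) != total:
            raise ValueError("hex/decimal length disagree: " + lines[i - 1])
        buf = bytearray()
        while len(buf) < total:
            d = DUMP_RE.match(lines[i]) if i < len(lines) else None
            if not d or int(d.group(1), 16) != len(buf):
                raise ValueError("dump does not match declared length")
            want = min(16, total - len(buf))
            buf.extend(int(t, 16) for t in d.group(2).split()[:want])
            i += 1
        payloads.append(bytes(buf))
    return payloads


def irc_commands(payloads):
    """Split reassembled sends on CRLF into (command, arguments) pairs."""
    lines = (l for p in payloads for l in p.decode("latin-1").split("\r\n") if l)
    return [tuple(l.partition(" ")[::2]) for l in lines]
```

Feeding the whole logger output (not just the "Sends" records) through `parse_sends` works as well, since non-matching lines are skipped.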
