SANS ISC InfoSec Handlers Diary Blog

Cyber Security Awareness Month - Day 14 - Poor Man's File Analysis System - Part 1

Published: 2012-10-14
Last Updated: 2012-10-14 23:57:58 UTC
by Pedro Bueno (Version: 1)
2 comment(s)

Update: In an attempt to get the link for the first script, I mistakenly put the link for another script. Fixed now. Thanks Michael for the "oops" :)

Ok ok, the "System" in the title may be a bit too much for what this diary will show, but it will give you a good idea of how to start building your own analysis system using open source and free tools.

For the first part of this diary we will focus on PE files, using three different tools for static analysis:

1) Malware.py - http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py
   Pescanner.py - http://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py

2) Adobe Malware Classifier - http://blogs.adobe.com/asset/tag/malware-classification

3) sigcheck.exe (via Wine) - http://technet.microsoft.com/en-us/sysinternals/bb897441

The first tool is from the great book Malware Cookbook, and the authors made all the code available via Google Code. It is a collection of python scripts used throughout the chapters. The one I will show here is called PescannerMalware.py.

This PescannerMalware.py script will give you several pieces of information that will help you with your static analysis.

The following example is the output for a known malware sample:

Meta-data
============================================================
File:    wire-report.pdf.exe
Size:    190464 bytes
MD5:     0a0b73f2652f242e255ac9c1a7724dda
SHA1:    5ad43440eaf1c30b9e320a0ea06754ad67e9d66f
Date:    0x29EB59F0 [Tue Apr 14 22:17:20 1992 UTC] [SUSPICIOUS]
EP:      0x402a00 (.text)

Resource entries
============================================================
Name               RVA          Size         Type
------------------------------------------------------------
RT_VERSION         0x3b058      0x3ec

Suspicious IAT alerts
============================================================
CreateProcessW
CreateProcessA

Sections
============================================================
Name       VirtAddr     VirtSize     RawSize      Entropy
------------------------------------------------------------
.text      0x1000       0x7000       0x7000       2.397724
.rdata     0x8000       0x2e000      0x23800      7.231950    [SUSPICIOUS]
.data      0x36000      0x3000       0x2600       2.536738
.ndata     0x39000      0x1000       0x800        3.405680
.ndata     0x3a000      0x1000       0x800        3.405680
.rsrc      0x3b000      0x444        0x600        3.980035

Version info
============================================================
LegalCopyright: Copyright (C) 2000-2010 TightVNC Group
InternalName: vncviewer
FileVersion: 1.5.2.0
CompanyName: TightVNC Group
PrivateBuild:
LegalTrademarks:
Comments: Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.
ProductName: TightVNC Win32 Viewer
SpecialBuild:
ProductVersion: 1.5.2.0
FileDescription: vncviewer
OriginalFilename: vncviewer.exe
Translation: 0x0409 0x04b0

---

First, this report shows an odd build date of 1992. Second, it shows high entropy in the second PE section of this file, suggesting that it may be packed. Third, while the file name is wire-report.pdf.exe, the version section describes it as a VNC application...

This script can also integrate with YARA if you want, which makes it even more powerful.

Also, if you want to check the packer, you may want to consider the Python script that fellow Handler Jim Clausing created a few years ago: http://handlers.sans.org/jclausing/packerid.py
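As an added example (not from the diary or the Malware Cookbook), a small self-contained Python script that reproduces two of the checks the report above relies on: the PE build timestamp sanity check and the per-section Shannon entropy. It parses the section table directly with struct (no pefile dependency) and runs on a constructed minimal PE stamped with the 1992 timestamp from the report; the year-2000 floor and the 7.0 entropy threshold are assumptions, not pescanner's exact values.

```python
import math
import struct
from collections import Counter
from random import Random

EPOCH_2000 = 946684800   # assumed floor: a build stamp before 2000 is flagged
ENTROPY_ALERT = 7.0      # assumed threshold, matching the [SUSPICIOUS] mark above

def shannon_entropy(data):  # bits per byte: ~8.0 for packed/encrypted data
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze_pe(pe, now):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    _m, nsect, ts, _p, _n, opt_size, _c = struct.unpack_from(
        "<HHIIIHH", pe, e_lfanew + 4)
    sect_off = e_lfanew + 4 + 20 + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, sect_off + 40 * i)
        ent = shannon_entropy(pe[rawptr:rawptr + rawsize])
        sections.append({"name": name.rstrip(b"\0").decode(), "virt_addr": va,
                         "virt_size": vsize, "raw_size": rawsize,
                         "entropy": round(ent, 6), "suspicious": ent > ENTROPY_ALERT})
    return {"timestamp": ts, "timestamp_suspicious": ts < EPOCH_2000 or ts > now,
            "sections": sections}

def build_sample_pe(timestamp, sections):
    """Constructed minimal PE32 image (headers plus raw sections), not a real program."""
    opt = b"\x0b\x01" + b"\0" * 94                   # PE32 magic, remaining fields zeroed
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_off = (hdr_len + 0x1FF) & ~0x1FF             # first raw section at 0x200 alignment
    hdrs, raw = b"", b""
    for i, (name, data) in enumerate(sections):
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1),
                            len(data), raw_off + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x102)
    img = dos + coff + opt + hdrs
    return img + b"\0" * (raw_off - len(img)) + raw

# Constructed sample: a plain 16-symbol table in .text, pseudo-random bytes in .rdata
rng = Random(1337)
SAMPLE = build_sample_pe(0x29EB59F0, [(b".text", bytes(range(16)) * 32),
                                      (b".rdata", bytes(rng.getrandbits(8) for _ in range(4096)))])
```

Calling analyze_pe(SAMPLE, now) flags the 1992 stamp and the .rdata section the same way the report above does, while .text comes out at exactly 4.0 bits per byte.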

--

The second tool was created by a former co-worker, now working at Adobe. It is another python script that checks different characteristics of the PE file and returns one of three results: 1, 0, or Unknown.

According to the Adobe page, the "Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.” "

Example:

pedros-MacBook-Pro:samples ppbuen0$ python AdobeMalwareClassifier.py -f wire-report.pdf.exe
1

Which means malicious.

---

The third tool is from Sysinternals. It is called Sigcheck. This tool tells you whether a file is signed or not, which helps in your assessment.

If you want to run it on Linux together with the other Python tools, you may want to consider Wine :)

The output below is for the same exe from the previous examples:

        Verified:       Unsigned
        File date:      10:59 AM 8/9/2011
        Publisher:      TightVNC Group
        Description:    vncviewer
        Product:        TightVNC Win32 Viewer
        Version:        1.5.2.0
        File version:   1.5.2.0
        Strong Name:    Unsigned
        Original Name:  vncviewer.exe
        Internal Name:  vncviewer
        Copyright:      Copyright (C) 2000-2010 TightVNC Group
        Comments:       Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.

Just to compare, these are two outputs from other files:

1) Malware:

        Verified:       Unsigned
        File date:      5:41 AM 9/28/2012
        Publisher:      Microsoft Corporation
        Description:    Microsoft (R) Internet Common
        Product:        Microsoft(R) Windows(R) Operating System
        Version:        6, 0, 2900, 3138
        File version:   6, 0, 2900, 3138

2) Windows ARP:

        Verified:       Signed
        Signing date:   10:07 PM 4/13/2008
        Publisher:      Microsoft Corporation
        Description:    TCP/IP Arp Command
        Product:        Microsoft® Windows® Operating System
        Version:        5.1.2600.0
        File version:   5.1.2600.0 (xpclient.010817-1148)

--

Hopefully this will help you to start your own analysis system. In the next part of this diary we will look at tools/scripts for non-PE files, and integrate them.

--

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure
