BEHAVIOR ANALYSIS OF MALWARE IN INSTITUT

TEKNOLOGI SEPULUH NOPEMBER

SURABAYA,INDONESIA

  

Ejaz Karim

Information System Department

Institut Teknologi Sepuluh Nopember

  

Surabaya, Indoensia 60111

jazzi.pisces@gmail.com

Abstrak

  

An almost incomprehensible amount of data and information is stored on millions and millions of

computers worldwide. To be able to defend against the threat imposed by malware we need to

understand both how and why the malware exists. This document presents the nature of malware

today and outlines some analytical techniques used by security experts. Furthermore, a process for

analyzing malware samples with the goal of discovering the behavior and techniques used by the

samples is presented. An analysis is performed on malware samples, disclosing behavior, location,

encryption techniques. So these samples are being analyzed by tools named as Threat Expert and

Anubis. The samples will be also analyzed on real system and results will be compared with Anubis

and Threat Expert. This research is expected to describe and explain how malware and other

malicious software spread through internet, network and computers. The encryption techniques used

by the malware programmers to encrypt malware and to hide these viruses from the users. The

damage done by the malicious code to the target machine, network or computers. It should also show

the techniques used by the programmers and malware vendor to spread through different platforms.

The results are also expected to show that which platforms are being attacked by the malware and

why.

  Keywords: Malware, Encryption Technique, Threat Expert, Behavior Analysis, Anubis, Platforms.

  Introduction

  The story of malicious software began around 1982 when the first virus with replicating abilities and harmful intent was written by a high-school student called Rich Skrenta for the Apple II systems [1][2]. The virus was called “The Elk Cloner”. It infected a computer when the machine was booted from an infected floppy disk, copying itself to the new machine. When an uninfected floppy disk was inserted in an infected machine, it copied itself to the floppy, thus spreading itself. Its behavior was relatively harmless; it displayed a small poem every 50th boot, however it also had the unintended effect of overwriting code on particular systems. Since the first virus was created, much have changed in the world of malware, but some things have remained the same. Viruses are still being created and distributed, by teenagers, students and professionals. However, we are now not just facing viruses of different sorts, but also a wide range of malicious software, from adware to Trojans to software distributing spam. The programmers also appear to have changed. From unorganized individuals more or less playing around with programming for fun, malware is now a big industry where services like DDoS, spam and phishing are on sale [Jaq08, Ber08a]. Not only is the malicious content more diverse than its originators, but it is also vastly more sophisticated. Polymorphism, encryption, advanced exploits, intricate spreading, and proficient developers all make the software more sophisticated, harder to detect and harder to cleanse of. The most recent area of development lies in the way malware spreads and communicates. The Elk Cloner spread via floppy disks, and floppy disks only, no network communication was implemented. Today’s malware spread through various media’s; the Internet, removable drives, network, and seemingly genuine and honest software. Communication is achieved, both between infected machines and controls, by several different communication protocols and organizations, from centralized to peer-to-peer. [3][4]. This development not only makes the malicious software more dangerous, as new ways to make use of the software are found, but it also makes the detection, analysis, and removal of the software increasingly more difficult. Examples are botnets, with the Storm botnet being the most reputed today [3], which run on machines all over the world without the user’s knowledge, rendering the machines at the vim of the botnet controllers.

  Information and computer security are becoming more important as we trust computers with critical and sensitive information and functions. Malware is one of the greatest threats against the security of digital information. To be able to battle malware and malware developers we need to understand why the malware was developed and how it accomplishes its tasks. We achieve this by analyzing current malware samples, disclosing techniques and objectives of the samples, thus improving the ability to combat malware, reduce its significance and improve computer security.

  Background & related work

  A computer virus is a program or segment of an executable computer code that is designed to reproduce itself in computer memory and, sometimes, to damage data. Nowadays, the computer virus term is used as a general term for various harmful programs. Technically, the virus is used to describe the oldest type of harmful programs. A virus is either a stand-alone executable file or can be embedded in larger bodies of code. The virus self-replicates itself inside the same system and cannot spread to other computers without human assistant. A worm is similar to the virus (technicality) but it exploits computer networks to spread from computer to computer over the Internet. In practice, any software that replicates itself may be termed a virus, and most viruses are designed to spread themselves over the Internet and are therefore called worms. [2] Nowadays, malicious software (malware) is the general term that is used to describe viruses, worms and other types of harmful and undesirable programs. Malware is any program that works against the interests of the system’s user or owner to the interest of other people. [3] Most of the previous researches shows that, to check the behavior of malware the frameworks have been used either to detect or to analyze malware[5][6]. Most of the approaches and detection techniques used in the researches have their own way of checking and analyzing malware, some researches have been done in mobile platforms and most are in Windows[7].by checking all of the above papers we can say that no research is been done before like this research shows, that is two online tools(Anubis and Threat Expert) have been used to check behavior and the results from these tools will be compared with the real system which is the contribution of this thesis. By checking previous researches done five out of twenty papers shows that frameworks have been used to detect and analyze malware on Windows and these frameworks use algorithms, machine learning, function hooking, system calls, execution and analysis[8][9]. Two systems like AMAL and Ether uses automatic analysis of malware and virtualization and emulation to check malware behavior[10][11]. One paper shows that Brower help objects has been used to check the behavior with the help of browsing behavior. Six out of twenty researches have been done in Android platforms to check the mobile malware behavior which uses recognizers systems, input output system calls, data mining and anomaly detection.one paper shows that the malware behavior is being detected from web reports and other shows that how malware will be classified and detected through system state changes. By comparing all of the above mentioned researches, some of the researches uses frameworks to analyze and detect malware, some used tools to do the same thing, some researchers focused on mobile malware and on Android platforms and some adapt their own approaches and detection methods[12][13], so the conclusion derived from above researches is that not a single researcher has done the research like this research shows, this thesis uses two online tools and a real system, the results from these tools will be compared to the real system results to satisfy those results. This research will be different from others because the real system will be compromised to check the real behavior of malware, before as mentioned in previous researches the researchers used either virtualization or their own frameworks in which the malware was not applied directly to the real system. Virtualization is the method in which the system has been virtualized, so until we cannot compromise the real system the real behavior cannot be shown th at’s why this research uses real system as a main contribution and also results of two online tools will be compared with the real system to satisfy and to improve the efficiency in analysis. The authors Michael Bailey, Jon Oberheide, Jon Andersen, Z. Morley Mao, Farnam Jahanian, and Jose Nazario also suggest that,

  “Since the malware samples were executed within VMware, samples that employ anti-VM evasion techniques may not exhibit their malicious behavior. To mitigate this limitation, the samples could be run on a real, non-virtualized system, which would be restored to a clean state after each simulation [14]”.

  Methodology and Tools

  In the first part of this paper we will outline some of the theoretical aspects of today’s malware and malware analysis to create an understanding of what malware is, its different forms, and common malware analysis techniques. Samples will be analyzed using tool called as Threat Expert and Anubis which are online tools to check the behavior of malwares and these samples will be also applied to real system to check real behavior of malware. The results from two tools will be compared to real system results for satisfactory results. The analysis will seek to map each sample’s behavior and functionality and to some extent discover techniques used to achieve their functionality. For this task we will use any good system for analysis. Following is the flow chart analysis of malware.

  

Figure 1: Flow chart of methodology of malware analysis.

  3.1 Data Acquiring

  The data acquiring step has been supported by our honorable lecturer through which access has been granted to get the data from Honeypot Server of Institut of Technology Sepuluh Nopember. The malware samples were been acquired through FileZilla software, which is a data sharing software. After that the samples were stored on the disk for further steps.

  3.2 Malware Analysis

  After data acquiring and storing it on the disk, the next step is to do analysis through online tools called as Threat Expert and Anubis which are free and reliable. The samples will be uploaded to the online tool server and after results will be will be saved in pdf format. To check the behavior of malware on real system, this research will do some monitoring processes with the help of Process Monitor and Wireshark. Those processes are Registry monitoring, Network monitoring, to monitor a file and File integrity Check.

  3.3 Conclude the Results

  In this section, further analysis will be done of the reports being generated by the online tools to decide whether the results are satisfying or not. The results will be compared to the real system to satisfy and if satisfied then those will be saved and if the results are not up to task after being analyzed that means the samples have to be analyzed again. This step will be done again and again until the satisfying results are being acquired.

  Analysis of Results

  For the analysis of the samples provided by the Honey pot server of Institut of Teknologi Sepuluh Nopember this research goes through the following procedures. The samples cannot be acquired directly from the honey pot, so for this purpose FileZilla software was used to download samples from remote server through username and password. After downloading from the server the samples were being saved on the system as a zip file. First samples were being analyzed one by one by Threat Expert. The samples were submitted to online database in the Threat Expert website, which allows us to submit samples online to their server in .zip and .exe formats. All the samples were submitted to the server as exe format and the reports were being saved in an online account to access globally. these can be downloaded in xml format. Almost all of the samples were found to be the worms but only two samples were backdoors. Secondly all of the samples were being analyzed by Anubis. The samples were submitted to the online database of Anubis same as Threat Expert. The same samples were submitted to the online server with same format as Threat Expert and the results were same for all the samples except two samples. The last one was difficult task to be accomplished because this research applies the malware to the real system that is the samples were being applied to a live system to check the real behavior. For this a computer system with processor speed of Core i3 with 4GB RAM and the windows 7 was used to check the behavior. To check the file system activity, registry activity and the network activity this research used Process monitor and Wireshark to check the above activities of malware. The malware cannot be executed directly, so the samples were made as exe file with the help of feature available in Windows 7 and after that those were executed to the system.

  Analysis of Results

4.1 Threat Expert Analysis

  4.1.1 Registry Activities

  Worm: Win32/Conficker.B tries to copy itself in the Windows system folder as a hidden DLL file using a random name. If it fails, it can then try to copy itself with the same parameters in the following folders: %ProgramFiles% \Internet Explorer For this case the Threat Expert reports shows that it creates new process called as svchost.exe which runs the windows services which are in form of DLLs. From here it can run on the system It creates the following registry entry to ensure that its dropped copy is run every time Windows starts: HKCU\Software\Microsoft\Windows\CurrentVersion\Run With data: "rundll32.exe <system folder>\<malware file name>.dll, <malware parameters>" The Threat Expert does not show such kind of registry key activity but as mentioned above it uses the various Dlls to run the windows. It can also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe. It can also load itself as a fake service by registering itself under the following key:

  HKLM\SYSTEM\CurrentControlSet\Services

  4.1.2 Network Activities

  The worm can check the vulnerable systems with Network shares with weak passwords, which tries to infect all other PCs available on the network and as it been mentioned in the reports of Threat Expert. As shown by the Threat Expert it first tries to drop a copy of itself in a target PC's ADMIN share using the credentials of the currently logged-on user. If this method is unsuccessful, for example, the current user does not have the necessary rights, it instead obtains a list of user accounts on the target PC. It then tries to connect to the target PC using each user name and the weak passwords.

  4.1.3 File System Activities

  It also changes the system's TCP settings to let a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal, Threat Expert reports does not show such of change in registry keys. HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Disables TCP/IP tuning, stops and disables services as mentioned in the Threat Expert This worm stops several important services, like the following: Windows Security Center Service (wscsvc)

• – notifies users of security settings (for example, Windows update, Firewall and Antivirus) Windows Update Auto Update Service (wuauserv) Windows Defender (WinDefend) Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience Windows Error Reporting Service (wersvc)

4.2 Anubis Analysis

  4.2.1 Registry Activities

  Anubis does not show or report how it copies or spreads and it also does not shows either it a worm or backdoor. Rather it just shows the registry activities starting from load time Dlls to run time Dlls and what kind of malware if being encrypted inside a single file. It shows in each step the process activities, the registry activities, network activities and the other activities. First it copies itself to the load time and run time Dlls by opening the relevant run time and load time Dlls and after that it modifies deletes and creates the possible registry keys in the system It creates the following registry entry to ensure that its dropped copy is run every time Windows starts: HKCU\Software\Microsoft\Windows\CurrentVersion\Run With data: "rundll32.exe <system folder>\<malware file name>.dll, <malware parameters>" The Anubis report shows that it invokes the dlls, after that it creates the new file in the windows folder and controls the devices needed by communicating with them. It can also load itself as a fake service by registering itself under the following key: HKLM\SYSTEM\CurrentControlSet\Services

  4.2.2 Network Activities

  The worm can check the vulnerable systems with Network shares with weak passwords, which tries to infect all other PCs available on the network and Anubis reports does not shows what kind of weak passwords the worm uses or what kind of user accounts use to take control of the system, perhaps its shows the it queries the server through remotely after being executed on the system. The executable scans a range of IP addresses and also scans and identify the more potential vulnerable targets.

  4.2.3 File System Activities

  It also changes the system's TCP settings to let a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal, this is the difference between Threat Expert and the Anubis, Anubis shows the following changes in its reports but cannot be seen in the Threat Expert reports. HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Anubis reports also shows the memory being mapped by the malware which is shown as below, C:Windows\System32\regsvr32.dll Through this dll it also creates the remotes threads to control remotely from other system or place. It also creates a lot of temporary internet files in the system windows folder to be able to control the internet and other network settings.

4.3 Real System Analysis

4.3.1 Registry Activities

  As reported by the Threat Expert and Anubis the malware applied on the real system shows the similar behavior as Anubis, in the process monitor it shows the registry activities starting from load time Dlls to run time Dlls. It shows in each step the process activities, the registry activities, file system interaction. First it copies itself to the load time and run time Dlls by opening the relevant run time and load time Dlls and after that it modifies deletes and creates the desired registry keys in the system. It creates the following registry entry to ensure that its dropped copy is run every time Windows starts: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Real system behavior shows that it first invokes the dlls, after that it can also load itself as a fake service by registering itself under the following key: HKLM\SYSTEM\CurrentControlSet\Services

  4.3.2 Network Activities

  The worm can check the vulnerable systems with Network shares with weak passwords, which tries to infect all other PCs available on the network and real system behavior also does not shows what kind of weak passwords the worm uses or what kind of user accounts use to take control of the system.

  4.3.3 File System Activities

  It also changes the system's TCP settings to let a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal. HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Real system results also shows the Dlls were successfully mapped to the malware location which is shown as below, D:\Malware Analysis\binaries\cabinet.dll It also creates a lot of temporary internet files in the system windows folder to be able to control the internet and other network settings..

  Conclusion The samples analyzed, proved to 95 worms and only two samples were found to be backdoor.

  This shows that malware authors still trust on worms to gain access and compromise systems because of self-replicating characteristics. As this research shows that the malware uses the registry keys to take control of the system. First it run itself on the system through DLLs and after that it reads, creates, modifies, deletes and edits those registry keys. Administrators and group of administrators have access rights to modify, read, write and delete these registry keys, so according to the results shown, the suggestion is to give the rights only to the administrator and group of administrators. Windows has some limited built-in protection designed to safeguard the registry. By default, normal users have only read permissions for most branches of the registry and are only able to modify registry keys that only affect their own account. Administrators should make sure that it should remain same for all users, by doing this it would limit the user to his account and it will not spread to other users. Restrict the executables by unknown users and only administrator can execute it when needed. This will also add the Restricted SID (security identifier) token to the registry access which will limit the program to read permissions and ensure that it does not alter the registry in any way. Running a program under these restrictions does more than just secure the registry. This will also block access to the folders, cookies and temporary internet files. This is useful because malware will be not able to create temporary internet files.

  Limitations

  This research will be limited to the platforms available in Institut of Teknologi Sepuluh Nopember, Surabaya Indonesia. It will be not valid to those platforms which are other than Windows platforms like Mac, Linux etc. Because of the limited resources, this research uses a free tools but the selected number of malware will be applied to an isolated real system, so that results can be compared with the results of free tools. The expected results would be also available for the same platforms and the will be applied for the same network topology as shown in the figure below.

  Figure 2: Network Topology of Honeypot ITS-Net

  Further Research

  As this research is done on Windows platform and using free online tools, further this research can be done on other platforms like Linux, Android and Apple Mac platforms and check behavior on these platforms by more reliable and registered tools available on the internet, more specifically on Android because almost all of the users are using services of internet on Android and smart phones which could be helpful to reveal the behavior on the latest Android cell phones.

  Acknowledgment

  I am deeply grateful to my advisor Sir Bekti Cahyo Hidayanto for the opportunity to work on this thesis. I would further like to thank my Supervisor Dr.Eng. Febriliyan Samopa, M.Kom for his countless suggestions and guidance during the thesis. It was a pleasure to do research in Institut of Teknologi Sepuluh Nopember Surabaya Indonesia.

  Referensi

  [1] Jeremy Paquette, A History of Viruses, March 2008, [2] Ed Skoudis and Lenny Zeltser. Malware: Fighting Malicious Code. Prentice Hall, 2003. [3] Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, and Fabian Monrose. All Your iFRAMEs Point to Us. Google Technical Report, 2008. [4] Brian Krebs, Washigton post: Hundreds of thousands of microsoft web servers hacked, April

  2008, http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html [5] A framework for behavior-based malware analysis in the cloud Lorenzo Martignoni, Roberto Paleari , and Danilo Bruschi. [6] An Effective Framework of Behavior Detection-Advanced Static Analysis for Malware Detection by Maya Louk, Hyotaek Lim and HoonJae Lee , Mohammed Atiquzzaman. [7] Crowdroid: Behavior-Based Malware Detection System for Android by Iker Burguera and Urko Zurutuza and Simin Nadjm-Tehrani. [8] Automatic Analysis of Malware Behavior using Machine Learning, Konrad Rieck, Philipp Trinius, Carsten Willems, and Thorsten Holz. [9] Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic

  Investigation Purposes, Ahmed F.Shosha, Joshua I. James, Alan Hannaway, Chen-Ching Liu and Pavel Gladyshev. [10]

  Ether Malware Analysis via Hardware Virtualization Extensions by Artem Dinaburg, Paul Royal, Monirul Sharif. [11]

  AMAL: High-Fidelity, Behavior-based Automated Malware Analysis and Classification by Aziz Mohaisen. [12]

  Behavioral Analysis of Android Applications Using Automated Instrumentation by Mohammad Karami, Mohamed Elsabagh, Parnian Najafiborazjani, and Angelos.

  [13] Ontology-based Mobile Malware Behavioral Analysis by Hsiu-Sen Chiang, Woei-Jiunn Tsaur.

  [14] Automated Classification and Analysis of Internet Malware by Michael Bailey, Jon Oberheide, Jon Andersen, Z. Morley Mao, Farnam Jahanian, and Jose Nazario .

  [15] A Comparative Assessment of Malware Classification using Binary Texture Analysis and Dynamic Analysis by Lakshmanan Nataraj University of California, Santa Barbara, USA.

  [16] Malware Behavior Feature Extraction Based on Web Information Extraction by Binlin Cheng, Jianming Fu and Ya Liu, Siyang Xiong.

  [17] Automatic Behavior Bases Analysis and Classification System for Malware Detection Jaime Devesa, Igor Santos, Xabier Cantero, Yoseba K. Penya and Pablo G. Bringas.

  [18] Malbehave: Classifying Malware by Observed Behavior by Connor Gilbert, Bryce Cronkite- Ratcliff, and Jason Franklin.

  [19] Behavioral Analysis on IPv4 Malware on different platforms in IPv6 Network Environment by Zulkiflee M., Azirah S.A., Haniza N., Zakiah A., Shahrin S.

  [20] BareBox: Efficient Malware Analysis on Bare-Metal. Dhilung Kirat, Giovanni Vigna, Christopher Kruegel University of California, Santa Barbara.

  [21] Behavior-based Spyware Detection Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna, Greg Banks, Giovanni Vigna, and Richard A. Kemmerer.

  [22] Malware behavior analysis Gérard Wagener Radu State Alexandre Dulaunoy. [23]

  Behavior Classification based Self-learning Mobile Malware Detection by Dai-Fei Guo, Ai- Fen Sui, Yi-Jie Shi, Jian-Jun Hu, Guan-Zhou Lin and Tao Guo. [24]

  RBACS: Rootkit Behavioral Analysis and Classification System by Desmond Lobo, Paul Watters and Xinwen Wu