Background

Two days ago one of my friends contacted me and told me that his organization is receiving suspicious-looking emails. They think that the infection was conducted via “spear phishing” emails. Then I decided to take a deeper look into it.

I went there and saw escalation not only in numbers of created malware files but also in targets. Then I started the investigation and followed the following steps.…

But, before going much deeper, we have to understand about malware and malware analysis.

What Is Malware?

Any software that causes harm to a user, computer, or network can be considered malware, including viruses, Trojan horses, worms, and spyware.

Types of Malware

These are the categories that most malware falls into:

  • Backdoor — Malicious code that installs itself on a computer to allow the attacker access. Backdoors usually let the attacker connect to the computer and execute commands on the local system with little or no authentication.
  • Botnet— Similar to a backdoor, in that it allows the attacker access to the system, but all computers infected with the same botnet receive the same instructions from a single command-and-control server.
  • Downloader — Malicious code that exists only to download other malicious code. Downloaders are commonly installed by attackers when they first gain access to a system. The downloader program will download and install additional malicious code.
  • Information-stealing malware — Malware that collects information from a victim’s computer and usually sends it to the attacker. Examples include sniffers, password hash grabbers, and keyloggers. This malware is typically used to gain access to online accounts, such as email or online banking.
  • Launcher — Malicious program used to launch other malicious programs. Launchers usually use nontraditional techniques in order to ensure stealth or greater access to a system.
  • Spam-sending malware — Malware that infects a user’s machine and then uses that machine to send spam. This malware generates income for attackers by allowing them to sell spam-sending services.
  • Worm or virus — Malicious code that can copy itself and infect additional computers.

What Is Malware Analysis?

Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it.

Goal of Malware Analysis

The goal of malware analysis is to gain an understanding of how a specific piece of malware functions so that defenses can be built to protect an organization’s network. There are two key questions that must be answered:

  • How did this machine become infected with this piece of malware?
  • What exactly does this malware do? After determining the specific type of malware, you will have to determine which question is more critical to your situation.

Approaches to Malware Analysis

There are two fundamental approaches to malware analysis: static and dynamic.

  • Static analysis involves examining the malware without running it.
  • Dynamic analysis involves running the malware.

Following are some terms commonly used in malware analysis, with their definitions.

  • Spear phishing — To send emails with malicious content (attachments, links, or fraudulent messages) to specific persons of particular interest
  • Exploit — An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).
  • Drop — The online location where malware delivers stolen information.
  • FUD — FUD means “fully undetectable,” i.e., the program cannot be detected by antivirus tools
  • SFX — Self-extracting, referring to executable programs that are also archives, which extract and sometimes execute the archive content when run.
  • MD5 — A so-called hash, i.e., a number calculated on the basis of data that identifies these with high confidence. MD5s in this paper are used to identify files.

Steps Involved in Malware Analysis:

When performing malware analysis, the first step is to have malware so that we could analyze one of the pieces of malware previously obtained. So a malware sample was collected from the organization.

After obtaining malware, I prepared a safe analytical environment in which to perform malware analysis. This is done by creating a virtual environment with the help of VMware; this protects the host machine from the malware. One of the most convenient aspects of using virtualization software is its support for snapshots. They allow you to preserve the current state of the virtual machine with a click of a button, and return to it with another click. VMware Workstation supports multiple snapshots, which comes in very handy for “bookmarking” different stages of your analysis, so you can move back and forth during your experiments without losing important runtime details. A snapshot of the state of the machine’s file system and the registry was taken. This allowed me to quickly see what major changes have occurred on the system after execution of malware. RegShot can be used as an effective tool for this purpose. Process Monitor can be used to monitor all file registry and process activity on Windows systems. You also need to install Wireshark, a protocol analyzer that captures and decodes network traffic. Process Monitor and Wireshark are used to quickly reveal the behavior of malicious programs.

The initial spear phishing mail contained an attachment named “Important_Scan_Document.” In the “Folder” option, click on “View” and then check the option “Show hidden files, folder and drives” and uncheck the option to hide empty drives, extensions, and protected operating system files.

Then I found that it’s an SFX (self-extracting executable).

I simply extracted it using Winrar.

I found two files: One is an executable file and the other is a Word file.

When I double click the SFX, the installer will execute the included “tskmgr.exe” file and open the decoy document; they are actually specially crafted RTF files designed to trigger software vulnerability (CVE-2012-0158) in Microsoft Common Controls, typically triggered in Microsoft Word. At the CMD prompt, run the netstat command. This command is used to show detailed network status information. The tskmgr.exe will start in the background and establish a TCP connection to a IP address.

Once the system got infected with the malicious program, I checked the system configuration to find whether tskmgr.exe will load on startup or not. I found that tskmgr.exe had automatically made an entry in system start-up.

Visit virustotal.org, which is a free virus, malware, and URL online scanning service in which file checking is done with more than 40 antivirus solutions. I checked tskmgr.exe and it was found to be a Trojan.

Then I found that it modifies the Windows registry entries, takes screenshots of the infected system in the background, and uploads this information to a website.

Then I visited networktools.nl. It is used to query whois records, ping hosts, query DNS records, trace hosts, display host information, domains on ip, reverse ip, and check spam. When I did the lookup for the domain I got the following information. In almost all cases, the domains registered by the attackers are “privacy protected.” This means that the registrant has paid the domain registrar to withhold identity information related to the registration. This is done almost to perfection.

However, by searching reverse IP data for the IP addresses of domains known to be involved I found a number of other domains likely belonging to the same infrastructure.

Running Wireshark on the infected system when it is trying to send screenshots to the website reveals the following type of behavior:

Once we noted the path of the file upload, we simply navigated to the URL and noted our own system’s screenshot being nicely saved as a PNG file on the server.

It is interesting to note that the malware author was uploading files to a folder called ScreenShot. I found that the site had a number of directory listing vulnerabilities. The attacker doesn’t have their robots.txt set to “disallow” to stop them from being crawled.

By listing the files and downloading the data present in the site, I easily figured out the organization behind this cyberattack.

Many other folders were found. The names and structures of these sub-folders shows that these are the names of systems compromised.

The folders contain the IP address of the compromised system, and each of them contains text files called “Pass_logs.txt,” which contain captured passwords and other key phrases.

While surfing the domain, I also found some phishing pages that are used to do spear phishing. When I opened the PHP script of phishing pages, I found the email ids where the passwords of victims were sent.

Myths about Malware

  • I will know if I am infected.
  • I can protect myself from malware by not going on porn/warez sites.
  • Email attachments from known persons are safe.
  • Malware is only a problem on Windows.
  • Malware is created by antivirus vendors.
  • Most malware is spread through e-mail.
  • My firewall can protect my PC from drive-by-download attacks.
  • If you don’t open an infected file, you can’t get infected.
  • Cybercriminals aren’t interested in the PCs of consumers.

How to Protect Yourself from Malware

1. Make Sure Your PC Is Updated and Secure

The software on your PC isn’t perfect. It may contain exploits or security holes that make it possible for your machine to be infected easily. You need to make sure you have your applications updated or you’re increasing your risk of infection.

Of course, we also recommend always running updated Internet security that includes anti-virus, spyware, and firewall. Browsing protection is another layer of security that can keep you from clicking on the wrong links.

2. Be Very Skeptical of Random Pop-Up Windows, Error Messages and Attachments

Avoid clicking on any pop-ups that imitate your Windows error messages or error messages that come up when you try to close a page. If any software begins to install itself, close immediately and run a scan with your Internet security software. You can also use our online scanner for free.

Avoid opening attachments at all unless you were expecting them and they come from a source you trust. If you can’t verify the source or if you feel anxious about a particular attachment, yet you feel that you have to open it, you can download it to your hard drive and have your updated Internet security scan the file before you open it.

3. Remove Spam from Your Life

If you get a piece of spam, let your mail software know. Identify it as spam. Better to let your software handle it.

4. Think Thrice before Installing Any New Software

Installing software should never be an impulse decision. Some people say think twice before downloading any software from a source you do not trust 100%. I say think three times.

At the very least, Google the name of a product you want to install. If you’re at all uncertain about whether to click download, consult with a tech savvy friend or your company’s IT guy.

Conclusion

Malware attack incidents are happening very often these days. This article should assist you to reveal the truth behind them. Malware analysis is a very important step toward knowing about each malware that aims at your destruction. This enables you to think over the incidents happening around you and then you can think about the solution you can go for. There are certain myths that people follow but that are not true. By following the proper methodology of malware analysis, you can find the attacker/hacker.

Reference