Update: In an attempt to get the link for the first script, I mistakenly put the link for another script. Fixed now. Thanks Michael for the "oops" :)

Ok ok, the "System" in the title may be a bit much for what this diary will show, but it will give you a good idea of how to start building your own analysis system using open source and free tools. For the first part of this diary we will focus on PE files, using three different tools for static analysis:

1) Pescanner.py - http://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py
2) Adobe Malware Classifier - http://blogs.adobe.com/asset/tag/malware-classification
3) sigcheck.exe (via Wine) - http://technet.microsoft.com/en-us/sysinternals/bb897441

The first tool comes from the great Malware Analyst's Cookbook, whose authors made all of the code available via Google Code (the malwarecookbook project). It is a collection of Python scripts used throughout the chapters. The one I will show here is pescanner.py, which uses the pefile module to dump a PE file's metadata, sections (with their entropy), imports, resources and version information, and marks values it considers suspicious. The following example is its output for a known malware sample:
Meta-data
============================================================
File:    wire-report.pdf.exe
Size:    190464 bytes
MD5:     0a0b73f2652f242e255ac9c1a7724dda
SHA1:    5ad43440eaf1c30b9e320a0ea06754ad67e9d66f
Date:    0x29EB59F0 [Tue Apr 14 22:17:20 1992 UTC] [SUSPICIOUS]
EP:      0x402a00 (.text)

Resource entries
============================================================
Name          RVA        Size       Type
------------------------------------------------------------
RT_VERSION    0x3b058    0x3ec

Suspicious IAT alerts
============================================================
CreateProcessW
CreateProcessA

Sections
============================================================
Name       VirtAddr     VirtSize     RawSize      Entropy
------------------------------------------------------------
.text      0x1000       0x7000       0x7000       2.397724
.rdata     0x8000       0x2e000      0x23800      7.231950     [SUSPICIOUS]
.data      0x36000      0x3000       0x2600       2.536738
.ndata     0x39000      0x1000       0x800        3.405680
.ndata     0x3a000      0x1000       0x800        3.405680
.rsrc      0x3b000      0x444        0x600        3.980035

Version info
============================================================
LegalCopyright: Copyright (C) 2000-2010 TightVNC Group
InternalName: vncviewer
FileVersion: 1.5.2.0
CompanyName: TightVNC Group
PrivateBuild:
LegalTrademarks:
Comments: Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.
ProductName: TightVNC Win32 Viewer
SpecialBuild:
ProductVersion: 1.5.2.0
FileDescription: vncviewer
OriginalFilename: vncviewer.exe
Translation: 0x0409 0x04b0
---
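The [SUSPICIOUS] markers in that report come from three cheap header checks: the PE compile timestamp, the Shannon entropy of each section's raw data, and the section that holds the entry point. As an added example (this is not pescanner's code and not part of the original diary), the Python below reimplements those three checks by walking the PE headers with struct, so it needs no third-party module, and builds a constructed PE32 image that mirrors the report's findings (a 1992 timestamp and an .rdata section with maximal entropy). The 7.0 entropy threshold, the year-2000 cut-off and the list of "normal" code section names are this example's heuristics.

```python
"""
Minimal static triage of a PE file in the spirit of pescanner.py: compile
timestamp sanity, per-section Shannon entropy and the section holding the
entry point. Added example, not pescanner's own code; it parses the DOS/COFF
headers and section table with struct so it runs without pefile.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

ENTROPY_THRESHOLD = 7.0   # heuristic: above this a section is likely packed/encrypted (max 8.0)
CODE_SECTIONS = {".text", "code", "init", "page"}   # heuristic: where a normal entry point lives


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Parse e_lfanew, the COFF header, AddressOfEntryPoint and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header for PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", blob, opt + opt_size + 40 * i)   # first 24 of the 40-byte entry
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize]),
        })
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(blob: bytes, now=None) -> list:
    """Return pescanner-style alert strings for the timestamp, entropy and EP checks."""
    pe = parse_pe(blob)
    now = now or datetime.now(timezone.utc)
    alerts = []
    built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    # Heuristic: a link time before 2000 or in the future is rarely genuine.
    if built.year < 2000 or built > now:
        alerts.append(f"[SUSPICIOUS] compile time {built:%Y-%m-%d %H:%M:%S} UTC")
    for s in pe["sections"]:
        if s["entropy"] > ENTROPY_THRESHOLD:
            alerts.append(f"[SUSPICIOUS] {s['name']} entropy {s['entropy']:.2f}")
    ep = section_for_rva(pe["sections"], pe["entry_rva"])
    if ep is None:
        alerts.append(f"[SUSPICIOUS] EP 0x{pe['entry_rva']:x} outside all sections")
    elif ep["name"].lower() not in CODE_SECTIONS:
        alerts.append(f"[SUSPICIOUS] EP 0x{pe['entry_rva']:x} in {ep['name']}")
    return alerts


def build_sample() -> bytes:
    """Constructed PE32 image (not a real binary): 1992 timestamp from the diary's
    report, a low-entropy .text holding the entry point, and an 8.0-entropy .rdata."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0x29EB59F0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 16, 0x1000)                # entry point RVA -> .text
    sect = 0x58 + 0xE0                                            # section table follows the optional header
    struct.pack_into("<8sIIII", hdr, sect, b".text", 0x1000, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, sect + 40, b".rdata", 0x1000, 0x2000, 0x1000, 0x400)
    text = (b"\x55\x8b\xec\x5d\xc3" * 103)[:0x200]               # repetitive "code", entropy ~2.3
    rdata = bytes(range(256)) * 16                               # every byte equally often: entropy 8.0
    return bytes(hdr) + text + rdata


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```

Running it prints the timestamp and .rdata alerts, the same two findings the report above makes about wire-report.pdf.exe. The timestamp check needs one caveat in practice: binaries built with Delphi carry a fixed June 1992 link time, so an old date on its own is a hint rather than a verdict.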
Several things stand out in this report. First, the compile timestamp (the PE header's TimeDateStamp) is 1992, which is not plausible for a binary built for current Windows and is a field an author can set to anything. Second, the .rdata section has an entropy of 7.23, close to the 8.0 maximum, which suggests compressed or encrypted content, i.e. the file may be packed; it is also far larger than .text, where the code should be. Third, while the file name is wire-report.pdf.exe, the version resource claims the file is the TightVNC Win32 viewer (vncviewer.exe), which does not match the name it was delivered under. The script also lets you integrate YARA rules, making it even more powerful. And if you want to identify the packer, consider the Python script that fellow Handler Jim Clausing wrote a few years ago: http://handlers.sans.org/jclausing/packerid.py

--

The second tool was created by a former co-worker, now working at Adobe. It is another Python script that checks different characteristics of a PE file and returns one of three results: 1, 0 or UNKNOWN.
According to the Adobe page, the "Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.”"
Example:

pedros-MacBook-Pro:samples ppbuen0$ python AdobeMalwareClassifier.py -f wire-report.pdf.exe
1

which means malicious.

---

The third tool is from Sysinternals and is called Sigcheck. It tells you whether a file carries a valid Authenticode signature and dumps its version information, which helps with your assessment. If you want to run it on Linux together with the other Python tools, consider Wine :). The output below is for the same exe as in the previous examples:
Verified: Unsigned
File date: 10:59 AM 8/9/2011
Publisher: TightVNC Group
Description: vncviewer
Product: TightVNC Win32 Viewer
Version: 1.5.2.0
File version: 1.5.2.0
Strong Name: Unsigned
Original Name: vncviewer.exe
Internal Name: vncviewer
Copyright: Copyright (C) 2000-2010 TightVNC Group
Comments: Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.

Just to compare, these are two outputs from other files:
1) Malware:

Verified: Unsigned
File date: 5:41 AM 9/28/2012
Publisher: Microsoft Corporation
Description: Microsoft (R) Internet Common
Product: Microsoft(R) Windows(R) Operating System
Version: 6, 0, 2900, 3138
File version: 6, 0, 2900, 3138

2) Windows ARP:

Verified: Signed
Signing date: 10:07 PM 4/13/2008
Publisher: Microsoft Corporation
Description: TCP/IP Arp Command
Product: Microsoft® Windows® Operating System
Version: 5.1.2600.0
File version: 5.1.2600.0 (xpclient.010817-1148)

Note that Publisher, Description and Product come straight from the file's version resource, which anyone can fill in: the malware above claims Microsoft Corporation as its publisher exactly as arp.exe does. Only the Verified line reflects a checked Authenticode signature, so a claimed vendor on an unsigned file is a red flag, not evidence of origin.
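Those comparisons suggest a few mechanical rules an analyst can run over sigcheck output: an unsigned file that names a vendor whose binaries are always signed, a delivered name that differs from the OriginalFilename in the version resource, and a double extension. The Python below is an added example (not sigcheck's or the diary's code) that parses sigcheck's "Key: Value" lines and applies those rules; the publisher watchlist, the extension list and the alert wording are this example's assumptions, and the three sample reports reproduce the outputs quoted above (the on-disk name of the second sample is not given in the diary, so a placeholder is used).

```python
"""
Triage rules over sigcheck's text output. Added example, not sigcheck's or the
diary's code: the watchlist, the extension list and the alert wording are this
example's assumptions. The sample reports reproduce the three outputs above.
"""
import re

# Assumption: vendors whose shipped binaries you expect to carry a verified signature.
WATCHED_PUBLISHERS = {"Microsoft Corporation"}
# Assumption: document-like extensions that should never sit in front of .exe.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|txt)\.exe$", re.IGNORECASE)


def parse_sigcheck(text: str) -> dict:
    """Map sigcheck's 'Key: Value' lines to a dict. Split on the first colon only:
    values such as 'File date: 10:59 AM 8/9/2011' contain further colons."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def triage_sigcheck(disk_name: str, text: str) -> list:
    """Return alert strings for one sigcheck report, given the name the file arrived under."""
    f = parse_sigcheck(text)
    alerts = []
    if f.get("Verified") != "Signed":
        # Without a verified signature every other line is self-declared resource data.
        alerts.append("unsigned: %s" % f.get("Verified", "n/a"))
        if f.get("Publisher") in WATCHED_PUBLISHERS:
            alerts.append("[SUSPICIOUS] unsigned file claims publisher %s" % f["Publisher"])
    orig = f.get("Original Name")
    if orig and orig.lower() != disk_name.lower():
        alerts.append("[SUSPICIOUS] delivered as %s but OriginalFilename is %s" % (disk_name, orig))
    if DOUBLE_EXT.search(disk_name):
        alerts.append("[SUSPICIOUS] double extension in %s" % disk_name)
    return alerts


# Sample reports reconstructed from the diary's sigcheck output (constructed input).
SIGCHECK_VNC = """\
Verified:       Unsigned
File date:      10:59 AM 8/9/2011
Publisher:      TightVNC Group
Description:    vncviewer
Product:        TightVNC Win32 Viewer
Version:        1.5.2.0
File version:   1.5.2.0
Strong Name:    Unsigned
Original Name:  vncviewer.exe
Internal Name:  vncviewer
Copyright:      Copyright (C) 2000-2010 TightVNC Group
Comments:       Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.
"""

SIGCHECK_FAKE_MS = """\
Verified:       Unsigned
File date:      5:41 AM 9/28/2012
Publisher:      Microsoft Corporation
Description:    Microsoft (R) Internet Common
Product:        Microsoft(R) Windows(R) Operating System
Version:        6, 0, 2900, 3138
File version:   6, 0, 2900, 3138
"""

SIGCHECK_ARP = """\
Verified:       Signed
Signing date:   10:07 PM 4/13/2008
Publisher:      Microsoft Corporation
Description:    TCP/IP Arp Command
Product:        Microsoft® Windows® Operating System
Version:        5.1.2600.0
File version:   5.1.2600.0 (xpclient.010817-1148)
"""

if __name__ == "__main__":
    for name, report in (("wire-report.pdf.exe", SIGCHECK_VNC),
                         ("sample2.exe", SIGCHECK_FAKE_MS),   # placeholder: name not in the diary
                         ("arp.exe", SIGCHECK_ARP)):
        print(name, triage_sigcheck(name, report) or ["no alerts"])
```

The first report triggers the name mismatch and double-extension rules, the second the watched-publisher rule, and arp.exe produces nothing. Keep the watchlist rule honest: sigcheck must be run in a mode that verifies the file the way Windows does, since a release that is catalog-signed rather than embedded-signed will otherwise show up as Unsigned and flood the list.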
--

Hopefully this will help you start your own analysis system. In the next part of this diary we will look at tools/scripts for non-PE files and integrate them.

--

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

Pedro, ISC Handler, Oct 14th 2012
For the not so hands on, what are your thoughts on using virustotal, wepawet and other online systems to diagnose files and URLs?
Dean, Oct 15th 2012
Never thought I'd see the handlers recommend Wine.
Dean, Oct 15th 2012