Thursday, January 24, 2008
Automated malware analysis
I may be a little late on this, but only today I was introduced to NORMAN Sandbox, an automated sandbox that analyses malware that you can submit to it online. (Update: credits to Sp0oKeR, who pointed the site out to me.)

The system has very nice features. It can identify what the malware does when executed, like registry and file changes, binding to other processes, and outbound network access. It can really simplify the job of analyzing malware.

I tried some code that I'm using on an Ethical Hacking test and it was perfectly identified by the system. Here is a sample of the report (a piece of malware from one of the thousand phishing scams I usually receive in my Gmail account):

Torpedovivo.exe : INFECTED with W32/Downloader (Signature: NO_VIRUS)

[ DetectionInfo ]
* Sandbox name: W32/Downloader
* Signature name: NO_VIRUS
* Compressed: YES
* TLS hooks: YES
* Executable type: Application
* Executable file structure: OK

[ General information ]
* File might be compressed.
* Decompressing PKLite.
* Creating several executable files on hard-drive.
* File length: 57344 bytes.
* MD5 hash: 0615fc502feef76ac4efe3936de2b2b8.

[ Changes to filesystem ]
* Creates file C:WINDOWSiexplorerconfigwin.exe.

[ Network services ]
* Downloads file from http://techevolution.sitesled.com/estrela.exe as C:WINDOWSiexplorerconfigwin.exe.
* Connects to "techevolution.sitesled.com" on port 80.
* Opens URL: techevolution.sitesled.com/estrela.exe.
* Downloads file from as C:WINDOWSiexplorerconfigwin32.exe.
* Connects to "" on port 80.
* Opens URL: /.

[ Security issues ]
* Starting downloaded file - potential security problem.

[ Process/window information ]
* Attemps to NULL http://www.vivo.com.br/portal/home.php .
* Attemps to NULL C:WINDOWSiexplorerconfigwin.exe .
* Creates process "C:WINDOWSiexplorerconfigwin.exe".
* Attemps to NULL C:WINDOWSiexplorerconfigwin32.exe .
* Creates process "C:WINDOWSiexplorerconfigwin32.exe".

[ Signature Scanning ]
* C:WINDOWSiexplorerconfigwin.exe (4096 bytes) : no signature detection.

(C) 2004-2006 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
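For triage, a report in this bracketed-section layout can be parsed and checked for the download-then-execute pattern the sandbox flags under "Security issues". The sketch below is an added example, not part of the original post or of Norman's tooling; the function names are hypothetical, it assumes one item per line, and the sample is an excerpt of the report above with paths exactly as they appear on the page.

```python
import re
from collections import defaultdict

# Excerpt of the report quoted in the post (assumed layout: one item per line).
SAMPLE_REPORT = """\
[ General information ]
* File length: 57344 bytes.
* MD5 hash: 0615fc502feef76ac4efe3936de2b2b8.
[ Network services ]
* Downloads file from http://techevolution.sitesled.com/estrela.exe as C:WINDOWSiexplorerconfigwin.exe.
* Connects to "techevolution.sitesled.com" on port 80.
[ Process/window information ]
* Creates process "C:WINDOWSiexplorerconfigwin.exe".
* Creates process "C:WINDOWSiexplorerconfigwin32.exe".
"""

SECTION = re.compile(r"^\[\s*(.+?)\s*\]$")
DOWNLOAD = re.compile(r"^Downloads file from (\S*) as (.+?)\.$")
PROCESS = re.compile(r'^Creates process "(.+)"\.$')


def parse_report(text):
    """Split a report into {section name: [item, ...]} (hypothetical helper)."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = header.group(1)
        elif line.startswith("* ") and current:
            sections[current].append(line[2:])
    return dict(sections)


def download_and_execute(sections):
    """Return (url, path) pairs where a downloaded file is also started as a process."""
    started = set()
    for item in sections.get("Process/window information", []):
        m = PROCESS.match(item)
        if m:
            started.add(m.group(1).lower())
    hits = []
    for item in sections.get("Network services", []):
        m = DOWNLOAD.match(item)
        # Windows paths are case-insensitive, so compare lowercased.
        if m and m.group(2).lower() in started:
            hits.append((m.group(1), m.group(2)))
    return hits
```

Download entries with an empty source URL, like the second one in the full report, do not match the pattern and are left for manual review.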