Tuesday, October 23, 2012

Malware Analysis Tutorial 34: Evaluation of Automated Malware Analysis Tools CWSandBox, PeID, and Other Unpacking Tools

Learning Goals:
  1. Understand Design Principles of Automated Malware Analysis Systems
  2. Hands-on Experiences with CWSandBox and Packer Identification Tools
Applicable to:
  1. Operating System Security

1. CWSandBox

We first examine the performance of another automated malware analysis tool, CWSandBox (now named GFI Sandbox). The tool is available at http://www.gfi.com/malware-analysis-tool. CWSandBox uses dynamic API hooking (implemented through DLL injection) to monitor the system calls a sample makes; this is similar to the approach taken by the Anubis system. In this article, we intended to examine the report generated by CWSandBox. We took the same approach as in the previous tutorial and submitted a modified version of Max++. Unfortunately, the server was not able to generate a report for us within 24 hours.

2. VirusTotal
We then submitted the modified version of Max++ to VirusTotal (http://www.virustotal.com). This is an aggregation site that runs multiple anti-virus and malware detection engines over a submitted file. We explicitly requested a fresh, start-from-scratch analysis of the modified version (rather than a previously cached result). Figure 1 shows the result from VirusTotal (many virus detection tools are listed).

Figure 1. Results by Virus Total on Modified Max++
As shown in Figure 1, most signature-based tools (including ClamAV) were not able to recognize the modified version of Max++ as malware. Note that the modified version is functionally equivalent to the original Max++: we only inserted two NOP instructions after the INT 2D trick. Among all the engines, DrWeb identified it as belonging to the MaxPlus.6 family, and most of the other engines that flagged it labeled it as Smiscer or Sirefef.

Interestingly, if we submit the original version of Max++ to VirusTotal, we get the results shown in Figure 1.5. This time ClamAV is able to identify it as "Trojan.Dropper".

Figure 1.5. Results by Virus Total on Original Version of Max++
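The difference between Figure 1 and Figure 1.5 comes down to how brittle byte-exact signatures are. The following Python script is an added example, not code from the tutorial or from VirusTotal: it uses constructed instruction bytes (not bytes taken from Max++) to show that a two-NOP insertion after an INT 2D changes the file hash and breaks a fixed byte-run signature, while a signature with a small wildcard gap (the same idea as the `[lo-hi]` jump in YARA rules) still matches both variants. The token format accepted by `compile_wildcard` is this example's own invention, not YARA syntax.

```python
"""Added example: why a byte-exact signature stops matching after a two-NOP
insertion while a wildcard signature survives it. The instruction bytes are
constructed stand-ins, not bytes taken from Max++."""
import hashlib
import re

# Constructed stream: push ebp / mov ebp,esp / INT 2D / mov eax,[ebp+8] / pop ebp / ret
ORIGINAL = bytes.fromhex("55 8b ec cd 2d 8b 45 08 5d c3")
# The same stream with two NOPs (90 90) inserted right after INT 2D, as in the text.
MODIFIED = bytes.fromhex("55 8b ec cd 2d 90 90 8b 45 08 5d c3")


def sha256_hex(data):
    """Whole-file hash: the most brittle signature, any byte change defeats it."""
    return hashlib.sha256(data).hexdigest()


def exact_signature_matches(data, sig):
    """A fixed byte run (what a plain substring signature does)."""
    return sig in data


def compile_wildcard(tokens):
    """Turn a token list into a regex: bytes = literal run, ("skip", lo, hi) = a
    jump of lo..hi arbitrary bytes, the same idea as YARA's [lo-hi] wildcard.
    The token format is this example's own, not YARA syntax."""
    parts = []
    for tok in tokens:
        if isinstance(tok, bytes):
            parts.append(re.escape(tok))
        else:
            _, lo, hi = tok
            parts.append(b".{%d,%d}" % (lo, hi))
    # DOTALL so that a 0x0a byte inside the gap is matched like any other byte
    return re.compile(b"".join(parts), re.DOTALL)


def wildcard_signature_matches(data, tokens):
    return compile_wildcard(tokens).search(data) is not None


# Exact signature: INT 2D immediately followed by mov eax,[ebp+8].
EXACT_SIG = bytes.fromhex("cd 2d 8b 45 08")
# Wildcard signature: INT 2D, up to four bytes of anything, then mov eax,[ebp+8].
WILDCARD_SIG = [bytes.fromhex("cd 2d"), ("skip", 0, 4), bytes.fromhex("8b 45 08")]


def compare():
    """Evaluate each detection method on both variants."""
    return {
        "same_hash": sha256_hex(ORIGINAL) == sha256_hex(MODIFIED),
        "exact_on_original": exact_signature_matches(ORIGINAL, EXACT_SIG),
        "exact_on_modified": exact_signature_matches(MODIFIED, EXACT_SIG),
        "wildcard_on_original": wildcard_signature_matches(ORIGINAL, WILDCARD_SIG),
        "wildcard_on_modified": wildcard_signature_matches(MODIFIED, WILDCARD_SIG),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

Running the script shows the hash and the exact signature both failing on the modified stream while the wildcard signature matches both, which is the behaviour a signature author wants when writing a rule around a fixed landmark such as the INT 2D instruction.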

3. Packer Identification Tools
As introduced in Malware Analysis Tutorial 6 (Self-Decoding and Self-Extracting Code Segment), Max++ has self-unpacking behavior. It is interesting to check whether the malware used any existing packer such as UPX. We used three packer identification tools, PeID, RDG Packer Detector, and ExeInfoPE, to examine the modified version of Max++. All of these tools are freely available on the Internet.

PeID and RDG Packer Detector did not find any known packer used to pack the Max++ code. Figure 2 and Figure 3 show the results of running these tools.

Figure 2. Results by PeID

Figure 3. Result by RDGPacker Detector

Only ExeInfoPE reports that Max++ has 3 sections laid out like a UPX-packed file, i.e., packed with an algorithm similar to UPX (however, it does not positively identify the packer as UPX). Figure 4 shows the report by ExeInfoPE.

Figure 4. Report by ExeInfoPE

The conclusion is that Max++ did not use any existing packer to directly pack its code. Its multi-layer packing scheme is a custom algorithm (although it is not too complex).
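To make the three tools' verdicts concrete (a packer signature hit, the "3 sections like UPX" structural hint, and an entropy-based "unknown packer" guess), here is an added Python example that is not code from the tutorial or from PeID, RDG Packer Detector or ExeInfoPE. It parses the PE section table directly with `struct`, computes per-section Shannon entropy, and applies both kinds of check to three PE images constructed in memory: one with UPX section names, one with the same layout under custom names (what a tool would report as "3 sections like UPX" from an unknown packer), and one ordinary unpacked layout. The entropy threshold and the verdict strings are this example's own choices, not those of any of the tools.

```python
"""Added example: a minimal PE section-table parser with the two kinds of check
a packer identifier applies (a name signature and a structure/entropy heuristic).
All binaries below are constructed in memory; none is real malware."""
import math
import struct

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def shannon_entropy(data):
    """Bits per byte: ~0 for filler, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    off = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for _ in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from(SECTION_HDR, pe, off)[:5]
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "va": va, "rsize": rsize,
                         "entropy": shannon_entropy(raw)})
        off += 40
    return sections


def classify(pe):
    """Signature first (UPX names), then the UPX-like layout: an empty first
    section that is large in memory (the unpack target), a high-entropy second
    section (compressed payload plus stub), and one more section (.rsrc).
    Threshold 7.0 bits/byte is this example's own choice."""
    secs = parse_sections(pe)
    names = [s["name"] for s in secs]
    if any(n.startswith("UPX") for n in names):
        return {"verdict": "UPX (section-name signature)", "sections": names}
    upx_layout = (len(secs) == 3
                  and secs[0]["rsize"] == 0 and secs[0]["vsize"] > 0
                  and secs[1]["entropy"] > 7.0)
    if upx_layout:
        return {"verdict": "unknown packer, 3 sections like UPX", "sections": names}
    if any(s["entropy"] > 7.0 for s in secs):
        return {"verdict": "unknown packer/protector (high-entropy section)", "sections": names}
    return {"verdict": "no packer indicators", "sections": names}


def build_sample_pe(specs):
    """Constructed input: a PE32 whose sections are given as (name, virtual_size,
    raw_bytes). It is parseable but not executable (no entry point, no imports)."""
    nsec, e_lfanew, opt_size = len(specs), 0x40, 0xE0
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * nsec
    size_of_headers = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 60, size_of_headers)  # SizeOfHeaders
    hdrs, blobs, rptr, va = b"", b"", size_of_headers, SECTION_ALIGN
    for name, vsize, data in specs:
        rsize = len(data)
        hdrs += struct.pack(SECTION_HDR, name.encode(), vsize, va, rsize,
                            rptr if rsize else 0, 0, 0, 0, 0, 0xE0000020)
        padded = data + b"\0" * (-rsize % FILE_ALIGN)
        blobs += padded
        rptr += len(padded)
        va += -(-max(vsize, rsize) // SECTION_ALIGN) * SECTION_ALIGN
    header = dos + b"PE\0\0" + coff + bytes(opt) + hdrs
    return header.ljust(size_of_headers, b"\0") + blobs


HIGH_ENTROPY = bytes(range(256)) * 4   # stands in for compressed data (entropy 8.0)
LOW_ENTROPY = b"\x90" * 512            # filler (entropy 0.0)
SAMPLE_UPX = build_sample_pe([("UPX0", 0x8000, b""), ("UPX1", 0x2000, HIGH_ENTROPY), (".rsrc", 0x200, LOW_ENTROPY)])
SAMPLE_CUSTOM = build_sample_pe([(".text", 0x8000, b""), (".data", 0x2000, HIGH_ENTROPY), (".rsrc", 0x200, LOW_ENTROPY)])
SAMPLE_PLAIN = build_sample_pe([(".text", 0x200, LOW_ENTROPY), (".data", 0x100, b"ABCD" * 64)])

if __name__ == "__main__":
    for label, sample in (("upx", SAMPLE_UPX), ("custom", SAMPLE_CUSTOM), ("plain", SAMPLE_PLAIN)):
        print(label, classify(sample))
```

The second sample is the interesting one for this tutorial: no signature matches, yet the layout (an empty first section, a high-entropy second section, a third section) is exactly what a tool means by "3 sections like UPX", and a custom multi-layer packer that borrows that layout would trigger the same hint without ever being identified as UPX.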


  8. Cool blog, I especially enjoyed the kernel mode debugging tutorials. Some tools are missing though in your evaluation (e.g. Malwr). We are working on a malware analysis system right now that implements hybrid analysis technologies (combination of static and dynamic analysis). If you want to read more about the topic or maybe write a blog post about it, please visit our Payload Security Blog or our company site. Please get in touch if you want to try out the tools we are working on.

  9. Nice series of articles. Would be nice to know more about who you are, etc.

  10. Sir, I am doing an M.Tech project on dynamic analysis of trojans. I want to use the Pin (Intel) instrumentation tool; please suggest any better tool, or the pros and cons of using this one.

  11. Explanation of how to read the diagnostic info from Exeinfo PE:

    - Unknown Packer-Protector = no signature in the Exeinfo PE database, but it looks like a protected or packed program
    - 3 sections like UPX = this is info only; 3 sections as in the UPX packer
    - S-Structure other = not UPX; another section structure; this is not UPX!

