Tuesday, October 23, 2012

Malware Analysis Tutorial 34: Evaluation of Automated Malware Analysis Tools CWSandBox, PeID, and Other Unpacking Tools

Learning Goals:
  1. Understand Design Principles of Automated Malware Analysis Systems
  2. Hands-on Experiences with CWSandBox and Packer Identification Tools
Applicable to:
  1. Operating System Security
1. CWSandBox

We first examine another automated malware analysis tool, CWSandBox (since renamed GFI Sandbox). The tool is available at http://www.gfi.com/malware-analysis-tool. CWSandBox monitors the sample from inside its own process: it injects a DLL that hooks the Windows API functions of interest and logs every call. Anubis, by contrast, observes the sample from outside the guest by running it under a modified QEMU emulator. A user-mode hook has a known blind spot: anything that enters the kernel directly rather than through the hooked API functions (a raw system call, or an exception-based trick such as Max++'s INT 2D) is never logged. We take the same approach as in the previous tutorial and submit a modified version of Max++ so that we can examine the report CWSandBox generates. Unfortunately, the server was not able to generate a report for us within 24 hours.

2. VirusTotal
We then submitted the modified version of Max++ to VirusTotal (http://www.virustotal.com), an aggregation service that scans each submission with many antivirus engines and reports every engine's verdict. We explicitly requested a fresh re-analysis of the modified version rather than a cached result. Figure 1 shows the result from VirusTotal (the list of detection engines is long).

Figure 1. Results by Virus Total on Modified Max++
As shown in Figure 1, most signature-based engines (ClamAV among them) did not flag the modified version of Max++ as malicious, even though it is functionally equivalent to the original: we only inserted two NOP instructions after the INT 2D trick. Among the engines that did detect it, DrWeb placed it in the MaxPlus.6 family, and most of the others labelled it Smiscer or Sirefef.

Interestingly, if we submit the original version of Max++ to VirusTotal, we get the results shown in Figure 1.5. This time ClamAV identifies it as "Trojan.Dropper". The difference shows how brittle a fixed byte-sequence signature is: two inserted bytes shift everything that follows them and the exact match fails, while engines that rely on emulation or behavioural features can still fire.

Figure 1.5. Results by Virus Total on Original Version of Max++
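To make concrete why two inserted NOPs are enough to lose most signature-based detections, the following Python script is an added example (not part of the original tutorial and not ClamAV's code). It runs a naive exact-bytes signature and a wildcard signature, written in the style of a ClamAV body signature ('??' for one arbitrary byte, '{n-m}' for a gap of n..m bytes), over two constructed byte strings that stand in for the Max++ code around INT 2D. The byte strings, both signatures and the small matcher are constructed for illustration; they are not the real Max++ bytes or any published signature.

```python
"""Added example: why two inserted NOPs break an exact byte signature but
not a wildcard one. The byte strings, both signatures and the matcher are
constructed for illustration; they are not Max++'s real bytes, not ClamAV
code, and not any published signature."""
import hashlib
import re

# Constructed stand-in for the code around the INT 2D trick (CD 2D):
# PUSH EBP; XOR EAX,EAX; INT 2D; TEST EAX,EAX; JZ +0x0A; XOR ECX,ECX; MOV EAX,1; XOR EBX,EBX; RET
ORIGINAL = bytes.fromhex("55" "31c0" "cd2d" "85c0" "740a" "31c9" "b801000000" "31db" "c3")
# The "modified" sample: two NOPs (90 90) inserted right after INT 2D.
MODIFIED = bytes.fromhex("55" "31c0" "cd2d" "9090" "85c0" "740a" "31c9" "b801000000" "31db" "c3")

# A naive signature: the exact bytes from INT 2D through XOR ECX,ECX.
EXACT_SIG = "cd2d85c0740a31c9"
# ClamAV-style body signature: '{0-8}' tolerates 0..8 arbitrary bytes after
# INT 2D, and '??' ignores the JZ displacement byte.
WILDCARD_SIG = "cd2d{0-8}85c074??31c9"


def sig_to_regex(sig):
    """Translate hex / '??' / '{n-m}' signature syntax into a bytes regex."""
    out, i = [], 0
    while i < len(sig):
        if sig.startswith("??", i):
            out.append(b".")
            i += 2
        elif sig[i] == "{":
            j = sig.index("}", i)
            lo, hi = sig[i + 1:j].split("-")
            out.append(b".{%d,%d}" % (int(lo), int(hi)))
            i = j + 1
        else:
            out.append(re.escape(bytes.fromhex(sig[i:i + 2])))
            i += 2
    return b"".join(out)


def matches(sig, data):
    # DOTALL so a wildcard also matches 0x0A, which is a newline to the regex engine.
    return re.search(sig_to_regex(sig), data, re.DOTALL) is not None


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def evaluate(data):
    """Verdict of each detection method for one sample."""
    return {"exact": matches(EXACT_SIG, data),
            "wildcard": matches(WILDCARD_SIG, data),
            "sha256": sha256(data)}


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(label, evaluate(sample))
```

The exact signature and the file hash both stop matching the moment two bytes are inserted; the wildcard signature still matches because its gap element absorbs the NOPs. Tightening the gap to '{0-1}' would make it fail again, which is the trade-off a signature author faces between robustness and false positives.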

3. Packer Identification Tools
As introduced in Malware Analysis Tutorial 6 (Self-Decoding and Self-Extracting Code Segment), Max++ unpacks itself at run time. It is interesting to check whether its author used an existing packer such as UPX. We used three packer identification tools, PeID, RDGPacker Detector, and ExeInfoPE, to examine the modified version of Max++. All three are freely available on the Internet. Tools of this kind work mainly by comparing the bytes at the program's entry point against a database of known packer stubs, supplemented by heuristics such as section names and section entropy, so a negative result only means that no known stub was recognised.

Neither PeID nor RDGPacker Detector found a known packer on the Max++ code. Figures 2 and 3 show the output of these two tools.

Figure 2. Results by PeID

Figure 3. Result by RDGPacker Detector

Only ExeInfoPE reports that three sections of Max++ appear to be packed with a UPX-like algorithm (it does not positively identify UPX). Figure 4 shows the report by ExeInfoPE.
Figure 4. Report by ExeInfoPE

The conclusion is that Max++ did not use any off-the-shelf packer to pack its code. Its multi-layer packing is a custom algorithm (although not a very complex one). This is consistent with what the tools showed: no known entry-point stub, yet sections whose contents look compressed or encrypted. A custom unpacking loop will never be in a signature database, so for samples like this the section-level heuristics are the only signal these tools can give.
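The following Python script is an added example, not the tutorial's own code and not the code of PeID, RDGPacker Detector or ExeInfoPE, of the two checks such tools perform: it parses the PE header by hand, looks up the bytes at the entry point against a PeID-style signature table, and computes Shannon entropy per section as a "packed section" heuristic. The single UPX entry in the table is an abbreviated prefix of the classic UPX 1.x stub (PUSHAD; MOV ESI,src; LEA EDI,[ESI+delta]; PUSH EDI; OR EBP,-1; JMP short), the 7.0 bits/byte threshold is an assumption, and the three PE images it builds are constructed test inputs; the "custom-packed" one mimics the Max++ situation, high-entropy sections but no known stub.

```python
"""Added example: PeID-style entry-point signature lookup plus per-section
entropy, with a hand-written PE reader (no pefile dependency).

Not the tutorial's code and not PeID/RDG/ExeInfoPE's code; the signature
table, the entropy threshold and the test images are constructed assumptions.
"""
import math
import struct

# Entry-point signatures in PeID style: hex bytes, '??' = any single byte.
# The UPX entry is an abbreviated prefix of the classic UPX 1.x stub
# (PUSHAD; MOV ESI,src; LEA EDI,[ESI+delta]; PUSH EDI; OR EBP,-1; JMP +10h).
SIGNATURES = {
    "UPX (abbreviated stub prefix)": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10",
}
PACKED_ENTROPY = 7.0   # assumption: above this many bits/byte a section looks compressed/encrypted


def sig_matches(sig, data):
    toks = sig.split()
    return len(data) >= len(toks) and all(
        t == "??" or int(t, 16) == b for t, b in zip(toks, data))


def entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(img):
    """Entry-point RVA and section table of a PE32/PE32+ image."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", img, 0x3C)[0]          # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24                                        # optional header
    ep_rva = struct.unpack_from("<I", img, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for k in range(nsec):
        off = opt + opt_size + 40 * k                    # 40-byte section headers
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", img, off)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "va": va, "size": max(vsize, rawsize),
                         "raw": img[rawptr:rawptr + rawsize]})
    return ep_rva, sections


def analyze(img):
    ep, sections = parse_pe(img)
    ep_sec = next((s for s in sections if s["va"] <= ep < s["va"] + s["size"]), None)
    ep_bytes = ep_sec["raw"][ep - ep_sec["va"]:] if ep_sec else b""
    return {
        "packer": next((n for n, s in SIGNATURES.items() if sig_matches(s, ep_bytes)), None),
        "ep_section": ep_sec["name"] if ep_sec else None,
        "entropy": {s["name"]: round(entropy(s["raw"]), 2) for s in sections},
        "packed_sections": [s["name"] for s in sections if entropy(s["raw"]) > PACKED_ENTROPY],
    }


def build_pe(sections, ep_rva):
    """Constructed minimal PE32 image for testing: [(name, va, raw_bytes), ...]."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, ep_rva)              # AddressOfEntryPoint
    hdr_end = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    rawptr = (hdr_end + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    table, body = b"", b""
    for name, va, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va,
                             len(raw), rawptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return img.ljust(rawptr, b"\0") + body


# Constructed test inputs (not bytes from any real sample).
HIGH_ENTROPY = bytes(range(256)) * 16                    # exactly 8.0 bits/byte
UPX_STUB = bytes.fromhex("60BE00904000" "8DBE0080FFFF" "57" "83CDFF" "EB10")
CUSTOM_STUB = bytes.fromhex("558bec83ec10cd2d9090")      # stand-in for a custom unpacker entry
UPX_LIKE = build_pe([(b"UPX0", 0x1000, b""), (b"UPX1", 0x9000, HIGH_ENTROPY + UPX_STUB),
                     (b".rsrc", 0xB000, b"\0" * 64)], ep_rva=0x9000 + len(HIGH_ENTROPY))
CUSTOM_PACKED = build_pe([(b".text", 0x1000, CUSTOM_STUB + HIGH_ENTROPY),
                          (b".data", 0x2000, b"\0" * 64)], ep_rva=0x1000)
PLAIN = build_pe([(b".text", 0x1000, bytes.fromhex("558bec") + b"\x90" * 500)], ep_rva=0x1000)

if __name__ == "__main__":
    for label, img in (("UPX-like", UPX_LIKE), ("custom-packed", CUSTOM_PACKED), ("plain", PLAIN)):
        print(label, analyze(img))
```

To run it on a real file, call analyze(open(path, "rb").read()). A None from the signature lookup means only that no known stub matched at the entry point; the entropy column is what still says "packed", which is the pattern the three tools showed on Max++.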