
How to analyze a virus

  • 07-08-2009 9:58am
    #1
    Registered Users, Registered Users 2 Posts: 525 ✭✭✭


    Hoping someone can help me here.

    I have isolated a virus on my network. I have taken the infected machine off the network and located the files related to it. Now I would like to analyze the virus and see who it was communicating with. I've never tried something like this before but wouldn't mind giving it a shot. My programming knowledge would be very limited; would I be wasting my time trying something like this, or are there any handy programmes out there that would allow me to monitor the actions of the file?

    Thanks


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    You could set up VMware with WinXP or Vista, whatever you had installed.
    Use wireshark to watch network activity and process monitor for file system access.

    Use compiler/crypter/packer detection utilities as well as debuggers and disassemblers for analysing the code.

    The debugging and disassembly requires knowledge of programming for that particular operating system as well as an understanding of low-level assembly language, the PE format, and various anti-debugging / anti-disassembly tricks.

    If it's a kernel based rootkit, you're gonna need knowledge of kernel programming, driver development for example, just to understand how it works, plus detailed knowledge of the registry, file system, how everything functions, and where things can be hidden.

    I've never had the privilege of analysing viruses in the wild, but I've done enough assembly programming, which helps in disassembling/analysing code.

    Once you've done enough programming on windows and you're familiar with assembly language, disassembling programs isn't as difficult as you'd think.

    Reverse engineering is a huge subject nowadays, so it might be easier to get an anti-virus company, which gets paid to spend time analysing this, to do it rather than doing it yourself.

    You might also want to check out the VirusTotal site; it uses 40 odd scanners to check out the executable for anything malicious.


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    Thanks Martyr,

    I wouldn't be concerned with sending it away to a security company, I'm more just interested in doing it as a little project for myself. I know the file is malicious (it's ms18_word.exe and contains Backdoor.Win32.Harehop.ho).

    I obviously don't want to connect the machine back up to the internet via my own network, so I'll see if I can track down a 3G card I have somewhere and run Wireshark on it to see if there is any traffic running on it. Only started exploring Wireshark last week so still getting to grips with it. I suppose this would be a good way to see what is going on alright.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Try the Sysinternals site also.

    Three tools there I find very useful are Process Explorer, Autoruns and Process Monitor.

    You can obtain a freeware edition of IDA Pro.

    PEiD is quite useful for signatures.

    ap0x made up a reversing labs kit if you want a look.

    He and a couple of other guys are also working on a generic unpacking software, called Titan.

    Windows debugging tools are very useful too.


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    Step one

    Unless you need/really want to reverse engineer it all, don't; it's a lot of effort (see step 1).

    1. Use this:
    http://www.norman.com/security_center/security_tools/submit_file/54583/en


    2. The fooker is smart
    Break out the cracking tools listed above (virtual machines are good for this but not great)


    3. Profit


    If it's something you want to try to learn, start with OllyDbg tutorials, or some of the links below may also help. (There are other debuggers if you want to dig around.)

    http://www.ollydbg.de/
    http://www.securityfocus.com/infocus/1880
    http://www.learnsecurityonline.com/forums?func=view&catid=16&id=76
    http://www.openrce.org/articles/


    Best of luck


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    Some great advice here lads, thanks.

    I connected the laptop with the virus to the internet via a 3G card today, and used Wireshark to do a packet capture for a couple of minutes. Nothing out of the ordinary (as far as I could see) was happening, just some communication between the machine and Vodafone (3G card provider).

    Then I clicked on my suspected virus .exe file and noticed some strange traffic, and I'm just wondering if you guys could help me confirm my suspicions?

    In the space of the minute or so that it was running after clicking the exe file, Wireshark captured a lot of SMTP traffic. Would I be right in thinking my computer was attempting to SPAM other mail servers? I've listed a few lines of the capture below. At this time I was doing nothing else on the machine.

    4919 47.187500000 88.214.192.192 78.152.206.46 SMTP S: 554 mail.hqhost.net ESMTP not accepting messages | 250 mail.hqhost.net Hello [78.152.206.46], pleased to meet you
    4874 46.890625000 78.152.206.46 88.214.192.192 SMTP C: HELO xveltbiqxfnuckqxfnudkrahpxfmubip
    4805 46.343750000 78.152.206.46 206.161.193.131 SMTP C: HELO xyhpxfnucjryhpwfmtaipxgovemudksa
    4683 45.500000000 78.152.206.46 217.112.42.216 SMTP C: QUIT
    4681 45.500000000 217.112.42.216 78.152.206.46 SMTP S: 221 2.0.0 Bye
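The capture lines quoted above show the two signs a defender looks for in a spam bot: one host opening SMTP sessions to many different external mail servers in a short window, and HELO names that are long random letter strings rather than hostnames. The following is an added example, not code from the thread or from any tool named in it; it parses Wireshark-style summary lines (the five from the post plus constructed ones) and flags both patterns. The entropy and length thresholds are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample in the Wireshark summary format quoted in the thread:
# frame, time, src, dst, protocol, direction, info. The first five lines are
# from the post; the remaining lines are made up here to extend the pattern.
CAPTURE = """\
4919 47.187500000 88.214.192.192 78.152.206.46 SMTP S: 554 mail.hqhost.net ESMTP not accepting messages
4874 46.890625000 78.152.206.46 88.214.192.192 SMTP C: HELO xveltbiqxfnuckqxfnudkrahpxfmubip
4805 46.343750000 78.152.206.46 206.161.193.131 SMTP C: HELO xyhpxfnucjryhpwfmtaipxgovemudksa
4683 45.500000000 78.152.206.46 217.112.42.216 SMTP C: QUIT
4681 45.500000000 217.112.42.216 78.152.206.46 SMTP S: 221 2.0.0 Bye
4601 44.100000000 78.152.206.46 198.51.100.7 SMTP C: HELO qzxvkjrpwmtnbghsdlfqzxvkjrpwmtn
4590 43.900000000 78.152.206.46 203.0.113.9 SMTP C: HELO wbrtkplmzqxvnjsdgfhwbrtkplmzqxv
4550 43.500000000 78.152.206.46 192.0.2.25 SMTP C: HELO laptop.example.com
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+SMTP\s+(?P<dir>[CS]):\s+(?P<info>.*)$"
)

def shannon_entropy(text):
    """Bits of entropy per character; random letter strings score near log2(26)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_random_helo(name, min_len=20, min_entropy=3.5):
    # A legitimate HELO is normally a dotted hostname; the bot-generated ones in
    # the capture are long, dotless, high-entropy letter strings (assumed thresholds).
    return "." not in name and len(name) >= min_len and shannon_entropy(name) > min_entropy

def analyse(capture, host):
    """Summarise outbound SMTP behaviour of `host` from Wireshark summary lines."""
    servers, helos, random_helos = set(), [], []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != host or m["dir"] != "C":
            continue                      # keep only client-side traffic from the host
        servers.add(m["dst"])
        helo = re.match(r"HELO\s+(\S+)", m["info"])
        if helo:
            helos.append(helo.group(1))
            if looks_random_helo(helo.group(1)):
                random_helos.append(helo.group(1))
    return {"distinct_smtp_servers": len(servers),
            "helo_count": len(helos),
            "random_helos": random_helos}

if __name__ == "__main__":
    print(analyse(CAPTURE, "78.152.206.46"))
```

On a real capture, export the summary pane from Wireshark as plain text and point `analyse` at it with the infected machine's address; a high server count together with random HELOs is the spam-bot signature, while one or two connections to the normal outbound relay is not.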


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    It tried to send an email alright, but the email could have been anything. That server wasn't receiving any emails. It didn't respond to the HELO command.

    Use Process Explorer/procmon/filemon as Martyr says and you'll see what other activity the virus is doing. Perhaps it's pulling information off your machine and attempting to e-mail that back to base.


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    Ya, that was just a sample of the SMTP packets. There were hundreds of SMTP packets generated in the space of 30 seconds or so. I'm away from that machine until tomorrow now, so will have to wait until then to look at it with FileMon.

    I found a second suspect file on the machine as well today, and when I ran that it fairly mangled the machine. Created 4 extra processes, randomly rebooted the machine, disabled ZoneAlarm and wouldn't let me open Task Manager etc. I don't know if it is linked to the original virus. I'm going to be wiping and reimaging the machine anyways, so I don't mind doing all this damage to it.

