Friday, December 28, 2012

Malware Analysis #1 Protip

As someone who does malware analysis and reversing one of the first things I do to get some quick intel on a sample is I run it against a virus engine. Specifically, I use (VT). A lot of people are already familiar with and use VT. If you are not familiar, VT is an aggregation of virus scanning engines that anyone can submit their samples to online and receive a report of which engine detected what signature. VT has many practical uses within information security, and has two methods of submitting samples. You can upload the file, or you can submit a hash of the file. VT also has two important features that are more to the point of this post. VT has a public API that allows anyone to automate submissions, as well as a database feature which archives all the submission and records their results. This database feature is what allows for the hash search function.

One of the biggest mistakes I see people making when using VT as a malware analysis tool is uploading the sample, period. Below is a screen shot of a sample submitted to VT. Notice the last data point, the ‘Analysis date’:

This date shows when the sample was analyzed. This is a big deal because if you can see that date, then so can the bad guy that sent you the malware! For a while I've explained this to people but haven’t been able to prove it until I saw a tweet from @mubix today where he released a ruby script called VT-Notify (link here) to do exactly this. The script runs in a loop that periodically checks VT for the file and reports back via a log or email once the file has been detected. Not just detected in by A/V in general, but actually detected by your target since VT is a manual process that requires a user with suspicion to upload the file.

Since VT is usually my first stop performing malware analysis, if I upload the file, and it warns the bad guy, then by the time I get to actually reversing the malware and understanding its purpose, the bad guy could have easily packed up shop, crafted a new payload and re-engaged me.

Without further ado, the #1 Malware Analysis Protip is STOP uploading your files to VT. Start with a hash search. If nothing was found then chances are it is custom malware targeted to just a few people; handle with care. The longer the attacker thinks their payload is not detected, the longer they will try and use it and the more time you have!

I hope this helps anyone beginning their journey into malware analysis or anyone that realizes how much they are tipping their hand by submitting those files. Also, a big thanks to @mubix for creating a well written script that showcases the issue with this problem. Mubix makes a point that the script can be used in other do-good style fashions for monitoring critical directories. Definitely take some time to check it out.