Friday, December 28, 2012

Malware Analysis #1 Protip


As someone who does malware analysis and reversing, one of the first things I do to get some quick intel on a sample is run it against a virus engine. Specifically, I use VirusTotal.com (VT). A lot of people are already familiar with and use VT. If you are not familiar, VT is an aggregation of virus scanning engines that anyone can submit their samples to online and receive a report of which engine detected what signature. VT has many practical uses within information security, and has two methods of submitting samples: you can upload the file, or you can submit a hash of the file. VT also has two important features that are more to the point of this post. VT has a public API that allows anyone to automate submissions, as well as a database feature which archives all the submissions and records their results. This database feature is what allows for the hash search function.

One of the biggest mistakes I see people making when using VT as a malware analysis tool is uploading the sample, period. Below is a screenshot of a sample submitted to VT. Notice the last data point, the ‘Analysis date’:

This date shows when the sample was analyzed. This is a big deal: if you can see that date, then so can the bad guy who sent you the malware! For a while I've explained this to people but hadn't been able to prove it until I saw a tweet from @mubix today where he released a ruby script called VT-Notify (link here) that does exactly this. The script runs in a loop that periodically checks VT for the file and reports back via a log or email once the file has been detected. Not just detected by A/V in general, but actually detected by your target, since VT submission is a manual process that requires a user with suspicion to upload the file.

Since VT is usually my first stop when performing malware analysis, if I upload the file and it warns the bad guy, then by the time I get to actually reversing the malware and understanding its purpose, the bad guy could easily have packed up shop, crafted a new payload and re-engaged me.

Without further ado, the #1 Malware Analysis Protip is STOP uploading your files to VT. Start with a hash search. If nothing was found then chances are it is custom malware targeted to just a few people; handle with care. The longer the attacker thinks their payload is not detected, the longer they will try and use it and the more time you have!
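Here is what "start with a hash search" looks like in practice, as an added example that is not code from the original post or from VT-Notify. It computes the SHA-256 locally, asks VT whether that hash is already known, and turns the answer into the triage decision above (a 404 is the "nothing was found" case). The endpoint path, the `x-apikey` header and the `last_analysis_stats` / `first_submission_date` attributes are assumptions taken from VirusTotal's current public API v3 documentation; the 2012 post predates v3. The HTTP transport is injectable, and the `fake_fetch` stub with its constructed sample and response lets the module run offline.

```python
"""Hash-first VirusTotal lookup: query by SHA-256, never upload the sample.

Added example, not code from the original post. Endpoint and field names
follow VirusTotal's public API v3 as documented today (an assumption).
"""
import hashlib
import json
import urllib.error
import urllib.request

# Assumption: v3 file-object lookup, keyed by MD5/SHA-1/SHA-256.
VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def sha256_of(data: bytes) -> str:
    """Lowercase hex SHA-256 of the sample. Only this digest leaves your
    network; the sample itself never does, so no new analysis date appears."""
    return hashlib.sha256(data).hexdigest()


def build_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """GET request for the file object identified by its hash."""
    return urllib.request.Request(
        VT_FILES_ENDPOINT + sha256,
        headers={"x-apikey": api_key, "Accept": "application/json"},
        method="GET",
    )


def http_fetch(req: urllib.request.Request) -> tuple:
    """Real transport: perform the request and return (status, parsed JSON).
    A 404 (hash never seen by VT) is returned as data, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        body = err.read()
        try:
            return err.code, json.loads(body) if body else {}
        except json.JSONDecodeError:
            return err.code, {}


def triage(status: int, body: dict) -> dict:
    """Map a lookup result onto the decision the post describes."""
    if status == 404:
        return {"known_to_vt": False,
                "verdict": "unknown to VT: likely custom/targeted, handle with care"}
    if status != 200:
        return {"known_to_vt": None, "verdict": f"lookup failed with HTTP {status}"}
    attrs = body.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious = int(stats.get("malicious", 0))
    engines = sum(int(v) for v in stats.values())
    first_seen = attrs.get("first_submission_date")  # unix timestamp in v3
    return {"known_to_vt": True, "malicious": malicious, "engines": engines,
            "first_submission_date": first_seen,
            "verdict": f"known to VT: {malicious}/{engines} engines flag it; "
                       f"first submitted at {first_seen}"}


def lookup_sample(data: bytes, api_key: str, fetch=http_fetch) -> dict:
    """Hash the sample, query VT by hash only, and return the triage record."""
    digest = sha256_of(data)
    status, body = fetch(build_lookup_request(digest, api_key))
    result = triage(status, body)
    result["sha256"] = digest
    return result


# Constructed offline transport: one hash VT "knows", everything else is 404.
_KNOWN_SAMPLE = b"constructed sample A"
_KNOWN_RESPONSE = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 37, "undetected": 23},
    "first_submission_date": 1356652800,  # constructed value
}}}


def fake_fetch(req: urllib.request.Request) -> tuple:
    digest = req.full_url.rsplit("/", 1)[1]
    if digest == sha256_of(_KNOWN_SAMPLE):
        return 200, _KNOWN_RESPONSE
    return 404, {"error": {"code": "NotFoundError"}}


if __name__ == "__main__":
    # Offline demo; swap fetch=http_fetch and a real key for live lookups.
    for sample in (_KNOWN_SAMPLE, b"constructed sample B, never uploaded"):
        print(lookup_sample(sample, "DUMMY-API-KEY", fetch=fake_fetch)["verdict"])
```

The `known_to_vt: False` branch is the one the post tells you to treat with care: nothing is gained by uploading at that point, and doing so would stamp an analysis date on the sample for the sender to watch. Upload comes later, after containment, if you decide to contribute the sample back.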

I hope this helps anyone beginning their journey into malware analysis, or anyone who realizes how much they are tipping their hand by submitting those files. Also, a big thanks to @mubix for creating a well-written script that demonstrates this problem. Mubix makes a point that the script can be used in other do-good style fashions for monitoring critical directories. Definitely take some time to check it out.

2 comments:

  1. This is very good writing, JC. You explained the double-sided blade of VT in well-described words.

    Understanding this, I never upload my sample BEFORE I have analyzed it and BEFORE I have made the reports/precautions related to the infections. That is why I always do, and urge everyone to do, analysis of samples manually.

    In my personal opinion, it is morally impossible for an analyst to submit such evidence to public view before doing a proper analysis & reports. Furthermore, uploading a sample w/o putting a useful comment into it.

    Tried hard to explain the same thing, but too bad, a lot of good guys think that uploading a sample to VT will stop the infection from going further.

    Read this blog well, friends, and in the future, please take the effort to understand what the sample is, where it came from, how those evil things work, and report to the experts or authorities before submitting to VT (writing useful comments on it to be used for tracking evidence).

  2. Good point unixfreaxjp, I agree and may not have been clear. The point of this post was that you should never upload to VT, but only after you have done your own analysis, containment, eradication and recovery within your network as well as updated your defenses to protect against the threat.

    At this point, once you ensure your environment is secured, you should definitely contribute back to the community through uploading the sample as well as comments.
