Master_Scythe

Virus Auditing?


Hey guys, just curious what tools companies use to actually assess what a virus does.

 

for example, this recently did the rounds:

https://www.reverse.it/sample/0e5d90d9efe46c490c1919e48a63bf8145cfcf2a7879ca48b92754fd89fd6d04?environmentId=100&lang=id

 

I'd never have caught all the OLE objects and what not without that sort of assessment.

 

Surely they're using a tool\toolbox of some kind, they can't be doing this manually?


It'd be much the same as reverse engineering a piece of code you've lost the source for or want to analyse (competitors) how it works. Also similar to cracking games and software - often you're trapping system calls and looking for the unusual or stuff that just doesn't look like it belongs there.

 

Of course for stuff like VBScripts and Office Macros it's just sitting there in front of you ready to analyse.

 

Supposedly in older times they had quarantined machines where they'd run suspicious software on but I imagine these days the paranoia isn't really required as you could use virtualisation and sandboxing to ensure you don't pollute your infrastructure.

 

I think a big part of clamping down on viruses is that so many of them are just produced by amateurs and just evolutions or modifications of stuff that's already out there. Which means in some cases heuristics flag them before you even bother to start deeper analysis.


So there's no more 'advanced' version of... say...... the oldschool "Norton Cleansweep" which will monitor keys, files and hooks and report back?

 

I can understand if there's not, I just really expected a toolbox.


I suppose you could assess what a virus does by extensive before/after analysis where you have a snapshot of system + registry files but it would be a pretty drawn out process and vague in its findings.

 

Given that the actual virus and even for stuff like malware/keyloggers the "payload" as in the actual tacked on part doing the nasty stuff is usually not a huge program, it's entirely feasible to just isolate it and dissect it down to the machine instruction level. Such a thing would be necessary given that some nasties are time/date dependent for their activation, or rely on random event or certain number of executions before they do their thing.
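The before/after snapshot idea from the post above, worked through as an added example (this is not code from the thread or from any product mentioned in it). It covers only the filesystem half: walk a tree, record (size, SHA-256) per file, then diff two snapshots into added/removed/modified. The `demo()` scenario builds a throwaway directory tree in a temp folder and edits it by hand to stand in for a detonation; the file names and contents in it are constructed, not real artefacts.

```python
"""Before/after filesystem snapshot diff (added example, not from the thread).

Snapshot a directory tree before and after a sample is run, then diff the two
snapshots to see what was created, deleted or modified. Paths are relative to
the snapshot root; each file is identified by (size, SHA-256). The registry
half of the comparison is Windows-specific and is not covered here.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, tuple[int, str]]:
    """Map every regular file under root (relative POSIX path) to (size, sha256)."""
    snap: dict[str, tuple[int, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links and special files
            snap[p.relative_to(root).as_posix()] = (p.stat().st_size, file_digest(p))
    return snap


@dataclass
class SnapshotDiff:
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)


def diff_snapshots(before: dict, after: dict) -> SnapshotDiff:
    """Compare two snapshots; a file is 'modified' if its size or hash changed."""
    d = SnapshotDiff()
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            d.added.append(rel)
        elif rel not in after:
            d.removed.append(rel)
        elif before[rel] != after[rel]:
            d.modified.append(rel)
    return d


def demo() -> SnapshotDiff:
    """Constructed scenario: a fake 'system' tree is built in a temp dir,
    snapshotted, changed by hand to stand in for a detonation, and snapshotted
    again. Nothing outside the temp dir is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "Users" / "victim" / "Documents"
        docs.mkdir(parents=True)
        (root / "Windows" / "Temp").mkdir(parents=True)
        (docs / "report.docx").write_bytes(b"original document")
        (docs / "notes.txt").write_bytes(b"keep me")
        (root / "Windows" / "hosts").write_bytes(b"127.0.0.1 localhost\n")

        before = snapshot(root)

        # Simulated post-run state (constructed): a new file in Temp, an edited
        # hosts file and a deleted document.
        (root / "Windows" / "Temp" / "dropped.bin").write_bytes(b"MZ" + b"\x00" * 16)
        (root / "Windows" / "hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 example.invalid\n")
        (docs / "notes.txt").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    result = demo()
    for label in ("added", "removed", "modified"):
        for rel in getattr(result, label):
            print(f"{label:9s} {rel}")
```

Hashing rather than comparing timestamps is deliberate: mtimes are trivially set by anything that wants to hide, while a content hash is not. In a real sandbox run you would take the "before" snapshot from the clean image and the "after" one from the VM after it has been powered off, so the sample cannot interfere with the collection itself.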


My understanding is that Splunk is one of the tools that's most widely-used in a commercial context.

 

IMO virtualisation/sandboxing is the way to go. Essentially, you set up a honeypot VM - a VM with all the vulnerabilities that worms/viruses/trojans love to exploit. Many of the more advanced forms of malware are actually selective about their targets and are designed to go for the lowest-hanging fruit - i.e. the machine that is going to be most likely to let the virus do its thing. So you set up a VM that has all these vulnerabilities built into it. You also set up very comprehensive, debugging-level logging and monitoring on that VM, so that you can see exactly what the virus is doing. The better honeypot VMs that are available are also designed to emulate a real machine - this is because lots of malware starts by detecting whether it's running inside a VM - if the answer is yes, then the malware simply self-destructs, for obvious reasons. It's important not to interconnect the VM to any trusted/secure network to avoid the risk of the malware infecting the said network - in my view, the only 100% secure way of doing this is to use an air-gapped network in addition to the VM - i.e. have a testing network that's physically separated from the machines that you actually use for important things.

 

After the malware has done its thing, you look at the logs and the output of the monitoring tools to reverse engineer the cunt. With the more advanced forms of malware, this can sometimes be like finding a needle in a haystack, but I still reckon it's good fun. I used to hate viruses but now I actually enjoy letting them run wild and free on my testing platform so that I can find out how they work.

 

If you'd like some linkage to some of the honeypot software that's available, let me know which platform you're using and I'll send you through some links to downloads and tutorials on how to set them up. Obviously there are different ones available for Windows and Linux.
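Two posts in this thread describe the same workflow from different angles: trapping system calls and "looking for the unusual", and running a sample on a heavily instrumented VM and reading the logs afterwards. The following added example (not from the thread, and not the output format of any real sandbox or of Splunk) shows what the "looking" step can look like once the logging is in place: a handful of rules run over a constructed event trace that flag an Office process spawning a script host, an executable written to Temp and later launched, a Run-key write, and connections leaving the box. Image names, paths and the `seq|pid|ppid|image|op|target` line format are all invented for the example.

```python
"""Behavioural triage of a sandbox event trace (added example, not from the thread).

Given the kind of low-level trace that "trapping system calls" or debug-level
monitoring in a sandbox VM produces, flag the events that usually deserve an
analyst's attention. The trace format here is invented for the example; real
sandboxes (and Sysmon, procmon, strace) each have their own.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed trace, one event per line: seq|pid|ppid|image|op|target
SAMPLE_TRACE = """\
1|1200|800|WINWORD.EXE|proc_start|WINWORD.EXE
2|1200|800|WINWORD.EXE|file_read|C:\\Users\\victim\\Documents\\invoice.docm
3|1200|800|WINWORD.EXE|proc_create|C:\\Windows\\System32\\wscript.exe
4|1340|1200|wscript.exe|file_write|C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe
5|1340|1200|wscript.exe|reg_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
6|1340|1200|wscript.exe|proc_create|C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe
7|1410|1340|upd.exe|net_connect|cdn.example.invalid:443
8|1410|1340|upd.exe|net_connect|127.0.0.1:8080
9|1200|800|WINWORD.EXE|file_read|C:\\Windows\\Fonts\\arial.ttf
"""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr")


@dataclass(frozen=True)
class Event:
    seq: int
    pid: int
    ppid: int
    image: str
    op: str
    target: str


@dataclass(frozen=True)
class Finding:
    seq: int
    pid: int
    rule: str
    detail: str


def parse_trace(text: str) -> list[Event]:
    """Parse the pipe-delimited trace; the target field may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, pid, ppid, image, op, target = line.split("|", 5)
        events.append(Event(int(seq), int(pid), int(ppid), image, op, target))
    return events


def is_external(endpoint: str) -> bool:
    """True for endpoints outside loopback/private/link-local space.
    Hostnames cannot be classified offline and are treated as external.
    Assumes 'host:port' with an IPv4 host or a name (no bracketed IPv6)."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)


def triage(events: list[Event]) -> list[Finding]:
    """Apply the rules in trace order; findings come out in the order seen."""
    findings: list[Finding] = []
    dropped: set[str] = set()  # executables written to Temp so far (lower-cased paths)
    for ev in events:
        basename = ev.target.rsplit("\\", 1)[-1].lower()
        lowered = ev.target.lower()
        if ev.op == "proc_create" and ev.image.lower() in OFFICE_IMAGES and basename in SCRIPT_HOSTS:
            findings.append(Finding(ev.seq, ev.pid, "office-spawns-script-host", ev.target))
        if ev.op == "file_write" and "\\temp\\" in lowered and basename.endswith(EXEC_SUFFIXES):
            dropped.add(lowered)
            findings.append(Finding(ev.seq, ev.pid, "executable-dropped-in-temp", ev.target))
        if ev.op == "proc_create" and lowered in dropped:
            findings.append(Finding(ev.seq, ev.pid, "dropped-file-executed", ev.target))
        if ev.op == "reg_set" and "\\currentversion\\run" in lowered:  # also matches RunOnce
            findings.append(Finding(ev.seq, ev.pid, "run-key-persistence", ev.target))
        if ev.op == "net_connect" and is_external(ev.target):
            findings.append(Finding(ev.seq, ev.pid, "outbound-connection", ev.target))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a one-line verdict."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(parse_trace(SAMPLE_TRACE)):
        print(f"seq={f.seq:<3} pid={f.pid:<5} {f.rule:28s} {f.detail}")
```

The rules are stateful on purpose: "dropped-file-executed" only fires because an earlier `file_write` to Temp was remembered, which is the kind of chain a single-event filter in a log search misses. The pid/ppid columns are kept so a fuller version can walk each finding back to the process that started the chain (here the Office process), which is usually the first thing an analyst wants to know.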


Why would malware ignore VMs? Sure, it's likely the case that a VM is 2-3 times more likely than a native box to be just running a test or unimportant environment but absolute shiteloads of production stuff runs on VM - half the reason for using VM is to make multi client enterprise computing more flexible.


Why would malware ignore VMs? Sure, it's likely the case that a VM is 2-3 times more likely than a native box to be just running a test or unimportant environment but absolute shiteloads of production stuff runs on VM - half the reason for using VM is to make multi client enterprise computing more flexible.

 

Depends on the malware in question, but exactly because VMs are often run in a test environment. Though I'm sure that the newer malware doesn't ignore VMs because so much production stuff is run in a virtualised environment these days - really I was referring to the viruses I've experimented with, which are older and have been around for a while, well before VMs became so widely-used for production builds.
