In this static malware analysis we examine a Zeus Trojan file to learn its inner workings, but we are not going to run the file as an executable. Malware authors have become more crafty as they try to make analysis of their work harder: they encrypt some (or all) of the referenced strings in memory, such as the registry keys used to auto-start and the hosts and ports the malware connects to. When they do that, we cannot simply dump the process memory and run "strings", because the strings are encrypted. We are even seeing string encryption persist after the malware executable is unpacked: values that are all stored encrypted will not show up in the unpacked EXE or in a dump of the process, and it is hard to examine individual functions when we cannot work out what they are doing. The ideal scenario would have a seasoned administrator running IDA Pro to create and run a script that decrypts the encrypted strings used in the Zeus Trojan. We would trace the decrypt and encrypt functions: once the bot is about to access one of its strings, a pointer is passed to the decrypt routine, which decrypts the string in place in memory, and after the code calls the re-encrypt routine the string no longer shows up in a process memory dump. The routine itself is not the important part; it relies on a key that is calculated when the bot starts, an MD5 of other data embedded in the EXE file. But let us break this down into a primer.

Strings

On Windows, if we are not faced with encrypted malware strings, one of the first things we can do is use a Windows utility called "strings" to see if we can get some information out of the file. It is actually a Sysinternals tool that lets you extract Unicode or ASCII strings.
When the file is sitting on disk and we are not going to actually run it (which protects our system), we can run "strings". When we do that, we may also get some additional information about the program we are examining. On the command line type:

C:\Users\Administrator>z:
Z:\>y:
Y:\>cd Downloads
Y:\Downloads\strings>dir
Y:\Downloads\strings>strings.exe

We run "strings" by typing "strings.exe", and are prompted to agree to the terms of the Sysinternals software license. "Strings" goes through an executable and finds the places where there are strings, that is, runs of printable ASCII characters that are null terminated. As it finds them, it prints them out. The output makes it clearer what we have going on as we follow the individual functions. If we have Microsoft code we may see "Microsoft Corporation", "Redmond Washington", "Microsoft Code Signing" and so on written out. We may see Microsoft URLs and timestamps built into the code. We may even see the name of the code's author. "Strings" can provide us with some pretty useful information.

Exe Explorer

Another program we can employ is "Exe Explorer", which gives us a different set of information. It is software designed to read and display an executable file's properties and structure. EXE Explorer is mainly focused on gathering data about the targeted file: the user can read properties of the EXE file such as its code page and the raw data offset. We open "Exe Explorer", browse to a directory called Zeus (from the Zeus botnet) and open "bot.exe". "Exe Explorer" pulls the executable apart and gives up information showing that the bot is destined for a 32-bit machine, which means we are dealing with 32-bit code. On the signature line we see that this bot is a portable executable (PE), which means it is an executable designed for the Windows operating system.
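The following is an added example, not code from the original article: a small Python reimplementation of what the strings scan does (runs of printable ASCII or UTF-16LE characters) run over a constructed memory buffer, showing that plain strings are found while an encrypted string stays invisible until the buffer is decrypted with the recovered key. Single-byte XOR stands in for Zeus's real MD5-keyed routine, and REG_RUN, C2_URL and KEY are constructed placeholders.

```python
import re

# Constructed sample values (not taken from the Zeus sample or any real C2):
REG_RUN = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"   # auto-start key
C2_URL = "http://c2.example.invalid/gate.php"                  # placeholder host
KEY = 0xA5   # stand-in key; the high bit set means every XORed ASCII byte is >= 0x80

def xor_bytes(data: bytes, key: int) -> bytes:
    """Stand-in for the bot's in-place encrypt/decrypt routine (XOR is symmetric)."""
    return bytes(b ^ key for b in data)

# A constructed slice of "process memory": plain strings, noise, one obfuscated string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"                              # DOS-header-like bytes
    + b"Microsoft Corporation\x00\x00"                 # plain ASCII, null terminated
    + REG_RUN.encode("utf-16-le") + b"\x00\x00"        # plain UTF-16LE string
    + b"\xde\xad\xbe\xef\x7f\x80\x01"                  # binary noise
    + xor_bytes(C2_URL.encode(), KEY) + b"\x00"        # encrypted: invisible to strings
    + b"GdiplusStartup\x00"                            # import name, plain ASCII
)

def find_ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len printable ASCII bytes (the heuristic strings tools use)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_unicode_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len UTF-16LE printable characters (each byte followed by 0x00)."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]

def strings_after_decrypt(data: bytes, key: int, min_len: int = 4) -> list[str]:
    """What the analyst sees once the buffer is decrypted with the recovered key:
    the encrypted string appears and the plain ones now look like noise."""
    return find_ascii_strings(xor_bytes(data, key), min_len)

if __name__ == "__main__":
    print("ASCII:    ", find_ascii_strings(SAMPLE))
    print("Unicode:  ", find_unicode_strings(SAMPLE))
    print("Decrypted:", strings_after_decrypt(SAMPLE, KEY))
```

This is why a memory dump taken while the string is re-encrypted shows nothing useful: the scan only ever sees the encrypted bytes.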
There is a tab in "Exe Explorer" called "strings" which does the very same thing the Sysinternals utility does, and this "strings" view actually gives additional information. The strings in "Exe Explorer" include a lot of function calls such as "GdiplusStartup" and "GdiplusShutdown", which belong to the graphics device interface. The Gdi suite of functions all have to do with graphics, so a malware program importing this suite will have a graphical component. If you see a create-stream call (CreateStreamOnHGlobal), it would probably indicate some sort of file or network communication; it might be grabbing some pictures or graphics. You can search for other functions in the file, but you will also see a lot of garbage in the file. Sometimes the garbage is opcodes and sometimes it is just other kinds of data. You will also run across encrypted strings, and you will see data that looks like strings but is not. You will see a tab for the different sections. "Exe Explorer" pulls the whole executable apart and shows you a unified view of what is going on inside the file, giving a lot of detailed information about the executable.

PEid and Packers

Now that you have information from the strings, which may reveal the actions taken by the executable, you can run an application called "PEid.exe". This program examines the algorithm and tells you whether a piece of software is packed or not. Once we have located the file and opened it in "PEid.exe" to search for packers, we are getting into the meat of the executable. Packers are often located through deep scans. Packers obscure a piece of code to make it harder to see what the executable is doing, and the garbage in the strings may have been the result of packers being present in the code.
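As an added example (not the article's code and not how Exe Explorer or PEid are implemented), here is a Python check for the facts those tools report above: the MZ and PE signatures, whether the Machine field says 32-bit, and a per-section Shannon-entropy scan plus a UPX section-name check as a simple stand-in for PEid's packer signatures. The PE image it scans is constructed inline, with an empty optional header, and is not a real executable.

```python
import math
import struct
from collections import Counter

IMAGE_FILE_MACHINE_I386 = 0x14C    # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x86
PACKER_SECTION_NAMES = {"UPX0", "UPX1"}  # well-known UPX section names

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted data, lower for code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(image: bytes) -> dict:
    """Read the MZ/PE headers and score each section the way a packer scan would."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: not a DOS/Windows executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature: not a portable executable")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)          # 20-byte COFF file header
    sec_off = e_lfanew + 24 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):                    # 40-byte section headers
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec_off + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "entropy": round(shannon_entropy(raw), 2)})
    bits = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}.get(machine)
    packed = any(s["entropy"] > 7.0 or s["name"] in PACKER_SECTION_NAMES for s in sections)
    return {"bits": bits, "sections": sections, "likely_packed": packed}

def build_sample_pe(text: bytes, packed: bytes) -> bytes:
    """Constructed minimal 32-bit PE image with two sections; a real PE32 also carries
    a 0xE0-byte optional header, omitted here (SizeOfOptionalHeader = 0)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 0, 0x102)
    data_off = 0x40 + 24 + 2 * 40                                       # headers end here
    def sec(name: bytes, raw: bytes, ptr: int) -> bytes:
        return struct.pack("<8sIIII", name, len(raw), 0, len(raw), ptr) + b"\x00" * 16
    return (dos + b"PE\x00\x00" + coff + sec(b".text", text, data_off)
            + sec(b"UPX1", packed, data_off + len(text)) + text + packed)

if __name__ == "__main__":
    # Constructed input: repetitive "code" bytes and a uniform (maximum-entropy) blob.
    print(parse_pe(build_sample_pe(b"\x55\x8b\xec\x33\xc0\xc3" * 20, bytes(range(256)) * 2)))
```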
We cannot see what is happening because the strings have been compressed or encrypted, so we are unable to read them. When you see a piece of executable code that is packed, you are most likely dealing with a piece of malware. Different packers are associated with different versions of malware, so we may actually get some information on the malware based on the particular packer present inside the executable file and the version of the packer in use.

Static analysis simply looks at parts of the files. You can click on the properties of the file and look at the details to see what is there. A standard program developed by a reputable vendor is going to have a description, a copyright, a product name, a product version and probably even a file version; it will have information along those lines. If this information is missing, the program was either written by somebody who does not want to set that information or by somebody who does not know how to set it. You can basically find out some information about the author of the executable by looking in the properties under the details.

Conclusion

We have looked at a number of methods and ways of analyzing Windows malware in a static manner (where it is not actually being run). The logic of this is that we avoid the danger of running the malware on our system. Dynamic analysis of Windows malware (which allows us to run the executable and observe its characteristics) would require either a sandbox or a standalone system where it poses no danger to your operational network. Dynamic malware analysis gives us the chance to analyze the malware while it is in operation.
Static malware analysis lets us examine hints from the executable or the file itself to see if we can work out what is going on (just by looking at the file), what is in it, and what information we can pick out of an executable by digging in and observing its characteristics.