Nov 4, 2009

Counter malware analysis

As a malware researcher (in my spare time), we face a constant challenge from malware writers who try to outsmart us by building many anti-analysis techniques into their malware, intended to deter and confuse researchers analysing it.

These techniques include:
  • Obfuscation/hiding of code & scripts
    Scripts are commonly obfuscated with the "unescape" function and various encodings (e.g. Base64) to hide malicious JavaScript (e.g. unescape(dz+cz+op+st)+'dw(dz+cz($+st));')}else{$=''};function sc(cnm,v,ed)). Executables can also be obfuscated with a packer such as UPX.

  • Encryption of source code & data
    A packer (compressed executable) uses proprietary compression and encryption methods to hinder malware analysis. Configuration data may also be obfuscated or encrypted.

  • Junk code (useless instructions and routines)
    Useless instructions are inserted between the real ones. Jumping into the middle of an instruction will sometimes cause a debugger to halt with an error.

  • Detection of analysis tools (virtual machines, monitoring tools, debuggers)
    Malware can behave differently when it detects analysis tools on the system, in order to fool the analyst. Some sample methods are shown below.

  • Integrity checks (to prevent tampering and patching)
    Malware may contain checksums and protection routines to prevent any tampering with its program.

Below is some sample code used by malware to detect analysis tools.

Detect OllyDbg
The function IsODBGLoaded returns true if a debugger is detected.

/* MSVC 32-bit inline assembly, compiled as C++. Despite the name, it reads the
   BeingDebugged flag of the Process Environment Block, so it fires for any
   user-mode debugger attached to the process, not only OllyDbg. */
__inline bool IsODBGLoaded() {
    int result;
    _asm {
        mov eax, fs:[30h]              ; fs:[30h] holds the PEB address
        movzx eax, byte ptr [eax+0x2]  ; PEB.BeingDebugged (offset 2)
        or al, al
        jz normal_
        mov eax, 0x1                   ; debugger present
        jmp out_
    normal_:
        xor eax, eax                   ; no debugger
    out_:
        mov result, eax
    }
    return result != 0;
}

Detect VMware
It queries the VMware version and treats a valid answer as proof that it is running inside the virtual machine.

/* Check VMware version only. VMBackDoor(), VMCMD_GET_VERSION and VMWARE_MAGIC
   are not shown on this page: VMBackDoor is assumed to issue the command on the
   VMware backdoor I/O port and return the version and magic value it answers
   with. Outside VMware that port access raises a privileged-instruction
   exception in user mode, so the routine as shown does not survive on bare metal. */
int VMGetVersion() {
    unsigned long version, magic, command;
    command = VMCMD_GET_VERSION;
    VMBackDoor(&version, &magic, &command, NULL);
    if (magic == VMWARE_MAGIC) return version;  /* the hypervisor answered */
    else return 0;                              /* not VMware */
}

/* Check if running inside VMware */
int IsVMWare() {
    int version = VMGetVersion();
    return version != 0;   /* any non-zero version means VMware answered */
}

Detecting Breakpoints
The function IsBPX checks whether a software breakpoint has been placed at the given memory address.

/* MSVC 32-bit inline assembly, compiled as C++. Returns true if the byte at
   address is 0xCC (INT 3), the opcode a debugger writes over the first byte of
   an instruction to plant a software breakpoint. Hardware breakpoints, which
   live in the debug registers, are not visible to this check. */
__inline bool IsBPX(void *address) {
    int result;
    _asm {
        mov esi, address
        mov al, [esi]        ; first byte of the instruction at address
        cmp al, 0xCC         ; INT 3 opcode?
        je BPXed
        xor eax, eax         ; no breakpoint
        jmp NOBPX
    BPXed:
        mov eax, 1           ; breakpoint found
    NOBPX:
        mov result, eax
    }
    return result != 0;
}
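An added example, not code from the original post: a small Python scanner that flags the byte patterns a 32-bit compiler emits for the three checks above, the kind of quick triage an analyst runs over an unpacked sample before stepping into it in a debugger. The opcode encodings, the VMware backdoor magic 0x564D5868 and port 0x5658 come from general x86/VMware knowledge rather than from the post, and the input buffer is constructed by hand.

```python
"""Flag the byte patterns behind the three anti-analysis checks above."""
import re

# 32-bit x86 encodings a compiler emits for the listed assembly. These byte
# sequences, the VMware magic 0x564D5868 ("VMXh") and port 0x5658 ("VX") are
# general x86/VMware knowledge assumed here, not values taken from the post.
SIGNATURES = {
    # mov eax, fs:[30h] (A1 or 8B 05 form) then movzx eax, byte ptr [eax+2]:
    # reads PEB.BeingDebugged, the check inside IsODBGLoaded.
    "peb_being_debugged": re.compile(
        rb"\x64(?:\xa1|\x8b\x05)\x30\x00\x00\x00.{0,8}?\x0f\xb6\x40\x02", re.DOTALL),
    # mov eax, 564D5868h followed within a few instructions by in eax, dx:
    # the VMware backdoor request a VMBackDoor-style helper issues.
    "vmware_backdoor": re.compile(rb"\xb8\x68\x58\x4d\x56.{0,16}?\xed", re.DOTALL),
    # cmp al, 0CCh followed by a short je: the INT 3 test inside IsBPX.
    # Three bytes is a weak indicator; confirm the hit in a disassembler.
    "int3_scan": re.compile(rb"\x3c\xcc\x74"),
}

def scan_anti_analysis(code: bytes) -> dict:
    """Return {signature_name: [offsets]} for every signature that matched."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(code)]
        if offsets:
            hits[name] = offsets
    return hits

# Constructed sample: hand-assembled fragments of the three checks, separated
# by NOPs, with a function prologue in front so the offsets are not zero.
SAMPLE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp
    + b"\x64\xa1\x30\x00\x00\x00"    # mov eax, fs:[30h]
    + b"\x0f\xb6\x40\x02"            # movzx eax, byte ptr [eax+2]
    + b"\x0a\xc0"                    # or al, al
    + b"\x90" * 4
    + b"\xb8\x68\x58\x4d\x56"        # mov eax, 564D5868h
    + b"\xb9\x0a\x00\x00\x00"        # mov ecx, 0Ah (get-version command)
    + b"\x66\xba\x58\x56"            # mov dx, 5658h
    + b"\xed"                        # in eax, dx
    + b"\x90" * 4
    + b"\x8b\x75\x08"                # mov esi, [ebp+8]
    + b"\x8a\x06"                    # mov al, [esi]
    + b"\x3c\xcc"                    # cmp al, 0CCh
    + b"\x74\x04"                    # je +4
)

if __name__ == "__main__":
    for name, offsets in scan_anti_analysis(SAMPLE).items():
        print(f"{name}: at offsets {offsets}")
```

A hit is a prompt to look at that offset in a disassembler, not proof: short patterns such as cmp al, 0CCh also occur in ordinary code.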