121 Proj X13: Dynamic Analysis of Malware (10 pts.)

What you need:

Purpose

Dynamic analysis is a powerful but imperfect way to analyze malware. It's sloppy, like a live forensic acquisition.

To perform dynamic analysis, you run a clean OS with tools running that measure the system state, and then you infect it with malware. You measure the real changes made on the system as the malware infects it.

This technique is easy and fast, but it has some disadvantages:

Despite these disadvantages, dynamic analysis is a good technique to know and use carefully.

This Project is "Safe"

I'm not giving students real malware at this point--we'll use the Yahoo toolbar. That thing is pretty nasty, but it's not exactly malware.

Remove Yahoo Toolbar

If you already have Yahoo Toolbar installed, open Control Panel, "Add or Remove Programs", and uninstall it, as shown below:

Download Process Monitor

Process Monitor shows all the actions taking place on your computer and logs them.

Open a browser and go to http://technet.microsoft.com/en-us/sysinternals/bb896645

Download Process Monitor onto your desktop, and unzip it. The executable should appear in a folder, as shown below:

Download RegShot

RegShot takes before-and-after measurements of the Registry so you can easily see what a program has changed.

Open a browser and go to http://sourceforge.net/projects/regshot/

Download RegShot and unzip it. A folder opens with several files, as shown below:

If you are using a 32-bit system, which is likely, you will use the regshot.exe file.

Open Internet Explorer

In Internet Explorer, go to http://toolbar.yahoo.com

You should see a "Download Now" button on the right side of the window, as shown below. DO NOT CLICK IT YET!

Leave the Internet Explorer window open.

Launch Process Monitor

In the folder you unzipped Process Monitor into, double-click Procmon.exe.

If a Security Warning box pops up, allow the software to run.

Agree to the license.

You should see Process Monitor, with a lot of processes visible, as shown below:

Getting the First Shot in RegShot

In the folder you unzipped RegShot into, double-click regshot.exe.

If a Security Warning box pops up, allow the software to run.

Regshot opens, as shown below:

Click the "1st shot" button. In the pop-up menu, click Shot.

You can see the progress as numbers count up in the lower portion of the Regshot window. When the shot is complete, the numbers will stop changing and the "2nd shot" button will stop being grayed out, as shown below:

Excluding Harmless Processes

To make the analysis easier, we will ignore all the processes that are already running before the malware starts.

In Process Monitor, right-click the name of one of the visible processes, such as lsass, and click "exclude 'lsass.exe'", as shown below:

Wait while the event filter is applied.

Right-click a remaining process, such as "svchost.exe" and exclude it too.

Repeat the process until all current processes are hidden, as shown below. When I did it, the remaining processes to exclude were csrss.exe, explorer.exe, services.exe, vmtoolsd.exe, iexplore.exe, VMwareTray.exe, verclsid.exe, winlogon.exe, wmiprvse.exe, wuauclt.exe, regshot.exe, spoolsv.exe, alg.exe, rundll.exe, WMIADAP.EXE, GoogleUpdate.exe, GoogleCrashHandler.exe, chromeinstaller.exe, and setup.exe.
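Same idea in script form: what the exclusion steps above do by hand in the Process Monitor GUI. This is an added example, not code from the project page or from Process Monitor. It records the process names seen before the install starts, hides every event from those names, and searches what is left for a path of interest. The CSV lines are constructed in the column layout of a Procmon export (Time of Day, Process Name, PID, Operation, Path, Result); the timestamps, PIDs, the installer name ytb_setup.exe and the file paths are invented for illustration.

```python
"""Process Monitor-style baseline exclusion over an event log (added example)."""
import csv
import io

# Constructed sample export (hypothetical values). Events before 09:02:00
# stand for the pre-install baseline; the rest happen during the install.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result"
"09:01:10.0000000","lsass.exe","684","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages","SUCCESS"
"09:01:11.0000000","svchost.exe","1032","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS"
"09:01:12.0000000","iexplore.exe","1900","CreateFile","C:\\Documents and Settings\\user\\Cookies\\index.dat","SUCCESS"
"09:01:13.0000000","regshot.exe","2044","RegEnumKey","HKLM\\SOFTWARE","SUCCESS"
"09:02:30.0000000","iexplore.exe","1900","CreateFile","C:\\Documents and Settings\\user\\Desktop\\ytb_setup.exe","SUCCESS"
"09:02:31.0000000","ytb_setup.exe","2312","Process Start","","SUCCESS"
"09:02:32.0000000","ytb_setup.exe","2312","CreateFile","C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yahoo_toolbar_install_helper.exe","SUCCESS"
"09:02:33.0000000","yahoo_toolbar_install_helper.exe","2380","RegSetValue","HKLM\\SOFTWARE\\Yahoo\\Companion\\Version","SUCCESS"
"09:02:34.0000000","svchost.exe","1032","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS"
"""


def parse_events(text):
    """Parse a Procmon-style CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def baseline_processes(events, install_start):
    """Process names (lower-cased) that produced events before the install
    started: the set a Procmon user excludes one by one in the GUI."""
    return {e["Process Name"].lower() for e in events
            if e["Time of Day"] < install_start}


def exclude_processes(events, names):
    """Split events into (kept, hidden), hiding every event whose process
    name is in `names`. Matching is by name only, as Procmon's exclude
    filter does, so later activity by a same-named process is hidden too."""
    names = {n.lower() for n in names}
    kept = [e for e in events if e["Process Name"].lower() not in names]
    hidden = [e for e in events if e["Process Name"].lower() in names]
    return kept, hidden


def find_path(events, needle):
    """Events whose Path column contains `needle` (case-insensitive),
    the scripted version of scrolling for 'yahoo_toolbar_install_helper'."""
    needle = needle.lower()
    return [e for e in events if needle in e["Path"].lower()]


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    base = baseline_processes(events, "09:02:00")
    kept, hidden = exclude_processes(events, base)
    print("baseline processes:", sorted(base))
    print("events left after exclusion:", len(kept), "of", len(events))
    for e in find_path(kept, "yahoo_toolbar_install_helper"):
        print(e["Time of Day"], e["Process Name"], e["Operation"], e["Path"])
    print("events hidden by exclusion:", len(hidden))
```

Note what the last constructed line shows: the RegSetValue to the Run key by svchost.exe is hidden along with the baseline, because the filter matches on process name rather than on a particular process instance. When the sample hands work to an already-running process, or starts a new process with a name you excluded, that activity disappears from the filtered view; checking the hidden set for writes to autostart locations is a cheap way to catch that.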

Saving the Image

Make sure the empty "Process Monitor" window is visible.

Save this image with the filename Proj X13a from YOUR NAME

Installing Yahoo Toolbar

In Internet Explorer, click the "Download Now" button. Agree to the agreement. Click "Yes" to help Yahoo. Install the software, approving everything it asks for.

When you are done, Internet Explorer will show the new toolbar, as shown below:

In Regshot, click the "2nd shot" button. In the pop-up menu, click Shot.

When the snapshot is complete, click the Compare button.

You will see a report, showing a number of added keys -- 511 when I did it, as shown below:

Scroll down until you find a key installing Yahoo\Companion, as shown below:
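The before-and-after comparison RegShot performs, as an added example in Python (not code from the project page or from RegShot). Each snapshot is modelled as a dict mapping a key path to its value names and data; the diff reports added and deleted keys and added, deleted and modified values, then locates added keys whose path contains "Yahoo\Companion", the scripted equivalent of scrolling the report. The two snapshots are constructed sample data: the Yahoo\Companion keys, the BHO CLSID placeholder, the helper.exe Run value and the TempSetup key are invented to exercise each report section, not taken from a real install.

```python
"""RegShot-style comparison of two Windows Registry snapshots (added example)."""


def diff_snapshots(before, after):
    """Return a RegShot-like report of the differences between two snapshots."""
    before_keys, after_keys = set(before), set(after)
    report = {
        "keys_added": sorted(after_keys - before_keys),
        "keys_deleted": sorted(before_keys - after_keys),
        "values_added": [],
        "values_deleted": [],
        "values_modified": [],
    }
    # Values are compared only under keys present in both shots; values
    # under a brand-new key are covered by the keys_added entry itself.
    for key in sorted(before_keys & after_keys):
        old, new = before[key], after[key]
        for name in sorted(set(new) - set(old)):
            report["values_added"].append((key, name, new[name]))
        for name in sorted(set(old) - set(new)):
            report["values_deleted"].append((key, name, old[name]))
        for name in sorted(set(old) & set(new)):
            if old[name] != new[name]:
                report["values_modified"].append((key, name, old[name], new[name]))
    return report


def find_keys(report, needle):
    """Added keys whose path contains `needle`, case-insensitively."""
    needle = needle.lower()
    return [k for k in report["keys_added"] if needle in k.lower()]


def summary_counts(report):
    """Per-section counts, like the totals at the top of a RegShot report."""
    return {section: len(entries) for section, entries in report.items()}


# Constructed sample snapshots (hypothetical data).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN = r"HKCU\Software\Microsoft\Internet Explorer\Main"
BHO = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
       r"\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}")  # placeholder CLSID

FIRST_SHOT = {
    RUN: {"VMware User Process": r"C:\Program Files\VMware\VMwareTray.exe"},
    IE_MAIN: {"Start Page": "about:blank"},
    r"HKCU\Software\TempSetup": {"Stage": "1"},  # hypothetical key removed by the installer
}

SECOND_SHOT = {
    RUN: {
        "VMware User Process": r"C:\Program Files\VMware\VMwareTray.exe",
        "YahooToolbarHelper": r"C:\Program Files\Yahoo!\Companion\helper.exe",  # hypothetical
    },
    IE_MAIN: {"Start Page": "http://www.yahoo.com/"},  # constructed change
    r"HKLM\SOFTWARE\Yahoo\Companion": {"Version": "1.0"},           # hypothetical
    r"HKLM\SOFTWARE\Yahoo\Companion\Install": {"Source": "toolbar"},  # hypothetical
    BHO: {},
}

if __name__ == "__main__":
    rep = diff_snapshots(FIRST_SHOT, SECOND_SHOT)
    for section, entries in rep.items():
        print(f"{section}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
    print("Keys mentioning Yahoo\\Companion:", find_keys(rep, r"Yahoo\Companion"))
```

The diff is a pure set comparison of two states, which is why RegShot is fast and also why it is "sloppy": a key that the installer creates and deletes between the first and second shot never appears in the report, and nothing in the report says which process made a change. That is the gap Process Monitor's live event log fills, so the two tools are used together.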

Saving the Image

Highlight Yahoo\Companion so it's easy to see.

Save this image with the filename Proj X13b from YOUR NAME

Viewing the Processes

In Process Monitor, scroll down until you find a path containing "yahoo_toolbar_install_helper", as shown below:

Saving the Image

Highlight "yahoo_toolbar_install_helper" so it's easy to see.

Save this image with the filename Proj X13c from YOUR NAME

Turning in your Project

Email the images to cnit.121@gmail.com with the subject line: Proj X13 from YOUR NAME

Credits

This is based on a class I took at the HoneyNet conference, from Felix Leder.
Last modified 4-11-11 12:32 am