TECHNICAL Featured

A Guide to Malware Analysis: Day 4

Security researcher fairycn reveals how to conduct malware analysis and mitigate malware threats from Word Macro viruses to Linux viruses, as well as exploit overflow vulnerabilities.

fairycn

Jul 20, 2023 • 10 min read

This spectacular photograph by the talented UK-based photographer Lee Høwell is part of the Namibia Another World collection. It is a mesmerizing work of art that displays the beauty of a glorious woman contrasted by golden hues of the desert in the southwestern coast of Africa.

Today's lesson involves a combination of dynamic and static analysis of viruses. If there are any areas of improvement, I encourage readers to provide feedback so we can work together as partners, and collectively improve our understanding and progress.

FYI: Please note that the content shared in this article is based on my own knowledge base and personal understanding, which may not be accurate. I hope that you can use it as a reference, but remember not to limit your thinking to what's presented here.

Note: This article is an English translation of an article written in another language. If you have are having trouble reading it, I will improve the translation

Practical explanation

Analyse test samples based on a combination of static and dynamic analysis techniques previously learned.

word macro virus

Surface layer

Open an external address en route to download a file

After opening a word document, the calculator program was found to be open (representing malicious behaviour here)

Monitoring

Network monitoring

Analysis:

Launch Program-WINWORD.EXE *64 bit
Request address-http://192.168.86.144/
Response service-web service opened by python3's SimpleHTTPServer module
Request file-

http://192.168.86.144/word.cab
Ans: cab is the windows compression format, I use 7-z to extract it

Behaviour monitoring
Find the main program to open word files
Task Manager:

Same process tree as network monitoring to the initiator to view the execution flow:

Analysis：

Normal: just opening a word document
Suspicious: the control panel program control.exe is called
and the control panel executes a configuration file called msword.inf in a temporary folder, and then opens the calculator program calc.exe by running the cmd program (in this case, the malicious program)

itself

7-z View word document

Found out how to access the suspicious address

Combined with previous network analysis to access this address and then jump to download the suspicious file

Downloaded documents

Unpacking the downloaded file

can open it directly and extract it (7-z extraction is also possible, the effect is the same, but the unpacked size is different) and find the configuration file msword.inf where the control panel program is executed
Run the test

Executed successfully, verifying that the malicious code was loaded by the file

String Viewing
View the downloaded file word.cab using cutter

See calculator-related content (calc.exe here stands in for malicious program)Debug monitoring
The key function has been run and the malicious program has been successfully loaded

essential call:
00007FF67F1128E3 | E8 C8F4FFFF | call control.7FF67F111DB0 |

Go to view (malicious profile loaded).

ShellExecuteExW function (can usually this function to execute external programs or open files)

rundll32.exe (rundll32.exe is used to run DLL files in memory, they will be used in the application, can be used to execute malicious in memory dll)

syscall (this syscall finishes running and loads the malicious configuration file in order to run the dos environment to start the calc program here for the malicious program syscall: indicates a system call)

Disassembly locator: const char Command starts calc.exe

Positioning technique: string search for key information, then double-click to enter the disassembly page to view.

To this debugger trace and monitor the same running process.

Remote control of viruses

Running

Test machine, suspicious processes located

I see RPCRT4.DLL in the module list File description: remote program call runtime Under the explorer.exe process tree Judgment: suspicious module, generally the program will load only if there is a remote requirement, the current test machine has no known remote, test.exe loaded this module is not normal, and therefore the process in the explorer.exe process tree to determine the user to start

Attack aircraft have taken control of the test aircraft

Process tree
Find the location of the suspicious program, run it and monitor it to see the process tree

test calls certain programs ipconfig.exe: (the following command is run: ipconfig, which resolves the behaviour to query the current IP) whoami.exe: (ran the following command: whoami, behavioural parsing to display logged in user information) net.exe: (ran the following command: net user 123 123 add, behavioural resolution to create account behaviour)

At this point it can be determined that test.exe has performed a malicious act

Network traceability

Frequent outreach to this IP: 192.168.86.114
Initially determined to be the IP used by the attacker

Locate and analyse

Find the program and load the analysis tool to analyse it

VirtualAlloc function
Windows API function for requesting memory space
ExitProcess function
Windows API function to end the calling process and all its threads.
Functions
This call will call syscall to send network data to the attacking machine

Linux virus checking

ifconfig command
If the data sent is too large or the difference between the received and sent comparisons is too large (no data downloaded), it is suspicious and requires further investigation.

RX Packets // Number of packets received
TX Packets // Number of packets sent
RX Bytes // Number of bytes received
TX Bytes // Number of bytes sent out

nethogs command (installation required for normal conditions)
Lists the network status of the process

dev network card
sent
received

See process 1 sending and receiving data, see detail
top command
Query the resource usage of a specified process

top -p 7132 //7132 for process pid

At first, the monitoring resources are not high, but at a later stage, they are gradually over-occupied, probably because the remote control Trojan horse resides, and then receives commands to execute attacks such as: search for specified files

Find process path by PID

cd /proc/7132 //7132 is the process pid
ls -ail //exe corresponds to the executable path information
Additional knowledge:
The /proc directory on Linux systems is a file system, the proc file system. Unlike other common file systems, /proc is a pseudo file system (i.e. virtual file system) that stores a series of special files about the current kernel status, through which users can view information about the system hardware and the currently running processes, and even change the kernel status by changing some of these files.
ls -ail [directory name]: prints the directory files of the current/specified directory
Combined query: ls -ail /proc/7132
If you do not have root privileges, some information will not be available, e.g. the following message will be displayed:
ls: Unable to read symbolic link '/proc/7132/cwd': insufficient permissions
ls: Unable to read symbolic link '/proc/7132/root': insufficient permissions
ls: Unable to read symbolic link '/proc/7132/exe': Insufficient permissions

Guess the status query outreach IP

netstat -na|grep ESTABLISHED

Backtracking processes by port

netstat -nap | grep 47074

View process memory based on pid

pmap -d 3885

Shutting down processes based on pid

kill -HUP 3885

Exploiting program overflow vulnerabilities

This is an uncomplicated simulation of an attack program based on a program with an overflow vulnerability.
A brief analysis of the attack program exploit idea and the overflow vulnerability generation

Source Code Analysis

Buffer vulnerability program source code exists:

Note: Modified from STACK1_VS_2017.cpp
Toolchain: Mingw

#include <stdlib.h>
#include <stdio.h>
#include "Windows.h"

int main(int argc, char **argv) {

MessageBoxA((HWND)-0, (LPCSTR) "检测程序是否正常运行\n", (LPCSTR)"功能", (UINT)0);

int cookie;
char buf[2];
int *a = &cookie;
char *b = buf;
printf("buf: %08x cookie: %08x\n", b, a);
u_int64 p =(u_int64)a-(u_int64)b;
printf("程序正常运行，存在缓存区溢出漏洞，其中两变量内存地址之差=%d:\n注意：若超过此值则缓冲区溢出\n",p);
gets(buf);
if (cookie == 0x41424344)
printf("缓冲区溢出，已被成功利用此漏洞,隐藏信息已显示，请排查\n");

}

According to the source code, if the data obtained by the gets function is **DCBA (* wildcard, e.g. 11DCBA, the hexadecimal value of the string DCBA is 44434241, because the order of reading and writing data on the stack is first in and last out, so the real call is ABCD), it proves that the buffer overflow vulnerability of this program is exploited and the hidden message is displayed (according to the code logic, the normal operation of the program does not meet the condition of displaying this hidden message)
The buffer vulnerability is caused by the buf application buffer size of 2, and the buffer is not protected because it is acquired with gets, and if the acquired data exceeds 2, the buffer is overflowed.

Attack exploit code

import sys
from subprocess import Popen, PIPE

payload = b"A" * 2 + b"\x44\x43\x42\x41"

p1 = Popen(r"C:\Users\用户名\Desktop\test\cmake-build-debug\test.exe", stdin=PIPE)
print ("PID: %s" % hex(p1.pid))
print ("Enter para continuar")
p1.communicate(payload)
p1.wait()
input()

Effect: The buffer overflow succeeded and the hidden message was read by entering a specific code

Monitoring：procexp64

Procmon64

Locate the script test.py to use

Disassembly analysis

Run to module value: test.exe

Entry breakpoint broken off, no leaked information related content seen, string search to quickly locate the vulnerable function code block
Note: The compiler adds a lot of code in order to make the executable work and start properly. Therefore, the first entry function breakpoint often does not break to the main function

Decompiler cross-reference:MapoAnalyzer

Snowman

Trace analysis: When entering a string, the two variables are seen next to each other in the stack window

According to the analysis of the decompiled result, the input string is the value of the corresponding buf variable, but now the cookie corresponding also has a value, analysis of data overflow, resulting in the cookie corresponding address has a value and for the input value minus two, that is, DCBA, as shown in the following figure:

00000000004015E1 | 8B45 E4 | mov eax,dword ptr ss:[rbp-1C] | 00000000004015E4 | 3D 44434241 | cmp eax,41424344 | 00000000004015E9 | 75 0C | jne test.4015F7 | 00000000004015EB | 48:8D0D A67A0000 | lea rcx,qword ptr ds:[409098] | 0000000000409098:"缓冲区溢出，已被成功利用此漏洞,隐藏信息已显示，请排查\n" 00000000004015F2 | E8 49630000 | call

You can see the input
The string has met the conditions and the jump was unsuccessful, resulting in the hidden message being retrieved Extended analysis:
The gets function

Web source: gets can read indefinitely without judging the upper limit, that is, the gets function does not check the size of the buffer buffer, and in fact it cannot check the buffer space.
In conjunction with the analysis, an overflow vulnerability exists due to the program's use of the get function to obtain input data, where the program hides certain characters based on this vulnerability.

Practical explanation​

word macro virus​

Surface layer​

Monitoring​

itself​

Downloaded documents​

Remote control of viruses​

Running​

Locate and analyse​

Linux virus checking​

Network Related​