PURPOSE
The main goal of this laboratory report is to present three analyses of malware files from the
archive file sent by the lecturer. The archive contains 89 malware files. The three files were
chosen by the following algorithm:
1. Sort them by name
2. First, use the last digit of your student code plus your birthday day
3. Second, generate a random number from http://www.random.org/ and, only if it does not match the first number, use it to choose the file
4. Third, use the random number generator again and, if it does not match the first or second
number, use it.
The malware archive can be downloaded from the following link:
https://sim.cert.ee/hw/pahadus.zip
WARNING: THE FILE CONTAINS LIVE VIRUSES
Tasks that need to be completed for this laboratory assignment:
• Pick your malware
• Run your malware against 2 of the following online analysis tools
◦ http://www.virustotal.com/
◦ http://camas.comodo.com/
◦ http://www.threatexpert.com/submit.aspx
• Find 2 additional online analysis tools with which to analyse the virus
Things that should be presented in the laboratory report are:
• Chosen numbers
• General information about the malware
◦ name
◦ md5
◦ sha1
• link to the analysis result, if possible
• link to disinfecting instructions – if not possible, an explanation why not
• Analysis tools – links
• Your opinion about each analysis tool and the comparison results.
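As an added example, not part of the original report, the following Python script produces the identifiers the assignment asks for (MD5 and SHA-1, with SHA-256 added because one of the online services used later is keyed by it), checks a computed MD5 against the three MD5 values recorded in this report as a small known-bad list, and builds lookup URLs in the same form as the report links used further down the page. Hashing uses Python's standard hashlib; the URL patterns are copied from the links in this report; the file hashed in the demo is a constructed harmless byte string, not a file from the archive.

```python
"""Identifiers for a malware lab report: name, size, MD5, SHA-1, SHA-256,
a known-bad lookup and the report URLs for the online services used here."""
import hashlib
import os

# Digests requested by the assignment (md5, sha1) plus sha256 (Comodo's link key).
ALGORITHMS = ("md5", "sha1", "sha256")

# Known-bad list: the MD5s of the three files analysed in this report.
KNOWN_BAD_MD5 = {
    "093e72cbc78b46e977561c5874cfab4c": "sales.exe",
    "1375a8e437db6acafe2b0419cfbff7ec": "mgre.exe",
    "4ddade6548142d5fd5b742f34b71e1da": "moos3.exe",
}


def hash_bytes(data: bytes) -> dict:
    """Return {algorithm: hex digest} for an in-memory sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 16) -> dict:
    """Stream the file through all digests at once, so a large sample is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def report_urls(digests: dict) -> dict:
    """Lookup URLs in the form of the links used in this report (observed patterns, not an official API)."""
    return {
        "threatexpert": "http://www.threatexpert.com/report.aspx?md5=" + digests["md5"],
        "wepawet": "http://wepawet.iseclab.org/view.php?hash=" + digests["md5"] + "&type=js",
        "comodo": "http://camas.comodo.com/cgi-bin/submit?file=" + digests["sha256"],
    }


def classify(digests: dict) -> str:
    """Name of the matching known-bad file, or 'unknown' if the MD5 is not in the list."""
    return KNOWN_BAD_MD5.get(digests["md5"], "unknown")


def describe(path: str) -> dict:
    """Everything the 'General information' section asks for, for one file."""
    digests = hash_file(path)
    return {
        "name": os.path.basename(path),
        "size": os.path.getsize(path),
        **digests,
        "match": classify(digests),
        "reports": report_urls(digests),
    }


if __name__ == "__main__":
    # Constructed harmless sample written to a temporary file; not an archive file.
    import tempfile
    with tempfile.NamedTemporaryFile("wb", suffix=".bin", delete=False) as tmp:
        tmp.write(b"abc")
    for key, value in describe(tmp.name).items():
        print(f"{key}: {value}")
    os.unlink(tmp.name)
```

Run it inside the analysis virtual machine, never on the host, and paste the printed digests into the report; `describe()` returns the same dictionary for any path, so the known-bad list can be extended with the MD5s of other archive files.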
Firstly, the chosen files are analysed in the section Chosen Files, where each file is
presented with the information required above, detailed analysis results, links to disinfecting
instructions and the analysis tools used for this purpose. Secondly, an opinion about each
analysis tool used and the comparison results are presented in the section Analysis. In
addition, the section Appendixes describes the virtual environment used for this
laboratory report: opening these files on a real machine would infect it, which is why a
Linux virtual environment is used.
Furthermore, each file is analysed with two different tools in order to gather
more information and a solution for the disinfection process.
Finally, the conclusions drawn from all the collected data are summarised in the Conclusion
section.
CHOSEN FILES
The chosen numbers and the names of the files to be analysed are listed below:
1. Number: 71; File name: sales.exe; Size: 454.7 KB
2. Number: 57; File name: mgre.exe; Size: 61.4 KB
3. Number: 60; File name: moos3.exe; Size: 91.6 KB
FILE 1
File name: sales.exe; Size: 454.7 KB; Number: 71.
MD5: 093e72cbc78b46e977561c5874cfab4c
SHA1 Hash: e79a730b01b6689c336138f39c79fbd2ea45b6c1
SSDeep Hash: 12288:2Pqr7eKhHvZ3NSYqHMsD+vgp0pQe1lhJ:283vhN1qHMsD+Ip8QEz
Links to analysis reports:
1. http://www.netscty.com/report/690/e12093ea-3ae7-4fac-a218-5721b1aabded-347
2. http://www.virustotal.com/file-scan/report.html?id=6f47a1f72fa005900f40803ede1a2a55167e641011271b49543eef748ffcb5a1-1318408947#
The above malware file has been reported as capable of sending out e-mail
messages with a built-in SMTP client engine. Second, it shows characteristics of
Waledac, a worm that spreads by sending e-mails containing links to copies of itself. Finally, it creates a startup registry entry.
The links provided show which anti-virus software can
disinfect the malware infection.
Tools for analysing the malware are:
1. Netscty – Online Sandbox: http://netscty.com/malware-tool
2. Virustotal.com – http://www.virustotal.com/index.html
FILE 2
File name: mgre.exe; Size: 61.4 KB; Number: 57.
MD5: 1375a8e437db6acafe2b0419cfbff7ec
SHA1:b48f702a5a0fa8558c278dd97ecfbd0d637fefd3
SHA256: 89294d70e80547aac5b506915d2e8fc0309c0e578ab16fc9875c9a4668e63709
Links to analysis reports:
1. http://camas.comodo.com/cgi-bin/submit?file=89294d70e80547aac5b506915d2e8fc0309c0e578ab16fc9875c9a4668e63709
2. http://wepawet.iseclab.org/view.php?hash=1375a8e437db6acafe2b0419cfbff7ec&type=js
From the analysis links above we can conclude that the file creates registry keys and changes registry values, changes only one file, creates a process called sample.exe and adds a value to the loaded modules.
The links do not show any way of disinfecting this malware file. My personal opinion of the above links is that they are good in that they show you this file is malware, but they still do not show enough information that could help with further instructions and actions that should be considered, and they do not even provide information or
links about which anti-virus software can help you.
Tools for analysing the malware are:
1. Comodo Instant Malware Analysis – http://camas.comodo.com/
2. Wepawet – http://wepawet.iseclab.org/
FILE 3
File name: moos3.exe; Size: 91.6 KB; Number: 60.
MD5: 4ddade6548142d5fd5b742f34b71e1da
SHA-1: 5345bdd52591b0fcd8e9a81fed7a7b588e24a15d
Links to analysis reports:
1. http://anubis.iseclab.org/?action=result&task_id=13e22805d763a08d4d158904eae5e709d&format=html
2. http://www.threatexpert.com/report.aspx?md5=4ddade6548142d5fd5b742f34b71e1da
The malware file contains characteristics of an identified security risk. The possible
security risk is Backdoor.Agent.AJU [Backdoor.Agent.AJU]. The threat category is
network-aware worm and malicious trojan horse. It modifies the file system, memory and
registry. The origin of this malware indicates a possible country: Russian Federation.
From the reports we can conclude that most of the known anti-virus products detect
this malware infection and it can be disinfected.
Tools for analysing the malware are:
1. Anubis: Analyzing Unknown Binaries – http://anubis.iseclab.org/
2. ThreatExpert – http://www.threatexpert.com/
ANALYSIS
The web tools used to analyse the three randomly chosen files are listed below.
Moreover, we compare each of these services: what kind of information they show and
provide, whether they supply a disinfection solution, and if so how, and if not why.
1. Netscty – Online Sandbox: http://netscty.com/malware-tool
2. Virustotal.com – http://www.virustotal.com/index.html
3. Comodo Instant Malware Analysis – http://camas.comodo.com/
4. Wepawet – http://wepawet.iseclab.org/
5. Anubis: Analyzing Unknown Binaries – http://anubis.iseclab.org/
6. ThreatExpert – http://www.threatexpert.com/
To compare the results from the above list of online analysis tools, I have set up a
score from 1 to 5 for each attribute, where a higher score is the better solution. The
attributes are:
| Tool | Easy to use | Provides enough information | Disinfection information | TOTAL |
| --- | --- | --- | --- | --- |
| Netscty | 4 | 5 | 4 | 13 |
| Virustotal.com | 5 | 4 | 5 | 14 |
| Comodo | 5 | 3 | 2 | 10 |
| Wepawet | 4 | 1 | 1 | 6 |
| Anubis | 5 | 3 | 1 | 9 |
| ThreatExpert | 5 | 5 | 5 | 15 |
The above table gives a clear overview of which tool is easy to use, provides enough information and gives disinfection information, and which gains the highest mark.
CONCLUSION
I would like to generalise from the above information that each online analysis tool has its own means, criteria and different information to distribute. On the whole, some of them were not that easy and simple to use, yet they provided us with the expected information and disinfection solutions. Therefore, the winner of this test is ThreatExpert. But bear in mind that I have not measured and compared all the online tool-kits for analysing files, just the ones listed in the previous section. For more, please refer to the following article, published in 2010 by Lenny Zeltser [MalwareAnalysisToolkit].
In summary, we found that the chosen files are malware, which can harm
our computer in different ways. Yet for some of them we obtained information, for instance on how to
disinfect the computer. Therefore, we made a comparison table to rank the best online
analysis tool for malware, with 6 tools in total and different scores. The first is ThreatExpert, the second is Virustotal.com and the third is Netscty. Still, these three tools differ in score by only one point each.
APPENDIXES
Appendix 1 is configuration of the virtual environment.
APPENDIX 1
Virtual environment: Oracle VirtualBox Version 4.1.2 r73507, downloadable from the
following link: https://www.virtualbox.org/wiki/Downloads
Guest: Fedora 14 Security Spin, 32-bit: http://spins.fedoraproject.org/security/
• Base Memory: 512 MB
• Acceleration: VT-x/AMD-V, Nested Paging
• Display – Video memory: 12 MB
• Storage: SATA Controller, Port 0: 8 GB
• Network:
◦ Adapter 1: Paravirtualized Network (NAT)
◦ Adapter 2: Intel PRO/1000 MT Desktop (Host-only adapter,
"VirtualBox Host-Only Ethernet Adapter")
Bibliography
Backdoor.Agent.AJU: ThreatExpert, ThreatExpert’s Statistics for Backdoor.Agent.AJU [PC Tools], 2011, http://www.threatexpert.com/threats/backdoor-agent-aju.html
MalwareAnalysisToolkit: Lenny Zeltser, 5 Steps to Building a Malware Analysis Toolkit Using Free Tools, January 2010, http://zeltser.com/malware-analysis-toolkit/