Unintended Results Or maybe not

28 Dec 2008

Malware Behavior Analysis: Zero Wine

As a research project, I decided to create a "sandbox" to analyze malware and automatically generate reports based on its behavior. The sandbox is a Debian-based distribution with WINE and various Python libraries and tools.

Generally, it works quite well for analyzing malware even when it is packed (as is pretty common in today's malware). However, WINE fails with some packers, for example with Armadillo when "Compatibility Mode" is disabled. Anyway, almost all the packers I tried work (Themida, ASPack, UPX, etc.).

Zero Wine is distributed in source code form or as a prebuilt QEMU virtual machine: download, unpack and run the virtual machine. Using the scripts supplied in the tar.gz file, the VM's port 8000 is redirected to port 8000 on your computer, and the following very simple web page is presented:

Quite simple: just select the malware to upload, specify a timeout and click the submit button. After a while, a summary of the report with 4 options is presented:

The options available are the following:

  1. Report: the complete raw report of all the APIs called by the malware. Hard to follow and hard to understand (a 10 MB report is not uncommon).
  2. Strings: just the output of the typical Unix command "strings".
  3. File headers: all the information gathered from the PE file using the pefile library.
  4. Signature: an extract of the full raw report containing only the most interesting calls.
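To make the "Signature" idea concrete, here is an added example (not code from Zero Wine itself) that reduces a raw API trace to the interesting calls. It assumes the raw report is a Wine relay trace (`WINEDEBUG=+relay` style lines, `<tid>:Call <module>.<func>(<args>) ret=<addr>`); the API families, the sample trace and the function names `classify`/`build_signature` are my own choices.

```python
import re
from collections import Counter

# One Wine relay-trace line: "<tid>:Call <module>.<func>(<args>) ret=<addr>"
# (assumption: the raw report is a WINEDEBUG=+relay trace; the sample below is constructed).
RELAY_CALL = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):Call (?P<mod>[\w.]+)\.(?P<fn>\w+)\((?P<args>.*)\) ret=[0-9a-f]+")

# API families worth surfacing in a "signature" view; everything else is noise for triage.
INTERESTING = {
    "file":     {"CreateFileA", "CreateFileW", "WriteFile", "DeleteFileA", "CopyFileA"},
    "registry": {"RegCreateKeyExA", "RegSetValueExA", "RegSetValueExW"},
    "process":  {"CreateProcessA", "CreateProcessW", "WinExec", "WriteProcessMemory"},
    "network":  {"socket", "connect", "send", "recv", "gethostbyname", "URLDownloadToFileA"},
    "loader":   {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}

def classify(fn):  # family name for an interesting API, None for anything else
    return next((fam for fam, names in INTERESTING.items() if fn in names), None)

def build_signature(trace):
    """Reduce a raw relay trace to unique interesting (family, module.function, args)
    entries in first-seen order, plus a per-family call counter."""
    entries, counts, seen = [], Counter(), set()
    for line in trace.splitlines():
        m = RELAY_CALL.match(line.strip())
        if not m:
            continue                      # "Ret" lines and non-relay output are skipped
        family = classify(m["fn"])
        if family is None:
            continue
        counts[family] += 1
        key = (family, f'{m["mod"]}.{m["fn"]}', m["args"])
        if key not in seen:               # repeated identical calls collapse to one entry
            seen.add(key)
            entries.append(key)
    return entries, counts

# Constructed sample trace (not output from real malware).
SAMPLE_TRACE = r"""
0009:Call kernel32.GetProcAddress(7b810000,"IsDebuggerPresent") ret=00401234
0009:Ret  kernel32.GetProcAddress() retval=7b8a1234 ret=00401234
0009:Call kernel32.CreateFileA(0040a010 "C:\\windows\\system32\\svchost.exe",40000000,00000000,00000000,00000002,00000080,00000000) ret=0040126f
0009:Call kernel32.WriteFile(00000044,0040b000,00001200,0033fe60,00000000) ret=00401290
0009:Call advapi32.RegSetValueExA(00000054,0040a040 "Updater",00000000,00000001,0040a050,00000020) ret=004012c0
0009:Call ws2_32.connect(00000058,0033fe20,00000010) ret=00401300
0009:Call ws2_32.connect(00000058,0033fe20,00000010) ret=00401300
0009:Call user32.MessageBoxA(00000000,0040a060,0040a070,00000000) ret=00401340
"""
```

Running `build_signature(SAMPLE_TRACE)` on the constructed trace yields five entries (the duplicated `connect` collapses to one, `MessageBoxA` is dropped) and counts of two file, one registry, two network and one loader call.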

When the malware was analyzed correctly, the "Signature" report is all you need. A sample malware's report looks like the following:

In this very first release, the reports are not saved in the virtual machine and you can analyze just one malware sample at a time (as the malware runs in a fixed WINEPREFIX). In future releases, all the malware reports will be stored in an SQLite database and a new WINEPREFIX specific to each sample will be created.

The project is hosted on SourceForge and, well, that's all at the moment. Bye!

Joxean Koret

Comments (8) Trackbacks (2)
  1. Nice work!!! But if the malware is able to bypass the sandbox restrictions, then the whole of the web server may be compromised. Targeted attack worms may be out where the attacker may upload them to zero wine website and then compromise the whole webserver. This may be a future scenario. Correct me if I am wrong.

  2. Hi, What is the login id and password for the image?

  3. @w0lf.

    I think that it’s possible, as well as it’s possible with CWSandbox or Norman. However, you should run zerowine in a virtual machine in an isolated environment. Even if a specific and targeted malware finds a way to bypass the sandbox and exit from Wine, the malware must also exit from the virtual machine exploiting a 0day flaw with a low level (unprivileged) user so, it’s highly unlikely.

    However, it might be possible.

  4. @Dinesh

    Oops, sorry! For the user “malware” the password is “malware” and the root’s password is zerowine.

  5. [...] A new malware behaviour analysis tool called Zero Wine has popped up. The tool was developed by Joxean Koret and released under GPL v2.0. Zero Wine uses [...]

  6. Great work! Great setup and tool! Very good start to this project. Just a thought of something perhaps to add to the project…

    It would be very neat too if you incorporated Volatility and their python scripts into the project and allow you to parse through a lot of information on memory dumps too. Processes any malware that might only be persistent in memory. Just a thought! Keep up the good work.

  7. Intriguing. I found this page while searching for information about analyzing (actually confirming) suspected exploited web sites from a VM. I need what ZW can do, but I also need that capability. If I installed one or more additional AV tools (ones that detect Trojan Droppers, etc. on web pages) into the ZW VM, could I do both tasks from this tool? Thanks.

    -SAM
