Antiemulation Techniques (Malware Tricks II)
From time to time, when reversing malware, I find new antiemulation techniques. They are widely used by malware to evade detection by AVs that rely on emulation, yet it seems nobody has written about them, maybe because there are so many or maybe because they aren't very interesting. Anyway, a friend and I decided to look for antiemulation techniques and we found a bunch of them in about 2 days. Surprise. Well, the following is a list of antiemulation techniques "found" by us.
Pyew! A Python tool to analyze malware
While working on a disassembler with code analysis to speed up (graph) analysis of malware dumps (malware dumped from memory while running), I decided to write a tool on top of this core oriented to malware analysis, and the result is Pyew!
Malware Tricks I
Today, while analyzing a family of malware (the family some vendors call "Krap") I noticed a good and, at least for me, new antiemulation technique. What do you think this sample code does?
    ; Do stuff...

start:
    push offset some_func
    jmp edx
Zerowine: Better reports, network conversations and bug fixes
Single user version of Zerowine
Yesterday I finished the (surely) last single-user version of Zerowine and added some interesting features to it. Many Zerowine users told me that the reports were very confusing and, yes, that's true. I fixed this problem by adding new debugging channels to the latest stable version of Wine at the time of writing (1.1.10), and the reports are now less confusing and more readable. The new debugging channels I added to Wine are the following:
- humanmalware: This channel shows in human readable format what the malware is doing.
- malware: Quite similar to the TRACE channel, but just logs the calls to APIs interesting for malware research.
- malwaredump: This channel shows the network conversations.
- malwarereg: Shows registry operations.
- malwarelib: Shows what libraries the malware is loading/unloading.
The following is an example report of running a malware in the sandbox with the latest features:
We can see how the malware connects to some remote web server, the HTTP query executed, the local file downloaded, etc. That is the "Report" section; the "Signature" section gives just the "human readable" version of the report (as usual, not as detailed as the "Report" section).
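To make the channel scheme concrete, here is an added example (not Zerowine's or Wine's own code) that post-processes Wine debug output from the five channels listed above into the two report sections the post describes. It relies only on the standard Wine line layout `<tid>:<class>:<channel>:<function> <message>`; the function names, messages and the sample run itself are constructed here for illustration and are not real Zerowine output.

```python
import re

# Channel names are the ones the post lists; the line layout
# "<tid>:<class>:<channel>:<function> <message>" is standard Wine debug output.
ZEROWINE_CHANNELS = ("humanmalware", "malware", "malwaredump", "malwarereg", "malwarelib")

LINE_RE = re.compile(
    r"^(?:(?P<tid>[0-9a-f]{4}):)?"      # optional thread id prefix
    r"(?P<cls>trace|fixme|warn|err):"    # Wine debug class
    r"(?P<chan>\w+):"                    # debug channel
    r"(?P<func>\w+)\s*"                  # function that emitted the line
    r"(?P<msg>.*)$"
)

# Constructed sample run: function names and messages are illustrative only,
# not real Zerowine output.  The last line is ordinary Wine noise.
SAMPLE_LOG = "\n".join([
    r'0009:trace:malwarelib:load_dll loading L"kernel32.dll"',
    r'0009:trace:malwarelib:load_dll loading L"wininet.dll"',
    r'0009:trace:malwarereg:RegOpenKeyExW key=L"Software\\Microsoft\\Windows\\CurrentVersion\\Run"',
    r'0009:trace:malwarereg:RegSetValueExW value=L"updater" data=L"C:\\windows\\temp\\svc.exe"',
    r'0009:trace:malware:InternetConnectW server=L"example.invalid" port=80',
    r'0009:trace:malwaredump:send GET /dl/payload.bin HTTP/1.1',
    r'0009:trace:malware:CreateFileW name=L"C:\\windows\\temp\\svc.exe"',
    r'0009:trace:humanmalware:report downloads a file and registers it for autostart',
    r'0009:fixme:ole:CoCreateInstance no class factory for {00000000-0000-0000-0000-000000000000}',
])


def parse_line(line):
    """Split one Wine debug line into (channel, function, message), or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("chan"), m.group("func"), m.group("msg")


def summarise(log_text):
    """Group events by Zerowine channel; return (events, number of ignored lines)."""
    events = {chan: [] for chan in ZEROWINE_CHANNELS}
    ignored = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] not in events:
            ignored += 1  # blank lines and other Wine channels are noise here
            continue
        chan, func, msg = parsed
        events[chan].append((func, msg))
    return events, ignored


def format_report(events):
    """Render the detailed Report section and the human-readable Signature section."""
    sections = [
        ("Libraries", "malwarelib"),
        ("Registry", "malwarereg"),
        ("API calls", "malware"),
        ("Network", "malwaredump"),
    ]
    out = ["== Report =="]
    for title, chan in sections:
        out.append(title + ":")
        for func, msg in events[chan]:
            out.append("  %s %s" % (func, msg))
    out.append("== Signature ==")
    for _func, msg in events["humanmalware"]:
        out.append("  " + msg)
    return "\n".join(out)


if __name__ == "__main__":
    ev, skipped = summarise(SAMPLE_LOG)
    print(format_report(ev))
    print("(%d lines ignored)" % skipped)
```

With the patched Wine the custom channels are enabled like any other Wine channel, e.g. `WINEDEBUG=+malware,+malwarereg,+malwarelib`; the script above only post-processes the text Wine writes, so anything from channels outside the five is counted as ignored rather than mixed into the report.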
I also fixed various bugs (in both Wine and Zerowine), and Zerowine is now able to detect more anti-debugging techniques, to dump new malware formats, and is more secure: I removed some features in the patched version of Wine that are a bit insecure for malware analysis.
Well, and that's all for the single-user version (I will be releasing it this week, or at least I hope to do so). I will update this entry when the upload to Sourceforge.net finishes; it's very slow (really, a pain in the ass).
Multiuser Version of Zerowine
The new multi-user version of Zerowine will take a long while because it requires a lot of changes; however, many features are implemented right now (queues, multiple malware analysis nodes, database support, etc.). The changes will be mainly architectural, but not all of them. For example, I'm currently implementing new "engines" to analyze malware on other platforms: one IDA Pro based agent to execute the malware with the Bochs debugger inside IDA, dump and analyze it, and get an unpacked IDB database.
Another (possible) agent I'm planning is a Windows hooker to analyze the malware on a real Windows box (but the problem that comes to mind is how to clean the environment automatically after the malware execution...).
