Malware Behavior Analysis: Zero Wine
As a research project, I decided to create a “sandbox” to analyze malware and generate reports automatically based in the behavior. The sandbox is a Debian based distribution with WINE and various python libraries and tools.
Generally, it works quite well to analyze malware even when it’s packed (as is pretty common in today’s malware). However, WINE fails with some packers as, in example, with Armadillo when the “Compatibility Mode” is disabled. Anyway, almost all the packers I tried are working (themida, aspack, upx, etc…).
Zero Wine is distributed in source code form or as a prebuilt QEmu virtual machine: Download, unpack and run the virtual machine. Using the scripts supplied in the tar.gz file the vm’s port 8000 will be redirected to your computer’s 8000 port and the following very simple web page will be presented:
Quite simple: Just select the malware to upload, specify a timeout and click the submit button. After a while a report’s summary with 4 options will be presented:
The options available are the following:
- Report: The complete raw report of all the APIs called by the malware. Hard to follow and hard to understand (a 10mb report is not uncommon).
- Strings: Just the output of the typical unix command “strings”.
- File headers: All the information gathered from the PE using the library PEFile.
- Signature: The signature report is an extract of the full raw report with the most interesting calls.
When the malware was correctly analyzed the “Signature” report is all what you want. A sample malware’s report would be like the following:
In this very first release, the reports aren’t saved in the virtual machines and you can analyze just one malware at a time (as the malware runs in a fixed WINEPREFIX) however, in future releases all the malware’s reports will be added to an SQLite format database and a new WINEPREFIX specific for every malware will be created.
The project is hosted in Sourceforge and, well, that’s all at the moment. Bye!
Joxean Koret