Zerowine 2.0 preview

2010, Oct 22    

Hi!

I plan to release in a month or so the newest version of ZeroWine focused on automation. This new version consists in the following components:

  • A modified version of Wine 1.10.
  • One XMLRPC Server.
  • One XMLRPC client tool.

WINE Changes

Wine was patched to add more debugging channels and to remove noise from the output of ZeroWine as in the previous version the behavior reports were not as good as people wanted. In this version, however, the following new debugging channels were added to Wine:

humanmalware: Shows a human understandable message about what the malware did.

malware: A more technical message about what was done.

malwarelibs: Libraries loaded by the malware.

malwaredump: Dump network data.

regmalware: Dump every registry operation (very noisy).

The following is an example report’s extract generated with the latest version of ZeroWine:

0009:malware:Call to CreateMutex(L"_AVIRA_21099") returned 72
0009:humanmalware:Creating mutex L"_AVIRA_21099"
0009:malware:Call to CreateToolhelp32Snapshot(2)
0009:humanmalware:Enumerating system processes (this may indicate anti-tracing activity)
0009:malware:Call to NtQuerySystemInformation(SystemProcessInformation)
0009:humanmalware:Process enumerates running processes (this may indicate anti-debugging and anti-monitoring activity)
0009:malware:Call to GetFileAttributesW ( L"C:\\windows\\system32" )
0009:malware:Call to SetFileAttributesW ( L"C:\\windows\\system32\\sdra64.exe", 32 )
0009:malware:Call to DeleteFileW ( L"C:\\windows\\system32\\sdra64.exe" ) failed with error code -1073741772
0009:humanmalware:Deleting file L"C:\\windows\\system32\\sdra64.exe" failed with error code -1073741772
0009:malware:Call to CopyFileW(L"Z:\\tmp\\vir\\62bb9091a3c7e692e26b3061cce67595\\malware.exe", L"C:\\windows\\system32\\sdra64.exe")
0009:humanmalware:Copying file L"Z:\\tmp\\vir\\62bb9091a3c7e692e26b3061cce67595\\malware.exe" to L"C:\\windows\\system32\\sdra64.exe"
0009:malware:Call to CreateFileW(L"Z:\\tmp\\vir\\62bb9091a3c7e692e26b3061cce67595\\malware.exe", GENERIC_READ FILE_SHARE_READ FILE_SHARE_WRITE , creation 3 attributes 0x0)

Zerowine XMLRPC Server

The XMLRPC server (zerowined) that will be distributed with ZeroWine 2.0 is a very simple python script that serves as a gateway between the VM and the client application. The sample client application (xmlrpc_client.py) receives the following arguments:

$ ./xmlrpc_client.py
Usage: ./xmlrpc_client.py <url | auto> <filename> <output directory>

The very first argument the client application receives is the URL of the XMLRPC server to connect or the keyword “auto” which means that a server from the list of servers stored in the file ”servers.conf’ must be selected randomly (as you may have a lot of ZeroWine VM servers distributed in your organization). The next argument is the “malware file” to be analyzed and the last argument a directory where all the data gathered by ZeroWine 2.0 will be stored. In this version, the data we gather is the following:

  • A memory dump of every running process (there may be more than just one malware running at the same time).
  • A behavior report.
  • A *.tar.gz file with every file either created or modified.

And that’s all! The new version will be released (if all goes well) in a month. Cheers!