Thursday, April 12, 2007

Malware, Packers, Debuggers, OEPs, and... Arrrgggh!

I haven't posted much this week because most of my free time has been spent tearing my hair out.

This past Tuesday I gave a lecture to my friend Tim's computer security class at a local college while he was on vacation. The topic was introductory malware analysis, and I decided I would include a live demo of iDefense SysAnalyzer in VMware as the big finale. I was extra excited to do this when, last Friday, I found an ANI exploit in the wild and captured not only the exploit file but the alleged malware that the exploit drops on its victims.

The ANI exploit was easy enough to analyze:

$ strings file.jpg
RIFF
ACONanih$
tsil
tsil
anihR
11111111111111111111111111111111
444444444444444444444444444
000000000
CMD >
/C "
T} >
QSPPPPPPWP
hURlm
jlhntdl
huser
l$$6
6;|$(u
http://XXXXXXXXXXXXXX/download/167212/bin.exe
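
The strings output above shows two "anih" tags: one followed by "$" (0x24 = 36, the body size of a well-formed ANI header chunk) and one followed by "R" (0x52 = 82). The Python check below is an added example, not code from the original post. It walks the top-level RIFF chunks and flags any anih chunk whose declared size is not 36, or more than one anih chunk; the function names and the zero-filled sample files are constructed for illustration.

```python
import struct

ANIH_SIZE = 36  # body size of a well-formed ANI header ("anih") chunk

def chunk(tag, body):
    """Build one RIFF chunk: 4-byte tag, little-endian length, body, even padding."""
    return tag + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)

def riff_acon(*chunks):
    """Wrap chunks in a RIFF container of form type ACON (animated cursor)."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def check_ani(data):
    """Walk top-level chunks; return findings (empty list = nothing flagged)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    findings, anih_count, off = [], 0, 12
    while off + 8 <= len(data):
        tag, size = struct.unpack_from("<4sI", data, off)
        if tag == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih at offset {off}: size {size}, expected {ANIH_SIZE}")
        if off + 8 + size > len(data):
            # Declared length runs past end of file: stop instead of reading garbage.
            findings.append(f"chunk {tag!r} at offset {off} overruns the file")
            break
        off += 8 + size + (size & 1)  # chunks are padded to an even length
    if anih_count != 1:
        findings.append(f"{anih_count} anih chunks, expected 1")
    return findings

# Constructed samples (zero-filled bodies, no payload).
GOOD = riff_acon(chunk(b"anih", bytes(36)))
BAD = riff_acon(chunk(b"anih", bytes(36)), chunk(b"anih", bytes(82)))

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, check_ani(sample) or "clean")
```

The walk is deliberately flat: it does not descend into LIST chunks, since the header chunk sits at the top level of the container.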

But bin.exe continues to be a pain in my side. So the students got to see my demo with some older malware that my Nepenthes honeypot collected last November. I refuse to admit defeat, now at least in the hopes of learning something.

In VMware, it simply exits with errorlevel=0. My initial reaction was, "I found VM-aware malware! Sweet!" But now I'm not so sure. Applying some great advice from my friend Matt at IntelGuardians, I tried to disguise the presence of VMware. Still nothing in SysAnalyzer.

So I decided to venture into new territory and attempt to unpack bin.exe. I spent several hours yesterday and today trying to unpack the binary. PEiD says it's packed with UPX, but UPX won't unpack it straight up. After much searching, I found an excellent Flash demonstration by Frank Boldewin on unpacking obfuscated packed executables with OllyDbg, the OllyDump plugin, and ImpRec. But after several hours of trying variations of Frank's method, I still can't find a valid OEP (Original Entry Point - from which the binary can be dumped). I wish I had a point to all of this other than the one I have - malware analysis is hard and people like Frank and Matt who do this stuff for a living are jaw-droppingly smart.

This is me being envious of their giant brains.

2 comments:

Ryan Russell said...

Did you want someone else to have a look, and tell you how to unpack it?

ryan@thievco.com

Stephen Reese said...

Did this end up being VM aware malware?