Week 5

The document discusses techniques used by malware writers to obfuscate and pack malware, making static analysis difficult. It highlights common methods such as obfuscation and packing, and tools like PEiD and Dependency Walker that can help identify packed malware and analyze linked libraries and imported functions. Understanding the naming conventions and the use of external libraries can provide insights into the functionality of malware.
Malware Analysis 0

Obfuscated and packed malware

• Malware writers often try to make static analysis difficult
• The most common techniques:
  – Obfuscation: the act of making something unclear and confusing
  – Packing: compressing or encrypting the code, which is then decompressed at run time

Obfuscated and packed malware

• Obfuscation example: are these two code snippets functionally the same?

for (i=0; i<M.length; i++){
var ML=(ns)?document.layers['nsMinutes'+i]:ieMinutes[i].style;
ML.top=y[i]+HandY+(i*HandHeight)*Math.sin(min)+scrll;
ML.left=x[i]+HandX+(i*HandWidth)*Math.cos(min);
}

for(O79=0;O79<l6x.length;O79++){var O63=(l70)?document.layers["nsM\151\156u\164\145s"+O79]:ieMinutes[O79].style;O63.top=l61[O79]+O76+(O79*O75)*Math.sin(O51)+l73;O63.left=l75[O79]+l77+(O79*l76)*Math.cos(O51);}

• Note that the second snippet renames every identifier and writes part of the string literal as octal escapes: \151\156u\164\145s decodes to "inutes", so the same string 'nsMinutes' is built at run time while a plain string search for it fails

Source: http://www.semdesigns.com/Products/Obfuscators/

Obfuscated and packed malware

• Packed malware makes use of a wrapper function
  – When a packed program is run, the wrapper executes first
  – The wrapper unpacks the original code and then executes it

Image taken from "Practical Malware Analysis" by Sikorski and Honig

Identifying obfuscated and packed malware

• If you see only a few strings in the program being analyzed, it is most probably packed or obfuscated. Why?
• Packed and obfuscated malware will always include the functions LoadLibrary and GetProcAddress
  – These library functions are used to load and call additional external functions at run time
  – Any idea what those external functions will do?
• Some malware creation kits use common packer programs
• Tools are available that can identify packed malware built with such common packers
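The two indicators above (very few readable strings, loader APIs still visible) can be measured rather than eyeballed. The following is an added example and not part of the lecture slides: it constructs a stand-in for an unpacked program section, runs a toy packer over it (an XOR keystream standing in for a real packer's compression or encryption layer, with a tiny stub that still names LoadLibraryA and GetProcAddress), and compares printable-string density and byte entropy on both. All sample bytes and the two thresholds are assumptions made for the demo, not values from any tool.

```python
"""Packing heuristics from static bytes: printable-string density and byte entropy.

Added example (not from the lecture slides). A packed or encrypted program body
exposes few readable strings and near-uniform byte statistics, while an unpacked
one leaks API names, paths and URLs. Every sample below is constructed.
"""
import math
import random
import re

# Constructed stand-in for an unpacked program section: a few code bytes plus the
# kind of strings an import table, a registry key and a download URL would leave.
PLAIN_SECTION = (
    b"\x55\x8b\xec\x83\xec\x40"                      # fake function prologue bytes
    b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    b"CreateProcessA\x00URLDownloadToFileA\x00"
    b"http://example.invalid/update.bin\x00"           # constructed URL
    b"C:\\Temp\\update.exe\x00"                        # constructed path
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
) * 8


def toy_pack(section: bytes, seed: int = 2024) -> bytes:
    """Toy 'packer' (constructed for the demo): XOR the body with a seeded
    pseudo-random keystream and prepend a small unpacker stub that still has to
    name LoadLibraryA/GetProcAddress in order to resolve APIs at run time."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(len(section)))
    body = bytes(b ^ k for b, k in zip(section, key))
    stub = b"\x60\xbe\x00\x10\x40\x00LoadLibraryA\x00GetProcAddress\x00"
    return stub + body


def printable_strings(blob: bytes, min_len: int = 5) -> list[str]:
    """Same idea as the `strings` utility: maximal runs of printable ASCII."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain text and code sit well below."""
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(blob: bytes) -> dict:
    """Report string density, entropy and a rule-of-thumb packed/not-packed verdict."""
    strings = printable_strings(blob)
    per_kb = len(strings) / (len(blob) / 1024)
    entropy = shannon_entropy(blob)
    # Thresholds are assumptions for this demo, not constants from any tool.
    likely_packed = entropy > 7.0 or per_kb < 15
    return {
        "strings": len(strings),
        "per_kb": round(per_kb, 1),
        "entropy": round(entropy, 2),
        "likely_packed": likely_packed,
        "loader_apis": [s for s in strings if s in ("LoadLibraryA", "GetProcAddress")],
    }


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SECTION), ("packed", toy_pack(PLAIN_SECTION))):
        print(label, assess(blob))
```

The packed sample keeps only the two loader APIs as readable strings, which is exactly the pattern the slide describes: the wrapper needs them to resolve everything else once the body is unpacked.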

Identifying obfuscated and packed malware

• PEiD is one such tool
• If you can see which packer program was used on the malware, use the same program to unpack the code!
• We will use the tool again later in the course

Linked libraries and functions

• What is linking?
  – Use of external code (most commonly libraries) for
    · keeping the program size small
    · re-using tested and verified code
• When a program executes, it needs to link to those external functions in order to complete its work
• Malware writers also use external libraries and functions
• The libraries used and the functions imported by a piece of malware give very useful hints about its functionality
  – If a program imports the function URLDownloadToFile, we can guess that it connects to the Internet, downloads some content and stores it in a local file

Linked libraries and functions

• Several Windows functions allow programmers to import linked functions that are not listed in a program's file header
• The two most commonly used are LoadLibrary and GetProcAddress
  – LdrGetProcAddress and LdrLoadDll are also used
• LoadLibrary and GetProcAddress allow a program to access any function in any library on the system
  – When these functions are used, you can't tell statically which functions the malware being analyzed links to

Linked libraries and functions

• Code libraries can be linked in three different ways:
  – Static linking
    · Least commonly used method of linking libraries
    · When a library is statically linked to an executable, all code from that library is copied into the executable
      * Results in a large code size
    · When analyzing code, it's difficult to differentiate between statically linked code and the executable's own code
      * because nothing in the PE file header indicates that the file contains linked code

Linked libraries and functions

• Code libraries can be linked in three different ways (continued):
  – Runtime linking
    · The executable connects to a library only when a function from it is needed
      * Not when the program loads
    · Unpopular in common programs
    · Commonly used by malware, especially when it's packed or obfuscated
  – Dynamic linking
    · The most common kind of linking used by malware
    · When libraries are dynamically linked, the host OS searches for the necessary libraries when the program is loaded

Finding linked libraries and imported functions

• Tools are available that can extract information about linked libraries and the imported/exported functions used by a program
• Dependency Walker is one such tool
• It lists the dynamically and runtime linked functions in an executable
• It shows the list of DLLs being imported
• Dependency Walker may show a module more than once
  – because it is a dependency for more than one reason
  – In reality, only one copy of the module resides in memory at run time

[Figure: Dependency Walker screenshot with callouts 1 to 4: 1 marks the analyzed program SERVICES.EX_, 2 the pane listing the program and the DLLs it imports, 3 the pane of functions imported by the executable, 4 the pane of all functions exported by the selected DLL; both function panes show function details, including an Ordinal column]

Finding linked libraries and imported functions

• The figure shows Dependency Walker's analysis of SERVICES.EX_ (1)
• The pane at 2 shows the program name as well as the DLLs being imported, namely KERNEL32.DLL and WS2_32.DLL
• Clicking KERNEL32.DLL shows the functions imported by SERVICES.EX_ in the PI pane at 3
  – PI stands for Parent Import
• We see several functions, but the most interesting is CreateProcessA
  – This tells us that the program will probably create another process
  – When running the program, we should watch for the launch of additional programs

Finding linked libraries and imported functions

• The middle right pane at 4 lists all functions exported by KERNEL32.DLL
  – This information is not particularly useful to us
• Did you notice the columns labeled Ordinal in panes 3 and 4?

Finding linked libraries and imported functions

• Executables can import functions by ordinal instead of by name
• When a function is imported by ordinal, its name never appears in the original executable
  – It can be harder for an analyst to figure out which function is being used
• When malware imports a function by ordinal, you can find out which function is being imported by looking up the ordinal value in the pane at 4
• Example (runtime import by ordinal):

#include <windows.h>

int ordinal = 123;                                   /* ordinal seen in the import table; no name is stored */
HMODULE dll = LoadLibraryA("MyDLL.dll");             /* load the library at run time */
FARPROC fn = NULL;
if (dll != NULL)                                     /* GetProcAddress takes an LPCSTR, so use the ANSI macro */
    fn = GetProcAddress(dll, MAKEINTRESOURCEA(ordinal));
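To see what "the name never appears in the executable" means at the byte level, and how pane 4 (the DLL's export table) lets you recover it, here is an added example that is not from the lecture slides or from Dependency Walker. It constructs a small PE32 import section in the real .idata layout (an IMAGE_IMPORT_DESCRIPTOR array, DLL name strings, import lookup tables and hint/name entries), parses it the way a static analysis tool does, and resolves the ordinal-only entries through a stand-in export table. The section RVA, the import list and the export map are assumptions for the demo; the WS2_32 ordinals used are its well-known fixed ones, but in practice you read them from the export table of the DLL you actually have.

```python
"""Walk a PE32 import table and resolve imports by ordinal.

Added example, not taken from the lecture slides or from Dependency Walker.
It builds a constructed import section, parses it, and turns ordinal-only
entries into names using a stand-in for the DLL's export table (pane 4).
"""
import struct

SECTION_RVA = 0x2000                 # assumed RVA of the constructed .idata section
IMAGE_ORDINAL_FLAG32 = 0x80000000    # high bit set => the thunk holds an ordinal, not a name RVA
DESCRIPTOR_SIZE = 20                 # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Constructed import list: KERNEL32 functions by name, three WS2_32 functions by ordinal.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "CreateProcessA"]),
    ("WS2_32.dll", [23, 4, 19, "WSAStartup"]),
]

# Stand-in for pane 4, the DLL's export table. Always confirm ordinals against
# the export table of the DLL build you are actually looking at.
EXPORTS_BY_ORDINAL = {"WS2_32.dll": {4: "connect", 19: "send", 23: "socket"}}


def build_import_section(dlls, section_rva=SECTION_RVA):
    """Lay out descriptors, DLL names, hint/name entries and ILTs in one byte string."""
    blob = bytearray(DESCRIPTOR_SIZE * (len(dlls) + 1))   # descriptor array + all-zero terminator
    descriptors = []
    for dll_name, entries in dlls:
        name_rva = section_rva + len(blob)
        blob += dll_name.encode("ascii") + b"\x00"
        thunks = []
        for entry in entries:
            if isinstance(entry, int):                     # import by ordinal: no name is stored at all
                thunks.append(IMAGE_ORDINAL_FLAG32 | entry)
            else:                                          # import by name: 2-byte hint + NUL-terminated name
                thunks.append(section_rva + len(blob))
                blob += struct.pack("<H", 0) + entry.encode("ascii") + b"\x00"
        ilt_rva = section_rva + len(blob)
        blob += b"".join(struct.pack("<I", t) for t in thunks) + b"\x00" * 4
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descriptors.append((ilt_rva, 0, 0, name_rva, ilt_rva))
    for i, desc in enumerate(descriptors):
        struct.pack_into("<IIIII", blob, DESCRIPTOR_SIZE * i, *desc)
    return bytes(blob)


def parse_imports(section, section_rva=SECTION_RVA):
    """Return {dll: [("name", func) or ("ordinal", n), ...]} from the import section bytes."""
    def cstring(rva):
        off = rva - section_rva
        return section[off:section.index(b"\x00", off)].decode("ascii")

    imports = {}
    off = 0
    while True:
        ilt, _stamp, _fwd, name_rva, iat = struct.unpack_from("<IIIII", section, off)
        if ilt == 0 and name_rva == 0:                     # all-zero descriptor terminates the array
            break
        entries = []
        toff = (ilt or iat) - section_rva                  # some files leave the ILT pointer zero; fall back to the IAT
        while True:
            (thunk,) = struct.unpack_from("<I", section, toff)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                entries.append(("ordinal", thunk & 0xFFFF))
            else:
                entries.append(("name", cstring(thunk + 2)))   # skip the 2-byte hint
            toff += 4
        imports[cstring(name_rva)] = entries
        off += DESCRIPTOR_SIZE
    return imports


def resolve(imports, exports=EXPORTS_BY_ORDINAL):
    """Turn ordinal-only entries into readable names via the DLL's export table."""
    readable = {}
    for dll, entries in imports.items():
        table = exports.get(dll, {})
        readable[dll] = [
            func if kind == "name" else f"#{func} -> {table.get(func, 'unknown, check the export table')}"
            for kind, func in entries
        ]
    return readable


if __name__ == "__main__":
    section = build_import_section(SAMPLE_IMPORTS)
    parsed = parse_imports(section)
    print("name 'socket' stored in the file:", b"socket" in section)
    for dll, funcs in resolve(parsed).items():
        print(dll, funcs)
```

The constructed section contains the bytes "WSAStartup" but never "socket", "connect" or "send", which is why a strings dump or a name-based search misses the networking functions and only the ordinal lookup recovers them.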

Common Windows linked libraries and functions



Windows function naming conventions

• When analyzing executables, it is helpful to know the naming conventions
• For example, you will often encounter function names with an Ex suffix, such as CreateWindowEx
• When Microsoft updates a function and the new function is incompatible with the old one, Microsoft continues to support the old function
• The new function is given the same name as the old function, with Ex added as a suffix
  – Functions that have been significantly updated twice have two Ex suffixes in their names

Windows function naming conventions

• Many functions that take strings as parameters include an A or a W at the end of their names, such as CreateDirectoryW
• This letter does not appear in the documentation for the function
  – It simply indicates that the function accepts a string parameter
  – Furthermore, there are two different versions of the function: one for ASCII strings (A) and one for wide character strings (W)
• Remember to drop the trailing A or W when searching for the function in the Microsoft documentation
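The two conventions on these slides (the Ex suffix and the A/W suffix) can be applied mechanically when you have a long import list to look up. The following is an added example, not from the lecture slides: it peels the suffixes off an imported name so you get the base name to search for in the Microsoft documentation, and reports which variant the binary uses. The real API names used (CreateWindowExW, CreateDirectoryW, RegOpenKeyExA, GetProcAddress, CreateMutexExW, CreateFileA/W, LoadLibraryA) exist; "DemoExExA" is a constructed name used only to show a double Ex.

```python
"""Normalize Windows API names for documentation lookup.

Added example, not from the lecture slides: strip the A/W character-set suffix
and any Ex suffixes from an imported function name so it can be searched under
its documented base name, and record which variant the binary imports.
"""
import re


def split_api_name(name: str) -> dict:
    """Return the base name plus the suffixes that were peeled off."""
    base = name
    charset = None
    # A/W counts as a suffix only when it follows a lowercase letter or a digit
    # (CreateProcessA, GetTextExtentPoint32W); a name ending in some other
    # capital letter is left untouched.
    if re.search(r"[a-z0-9][AW]$", base):
        charset = {"A": "ANSI", "W": "wide (UTF-16)"}[base[-1]]
        base = base[:-1]
    ex_versions = 0
    # Only a capital-E "Ex" is a suffix, so CreateMutexExW ends up as CreateMutex
    # and keeps its own "ex" ending.
    while len(base) > 2 and base.endswith("Ex"):
        base = base[:-2]
        ex_versions += 1
    return {"name": name, "base": base, "charset": charset, "ex_versions": ex_versions}


def documentation_keys(import_names):
    """Group imported variants under the base name you would search for."""
    groups = {}
    for n in import_names:
        groups.setdefault(split_api_name(n)["base"], []).append(n)
    return groups


if __name__ == "__main__":
    for n in ["CreateWindowExW", "CreateDirectoryW", "RegOpenKeyExA",
              "GetProcAddress", "CreateMutexExW", "DemoExExA"]:   # DemoExExA is constructed
        print(split_api_name(n))
    print(documentation_keys(["CreateFileA", "CreateFileW", "LoadLibraryA"]))
```

The charset field is also a small behavioural hint on its own: a program that imports only the W variants builds wide-character strings, which matters when you later search its memory or strings output for paths and URLs.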

Imported and exported functions

• Imported functions provide clues to the executable's functionality
  – You'll find detailed information about Windows functions on MSDN
• Exported functions provide functionality to other executables
  – Usually seen in DLLs
  – If an executable exports functions, this can be interesting!
• If malware exports any functions, it can be hard to determine its functionality with basic analysis
  – Malware authors avoid using the naming conventions
  – They can choose misleading names for their functions!