Reverse Engineering Malware (Part 2)

If you would like to read the other parts in this article series please go to:

In part one of this article series on reverse engineering we discussed a fair amount of background material. Now that the foundation has been laid, we shall begin with the actual process of rev eng, as many call it.

Reverse engineering and you, Part II

We left off in part one having discussed the skills necessary to be able to do reverse engineering at a basic level. The most important skill which is required is that of programming. You need not be an enterprise level programmer to practice reverse engineering. Heck, I would go so far as to say that you need not even be a programmer at all. What you do need is a good understanding of programming functions, and at a minimum the ability to read and understand source code. This ability will naturally lead to understanding what programming functions such as “sprintf” are, for one.

Finally

Well after much stalling and delaying on my part we will now download a malware sample. This will be done from the earlier mentioned Metasploit website, which does a nice job of finding the malware for us. Please surf to the following link, and once again be aware that you download malware at your own risk. Once you have navigated to the link, you should be seeing the below noted screenshot.


Figure 1

Now that you have the homepage there, go ahead and type in the word trojan and hit enter. You will now be presented with a variety of malware samples for your downloading pleasure. Quite nifty isn’t it! Once again, kudos to HDM for his work. In case you are not sure of the results you should be seeing, please view the below noted screenshot.


Figure 2

Now I went ahead and downloaded a trojan last weekend, but it is no longer listed there. That really is of little importance as the steps I will take with the trojan I downloaded can be applied to any malware you choose to download yourself. Please remember again, you download malware at your own risk. Please ensure that you are playing with any malware sample you download in a safe environment ie: don’t do this on a production system! Sorry as I don’t mean to state the obvious, but I want to make sure there is no misunderstanding here.

Now what?

Indeed a fair question. Now what? Well now that you have a malware sample safely downloaded on a VMware image or standalone computer, we can now begin to look at it. Prior to doing this it is a good idea to start off with a methodical approach. What I mean by that is to begin your analysis methodology with the proper steps. It is assumed here that you will likely begin doing cursory reverse engineering on a regular basis. As such, you may come across pieces of malware that you swear are the same ones. Problem is, just how do you differentiate between two pieces of malware definitively? Well, barring hash collisions, one way of doing so is by using an MD5 hash. Malware often has many variants, and telling the difference between them can at times be difficult if your reverse engineering skills are not up to par. So with that in mind, using an MD5 hash as noted can be very helpful.

You can download some utilities which will do this for you in Windows. What I would suggest is that you download the following program called MAP, or Malcode Analyst Pack, that was donated to the community by the good folks at iDefense. This very nifty program will do many things for you, including the ability of running MD5 checksums against files and folders. The program comes in an MSI package and is trivial to install. Once done you will note that once you right click on a specific file or folder, you will be presented with more options than normal. That being, “Hash Files” in our case. You then simply choose that option and let the program do its work. Take a look at the screenshot below for sample output.


Figure 3

You will note that the contents of the “debanot” folder have had an MD5 hash run against them, with that very same value shown. That, plus other key information as the file name and size as measured in bytes. All in all, a very nice feature to have at your fingertips. I would most heartily recommend that you run an MD5 hash against any piece of malware you analyze before you make any possible changes to it. This way you can save yourself a fair amount of work in the future by not analyzing the same piece of malware twice. You may have looked at MAP a little bit more closely and seen that it has many features that lend themselves to malware analysis. This was indeed the design goal when the program was written. I would certainly encourage you to explore MAP’s many other features.

Are we there yet?

Are we any closer to actually cracking open a malware executable? Yes, yes, we are! If you are saying that patience is a virtue that takes far too long to master, I would agree with you. Now that we have our piece of malware in hand, and we have taken an MD5 hash of it, we are ready to move on. What you will now need to continue is a hex editor. There are several good hex editors out there, but the one I will use is from Heaventools. While there are many free hex editors I feel that you often get what you pay for, which is why I use a commercial one. Feel free to use whatever one you like as it will likely still get the job done anyways.

Now I am not sure what the malware file that you downloaded looks like seeing as I didn’t download it for you. What I mean by this is; did the malware you download using the trojan keyword in Metasploit’s malware search engine present you with any specific icon? Does it present to you the typical winzip or winrar icon that we are all used to seeing? That, or are you seeing the icon that typically represents a Microsoft Windows executable aka PE format? You may be saying to yourself the following “Great! Don is setting me up for a long winded explanation of some sorts….”. Well you would indeed be correct for saying that. Rest assured that there is a very good reason for my asking whether or not your downloaded malware shows up as a winzip or winrar icon.

Much as I said before, there is a certain series of steps to take when analyzing malware. Also, don’t always believe what your eyes are telling you. Things in the world of malware are not always as they seem. A large part of the malware world evolves around fooling the user. You and I, however, are not the average security monkey now are we. On that cryptic note I shall end part two of this article series on reverse engineering. Stay tuned for in part three we actually get to the good stuff! Till then.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top