Can malware detect that it is running inside a VM?
Overall YES
- If the malware detects that it is working inside the VM, it will terminate its activity immediately. For modern malware, they tend to change the behavior of the malware, so the analyst doesn’t know how it works.
- Also, it tries to escape the VM to infect the host machine.
How does the malware detect that it's running inside a VM?
The previous picture talks about the ways that the malware detects that it is working inside a virtual machine, like the system uptime, the programs that are opened alongside the malware, there are tons of ways like that, and they increase every day.
So, can malware escape the VM and infect the host?
YES
- Called Privilege Escalation, maybe the host and the guest are on the same network, so it tries to scan the host and find a vulnerability, or zero-day exploit, in the VM itself, which happens every year.
Now am going to speak about the analysis itself.
Static Analysis
You will use tools to do the work for you, mostly all the tools follow those steps.
- Online antivirus scanning
- Search by hash, But the hash can be changed easily.
- analyze PE file formats, like using
strings. - Unpacking file
Antivirus scanning methods.
There are like four ways that we will see.
Signature-based detection: fast but does not detect new threats.
Heuristics-based detection: It looks for specific instructions using a rule or weight-based system. For example, it looks for the compile time of the file or the size and some rules, and if the score of the file exceeds 70%, it will trigger as malware.
Behavior-based detection: It looks for software attempting to perform malicious functions. The problem is that it only identifies what the malware does when the files are open.
Machine learning: analyze the code of applications and decide based on its understanding of malicious and benign programs.
Note: Antivirus use all the methods together NOT just one.
Using Strings
When you use strings, you will see the readable strings in the file, whether it is a PE file or any other type of file.
Either you use strings or PE Studio to automate the process.
Malware developers always use ways to hide the strings from the analyst, like encryption using “Stack String”, or encrypted using “Simple XOR”, There are actually a lot of ways.
We can defeat that using FLOSS (FireEye Labs Obfuscated String Solver), which just reverses the operation to get the actual string.
We have talked about PE files, so what is that?
it is an executable file which contains the PE structure format which has this form.
The PE header contains information about the file, like:
- number of sections
- Time Data Stamp
- Characteristics
Also, the PE header contains an optional header that contains:
- AddresseOfEntryPoint
- ImageBase
- SizeOfImage
For the section part
You will have probably most of these sections.
For the .rsrc, it is very important, as the malware developer may use different executables in there in case there are multiple cases of the malware or something.
We use “Resource Hacker” to analyze this section, or you can analyze it using CFF Explorer.
Common DLL
The library or the function name tells you the purpose of the code, so you have to be familiar with the common ones like:
Also, I have to mention that the last letter of the name of the DLL has a meaning.
DLL files always export functions that “can be imported too”, EXE files import these functions.
As we said before, hackers use ways to hide strings from the analyst, so he can’t do his static analysis.
Packing
When the hacker tries to hide its strings, or make the analyst miss the opportunity of the static analysis, so if you are doing analysis and you didn’t find many strings, either this program is obfuscated or packed “not normal.”
So, the malware is packed until it gets to memory, then it is unpacked to run normally. Under the supervision of dynamic analysis :)
There is a program inside the malware called unpacker that the developer points the entry point to, so when you run the malware, you will just unpack the program.
The next picture will give you a graphical explanation of a packed file.
As a summary, the packing forms an extra layer of code that’s wrapped around a piece of malware to conceal it. This is done to make it harder for anti-malware researchers to reverse engineer the code or to hinder analysis of the code using heuristics.
Knowing what is packing, as malware analysts, we have to know how to deal with this.
Tools to identify Packers.
- PEID
has three modes.
- Normal Mode: Scan the entry point for all documented signatures.
- Deep Mode: Scan the section that contains the entry point. …..
- Hardcore Mode: Complete scan of the entire PE file You should use this mode as a last option, as it causes a lot of false positives.
2. Exeinfo PE
The updated version of PEID
3. DIE (Detect It Easy)
has the Entropy feature, as it measures the entropy of the file.
More Entropy Score, more probability that this file is packed.
There are tools to automate the whole process. of identifying and unpacking:
1. Rl!dePacker
2. AspackDie
You can use the Exinfo recommendation tool for every packed file.
We have to ask ourselves an important question.
What if we can’t unpack the file because the packer is advanced or unknown?
The answer is that you just use the autometer unpacker; if it is unpacked only 10%, it is okay. It will give us more information than totally packed :)
Packing is done just to hide from the static analysis not the dynamic one.
Thank you for making it this far. In the next section, we will look at dynamic analysis, sandboxes, and some tips that you need to be aware of.
