The Complete Magazine on Open Source

Malware Analysis Using REMnux

SHARE
/ 292 0

File with magnifying glass

In this second article of the series, we focus on eliminating XOR patterns. Malware tends to employ XOR patterns for self-encryption/decryption because they obfuscate malicious code which, in turn, helps malware avoid detection.

This article gives you an overview of malware code obfuscation. Nowadays, malware tends to remain hidden during infection and operation, avoiding detection and analysis by security tools. Generally, code obfuscation is malware’s best friend. It provides high persistence to the malware samples. Code obfuscation is a technique that uses binary and textual data in an unreadable format that cannot be reverse engineered.

Figure 1- NomoreXor

Figure 1: NoMoreXor

Figure 2- NomoreXor - XOR key

Figure 2: NoMoreXor for extracting possible XOR keys in the sample ‘malware.exe’

A lot of malware have the capability of self-encryption and high persistence. Most malware use the XOR self-encryption/decryption routine. XOR patterns for obfuscating the malicious code are very similar in working patterns:

i) Out of a possible 255 keys ranging from 0–255, the attacker picks a 1 byte key
ii) The attacker obfuscates the code by encoding it with the 1 byte key value, iteratively
iii) The attacker can pick the longer key size to obfuscate the code for better persistence
iv) The attacker protects the code (encoded string) by iteratively XORing each byte with the key
XOR is basically very simple, symmetric and easily reversible with a single functionality for both encryption and decryption. Encrypted malware is hard to detect by the traditional security solutions like anti-virus software, intrusion detection systems and intrusion prevention systems. The only pattern that can be recognised is the XOR pattern used for the encryption/decryption routine. Here, REMnux is used to analyse the malware samples for possible XOR patterns.

Figure 3- balbuzard

Figure 3: Balbuzard

Figure 4 -bbcrack.py

Figure 4: Bbcrack

NoMoreXor
NoMoreXor is a command line utility used to analyse and guess the 256 byte XOR key using the frequency analysis technique. The utility is bundled in REMnux and is freely available on Git at https://github.com/hiddenillusion/NoMoreXOR
The syntax is:

NoMoreXor.py -a –o [outputfile.extension] [malwaresample.extension]

Here’s an example:

NoMoreXor.py -a –o malware.hex malware.exe

Balbuzard
Balbuzard is a malware analysis tool that is used to extract patterns from malicious files and to crack obfuscated code using XOR. It is also used to extract strings/patterns and embedded files.
The syntax is:

Balbuzard.py [option] [filename.extension]

Here’s an example:

Balbuzard.py --csv malware.csv malware.exe
Figure 5 - bbharvest

Figure 5: Bbharvest

Bbcrack
Bbcrack is a supplementary tool used to brute-force XOR keys based on patterns of interest.
The syntax is:

bbcrack.py [option] [filename.extension]

An example is:

bbcrack.py –l 2 malware.exe

Bbharvest
Bbharvest is also a brute force tool used to extract XOR keys that are specifically targeted against single obfuscated strings/patterns in malware.
The syntax is:

Bbharvest [option] [filename.extension]

Here’s an example:

bbharvest.py –l 2 malware.exe
Figure 6 -bbtrans

Figure 6: Bbtrans

Figure 7 - XOrsearch

Figure 7: Xorsearch

Bbtrans
Bbtrans is used to apply transforms over the malware samples.
The syntax is:

Bbtrans.py [option] [filename.extension]

And an example is:

bbtrans.py –l 2 malware.exe

Xorsearch
Xorsearch tools help to find all possible 1 byte key values. However, the particular string that we are looking for is known and one good value is ‘smtp’, because some malware samples often send mail to the command and control server.
The syntax is:

Xorsearch [option] [filename.extension] <string>

An example is:

Xorsearch –s malware.exe smtp

References
[1] https://en.wikipedia.org/wiki/Malware
[2] www.threattracksecurity.com/enterprise-security/malware-analysis-sandbox-software.aspx
[3] https://zeltser.com/build-malware-analysis-toolkit/
[4] https://isc.sans.edu/forums/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+Part+1/15394/
[5] http://digital-forensics.sans.org/blog/2013/05/14/tools-for-examining-xor-obfuscation-for-malware-analysis?reply-to-comment=15387
[6] http://www.decalage.info/python/balbuzard