Analysing Malicious Code:: Dynamic Techniques

This report starts out discussing a framework for building an API monitoring system. In such a system, malicious code can be run, and its actions can be taken notice of. I look into different analysis tools for stuctural analysis, and API monitoring tools. I will also discuss dynamic analysis using a debugger, and anti-debugging techniques used by modern malware. When using a debugger, API hooking can be implemented using brakepoints as well. In any case, we will need an isolated environment. The best candidate for this is virtual machines. I will look at different ways of controlling a virtual guest from a host system. On VMware, we can use both normal networking interfaces, and a backdoor, which is really an i/o port. I will also look into techniques for detecting virtual machines, and some counter-techniques. Packing mechanisms and ways to undo them is central to malware analysis. In this paper I have unpacked and analysed several samples of the Storm Bot, which is packed using UPX. Additionally, the APIs used by Storm has been determined. Dynamic analysis can be based on API usage. Scripting VMware is a central part of the last chapter. I will demonstrate several ways of doing this. It seems this can be a good foundation for building automated analysis solutions. I will also discuss the PaiMei framework which integrates the most useful analysis tools, and can work as a framework for building programs that automate the process of malware analysis. A report on malware analysis would not be complete without viral code. Cermalus is a recently released virus, which assembly source code has been included in the appendix. The source is well commented, and clearly states what the different routines are used for. You will find many of the terms used in these comments explained throughout this report