Monday, March 9, 2009

A Step into Automated Behavioral Malware Analysis (Zero Wine, the after math!)

Today's typical botnet architectures which have been ported from IRC C&C envrionment to web, has put forward more challanges in dealing with more sophisticated malware. Although in contribution to my previous post of "Malware Analysis Tools and Techniques", this post will put spotlight on examining thoroughly into specific malware behavior. Following toolset and envrionment needed to be set-up before pushing any experiments:

- Zero Wine VM Image (
- QEMU (
- PEiD (

ZeroWine runs a dynamic analysis under WINE based virtual sandbox envrionment (completely isolated from host operating system). ZeroWine is currently avaiable as an independent Debian operating system. Once deployed correctly, will give web interface access to upload any PE(portable executable) file and generate a report on the basis of malware execution process under various API calls.

As we can its has more details under "Report", "Strings" detected, "Headers" identified and "Signatures" matched. Looking into complete report set will give an idea on malware execution process:

Going step by step, finding common strings, headers and relevant signatures will identify the malware activites. But on the other side, intercepting the communication launched by these suspicious programs can lead the actual traceback operation done. To notice, today's malware development is getting more complex that a single point of clue may conclude wrong results. This is far more unacceptable when special/private packers, cryptors or compilers are used to wrap the PE files. In order to overcome these problems at certain level, programs like PEiD were developed to identify common signatures of any known packers or cryptors used for compiling unique or variants of similar malware.

However, an increase in number of anti-virtualization and anti-debugging techniques has proved to thawrt many defensive gates. As discussed in paper, "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware".

A study conducted at Av-Test has provided the unique sampling statistics of different malwares collected since early 90's and 2007. The total range cross over 5.5 million as shown in the figure below.

The overall outcome of this discussion is to let the infosec community to know that where we are standing and what more advanced procedures required to achieve the final goal. Although, the movement of underground economy has never stopped or affected instead changing the digital face by the time and standing with the new challanges.