Lab For Malware

This document summarizes the results of analyzing a malware sample through behavioral analysis using various tools. The analysis found that the malware copies itself to the victim system and queries for system files. It modifies some Windows registry keys related to networking. The malware was able to infect another "innocent" machine on the network, overtaking its CPU and resources and causing it to repeatedly restart. Network analysis showed the malware scanning the network, using NetBIOS and SMB to attempt to infect other systems. Based on its self-replicating and network-spreading behavior, the malware is classified as a worm.

Uploaded by hchelcow
Copyright: © Attribution Non-Commercial (BY-NC)
Malware & Viruses 4055-760, Prof. Yuan
LAB2: Virus Behavioral Analysis
Harold Chelchowski, 1/6/13

The purpose of this lab is to examine a malware sample through behavioral analysis using various tools such as Process Explorer, File Monitor, Registry Monitor, Winalysis and Wireshark. The following are the results obtained from this experiment.

Q1: Does the malware copy itself or infect any files? If it does, what file or files does it copy or infect?

The File Monitor program was used to answer this question. The malware does not infect any files. Instead it makes a lot of queries for many DLL files, especially those related to Windows sockets and Windows networking such as WS2_32.dll, mswsock.dll, iphlpapi.dll and others (underlined in green in the image below). Also, the malware copies itself as avserve2.exe to the path C:\WINDOWS\avserve2.exe (red box in the image below). Below are the results after the victim PC was infected with the malware. Make sure to zoom into the file in order to see the image better.

Q2: Does the malware modify the Windows registry keys? If it does, which registry keys does it modify?

The Registry Monitor program was used to answer this question. The malware does modify Windows registry keys. According to Registry Monitor, the malware accesses many registry keys related to Windows network services and connections. The malware tries to query, open, close and create registry keys. For example, the malware creates the following registry key:

- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters (first red box in the image below)

The malware also queries for registry values such as:

- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Linkage\Bind

Other registry keys were also manipulated by the malware. The capture below shows the results.

Q3: Does the malware create any accounts or shares on the victim system? If it does, what accounts or shares does it create?

The malware did not create any accounts or shares on the victim system. We used the Winalysis tool before and after the victim PC was infected, and we see that no new accounts or shares were created. We also used the command net users to see if any new user accounts were created. Below are the captures.

Before:

After:

Q4: Did the innocent machine get infected? Describe the behavior of the innocent machine if it did get infected.

The innocent machine got infected with the malware. The behavior of the innocent machine is that there is a lot of lag due to 100% CPU utilization (green box in the capture below). The processes that take over the CPU are ftp.exe and the malware under the name avserve2.exe (red box in the capture below). Below is a capture of the Task Manager from the innocent machine.

Then, after the lag, a window pops up stating that the computer will shut down because the Local Security Authentication Server process (lsass.exe) terminated unexpectedly, and it gives us one minute before the system shuts down and restarts. Below is the capture of the window that pops up.

The computer keeps restarting after 3 to 5 minutes.

Q5: What did you observe in the Wireshark captures on the monitor machine (Backtrack)?

The Wireshark capture from Backtrack shows that a lot of ARP requests were coming from the victim machine, querying for IP addresses within the victim's subnet. There were also RARP requests that queried for the MAC address of the victim machine. Also, there were NetBIOS over TCP/IP (NBT) broadcast packets coming from the victim machine. The NetBIOS services observed included the following: the name service, for name registration and resolution, using port 137, and the datagram distribution service, for connectionless communication, using port 138. Then we saw that the malware tried to access other computers on the network via port 445, which is used by the SMB protocol. The SMB protocol provides shared access to files, printers and other resources between nodes on a network. The following are captures from the experiment.

ARP Requests:

RARP Requests:

NBT Broadcast:

SMB Protocol: The capture below shows how the victim PC (192.168.0.1) tries to communicate with the monitor PC (Backtrack, 192.168.0.12) via port 445. But every time the victim machine with the malware tries to establish a connection with Backtrack, Backtrack sends a [RST, ACK], meaning that the port is closed. Thus the malware cannot get hold of the Backtrack machine.

Q6: Did the victim and the innocent machines restart during the lab? What did they do after restart?

Both the innocent and victim machines restarted during the lab. After they restarted they experienced the same results as described in Question 4: the processes ftp.exe and avserve2.exe took over the CPU, keeping it at 100% utilization, which led to a lot of lag on both computers.

Q7: Use the Wireshark captures to explain how the malware infects the innocent machine.

From the Wireshark captures above, it seems that the malware first checks which machines are available on the network by sending ARP requests for all possible IP addresses on the subnet. Once a host is found, the malware uses NetBIOS to establish a communication session with the new host. Then, through this session, the malware tries to exploit any security hole found in the new host via port 445, which the SMB protocol uses for file and other resource sharing. This allows the malware to replicate itself on the new host. Below is a capture of the innocent machine (192.168.0.11), already infected with the malware, trying to infect the Backtrack machine (192.168.0.12). But because port 445 is blocked on Backtrack, probably by a firewall rule, the infected innocent machine is unsuccessful.
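To show the scanning pattern described in Q5 and Q7 from the monitor machine's side, here is an added example that is not part of the lab report: it runs a few detection heuristics over a constructed, tshark-style packet summary. The "src|dst|proto|info" line format, the sample packets and the sweep threshold are assumptions; only the 192.168.0.x addresses and the ARP / NetBIOS / port 445 behaviour come from the lab.

```python
# Added example, not from the lab report: flag the Q5/Q7 pattern (ARP sweep ->
# NetBIOS broadcasts -> SYNs to SMB/445) in a constructed tshark-style summary.
from collections import defaultdict
# Constructed sample lines, format "src|dst|proto|info" (an assumption, not tshark's default).
SAMPLE = """\
192.168.0.1|ff:ff:ff:ff:ff:ff|ARP|Who has 192.168.0.2? Tell 192.168.0.1
192.168.0.1|ff:ff:ff:ff:ff:ff|ARP|Who has 192.168.0.11? Tell 192.168.0.1
192.168.0.1|ff:ff:ff:ff:ff:ff|ARP|Who has 192.168.0.12? Tell 192.168.0.1
192.168.0.1|192.168.0.255|NBNS|Name query NB WORKGROUP<1d> (port 137)
192.168.0.1|192.168.0.255|BROWSER|Host Announcement (port 138)
192.168.0.1|192.168.0.12|TCP|1045 > 445 [SYN]
192.168.0.12|192.168.0.1|TCP|445 > 1045 [RST, ACK]
192.168.0.1|192.168.0.11|TCP|1046 > 445 [SYN]
192.168.0.11|192.168.0.1|TCP|445 > 1046 [SYN, ACK]
"""

def parse(text):
    """Split each summary line into its four fields."""
    return [dict(zip(("src", "dst", "proto", "info"), ln.split("|", 3)))
            for ln in text.splitlines() if ln.strip()]

def arp_sweep_targets(pkts):
    """Distinct IPs each host asked for with an ARP 'Who has' request."""
    targets = defaultdict(set)
    for p in pkts:
        if p["proto"] == "ARP" and p["info"].startswith("Who has "):
            targets[p["src"]].add(p["info"].split()[2].rstrip("?"))
    return targets

def smb_probe_outcomes(pkts):
    """Per (src, dst): how the peer answered a SYN sent to port 445."""
    outcomes = {}
    for p in (q for q in pkts if q["proto"] == "TCP"):
        if "> 445 [SYN]" in p["info"]:
            outcomes.setdefault((p["src"], p["dst"]), "no reply")
        elif p["info"].startswith("445 > ") and (p["dst"], p["src"]) in outcomes:
            reply = "closed (RST)" if "RST" in p["info"] else "open (SYN-ACK)"
            outcomes[(p["dst"], p["src"])] = reply
    return outcomes

def classify_hosts(pkts, sweep_threshold=3):
    """worm-like = ARP sweep + NetBIOS broadcast + SMB/445 probe, all from one host."""
    sweeps, probes = arp_sweep_targets(pkts), smb_probe_outcomes(pkts)
    nbt = {p["src"] for p in pkts if p["proto"] in ("NBNS", "BROWSER")}
    verdict = {}
    for host in {p["src"] for p in pkts}:
        signs = [len(sweeps.get(host, ())) >= sweep_threshold,
                 host in nbt, any(s == host for s, _ in probes)]
        verdict[host] = "worm-like" if all(signs) else ("suspicious" if any(signs) else "benign")
    return verdict
```

On the sample, 192.168.0.1 is flagged worm-like, its probe of 192.168.0.12 is recorded as closed (the [RST, ACK] seen in the lab) and its probe of 192.168.0.11 as open, which is the host that later became infected.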

Q8: Based on your findings about the malware in this lab, how do you classify this malware: as a virus, a worm, a trojan, or a combination of these types?

This malware is a worm because it follows the definition of a worm as stated in the lecture slides: a self-replicating but stand-alone program that exploits security holes to compromise other computers and spread copies of itself through the network.
