On May 19th, we hosted a webcast with AlienVault Labs on reverse engineering malware. The Q&A from the webcast is posted below. Additionally, you can view the recording here.
Q: A lot of malware is in DLL format, which is initiated by some unique arguments, which we do not know most of the time after the malware executes. What do you do in such cases?
A: To run a DLL, one would use the rundll32 tool to execute it. To figure out what sort of arguments the functions take one would utilize a tool like Dependency Walker to analyze the various functions.
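The question above is about finding what a DLL exposes before calling it through rundll32. As an added example, not from AlienVault or the webcast, here is a self-contained Python parser for the PE export table that lists exported names, ordinals and function RVAs; the DLL image it parses is constructed inline (a header-only sample with no code), and the export names ServiceMain and Install are made-up placeholders.

```python
import struct

def rva_to_off(rva, sections):
    # Map an RVA to a file offset via the section table; raise if unmapped.
    for vsize, va, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def list_exports(data):
    # Return [(name, ordinal, function_rva)] from a PE32/PE32+ export table.
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    # Data directories start at +96 (PE32, magic 0x10B) or +112 (PE32+); entry 0 is the export table.
    datadir = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)
    exp_rva = struct.unpack_from("<I", data, datadir)[0]
    if exp_rva == 0:
        return []                       # no export directory: nothing for rundll32 to call by name
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]   # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    ed = rva_to_off(exp_rva, sections)
    # IMAGE_EXPORT_DIRECTORY fields from offset 16: Base, NumberOfFunctions, NumberOfNames, 3 table RVAs
    base, _nfunc, nnames, f_rva, n_rva, o_rva = struct.unpack_from("<IIIIII", data, ed + 16)
    f_off, n_off, o_off = (rva_to_off(r, sections) for r in (f_rva, n_rva, o_rva))
    exports = []
    for i in range(nnames):
        s = rva_to_off(struct.unpack_from("<I", data, n_off + 4 * i)[0], sections)
        name = data[s:data.index(b"\0", s)].decode("ascii")
        idx = struct.unpack_from("<H", data, o_off + 2 * i)[0]      # unbiased ordinal
        exports.append((name, base + idx, struct.unpack_from("<I", data, f_off + 4 * idx)[0]))
    return exports

def build_sample_dll(names=(b"ServiceMain", b"Install")):
    # Constructed minimal PE32 DLL image (headers plus an export section, no code) for testing.
    sec, n = 0x400, len(names)               # section RVA == file offset, to keep the sample small
    f_rva, n_rva, o_rva = sec + 40, sec + 40 + 4 * n, sec + 40 + 8 * n
    strs, name_rvas = b"", []
    for nm in names:
        name_rvas.append(o_rva + 2 * n + len(strs))
        strs += nm + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, f_rva, n_rva, o_rva)
    body += struct.pack("<%dI" % n, *(0x1000 + 0x10 * i for i in range(n)))   # fake function RVAs
    body += struct.pack("<%dI" % n, *name_rvas) + struct.pack("<%dH" % n, *range(n)) + strs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec, len(body)) + b"\0" * 120
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec, len(body), sec, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(sec, b"\0") + body
```

Each name returned is a candidate entry point for `rundll32 sample.dll,Name`; the argument conventions still have to be worked out in a debugger or sandbox, as the answer says.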
Q: Are there any free resources you may know of that provide additional training to reverse engineering malware?
A: Yes, there are free online resources/tutorials that you can follow to improve your REM skills. One of them is the Malware Analysis course by RPISEC at https://github.com/RPISEC/Malware which includes labs/tutorials and follows the Practical Malware Analysis (PMA) book.
Q: Are you aware of any tools in the same vein as IDA Pro that are tailored towards mobile devices such as iOS, Android and Windows 7 phone? The development tools are powerful, but primarily geared towards analysing code that is known.
A: Dex2Jar for Android phones.
Q: Considering the rise in virtual machine environment detection by malware, what is the best sandbox you'd recommend for emulating a physical (or non-analysis) environment? Still Cuckoo or are there other products which are better at this?
A: In my opinion Cuckoo is one of the best out there, if you're willing to manage it. If not, I would recommend one of the many paid sandbox services.
Q: Do you have experience with FakeNet? If so, do you find it to be of value?
A: We personally haven't used FakeNet. There are multiple tools available for simulating/controlling DNS request/response. Some of the ones we use are iNetSim, ApateDNS.
Q: Do you see less malware being VM aware now that ESXi etc are commonplace in enterprises?
A: Yes, and no. It depends on the malware author's target demographic. The common approach is "spray and pray" and try to infect as many devices as possible. The other approach is more targeted, in which the malware is tailored to that specific environment.
Q: Does your team use the basic version of Cuckoo or a custom fork of it? Is that Cuckoo fork public?
A: We modified the basic version of Cuckoo according to our needs/requirements/environment (this is not public).
Q: Have you seen any OTX integration with Splunk? I'm thinking something along the lines of a TAXII feed.
A: We are continuously evaluating additional integrations for OTX, but do not have an integration with Splunk at this time. More information on the OTX DirectConnect API and SDK is available here.
Q: How can AV be used to identify traffic anomalies related to CryptoLocker hitting a file server? i.e. traffic spike, odd activity
A: AlienVault has NIDS rules that detect various CryptoLocker activity. Learn more here.
Q: How exactly do you come up with names for malware?
A: Generally, vendors pick the malware names from the unique strings/patterns in the binary. Sometimes, the malware name is also derived from the 'target' of the attack.
Q: I have on one occasion seen a false positive in the IOCs associated with an entry on AlienVault. If I am looking at an automated solution that can pull indicators directly from OTX, how can I be sure that no incorrect data is imported?
A: Get the content from trusted accounts like 'AlienVault' and manually review the other indicators.
Q: I know sites like malwr.com will often provide some of the malware they have reversed. What other ways do you collect samples to analyze? Honeypots perhaps?
A: We have sharing agreements with various third-party vendors. We also like to cherry-pick samples out of VirusTotal (paid subscription) when we're looking at something specific. Internally, we also have things like "honey clients" that browse malicious sites and attempt to pull down malware.
Q: I will receive OTX alerts in USM in orange and blue colors. What do they mean?
A: The blue OTX icon alerts the user that one of the IPs in the event has been identified as suspicious from OTX IP Reputation. The orange OTX icon alerts the user that the alarm contains one or more IOCs from an OTX Pulse. Note: If an event contains IPs identified from OTX IP Reputation and one or more IOCs from a pulse, the OTX icon will be orange. And, here's a link to our product documentation around the OTX/USM integration.
Q: Is the cost of IDA Pro worth it? What about IDA Pro "Freeware"?
A: It is definitely worth it if you are analyzing malware regularly. IDA Pro is currently at version 6.9 and the freeware is at version 5.0.
Q: Most malware sandboxes cannot deal with samples that remain dormant for a considerable amount of time before execution (think KeRanger). Any techniques that have been developed to overcome this?
A: There are certain sandboxes such as Joe Sandbox that can automatically replace parameters in common APIs like 'sleep' to activate the malware.
Q: Most of the time malware is compiled without debugging symbols and is multi-threaded, which cannot be handled by some debuggers. What do you do in such cases?
A: If you can't figure out a way to debug your malware, then you can try running it in a sandbox to observe its behavior. If the malware is simple enough, you might be able to patch the binary to avoid anti-debugging mechanisms. If one debugger doesn't work for you, there might be another debugger with other features that works.
Q: What do you do when the code is highly obfuscated?
A: When the malware is highly obfuscated, it's difficult to analyze to get the desired results through static analysis. Obfuscated malware is best analyzed through dynamic analysis and dumping it from memory when it is in deobfuscated form.
Q: What is the general turnaround time between the AlienVault team capturing a sample of, say, "zero day" attacks, and actually producing signatures?
A: Provided that enough information is published for detection, 24-48 hours is the general turnaround time.
Q: What tools do you use for incident response?
A: While the Labs team does not perform incident response directly, we rely on our own commercial product, AlienVault USM, for this capability. Learn more about the AlienVault Unified Security Management (USM) platform.