Sunday, December 13, 2009

How to tell if an unknown file is a legitimate or a malware file

This article is intended mainly for HJT helpers and trainees. Prior knowledge and expertise of the Windows OS is required. None of the steps below are 100% accurate. You will need to use multiple steps in this guide in order to be able to end up with a confident conclusion.



Step 1. There are 4 rules of thumb by which you can immediately know, within seconds, that the unknown file is a malware file:

1) The name of the file or folder is randomly generated or makes absolutely no sense. These types of files typically return zero results in search engines.

Ex: c:\p0sdn8flqy.exe

2) The malware uses a name that is similar to the name of a legitimate file (commonly a Windows file) within the same folder.

Ex: legitimate = c:\windows\system32\lsass.exe

malware = C:\windows\system32\lsasss.exe

3) The malware uses the exact name of a legitimate file, commonly a Windows file, but in another folder.

Ex: legitimate = C:\windows\explorer.exe

malware = c:\windows\system32\explorer.exe

4) The malware uses a name of a kind that is commonly only used by malware, e.g. startup file names with controversial words somewhere in the name, the names of celebrities, non-alphanumeric characters, or white space.

Ex: c:\windows\system32\crack.dll

Step 2. Searching the file name or CLSID on www.systemlookup.com

Step 3. Using Google to search for the file name, service name, MD5 hash and CLSID. UNITE schools provide an excellent guide on how to use Google to identify malware files in diagnostic logs. You will need to join a school to access the guides.

Step 4. Below is a list of websites where you can upload and scan individual files to check whether they are safe:

http://virscan.org/

http://www.virustotal.com/en/indexf.html

http://virusscan.jotti.org/

http://scanner.virus.org/

However, no detections from the antimalware scanners does not necessarily mean that the file is safe. The file could be new malware released into the wild. On the other hand, due to false positives, a legitimate file could be detected by 5 or fewer antimalware scanners.

Step 5. Disassembling the file and checking for hints within its strings. This step requires a bit of expertise. One simple way to distinguish a legitimate file from malware is to look for keywords, IP addresses or web URLs. The strings also provide hints about the file's functionality and behavior. Most disassemblers have a feature to list the strings in the file. Examples are FileAlyzer 2 and PE Explorer.

To demonstrate using a disassembler to analyze a legitimate file, I randomly chose a strangely named file with no description from the drivers folder:

C:\windows\system32\drivers\wssbtr1f.sys

A screenshot of the list of strings is shown below:

In one place, the results refer to a hardware card, which could be either a PCMCIA card or a memory card. In another place, they mention a Bluetooth device. Based on the results, we can conclude that this file is related to a Bluetooth card, which is exactly what I have.

On the other hand, the strings of a malware file would show malware-related keywords, URLs or IP addresses. The example below is the strings list of a P2P worm. This worm uses the keywords shown in the screenshot as a social engineering tactic to attract new victims.

Also, a file with an .scr extension is an executable, so a file named AVI.scr or MP4.scr would definitely indicate suspicious behavior.
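As an added example (not code from the original post), here is a small Python checker that applies the four name-based rules from Step 1 and the .scr note above to a list of paths. The allow-list of known Windows binaries and their folders, the suspicious-word list and the media-stem list are constructed, shortened assumptions; a hit only tells you which of Steps 2 to 6 to run next.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Constructed allow-list: well-known Windows binaries and the folder each normally
# lives in (assumption: a short illustrative list, not a complete inventory).
KNOWN_LOCATIONS = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Words that appear almost only in malware file names (constructed sample).
SUSPICIOUS_WORDS = ("crack", "keygen", "hack")
# Media-looking stems that should never carry an executable extension (.scr is a PE).
MEDIA_STEMS = ("avi", "mp4", "mp3", "jpg", "wmv")
EXEC_EXTS = (".scr", ".exe", ".pif", ".com")

def looks_random(stem):
    """Rule 1: a longer name with digits mixed in, or with almost no vowels."""
    letters = re.sub(r"[^a-z]", "", stem)
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return len(stem) >= 8 and (any(c.isdigit() for c in stem) or vowel_ratio < 0.2)

def flags_for(path):
    """Return the rules a path trips (empty list = no name-based finding).
    A hit is a reason to continue with Steps 2-6, not a verdict by itself."""
    folder, name = ntpath.split(path.lower().replace("/", "\\"))
    stem, ext = ntpath.splitext(name)
    findings = []
    if name in KNOWN_LOCATIONS:
        if folder != KNOWN_LOCATIONS[name]:
            findings.append("rule3:known-name-wrong-folder")
    else:
        # Rule 2: near-miss of a known name that lives in this same folder.
        for known, known_dir in KNOWN_LOCATIONS.items():
            if known_dir == folder and SequenceMatcher(None, name, known).ratio() > 0.85:
                findings.append("rule2:lookalike-of-" + known)
        if looks_random(stem):
            findings.append("rule1:random-name")
    # Rule 4: controversial words, white space or non-alphanumeric characters.
    if any(w in stem for w in SUSPICIOUS_WORDS) or not re.fullmatch(r"[a-z0-9_.\-]+", stem):
        findings.append("rule4:suspicious-name")
    if stem in MEDIA_STEMS and ext in EXEC_EXTS:
        findings.append("media-name-executable-ext")
    return findings

if __name__ == "__main__":
    for p in (r"c:\p0sdn8flqy.exe", r"c:\windows\system32\lsasss.exe", r"c:\users\bob\downloads\avi.scr"):
        print(p, "->", flags_for(p) or "no name-based finding")
```

Note that the legitimate Bluetooth driver from the next section, wssbtr1f.sys, also trips rule 1, which is exactly why a name-based hit must be confirmed with the later steps.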

Step 6. Running the unknown file on a test machine or in a virtual environment and analyzing its file and network behaviour. Analysis can be done with a combination of Regshot, Procmon, netstat, Wireshark, TCPView and/or DirMon. However, since most people do not have a test machine or a VM, you can upload the unknown file to an online malware analyzer such as Sunbelt Labs and ThreatExpert. Within minutes or hours, the online malware analyzer will provide a report that includes: files/folders created, Windows registry modifications, network traffic and system modifications.
