Monday, 21 September 2009

Example of the importance of unpacking

Hi, malware collectors of the world!

Today I will make an entry in the blog to talk about the importance of unpacking packed samples.

Remember that by packed samples I mean setups, installers, embedded files, files that can be dropped to disk, and self-extracting archives (RAR, ZIP, etc.).

KAV can help you identify that kind of file: just enable the "Show pack info in the report" option, which you can find in the "Options" menu.

To prove the importance of unpacking I will show an example.

9E3F66B6.EX_ is a packed file. Let's see how long KAV needs to scan it:

c:\test\9E3F66B6.EX_/file7 Infected Backdoor.Win32.PcClient.bdud
Scan time 05:50

Almost 6 minutes to scan the packed file, and that is on a Core i7 computer!

Imagine you have 300 files like that one. Scanning them would take over a full day, probably much more on slower computers, just for 300 files. Crazy!

Now let's see how long it takes to detect the same sample once it has been extracted from the packed file:

c:\test\MSDN_VC.EXE Infected Backdoor.Win32.PcClient.bdud
Scan time 00:00

The file is scanned in no time.

Big big difference, isn't it?

Now you should realize the real importance and impact that unpacking may have on the time required to scan your collection.

See you in the next post!

Friday, 18 September 2009

Speed up collection scanning

Hi, malware collectors of the world!

Nowadays one of the problems collectors have is the amount of time required to generate new logs. Today I will discuss several methods to speed up collection scanning times.

In the past virus collections used to take around 200 or 300 MB. With that size it was possible to generate new logs every day, even using several antivirus engines.

After the year 2000 the number of samples started to increase heavily and collectors began to generate new logs weekly instead of daily. At the same time all the other antivirus engines used for exchange were dropped and only KAV remained as the standard antivirus for exchange.

KAV is still the standard antivirus for malware exchange, as I commented in another post. So apart from generic ways, I will focus on methods to speed up KAV scanning.

1.- The most obvious way to boost things is to use the best available hardware. The Intel Core i7 is a good choice. The amount of RAM is not so important, but a fast hard disk is.

2.- An even more obvious way to speed up log creation is to use several computers. Just split the workload between them.

3.- If you are creating logs to trade, scan only your exchange collection.

The exchange collection should consist of unique samples only. Don't keep several copies of the same identified sample.

4.- Something that slows KAV down a lot is packed samples, so unpack every packed sample you can.

Extract the detected files from setups/installers, embedded files and droppers.

Examples of that kind of sample are setups created with NSIS or Setup Factory, self-extracting archives (RAR, ZIP, ...), etc.

Don't extract compressed executables, I mean files packed with UPX, Armadillo, Themida, MEW, etc. Only extract that kind of file when a setup or installer is itself compressed with one of them.

You will recognize what you must unpack by looking at the KAV log. Here are some examples of the kind of entries you should process:

c:\test\ASTRUM.EX_/data0004 Infected Backdoor.IRC.Seiseni 
c:\test\ASTRUM.EX_/data0008 Infected Backdoor.IRC.Seiseni
c:\test\ASTRUM.EX_/data0009 Infected not-a-virus:Client-IRC.Win32.mIRC.601
c:\test\HMIMYS.EX_/123.exe Infected Backdoor.Win32.Hupigon.ejub
c:\test\INIT1.EX_/data0000 Infected Trojan.Win32.Chinaad.ni
c:\test\INIT2.EX_/data0000 Infected Trojan.Win32.Chinaad.ne
c:\test\INNO.EX_/file19 Infected not-a-virus:FraudTool.Win32.AntiSpywareSoldier.b
c:\test\INNO2.EX_/data0032 Infected not-a-virus:Monitor.Win32.ParentsFriend.a
c:\test\INSTYLER.EX_/astem.as Infected Backdoor.IRC.Zapchast
c:\test\INSTYLER.EX_/bstem.as Infected Backdoor.IRC.Zcrew
c:\test\INSTYLER.EX_/oystem.er Infected Backdoor.IRC.Zcrew
c:\test\KAOS.EX_/data0000.cab/2.exe Infected Backdoor.Win32.Hupigon.ehnx
c:\test\MSC.EX_/MSC.EX_ Infected Trojan-Downloader.Win32.Banload.ddh
c:\test\NBINDER1.EX_/ppp.exe Infected Backdoor.Win32.Turkojan.bkn
c:\test\NBINDER2.EX_/testxxx4.exe/rbot2.exe Infected Backdoor.Win32.Rbot.wnl
c:\test\NBINDER3.EX_/server.exe-crypted.exe Infected Trojan-Dropper.Win32.VB.azv
c:\test\NBINDER4.EX_/svchost.exe Infected Backdoor.Win32.SdBot.ewp
c:\test\NBINDER5.EX_/crypted1.exe Infected Backdoor.Win32.Bifrose.uzu
c:\test\NBINDER6.EX_/dl.exe Infected Trojan-Downloader.Win32.Agent.ahbi
c:\test\NSIS.EX_/data0002 Infected Backdoor.Win32.Visel.afy
c:\test\NSPACKER.EX_/data0000.cab/SERVER~1.EXE Infected Backdoor.Win32.Hupigon.dsx
c:\test\ORIEN.EX_/data0000.cab/SERVER~1.EXE Infected Backdoor.Win32.Hupigon.dsx
c:\test\ORIEN2.EX_/data0000.cab/7.exe Infected Trojan-GameThief.Win32.OnLineGames.tkws
c:\test\PCGUARD1.EX_/data0000.cab/server.exe Infected Trojan.Win32.Midgare.aamx
c:\test\PCGUARD2.EX_/data0000.cab/server.exe Infected Trojan.Win32.Midgare.aadg
c:\test\QBFC.EX_/1 Infected Flooder.Win32.Assault.10
c:\test\QBFC2.EX_/0 Infected Backdoor.Win32.Netbus.170
c:\test\RAP.EX_/rinst.exe Infected Trojan.Win32.KillAV.dt
c:\test\SEA.EX_/setup.zip/1/ver.2/AUR.exe Infected IM-Flooder.Win32.AUR.c
c:\test\SEA.EX_/setup.zip/5/HM_comC.exe Infected Trojan.Win32.Delf.kl
c:\test\SEA.EX_/setup.zip/6/icq-brute.exe Infected HackTool.Win32.BruteForce.u
c:\test\SEA.EX_/setup.zip/8/1.5.191_Pro/IPDbrute_1.5.191.exe Infected not-a-virus:PSWTool.Win32.IpdBrute.15
c:\test\SEA.EX_/setup.zip/8/IPDbrute_2.0_Lite/IPDbrute_2.0_Lite.exe Infected not-a-virus:PSWTool.Win32.IpdBrute.20
c:\test\SEA.EX_/setup.zip/8/IPDbrute_2.0_Pro_old/IPDbrute2.exe Infected not-a-virus:PSWTool.Win32.IpdBrute.20
c:\test\SEA.EX_/setup.zip/11/recover.exe Infected not-a-virus:PSWTool.Win32.ICQ.y
c:\test\SEA.EX_/setup.zip/12/UIC.exe Infected Flooder.Win32.Agent.bb
c:\test\SEA.EX_/setup.zip/16 Infected not-a-virus:PSWTool.Win32.ICQ.v
c:\test\SEA2.EX_/setup.zip/25 Infected not-a-virus:Client-IRC.Win32.mIRC.603
c:\test\SEA2.EX_/setup.zip/26 Infected not-a-virus:RiskTool.Win32.HideWindows
c:\test\SIM.EX_/data1 Infected Trojan.BAT.KillFiles.ge
c:\test\SVKP.EX_/data0000.cab/4_BK_BK.exe Infected Packed.Win32.PolyCrypt.b
c:\test\THINSTAL.EX_/AQ.exe Infected Trojan-Downloader.Win32.Small.akjq
c:\test\UPACK.EX_/data0000.cab/lin2.exe Infected Trojan-Downloader.Win32.BHO.un
c:\test\UPACK.EX_/data0000.cab/rmt-live.exe Infected Trojan.Win32.Inject.ihr

5.- Don't scan very old files.

Set old files aside (files you got in 2002 and earlier) and don't scan them every week. Maybe once a month will be enough.

Why? Because KAV will probably not change the identification names of those samples, so the IDs will stay the same week after week.
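As an added example (not code from the original post), here is a small Python script that reads KAV log lines in the format shown above and works out which container files need unpacking. The rule it applies is visible in the log itself: when the path continues with "/" after the scanned file name, KAV found the detection inside a setup, archive or dropper; when there is no "/", the file itself was detected and needs no unpacking. The log excerpt is a constructed sample that reuses a few lines from the list above plus the 9E3F66B6.EX_ and MSDN_VC.EXE lines from the unpacking post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed log excerpt (lines copied from the post) in the format KAV prints:
# the scanned file, then any entries KAV opened inside it separated by "/",
# then "Infected <detection name>".
KAV_LOG = r"""
c:\test\ASTRUM.EX_/data0004 Infected Backdoor.IRC.Seiseni
c:\test\ASTRUM.EX_/data0008 Infected Backdoor.IRC.Seiseni
c:\test\KAOS.EX_/data0000.cab/2.exe Infected Backdoor.Win32.Hupigon.ehnx
c:\test\SEA.EX_/setup.zip/6/icq-brute.exe Infected HackTool.Win32.BruteForce.u
c:\test\9E3F66B6.EX_/file7 Infected Backdoor.Win32.PcClient.bdud
c:\test\MSDN_VC.EXE Infected Backdoor.Win32.PcClient.bdud
"""

LINE_RE = re.compile(r"^(?P<path>\S.*?)\s+Infected\s+(?P<name>\S+)$")


def parse_line(line):
    """Split one KAV detection line into the scanned file (container), the path of
    the entry inside it ("" when the file itself was detected), the nesting depth
    and the detection name.  Returns None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Windows paths use "\", so the first "/" marks the start of the inner entry.
    container, _, inner = m.group("path").partition("/")
    return {
        "container": container,
        "inner": inner,
        "depth": inner.count("/") + 1 if inner else 0,
        "name": m.group("name"),
    }


def parse_log(text):
    """Parse every detection line of a KAV log; blank or unrecognised lines are skipped."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec is not None]


def containers_to_unpack(text):
    """Map each container KAV had to open to the detected entries inside it.
    Plain files (depth 0) were scanned directly and are left out."""
    plan = defaultdict(list)
    for rec in parse_log(text):
        if rec["depth"] > 0:
            plan[rec["container"]].append((rec["inner"], rec["name"]))
    return dict(plan)


def unique_detection_names(text):
    """Distinct detection names: the set the trading collection needs one file each for."""
    return sorted({rec["name"] for rec in parse_log(text)})


def unpack_report(text):
    """One summary line per container, most deeply nested containers first."""
    rows = []
    for container, items in containers_to_unpack(text).items():
        depth = max(inner.count("/") + 1 for inner, _ in items)
        rows.append((depth, container, len(items)))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return [f"{c}: {n} detected entr{'y' if n == 1 else 'ies'}, nesting depth {d}"
            for d, c, n in rows]


if __name__ == "__main__":
    for line in unpack_report(KAV_LOG):
        print(line)
    print("unique detections:", unique_detection_names(KAV_LOG))
```

Feeding a full KAV report into `unpack_report` gives the worklist for step 4: each container listed is a setup, archive or dropper whose detected members should be extracted and added as plain files, after which the container itself can leave the trading collection. Nested paths such as `data0000.cab/2.exe` show that the extraction may have to go more than one level down.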

If anyone has any other trick to speed up log creation, it will be welcome.

Friday, 4 September 2009

Hi, malware collectors of the world. I hope you have had nice holidays!

After a vacation break, the blog resumes its activity.

Today's entry is about how many collections you should have and what kind of trader you can be.

I suggest you build two malware collections:

Collection number one would be the collection used to exchange with other collectors. This collection must contain only unique samples; that means one file for each uniquely identified malware, virus, worm or whatever. We will call this collection the 'trading collection'.

Collection number two would contain all the malware samples you have, minus the samples already in collection number one. We will call this collection the 'main collection'.

You should scan the trading collection and make a new log of it weekly. Depending on the size of this collection and the hardware you use, it should not take more than a few hours to scan.

The main collection, depending also on its size and the hardware you use, will take much more time to scan than the trading collection. You will have to evaluate the amount of time required to scan the main collection and decide how often you want to scan it.

The objective of scanning the main collection should be to find new unique samples and add them to the trading collection.

There are two types of malware collector: the traditional collector, who only exchanges new unique samples, and the collector who exchanges samples using a hash to know whether a sample is new to him.

In the first case, the collector who exchanges unique samples uses the KAV log to know what he has in his collection and what he is missing from other traders' logs.

In the second case, the collector does not need to make KAV logs because he exchanges using MD5, SHA-1 or some other hash. This kind of collector does not need separate trading and main collections; he would only build a main collection.

Mostly you will meet traditional collectors, people who exchange unique samples using the KAV log. Some of them will also accept hash trades. The problem with hash trades is the amount of information that must be exchanged; doing hash trades over the internet will be really difficult.
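As an added example, not code from the original post, the following Python script shows the hash-based side of what is described above: it indexes a collection directory by content digest, so byte-identical copies that arrived from several trades collapse into one trading-collection entry, and it compares two digest lists the way a hash trade would, returning what each side is missing. The sample files are constructed harmless byte strings written to a temporary directory, and all function names are mine. It uses SHA-256 by default, since MD5 and SHA-1 collisions are practical today, but the `algo` parameter accepts `"md5"` or `"sha1"` when a partner's list is in one of those.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in samples: harmless byte strings, two of which are
# byte-identical copies under different names, the kind of duplicate that
# accumulates when the same file arrives from several trades.
SAMPLES = {
    "a.ex_": b"constructed sample one",
    "b.ex_": b"constructed sample two",
    "c.ex_": b"constructed sample one",    # same content as a.ex_
    "d/e.ex_": b"constructed sample three",
}


def write_samples(root, samples=SAMPLES):
    """Write the constructed samples under root so the indexer can walk a real tree."""
    root = Path(root)
    for name, data in samples.items():
        path = root / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hex digest of a file, read in chunks so large samples are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_collection(root, algo="sha256"):
    """Walk a collection and return (unique, duplicates): unique maps each digest to
    the first file that had it (the trading-collection copy); duplicates lists the
    later files whose content was already seen (they stay in the main collection)."""
    unique, duplicates = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = file_digest(path, algo)
        if digest in unique:
            duplicates.append(path)
        else:
            unique[digest] = path
    return unique, duplicates


def diff_hash_lists(mine, theirs):
    """Hash trade: compare my digest list with a partner's.
    Returns (digests I lack, digests the partner lacks)."""
    mine, theirs = set(mine), set(theirs)
    return theirs - mine, mine - theirs


def demo(algo="sha256"):
    """Index the constructed samples in a temporary directory; paths come back
    relative to that directory so the result does not depend on where it was made."""
    with tempfile.TemporaryDirectory() as tmp:
        root = write_samples(tmp)
        unique, duplicates = index_collection(root, algo)
        return ({d: p.relative_to(root).as_posix() for d, p in unique.items()},
                [p.relative_to(root).as_posix() for p in duplicates])


if __name__ == "__main__":
    unique, duplicates = demo()
    print(f"{len(unique)} unique samples, {len(duplicates)} duplicate(s): {duplicates}")
    # A partner's list that shares nothing with ours (a constructed all-zero digest).
    need, offer = diff_hash_lists(unique, {"0" * 64})
    print(f"partner has {len(need)} I lack; I have {len(offer)} the partner lacks")
```

The digest list a hash trader sends is simply `sorted(unique)`. At 64 hex characters per sample the list grows linearly with the collection, which is the volume problem the post points to; the KAV-log trader avoids it because the log only names each identified family once, at the cost of needing the weekly scan.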

See you soon!