
Getting started with static malware analysis January 19, 2011

Posted by alexoldman in Computer, Malware, Security.

From time to time your anti-virus product will detect and kill some malware. You live day after day, year after year, trusting your anti-virus; then, perhaps twice every decade, you will be unfortunate enough to deal with an infection that your anti-virus product is not detecting. In my time I’ve had to deal with Slammer (a network worm which hit most of the world’s vulnerable SQL servers within a few minutes of the initial infection) and, more recently, PinkSlip, a fairly harmless but persistent Trojan worm which just wouldn’t die.

Your first call could be to the support desk of your anti-virus vendor. However, you may feel the need to take things into your own hands to answer questions like: what is the payload? What ports do I block to prevent it spreading? What are the characteristics of the infection?

So let’s assume that you’ve got your hands on an infected system. I would advise that you disconnect it from the network, but don’t shut it down. Take a moment to note the operating system version (Windows XP or Windows 7?) and service pack level. Write down your observations in a log book for future reference. Look at the file you suspect. If it’s an EXE, is there any evidence of it running in Task Manager?

Grab a copy of the suspect file(s), and any associated files such as DLLs or log files, and keep them in a compressed archive file called infected.zip. By calling it infected.zip, you, or anyone else who stumbles across the file, should know not to execute the contents.

Run Process Explorer from the Microsoft Sysinternals suite, which is like Task Manager on steroids. What happens if you kill the suspect process? Does another process immediately spawn? This can indicate that you’ve got two processes looking out for one another.

Submit your sample to www.virustotal.com for analysis. VirusTotal will scan your sample against a large number of anti-virus engines, including the most popular ones, and tell you what they detect.

If you need more information, like how it is propagating, what ports to block, or anything else about the payload, I found www.threatexpert.com very useful.
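The collection steps above (note the OS version and service pack, keep a log of observations, bundle the suspect files into infected.zip, submit to VirusTotal) can be done by hand, but a small script keeps the record consistent. The following Python is an added example, not code from the original post: it hashes each suspect file, checks for the MZ header that marks a Windows EXE or DLL, and packs the files together with a JSON manifest into infected.zip. The function names and the stand-in "suspect.exe" and "suspect.log" contents are constructed for the example; only the archive name comes from the post.

```python
import hashlib
import json
import os
import tempfile
import zipfile

def sha256_file(path):
    """SHA-256 of a file, streamed so large DLLs or logs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_like_pe(path):
    """True if the file starts with the 'MZ' header every Windows EXE/DLL carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def build_infected_zip(paths, host_notes, out_dir):
    """Pack the samples plus a manifest into out_dir/infected.zip; return (manifest, member names)."""
    manifest = {"host": host_notes, "samples": []}
    for p in paths:
        manifest["samples"].append({
            "name": os.path.basename(p),
            "size": os.path.getsize(p),
            "sha256": sha256_file(p),     # search this hash on VirusTotal before uploading
            "pe_header": looks_like_pe(p),
        })
    zip_path = os.path.join(out_dir, "infected.zip")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            zf.write(p, arcname=os.path.basename(p))
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
        members = zf.namelist()
    return manifest, members

def demo():
    """Constructed stand-in samples (not real malware): a fake EXE and a text log."""
    work = tempfile.mkdtemp()
    exe, log = os.path.join(work, "suspect.exe"), os.path.join(work, "suspect.log")
    with open(exe, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100)
    with open(log, "wb") as fh:
        fh.write(b"constructed log line\n")
    notes = {"os": "Windows XP", "service_pack": "SP3",
             "observations": "suspect.exe seen in Task Manager; respawns when killed"}
    return build_infected_zip([exe, log], notes, work)
```

Calling `demo()` writes infected.zip into a temporary directory and returns the manifest, whose SHA-256 values can be searched on VirusTotal without uploading the sample.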

Once you know what you are dealing with, you can start developing a malware removal strategy. For the most part, the easiest way to guarantee that you’ve removed all the nasties is to FDISK the system and start again. Obviously, make sure that you have a good backup of your data, and take care with that backup.

Another option for a desktop computer is physically removing the disk and adding it to a known clean PC for scanning and cleaning. If you have encrypted disks, this may be problematic.

If the machine is remote to you, you can consider using something like the Ultimate Boot CD for Windows (UBCD4WIN), which can bring a remote machine up on an IP address just by booting from removable media. A USB boot is an option. Once you have it on the network, you can map a network drive and use a known clean machine to scan it over the network. The problem here could be the impact on network bandwidth, and just how long a scan of a large disk may take.
