
a friend called me today because he opened an attachment of an email. It was a double zipped exe file - and malware:

I started to analyze the file: first with virustotal - then with radare2 and the free version of IDA-Pro. I tried to disassemble & decompile the file - but decompilation failed several times. I set up a virtual machine and tried to do a dynamic analysis of the obvious malware - but it seems that it has VM- and debugging-detection.

Virustotal gave me several results - my sample seems to be new; only 2 engines detected it as malware. Now - some hours later more engines found "something":

Ad-Aware    Gen:Variant.Razy.64218  
Arcabit     Trojan.Razy.DFADA   
Cyren       W32/Trojan.KQSF-4006    
ESET-NOD32  Win32/TrojanDownloader.Nymaim.BA    
GData       Win32.Trojan-Downloader.Nymaim.3J4DDZ   
eScan       Gen:Variant.Razy.64218  
Qihoo-360   HEUR/QVM20.1.0000.Malware.Gen

But what malware do I have here?

Virustotal says that the malware opens/reads/alters following files:

C:\7e1495fc92e7062775399d62cc2a7bc62f54955cd8ce4f8d9af61c9b71b4eadd 
\\.\PIPE\lsarpc
C:\WINDOWS\system32\winsock.dll 
C:\WINDOWS\system32\drwtsn32.exe 
C:\WINDOWS\system32\netmsg.dll 

rpcrt4.dll
shlwapi.dll
version.dll 
shell32.dll 
user32.dll 
advapi32.dll
ntdll.dll
kernel32.dll

and starts the following process:

C:\WINDOWS\system32\drwtsn32 -p 668 -e 172 -g

After disassembly I found some clues that the malware possibly uses HttpOpenRequestA via wininet - so it maybe tries to communicate with the internet.

I found pretty much stuff - but:

How can I prove that the malware was executed and infected the system?

Of course one step is to search for files which were created during the possible execution time. But it should be possible to spoof the timestamps - so comparing the files on the possibly infected PC with some clean files via hashsums is maybe the better way.

But where can I find "clean files"? Or is there a better way to prove the infection?

Thank you & cheers!

Edit:

The questions asked & answered here are good as a walkthrough for infected systems. But my question is how can I find out whether my system is compromised or not, especially for this new kind of malware. It cannot be a solution to nuke every system as prevention....

rudolf
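The hash comparison the question proposes, as an added example that is not part of the original post: build a SHA-256 manifest of a known-good tree and of the suspect tree, then report files that were added, removed or changed. The directory layout and file contents are constructed stand-ins, not real Windows binaries; the demo also resets the modified file's timestamp to match the clean copy to show that a timestamp-based search would miss it while the hash comparison still flags it.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(baseline, current):
    """Diff two manifests: paths only in current, only in baseline, or with changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: a known-good tree versus a suspect tree with a
    modified DLL (mtime reset to look untouched), a new file and a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        for base in (clean, suspect):
            (base / "system32").mkdir(parents=True)
        # constructed stand-ins, not real Windows binaries
        (clean / "system32" / "winsock.dll").write_bytes(b"original winsock bytes")
        (suspect / "system32" / "winsock.dll").write_bytes(b"patched winsock bytes")
        (clean / "system32" / "netmsg.dll").write_bytes(b"netmsg unchanged")
        (suspect / "system32" / "netmsg.dll").write_bytes(b"netmsg unchanged")
        (clean / "oldlog.txt").write_bytes(b"present only on the clean image")
        (suspect / "unknown.exe").write_bytes(b"MZ constructed dropped file")
        # copy the clean DLL's timestamps onto the patched one: a search by
        # modification time would now miss it, the hash comparison still flags it
        st = (clean / "system32" / "winsock.dll").stat()
        os.utime(suspect / "system32" / "winsock.dll", (st.st_atime, st.st_mtime))
        return compare_manifests(build_manifest(clean), build_manifest(suspect))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest would come from a clean install or vendor image of the same OS build and patch level, and, as the comments note, it covers files only, not registry entries or configuration.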
  • Has your friend already run a scan of his computer with an antivirus program? I'd say that's a reasonable first step before resorting to manual malware analysis. – tlng05 Jun 14 '16 at 20:53
  • jep - nothing found. I also unzipped it in the vm and scanned it there with avast, avira and avg. All 3 declared the file not as malware... – rudolf Jun 14 '16 at 20:59
  • The best strategy is to just wipe the computer and reinstall everything. That will protect you from whatever the virus did (assuming it didn't hack firmware or your router or something). Anything less is just guesswork. – Neil Smithline Jun 14 '16 at 21:21
  • Yeah - but that isn't answering my question. I just want to know how to prove if a system is infected or not. My friend isn't sure whether he accepted using admin rights or not - better: whether something got installed or not. And what if there were other computers in a network? Wipe and reinstall each computer connected to the network? For a big company network would that mean: wipe and reinstall all connected computers and hope that there is no firmware / router hack? – rudolf Jun 14 '16 at 22:43
  • For one you could run tools like `sfc /scannow` and in win 8+ use the `dism` tool to check the integrity of the OS. You can/should use an image (possibly from installation disk) with these tools. If you find corruptions, then you can know something is wrong. However, it's not possible to be 100% confirmed in either direction. You need to cleanup however you choose to and do that based on risk/reward assessments. –  Jun 15 '16 at 03:02
  • @rudolf if you could prove that the system wasn't infected, we wouldn't tell you to wipe it. The problem is that you can never be certain, but a wipe is the best you can do short of trashing the computer – Neil Smithline Jun 15 '16 at 04:37
  • Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Neil Smithline Jun 15 '16 at 04:42
  • BTW, even if you found hashes for the binaries, how would you compare the configuration files, registry entries, updates for your computer, device drivers for your hardware, etc... – Neil Smithline Jun 15 '16 at 04:43

1 Answer

From your comments:

I just want to know how to prove if a system is infected or not.

This is what is called a forensic analysis. You must be aware that well-done malware will take specific precautions in order to remain undetectable as much as possible and to hide its inner workings.

Therefore, it requires very specific competences to do such an analysis; this is so true that it is now a whole discipline in IT security. Like you would never be able to become a security architect or pentester on the fly, you would have to learn and study procedures, tools and techniques specific to this domain.

I do not say that this is not doable, but if you are interested in this domain and are willing to learn, there are better documented ways than taking a random malware and trying to reinvent the wheel.

And if you just want to determine for sure if a computer is infected and you do not find any evidence yourself, you have the choice between assuming that it is or, if for some reason you cannot take such a decision, contacting an IT security company and requesting a forensic analysis.

WhiteWinterWolf