
Seminar Teknologi dan Rekayasa (SENTRA) 2015

ISBN: 978-979-796-238-6

BEHAVIOR ANALYSIS OF MALWARE IN INSTITUT TEKNOLOGI SEPULUH NOPEMBER SURABAYA, INDONESIA

Ejaz Karim
Information System Department
Institut Teknologi Sepuluh Nopember
Surabaya, Indonesia 60111
jazzi.pisces@gmail.com

Abstract
An almost incomprehensible amount of data and information is stored on millions of computers worldwide. To be able to defend against the threat posed by malware we need to understand both how and why the malware exists. This document presents the nature of malware today and outlines some analytical techniques used by security experts. Furthermore, a process for analyzing malware samples with the goal of discovering the behavior and techniques used by the samples is presented. An analysis is performed on malware samples, disclosing their behavior, the locations they access and the encryption techniques they use. The samples are analyzed with two tools, Threat Expert and Anubis. The samples are also analyzed on a real system, and the results are compared with those of Anubis and Threat Expert. This research is expected to describe and explain how malware and other malicious software spread through the Internet, networks and computers; the encryption techniques used by malware programmers to encrypt malware and hide it from users; the damage done by malicious code to the target machine, network or computers; and the techniques used by programmers and malware vendors to spread across different platforms. The results are also expected to show which platforms are being attacked by malware and why.

Keywords: Malware, Encryption Technique, Threat Expert, Behavior Analysis, Anubis, Platforms.

Introduction
The story of malicious software began around 1982, when the first virus with replicating abilities and harmful intent was written by a high-school student called Rich Skrenta for Apple II systems [1][2]. The virus was called "The Elk Cloner". It infected a computer when the machine was booted from an infected floppy disk, copying itself to the new machine. When an uninfected floppy disk was inserted in an infected machine, the virus copied itself to the floppy, thus spreading further. Its behavior was relatively harmless; it displayed a small poem every 50th boot, but it also had the unintended effect of overwriting code on particular systems.
Since the first virus was created, much has changed in the world of malware, but some things have remained the same. Viruses are still being created and distributed by teenagers, students and professionals. However, we are now not just facing viruses of different sorts, but also a wide range of malicious software, from adware to Trojans to software distributing spam. The programmers also appear to have changed. From unorganized individuals more or less playing around with programming for fun, malware is now a big industry where services like DDoS, spam and phishing are on sale [Jaq08, Ber08a]. Not only is the malicious content more diverse than its originators, but it is also vastly more sophisticated. Polymorphism, encryption, advanced exploits, intricate spreading, and proficient developers all make the software more sophisticated, harder to detect and harder to remove. The most recent area of development lies in the way malware spreads and communicates. The Elk Cloner spread via floppy disks, and floppy disks only; no network communication was implemented. Today's malware spreads through various media: the Internet, removable drives, networks, and seemingly genuine and honest software. Communication is achieved, both between infected machines and with their controllers, by several different communication protocols and organizations, from centralized to peer-to-peer [3][4].


This development not only makes malicious software more dangerous, as new ways to make use of the software are found, but it also makes the detection, analysis, and removal of the software increasingly difficult. Examples are botnets, with the Storm botnet being the most notorious today [3], which run on machines all over the world without the users' knowledge, leaving the machines at the whim of the botnet controllers.
Information and computer security are becoming more important as we trust computers with critical and sensitive information and functions. Malware is one of the greatest threats against the security of digital information. To be able to battle malware and malware developers we need to understand why the malware was developed and how it accomplishes its tasks. We achieve this by analyzing current malware samples and disclosing the techniques and objectives of the samples, thus improving the ability to combat malware, reduce its significance and improve computer security.
Background & related work
A computer virus is a program or segment of executable computer code that is designed to reproduce itself in computer memory and, sometimes, to damage data. Nowadays, the term computer virus is used as a general term for various harmful programs. Technically, the term virus describes the oldest type of harmful program. A virus is either a stand-alone executable file or can be embedded in larger bodies of code. The virus replicates itself inside the same system and cannot spread to other computers without human assistance. A worm is technically similar to a virus, but it exploits computer networks to spread from computer to computer over the Internet. In practice, any software that replicates itself may be termed a virus, and most viruses are designed to spread themselves over the Internet and are therefore called worms [2].
Nowadays, malicious software (malware) is the general term that is used to describe viruses, worms and other types of harmful and undesirable programs. Malware is any program that works against the interests of the system's user or owner to the interest of other people [3].
Most previous research shows that, to check the behavior of malware, frameworks have been used either to detect or to analyze malware [5][6]. Most of the approaches and detection techniques used in these studies have their own way of checking and analyzing malware; some research has been done on mobile platforms, and most on Windows [7]. By checking all of the above papers we can say that no research has been done before in the way this research shows, that is, two online tools (Anubis and Threat Expert) have been used to check behavior and the results from these tools are compared with a real system, which is the contribution of this thesis.
Of the previous research checked, five out of twenty papers show that frameworks have been used to detect and analyze malware on Windows, and these frameworks use algorithms, machine learning, function hooking, system calls, execution and analysis [8][9]. Two systems, AMAL and Ether, use automatic analysis of malware, virtualization and emulation to check malware behavior [10][11]. One paper shows that Browser Helper Objects have been used to check behavior with the help of browsing behavior. Six out of twenty studies have been done on Android platforms to check mobile malware behavior, using recognizer systems, input/output system calls, data mining and anomaly detection. One paper shows that malware behavior is detected from web reports, and another shows how malware can be classified and detected through system state changes.
Comparing all of the above mentioned research, some studies use frameworks to analyze and detect malware, some use tools to do the same thing, some researchers focus on mobile malware and on Android platforms, and some adapt their own approaches and detection methods [12][13]. The conclusion derived from the above research is that not a single researcher has done research in the way this research shows: this thesis uses two online tools and a real system, and the results from these tools are compared to the real system results to confirm those results.
This research is different from the others because the real system is compromised to check the real behavior of malware; as mentioned above, previous researchers used either virtualization or their own frameworks, in which the malware was not applied directly to a real system. Virtualization is the method in which the system has been virtualized, so until we compromise the real system the real behavior cannot be shown. That is why this research uses a real system as its main contribution, and also compares the results of two online tools with the real system to confirm them and to improve the efficiency of the analysis. The authors Michael Bailey, Jon Oberheide, Jon Andersen, Z. Morley Mao, Farnam Jahanian, and Jose Nazario also suggest that,


“Since the malware samples were executed within VMware, samples that employ anti-VM evasion techniques may not exhibit their malicious behavior. To mitigate this limitation, the samples could be run on a real, non-virtualized system, which would be restored to a clean state after each simulation” [14].
Methodology and Tools
In the first part of this paper we outline some of the theoretical aspects of today's malware and malware analysis to create an understanding of what malware is, its different forms, and common malware analysis techniques. Samples are analyzed using the online tools Threat Expert and Anubis to check the behavior of the malware, and the same samples are also applied to a real system to check the real behavior of the malware. The results from the two tools are compared with the real system results for confirmation. The analysis seeks to map each sample's behavior and functionality and, to some extent, to discover the techniques used to achieve that functionality. For this task any suitable system can be used for analysis. The flow chart of the malware analysis follows.

Figure 1: Flow chart of methodology of malware analysis.

3.1 Data Acquisition

The data acquisition step was supported by our honorable lecturer, through whom access was granted to obtain the data from the Honeypot Server of Institut Teknologi Sepuluh Nopember. The malware samples were acquired through FileZilla, a file transfer client. After that the samples were stored on disk for the further steps.
3.2 Malware Analysis
After acquiring the data and storing it on disk, the next step is to analyze the samples through the online tools Threat Expert and Anubis, which are free and reliable. The samples are uploaded to the online tool's server, and afterwards the results are saved in PDF format. To check the behavior of malware on the real system, this research performs several monitoring processes with the help of Process Monitor and Wireshark: registry monitoring, network monitoring, file monitoring and file integrity checking.
3.3 Concluding the Results
In this step, the reports generated by the online tools are analyzed further to decide whether the results are satisfactory or not. The results are compared to the real system for confirmation; if they are confirmed they are saved, and if the results are not up to the task after being analyzed, the samples have to be analyzed again. This step is repeated until satisfactory results are acquired.
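The file integrity check named in section 3.2 is a before/after snapshot of the watched folders: hash every file before the sample runs, hash again afterwards, and diff the two. The following is an added example of that check; it is not code from the paper or from Threat Expert, Anubis or Process Monitor. It works on a constructed temporary directory so it runs anywhere, and the dropped, modified and deleted files in `demo()` are constructed stand-ins for what a sample run would change, not observations from the paper.

```python
"""File integrity check for a real-system malware run (added example).

Snapshot the watched tree before the sample executes, snapshot again
afterwards, and classify every difference as created / modified / deleted.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under `root` (as a '/'-separated relative path)
    to its digest and size. Symlinks are skipped so the walk cannot be led
    outside the watched tree."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify changes between two snapshots; lists are sorted for stable output."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(
        rel for rel in set(before) & set(after)
        if before[rel]["sha256"] != after[rel]["sha256"]
    )
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Constructed scenario: a fake 'system' folder before and after a
    simulated sample run (no real malware involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32").mkdir()
        (root / "System32" / "kernel32.dll").write_bytes(b"original kernel32")
        (root / "System32" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "Temp").mkdir()
        (root / "Temp" / "stale.tmp").write_bytes(b"old")
        before = snapshot(root)

        # Simulated post-execution changes (constructed for the example):
        (root / "System32" / "abcdxyz.dll").write_bytes(b"dropped hidden dll")   # new file
        (root / "System32" / "hosts").write_bytes(b"127.0.0.1 localhost\n# edited\n")  # modified
        (root / "Temp" / "stale.tmp").unlink()                                     # deleted
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

On the real analysis machine the two `snapshot()` calls would be run against the Windows and user profile folders, with the baseline written to removable media before the sample is started so the sample cannot tamper with it.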


Analysis of Results
For the analysis of the samples provided by the honeypot server of Institut Teknologi Sepuluh Nopember, this research goes through the following procedures.
The samples cannot be acquired directly from the honeypot, so FileZilla was used to download the samples from the remote server with a username and password. After downloading from the server, the samples were saved on the system as a zip file.
First, the samples were analyzed one by one by Threat Expert. The samples were submitted to the online database on the Threat Expert website, which allows us to submit samples to their server in .zip and .exe format. All the samples were submitted to the server in .exe format, and the reports were saved in an online account to be accessible globally; these can be downloaded in XML format. Almost all of the samples were found to be worms; only two samples were backdoors.
Secondly, all of the samples were analyzed by Anubis. The samples were submitted to the online database of Anubis in the same way as for Threat Expert. The same samples were submitted to the online server in the same format as for Threat Expert, and the results were the same for all the samples except two.
The last task was the most difficult to accomplish, because this research applies the malware to a real system; that is, the samples were executed on a live system to check the real behavior. For this, a computer with a Core i3 processor, 4 GB of RAM and Windows 7 was used to check the behavior. To check the file system activity, registry activity and network activity, this research used Process Monitor and Wireshark. The malware could not be executed directly, so the samples were turned into .exe files with the help of a feature available in Windows 7 and then executed on the system.

4.1 Threat Expert Analysis
4.1.1 Registry Activities
Worm:Win32/Conficker.B tries to copy itself to the Windows system folder as a hidden DLL file using a random name. If it fails, it can then try to copy itself with the same parameters to the following folder:
%ProgramFiles%\Internet Explorer
In this case the Threat Expert report shows that it creates a new process called svchost.exe, which runs the Windows services that are in the form of DLLs. From there it can run on the system.
It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
With data: "rundll32.exe <system folder>\<malware file name>.dll, <malware parameters>"
Threat Expert does not show this kind of registry key activity, but as mentioned above it uses various DLLs to run under Windows.
It can also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.
It can also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services

4.1.2 Network Activities


The worm can check for vulnerable systems with network shares protected by weak passwords, and tries to infect all other PCs available on the network, as mentioned in the Threat Expert reports.
As shown by Threat Expert, it first tries to drop a copy of itself into the target PC's ADMIN$ share using the credentials of the currently logged-on user.
If this method is unsuccessful, for example because the current user does not have the necessary rights, it instead obtains a list of user accounts on the target PC. It then tries to connect to the target PC using each user name and a list of weak passwords.

4.1.3 File System Activities


It also changes the system's TCP settings to allow a large number of simultaneous connections, where the value 0x00FFFFFE is hexadecimal; the Threat Expert reports do not show this kind of change in the registry keys.


HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
It disables TCP/IP tuning and stops and disables services, as mentioned by Threat Expert. This worm stops several important services, including the following:
Windows Security Center Service (wscsvc) – notifies users of security settings (for example, Windows Update, Firewall and Antivirus)
Windows Update Auto Update Service (wuauserv)
Windows Defender (WinDefend)
Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve the user experience
Windows Error Reporting Service (wersvc)
4.2 Anubis Analysis
4.2.1 Registry Activities
Anubis does not show or report how the sample copies or spreads itself, and it also does not show whether it is a worm or a backdoor. Rather, it just shows the registry activities, from load-time DLLs to run-time DLLs, and what kind of malware is encrypted inside a single file. At each step it shows the process activities, the registry activities, the network activities and the other activities.
First the sample copies itself to the load-time and run-time DLLs by opening the relevant run-time and load-time DLLs, and after that it modifies, deletes and creates the relevant registry keys in the system.
It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
With data: "rundll32.exe <system folder>\<malware file name>.dll, <malware parameters>"
The Anubis report shows that it invokes the DLLs, after which it creates a new file in the Windows folder and controls the devices it needs by communicating with them.
It can also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services

4.2.2 Network Activities


The worm can check for vulnerable systems with network shares protected by weak passwords, and tries to infect all other PCs available on the network. The Anubis reports do not show what kind of weak passwords the worm uses or what kind of user accounts it uses to take control of the system; they only show that it queries the server remotely after being executed on the system.
The executable scans a range of IP addresses and identifies the most potentially vulnerable targets.

4.2.3 File System Activities


It also changes the system's TCP settings to allow a large number of simultaneous connections, where the value 0x00FFFFFE is hexadecimal. This is the difference between Threat Expert and Anubis: Anubis shows the following change in its reports, but it cannot be seen in the Threat Expert reports.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
The Anubis reports also show the memory being mapped by the malware, as shown below:
C:\Windows\System32\regsvr32.dll
Through this DLL it also creates remote threads so that it can be controlled remotely from another system or place.
It also creates a lot of temporary Internet files in the system Windows folder to be able to control the Internet and other network settings.

4.3 Real System Analysis


4.3.1 Registry Activities
As reported by Threat Expert and Anubis, the malware applied to the real system shows behavior similar to that reported by Anubis: in Process Monitor it shows the registry activities from load-time DLLs to run-time DLLs. At each step it shows the process activities, the registry activities and the file system interaction.
First it copies itself to the load-time and run-time DLLs by opening the relevant run-time and load-time DLLs, and after that it modifies, deletes and creates the desired registry keys in the system.
It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run


Real system behavior shows that it first invokes the DLLs; after that it can also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services

4.3.2 Network Activities


The worm can check for vulnerable systems with network shares protected by weak passwords, and tries to infect all other PCs available on the network. The real system behavior also does not show what kind of weak passwords the worm uses or what kind of user accounts it uses to take control of the system.

4.3.3 File System Activities


It also changes the system's TCP settings to allow a large number of simultaneous connections, where the value 0x00FFFFFE is hexadecimal.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
The real system results also show that the DLLs were successfully mapped to the malware location, as shown below:
D:\Malware Analysis\binaries\cabinet.dll
It also creates a lot of temporary Internet files in the system Windows folder to be able to control the Internet and other network settings.
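The registry, file system and network observations in sections 4.1 to 4.3 are what an analyst looks for in the Process Monitor log of a real-system run. The following added example (not code from the paper, nor from Threat Expert, Anubis or Process Monitor) triages a Process Monitor CSV export in one pass for those indicators, and goes a little beyond the text by covering all three observation classes together: a Run key value that launches rundll32.exe with a DLL, a new key under HKLM\SYSTEM\CurrentControlSet\Services, a write under Tcpip\Parameters, a DLL written into the System32 folder, and a process opening TCP port 445 on many hosts (the share-based spreading). The log lines, the process name sample.exe, the DLL name abcdxyz.dll and the 10.0.0.x hosts are all constructed for the example; the Tcpip value name TcpNumConnections and the five-host threshold are the example's own choices, not values from the paper.

```python
"""Triage a Process Monitor CSV export for the Conficker-style indicators
described in sections 4.1-4.3 (added example; the log below is constructed).
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in Process Monitor's CSV export layout (columns: Time of
# Day, Process Name, PID, Operation, Path, Result, Detail). Not a capture from
# the paper: hosts are from the private 10.0.0.0/8 and the 198.51.100.0/24
# documentation range, and the process, DLL and value names are made up.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","CreateFile","C:\\Windows\\System32\\abcdxyz.dll","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\abcdxyz","SUCCESS","Type: REG_SZ, Data: rundll32.exe C:\\Windows\\System32\\abcdxyz.dll,params"
"10:01:02.3","sample.exe","1234","RegCreateKey","HKLM\\System\\CurrentControlSet\\Services\\abcdxyz","SUCCESS",""
"10:01:02.4","sample.exe","1234","RegSetValue","HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\TcpNumConnections","SUCCESS","Type: REG_DWORD, Data: 16777214"
"10:01:02.5","notepad.exe","2000","RegSetValue","HKCU\\Software\\Microsoft\\Notepad\\iWindowPosX","SUCCESS","Type: REG_DWORD, Data: 10"
"10:01:03.0","sample.exe","1234","TCP Connect","LAB-PC:49152 -> 10.0.0.5:445","SUCCESS",""
"10:01:03.1","sample.exe","1234","TCP Connect","LAB-PC:49153 -> 10.0.0.6:445","SUCCESS",""
"10:01:03.2","sample.exe","1234","TCP Connect","LAB-PC:49154 -> 10.0.0.7:445","SUCCESS",""
"10:01:03.3","sample.exe","1234","TCP Connect","LAB-PC:49155 -> 10.0.0.8:445","SUCCESS",""
"10:01:03.4","sample.exe","1234","TCP Connect","LAB-PC:49156 -> 10.0.0.9:445","SUCCESS",""
"10:01:04.0","chrome.exe","3000","TCP Connect","LAB-PC:49157 -> 198.51.100.7:443","SUCCESS",""
"""

RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TCPIP_PARAMS = re.compile(r"^HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", re.I)
SERVICE_KEY = re.compile(r"^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+", re.I)
SYSTEM32_DLL = re.compile(r"^C:\\Windows\\System32\\[^\\]+\.dll$", re.I)
TCP_DEST = re.compile(r"->\s*(?P<host>[^\s:]+):(?P<port>\d+)$")
SMB_FANOUT_THRESHOLD = 5  # distinct TCP/445 peers before we call it spreading


def parse_procmon(text):
    """Read a Procmon CSV export into dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_event(ev):
    """Return the indicator an event matches, or None. Rules are ordered:
    Tcpip\\Parameters itself lives under Services, so it is tested first."""
    op, path, detail = ev["Operation"], ev["Path"], ev.get("Detail", "")
    if op == "RegSetValue" and RUN_KEY.search(path):
        # Autostart value; the paper's samples point it at rundll32.exe <dll>
        return "run_key_persistence_rundll32" if "rundll32" in detail.lower() else "run_key_persistence"
    if op.startswith("Reg") and TCPIP_PARAMS.search(path):
        return "tcpip_parameter_change"  # e.g. the connection limit raised to 0x00FFFFFE
    if op in ("RegCreateKey", "RegSetValue") and SERVICE_KEY.search(path):
        return "service_key_created"  # fake service registration
    if op == "CreateFile" and SYSTEM32_DLL.search(path) and "write" in detail.lower():
        return "system32_dll_write"  # hidden DLL dropped into the system folder
    return None


def smb_fanout(events, threshold=SMB_FANOUT_THRESHOLD):
    """Processes that opened TCP/445 to at least `threshold` distinct hosts."""
    peers = defaultdict(set)
    for ev in events:
        if ev["Operation"] != "TCP Connect":
            continue
        m = TCP_DEST.search(ev["Path"])
        if m and m.group("port") == "445":
            peers[(ev["Process Name"], ev["PID"])].add(m.group("host"))
    return {proc: sorted(hosts) for proc, hosts in peers.items() if len(hosts) >= threshold}


def triage(text):
    """Run both checks over one export and return the findings in log order."""
    events = parse_procmon(text)
    findings = []
    for ev in events:
        rule = classify_event(ev)
        if rule is not None:
            findings.append({"process": ev["Process Name"], "pid": ev["PID"],
                             "rule": rule, "path": ev["Path"]})
    return {"findings": findings, "smb_fanout": smb_fanout(events)}


if __name__ == "__main__":
    report = triage(PROCMON_CSV)
    for f in report["findings"]:
        print(f"{f['process']}[{f['pid']}] {f['rule']}: {f['path']}")
    for (proc, pid), hosts in report["smb_fanout"].items():
        print(f"{proc}[{pid}] TCP/445 to {len(hosts)} hosts: {', '.join(hosts)}")
```

For a real export, turn off Process Monitor's network address and port resolution before saving the CSV so that `TCP Connect` paths carry raw IP addresses and numeric ports as the `TCP_DEST` pattern expects, and read the file with `open(path, newline="")` in place of the embedded string.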

Conclusion
Of the samples analyzed, 95 proved to be worms and only two samples were found to be backdoors. This shows that malware authors still rely on worms to gain access to and compromise systems because of their self-replicating characteristics. As this research shows, the malware uses registry keys to take control of the system. First it runs itself on the system through DLLs, and after that it reads, creates, modifies, deletes and edits those registry keys. Administrators and the Administrators group have the access rights to modify, read, write and delete these registry keys, so according to the results shown, the suggestion is to give these rights only to the administrator and the Administrators group. Windows has some limited built-in protection designed to safeguard the registry. By default, normal users have only read permissions for most branches of the registry and are only able to modify registry keys that affect their own account. Administrators should make sure that this remains the same for all users; doing so limits the user to his own account, and the malware will not spread to other users. Restrict executables from unknown users so that only an administrator can execute them when needed. This also adds the restricted SID (security identifier) token to registry access, which limits the program to read permissions and ensures that it does not alter the registry in any way. Running a program under these restrictions does more than just secure the registry: it also blocks access to the folders, cookies and temporary Internet files. This is useful because the malware will not be able to create temporary Internet files.
Limitations
This research is limited to the platforms available at Institut Teknologi Sepuluh Nopember, Surabaya, Indonesia. It is not valid for platforms other than Windows, such as Mac, Linux, etc. Because of limited resources, this research uses free tools, but the selected malware samples are applied to an isolated real system so that the results can be compared with the results of the free tools. The expected results are also valid only for the same platforms and apply to the same network topology as shown in the figure below.


Figure 2: Network Topology of Honeypot ITS-Net

Further Research
As this research was done on the Windows platform using free online tools, further research can be done on other platforms like Linux, Android and Apple Mac, checking behavior on these platforms with more reliable and registered tools available on the Internet, more specifically on Android, because almost all users use Internet services on Android and smart phones, which could help reveal the behavior on the latest Android cell phones.
Acknowledgment
I am deeply grateful to my advisor Sir Bekti Cahyo Hidayanto for the opportunity to work on this thesis. I would further like to thank my supervisor Dr. Eng. Febriliyan Samopa, M.Kom, for his countless suggestions and guidance during the thesis. It was a pleasure to do research at Institut Teknologi Sepuluh Nopember, Surabaya, Indonesia.

References

[1] Jeremy Paquette. A History of Viruses. March 2008. http://www.securityfocus.com/infocus/1286
[2] Ed Skoudis and Lenny Zeltser. Malware: Fighting Malicious Code. Prentice Hall, 2003.
[3] Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, and Fabian Monrose. All Your iFRAMEs Point to Us. Google Technical Report, 2008.
[4] Brian Krebs. Hundreds of Thousands of Microsoft Web Servers Hacked. Washington Post, April 2008. http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html
[5] Lorenzo Martignoni, Roberto Paleari, and Danilo Bruschi. A Framework for Behavior-Based Malware Analysis in the Cloud.
[6] Maya Louk, Hyotaek Lim, HoonJae Lee, and Mohammed Atiquzzaman. An Effective Framework of Behavior Detection: Advanced Static Analysis for Malware Detection.
[7] Iker Burguera, Urko Zurutuza, and Simin Nadjm-Tehrani. Crowdroid: Behavior-Based Malware Detection System for Android.
[8] Konrad Rieck, Philipp Trinius, Carsten Willems, and Thorsten Holz. Automatic Analysis of Malware Behavior Using Machine Learning.
[9] Ahmed F. Shosha, Joshua I. James, Alan Hannaway, Chen-Ching Liu, and Pavel Gladyshev. Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes.
[10] Artem Dinaburg, Paul Royal, and Monirul Sharif. Ether: Malware Analysis via Hardware Virtualization Extensions.
[11] Aziz Mohaisen. AMAL: High-Fidelity, Behavior-Based Automated Malware Analysis and Classification.
[12] Mohammad Karami, Mohamed Elsabagh, Parnian Najafiborazjani, and Angelos. Behavioral Analysis of Android Applications Using Automated Instrumentation.


[13] Hsiu-Sen Chiang and Woei-Jiunn Tsaur. Ontology-Based Mobile Malware Behavioral Analysis.
[14] Michael Bailey, Jon Oberheide, Jon Andersen, Z. Morley Mao, Farnam Jahanian, and Jose Nazario. Automated Classification and Analysis of Internet Malware.
[15] Lakshmanan Nataraj (University of California, Santa Barbara, USA). A Comparative Assessment of Malware Classification Using Binary Texture Analysis and Dynamic Analysis.
[16] Binlin Cheng, Jianming Fu, Ya Liu, and Siyang Xiong. Malware Behavior Feature Extraction Based on Web Information Extraction.
[17] Jaime Devesa, Igor Santos, Xabier Cantero, Yoseba K. Penya, and Pablo G. Bringas. Automatic Behavior Based Analysis and Classification System for Malware Detection.
[18] Connor Gilbert, Bryce Cronkite-Ratcliff, and Jason Franklin. Malbehave: Classifying Malware by Observed Behavior.
[19] Zulkiflee M., Azirah S.A., Haniza N., Zakiah A., and Shahrin S. Behavioral Analysis on IPv4 Malware on Different Platforms in IPv6 Network Environment.
[20] Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel (University of California, Santa Barbara). BareBox: Efficient Malware Analysis on Bare-Metal.
[21] Engin Kirda and Christopher Kruegel (Secure Systems Lab, Technical University Vienna), Greg Banks, Giovanni Vigna, and Richard A. Kemmerer. Behavior-Based Spyware Detection.
[22] Gérard Wagener, Radu State, and Alexandre Dulaunoy. Malware Behavior Analysis.
[23] Dai-Fei Guo, Ai-Fen Sui, Yi-Jie Shi, Jian-Jun Hu, Guan-Zhou Lin, and Tao Guo. Behavior Classification Based Self-Learning Mobile Malware Detection.
[24] Desmond Lobo, Paul Watters, and Xinwen Wu. RBACS: Rootkit Behavioral Analysis and Classification System.
