One of the difficulties involved with malware analysis is determining exactly how concerned you should be when you find a new sample on your network. Categorizing malware does not require high cost tools and access to subscription-only databases (although these can help). The following is a list of ways to help determine how concerned you should be when your team discovers a new sample.
It is worth noting that the presence of a single indicator is not necessarily a cause for concern above and beyond that of any other malware infection. Many of the following attrbutes can be associated with commodity malware and individually are not indicative of a targeted attack.
Pay attention to the malware type
Malware is classified into a variety of types, some of which are more concerning than others. For the purposes of this article I will reference the malware classification scheme utilized by the Microsoft Malware Protection Center (MMPC), available here. Most antivirus software companies provide a similar classification methodology, refer to your antivirus software vendor for additional information.
Most malware classifications, such as worm, ransom, or rogue, are usually commodity in nature. Although destructive, these forms of malware are rarely used in a targeted attack. On the other hand, malware classified as Trojan, TrojanDropper, TrojanDownloader, HackTool, BackDoor, Exploit, MonitoringTool, Tool, TrojanNotifier, TrojanProxy, VirTool, or PWS may pose a risk to the integrity of your network.
Was the detection specific or generic?
Malware can be detected as being part of a known family or through generic signatures designed to capture future iterations of the same family. Targeted attacks commonly use customized malware, usually with a specialized command and control channel and occasionally with attributes specific to the target inside the code (such as credentials). In addition, these attacks are usually cognizant of the target’s antivirus software and may have manipulated the tool to dodge detection by that antivirus.
In Microsoft’s malware classification scheme, generic detections can be identified by a variant of ‘.gen’ instead of a letter code.
Was the malware detected by your in-house antivirus product?
As I mentioned in the section on generic detections, an attacker will usually try to obfuscate the tool to ensure that the target’s antivirus software does not detect it. That said, it is very possible that a different antivirus software solution may detect the tool. One way to get a second set of eyes on software on your network is to run one of the various free self-contained antivirus scanners on hosts in your network and aggregate the results in a central location for later review. Malware detected by the out-of-band scanner may indicate an attempt by an attacker to dodge detection by your in-house antivirus scanner.
One example of how to deploy a self-contained scanner is documented in Microsoft KB 891716. As a side note, I would recommend adding the /n switch to the MSERT call to prevent it from removing the malware before it has been thoroughly reviewed.
Has the malware been seen by VirusTotal?
VirusTotal is a great free tool for researching files detected on your enterprise. If you discover a potentially concerning file on your network, try searching for its file has on VirusTotal to see if they have seen the sample before. Samples not detected by file hash on VirusTotal may be targeted in nature, but may aslo be new undetected malware or polymorphic malware. Polymorphic malware, such as the Zbot family, changes its appearance pseudorandomly with every installation and thereby will almost always appear unique.
In addition, VirusTotal will provide great detail on the inner workings of the malware if the file has been previously submitted.
Do you see anything in the file that is specific to your organization?
Another great test is to review the strings table in the malware for information that may pertain specifically to your organization. This can be done either through using a hex editor or by using strings, a free tool from Microsoft Sysinternals designed specifically for this purpose.
In closing, there are many ways you can analyze a file without requiring expensinsive tools or resources. Ultimately, it is best to contact a professional if there is genuine concern over an identified threat. Although helpful, these mechanisms are only designed to help identify a potentially targeted attack. Professional incident response teams have specially-designed capabilities that enable them to detect and track attacker activity and usually employ reverse engineers who specialize in malware analysis to help in the analysis effort.
