AV-School.com
AV-School — New source of IT-knowledge!
About Perl Threads in The Context of Building a Sandbox (by Alexander Adamov, D&T Lab)
19 Mar 11 at 19:42
This continues the story about a possible implementation of a sandbox for analysing malicious code. This time we are concerned with running the sandbox regularly, in a cycle.

So, last time we built an immutable image that is ready to accept a file for inspection. Since the image is reset only when the virtual machine is turned off, we need something that will turn this virtual machine on and off.

The task is as follows: start the virtual machine and wait for it to shut down, or force it off after a specified period of time.

Virus Total API (by Alexander Adamov, D&T Lab)
15 Mar 11 at 11:10

VirusTotal is a very useful service. It can quite quickly assess whether a file is malicious. When checking, the file is scanned by multiple antiviruses (currently 43, but the number may change). This reduces the likelihood that a file goes unnoticed just because your own antivirus does not detect it, since the combined databases of 43 antiviruses will most likely cover more than any single one. Also, heuristic analyzers are used during scanning to identify a malicious file even if its signature is not yet in the database.

How Perl can help a novice analyst (by Marina, D&T Lab)
02 Jan 11 at 17:38
... The Trojan then sends a request to the following address:

In reply it gets a list of links from which it will download files. At the time of writing, the list was as shown below…

For every virus analyst this is a well-known situation. You have a list of a few dozen malicious programs. You download them using your favorite download tool (I use Wget in such cases). Now you have the downloaded files and need to know how they are detected.

Then the strength test of your mouse begins — right click — “Check for viruses” — open the report — copy the detection name if there is one — put the sample into a password-protected archive named after the detection ...

At some point you get tired of it. Is it possible to automate this process? The answer is absolutely yes! My favorite programming language, Perl, helps us:

The script is invoked from the command line (or from a prepared BAT file):

In this line:

C:\Perl\bin\perl is the path to the Perl interpreter. There is no need to specify the full path if Perl is installed correctly and its directory is in the Path environment variable;

D:\test\detect.pl is the path and name of the script;

D:\test\sample is a parameter containing the path to the directory with the files you want to scan;

D:\test\detected is a parameter containing the path where detected files will be moved.

You need to enclose a path in quotes if it contains spaces. For example:

Now we can move on to the script itself. First we read the first parameter:

@ARGV is an array that contains the command-line arguments passed to the script.

$ARGV[0] is the first argument. In this case it contains the path to the directory with the files you want to scan, i.e. D:\test\sample.

Check the command-line argument. If it is missing, a message saying that you must specify the directory with the samples is displayed.

Then we store this parameter in the variable $DirToNotDetected.

After that, check for the presence of the second argument:

The second parameter is not critical. If it is absent, a directory for detected files named "detect" will be created directly in the directory with the samples. This path is stored in the variable $DirToDetected.

Create the directory for detected files.



Then we place the path to the file archiver in the variable $PathTo7z. I use 7-Zip.



Next we put the password which will be used for archives in the variable $pass.



Specify a path to Kaspersky Anti-Virus in the variable $PathToKasper.



Then we specify the directory for the anti-virus scanner's log file in the variable $KasperLogDir. In this case, the log will be saved in the directory containing the detected files.



Place the command line that will run the scanner in the variable $KasperCMDLine. Let us look at it in more detail:

\"$PathToKasper\\avp.com\" will be interpreted as
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.com". You need to escape the quotes with a backslash.

SCAN /fa /i0 /RA:"$KasperLogDir\kasperlog.txt" are the scanner settings: "/fa" scan all files without exception; "/i0" only report, do not disinfect; "/RA:" save all events, not only critical ones; "$KasperLogDir\kasperlog.txt" save the report into the file "kasperlog.txt" in the directory given by the variable $KasperLogDir.

"$DirToNotDetected" is the path to the files to be scanned.



Launch the command line for execution.

Once the scanning is finished, open the log, or display a message that the file cannot be opened if opening it fails. This can happen if the report was not created, for example because the directory specified for it was read-only.



Read the log into the array @file_to_parse, each element of which is a separate line, and ...

... for each element of the array:

We remove the trailing newline character from the string.

Perl lets you match patterns within strings with the =~ operator. The expression you want to find is placed between slashes: /what you are looking for/. The symbol "|" means "or".
If the string contains the word "detected" or "suspicion" bounded by tabs (\t), then do the following ...

Here we make a slight digression to see what the log of the anti-virus scanner looks like. I will quote a part of it:

The lines highlighted in red will pass the test $line =~ /\tdetected\t|\tsuspicion\t/. Notice the line highlighted in green. It also contains the word "detected", but not bounded by tabs. In addition, the words "detected" and "suspicion" can occur in file paths or file names. To avoid such false matches we add the "\t" characters at the beginning and end of the keywords we are looking for.

Back to the script. So, if we found the search string, then:

Split the line into pieces by tabs and put the parts in the array @arr. Consider one of the lines. I use an editor that can display special characters to make it clear:

First, the newline character (underlined in red) is removed. Also, please pay attention: in the previous screenshot the gap between the date and the time (underlined in blue) looks the same as the gap between the packer and the word "detected" (underlined in green), but in the first case it is simply a space, while in the second it is a tab character. Splitting the line we obtain four elements:

2009-08-16 12:32:35
D:\test\sample\1.exe//PE_Patch.UPX//UPX
detected
Trojan-GameThief.Win32.OnLineGames.bmtc

These parts will be placed in the array @arr.

Put element number three of the array into the variable $detect. Another important feature that is obvious to programmers, but often causes errors and confusion for beginners, is that elements are numbered from 0. Thus:

16/08/2009 12:32:35 is the zero element of the array,
D:\test\sample\1.exe//PE_Patch.UPX//UPX is the first,
detected is the second,
Trojan-GameThief.Win32.OnLineGames.bmtc is the third element of the array.

That is, "Trojan-GameThief.Win32.OnLineGames.bmtc" will be written into the variable $detect.



Then we replace colons with underscores in the variable $detect. Thus not-a-virus:AdWare.Win32.Agent.pgv becomes not-a-virus_AdWare.Win32.Agent.pgv. The reason this is needed will become clear later.



If the first element of the array (in this case D:\test\sample\1.exe//PE_Patch.UPX//UPX) contains a forward slash (a slash "/" is interpreted as a special character, so we put the backslash "\" before it), this element must be split by slashes. With this expression we separate the path and file name from the packer. Since we have already saved the detection name in the variable $detect, we no longer need the contents of the array @arr, so we can reuse the name. Thus:

in the zero element of the array @arr ($arr[0]) will be written "D:\test\sample\1.exe",
in the first ($arr[1]) - nothing,
in the second ($arr[2]) - PE_Patch.UPX,
in the third ($arr[3]) - nothing,
in the fourth ($arr[4]) - UPX.



Copy the zero element into the first element.

Write the first element of the array, i.e. the file name and path (D:\test\sample\1.exe), into the variable $path_name. Note that if the condition is false (the file is not packed), the name and path obtained by splitting the line by tabs are already in $arr[1].

So we have the detection name and the path to the file. It remains only to put the file into a password-protected archive:

The 7-Zip archiver is run. All variables are replaced by their values, so the command will look like this:

"C:\Program Files\7-Zip\7za" a -tzip "$DirToDetected\Trojan-GameThief.Win32.OnLineGames.bmtc.zip" "D:\test\sample\1.exe" -y -ppassword

Here:

C:\Program Files\7-Zip\7za is the path to the 7-Zip program;

a is the command that tells the archiver to add the file to an archive;

-tzip sets the archive format to zip;

$DirToDetected\Trojan-GameThief.Win32.OnLineGames.bmtc.zip is the path and name of the archive in which the file is placed;

D:\test\sample\1.exe is the file to be archived;

-y answers yes to all questions (making the command non-interactive);

-p is the switch that sets the archive password.

Here the detection name is used as the archive name. A file name cannot contain a colon, which is why we replaced the colons with underscores.

After that, the processed file can be deleted:

Execute the command del "D:\test\sample\1.exe". This line is not mandatory. Sometimes it even gets in the way: for example, when several malicious files are inside a self-extracting archive, that file will have several detections, and if it is deleted immediately after the first one, the archives for the other detections will be empty.

After that we return to the top of the loop and repeat everything described above for the next line. When the end of the report file is reached, the loop ends.



Once the processing is complete, close the report file.

Display a message on completion.

After that we obtain the directory D:\test\detected containing all of our files:

The number of archives is smaller than the number of files in the source directory, because some files are detected with the same name:



Code :

#!/usr/bin/perl
# detect.pl: scan a directory with the Kaspersky command-line scanner, then
# put every detected sample into a password-protected zip named after its verdict.
# Usage: perl detect.pl <directory with samples> [<directory for detected files>]
use strict;
use warnings;

if ( !defined $ARGV[0] || $ARGV[0] eq "" )
{
        die "Must specify path to the directory with samples\n";
}

my $DirToNotDetected = $ARGV[0];
my $DirToDetected;

if ( !defined $ARGV[1] || $ARGV[1] eq "" )
{
        # no second argument: use a "detect" subdirectory of the samples directory
        $DirToDetected = $DirToNotDetected . '\detect';
}
else
{
        $DirToDetected = $ARGV[1];
}

mkdir("$DirToDetected") unless -d $DirToDetected;

my $PathTo7z = 'C:\Program Files\7-Zip';
my $pass     = 'password';

my $PathToKasper =
  'C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0';

my $KasperLogDir = "$DirToDetected";

# /fa: scan all files; /i0: report only, do not disinfect; /RA: log all events
my $KasperCMDLine =
"\"$PathToKasper\\avp.com\"  SCAN /fa /i0 /RA:\"$KasperLogDir\\kasperlog.txt\" \"$DirToNotDetected\"";

system("$KasperCMDLine");

open( my $INFILE, '<', "$KasperLogDir\\kasperlog.txt" )
  or die("Cannot open input file $KasperLogDir\\kasperlog.txt\n");

my @file_to_parse = <$INFILE>;

foreach my $line (@file_to_parse)
{
        chomp($line);    # remove the trailing newline
        # a verdict line has "detected" or "suspicion" as a tab-delimited field
        if ( $line =~ /\tdetected\t|\tsuspicion\t/ )
        {
                # fields: date and time, object (path[//packer//name]), status, verdict
                my @arr    = split( /\t/, $line );
                my $detect = $arr[3];
                $detect =~ s/:/_/g;    # a file name cannot contain a colon
                if ( $arr[1] =~ /\// )
                {
                        # packed file: "path//PE_Patch.UPX//UPX" -> keep only the path
                        @arr = split( /\//, $arr[1] );
                        $arr[1] = $arr[0];
                }
                my $path_name = $arr[1];
                # archive the sample under its verdict name, password-protected
                system("\"$PathTo7z\\7za\" a -tzip \"$DirToDetected\\${detect}.zip\" \"$path_name\" -y -p$pass");
                # optional: delete the original sample (see the note in the text)
                system("del \"$path_name\"");
        }
}
close($INFILE);
print("Done!\n");

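As an added example (not the article's script), the log parsing above reworked so that verdicts are first grouped by sample path and the 7-Zip and del commands are built afterwards; this goes a step beyond the script by handling a sample with several detections (the self-extracting archive case mentioned in the text) without deleting it after the first one. The log lines, paths and password are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not the article's script: parse the scanner log from memory and
# group verdicts by sample, so a sample with several detections (e.g. a
# self-extracting archive) is archived once per verdict and deleted only afterwards.
use strict;
use warnings;

# Constructed log lines in the tab-delimited layout shown in the article.
my @log = (
    "2009-08-16 12:32:35\tD:\\test\\sample\\1.exe//PE_Patch.UPX//UPX\tdetected\tTrojan-GameThief.Win32.OnLineGames.bmtc",
    "2009-08-16 12:32:36\tD:\\test\\sample\\2.exe\tdetected\tnot-a-virus:AdWare.Win32.Agent.pgv",
    "2009-08-16 12:32:37\tD:\\test\\sample\\sfx.exe\tdetected\tTrojan.Win32.Generic",
    "2009-08-16 12:32:37\tD:\\test\\sample\\sfx.exe\tsuspicion\tHEUR:Trojan.Win32.Generic",
    "2009-08-16 12:32:38\tD:\\test\\sample\\detected.txt\tok",   # "detected" only in the path
    "Objects detected: 4",                                       # summary line, not tab-bounded
);

# Returns a hashref: sample path -> list of verdict names (colons replaced by "_").
sub parse_verdicts {
    my %by_path;
    foreach my $line (@_) {
        chomp $line;
        next unless $line =~ /\tdetected\t|\tsuspicion\t/;    # tab-bounded keywords only
        my ( $time, $object, $status, $verdict ) = split /\t/, $line;
        ( my $path = $object ) =~ s{//.*$}{};                   # drop "//Packer//name"
        $verdict =~ s/:/_/g;                                    # colons are illegal in file names
        push @{ $by_path{$path} }, $verdict;
    }
    return \%by_path;
}

# Builds the 7za/del commands as strings: one archive per distinct verdict,
# and the sample is deleted only after all of its archives have been written.
sub archive_commands {
    my ( $by_path, $out_dir, $seven_zip, $pass ) = @_;
    my @cmds;
    for my $path ( sort keys %$by_path ) {
        my %seen;
        for my $v ( grep { !$seen{$_}++ } @{ $by_path->{$path} } ) {
            push @cmds, "\"$seven_zip\\7za\" a -tzip \"$out_dir\\$v.zip\" \"$path\" -y -p$pass";
        }
        push @cmds, "del \"$path\"";
    }
    return @cmds;
}

# Print the commands instead of running them with system(), so this is safe to try.
print "$_\n"
  for archive_commands( parse_verdicts(@log), 'D:\test\detected', 'C:\Program Files\7-Zip', 'password' );
```

Replacing the print with system() turns it back into the working tool; the sfx.exe sample then yields two archives and a single del.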




Dmytro Krasylnikov
"Design and Test Lab", Ltd. 2011
/specially for /


String verdictor (by krasylnikov, D&T Lab)
11 Nov 10 at 14:21

What is "statistics"? Usually it means processing, and sometimes collecting, data in large quantities. What is a "verdictor"? Something that makes a verdict; actually I'm not sure such a word exists, but that is not important. What is a "statistical verdictor"? Obviously, something that makes verdicts on the basis of certain statistics. This article talks about verdicts like "Trojan-Downloader" or "Email-Worm", that is, about belonging to a particular family of malware. If you are interested in this topic, you are invited to read the full article.

Eclipse IDE (by krasylnikov, D&T Lab)
17 Aug 10 at 19:03
When the total eclipse throws the planet into darkness...

No, no - I love the "Heroes" TV series too, but today we talk about another eclipse. I can't say why the Eclipse Foundation chose exactly this name, but it doesn't matter. What is important is that in November 2001 Borland, IBM, MERANT, QNX Software Systems, Rational Software, Red Hat, and SuSE founded a corporate consortium named Eclipse, and later, in early 2004, they reorganized it into a nonprofit organization, the Eclipse Foundation.

Copyright © 2007-2012 «Kaspersky Lab.»