Monday, October 15, 2012

Preview: Analysing DirtJumper with Joe Sandbox 7.0.0

For the past three months we have been working hard on Joe Sandbox 7.0.0. Alongside a number of smaller extensions, the biggest improvement is the integration of a static code analysis engine (Joe Sandbox SCAE).

SCAE analyses dynamically generated memory dumps and extracts highly abstracted code functions into the analysis report:

For each code function SCAE detects strings, xrefs, constants, call type and function arguments. In addition we have developed a unique and generic algorithm for detecting hidden API calls (e.g. calls made through a register, such as call eax).

All extracted code functions are connected to dynamic behavior information:

The picture above shows a section of the file open activities (all the files the sample under analysis opened during execution). Clicking on the source address redirects to the corresponding code function (Function 00414270, shown in the first picture).
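To make the two ideas above concrete, carving code functions with their call types and xrefs out of a memory dump, resolving a hidden API call made through a register (mov eax, [IAT slot]; call eax), and linking a dynamic event's source address back to the function that issued it, here is a small added example in Python. It is not SCAE code and does not reproduce SCAE's algorithm; the code bytes, the code base address, the IAT layout and the file-open event address are all constructed for the example, and the decoder only knows the handful of x86 opcodes that sample uses.

```python
"""Toy static sweep over an x86 memory dump (added example, not SCAE code).
Carves functions, resolves register-based "hidden" API calls and maps a dynamic
event's source address to its function. Simplifications: only the opcodes the
sample uses are decoded, unknown bytes are skipped, control flow is ignored."""
import struct
from dataclasses import dataclass, field

CODE_BASE = 0x401000   # assumption: virtual address of the dumped code section
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed import address table: IAT slot -> imported API (hypothetical layout).
IAT = {
    0x41A000: "kernel32.dll!CreateFileA",
    0x41A004: "kernel32.dll!Sleep",
    0x41A008: "ws2_32.dll!connect",
}

# Constructed code dump: two small functions, assembly in the comments.
CODE = bytes.fromhex(
    "55"            # 401000  push ebp              ; prologue, Function 00401000
    "8BEC"          # 401001  mov  ebp, esp
    "A100A04100"    # 401003  mov  eax, [41A000]    ; load CreateFileA pointer
    "FFD0"          # 401008  call eax              ; hidden API call
    "E811000000"    # 40100A  call 401020           ; direct call, Function 00401020
    "5D"            # 40100F  pop  ebp
    "C3"            # 401010  ret
    + "CC" * 15 +   # 401011  padding
    "55"            # 401020  push ebp              ; prologue, Function 00401020
    "8BEC"          # 401021  mov  ebp, esp
    "FF1504A04100"  # 401023  call [41A004]         ; Sleep through the IAT
    "8B0D08A04100"  # 401029  mov  ecx, [41A008]    ; load connect pointer
    "FFD1"          # 40102F  call ecx              ; hidden API call
    "5D"            # 401031  pop  ebp
    "C3"            # 401032  ret
)

@dataclass
class Function:
    start: int
    end: int = 0                                 # address of the terminating ret
    calls: list = field(default_factory=list)    # (insn address, target, kind)

    @property
    def name(self):
        return f"Function {self.start:08X}"      # same naming as the report

def analyse(code, base, iat):
    """Linear sweep: carve functions at push ebp/mov ebp,esp and record calls."""
    u32 = lambda off: struct.unpack_from("<I", code, off)[0]
    i32 = lambda off: struct.unpack_from("<i", code, off)[0]
    funcs, cur, regs, off = [], None, {}, 0
    while off < len(code):
        addr, op = base + off, code[off]
        if code[off:off + 3] == b"\x55\x8b\xec":            # prologue
            cur = Function(addr); funcs.append(cur); regs = {}; off += 3
        elif cur is None:                                    # padding between functions
            off += 1
        elif op == 0xC3:                                     # ret ends the function
            cur.end = addr; cur = None; off += 1
        elif 0xB8 <= op <= 0xBF:                             # mov r32, imm32
            regs[REGS[op - 0xB8]] = ("imm", u32(off + 1)); off += 5
        elif op == 0xA1:                                     # mov eax, [disp32]
            regs["eax"] = ("mem", u32(off + 1)); off += 5
        elif op == 0x8B and (code[off + 1] & 0xC7) == 0x05:  # mov r32, [disp32]
            regs[REGS[(code[off + 1] >> 3) & 7]] = ("mem", u32(off + 2)); off += 6
        elif op == 0xE8:                                     # call rel32
            target = (addr + 5 + i32(off + 1)) & 0xFFFFFFFF
            cur.calls.append((addr, f"Function {target:08X}", "direct")); off += 5
        elif op == 0xFF and code[off + 1] == 0x15:           # call [disp32] via IAT
            slot = u32(off + 2)
            cur.calls.append((addr, iat.get(slot, f"[{slot:08X}]"), "iat")); off += 6
        elif op == 0xFF and (code[off + 1] & 0xF8) == 0xD0:  # call r32: hidden API call
            reg = REGS[code[off + 1] & 7]
            kind, val = regs.get(reg, (None, None))
            if kind == "mem" and val in iat:
                target = iat[val]                            # register holds an IAT load
            elif kind == "imm":
                target = f"Function {val:08X}"               # register holds a code address
            else:
                target = f"unresolved {reg}"
            cur.calls.append((addr, target, f"hidden via {reg}")); off += 2
        else:
            off += 1                                         # unknown byte: skip
    return funcs

def xrefs(funcs):
    """Callee name -> calling function names (the report's xrefs)."""
    refs = {}
    for f in funcs:
        for _, target, _ in f.calls:
            refs.setdefault(target, []).append(f.name)
    return refs

def function_for_address(funcs, addr):
    """Map a dynamic event's source (return) address to the function containing it."""
    return next((f for f in funcs if f.start <= addr <= f.end), None)
```

Running `analyse(CODE, CODE_BASE, IAT)` yields two functions: Function 00401000 with a hidden call to CreateFileA through eax and a direct call to Function 00401020, and Function 00401020 with an IAT call to Sleep and a hidden call to connect through ecx. `xrefs` then lists Function 00401000 as the caller of Function 00401020, and `function_for_address(funcs, 0x40100A)`, the return address of the hidden CreateFileA call, resolves a constructed file-open event back to Function 00401000. A real engine has to follow control flow and handle far more encodings, but the linking step is the same: the source address of a runtime event is looked up in the function table recovered from the dump.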

What makes SCAE extremely powerful is its ability to detect and analyze code which has not been executed.

One of the big disadvantages of dynamic program analysis is that only a small fraction of the real behavior gets executed and thus can be analyzed. Imagine the dynamic analysis of DirtJumper, a DDoS bot. The DDoS functionality is only executed once the bot herder sends a specific command to his bots. Therefore it is normally not possible to analyze and detect any DDoS payload using dynamic analysis alone.

To the best of our knowledge all existing dynamic malware analysis systems only detect and rate behavior information originating from the execution of the malware (often this is just the installation behavior of the malware). They are not able to see any functionality which has not been executed, and thus they miss the real malicious payload.

Thanks to SCAE, Joe Sandbox 7.0.0 makes it possible to analyze and see what has not been executed:

The picture above shows a code function which DirtJumper uses to construct different kinds of HTTP headers. Since DirtJumper contains multiple HTTP flood techniques (e.g. POST and GET floods) it needs to craft different headers. Function 41D0E0 is called by Function 4291FC, which in turn is called by another function in a loop; Sleep is used to control the flood frequency. All of these facts are extracted and identified by SCAE and do not appear in any dynamic analysis result!

More facts about DirtJumper we found by looking at the SCAE results:

  • Works with IPv6 (Function 4181D8)
  • Uses a fixed but extensive set of user agents (Function 429030); some of them are: "Mozilla/3.01Gold (X11; I; Linux 2.0.32 i486)", "Mozilla/2.0 (compatible; Ask Jeeves/Teoma)", "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) Web Link Validator 2.x" and "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/ Safari/525.19"
  • Contains an extensive list of VM artifacts used to detect VMs (including Xen); the techniques are based on registry key lookups and process enumeration (Functions 4129B0, 412F30 and 4122B0)
  • Various anti-debug tricks (Function 412190)
  • Contains functionality to infect USB drives (Function 4153C0)

The corresponding Joe Sandbox 7.0.0 report can be found at:

Of course all static function data is also passed to the Joe Sandbox signature interface. Be prepared for new and cool code signatures!