Methodology

Analyzing system logs - Advanced In-The-Wild Malware Test

Sample settings of the Sysmon audit policy. Windows 10 allows a user to insight into very detailed information about system events.

Before a potentially harmful sample is qualified for tests, one of the components of a testing system checks if malicious software certainly introduces unwanted modifications to Windows 10. For this purpose, every virus is analyzed for several minutes. The human factor excluded from tests makes it impossible to ascertain whether, for example, malware will finish its activity after 60 seconds. We must establish some time threshold after which we stop an analysis.

We are aware that there’s malicious software that can delay its launch up to several hours before it will be activated. It can also listen to connections with C&C server on an ephemeral port. There were also situations when malware was programmed to infect a specific application, or it was waiting for a website to be opened. For this reason, we took every effort to ensure that our tests are as close to reality as possible, and samples which are “unreliable” won’t be included in a test virus database.

Detailed logs from the activity of malware are transferred to the testing system, which looks for matching indicators corresponding to blocking a virus by a protection product. Potentially dangerous indicators that point to an infection of Windows 10 are also searched. In addition, detection of malware is verified based on the presence of potentially dangerous changes in logs that were introduced by a sample into a system.

Sample XML logs (Sysmon) collected from malware activity.
Sample XML logs (Sysmon) collected from malware activity.

An attempt to modify files in a location:

C:\Users\%USERNAME%\Desktop\Files

An attempt to run a program from a location:

C:\Users\%USERNAME%\AppData\Local\Temp

Checking devices in a virtual machine:

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0

After analyzing every malicious sample and obtaining logs, developed algorithms decide whether a particular sample is certainly harmful. We publish partial information from an analysis on our website in an accessible form for users and developers. Detailed data are shared with developers.

We can determine with certainty whether a protection product has stopped malicious software with a signature or proactive protection components. Analyzing logs is very time consuming, so we have developed algorithms which do the whole tedious work for a man.

Moving malware to quarantine:

C:\ProgramData\Malwarebytes\MBAMService\Quarantine\

Another way to malware detecting:

C:\ProgramData\Malwarebytes\MBAMService\RtpDetections\
Sample report from the activity of Malwarebytes software.
Sample report from the activity of Malwarebytes software.

Registered logs, among others, about changes in a structure of files, system registry, task scheduler, logging into a system and network shares, and also changes in a network communication of processes, provide necessary information about modifications introduced into a system by malware. For example, if an infected Word document containing several scripts (Visual Basic, CMD, PowerShell) is launched, followed by an action of a file download from a website, and saving a virus in %TEMP%, enabled inspection of the individual components of the operating system will add such information to a log. As a result, every, even the smallest modification introduced by malware, will be recorded. Whether it will be a keylogger, backdoor, rootkit, trojan, macro virus, or ransomware.