how to Analyze/Scan and identify Potential Trojans
Let's get started!
I'm going to use one of many ways of identifying a malware object. As you all know, most Trojans come in the form of an executable file, e.g. funny.exe, Spiderman3.scr etc. Even the file names are chosen to be attractive, tempting users to execute them. First, in order to understand how to analyze Trojans, we should know how Trojans work. A Trojan or RAT (Remote Administration Tool) is a tool which has 2 parts,
1. Client or the console
2. Server
The way a Trojan works is by configuring the server file (which is an executable), sending it to a victim and getting them to execute it. As soon as the server file is executed it opens a port on the victim's machine and starts listening for instructions from the console, which is controlled by the attacker, who can then take full control over your system. He can even stream your webcam and see what you are doing, browse your files, steal passwords, add/edit/delete/upload files etc., even record your VoIP conversations. That is the basics of how Trojans work.
Now, as said above, we often run into executable files in daily life: a friend sends you a funny flash program, or you download a crack file from an underground website, etc. Now the big question: how do we know if the executable file is infected with a Trojan server or not? Someone may say that as long as their anti-virus software doesn't flag the file as a Trojan it's all safe. That's WRONG! Why? Because a server executable can be made undetectable in various ways, such as crypting, changing entry points, encryption, packing, scrambling, hexing etc., so anti-virus software is often fooled by these methods. Now there are many ways to analyze and identify Trojans. We can do things like disassembling, running them in VMware etc., but these are often very advanced methods, so I'm going to use the sandboxing method to analyze a suspicious server file. As even the Sandboxie software is a bit complicated to use, I'm going to use a free web-based analysis tool!
OK, let's see how we can analyze a suspicious Trojan. Let's say I downloaded a crack.exe file from a website. First I'm going to scan this file using my anti-virus software to see if it detects anything.
Scan Results

It seems there is nothing wrong with the file, but can we be so sure? Let's try sandboxing it.
I'm using Sunbelt Sandbox. First you need to go to http://research.sunbelt-software.com/Submit.aspx. Now you need to give your valid e-mail address, browse to the suspicious file and write some comments (not compulsory).

Now hit "Submit sample for analysis".
After your file is uploaded you will get a message like this,
Now you have to wait; it will take a couple of minutes to get a result. Then check your mail: you will receive an e-mail from Sunbelt with a report file attached.
Now the last part, analyzing (the hard part). It's a bit complicated, but I will try my best to explain how to identify potential Trojans. A Trojan always drops files to the system, normally into the system32 directory. It sometimes drops DLL files and other support files as well, like keylogger data files. A Trojan also always tries to add a startup key so that every time the PC is booted the Trojan runs again. These are the 3 very important things you need to check in the analysis report:
1. Is the suspicious file dropping any files to the system?
2. Is it trying to add/modify registry keys?
3. Is it trying to connect to the internet?
There are many other things; I took these basic ones so everyone can understand. Now open the report file sent to you by Sunbelt and analyze it carefully, looking for the above 3 indicators (because they are very common in a Trojan).
Let's see the analysis report I got on the suspicious file. Refer to the screenshot below.

As you can see in the above screenshot, the crack.exe file is dropping a file named svchost.exe to the system, which is really strange because svchost is a system service. Also notice how it is adding a key to the registry startup (keep in mind some legitimate programs do that too). So we can be pretty sure something is wrong with this file. We can always submit it to an anti-virus company for further analysis and delete it off the computer. Keep in mind one thing: there are modern Trojans which have the ability to sleep when a sandbox or virtual environment is detected, or they skip the execution of the actual malicious activity and run a legitimate routine to fool the sandbox. But for most common Trojans this trick will do. Notice the best thing about this: even though our anti-virus failed to pick it up, the sandbox did.
Next time, before running an executable file, think twice. Also, this method is not effective against big files. So stop downloading files from warez/cracks/torrents; there is always a risk involved.
Support the developers by buying the software. Be safe and leave your constructive comments!!
Written by: maxguy. Reproduction of this material in any way without permission from the author is prohibited. If you share this tutorial please keep the copyright intact. Thank you.
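As an added example that is not part of the original tutorial, here is a small Python script that applies the three checks above (dropped files, startup registry keys, internet connections) to a sandbox report. The report events are constructed to mirror what the screenshot describes, and the event format is a simplified stand-in of my own, not the real Sunbelt report layout.

```python
# Added example (not from the original post): triage a sandbox behaviour report
# against the three checks the tutorial lists. The event format below is a
# constructed, simplified stand-in, NOT the real Sunbelt/CWSandbox report layout.
import re

# Constructed sample events mirroring what the post's screenshot describes:
# crack.exe writes svchost.exe into system32, adds a Run key, and opens a socket.
SAMPLE_REPORT = [
    {"action": "file_create", "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"action": "file_create", "path": r"C:\DOCUME~1\user\LOCALS~1\Temp\log.txt"},
    {"action": "reg_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost", "data": r"C:\WINDOWS\system32\svchost.exe"},
    {"action": "net_connect", "host": "203.0.113.10", "port": 6667},
]

STARTUP_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\b", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\WINDOWS\\(system32|syswow64)\\", re.I)
# Windows binaries a downloaded "crack" has no business creating
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def triage(events):
    """Apply the post's three checks; return the evidence found for each."""
    findings = {"dropped_files": [], "startup_keys": [], "network": [], "suspicious": []}
    for ev in events:
        if ev["action"] == "file_create":
            findings["dropped_files"].append(ev["path"])
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            # Check 1, sharpened: a new file in system32 that borrows a system name
            if SYSTEM_DIRS.match(ev["path"]) and name in SYSTEM_NAMES:
                findings["suspicious"].append(f"drops {name} into a system directory")
        elif ev["action"] == "reg_set" and STARTUP_KEYS.search(ev["key"]):
            # Check 2: persistence via a Run/RunOnce key
            findings["startup_keys"].append(f'{ev["key"]}\\{ev["value"]} = {ev["data"]}')
            findings["suspicious"].append("adds a startup (Run) key")
        elif ev["action"] == "net_connect":
            # Check 3: a crack has no reason to open outbound connections
            findings["network"].append(f'{ev["host"]}:{ev["port"]}')
            findings["suspicious"].append("connects to the internet")
    return findings


def verdict(findings):
    """Two or more of the three indicators together: treat as a likely Trojan."""
    return "likely trojan" if len(findings["suspicious"]) >= 2 else "no strong indicator"


if __name__ == "__main__":
    f = triage(SAMPLE_REPORT)
    for line in f["suspicious"]:
        print("-", line)
    print("verdict:", verdict(f))
```

The same checks work on any report you can reduce to file/registry/network events; as the post notes, a sandbox-aware sample that sleeps or runs a decoy routine will simply produce no events to flag.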
