Reverse Engineering Malware: Using Data Carving in Incident Response
Information security professionals, especially those who serve as “blue teamers” or enterprise defenders, are dealing with an evolving array of malware threats. In the blue team toolkit, one of the most important and difficult techniques is the ability to reverse engineer malware.
Joe Gray, enterprise security consultant for Sword & Shield Enterprise Security, writes about his experience learning the techniques of reverse engineering malware using data carving, and offers some insights he’s learned along the way.
The information in this article originally appeared in a blog post for AlienVault about reverse engineering malware.
What is data carving?
Simply put, data carving (also known as file carving) is the act of locating and extracting files embedded in disk images and packet captures. It is used to recover lost or deleted files and to restore files for forensic examination. Alternatively, under the right conditions, this can also be used offensively to intercept files during a man-in-the-middle attack.
We use REMnux, which is a Linux toolkit for reverse engineering and analyzing malware, for our analysis. If you’re a glutton for punishment, you could use regular expressions to attempt to carve the packets manually. If you want to do so, you’ll need to know the header and footer information for the file types you’re carving and have some level of familiarity with them.
In talking with experts about carving from packet captures, I discovered another awesome tool, Network Miner. It does much more than carving, but that is the icing on the cake. This tool not only allows you to carve files out of packets, but it also displays the network traffic organized by sending and receiving host. It can view credentials, parameters, images, and DNS lookups (which is what helped a security analyst discover the WannaCry ransomware kill switch). You can also seamlessly query sites like VirusTotal for the actual file, since Network Miner puts it in a directory on your system, or you can search OTX or VirusTotal for the hash.
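The "header and footer" approach to manual carving described above, and the hash lookup that follows it, are both small enough to show in working code. The following is an added example written for this article, not a tool from REMnux or Network Miner: it scans an arbitrary byte blob (a slice of a disk image or a reassembled TCP stream) for known file signatures, cuts each file at its footer, and computes the SHA-256 you would then search for in OTX or VirusTotal. The signature table, the `carve` function and the sample blob are all constructed here; the sample PNG and JPEG carry the right headers and footers but are not valid pictures.

```python
import hashlib

# Header/footer signatures (magic bytes) for a few common file types.
# The footer is searched for after the header; the first footer match
# ends the file. Constructed table for this example, not exhaustive.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(blob, signatures=SIGNATURES, max_size=50 * 1024 * 1024):
    """Find every header signature in blob and cut out the bytes up to the
    matching footer. Returns a list of dicts (type, offset, size, data,
    sha256) sorted by offset. A header with no footer within max_size bytes
    is treated as a truncated or overwritten file and skipped.

    Caveat: footer-based carving stops at the first footer, so a JPEG with
    an embedded thumbnail (which has its own FF D9) is cut short; a real
    carver parses the format to avoid this."""
    results = []
    for ftype, (header, footer) in signatures.items():
        start = 0
        while True:
            h = blob.find(header, start)
            if h == -1:
                break
            f = blob.find(footer, h + len(header), h + max_size)
            if f == -1:
                # header without footer: partial file, record nothing
                start = h + 1
                continue
            end = f + len(footer)
            data = blob[h:end]
            results.append({
                "type": ftype,
                "offset": h,
                "size": len(data),
                "data": data,
                # the value you would look up in OTX / VirusTotal
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            start = end
    results.sort(key=lambda r: r["offset"])
    return results


def build_sample_blob():
    """Constructed test input: filler, a minimal PNG (signature, IHDR, IEND),
    filler, a PDF fragment with no %%EOF (should be skipped), filler, a
    minimal JPEG (SOI, APP0, padding, EOI), filler."""
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR"
           + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
           + b"\x90wS\xde"                        # IHDR CRC
           + b"\x00\x00\x00\x00IEND\xaeB\x60\x82")  # IEND chunk
    truncated_pdf = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n"
    jpeg = (b"\xff\xd8\xff\xe0"
            + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 16
            + b"\xff\xd9")
    filler = b"\x00" * 32
    return filler + png + filler + truncated_pdf + filler + jpeg + filler


if __name__ == "__main__":
    for r in carve(build_sample_blob()):
        print(f"{r['type']:5} offset={r['offset']:6} size={r['size']:6} "
              f"sha256={r['sha256']}")
```

Running the block prints two carved files, the PNG and the JPEG; the PDF fragment is correctly ignored because its footer never appears. In practice you would write each `data` field to a quarantine directory and submit only the hash, not the file, to an external lookup service unless your handling policy permits sharing the sample.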
What do you do with the carved data?
This will depend on what kind of data you’ve carved. Was it from an image or a pcap? In either circumstance, your intention will dictate what you do with the data. If you’re operating under defensive parameters, you’ll return the files and/or include them in your report. If you’re operating with malice or simulated malice (penetration testing), you will see what is in the file and how you can use it to your advantage. Alternatively, if you’re carving malware out of file systems or pcaps, you could begin to reverse engineer it to create indicators of compromise.
This is my journey — not my destination. I will continue to learn more tools and techniques to help secure networks, identify and assess the damage of incidents, and resolve incidents. Check back in the future for more installments.
Joe Gray is an enterprise security consultant with Sword & Shield Enterprise Security, Inc. He has worked as a systems engineer, information systems auditor, senior UNIX administrator, information systems security officer and director of IT security.