Merovingio: Mislead the Malware (presented at FIRST 2014)

by Juan Carlos Montes

Summary: The main problem our teams face when analyzing malware incidents is the limitation imposed by virtual machines: each sample has to be analyzed in a separate virtual machine.
Our main objective with Merovingio, although not the only one, has been to mitigate this limitation.
Merovingio is an automatic analysis system that allows the parallel execution of more than 25 samples per GB of RAM in a virtual machine. None of these samples affects the system or the execution of another sample, so the only limit is the number of samples the virtual machine can hold at the same time.
It works with a system that is isolated at the execution level: each sample's behavior is confined to a directory structure it cannot leave, and to improve the system we can use real machines to avoid virtual machine detection.
Moreover, since all their actions are monitored using the PEB hooking technique presented in Phrack #65, we control every API the sample uses, so we can capture the parameters of each API call and modify the behavior of any API we consider interesting.
Along these lines, we have run the system with more than 50 controlled APIs, allowing us to control the sample when it performs actions such as process creation, file operations, execution of other samples, use of the Windows registry, socket communication, and reading from and writing to other processes.
We have also added a system that captures and reads everything written, which allows us to reconstruct the execution of a sample that is being modified from a remote process, as happens with samples that use Armadillo as a packer. All this information is base64-encoded and stored in our database.
In addition, we can simulate a sample's behavior without the sample itself. Thus, if the sample tries to create a file, we can give it a handle and tell it the file was created correctly, while in fact the handle has only been registered in our database as a file and that file does not exist on disk.
When the sample later tries to write something to that file through the same process, we tell it the write succeeded; all the information is recorded in our database, but the hard disk has not been modified.
This technique is even more useful when facing communication with C&C panels. When a sample tries to connect to a C&C panel, even if the panel is inactive, we can simulate the communication or route it directly to another IP without the sample noticing.
Our objective with Merovingio is to increase the sample analysis capabilities of our incident response team, and also to investigate and detect samples with novel behaviors.
The last part of our system is a behavior analyzer that allows us to say whether a sample is malicious or not as a function of its interaction with the operating system. Logically, if notepad tries to write into the explorer process and afterwards creates a remote thread in that process, that is not good behavior. This is our aim.
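As an added illustration (not Merovingio's own code), the following Python sketches the two ideas in the abstract: a fake file API that hands out handles and accepts writes without touching disk, recording every call base64-encoded in an in-memory stand-in for the database, and the kind of ordered-sequence rule the behavior analyzer applies to the "write into another process, then create a remote thread" case. The API names, handle values and rule text are assumptions, not the system's real ones.

```python
import base64
from collections import defaultdict

class FakeFileApi:
    def __init__(self):
        self.next_handle = 0x100      # constructed starting handle value
        self.handles = {}             # handle -> path the sample believes it created
        self.log = []                 # stands in for the database: one dict per API call

    def _record(self, api, **params):
        entry = {"api": api}          # raw bytes are base64-encoded before storage
        for key, value in params.items():
            entry[key] = base64.b64encode(value).decode() if isinstance(value, bytes) else value
        self.log.append(entry)

    def create_file(self, path):
        handle, self.next_handle = self.next_handle, self.next_handle + 4
        self.handles[handle] = path
        self._record("CreateFile", path=path, handle=handle)
        return handle                 # the sample sees a valid handle; nothing touched the disk

    def write_file(self, handle, data):
        path = self.handles.get(handle)
        if path is None:              # a handle we never issued: fail the way the real API would
            return False
        self._record("WriteFile", handle=handle, path=path, data=data)
        return True                   # reported as written, but recorded only in the log

def reconstruct(log, path):
    """Rebuild the bytes the sample believed it wrote to `path` from the base64-encoded log."""
    return b"".join(base64.b64decode(e["data"]) for e in log if e["api"] == "WriteFile" and e.get("path") == path)

# Ordered API sequences against one target process that the analyzer treats as malicious.
RULES = [(("WriteProcessMemory", "CreateRemoteThread"), "malicious: remote code injection")]

def analyze_behaviour(events):
    """events: list of (api_name, target_pid) in execution order; returns (pid, verdict) hits."""
    per_target = defaultdict(list)
    for api, pid in events:
        per_target[pid].append(api)
    verdicts = []
    for pid, apis in per_target.items():
        for sequence, verdict in RULES:
            position = 0              # how much of the sequence has matched so far, in order
            for api in apis:
                if api == sequence[position]:
                    position += 1
                    if position == len(sequence):
                        verdicts.append((pid, verdict))
                        break
    return verdicts
```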