2009-01-04

PE offsets within malware

Building on the work mentioned in the previous post, a couple more interesting facts were identified. Realizing that implementing the Snort SO rule may not be feasible in some infrastructures, depending on the design and configuration of the sensors, it would be beneficial to identify the most common PE header offsets used by malware and how they compare to those of legitimate executables.

After reviewing the offsets found in an installation of Windows XP SP2, using 8000 samples (both executable and DLL files), and then comparing them with the offsets found in malware collected over the last year and a half (450 samples), several unique offsets were identified which were used solely by malware.

As a result, several regular Snort signatures can be written which will alert on the download of binaries that should raise suspicion.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE under 128)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,<,128,58,relative,little; content:"PE|00 00|"; rawbytes; within:130; sid:62; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 12)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,12,58,relative,little; content:"PE|00 00|"; rawbytes; within:14; sid:53; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 16)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,16,58,relative,little; content:"PE|00 00|"; rawbytes; within:18; sid:54; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 64)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,64,58,relative,little; content:"PE|00 00|"; rawbytes; within:66; sid:55; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 96)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,96,58,relative,little; content:"PE|00 00|"; rawbytes; within:98; sid:56; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 124)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,124,58,relative,little; content:"PE|00 00|"; rawbytes; within:128; sid:57; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 144)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,144,58,relative,little; content:"PE|00 00|"; rawbytes; within:146; sid:58; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 152)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,152,58,relative,little; content:"PE|00 00|"; rawbytes; within:154; sid:59; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,160,58,relative,little; content:"PE|00 00|"; rawbytes; within:162; sid:60; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,512,58,relative,little; content:"PE|00 00|"; rawbytes; within:514; sid:61; rev:1;)
A couple of interesting and important notes. There was not a single legitimate binary which contained a PE offset under 128 bytes. The offsets in malware which did not match those of legitimate files occurred in 25% of malicious samples.
All offsets found:

Suspicious PE offsets (malware of 467 samples):
-----------------------------------------------
12, 16, 64, 96, 124, 144, 152, 160, 512

Legitimate PE offsets (XP SP2 8582 samples):
--------------------------------------------
128, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248, 256, 264, 272, 280, 288, 296, 304, 312, 320, 336, 344, 392, 584, 592, 600, 608, 616, 624, 632, 1024, 7680
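As an added example (not from the original post), the following Python script applies the same check the Snort rules above perform on the wire, reading the 4-byte little-endian e_lfanew field at 0x3C (58 bytes past the end of the "MZ" match) and verifying that "PE\0\0" sits at that offset, then classifies the offset against the two lists in this post. The offset sets, the classify() labels and the make_stub() sample builder are constructed here for illustration.

```python
import struct

# Offset lists reproduced from this post's findings.
SUSPICIOUS_OFFSETS = {12, 16, 64, 96, 124, 144, 152, 160, 512}
LEGITIMATE_OFFSETS = {128, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240,
                      248, 256, 264, 272, 280, 288, 296, 304, 312, 320, 336,
                      344, 392, 584, 592, 600, 608, 616, 624, 632, 1024, 7680}


def pe_header_offset(data):
    """Return e_lfanew if `data` starts with an MZ stub whose e_lfanew points
    at a valid 'PE\\0\\0' signature, else None.  This mirrors the Snort rules:
    'MZ' at 0, 4-byte little-endian value at 0x3C, 'PE\\0\\0' at that value."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Slicing past the end yields b"", so an out-of-range e_lfanew is rejected.
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def classify(data):
    """Triage label for the first bytes of a downloaded file (constructed labels)."""
    off = pe_header_offset(data)
    if off is None:
        return "not-pe"
    # The post found no legitimate XP SP2 binary with e_lfanew below 128.
    if off < 128 or off in SUSPICIOUS_OFFSETS:
        return "suspicious"
    if off in LEGITIMATE_OFFSETS:
        return "known-legitimate"
    return "unknown"


def make_stub(e_lfanew):
    """Constructed sample: a minimal MZ stub with the PE signature at e_lfanew.
    Small offsets (e.g. 12) place the PE header before the e_lfanew field itself,
    which is exactly the layout the low-offset rules are looking for."""
    buf = bytearray(b"MZ" + b"\x00" * (max(0x40, e_lfanew + 4) - 2))
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    return bytes(buf)


if __name__ == "__main__":
    for off in (12, 64, 128, 400):
        print(off, classify(make_stub(off)))
```

Feeding the first few hundred bytes of a captured download to classify() gives the same verdict the signatures would raise, which is useful for validating alerts offline.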

1 comment:

Anonymous said...

You would also prevent many packers with this rule.