

Malware Emulation - An Introduction


This post discusses what comes after the reverse engineering of a malware sample ends.
Analysis alone does not satisfy a researcher. There is no point in analysing a sample,
writing a report on it, and then forgetting it forever. Analysis by itself neither stops
botnet herders from committing crimes nor helps the large population of non-technical
targets and victims.

If analysing a malware sample brings in money once, emulation ensures a continuous flow of money
for researchers and research companies. In malware analysis the researcher observes the malware's
behaviour and its communication with its command and control server (CnC); in emulation, that
understanding of the CnC communication is reproduced by the researcher's own program, tool or script.

An emulator is a program that emulates a malware's communication with its CnC. A successful emulation
requires the emulator to communicate with the CnC as intelligently as the original malware does, without
triggering errors or faults on the CnC server. From the CnC server's point of view, the emulator's behaviour
should be indistinguishable from that of the other zombies: a request that deviates from the real bot's
(wrong field order, missing check-in values, wrong encryption) risks being flagged and refused instead of
being served a config.

An emulator generally has two parts. The first part analyses a binary sample and extracts artifacts:
domain names, IP addresses, URLs, request paths, request methods, cryptographic keys, and every other
item embedded in the binary that is needed to communicate successfully with the CnC server.

The second part uses the extracted information to communicate with the CnC servers and fetch commands,
directives and configs. The first part can be called the extractor and the second the communicator. The
extractor matters when a family uses different CnCs or different networks across samples: if one analysed
set of artifacts were enough to emulate the whole family, the extractor would be unnecessary, but when the
researcher has a steady supply of samples and each carries different artifacts, the extractor keeps feeding
the communicator the latest CnCs, keys and so on.

Upon successful communication, the CnC server dispatches commands to the zombies. These commands carry
directives that tell the bots what to do and how to control the victim system.

In cyberespionage botnets, these commands may direct the bot to upload specific files, keystrokes and
similar information to the CnC server.

In cybercrime botnets, the commands may direct the bot to hijack financial or banking sessions and exfiltrate
the hijacked information, which may include credit card and account details, to the CnC server.

Or the directives may describe a spam run: whom to spam (target email addresses), spam templates, spam URLs,
attachments, and so on. The attachments may themselves carry another malware family, since botnets also send
email campaigns for other malware. This gives some insight into the relationships among different malware
families and their owners or herders.

These commands and directives are precious: they give us advance information before an electronic heist or crime
actually occurs. In the case of spam configs, you may know exactly who will receive which email before the
recipient even checks his inbox.

The main purpose of an emulator is to fetch these commands and directives, also known as configs. The information
in these configs is valuable and could be sold by researchers to the businesses affected, directly or indirectly,
by these malware families.

The prerequisite is that you know at least one programming language in which to develop an emulator;
which language you choose does not matter, but you must be able to implement the cryptography the
malware uses, open socket connections to the outside world, and write tools that debug the sample and
extract the important information (cryptographic keys, CnC domains, IP addresses and URLs) needed to
communicate successfully with the CnC.
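The following is an added example, not code from the original post or from any real family, that puts the two
parts described above (extractor and communicator) and the three prerequisites (cryptography, sockets,
extraction) into one runnable script. Everything about the "malware" is an assumption for illustration: the
sample is a constructed byte blob in which a hypothetical marker CFG1 precedes an RC4 key and an RC4-encrypted
config, and the beacon protocol (length-prefixed RC4 frames carrying HELLO|bot_id|tag and CMD|... replies) is
invented for the demo. The CnC is a stand-in server running in a thread on localhost so the whole thing runs
offline; it validates the beacon the way a real panel would and answers ERR instead of a config when the
emulator does not look like the real bot.

```python
import socket
import struct
import threading

MARKER = b"CFG1"  # hypothetical tag that marks the embedded config in the constructed sample

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (symmetric): stands in for whatever cipher a real family uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def build_sample(host: str, port: int, key: bytes, tag: str = "campaign-7") -> bytes:
    """Constructed stand-in for a bot binary: junk, then MARKER, key, and the RC4'd config."""
    cfg = f"c2={host}:{port};tag={tag}".encode()
    blob = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode" + b"\x00" * 32
    blob += MARKER + struct.pack("<B", len(key)) + key
    blob += struct.pack("<H", len(cfg)) + rc4(key, cfg) + b"\xcc" * 40
    return blob

# Part 1: the extractor. Locate the config block, pull the key, decrypt, parse.
def extract_artifacts(blob: bytes) -> dict:
    idx = blob.find(MARKER)
    if idx < 0:
        raise ValueError("config marker not found: repacked or unknown sample")
    p = idx + len(MARKER)
    key_len, p = blob[p], p + 1
    key, p = blob[p:p + key_len], p + key_len
    cfg_len = struct.unpack_from("<H", blob, p)[0]
    cfg = rc4(key, blob[p + 2:p + 2 + cfg_len]).decode()
    fields = dict(kv.split("=", 1) for kv in cfg.split(";"))
    host, port = fields["c2"].rsplit(":", 1)
    return {"host": host, "port": int(port), "key": key, "tag": fields["tag"]}

# Framing shared by bot, emulator and CnC: 4-byte little-endian length + RC4 body.
def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf

def _send_frame(sock: socket.socket, key: bytes, msg: bytes) -> None:
    body = rc4(key, msg)
    sock.sendall(struct.pack("<I", len(body)) + body)

def _recv_frame(sock: socket.socket, key: bytes) -> bytes:
    n = struct.unpack("<I", _recv_exact(sock, 4))[0]
    return rc4(key, _recv_exact(sock, n))

# Part 2: the communicator. Send the beacon exactly as a real bot would, parse the config.
def fetch_config(art: dict, bot_id: str = "WIN-EMU-0001") -> dict:
    with socket.create_connection((art["host"], art["port"]), timeout=5) as s:
        _send_frame(s, art["key"], f"HELLO|{bot_id}|{art['tag']}".encode())
        reply = _recv_frame(s, art["key"]).decode()
    kind, _, body = reply.partition("|")
    if kind != "CMD":
        raise RuntimeError(f"CnC refused the beacon: {reply}")
    return dict(kv.split("=", 1) for kv in body.split(";"))

class FakeC2(threading.Thread):
    """Offline stand-in for the panel: checks the beacon and answers ERR to a non-bot."""
    def __init__(self, key: bytes, tag: str):
        super().__init__(daemon=True)
        self.key, self.tag = key, tag
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]

    def run(self) -> None:
        conn, _ = self.srv.accept()
        with conn, self.srv:
            parts = _recv_frame(conn, self.key).decode(errors="replace").split("|")
            if len(parts) == 3 and parts[0] == "HELLO" and parts[2] == self.tag:
                _send_frame(conn, self.key, b"CMD|task=spam;targets=3;template=invoice.html")
            else:
                _send_frame(conn, self.key, b"ERR|bad beacon")

def run_demo(tamper_tag: bool = False) -> dict:
    key = b"\x13\x37\xc0\xde\xba\xad\xf0\x0d"  # constructed key embedded in the sample
    c2 = FakeC2(key, "campaign-7")
    c2.start()
    art = extract_artifacts(build_sample("127.0.0.1", c2.port, key))
    if tamper_tag:  # an emulator that deviates from the real bot is refused, not served
        art["tag"] = "campaign-8"
    return fetch_config(art)

if __name__ == "__main__":
    print(run_demo())
```

run_demo() returns the parsed config dict the panel handed out; run_demo(tamper_tag=True) shows the other
side of the point made above: one wrong field in the beacon and the panel answers with an error rather than
a config, which is exactly the failure an emulator must avoid on a real CnC.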

Malware emulation is more an art than a science. The field is still in its initial stage and is a very good
area of interest for beginners in infosec. Beginners can develop this field and, along the way, get paid by
selling or sharing the information their emulators grab. Companies save the time and money they would otherwise
invest, and the researcher can be very well paid.

This is only an introductory article about malware emulators. With every new emulator written by a researcher
for a family, a huge amount of money can be kept from being exfiltrated into criminals' hands.

Team : "Legion Of Xtremers" & G4H


Comment by hakooraevil:
    Nice article vinnu, I want to know more information about emulators.

