Zero Wine: Malware Behavior Analysis

**ajaysinghnegi** · 12-14-2010, 01:25 PM

Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.

The output generated by wine (using the debug environment variable WINEDEBUG) are the API calls used by the malware (and the values used by it, of course). With this information, analyzing malware's behavior turns out to be very easy.

Website:
http://zerowine.sourceforge.net

Download:
http://sourceforge.net/projects/zerowine

Direct Download:
http://space.dl.sourceforge.net/proj...-2.0.0.tar.bz2

**"vinnu"** · 12-15-2010, 08:20 AM

Some API detection antivirus modules detect the API calls listed in import table of the PE section of the executable.
Such modules can be easily fooled by using the encrypted API strings and decrypting them right before rendering the api pointer via GetProcAddress.

But in some cases like in sand boxed or virtual environment even it can also be caught red handed.
But still there are hopes.
The GetProcAddress method or any other method gets caught because the antiviral environment already hooks the suspected functions and checks it against its list of the chained or grouped bad api calls chain.

This can also be thwarted....malware can make each and every suspectable API's call to land 2bytes or more (depending on the API code) right after the beginning of the api function. The hook will get bypassed, because, cpu will not land on the hooked memory address..."vinnu"

**prashant_uniyal** · 12-15-2010, 04:37 PM

Awesome Research Bhai..so much to learn

**ajaysinghnegi** · 12-15-2010, 05:04 PM

Thanks for your invaluable guidance bro.... learning a lot from you

Thread: Zero Wine: Malware Behavior Analysis

LinkBack

Thread Tools

Search Thread

Display