building an automated behavioral malware analysis environment using free and open-source software


Page 1: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

© 2009 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source Tools

Jim Clausing, PMTS, AT&T CSO

18 Jun 2009

Page 2: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Thanx up front

AT&T CSO management

• Ed Amoroso, AT&T Chief Security Officer

• Cynthia Cama

• Sanjay Macwan

• Bill O’Hern

The MWA team

• Brian Rexroad

• Dave Gross

• John Hogoboom

Authors of the tools

Page 3: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

The Author

Page 4: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSP

GCIA (Gold) #64 – 2000

GCFA (Gold) #25 – 2002

GREM (Gold) #48 – 2005

And other certs along the way…

SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor, Internet Storm Center handler since 2002

Instrument-rated private pilot – 2003/2004

Page 5: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


The Paper

Page 6: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


SANSFIRE 2008

Facilitating SEC 610 for Lenny

GREM Gold paper – wrote it in my head in one evening

Share lessons learned

Share tools/scripts

Page 7: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

The patches and scripts

http://handlers.sans.org/jclausing/grem_gold/

http://www.giac.org/certified_professionals/practicals/grem/48.php

Page 8: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

The Environment – A Little History

Page 9: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

In the beginning

Twiki page

• Unwieldy after a few hundred entries

Not particularly useful to other internal groups/customers

• We generate a lot of information, we need to make it available to the management, the SOC, response teams, forensics, etc.

• Two-way street

No FTEs

• Now, there is me (mostly)

Minimal budget – funded from research

• We must have shown some value, we now have more funding


Page 10: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Malware DB

(Diagram: the Malware DB record for each sample links together)

• Sandbox report(s)

• A/V reports

• MD5 / ssdeep

• Size

• Which botnet

• The binary

Page 11: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Motivation – The Environment

Page 12: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Forest? Trees?


Page 13: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Unpacking may lead to surprises – like no results

Page 14: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

We’ve got malware, now what?

We’re a networking company, not an anti-virus company.

• What do we hope to get out of analysis?

• Started with no budget and no full-time staff.

Virtual machines

• VMware

• VirtualBox*

For privacy reasons, we are conservative about what to share and with whom. So, what about the automated portals? Commercial copies?

• Norman sandbox

• CW sandbox

• Anubis

• Threat Expert

• …

Page 15: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Truman (well, and Joe Stewart) FTW


Page 16: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

The Analysis Environment

Page 17: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Processing a Sample

Page 18: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analysis Flow


Page 19: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Submission

[jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i old-malware/; sleep 10; done
Archive: 090529-rnd_jpg.piz
  inflating: rnd.jpg
*****Processing rnd.jpg - ONEBOOT******
interface: eth1 (4.0.0.0/255.0.0.0)
filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytes
Starting Faux FTP Server Emulation on port 21
Starting Faux MySQL Server Emulation on port 3306
Starting Faux SMTP Server Emulation on port 25
Starting Faux SMB Server Emulation on port 445
Starting Faux IRC Server Emulation on port 6667
Starting Faux DNS Server Emulation on port 53

Page 20: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Monitoring

[jac@fltruman001 ~]$ alias status
alias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:]\r\n" "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r - -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:]\r\n" "."'

Page 21: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Monitoring, cont’d

[jac@fltruman001 ~]$ status
Server.exe

request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.86
responseIP: 4.3.2.63
response: rcode=NOERROR, … …, auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=…, auth=, add=, aa=1
Connection from 4.5.6.7
USER [email protected] smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps
reading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)
4.5.6.7 4.3.2.86 6 1030 21 674 578 9 9 2009-06-04-11:24:02.2148 2009-06-04-11:24:03.3459 1 1
4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-06-04-11:24:09.5569 2009-06-04-11:24:10.4709 1 1
input: /tmp/sandnet.pcap
filter: (ip) and ( tcp port 80 and not host 4.5.6.1 )
match: GET|POST|HEAD|OPTIONS|JOIN
##########
exit

Page 22: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Original Truman Analysis Tools

Intelligence

pmodump.pl

dumphivestrings

tcpdump

Page 23: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


The 4 Areas of Analysis

Network Traffic Analysis

• ipaudit

• tshark

• ngrep

• tcptrace

• fauxservers – IRC, DNS, SMB, SMTP

Disk Image Analysis

• AIDE

• Alternate Data Streams

• Registry analysis – dumphive, regdiff.pl, regripper

Memory Image Analysis

• pmodump.pl

• Volatility

Minimal Static Analysis of Binary

• A/V

• objdump

• binhash

• ssdeep

• packerid.py

Page 24: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

The Report – Tool Output

Page 25: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Identify the OS

Summary report for xxx.xxx-XPSP2-files created at ………

OS info>>>

kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)

Ex: kern <path_to_dump_file>

File Description : NT Kernel & System

File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

Internal Name : ntoskrnl.exe

Original File Name :

Product Name : Microsoft® Windows® Operating System

Product Version : 5.1.2600.2180

Page 26: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Analyzing Network Traffic – fauxdns

DNS>>>

request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7

responseIP: 4.3.2.51

responseIP: 4.3.2.154

response: rcode=NOERROR, ans=… …, auth=, add=, aa=1

request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7

responseIP: 4.3.2.104

responseIP: 4.3.2.240

response: rcode=NOERROR, ans=… …, auth=, add=, aa=1

request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7

responseIP: 4.5.6.1

response: rcode=NOERROR, ans=…, auth=, add=, aa=1

Page 27: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analyzing Network Traffic – fauxftp

Connection from 4.5.6.7
USER [email protected] smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps

Page 28: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analyzing Network Traffic – fauxirc

IRC>>>

2009-05-27-16:49:17: Connection from 4.5.6.7

2009-05-27-16:49:17: PASS lammers

2009-05-27-16:49:17: NICK [00|USA|296161]

2009-05-27-16:49:18: USER XP-8165 * 0 :ATT

2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x

2009-05-27-16:49:18: JOIN #WiFi-a Crypt

2009-05-27-17:00:13: QUIT System shutting down.

2009-05-27-17:00:15: QUIT Leaving
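The fauxirc log above is where the botnet indicators (password, nick template, channel and channel key) surface, and "Future Work" lists parsing this text for the DB as still to be done. The following is an added example, not code from the talk or from Truman, showing one way to reduce such a log to a record; the log sample is constructed from the values on the slide and the record layout is an assumption.

```python
import re

# Constructed sample in the fauxirc log format shown on the slide:
# "<timestamp>: <raw IRC command sent by the sandboxed host>".
SAMPLE_IRC_LOG = """\
2009-05-27-16:49:17: Connection from 4.5.6.7
2009-05-27-16:49:17: PASS lammers
2009-05-27-16:49:17: NICK [00|USA|296161]
2009-05-27-16:49:18: USER XP-8165 * 0 :ATT
2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x
2009-05-27-16:49:18: JOIN #WiFi-a Crypt
2009-05-27-17:00:13: QUIT System shutting down.
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}): (.*)$")


def parse_irc_log(text):
    """Yield (timestamp, COMMAND, argument string) for each log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate stray lines from the tr(1) cleanup in the status alias
        ts, body = m.groups()
        if body.startswith("Connection from "):
            yield ts, "CONNECT", body[len("Connection from "):]
            continue
        cmd, _, args = body.partition(" ")
        yield ts, cmd.upper(), args


def summarize_irc(text):
    """Reduce the log to the fields worth keeping as C&C indicators (assumed layout)."""
    summary = {"client": None, "password": None, "nick": None, "nick_template": None,
               "user": None, "channels": [], "quit_reason": None}
    for ts, cmd, args in parse_irc_log(text):
        if cmd == "CONNECT":
            summary["client"] = args
        elif cmd == "PASS":
            summary["password"] = args
        elif cmd == "NICK":
            summary["nick"] = args
            # Nicks like [00|USA|296161] carry a country code plus random digits;
            # masking the digit runs gives a template that survives re-runs.
            summary["nick_template"] = re.sub(r"\d+", "#", args)
        elif cmd == "USER":
            summary["user"] = args.split(" ")[0]
        elif cmd == "JOIN":
            # JOIN <chan>[,<chan>...] [<key>[,<key>...]]  (RFC 2812 form)
            parts = args.split(" ", 1)
            chans = parts[0].split(",")
            keys = parts[1].split(",") if len(parts) > 1 else []
            for i, chan in enumerate(chans):
                key = keys[i] if i < len(keys) else None
                summary["channels"].append({"channel": chan, "key": key, "time": ts})
        elif cmd == "QUIT":
            summary["quit_reason"] = args
    return summary


if __name__ == "__main__":
    for k, v in summarize_irc(SAMPLE_IRC_LOG).items():
        print(f"{k:14s} {v}")
```

MODE and other chatter is ignored deliberately; the nick template (here `[#|USA|#]`) is the piece that lets two samples of the same family be tied together even though the nick digits change every run.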

Page 29: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Analyzing Network Traffic – ipaudit

IP traffic>>>

src      dst              proto  sp    dp    bytes (1 / 2)  pkts (1 / 2)  start                     end                       1 / 2
4.5.6.7  4.3.2.51         6      1046  80    748 346        5 5           2009-05-27-16:49:17.1300  2009-05-27-16:49:17.1473  1 2
4.5.6.7  4.3.2.104        6      1047  4242  816 697        10 10         2009-05-27-16:49:17.1613  2009-05-27-17:00:15.5921  1 2
4.5.6.7  239.255.255.250  17     1050  1900  0 525          0 3           2009-05-27-16:49:17.3746  2009-05-27-16:49:23.3815  1 1
4.5.6.7  224.0.0.22       2      0     0     0 108          0 2           2009-05-27-17:00:14.2087  2009-05-27-17:00:14.9690  1 1

(bytes and pkts are reported per direction: src→dst, then dst→src)
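Read on its own, the ipaudit table above is just addresses and ports; read against the fauxdns log from the earlier slide it says "the sample fetched /here2 from sslrapidshare.or.tp and sat on gfmd1.or.tp:4242 for eleven minutes". The block below is an added example, not part of the talk's scripts, of that correlation, which "More Future Work" calls summarizing the ipaudit output. Both inputs are constructed from the slide values; the sandbox host 4.5.6.7 and faux-server address 4.5.6.1 are taken from the slides, and the output record layout is an assumption.

```python
import re

PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}

# Constructed sample: fauxdns log as on the "fauxdns" slide.
SAMPLE_DNS_LOG = """\
request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.51
responseIP: 4.3.2.154
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.104
responseIP: 4.3.2.240
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
"""

# Constructed sample: ipaudit -l output, one flow per line:
# src dst proto sport dport bytes1 bytes2 pkts1 pkts2 start end first1 first2
SAMPLE_IPAUDIT = """\
4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
"""


def parse_fauxdns(text):
    """Map every address the faux DNS server handed out back to the name asked for."""
    ip_to_name, current = {}, None
    for line in text.splitlines():
        m = re.match(r"request: name=([^,]+),", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"responseIP: (\S+)", line)
        if m and current:
            ip_to_name[m.group(1)] = current
    return ip_to_name


def parse_ipaudit(text):
    """Parse ipaudit flow lines positionally; short or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11:
            continue
        flows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                      "sport": int(f[3]), "dport": int(f[4]),
                      "bytes_out": int(f[5]), "bytes_in": int(f[6]),
                      "pkts_out": int(f[7]), "pkts_in": int(f[8]),
                      "start": f[9], "end": f[10]})
    return flows


def is_multicast(ip):
    return 224 <= int(ip.split(".")[0]) <= 239


def correlate(dns_text, ipaudit_text, sandbox_host, local_infra=()):
    """One record per flow the sample originated, with the DNS name it used to find the peer."""
    names = parse_fauxdns(dns_text)
    rows = []
    for fl in parse_ipaudit(ipaudit_text):
        # Drop noise: flows not from the sandbox, multicast (SSDP/IGMP), and the faux servers' own host.
        if fl["src"] != sandbox_host or is_multicast(fl["dst"]) or fl["dst"] in local_infra:
            continue
        rows.append({"name": names.get(fl["dst"], "(no DNS lookup seen)"),
                     "dst": fl["dst"],
                     "proto": PROTO_NAMES.get(fl["proto"], str(fl["proto"])),
                     "dport": fl["dport"],
                     "bytes": fl["bytes_out"] + fl["bytes_in"],
                     "window": fl["start"] + " .. " + fl["end"]})
    return rows


if __name__ == "__main__":
    for r in correlate(SAMPLE_DNS_LOG, SAMPLE_IPAUDIT, "4.5.6.7", local_infra={"4.5.6.1"}):
        print(f'{r["name"]:28s} {r["dst"]}:{r["dport"]}/{r["proto"]} {r["bytes"]} bytes  {r["window"]}')
```

A flow whose destination never appeared in a DNS answer is reported as such rather than dropped: a hard-coded IP address in the binary is itself worth a line in the report.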

Page 30: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Analyzing Network Traffic – tshark

===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:602 bytes:733467
  eth                                    frames:602 bytes:733467
    ip                                   frames:573 bytes:731979
      tcp                                frames:387 bytes:146779
        http                             frames:30 bytes:22708
          short                          frames:5 bytes:17790
          data-text-lines                frames:3 bytes:644
        data                             frames:8 bytes:849
      udp                                frames:57 bytes:10014
        nbdgm                            frames:11 bytes:2511
          smb                            frames:11 bytes:2511
            mailslot                     frames:11 bytes:2511
              browser                    frames:11 bytes:2511
        nbns                             frames:27 bytes:2538
        dns                              frames:6 bytes:532
        http                             frames:3 bytes:525
        ntp                              frames:2 bytes:180
        bootp                            frames:8 bytes:3728
      short                              frames:127 bytes:575066
      igmp                               frames:2 bytes:120
    arp                                  frames:29 bytes:1488
===================================================================

Page 31: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analyzing Network Traffic – tcptrace

HTTP>>>
mod_http: Capturing HTTP traffic (port 80)
1 arg remaining, starting with '../small.pcap'
Ostermann's tcptrace -- version 6.6.7 -- Thu Nov 4, 2004

10 packets seen, 10 TCP packets traced
elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
trace file elapsed time: 0:00:00.017257
Http module output:
4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
  Server Syn Time: Wed May 27 16:49:17.130145 2009 (1243457357.130)
  Client Syn Time: Wed May 27 16:49:17.130085 2009 (1243457357.130)
  Server Fin Time: Wed May 27 16:49:17.146947 2009 (1243457357.147)
  Client Fin Time: Wed May 27 16:49:17.147323 2009 (1243457357.147)
  GET /here2 HTTP/1.0
    Response Code: 404 (Not Found)
    Request Length: 66
    Reply Length: 468
    Content Length: 289
    Content Type : text/html;
    Time request sent: Wed May 27 16:49:17.130584 2009 (…)
    Time reply started: Wed May 27 16:49:17.146886 2009 (…)
    Time reply ACKed: Wed May 27 16:49:17.147077 2009 (…)
    Elapsed time: 16 ms (request to first byte sent)
    Elapsed time: 16 ms (request to content ACKed)

Page 32: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analyzing Disk Image – AIDE

---------------------------------------------------
Added files:
---------------------------------------------------
added: /mnt/new/WINDOWS/avmont.exe
added: /mnt/new/Documents and Settings/All Users/Application Data/TEMP

---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /mnt/new/WINDOWS/system32/CatRoot2/tmp.edb

---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /mnt/new/WINDOWS/system32/drivers/etc/hosts
changed: /mnt/new/WINDOWS/WindowsUpdate.log
changed: /mnt/new/WINDOWS/setupapi.log

Page 33: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analyzing Disk Image – ADS

Alternate Data Streams>>>
/mnt/new/Documents and Settings/All Users/Application Data/TEMP -> 75443743

getfattr --absolute-names -n ntfs.streams.list -PR /mnt/new

Page 34: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analyzing Disk Image – RegRipper

Registry Run Key changes>>>

Registry Service Key changes>>>
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|

Firewall changes>>>
- EnableFirewall -> 1

Page 35: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analyzing Disk Image – hosts file*

Host file changes>>>
+127.0.0.1 www.symantec.com
+127.0.0.1 securityresponse.symantec.com
+127.0.0.1 symantec.com
+127.0.0.1 www.sophos.com
+127.0.0.1 sophos.com
+127.0.0.1 www.mcafee.com
+127.0.0.1 mcafee.com
+127.0.0.1 liveupdate.symantecliveupdate.com
+127.0.0.1 www.viruslist.com
+127.0.0.1 viruslist.com
+127.0.0.1 viruslist.com
+127.0.0.1 f-secure.com
+127.0.0.1 www.f-secure.com
+127.0.0.1 kaspersky.com
+127.0.0.1 kaspersky-labs.com
+127.0.0.1 www.avp.com
+127.0.0.1 www.kaspersky.com
+127.0.0.1 avp.com
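The RegRipper service diff, the firewall line and the hosts-file diff on the last three slides are where this sample's self-defence shows up: a new auto-start service, Security Center and Remote Registry flipped to Disabled, the firewall policy value gone, and the A/V update hosts pinned to loopback. The following is an added example, not one of the talk's scripts, that turns those +/- lines into findings a DB row or an analyst can act on. The diff samples are constructed from the slide values (plus one extra constructed hosts line to show the non-loopback case); the service-name list and finding layout are assumptions.

```python
import re

# Constructed: RegRipper service-key diff lines as on the slide.
# Field order: name|display name|image path|type|start mode|
SERVICE_DIFF = r"""
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
"""
FIREWALL_DIFF = "- EnableFirewall -> 1\n"
HOSTS_DIFF = """\
+127.0.0.1 www.symantec.com
+127.0.0.1 liveupdate.symantecliveupdate.com
+127.0.0.1 www.kaspersky.com
+10.0.0.5 update.example.test
"""

# Assumed watch-list: XP services whose loss blinds the user or remote monitoring.
SECURITY_SERVICES = {"wscsvc", "sharedaccess", "wuauserv", "remoteregistry"}
# Assumed watch-list of A/V vendor domains, taken from the hosts entries on the slide.
VENDOR_DOMAINS = ("symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
                  "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com", "avp.com")


def parse_service_diff(text):
    """Split the diff into before/after dicts keyed by service name."""
    before, after = {}, {}
    for line in text.splitlines():
        if not line or line[0] not in "+-":
            continue
        fields = line[1:].rstrip("|").split("|")
        if len(fields) < 5:
            continue
        name, display, image, svc_type, start = fields[:5]
        rec = {"display": display, "image": image, "type": svc_type, "start": start}
        (after if line[0] == "+" else before)[name] = rec
    return before, after


def triage_services(text):
    before, after = parse_service_diff(text)
    findings = []
    for name, rec in after.items():
        if name not in before:
            findings.append({"kind": "new_service", "service": name,
                             "detail": f'{rec["image"]} ({rec["start"]})'})
        elif before[name]["start"] != rec["start"]:
            kind = ("disabled_security_service"
                    if name.lower() in SECURITY_SERVICES and rec["start"] == "Disabled"
                    else "start_mode_changed")
            findings.append({"kind": kind, "service": name,
                             "detail": f'{before[name]["start"]} -> {rec["start"]}'})
    return findings


def triage_firewall(text):
    """'- EnableFirewall -> 1' means the value that switched the firewall on was removed."""
    for line in text.splitlines():
        m = re.match(r"^([+-])\s*EnableFirewall -> (\d)", line)
        if m and m.group(1) == "-" and m.group(2) == "1":
            return {"kind": "firewall_disabled", "detail": "EnableFirewall=1 removed"}
    return None


def triage_hosts(text):
    findings = []
    for line in text.splitlines():
        if not line.startswith("+"):
            continue
        parts = line.lstrip("+").split()
        if len(parts) < 2:
            continue
        ip, host = parts[0], parts[1].lower()
        blackholed = ip.startswith("127.") or ip == "0.0.0.0"
        vendor = any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)
        if vendor and blackholed:
            findings.append({"kind": "av_update_blocked", "host": host, "ip": ip})
        elif not blackholed:
            # Any non-loopback override is a redirect, whoever the target is.
            findings.append({"kind": "host_redirected", "host": host, "ip": ip})
    return findings


def triage_disk_changes(service_diff, firewall_diff, hosts_diff):
    report = {"services": triage_services(service_diff),
              "firewall": triage_firewall(firewall_diff),
              "hosts": triage_hosts(hosts_diff)}
    return report


if __name__ == "__main__":
    for section, items in triage_disk_changes(SERVICE_DIFF, FIREWALL_DIFF, HOSTS_DIFF).items():
        print(section, items)
```

Pairing the `-` and `+` lines by service name is what turns two diff lines into one statement ("wscsvc: Auto Start -> Disabled"); a plain text diff, which is what the slide shows, leaves that join to the reader.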

Page 36: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Memory Image Analysis – Volatility

Primarily used to find the malicious process in the memory image

• Look for processes with open connections or sockets

• Compare with fport/netstat/ps

• Misses processes doing HTTP(S) check-in, etc.

Dump process memory

• Use Stewart’s pmodump.pl

• Use Volatility’s procdump/vaddump

• Compare results

Much more could be done here

Page 37: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Analyzing Memory Image – connections

Open Ports>>>
Local Address   Remote Address   Pid
4.5.6.7:1047    4.3.2.104:4242   1484

Pid   Port  Proto  Create Time
896   135   6      Wed May 27 20:39:59 2009
1032  1027  17     Wed May 27 20:40:13 2009
1096  1900  17     Wed May 27 20:40:14 2009
1484  1047  6      Wed May 27 20:49:18 2009

< 908 -> 135 TCP
> 896 -> 135 TCP
9,11c9,11
< 992 -> 1032 TCP
> 1484 avmont -> 1047 TCP C:\WINDOWS\avmont.exe
14,15c14,16
< 992 -> 138 UDP
< 908 -> 445 UDP
> 1484 avmont -> 137 UDP C:\WINDOWS\avmont.exe
> 0 System -> 138 UDP
> 896 -> 445 UDP
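The Volatility slide says the process is found by looking for open connections or sockets and comparing with fport/netstat/ps; the slide above shows the raw pieces (Volatility connections and sockets output, and a plain diff of fport listings). The block below is an added example, not part of the talk's tooling, of doing that join programmatically: connection pid to process name and image via the in-guest fport listing, new listeners versus the clean baseline keyed by port and protocol rather than by pid (pids change between boots), and pids that own sockets in the memory image but are missing from the in-guest listing. All four inputs are constructed from the slide values; column layouts follow those slides and the report layout is an assumption.

```python
import re

# Constructed: Volatility "connections" output (local, remote, pid).
VOL_CONNECTIONS = """\
Local Address             Remote Address            Pid
4.5.6.7:1047              4.3.2.104:4242            1484
"""
# Constructed: Volatility "sockets" output (pid, port, IP proto number, create time).
VOL_SOCKETS = """\
Pid    Port   Proto  Create Time
896    135    6      Wed May 27 20:39:59 2009
1032   1027   17     Wed May 27 20:40:13 2009
1096   1900   17     Wed May 27 20:40:14 2009
1484   1047   6      Wed May 27 20:49:18 2009
"""
# Constructed: fport-style listing taken inside the guest after the run
# ("<pid> [<name>] -> <port> <proto> [<image path>]").
FPORT_AFTER = r"""
896 -> 135 TCP
1484 avmont -> 1047 TCP C:\WINDOWS\avmont.exe
1484 avmont -> 137 UDP C:\WINDOWS\avmont.exe
0 System -> 138 UDP
896 -> 445 UDP
"""
# Constructed: the same listing from the clean baseline image.
FPORT_BASELINE = """\
908 -> 135 TCP
992 -> 1032 TCP
992 -> 138 UDP
908 -> 445 UDP
"""

FPORT_RE = re.compile(r"^(\d+)\s+(?:(\S+)\s+)?->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    rows = []
    for line in text.splitlines():
        m = FPORT_RE.match(line.strip())
        if m:
            pid, name, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "name": name or "", "port": int(port),
                         "proto": proto, "path": path.strip()})
    return rows


def parse_connections(text):
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3 and ":" in f[0] and f[2].isdigit():
            conns.append({"local": f[0], "remote": f[1], "pid": int(f[2])})
    return conns


def parse_sockets(text):
    socks = []
    for line in text.splitlines():
        f = line.split(None, 3)
        if len(f) == 4 and f[0].isdigit():
            socks.append({"pid": int(f[0]), "port": int(f[1]), "proto": int(f[2]), "created": f[3]})
    return socks


def build_report(conn_text, sock_text, fport_after_text, fport_baseline_text):
    fport_after = parse_fport(fport_after_text)
    by_pid = {}
    for r in fport_after:
        by_pid.setdefault(r["pid"], r)  # first row for a pid carries its name and image
    baseline_ports = {(r["port"], r["proto"]) for r in parse_fport(fport_baseline_text)}

    report = {"connections": [], "new_listeners": [], "hidden_from_fport": []}
    for c in parse_connections(conn_text):
        proc = by_pid.get(c["pid"])
        report["connections"].append({
            "remote": c["remote"], "pid": c["pid"],
            "process": proc["name"] if proc else "(unknown)",
            "image": proc["path"] if proc else "(not in fport listing)"})
    for r in fport_after:
        if (r["port"], r["proto"]) not in baseline_ports:
            report["new_listeners"].append({"pid": r["pid"], "port": r["port"], "proto": r["proto"],
                                            "process": r["name"], "image": r["path"]})
    # Sockets the memory image knows about but the in-guest tool did not list:
    # a mismatch here is the cue to dump that pid with pmodump.pl / procdump.
    fport_pids = {r["pid"] for r in fport_after}
    report["hidden_from_fport"] = sorted({s["pid"] for s in parse_sockets(sock_text)} - fport_pids)
    return report


if __name__ == "__main__":
    for k, v in build_report(VOL_CONNECTIONS, VOL_SOCKETS, FPORT_AFTER, FPORT_BASELINE).items():
        print(k, v)
```

The `hidden_from_fport` list is only as good as the two inputs being taken at the same moment; the Limitations slide's point about processes with no open connection at dump time applies to it just as much.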

Page 38: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Memory/Static Binary Analysis – ssdeep

ssdeep info>>>
1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,"/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
--------------------------------------------------------------------------------
ssdeep info>>>
1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,"1b1e067fdb0f2a44a50d9e290022b9ed.exe"
1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,"/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)

Page 39: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Static Binary Analysis – binhash

BinHash info>>>
File: [/forensics/exes/abod.exe] b826d0f222242c1e48f4e1ebe778a534
PE Phdr: af86103672ba3bba2d21f2691465520f
PE Opt Hdr: f8ea55a399eeec409874af01ca0cf01d
Import [1] Offset: (f570) Size: (180): 93f613363a9cb87c3a20e3f2e1fc47b7
Import [12] Offset: (f000) Size: (608): eafa58275a218a26f92631bf75b10b8f
[0] (.text)  (VirtualAddress: 00001000) (PtrToData: 00001000) (SizeOfData: 0000e000)
    Shdr: aaa4cacbb1cc38713961cc2e5931b982
    Shdr Data: f571948f8203e66d09c87b00ae748c8d
[1] (.rdata) (VirtualAddress: 0000f000) (PtrToData: 0000f000) (SizeOfData: 00002000)
    Shdr: 46aa637bbc2c0335c427f6ca42021df9
    Shdr Data: 3b10f3f4c6012e87d46686464575926c
[2] (.data)  (VirtualAddress: 00011000) (PtrToData: 00011000) (SizeOfData: 00003000)
    Shdr: cff63d398711731f58eee390a6ce8513
    Shdr Data: 71cc6a0ff1c18b313d21f1f03229738e

Page 40: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Static Binary Analysis – packerid.py

Packer info>>>[['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]

Page 41: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Static Binary Analysis – Volatility malfind.py*

## lsass.exe (Pid: 676)
#
+ VAD node @821bfb00 Start 00c60000 End 00c6ffff Tag VadS Flags 18
+ VAD node @8236b208 Start 00c80000 End 00c96fff Tag VadS Flags 18
  - Status: disassembling with pydasm...
    0xc80000 call 0x567d
    0xc80005 retn 0x8
    0xc80008 push ecx
    0xc80009 push esi
    0xc8000a call 0x1582

Found 2 suspicious Vad entries

Page 42: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Limitations

Point in time

• Miss changes that don’t persist, e.g., miss processes that don’t have open connections at time of memory dump

Static analysis is weak

• Strings

Generic emulation of the internet

• No real connectivity, so we can’t see what the malware might do after successful check-in

Page 43: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


Future Work

Volatility plugins

• Brendan Dolan-Gavitt’s in-memory registry stuff

• Michael Hale Ligh’s usermode_hooks

INetSim?

• Zerowine?

Instrument the environment to collect system/library call info?

Other ideas?

Page 44: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


More Future Work

Parsing the text

• Automate DB insertion/update

• Summarize ipaudit, etc. output

Correlation/Visualization

• Afterglow

• Learn from A/V community

Page 45: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

Questions?

E-mail: [email protected] or [email protected]


Page 46: Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

SANS Mentor Class – SEC 508 (Forensics)

For those of you from central OH (or folks you work with), I’ll be facilitating another mentor class in the fall.

Thursday evenings from 6:30-8:30PM in Reynoldsburg, OH running 10 Sep-12 Nov.

http://www.sans.org/mentor/details.php?nid=19458
