malware analysis using free software
DESCRIPTION
How to build a malware analysis toolbox usinf free softwareTRANSCRIPT
![Page 1: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/1.jpg)
Malware Analysis Free Toolbox
RMLL - Montpellier - July 2014 - Xavier Mertens
![Page 2: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/2.jpg)
TrueSec
$ whoami
• Xavier Mertens (@xme)
!
• Consultant @ day
!
• Blogger, Hacker @ night
!
• BruCON co-organizer2
![Page 3: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/3.jpg)
TrueSec
$ cat ~/.profile
• I like (your) data
• Offensive / defensive security
• Security visualization
• I like to play!
3
![Page 4: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/4.jpg)
TrueSec
$ cat disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
4
![Page 5: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/5.jpg)
TrueSec
Agenda
• Introduction
• Build your lab
• Automate
• Conclusions
5
![Page 6: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/6.jpg)
TrueSec
Why This Talk?
6
![Page 7: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/7.jpg)
TrueSec
Don’t expect this!
7
![Page 8: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/8.jpg)
TrueSec
Today’s Facts
8
29.122.849 unique malicious objects: scripts, web pages, exploits,
executable files, etc.
81.736.783 unique URLs were recognized as malicious by web
antivirus.
Q1 2014(source: Kaspersky Security Network)
![Page 9: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/9.jpg)
TrueSec
Sources
9
• My spam folder (rootshell.be has been registered in 2001)
• Torrents (Keygens)
• P0rn sites
• You & me!
![Page 10: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/10.jpg)
TrueSec
Motivations
10
• Plenty of material
• To improve our security (integration with other tools)
• Because I’m lazy! (automation)
• Because it’s fun!
![Page 11: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/11.jpg)
TrueSec 11
“APT” VS
“BPT”
The Attack Vector
![Page 12: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/12.jpg)
TrueSec
Analysis
12
![Page 13: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/13.jpg)
TrueSec
Be Dynamic
13
• Execute the malware in a safe environment and watch what it does
• Goals
• Understand how malwares work
• Get IOC’s
![Page 14: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/14.jpg)
TrueSec
We Need “IOC”!
14
![Page 15: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/15.jpg)
TrueSec
We Need “IOC”!
15
• Hashes
• IP addresses
• Domain names
• Files
• Registry keys
• URLs
Share!
![Page 16: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/16.jpg)
TrueSec
Today’s Market
16
• A niche market
• Big players(read: $$$)
• Integrated into an existing platform(Many 2.0 or NG firewalls)
![Page 17: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/17.jpg)
TrueSec
An Attack in 5 Steps
17
Persistence
Exploit
Plan a Backdoor
Initial intrusion
Reconnaissance
Pwned!
![Page 18: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/18.jpg)
TrueSec
The Patient “0”
18
The index case or primary case is the initial patient in the population of an epidemiological investigation (Source: Wikipedia)
![Page 19: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/19.jpg)
TrueSec
Agenda
• Introduction
• Build your lab
• Automate
• Conclusions
19
![Page 20: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/20.jpg)
TrueSec
Requirements
20
• Free (because we are @ RMLL!)
• Virtualized (easy & snapshots)
• Open (to interconnect with other tools)
• Automatization
![Page 21: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/21.jpg)
TrueSec
Cuckoo
21
• Dynamic code analysis framework developed in Python
• “Python” means “open, modular, easy to modify”
• Based on the classic “sandboxing” system
![Page 22: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/22.jpg)
TrueSec
Features
22
• Automation
• Capture data
• API calls
• Network traffic
• Screenshots
• Filesystem / Registry operations
• Memory dump
• Reporting in many formats
![Page 23: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/23.jpg)
TrueSec
Cuckoo
23
![Page 24: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/24.jpg)
TrueSec
Architecture
24
![Page 25: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/25.jpg)
TrueSec
Setup
25
![Page 26: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/26.jpg)
TrueSec
Basic Installation
26
• VirtualBox (recommended)
• Lot of Python lib dependencies
• Recommended platform: Ubuntu
• Ninja mode: OSX
![Page 27: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/27.jpg)
TrueSec
We Need Intertubes
27
• Use Host-only networking with Virtualbox
• Connect to the world
# sysctl -w net.ipv4.ip_forward=1 # iptables -A FORWARD -o eth0 -i vboxnet0 \ -s 192.168.1.0/24 -m conntrack -ctstate NEW \ -j ACCEPT # iptables -A FORWARD -m conntrack \ -ctstate ESTABLISHED,RELATED -j ACCEPT # iptables -A POSTROUTING -t nat -j MASQUERADE
OSX Ninja? Visit http://goo.gl/aEM7gO
![Page 28: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/28.jpg)
TrueSec
“Your” Sandbox
28
• Windows XP SP3 or Windows 7 SP1 32bits
• Acrobat Reader, M$ Office, Browsers
• Generate some content (cookies, browsers history)
• Install the Cuckoo agent
• Disable all security features!
![Page 29: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/29.jpg)
TrueSec
VM Hardening
29
• VM must be “vulnerable” but hardened against anti-VM detection
• http://github.com/markedoe/cuckoo-sandbox
• https://github.com/a0rtega/pafish
![Page 30: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/30.jpg)
TrueSec
Attack of the Clones
30
![Page 31: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/31.jpg)
TrueSec
Demo!
31
![Page 32: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/32.jpg)
TrueSec
Agenda
• Introduction
• Build your lab
• Automate
• Conclusions
32
![Page 33: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/33.jpg)
TrueSec
Automation
33
Cuckoo is a nice tool to analyse files on demand but some automation will be helpful to detect more suspicious stuff!
![Page 34: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/34.jpg)
TrueSec
Bro IDS
34
• Bro is a powerful network analysis framework. Bro is not only a IDS
• Bro comes with analysers for many protocols which allow processing at layer-7
• http://bro.org
![Page 35: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/35.jpg)
TrueSec
Bro Scripting
35
Bro has a simple andpowerful scriptinglanguage. All the output generated byBro is based onscripts!
![Page 36: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/36.jpg)
TrueSec
Extract Those Files!
36
• Bro can extract files from network streams and save them on the file system
• There is an “extraction” analyzer to perform this task
![Page 37: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/37.jpg)
TrueSec
Extract Those Files!
37
global ext_map: table[string] of string = { ["application/x-dosexec"] = "exe", } &default =""; !event file_new(f: fa_file) { local ext = “data"; ! if ( f?$mime_type ) ext = ext_map[f$mime_type]; ! local fname = fmt("%s-%s.%s", f$source, f$id, ext); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); }
![Page 38: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/38.jpg)
TrueSec
Juicy Files
38
application/x-dosexec application/vnc.ms-cab-compressed application/pdf application/x-shockware-flash application/x-java-applet application/jar application/zip
![Page 39: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/39.jpg)
TrueSec
And URLs?
39
• Extracting URLs from network?
• Flood! (“HTTP is the new TCP”)
• Analysing one-time URLs may break some tools (think about password recovery)
![Page 40: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/40.jpg)
TrueSec
Sniff!
40
# cd /tools/bro/logs # vi extract.bro # mkdir extract_files # ../bin/bro -i eth1 extract.bro listening on eth1, capture length 8192 bytes
![Page 41: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/41.jpg)
TrueSec
Feed Cuckoo!
41
# cd /tools/bro/logs/extract_files # inotifywait -m -q -e create —format %f . | while read F do case “${F##*.}” in “zip|exe|doc|dll|jar|msi”) /tools/cuckoo/utils/submit.py $F esac done
![Page 42: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/42.jpg)
TrueSec
Want Data?
42
• Cuckoo has a REST API
• Useful to automate even more
![Page 43: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/43.jpg)
TrueSec
Get results!
43
# curl http://localhost:8090/tasks/list # curl http://localhost:8090/tasks/view/10 # curl http://localhost:8090/tasks/report/10 # curl http://localhost:8090/files/view/md5/xxxxxx !
![Page 44: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/44.jpg)
TrueSec
Extract IOC’s
44
#curl -s http://localhost:8090/tasks/report/2/json | \ python extract-domains.py premiercrufinewine.co.uk 188.65.114.122 fidaintel.com 216.224.182.75
![Page 45: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/45.jpg)
TrueSec
Feed OSSEC
45
• Create CDB lists (“active lists”) <ossec_config> <rules> <list>lists/baddomains.cdb</list> <list>lists/badips.cdb</list> </rules> </ossec_config>
• Populate them
• Re-generate them /var/ossec/bin/ossec-makelists
![Page 46: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/46.jpg)
TrueSec
Correlate
46
<rule id=“99001” level=“10”> <decoded_as>bind9</decoded_as> <list field=“url”>lists/baddomains</list> <description>DNS query: malicious domain</description> </rule>
![Page 47: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/47.jpg)
TrueSec
Agenda
• Introduction
• Build your lab
• Automate
• Conclusions
47
![Page 48: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/48.jpg)
TrueSec
Conclusions
48
![Page 49: Malware Analysis Using Free Software](https://reader033.vdocuments.net/reader033/viewer/2022051609/547bb157b379596a2b8b4e4b/html5/thumbnails/49.jpg)
TrueSec
Conclusions
49
• We don’t have time to handle such amount of data!
• Know your Enemy!
• Correlate your logs with external content