Malware detection with OSSEC @santiagobassett

Upload: hilary-domenic-snow

Post on 21-Dec-2015


Page 1: Malware detection with OSSEC @santiagobassett. Setting up a malware lab Collection Analysis Detection @santiagobassett

Malware detection with OSSEC

@santiagobassett

Setting up a malware lab

Collection -> Analysis -> Detection

MW collection techniques

• Honeypots
• Web spiders - honeyclients
• Malware crawlers

Honeypot

Dionaea: Low interaction honeypot that emulates vulnerable network services.
https://github.com/rep/dionaea (written in C)

santiago@cuckoo:~$ nmap dionaea

Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 21:04 PDT
Nmap scan report for dionaea (54.235.216.XXX)
Host is up (0.070s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
42/tcp   open  nameserver
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds

Honeypot results

• Captured 126 unique binaries in 3 months
• Highly detected by clamav (80%)

santiago@dionaea:/opt/dionaea/var/dionaea/binaries# clamscan *
022aeb126d2d80e683f7f2a3ee920874: Trojan.Spy-78857 FOUND
05800e1eb163994359e4c946d4a0fecb: Backdoor.Floder-3 FOUND
06267149140c0bc9ba51222c165f2d61: Worm.Autorun-7683 FOUND
0682f3dfbdab7c040ac9307c50792d0a: Trojan.Buzus-9369 FOUND
074b815d9ded01b516a62e3b739caa10: Win.Trojan.Agent-372503 FOUND
07fea379703307c5addc20e237cdd0f0: Win.Trojan.Jorik-1388 FOUND
09481313331ff5a8b8bfa4e25cbaa524: Worm.Autorun-7516 FOUND
0a9f1cd12f1b34ca71fa585e87e91c7d: OK
0b4c4078231ee36731080858187a49b8: Win.Trojan.Injector-8166 FOUND
0feae931ee71a495614f14f3c1d37246: Trojan.Mybot-5073 FOUND
10ec7cb47314a2c08decb25e53fedcfa: Trojan.Injector-558 FOUND
1205a52e42687c922aa4d3700d778398: Trojan.Kazy-1372 FOUND
12fb7332920a7797c2d02df29b57c640: Trojan.Spy-78857 FOUND
16b0357b804d9651d9057b61d78bee08: Win.Trojan.Agent-368816 FOUND
1a813b6ea08a47f2997e2e4215eba96b: WIN.Trojan.IRCBot-1225 FOUND
…

----------- SCAN SUMMARY -----------
Known viruses: 3517573
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 126
Infected files: 101
Data scanned: 17.65 MB
Data read: 18.11 MB (ratio 0.97:1)
Time: 56.447 sec (0 m 56 s)

Honeyclient

Thug: Low interaction honeyclient, used to detect drive-by-download attacks.
https://github.com/buffer/thug (Python)

Thug emulates:
• Core browser functionality
• ActiveX controls
• Browser plugins

Drive-by download attack

http://urlquery.net/report.php?id=1410227505197

Honeyclient results

santiago@mwcollector:~/thug/src$ ./thug.py webgalleriet.no/

[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Status: 200, Referrer: http://www.webgalleriet.no/)

[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/comment-reply.js?ver=20090102 (Content-type: application/javascript, MD5: d484fa08997df765852c6ad283ec52c6)

[2014-09-11 22:58:31] <iframe align="center" frameborder="no" height="2" name="Twitter" scrolling="auto" src="http://168bet.com/cocs.html?j=1095012" width="2"></iframe>

[2014-09-11 22:58:31] [iframe redirection] http://www.webgalleriet.no/ -> http://168bet.com/cocs.html?j=1095012

[2014-09-11 22:58:31] [URL Classifier] URL: http://168bet.com/cocs.html?j=1095012 (Rule: Redkit 1, Classification: Landing page, Exploit Kit)

Malware crawlers

Retrieve files using malware tracking sites.
https://github.com/technoskald/maltrieve (Python)
https://code.google.com/p/malware-crawler/ (Python)

http://malc0de.com/rss
http://www.malwareblacklist.com/mbl.xml
http://www.malwaredomainlist.com/hostslist/mdl.xml
http://vxvault.siri-urz.net/URL_List.php
http://urlquery.net/
http://support.clean-mx.de/clean-mx/xmlviruses.php

Malware tracking site

Malware crawlers results

• Captured 345 unique binaries in 15 minutes
• Poorly detected by clamav (16%)

santiago@mwcollector:~/binaries/maltrieve$ clamscan *
02d36dff08b63b123d2d2a36089e3d97: OK
03a6ac145099cf77bf5c7af127696687: OK
03e49fb415aacf9d2c90821ff0596024: OK
0568a72d4c5a2eb510207ca45b8d8799: OK
06ddb91e1d5f056590dfeef71a2da264: JS.Iframe-2 FOUND
074fbceca8fe84bae582a7a114b2ce94: HTML.Iframe-63 FOUND
0889504acc370f2adec7869b9bc5bc5c: OK
08d53833d032d71c1e7ffd3cddcd2a5e: JS.Iframe-2 FOUND
0ac790c459a0ef9bb4959321918a2d57: OK
0cc1c5c2ef510bd9f587abbc402d04a3: OK
0e3c692048a35c06ffe81a473ffd1d41: OK
136264a09b94bf8f08278b0045a84905: OK
13e78b2bab4a0ae9a3c2003d3f004dd1: JS.Obfus-31 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3517100
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 235
Infected files: 38
Data scanned: 164.24 MB
Data read: 143.86 MB (ratio 1.14:1)
Time: 254.462 sec (4 m 14 s)
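The two clamscan runs above (honeypot binaries, 80% detected; crawler binaries, 16% detected) are the kind of output a lab produces every day, and comparing collection sources means parsing it rather than eyeballing it. The following Python parser is an added example, not code from the slides or from ClamAV: it splits clamscan output into per-file verdicts and the summary block, computes the detection rate, groups hits by signature family, and cross-checks the parsed counts against clamscan's own "Scanned files" and "Infected files" counters. The sample output is constructed from lines in the slides.

```python
import re
from collections import Counter

# Constructed sample in the clamscan format shown on the slides:
# "<file>: <signature> FOUND" or "<file>: OK", then a scan summary.
SAMPLE_CLAMSCAN = """\
022aeb126d2d80e683f7f2a3ee920874: Trojan.Spy-78857 FOUND
05800e1eb163994359e4c946d4a0fecb: Backdoor.Floder-3 FOUND
0a9f1cd12f1b34ca71fa585e87e91c7d: OK
12fb7332920a7797c2d02df29b57c640: Trojan.Spy-78857 FOUND
0cc1c5c2ef510bd9f587abbc402d04a3: OK

----------- SCAN SUMMARY -----------
Known viruses: 3517573
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 5
Infected files: 3
Data scanned: 0.50 MB
"""

RESULT_RE = re.compile(r"^(?P<name>[^:]+): (?:(?P<sig>.+) FOUND|OK)$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_clamscan(text):
    """Return ({file: signature-or-None}, {summary key: value})."""
    verdicts, summary = {}, {}
    in_summary = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
            continue
        m = RESULT_RE.match(line)
        if m:
            verdicts[m.group("name")] = m.group("sig")   # None means OK
    return verdicts, summary


def detection_rate(verdicts):
    """Fraction of scanned files with a signature hit, 0.0 to 1.0."""
    if not verdicts:
        return 0.0
    return sum(1 for s in verdicts.values() if s is not None) / len(verdicts)


def families(verdicts):
    """Hits per signature family, i.e. the name without its numeric '-<id>' suffix."""
    counts = Counter()
    for sig in verdicts.values():
        if sig is not None:
            counts[sig.rsplit("-", 1)[0]] += 1
    return counts


def summary_consistent(verdicts, summary):
    """Check that what we parsed agrees with clamscan's own counters."""
    hits = sum(1 for s in verdicts.values() if s is not None)
    return (int(summary.get("Scanned files", -1)) == len(verdicts)
            and int(summary.get("Infected files", -1)) == hits)


if __name__ == "__main__":
    v, s = parse_clamscan(SAMPLE_CLAMSCAN)
    print(f"detection rate: {detection_rate(v):.0%}, consistent: {summary_consistent(v, s)}")
    print(families(v).most_common())
```

Run against the full output of both scans on the slides, the same code gives the 80% and 16% figures quoted there; the family grouping is what makes the difference visible (the crawler set is mostly JS/HTML iframe injectors, the honeypot set mostly worms and trojans).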

Malware database - Viper

Binary analysis and management framework.
https://github.com/botherder/viper (Python)

Static Analysis - Yara

Flexible, human-readable rules for identifying malicious streams.

Can be used to analyze:
• files
• memory (volatility)
• network streams.

private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii
        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii
    condition:
        all of ($winrar*) and 1 of ($str*)
}

Static Analysis - Yara

viper > find name 3f2fda43121d888428b66717b984a7fb
+---+----------------------------------+-----------------------+----------------------------------+------+
| # | Name                             | Mime                  | MD5                              | Tags |
+---+----------------------------------+-----------------------+----------------------------------+------+
| 1 | 3F2FDA43121D888428B66717B984A7FB | application/x-dosexec | 3f2fda43121d888428b66717b984a7fb | apt  |
+---+----------------------------------+-----------------------+----------------------------------+------+
viper > open -l 1
[*] Session opened on /home/santiago/viper/binaries/6/a/f/2/6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e
viper 3F2FDA43121D888428B66717B984A7FB > yara scan
[*] Scanning 3F2FDA43121D888428B66717B984A7FB (6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e)
+------------------+--------+--------+----------------------------------+
| Rule             | String | Offset | Content                          |
+------------------+--------+--------+----------------------------------+
| APT1_WEBC2_TABLE | $msg1  | 440032 | Fail To Execute The Command      |
| APT1_WEBC2_TABLE | $msg2  | 440060 | Execute The Command Successfully |
| APT1_WEBC2_TABLE | $gif1  | 440100 | sdwefa.gif                       |
| APT1_WEBC2_TABLE | $gif1  | 440101 | dwefa.gif                        |
| APT1_WEBC2_TABLE | $gif1  | 440102 | wefa.gif                         |
| APT1_WEBC2_TABLE | $gif1  | 440103 | efa.gif                          |
| APT1_WEBC2_TABLE | $gif1  | 440104 | fa.gif                           |
| APT1_WEBC2_TABLE | $gif1  | 440105 | a.gif                            |
| APT1_WEBC2_TABLE | $gif2  | 440112 | GIF89                            |
+------------------+--------+--------+----------------------------------+

rule APT1_WEBC2_TABLE
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $msg1 = "Fail To Execute The Command" wide ascii
        $msg2 = "Execute The Command Successfully" wide ascii
        $gif1 = /\w+\.gif/
        $gif2 = "GIF89" wide ascii
    condition:
        3 of them
}

viper 3F2FDA43121D888428B66717B984A7FB > yara rules
+----+-----------------------------------+
| #  | Path                              |
+----+-----------------------------------+
| 1  | data/yara/hangover.yara           |
| 2  | data/yara/citizenlab.yara         |
| 3  | data/yara/APT_NGO_wuaclt_PDF.yara |
| 4  | data/yara/kins.yara               |
| 5  | data/yara/themask.yara            |
| 6  | data/yara/vmdetect.yara           |
| 7  | data/yara/index.yara              |
| 8  | data/yara/GeorBotBinary.yara      |
| 9  | data/yara/leverage.yar            |
| 10 | data/yara/apt1.yara               |
| 11 | data/yara/GeorBotMemory.yara      |
| 12 | data/yara/rats.yara               |
| 13 | data/yara/embedded.yara           |
| 14 | data/yara/urausy_skypedat.yar     |
| 15 | data/yara/fpu.yara                |
+----+-----------------------------------+
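The two AlienVault Labs rules shown on these slides (APT1_RARSilent_EXE_PDF and APT1_WEBC2_TABLE) rely on three things a reader of YARA rules needs to understand: the `wide ascii` modifiers (the string matches both as raw bytes and as UTF-16LE), wildcard groups such as `all of ($winrar*)`, and counted conditions such as `3 of them`. The Python below is an added example, not code from the slides, from AlienVault or from the yara project: it hand-transcribes those two rules into Python structures (there is no YARA parser here) and evaluates them over constructed byte buffers. Regex strings are searched for every start offset including overlapping ones, which is why `$gif1` produced six rows (sdwefa.gif, dwefa.gif, ...) in the viper scan above.

```python
import re

# Hand-transcribed from the two AlienVault Labs rules on the slides.
# Each string is ("text", value, modifiers) or ("regex", byte pattern).
APT1_RARSILENT_EXE_PDF = {
    "$winrar1": ("text", "WINRAR.SFX", "wide ascii"),
    "$winrar2": ("text", ";The comment below contains SFX script commands", "wide ascii"),
    "$winrar3": ("text", "Silent=1", "wide ascii"),
    "$str1": ("regex", rb'Setup=[\s\w"]+\.(exe|pdf|doc)'),
    "$str2": ("text", 'Steup="', "wide ascii"),   # the misspelling is in the original rule
}

APT1_WEBC2_TABLE = {
    "$msg1": ("text", "Fail To Execute The Command", "wide ascii"),
    "$msg2": ("text", "Execute The Command Successfully", "wide ascii"),
    "$gif1": ("regex", rb"\w+\.gif"),
    "$gif2": ("text", "GIF89", "wide ascii"),
}


def encodings(value, modifiers):
    """'ascii' matches the raw bytes, 'wide' the UTF-16LE form (YARA semantics)."""
    out = []
    if "ascii" in modifiers:
        out.append(value.encode("ascii"))
    if "wide" in modifiers:
        out.append(value.encode("utf-16-le"))
    return out


def find_strings(data, strings):
    """Return {identifier: sorted offsets} for every string with at least one hit."""
    hits = {}
    for ident, spec in strings.items():
        offsets = []
        if spec[0] == "text":
            for needle in encodings(spec[1], spec[2]):
                pos = data.find(needle)
                while pos != -1:
                    offsets.append(pos)
                    pos = data.find(needle, pos + 1)
        else:
            # yara reports every start offset, overlapping ones included, so
            # resume the search at start+1 rather than using re.finditer.
            rx = re.compile(spec[1])
            m = rx.search(data)
            while m:
                offsets.append(m.start())
                m = rx.search(data, m.start() + 1)
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def n_of(n, identifiers, hits):
    """YARA 'N of (...)': n is an integer or the word 'all'."""
    matched = sum(1 for i in identifiers if i in hits)
    return matched == len(identifiers) if n == "all" else matched >= n


def wildcard(strings, prefix):
    """Expand a '$winrar*' style group to the identifiers it covers."""
    return [i for i in strings if i.startswith(prefix)]


def rarsilent_matches(data):
    """condition: all of ($winrar*) and 1 of ($str*)"""
    hits = find_strings(data, APT1_RARSILENT_EXE_PDF)
    s = APT1_RARSILENT_EXE_PDF
    return n_of("all", wildcard(s, "$winrar"), hits) and n_of(1, wildcard(s, "$str"), hits)


def webc2_table_matches(data):
    """condition: 3 of them"""
    hits = find_strings(data, APT1_WEBC2_TABLE)
    return n_of(3, list(APT1_WEBC2_TABLE), hits)


# Constructed samples (not real malware): an SFX script block whose WinRAR
# marker is stored wide and the rest ASCII, a similar archive without
# Silent=1, and a buffer carrying the WEBC2 table strings.
SFX_SAMPLE = (b"MZ\x90\x00" + "WINRAR.SFX".encode("utf-16-le")
              + b"\x00;The comment below contains SFX script commands\r\n"
              + b"Setup=update.exe\r\nSilent=1\r\n")
BENIGN_SFX = (b"MZ\x90\x00" + "WINRAR.SFX".encode("utf-16-le")
              + b"\x00;The comment below contains SFX script commands\r\n"
              + b"Setup=readme.txt\r\n")
WEBC2_SAMPLE = (b"\x00Fail To Execute The Command\x00"
                b"Execute The Command Successfully\x00sdwefa.gif\x00GIF89a")

if __name__ == "__main__":
    print("SFX_SAMPLE  :", rarsilent_matches(SFX_SAMPLE))    # True
    print("BENIGN_SFX  :", rarsilent_matches(BENIGN_SFX))    # False
    print("WEBC2_SAMPLE:", find_strings(WEBC2_SAMPLE, APT1_WEBC2_TABLE))
```

The point of the wide/ascii handling is practical: a string that a Windows binary stores as UTF-16 (the "W\x00I\x00N\x00..." form in SFX_SAMPLE) would be missed by a plain byte search, and a rule written with only `ascii` would be silently weaker than the author intended.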

Static Analysis - Trojan Dropper

viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe sections
[*] PE Sections:
+--------+---------+-------------+-------------+---------------+
| Name   | RVA     | VirtualSize | RawDataSize | Entropy       |
+--------+---------+-------------+-------------+---------------+
| .text  | 0x1000  | 0xbe8f      | 49152       | 6.52204488284 |
| .rdata | 0xd000  | 0x1855      | 6656        | 5.17849300065 |
| .data  | 0xf000  | 0x19cb8     | 512         | 1.31023024266 |
| .CRT   | 0x29000 | 0x10        | 512         | 0.21310128451 |
| .rsrc  | 0x2a000 | 0x7fd8      | 32768       | 5.79943302325 |
+--------+---------+-------------+-------------+---------------+
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe imports
...
[*] DLL: ADVAPI32.dll
    - 0x40d000: RegCloseKey
    - 0x40d004: RegOpenKeyExA
    - 0x40d008: RegQueryValueExA
    - 0x40d00c: RegCreateKeyExA
    - 0x40d010: RegSetValueExA
...
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe compiletime
[*] Compile Time: 2010-03-14 23:27:58
viper 0A37D49E798F50C8F1010D5CFDE0E851 > yara scan
[*] Scanning 0A37D49E798F50C8F1010D5CFDE0E851 (dbf0436908c9d900e69ea2a108f08061786d299b511265b78620a4401361084b)
viper 0A37D49E798F50C8F1010D5CFDE0E851 > fuzzy
[*] 1 relevant matches found
+-------+----------------------------------+------------------------------------------------------------------+
| Score | Name                             | SHA256                                                           |
+-------+----------------------------------+------------------------------------------------------------------+
| 68%   | 003EE3D21DF82975337AE976F8BA67CC | 2803fba5fbe908f6151597c2a387caef8f00a5f0f194bfc6b4d9f89026d53621 |
+-------+----------------------------------+------------------------------------------------------------------+

viper 0A37D49E798F50C8F1010D5CFDE0E851 > virustotal
[*] VirusTotal Report:
+----------------------+----------------------------------------------+
| Antivirus            | Signature                                    |
+----------------------+----------------------------------------------+
| nProtect             | Trojan.Downloader.JKVR                       |
| McAfee               | Artemis!0A37D49E798F                         |
| K7GW                 | Trojan-Downloader                            |
| NANO-Antivirus       | Trojan.Win32.Agent.hbmsz                     |
| Symantec             | Downloader                                   |
| TotalDefense         | Win32/FakeDoc_i                              |
| TrendMicro-HouseCall | TROJ_DLOADER.VTG                             |
| Avast                | Win32:Trojan-gen                             |
| ClamAV               | Trojan.Downloader-83571                      |
| Kaspersky            | Trojan-Downloader.Win32.Agent.thb            |
| BitDefender          | Trojan.Downloader.JKVR                       |
| Agnitum              | Trojan.DL.Agent!virRS0ijj7k                  |
| Emsisoft             | Trojan.Downloader.JKVR (B)                   |
| Comodo               | TrojWare.Win32.TrojanDownloader.Agent.thb_30 |
| F-Secure             | Trojan.Downloader.JKVR                       |
| TrendMicro           | TROJ_DLOADER.VTG                             |
| McAfee-GW-Edition    | Artemis!0A37D49E798F                         |
| Sophos               | Troj/DwnLdr-IYR                              |
| Jiangmin             | TrojanDownloader.Agent.boly                  |
| Antiy-AVL            | Trojan/Win32.Agent.gen                       |
| Microsoft            | TrojanDownloader:Win32/Pingbed.A             |
| Commtouch            | W32/Downloader.NIHT-8726                     |
| AhnLab-V3            | Dropper/Malware.101512                       |
| VBA32                | TrojanDownloader.Agent                       |
| ESET-NOD32           | a variant of Win32/Agent.TUJ                 |
| Fortinet             | W32/Scar.SJU!tr                              |
| AVG                  | Downloader.Agent2.HEL                        |
| Panda                | Trj/Downloader.MDW                           |
+----------------------+----------------------------------------------+

Fuzzy hash match info

Dynamic Analysis - Cuckoo

Automated malware analysis. Runs binary files in virtual machines to study their behavior.

• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps

Integrated with yara, virustotal and volatility among other tools. Supports VirtualBox, KVM and VMware.

Dynamic Analysis – Trojan Dropper

Behavioral Analysis – Filesystem

Behavioral Analysis - Filesystem

Behavioral Analysis – Network

Behavioral Analysis – Network

Behavioral Analysis - Network

santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ sudo tcpdump -s 0 -XX -AA -nn -r dump.pcap | grep -A 4 63.233.155.6
reading from file dump.pcap, link-type EN10MB (Ethernet)
23:32:20.655808 IP 8.8.8.8.53 > 192.168.56.103.63943: 53551 1/0/0 A 63.233.155.6 (50)
        0x0000:  0800 2723 f165 0a00 2700 0000 0800 4500  ..'#.e..'.....E.
        0x0010:  004e eca8 0000 2d11 97d7 0808 0808 c0a8  .N....-.........
        0x0020:  3867 0035 f9c7 003a ef52 d12f 8180 0001  8g.5...:.R./....
        0x0030:  0001 0000 0000 0377 7777 0867 6172 7968  .......www.garyh
--
23:32:20.662766 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
        0x0000:  0a00 2700 0000 0800 2723 f165 0800 4500  ..'.....'#.e..E.
        0x0010:  0034 10ab 4000 8006 161a c0a8 3867 3fe9  .4..@.......8g?.
        0x0020:  9b06 c00e 0050 9be7 3c9f 0000 0000 8002  .....P..<.......
        0x0030:  2000 e231 0000 0204 05b4 0103 0302 0101  ...1............
--
23:32:23.663174 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
        0x0000:  0a00 2700 0000 0800 2723 f165 0800 4500  ..'.....'#.e..E.
        0x0010:  0034 10c2 4000 8006 1603 c0a8 3867 3fe9  .4..@.......8g?.
        0x0020:  9b06 c00e 0050 9be7 3c9f 0000 0000 8002  .....P..<.......
        0x0030:  2000 e231 0000 0204 05b4 0103 0302 0101  ...1............
--
23:32:29.661778 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815, win 8192, options [mss 1460,nop,nop,sackOK], length 0
        0x0000:  0a00 2700 0000 0800 2723 f165 0800 4500  ..'.....'#.e..E.
        0x0010:  0030 10dc 4000 8006 15ed c0a8 3867 3fe9  .0..@.......8g?.
        0x0020:  9b06 c00e 0050 9be7 3c9f 0000 0000 7002  .....P..<.....p.
        0x0030:  2000 f63a 0000 0204 05b4 0101 0402       ...:..........
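The capture above shows the sandbox VM resolving the C2 host and then sending the same SYN (seq 2615622815) three times, at 3 and then 6 second intervals, with no SYN/ACK in return: the host the dropper wants is dead or sinkholed. That pattern, repeated unanswered SYNs to one destination, is cheap to detect from the raw frames. The following Python is an added example, not code from the slides or from Cuckoo: it rebuilds the three frames from the hex dumps on the slide (the first two were cut at 64 bytes by `grep -A 4`, which still covers the Ethernet, IPv4 and fixed TCP headers), decodes addresses, ports, sequence number and flags by hand, and reports SYNs that were retransmitted without ever being answered. `build_tcp_frame` is a constructed helper used only to synthesise a SYN/ACK for the negative case.

```python
import struct
from collections import defaultdict

# Constructed from the tcpdump -XX output on the slide: three SYNs from the
# sandbox VM 192.168.56.103:49166 to 63.233.155.6:80, same sequence number.
SYN_FRAMES_HEX = [
    """0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500
       0x0010: 0034 10ab 4000 8006 161a c0a8 3867 3fe9
       0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 8002
       0x0030: 2000 e231 0000 0204 05b4 0103 0302 0101""",
    """0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500
       0x0010: 0034 10c2 4000 8006 1603 c0a8 3867 3fe9
       0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 8002
       0x0030: 2000 e231 0000 0204 05b4 0103 0302 0101""",
    """0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500
       0x0010: 0030 10dc 4000 8006 15ed c0a8 3867 3fe9
       0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 7002
       0x0030: 2000 f63a 0000 0204 05b4 0101 0402""",
]


def hexdump_to_bytes(dump):
    """Turn tcpdump -XX lines ('0x0010: 0034 10ab ...') back into raw bytes.
    Only the eight hex words after the offset are used, so the ASCII column
    tcpdump prints at the end of each line is ignored if present."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("0x"):
            out += bytes.fromhex("".join(parts[1:9]))
    return bytes(out)


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP fixed headers; None if not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"src": ".".join(map(str, ip[12:16])),
           "dst": ".".join(map(str, ip[16:20])),
           "proto": ip[9]}
    if pkt["proto"] != 6:
        return pkt
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    flags = off_flags & 0x01FF          # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
               syn=bool(flags & 0x02), ack_set=bool(flags & 0x10))
    return pkt


def unanswered_syns(frames):
    """Client SYNs repeated with the same (src, dst, port, seq) and no SYN/ACK
    from that destination anywhere in the capture."""
    attempts = defaultdict(int)
    answered = set()
    for frame in frames:
        p = parse_frame(frame)
        if not p or p["proto"] != 6:
            continue
        if p["syn"] and not p["ack_set"]:
            attempts[(p["src"], p["dst"], p["dport"], p["seq"])] += 1
        elif p["syn"] and p["ack_set"]:
            answered.add((p["dst"], p["src"], p["sport"]))   # (client, server, server port)
    return {k: n for k, n in attempts.items() if n > 1 and k[:3] not in answered}


def build_tcp_frame(src, dst, sport, dport, seq, ack, flags):
    """Constructed minimal Ethernet/IPv4/TCP frame (zero checksums), test helper only."""
    eth = bytes(12) + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0x4000, 64, 6, 0) \
        + bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    frames = [hexdump_to_bytes(h) for h in SYN_FRAMES_HEX]
    for k, n in unanswered_syns(frames).items():
        print(f"{k[0]} -> {k[1]}:{k[2]} seq {k[3]}: {n} SYNs, no SYN/ACK seen")
```

The decoded fields agree with tcpdump's own summary line (49166 > 80, Flags [S], seq 2615622815), which is a good habit: verify a hand-written parser against a known-good decoder before trusting it on an unknown pcap.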

Behavioral Analysis – Registry

Memory Analysis - Volatility

santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py psxview --profile=Win7SP1x86 -f memory.dmp
Volatility Foundation Volatility Framework 2.4
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x7b6fa500 audiodg.exe             960 True   False  True     True   True  True    True
0x7b7afd40 sppsvc.exe             1780 True   False  True     True   True  True    True
0x779fb808 svchost.exe             724 True   False  True     True   True  True    True
0x7b7be710 svchost.exe            1892 True   False  True     True   True  True    True
0x7c4ea7d8 VBoxService.ex          624 True   False  True     True   True  True    True
0x7b6f4030 svchost.exe             900 True   False  True     True   True  True    True
0x7b7bb618 svchost.exe            3376 True   False  True     True   True  True    True
0x7cd99a58 AcroRD32.exe           3080 True   False  True     True   True  True    True
0x7b4fa030 SearchIndexer.          360 True   False  True     True   True  True    True
0x7b94a858 taskhost.exe           2920 True   False  True     True   True  True    True
…

santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py memdump --profile=Win7SP1x86 -f memory.dmp -D ./ -p 3080
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing AcroRD32.exe [  3080] to 3080.dmp

santiago@cuckoo:~$ strings 3080.dmp | grep -i garyhart
www.garyhart.com
w.garyhart.com
w.garyhart.com
w.garyhart.com
www.garyhart.com
st: www.garyhart.com
w.garyhart.com
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
tp://www.garyhart.com/nfuse.htm
www.garyhart.com
http://www.garyhart.com/nfuse.htm

Memory Analysis - Yara

santiago@cuckoo:~/Cuckoo/cuckoo/storage/analyses/34$ yara /home/santiago/viper/data/yara/apt1.yara 3080.dmp
APT1_WEBC2_UGX 3080.dmp

rule APT1_WEBC2_UGX
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
        $exe = "DefWatch.exe" wide ascii
        $html = "index1.html" wide ascii
        $cmd1 = "!@#tiuq#@!" wide ascii
        $cmd2 = "!@#dmc#@!" wide ascii
        $cmd3 = "!@#troppusnu#@!" wide ascii
    condition:
        3 of them
}

OSSEC - Rootcheck

Used for rootkit and malware detection. It can be used to:
• Look for suspicious files.
• Inspect files and registry keys for common rootkit/malware entries.
• Look for hidden processes and network ports.

OSSEC – Rule for Trojan Dropper

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]

f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;

r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;

p:r:AcroRD32.exe;

/var/ossec/etc/shared/win_malware_rcl.txt

OSSEC – Alert for Trojan Dropper

alienvault:/var/ossec/bin# ./rootcheck_control -L -i 001
Policy and auditing events for agent 'Windows7 (001) - 172.16.126.134':

Resolved events:
** No entries found.

Last scan: 2014 Sep 12 18:54:24
Windows Audit: Null sessions allowed.
Windows Malware: Trojan Dropper. File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference: 0A37D49E798F50C8F1010D5CFDE0E851 .

Demo – Alert for Trojan Dropper

Future Work

• Use/create Cuckoo signatures to identify different malware patterns (droppers, downloaders, trojans, rootkits, …)

• Create Cuckoo reporting module to report (JSON) on those patterns that OSSEC can detect.

• Python tool to parse module output and generate rootcheck rules.

• Add/improve OSSEC malware detection capabilities.
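The third item above, a tool that turns sandbox output into rootcheck rules, is the step that closes the loop from the Cuckoo run on the dropper to the win_malware_rcl.txt entry shown on the earlier slide. The Python below is an added example, not code from the slides, from Cuckoo or from OSSEC: it takes a constructed, simplified JSON report (the field names `files_written`, `run_keys` and `processes` are hypothetical, not Cuckoo's real schema) and emits an entry in the RCL format used on the slide: a `[name] [all|any] [reference]` header followed by `f:` file, `r:` registry and `p:r:` process checks. It keeps only dropped files that a Run key points at, because with `[all]` every check must hold and a scratch file the dropper deletes would make the rule never fire.

```python
import json
import ntpath

# Constructed, simplified report (hypothetical field names, not Cuckoo's real
# schema) standing in for what a Cuckoo reporting module could emit about the
# dropper analysed on the slides.
SAMPLE_REPORT = json.dumps({
    "name": "Trojan Dropper",
    "md5": "0A37D49E798F50C8F1010D5CFDE0E851",
    "files_written": [
        "C:\\Users\\IEUser\\AppData\\Local\\Temp\\AcroRD32.exe",
        "C:\\Users\\IEUser\\AppData\\Local\\Temp\\~tmp1.dat",
    ],
    "run_keys": [
        {"key": "HKEY_USERS\\S-1-5-21-3463664321-2923530833-3546627382-1000"
                "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "value": "Acroread",
         "data": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\AcroRD32.exe"},
    ],
    "processes": ["AcroRD32.exe"],
})


def persistent_files(report):
    """Dropped files that a Run key points at; scratch files are left out so
    an [all] rule is not defeated by a file the dropper removes after use."""
    targets = {rk["data"].lower() for rk in report["run_keys"]}
    return [p for p in report["files_written"] if p.lower() in targets]


def build_rootcheck_entry(report, condition="all"):
    """Emit one entry in the rootcheck RCL format shown on the slide:
    [name] [all|any] [reference], then f: (file path), r: (registry key ->
    value name -> regex on the data) and p:r: (process name regex) checks,
    each terminated by ';'."""
    for field in ("name", "md5"):
        if any(c in report[field] for c in "[];"):
            raise ValueError(f"{field} contains an RCL delimiter")
    lines = [f"[{report['name']}] [{condition}] [{report['md5']}]"]
    for path in persistent_files(report):
        lines.append(f"f:{path};")
    for rk in report["run_keys"]:
        exe = ntpath.basename(rk["data"])     # match on the executable name, as the slide does
        lines.append(f"r:{rk['key']} -> {rk['value']} -> r:{exe};")
    for proc in report["processes"]:
        lines.append(f"p:r:{proc};")
    return "\n".join(lines) + "\n"


def entry_from_json(text, condition="all"):
    """Convenience wrapper: JSON report text in, RCL entry text out."""
    return build_rootcheck_entry(json.loads(text), condition)


if __name__ == "__main__":
    print(entry_from_json(SAMPLE_REPORT), end="")
```

For the sample report the output is exactly the four-line entry on the "Rule for Trojan Dropper" slide. Two things to review before appending such an entry to the shared win_malware_rcl.txt: the user profile path and the HKEY_USERS SID are specific to the sandbox VM, so a rule taken verbatim from one run will not match the same dropper on another host unless those parts are generalised; and `[all]` versus `[any]` decides whether a single surviving artifact (the Run value after the file was cleaned up, say) is enough to alert.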


Thank [email protected]

@santiagobassett