Real-Time Static Malware Analysis using NepenthesFE
DESCRIPTION
My presentation slides for the International Malware Conference (Malcon 2010), held in Mumbai, India on 3rd December 2010.
TRANSCRIPT
Slide 1: Real-Time Static Malware Analysis using NepenthesFE
Visualizing your Honeypot Data
Slide 2
Wasim Halani
  ◦ Security Analyst @ Network Intelligence India (http://www.niiconsulting.com/)
  ◦ Interests: exploit development, malware analysis
Harsh Patel
  ◦ Student @ Symbiosis Centre for Information Technology
  ◦ Interest: anything and everything about security
Slide 3
A deliberately vulnerable system, placed on the network
  ◦ Lures attackers towards itself
  ◦ Captures the malware sent to the network/system
  ◦ Helps in offline analysis
Types
  ◦ Low interaction
  ◦ High interaction
Slide 4
NepenthesFE is a front end to the low interaction honeypot ‘nepenthes’
Originally developed by Emre Bastuz
Helps in cataloguing malware collected using nepenthes
Has modules which perform operations to automate some aspects of malware analysis
Slide 5
Our Nepenthes honeypot provided only minimal data about the captured binaries
  ◦ File hash (MD5)
  ◦ Attacker IP
  ◦ File name
  ◦ ...
What next? Is that all the value a honeypot can provide?
Slide 6
Lenny Zeltser
  ◦ ‘What to include in a Malware Analysis Report?’ http://zeltser.com/reverse-malware/malware-analysis-report.html
  ◦ Summary of Analysis
  ◦ Identification
  ◦ Characteristics
  ◦ Dependencies
  ◦ Behavioral & Code Analysis
  ◦ Screenshots
  ◦ Recommendations
Slide 7
Once we have captured the binary, we’re still left with doing the routine basic stuff
  ◦ strings, file, virustotal, geo-ip ...
Can’t we automate it!?
Enter ‘NepenthesFE’
  ◦ Basic analysis like file type, hashes, ASCII strings, packer information, geographical information
Slide 8
Analyzing malware sample ‘b.aaa’
Slide 9
Provide a statistical output of the data collected
  ◦ How many times has ‘a’ malware hit us?
Provide visualization of the origin of malware
  ◦ Which malwares originate from a single country?
Determine and focus on the number of new attacks on the system
Provide a framework to automate initial static analysis
  ◦ Is it packed?
  ◦ Any recognizable ASCII strings in the binary?
Slide 10 (image only)
Slide 11
Integrate with the Nepenthes honeypot
  ◦ Integration with multiple sensors possible
Statistical count of malware hits
AfterGlow diagrams
  ◦ Country of origin
  ◦ ASN
Provide details of the attacking IP
  ◦ GeoIP database
  ◦ Google Maps
Slide 12
Can be extended with custom modules for static malware analysis in real time
  ◦ Packer information
  ◦ ‘Strings’
Anti-virus scanning (for known malware)
Slide 13
Based on Sample (malware)
  ◦ VirusTotal scanning API
  ◦ BitDefender scanning
  ◦ Unix-based command execution like file, objdump, UPX and strings
  ◦ *nix-based custom script execution to find out details like packer information, PE information and entropy analysis
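An added example, not part of the slides or of NepenthesFE itself: a small Python triage routine that reproduces the sample-based checks listed above (MD5/SHA512 hashes, ASCII strings in the style of `strings -n 4`, UPX section names as a packer hint, and Shannon entropy as the packed/compressed indicator) over a constructed byte string that stands in for a captured binary.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a captured binary: an "MZ" stub, a few printable
# strings, UPX section names, and a filler whose bytes cycle through all 256
# values (entropy 8.0), imitating a packed section. Not a real executable.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"http://example.invalid/update.php\x00"
    + bytes((i * 7919 + 13) % 256 for i in range(4096))
)

def hashes(data: bytes) -> dict:
    """Unique identification as in the report table: MD5 and SHA512."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes (like `strings -n 4`).
    High-entropy regions also yield short junk 'strings'; that is expected."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0; packed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packer_hints(data: bytes, strs: list) -> list:
    """Cheap packer indicators: UPX section names / marker, and high entropy."""
    hints = []
    if b"UPX0" in data or b"UPX1" in data or any("UPX!" in s for s in strs):
        hints.append("UPX")
    if shannon_entropy(data) > 7.0:
        hints.append("high entropy (possibly packed)")
    return hints

def triage(data: bytes) -> dict:
    """One record per sample, the kind of fields a front end would catalogue."""
    strs = ascii_strings(data)
    return {"is_mz": data[:2] == b"MZ", **hashes(data), "strings": strs,
            "entropy": round(shannon_entropy(data), 2),
            "packer_hints": packer_hints(data, strs)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```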
Slide 14
Based on Instance (information about the attacker)
  ◦ GeoIP database
  ◦ ASN information
      Mapping of ASN to Robtex
      Mapping of ASN to PhishTank
      Visualization of attack vectors from an ASN number
  ◦ Visualisation of attack vectors from an IP address
Slide 15 (image only)
Slide 16 (image only)
Slide 17
Install the Nepenthes honeypot sensor: http://nepenthes.carnivore.it/
Refer to our first report at IHP: http://www.honeynet.org.in/reports/KK_Project1.pdf
Slide 18
List of packages:
  ◦ build-essential
  ◦ apache2
  ◦ libapache2-mod-php5
  ◦ php-pear
  ◦ mysql-server-5.1
  ◦ php5-mysql
  ◦ php5-mhash
  ◦ php5-dev
  ◦ upx-ucl
  ◦ file
Slide 19
List of packages (continued):
  ◦ geoip-bin
  ◦ rrdtool (for graphs)
  ◦ librrd2 (for graphs)
  ◦ librrd2-dev (for graphs)
  ◦ python-pefile (for the pefile module)
  ◦ python-all (for the pefile module)
  ◦ bitdefender-scanner (for BitDefender scanning)
  ◦ graphviz (for visualization)
And lots of configuration....
Slide 20
Modify the ‘submit-http.conf’ file in /etc/nepenthes
Slide 21
Download the freely available database from MaxMind
  ◦ http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
Slide 22
Get the Google API key: http://code.google.com/apis/maps/signup.html
Slide 23 (image only)
Slide 24
PEFile
  ◦ http://code.google.com/p/pefile/
Packerid.py
  ◦ Requires the ‘peid’ database (signatures)
  ◦ http://handlers.dshield.org/jclausing/
UPX
  ◦ http://upx.sourceforge.net/
‘file’: apt-get install file
‘strings’
‘objdump’
These executables (chmod +x) should be accessible to NFE
  ◦ Place them in the /usr/bin/ folder if needed
Slide 25

| Analysis Report | Nepenthes | Nepenthes + FE |
|---|---|---|
| File name | Yes | Yes |
| Unique identification (hashes) | MD5, SHA512 | MD5, SHA512 (possibly ssdeep) |
| Malware name (family) | No | VirusTotal, BitDefender (free Linux AV scanners) |
| Binary file type | No | ‘file’ |
| Malware origin | IP address | Geo-location data |
| Screenshots | None | Google Maps, AfterGlow graphs, Robtex graphs |
| Is it packed? Which packer? | No | packerid.py, UPX |
| Statistics | No | Yes (hit counts, RRD graphs) |
Slide 26
Analyzing malware sample ‘b.aaa’
Slides 27 to 31 (images only)
Slide 32
Works only with the Nepenthes honeypot
No search functionality
VirusTotal functionality is broken (new API released by VT recently)
Report cannot be exported
Slide 33
Open-source
  ◦ Requires volunteers
  ◦ Current version: 0.04 (releasing v0.05 today)
Complete documentation available at:
  ◦ http://www.niiconsulting.com/nepenthesfe/
Implementation of a central NepenthesFE for multiple Nepenthes sensors
  ◦ As part of the Indian Honeynet Project (IHP): http://honeynet.org.in/
Submit the malware to a sandbox environment to retrieve more in-depth analysis
Slide 34 (image only)