Workshop on Setting up Malware Lab

Malware L b S
M l Lab Setup

25 Mei 2011,
Workshop Ac cademy CERT
CERT,
Institut Teknologi Sepuluh Nopember
Surabaya, Indonesia
y ,
Charles Lim, Msc., ECSA ECSP, ECIH, CEH, CEI
A,
Dipl-inf. Randy Annthony, S.Kom, CEH
Mich l
Michael
Willia Ang
am

Agenda
A
Background
The Search for Malwar Samples
re
SGU Malware Researc & Malware Lab
ch
Honeypot – Randy An
nthony
Dionaea – Michael & W
William Ang
Malware Sample Resu
ults
The call for Indonesia Honeynet
Dionaea – Setting up (
(step by step)
(step-by-step)
Questions & Answers

SWISS GERMAN UNIVERSITY Malware Setup Workshop
e 2

Bac
ckground
It all began with …
Students wants to learn about analyzing malware
using data mining techniques
We contacted Thorsten Holz (U of Mannheim), he
gave us their malware sa
amples
But we need Indonesian (local) samples
n( ) p
We invited Aat Shadew (virologi.info) to
wa
share his experience
He had several local s
samples that we can use
to
t analyze
l
But, we need more sam
mples …

e 3

The search for malware samples
After discussing with several experts, the
best ways to collect m
malware is the following:
User submitting malware (e.g.
e
http://anubis.iseclab.org, http://virustotal.com)
Collect from public sites (Copy Center, Warnet,
People Flash Disk)
Purchase email account on several ISP and begin
ts
get malware from SPAM email etc.
M
Catch your own malware using honeypot (more about
e
this later)

e 4

SGU M
Malware Lab
We began with our goals:
To be able to obtain mal
lware samples
To be able to analyze malware using static analysis
To be able to analyze malware using behavior
analysis
Our Research focuses on using Data Mining
s
techniques to classify Local Malware.
y
The results have been p
published in IEEE International
Conference in Decembe 2010.
er

e 5

SGU M
Malware Lab
Our Methodology
Static
Analysis

Malware Reporting
Capture

Dyna
amic
Analysis

e 6

SGU M
Malware Lab
Our Methodology (in d
detail)

e 7

SGU M
Malware Lab
We began with the Room Blueprint

e 8

SGU M
Malware Lab
We simulate using 3D images of the room

e 9

SGU M
Malware Lab
SGU Malware Lab

e 10

SGU M
Malware Lab
We design the isolated network
d

e 11

SGU M
Malware Lab
Our Hardware Spec
cification
Processor: Dual Core 2 5 Ghz
e 2.5
RAM 2GB DDRII
Hard Disk 160GB
The tools for analys that used:
sis
Debugger : OllyDBG
Packer Detector : PEiD
Monitoring tools ( g stry, network, process):
g (regi y, ,p )
Regshot, Wireshark, Process Monitor

e 12

SGU Malware Re
esearch Publications
Firdausi I., Lim C., Erwin A., Nugroh A. S., “Analysis of Machine learning
ho
Techniques Used in Behavior-Base Malware Detection,” 2010 Second
ed
International Conference on Advances in Computing, Control, and
Telecommunication Technologies, J k t 2 D
T l i ti T h l i Jakarta, December 2010
b 2010.
Simanjuntak D. A., Ipung H. P., Lim C., Nugroho A. S., “Text Classification
Techniques Used to Faciliate Cyber Terrorism Investigation,” 2010
r
Second International Conference on Advances in Computing, Control,
and Telecommunication Technolog gies, Jakarta, 2 December 2010.
Christian R., Lim C., Nugroho A. S., Kisworo M., “Integrating Dynamic
, Integrating
Analysis Using Clustering Techniqu for local Malware in Indonesia,”
ues
2010 Second International Conferen on Advances in Computing,
nce
Control, and Telecommunication Te echnologies, Jakarta, 2 December
2010.
Endy, Lim C., Eng K.I., Nugroho A.S “Implementation of Intelligent
S.,
Searching Using Self Organizing M for Webmining Used in Document
Self-Organizing Map
Containing Information in Relation to Cyber Terrorism,” 2010 Second
International Conference on Advances in Computing, Control, and
Telecommunication Technologies, Jakarta, 2 December 2010.

e 13

SGU Curr
rent Research
Indonesia Malware Profiling
Forensic Research on Remnant Data
Cloud Security
y

e 14

Agenda
A
Background
re
ch
nthony
William Ang
Malware Sample Resu
ults
(step by step)
(step-by-step)
Questions & Answers

e 15

Ho
oneypot

e 16

Why Using Honeypo in Malware Analysis Lab
ot

Used to capture Autono
omous Spreading
Malware / Worm.
We as a CERT ( Compu Emergency
uter
Response Team) must find a way to stop the
spreading and the counter measure.
Late response on Worm infection can cause
m
massive damage.
Example : Conficker Wo (2008 – 2009)
orm
Caused around 9.1 Billion USD /
78 triliun Rupiah

e 17

Introductio to Honeypot
on

“Is a decoy that is used to lu
ured malware or attacker
(hacker).”

“It is a computer that have n production value, so if it is
no
compromised or destroyed sh hould not affect the activities
of the companies.”

e 18

Honeypot Bas on Interaction
sed

Two kinds of honeypo :
ot

Low Interaction Honeypo
ot

High Interaction Honeyp
pot

e 19

Low Interaction Honeypot
Do not implements actual service
Disguise as a real s
system
Good for finding known attack and
g
expected behavior
Usually automated
Lower cost needed
Example : Nepenthe Amun, Dionaea
es,

e 20

High Intera
action Honeypot
It is a “real” system usually with
m
different configuration than the real
g
system.
Riskier than Low-Interacti it d e to
Lo Interactivity due
“Allow all” configur
ration
Difficult to maintain and manually
n
configure
Higher cost needed
Example : Physical HIH, Virtual HIH

e 21

Table of Comparison
f

Low-inte
eraction High-interaction

Degree of interaction Lo
ow High

Real operating system No
N Yes

Risk Lo
ow High

Knowledge gain Connectio
on/Request Everything

Can be conquered No
N Yes

Maintenance time Lo
ow High

e 22

Choosin Honeypot
ng
Must know the pu
urpose :
Detecting attacker ?
Risk Identification ?
Risk Mitigation & AAnalysis ?
Identifying
Id tif i new thre t ?
th eats
Research ?

e 23

SWISS GERMA UNIVERSITY
AN
HONEYPOT 2010 - NEPENTHES

e 24

Nep
penthes
Low interaction Hon
neypot
Resource needed : Low
New Vulnerabilities : No
New Exploits : Yes
Maintenance Time : Low
Risk : Low
Installed
I t ll d on VMW re
VMWar
Windows -> Ubuntu - Nepenthes
-> p

e 25

SGU Honeyne Physical Design
et

e 26

SGU Honeyn Logical Design
net

e 27

Malware Capture ( 3.06.10 – 24.07.10)
ed

427 Malwares and 111 Uniqu Malwares
ue

e 28

Dynamic Ana
alysis Using AVG
Type Na
ame Total
Trojan Horse Backdoor Rbot.IN 1
Trojan Horse Generic15.EHT 1
Trojan Horse Generic17.ASMD D 1
Trojan Horse Generic2_c.AGVVC 1
Trojan Horse IRC/Backdoor SdBot2.HHB 7
Trojan Horse IRC/Backdoor SdBot2.KWD 4
Trojan Horse IRC/Backdoor SdBot2.RJW 19
Trojan Horse SpamTool.EZW 1
Virus
Vi BackDoor.Rbot
B kD Rb t 1
Win32 Virus Heur 2
Win32 Virus Virut 7
Win32 Virus Virut.AA
Virut AA 3
Worm Allaple.A 9
Worm Allaple.B 30
Worm Allaple.C 7
Worm Allaple.D 11
Worm Allaple.E 3
Worm Allaple.L
p 1
Unknown Unknown 2

e 29

Dynamic Analys Using Kaspersky
sis
Type Na
ame Total
Backdoor FlyAgent.k 1
Backdoor Nepoe.mk
Nepoe mk 1
Backdoor Nepoe.tv 1
Backdoor Rbot.adqd 7
Backdoor Rbot.advj 1
Backdoor Rbot.aftu 21
Backdoor Rbot.bni 4
Backdoor Rbot.bqj 6
Net-Worm Allaple.b 39
Net-Worm
N tW Allaple.d
All l d 2
Net-Worm Allaple.e 17
Trojan-PSW Kukudva.ad 1
Trojan Agent.ayuc 1
Trojan VB.ahzy 1
Virus Virut.av
Virut av 3
Unknown Unknown 5

e 30

Agenda
A
Background
re
ch
nthony
William Ang
Malware Sample Resu
ults
(step by step)
(step-by-step)
Questions & Answers

e 31

Dionaea

e 32

Dionaea
Dionaea is Nephe entes predecessor.
Dionaea is lo int
low teraction hone pot
honeypot
Dionaea has many new functions,
y
such as using libeemu, support TLS
and IPv6.
IPv6
Dionaea using Py yhton as scripting
language

e 33

How Dio
onaea works
Dionaea works like Nephentes.
Dionaea intentison is to trap malware
exposed by services offered by a
network.
net ork
In order to minimize the possible of
e p
bugs, dionaea can ddrop privileges and
chroot.
Dionaea using SMB protocol as the main
B
protocol
t l

e 34

How Diona Work(Cont.)
aea
Dionaea using SMB protocol as the
B
p
protocol.
Dionaea using libem to detect and
mu
evaluate
e al ate the pa load.
payloa
Once dionaea gaine the location of the
g ed
file, the attacker wants it to downloads
from the shellcode, dionaea will try
download the file.

e 35

ollected in a day
Malwares co

70

60

64
50
62

40
56 53

30

20

10
10
1
0
1

12/5/2011 13/5/2011 14/5/2011 18/5/2011 19/5/2011 20/5/2011

e 36

Attack in a week (List every one hour)
k
1600

1400

1200

Attack in a week (List every one hour)
w
1000

800

600

400

200

0
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

e 37

Agenda
A
Background
re
ch
nthony
William Ang
Malware Sample Resu
ults
(step by step)
(step-by-step)
Questions & Answers

e 38

Malware Map in Indonesia

e 39

Future Malwar Map in Indonesia
re

Indonesia Honeynet
Malwar Repository
re

e 40

The call for In
ndonesia Honeynet
Malware collected from all universities in
Indonesia

All malware sample sent to IDSIRTII for
es
Malware repository
p y

Lots of research can be performed on
these malware samples
p

e 41

Agenda
A
Background
re
ch
nthony
William Ang
Malware Sample Resu
ults
(step by step)
(step-by-step)
Questions & Answers

e 42

La Time
ab

Setup D
Dionaea
(step-b
by-step)

e 43

Setup Information
Requirement:
Ubuntu 9.10 or 10 10
9 10 10.1
Honeypot ( Dionaea)
y a)
Internet Connection (IP Public)
n

Software download from:

e 44

Question & Answers
ns

e 45

Workshop on Setting up Malware Lab

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (13)

Destacado

Destacado (9)

Similar a Workshop on Setting up Malware Lab

Similar a Workshop on Setting up Malware Lab (20)

Último

Último (20)

Workshop on Setting up Malware Lab