These were the slides used in in my presentation at TakeDownCon St. Louis on June 3, 2013.
Abstract: Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a “ninja” per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
More on various aspects of this talk can be found at the following URL:
https://www.novainfosec.com/tag/malware-analysis/
21. Introduction
WARNING!!!
DO NOT ANALYZE MALWARE
ON PRODUCTION SYSTEMS
SOC Analysts Looking to Expand Skills beyond
Event Monitoring & Basic Analysis
General Security Practitioners Interested in
Getting Started in Malware Analysis
23. Environment
Setup
• Virtual
– Efficient & Easy to Setup
– Snap-Shots to Revert Back To
– Malware Detecting VM & Terminating
• Physical
– VM Detection Not Possible
– Resource Intensive
NoVA Infosec https://www.novainfosec.com/
25. Environment
Options
• Single Box
– All Analysis Performed on One Machine
– Risk of Potential Malware Sabotage
• Dual+ Box
– Mitigates Some Potential Sabotage
– Gateway to Simulate More Real Network
– Realistic External View (ports open, network
traffic)
NoVA Infosec https://www.novainfosec.com/
26. Environment
Options – Single Box
• Start with Base Unpatched Windows XP SP2 Box in VMware
– Similar to First Set of Post-Install Instructions for Metasploit
Unleashed
– Switch to Classic View
– Disable Windows Firewall
– Turn Off Automatic Updates
– Disable Alerts
– Uncheck Simple File Sharing
• Add Target Software
– Older Versions If Needed
• Starting Points: OldVersion.com & OldApps.com
• Google for Others
27. Environment
Options – Single Box
• Install Dynamic Analysis Tools
– Process Monitor
• Show Processes that Started During Malware Execution
– Process Explorer
• Shows Files, Registry Keys, … Opened by Malware
– WireShark
• Sniffer to Capture Network the Malware May Make
– RegShot
• View Changes Malware May Make in the Registry
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653
WireShark: https://www.wireshark.org/
RegShot: http://sourceforge.net/projects/regshot/
28. Environment
Options – Single Box
• Install Dynamic Analysis Tools (cont)
– TCPView
• Allows Detection of Malware Initiated Network Connections
– Malware Analysis Pack
• MAP FakeDNS
• MAP Right-Click (MD5 Hash, Strings, VirusTotal)
– FakeNet
• Aids Dynamic Analysis of Malicious Software
• Simulates Network so Malware Thinks Its Interacting with
Remote Hosts
• DNS, HTTP, SSL, Dummy Listener
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437
MAP: http://www.woodmann.com/collaborative/tools/index.php/Malcode_Analysis_Pack
FakeNet: http://practicalmalwareanalysis.com/fakenet/
29. Environment
Options – Single Box
• Install Static Analysis Tools
– OllyDbg with OllyDump Plugin
• General Disassembler/Debugger for Windows Used to Analyze
Malware in Assembly; Plugin to View Encrypted Malware
– IDA Pro
• Windows Disassembler/Debugger with Freeware Alternative
– 010 Editor
• Standard Hex Editor
– Specialized Tools
• PDFs: Didier Stevens’s pdfid.py & pdf-parser.py
• Flash: SWFTtools
• Others: Java, JavaScript
OllyDbg: http://www.ollydbg.de/
OllyDump: http://www.openrce.org/downloads/details/108/OllyDump
IDA Pro Freeware: http://www.hex-rays.com/products/ida/support/download_freeware.shtml
Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/
30. Environment
Options – Single Box
• Baseline
– Configure VM to "Host-Only” Mode Secluded
Network
• Temporarily Change to NAT to Download Malware
• Write-Once Media (e.g., CDs)
• USB Key with Physical Write-Protect Switch
– Imation USB 2.0 Clip Flash Drive
– Kanguru Flashblu 2
– Snapshot VM
NoVA Infosec https://www.novainfosec.com/
31. Environment
Dual+ Box – Fake Gateway Server
• Second Machine for Target to Connect To
– Additional Advantage of Examining Network Traffic without
Possible Malware Sabotage
– Implement Linux Server in VMware & Configure to Be Default
Route on Victim Machine
– Should Have Fixed IP Addresses
• Enable or Install Software that Provides Needed Services
– DNS: Configured to Return Fake Servers IP for All Queries
– HTTP
– IRC
– Others: DHCP, FTP, SSH
– Other Services Depending on Goal of Analysis
NoVA Infosec https://www.novainfosec.com/
32. Environment
Dual+ Box – Fake Gateway Server
• Install Network Analysis Tools
– WireShark: Records Network Traffic from Victim
– Netcat: Start Needed Ad-Hoc Services
– Nmap: Scan for Open Ports External to Victim
• Snapshot Fake Server Revert Back To
NoVA Infosec https://www.novainfosec.com/
33. Environment
Preconfigured
• REMnux
– Created by Lenny Zeltser
– ISO or Virtual Appliance
– Static Analysis
• Load Malware on & Analyze
• Web-Based Malware (e.g., Malicious JavaScript, Java Programs, &
Flash Files)
• Malicious Documents (e.g., Microsoft Office & Adobe PDF files)
• Utilities for Reversing Malware through Memory Forensics
– Dynamic Analysis
• Emulate Network Services Used as Fake Gateway Server
• Emulate Services in Isolated Lab Environment
• Infects Another Laboratory System with Malware Sample
• Directs Potentially-Malicious Connections to REMnux that's Listening
on Appropriate Ports
REMnux: http://zeltser.com/remnux/
v4
35. Environment
Preconfigured
• CuckooBox
– Automated Dynamic Analysis of Malware
– Data Captured
• Trace of Performed Relevant Win32 API Calls
• Dump of Network Traffic Generated During Analysis
• Creation of Screenshots Taken During Analysis
• Dump of Files Created, Deleted and Downloaded by the
Malware During Analysis
• Trace of Assembly Instructions Executed by Malware
Process
CuckooBox: http://cuckoobox.org/
38. Methodology
1. Triage
Run through External Sandbox
Services for QnD Results If Possible
• Goals: Establish Rough Idea of Malware
Activities
• Tools: Norman Sandbox, GFI Sandbox,
Anubis, ThreatExpert, …
b. MD5 Hash Comparison (can run
live is possible)
• Goals: When Compiled, Packed or
Obfuscated)
• Tools: VirusTotal.com, MAP, FileAlyzer,
Google Hash
c. Determine Real File Type
• UNIX “file” Command and/or TrID
• Open in 010 & Look for Magic Numbers:
Win Exe (MZ), PDF (%PDF), ZIP (PK), …
(more at Wikipedia)
Unpack If Needed
• Tools: OllyDump, PE Explorer (UPX built-
in)
Analyze Imports
• Goals: Discovery Interesting Things
Malware May Be Importing (networking
APIs for non-networking app)
• Tools: FileAlyzer (PD Imports tab)
f. Extract Readable Strings
• Goals: Discover Interesting Data Points
like Host Name & IP Addresses
• Tools: MAP
Specialized Tools
• E.g., pdfid.py, pdf-parser.py, SWFTtools,
…
a.
b.
c.
d.
e.
f.
e.
MASTIFF: Open Source Linux Tool Automates Much of Above
(on REMnux)
v4
39. Methodology
2. Dynamic Analysis
• Take RegShot & Start WireShark, Process Monitor,
Process Explorer, FakeNet & TCPView
– Monitors File and Registry Access, Network Traffic, Process
Creation, etc.
• Execute Malware & Let it Run for 15 Minutes or Until
Activity Dies Down
– Watching WireShark, Process Monitor, & TCPView for
Anything Interesting
• Take Second RegShot & Stop WireShark, Process
Monitor, FakeNet
• Compare Initial & Final RegShots & Review All
Monitoring Tool Logs
a.
b.
c.
d.
NoVA Infosec https://www.novainfosec.com/
45. Methodology
2. Dynamic Analysis (Execute Malware)
• Double-Click EXE
• Rundll32.exe DLLName, Export arguments
– PE Explorer to Discover Export arguments
– E.g., rundll32.exe rip.dll, Install
• Watch All Monitoring Tools & Stop When
Activity Dies Down
b. Just Monitor
49. Methodology
2. Dynamic Analysis (Analysis)
• Save Logs for Future Reference
• Analyze
c-6.
c-7.
NoVA Infosec https://www.novainfosec.com/
50. Methodology
3. Static Analysis
• Use OllyDbg or IDA Pro to Disassemble &
Analyze Deobfuscated Malware
– Just Stare at It
– ...
– Stare Some More
– ...
– And Some More
d.
NoVA Infosec https://www.novainfosec.com/
52. Where to Learn More
• OpenSecurityTraining.info
– “Reverse Engineering Malware”
• Matt Briggs & Frank Poz
• “Practical Malware Analysis” by M. Sikorski/A. Honig
• http://opensecuritytraining.info/ReverseEngineeringM
alware.html
53. Where to Learn More
• Malware Analysis Toolkit:
http://zeltser.com/malware-analysis-toolkit/
• OpenRCE: http://www.openrce.org/
• TrainACE
– Advanced Malware Analysis (AMA)
• NoVA Infosec
– Workshop Style
– Posts
• Videos, how-tos, etc. on news, process,es, REMnux, Noriben,
and more
• http://novainfosec.com/tag/malware-analysis
54. Conclusion
• Introduction
• Environment
– Setup
– Single Box - Victim
– Dual+ Box – Fake Server
– Preconfigured
• Methodology
– Triage
– Dynamic Analysis
– Static Analysis
• Where to Learn More
– OpenSecurityTraining.info
– Zeltser.com
– OpenRCE.org
• Conclusion
NoVA Infosec https://www.novainfosec.com/