Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014

Malware
Analysis
N00b to Ninja in 60 Minutes*
@grecs
NovaInfosec.com
* Most listeners do not become Ninjas in under 60 minutes.

Disclaimer
• Opinions expressed do not express the views
or opinions of my
– my employers
– my customers,
– my wife,
– my kids,
– my parents
– my in-laws
– my high school girlfriend from Canada
Malware Analysis: N00b to Ninja in 60 Mins NovaInfosec.com@grecs,

Pic of hacked sites; news articles of breaches, mid-2000s

Infosec COTS

Agenda
• Introduction
• Environment
• Methodology
• Where to Learn
More
• Conclusion

Introduction
WARNING!!!
DO NOT ANALYZE MALWARE
ON PRODUCTION SYSTEMS
Security Analysts Looking to Expand Skills
beyond Event Monitoring & Basic Analysis
General Security Practitioners Interested in
Getting Started in Malware Analysis

Introduction
What Is Malware Analysis
• The Analysis of Malware ;)
• Reverse Engineering Malware to Understand
How It Works and What It Does
• Types
– Triage
– Dynamic Analysis
– Static Analysis
“Mastering 4 Stages of Malware Analysis” – Lenny Zeltser

Introduction
What Is Triage?
• Definition
– Quickie Analysis To Understand as Much as
Possible about the Malware
• Goals
– Gain Gist of What Malware Is & What Could Do
What How
Determine Basic Running Properties Automated Analysis
See If Others Found Hash Search
Analyze File Props (type, imports) PE Examination
Find Textual Clues of Activity (if packed) Strings

Introduction
Triage
Is That Enough?

Introduction
What Is Dynamic Analysis?
• Definition
– Execute Malware & Watch What It Does
• Goals
– Acquire Understanding of How Malware Acts
What How
Sense Host Changes Registry, File, Log, … Monitoring
Uncover Runtime Properties Process Monitoring, Memory Analysis*
Reveal Network Activity TCP/UDP Monitoring (DNS, HTTP, HTTPS)

Introduction
Dynamic Analysis
• Process
– Establish Baseline of Environment
– Start Monitoring Applications & Execute Malware
– Monitor Activities & Stop Monitoring Applications
– Analyze Differences & Activity Recorded

Introduction
Dynamic Analysis
Is That Enough?

Introduction
What Is Static Analysis?
• Definition
– Disassemble Malware Down to Computer Instructions
• Goals
– Reverse Engineer to Understand Exactly What It Does
Easy
Hard

Environment
• Platform
– Virtual
– Physical
• Options
– Automated
– Single Box
– Dual Box

Environment
Platform
• Virtual
– Efficient & Easy to Setup
– Snap-Shots to Revert Back To
– Malware Detecting VM & Terminating
– Note: Use Non-Host Connected Interface (host-
only doesn’t count)
• Physical
– VM Detection Not Possible
– Resource Intensive

Environment
Options
• Automated
– Triage Analysis Performed in Automated Environment
– Emulates User Execution of & Interaction with Malware
– Collects Artifacts on Malware Activity
• Single Box
– Triage and/or Dynamic Analysis Performed on One Machine
– Potential Risk of Malware Sabotaging
• Dual Box
– Mitigates Some Sabotage Risk
– Gateway to Simulate a Network
– Realistic External View (ports
open, network traffic)

Environment
Automated Analysis
• Online
– Malwr.com
– Norman Sandbox
– GFI Sandbox
– Anubis
– ThreatExpert.com
• In-House
– Commercial Products – e.g., Companies Above
– Open Source – e.g., Cuckoo Sandbox
– Minimum: Machine Loaded with Several AV Products
Pic here showing one online form

Environment
Automated Analysis
• Cuckoo Sandbox
– Automated Dynamic Analysis of Malware
– Data Captured
• API Calls: Trace of Relevant Win32 API Calls Performed
• Network Traffic: Dump of Traffic Generated During Analysis
• Screenshots: Taken During Analysis
• Files: Created, Deleted, and Downloaded by Malware
• Assembly Instructions: Trace of Assembly Instructions
Executed
– Setup
• Can Be Frustrating
CuckooBox: http://cuckoobox.org/

Environment
Automated Analysis

Environment
Single Box
• Start with Base Unpatched Win XP SP2 Box in VMware
– Similar to First Set of Post-Install Instructions for
Metasploit Unleashed
– Turn Off Automatic Updates
– Disable Alerts
• Where to Get
– eBay, NewEgg, etc.
– Windows Evals
• Current Eval: http://technet.microsoft.com/en-us/evalcenter/default
• Previous Vs: http://technet.microsoft.com/en-us/evalcenter/dn407368
• Modern IE: http://www.modern.ie/ (even Windows XP)
– AWS (servers only)

Environment
Single Box
• Install Triage Analysis Tools
– Strings
• Strings from Sysinternals (also strings2)
• BinText from McAfee
– PeStudio
– FileInsight
• Hex Editor & Analysis Tool by McAfee

Environment
Single Box
• Install Dynamic Analysis Tools
– Process Monitor
• Exposes File System, Registry & Process Activity that Started
During Malware Execution
– Process Explorer
• Advanced Task Manager Replacement
• Reveals Info about Handles/DLLs Processes Opened/Loaded
– WireShark (along with WinPCAP)
• Sniffer to Capture Malware-Initiated Network Traffic
– RegShot
• View Changes Malware Makes in the Registry/File System
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653
WireShark: https://www.wireshark.org/
RegShot: http://sourceforge.net/projects/regshot/

Environment
Single Box
• Install Dynamic Analysis Tools (cont)
– TCPView
• Allows Detection of Malware Initiated Network
Connections
– FakeNet
• Aids Dynamic Analysis of Malicious Software
• Simulates Network so Malware Thinks Its Interacting
with Remote Hosts
• DNS, HTTP, SSL, Dummy Listener
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437
FakeNet: http://practicalmalwareanalysis.com/fakenet/

Environment
Single Box
• Install Static Analysis Tools
– OllyDbg with OllyDump Plugin
• General Disassembler/Debugger for Windows Used to
Analyze Malware in Assembly
• Plugin to View Encrypted Malware When In Memory
– Specialized Tools
• PDFs: Didier Stevens’s pdfid.py & pdf-parser.py
• Flash: SWFTtools
• Others: Office, Java, JavaScript
OllyDbg: http://www.ollydbg.de/
OllyDump: http://www.openrce.org/downloads/details/108/OllyDump
Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/

Environment
Single Box - Others
• Other Ideas for Base Install or On-the-Fly
– Several AV Products
– Users of Various Permissions
– Malware Analysis Pack (FakeDNS, Right-Click Opts – MD5, strings, VT)
– CaptureBAT
• File Analysis Tools
– WinHex (restrictions under eval version; priced high for hobbyist)
– 010 Editor (30 day eval; priced high for hobbyist)
– FileAlyzer (similar to PeStudio but different capabilities)
• Forensics
– FTK Imager Lite
– Autopsy/The Sleuth Kit
– DumpIt
– Volatility

Environment
Single Box
• Baseline
– Configure VM to "Host-Only” Mode Secluded Network
• Temporarily Change to NAT to Download Malware
• Write-Once Media (e.g., CDs)
• USB Key with Physical Write-Protect Switch
– Imation USB 2.0 Clip Flash Drive
– Kanguru Flashblu 2
– Snapshot VM
• Rinse & Repeat
– Library of Different OSs at Various SPs (XP SP1, 2, & 3)

Environment
Dual Box – Fake Gateway Server
• Second Machine for Target to Connect To
– Additional Advantage of Examining Network Traffic without
Possible Malware Sabotage
– Implement Linux Server in VMware & Configure to Be Default
Route on Victim Machine
– Should Have Fixed IP Addresses
• Enable or Install Software that Provides Needed Services
– DNS: Configured to Return Fake Servers IP for All Queries
– HTTP
– IRC
– Others: DHCP, FTP, SSH
– Other Services Depending on
Goal of Analysis

Environment
• Install Network Analysis Tools
– WireShark: Records Network Traffic from Victim
– Netcat: Start Needed Ad-Hoc Services
– Nmap: Scan for Open Ports External to Victim
• Snapshot Fake Server Revert Back To

Environment
• REMnux
– Created by Lenny Zeltser
– ISO or Virtual Appliance
– Triage
• Load Malware on & Analyze
• Web-Based Malware (e.g., Malicious JavaScript, Java Programs, &
Flash Files)
• Malicious Documents (e.g., Microsoft Office & Adobe PDF files)
• Utilities for Reversing Malware through Memory Forensics
• Emulate Network Services Used as Fake Gateway Server
• Emulate Services in Isolated Lab Environment
• Infects Another Laboratory System with Malware Sample
• Directs Potentially-Malicious Connections to REMnux that's Listening
on Appropriate Ports
REMnux: http://zeltser.com/remnux/
v4

Environment

Environment
Malware Sources – To Learn With+
• PracticalMalwareAnalysis.com/labs
• ContagioDump.blogspot.com
• VirusShare.com (request invite)
• Malwr.com (if select share)
• Malware-Traffic-Analysis.net

Methodology
1. Triage
2. Dynamic Analysis
3. Static Analysis

Methodology
1. Triage Checklist
 Run through External/Internal
Sandbox Services for QnD Results
• Goals: Rough Understanding of
Malware Activities
• Tools: Cuckcoo, Malwr.com, Norman,
GFI Sandbox, Anubis, ThreatExpert.com
 b. MD5 Hash Comparison (can run
live is possible)
• Goals: When Compiled, Packed or
Obfuscated)
• Tools: VirusTotal.com, PeStudio, Google
Hash
 c. Determine Real File Type
• UNIX “file” Command and/or TrID
• Open in FileInsight & Look for Magic
Numbers: Win Exe (MZ), PDF (%PDF),
ZIP (PK), … (more at Wikipedia)
 Analyze Imports
• Goals: Discovery Interesting Libs
Malware May Be Importing (networking
APIs for non-networking app)
• Tools: PeStudio, PEView
 Extract Readable Strings
• Goals: Discover Interesting Data Points
like Host Name & IP Addresses
• Tools: strings, strings2
 Unpack If Needed
• Tools: OllyDump, PE Explorer (UPX built-
in)
 Specialized Tools
• E.g., pdfid.py, pdf-parser.py, SWFTtools
a.
b.
c.
d.
e.
f.
e.
MASTIFF: Open Source Linux Tool Automates Much of Above
(on REMnux)
v4

Methodology
2. Dynamic Analysis Checklist
 Establish Baseline of Environment
• Add Target Software: Reader, Java,
Flash, browsers (OldVersion.com /
OldApps.com)
• Disable Windows Firewall
• Create Snapshot if Testing Multiple
Times
 Start Monitoring Apps & Execute
Malware
• Take RegShot & Start WireShark,
Process Monitor, Process Explorer,
FakeNet & TCPView
• Monitors File and Registry Access,
Network Traffic, Process Creation, etc.
• Execute Malware & Let it Run for 15
Minutes or Until Activity Dies Down
 Monitor Activities & Stop Monitoring
Applications
• Watching WireShark, Process Monitor,
& TCPView for Anything Interesting
• Take Second RegShot & Stop WireShark,
Process Monitor, FakeNet
 Analyze Differences & Activity
Recorded
• Compare Initial & Final RegShots
• Review All Monitoring Tool Logs
a.
b.
c.
d.
RegShot: Set Scan dir1 option to c:

Methodology
3. Static Analysis
• Use OllyDbg or IDA Pro to Disassemble &
Analyze Deobfuscated Malware
 Just Stare at It
 ...
 Stare Some More
 ...
 And Some More
a.
b.
c.
d.
e.

Where to Learn More
OpenSecurityTraining.info

Where to Learn More
• OpenSecurityTraining.info
– “Intro x86”
• http://opensecuritytraining.info/IntroX86.html
– “Reverse Engineering”
• http://opensecuritytraining.info/IntroductionToR
everseEngineering.html
– “Malware Dynamic Analysis
• http://opensecuritytraining.info/MalwareDynami
cAnalysis.html
– “Malware Static Analysis”
• http://opensecuritytraining.info/ReverseEngineer
ingMalware.html
• Matt Briggs & Frank Poz
• “Practical Malware Analysis” by M. Sikorski/A.
Honig

Where to Learn More
• Hacker Academy
– “Reverse Engineering”
• Foundation RE Material
& Concepts
• Covers Many Malware
Analysis Tech & Tools
– PE File Format
– Packers & Unpackers
– Ollydbg
– Digital Forensics
– Other Classes
• “Ethical Hacking”
• “Penetration Testing”
• “Cutting Edge”
Annual Pro Enrollment: $699
NovaInfosec.com Discount: $599
Free 30-Day Trial
http://bit.ly/grecshackerdeal

Where to Learn More
• Zeltser.com
– Malware Analysis Toolkit: http://zeltser.com/malware-analysis-
toolkit/
– Intro to Malware Analysis: http://zeltser.com/reverse-
malware/intro-to-malware-analysis.pdf
• Certifications: SANS GREM, EC-Council CHFI
• NIST: 800-94, 800-83, 800-61
• NovaInfosec
– Workshop Style? Here?
– Follow @grecs for Announcement

Where to Learn More
• MAnux
– Pre-Build VM with Cuckoo Sandbox Installed
– Future
• Dynamic Analysis Tools as Different Snapshot
• …

Conclusion
• Introduction
• Environment
– Platform
– Automated
– Single Box - Analysis
– Dual Box – Fake Gateway
• Methodology
– Triage
– Static Analysis
• Where to Learn More
– OpenSecurityTraining.info
– NovaInfosec/Hacker Academy
– Zeltser.com
• Conclusion

Questions?
• Presentation http://bit.ly/grecsbsideslv
• Twitter @grecs
• Website NovaInfosec.com
• Contact http://bit.ly/nispcontact
• Hacker Academy http://bit.ly/grecshackerdeal

Backup

DYNAMIC ANALYSIS
Step-by-Step

Methodology
2. Dynamic Analysis (Setup)
Be Careful

Methodology
2. Dynamic Analysis (Regshot & Wireshark)
b-1.
b-3.
b-2.

Methodology
2. Dynamic Analysis (Process Monitor)
b-4. b-5.
b-6.

Methodology
2. Dynamic Analysis (Process Explorer)
b-7. Just Start

Methodology
2. Dynamic Analysis (FakeNet)
b-8. Just Start

Methodology
2. Dynamic Analysis (TCPView)
b-9. Just Start

Methodology
2. Dynamic Analysis (Execute Malware)
• Double-Click EXE
• Rundll32.exe DLLName, Export arguments
– PE Explorer to Discover Export arguments
– E.g., rundll32.exe rip.dll, Install
• Visit Website
• Watch All Monitoring Tools & Stop When
Activity Dies Down
b-10. Execute Malware
c-1. Just Monitor

Methodology
2. Dynamic Analysis (Spin Down)
c-2.
c-4.
c-3.

Methodology
c-5.

Methodology
c-6.

Methodology
2. Dynamic Analysis (Analysis)
• Save Logs for Future Reference
• Compare Initial & Final RegShots & Review All
Monitoring Tool Logs
c-7.
d.

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014

Ähnlich wie Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014 (20)

Mehr von grecsl

Mehr von grecsl (7)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, 2014