Malware Analysis: Collaboration, Automation & Tuning - from Shmoocon 2013

2. Malware Analysis
Collaboration
Automation
Training
Richard Harman @ ShmooCon IX

3. Richard Harman
● Lead Intrusion Analyst @ SRA, Inc SOC
● Started out as a SysAdmin
● Info Sec Analyst for 8 years
● Member of NoVA Hackers group
● Co-Founder of Nova Labs in Reston, VA
xabean warewolf
richard@richardharman.com

4. Ingredients
● Intro to Malware Analysis & Tools
● Open Source Virtualization
● VM Efficiency & Consistency
● Light-weight VMs & Automating them
● Training – You're Doing It Wrong

5. Malware Analysis

6. Brain Food
● Books:
● Filesystem Forensic Analysis
● Windows Forensics Analysis Toolkit
● Malware Analyst's Cookbook
● Practical Malware Analysis
● Reversing: Secrets of Reverse Engineering
● Training:
● SANS GREM FOR610
● ... upcoming classes ; )

7. The Process
1) Baseline System State
2) Monitor & Log System Activity
3) Infect system
4) Suspend, Dump & Terminate Processes
5) Stop Monitoring
6) Review Monitored Activity
7) Compare new state to baseline

8. The Essentials
System Baseline Memory Analysis
● Regshot ● Volatility Framework
● Autoruns
General Analysis Logging / Tracing
● OfficeCat ● OllyDbg & Plugins
● FileInsight ● IDA Pro
● Wireshark ● Procmon
● Didier Stevens's Tools ● Capturebat

9. Front-ends for sweet utilities
Two I use most: Procmon & Autoruns
➔ @DaveHull is working on autorunalyzer on
github.com/davehull/autorunalyzer – .py is a WIP,
.sh version exists
➔ I (@xabean) wrote a Procmon XML processor on
github.com/warewolf/Procmon

10. Virtualization
RAM efficiency

11. 512 MB 1 GB 512 MB
XLS DOC
sample sample

12. 512 MB 1 GB 512 MB
STRESS
XLS DOC
sample sample

13. DEDUPLICATION
1 GB
NO DEDUPLICATON
1 GB

14. RAM De-dupe (Merging) Support
● Linux/QEMU/KVM – Kernel Samepage Merging
● VMware – Transparent page sharing
● VirtualBox – Page Fusion
● (requires guest support)
● Xen – Memory Sharing (tech preview)
● Unmerging – Host swaps, or Host asks Guest
to swap.

15. Virtualization
Consistency &
Disk efficiency

16. Adobe Reader 9
Office XP
Adobe Reader 8
Office 2003 Adobe Reader X
Office 2007
Procmon Regshot
Capturebat Wireshark
IDA Pro FileInsight
OllyDbg Autoruns
OfficeCat Olly Plugins

17. CLONES

18. RAW DISK FILE SYSTEMS
iSCSI NFS
ATAoE GFS
FC GLUSTRE

19. Read Only Copy on Write

20. Copy on Write is an enabler
On shared storage
● Enables live VM migration to another analyst
In a RAM disk (tmpfs)
● Snapshots become REALLY FAST.
● About 1 second! (revert/save, 7 shot test)
Images are only changes – they're small
● Dead-box forensic analysis anyone?

21. CoW (Light-Weight) Disk Clones
in Virtualization Software
● VMware
● Workstation has “linked clones”
● ESX(i) wants VMWare VCenter ($$)
● Xen
● OSS: ?? Commercial: yes?
● VirtualBox
● Linked Clones ala VMWare Workstation
● Libvirt + QEmu
● Libvirt LVM: No, QEmu QCOW2: yes (manual)

22. My Malware Environment
● QEmu/KVM (libvirt)
● Windows disk images in LVM, CoW in RAM
● $ qemu-img create -o
backing_file=/dev/vg/base -o
/tmp/ram/overlay.qcow2
● RAM drive full? VMs auto-pause self!
● MITM “internet” Linux VM
● Apache, iptables -J REDIRECT, dnsmasq, samba
● Apache vhosts of copies of websites – google, etc
● Connected to malware network & public network

23. A cluster, not a cluster- FSCK
Virtualization:
● QEmu/KVM + libvirt for migration
Shared disk access:
● Linux tgtd iSCSI – use gigabit ethernet!
– Clustered LVM for base images
– GFS for CoW storage
● Note: disable cache in tgtd

24. Automation

25. libvirt VM Management
Life cycle management:
● Start / Pause / Stop
● Snapshot management
● Dump VM physical memory
Provisioning Automation:
● Capture “parent” XML config
● Modify & define new VM

26. libguestfs for Guest Management
Guest Disk FS management:
● Supports scripting / automation
● Download & Upload files to guest file system
● Extract analyst data from a standard dir
– C:malwareticket_#* --> upload to IR tracking system
Windows Registry Support:
● Change hostname to prevent NetBIOS name
conflicts on same network

27. Provisioning & Automation
● clone-vm.pl
– Clone an existing VM, generate unique MAC &
UUID, create Copy-On-Write disk image, change
hostname in registry.
● insert-zip.pl & extract-zip.pl
– Insert and extract data
● peek.pl
–Dump physical memory of a VM for analysis
● ksmstat.pl
– Monitor KSM efficiency & CPU usage ala vmstat(1)

28. Collaboration
&
Training

29. VM vncreflector
(host:1) vncreflector
FBS
output
(host:99)
FBS VNC video
capture

30. Screencasting & Playback
Screencasting:
● record-vnc.pl to record & screencast
Playback:
● rfbproxy -c -p in inetd
● inetd makes rfbproxy multi-client and self-service
● Shell script to feed rfbproxy VNC videos
● Extra credit: rfbproxy can export to PPM stream
– PPM -> MPEG2 + instructor audio = Training Video

31. What do you have now?
● Consistent analysis VMs w/ efficient resource
use.
● Multi-participant, interactive, live training
sessions.
● Thin-provisioned VM & Acquire analysis data
● Analysis session recorded for future playback
● HQ VNC jukebox (~300MB)
● Medium quality portable MPEG video
(~1.5G)

32. DEMO

33. Next Steps...
● Diff pre/post infection of RAM and FS
● Identify injected code/new executables
● Dump, generate signatures, scan, detect variants of
the same sample
● Make this all a web-app; snapshots, file mgmt,
java applet vnc display
● Auto-provision private networks & VMs per
analyst & remote (VPN) access

34. Thank you Jamie!
● @gleeda / http://gleeda.blogspot.com
● Blackbelt in Volatility & EnCase
● Released a Differential EnScript – diff two
versions of the same disk & report on 'em

35. Nova-Labs.org
● Malware Analysis Lab
● Classes on Malware Analysis
/ Reverse Engineering
● Expected to start in April/May
● $$ not yet set (but expected to be cheap)
● Various Malware samples
● Learn, Teach, pass it on!

36. How do I ....
It's all at:
● warewolf.github.com / thin-provisioning
● Automation Code
● Documentation (still working on it)
● Configs for MITM:
– Apache
– dnsmasq
– iptables config
– samba