1 / 24

Automated Malware Analysis

Automated Malware Analysis. A Look at Cuckoo Sandbox. Introduction. What is Malware? ( mãl'wâr ') - Malicious computer software that interferes with normal computer functions

tadhg
Download Presentation

Automated Malware Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Automated Malware Analysis A Look at Cuckoo Sandbox

  2. Introduction • What is Malware?(mãl'wâr') - Malicious computer software that interferes with normal computer functions • What is Automated Malware Analysis?Taking what has been done by highly skilled professionals in extremely time consuming tasks and making it, quick, easy and repeatable. Automated Malware Analysis is being touted as the “Next Generation Anti-Virus” solution. • Why automate malware analysis?To free up the time from those highly skilled professionals to focus on other things.

  3. Difficulties to Overcome • Malware can be generic or targeted, adding that it can be polymorphic, packed or self modifying code, the number of possibilities are infinite • Manual malware analysis is time consuming • Traditional static analysis takes a very strong and specific set of skills • Manually performing dynamic analysis is tedious at best

  4. Sandboxing • Protected runtime environment • Containment • Monitoring • Automation • Complete command execution • Ease of Use

  5. Predicaments of Sandboxing • Commercial solutions are not always cost effective (FireEye, Dambala) • No guarantee the malware will work the same as in the real world • Sandbox can be detected • Results can be confusing or overwhelming • Automation of exploit analysis is not trivial

  6. Sandboxing Questions • Why are you doing this? • What do you expect to achieve? • What information is most relevant to me or to my organization? • Who is the intended audience for the results to be presented to? • What kind of malware do you want to analyze (Adobe, Office, browser, etc…)? • Where are the malware samples coming from?

  7. Cuckoo Sandbox • Open source automated malware analysis system • Uses virtualization (VirtualBox, KVM, VMWare) • Python based, easy to customize • Multiple report types (JSON, HTML, MAEC) • NOT a drop in replacement for commercial solutions at this point. No automated malware identification or loading.

  8. Cuckoo Sandbox Data Captured • Native functions and Windows API calls traces • Copies of files created and deleted from the filesystem • Dump of the memory of the selected process • Screenshots of the desktop during the execution of the malware analysis • Network dump generated by the machine used for the analysis

  9. Cuckoo Components • Scheduler • Analyzer • Cmonitor • Chook • Virtual Machine

  10. Scheduler • Main component • 100% Python, easily customizable • Dispatches the pending tasks to the pool of virtual machines available • Runs all the modules

  11. Analyzer • Executes the malware • Chosen depending on the platform of the selected machine (Windows only at this time) • 100% Python • Monitors and records systems calls • Meat of the analysis

  12. Cmonitor • DLL using chook to install hooks on predefined win32 functions inside process memory • Gets injected into the target process (QueueUserAPC or CreateRemoteThread) • Logs the functions calls to files

  13. Chook • Custom inline hooking library • Allows definition of custom hook trampolines • Replaced Microsoft Detours

  14. Virtual Machine Usage • Any VM product can be used • Works with Windows as the client (though 7 and 2008 server are still buggy) • Snapshots are used and returned to snapshot state when completed (no infected machine left after analysis) • Client VM can have any configuration or applications installed to test

  15. Execution flow

  16. Submitting New Tasks • Web Interface • Command Line • Options: • VM to use • Platform (windows only as of v.4) • Timeout • Package • Priority • Malware to be Analyzed

  17. Modules and Customization • Analysis • Packages • Machine Managers • Processing • Reporting • Signatures

  18. Analysis • Again 100% Python • Defines how the analyzer should start and interact with the malware • Specified at submission or selected upon file type • Can be written to perform any tasks deemed necessary

  19. Packages • EXEDefault – Windows executables • DLLYou can specify a function to use otherwise DllMain • PDFLaunches Acrobat Reader • DOC or XLSOffice, Need to verify path in package is the same as host OS • IEHTML/JS Browser testing • BINShell code or other generic binary data

  20. Machine Managers • Used to manage the Virtual Machines being used Processing • Modules used to generate a container of normalized information on the analysis that report generation will use

  21. Reporting • Use the normalized results and do something with them • Can use MongoDB for customized reporting and tracking • Built in report types that include all relevant data • Can pull in data from VirusTotal based on MD5

  22. Signatures • Look for patterns or specific events • Assign them a description and severity level • Give context to the reports • Help non-malware experts understand

  23. DEMO

  24. References • Cuckoo Sandbox is a malware analysis system.http://cuckoosandbox.org/ • Malwr.com is a free malware analysis service based on Cuckoo Sandboxhttp://www.malwr.com/ • VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.https://www.virustotal.com/ • Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet securityhttp://www.honeynet.org/ • The Pros and Cons of Dynamic Malware Dissectionhttps://www.damballa.com/downloads/r_pubs/WP_Next_Generation_Anti-Virus.pdf

More Related