Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source Tools


Presentation Transcript


  1. Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source Tools Jim Clausing, PMTS, AT&T CSO 18 Jun 2009

  2. Thanx up front

  3. The Author

  4. Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSP
     • GCIA (Gold) #64 – 2000
     • GCFA (Gold) #25 – 2002
     • GREM (Gold) #48 – 2005
     • And other certs along the way…
     • SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor, Internet Storm Center handler since 2002
     • Instrument-rated private pilot – 2003/2004

  5. The Paper

  6. SANSFIRE 2008

  7. The patches and scripts
     • http://handlers.sans.org/jclausing/grem_gold/
     • http://www.giac.org/certified_professionals/practicals/grem/48.php

  8. The Environment – A Little History

  9. In the beginning

  10. Malware DB

  11. Motivation – The Environment

  12. Forest? Trees?

  13. Unpacking may lead to surprises – like no results

  14. We’ve got malware, now what?

  15. Truman (well, and Joe Stewart) FTW

  16. The Analysis Environment

  17. Processing a Sample

  18. Analysis Flow

  19. Submission
     • [jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i old-malware/; sleep 10; done
     • Archive: 090529-rnd_jpg.piz
     • inflating: rnd.jpg
     • *****Processing rnd.jpg - ONEBOOT******
     • interface: eth1 (4.0.0.0/255.0.0.0)
     • filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )
     • tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
     • listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
     • tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytes
     • Starting Faux FTP Server Emulation on port 21
     • Starting Faux MySQL Server Emulation on port 3306
     • Starting Faux SMTP Server Emulation on port 25
     • Starting Faux SMB Server Emulation on port 445
     • Starting Faux IRC Server Emulation on port 6667
     • Starting Faux DNS Server Emulation on port 53

  20. Monitoring
     • [jac@fltruman001 ~]$ alias status
     • alias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:]\r\n" "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r - -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:]\r\n" "."'

  21. Monitoring, cont’d
     • [jac@fltruman001 ~]$ status
     • Server.exe
     • request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
     • responseIP: 4.3.2.86
     • responseIP: 4.3.2.63
     • response: rcode=NOERROR, … …, auth=, add=, aa=1
     • request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
     • responseIP: 4.5.6.1
     • response: rcode=NOERROR, ans=…, auth=, add=, aa=1
     • Connection from 4.5.6.7
     • USER 0wn@sickbassline.com
     • PASS smokeweed
     • TYPE A
     • PORT 4,5,6,7,4,7
     • STOR User.mps
     • reading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)
     • 4.5.6.7 4.3.2.86 6 1030 21 674 578 9 9 2009-06-04-11:24:02.2148 2009-06-04-11:24:03.3459 1 1
     • 4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-06-04-11:24:09.5569 2009-06-04-11:24:10.4709 1 1
     • input: /tmp/sandnet.pcap
     • filter: (ip) and ( tcp port 80 and not host 4.5.6.1 )
     • match: GET|POST|HEAD|OPTIONS|JOIN
     • ##########exit

  22. Original Truman Analysis Tools

  23. The 4 Areas of Analysis

  24. The Report – Tool Output

  25. Identify the OS
     • Summary report for xxx.xxx-XPSP2-files created at ………
     • OS info>>>
     • kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
     • Ex: kern <path_to_dump_file>
     • File Description : NT Kernel & System
     • File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
     • Internal Name : ntoskrnl.exe
     • Original File Name :
     • Product Name : Microsoft® Windows® Operating System
     • Product Version : 5.1.2600.2180

  26. Analyzing Network Traffic – fauxdns
     • DNS>>>
     • request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
     • responseIP: 4.3.2.51
     • responseIP: 4.3.2.154
     • response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
     • request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
     • responseIP: 4.3.2.104
     • responseIP: 4.3.2.240
     • response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
     • request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
     • responseIP: 4.5.6.1
     • response: rcode=NOERROR, ans=…, auth=, add=, aa=1

  27. Analyzing Network Traffic – fauxftp
     • Connection from 4.5.6.7
     • USER 0wn@sickbassline.com
     • PASS smokeweed
     • TYPE A
     • PORT 4,5,6,7,4,7
     • STOR User.mps

  28. Analyzing Network Traffic – fauxirc
     • IRC>>>
     • 2009-05-27-16:49:17: Connection from 4.5.6.7
     • 2009-05-27-16:49:17: PASS lammers
     • 2009-05-27-16:49:17: NICK [00|USA|296161]
     • 2009-05-27-16:49:18: USER XP-8165 * 0 :ATT
     • 2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x
     • 2009-05-27-16:49:18: JOIN #WiFi-a Crypt
     • 2009-05-27-17:00:13: QUIT System shutting down.
     • 2009-05-27-17:00:15: QUIT Leaving

  29. Analyzing Network Traffic – ipaudit
     • IP traffic>>>
     • src dst proto sp dp bytes pkts start end 1 / 2
     • 4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
     • 4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
     • 4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
     • 4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
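The fauxdns log (slide 26) and the ipaudit flow table (slide 29) are read together by the analyst: the faux DNS server hands out addresses in 4.3.2.0/24 for whatever the sample resolves, so a destination address in ipaudit only means something once it is mapped back to the name that produced it. The following Python is an added example, not a script from the presentation or the Truman toolset. It parses both outputs, drops the expected sandnet background (multicast SSDP/IGMP and the 4.5.6.1 faux-service host), and labels each remaining outbound flow with the queried domain. The inputs are constructed from the slide's own lines; the column order for ipaudit is the one shown on the slide, and summing the two byte/packet columns is this example's choice.

```python
import ipaddress
import re

# Constructed sample input, shaped like the fauxdns log on slides 21/26
# (names, peer and spoofed answer addresses are the slide's own values;
# the "ans=..." field is abbreviated as it is on the slide).
FAUXDNS_LOG = """\
request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.51
responseIP: 4.3.2.154
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.104
responseIP: 4.3.2.240
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
"""

# Constructed sample input in the ipaudit column order shown on slide 29:
# src dst proto sport dport bytes(1) bytes(2) pkts(1) pkts(2) start end flag(1) flag(2)
IPAUDIT_OUT = """\
4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
"""

VICTIM_IP = "4.5.6.7"    # sandnet victim address used throughout the deck
GATEWAY_IP = "4.5.6.1"   # host running the faux services (answers for time.windows.com)
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}

REQUEST_RE = re.compile(r"^request: name=(?P<name>[^,]+), class=IN, type=A, peer=(?P<peer>\S+)")
ANSWER_RE = re.compile(r"^responseIP: (?P<ip>\S+)")


def dns_answer_map(log_text):
    """Map each spoofed answer address back to the name the victim asked for.

    fauxdns prints the request line first and the responseIP lines after it,
    so every answer belongs to the most recent request.
    """
    answers = {}
    current_name = None
    for line in log_text.splitlines():
        req = REQUEST_RE.match(line)
        if req:
            current_name = req.group("name")
            continue
        ans = ANSWER_RE.match(line)
        if ans and current_name:
            answers[ans.group("ip")] = current_name
    return answers


def parse_ipaudit(text):
    """Parse ipaudit rows into dicts; byte and packet counts are summed over both directions."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 13:
            continue  # header or wrapped line
        flows.append({
            "src": fields[0], "dst": fields[1], "proto": int(fields[2]),
            "sport": int(fields[3]), "dport": int(fields[4]),
            "bytes": int(fields[5]) + int(fields[6]),
            "pkts": int(fields[7]) + int(fields[8]),
            "start": fields[9], "end": fields[10],
        })
    return flows


def is_background(ip):
    """Multicast (SSDP, IGMP), broadcast and the faux-service gateway are expected sandnet noise."""
    return ipaddress.ip_address(ip).is_multicast or ip in (GATEWAY_IP, "255.255.255.255")


def triage(ipaudit_text, dns_text, victim=VICTIM_IP):
    """Outbound flows from the victim that are not background noise, each labelled with
    the domain whose spoofed answer produced the destination address."""
    names = dns_answer_map(dns_text)
    findings = []
    for flow in parse_ipaudit(ipaudit_text):
        if flow["src"] != victim or is_background(flow["dst"]):
            continue
        findings.append({
            "dst": flow["dst"],
            "name": names.get(flow["dst"], "<no DNS query seen>"),
            "proto": PROTO_NAMES.get(flow["proto"], str(flow["proto"])),
            "dport": flow["dport"],
            "bytes": flow["bytes"],
            "pkts": flow["pkts"],
            "start": flow["start"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(IPAUDIT_OUT, FAUXDNS_LOG):
        print(f"{f['start']}  {f['name']} ({f['dst']}) {f['proto']}/{f['dport']}  "
              f"{f['pkts']} pkts, {f['bytes']} bytes")
```

On the slide's data this leaves two flows: the HTTP request to sslrapidshare.or.tp (4.3.2.51:80) and the long-lived TCP/4242 connection to gfmd1.or.tp (4.3.2.104), which is the same connection Volatility later attributes to avmont.exe on slide 37. A destination with no matching DNS query is a hint that the sample carries a hard-coded address.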

  30. Analyzing Network Traffic – tshark
     • ===================================================================
     • Protocol Hierarchy Statistics
     • Filter: frame
     • frame                                frames:602 bytes:733467
     •   eth                                frames:602 bytes:733467
     •     ip                               frames:573 bytes:731979
     •       tcp                            frames:387 bytes:146779
     •         http                         frames:30 bytes:22708
     •           short                      frames:5 bytes:17790
     •           data-text-lines            frames:3 bytes:644
     •         data                         frames:8 bytes:849
     •       udp                            frames:57 bytes:10014
     •         nbdgm                        frames:11 bytes:2511
     •           smb                        frames:11 bytes:2511
     •             mailslot                 frames:11 bytes:2511
     •               browser                frames:11 bytes:2511
     •         nbns                         frames:27 bytes:2538
     •         dns                          frames:6 bytes:532
     •         http                         frames:3 bytes:525
     •         ntp                          frames:2 bytes:180
     •         bootp                        frames:8 bytes:3728
     •       short                          frames:127 bytes:575066
     •       igmp                           frames:2 bytes:120
     •     arp                              frames:29 bytes:1488
     • ===================================================================

  31. Analyzing Network Traffic – tcptrace
     • HTTP>>>
     • mod_http: Capturing HTTP traffic (port 80)
     • 1 arg remaining, starting with '../small.pcap'
     • Ostermann's tcptrace -- version 6.6.7 -- Thu Nov 4, 2004
     • 10 packets seen, 10 TCP packets traced
     • elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
     • trace file elapsed time: 0:00:00.017257
     • Http module output:
     • 4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
     • Server Syn Time: Wed May 27 16:49:17.130145 2009 (1243457357.130)
     • Client Syn Time: Wed May 27 16:49:17.130085 2009 (1243457357.130)
     • Server Fin Time: Wed May 27 16:49:17.146947 2009 (1243457357.147)
     • Client Fin Time: Wed May 27 16:49:17.147323 2009 (1243457357.147)
     • GET /here2 HTTP/1.0
     • Response Code: 404 (Not Found)
     • Request Length: 66
     • Reply Length: 468
     • Content Length: 289
     • Content Type : text/html;
     • Time request sent: Wed May 27 16:49:17.130584 2009 (…)
     • Time reply started: Wed May 27 16:49:17.146886 2009 (…)
     • Time reply ACKed: Wed May 27 16:49:17.147077 2009 (…)
     • Elapsed time: 16 ms (request to first byte sent)
     • Elapsed time: 16 ms (request to content ACKed)

  32. Analyzing Disk Image – AIDE
     • ---------------------------------------------------
     • Added files:
     • ---------------------------------------------------
     • added: /mnt/new/WINDOWS/avmont.exe
     • added: /mnt/new/Documents and Settings/All Users/Application Data/TEMP
     • ---------------------------------------------------
     • Removed files:
     • ---------------------------------------------------
     • removed: /mnt/new/WINDOWS/system32/CatRoot2/tmp.edb
     • ---------------------------------------------------
     • Changed files:
     • ---------------------------------------------------
     • changed: /mnt/new/WINDOWS/system32/drivers/etc/hosts
     • changed: /mnt/new/WINDOWS/WindowsUpdate.log
     • changed: /mnt/new/WINDOWS/setupapi.log

  33. Analyzing Disk Image – ADS
     • Alternate Data Streams>>>
     • /mnt/new/Documents and Settings/All Users/Application Data/TEMP -> 75443743
     • getfattr --absolute-names -n ntfs.streams.list -PR /mnt/new

  34. Analyzing Disk Image – RegRipper
     • Registry Run Key changes>>>
     • Registry Service Key changes>>>
     • +AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
     • -RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
     • +RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
     • -wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
     • +wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
     • Firewall changes>>>
     • -EnableFirewall -> 1

  35. Analyzing Disk Image – hosts file*
     • Host file changes>>>
     • +
     • +127.0.0.1 www.symantec.com
     • +127.0.0.1 securityresponse.symantec.com
     • +127.0.0.1 symantec.com
     • +127.0.0.1 www.sophos.com
     • +127.0.0.1 sophos.com
     • +127.0.0.1 www.mcafee.com
     • +127.0.0.1 mcafee.com
     • +127.0.0.1 liveupdate.symantecliveupdate.com
     • +127.0.0.1 www.viruslist.com
     • +127.0.0.1 viruslist.com
     • +127.0.0.1 viruslist.com
     • +127.0.0.1 f-secure.com
     • +127.0.0.1 www.f-secure.com
     • +127.0.0.1 kaspersky.com
     • +127.0.0.1 kaspersky-labs.com
     • +127.0.0.1 www.avp.com
     • +127.0.0.1 www.kaspersky.com
     • +127.0.0.1 avp.com
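Slides 34 and 35 show the two disk-image diffs that most often carry the verdict: a new Auto Start service pointing at the dropped binary, security services flipped from Auto Start to Disabled, and a hosts file that redirects antivirus vendor domains to 127.0.0.1 so the victim can no longer reach their update servers. Reading those +/- lines by eye works for one sample; for a queue of them the diff is worth parsing. The Python below is an added example (not a script from the presentation or RegRipper) that turns the service-key diff into before/after snapshots and reports new services, start-mode changes and removals, and classifies added hosts entries as vendor sinkholes or plain additions. The inputs are constructed in the formats shown on the slides; the vendor name list is drawn from the domains on slide 35, and the final hosts line is an invented non-vendor entry included to show the other branch.

```python
import re

# Constructed sample input shaped like the RegRipper service-key diff on slide 34:
# [+-]ServiceName|DisplayName|ImagePath|Type|StartMode|
SERVICE_DIFF = r"""
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
"""

# Constructed sample input shaped like the hosts-file diff on slide 35; the last line is an
# invented, non-vendor addition so that the non-sinkhole branch is exercised too.
HOSTS_DIFF = """\
+
+127.0.0.1 www.symantec.com
+127.0.0.1 securityresponse.symantec.com
+127.0.0.1 liveupdate.symantecliveupdate.com
+127.0.0.1 www.kaspersky.com
+127.0.0.1 avp.com
+10.0.0.5 example-fileserver
"""

SERVICE_RE = re.compile(
    r"^(?P<sign>[+-])(?P<name>[^|]+)\|(?P<display>[^|]*)\|(?P<image>[^|]*)\|"
    r"(?P<type>[^|]*)\|(?P<start>[^|]*)\|"
)
HOSTS_RE = re.compile(r"^\+\s*(?P<ip>\S+)\s+(?P<host>\S+)")

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
# Vendor name fragments taken from the domains the slide's sample redirected.
AV_VENDORS = ("symantec", "sophos", "mcafee", "viruslist", "f-secure", "kaspersky", "avp")


def parse_service_diff(text):
    """Split the +/- service lines into before/after snapshots keyed by service name."""
    before, after = {}, {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        sign = rec.pop("sign")
        (after if sign == "+" else before)[rec["name"]] = rec
    return before, after


def service_findings(text):
    """Report new services, start-mode changes (e.g. Auto Start -> Disabled) and removals."""
    before, after = parse_service_diff(text)
    findings = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            findings.append(("new_service", name, f"{new['start']} -> {new['image']}"))
        elif old["start"] != new["start"]:
            findings.append(("start_changed", name, f"{old['start']} -> {new['start']}"))
    for name in sorted(before.keys() - after.keys()):
        findings.append(("removed_service", name, before[name]["image"]))
    return findings


def hosts_findings(text):
    """Classify added hosts entries; a vendor domain pointed at a sinkhole address is the
    update-blocking pattern on slide 35."""
    findings = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if not m:  # skips the bare "+" (an added blank line) and any "-" lines
            continue
        ip, host = m.group("ip"), m.group("host").lower()
        if ip in SINKHOLES and any(vendor in host for vendor in AV_VENDORS):
            findings.append(("av_sinkhole", host, ip))
        else:
            findings.append(("hosts_added", host, ip))
    return findings


def disk_diff_triage(service_text, hosts_text):
    """Combined list of (kind, subject, detail) tuples for the report."""
    return service_findings(service_text) + hosts_findings(hosts_text)


if __name__ == "__main__":
    for kind, subject, detail in disk_diff_triage(SERVICE_DIFF, HOSTS_DIFF):
        print(f"{kind:15} {subject:40} {detail}")
```

The service snapshots are keyed by name rather than matched line by line because RegRipper emits the old and new record as separate - and + lines; pairing them by name is what makes the Auto Start -> Disabled transition for wscsvc and RemoteRegistry visible as a single finding.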

  36. Memory Image Analysis – Volatility

  37. Analyzing Memory Image – connections
     • Open Ports>>>
     • Local Address Remote Address Pid
     • 4.5.6.7:1047 4.3.2.104:4242 1484
     • 896 135 6 Wed May 27 20:39:59 2009
     • 1032 1027 17 Wed May 27 20:40:13 2009
     • 1096 1900 17 Wed May 27 20:40:14 2009
     • 1484 1047 6 Wed May 27 20:49:18 2009
     • < 908 -> 135 TCP
     • > 896 -> 135 TCP
     • 9,11c9,11
     • < 992 -> 1032 TCP
     • > 1484 avmont -> 1047 TCP C:\WINDOWS\avmont.exe
     • 14,15c14,16
     • < 992 -> 138 UDP
     • < 908 -> 445 UDP
     • > 1484 avmont -> 137 UDP C:\WINDOWS\avmont.exe
     • > 0 System -> 138 UDP
     • > 896 -> 445 UDP

  38. Memory/Static Binary Analysis – ssdeep
     • ssdeep info>>>
     • 1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
     • 768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,"/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
     • --------------------------------------------------------------------------------
     • ssdeep info>>>
     • 1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,"1b1e067fdb0f2a44a50d9e290022b9ed.exe"
     • 1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
     • 3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,"/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
     • /data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)
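Slide 38 fuzzy-hashes two things per sample: the file as submitted and the executable region carved out of the memory image. The point of doing both is that two samples with different MD5s and a weak on-disk match (80 here) can show a near-identical memory image (96), which is what ties them to the same family once the packer is out of the way. The Python below is an added example, not the presentation's or ssdeep's code: it parses ssdeep signature lines and "X matches Y (score)" lines, links each memory dump back to its parent sample using the <sample>-XPSP2-files/ directory convention visible on the slide, and then clusters everything with union-find. The hashes and paths are the slide's own values, assembled here as constructed input; the match threshold and the directory-name link are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input in ssdeep's signature format, using the fuzzy hashes shown on
# slide 38: each on-disk sample plus the executable region dumped from its memory image.
SSDEEP_OUTPUT = """\
ssdeep,1.0--blocksize:hash:hash,filename
1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,"1b1e067fdb0f2a44a50d9e290022b9ed.exe"
3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,"/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,"/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
"""

# Constructed sample input in the "X matches Y (score)" format of ssdeep -m, as on slide 38.
MATCH_OUTPUT = """\
1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)
"""

SIG_RE = re.compile(r'^(?P<blocksize>\d+):(?P<h1>[^:]*):(?P<h2>[^,]*),"(?P<file>.+)"$')
MATCH_RE = re.compile(r"^(?P<a>\S+) matches (?P<b>\S+) \((?P<score>\d+)\)$")
# Memory dumps on the slide live under <sample>-XPSP2-files/; this ties a dump to its sample.
DUMP_DIR_RE = re.compile(r"/(?P<sample>[^/]+)-XPSP2-files/")


def parse_signatures(text):
    """Return {filename: (blocksize, hash1, hash2)} for every ssdeep signature line."""
    sigs = {}
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:  # the "ssdeep,1.0--..." header does not match and is skipped
            sigs[m.group("file")] = (int(m.group("blocksize")), m.group("h1"), m.group("h2"))
    return sigs


def parse_matches(text):
    """Return (file_a, file_b, score) tuples from ssdeep -m output."""
    edges = []
    for line in text.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            edges.append((m.group("a"), m.group("b"), int(m.group("score"))))
    return edges


def parent_sample(path):
    """Name of the submitted sample a memory dump belongs to, or None for a plain file."""
    m = DUMP_DIR_RE.search(path)
    return m.group("sample") if m else None


def cluster(files, edges, threshold=50):
    """Union-find over ssdeep matches scoring >= threshold plus dump-to-sample links.

    Returns clusters as sorted lists so related on-disk samples and their memory
    images land in the same group even when only the dumps match well.
    """
    nodes = set(files)
    for a, b, _ in edges:
        nodes.update((a, b))
    links = [(a, b) for a, b, score in edges if score >= threshold]
    for f in list(nodes):
        sample = parent_sample(f)
        if sample:
            nodes.add(sample)
            links.append((f, sample))
    rep = {n: n for n in nodes}

    def find(x):
        while rep[x] != x:
            rep[x] = rep[rep[x]]  # path halving
            x = rep[x]
        return x

    for a, b in links:
        ra, rb = find(a), find(b)
        if ra != rb:
            rep[ra] = rb
    groups = defaultdict(list)
    for n in nodes:
        groups[find(n)].append(n)
    return sorted(sorted(g) for g in groups.values())


def related_clusters(sig_text, match_text, threshold=50):
    return cluster(parse_signatures(sig_text).keys(), parse_matches(match_text), threshold)


if __name__ == "__main__":
    for i, group in enumerate(related_clusters(SSDEEP_OUTPUT, MATCH_OUTPUT), 1):
        print(f"cluster {i}:")
        for name in group:
            print("   ", name)
```

With the default threshold the two samples from slide 38 and both of their memory dumps fall into one cluster, while abod.exe and its dump form a second; raising the threshold above 96 breaks the cross-sample link and leaves each sample alone with its own dump, which is how an analyst would test how much of a family relation rests on the memory-image match alone.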

  39. Static Binary Analysis – binhash
     • BinHash info>>>
     • File: [/forensics/exes/abod.exe] b826d0f222242c1e48f4e1ebe778a534
     • PE Phdr: af86103672ba3bba2d21f2691465520f
     • PE Opt Hdr: f8ea55a399eeec409874af01ca0cf01d
     • Import [1] Offset: (f570) Size: (180): 93f613363a9cb87c3a20e3f2e1fc47b7
     • Import [12] Offset: (f000) Size: (608): eafa58275a218a26f92631bf75b10b8f
     • [0] (.text)
     • (VirtualAddress: 00001000) (PtrToData: 00001000) (SizeOfData: 0000e000)
     • Shdr: aaa4cacbb1cc38713961cc2e5931b982
     • Shdr Data: f571948f8203e66d09c87b00ae748c8d
     • [1] (.rdata)
     • (VirtualAddress: 0000f000) (PtrToData: 0000f000) (SizeOfData: 00002000)
     • Shdr: 46aa637bbc2c0335c427f6ca42021df9
     • Shdr Data: 3b10f3f4c6012e87d46686464575926c
     • [2] (.data)
     • (VirtualAddress: 00011000) (PtrToData: 00011000) (SizeOfData: 00003000)
     • Shdr: cff63d398711731f58eee390a6ce8513
     • Shdr Data: 71cc6a0ff1c18b313d21f1f03229738e

  40. Static Binary Analysis – packerid.py
     • Packer info>>>
     • [['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]

  41. Static Binary Analysis – Volatility malfind.py*
     • #
     • # lsass.exe (Pid: 676)
     • #
     • + VAD node @821bfb00 Start 00c60000 End 00c6ffff Tag VadS Flags 18
     • + VAD node @8236b208 Start 00c80000 End 00c96fff Tag VadS Flags 18
     • - Status: disassembling with pydasm...
     • 0xc80000 call 0x567d
     • 0xc80005 retn 0x8
     • 0xc80008 push ecx
     • 0xc80009 push esi
     • 0xc8000a call 0x1582
     • Found 2 suspicious Vad entries

  42. Limitations

  43. Future Work

  44. More Future Work

  45. Questions?
     • E-mail: jac@att.com or jclausing@isc.sans.org

  46. SANS Mentor Class – SEC 508 (Forensics)
     • For those of you from central OH (or folks you work with), I’ll be facilitating another mentor class in the fall.
     • Thursday evenings from 6:30-8:30PM in Reynoldsburg, OH running 10 Sep-12 Nov.
     • http://www.sans.org/mentor/details.php?nid=19458
