Malware Analysis 101

The document discusses setting up an environment for malware analysis. It recommends using virtual machines for safety and efficiency. Tools mentioned that could be installed on a single analysis machine include process monitors, disassemblers, hex editors and network sniffers. For more advanced analysis, a dual-box setup is suggested, with a second machine acting as a fake server to observe network traffic without risk of sabotage. Careful configuration and snapshotting of clean machine states is advised to safely analyze malware.

Uploaded by xchichov
Copyright: © Attribution Non-Commercial (BY-NC)

Malware Analysis: N00b to Ninja in 60 Minutes*

@grecs

* Most listeners do not become Ninjas in under 60 minutes.

[Image: hacked sites and news articles about breaches, mid-2000s]

Infosec COTS

Thanks
Great security equipment for small businesses: @MiltonSecurity
@BulbSecurity
@PenTestTraining
Tweet/Post: Thanks for sponsoring @grecs & @novainfosec

Internships
Research security/tools and write about security news. No $$$, but mentorship, lots of exposure in the DC area, and part-time. Hit me up on Twitter: @grecs

Looking for bloggers: pay in beer or $$$. http://bit.ly/nispsubarticle

Agenda
- Introduction
- Environment
- Methodology
- Where to Learn More
- Conclusion

Introduction
Am not a malware analysis expert (or even a novice, for that matter). Just trying to learn, and learn best by teaching. Looking for feedback and recommendations.

WARNING!!! DO NOT ANALYZE MALWARE ON PRODUCTION SYSTEMS

Environment
Setup: virtual or physical
Options: single box or dual+ box

Environment Setup
Virtual
- Efficient and easy to set up
- Snapshots to revert back to
- Malware may detect the VM and terminate (typical checks: VMware/VirtualBox tools processes and drivers, vendor MAC address prefixes, hypervisor-specific registry keys)
Physical
- VM detection not possible
- Resource intensive (reimage the box instead of reverting a snapshot)

Environment Setup: Virtual
- Network adapter: be careful
- Add a network interface that is not connected to the host
- Set the guest to use the interface that is not connected to the host

Environment Options
Single Box
- All analysis performed on one machine
- Risk of potential malware sabotage (the monitoring tools run on the same box the sample infects)
Dual+ Box
- Mitigates some potential sabotage
- Gateway to simulate a more realistic network
- Realistic external view (ports open, network traffic)

Environment Options: Single Box
Start with a base unpatched Windows XP SP2 box in VMware
Similar to the first set of post-install instructions for Metasploit Unleashed:
- Switch to Classic View
- Disable Windows Firewall
- Turn off Automatic Updates
- Disable alerts
- Uncheck Simple File Sharing

Add target software
- Older versions if needed
- Starting points: OldVersion.com & OldApps.com; Google for others

Environment Options: Single Box
Install Dynamic Analysis Tools
Process Monitor
- Logs file, registry, and process/thread activity in real time, including processes started during malware execution
Process Explorer
- Shows the running process tree and the handles (files, registry keys) and DLLs each process has open
Wireshark
- Sniffer to capture network traffic the malware may generate
RegShot
- Snapshot the registry before and after execution to see the changes the malware makes
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653
Wireshark: https://www.wireshark.org/
RegShot: http://sourceforge.net/projects/regshot/

Environment Options: Single Box
Install Dynamic Analysis Tools (cont)
TCPView
- Allows detection of malware-initiated network connections
Malcode Analysis Pack (MAP)
- FakeDNS
- Right-click actions (MD5 hash, strings, VirusTotal)
FakeNet
- Aids dynamic analysis of malicious software
- Simulates the network so the malware thinks it is interacting with remote hosts
- DNS, HTTP, SSL, dummy listener
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437
MAP: http://www.woodmann.com/collaborative/tools/index.php/Malcode_Analysis_Pack
FakeNet: http://practicalmalwareanalysis.com/fakenet/

Environment Options: Single Box
Install Static Analysis Tools
OllyDbg
- General disassembler/debugger for Windows, used to analyze malware in assembly
OllyDump
- Plugin that dumps the active process to a PE file so the unpacked executable can be analyzed
IDA Pro
- Windows disassembler/debugger with a freeware alternative
BinText
- Finds ASCII, Unicode, and resource strings that the malware may reference
OllyDbg: http://www.ollydbg.de/
OllyDump: http://www.openrce.org/downloads/details/108/OllyDump
IDA Pro Freeware: http://www.hex-rays.com/products/ida/support/download_freeware.shtml
BinText: http://www.mcafee.com/us/downloads/free-tools/bintext.aspx

Environment Options: Single Box
Install Static Analysis Tools (cont)
010 Editor
- Standard hex editor
Specialized tools
- PDFs: Didier Stevens's pdfid.py & pdf-parser.py
- Flash: SWFTools
- Others: Java, JavaScript
Didier Stevens PDF Tools: http://blog.didierstevens.com/programs/pdf-tools/

Environment Options: Single Box
Baseline
- Configure the VM for "host-only" mode (secluded network)
- Getting the sample onto the box: temporarily change to NAT to download it, or use write-once media (e.g., CDs) or a USB key with a physical write-protect switch (Imation USB 2.0 Clip Flash Drive, Kanguru FlashBlu 2)
- Host-only still gives the guest a path to the host's virtual adapter; switch back from NAT and confirm from inside the guest that nothing beyond the lab network is reachable before running anything
- Snapshot the VM

Environment: Dual+ Box
Fake Server
- Second machine for the target (victim) to connect to
- Additional advantage: examine network traffic without possible malware sabotage
- Implement a Linux server in VMware and configure it to be the default route on the victim machine
- Both machines should have fixed IP addresses
- Enable or install software that provides the needed services:
  - DNS: configured to return the fake server's IP for all queries
  - HTTP
  - IRC
  - Others: DHCP, FTP, SSH
  - Other services depending on the goal of the analysis

Environment: Dual+ Box
Fake Server: Install Network Analysis Tools
- Wireshark: records network traffic from the victim
- Netcat: start needed ad-hoc services
- Nmap: scan for open ports external to the victim
- Snapshot the fake server to revert back to
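
The DNS behaviour the fake server needs (answer every query with its own address so the sample's C2 hostname resolves to the lab box) written out as a small responder. This is an added Python example, not code from the slides or from FakeNet/MAP's FakeDNS; the fake-server address 10.0.0.2, the hostname used in the usage note, and the choice to bind on port 53 are assumptions. It only handles uncompressed names in the question and only answers A/IN queries; other types get an empty NOERROR reply so the victim falls back to A.

```python
"""Minimal 'fake DNS' responder: answers every A query with the fake
server's own IP so malware resolves its C2 to the lab box.

Added example (not from the slides). Assumes a lab-only network and a
fixed fake-server IP of 10.0.0.2 (both assumptions).
"""
import socket
import struct

FAKE_SERVER_IP = "10.0.0.2"  # assumption: fixed IP of the fake server


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, offset past it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not expected in a question
            raise ValueError("compressed name in question section")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query, as the victim's resolver would send it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN


def parse_query(msg: bytes):
    """Return (txid, name, qtype, qclass, raw question section)."""
    txid, _flags, qdcount = struct.unpack(">HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
    return txid, name, qtype, qclass, msg[12:off + 4]


def build_response(query: bytes, answer_ip: str = FAKE_SERVER_IP) -> bytes:
    """Answer any A/IN query with answer_ip; other types get an empty NOERROR reply."""
    txid, _name, qtype, qclass, question = parse_query(query)
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    if qtype == 1 and qclass == 1:
        ancount = 1
        # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, address
        rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    else:
        ancount, rr = 0, b""
    header = struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + rr


def parse_answer_ip(resp: bytes):
    """Extract the A record address from a response built above, or None."""
    _txid, _flags, _qd, ancount = struct.unpack(">HHHH", resp[:8])
    if ancount == 0:
        return None
    _, off = decode_name(resp, 12)
    off += 4   # skip qtype/qclass
    off += 12  # skip name pointer, type, class, TTL, rdlength
    return socket.inet_ntoa(resp[off:off + 4])


def serve(bind_ip: str = "0.0.0.0", port: int = 53):
    """Run the responder (port 53 needs root; bind to the lab interface only)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            _, name, qtype, _, _ = parse_query(data)
            print(f"{addr[0]} asked type {qtype} for {name}")
            sock.sendto(build_response(data), addr)
        except (ValueError, IndexError, struct.error) as exc:
            print(f"ignored malformed query from {addr[0]}: {exc}")


if __name__ == "__main__":
    serve()
```

Point the victim's DNS server setting at the fake server (or hand it out via the fake DHCP service), start this as root on the fake server, and every lookup the sample makes is logged and steered to the listeners you have running on the same box. Capturing with Wireshark on the fake server at the same time gives you the queried hostnames even if the sample never completes a connection.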

Environment: Preconfigured
REMnux (v4)
- Created by Lenny Zeltser
- ISO or virtual appliance
- Static analysis: load the malware on it and analyze
  - Web-based malware (e.g., malicious JavaScript, Java programs, and Flash files)
  - Malicious documents (e.g., Microsoft Office and Adobe PDF files)
  - Utilities for reversing malware through memory forensics
- Dynamic analysis: emulates network services, so it can be used as the fake server
  - Emulate services in an isolated lab environment
  - Infect another laboratory system with the malware sample
  - Direct potentially malicious connections to REMnux, which is listening on the appropriate ports
REMnux: http://zeltser.com/remnux/

Environment: Preconfigured
SANS Investigate Forensic Toolkit (SIFT) Workstation
- Development led by Rob Lee
- ISO or virtual appliance
- Useful for both static and dynamic analysis
- More comprehensive in terms of tools, but focused on forensics
SIFT Workstation: http://computer-forensics.sans.org/community/downloads/

Environment: Preconfigured
Cuckoo Sandbox (CuckooBox)
- Automated dynamic analysis of malware
- Data captured:
  - Trace of relevant Win32 API calls performed
  - Dump of network traffic generated during analysis
  - Screenshots taken during analysis
  - Dump of files created, deleted, and downloaded by the malware during analysis
  - Trace of assembly instructions executed by the malware process
CuckooBox: http://cuckoobox.org/

Methodology
1. Triage
2. Dynamic Analysis
3. Static Analysis

Methodology: 1. Triage
Run through external sandbox services for quick-and-dirty results if possible
- Goals: establish a rough idea of the malware's activities
- Tools: Norman Sandbox, GFI Sandbox, Anubis, ThreatExpert
- Resources: VirusTotal.com
- Caveat: uploading a sample to a public service shares it with everyone, including whoever wrote it; look up the hash first and upload only when that is acceptable
MD5 hash comparison (can run live if possible)
- Tools: MAP, FileAlyzer, Google the hash
Determine real file type; unpack if needed
- Goals: determine when it was compiled and whether it is packed or obfuscated
- Tools: UNIX file command and/or TrID; open in 010 Editor and look for magic numbers: Windows EXE (MZ), PDF (%PDF), ZIP (PK) (more on Wikipedia); OllyDump, PE Explorer (UPX unpacking built in)
Analyze imports
- Goals: discover interesting things the malware may be importing (e.g., networking APIs in a non-networking app)
- Tools: FileAlyzer (PE Imports tab)
Extract readable strings
- Goals: discover interesting data points like host names and IP addresses
- Tools: MAP or BinText
Specialized tools (e.g., for PDFs, Java, or Flash)
MASTIFF (Linux): automates much of the above plus more for EXEs and PDFs

Methodology: 2. Dynamic Analysis
- Take a RegShot and start Wireshark, Process Monitor, Process Explorer, FakeNet & TCPView
  - Monitors file and registry access, network traffic, process creation, etc.
- Watch Wireshark, Process Monitor, & TCPView for anything interesting
- Execute the malware and let it run for 15 minutes or until activity dies down
- Take a second RegShot and stop Wireshark, Process Monitor, FakeNet
- Compare the initial and final RegShots and review all monitoring tool logs

Methodology: 2. Dynamic Analysis (screenshot walkthrough)
- RegShot & Wireshark (steps a-c)
- Process Monitor (steps d-f)
- Process Explorer (g): just start
- FakeNet (h): just start
- TCPView (i): just start
- Execute malware (j): just monitor
  - Double-click the EXE, or for a DLL: rundll32.exe DLLName,Export arguments
  - Use PE Explorer to discover the exports, e.g., rundll32.exe rip.dll,Install
  - Watch all monitoring tools & stop when activity dies down
- Spin down (steps k-o)
- Analysis: (p) save logs for future reference, (q) analyze
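
The comparison RegShot performs between the first and second shot, as an added Python example (not from the slides, and not RegShot's own code or report format). It reads a simple tab-separated "path<TAB>value" dump, which is this example's own format you would have to produce yourself, diffs a before and an after, and flags changes under a handful of well-known autostart locations. Both snapshots are constructed, and the persistence list is a small subset of the real autostart locations; the same diff works for a file listing where the value is the file's hash.

```python
"""RegShot-style before/after comparison of a victim snapshot.

Added example, not from the slides. Reads 'path<TAB>value' dumps (this
example's own format, not RegShot's), diffs two of them, and flags changes
under well-known autostart locations. Both snapshots below are constructed.
"""
import hashlib

# Registry path fragments that commonly carry autostart entries (a subset).
PERSISTENCE_HINTS = (
    "\\CurrentVersion\\Run\\",
    "\\CurrentVersion\\RunOnce\\",
    "\\Windows NT\\CurrentVersion\\Winlogon\\",
    "\\CurrentControlSet\\Services\\",
    "\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
)


def parse_dump(text: str) -> dict:
    """'path<TAB>value' per line -> {path: value}; blank lines and '#' comments skipped."""
    snap = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, value = line.partition("\t")
        snap[path] = value
    return snap


def diff_maps(before: dict, after: dict) -> dict:
    """Generic diff of {path: value} maps; works for registry values and file hashes alike."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def is_persistence(path: str) -> bool:
    p = path.lower()
    return any(hint.lower() in p for hint in PERSISTENCE_HINTS)


def compare_snapshots(before_reg: str, before_fs: str, after_reg: str, after_fs: str) -> dict:
    reg = diff_maps(parse_dump(before_reg), parse_dump(after_reg))
    fs = diff_maps(parse_dump(before_fs), parse_dump(after_fs))
    persistence = sorted(p for p in reg["added"] + reg["changed"] if is_persistence(p))
    return {"registry": reg, "files": fs, "persistence": persistence}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed snapshots of the clean XP box. File entries carry a SHA-256 so
# a modified file shows up as 'changed' rather than just present.
BEFORE_REG = "\n".join([
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon\tC:\\WINDOWS\\system32\\ctfmon.exe",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\tExplorer.exe",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Start\t2",
])
BEFORE_FS = "\n".join([
    "C:\\WINDOWS\\system32\\ctfmon.exe\t" + sha256(b"ctfmon"),
    "C:\\Documents and Settings\\user\\Desktop\\sample.exe\t" + sha256(b"sample"),
    "C:\\WINDOWS\\system32\\drivers\\etc\\hosts\t" + sha256(b"127.0.0.1 localhost"),
])
# After execution: the sample copied itself into system32, added a Run key,
# changed the Winlogon shell, rewrote the hosts file and deleted its original.
AFTER_REG = "\n".join([
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon\tC:\\WINDOWS\\system32\\ctfmon.exe",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32\tC:\\WINDOWS\\system32\\svchost32.exe",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\tExplorer.exe,svchost32.exe",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Start\t2",
])
AFTER_FS = "\n".join([
    "C:\\WINDOWS\\system32\\ctfmon.exe\t" + sha256(b"ctfmon"),
    "C:\\WINDOWS\\system32\\svchost32.exe\t" + sha256(b"sample"),
    "C:\\WINDOWS\\system32\\drivers\\etc\\hosts\t" + sha256(b"127.0.0.1 localhost\n127.0.0.1 update.example.invalid"),
])

if __name__ == "__main__":
    result = compare_snapshots(BEFORE_REG, BEFORE_FS, AFTER_REG, AFTER_FS)
    for section in ("registry", "files"):
        for kind, paths in result[section].items():
            for path in paths:
                print(f"{section:8} {kind:8} {path}")
    print("persistence:", *result["persistence"], sep="\n  ")
```

The "changed" bucket is why the file snapshot carries a hash and not just a path: a sample that overwrites the hosts file or patches a system binary leaves the file listing unchanged, and only the hash comparison catches it. The persistence list is the first place to look when deciding what the sample does to survive a reboot.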

Methodology: 3. Static Analysis
- Use OllyDbg or IDA Pro to disassemble & analyze the deobfuscated malware
- Just stare at it ... stare some more ... and some more
- Specialized tools (e.g., for PDFs, Java, or Flash)

Where to Learn More
OpenSecurityTraining.info
- Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
  - Xeno Kovah
  - Book: Professional Assembly Language by R. Blum
  - http://opensecuritytraining.info/IntroX86.html
- Introduction To Reverse Engineering Software
  - Matt Briggs
  - Books: Reversing: Secrets of Reverse Engineering by E. Eilam; The IDA Pro Book by C. Eagle
  - Materials (videos, ...)
  - http://opensecuritytraining.info/IntroductionToReverseEngineering.html
- Reverse Engineering Malware
  - Matt Briggs & Frank Poz
  - Book: Practical Malware Analysis by M. Sikorski/A. Honig
  - http://opensecuritytraining.info/ReverseEngineeringMalware.html
  - Videos?

Where to Learn More
Nova-Labs.org Binary Bash
- Monthly; similar to Packet Party (where they do PCAP challenges) but focused on reverse engineering, especially malware
- In-person class

Where to Learn More
- Malware Analysis Toolkit: http://zeltser.com/malware-analysis-toolkit/
- OpenRCE: http://www.openrce.org/
- TrainACE: Advanced Malware Analysis (AMA)
- NoVA Infosec: workshop style

Conclusion
- Introduction
- Environment: setup; single box (victim); dual+ box (fake server); preconfigured
- Methodology: triage, dynamic analysis, static analysis
- Where to Learn More: OpenSecurityTraining.info, Nova-Labs.org Binary Bash, Zeltser.com, OpenRCE.org

Questions?

Twitter: @grecs
Website: NovaInfosec.com
Contact: http://bit.ly/nispcontact