CIS 4615 meeting -*- Outline -*-

* tools for analysis of potential malware in binaries

Based on chapters 2-3 of the book by Michael Sikorski and Andrew Honig,
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious
Software, No Starch Press (San Francisco, 2012).

** preparation

------------------------------------------
PREPARATIONS FOR DYNAMIC ANALYSIS

Need a safe environment to

  - a virtual machine (VM)
  - air-gapped network

Virtual Machines:
  - VMWare
  - VirtualBox
  - Parallels
  - Microsoft Virtual PC
  - Microsoft Hyper-V
  - Xen

See http://www.cs.ucf.edu/~leavens/CIS4615/analysis-tools.shtml#dynamic
and chapter 2 of Practical Malware Analysis
for setting up your own VM
------------------------------------------
... isolate the malware from the rest of the network

Q: What problems could using a VM cause?

   Malware may be able to detect it is in a VM
   and execute differently.
   This is possible by looking for devices or files
   that are not usually on "real" machines.

------------------------------------------
TIPS FOR VMWARE

- make clones and snapshots
- connect the network
    VM > Settings > Hardware
    in Network Adapter, use NAT
- download your favorite browser first
  OR make a shared directory with host
    VM > Settings > Options
    in Shared Folders
------------------------------------------

** Running DLLs

------------------------------------------
RUNNING DLLs

To run a Dynamic Link Library (DLL) do

    rundll32.exe DLLname,ExportName args

where ExportName is the name of an entry point
(use PEview or PE Explorer to find)
------------------------------------------

** dynamic analysis tools
*** sandboxes
**** Threat Analyzer (GFI) Sandbox

------------------------------------------
THREAT ANALYZER SANDBOX

See http://www.threattracksecurity.com/enterprise-security/malware-analysis-sandbox-tools.aspx

Attempts to automate malware analysis

Advantages:
  - quick results
  - automates much of the work

Drawbacks:
  - doesn't use command line options
  - doesn't get network inputs
------------------------------------------
There are others...

*** procmon

------------------------------------------
PROCMON

Process Monitor
See https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Monitors:
  - file system,
  - registry
  - processes/threads
  - stacks

Principles:
  - records a set of events
    and shows a filtered subset of them
      - by default includes all events
      - shows you all events in your filter
        - include filters
        - exclude filters subtract from view
  - can save events to a file,
    then analyze later using
  - can erase before starting a trace
  - best to use a backing file
    so it doesn't die when too many events happen
------------------------------------------
... union into view ("or")
... File > "Open..." menu

------------------------------------------
PROCMON DEMO

- start procmon
- from the Options > "Column Selection" menu
  add the "Command Line" column
  maybe reorder the columns (drag with mouse)
- Select the autoscroll option button
- show only file events (top, file cabinet)

1. Start a cygwin terminal, see all the file events
2. Switch to having procmon show registry events
3. Note the time
4. In the terminal window do
       touch junk
   see the registry events happening
4. Switch to showing file events
   turn off autoscroll and go back to see the file events
   (or use find)
5. Switch to showing network and then thread activity
6. Back to file activity, filter for operations containing File,
   then Directory
7. Show Tools > "File Summary..." and Tools > "Registry Summary..."
8. Show how to save a file and open it
------------------------------------------
Step 4, see the registry events happening

In step 7, (be sure the window is wide enough)

Q: What does it mean if you aren't seeing any events?

   Nothing is happening, or more likely
   the filter is not showing you anything.

Q: What should you do if you aren't seeing events?

   Change the filter!  They are already there!
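The include/exclude rule stated on the PROCMON slide, as an added worked example (this is not code from the book or from the Sysinternals tool): a small Python model of Procmon's filter evaluation, run over a handful of constructed events laid out in Procmon's column headings (Process Name, PID, Operation, Path, Result). The rule implemented is exactly the one the slide gives: include rules union into the view, exclude rules subtract from it. The events, process names and paths are made up for the demo.

```python
"""Model of the Procmon include/exclude filter rule, run over constructed events."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample events laid out like Procmon columns (not a real capture).
SAMPLE_EVENTS: List[Event] = [
    {"Time": "10:01:02.001", "Process Name": "bash.exe", "PID": "4120",
     "Operation": "CreateFile", "Path": r"C:\cygwin\home\user\junk", "Result": "SUCCESS"},
    {"Time": "10:01:02.003", "Process Name": "bash.exe", "PID": "4120",
     "Operation": "RegOpenKey", "Path": r"HKCU\Software\Cygwin", "Result": "NAME NOT FOUND"},
    {"Time": "10:01:02.010", "Process Name": "touch.exe", "PID": "4188",
     "Operation": "WriteFile", "Path": r"C:\cygwin\home\user\junk", "Result": "SUCCESS"},
    {"Time": "10:01:02.015", "Process Name": "touch.exe", "PID": "4188",
     "Operation": "QueryDirectory", "Path": r"C:\cygwin\home\user", "Result": "SUCCESS"},
    {"Time": "10:01:03.200", "Process Name": "Procmon.exe", "PID": "3001",
     "Operation": "CreateFile", "Path": r"C:\Users\user\Logfile.PML", "Result": "SUCCESS"},
    {"Time": "10:01:04.000", "Process Name": "sample.exe", "PID": "5120",
     "Operation": "TCP Connect", "Path": "10.0.0.5:4444", "Result": "SUCCESS"},
    {"Time": "10:01:04.100", "Process Name": "sample.exe", "PID": "5120",
     "Operation": "Thread Create", "Path": "", "Result": "SUCCESS"},
]

# Relations as offered by Procmon's filter dialog, compared case-insensitively.
RELATIONS: Dict[str, Callable[[str, str], bool]] = {
    "is":          lambda actual, wanted: actual.lower() == wanted.lower(),
    "is not":      lambda actual, wanted: actual.lower() != wanted.lower(),
    "contains":    lambda actual, wanted: wanted.lower() in actual.lower(),
    "begins with": lambda actual, wanted: actual.lower().startswith(wanted.lower()),
}


@dataclass(frozen=True)
class Rule:
    column: str
    relation: str
    value: str
    include: bool = True            # False makes this an Exclude rule

    def matches(self, event: Event) -> bool:
        return RELATIONS[self.relation](event.get(self.column, ""), self.value)


def apply_filter(events: List[Event], rules: List[Rule]) -> List[Event]:
    """Include rules union into the view (no include rules = show everything);
    exclude rules then subtract from whatever the includes admitted."""
    includes = [r for r in rules if r.include]
    excludes = [r for r in rules if not r.include]
    shown = []
    for event in events:
        if includes and not any(r.matches(event) for r in includes):
            continue
        if any(r.matches(event) for r in excludes):
            continue
        shown.append(event)
    return shown


def operations(events: List[Event]) -> List[str]:
    return [e["Operation"] for e in events]


def by_process(events: List[Event]) -> Dict[str, int]:
    """Event count per process: a quick way to see who generated the activity."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e["Process Name"]] = counts.get(e["Process Name"], 0) + 1
    return counts


if __name__ == "__main__":
    # Demo step 6: show only file operations, and hide Procmon's own log writes.
    rules = [Rule("Operation", "contains", "File"),
             Rule("Process Name", "is", "Procmon.exe", include=False)]
    for ev in apply_filter(SAMPLE_EVENTS, rules):
        print(ev["Time"], ev["Process Name"], ev["Operation"], ev["Path"])
```

With no rules every event is shown, which is the "they are already there" situation from the Q&A above: an empty view almost always means the filter is hiding things, not that nothing happened. One caveat on the model: the slide's union rule is the simplified picture; Procmon itself ORs include rules only within the same column and ANDs include rules on different columns, so a real filter of Process Name is sample.exe plus Operation contains File shows only sample.exe's file events.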
*** process explorer

------------------------------------------
PROCESS EXPLORER

Part of the Windows sysinternals suite
See https://technet.microsoft.com/en-us/sysinternals

Lists:
  active processes
  DLLs loaded by processes

Principles:
  - gives instantaneous view of processes
    and their properties

Look for:
  new processes
  changed binaries (verify button)
  compare strings in executable (memory)
    vs. strings on disk (image)
  processes launched by opening documents
------------------------------------------
Q: What is a process in Windows?

   An address space

Q: What is a thread?

   A flow of control (part of a process)

Q: What does it tell you if there are new processes?

   The program you are running is creating them

Q: What does it tell you if some of the binaries are not genuine?

   That some process has replaced them

Q: What does it tell you if the strings change?

   That there may have been unpacking or a process replacement

------------------------------------------
PROCESS EXPLORER DEMO

- Use View > "Select Columns" to add
  "Command Line", "Company Name", and "Verified Signer"
- start cygwin terminal
- run
      echo hi | cat
- double click on "bash.exe", open image tab
- press the verify button
- open the strings tab
- compare strings in image and memory
- right click on bash and select "depends..."
------------------------------------------
(move the terminal out of the way)
(see the processes running)
(or right click and select properties to see properties)

*** Dependency Walker

------------------------------------------
DEPENDENCY WALKER

Can be launched from Process Explorer

Process Explorer can also search for DLLs

Demo:
  - launch from process explorer on bash.exe
  - Show full paths using "C:\" button
------------------------------------------
Q: Why would you want to look for a DLL in a process?

   See which processes are using it...
*** Registry Snapshots with Regshot

------------------------------------------
COMPARING REGISTRY SNAPSHOTS WITH REGSHOT

Idea: take a snapshot of the registry
  - at beginning of program execution
  - later during execution
then see what changed
------------------------------------------

*** faking a network

------------------------------------------
FAKING A NETWORK

Why?
  - see what program does on the net
  - intercept (and turn on) network control
------------------------------------------
Q: Why not just turn off the network?

   The program may not work

Q: Why not use the real network?

   This may be malware!

**** ApateDNS

------------------------------------------
APATEDNS

Spoofs DNS responses
  you specify the response

See mandiant.com/products/research/mandiant_apatedns/download

Can redirect to local host or fake internet
------------------------------------------
Needs MS .NET framework to run
(see dependencies in the .exe file!)

**** Netcat

------------------------------------------
NETCAT

Used for: port scanning, tunneling, proxying,
          port forwarding, etc.
------------------------------------------

**** WireShark

------------------------------------------
WIRESHARK

Used for sniffing
  packet capture
  logging
------------------------------------------

**** INetSim

------------------------------------------
INETSIM

Linux-based simulation of network services
  Need to install in a Linux VM

Emulates lots of services
records:
  - inbound requests
  - connections

Have to run in Linux
------------------------------------------

** usage recipe

See also the file BasicAnalysisChecklist.rtf in this directory

------------------------------------------
START WITH BASIC STATIC ANALYSIS

0. get the sample into the VM's directories
1. Enable network (NAT interface).
2. Upload to virustotal.com
   - get MD5 and results
3. Get information from PEView
   - when compiled
   - how to start it (for a DLL)?
3. Use strings & PEiD to see if packed
   - is it a .NET program or a PE file?
   - what entropy?
4.
   Use dependency walker to see DLLs used
   - is it directly calling low level DLLs?
   - Does it do networking?
   - Can it change the registry?
   - Does it use mutexes?

Questions to answer:
  - Does it look like malware?
    - known?
    - cryptic strings?
    - packed?
------------------------------------------

------------------------------------------
USE OF BASIC DYNAMIC TOOLS

0. Isolate the VM instance
   - Make sure you have a backup/clone!
   - Turn off network (use VMnet0)
   - Disable file shares
1. Start the process explorer
2. Run procmon
   - enable file and registry tracking
   - Command Line filter to look for the executable name
3. Set up virtual network
   - start Linux to run INetSim
   - Edit Menu > Virtual Network Editor
   - run ApateDNS in guest OS
4. Log network traffic using wireshark
5. Take a snapshot of the registry (regshot)
6. Start running it
   - You don't need to authorize it...

Questions to answer:
  - Does it write files/mutexes? especially
  - Does it change the registry? especially
  - Does it send information on the network?
------------------------------------------
... installing programs
... setting autoruns

** practice

------------------------------------------
PRACTICE

Try the Labs for chapter 3
  - What imports and strings?
  - Is it packed?
  - What host-based indicators are there?
  - Are there any network signatures?
------------------------------------------
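The BASIC STATIC ANALYSIS recipe above (MD5 for the VirusTotal lookup, compile time as PEView shows it, .NET versus native, per-section entropy and strings for the packing question) and the Process Explorer "strings in image vs. memory" comparison, as one added worked example in Python. It is not the book's code nor any of the named tools. The PE headers are parsed by hand from the PE/COFF layout, so no `pefile` package is needed, and the sample binary is constructed in memory (not a real program): one plain-text `.text` section and one pseudo-random `UPX1` section. The packing heuristic (UPX section names, or a section whose entropy exceeds 7.0 bits per byte) is a rule of thumb chosen here, not a PEiD signature, and the thresholds and strings are assumptions for the demo.

```python
"""Basic static triage of a PE file: MD5, compile time, .NET check, per-section
entropy and printable strings. The sample PE is constructed in memory below."""
import hashlib
import math
import random
import re
import struct
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # section names left behind by the UPX packer


@dataclass
class Section:
    name: str
    virtual_address: int
    raw_size: int
    entropy: float


@dataclass
class PEInfo:
    md5: str
    compiled: datetime
    machine: int
    is_dotnet: bool
    sections: List[Section]
    strings: List[str]

    def looks_packed(self) -> bool:
        """Heuristic (assumed here): packer section names or near-random section bytes."""
        return any(s.name in UPX_SECTION_NAMES or s.entropy > 7.0 for s in self.sections)


def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); ~8 means compressed/encrypted."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """ASCII runs of at least min_len characters, like the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def new_strings(disk_image: bytes, memory_image: bytes) -> List[str]:
    """Strings in the in-memory copy that the file on disk lacks: the Process Explorer
    image-vs-memory comparison, which is how unpacked content shows up."""
    on_disk = set(printable_strings(disk_image))
    return [s for s in printable_strings(memory_image) if s not in on_disk]


def parse_pe(data: bytes) -> PEInfo:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs_off = opt + (96 if magic == 0x10B else 112)      # data directories: PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    clr_rva = clr_size = 0
    if ndirs > 14:                                        # directory 14 = CLR header (.NET only)
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + 14 * 8)
    sections = []
    for i in range(nsections):                            # 40-byte IMAGE_SECTION_HEADERs follow
        name, _, vaddr, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, raw_size, entropy(raw)))
    return PEInfo(md5=hashlib.md5(data).hexdigest(),
                  compiled=datetime.fromtimestamp(timestamp, tz=timezone.utc),
                  machine=machine, is_dotnet=clr_rva != 0 and clr_size != 0,
                  sections=sections, strings=printable_strings(data))


def build_sample_pe(dotnet: bool = False) -> bytes:
    """Constructed two-section PE32 image (not a real binary): low-entropy .text,
    high-entropy UPX1 made of seeded pseudo-random bytes; optional fake CLR directory."""
    text = (b"kernel32.dll\0CreateFileA\0RegSetValueExA\0"
            b"http://c2.example.invalid/gate.php\0Global\\x9_mutex\0").ljust(0x200, b"\0")
    rng = random.Random(1)
    upx = bytes(rng.randrange(256) for _ in range(0x400))
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1329000000, 0, 0, 224, 0x102)  # i386, 2 sections, 2012 timestamp
    clr = (0x3000, 0x48) if dotnet else (0, 0)
    dirs = b"".join(struct.pack("<II", *(clr if i == 14 else (0, 0))) for i in range(16))
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16) + dirs

    def hdr(name: bytes, vaddr: int, size: int, ptr: int, flags: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, ptr, 0, 0, 0, 0, flags)

    headers = hdr(b".text", 0x1000, len(text), 0x200, 0x60000020) + hdr(b"UPX1", 0x2000, len(upx), 0x400, 0xE0000040)
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(0x200, b"\0") + text + upx


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info.md5, info.compiled, "dotnet" if info.is_dotnet else "native", "packed?", info.looks_packed())
    for s in info.sections:
        print(f"  {s.name:8} rva={s.virtual_address:#x} size={s.raw_size:#x} entropy={s.entropy:.2f}")
```

The entropy split is the signal the recipe asks about: a plain code section sits well below 7 bits per byte while a compressed or encrypted section sits near 8. A high-entropy section plus few readable strings usually means the interesting strings (URLs, mutex names, registry paths) only appear after unpacking, which is when the in-memory strings view in Process Explorer diverges from the on-disk one.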
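The Regshot idea from the slide above (snapshot, run, snapshot again, diff) and step 5 of the dynamic recipe, as an added worked example in Python that is not Regshot's code. Both snapshots are constructed dictionaries keyed by registry path, not reads of a real registry, and the report headings only loosely follow Regshot's; the autorun-entry check at the end is an addition that ties the diff to the "setting autoruns" note.

```python
"""Regshot-style comparison of two registry snapshots (constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List

Snapshot = Dict[str, Dict[str, str]]   # key path -> {value name: data}

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed "before" snapshot, taken just before the sample is started.
BEFORE: Snapshot = {
    RUN_KEY: {"VMwareTray": r"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"},
    r"HKCU\Software\Cygwin\setup": {"last-cache": r"C:\cygwin-setup"},
    r"HKCU\Software\Example\Temp": {"scratch": "1"},
}

# Constructed "after" snapshot: an autorun value appears, one value changes,
# one key vanishes and a new key is created.
AFTER: Snapshot = {
    RUN_KEY: {"VMwareTray": r"C:\Program Files\VMware\VMware Tools\VMwareTray.exe",
              "updater": r"C:\Users\user\AppData\Roaming\updater.exe"},
    r"HKCU\Software\Cygwin\setup": {"last-cache": r"C:\cygwin-setup-new"},
    r"HKCU\Software\Example\Persist": {"id": "a1b2"},
}


@dataclass
class RegDiff:
    keys_added: List[str] = field(default_factory=list)
    keys_deleted: List[str] = field(default_factory=list)
    values_added: List[str] = field(default_factory=list)
    values_deleted: List[str] = field(default_factory=list)
    values_modified: List[str] = field(default_factory=list)

    def total_changes(self) -> int:
        return sum(len(v) for v in vars(self).values())

    def autorun_changes(self) -> List[str]:
        """Added or modified values under the Run key: the first place to look for persistence."""
        return [v for v in self.values_added + self.values_modified if v.startswith(RUN_KEY + "\\")]


def compare(before: Snapshot, after: Snapshot) -> RegDiff:
    """Diff two snapshots key by key and value by value, in sorted path order."""
    diff = RegDiff()
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None:
            diff.keys_added.append(key)
        elif new is None:
            diff.keys_deleted.append(key)
        old, new = old or {}, new or {}
        for name in sorted(set(old) | set(new)):
            path = f"{key}\\{name}"
            if name not in old:
                diff.values_added.append(f"{path}: {new[name]}")
            elif name not in new:
                diff.values_deleted.append(f"{path}: {old[name]}")
            elif old[name] != new[name]:
                diff.values_modified.append(f"{path}: {old[name]} -> {new[name]}")
    return diff


def report(diff: RegDiff) -> str:
    """Plain-text report with headings loosely modelled on Regshot's."""
    out = []
    for heading, items in [("Keys added", diff.keys_added), ("Keys deleted", diff.keys_deleted),
                           ("Values added", diff.values_added), ("Values deleted", diff.values_deleted),
                           ("Values modified", diff.values_modified)]:
        out.append(f"{heading}: {len(items)}")
        out.extend("  " + item for item in items)
    out.append(f"Total changes: {diff.total_changes()}")
    return "\n".join(out)


if __name__ == "__main__":
    d = compare(BEFORE, AFTER)
    print(report(d))
    print("autorun entries touched:", d.autorun_changes())
```

Take the first snapshot only after the VM is isolated and the other tools are running, otherwise their own registry writes show up in the diff; the noise from Cygwin and the VMware tools in the constructed data above is there to make that point.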
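What ApateDNS does on the wire (answer every A query with an address you choose, so the sample's lookups land on localhost or on the INetSim box), and step 3 of the dynamic recipe, as an added worked example in Python. It is not ApateDNS's code and it runs on any OS; the DNS encoding and decoding are written by hand from the RFC 1035 wire format so the example needs only the standard library. The query name `c2.example.invalid`, the transaction id and the listening port are constructed for the demo; the `serve` loop is provided but not started automatically, and a real sinkhole listens on UDP port 53, which needs privileges.

```python
"""ApateDNS-style DNS sinkhole: answer every A query with an address you choose.
Wire-format encoding/decoding is done by hand (RFC 1035); all inputs are constructed."""
import socket
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at offset off, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                        # pointer to an earlier copy of the name
            pointer = ((length & 0x3F) << 8) | msg[off]
            off += 1
            suffix, _ = decode_name(msg, pointer)
            labels.append(suffix)
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query with one question (qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg: bytes):
    """Return (txid, name, qtype, qclass, raw question bytes)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass, msg[12:off + 4]


def spoofed_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Echo the question back with flags QR|RD|RA and, for A/IN questions only,
    one A record pointing at answer_ip; other types get an empty answer section."""
    txid, _name, qtype, qclass, question = parse_query(query)
    answers = b""
    if qtype == 1 and qclass == 1:
        answers = (b"\xC0\x0C"                                # owner name: pointer to offset 12
                   + struct.pack("!HHIH", 1, 1, ttl, 4)      # type A, class IN, TTL, RDLENGTH
                   + socket.inet_aton(answer_ip))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answers else 0, 0, 0)
    return header + question + answers


def parse_response(msg: bytes) -> Tuple[int, str, List[str]]:
    """Return (transaction id, queried name, A-record addresses) from a response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    off += 4                                                  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        _owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, name, addresses


def serve(answer_ip: str, bind: Tuple[str, int] = ("127.0.0.1", 5353)) -> None:
    """Blocking UDP loop that sinkholes every A query it receives (not started automatically).
    Point the analysis VM's DNS at this host to log which names the sample resolves."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, peer = sock.recvfrom(512)
            try:
                print(f"{peer[0]} asked for {parse_query(data)[1]} -> {answer_ip}")
                sock.sendto(spoofed_response(data, answer_ip), peer)
            except (ValueError, IndexError, struct.error):
                pass                                          # malformed query: no answer


if __name__ == "__main__":
    q = build_query(0x1234, "c2.example.invalid")             # constructed lookup
    print(parse_response(spoofed_response(q, "127.0.0.1")))
```

The log line printed by `serve` is the useful output: the names a sample asks for are host-based network indicators even when the answer is faked, and with the answer pointed at the INetSim machine the sample's follow-on HTTP or other traffic can then be captured in Wireshark.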