Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source Tools

Jim Clausing, PMTS, AT&T CSO

18 Jun 2009

Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSP
  • GCIA (Gold) #64 – 2000
  • GCFA (Gold) #25 – 2002
  • GREM (Gold) #48 – 2005
  • And other certs along the way…
  • SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor, Internet Storm Center handler since 2002
  • Instrument-rated private pilot – 2003/2004
The patches and scripts
  • http://handlers.sans.org/jclausing/grem_gold/
  • http://www.giac.org/certified_professionals/practicals/grem/48.php
Submission
  • [jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i old-malware/; sleep 10; done
  • Archive: 090529-rnd_jpg.piz
  • inflating: rnd.jpg
  • *****Processing rnd.jpg - ONEBOOT******
  • interface: eth1 (4.0.0.0/255.0.0.0)
  • filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )
  • tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  • listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
  • tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytes
  • Starting Faux FTP Server Emulation on port 21
  • Starting Faux MySQL Server Emulation on port 3306
  • Starting Faux SMTP Server Emulation on port 25
  • Starting Faux SMB Server Emulation on port 445
  • Starting Faux IRC Server Emulation on port 6667
  • Starting Faux DNS Server Emulation on port 53
Monitoring
  • [jac@fltruman001 ~]$ alias status
  • alias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:]\r\n" "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r - -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:]\r\n" "."'
Monitoring, cont’d
  • [jac@fltruman001 ~]$ status
  • Server.exe
  • request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
  • responseIP: 4.3.2.86
  • responseIP: 4.3.2.63
  • response: rcode=NOERROR, … …, auth=, add=, aa=1
  • request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
  • responseIP: 4.5.6.1
  • response: rcode=NOERROR, ans=…, auth=, add=, aa=1
  • Connection from 4.5.6.7
  • USER 0wn@sickbassline.com
  • PASS smokeweed
  • TYPE A
  • PORT 4,5,6,7,4,7
  • STOR User.mps
  • reading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)
  • 4.5.6.7 4.3.2.86 6 1030 21 674 578 9 9 2009-06-04-11:24:02.2148 2009-06-04-11:24:03.3459 1 1
  • 4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-06-04-11:24:09.5569 2009-06-04-11:24:10.4709 1 1
  • input: /tmp/sandnet.pcap
  • filter: (ip) and ( tcp port 80 and not host 4.5.6.1 )
  • match: GET|POST|HEAD|OPTIONS|JOIN
  • ##########exit
Identify the OS
  • Summary report for xxx.xxx-XPSP2-files created at ………
  • OS info>>>
  • kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
  • Ex: kern <path_to_dump_file>
  • File Description : NT Kernel & System
  • File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  • Internal Name : ntoskrnl.exe
  • Original File Name :
  • Product Name : Microsoft® Windows® Operating System
  • Product Version : 5.1.2600.2180
Analyzing Network Traffic – fauxdns
  • DNS>>>
  • request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
  • responseIP: 4.3.2.51
  • responseIP: 4.3.2.154
  • response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
  • request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
  • responseIP: 4.3.2.104
  • responseIP: 4.3.2.240
  • response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
  • request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
  • responseIP: 4.5.6.1
  • response: rcode=NOERROR, ans=…, auth=, add=, aa=1
Analyzing Network Traffic – fauxftp
  • Connection from 4.5.6.7
  • USER 0wn@sickbassline.com
  • PASS smokeweed
  • TYPE A
  • PORT 4,5,6,7,4,7
  • STOR User.mps
Analyzing Network Traffic – fauxirc
  • IRC>>>
  • 2009-05-27-16:49:17: Connection from 4.5.6.7
  • 2009-05-27-16:49:17: PASS lammers
  • 2009-05-27-16:49:17: NICK [00|USA|296161]
  • 2009-05-27-16:49:18: USER XP-8165 * 0 :ATT
  • 2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x
  • 2009-05-27-16:49:18: JOIN #WiFi-a Crypt
  • 2009-05-27-17:00:13: QUIT System shutting down.
  • 2009-05-27-17:00:15: QUIT Leaving
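The Monitoring, fauxdns, fauxftp and fauxirc slides above are all the raw text that the `status` alias dumps from the faux-server logs. As an added example (not part of this deck and not one of the author's scripts), the Python below parses those three line formats into a short indicator list that a handler could eyeball or diff between runs. The combined sample log is constructed from the slide excerpts; the `BENIGN_NAMES` set (names the sandnet answers on the guest's behalf, such as time sync) is an assumption.

```python
"""Summarise faux-server (fauxdns / fauxftp / fauxirc) sandnet log lines.

Added example, not the deck's own code. Note that in a sandnet the
"responseIP" answers are addresses the faux DNS server hands out itself,
so the queried *names* are the indicators, not the answer IPs.
"""
import re

# Constructed sample joining the three log styles shown on the slides.
SAMPLE_LOG = """\
request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.86
response: rcode=NOERROR, auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
Connection from 4.5.6.7
USER 0wn@sickbassline.com
PASS smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps
2009-05-27-16:49:17: Connection from 4.5.6.7
2009-05-27-16:49:17: PASS lammers
2009-05-27-16:49:17: NICK [00|USA|296161]
2009-05-27-16:49:18: JOIN #WiFi-a Crypt
2009-05-27-17:00:13: QUIT System shutting down.
"""

DNS_REQ = re.compile(r"^request: name=(?P<name>[^,]+), class=\w+, type=(?P<type>\w+), peer=(?P<peer>\S+)")
DNS_RESP_IP = re.compile(r"^responseIP: (?P<ip>\S+)")
# fauxirc prefixes every line with a timestamp; fauxftp does not.
IRC_LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d): (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$")
FTP_CMD = re.compile(r"^(?P<cmd>USER|PASS|STOR|RETR|PORT) (?P<arg>.*)$")

BENIGN_NAMES = {"time.windows.com"}  # assumption: resolved by the sandnet for the guest


def parse_sandnet_log(text):
    """Return {'dns': {name: [ips]}, 'ftp': {...}, 'irc': {...}} for one run."""
    summary = {
        "dns": {},
        "ftp": {"user": None, "password": None, "data_endpoint": None, "uploads": []},
        "irc": {"nick": None, "password": None, "channels": []},
    }
    current_name = None
    for line in text.splitlines():
        line = line.rstrip()
        m = DNS_REQ.match(line)
        if m:
            current_name = m.group("name")
            summary["dns"].setdefault(current_name, [])
            continue
        m = DNS_RESP_IP.match(line)
        if m and current_name:
            summary["dns"][current_name].append(m.group("ip"))
            continue
        m = IRC_LINE.match(line)
        if m:
            cmd, arg = m.group("cmd"), m.group("arg") or ""
            if cmd == "NICK":
                summary["irc"]["nick"] = arg
            elif cmd == "PASS":
                summary["irc"]["password"] = arg
            elif cmd == "JOIN":
                summary["irc"]["channels"].append(arg)
            continue
        m = FTP_CMD.match(line)
        if m:
            cmd, arg = m.group("cmd"), m.group("arg")
            if cmd == "USER":
                summary["ftp"]["user"] = arg
            elif cmd == "PASS":
                summary["ftp"]["password"] = arg
            elif cmd in ("STOR", "RETR"):
                summary["ftp"]["uploads"].append(arg)
            elif cmd == "PORT":
                # Active-mode PORT h1,h2,h3,h4,p1,p2 -> the guest's data endpoint.
                h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
                summary["ftp"]["data_endpoint"] = f"{h1}.{h2}.{h3}.{h4}:{p1 * 256 + p2}"
    return summary


def indicators(summary, benign=BENIGN_NAMES):
    """Flatten a summary into 'kind:value' strings, dropping known-benign lookups."""
    out = []
    for name, ips in summary["dns"].items():
        if name not in benign:
            out.append(f"dns:{name}->{','.join(ips) or '?'}")
    if summary["ftp"]["user"]:
        out.append(f"ftp-login:{summary['ftp']['user']}")
    for f in summary["ftp"]["uploads"]:
        out.append(f"ftp-upload:{f}")
    if summary["irc"]["nick"]:
        out.append(f"irc-nick:{summary['irc']['nick']}")
    for ch in summary["irc"]["channels"]:
        out.append(f"irc-join:{ch}")
    return out


if __name__ == "__main__":
    for ind in indicators(parse_sandnet_log(SAMPLE_LOG)):
        print(ind)
```

Because the faux servers answer every name and accept every login, the value of this output is in the names, credentials and channel strings the sample volunteers, which is why the parser records those and treats the sandnet's own answer addresses as incidental.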
Analyzing Network Traffic – ipaudit
  • IP traffic>>>
  • src dst proto sp dp bytes pkts start end
  • 4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
  • 4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
  • 4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
  • 4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
Analyzing Network Traffic – tshark
  • ===================================================================
  • Protocol Hierarchy Statistics
  • Filter: frame
  • frame frames:602 bytes:733467
  • eth frames:602 bytes:733467
  • ip frames:573 bytes:731979
  • tcp frames:387 bytes:146779
  • http frames:30 bytes:22708
  • short frames:5 bytes:17790
  • data-text-lines frames:3 bytes:644
  • data frames:8 bytes:849
  • udp frames:57 bytes:10014
  • nbdgm frames:11 bytes:2511
  • smb frames:11 bytes:2511
  • mailslot frames:11 bytes:2511
  • browser frames:11 bytes:2511
  • nbns frames:27 bytes:2538
  • dns frames:6 bytes:532
  • http frames:3 bytes:525
  • ntp frames:2 bytes:180
  • bootp frames:8 bytes:3728
  • short frames:127 bytes:575066
  • igmp frames:2 bytes:120
  • arp frames:29 bytes:1488
  • ===================================================================
Analyzing Network Traffic – tcptrace
  • HTTP>>>
  • mod_http: Capturing HTTP traffic (port 80)
  • 1 arg remaining, starting with '../small.pcap'
  • Ostermann's tcptrace -- version 6.6.7 -- Thu Nov 4, 2004
  • 10 packets seen, 10 TCP packets traced
  • elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
  • trace file elapsed time: 0:00:00.017257
  • Http module output:
  • 4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
  • Server Syn Time: Wed May 27 16:49:17.130145 2009 (1243457357.130)
  • Client Syn Time: Wed May 27 16:49:17.130085 2009 (1243457357.130)
  • Server Fin Time: Wed May 27 16:49:17.146947 2009 (1243457357.147)
  • Client Fin Time: Wed May 27 16:49:17.147323 2009 (1243457357.147)
  • GET /here2 HTTP/1.0
  • Response Code: 404 (Not Found)
  • Request Length: 66
  • Reply Length: 468
  • Content Length: 289
  • Content Type : text/html;
  • Time request sent: Wed May 27 16:49:17.130584 2009 (…)
  • Time reply started: Wed May 27 16:49:17.146886 2009 (…)
  • Time reply ACKed: Wed May 27 16:49:17.147077 2009 (…)
  • Elapsed time: 16 ms (request to first byte sent)
  • Elapsed time: 16 ms (request to content ACKed)
Analyzing Disk Image – AIDE
  • ---------------------------------------------------
  • Added files:
  • ---------------------------------------------------
  • added: /mnt/new/WINDOWS/avmont.exe
  • added: /mnt/new/Documents and Settings/All Users/Application Data/TEMP
  • ---------------------------------------------------
  • Removed files:
  • ---------------------------------------------------
  • removed: /mnt/new/WINDOWS/system32/CatRoot2/tmp.edb
  • ---------------------------------------------------
  • Changed files:
  • ---------------------------------------------------
  • changed: /mnt/new/WINDOWS/system32/drivers/etc/hosts
  • changed: /mnt/new/WINDOWS/WindowsUpdate.log
  • changed: /mnt/new/WINDOWS/setupapi.log
Analyzing Disk Image – ADS
  • Alternate Data Streams>>>
  • /mnt/new/Documents and Settings/All Users/Application Data/TEMP -> 75443743
  • getfattr --absolute-names -n ntfs.streams.list -PR /mnt/new
Analyzing Disk Image – RegRipper
  • Registry Run Key changes>>>
  • Registry Service Key changes>>>
  • +AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
  • -RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
  • +RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
  • -wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
  • +wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
  • Firewall changes>>>
  • -EnableFirewall -> 1
Analyzing Disk Image – hosts file*
  • Host file changes>>>
  • +
  • +127.0.0.1 www.symantec.com
  • +127.0.0.1 securityresponse.symantec.com
  • +127.0.0.1 symantec.com
  • +127.0.0.1 www.sophos.com
  • +127.0.0.1 sophos.com
  • +127.0.0.1 www.mcafee.com
  • +127.0.0.1 mcafee.com
  • +127.0.0.1 liveupdate.symantecliveupdate.com
  • +127.0.0.1 www.viruslist.com
  • +127.0.0.1 viruslist.com
  • +127.0.0.1 viruslist.com
  • +127.0.0.1 f-secure.com
  • +127.0.0.1 www.f-secure.com
  • +127.0.0.1 kaspersky.com
  • +127.0.0.1 kaspersky-labs.com
  • +127.0.0.1 www.avp.com
  • +127.0.0.1 www.kaspersky.com
  • +127.0.0.1 avp.com
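The RegRipper and hosts-file slides above are plain +/- change reports; what an analyst actually wants from them is the handful of conclusions (a new autostart service, security services flipped to Disabled, the firewall value gone, vendor update sites sinkholed to loopback). As an added example that is not part of this deck or its scripts, the Python below turns both report formats into those findings. The sample reports are constructed from the slide lines (plus one benign hosts entry to show the filter working), and the vendor suffix list is assembled from the domains on the slide.

```python
"""Derive findings from RegRipper-style service/firewall diffs and hosts diffs.

Added example, not the deck's own code. Input line formats follow the slides:
  +Name|Display|ImagePath|Type|Start|      (service key added)
  -Name|Display|ImagePath|Type|Start|      (service key removed)
  -EnableFirewall -> 1                     (firewall value removed)
  +127.0.0.1 www.vendor.com                (hosts line added)
"""
import re

# Constructed from the RegRipper slide.
REGISTRY_REPORT = r"""
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
-EnableFirewall -> 1
"""

# Constructed from the hosts-file slide; www.example.com is a made-up benign entry.
HOSTS_REPORT = """
+
+127.0.0.1 www.symantec.com
+127.0.0.1 securityresponse.symantec.com
+127.0.0.1 liveupdate.symantecliveupdate.com
+127.0.0.1 kaspersky.com
+127.0.0.1 kaspersky.com
+127.0.0.1 www.example.com
"""

FIREWALL_RE = re.compile(r"^(\w+) -> (\S+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
VENDOR_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com", "avp.com",
)


def registry_findings(report):
    """Pair removed/added service entries by name and describe what changed."""
    services, firewall = {}, []
    for line in report.splitlines():
        if not line or line[0] not in "+-":
            continue
        sign, body = line[0], line[1:]
        m = FIREWALL_RE.match(body)
        if m:
            verb = "added" if sign == "+" else "removed"
            firewall.append(f"firewall value {m.group(1)}={m.group(2)} {verb}")
            continue
        fields = body.split("|")
        if len(fields) < 5:
            continue
        name, display, image, svc_type, start = fields[:5]
        entry = {"display": display, "image": image, "type": svc_type, "start": start}
        services.setdefault(name, {})["added" if sign == "+" else "removed"] = entry
    findings = []
    for name, change in sorted(services.items()):
        added, removed = change.get("added"), change.get("removed")
        if added and removed:
            if added["start"] != removed["start"]:
                findings.append(f"service {name} start type {removed['start']} -> {added['start']}")
            if added["image"] != removed["image"]:
                findings.append(f"service {name} image path changed to {added['image']}")
        elif added:
            findings.append(f"new service {name} ({added['start']}): {added['image']}")
        else:
            findings.append(f"service {name} removed")
    return findings + firewall


def hosts_findings(report, suffixes=VENDOR_SUFFIXES):
    """Added hosts entries that pin a security-vendor name to a loopback/null address."""
    hits, seen = [], set()
    for line in report.splitlines():
        if not line.startswith("+"):
            continue
        parts = line[1:].split()
        if len(parts) < 2 or parts[0] not in LOOPBACK:
            continue
        for host in parts[1:]:
            host = host.lower()
            if host in seen:
                continue
            if any(host == s or host.endswith("." + s) for s in suffixes):
                seen.add(host)
                hits.append(host)
    return hits


if __name__ == "__main__":
    for f in registry_findings(REGISTRY_REPORT) + hosts_findings(HOSTS_REPORT):
        print(f)
```

The service pairing matters because RegRipper reports a changed key as a removal plus an addition; matching them by name is what separates "Security Center was disabled" from "a service came and went".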
Analyzing Memory Image – connections
  • Open Ports>>>
  • Local Address Remote Address Pid
  • 4.5.6.7:1047 4.3.2.104:4242 1484
  • 896 135 6 Wed May 27 20:39:59 2009
  • 1032 1027 17 Wed May 27 20:40:13 2009
  • 1096 1900 17 Wed May 27 20:40:14 2009
  • 1484 1047 6 Wed May 27 20:49:18 2009
  • < 908 -> 135 TCP
  • > 896 -> 135 TCP
  • 9,11c9,11
  • < 992 -> 1032 TCP
  • > 1484 avmont -> 1047 TCP C:\WINDOWS\avmont.exe
  • 14,15c14,16
  • < 992 -> 138 UDP
  • < 908 -> 445 UDP
  • > 1484 avmont -> 137 UDP C:\WINDOWS\avmont.exe
  • > 0 System -> 138 UDP
  • > 896 -> 445 UDP
Memory/Static Binary Analysis – ssdeep
  • ssdeep info>>>
  • 1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
  • 768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,
  • "/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
  • --------------------------------------------------------------------------------
  • ssdeep info>>>
  • 1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,
  • "1b1e067fdb0f2a44a50d9e290022b9ed.exe"
  • 1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
  • 3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,
  • "/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
  • /data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)
Static Binary Analysis – binhash
  • BinHash info>>>
  • File: [/forensics/exes/abod.exe] b826d0f222242c1e48f4e1ebe778a534
  • PE Phdr: af86103672ba3bba2d21f2691465520f
  • PE Opt Hdr: f8ea55a399eeec409874af01ca0cf01d
  • Import [1] Offset: (f570) Size: (180): 93f613363a9cb87c3a20e3f2e1fc47b7
  • Import [12] Offset: (f000) Size: (608): eafa58275a218a26f92631bf75b10b8f
  • [0] (.text)
  • (VirtualAddress: 00001000) (PtrToData: 00001000) (SizeOfData: 0000e000)
  • Shdr: aaa4cacbb1cc38713961cc2e5931b982
  • Shdr Data: f571948f8203e66d09c87b00ae748c8d
  • [1] (.rdata)
  • (VirtualAddress: 0000f000) (PtrToData: 0000f000) (SizeOfData: 00002000)
  • Shdr: 46aa637bbc2c0335c427f6ca42021df9
  • Shdr Data: 3b10f3f4c6012e87d46686464575926c
  • [2] (.data)
  • (VirtualAddress: 00011000) (PtrToData: 00011000) (SizeOfData: 00003000)
  • Shdr: cff63d398711731f58eee390a6ce8513
  • Shdr Data: 71cc6a0ff1c18b313d21f1f03229738e
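The BinHash output above hashes the PE pieces (file header, optional header, each section header and each section's data) separately, so two samples that share a packer stub or code section still match on those pieces when the whole-file MD5 differs. As an added example that is neither BinHash nor the author's code, the Python below parses just enough of the PE layout to reproduce that idea and compares two images. The tiny PE images are constructed in memory (header fields only, no real code) so the block runs offline.

```python
"""Hash the parts of a PE file separately, in the spirit of BinHash.

Added example, not BinHash itself. Parses DOS header -> PE signature ->
COFF file header -> optional header -> section table, and MD5s each piece
plus each section's raw data. The sample images are constructed test data.
"""
import hashlib
import struct


def md5(data):
    return hashlib.md5(data).hexdigest()


def build_sample_pe(text_bytes, data_bytes):
    """Construct a minimal PE32 image with .text and .data (test data, not a real program)."""
    e_lfanew, opt_size = 0x40, 0xE0           # standard PE32 optional header size
    sections = [(b".text", text_bytes), (b".data", data_bytes)]
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF   # 0x200 file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, blobs, va = b"", b"", 0x1000
    for name, blob in sections:
        size = (len(blob) + 0x1FF) & ~0x1FF
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name, len(blob), va, size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        blobs += blob.ljust(size, b"\0")
        raw_ptr += size
        va += 0x1000
    image = dos + b"PE\0\0" + coff + opt + table
    return image.ljust((headers_len + 0x1FF) & ~0x1FF, b"\0") + blobs


def hash_pe_parts(image):
    """Return MD5s of the PE file header, optional header and every section (header + data)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", image, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    table_off = opt_off + opt_size
    result = {"pe_hdr": md5(image[coff_off:opt_off]),
              "pe_opt_hdr": md5(image[opt_off:table_off]),
              "sections": []}
    for i in range(nsections):
        raw = image[table_off + 40 * i: table_off + 40 * (i + 1)]
        if len(raw) < 40:
            raise ValueError("truncated section table")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", raw)
        if rawptr + rawsize > len(image):
            raise ValueError(f"section {name!r} points past end of file")
        result["sections"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "rawptr": rawptr, "rawsize": rawsize,
            "shdr": md5(raw),                                # section header bytes
            "shdr_data": md5(image[rawptr:rawptr + rawsize]),  # section raw data
        })
    return result


def shared_sections(a, b):
    """Section names in a whose raw-data hash also appears in b."""
    in_b = {s["shdr_data"] for s in b["sections"]}
    return [s["name"] for s in a["sections"] if s["shdr_data"] in in_b]


if __name__ == "__main__":
    stub = b"\x55\x8b\xec" * 50                      # same "code" in both samples
    one = hash_pe_parts(build_sample_pe(stub, b"config-A"))
    two = hash_pe_parts(build_sample_pe(stub, b"config-B"))
    print("shared sections:", shared_sections(one, two))
```

The bounds check on `rawptr + rawsize` is deliberate: packed and hand-edited samples routinely carry section headers that point outside the file, and a hasher that silently hashes an empty slice would report a false match on those.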
Static Binary Analysis – packerid.py
  • Packer info>>>
  • [['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]
Static Binary Analysis – Volatility malfind.py*
  • #
  • # lsass.exe (Pid: 676)
  • #
  • + VAD node @821bfb00 Start 00c60000 End 00c6ffff Tag VadS Flags 18
  • + VAD node @8236b208 Start 00c80000 End 00c96fff Tag VadS Flags 18
  • - Status: disassembling with pydasm...
  • 0xc80000 call 0x567d
  • 0xc80005 retn 0x8
  • 0xc80008 push ecx
  • 0xc80009 push esi
  • 0xc8000a call 0x1582
  • Found 2 suspicious Vad entries
Questions?
  • E-mail: jac@att.com or jclausing@isc.sans.org
SANS Mentor Class – SEC 508 (Forensics)
  • For those of you from central OH (or folks you work with), I’ll be facilitating another mentor class in the fall.
  • Thursday evenings from 6:30-8:30PM in Reynoldsburg, OH running 10 Sep-12 Nov.
  • http://www.sans.org/mentor/details.php?nid=19458