Real-time Static Malware Analysis Using NepenthesFE



  1. Visualizing your Honeypot Data
  2.
     - Wasim Halani
       - Security Analyst @ Network Intelligence India (http://www.niiconsulting.com/)
       - Interests: exploit development, malware analysis
     - Harsh Patel
       - Student @ Symbiosis Center for Information Technology
       - Interest: anything and everything about security
  3. A deliberately vulnerable system, placed on the network (the honeypot)
     - Lures attackers towards itself
     - Captures the malware sent to the network/system
     - Helps in offline analysis
     Types:
     - Low interaction
     - High interaction
  4. NepenthesFE is a front end to the low-interaction honeypot 'nepenthes'
     - Originally developed by Emre Bastuz
     - Helps in cataloguing malware collected using nepenthes
     - Has modules that perform operations to automate some aspects of malware analysis
  5. Our Nepenthes honeypot provided only minimal data about the captured binaries
     - File hash (MD5)
     - Attacker IP
     - File name
     - ...
     What next? Is that all the value a honeypot can provide?
  6. Lenny Zeltser, 'What to include in a Malware Analysis Report?'
     - http://zeltser.com/reverse-malware/malware-analysis-report.html
     - Summary of analysis
     - Identification
     - Characteristics
     - Dependencies
     - Behavioral & code analysis
     - Screenshots
     - Recommendations
  7. Once we have captured the binary, we're still left with doing the routine basic stuff
     - strings, file, VirusTotal, geo-IP, ...
     Can't we automate it!? Enter 'NepenthesFE'
     - Basic analysis like file type, hashes, ASCII strings, packer information, geographical information
  8. Analyzing malware sample 'b.aaa'
  9.
     - Provide a statistical output of the data collected
       - How many times has a given malware hit us?
     - Provide visualization of the origin of malware
       - Which malware samples originate from a single country?
     - Determine and focus on the number of new attacks on the system
     - Provide a framework to automate initial static analysis
       - Is it packed?
       - Any recognizable ASCII strings in the binary?
  10.
     - Integrates with the Nepenthes honeypot
       - Integration with multiple sensors possible
     - Statistical count of malware hits
     - AfterGlow diagrams
       - Country of origin
       - ASN
     - Provides details of the attacking IP
       - GeoIP database
       - Google Maps
  11.
     - Can be extended with custom modules for real-time static malware analysis
       - Packer information
       - 'strings'
     - Anti-virus scanning (for known malware)
  12. Based on sample (malware)
     - VirusTotal scanning
       - API
     - BitDefender scanning
     - Execution of Unix commands such as file, objdump, UPX and strings
     - Execution of *nix-based custom scripts to find out details like packer information, PE information and entropy analysis
  13. Based on instance (information about the attacker)
     - GeoIP database
     - ASN information
       - Mapping of ASN to Robtex
       - Mapping of ASN to PhishTank
       - Visualization of attack vectors from an ASN number
     - Visualization of attack vectors from an IP address
  14.
     - Install the Nepenthes honeypot sensor
       - http://nepenthes.carnivore.it/
     - Refer to our first report at IHP
       - http://www.honeynet.org.in/reports/KK_Project1.pdf
  15. List of packages:
     - build-essential
     - apache2
     - libapache2-mod-php5
     - php-pear
     - mysql-server-5.1
     - php5-mysql
     - php5-mhash
     - php5-dev
     - upx-ucl
     - file
  16. List of packages:
     - geoip-bin
     - rrdtool (for graphs)
     - librrd2 (for graphs)
     - librrd2-dev (for graphs)
     - python-pefile (for the pefile module)
     - python-all (for the pefile module)
     - bitdefender-scanner (for BitDefender scanning)
     - graphviz (for visualization)
     And lots of configuration....
  17. Modify the 'submit-http.conf' file in /etc/nepenthes
  18. Download the freely available GeoIP database from MaxMind
     - http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
  19. Get a Google API key
     - http://code.google.com/apis/maps/signup.html
  20.
     - pefile
       - http://code.google.com/p/pefile/
     - packerid.py
       - Requires the 'PEiD' database (signatures)
       - http://handlers.dshield.org/jclausing/
     - UPX
       - http://upx.sourceforge.net/
     - 'file': apt-get install file
     - 'strings'
     - 'objdump'
     These executables (chmod +x) should be accessible to NFE
     - Place them in the /usr/bin/ folder if needed
  21. Analysis Report

     Item                              Nepenthes       Nepenthes + FE
     ----                              ---------       --------------
     File name                         Yes             Yes
     Unique identification (hashes)    MD5, SHA512     MD5, SHA512 (possibly ssdeep)
     Malware name (family)             No              VirusTotal, BitDefender (free Linux AV scanners)
     Binary file type                  No              'file'
     Malware origin                    IP address      Geo-location data
     Screenshots                       None            Google Maps, AfterGlow graphs, Robtex graphs
     Is it packed? Which packer?       No              packerid.py, UPX
     Statistics                        No              Yes (hit counts, RRD graphs)
  22. Analyzing malware sample 'b.aaa'
  23.
     - Works only with the Nepenthes honeypot
     - No search functionality
     - VirusTotal functionality is broken (new API released by VT recently)
     - Report cannot be exported
  24.
     - Open source
       - Requires volunteers
       - Current version: 0.04 (releasing v0.05 today)
     - Complete documentation available at:
       - http://www.niiconsulting.com/nepenthesfe/
     - Implementation of a central NepenthesFE for multiple Nepenthes sensors
       - As part of the Indian Honeynet Project (IHP): http://honeynet.org.in/
     - Submit the malware to a sandbox environment to retrieve more in-depth analysis
  25. wasimhalani@gmail.com, har.duro@gmail.com
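Slides 9 and 10 describe the statistics NepenthesFE builds on top of the raw nepenthes submissions: hit counts per sample, origin per country, the set of samples that are new, and the edge lists fed to AfterGlow. The script below is an added example written for this page, not NepenthesFE's own code. The hit records and the GeoIP lookup table are constructed (documentation-range IPs, placeholder MD5s, made-up country labels) so it runs offline; in the real tool the country comes from the MaxMind GeoLiteCity database. The three-column "source,event,target" CSV is the shape AfterGlow reads.

```python
"""Hit statistics and AfterGlow input from nepenthes submissions (added example, not NepenthesFE code)."""
from collections import Counter

# Constructed records in the shape a nepenthes submit-http handler delivers:
# (attacker IP, MD5 of the binary, submitted file name).  IPs come from the
# documentation ranges; the MD5s are placeholders, not hashes of real samples.
SAMPLE_HITS = [
    ("203.0.113.5",  "5d41402abc4b2a76b9719d911017c592", "b.aaa"),
    ("203.0.113.5",  "5d41402abc4b2a76b9719d911017c592", "b.aaa"),
    ("203.0.113.77", "5d41402abc4b2a76b9719d911017c592", "x.exe"),
    ("198.51.100.9", "7d793037a0760186574b0282f2f435e7", "z.exe"),
    ("192.0.2.44",   "7d793037a0760186574b0282f2f435e7", "z.exe"),
    ("192.0.2.44",   "9e107d9d372bb6826bd81d3542a419d6", "q.exe"),
]

# Constructed stand-in for the GeoLiteCity lookup NepenthesFE performs per attacker IP.
GEOIP_STUB = {
    "203.0.113.5": "country-A", "203.0.113.77": "country-A",
    "198.51.100.9": "country-B", "192.0.2.44": "country-C",
}


def country_of(ip, geoip=GEOIP_STUB):
    """Country label for an IP; anything outside the database is reported as 'unknown'."""
    return geoip.get(ip, "unknown")


def hits_per_sample(hits):
    """How many times has a given malware hit us?  Keyed by MD5."""
    return Counter(md5 for _ip, md5, _name in hits)


def hits_per_country(hits, geoip=GEOIP_STUB):
    """Number of submissions attributed to each country of origin."""
    return Counter(country_of(ip, geoip) for ip, _md5, _name in hits)


def samples_per_country(hits, geoip=GEOIP_STUB):
    """Which samples originate from a single country?  Country -> set of MD5s."""
    out = {}
    for ip, md5, _name in hits:
        out.setdefault(country_of(ip, geoip), set()).add(md5)
    return out


def new_samples(hits, known_md5s):
    """MD5s not seen before, in order of first appearance: the new attacks to focus on."""
    seen = set(known_md5s)
    fresh = []
    for _ip, md5, _name in hits:
        if md5 not in seen:
            seen.add(md5)
            fresh.append(md5)
    return fresh


def afterglow_edges(hits, geoip=GEOIP_STUB):
    """De-duplicated 'source,event,target' CSV lines (country -> IP -> MD5) for AfterGlow."""
    lines = []
    for ip, md5, _name in hits:
        line = "%s,%s,%s" % (country_of(ip, geoip), ip, md5)
        if line not in lines:
            lines.append(line)
    return lines


if __name__ == "__main__":
    print("hits per sample:", dict(hits_per_sample(SAMPLE_HITS)))
    print("hits per country:", dict(hits_per_country(SAMPLE_HITS)))
    print("new since last run:", new_samples(SAMPLE_HITS, {"5d41402abc4b2a76b9719d911017c592"}))
    print("\n".join(afterglow_edges(SAMPLE_HITS)))
```

Piping the `afterglow_edges` output into AfterGlow with a colour property file keyed on the first column gives the country-of-origin diagram the deck shows; the same aggregation keyed on ASN instead of country gives the ASN variant.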
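Slide 12 lists the per-sample checks NepenthesFE runs through external tools (file, strings, UPX, pefile, packerid.py, an entropy analyser). The script below is an added example written for this page, not NepenthesFE's or pefile's code: it reimplements those checks in pure Python so the pipeline can be seen end to end. It hashes the file, identifies the type from magic bytes, extracts ASCII strings, walks the PE section table and flags a sample as packed when a section carries the UPX names or its raw data has near-maximal Shannon entropy. The input is a constructed PE-shaped blob laid out like a UPX-packed file (empty UPX0, high-entropy UPX1, a small .rsrc with import-like strings); it is not a real program and the entropy threshold of 7.0 is an assumption, not a value from the deck.

```python
"""Static triage of a captured sample (added example, not NepenthesFE code)."""
import hashlib
import math
import re
import struct
from collections import Counter

MIN_STRING_LEN = 4
HIGH_ENTROPY = 7.0                              # bits/byte; packed or encrypted data sits near 8.0 (assumed threshold)
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}    # section layout UPX writes
OPT_HEADER_SIZE = 0xE0                          # size of a PE32 optional header


def file_hashes(data):
    """MD5 and SHA-512 of the whole file, the identifiers NepenthesFE records."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha512": hashlib.sha512(data).hexdigest()}


def file_type(data):
    """Coarse equivalent of file(1): PE, MS-DOS and ELF recognised by magic bytes."""
    if data[:4] == b"\x7fELF":
        return "ELF executable"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "PE executable"
        return "MS-DOS executable"
    return "data"


def ascii_strings(data, min_len=MIN_STRING_LEN):
    """Equivalent of strings(1): runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for constant content, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Parse the COFF section table and score each section's raw data by entropy."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    coff = pe_off + 4                                          # COFF header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                               # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def packer_hints(sections):
    """Cheap stand-in for packerid.py: UPX section names or high-entropy sections."""
    hints = []
    for s in sections:
        if s["name"] in UPX_SECTION_NAMES:
            hints.append("section %s matches the UPX layout" % s["name"])
        if s["entropy"] >= HIGH_ENTROPY:
            hints.append("section %s has entropy %.2f (packed or encrypted data)" % (s["name"], s["entropy"]))
    return hints


def analyze(data):
    """Run every check and return the report a NepenthesFE sample module would store."""
    kind = file_type(data)
    sections = pe_sections(data) if kind == "PE executable" else []
    hints = packer_hints(sections)
    return {"file_type": kind, "hashes": file_hashes(data), "strings": ascii_strings(data),
            "sections": sections, "packer_hints": hints, "packed": bool(hints)}


def build_sample_pe():
    """Constructed sample: a PE-shaped blob laid out like a UPX-packed file (not a real program)."""
    text = b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0".ljust(512, b"\0")
    packed = bytes(range(256)) * 8                     # every byte value equally often: entropy exactly 8.0
    packed_ptr, text_ptr = 0x400, 0xC00
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (OPT_HEADER_SIZE - 2)     # PE32 magic, rest zeroed

    def section(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0xE0000040)

    headers = (dos + b"PE\0\0" + coff + optional
               + section(b"UPX0", 0x10000, 0x1000, 0, 0)                    # empty, as in real UPX output
               + section(b"UPX1", len(packed), 0x11000, len(packed), packed_ptr)
               + section(b".rsrc", len(text), 0x12000, len(text), text_ptr))
    image = bytearray(text_ptr + len(text))
    image[:len(headers)] = headers
    image[packed_ptr:packed_ptr + len(packed)] = packed
    image[text_ptr:text_ptr + len(text)] = text
    return bytes(image)


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    print(report["file_type"], report["hashes"]["md5"], report["packed"])
    for s in report["sections"]:
        print("%-8s raw=%-5d entropy=%.2f" % (s["name"], s["raw_size"], s["entropy"]))
```

Against a real capture the same `analyze` call would be fed the bytes nepenthes submitted; the section entropies are what an entropy analyser reports, and the UPX-name hint is the part of packerid.py's signature match that can be reproduced without the PEiD database.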
