Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software


    Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software - Presentation Transcript

    1. Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source Tools
      Jim Clausing, PMTS, AT&T CSO
      18 Jun 2009
    2. Thanx up front
      Page 2
    3. The Author
    4. Page 4
      Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSP
      GCIA (Gold) #64 – 2000
      GCFA (Gold) #25 – 2002
      GREM (Gold) #48 – 2005
      And other certs along the way…
      SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor, Internet Storm Center handler since 2002
      Instrument-rated private pilot – 2003/2004
    5. The Paper
    6. Page 6
      SANSFIRE 2008
    7. The patches and scripts
      http://handlers.sans.org/jclausing/grem_gold/
      http://www.giac.org/certified_professionals/practicals/grem/48.php
      Page 7
    8. The Environment – A Little History
    9. In the beginning
      Page 9
    10. Malware DB
      Page 10
    11. Motivation – The Environment
    12. Forest? Trees?
      Page 12
    13. Unpacking may lead to surprises – like no results 
      Page 13
    14. Page 14
      We’ve got malware, now what?
    15. Truman (well, and Joe Stewart) FTW
      Page 15
    16. The Analysis Environment
    17. Processing a Sample
    18. Analysis Flow
      Page 18
    19. Submission
      [jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i old-malware/; sleep 10; done
      Archive: 090529-rnd_jpg.piz
      inflating: rnd.jpg
      *****Processing rnd.jpg - ONEBOOT******
      interface: eth1 (4.0.0.0/255.0.0.0)
      filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
      tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytes
      Starting Faux FTP Server Emulation on port 21
      Starting Faux MySQL Server Emulation on port 3306
      Starting Faux SMTP Server Emulation on port 25
      Starting Faux SMB Server Emulation on port 445
      Starting Faux IRC Server Emulation on port 6667
      Starting Faux DNS Server Emulation on port 53
      Page 19
    20. Monitoring
      [jac@fltruman001 ~]$ alias status
      alias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:] " "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r - -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:] " "."'
      Page 20
    21. Monitoring, cont’d
      [jac@fltruman001 ~]$ status
      Server.exe
      request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
      responseIP: 4.3.2.86
      responseIP: 4.3.2.63
      response: rcode=NOERROR, … …, auth=, add=, aa=1
      request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
      responseIP: 4.5.6.1
      response: rcode=NOERROR, ans=…, auth=, add=, aa=1
      Connection from 4.5.6.7
      USER 0wn@sickbassline.com
      PASS smokeweed
      TYPE A
      PORT 4,5,6,7,4,7
      STOR User.mps
      reading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)
      4.5.6.7 4.3.2.86 6 1030 21 674 578 9 9 2009-06-04-11:24:02.2148 2009-06-04-11:24:03.3459 1 1
      4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-06-04-11:24:09.5569 2009-06-04-11:24:10.4709 1 1
      input: /tmp/sandnet.pcap
      filter: (ip) and ( tcp port 80 and not host 4.5.6.1 )
      match: GET|POST|HEAD|OPTIONS|JOIN
      ##########exit
      Page 21
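The status alias above pulls these fauxdns and fauxftp lines out of /tmp/sandnet*.log and leaves the reading to the analyst. The following is an added example (not code from the talk or from the Truman tools) that parses that log format into a summary of what the sample did on the wire; the input lines are copied from the slides, and the baseline list of names the clean XP image resolves on its own is an assumption.

```python
import re
# Sample sandnet log lines, taken from the fauxdns/fauxftp output on the slides above.
SANDNET_LOG = """\
request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.86
responseIP: 4.3.2.63
response: rcode=NOERROR, auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
Connection from 4.5.6.7
USER 0wn@sickbassline.com
PASS smokeweed
PORT 4,5,6,7,4,7
STOR User.mps
"""
# Names the clean XP image resolves by itself (assumed baseline, not from the slides).
BASELINE_NAMES = {"time.windows.com"}

DNS_REQ = re.compile(r"^request: name=(\S+), class=\w+, type=\w+, peer=[\d.]+$")
DNS_ANS = re.compile(r"^responseIP: ([\d.]+)$")
FTP_CMD = re.compile(r"^(USER|PASS|STOR|PORT) (.*)$")

def summarize(log_text):
    """Pull DNS lookups and FTP session details out of fauxdns/fauxftp log lines."""
    dns, current = {}, None
    ftp = {"user": None, "password": None, "uploads": [], "active_ports": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := DNS_REQ.match(line):           # new lookup: collect its answers under it
            current = m.group(1)
            dns.setdefault(current, [])
        elif (m := DNS_ANS.match(line)) and current:
            dns[current].append(m.group(1))    # fauxdns prints one responseIP per answer
        elif m := FTP_CMD.match(line):
            cmd, arg = m.groups()
            if cmd == "USER":
                ftp["user"] = arg
            elif cmd == "PASS":
                ftp["password"] = arg
            elif cmd == "STOR":                # file the sample tried to upload
                ftp["uploads"].append(arg)
            else:                              # PORT h1,h2,h3,h4,p1,p2 -> host, p1*256+p2
                h = arg.split(",")
                ftp["active_ports"].append((".".join(h[:4]), int(h[4]) * 256 + int(h[5])))
    return {"dns": dns, "ftp": ftp}

def suspicious_names(summary):
    """Names the sample looked up that the clean image would not have queried."""
    return sorted(n for n in summary["dns"] if n not in BASELINE_NAMES)
```

Because fauxdns answers every lookup from its own range, the resolved addresses only identify flows in the pcap; the hostnames, the FTP credentials and the STOR target are the indicators worth keeping.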
    22. Page 22
      Original Truman Analysis Tools
    23. Page 23
      The 4 Areas of Analysis
    24. The Report – Tool Output
    25. Page 25
      Identify the OS
      Summary report for xxx.xxx-XPSP2-files created at ………
      OS info>>>
      kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
      Ex: kern <path_to_dump_file>
      File Description : NT Kernel & System
      File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
      Internal Name : ntoskrnl.exe
      Original File Name :
      Product Name : Microsoft® Windows® Operating System
      Product Version : 5.1.2600.2180
    26. Page 26
      Analyzing Network Traffic – fauxdns
      DNS>>>
      request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
      responseIP: 4.3.2.51
      responseIP: 4.3.2.154
      response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
      request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
      responseIP: 4.3.2.104
      responseIP: 4.3.2.240
      response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
      request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
      responseIP: 4.5.6.1
      response: rcode=NOERROR, ans=…, auth=, add=, aa=1
    27. Analyzing Network Traffic – fauxftp
      Connection from 4.5.6.7
      USER 0wn@sickbassline.com
      PASS smokeweed
      TYPE A
      PORT 4,5,6,7,4,7
      STOR User.mps
      Page 27
    28. Page 28
      Analyzing Network Traffic – fauxirc
      IRC>>>
      2009-05-27-16:49:17: Connection from 4.5.6.7
      2009-05-27-16:49:17: PASS lammers
      2009-05-27-16:49:17: NICK [00|USA|296161]
      2009-05-27-16:49:18: USER XP-8165 * 0 :ATT
      2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x
      2009-05-27-16:49:18: JOIN #WiFi-a Crypt
      2009-05-27-17:00:13: QUIT System shutting down.
      2009-05-27-17:00:15: QUIT Leaving
    29. Page 29
      Analyzing Network Traffic – ipaudit
      IP traffic>>>
      src dst proto sp dp bytes pkts start end 1 / 2
      4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
      4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
      4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
      4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
    30. Page 30
      Analyzing Network Traffic – tshark
      ===================================================================
      Protocol Hierarchy Statistics
      Filter: frame
      frame frames:602 bytes:733467
      eth frames:602 bytes:733467
      ip frames:573 bytes:731979
      tcp frames:387 bytes:146779
      http frames:30 bytes:22708
      short frames:5 bytes:17790
      data-text-lines frames:3 bytes:644
      data frames:8 bytes:849
      udp frames:57 bytes:10014
      nbdgm frames:11 bytes:2511
      smb frames:11 bytes:2511
      mailslot frames:11 bytes:2511
      browser frames:11 bytes:2511
      nbns frames:27 bytes:2538
      dns frames:6 bytes:532
      http frames:3 bytes:525
      ntp frames:2 bytes:180
      bootp frames:8 bytes:3728
      short frames:127 bytes:575066
      igmp frames:2 bytes:120
      arp frames:29 bytes:1488
      ===================================================================
    31. Page 31
      Analyzing Network Traffic – tcptrace
      HTTP>>>
      mod_http: Capturing HTTP traffic (port 80)
      1 arg remaining, starting with '../small.pcap'
      Ostermann's tcptrace -- version 6.6.7 -- Thu Nov 4, 2004
      10 packets seen, 10 TCP packets traced
      elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
      trace file elapsed time: 0:00:00.017257
      Http module output:
      4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
      Server Syn Time: Wed May 27 16:49:17.130145 2009 (1243457357.130)
      Client Syn Time: Wed May 27 16:49:17.130085 2009 (1243457357.130)
      Server Fin Time: Wed May 27 16:49:17.146947 2009 (1243457357.147)
      Client Fin Time: Wed May 27 16:49:17.147323 2009 (1243457357.147)
      GET /here2 HTTP/1.0
      Response Code: 404 (Not Found)
      Request Length: 66
      Reply Length: 468
      Content Length: 289
      Content Type : text/html;
      Time request sent: Wed May 27 16:49:17.130584 2009 (…)
      Time reply started: Wed May 27 16:49:17.146886 2009 (…)
      Time reply ACKed: Wed May 27 16:49:17.147077 2009 (…)
      Elapsed time: 16 ms (request to first byte sent)
      Elapsed time: 16 ms (request to content ACKed)
    32. Page 32
      Analyzing Disk Image – AIDE
      ---------------------------------------------------
      Added files:
      ---------------------------------------------------
      added: /mnt/new/WINDOWS/avmont.exe
      added: /mnt/new/Documents and Settings/All Users/Application Data/TEMP
      ---------------------------------------------------
      Removed files:
      ---------------------------------------------------
      removed: /mnt/new/WINDOWS/system32/CatRoot2/tmp.edb
      ---------------------------------------------------
      Changed files:
      ---------------------------------------------------
      changed: /mnt/new/WINDOWS/system32/drivers/etc/hosts
      changed: /mnt/new/WINDOWS/WindowsUpdate.log
      changed: /mnt/new/WINDOWS/setupapi.log
    33. Page 33
      Analyzing Disk Image – ADS
      Alternate Data Streams>>>
      /mnt/new/Documents and Settings/All Users/Application Data/TEMP -> 75443743
      getfattr --absolute-names -n ntfs.streams.list -PR /mnt/new
    34. Page 34
      Analyzing Disk Image – RegRipper
      Registry Run Key changes>>>
      Registry Service Key changes>>>
      +AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
      -RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
      +RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
      -wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
      +wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
      Firewall changes>>>
      -EnableFirewall -> 1
    35. Page 35
      Analyzing Disk Image – hosts file*
      Host file changes>>>
      +
      +127.0.0.1 www.symantec.com
      +127.0.0.1 securityresponse.symantec.com
      +127.0.0.1 symantec.com
      +127.0.0.1 www.sophos.com
      +127.0.0.1 sophos.com
      +127.0.0.1 www.mcafee.com
      +127.0.0.1 mcafee.com
      +127.0.0.1 liveupdate.symantecliveupdate.com
      +127.0.0.1 www.viruslist.com
      +127.0.0.1 viruslist.com
      +127.0.0.1 viruslist.com
      +127.0.0.1 f-secure.com
      +127.0.0.1 www.f-secure.com
      +127.0.0.1 kaspersky.com
      +127.0.0.1 kaspersky-labs.com
      +127.0.0.1 www.avp.com
      +127.0.0.1 www.kaspersky.com
      +127.0.0.1 avp.com
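The RegRipper and hosts-file sections above already arrive as +/- change lines. The following is an added example (not from the talk or its scripts) that reads that format and reports the findings an analyst checks first: services the sample added, security services flipped to Disabled, the firewall value removed, and vendor sites pointed at 127.0.0.1. The input is copied from slides 34 and 35; the field layout name|display|image|type|start is read off those lines and assumed to be fixed.

```python
import re

# Sample lines in the +/- form the report on the slides uses (copied from slides 34 and 35).
REPORT = r"""Registry Service Key changes>>>
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
Firewall changes>>>
-EnableFirewall -> 1
Host file changes>>>
+127.0.0.1 www.symantec.com
+127.0.0.1 liveupdate.symantecliveupdate.com
+127.0.0.1 www.kaspersky.com
"""
# name|display name|image path|type|start mode| as the report prints each service
SERVICE = re.compile(r"^([+-])([^|]+)\|[^|]*\|([^|]*)\|[^|]*\|([^|]*)\|$")
HOSTS = re.compile(r"^\+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

def triage(report):
    """Turn the +/- change lines into the findings an analyst would pull from them."""
    section, before, after, images = None, {}, {}, {}
    blackholed, firewall_disabled = [], False
    for line in report.splitlines():
        if line.endswith(">>>"):                      # section header
            section = line[:-3]
        elif section == "Registry Service Key changes" and (m := SERVICE.match(line)):
            sign, name, image, start = m.groups()
            (after if sign == "+" else before)[name] = start
            images[name] = image.strip('"')
        elif section == "Firewall changes" and line == "-EnableFirewall -> 1":
            firewall_disabled = True                  # the 'on' value was removed
        elif section == "Host file changes" and (m := HOSTS.match(line)):
            if m.group(1).startswith("127."):         # vendor site pointed at loopback
                blackholed.append(m.group(2))
    # Present only on the '+' side: a service the sample installed.
    added = {n: images[n] for n in after if n not in before}
    # Present on both sides with the start mode flipped to Disabled: switched off.
    disabled = sorted(n for n in after if n in before
                      and after[n] == "Disabled" and before[n] != "Disabled")
    return {"added_services": added, "disabled_services": disabled,
            "firewall_disabled": firewall_disabled, "blackholed_hosts": blackholed}
```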
    36. Memory Image Analysis – Volatility
      Page 36
    37. Page 37
      Analyzing Memory Image – connections
      Open Ports>>>
      Local Address Remote Address Pid
      4.5.6.7:1047 4.3.2.104:4242 1484
      896 135 6 Wed May 27 20:39:59 2009
      1032 1027 17 Wed May 27 20:40:13 2009
      1096 1900 17 Wed May 27 20:40:14 2009
      1484 1047 6 Wed May 27 20:49:18 2009
      < 908 -> 135 TCP
      > 896 -> 135 TCP
      9,11c9,11
      < 992 -> 1032 TCP
      > 1484 avmont -> 1047 TCP C:\WINDOWS\avmont.exe
      14,15c14,16
      < 992 -> 138 UDP
      < 908 -> 445 UDP
      > 1484 avmont -> 137 UDP C:\WINDOWS\avmont.exe
      > 0 System -> 138 UDP
      > 896 -> 445 UDP
    38. Page 38
      Memory/Static Binary Analysis – ssdeep
      ssdeep info>>>
      1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
      768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,
      "/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
      --------------------------------------------------------------------------------
      ssdeep info>>>
      1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,
      "1b1e067fdb0f2a44a50d9e290022b9ed.exe"
      1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
      3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,
      "/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
      /data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212
      c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)
    39. Page 39
      Static Binary Analysis – binhash
      BinHash info>>>
      File: [/forensics/exes/abod.exe] b826d0f222242c1e48f4e1ebe778a534
      PE Phdr: af86103672ba3bba2d21f2691465520f
      PE Opt Hdr: f8ea55a399eeec409874af01ca0cf01d
      Import [1] Offset: (f570) Size: (180): 93f613363a9cb87c3a20e3f2e1fc47b7
      Import [12] Offset: (f000) Size: (608): eafa58275a218a26f92631bf75b10b8f
      [0] (.text)
      (VirtualAddress: 00001000) (PtrToData: 00001000) (SizeOfData: 0000e000)
      Shdr: aaa4cacbb1cc38713961cc2e5931b982
      Shdr Data: f571948f8203e66d09c87b00ae748c8d
      [1] (.rdata)
      (VirtualAddress: 0000f000) (PtrToData: 0000f000) (SizeOfData: 00002000)
      Shdr: 46aa637bbc2c0335c427f6ca42021df9
      Shdr Data: 3b10f3f4c6012e87d46686464575926c
      [2] (.data)
      (VirtualAddress: 00011000) (PtrToData: 00011000) (SizeOfData: 00003000)
      Shdr: cff63d398711731f58eee390a6ce8513
      Shdr Data: 71cc6a0ff1c18b313d21f1f03229738e
    40. Page 40
      Static Binary Analysis – packerid.py
      Packer info>>>
      [['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]
    41. Page 41
      Static Binary Analysis – Volatility malfind.py*
      #
      # lsass.exe (Pid: 676)
      #
      + VAD node @821bfb00 Start 00c60000 End 00c6ffff Tag VadS Flags 18
      + VAD node @8236b208 Start 00c80000 End 00c96fff Tag VadS Flags 18
      - Status: disassembling with pydasm...
      0xc80000 call 0x567d
      0xc80005 retn 0x8
      0xc80008 push ecx
      0xc80009 push esi
      0xc8000a call 0x1582
      Found 2 suspicious Vad entries
    42. Page 42
      Limitations
    43. Page 43
      Future Work
    44. Page 44
      More Future Work
    45. Questions?
      E-mail: jac@att.com or jclausing@isc.sans.org
      Page 45
    46. SANS Mentor Class – SEC 508 (Forensics)
      For those of you from central OH (or folks you work with), I’ll be facilitating another mentor class in the fall.
      Thursday evenings from 6:30-8:30PM in Reynoldsburg, OH running 10 Sep-12 Nov.
      http://www.sans.org/mentor/details.php?nid=19458
      Page 46

    Jim Clausing, 4 months ago
