Cutting out Malware

Day by day, we store more and more confidential information on our computers, from website account credentials to our bank account. Every day, malware becomes more and more silent: it doesn't want you to be suspicious, it just wants to stay on your device and do something ...that you don't really want.

Published in: Technology
Transcript

  • 1. LUIGI CAPUZZELLO
    Cutting out Malware
    Integrated malware analysis.
    Version: 1.0
    Luigi Capuzzello, 11/01/2014
    http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
    http://www.slideshare.net/luigicapuzzello
    @FisherKasparov
    luigi.capuzzello
    A good introduction to malware analysis, offering detailed coverage of all the essential skills required to understand the specific challenges presented by modern malware.
  • 2. Introduction.2
    Contents
    Introduction (3)
      What you will learn (3)
      What you should know (3)
    Basic Static Analysis (3)
      Hashing: [winMD5free] (3)
      String: [strings] (3)
      Packed software [PEiD / exeinfope] (4)
      PE Header [Dependency Walker / PEView / Resource Hacker Tool] (5)
    Basic Dynamic Analysis (7)
      Monitor malware activity [procmon / regshot / Process Explorer] (7)
      Go deep into network traffic (9)
    So what the hell can we do? (11)
    Summary (11)
    On the Web (11)
    About the author (12)
    Other Specification (12)
    Luigi Capuzzello
  • 3. Introduction.
    An email arrives in your inbox; it's from your girlfriend Ann. She invites you to look at a very funny picture of her. Click! "But... what? This picture is not really funny, and ...she is not Ann."
    Day by day we store more and more confidential information on our computers, from website account credentials to our bank account. Day by day malware becomes more and more silent: it doesn't want you to be suspicious, it just wants to stay on your device and do something ...that you don't want.
    What you will learn...
    - Configuring a malware analysis lab
    - Assembling a real toolkit for malware forensics
    - Performing behavioral analysis of malicious Windows executables
    - Performing static and dynamic code analysis of malicious Windows executables
    What you should know...
    - What a PE header is
    - Knowledge of network protocols
    - Basic knowledge of the Windows registry and processes
    Basic Static Analysis.
    Static analysis is the process of analyzing the code and the structure of a program to determine its main features. In this phase of the analysis the program itself is not running; we are just analyzing a file, a sequence of bytes. We have to gather as much information as possible. All of it, even the apparently trivial parts, is extremely important, above all when you go deep into the malware analysis. There are several tools for static analysis, but only a few of them are really interesting. In the next sections I will describe the juiciest tools and show you how to use them.
    Hashing: [winMD5free].
    First of all, it is a good idea to get a fingerprint of the malware. Hashing is a common method used to uniquely identify malware; the Message Digest Algorithm 5 (MD5) and Secure Hash Algorithm (SHA-1) are the methods most commonly used. For example we can use winMD5Free to get the hash and then search for it online. If the malware is a well-known one you will find everything about it; if you know what a malware sample is able to do, then it cannot hurt you anymore. This is an example of the winMD5 tool; it calculates the MD5 hash of a given program. Once you have this identity card for the malware, you can search for it on Google to discover everything about it.
    String: [strings].
    Another way to find useful hints about a malware sample is to extract all the strings from it.
  • 4. The Strings program analyzes a file to extract both ASCII and Unicode strings (the Windows implementation of Unicode strings, also known as wide-character strings); it ignores context and formatting and simply scans the bytes one by one. Because of this mechanism it can report characters or strings where there are none. You can use strings from the command line:
    E:\>strings.exe Lab01-01.exe
    Strings v2.51
    Copyright (C) 1999-2013 Mark Russinovich
    Sysinternals - www.sysinternals.com
    !This program cannot be run in DOS mode.
    Richm
    .text
    `.rdata
    @.data
    _^[
    UVWj
    @jjj
    D$0
    _controlfp
    _stricmp
    kerne132.dll
    Kernel32.
    Lab01-01.dll
    C:\Windows\System32\Kernel32.dll
    WARNING_THIS_WILL_DESTROY_YOUR_MACHINE
    Error messages and IP addresses are the most interesting information we can find in a file. In the above example I have highlighted some important strings.
    Packed software [PEiD / exeinfope]
    Sometimes the malware we are analyzing is packed. This is a problem because the packer hides a lot of information from us, so that static analysis becomes almost useless. There are many programs that can help us identify the packer used. For example:
    - PEiD: a detector for PE (Portable Executable, EXE/DLL) files, similar to an anti-virus except that it detects what a file is, not what it does. Mostly it detects packer and protector programs like UPX, PECompact, Armadillo etc., but it has a customisable database to add your own detections. Be careful: PEiD has been discontinued since April 2011, and many PEiD plugins will run the executable without warning. Despite this, it is the best tool available for packer detection.
    - exeinfope is another good tool.
    Here is an example of the PEiD interface.
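As an added example (not from the original slides), this Python script does what the hashing and strings steps describe: it fingerprints a file with MD5 and SHA-1 (plus SHA-256, which most online lookups key on today), pulls out ASCII and UTF-16LE wide strings the way Sysinternals strings does, and tags the paths, DLL names, IP addresses and error-style messages the slide calls the most interesting. SAMPLE is a constructed byte string modelled on the Lab01-01.exe listing above, not a real executable.

```python
import hashlib
import re

# Constructed stand-in for a binary: ASCII strings, UTF-16LE ("wide") strings and junk bytes.
# Modelled on the strings listing on the slide; it is NOT a real executable.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"!This program cannot be run in DOS mode.\r\n\x01\x02\x03"
    + b"kerne132.dll\x00\x00"                      # digit 1 instead of l: a look-alike DLL name
    + "C:\\Windows\\System32\\Kernel32.dll".encode("utf-16le") + b"\x00\x00"
    + b"\xff\xfe\x7f"
    + b"WARNING_THIS_WILL_DESTROY_YOUR_MACHINE\x00\x00"
    + "192.168.110.2".encode("utf-16le") + b"\x00\x00"
)


def fingerprints(data):
    """MD5 and SHA-1 as on the slide, plus SHA-256 for services that no longer accept MD5."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=4):
    """Return (offset, kind, text) for every run of at least min_len printable characters.

    Like Sysinternals strings, this ignores file structure: any printable run counts,
    which is why real output contains junk such as '_^[' or 'UVWj' next to real strings.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # UTF-16LE, Latin range only
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "wide", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DLL_RE = re.compile(r"\.dll$", re.IGNORECASE)


def triage(strings):
    """Tag the strings an analyst looks at first: IPs, URLs, paths, DLL names, shouting messages."""
    hits = []
    for _offset, _kind, text in strings:
        if IP_RE.search(text):
            hits.append(("ip", text))
        elif URL_RE.search(text):
            hits.append(("url", text))
        elif PATH_RE.search(text):
            hits.append(("path", text))
        elif DLL_RE.search(text):
            hits.append(("dll", text))
        elif text.isupper() and "_" in text:   # WORDS_WITH_UNDERSCORES: typical error/debug text
            hits.append(("message", text))
    return hits


if __name__ == "__main__":
    for algo, digest in fingerprints(SAMPLE).items():
        print(f"{algo:7} {digest}")
    for offset, kind, text in extract_strings(SAMPLE):
        print(f"{offset:#08x} {kind:5} {text}")
    print(triage(extract_strings(SAMPLE)))
```

Replace SAMPLE with `open(path, "rb").read()` to run it on a real file; raise min_len when the junk runs drown out the real strings.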
  • 5. PE Header [Dependency Walker / PEView / Resource Hacker Tool]
    The PE header can give us a lot of information about an executable's behaviour. With the Dependency Walker program we can find information about:
    - dynamically linked functions;
    - imported DLLs.
    For example, in the above image, pane 3 lists all the functions imported from kernel32.dll. If we know which functions are used, we can deduce the malware's behavior.
    There is also a way to import functions 'on the fly', using a few important functions:
    - LoadLibrary
    - GetProcAddress
    - LdrGetProcAddress
    - LdrLoadDll
    So if you find these functions, it means that the malware is going to hide its intentions from you. If you want to understand its behavior in more detail you have to debug it (but that is a story for another time).
    As just said, we can find information about all the DLLs imported by the executable, and each of them can tell us something.
    Dll: Description
    Advapi32.dll: This DLL provides access to the Service Manager and the Registry.
    User32.dll: This DLL contains all the user-interface components, such as buttons, scrollbars, and components for controlling and responding to user actions.
    Gdi32.dll: This DLL contains functions for displaying and manipulating graphics.
    Kernel32.dll: This is a very common DLL that contains core functionality, such as access to and manipulation of memory, files, and hardware.
    Shell32.dll: Tells us that the program can launch other programs.
    Ntdll.dll: This DLL is the interface to the Windows kernel. Executables generally do not import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file, it means that the author intended to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
    WSock32.dll / Ws2_32.dll: These are networking DLLs. A program that accesses either of these most likely connects to a network or performs network-related tasks.
    Wininet.dll: This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.
  • 6. We can also get information about the PE header using the PEView tool. Sections are very important because we can see whether there are only standard sections (as listed below) or also custom sections; in that case we are dealing with a packer.
    Section: Description
    .text: Contains the executable code
    .rdata: Holds read-only global data that is accessible within the program
    .data: Stores global data accessed throughout the program
    .idata: Sometimes present; stores the import function information. If this section is not present, the import function information is stored in the .rdata section
    .edata: Sometimes present; stores the export function information. If this section is not present, the export function information is stored in the .rdata section
    .pdata: Present only in 64-bit executables; stores exception-handling information
    .rsrc: Stores the resources needed by the executable
    .reloc: Contains information for the relocation of library files
    We can also look at the .rsrc section (looking for interesting strings) using the free Resource Hacker tool.
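Added example, not code from the slides: a minimal Python parser for the PE section table described above, with the packer heuristic the slide implies (a section name outside the standard list) and two more that analysts use alongside it: a section with no data on disk but a large virtual size, and a section that is both writable and executable. The two test images are constructed header-only PE files (an assumption made for the example), so no real binary is needed.

```python
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section flag bits from the PE specification
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table of an in-memory PE file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]          # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_header_size                           # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                      # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": characteristics})
    return sections


def packer_indicators(sections):
    """Human-readable hints that the file is packed; an empty list means nothing suspicious."""
    hints = []
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            hints.append(f"non-standard section name {s['name']!r}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']!r} has no data on disk but {s['virtual_size']:#x} bytes in memory")
        if s["characteristics"] & rwx == rwx:
            hints.append(f"{s['name']!r} is writable and executable")
    return hints


def build_header_only_image(section_specs):
    """Constructed test image: valid DOS/PE/COFF headers plus a section table, no code at all."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: PE signature right after the stub
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrToSymTable, NumSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, 0x400, 0, 0, 0, 0, chars)
                     for name, vsize, vaddr, raw_size, chars in section_specs)
    return bytes(dos) + b"PE\0\0" + coff + table


# (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics) -- both images are constructed.
CLEAN_IMAGE = build_header_only_image([(b".text", 0x1000, 0x1000, 0x1000, 0x60000020),
                                       (b".rdata", 0x400, 0x2000, 0x400, 0x40000040),
                                       (b".data", 0x200, 0x3000, 0x200, 0xC0000040)])
PACKED_IMAGE = build_header_only_image([(b"UPX0", 0x10000, 0x1000, 0, 0xE0000080),
                                        (b"UPX1", 0x5000, 0x11000, 0x5000, 0xE0000040),
                                        (b".rsrc", 0x400, 0x16000, 0x400, 0xC0000040)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, [s["name"] for s in parse_sections(image)], packer_indicators(parse_sections(image)))
```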
  • 7. Basic Dynamic Analysis.
    Dynamic analysis techniques are the second step in the malware analysis process. Dynamic analysis is typically performed after basic static analysis has reached a dead end, whether due to obfuscation, packing, or the analyst having exhausted the available static analysis techniques.
    Monitor malware activity [procmon / regshot / Process Explorer]
    Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity. It combines and enhances the functionality of two legacy tools: FileMon and RegMon. If you want to filter the activity of a particular file, choose the "Filter > Filter" menu option and specify the filename you are looking for. There are also four important filters on the toolbar that let you filter by:
    - Registry
    - File system
    - Process activity
    - Network: attention, this logging does not work consistently across Microsoft Windows versions.
    Procmon is very useful because it shows us what our target is doing with its environment (registry, file system and network).
    Sometimes our target generates many operations, especially on the registry. So it is very useful to have a tool that compares two snapshots and gives us just the differences between them. Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. Using regshot is very simple; there are only three buttons you have to click:
    - Click the '1st shot' button;
    - Execute the malware;
    - Click the '2nd shot' button when you think the malware has finished its activity;
    - Click the 'cOmpare' button.
    At the end the software gives you the list of operations the malware has performed on the registry. This type of information is very useful because it is not a simple log, it is an elaborated one.
    Here is an example of the regshot output:
    ====================================================================
    Regshot 1.9.0 x86 ANSI
    Comments:
    Datetime: 2014/2/1 21:12:14 , 2014/2/1 21:13:07
    Computer: TESTXP , TESTXP
    Username: admin , admin

    ----------------------------------
    Keys added: 1
    ----------------------------------
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Multimedia\WaveOwner

    ----------------------------------
    Values added: 19
    ----------------------------------
  • 8. HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos1313x932(1).x: 0x00000000
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos1313x932(1).y: 0x00000000
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\381\Shell\MinPos1313x932(1).x: …
    HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31237: "Crea una nuova cartella, vuota, nella cartella aperta."

    ----------------------------------
    Values modified: 18
    ----------------------------------
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF729
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF566
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF729
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF566
    HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_1274&DEV_1371&SUBSYS_13711274&REV_02#4&47B7341&0&0888#{6994ad04-93ef-11d0-a3cc …
    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF729
    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF566
    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF729
    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF566
    ====================================================================
    Another important tool is Process Explorer. This tool monitors the processes running on a system and shows them in a tree structure that displays child and parent relationships.
    Process Explorer is also useful for checking whether a file is Microsoft-signed. You can do this in several ways:
    - Click the Verify button to verify that the image on disk is, in fact, the Microsoft-signed binary. Because Microsoft uses digital signatures for most of its core executables, when Process Explorer verifies that a signature is valid, you can be sure that the file is actually the executable from Microsoft.
    - Compare the strings in memory with the strings in the on-disk executable image.
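An added example (not from the slides) of what regshot's cOmpare step computes, in Python: two registry snapshots modelled as nested dicts are diffed into the same sections regshot prints, and keys under the Explorer ShellBags/MUICache paths that dominate the output above are dropped as noise. Both snapshots and the 'updater' Run entry are constructed for the example, not taken from a real system.

```python
# Constructed snapshots: {key_path: {value_name: data}}. Every key and value here is made up.
NOISE_MARKERS = (
    r"\Software\Microsoft\Windows\Shell\Bags",      # Explorer window positions (see the report above)
    r"\Software\Microsoft\Windows\ShellNoRoam",     # Bags / MUICache under the non-roaming branch
)

FIRST_SHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"ctfmon.exe": "CTFMON.EXE"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings": {"ProxyEnable": 0},
}
SECOND_SHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": "CTFMON.EXE",
        "updater": r"C:\Documents and Settings\admin\Application Data\updater.exe",  # constructed autostart entry
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings": {
        "ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080"},
    r"HKCU\Software\Malware Lab Sample": {"id": "0001"},
    r"HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\381\Shell": {"MinPos1313x932(1).x": 0},  # noise
}


def is_noise(key, markers=NOISE_MARKERS):
    """True for keys the analyst has decided to ignore (case-insensitive substring match)."""
    key = key.lower()
    return any(marker.lower() in key for marker in markers)


def compare_snapshots(first, second, markers=NOISE_MARKERS):
    """Diff two snapshots into regshot's report sections, skipping keys that match the noise markers."""
    report = {"keys added": [], "keys deleted": [], "values added": [],
              "values deleted": [], "values modified": []}
    keys1 = {k for k in first if not is_noise(k, markers)}
    keys2 = {k for k in second if not is_noise(k, markers)}
    report["keys added"] = sorted(keys2 - keys1)
    report["keys deleted"] = sorted(keys1 - keys2)
    for key in sorted(keys1 & keys2):                      # key survived: compare its values
        before, after = first[key], second[key]
        for name in sorted(after.keys() - before.keys()):
            report["values added"].append(f"{key}\\{name}: {after[name]!r}")
        for name in sorted(before.keys() - after.keys()):
            report["values deleted"].append(f"{key}\\{name}: {before[name]!r}")
        for name in sorted(before.keys() & after.keys()):
            if before[name] != after[name]:
                report["values modified"].append(f"{key}\\{name}: {before[name]!r} -> {after[name]!r}")
    return report


def format_report(report):
    """Render the diff in the same shape as regshot's text output."""
    lines = []
    for section, entries in report.items():
        lines += ["-" * 33, f"{section.capitalize()}: {len(entries)}", "-" * 33]
        lines += entries
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_snapshots(FIRST_SHOT, SECOND_SHOT)))
```

With the two Explorer markers in place, the report is reduced to the autostart value, the proxy change and the new key, which is what the analyst actually wants to read.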
  • 9. Go deep into network traffic.
    Malware often needs to connect to a remote server, for many reasons: for example, to send information to that remote host or to get commands from it. So it is very important to understand what sort of traffic is generated from and to the malware. To achieve this we have to set up a sort of MITM (Man In The Middle) attack against the malware.
    First of all we use ApateDNS (a free tool from Mandiant) to see the DNS requests made by the malware. To use ApateDNS you have to set:
    - DNS Reply IP: the IP address you want sent in DNS responses;
    - # of NXDOMAIN's: an option that helps us find all the domains the malware will loop through;
    - Selected interface: the Ethernet interface we want to use.
    We can set 'DNS Reply IP' to localhost (as in the above example) or we can set it to redirect all the traffic to another machine, for example a Linux machine or, better, a virtual Linux machine. On the Linux machine we can install INetSim, a free, Linux-based software suite for simulating common Internet services. INetSim does its best to look like a real server, and because it is built with malware analysis in mind, it offers many unique features, such as its Dummy service, which logs all data received from the client regardless of the port. The Dummy service is most useful for capturing all traffic sent from the client to ports not bound to any other service module. You can use it to record all the ports to which the malware connects and the corresponding data that is sent. Here is an example of all the services the tool starts up:
     * dns 53/udp/tcp - started (PID 9992)
     * http 80/tcp - started (PID 9993)
     * https 443/tcp - started (PID 9994)
     * smtp 25/tcp - started (PID 9995)
     * smtps 465/tcp - started (PID 9996)
     * pop3 110/tcp - started (PID 9997)
     * pop3s 995/tcp - started (PID 9998)
     * ftp 21/tcp - started (PID 9999)
     * ftps 990/tcp - started (PID 10000)
     * tftp 69/udp - started (PID 10001)
     * irc 6667/tcp - started (PID 10002)
     * ntp 123/udp - started (PID 10003)
     * finger 79/tcp - started (PID 10004)
     * ident 113/tcp - started (PID 10005)
     * syslog 514/udp - started (PID 10006)
     * time 37/tcp - started (PID 10007)
     * time 37/udp - started (PID 10008)
     * daytime 13/tcp - started (PID 10009)
     * daytime 13/udp - started (PID 10010)
     * echo 7/tcp - started (PID 10011)
     * echo 7/udp - started (PID 10012)
     * discard 9/tcp - started (PID 10013)
     * discard 9/udp - started (PID 10014)
     * quotd 17/tcp - started (PID 10015)
     * quotd 17/udp - started (PID 10016)
     * chargen 19/tcp - started (PID 10017)
     * chargen 19/udp - started (PID 10018)
     * dummy 1/tcp - started (PID 10019)
     * dummy 1/udp - started (PID 10020)
  • 10. There is another very interesting tool we must use to monitor the network traffic: wireshark. Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set. The most common and useful one is the possibility to view the contents of a TCP session: you just have to right-click any TCP packet and select 'Follow TCP Stream'. Attention: wireshark is known to have many security vulnerabilities, so be sure to run it in a safe environment.
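The ApateDNS behaviour described above, as an added Python example (not the tool's own code): a resolver that answers every A query with the 'DNS Reply IP', hands out the first '# of NXDOMAIN' replies as NXDOMAIN so a sample exposes its whole fallback domain list, and logs every name requested. Packets are built and parsed inside the block so it runs offline; the queried names are constructed, and 192.168.110.2 is the INetSim address from the lab layout on the next slide.

```python
import socket
import struct


def encode_name(name):
    """'first.invalid' -> b'\\x05first\\x07invalid\\x00' (DNS label encoding)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\0"


def build_query(txid, name, qtype=1):
    """Constructed client query: one question, RD set, the shape a sample's resolver call produces."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, name, qtype, raw question section) of a single-question query."""
    txid = struct.unpack_from("!H", packet, 0)[0]
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                                   # terminating zero-length label
    qtype = struct.unpack_from("!H", packet, pos)[0]
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


class FakeDns:
    """Lab resolver in the style of ApateDNS: every name gets reply_ip, except that the first
    nxdomain_count queries are answered NXDOMAIN so a sample walks through its whole domain list."""

    def __init__(self, reply_ip="127.0.0.1", nxdomain_count=0):
        self.reply_ip = reply_ip
        self.nxdomain_left = nxdomain_count
        self.log = []                          # (name, what we answered), in query order

    def handle(self, packet):
        txid, name, qtype, question = parse_query(packet)
        if self.nxdomain_left > 0:             # flags 0x8183: response, RD, RA, RCODE 3 (NXDOMAIN)
            self.nxdomain_left -= 1
            self.log.append((name, "NXDOMAIN"))
            return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
        if qtype != 1:                         # only A records are faked: NOERROR with no answer
            self.log.append((name, "NODATA"))
            return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
        self.log.append((name, self.reply_ip))
        rdata = bytes(int(octet) for octet in self.reply_ip.split("."))
        # answer: pointer 0xC00C to the question name, type A, class IN, TTL 60, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

    def serve(self, bind_ip="0.0.0.0", port=53):
        """Blocking UDP loop for the analysis VM (port 53 needs privileges); not used by the tests."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.bind((bind_ip, port))
            while True:
                packet, peer = sock.recvfrom(512)
                sock.sendto(self.handle(packet), peer)
                print(f"{peer[0]} asked for {self.log[-1][0]} -> {self.log[-1][1]}")


def parse_answer(packet):
    """What the client sees: (txid, rcode, dotted IP of the first A record or None)."""
    txid, flags, _qd, an = struct.unpack_from("!HHHH", packet, 0)
    if an == 0:
        return txid, flags & 0xF, None
    pos = 12
    while packet[pos] != 0:                    # skip the echoed question name
        pos += 1 + packet[pos]
    pos += 5                                   # zero label + QTYPE + QCLASS
    rdlength = struct.unpack_from("!H", packet, pos + 10)[0]
    rdata = packet[pos + 12:pos + 12 + rdlength]
    return txid, flags & 0xF, ".".join(str(b) for b in rdata)
```

Point the Windows VM's DNS at the machine running `FakeDns("192.168.110.2", nxdomain_count=N).serve()` and the log becomes the list of domains the sample tried, in order.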
  • 11. So what the hell can we do?
    We have analyzed all the main tools we need to perform a dynamic analysis; so how can we put all this software together to get the most out of our analysis? We have a Windows machine and we have to do a few things on it:
    1. Start procmon, with a filter on the malware's name
    2. Start Process Explorer
    3. Take the first snapshot with regshot
    4. Configure our virtual network (ApateDNS and INetSim)
    5. Start wireshark to capture all the network traffic.
    We also have a Linux machine with INetSim installed on it. So this is the situation:
    Windows virtual machine (IP: 192.168.110.1)
      Tools: ApateDNS, procmon, regshot, Process Explorer, wireshark
      Target: the malware
      DNS (53): ApateDNS redirects to 192.168.110.2
    Linux virtual machine (IP: 192.168.110.2)
      Tool: INetSim, serving HTTP (80), HTTPS (443), FTP (21), SMTP (25), etc.
    At this point we can run the malware and look at our tools to find as much information as we need.
    1. We can check ApateDNS to see which DNS requests were performed;
    2. We can look at procmon to find which files and folders our malware has modified or created;
    3. We can compare the regshot snapshots to see what the malware has done to our registry;
    4. We can look at Process Explorer to see whether the malware has generated threads;
    5. We can also look at the wireshark traffic in the light of the information we have obtained from ApateDNS and INetSim.
    Summary
    Static and dynamic malware analysis help us understand in detail what behavior was implemented in the malware. If we know which registry keys/values it has modified, which files it has created, what the malware has reported to a remote server and which commands it has received from that host, then we can safely think that it is possible, and not so tricky, to cut the malware out of our PC.
    However, sometimes it is necessary to go much deeper; for example, what can we do if the malware communicates with the remote host using an encrypted custom protocol? In this case, and in some others, we need to reverse engineer the malware code. This will be the subject of the next episode, 'Inside Windows Malicious Software'.
    On the Web
    ● http://bit.ly/ic4plL - strings tool
    ● http://woodmann.com/BobSoft/Pages/Programs/PEiD - PEiD tool
    ● http://www.woodmann.com/collaborative/tools/index.php/ExeInfo_PE - exeinfope tool
    ● http://www.dependencywalker.com/ - Dependency Walker tool
    ● http://peview.sourceforge.net/ - PEView tool
    ● http://www.angusj.com/resourcehacker/ - Resource Hacker tool
    ● http://download.sysinternals.com/files/ProcessMonitor.zip - procmon tool
  • 12. ● http://sourceforge.net/projects/regshot/ - regshot tool
    ● http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx - Process Explorer tool
    ● https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns - ApateDNS tool
    ● http://www.inetsim.org/downloads.html - INetSim tool
    ● http://www.wireshark.org/download.html - wireshark tool
    About the author
    Luigi Capuzzello started with computers in late 1986 (with a beautiful Apple IIe) when he was thirteen years old. After taking a degree in robotics he has worked for more than fifteen years in several areas of IT, but now he is strongly focused on IT security. His main tasks are related to testing application security (especially web applications) and to reverse engineering techniques. Specialties: Project Management, Information Security, Vulnerability Analysis, Penetration Testing, Ethical Hacking, Web Application Security. You can find him on http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
    Other Specification
    - Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code [Paperback]
    - The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig
