Target Audience
  Something for everyone: students and instructors
  Beginner – getting started
  Intermediate – working efficiently
  Advanced – training your peers
===========
QUICK SHOW OF HANDS
  How many have never done malware analysis? Want training? Have been to training? Have taught training?
===========
LEARNING RESOURCES – Food for your Brain
  Reversing – good ASM overview
  FS Forensics – NTFS chapter really helpful
  Rest – grab bag of goodness
==========
HOW TO GET STARTED
  Snapshot known good – app level, not VM snapshot
  Begin monitoring activity
  Infect
  Save volatile info
  Stop logging
  Review logs
  Compare
==========
TOOLS
  FileInsight – Select & Transform – inflate JS in PDFs
  Volatility – Office doc: nothing dropped, but it beaconed! connscan: explorer.exe injected
============
I'm a Systems Integrator – I write scripts to speed up processes
Unless necessary, memory generally isn't deduplicated.
Expense of CPU overhead – fit more similar VMs. GREAT for clones!
KSM – also used in CyanogenMod Android – not VMs only
===========
RAM unmerging – RAM will go into swap.
Unique VM setups – difficult to help each other; they don't understand
===================
CLONES
  Centralize VM image
  Everybody runs this image
  Run clones
NETWORK PROTOCOLS
=================
CPU offload benefits
R/W STOMPS!
HOW TO FIX
  Same centralized disk as before, except read only
  * Export those images to analysts as before
  * Write changes & snapshots to CoW files
  * Not just snapshots – a separate file
===============
ENABLING PROCESS
  Libvirt – I scripted it
  VMware Workstation – based on snapshots – parent can be a "template"
  VMware ESXi – can be done, but requires import/export, hand edit of config
  Xen – ???
===============
MY SETUP
  Websites – google, checkip.dyndns.org
  Samba – IE, Flash, Java, Acrobat
  QEMU pauses if QCOW2 can't be written to – not a problem for RAM drive
ENTIRELY OPTIONAL
==============
AUTOMATION – Making life easier
  Bindings: C/C++, Erlang, Java, OCaml, Perl, Python, Ruby.
  Hivex for Registry manipulation – kinda sucks. XP hostname hack works through Win8.
  More than one person controlling the mouse/keyboard – paired reversing
===========
TRAINING
  VM clones – exactly the same, minimal overhead
  Demo: cd demo, split screen, run ksmstat
Malware Analysis Collaboration Automation Training
Richard Harman @ ShmooCon IX

Richard Harman
● Lead Intrusion Analyst @ SRA, Inc SOC
● Started out as a SysAdmin
● Info Sec Analyst for 8 years
● Member of NoVA Hackers group
● Co-Founder of Nova Labs in Reston, VA
xabean / warewolf / firstname.lastname@example.org

Ingredients
● Intro to Malware Analysis & Tools
● Open Source Virtualization
● VM Efficiency & Consistency
● Light-weight VMs & Automating them
● Training – You're Doing It Wrong
The Process
1) Baseline System State
2) Monitor & Log System Activity
3) Infect system
4) Suspend, Dump & Terminate Processes
5) Stop Monitoring
6) Review Monitored Activity
7) Compare new state to baseline

Front-ends for sweet utilities
Two I use most: Procmon & Autoruns
➔ @DaveHull is working on autorunalyzer on github.com/davehull/autorunalyzer – .py is a WIP, .sh version exists
➔ I (@xabean) wrote a Procmon XML processor on github.com/warewolf/Procmon
Copy on Write is an enabler
On shared storage
● Enables live VM migration to another analyst
In a RAM disk (tmpfs)
● Snapshots become REALLY FAST.
● About 1 second! (revert/save, 7 shot test)
Images are only changes – they're small
● Dead-box forensic analysis anyone?

CoW (Light-Weight) Disk Clones in Virtualization Software
● VMware
  ● Workstation has "linked clones"
  ● ESX(i) wants VMware vCenter ($$)
● Xen
  ● OSS: ?? Commercial: yes?
● VirtualBox
  ● Linked Clones à la VMware Workstation
● Libvirt + QEmu
  ● Libvirt LVM: No, QEmu QCOW2: yes (manual)
My Malware Environment
● QEmu/KVM (libvirt)
● Windows disk images in LVM, CoW in RAM
  ● $ qemu-img create -f qcow2 -o backing_file=/dev/vg/base /tmp/ram/overlay.qcow2
  ● RAM drive full? VMs auto-pause themselves!
● MITM "internet" Linux VM
  ● Apache, iptables -j REDIRECT, dnsmasq, samba
  ● Apache vhosts of copies of websites – google, etc
  ● Connected to malware network & public network
A cluster, not a cluster-FSCK
Virtualization:
● QEmu/KVM + libvirt for migration
Shared disk access:
● Linux tgtd iSCSI – use gigabit ethernet!
  – Clustered LVM for base images
  – GFS for CoW storage
● Note: disable cache in tgtd

libvirt VM Management
Life cycle management:
● Start / Pause / Stop
● Snapshot management
● Dump VM physical memory
Provisioning Automation:
● Capture "parent" XML config
● Modify & define new VM

libguestfs for Guest Management
Guest Disk FS management:
● Supports scripting / automation
● Download & Upload files to guest file system
● Extract analyst data from a standard dir – C:\malware\ticket_#* --> upload to IR tracking system
Windows Registry Support:
● Change hostname to prevent NetBIOS name conflicts on same network

Provisioning & Automation
● clone-vm.pl – Clone an existing VM, generate unique MAC & UUID, create Copy-On-Write disk image, change hostname in registry.
● insert-zip.pl & extract-zip.pl – Insert and extract data
● peek.pl – Dump physical memory of a VM for analysis
● ksmstat.pl – Monitor KSM efficiency & CPU usage à la vmstat(1)
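As an added example (not the talk's own clone-vm.pl or ksmstat.pl), the shell functions below do two of the jobs the last two slides describe: ksm_stats reads the KSM counters the way a ksmstat-style monitor would, and make_overlay creates the RAM-disk qcow2 overlay on top of the read-only base, refusing when the RAM drive is nearly full (the condition that makes QEMU pause the VM). The sysfs directory parameter, the 4 KiB page size, the 512 MiB default threshold and the raw backing format are assumptions.

```shell
#!/bin/sh
# Added example, not the talk's own code. Assumes a 4 KiB page size, a
# POSIX df, and a qemu-img that accepts backing_fmt (the base is an LVM
# volume, so its format is raw).

# ksmstat-style snapshot of the KSM counters. $1 is the sysfs directory
# (default /sys/kernel/mm/ksm); it is a parameter so a constructed copy
# of the counters can be fed in. Prints:
#   pages_shared pages_sharing pages_unshared saved_MiB pages_per_shared
ksm_stats() {
    dir=${1:-/sys/kernel/mm/ksm}
    shared=$(cat "$dir/pages_shared")
    sharing=$(cat "$dir/pages_sharing")
    unshared=$(cat "$dir/pages_unshared")
    # pages_sharing counts the duplicate pages that now point at a shared
    # page, so that is the RAM KSM has actually saved
    saved_mib=$(( sharing * 4096 / 1048576 ))
    # average number of pages folded into each shared page
    if [ "$shared" -gt 0 ]; then
        per_shared=$(( sharing / shared ))
    else
        per_shared=0
    fi
    echo "$shared $sharing $unshared $saved_mib $per_shared"
}

# Create a qcow2 overlay ($2) on the RAM disk, backed by the read-only base
# image ($1). Returns 1 if the base is missing and 2 if the RAM disk has
# less than $3 MiB free (default 512), since QEMU pauses the VM the moment
# the overlay can no longer be written.
make_overlay() {
    base=$1; overlay=$2; min_free_mib=${3:-512}
    [ -e "$base" ] || { echo "base image $base not found" >&2; return 1; }
    free_kib=$(df -Pk "$(dirname "$overlay")" | awk 'NR == 2 { print $4 }')
    free_mib=$(( free_kib / 1024 ))
    if [ "$free_mib" -lt "$min_free_mib" ]; then
        echo "RAM disk has ${free_mib} MiB free, need ${min_free_mib}" >&2
        return 2
    fi
    qemu-img create -f qcow2 -o "backing_file=$base,backing_fmt=raw" "$overlay"
}
```

Run ksm_stats in a loop with sleep to watch the saved_MiB column climb as clones boot; a per_shared value near 1 means KSM is burning CPU for little gain.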
Screencasting pipeline:
VM --> vncreflector (host:1) --> vncreflector FBS output (host:99) --> FBS VNC video capture
Screencasting & Playback
Screencasting:
● record-vnc.pl to record & screencast
Playback:
● rfbproxy -c -p in inetd
● inetd makes rfbproxy multi-client and self-service
● Shell script to feed rfbproxy VNC videos
● Extra credit: rfbproxy can export to PPM stream – PPM -> MPEG2 + instructor audio = Training Video

What do you have now?
● Consistent analysis VMs w/ efficient resource use.
● Multi-participant, interactive, live training sessions.
● Thin-provisioned VM & Acquire analysis data
● Analysis session recorded for future playback
  ● HQ VNC jukebox (~300MB)
  ● Medium quality portable MPEG video (~1.5G)

Next Steps...
● Diff pre/post infection of RAM and FS
  ● Identify injected code/new executables
  ● Dump, generate signatures, scan, detect variants of the same sample
● Make this all a web-app; snapshots, file mgmt, java applet vnc display
● Auto-provision private networks & VMs per analyst & remote (VPN) access
Thank you Jamie!
● @gleeda / http://gleeda.blogspot.com
● Blackbelt in Volatility & EnCase
● Released a Differential EnScript – diff two versions of the same disk & report on 'em

Nova-Labs.org
● Malware Analysis Lab
● Classes on Malware Analysis / Reverse Engineering
  ● Expected to start in April/May
  ● $$ not yet set (but expected to be cheap)
● Various Malware samples
● Learn, Teach, pass it on!

How do I ....
It's all at:
● warewolf.github.com / thin-provisioning
  ● Automation Code
  ● Documentation (still working on it)
  ● Configs for MITM:
    – Apache
    – dnsmasq
    – iptables config
    – samba