Malware analysis

Malware Analysis: Collaboration, Automation & Tuning - from Shmoocon 2013

Speaker notes

WHO AM I
OVERVIEW
  • Target audience: something for everyone. Students and instructors. Beginner – getting started. Intermediate – working efficiently. Advanced – training your peers.
QUICK SHOW OF HANDS
  • Show of hands: how many have never done malware analysis / want training / have been to training / have taught training?
LEARNING RESOURCES
  • Learning resources – food for your brain. Reversing – good ASM overview. FS Forensics – NTFS chapter really helpful. Rest – grab bag of goodness.
HOW TO GET STARTED
  • Snapshot known good – app level, not VM snapshot. Begin monitoring activity. Infect. Save volatile info. Stop logging. Review logs. Compare.
TOOLS
  • FileInsight – Select & Transform – inflate JS in PDFs. Volatility – Office doc – nothing dropped, but beaconed! connscan; explorer.exe injected.
  • I'm a Systems Integrator – write scripts to speed up processes.
  • Unless necessary, memory generally isn't deduplicated.
  • Expense of CPU overhead – fit more similar VMs. GREAT for clones!
  • KSM – also used in CyanogenMod Android – not VMs only.
  • RAM unmerging – RAM will go into swap.
  • Unique VM setups: difficult to help each other – they don't understand.
CLONES
  • Centralize VM image. Everybody run this image. Run clones.
NETWORK PROTOCOLS
  • CPU offload benefits. R/W STOMPS! HOW TO FIX
  • Same centralized disk as before, except read only. Export those images to analysts as before. Write changes & snapshots to CoW files. Not just snapshots – a separate file.
ENABLING PROCESS
  • libvirt – I scripted it. VMware Workstation – based on snapshots – parent can be a "template". VMware ESXi – can be done, but requires import/export, hand edit of config. Xen – ???
MY SETUP
  • Websites – google, checkip.dyndns.org. Samba – IE, flash, java, acrobat. QEMU pauses if QCOW2 can't be written to – not a problem for a RAM drive.
  • ENTIRELY OPTIONAL
AUTOMATION – making life easier
  • Bindings: C/C++, Erlang, Java, OCaml, Perl, Python, Ruby. Hivex for registry manipulation – kinda sucks. XP hostname hack works through Win8.
  • More than one person controlling the mouse/keyboard – paired reversing.
TRAINING
  • VM clones – exactly the same, minimal overhead.
  • cd demo; screen split; run ksmstat.

    1. Malware Analysis: Collaboration, Automation, Training
       Richard Harman @ ShmooCon IX

    2. Richard Harman
       ● Lead Intrusion Analyst @ SRA, Inc SOC
       ● Started out as a SysAdmin
       ● Info Sec Analyst for 8 years
       ● Member of NoVA Hackers group
       ● Co-Founder of Nova Labs in Reston, VA
       xabean / warewolf / richard@richardharman.com

    3. Ingredients
       ● Intro to Malware Analysis & Tools
       ● Open Source Virtualization
       ● VM Efficiency & Consistency
       ● Light-weight VMs & Automating them
       ● Training – You're Doing It Wrong

    4. Malware Analysis

    5. Brain Food
       ● Books:
         ● Filesystem Forensic Analysis
         ● Windows Forensics Analysis Toolkit
         ● Malware Analyst's Cookbook
         ● Practical Malware Analysis
         ● Reversing: Secrets of Reverse Engineering
       ● Training:
         ● SANS GREM FOR610
         ● ... upcoming classes ; )

    6. The Process
       1) Baseline System State
       2) Monitor & Log System Activity
       3) Infect system
       4) Suspend, Dump & Terminate Processes
       5) Stop Monitoring
       6) Review Monitored Activity
       7) Compare new state to baseline

    7. The Essentials
       System Baseline: Regshot, Autoruns
       Memory Analysis: Volatility Framework
       General Analysis: OfficeCat, FileInsight, Wireshark, Didier Stevens's Tools
       Logging / Tracing: OllyDbg & Plugins, IDA Pro, Procmon, Capturebat

    8. Front-ends for sweet utilities
       Two I use most: Procmon & Autoruns
       ➔ @DaveHull is working on autorunalyzer on github.com/davehull/autorunalyzer – .py is a WIP, .sh version exists
       ➔ I (@xabean) wrote a Procmon XML processor on github.com/warewolf/Procmon
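Steps 6 and 7 of the process (review the monitored activity, compare to baseline) are where the Procmon export gets read. As an added example, not the Procmon XML processor from github.com/warewolf/Procmon, here is a Python pass over a Procmon XML export that summarises activity per process and flags the writes an analyst reads first: executables dropped into user-writable directories, autostart registry keys, child processes and outbound connections. The element names follow Procmon's "File -> Export -> XML" layout as assumed here, the events are constructed, and the persistence patterns are a starting list rather than a complete one.

```python
"""Review a Procmon XML export: per-process activity counts plus the
writes that usually matter first (added example; constructed sample)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample in the shape of Procmon's XML export (assumed element
# names; a real export has many more columns and thousands of events).
SAMPLE_XML = r"""<procmon>
<eventlist>
<event><Process_Name>WINWORD.EXE</Process_Name><PID>3120</PID><Operation>CreateFile</Operation>
<Path>C:\Users\analyst\AppData\Local\Temp\update.exe</Path><Result>SUCCESS</Result>
<Detail>Desired Access: Generic Write, Disposition: OverwriteIf</Detail></event>
<event><Process_Name>WINWORD.EXE</Process_Name><PID>3120</PID><Operation>WriteFile</Operation>
<Path>C:\Users\analyst\AppData\Local\Temp\update.exe</Path><Result>SUCCESS</Result>
<Detail>Offset: 0, Length: 61,440</Detail></event>
<event><Process_Name>WINWORD.EXE</Process_Name><PID>3120</PID><Operation>Process Create</Operation>
<Path>C:\Users\analyst\AppData\Local\Temp\update.exe</Path><Result>SUCCESS</Result>
<Detail>PID: 3388, Command line: "C:\Users\analyst\AppData\Local\Temp\update.exe" /i</Detail></event>
<event><Process_Name>update.exe</Process_Name><PID>3388</PID><Operation>RegSetValue</Operation>
<Path>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater</Path><Result>SUCCESS</Result>
<Detail>Type: REG_SZ, Length: 94, Data: C:\Users\analyst\AppData\Local\Temp\update.exe</Detail></event>
<event><Process_Name>update.exe</Process_Name><PID>3388</PID><Operation>TCP Connect</Operation>
<Path>analyst-pc:49152 -&gt; 198.51.100.7:443</Path><Result>SUCCESS</Result>
<Detail>Length: 0, mss: 1460</Detail></event>
<event><Process_Name>WINWORD.EXE</Process_Name><PID>3120</PID><Operation>RegQueryValue</Operation>
<Path>HKCU\Software\Microsoft\Office\14.0\Word\Options\X</Path><Result>NAME NOT FOUND</Result>
<Detail>Length: 144</Detail></event>
</eventlist>
</procmon>"""

FIELDS = ("Process_Name", "PID", "Operation", "Path", "Result", "Detail")
WRITE_OPS = {"WriteFile", "RegSetValue", "RegCreateKey", "SetRenameInformationFile"}
EXEC_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|vbs|js|ps1)$", re.I)
DROP_DIR_RE = re.compile(r"\\(Temp|AppData|ProgramData|Users\\Public)\\", re.I)
# Starting list of autostart locations; extend with your own autoruns knowledge.
AUTORUN_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\"
    r"|\\Winlogon\\(Shell|Userinit)"
    r"|\\Services\\[^\\]+\\ImagePath", re.I)


def parse_events(xml_text):
    """Return every <event> as a dict keyed by the Procmon column names."""
    root = ET.fromstring(xml_text)
    return [{f: (ev.findtext(f) or "") for f in FIELDS} for ev in root.iter("event")]


def is_write(ev):
    """CreateFile only counts as a write when it asked for write access."""
    if ev["Operation"] in WRITE_OPS:
        return True
    return ev["Operation"] == "CreateFile" and "Write" in ev["Detail"]


def activity_summary(events):
    """Counter of (process, operation): the cheap 'what did it do?' view."""
    return Counter((e["Process_Name"], e["Operation"]) for e in events)


def flag_persistence(events):
    """Events worth reading first, de-duplicated on (reason, path)."""
    seen, flagged = set(), []
    for e in events:
        if e["Result"] != "SUCCESS" or not is_write(e):
            continue
        if AUTORUN_RE.search(e["Path"]):
            reason = "autorun-key-write"
        elif EXEC_RE.search(e["Path"]) and DROP_DIR_RE.search(e["Path"]):
            reason = "dropped-executable"
        else:
            continue
        key = (reason, e["Path"].lower())
        if key not in seen:
            seen.add(key)
            flagged.append((reason, e))
    return flagged


def process_tree(events):
    """{parent process name: [child image paths]} from 'Process Create' events."""
    tree = defaultdict(list)
    for e in events:
        if e["Operation"] == "Process Create":
            tree[e["Process_Name"]].append(e["Path"])
    return dict(tree)


def remote_endpoints(events):
    """Remote side of connect/send events; Procmon writes 'local -> remote' in Path."""
    ends = set()
    for e in events:
        if e["Operation"] in ("TCP Connect", "UDP Send") and "->" in e["Path"]:
            ends.add(e["Path"].split("->", 1)[1].strip())
    return ends


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for (proc, op), n in sorted(activity_summary(evs).items()):
        print(f"{n:4d}  {proc:<14} {op}")
    for reason, e in flag_persistence(evs):
        print(f"[{reason}] {e['Process_Name']} {e['Operation']} {e['Path']}")
    print("children:", process_tree(evs))
    print("remote:", sorted(remote_endpoints(evs)))
```

Run it against a real export by replacing SAMPLE_XML with the file contents; the de-duplication matters there, because one dropped file produces hundreds of WriteFile events and the Run-key write is one line among them.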
    9. Virtualization: RAM efficiency

    10. [Diagram: a 512 MB VM with an XLS sample and a 512 MB VM with a DOC sample, 1 GB in total]

    11. [Diagram: the same two 512 MB VMs and 1 GB, now labelled STRESS]

    12. [Diagram: 1 GB with DEDUPLICATION vs 1 GB with NO DEDUPLICATION]

    13. RAM De-dupe (Merging) Support
        ● Linux/QEMU/KVM – Kernel Samepage Merging
        ● VMware – Transparent page sharing
        ● VirtualBox – Page Fusion (requires guest support)
        ● Xen – Memory Sharing (tech preview)
        ● Unmerging – Host swaps, or Host asks Guest to swap.
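KSM reports its state through counters under /sys/kernel/mm/ksm, and the "unmerging" bullet is why they are worth watching: pages_sharing is exactly the memory you hand back the moment a guest writes to a shared page, and on a host sized around the merged figure that means swap. As an added example, not the talk's ksmstat.pl, this Python reads those counters (falling back to a constructed sample when KSM is absent) and derives the memory actually saved, the sharing ratio, and how much of the scanned pool is merged at all. The counter names and their meaning are the kernel's; the sample values are made up.

```python
"""ksmstat-style view of Kernel Samepage Merging (added example).

Kernel semantics used here: pages_shared = unique pages KSM keeps,
pages_sharing = additional references to them (the copies that no longer
exist, i.e. the saving), pages_unshared = scanned but unique, pages_volatile
= changing too often to merge."""
import os
import time

KSM_DIR = "/sys/kernel/mm/ksm"
COUNTERS = ("run", "pages_shared", "pages_sharing",
            "pages_unshared", "pages_volatile", "full_scans")

# Constructed sample: three cloned 512 MiB Windows guests after a few scans.
SAMPLE = {"run": 1, "pages_shared": 30000, "pages_sharing": 90000,
          "pages_unshared": 120000, "pages_volatile": 5000, "full_scans": 12}


def read_ksm(root=KSM_DIR):
    """Read the live counters; None when KSM is absent (non-Linux, no CONFIG_KSM)."""
    if not os.path.isdir(root):
        return None
    vals = {}
    for name in COUNTERS:
        with open(os.path.join(root, name)) as fh:
            vals[name] = int(fh.read().strip())
    return vals


def ksm_report(c, page_size=4096):
    """Turn raw page counters into the numbers an analyst cares about."""
    merged = c["pages_shared"] + c["pages_sharing"]
    scanned = merged + c["pages_unshared"] + c["pages_volatile"]
    return {
        "running": c["run"] == 1,
        # memory given back by merging; also the worst case unmerge cost
        "saved_mib": c["pages_sharing"] * page_size / 2**20,
        # memory still backing the shared pages
        "kept_mib": c["pages_shared"] * page_size / 2**20,
        # ~1 means each shared page has a single sharer: one write unmerges it
        "sharing_ratio": c["pages_sharing"] / c["pages_shared"] if c["pages_shared"] else 0.0,
        # low values mean ksmd burns CPU scanning pages it will never merge
        "merged_fraction": merged / scanned if scanned else 0.0,
        "scans": c["full_scans"],
    }


def merge_rate(prev, cur, seconds):
    """Pages newly shared per second between two samples (vmstat-style delta;
    negative means guests are writing to shared pages and unmerging them)."""
    return (cur["pages_sharing"] - prev["pages_sharing"]) / seconds if seconds > 0 else 0.0


if __name__ == "__main__":
    live = read_ksm()
    label = "live" if live else "sample"
    for k, v in ksm_report(live or SAMPLE).items():
        print(f"{label} {k}: {v}")
    if live:
        time.sleep(5)
        print("merge rate (pages/s):", merge_rate(live, read_ksm(), 5))
```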
    14. Virtualization: Consistency & Disk efficiency

    15. [Diagram: what every analysis VM carries – Adobe Reader 8 / 9 / X, Office XP / 2003 / 2007, Procmon, Regshot, Capturebat, Wireshark, IDA Pro, FileInsight, OllyDbg, Autoruns, OfficeCat, Olly Plugins]

    16. CLONES

    17. [Diagram: shared storage options – raw disk: iSCSI, ATAoE, FC; file systems: NFS, GFS, Gluster]

    18. Read Only + Copy on Write

    19. Copy on Write is an enabler
        On shared storage
        ● Enables live VM migration to another analyst
        In a RAM disk (tmpfs)
        ● Snapshots become REALLY FAST.
        ● About 1 second! (revert/save, 7 shot test)
        Images are only changes – they're small
        ● Dead-box forensic analysis anyone?

    20. CoW (Light-Weight) Disk Clones in Virtualization Software
        ● VMware
          ● Workstation has "linked clones"
          ● ESX(i) wants VMware vCenter ($$)
        ● Xen
          ● OSS: ?? Commercial: yes?
        ● VirtualBox
          ● Linked Clones à la VMware Workstation
        ● Libvirt + QEMU
          ● Libvirt LVM: No, QEMU QCOW2: yes (manual)

    21. My Malware Environment
        ● QEMU/KVM (libvirt)
        ● Windows disk images in LVM, CoW in RAM
          ● $ qemu-img create -f qcow2 -o backing_file=/dev/vg/base,backing_fmt=raw /tmp/ram/overlay.qcow2
          ● RAM drive full? VMs auto-pause themselves!
        ● MITM "internet" Linux VM
          ● Apache, iptables -j REDIRECT, dnsmasq, samba
          ● Apache vhosts of copies of websites – google, etc
          ● Connected to malware network & public network

    22. A cluster, not a cluster-FSCK
        Virtualization:
        ● QEMU/KVM + libvirt for migration
        Shared disk access:
        ● Linux tgtd iSCSI – use gigabit ethernet!
          – Clustered LVM for base images
          – GFS for CoW storage
        ● Note: disable cache in tgtd

    23. Automation

    24. libvirt VM Management
        Life cycle management:
        ● Start / Pause / Stop
        ● Snapshot management
        ● Dump VM physical memory
        Provisioning Automation:
        ● Capture "parent" XML config
        ● Modify & define new VM

    25. libguestfs for Guest Management
        Guest Disk FS management:
        ● Supports scripting / automation
        ● Download & Upload files to guest file system
        ● Extract analyst data from a standard dir – C:\malware\ticket_#* --> upload to IR tracking system
        Windows Registry Support:
        ● Change hostname to prevent NetBIOS name conflicts on same network

    26. Provisioning & Automation
        ● clone-vm.pl – Clone an existing VM, generate unique MAC & UUID, create Copy-On-Write disk image, change hostname in registry.
        ● insert-zip.pl & extract-zip.pl – Insert and extract data
        ● peek.pl – Dump physical memory of a VM for analysis
        ● ksmstat.pl – Monitor KSM efficiency & CPU usage à la vmstat(1)
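The clone-vm.pl step (unique MAC and UUID, copy-on-write disk image, modified domain XML) as an added Python example, not the talk's script: it rewrites a constructed parent domain XML so the clone gets its own name, UUID and MAC and points its disk at a fresh qcow2 overlay in the RAM disk, builds the qemu-img command from the "My Malware Environment" slide with the backing format made explicit, and optionally defines the clone through libvirt-python. The parent XML, the paths (/dev/vg/win7-base, /tmp/ram) and the names are assumptions; the registry hostname change belongs to libguestfs/hivex and is not shown here.

```python
"""Thin-provision a clone from a parent libvirt domain (added example).

Each clone shares the read-only base volume through a qcow2 overlay that
lives in tmpfs, so creating one is a few KB of metadata, not a disk copy."""
import random
import subprocess
import uuid
import xml.etree.ElementTree as ET

# Constructed parent definition, trimmed to the elements the clone changes.
PARENT_XML = """<domain type='kvm'>
  <name>win7-base</name>
  <uuid>0b3a2c54-1111-2222-3333-444455556666</uuid>
  <memory unit='MiB'>1024</memory>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/vg/win7-base'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <mac address='52:54:00:aa:bb:cc'/>
      <source network='malware'/>
    </interface>
  </devices>
</domain>"""


def random_qemu_mac(rng=random):
    """52:54:00 is the locally administered prefix QEMU/KVM guests use."""
    return "52:54:00:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(3))


def overlay_cmd(backing, overlay, backing_fmt="raw"):
    """argv for qemu-img: a qcow2 overlay whose backing file is the base LV.
    The backing format is given explicitly; newer qemu-img refuses to probe it."""
    return ["qemu-img", "create", "-f", "qcow2", "-F", backing_fmt,
            "-b", backing, overlay]


def clone_domain_xml(parent_xml, clone_name, overlay_path, mac=None, new_uuid=None):
    """Return (clone_xml, backing_device): the parent's disk becomes the
    overlay's backing file, and name/uuid/mac are made unique."""
    root = ET.fromstring(parent_xml)
    root.find("name").text = clone_name
    root.find("uuid").text = new_uuid or str(uuid.uuid4())
    disk = root.find("./devices/disk")
    src = disk.find("source")
    backing = src.get("dev") or src.get("file")
    disk.set("type", "file")                 # overlay is a file, not a block device
    disk.find("driver").set("type", "qcow2")
    src.attrib.clear()
    src.set("file", overlay_path)
    for mac_el in root.iterfind("./devices/interface/mac"):
        mac_el.set("address", mac or random_qemu_mac())
    return ET.tostring(root, encoding="unicode"), backing


def provision(parent_xml, clone_name, ram_dir="/tmp/ram", define=False):
    """Create the overlay and, if asked, define the clone. define=True needs
    libvirt-python and a reachable libvirtd, so it is off by default."""
    overlay = f"{ram_dir}/{clone_name}.qcow2"
    xml, backing = clone_domain_xml(parent_xml, clone_name, overlay)
    subprocess.run(overlay_cmd(backing, overlay), check=True)
    if define:
        import libvirt  # assumed present only on the analysis host
        libvirt.open("qemu:///system").defineXML(xml)
    return xml


if __name__ == "__main__":
    # Dry run: show the command and XML without touching qemu-img or libvirt.
    clone_xml, base = clone_domain_xml(PARENT_XML, "win7-t1", "/tmp/ram/win7-t1.qcow2")
    print(" ".join(overlay_cmd(base, "/tmp/ram/win7-t1.qcow2")))
    print(clone_xml)
```

Two things the one-liner on the environment slide does not cover and this version does: a clone defined with the parent's UUID or MAC is rejected by libvirt or collides on the malware network, so both are regenerated per clone; and if the overlay fills tmpfs the guest pauses rather than corrupting the image, which is why the base LV can stay read-only for everyone.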
    27. Collaboration & Training

    28. [Diagram: VM, vncreflector (host:1), vncreflector (host:99), FBS output, VNC video capture]

    29. Screencasting & Playback
        Screencasting:
        ● record-vnc.pl to record & screencast
        Playback:
        ● rfbproxy -c -p in inetd
          ● inetd makes rfbproxy multi-client and self-service
        ● Shell script to feed rfbproxy VNC videos
        ● Extra credit: rfbproxy can export to PPM stream – PPM -> MPEG2 + instructor audio = Training Video

    30. What do you have now?
        ● Consistent analysis VMs w/ efficient resource use.
        ● Multi-participant, interactive, live training sessions.
        ● Thin-provisioned VMs & acquisition of analysis data
        ● Analysis session recorded for future playback
          ● HQ VNC jukebox (~300MB)
          ● Medium quality portable MPEG video (~1.5G)

    31. DEMO

    32. Next Steps...
        ● Diff pre/post infection of RAM and FS
          ● Identify injected code/new executables
          ● Dump, generate signatures, scan, detect variants of the same sample
        ● Make this all a web-app; snapshots, file mgmt, java applet vnc display
        ● Auto-provision private networks & VMs per analyst & remote (VPN) access

    33. Thank you Jamie!
        ● @gleeda / http://gleeda.blogspot.com
        ● Blackbelt in Volatility & EnCase
        ● Released a Differential EnScript – diff two versions of the same disk & report on them

    34. Nova-Labs.org
        ● Malware Analysis Lab
        ● Classes on Malware Analysis / Reverse Engineering
          ● Expected to start in April/May
        ● $$ not yet set (but expected to be cheap)
        ● Various Malware samples
        ● Learn, Teach, pass it on!

    35. How do I ....
        It's all at:
        ● warewolf.github.com / thin-provisioning
          ● Automation Code
          ● Documentation (still working on it)
          ● Configs for MITM:
            – Apache
            – dnsmasq
            – iptables config
            – samba
