Malware Analysis: Collaboration, Automation & Tuning - from Shmoocon 2013

  1. Malware Analysis: Collaboration, Automation, Training
     Richard Harman @ ShmooCon IX

  2. Richard Harman
     ● Lead Intrusion Analyst @ SRA, Inc SOC
     ● Started out as a SysAdmin
     ● Info Sec Analyst for 8 years
     ● Member of NoVA Hackers group
     ● Co-Founder of Nova Labs in Reston, VA
     xabean / warewolf / richard@richardharman.com

  3. Ingredients
     ● Intro to Malware Analysis & Tools
     ● Open Source Virtualization
     ● VM Efficiency & Consistency
     ● Light-weight VMs & Automating them
     ● Training – You're Doing It Wrong

  4. Malware Analysis

  5. Brain Food
     ● Books:
       ● Filesystem Forensic Analysis
       ● Windows Forensics Analysis Toolkit
       ● Malware Analyst's Cookbook
       ● Practical Malware Analysis
       ● Reversing: Secrets of Reverse Engineering
     ● Training:
       ● SANS GREM FOR610
       ● ... upcoming classes ; )

  6. The Process
     1) Baseline System State
     2) Monitor & Log System Activity
     3) Infect system
     4) Suspend, Dump & Terminate Processes
     5) Stop Monitoring
     6) Review Monitored Activity
     7) Compare new state to baseline
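Step 7 of the process (compare new state to baseline) is what Regshot does for the registry. As an added worked example, not code from the talk or from the warewolf repository, the block below diffs two constructed registry snapshots in Regshot's "key\value -> data" shape, drops keys known to churn on their own (the volatile patterns are an assumption for illustration), and flags any difference that lands in an autostart location, since those are the first persistence candidates an analyst checks. The snapshot contents and the svchost.exe-in-Temp entry are invented sample data.

```python
import fnmatch

# Constructed snapshots: registry "HIVE\key\value" -> data, taken before
# (step 1) and after (step 7) detonation. All paths and data are invented.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {
    RUN + r"\VMwareTray": r"C:\Program Files\VMware\VMwareTray.exe",
    RUN + r"\UpdateHelper": r"C:\Program Files\Vendor\update.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx":
        "00 00 00 00 ff ff ff ff",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname": "ANALYSIS-VM",
}
INFECTED = dict(BASELINE)
del INFECTED[RUN + r"\UpdateHelper"]                       # an entry that vanished
INFECTED[RUN + r"\svchost"] = r"C:\DOCUME~1\analyst\LOCALS~1\Temp\svchost.exe"
INFECTED[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx"] = \
    "01 00 00 00 00 00 00 00 ff ff ff ff"                  # MRU churn, not malware

# Keys that change on every login/boot and only bury the signal (assumed list).
VOLATILE = [r"*\Explorer\RecentDocs\*", r"*\MRUList*"]

# Autostart locations to surface first when they show up in the diff (assumed list).
AUTOSTART = [r"*\CurrentVersion\Run\*", r"*\CurrentVersion\RunOnce\*",
             r"HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath"]


def _matches(key, patterns):
    """fnmatch treats backslashes literally, so registry paths need no escaping."""
    return any(fnmatch.fnmatchcase(key, p) for p in patterns)


def diff_snapshots(baseline, current, volatile=VOLATILE):
    """Regshot-style compare: added, removed and changed values, minus known noise."""
    keep = lambda k: not _matches(k, volatile)
    added = {k: v for k, v in current.items() if k not in baseline and keep(k)}
    removed = {k: v for k, v in baseline.items() if k not in current and keep(k)}
    changed = {k: (baseline[k], current[k]) for k in baseline.keys() & current.keys()
               if baseline[k] != current[k] and keep(k)}
    return {"added": added, "removed": removed, "changed": changed}


def autostart_findings(diff, autostart=AUTOSTART):
    """(kind, key) for every difference that sits in an autostart location."""
    hits = []
    for kind in ("added", "removed", "changed"):
        hits += [(kind, k) for k in sorted(diff[kind]) if _matches(k, autostart)]
    return hits


if __name__ == "__main__":
    d = diff_snapshots(BASELINE, INFECTED)
    for kind in ("added", "removed", "changed"):
        for k in sorted(d[kind]):
            print("%-8s %s" % (kind, k))
    for kind, k in autostart_findings(d):
        print("AUTOSTART %s: %s" % (kind, k))
```

Running it prints one added Run value and one removed one; the MRUListEx change is swallowed by the volatile filter, and both Run-key differences are reported as autostart findings.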
  7. The Essentials
     System Baseline:
       ● Regshot
       ● Autoruns
     Memory Analysis:
       ● Volatility Framework
     General Analysis:
       ● OfficeCat
       ● FileInsight
       ● Wireshark
       ● Didier Stevens's Tools
     Logging / Tracing:
       ● OllyDbg & Plugins
       ● IDA Pro
       ● Procmon
       ● Capturebat

  8. Front-ends for sweet utilities
     Two I use most: Procmon & Autoruns
     ➔ @DaveHull is working on autorunalyzer on github.com/davehull/autorunalyzer – .py is a WIP, .sh version exists
     ➔ I (@xabean) wrote a Procmon XML processor on github.com/warewolf/Procmon
  9. Virtualization: RAM efficiency

  10. [Diagram of two guests on one host; labels: 512 MB, 1 GB, 512 MB, XLS sample, DOC sample]

  11. [Same diagram under load; labels: 512 MB, 1 GB, 512 MB, STRESS, XLS sample, DOC sample]

  12. [Diagram comparing outcomes; labels: DEDUPLICATION 1 GB, NO DEDUPLICATION 1 GB]

  13. RAM De-dupe (Merging) Support
      ● Linux/QEMU/KVM – Kernel Samepage Merging
      ● VMware – Transparent page sharing
      ● VirtualBox – Page Fusion
        ● (requires guest support)
      ● Xen – Memory Sharing (tech preview)
      ● Unmerging – Host swaps, or Host asks Guest to swap.
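Kernel Samepage Merging reports its state as plain integer files under /sys/kernel/mm/ksm, so measuring how much RAM the analysis guests actually share takes only a few lines. The block below is an added example in the spirit of the ksmstat.pl mentioned later in the deck, not that script or any code from the talk: it reads the live counters when the directory exists, otherwise falls back to constructed sample values, and turns them into a vmstat-style line. The memory arithmetic follows the kernel's KSM documentation (pages_sharing counts guest pages that now map onto one of the pages_shared copies, so that is the memory saved); the 4 KiB page size and the sample counters are assumptions, and the ksmd CPU-usage part of the original script is left out.

```python
import os

KSM_DIR = "/sys/kernel/mm/ksm"   # where Linux exposes the KSM counters
PAGE_SIZE = 4096                 # assumed x86 page size; os.sysconf("SC_PAGE_SIZE") on a host
MIB = 1024 * 1024

# Constructed counters standing in for a live sysfs so the example runs offline.
# These are invented numbers, not a measurement.
SAMPLE_COUNTERS = {
    "run": 1,                 # 1 = ksmd is merging
    "pages_shared": 1000,     # distinct pages kept as the single shared copy
    "pages_sharing": 50000,   # guest pages that now map onto one of those copies
    "pages_unshared": 20000,  # unique pages ksmd keeps rescanning
    "pages_volatile": 3000,   # pages changing too fast to be merged
    "full_scans": 12,
}


def read_ksm_counters(ksm_dir=KSM_DIR):
    """Read the integer counters KSM publishes in sysfs; {} when KSM is absent."""
    counters = {}
    if not os.path.isdir(ksm_dir):
        return counters
    for name in SAMPLE_COUNTERS:
        try:
            with open(os.path.join(ksm_dir, name)) as fh:
                counters[name] = int(fh.read().strip())
        except (OSError, ValueError):
            pass  # counter missing on this kernel, leave it out
    return counters


def ksm_summary(counters, page_size=PAGE_SIZE):
    """Reduce raw counters to what an analyst wants on one status line."""
    shared = counters.get("pages_shared", 0)
    sharing = counters.get("pages_sharing", 0)
    unshared = counters.get("pages_unshared", 0)
    volatile = counters.get("pages_volatile", 0)
    candidates = shared + sharing + unshared        # pages ksmd actually evaluated
    return {
        "running": counters.get("run", 0) == 1,
        "saved_mib": sharing * page_size // MIB,      # memory given back by merging
        "shared_mib": shared * page_size // MIB,      # footprint of the shared copies
        "dedupe_pct": round(100.0 * sharing / candidates, 1) if candidates else 0.0,
        "fan_out": round(sharing / shared, 1) if shared else 0.0,  # mappings per shared page
        "volatile_pct": round(100.0 * volatile / (candidates + volatile), 1)
                        if candidates + volatile else 0.0,
    }


def format_line(summary):
    """One vmstat-like line; volatile_pct high means the guests are too busy to merge."""
    return ("ksm run=%d saved=%dMiB shared=%dMiB dedupe=%.1f%% fan-out=%.1f volatile=%.1f%%"
            % (summary["running"], summary["saved_mib"], summary["shared_mib"],
               summary["dedupe_pct"], summary["fan_out"], summary["volatile_pct"]))


if __name__ == "__main__":
    live = read_ksm_counters()
    counters = live if "pages_sharing" in live else SAMPLE_COUNTERS
    print(format_line(ksm_summary(counters)))
```

With the sample counters the line reads saved=195MiB, shared=3MiB, dedupe=70.4% and fan-out=50.0, i.e. fifty guest pages collapsed onto each shared page; on a real host the same line sampled in a loop shows the merge ramping up after a second identical guest boots and dropping again when the host unmerges under memory pressure.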
  14. Virtualization: Consistency & Disk efficiency

  15. [Diagram of guest image variants and analysis tools; labels: Adobe Reader 8, Adobe Reader 9, Adobe Reader X, Office XP, Office 2003, Office 2007, Procmon, Regshot, Capturebat, Wireshark, IDA Pro, FileInsight, OllyDbg, Autoruns, OfficeCat, Olly Plugins]

  16. CLONES

  17. [Diagram of storage options; labels: RAW DISK, FILE SYSTEMS, iSCSI, NFS, ATAoE, GFS, FC, GLUSTRE]

  18. [Diagram; labels: Read Only, Copy on Write]

  19. Copy on Write is an enabler
      On shared storage:
      ● Enables live VM migration to another analyst
      In a RAM disk (tmpfs):
      ● Snapshots become REALLY FAST.
        ● About 1 second! (revert/save, 7 shot test)
      Images are only changes – they're small
      ● Dead-box forensic analysis anyone?

  20. CoW (Light-Weight) Disk Clones in Virtualization Software
      ● VMware
        ● Workstation has “linked clones”
        ● ESX(i) wants VMware vCenter ($$)
      ● Xen
        ● OSS: ?? Commercial: yes?
      ● VirtualBox
        ● Linked Clones à la VMware Workstation
      ● Libvirt + QEmu
        ● Libvirt LVM: No, QEmu QCOW2: yes (manual)

  21. My Malware Environment
      ● QEmu/KVM (libvirt)
      ● Windows disk images in LVM, CoW in RAM
        ● $ qemu-img create -f qcow2 -o backing_file=/dev/vg/base /tmp/ram/overlay.qcow2
        ● RAM drive full? VMs auto-pause self!
      ● MITM “internet” Linux VM
        ● Apache, iptables -j REDIRECT, dnsmasq, samba
        ● Apache vhosts of copies of websites – google, etc
        ● Connected to malware network & public network

  22. A cluster, not a cluster-FSCK
      Virtualization:
      ● QEmu/KVM + libvirt for migration
      Shared disk access:
      ● Linux tgtd iSCSI – use gigabit ethernet!
        – Clustered LVM for base images
        – GFS for CoW storage
      ● Note: disable cache in tgtd
  23. Automation

  24. libvirt VM Management
      Life cycle management:
      ● Start / Pause / Stop
      ● Snapshot management
      ● Dump VM physical memory
      Provisioning Automation:
      ● Capture “parent” XML config
      ● Modify & define new VM

  25. libguestfs for Guest Management
      Guest Disk FS management:
      ● Supports scripting / automation
      ● Download & Upload files to guest file system
      ● Extract analyst data from a standard dir – C:\malware\ticket_#* --> upload to IR tracking system
      Windows Registry Support:
      ● Change hostname to prevent NetBIOS name conflicts on same network

  26. Provisioning & Automation
      ● clone-vm.pl – Clone an existing VM, generate unique MAC & UUID, create Copy-On-Write disk image, change hostname in registry.
      ● insert-zip.pl & extract-zip.pl – Insert and extract data
      ● peek.pl – Dump physical memory of a VM for analysis
      ● ksmstat.pl – Monitor KSM efficiency & CPU usage à la vmstat(1)
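Slide 24's "capture parent XML, modify, define new VM" and slide 21's qcow2-overlay-in-tmpfs are the two halves of what clone-vm.pl does. The block below is an added example of the same procedure written against libvirt's domain XML with the standard library only; it is not clone-vm.pl and not code from the warewolf repository. It gives the clone a fresh name and UUID (both must be unique on the libvirt host), a fresh MAC in the 52:54:00 range QEMU uses for guests (unique on the malware network), and swaps the raw LVM base device for a qcow2 overlay file, producing the qemu-img command that creates that overlay. The parent XML, the names and the /tmp/ram paths are constructed; the registry hostname change from the slide (a libguestfs/hivex step) is left out, and the final `virsh define` is left to the host.

```python
import random
import uuid
import xml.etree.ElementTree as ET

# Constructed stand-in for the "parent" config captured with `virsh dumpxml`.
# Assumption: a real domain carries many more elements; they pass through untouched.
PARENT_XML = """<domain type='kvm'>
  <name>winxp-base</name>
  <uuid>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</uuid>
  <memory unit='MiB'>512</memory>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/vg/base'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <mac address='52:54:00:11:22:33'/>
      <source network='malware'/>
    </interface>
  </devices>
</domain>
"""


def random_kvm_mac(rng=random):
    """A unicast MAC under 52:54:00, the prefix QEMU/KVM uses for guest NICs."""
    return "52:54:00:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(3))


def base_disk(parent_xml):
    """Block device the parent boots from: the shared, read-only base image."""
    return ET.fromstring(parent_xml).find("devices/disk/source").get("dev")


def overlay_command(base_dev, overlay_path):
    """argv that creates a qcow2 copy-on-write overlay whose backing store is the LVM base."""
    return ["qemu-img", "create", "-f", "qcow2",
            "-o", "backing_file=%s,backing_fmt=raw" % base_dev, overlay_path]


def clone_domain_xml(parent_xml, new_name, overlay_path, mac=None, new_uuid=None):
    """Domain XML for a clone that shares the base image through its own overlay."""
    root = ET.fromstring(parent_xml)
    root.find("name").text = new_name
    root.find("uuid").text = new_uuid or str(uuid.uuid4())
    disk = root.find("devices/disk")
    disk.set("type", "file")                  # the overlay is a file in tmpfs
    disk.find("driver").set("type", "qcow2")
    source = disk.find("source")
    source.attrib.clear()                     # drop dev=..., point at the overlay
    source.set("file", overlay_path)
    for mac_el in root.iterfind("devices/interface/mac"):
        mac_el.set("address", mac or random_kvm_mac())
    return ET.tostring(root, encoding="unicode")


def domain_summary(domain_xml):
    """The fields that must differ between parent and clone, for checking."""
    root = ET.fromstring(domain_xml)
    disk = root.find("devices/disk")
    source = disk.find("source")
    return {
        "name": root.findtext("name"),
        "uuid": root.findtext("uuid"),
        "disk_type": disk.get("type"),
        "driver": disk.find("driver").get("type"),
        "source": source.get("file") or source.get("dev"),
        "macs": [m.get("address") for m in root.iterfind("devices/interface/mac")],
    }


if __name__ == "__main__":
    overlay = "/tmp/ram/winxp-ticket42.qcow2"           # constructed path in the RAM disk
    print(" ".join(overlay_command(base_disk(PARENT_XML), overlay)))
    clone = clone_domain_xml(PARENT_XML, "winxp-ticket42", overlay)
    print(domain_summary(clone))
    # On a real host: write `clone` to a file, `virsh define` it, then start it.
```

Keeping the MAC and UUID as explicit parameters is deliberate: when several analysts provision from the same parent, the caller can draw them from a shared allocator instead of trusting randomness to avoid a collision on the malware network.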
  27. Collaboration & Training

  28. [Diagram of the VNC collaboration setup; labels: VM, vncreflector (host:1), vncreflector (host:99), FBS output, FBS VNC video capture]

  29. Screencasting & Playback
      Screencasting:
      ● record-vnc.pl to record & screencast
      Playback:
      ● rfbproxy -c -p in inetd
        ● inetd makes rfbproxy multi-client and self-service
      ● Shell script to feed rfbproxy VNC videos
      ● Extra credit: rfbproxy can export to PPM stream – PPM -> MPEG2 + instructor audio = Training Video

  30. What do you have now?
      ● Consistent analysis VMs w/ efficient resource use.
      ● Multi-participant, interactive, live training sessions.
      ● Thin-provisioned VM & Acquire analysis data
      ● Analysis session recorded for future playback
        ● HQ VNC jukebox (~300MB)
        ● Medium quality portable MPEG video (~1.5G)

  31. DEMO

  32. Next Steps...
      ● Diff pre/post infection of RAM and FS
        ● Identify injected code/new executables
        ● Dump, generate signatures, scan, detect variants of the same sample
      ● Make this all a web-app; snapshots, file mgmt, java applet vnc display
      ● Auto-provision private networks & VMs per analyst & remote (VPN) access

  33. Thank you Jamie!
      ● @gleeda / http://gleeda.blogspot.com
      ● Blackbelt in Volatility & EnCase
      ● Released a Differential EnScript – diff two versions of the same disk & report on 'em

  34. Nova-Labs.org
      ● Malware Analysis Lab
      ● Classes on Malware Analysis / Reverse Engineering
        ● Expected to start in April/May
        ● $$ not yet set (but expected to be cheap)
      ● Various Malware samples
      ● Learn, Teach, pass it on!

  35. How do I ....
      It's all at:
      ● warewolf.github.com / thin-provisioning
        ● Automation Code
        ● Documentation (still working on it)
        ● Configs for MITM:
          – Apache
          – dnsmasq
          – iptables config
          – samba
