Malware Analysis Free
Toolbox
RMLL - Montpellier - July 2014 - Xavier Mertens
TrueSec
$ whoami
• Xavier Mertens (@xme)	

!
• Consultant @ day	

!
• Blogger, Hacker @ night	

!
• BruCON co-organizer
2
TrueSec
$ cat ~/.profile
• I like (your) data	

• Offensive / defensive security	

• Security visualization	

• I like to p...
TrueSec
$ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
...
TrueSec
Agenda
• Introduction	

• Build your lab	

• Automate	

• Conclusions
5
TrueSec
Why This Talk?
6
TrueSec
Don’t expect this!
7
TrueSec
Today’s Facts
8
29.122.849	

unique malicious objects: scripts, web pages, exploits,
executable files, etc.	

81.73...
TrueSec
Sources
9
• My spam folder (rootshell.be has been
registered in 2001)	

• Torrents (Keygens)	

• P0rn sites	

• Yo...
TrueSec
Motivations
10
• Plenty of material	

• To improve our security (integration with
other tools)	

• Because I’m laz...
TrueSec 11
“APT”	

VS	

“BPT”
The AttackVector
TrueSec
Analysis
12
TrueSec
Be Dynamic
13
• Execute the malware in a safe environment
and watch what it does	

• Goals	

• Understand how malw...
TrueSec
We Need “IOC”!
14
TrueSec
We Need “IOC”!
15
• Hashes	

• IP addresses	

• Domain names	

• Files	

• Registry keys	

• URLs
Share!
TrueSec
Today’s Market
16
• A niche market	

• Big players

(read: $$$)	

• Integrated into an existing platform

(Many 2....
TrueSec
An Attack in 5 Steps
17
	

 	

 	

 	

 	

 	

 	

 	

 	

 	

 Persistence	

	

 	

 	

 	

 	

 	

 	

 	

 	

 ...
TrueSec
The Patient “0”
18
The index case or primary case is the initial

patient in the population of an epidemiological
...
TrueSec
Agenda
• Introduction	

• Build your lab	

• Automate	

• Conclusions
19
TrueSec
Requirements
20
• Free (because we are @ RMLL!)	

• Virtualized (easy & snapshots)	

• Open (to interconnect with ...
TrueSec
Cuckoo
21
• Dynamic code analysis framework
developed in Python	

• “Python” means “open, modular, easy to
modify”...
TrueSec
Features
22
• Automation	

• Capture data	

• API calls	

• Network traffic	

• Screenshots	

• Filesystem / Regist...
TrueSec
Cuckoo
23
TrueSec
Architecture
24
TrueSec
Setup
25
TrueSec
Basic Installation
26
• VirtualBox (recommended)	

• Lot of Python lib dependencies	

• Recommended platform: Ubun...
TrueSec
We Need Intertubes
27
• Use Host-only networking withVirtualbox	

• Connect to the world
# sysctl -w net.ipv4.ip_f...
TrueSec
“Your” Sandbox
28
• Windows XP SP3 or Windows 7 SP1 32bits	

• Acrobat Reader, M$ Office, Browsers	

• Generate som...
TrueSec
VM Hardening
29
• VM must be “vulnerable” but hardened
against anti-VM detection	

• http://github.com/markedoe/cu...
TrueSec
Attack of the Clones
30
TrueSec
Demo!
31
TrueSec
Agenda
• Introduction	

• Build your lab	

• Automate	

• Conclusions
32
TrueSec
Automation
33
Cuckoo is a nice tool to analyse files on
demand but some automation will be helpful to
detect more s...
TrueSec
Bro IDS
34
• Bro is a powerful network analysis
framework. Bro is not only a IDS	

• Bro comes with analysers for ...
TrueSec
Bro Scripting
35
Bro has a simple and

powerful scripting

language.All the

output generated by

Bro is based on
...
TrueSec
Extract Those Files!
36
• Bro can extract files from network streams
and save them on the file system	

• There is a...
TrueSec
Extract Those Files!
37
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
} &default ...
TrueSec
Juicy Files
38
application/x-dosexec
application/vnc.ms-cab-compressed
application/pdf
application/x-shockware-fla...
TrueSec
And URLs?
39
• Extracting URLs from network?	

• Flood! (“HTTP is the new TCP”)	

• Analysing one-time URLs may br...
TrueSec
Sniff!
40
# cd /tools/bro/logs
# vi extract.bro
# mkdir extract_files
# ../bin/bro -i eth1 extract.bro
listening o...
TrueSec
Feed Cuckoo!
41
# cd /tools/bro/logs/extract_files
# inotifywait -m -q -e create —format %f . |
while read F
do
ca...
TrueSec
Want Data?
42
• Cuckoo has a REST API	

• Useful to automate even more
TrueSec
Get results!
43
# curl http://localhost:8090/tasks/list
# curl http://localhost:8090/tasks/view/10
# curl http://l...
TrueSec
Extract IOC’s
44
#curl -s http://localhost:8090/tasks/report/2/json | 
python extract-domains.py
premiercrufinewin...
TrueSec
Feed OSSEC
45
• Create CDB lists (“active lists”)	

<ossec_config>

<rules>
<list>lists/baddomains.cdb</list>
<lis...
TrueSec
Correlate
46
<rule id=“99001” level=“10”>
<decoded_as>bind9</decoded_as>
<list field=“url”>lists/baddomains</list>...
TrueSec
Agenda
• Introduction	

• Build your lab	

• Automate	

• Conclusions
47
TrueSec
Conclusions
48
TrueSec
Conclusions
49
• We don’t have time to handle such amount
of data!	

• Know your Enemy!	

• Correlate your logs wi...
TrueSec
Thank you!	

@xme	

xavier@truesec.be	

http://blog.rootshell.be	

https://www.truesec.be
50
Upcoming SlideShare
Loading in …5
×

Malware Analysis Using Free Software

3,646 views

Published on

How to build a malware analysis toolbox usinf free software

Published in: Technology
0 Comments
8 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,646
On SlideShare
0
From Embeds
0
Number of Embeds
450
Actions
Shares
0
Downloads
109
Comments
0
Likes
8
Embeds 0
No embeds

No notes for slide

Malware Analysis Using Free Software

  1. 1. Malware Analysis Free Toolbox RMLL - Montpellier - July 2014 - Xavier Mertens
  2. 2. TrueSec $ whoami • Xavier Mertens (@xme) ! • Consultant @ day ! • Blogger, Hacker @ night ! • BruCON co-organizer 2
  3. 3. TrueSec $ cat ~/.profile • I like (your) data • Offensive / defensive security • Security visualization • I like to play! 3
  4. 4. TrueSec $ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.” 4
  5. 5. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 5
  6. 6. TrueSec Why This Talk? 6
  7. 7. TrueSec Don’t expect this! 7
  8. 8. TrueSec Today’s Facts 8 29.122.849 unique malicious objects: scripts, web pages, exploits, executable files, etc. 81.736.783 unique URLs were recognized as malicious by web antivirus. Q1 2014 (source: Kaspersky Security Network)
  9. 9. TrueSec Sources 9 • My spam folder (rootshell.be has been registered in 2001) • Torrents (Keygens) • P0rn sites • You & me!
  10. 10. TrueSec Motivations 10 • Plenty of material • To improve our security (integration with other tools) • Because I’m lazy! (automation) • Because it’s fun!
  11. 11. TrueSec 11 “APT” VS “BPT” The AttackVector
  12. 12. TrueSec Analysis 12
  13. 13. TrueSec Be Dynamic 13 • Execute the malware in a safe environment and watch what it does • Goals • Understand how malwares work • Get IOC’s
  14. 14. TrueSec We Need “IOC”! 14
  15. 15. TrueSec We Need “IOC”! 15 • Hashes • IP addresses • Domain names • Files • Registry keys • URLs Share!
  16. 16. TrueSec Today’s Market 16 • A niche market • Big players
 (read: $$$) • Integrated into an existing platform
 (Many 2.0 or NG firewalls)
  17. 17. TrueSec An Attack in 5 Steps 17 Persistence Exploit Plan a Backdoor Initial intrusion Reconnaissance Pwned!
  18. 18. TrueSec The Patient “0” 18 The index case or primary case is the initial
 patient in the population of an epidemiological
 investigation (Source:Wikipedia)
  19. 19. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 19
  20. 20. TrueSec Requirements 20 • Free (because we are @ RMLL!) • Virtualized (easy & snapshots) • Open (to interconnect with other tools) • Automatization
  21. 21. TrueSec Cuckoo 21 • Dynamic code analysis framework developed in Python • “Python” means “open, modular, easy to modify” • Based on the classic “sandboxing” system
  22. 22. TrueSec Features 22 • Automation • Capture data • API calls • Network traffic • Screenshots • Filesystem / Registry operations • Memory dump • Reporting in many formats
  23. 23. TrueSec Cuckoo 23
  24. 24. TrueSec Architecture 24
  25. 25. TrueSec Setup 25
  26. 26. TrueSec Basic Installation 26 • VirtualBox (recommended) • Lot of Python lib dependencies • Recommended platform: Ubuntu • Ninja mode: OSX
  27. 27. TrueSec We Need Intertubes 27 • Use Host-only networking withVirtualbox • Connect to the world # sysctl -w net.ipv4.ip_forward=1 # iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.1.0/24 -m conntrack -ctstate NEW -j ACCEPT # iptables -A FORWARD -m conntrack -ctstate ESTABLISHED,RELATED -j ACCEPT # iptables -A POSTROUTING -t nat -j MASQUERADE OSX Ninja?Visit http://goo.gl/aEM7gO
  28. 28. TrueSec “Your” Sandbox 28 • Windows XP SP3 or Windows 7 SP1 32bits • Acrobat Reader, M$ Office, Browsers • Generate some content (cookies, browsers history) • Install the Cuckoo agent • Disable all security features!
  29. 29. TrueSec VM Hardening 29 • VM must be “vulnerable” but hardened against anti-VM detection • http://github.com/markedoe/cuckoo- sandbox • https://github.com/a0rtega/pafish
  30. 30. TrueSec Attack of the Clones 30
  31. 31. TrueSec Demo! 31
  32. 32. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 32
  33. 33. TrueSec Automation 33 Cuckoo is a nice tool to analyse files on demand but some automation will be helpful to detect more suspicious stuff!
  34. 34. TrueSec Bro IDS 34 • Bro is a powerful network analysis framework. Bro is not only a IDS • Bro comes with analysers for many protocols which allow processing at layer-7 • http://bro.org
  35. 35. TrueSec Bro Scripting 35 Bro has a simple and
 powerful scripting
 language.All the
 output generated by
 Bro is based on
 scripts!
  36. 36. TrueSec Extract Those Files! 36 • Bro can extract files from network streams and save them on the file system • There is an “extraction” analyzer to perform this task
  37. 37. TrueSec Extract Those Files! 37 global ext_map: table[string] of string = { ["application/x-dosexec"] = "exe", } &default =""; ! event file_new(f: fa_file) { local ext = “data"; ! if ( f?$mime_type ) ext = ext_map[f$mime_type]; ! local fname = fmt("%s-%s.%s",
 f$source, f$id, ext); Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
 [$extract_filename=fname]); }
  38. 38. TrueSec Juicy Files 38 application/x-dosexec application/vnc.ms-cab-compressed application/pdf application/x-shockware-flash application/x-java-applet application/jar application/zip
  39. 39. TrueSec And URLs? 39 • Extracting URLs from network? • Flood! (“HTTP is the new TCP”) • Analysing one-time URLs may break some tools (think about password recovery)
  40. 40. TrueSec Sniff! 40 # cd /tools/bro/logs # vi extract.bro # mkdir extract_files # ../bin/bro -i eth1 extract.bro listening on eth1, capture length 8192 bytes
  41. 41. TrueSec Feed Cuckoo! 41 # cd /tools/bro/logs/extract_files # inotifywait -m -q -e create —format %f . | while read F do case “${F##*.}” in “zip|exe|doc|dll|jar|msi”) /tools/cuckoo/utils/submit.py $F esac done
  42. 42. TrueSec Want Data? 42 • Cuckoo has a REST API • Useful to automate even more
  43. 43. TrueSec Get results! 43 # curl http://localhost:8090/tasks/list # curl http://localhost:8090/tasks/view/10 # curl http://localhost:8090/tasks/report/10 # curl http://localhost:8090/files/view/md5/xxxxxx !
  44. 44. TrueSec Extract IOC’s 44 #curl -s http://localhost:8090/tasks/report/2/json | python extract-domains.py premiercrufinewine.co.uk 188.65.114.122 fidaintel.com 216.224.182.75
  45. 45. TrueSec Feed OSSEC 45 • Create CDB lists (“active lists”) <ossec_config>
 <rules> <list>lists/baddomains.cdb</list> <list>lists/badips.cdb</list> </rules> </ossec_config> • Populate them • Re-generate them
 /var/ossec/bin/ossec-makelists
  46. 46. TrueSec Correlate 46 <rule id=“99001” level=“10”> <decoded_as>bind9</decoded_as> <list field=“url”>lists/baddomains</list> <description>DNS query: malicious domain</description> </rule>
  47. 47. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 47
  48. 48. TrueSec Conclusions 48
  49. 49. TrueSec Conclusions 49 • We don’t have time to handle such amount of data! • Know your Enemy! • Correlate your logs with external content
  50. 50. TrueSec Thank you! @xme xavier@truesec.be http://blog.rootshell.be https://www.truesec.be 50

×