Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Malware Analysis Using Free Software

3,998 views

Published on

How to build a malware analysis toolbox usinf free software

Published in: Technology
  • DOWNLOAD FULL BOOKS INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Malware Analysis Using Free Software

  1. 1. Malware Analysis Free Toolbox RMLL - Montpellier - July 2014 - Xavier Mertens
  2. 2. TrueSec $ whoami • Xavier Mertens (@xme) ! • Consultant @ day ! • Blogger, Hacker @ night ! • BruCON co-organizer 2
  3. 3. TrueSec $ cat ~/.profile • I like (your) data • Offensive / defensive security • Security visualization • I like to play! 3
  4. 4. TrueSec $ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.” 4
  5. 5. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 5
  6. 6. TrueSec Why This Talk? 6
  7. 7. TrueSec Don’t expect this! 7
  8. 8. TrueSec Today’s Facts 8 29.122.849 unique malicious objects: scripts, web pages, exploits, executable files, etc. 81.736.783 unique URLs were recognized as malicious by web antivirus. Q1 2014 (source: Kaspersky Security Network)
  9. 9. TrueSec Sources 9 • My spam folder (rootshell.be has been registered in 2001) • Torrents (Keygens) • P0rn sites • You & me!
  10. 10. TrueSec Motivations 10 • Plenty of material • To improve our security (integration with other tools) • Because I’m lazy! (automation) • Because it’s fun!
  11. 11. TrueSec 11 “APT” VS “BPT” The AttackVector
  12. 12. TrueSec Analysis 12
  13. 13. TrueSec Be Dynamic 13 • Execute the malware in a safe environment and watch what it does • Goals • Understand how malwares work • Get IOC’s
  14. 14. TrueSec We Need “IOC”! 14
  15. 15. TrueSec We Need “IOC”! 15 • Hashes • IP addresses • Domain names • Files • Registry keys • URLs Share!
  16. 16. TrueSec Today’s Market 16 • A niche market • Big players
 (read: $$$) • Integrated into an existing platform
 (Many 2.0 or NG firewalls)
  17. 17. TrueSec An Attack in 5 Steps 17 Persistence Exploit Plan a Backdoor Initial intrusion Reconnaissance Pwned!
  18. 18. TrueSec The Patient “0” 18 The index case or primary case is the initial
 patient in the population of an epidemiological
 investigation (Source:Wikipedia)
  19. 19. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 19
  20. 20. TrueSec Requirements 20 • Free (because we are @ RMLL!) • Virtualized (easy & snapshots) • Open (to interconnect with other tools) • Automatization
  21. 21. TrueSec Cuckoo 21 • Dynamic code analysis framework developed in Python • “Python” means “open, modular, easy to modify” • Based on the classic “sandboxing” system
  22. 22. TrueSec Features 22 • Automation • Capture data • API calls • Network traffic • Screenshots • Filesystem / Registry operations • Memory dump • Reporting in many formats
  23. 23. TrueSec Cuckoo 23
  24. 24. TrueSec Architecture 24
  25. 25. TrueSec Setup 25
  26. 26. TrueSec Basic Installation 26 • VirtualBox (recommended) • Lot of Python lib dependencies • Recommended platform: Ubuntu • Ninja mode: OSX
  27. 27. TrueSec We Need Intertubes 27 • Use Host-only networking withVirtualbox • Connect to the world # sysctl -w net.ipv4.ip_forward=1 # iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.1.0/24 -m conntrack -ctstate NEW -j ACCEPT # iptables -A FORWARD -m conntrack -ctstate ESTABLISHED,RELATED -j ACCEPT # iptables -A POSTROUTING -t nat -j MASQUERADE OSX Ninja?Visit http://goo.gl/aEM7gO
  28. 28. TrueSec “Your” Sandbox 28 • Windows XP SP3 or Windows 7 SP1 32bits • Acrobat Reader, M$ Office, Browsers • Generate some content (cookies, browsers history) • Install the Cuckoo agent • Disable all security features!
  29. 29. TrueSec VM Hardening 29 • VM must be “vulnerable” but hardened against anti-VM detection • http://github.com/markedoe/cuckoo- sandbox • https://github.com/a0rtega/pafish
  30. 30. TrueSec Attack of the Clones 30
  31. 31. TrueSec Demo! 31
  32. 32. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 32
  33. 33. TrueSec Automation 33 Cuckoo is a nice tool to analyse files on demand but some automation will be helpful to detect more suspicious stuff!
  34. 34. TrueSec Bro IDS 34 • Bro is a powerful network analysis framework. Bro is not only a IDS • Bro comes with analysers for many protocols which allow processing at layer-7 • http://bro.org
  35. 35. TrueSec Bro Scripting 35 Bro has a simple and
 powerful scripting
 language.All the
 output generated by
 Bro is based on
 scripts!
  36. 36. TrueSec Extract Those Files! 36 • Bro can extract files from network streams and save them on the file system • There is an “extraction” analyzer to perform this task
  37. 37. TrueSec Extract Those Files! 37 global ext_map: table[string] of string = { ["application/x-dosexec"] = "exe", } &default =""; ! event file_new(f: fa_file) { local ext = “data"; ! if ( f?$mime_type ) ext = ext_map[f$mime_type]; ! local fname = fmt("%s-%s.%s",
 f$source, f$id, ext); Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
 [$extract_filename=fname]); }
  38. 38. TrueSec Juicy Files 38 application/x-dosexec application/vnc.ms-cab-compressed application/pdf application/x-shockware-flash application/x-java-applet application/jar application/zip
  39. 39. TrueSec And URLs? 39 • Extracting URLs from network? • Flood! (“HTTP is the new TCP”) • Analysing one-time URLs may break some tools (think about password recovery)
  40. 40. TrueSec Sniff! 40 # cd /tools/bro/logs # vi extract.bro # mkdir extract_files # ../bin/bro -i eth1 extract.bro listening on eth1, capture length 8192 bytes
  41. 41. TrueSec Feed Cuckoo! 41 # cd /tools/bro/logs/extract_files # inotifywait -m -q -e create —format %f . | while read F do case “${F##*.}” in “zip|exe|doc|dll|jar|msi”) /tools/cuckoo/utils/submit.py $F esac done
  42. 42. TrueSec Want Data? 42 • Cuckoo has a REST API • Useful to automate even more
  43. 43. TrueSec Get results! 43 # curl http://localhost:8090/tasks/list # curl http://localhost:8090/tasks/view/10 # curl http://localhost:8090/tasks/report/10 # curl http://localhost:8090/files/view/md5/xxxxxx !
  44. 44. TrueSec Extract IOC’s 44 #curl -s http://localhost:8090/tasks/report/2/json | python extract-domains.py premiercrufinewine.co.uk 188.65.114.122 fidaintel.com 216.224.182.75
  45. 45. TrueSec Feed OSSEC 45 • Create CDB lists (“active lists”) <ossec_config>
 <rules> <list>lists/baddomains.cdb</list> <list>lists/badips.cdb</list> </rules> </ossec_config> • Populate them • Re-generate them
 /var/ossec/bin/ossec-makelists
  46. 46. TrueSec Correlate 46 <rule id=“99001” level=“10”> <decoded_as>bind9</decoded_as> <list field=“url”>lists/baddomains</list> <description>DNS query: malicious domain</description> </rule>
  47. 47. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 47
  48. 48. TrueSec Conclusions 48
  49. 49. TrueSec Conclusions 49 • We don’t have time to handle such amount of data! • Know your Enemy! • Correlate your logs with external content
  50. 50. TrueSec Thank you! @xme xavier@truesec.be http://blog.rootshell.be https://www.truesec.be 50

×