Malware Analysis, by PP Singh
Post on 01-Sep-2014
AN OVERVIEW – PART I
OUR GAME PLAN TODAY – A THEORETICAL OVERVIEW, FOLLOWED BY A CASE STUDY.
DETAILED PRESENTATIONS ABOUT EACH COMPONENT:
VIRTUALIZATION.
HONEYPOTS / HONEYNETS.
DEBUGGING
AND SO ON (HOPEFULLY)
CAPABILITY FOR ‘ABSTRACT MATHEMATICS’
ASSEMBLY LANGUAGE
LACK OF SOCIAL LIFE
ADEQUATE 'BEHAVIOR MODIFICATION' OR 'TRANCE INDUCING' MATERIALS.
BASICS
SETTING UP A LAB ENVIRONMENT
ANALYSIS
o NETWORK TRAFFIC
o DISK IMAGE / FILE SYSTEM
o MEMORY IMAGE
o STATIC ANALYSIS
TRADITIONALLY WE HAD SOURCE CODE AUDITING – THE PRIME REQUIREMENT WAS SAFETY OF CODE.
THEN CAME PROPRIETARY CODE, AND WITH IT 'BLACK BOX TESTING'.
ALONG CAME MODULAR COMPONENTS AND WE GRADUATED TO 'REVERSE ENGINEERING'.
WITH COTS PRODUCTS CAME ISSUES OF TRUST – MICROSOFT IS SAFE, BUT WHAT ABOUT THE GUYS WHO MADE THE DLL?
SUGGESTED READING: 'WYSINWYX', GOGUL BALAKRISHNAN'S PHD THESIS.
A METHOD OF REVERSE ENGINEERING A PROGRAM TOGETHER WITH ALL ITS ASSOCIATED LIBRARIES – 'HOLISTIC REVERSE ENGINEERING'.
A FOCUSED APPLICATION – MALWARE ANALYSIS.
WHY – TRADITIONAL SIGNATURE-BASED DETECTION IS FUTILE AGAINST EVOLVING MALWARE.
THE SAME LOGIC HAS MULTIPLE 'SIGNATURES' (PACKING, POLYMORPHISM), HENCE 'BEHAVIORAL ANALYSIS'.
PROS & CONS OF BOTH STATIC ANALYSIS AND BEHAVIORAL ANALYSIS.
LARGER VOLUMES OF SAMPLES NECESSITATE 'AUTOMATION'.
ENTER CWSANDBOX, NORMAN SANDBOX AND OTHERS.
BUT WE NEED 'MORE'.
OVERLAP WITH FORENSICS.
PRIVACY & POLICY ISSUES.
WISH TO LEARN – 'LIVE' EXERCISE – PART OF GROWING UP.
FIELD OF WORK – REQUIREMENT OF CUSTOMIZED DATA.
COMPLEXITIES IN THE MALWARE WORLD.
A CONTROLLED ENVIRONMENT.
▪ MALWARE COLLECTION. MALWARE COLLECTION THROUGH SPAM TRAPS, HONEYPOTS AND SHARED DATA. NEPENTHES AS AN EXAMPLE.
▪ VICTIM MACHINES. VIRTUALISATION OR REAL. VIRTUAL MACHINES ARE EASIER TO MANAGE, BUT MALWARE IS INCREASINGLY AWARE OF THEM. VIRTUAL MACHINES LIKE VMWARE, PARALLELS, QEMU AND BOCHS ARE AVAILABLE.
▪ SUPPORT TOOLS.
▪ NETWORK SIMULATION. INTERNET CONNECTION, DNS, IRC, WEB AND SMTP SERVERS.
▪ ANALYSIS TOOLS. SUPPORT OF ONLINE RESOURCES LIKE VIRUSTOTAL.
IT SHOULD BE ISOLATED.
IT SHOULD PROVIDE A FULL SIMULATION.
FRIENDS
ONLINE RESOURCES
HONEYPOTS
o AMUN
o NEPENTHES
o ….
WINDOWS OS – GETTING A CLEAN START FOR EACH RUN:
o A WINDOWS IMAGE RESTORED USING LINUX – THE REUSABLE MALWARE ANALYSIS NET, 'TRUMAN'
o VIRTUAL MACHINES
o NORTON GHOST / UDPCAST / ACRONIS
o HARDWARE – CORE RESTORE
o MICROSOFT – STEADY STATE
THIS MINI LINUX IMPLEMENTATION CONTAINS TOOLS LIKE PARTIMAGE, NTFSRESIZE AND FDISK AND IS BASED AROUND THE FANTASTIC BUSYBOX.
IT ENABLES YOU TO PXE BOOT A PC INTO A LINUX CLIENT WHICH CAN CREATE AN NTFS PARTITION, GRAB A WINDOWS DISK IMAGE FROM THE NETWORK, WRITE IT TO A LOCAL DISK AND THEN RESIZE THAT PARTITION.
TWO MACHINES MINIMUM: A LINUX-BASED SERVER AND THE TRUMAN CLIENT MACHINE (XP WITHOUT PATCHES). INSTALLATION FAQ ON NSMWIKI.
VIRTUAL NETWORK SIMULATION
MAVMM: LIGHTWEIGHT AND PURPOSE-BUILT VMM FOR MALWARE ANALYSIS
AUTHORS – ANH M. NGUYEN, NABIL SCHEAR, HEEDONG JUNG, APEKSHA GODIYAL, SAMUEL T. KING, HAI D. NGUYEN
A SPECIAL-PURPOSE VIRTUAL MACHINE MONITOR FOR MALWARE ANALYSIS
ACADEMIC VERSION OF XP AVAILABLE.
INSTRUMENTATION OF CODE FEASIBLE
CREATION OF ‘SPECIAL WINDOWS’ BOXES
CREATE A CONTROLLED ENVIRONMENT. VIRTUAL OR REAL.
BASELINE THE ENVIRONMENT:-
▪ VICTIM MACHINE. FILE SYSTEM, REGISTRY, RUNNING PROCESSES, OPEN PORTS, USERS, GROUPS, NETWORK SHARES, SERVICES ETC.
▪ NETWORK TRAFFIC.
▪ EXTERNAL VIEW.
INFORMATION COLLECTION.
▪ STATIC. STRINGS, RESOURCES, SCRIPTS, FILE PROPERTIES ETC
▪ DYNAMIC.
INFORMATION ANALYSIS. INVOLVES INFORMATION COLLATION, INTERNET SEARCHES, STARTUP METHODS, COMMUNICATION PROTOCOLS, SPREADING MECHANISMS ETC.
RECONSTRUCTING THE BIG PICTURE.
DOCUMENTATION.
PSEXEC – PART OF THE SYSINTERNALS PSTOOLS KIT.
MS REMOTE DESKTOP; VIRTUAL NETWORK COMPUTING (VNC) – ULTRAVNC ON SOURCEFORGE.
IF YOU ARE COMFORTABLE WITH A REMOTE COMMAND LINE – PSEXEC.
BASELINE INFORMATION
o NETWORK TRAFFIC
o FILE SYSTEM
o REGISTRY
o MEMORY IMAGE
REMEMBER, IT IS 'MALWARE'.
USE PKZIP TO HANDLE THE SAMPLE (A PASSWORD-PROTECTED ARCHIVE STOPS ANTIVIRUS FROM QUARANTINING IT AND PREVENTS ACCIDENTAL EXECUTION).
COMMAND LINE METHOD.
IF YOU ARE SUBMITTING SAMPLES ONLINE, THE CONVENTIONAL PASSWORD = 'infected'.
DISK IMAGE ANALYSIS: ADVANCED INTRUSION DETECTION ENVIRONMENT (AIDE) FOR COMPARING DISK IMAGES BEFORE AND AFTER.
NTFS-3G DRIVER AND GETFATTR FOR ALTERNATE DATA STREAMS (ADS).
REGISTRY: DUMP THE HIVES USING DUMPHIVE.
COMPARE REGISTRY DUMPS BEFORE AND AFTER USING THE LINUX DIFF -U COMMAND.
MEMORY IMAGE ANALYSIS: PMODUMP.PL MODIFIED TO HANDLE PEB RANDOMISATION; VOLATILITY FRAMEWORK USED FOR ANALYSIS.
OUTPUTS OF MULTIPLE TOOLS USED TO COMPARE AND ANALYSE.
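The baseline step above (snapshot the victim's file system and registry before the run) and the before-and-after comparison (AIDE on disk images, dumphive output through diff -u) reduce to the same operation: snapshot, snapshot again, classify every key as new, missing or changed. The following is an added Python example, not from the slides and not AIDE or Regshot; the directory layout, file contents and .reg-style dumps are constructed for the demo. It hashes a directory tree with SHA-256, parses a .reg-style export, and diffs both with one routine.

```python
"""Baseline-and-compare for a victim machine, in the spirit of AIDE / Regshot / diff -u.

Added example, not from the slides. Paths, file contents and registry dumps below are
constructed for the demo; nothing here is a real sample.
"""
import hashlib
import os
import tempfile


def snapshot_tree(root: str) -> dict:
    """Map relative path -> (sha256, size) for every regular file under root.

    Symlinks are skipped. Run this against a mounted disk image (e.g. via ntfs-3g)
    rather than inside a running victim: a rootkit can hide files from a live walk,
    and os.walk never sees NTFS alternate data streams (use getfattr for those).
    """
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (h.hexdigest(), os.path.getsize(full))
    return snap


def parse_reg_dump(text: str) -> dict:
    """Parse a .reg-style export ([KEY] headers, "name"=value lines) into key\\name -> value."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line:
            name, _, val = line.partition("=")
            values[current + "\\" + name.strip().strip('"')] = val.strip()
    return values


def diff_snapshots(baseline: dict, observed: dict) -> dict:
    """Classify keys as new, missing or changed; works for file and registry snapshots alike."""
    base, obs = set(baseline), set(observed)
    return {
        "new": sorted(obs - base),
        "missing": sorted(base - obs),
        "changed": sorted(k for k in base & obs if baseline[k] != observed[k]),
    }


# Constructed registry exports: the "after" dump gains a Run-key persistence entry.
REG_BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"
"""
REG_AFTER = REG_BEFORE + r'"Updater"="C:\\Windows\\System32\\svch0st.exe"' + "\n"


def demo() -> dict:
    """Baseline a constructed directory, simulate a dropper's changes, and diff both views."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "Windows/System32/kernel32.dll": b"K" * 100,
            "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
            "Users/victim/notes.txt": b"todo\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
        before = snapshot_tree(root)
        # Simulated infection: new binary dropped, hosts file edited, a user file deleted.
        with open(os.path.join(root, "Windows", "System32", "svch0st.exe"), "wb") as f:
            f.write(b"MZ\x90\x00")
        with open(os.path.join(root, "Windows", "System32", "drivers", "etc", "hosts"), "ab") as f:
            f.write(b"127.0.0.1 update.vendor.invalid\n")
        os.remove(os.path.join(root, "Users", "victim", "notes.txt"))
        after = snapshot_tree(root)
    return {
        "files": diff_snapshots(before, after),
        "registry": diff_snapshots(parse_reg_dump(REG_BEFORE), parse_reg_dump(REG_AFTER)),
    }


if __name__ == "__main__":
    for view, delta in demo().items():
        print(view, delta)
```

Take the "before" snapshot from the clean image and the "after" snapshot from the disk image of the infected guest, both mounted read-only on the analysis host; hashing from inside the running victim trusts the very system the sample just modified.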
FILE SYSTEM AND REGISTRY MONITORING: PROCESS MONITOR AND CAPTURE BAT
PROCESS MONITORING: PROCESS EXPLORER AND PROCESS HACKER
NETWORK MONITORING: WIRESHARK AND SMARTSNIFF
CHANGE DETECTION: REGSHOT
A GOOD WAY TO SEE CHANGES TO THE NETWORK IS WITH A TOOL CALLED NDIFF.
NDIFF IS A TOOL THAT UTILIZES NMAP OUTPUT TO IDENTIFY THE DIFFERENCES, OR CHANGES, THAT HAVE OCCURRED IN YOUR ENVIRONMENT.
NDIFF CAN BE DOWNLOADED FROM http://www.vinecorp.com/ndiff/. (THIS IS THE ORIGINAL VINECORP NDIFF; THE NMAP PROJECT NOW SHIPS ITS OWN NDIFF WITH A DIFFERENT COMMAND LINE, SO CHECK WHICH ONE YOU HAVE INSTALLED.)
TCPDUMP – CONSOLE; WINDUMP – CONSOLE
WIRESHARK – GUI
THE OPTIONS OFFERED IN NDIFF INCLUDE:
ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>] [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>] [-fmt|-format <terse | minimal | verbose | machine | html | htmle>]
NDIFF OUTPUT MAY BE REDIRECTED TO A WEB PAGE:
ndiff -b base-line.txt -o tested.txt -fmt machine | ndiff2html > differences.html
THE OUTPUT FILE, "DIFFERENCES.HTML", MAY BE DISPLAYED IN A WEB BROWSER. THIS WILL SEPARATE HOSTS INTO THREE MAIN CATEGORIES:
o NEW HOSTS,
o MISSING HOSTS, AND
o CHANGED HOSTS.
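What ndiff computes from two scans (new hosts, missing hosts, changed hosts), written out as an added Python example; this is not the ndiff tool and not code from the slides. It parses nmap's grepable (-oG) output, which is the format ndiff consumes, and for changed hosts reports which ports opened or closed, which is what an analyst wants when a sample starts a backdoor listener. BASELINE and OBSERVED are constructed scan outputs; the addresses and ports are invented for the demo.

```python
"""What ndiff does, reduced to code: compare two nmap grepable (-oG) scans of the lab network.

Added example: this is not the ndiff tool and not code from the slides. BASELINE and OBSERVED
are constructed scan outputs; the addresses and ports in them are invented for the demo.
"""
import re

HOST_RE = re.compile(r"^Host:\s+(\S+).*?\tPorts:\s+(.*?)(?:\t|$)")


def parse_grepable(text: str) -> dict:
    """Map IP -> set of open 'port/proto' from the 'Host: ... Ports: ...' lines of an -oG file.

    Each port entry is port/state/proto/owner/service/rpc/version/; only state 'open' counts,
    and a host with a Status line but no Ports line is still recorded as present.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                     # '# Nmap ...' comment lines
        ip = line.split()[1]
        hosts.setdefault(ip, set())
        m = HOST_RE.match(line)
        if m:
            for entry in m.group(2).split(","):
                port, state, proto = entry.strip().split("/")[:3]
                if state == "open":
                    hosts[ip].add(f"{port}/{proto}")
    return hosts


def diff_scans(baseline: str, observed: str) -> dict:
    """New, missing and changed hosts, with the ports that opened or closed on changed hosts."""
    base, obs = parse_grepable(baseline), parse_grepable(observed)
    changed = {}
    for ip in sorted(base.keys() & obs.keys()):
        opened, closed = obs[ip] - base[ip], base[ip] - obs[ip]
        if opened or closed:
            changed[ip] = {"opened": sorted(opened), "closed": sorted(closed)}
    return {"new": sorted(obs.keys() - base.keys()),
            "missing": sorted(base.keys() - obs.keys()),
            "changed": changed}


# Constructed -oG output for a three-host lab segment before the sample runs ...
BASELINE = "\n".join([
    "# Nmap 5.21 scan initiated as: nmap -sS -sU -oG baseline.gnmap 192.168.56.0/24",
    "Host: 192.168.56.1 ()\tStatus: Up",
    "Host: 192.168.56.1 ()\tPorts: 53/open/udp//domain///, 80/open/tcp//http///\tIgnored State: closed (998)",
    "Host: 192.168.56.101 ()\tStatus: Up",
    "Host: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (997)",
    "Host: 192.168.56.102 ()\tStatus: Up",
    "Host: 192.168.56.102 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)",
    "# Nmap done -- 3 IP addresses (3 hosts up) scanned",
])
# ... and afterwards: the victim now listens on 4444/tcp and stopped answering on 139/tcp,
# an unexpected host appeared, and the Linux box was powered off.
OBSERVED = "\n".join([
    "Host: 192.168.56.1 ()\tStatus: Up",
    "Host: 192.168.56.1 ()\tPorts: 53/open/udp//domain///, 80/open/tcp//http///\tIgnored State: closed (998)",
    "Host: 192.168.56.101 ()\tStatus: Up",
    "Host: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc///, 139/closed/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 4444/open/tcp//krb524///\tIgnored State: closed (996)",
    "Host: 192.168.56.103 ()\tStatus: Up",
    "Host: 192.168.56.103 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)",
])


if __name__ == "__main__":
    print(diff_scans(BASELINE, OBSERVED))
```

Scan the lab segment from the analysis host with the same nmap command line before and after the run, save both with -oG, and feed the two files in; a scan from inside the victim is not trustworthy once the sample has run.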
NETSTAT, FPORT
TCPVCON – CONSOLE; TCPVIEW – GUI
HANDLE – CONSOLE; PROCESS EXPLORER – GUI
USE PID TO CORRELATE OUTPUTS
HASHING FUNCTIONS
o MD5DEEP – JESSE KORNBLUM
FUZZY HASHING
o SSDEEP – AGAIN JESSE KORNBLUM
ONLINE HASHES OF KNOWN-GOOD FILES – NIST (NSRL)
A GOOD START
VIRUSTOTAL
VIRUSSCAN
AND MANY MORE
HELP RETAIN FOCUS
virus@ca.com sample@nod32.com samples@f-secure.com newvirus@kaspersky.com
VIRUSTOTAL, JOTTI, VIRUS.ORG
MANY MORE
PEID
POLYUNPACK
RENOVO – PART OF BITBLAZE, BASED ON MEMORY UNPACKING
AND MANY MORE
TOOLS:-
o PEVIEW
o DEPENDS
o PE BROWSE PRO
o OBJDUMP
o RESOURCE HACKER
o STRINGS
DETERMINE THE DATE/TIME OF COMPILATION, FUNCTIONS IMPORTED BY THE PROGRAM, ICONS, MENUS, VERSION INFO AND STRINGS EMBEDDED IN THE RESOURCES.
STRINGS VIP UTILITY – www.freespaceinternetsecurity.com
InCtrl5, SANDBOXIE, FILEMON, REGMON, AUTORUNS, HIJACKTHIS ……..
PE FORMAT – NEED I SAY MORE. LORDPE CAN ALSO DO MEMORY DUMPS. PETOOLS. PEID TO FIND PACKER DETAILS.
WINDBG
OLLYDBG
IDA PRO
SYSRDBG – KERNEL LEVEL?
KERNEL DEBUGGER FROM MS
KNOWLEDGE OF ASSEMBLY LANGUAGE IS CRITICAL.
TRAP – API EMULATION
JAVASCRIPT OBFUSCATION – SPIDERMONKEY.
TOOLS FOR MS OFFICE FORMATS:-
OFFICEMALSCANNER
OFFVIS
OFFICE BINARY TRANSLATOR (INCLUDES THE BIFFVIEW TOOL).
OFFICECAT.
FILEHEX AND FILEINSIGHT HEX EDITORS CAN PARSE AND EDIT OLE STRUCTURES.
SIMILARLY TOOLS FOR PDF, FLASH ETC
EXTENSIVE FEATURES ≠ GOOD TOOL.
REQUIREMENT TO SCRIPT & PARSE OUTPUTS INTO A 'READABLE REPORT'.
COMMAND LINE / GUI OPTIONS.
COMPARISON OF MULTIPLE TOOLS AS VERIFICATION.
RAPID ASSESSMENT & POTENTIAL INCIDENT EXAMINATION REPORT (RAPIER).
RAPIER IS A SECURITY TOOL BUILT TO FACILITATE FIRST RESPONSE PROCEDURES FOR INCIDENT HANDLING.
OVERLAP BETWEEN FORENSICS AND MALWARE ANALYSIS.
TO ILLUSTRATE THE REQUIREMENT TO 'SCRIPT AROUND GUI TOOLS'.
AS PART OF ANALYSIS, TRY TO IDENTIFY THE SOURCE.
BLOCK LISTS OF SUSPECTED MALICIOUS IPS AND URLS.
LOOKING UP POTENTIALLY MALICIOUS WEBSITES.
INITIAL VECTOR – BROWSER HISTORY, EMAIL LOGS.
SIMILARITY STUDIES:-
http://code.google.com/p/yara-project/
GENOME-BASED CLASSIFICATION
MALWARE SIMILARITY ANALYSIS – BLACK HAT 09 – DANIEL RAYGOZA
BLAST: BASIC LOCAL ALIGNMENT SEARCH TOOL BASED CLASSIFICATION
FUZZY CLARITY – DIGITAL NINJA
RESEARCH IS ON FOR CLASSIFICATION ACCORDING TO:-
o OPCODE DISTRIBUTION
o API CALLS MADE
o COMPILER PARAMETER
o ……
o WILL GIVE THE ‘HEURISTICS'
ALWAYS CORRELATE THE ANALYSIS:-
o ANUBIS (FORMERLY TTANALYZE)
o BITBLAZE (COUSIN OF THE WEBBLAZE PROJECT)
o COMODO
o CWSANDBOX
o EUREKA
o JOEBOX
o NORMAN SANDBOX
o THREAT EXPERT
o XANDORA
SUGGESTED READING
o WILDCAT: AN INTEGRATED STEALTH ENVIRONMENT FOR DYNAMIC MALWARE ANALYSIS – AMIT VASUDEVAN
o 'WYSINWYX' WHAT YOU SEE IS NOT WHAT YOU EXECUTE – GOGUL BALAKRISHNAN
o LARGE-SCALE DYNAMIC MALWARE ANALYSIS – ULRICH BAYER