Malware Analysis Using Free Software
10 likes4,303 views
This document discusses setting up an automated malware analysis sandbox using Cuckoo and Bro. It recommends using Cuckoo to dynamically analyze malware samples and Bro to monitor network traffic and extract suspicious files. Bro scripts are shown to extract files and submit them to Cuckoo for analysis. The talk emphasizes automating the analysis workflow and correlating indicators from Cuckoo with external threat intelligence in OSSEC to aid detection.
![TrueSec
Extract Those Files!
37
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
} &default ="";
!
event file_new(f: fa_file) {
local ext = “data";
!
if ( f?$mime_type )
ext = ext_map[f$mime_type];
!
local fname = fmt("%s-%s.%s",
f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
}](https://image.slidesharecdn.com/malware-analysis-free-software-rmll2014-140708082623-phpapp01/85/Malware-Analysis-Using-Free-Software-37-320.jpg)
Malware Analysis Using Free Software
- 1. Malware Analysis Free Toolbox RMLL - Montpellier - July 2014 - Xavier Mertens
- 2. TrueSec $ whoami • Xavier Mertens (@xme) ! • Consultant @ day ! • Blogger, Hacker @ night ! • BruCON co-organizer 2
- 3. TrueSec $ cat ~/.profile • I like (your) data • Offensive / defensive security • Security visualization • I like to play! 3
- 4. TrueSec $ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.” 4
- 5. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 5
- 8. TrueSec Today’s Facts 8 29.122.849 unique malicious objects: scripts, web pages, exploits, executable files, etc. 81.736.783 unique URLs were recognized as malicious by web antivirus. Q1 2014 (source: Kaspersky Security Network)
- 9. TrueSec Sources 9 • My spam folder (rootshell.be has been registered in 2001) • Torrents (Keygens) • P0rn sites • You & me!
- 10. TrueSec Motivations 10 • Plenty of material • To improve our security (integration with other tools) • Because I’m lazy! (automation) • Because it’s fun!
- 13. TrueSec Be Dynamic 13 • Execute the malware in a safe environment and watch what it does • Goals • Understand how malwares work • Get IOC’s
- 15. TrueSec We Need “IOC”! 15 • Hashes • IP addresses • Domain names • Files • Registry keys • URLs Share!
- 16. TrueSec Today’s Market 16 • A niche market • Big players (read: $$$) • Integrated into an existing platform (Many 2.0 or NG firewalls)
- 17. TrueSec An Attack in 5 Steps 17 Persistence Exploit Plan a Backdoor Initial intrusion Reconnaissance Pwned!
- 18. TrueSec The Patient “0” 18 The index case or primary case is the initial patient in the population of an epidemiological investigation (Source:Wikipedia)
- 19. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 19
- 20. TrueSec Requirements 20 • Free (because we are @ RMLL!) • Virtualized (easy & snapshots) • Open (to interconnect with other tools) • Automatization
- 21. TrueSec Cuckoo 21 • Dynamic code analysis framework developed in Python • “Python” means “open, modular, easy to modify” • Based on the classic “sandboxing” system
- 22. TrueSec Features 22 • Automation • Capture data • API calls • Network traffic • Screenshots • Filesystem / Registry operations • Memory dump • Reporting in many formats
- 25. TrueSec Setup 25
- 26. TrueSec Basic Installation 26 • VirtualBox (recommended) • Lot of Python lib dependencies • Recommended platform: Ubuntu • Ninja mode: OSX
- 27. TrueSec We Need Intertubes 27 • Use Host-only networking withVirtualbox • Connect to the world # sysctl -w net.ipv4.ip_forward=1 # iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.1.0/24 -m conntrack -ctstate NEW -j ACCEPT # iptables -A FORWARD -m conntrack -ctstate ESTABLISHED,RELATED -j ACCEPT # iptables -A POSTROUTING -t nat -j MASQUERADE OSX Ninja?Visit http://goo.gl/aEM7gO
- 28. TrueSec “Your” Sandbox 28 • Windows XP SP3 or Windows 7 SP1 32bits • Acrobat Reader, M$ Office, Browsers • Generate some content (cookies, browsers history) • Install the Cuckoo agent • Disable all security features!
- 29. TrueSec VM Hardening 29 • VM must be “vulnerable” but hardened against anti-VM detection • http://github.com/markedoe/cuckoo- sandbox • https://github.com/a0rtega/pafish
- 30. TrueSec Attack of the Clones 30
- 31. TrueSec Demo! 31
- 32. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 32
- 33. TrueSec Automation 33 Cuckoo is a nice tool to analyse files on demand but some automation will be helpful to detect more suspicious stuff!
- 34. TrueSec Bro IDS 34 • Bro is a powerful network analysis framework. Bro is not only a IDS • Bro comes with analysers for many protocols which allow processing at layer-7 • http://bro.org
- 35. TrueSec Bro Scripting 35 Bro has a simple and powerful scripting language.All the output generated by Bro is based on scripts!
- 36. TrueSec Extract Those Files! 36 • Bro can extract files from network streams and save them on the file system • There is an “extraction” analyzer to perform this task
- 37. TrueSec Extract Those Files! 37 global ext_map: table[string] of string = { ["application/x-dosexec"] = "exe", } &default =""; ! event file_new(f: fa_file) { local ext = “data"; ! if ( f?$mime_type ) ext = ext_map[f$mime_type]; ! local fname = fmt("%s-%s.%s", f$source, f$id, ext); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); }
- 39. TrueSec And URLs? 39 • Extracting URLs from network? • Flood! (“HTTP is the new TCP”) • Analysing one-time URLs may break some tools (think about password recovery)
- 40. TrueSec Sniff! 40 # cd /tools/bro/logs # vi extract.bro # mkdir extract_files # ../bin/bro -i eth1 extract.bro listening on eth1, capture length 8192 bytes
- 41. TrueSec Feed Cuckoo! 41 # cd /tools/bro/logs/extract_files # inotifywait -m -q -e create —format %f . | while read F do case “${F##*.}” in “zip|exe|doc|dll|jar|msi”) /tools/cuckoo/utils/submit.py $F esac done
- 42. TrueSec Want Data? 42 • Cuckoo has a REST API • Useful to automate even more
- 43. TrueSec Get results! 43 # curl http://localhost:8090/tasks/list # curl http://localhost:8090/tasks/view/10 # curl http://localhost:8090/tasks/report/10 # curl http://localhost:8090/files/view/md5/xxxxxx !
- 44. TrueSec Extract IOC’s 44 #curl -s http://localhost:8090/tasks/report/2/json | python extract-domains.py premiercrufinewine.co.uk 188.65.114.122 fidaintel.com 216.224.182.75
- 45. TrueSec Feed OSSEC 45 • Create CDB lists (“active lists”) <ossec_config> <rules> <list>lists/baddomains.cdb</list> <list>lists/badips.cdb</list> </rules> </ossec_config> • Populate them • Re-generate them /var/ossec/bin/ossec-makelists
- 46. TrueSec Correlate 46 <rule id=“99001” level=“10”> <decoded_as>bind9</decoded_as> <list field=“url”>lists/baddomains</list> <description>DNS query: malicious domain</description> </rule>
- 47. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 47
- 49. TrueSec Conclusions 49 • We don’t have time to handle such amount of data! • Know your Enemy! • Correlate your logs with external content