Zen and the art of collecting and analyzing malware

Zen and the art of collecting and analyzing malware
CanSecWest/core06

Zen and the art of collecting
and analyzing malware
Sascha Rommelfangen, Fred Arbogast

Outline

●
Introduction
●
Setup to collect malware
●
Statistics
●
Analysis
●
Live Demo
●
Future development
– early warning/reacting system approaches
– interactive malware database
●
Conclusion

2

Definition of malware

●
Umbrella term for malicious software
●
Not to be confused with defective software
●
Designed to infiltrate, damage, control or abuse computer
systems without owner's consent
●
Legal vocabulary: computer contaminant
●
Also used: scumware
●
Worms, virii, root kits, spyware, adware

Outline – Introduction – Setup to collect malware
- Slide 3 - 3

The tools used

●
mwcollect by Georg Wicherski
– (http://www.mwcollect.org)

●
Nepenthes by nepenthes team
– (http://nepenthes.sourceforge.net)

●
Focus on nepenthes as mwcollect has merged with
nepenthes

●
Joint effort will result in a more powerful tool

- Slide 4 - 4

Things both tools have in common

●
“Low interaction” honeypots
●
passive
●
catching autonomously spreading malware
●
Running in non-native environments
●
simulating network services
– mwcollect: vulnerable built-in services
– nepenthes: additionally 'pre-infected' services
●
acting upon exploitation attempts
– Downloading malware
●
Both tools are Free and Open Source software

- Slide 5 - 5

Tools - nepenthes

●
Emulates native and non-native vulnerabilities
●
Modular
– Know a new exploit, add it as a module
●
Support for geolocation information
●
Support for submitting malware and additional information
– Other instances of nepenthes (distributed installation)
– XML-RPC

- Slide 6 - 6

Vulnerabilities

●
'native' vulnerabilities: ●
3rd party vulnerabilities:
– RPC-DCOM – Kuang2 (17300)
(135, 139, 445, 593) – Mydoom (3127)
– LSASS (445) – Bagle (2745)
– WINS (42) – sasser_ftp (5554, 1023)
– MSSQL (1434) – Sub7 (27374)
– ASN.1 library in IIS, SMB
(80 and 445)
– IIS (443)
– NetDDE (139)
– Message queueing
(2103, 2105, 2107)
– UPNP (5000)
- Slide 7 - 7

Nepenthes information flow - modules/handlers

IP info
DNS handler
Geolookup-handler

Submit-handlers
Socket submit-file
Vulnerability module submit-nepenthes
shellcode-handler submit-xmlrpc
submit-norman

Download-handler
download-http
download-ftp
download-tftp

- Slide 8 - 8

Categories of modules/handlers (1)

●
Vulnerability module
– Different modules for simulating the vulnerabilities
●
Shellcode-handler
– Per shellcode one module
– Common Shellcode Naming Initiative

- Slide 9 - 9

Nepenthes information flow

[28032006 16:36:25 spam net handler] Socket TCP (accept) 212.30.152.173:2478 -> 212.110.251.73:139 clearing
DialogueList (2 entries)
[28032006 16:36:25 warn module] Unknown NETDDE exploit 72 bytes State 1
[28032006 16:36:25 module] =--------[ /var/log/nepenthes/hexdumps/3ebe8b34fd5d14e4f450c599b26ed6df.bin ]---------=

IP info
DNS lookup
Geolocation

Submit
Socket raw file
vulnerability nepenthes
shellcode norman
xmlrpc

Download
curl, ftp, ...

- Slide 10 - 10


[28032006 16:36:25 debug dia] Got ASN1 SMB exploit Stage #1(137)
[28032006 16:36:25 debug net handler] giving data to SMBDialogue

IP info
DNS lookup
Geolocation

Submit
Socket raw file
shellcode norman
xmlrpc

Download
curl, ftp, ...

- Slide 11 - 11


●
Geolocation-handler (some alternatives)
– Resolves IP address to location information
●
DNS-handler
– Delivers resolved domain name
●
Download-handler
– Downloads through curl
●
Provides http and ftp protocol
– Download ftp
●
Needed as curl is not the same than the messy M$ client
●
Netcat is doing the job

- Slide 12 - 12


●
Download-handler cont'd
– Download tftp
●
Support for tftp protocol
●
Max filesize 4MB
●
Can not handle DNS for the moment

– Download nepenthes
●
Listens for file transfers from other nepenthes agents
●
Port can be set in the config file
●
transfer is simple and bandwidth optimised

- Slide 13 - 13


IP info
DNS lookup
Geolocation

Submit
Socket raw file
shellcode norman
xmlrpc

[28032006 16:36:31 debug spam fixme] <in virtual bool
nepenthes::GeoLocationManager::addGeoLocation(nepenthes::GeoLocationCallback*, unsigned int, void*)>
[28032006 16:36:31 debug spam fixme] Adding 808f4c8 212.120.228.59 80f7620 to geolookup
Download
curl, ftp, ...

- Slide 14 - 14


[28032006 16:36:31 spam net handler] <in virtual int32_t nepenthes::TCPSocket::doRecv()>
[28032006 16:36:31 spam mgr event] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[28032006 16:36:31 spam net handler] doRecv() 1460
[28032006 16:36:31 info down handler dia] Downloaded file tftp://212.120.228.59/service.exe 229376 bytes
[28032006 16:36:31 spam mgr submit] Download has flags 0
[28032006 16:36:31 info mgr submit] File dd3e4c7c94614a059263a219ff1b1339 has type MS-DOS executable (EXE), OS/2
or MS Windows
IP info
DNS lookup
Geolocation

Submit
Socket raw file
shellcode norman
xmlrpc

Download
curl, ftp, ...

- Slide 15 - 15


●
Submit-handlers
– Submit-file
●
Dumps to a file on HDD
– submit-nepenthes
●
Submits information to a central server
●
Currently receiving from Telecom Italia Early Warning Team
– Submit-norman
●
Submits file to norman sandbox
– Submit XML-RPC
●
Submits information to applications outside nepenthes

- Slide 16 - 16


[28032006 16:36:31 debug handler submit] wrote file
/var/log/nepenthes/binaries/dd3e4c7c94614a059263a219ff1b1339 229376 to disk
IP info
DNS lookup
Geolocation

Submit
Socket raw file
shellcode norman
xmlrpc

Download
curl, ftp, ...

- Slide 17 - 17


[28032006 16:36:31 spam down mgr] SENDING POST /nepenthes/server.php HTTP/1.0
Host: localhost
Accept: */*
Accept-Encoding: deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close
Content-Length: 392
IP info
<methodCall><methodName>init_session</methodName> ..... lookup
DNS
Geolocation

Submit
Socket raw file
shellcode norman
xmlrpc

Download
curl, ftp, ...

- Slide 18 - 18


[28032006 16:36:31 debug spam fixme] <in virtual void nepenthes::SubmitNorman::Submit(nepenthes::Download*)>
[28032006 16:36:31 debug spam fixme] <in virtual uint32_t nepenthes::SubmitNorman::handleEvent(nepenthes::Event*)>

IP info
DNS lookup
Geolocation

Submit
Socket raw file
shellcode norman
xmlrpc

Download
curl, ftp, ...

- Slide 19 - 19

Additional information collected

●
Extension to nepenthes - stored in database
– Platform information (p0f-sql)
●
P0f hack to submit information into DB
– 4 AV product results from local machine
●
Extendable
●
Signatures hourly updated
– 24 AV results from VirusTotal (added later)
– 2 sandbox results
●
Submitted to http://sandbox.norman.no
●
Submitted to our own POC sandbox (added later)

- Slide 20 - 20

Full information set collected

●
Various static analysis
– file, upx, hexdump, strings, objdump
●
Number of hits
●
First/last seen
●
Number/names of recognized virii
●
Sandbox results
●
Hex-dump of file (browseable)
●
IP/URL from where fetched
●
System
●
Latitude, Longitude, Country, City
- Slide 21 - 21

Setup to collect malware – flow

Download
Nepenthes
request

Norman XMLRPC GeoIP
File storage
sandbox CSRRT script lookup
sandbox

Virus scan
p0f
Database
Periodic
submissions

Web Unix External Apps
VirusTotal
application tools (e.g. Malware
database)

Intro – Setup to collect malware – Statistics
- Slide 22 - 22


Download
Nepenthes
request

Norman XMLRPC GeoIP
File storage
sandbox

Virus scan
p0f
Database
Periodic
submissions

VirusTotal
database)

- Slide 23 - 23


Download
Nepenthes
request

Norman XMLRPC GeoIP
File storage
sandbox

Virus scan
p0f
Database
Periodic
submissions

VirusTotal
database)

- Slide 24 - 24


Download
Nepenthes
request

Norman XMLRPC GeoIP
File storage
sandbox

Virus scan
p0f
Database
Periodic
submissions

VirusTotal
database)

- Slide 25 - 25


Download
Nepenthes
request

Norman XMLRPC GeoIP
File storage
sandbox

Virus scan
p0f
Database
Periodic
submissions

VirusTotal
database)

- Slide 26 - 26


Download
Nepenthes
request

Norman XMLRPC GeoIP
File storage
sandbox

Virus scan
p0f
Database
Periodic
submissions

VirusTotal
database)

- Slide 27 - 27

Statistics

●
There are three kinds of lies: lies, damned lies, and
statistics. Benjamin Disraeli (1804 - 1881)
●
1st set, collected with mwcollect:
– Approx 600,000 files (9.2 GB)
– 542 unique (80 MB)
– 529 executables
– File length: 100 to 1,145,856 Bytes
– Time frame: 6 weeks (April - June 2005)
– 503 MS-Windows executables
– 26 MS DOS executables

Setup to collect malware – Statistics – Analysis
28
- Slide 28 -

Statistics

●
1st set continued
– 52% of the files were detected by all 4 virus scanners
– 17% of the files were detected only by 3 virus scanners
– 25% of the files were detected only by 2 virus scanners
– 3% of the files were detected only by 1 virus scanner
– 2% were defective
●
When scanning files later -> some files detected as Zotob
– During collecting time there was no Zotob signature!
●
false positive?
●
test-run?

- Slide 29 - 29

Statistics

●
2nd set, collected with nepenthes:
●
2,079 unique files
●
209,327 malware downloads complete
●
13% using anti debug/emulation techniques
●
1,852 MS-Windows executables
●
227 MS-DOS executables
●
File length: 1,024 – 1,323,222 (1.3MB) bytes
●
Time frame: December 2005 – March 2006

- Slide 30 - 30

Statistics

●
Result of immediate scan:
– Results of virus scan, directly after reception with
up-to-date signatures:
●
69.5% Norman Sandbox
●
68.5% Bitdefender
●
58.0% Antivir
●
49.5% F-Prot
●
31.8% ClamAV
– Are signature based systems really future-proof?

- Slide 31 - 31

Statistics

●
Results of re-scan:
– 96.1% Panda – 79.8% NOD32v2
– 91.2% Norman – 78.9% UNA
– 85.9% Antivir – 77.2% AVG
– 85.9% Avira – 76.3% Symantec
– 85.1% Kaspersky – 75.7% Ewido
– 84.7% DrWeb – 72.4% F-Prot
– 84.5% Fortinet – 65.9% Sophos
– 83.9% McAfee – 65.1% TheHacker
– 83.8% BitDefender – 64.1% Ikarus
– 80.4% VBA32 – 57.2% eTrust-Inoculate
– 80.1% CAT-QuickHeal – 54.3% Avast
– 50.7% ClamAV 32

Statistics

●
Packing/Encrypting statistics using bzip2

- Slide 33 - 33

Statistics

●
Packing/Encrypting statistics:

- Slide 34 - 34

Analyzing Malware - Side-effects

●
Malware hides from the analyzer and obfuscates its
techniques
●
Automated processes not 100% reliable
– Anti-virus products, current sandbox techniques
●
Last resort: manual investigation
– Disassembler, Debugger, file monitors, registry
monitors, Virtual Machines
– Very time consuming and/or requires high skills

Statistics – Analysis – Live Demo
- Slide 35 - 35

Ways to fool the analyzer

●
Modified binary
– (multiple) Packing
– Encrypting
– Header crippling
●
Test presence of Debugger/Disassembler
– SoftICE, OllyDbg, Breakpoints, Vmware, ...
– http://www.honeynet.org/papers/bots/botnet-code.html
●
Usage of file droppers
– Dropper downloads malware and executes it
– Malware makes usage of other malware already
downloaded (e.g. browser hijacker vmmon32.exe)
- Slide 36 - 36

Automated analysis

●
Virus Total:
– Free service scanning files with 24 AV products
– Submits by default samples to AV vendors
– Automated submission through extensions
– Virus Total sends back mail with report
– Most of the time at least one AV product finds
malware
– Cooperativeness to extend results (e.g. XML, more
details, ...)
– Negative point:
●
Slow – agreed on a 60s interval when sending
all files (adding more resources in the future)
- Slide 37 - 37

Automated analysis

●
Norman sandbox:
– APIs simulating a Windows Computer
– Some of the APIs simulate the Network/Internet
connectivity
– Automated submission through nepenthes
– Sandbox sends back mail with report
– Negative points:
●
often not working because of filled up mail queue
– Necessity to resubmit
●
Often trapped into anti-debug code
– Have to trust the output!
- Slide 38 - 38

Norman Output
.
Googlesetup.exe : [SANDBOX] contains a security risk - W32/Spybot.gen3 (Signature:
W32/Spybot.AHWZ)
[ General information ]
* **Locates window "NULL [class mIRC]" on desktop.
* File length: 133120 bytes.
* MD5 hash: df2eaaf757053a4a0209c4668efd8d1c.

[ Changes to filesystem ]
* Creates file C:WINDOWSSYSTEM32Googlesetup.exe.
* Deletes file 1.

[ Changes to registry ]
* Creates value "Google service"="Googlesetup.exe" in key
"HKLMSoftwareMicrosoftWindowsCurrentVersionRun".
[...]

[ Network services ]
* Looks for an Internet connection.
* Connects to "der.ifconfig.us" on port 7000 (TCP).
* Connects to IRC Server.

[ Signature Scanning ]
* C:WINDOWSSYSTEM32Googlesetup.exe (133120 bytes) : W32/Spybot.AHWZ.

- Slide 39 - 39

Automated analysis using wine (1)

●
wine as a (cheap) sandbox approach
– Why?
●
Signatures suck
●
wine executed 72% out of 2199 malware files
– How?
●
Compare .wine directory with an unmodified one
●
Use debug and trace messages from wine
●
Create report from what is known (~signature)
– Security?
●
Outbreak is possible - include an assembler program that
executes linux system calls via int 80h in the .text section of
the windows executable
●
we're using user-mode-linux
- Slide 40 - 40

Automated analysis using wine (2)

Download Nepenthes
request
XML-RPC Database

malware

user-mode-linux

malware

wine Report engine

- Slide 41 - 41

Live Demonstration

●
http://nepenthes.csrrt.org:10080/nepenthes/

Analysis – Live Demo – Future development
- Slide 42 - 42

Developments and future steps (1)

●
Early warning / reacting system (so far implemented)
– Monitoring and visualization of outbreak waves
– Live export of most common attacker IP list
●
To be imported into Firewalls, IDS, ...
– Live export of most common download locations
●
To be imported into Proxies, Firewalls, IDS
– Company-wide hash-scan with Encase
●
Better virus scanner comparison
– Automatic re-scan of malware files with each signature
update (partly implemented)

Live Demo – Future development – Conclusion
- Slide 43 - 43

Developments and future steps (2)

●
Automated analysis:
– Enhance wine sandbox results
– rewriting DLLs to log even more
– Also very interesting:
●
Diploma Project about automated behavior analysis
●
http://pi1.informatik.uni-mannheim.de/diplomas/show/59
●
Extensive API-hooking approach
●
MalwareDB
– A research database for preserving malicious computer
programs

- Slide 44 - 44

Introduction to Malware DB

– ”Fred, where is the DVD with the malware
collected in January?”
– ”Somewhere on my desk? ... I was sure that
it was laying on my desk...”
– ”I really need that to test something...”

●
MalwareDB Scope
– Simple storage mechanism to archive malware
– Easy way to tag and classify the malware
– Multiple interfaces to query and get the malware
– Not a signature database
– Not exhaustive

- Slide 45 - 45

MalwareDB data store (v1)

●
MalwareDB only contains metadata for each malware
●
Files are stored on the filesystem
●
Malware is identified by SHA-2 (256bits)
●
For managing collisions (if any), MalwareDB keeps track of:
– the original filename
– information about file (like magic code, mime/type...)
●
Source is a unique field to identify the origin of the malware
– who or what is submitting the malware
●
MalwareDB supports free tagging for classification, excluded
are some reserved prefixes like RFC, CVE, OSVDB,..

- Slide 46 - 46

Query the MalwareDB

●
Using the web interface : http://www.csrrt.org/maldb/index.pl
●
Using the RSS feed : http://www.csrrt.org/ml/rss/latest.xml
●
Using the DNS interface to check the existence of a malware
from its fingerprint:
– dig -t TXT 3d5a9097cda0565ccc4a0e8aaa703b8543.187
31eb80bce12e8d9958f115fa468.sha1.maldb.csrrt.org
– 63 bytes have to be separated by a dot to split into
“subdomains”, server reassembles accordingly
– You could use the DNS interface as an RBL-like interface
for early detection/warning but don’t forget that the
database is not exhaustive.

- Slide 47 - 47

Conclusion about the MalwareDB

●
First try for a malware database (far from being perfect)
●
Legal implication (copyright, computer security,...)
●
Could be used by attackers as a repository
(measure must be taken to avoid that)

- Slide 48 - 48

Conclusions

●
Nepenthes provides a nice way to collect malware
●
It can also be used to block intruders/malicious URLs
●
Early reaction is possible for the attacking vectors implemented
in nepenthes
●
Signature based systems definitely not fulfilling requirements
●
Signature based plus behavioral analysis is definitely a way to
pursue
●
Automated analysis is a need, especially when receiving large
feeds
●
Hopefully increased joint-effort for sandbox-alike tools in the
future

Future Development – Conclusion – The End
- Slide 49 - 49

Thanks to

●
mwcollect.org
– Thorsten Holz, Markus Kötter
– Paul Baecher, Georg Wicherski
●
CSRRT-LU
– Alexandre Dulaunoy
– Gerard Wagener
●
Hispasec Sistemas (VirusTotal)
– Julio Canto
●
Telecom Italia (Early Warning Team)
– Gaetano Zappulla

50

Questions?

51

Thank you

52

Zen and the art of collecting and analyzing malware

More Related Content

What's hot (11)

Similar to Zen and the art of collecting and analyzing malware (20)

More from Gaetano Zappulla (8)

Recently uploaded (20)

Zen and the art of collecting and analyzing malware