Automated Malware Analysis Sans Fire 2009 2


Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source Tools
Jim Clausing, PMTS, AT&T CSO
18 Jun 2009

2009 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Thanx up front
AT&T CSO management: Ed Amoroso (AT&T Chief Security Officer), Cynthia Cama, Sanjay Macwan, Bill O'Hern
The MWA team: Brian Rexroad, Dave Gross, John Hogoboom
Authors of the tools


The Author


Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSP
GCIA (Gold) #64, 2000
GCFA (Gold) #25, 2002
GREM (Gold) #48, 2005
And other certs along the way
SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor
Internet Storm Center handler since 2002
Instrument-rated private pilot, 2003/2004


The Paper


SANSFIRE 2008

Facilitating SEC 610 for Lenny
GREM Gold paper: wrote it in my head in one evening
Share lessons learned
Share tools/scripts

The patches and scripts:
http://handlers.sans.org/jclausing/grem_gold/
http://www.giac.org/certified_professionals/practicals/grem/48.php


The Environment: A Little History


In the beginning
Twiki page: unwieldy after a few hundred entries
Not particularly useful to other internal groups/customers
We generate a lot of information; we need to make it available to management, the SOC, response teams, forensics, etc. Two-way street.
No FTEs. Now, there is me (mostly).
Minimal budget, funded from research. We must have shown some value; we now have more funding.

Malware DB (diagram)
Per-sample fields: MD5/ssdeep, size, A/V reports, which botnet, sandbox report(s), the binary

The Environment: Motivation


Forest? Trees?


Unpacking may lead to surprises like no results


We've got malware, now what?
We're a networking company, not an anti-virus company.
What do we hope to get out of analysis?
Started with no budget and no full-time staff.

Virtual machines: VMware, VirtualBox*

For privacy reasons, we are conservative about what to share and with whom.
So, what about the automated portals? Commercial copies?
Norman Sandbox, CWSandbox, Anubis, ThreatExpert

Truman (well, and Joe Stewart) FTW


The Analysis Environment: Processing a Sample


Analysis Flow


Submission

[jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i oldmalware/; sleep 10; done
Archive:  090529-rnd_jpg.piz
  inflating: rnd.jpg
*****Processing rnd.jpg - ONEBOOT******
interface: eth1 (4.0.0.0/255.0.0.0)
filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytes
Starting Faux FTP Server Emulation on port 21
Starting Faux MySQL Server Emulation on port 3306
Starting Faux SMTP Server Emulation on port 25
Starting Faux SMB Server Emulation on port 445
Starting Faux IRC Server Emulation on port 6667
Starting Faux DNS Server Emulation on port 53


Monitoring

[jac@fltruman001 ~]$ alias status
alias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:]\r\n" "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:]\r\n" "."'


Monitoring, cont'd

[jac@fltruman001 ~]$ status
Server.exe
request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.86
responseIP: 4.3.2.63
response: rcode=NOERROR, , auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=, auth=, add=, aa=1
Connection from 4.5.6.7
USER [email protected]
PASS smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps
reading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)
4.5.6.7 4.3.2.86 6 1030 21 674 578 9 9 2009-06-04-11:24:02.2148 2009-06-04-11:24:03.3459 1 1
4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-06-04-11:24:09.5569 2009-06-04-11:24:10.4709 1 1
input: /tmp/sandnet.pcap
filter: (ip) and ( tcp port 80 and not host 4.5.6.1 )
match: GET|POST|HEAD|OPTIONS|JOIN
##########exit


Original Truman Analysis Tools (diagram)
dumphive, strings, pmodump.pl, tcpdump -> Intelligence

The 4 Areas of Analysis
Network Traffic Analysis: ipaudit, tshark, ngrep, tcptrace, fauxservers (IRC, DNS, SMB, SMTP)
Disk Image Analysis: AIDE, Alternate Data Streams, Registry analysis (dumphive, regdiff.pl, regripper)
Memory Image Analysis: pmodump.pl, Volatility
Minimal Static Analysis of Binary: A/V, objdump, binhash, ssdeep, packerid.py

The Report: Tool Output


Identify the OS

Summary report for xxx.xxx-XPSP2-files created at
OS info>>>
kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
Ex: kern
File Description   : NT Kernel & System
File Version       : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Internal Name      : ntoskrnl.exe
Product Name       : Microsoft Windows Operating System
Product Version    : 5.1.2600.2180
Original File Name :


Analyzing Network Traffic: fauxdns

DNS>>>
request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.51
responseIP: 4.3.2.154
response: rcode=NOERROR, ans= , auth=, add=, aa=1
request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.104
responseIP: 4.3.2.240
response: rcode=NOERROR, ans= , auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=, auth=, add=, aa=1


Analyzing Network Traffic: fauxftp

Connection from 4.5.6.7
USER [email protected]
PASS smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps


Analyzing Network Traffic: fauxirc

IRC>>>
2009-05-27-16:49:17: Connection from 4.5.6.7
2009-05-27-16:49:17: PASS lammers
2009-05-27-16:49:17: NICK [00|USA|296161]
2009-05-27-16:49:18: USER XP-8165 * 0 :ATT
2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x
2009-05-27-16:49:18: JOIN #WiFi-a Crypt
2009-05-27-17:00:13: QUIT System shutting down.
2009-05-27-17:00:15: QUIT Leaving


Analyzing Network Traffic: ipaudit

IP traffic>>>
src dst proto sp dp bytes pkts start end 1 / 2
4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
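Parsing the fauxdns and ipaudit output shown on these slides into one summary record per external flow is the "summarize ipaudit output" step the deck lists under future work. This is an added example, not the deck's own code: the log lines are constructed in the same formats, and the 4.5.6.0/24 sandnet range is assumed from the addresses on the slides.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed samples in the line formats of the fauxdns log and the
# `ipaudit -CST` report on the slides (made-up values, not the deck's data).
FAUXDNS_LOG = """\
request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.104
responseIP: 4.3.2.240
response: rcode=NOERROR, ans= , auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=, auth=, add=, aa=1
"""
IPAUDIT_OUT = """\
4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
4.5.6.7 4.5.6.1 17 123 123 76 76 1 1 2009-05-27-16:49:18.0000 2009-05-27-16:49:18.0100 1 2
"""
SANDNET = ipaddress.ip_network("4.5.6.0/24")  # assumed: the lab's faux-internet LAN

def parse_fauxdns(text):
    """Map each name the sample resolved to the IPs fauxdns answered with."""
    names, current = defaultdict(set), None
    for line in text.splitlines():
        m = re.match(r"request: name=([^,]+),", line)
        if m:
            current = m.group(1)
        elif line.startswith("responseIP: ") and current:
            names[current].add(line.split(": ", 1)[1].strip())
    return dict(names)

def summarize(ipaudit_text, dns_names):
    """One record per external flow, labelled with the name that resolved to it."""
    ip_to_name = {ip: n for n, ips in dns_names.items() for ip in ips}
    records = []
    for line in ipaudit_text.splitlines():
        f = line.split()
        if len(f) < 11:
            continue
        src, dst, proto, sp, dp, b1, b2, p1, p2, start, end = f[:11]
        d = ipaddress.ip_address(dst)
        if d in SANDNET or d.is_multicast:  # lab chatter: faux servers, SSDP, IGMP
            continue
        records.append({"dst": dst, "name": ip_to_name.get(dst, "?"),
                        "proto": int(proto), "dport": int(dp),
                        "bytes": int(b1) + int(b2), "pkts": int(p1) + int(p2),
                        "start": start, "end": end})
    return records
```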


Analyzing Network Traffic: tshark

===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                  frames:602 bytes:733467
  eth                                  frames:602 bytes:733467
    ip                                 frames:573 bytes:731979
      tcp                              frames:387 bytes:146779
        http                           frames:30 bytes:22708
          short                        frames:5 bytes:17790
          data-text-lines              frames:3 bytes:644
        data                           frames:8 bytes:849
      udp                              frames:57 bytes:10014
        nbdgm                          frames:11 bytes:2511
          smb                          frames:11 bytes:2511
            mailslot                   frames:11 bytes:2511
              browser                  frames:11 bytes:2511
        nbns                           frames:27 bytes:2538
        dns                            frames:6 bytes:532
        http                           frames:3 bytes:525
        ntp                            frames:2 bytes:180
        bootp                          frames:8 bytes:3728
      short                            frames:127 bytes:575066
      igmp                             frames:2 bytes:120
    arp                                frames:29 bytes:1488
===================================================================

Analyzing Network Traffic: tcptrace

HTTP>>>
mod_http: Capturing HTTP traffic (port 80)
1 arg remaining, starting with '../small.pcap'
Ostermann's tcptrace -- version 6.6.7 -- Thu Nov  4, 2004

10 packets seen, 10 TCP packets traced
elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
trace file elapsed time: 0:00:00.017257
Http module output:
4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
  Server Syn Time:    Wed May 27 16:49:17.130145 2009 (1243457357.130)
  Client Syn Time:    Wed May 27 16:49:17.130085 2009 (1243457357.130)
  Server Fin Time:    Wed May 27 16:49:17.146947 2009 (1243457357.147)
  Client Fin Time:    Wed May 27 16:49:17.147323 2009 (1243457357.147)
  GET /here2 HTTP/1.0
    Response Code:      404 (Not Found)
    Request Length:     66
    Reply Length:       468
    Content Length:     289
    Content Type  :     text/html;
    Time request sent:  Wed May 27 16:49:17.130584 2009 ()
    Time reply started: Wed May 27 16:49:17.146886 2009 ()
    Time reply ACKed:   Wed May 27 16:49:17.147077 2009 ()
    Elapsed time:  16 ms (request to first byte sent)
    Elapsed time:  16 ms (request to content ACKed)

Analyzing Disk Image: AIDE

--------------------------------------------------
Added files:
--------------------------------------------------
added: /mnt/new/WINDOWS/avmont.exe
added: /mnt/new/Documents and Settings/All Users/Application Data/TEMP
--------------------------------------------------
Removed files:
--------------------------------------------------
removed: /mnt/new/WINDOWS/system32/CatRoot2/tmp.edb
--------------------------------------------------
Changed files:
--------------------------------------------------
changed: /mnt/new/WINDOWS/system32/drivers/etc/hosts
changed: /mnt/new/WINDOWS/WindowsUpdate.log
changed: /mnt/new/WINDOWS/setupapi.log


Analyzing Disk Image: ADS

Alternate Data Streams>>>
/mnt/new/Documents and Settings/All Users/Application Data/TEMP -> 75443743

getfattr --absolute-names -n ntfs.streams.list -PR /mnt/new


Analyzing Disk Image: RegRipper

Registry Run Key changes>>>
Registry Service Key changes>>>
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
Firewall changes>>>
EnableFirewall -> 1


Analyzing Disk Image: hosts file*

Host file changes>>>
+
+127.0.0.1 www.symantec.com
+127.0.0.1 securityresponse.symantec.com
+127.0.0.1 symantec.com
+127.0.0.1 www.sophos.com
+127.0.0.1 sophos.com
+127.0.0.1 www.mcafee.com
+127.0.0.1 mcafee.com
+127.0.0.1 liveupdate.symantecliveupdate.com
+127.0.0.1 www.viruslist.com
+127.0.0.1 viruslist.com
+127.0.0.1 viruslist.com
+127.0.0.1 f-secure.com
+127.0.0.1 www.f-secure.com
+127.0.0.1 kaspersky.com
+127.0.0.1 kaspersky-labs.com
+127.0.0.1 www.avp.com
+127.0.0.1 www.kaspersky.com
+127.0.0.1 avp.com
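The RegRipper service-key diff and the hosts-file diff on the two preceding slides can be turned into findings a report or the malware DB can carry directly: services that appeared or changed start type, and hosts entries that pin security-vendor domains to loopback. This is an added example, not the deck's code; the diff lines are constructed in the slides' formats and the vendor suffix list is an assumption to extend as needed.

```python
import re

# Constructed samples in the formats of the deck's RegRipper service-key diff
# and hosts-file diff (made-up values, not the slides' own data).
SERVICE_DIFF = r"""
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
"""
HOSTS_DIFF = """\
+
+127.0.0.1 www.symantec.com
+127.0.0.1 liveupdate.symantecliveupdate.com
+10.9.8.7 update.example.test
"""
# Assumed list: domains whose loopback pinning blocks A/V updates.
SECURITY_VENDORS = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                    "mcafee.com", "kaspersky.com", "f-secure.com", "avp.com")

def service_changes(diff_text):
    """Fold -/+ record pairs into per-service before/after start types."""
    before, after = {}, {}
    for line in diff_text.splitlines():
        if len(line) < 2 or line[0] not in "+-":
            continue
        name, _display, image, _kind, start = line[1:].split("|")[:5]
        (after if line[0] == "+" else before)[name] = (image, start)
    findings = []
    for name, (image, start) in after.items():
        if name not in before:
            findings.append(f"new service {name} ({start}): {image}")
        elif before[name][1] != start:
            findings.append(f"{name}: {before[name][1]} -> {start}")
    return findings

def hosts_hijacks(diff_text):
    """Added hosts entries that pin a security vendor's domain to loopback."""
    hits = []
    for line in diff_text.splitlines():
        m = re.match(r"\+(\S+)\s+(\S+)$", line)
        if m and m.group(1).startswith("127.") and m.group(2).endswith(SECURITY_VENDORS):
            hits.append(m.group(2))
    return hits
```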


Memory Image Analysis: Volatility
Primarily used to find the malicious process in the memory image
Look for processes with open connections or sockets
Compare with fport/netstat/ps
Misses processes doing HTTP(S) check-in, etc.

Dump process memory
Use Stewart's pmodump.pl
Use Volatility's procdump/vaddump
Compare results

Much more could be done here


Analyzing Memory Image: connections

Open Ports>>>
Local Address     Remote Address     Pid
4.5.6.7:1047      4.3.2.104:4242     1484

Pid    Port   Proto  Create Time
896    135    6      Wed May 27 20:39:59 2009
1032   1027   17     Wed May 27 20:40:13 2009
1096   1900   17     Wed May 27 20:40:14 2009
1484   1047   6      Wed May 27 20:49:18 2009

Diff of the port-to-process listing (TCP 135, 135, 1032, 1047; UDP 138, 445, 137, 138, 445) against the clean baseline; the columns are garbled in the transcript, so only the recoverable changes are kept:
< 908
> 896
9,11c9,11
< 992
> 1484 avmont
14,15c14,16
< 992
< 908
> 1484 avmont
> 0 System
> 896
C:\WINDOWS\avmont.exe
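Correlating Volatility's connections and sockets output with a pid-to-name map from pslist attributes the outbound connection to a process and flags the two conditions the deck looks for: a process name absent from the clean baseline, and a socket owner that does not appear in pslist at all. This is an added example, not the deck's code; the samples are constructed in the column layout shown above and the baseline set is assumed.

```python
from collections import defaultdict

# Constructed samples in the column layout of Volatility 1.3 "connections"
# and "sockets" output, plus a pid->name map as pslist would give it
# (made-up values, not the deck's own data).
CONNECTIONS = """\
Local Address             Remote Address            Pid
4.5.6.7:1047              4.3.2.104:4242            1484
4.5.6.7:1049              4.3.2.77:80               2200
"""
SOCKETS = """\
Pid    Port   Proto  Create Time
896    135    6      Wed May 27 20:39:59 2009
1032   1027   17     Wed May 27 20:40:13 2009
1484   1047   6      Wed May 27 20:49:18 2009
2200   1049   6      Wed May 27 20:50:02 2009
"""
PSLIST = {4: "System", 896: "svchost.exe", 1032: "svchost.exe", 1484: "avmont.exe"}
BASELINE = {"System", "svchost.exe", "lsass.exe"}  # assumed: names in the clean image

def parse_table(text, ncols):
    """Whitespace-split rows after the header, keeping only the first ncols columns."""
    return [line.split(None, ncols - 1)[:ncols]
            for line in text.splitlines()[1:] if line.strip()]

def correlate(connections, sockets, pslist, baseline):
    """Per pid: owner name, open sockets, remote peers, and two red flags."""
    report = defaultdict(lambda: {"sockets": [], "remotes": []})
    for pid, port, proto, _created in parse_table(sockets, 4):
        report[int(pid)]["sockets"].append((int(port), int(proto)))
    for _local, remote, pid in parse_table(connections, 3):
        report[int(pid)]["remotes"].append(remote)
    for pid, r in report.items():
        r["process"] = pslist.get(pid)
        r["hidden"] = pid not in pslist  # owns a socket but is missing from pslist
        r["new"] = r["process"] is not None and r["process"] not in baseline
    return dict(report)
```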


Memory/Static Binary Analysis: ssdeep

ssdeep info>>>
1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,"/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
-------------------------------------------------------------------------------
ssdeep info>>>
1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,"1b1e067fdb0f2a44a50d9e290022b9ed.exe"
1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,"/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)


Static Binary Analysis: binhash

BinHash info>>>
File: [/forensics/exes/abod.exe] b826d0f222242c1e48f4e1ebe778a534
PE Phdr: af86103672ba3bba2d21f2691465520f
PE Opt Hdr: f8ea55a399eeec409874af01ca0cf01d
Import [1] Offset: (f570) Size: (180): 93f613363a9cb87c3a20e3f2e1fc47b7
Import [12] Offset: (f000) Size: (608): eafa58275a218a26f92631bf75b10b8f
[0] (.text) (VirtualAddress: 00001000) (PtrToData: 00001000) (SizeOfData: 0000e000)
    Shdr: aaa4cacbb1cc38713961cc2e5931b982
    Shdr Data: f571948f8203e66d09c87b00ae748c8d
[1] (.rdata) (VirtualAddress: 0000f000) (PtrToData: 0000f000) (SizeOfData: 00002000)
    Shdr: 46aa637bbc2c0335c427f6ca42021df9
    Shdr Data: 3b10f3f4c6012e87d46686464575926c
[2] (.data) (VirtualAddress: 00011000) (PtrToData: 00011000) (SizeOfData: 00003000)
    Shdr: cff63d398711731f58eee390a6ce8513
    Shdr Data: 71cc6a0ff1c18b313d21f1f03229738e


Static Binary Analysis: packerid.py

Packer info>>> [['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]


Static Binary Analysis: Volatility malfind.py*

#
# lsass.exe (Pid: 676)
#
+ VAD node @821bfb00 Start 00c60000 End 00c6ffff Tag VadS Flags
+ VAD node @8236b208 Start 00c80000 End 00c96fff Tag VadS Flags
- Status: disassembling with pydasm...
0xc80000 call 0x567d
0xc80005 retn 0x8
0xc80008 push ecx
0xc80009 push esi
0xc8000a call 0x1582
Found 2 suspicious Vad entries


Limitations
Point in time: we miss changes that don't persist, e.g., processes that don't have open connections at the time of the memory dump
Static analysis is weak: strings
Generic emulation of the internet: no real connectivity, so we can't see what the malware might do after a successful check-in


Future Work
Volatility plugins: Brendan Dolan-Gavitt's in-memory registry stuff, Michael Hale Ligh's usermode_hooks
INetSim?
Instrument the environment to collect system/library call info?
Zerowine?
Other ideas?


More Future Work
Parsing the text: automate DB insertion/update; summarize ipaudit, etc. output
Correlation/Visualization: Afterglow; learn from the A/V community


Questions?
E-mail: [email protected] or [email protected]


SANS Mentor Class SEC 508 (Forensics)
For those of you from central OH (or folks you work with), I'll be facilitating another mentor class in the fall. Thursday evenings from 6:30-8:30 PM in Reynoldsburg, OH, running 10 Sep-12 Nov.
http://www.sans.org/mentor/details.php?nid=19458
