
Page 1: Cutting out Malware

LUIGI CAPUZZELLO

Cutting out Malware: Integrated malware analysis.

Version: 1.0

Luigi Capuzzello

11/01/2014

A good introduction to malware analysis, offering detailed coverage of all the essential skills required to understand the specific challenges presented by modern malware.

http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a

http://www.slideshare.net/luigicapuzzello

@FisherKasparov

luigi.capuzzello

Contents

Introduction (p. 2)
- What you will learn (p. 2)
- What you should know (p. 2)
Basic Static Analysis (p. 2)
- Hashing: [winMD5free] (p. 2)
- String: [strings] (p. 2)
- Packed software [PEiD / exeinfope] (p. 3)
- PE Header [Dependency Walker / PEView / Resource Hacker Tool] (p. 4)
Basic Dynamic Analysis (p. 6)
- Monitor malware activity [procmon / regshot / Process Explorer] (p. 6)
- Go deep into network traffic (p. 8)
So what the hell can we do? (p. 10)
Summary (p. 10)
On the Web (p. 10)
About the author (p. 11)
Other Specification (p. 11)

Introduction.

An email arrives in your inbox; it's from your girlfriend Ann. She invites you to see her in a very funny picture. -Click!- "But! What? This picture is not funny at all, and …she is not Ann".

Day by day we store more and more confidential information on our computers, from site account credentials to our bank account. Day by day malware becomes more and more silent: it doesn't want you to be suspicious, it just wants to stay on your device to do something …that you don't want.

What you will learn...
- Configuring a malware analysis lab
- Assembling a real toolkit for malware forensics
- Performing behavioral analysis of malicious Windows executables
- Performing static and dynamic code analysis of malicious Windows executables

What you should know...
- What a PE header is
- Knowledge of network protocols
- Basic knowledge of the Windows registry and processes

Basic Static Analysis.

Static analysis is the process of analyzing the code and the structure of a program to determine its main features. In this phase of the analysis the program itself is not running; we are just analyzing a file, a sequence of bytes. We have to collect as much information as possible. All of it, even the apparently trivial details, is extremely important, above all when you go deeper into the malware analysis. There are several tools for static analysis, but only a few of them are really interesting. In the next sections I describe the juiciest tools and show you how to use them.

Hashing: [winMD5free].

First of all it is a good idea to get a fingerprint of the malware. Hashing is a common method used to uniquely identify malware; the Message Digest Algorithm 5 (MD5) and the Secure Hash Algorithm (SHA-1) are the most commonly used. For example we can use winMD5Free to get the hash and then search for it online. If the malware is a well-known one you will find everything about it, and if you know what a piece of malware is able to do, it cannot hurt you anymore.

This is an example of winMD5Free; it calculates the MD5 hash of a particular program.

Once you have the identity card of the malware you can use it on Google to discover everything about it.

String: [strings].

Another way to find useful hints about a malware sample is to extract all the strings it contains. The strings program analyzes a file to extract both ASCII and Unicode strings (more precisely, the Windows implementation of Unicode, also known as wide-character strings); it ignores context and formatting and just scans the bytes one by one. Because of this mechanism it can report characters or strings that are not really strings.

You can use strings from the command line:

E:\>strings.exe Lab01-01.exe

Strings v2.51
Copyright (C) 1999-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

!This program cannot be run in DOS mode.
Richm
.text
`[email protected]_^[UVWj@jjjD$0
_controlfp
_stricmp
kerne132.dll
Kernel32.
Lab01-01.dll
C:\Windows\System32\Kernel32.dll
WARNING_THIS_WILL_DESTROY_YOUR_MACHINE

Error messages and IP addresses are the most interesting information we can find in a file. In the above example I have highlighted some important strings.
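As an added example (my code, not part of the original paper and not the winMD5Free or strings tools themselves), this Python script reproduces both steps just described: it computes the MD5 and SHA-1 fingerprint of a file's bytes, extracts ASCII and wide-character (UTF-16LE) strings the way strings does, byte by byte with no regard for context, and then keeps the kinds of strings the text calls most useful. The sample bytes and the hint heuristic are constructed for this example; the sample is not a real malware file.

```python
import hashlib
import re

# Minimum run length; three is the default of the Sysinternals strings tool.
MIN_LEN = 3

# Constructed sample bytes (not a real malware file): ASCII strings, a
# UTF-16LE "wide" string and some binary noise in between.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"!This program cannot be run in DOS mode.\r\n"
    + b"\x00\x01\x02"
    + b"kerne132.dll\x00"
    + b"C:\\Windows\\System32\\Kernel32.dll\x00\x00\x00"
    + "WARNING_THIS_WILL_DESTROY_YOUR_MACHINE".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"10.0.0.5\x00"
)


def fingerprint(data: bytes) -> dict:
    """MD5 and SHA-1 of the whole file: the 'identity card' used for online lookups."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of at least min_len printable ASCII bytes, context ignored."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def unicode_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable characters stored as UTF-16LE (Windows wide strings)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


# Heuristic for the hints the text calls most interesting: file paths, DLL or
# EXE names, IPv4 addresses and error/warning text. Assumption of this example.
HINT = re.compile(
    r"(\.dll$|\.exe$|^[A-Za-z]:\\|^\d{1,3}(\.\d{1,3}){3}$|WARNING|ERROR)",
    re.IGNORECASE,
)


def interesting(strings: list) -> list:
    """Keep only the strings worth a closer look."""
    return [s for s in strings if HINT.search(s)]


if __name__ == "__main__":
    print(fingerprint(SAMPLE))
    for s in interesting(ascii_strings(SAMPLE) + unicode_strings(SAMPLE)):
        print(s)
```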

Packed software [PEiD / exeinfope]

Sometimes the malware we are analyzing is packed. This is a problem because the packer hides a lot of information from us, so that static analysis becomes almost useless. There are many programs that can help us to find the packer used. For example:

- PEiD: a detector for PE (Portable Executable - Exe/Dll) files, similar to an anti-virus except that it detects what a file is, not what it does. Mostly it detects packers and protectors like UPX, PECompact, Armadillo etc., but it has a customisable database to add your own detections.

Be careful: PEiD has been discontinued since April 2011, and many PEiD plugins will run the executable without warning. Despite this, it is the best tool available for packer detection.

- exeinfope is another good tool.

Here is an example of the PEiD interface.

PE Header [Dependency Walker / PEView / Resource Hacker Tool]

The PE header can give us a lot of information about the executable's behaviour. Using the Dependency Walker program we can find information about:

- dynamically linked functions;
- imported DLLs.

For example in the above image, in pane 3, we can find all the functions imported from kernel32.dll. If we know which functions are used, we can deduce the malware's behavior. There is also a way to import functions 'on the fly', using some important functions:

- LoadLibrary
- GetProcAddress
- LdrGetProcAddress
- LdrLoadDll

So if you find these functions, it means that the malware is going to hide its intentions from you. If you want to understand its behavior in more detail you have to debug it (but this is a story that will be told another time).

As just said, we can find information about all the DLLs imported into the executable file, and each of them can tell us something.

DLL: Description
- Advapi32.dll: This DLL provides access to the Service Manager and the Registry.
- User32.dll: This DLL contains all the user-interface components, such as buttons, scrollbars, and components for controlling and responding to user actions.
- Gdi32.dll: This DLL contains functions for displaying and manipulating graphics.
- Kernel32.dll: This is a very common DLL that contains core functionality, such as access to and manipulation of memory, files, and hardware.
- Shell32.dll: Tells us that the program can launch other programs.
- Ntdll.dll: This DLL is the interface to the Windows kernel. Executables generally do not import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file, it means that the author intended to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
- WSock32.dll / Ws2_32.dll: These are networking DLLs. A program that accesses either of these most likely connects to a network or performs network-related tasks.
- Wininet.dll: This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.

We can also get information about the PE header using the PEView tool. Sections are very important because we can see whether there are only standard sections (as listed below) or also custom sections; in that case we are dealing with a packer.

Section: Description
- .text: Contains the executable code
- .rdata: Holds read-only global data that is accessible within the program
- .data: Stores global data accessed throughout the program
- .idata: Sometimes present; stores the import function information. If this section is not present, the import function information is stored in the .rdata section
- .edata: Sometimes present; stores the export function information. If this section is not present, the export function information is stored in the .rdata section
- .pdata: Present only in 64-bit executables; stores exception-handling information
- .rsrc: Stores resources needed by the executable
- .reloc: Contains information for relocation of library files

We can also look at the .rsrc section (looking for interesting strings) using the free Resource Hacker tool.
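As an added example (my code, not the paper's and not PEView's), the following Python parser walks the PE header the way PEView displays it (DOS header, e_lfanew, PE signature, COFF header, section table) and applies the check just described: section names outside the standard list, and sections that are writable and executable or that occupy memory without having data on disk, point to a packer. The sample header is constructed in build_sample() with a UPX-style layout and is not an executable; the section-name list and flag constants come from the PE format.

```python
import struct

# Section names the text lists as standard; anything else hints at a packer.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def packer_hints(sections: list) -> list:
    """Section-table heuristics to apply before trusting the rest of static analysis."""
    hints = []
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            hints.append(f"non-standard section name {s['name']!r}")
        if s["executable"] and s["writable"]:
            hints.append(f"{s['name']} is writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']} has no data on disk but "
                         f"{s['virtual_size']} bytes in memory")
    return hints


def build_sample(section_specs: list) -> bytes:
    """Constructed minimal PE header (no code, not runnable) for demonstration only."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    size_of_optional = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0,
                       size_of_optional, 0x102)
    optional = b"\x0b\x01" + b"\x00" * (size_of_optional - 2)  # PE32 magic, rest zero
    table = b""
    for name, vsize, rawsize, chars in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000,
                             rawsize, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\x00\x00" + coff + optional + table


if __name__ == "__main__":
    # UPX-style layout: an empty UPX0 filled at run time, packed code in UPX1.
    packed = build_sample([("UPX0", 0x9000, 0, 0xE0000080),
                           ("UPX1", 0x2000, 0x2000, 0xE0000040),
                           (".rsrc", 0x400, 0x400, 0xC0000040)])
    for hint in packer_hints(parse_sections(packed)):
        print(hint)
```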

Basic Dynamic Analysis.

Dynamic analysis techniques are the second step in the malware analysis process. Dynamic analysis is typically performed after basic static analysis has reached a dead end, whether due to obfuscation, packing, or the analyst having exhausted the available static analysis techniques.

Monitor malware activity [procmon / regshot / Process Explorer]

Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity. It combines and enhances the functionality of two legacy tools: FileMon and RegMon.

If you want to filter the activity of a particular file you have to choose the Filter > Filter menu option and specify the filename you are looking for.

There are also four important filters on the toolbar that allow you to filter:
- Registry
- File system
- Process activity
- Network: attention, this logging does not work consistently across Microsoft Windows versions.

It is very useful to use procmon because it is important to know what our target is doing with the external environment (registry, file system and network).

Sometimes our target generates many operations, especially on the registry. So it can be very useful to have a tool that compares two snapshots and gives us just the differences between them. Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots.

It is very simple to use Regshot. There are only a few operations you have to do:
- Click on the '1st shot' button;
- Execute the malware;
- Click on the '2nd shot' button when you think the malware has finished its activity;
- Click on the 'cOmpare' button.

At the end the software will give you a list of the operations the malware has performed on the registry. This type of information is very useful because it is not a simple log, it is an elaborated one. Here is an example of the Regshot output:

====================================================================
Regshot 1.9.0 x86 ANSI
Comments:
Datetime: 2014/2/1 21:12:14 , 2014/2/1 21:13:07
Computer: TESTXP , TESTXP
Username: admin , admin

----------------------------------
Keys added: 1
----------------------------------
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Multimedia\WaveOwner

----------------------------------
Values added: 19
----------------------------------
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos1313x932(1).x: 0x00000000
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos1313x932(1).y: 0x00000000
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\381\Shell\MinPos1313x932(1).x:…
HKU\S-1-5-21-725345543-73586283-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31237: "Crea una nuova cartella, vuota, nella cartella aperta."

----------------------------------
Values modified: 18
----------------------------------
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF729
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF566
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF729
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF566
HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_1274&DEV_1371&SUBSYS_13711274&REV_02#4&47B7341&0&0888#{6994ad04-93ef-11d0-a3cc…
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF729
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Left: 0xFFFFF566
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF729
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0000\Settings\CDVol_Right: 0xFFFFF566
====================================================================
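Most of the entries in a report like the one above are desktop noise (Explorer view state, MUI cache, audio volume), and the "Values modified" block lists each value twice, old data then new data. As an added example (my code, not Regshot's), the Python below parses this report format into its sections, pairs the old/new lines of modified values, and drops the noise paths seen above so the real changes stand out. The report text is constructed for this example, with SIDs and GUIDs shortened and a Run-key entry invented to show what survives the filter; the noise patterns are an assumption drawn from the report above.

```python
import re

# Constructed Regshot-style report modelled on the one above (SIDs and GUIDs
# shortened, the Run entry invented); not the output of a real run.
REPORT = r"""
====================================================================
Regshot 1.9.0 x86 ANSI
Datetime: 2014/2/1 21:12:14 , 2014/2/1 21:13:07

----------------------------------
Keys added: 1
----------------------------------
HKU\S-1-5-21-1003\Software\Microsoft\Multimedia\WaveOwner

----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ScrollPos.x: 0x00000000
HKU\S-1-5-21-1003\Software\Microsoft\Windows\CurrentVersion\Run\updater: "C:\Temp\sample.exe"

----------------------------------
Values modified: 2
----------------------------------
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C}\0000\Settings\CDVol_Left: 0xFFFFF729
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C}\0000\Settings\CDVol_Left: 0xFFFFF566
====================================================================
"""

SECTION_RE = re.compile(r"^(Keys (?:added|deleted)|Values (?:added|deleted|modified)): (\d+)$")
# Paths that change on every desktop session in the report above (Explorer view
# state, MUI cache, audio volume): treated as noise. Assumption of this example.
NOISE = re.compile(r"\\ShellNoRoam\\Bags\\|\\Shell\\Bags\\|\\MUICache\\|\\CDVol_", re.IGNORECASE)


def parse_regshot(text: str) -> dict:
    """Group the report into sections, keeping the count Regshot declares for each."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"declared": int(m.group(2)), "entries": []}
        elif line and not line.startswith(("-", "=")) and current is not None:
            sections[current]["entries"].append(line)
    return sections


def modified_pairs(entries: list) -> list:
    """Regshot lists a modified value twice: old data first, then the new data."""
    pairs = []
    for old, new in zip(entries[0::2], entries[1::2]):
        p_old, _, d_old = old.partition(": ")  # data may itself contain a colon
        p_new, _, d_new = new.partition(": ")
        if p_old != p_new:
            raise ValueError(f"unpaired modified entries: {old!r} / {new!r}")
        pairs.append((p_old, d_old, d_new))
    return pairs


def review(sections: dict) -> list:
    """Flatten the report into 'section: change' lines with the noise removed."""
    out = []
    for name, sec in sections.items():
        if name == "Values modified":
            items = [f"{p}: {o} -> {n}" for p, o, n in modified_pairs(sec["entries"])]
        else:
            items = sec["entries"]
        out += [f"{name}: {e}" for e in items if not NOISE.search(e)]
    return out
```

Running review(parse_regshot(REPORT)) leaves two lines, the new WaveOwner key and the new Run value; the ScrollPos and CDVol_Left changes are filtered out.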

Another important tool is Process Explorer. This tool monitors the processes running on a system and shows them in a tree structure that displays child and parent relationships.

Process Explorer can also be useful for detecting whether a file is Microsoft-signed. You can achieve this in more than one way:

- Click on the Verify button to verify that the image on disk is, in fact, the Microsoft-signed binary. Because Microsoft uses digital signatures for most of its core executables, when Process Explorer verifies that a signature is valid, you can be sure that the file is actually the executable from Microsoft.

- Compare the strings in memory with the strings in the on-disk executable image.

Go deep into network traffic.

Malware often needs to connect to a remote server, for many reasons: for example to send information to that remote host or to get commands from it. So it is very important to understand what sort of traffic is generated from and to the malware. To get this insight we have to set up a sort of MITM (Man In The Middle) position against the malware.

First of all we use ApateDNS (a free tool from Mandiant) to see the DNS requests made by the malware. To use ApateDNS you have to set:

- DNS Reply IP: the IP address you want to send in the DNS response;
- # of NXDOMAIN's: an option that can help us to find all the domains the malware will loop through;
- Selected interface: the Ethernet interface we want to use.

We can set 'DNS Reply IP' to localhost (as in the above example) or we can set it to redirect all the traffic to another machine, for example a Linux machine, or better, a virtual Linux machine.
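As an added example (my code, not ApateDNS, whose source is not on this page), here is a small Python responder that does what the 'DNS Reply IP' and '# of NXDOMAIN's' settings describe: it parses each query, logs the name the sample asked for, answers the first N queries with NXDOMAIN so that a sample which loops through a domain list reveals the whole list, and then answers every A query with the chosen reply IP. That reading of the NXDOMAIN option, the query builder and the serve() loop are this example's own assumptions; 192.168.110.2 is the Linux VM address from the lab layout described later.

```python
import socket
import struct

QTYPE_A = 1

def parse_query(packet: bytes):
    """Return (id, name, qtype, raw question) from a DNS query packet."""
    tid, flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a DNS query")
    labels, pos = [], 12  # question starts right after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # zero-length root label
    qtype, _qclass = struct.unpack_from("!HH", packet, pos)
    return tid, ".".join(labels), qtype, packet[12:pos + 4]

def build_query(tid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard recursive query for one name (what a Windows resolver sends)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

class FakeDns:
    """ApateDNS-style sinkhole: first `nxdomain_count` queries get NXDOMAIN, the rest reply_ip."""

    def __init__(self, reply_ip: str, nxdomain_count: int = 0, ttl: int = 60):
        self.reply_ip, self.nxdomain_left, self.ttl = reply_ip, nxdomain_count, ttl
        self.log = []  # every name the client asked for, in order

    def respond(self, packet: bytes) -> bytes:
        tid, name, qtype, question = parse_query(packet)
        self.log.append(name)
        if self.nxdomain_left > 0 or qtype != QTYPE_A:
            self.nxdomain_left = max(0, self.nxdomain_left - 1)
            # QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN): echo the question, no answer.
            return struct.pack("!HHHHHH", tid, 0x8183, 1, 0, 0, 0) + question
        answer = (b"\xc0\x0c"  # compression pointer to the name at offset 12
                  + struct.pack("!HHIH", QTYPE_A, 1, self.ttl, 4)
                  + socket.inet_aton(self.reply_ip))
        return struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0) + question + answer

def answer_ip(response: bytes):
    """IP from the single A answer, or None for NXDOMAIN / empty answers."""
    _tid, flags, _qd, ancount = struct.unpack_from("!HHHH", response, 0)
    if (flags & 0x000F) == 3 or ancount == 0:
        return None
    pos = 12
    while response[pos] != 0:
        pos += 1 + response[pos]
    pos += 5  # root label + qtype + qclass -> start of the answer record
    return socket.inet_ntoa(response[pos + 12:pos + 16])  # after name ptr, type, class, ttl, rdlen

def serve(reply_ip: str, bind_ip: str = "0.0.0.0", nxdomain_count: int = 0):
    """Run the sinkhole on UDP/53 inside the analysis VM (needs admin rights)."""
    fake = FakeDns(reply_ip, nxdomain_count)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, 53))
    while True:
        data, client = sock.recvfrom(512)
        try:
            sock.sendto(fake.respond(data), client)
            print(f"{client[0]} asked for {fake.log[-1]}")
        except ValueError:
            pass  # not a query: ignore it
```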

On the Linux machine we can install INetSim, a free, Linux-based software suite for simulating common Internet services. INetSim does its best to look like a real server. And because INetSim is built with malware analysis in mind, it offers many unique features, such as its Dummy service, which logs all data received from the client, regardless of the port. The Dummy service is most useful for capturing all traffic sent from the client to ports not bound to any other service module. You can use it to record all the ports to which the malware connects and the corresponding data that is sent. Here is an example of all the ports the tool starts up:

* dns 53/udp/tcp - started (PID 9992)
* http 80/tcp - started (PID 9993)
* https 443/tcp - started (PID 9994)
* smtp 25/tcp - started (PID 9995)
* irc 6667/tcp - started (PID 10002)
* smtps 465/tcp - started (PID 9996)
* ntp 123/udp - started (PID 10003)
* pop3 110/tcp - started (PID 9997)
* finger 79/tcp - started (PID 10004)
* syslog 514/udp - started (PID 10006)
* tftp 69/udp - started (PID 10001)
* pop3s 995/tcp - started (PID 9998)
* time 37/tcp - started (PID 10007)
* ftp 21/tcp - started (PID 9999)
* ident 113/tcp - started (PID 10005)
* time 37/udp - started (PID 10008)
* ftps 990/tcp - started (PID 10000)
* daytime 13/tcp - started (PID 10009)
* daytime 13/udp - started (PID 10010)
* echo 7/tcp - started (PID 10011)
* echo 7/udp - started (PID 10012)
* discard 9/udp - started (PID 10014)
* discard 9/tcp - started (PID 10013)
* quotd 17/tcp - started (PID 10015)
* quotd 17/udp - started (PID 10016)
* chargen 19/tcp - started (PID 10017)
* dummy 1/udp - started (PID 10020)
* chargen 19/udp - started (PID 10018)
* dummy 1/tcp - started (PID 10019)

There is another very interesting tool we must use to monitor the network traffic: Wireshark.

Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set. The most common and useful one is the possibility to view the contents of a TCP session; you just have to right-click any TCP packet and select 'Follow TCP Stream'.

Attention: Wireshark is known to have many security vulnerabilities, so be sure to run it in a safe environment.


So what the hell can we do?

We have analyzed all the principal tools we need to perform a dynamic analysis; so how can we put all this software together to maximize our analysis?

We have a Windows machine and we have to do a few things on it:
1. Start procmon, with a filter on the malware name
2. Start Process Explorer
3. Take the first snapshot with Regshot
4. Configure our virtual network (ApateDNS - INetSim)
5. Start Wireshark to capture all the network traffic.

We also have a linux machine with INetSim installed on it.

So this is the situation:

[Figure: lab layout. Windows Virtual Machine, IP 192.168.110.1, tools: ApateDNS, Procmon, Regshot, Process Explorer, Wireshark, plus the target malware. Linux Virtual Machine, IP 192.168.110.2, tool: INetSim. DNS (53): ApateDNS redirects to 192.168.110.2; INetSim answers HTTP 80, HTTPS 443, FTP 21, SMTP 25, etc.]

At this point we can run the malware and look at our tools to find as much information as we need.

1. We can analyze ApateDNS to see which DNS requests were performed;
2. We can look at procmon to find which files and folders our malware has modified or created;
3. We can compare the Regshot snapshots to see what the malware has done to our registry;
4. We can look at Process Explorer to see whether the malware has generated threads;
5. We can also review the Wireshark traffic in the light of the information we have obtained from ApateDNS and INetSim.

Summary

Static and dynamic malware analysis help us to understand in detail what behavior was implemented in the malware. If we know which registry keys/values it has modified, which files it has created, what the malware has reported to a remote server and which commands it has received from that host, then we can safely think that it is possible, and not so tricky, to cut the malware out of our PC.

However, sometimes it is necessary to go much deeper; for example, what can we do if the malware communicates with the remote host using an encrypted custom protocol? In this case, and in some others, we need to reverse engineer the malware code. This will be the subject of the next episode, 'Inside Windows Malicious Software'.

On the Web
● http://bit.ly/ic4plL - strings tool
● http://woodmann.com/BobSoft/Pages/Programs/PEiD - PEiD tool
● http://www.woodmann.com/collaborative/tools/index.php/ExeInfo_PE - exeinfope tool
● http://www.dependencywalker.com/ - Dependency Walker tool
● http://peview.sourceforge.net/ - PEView tool
● http://www.angusj.com/resourcehacker/ - Resource Hacker tool
● http://download.sysinternals.com/files/ProcessMonitor.zip - procmon tool
● http://sourceforge.net/projects/regshot/ - regshot tool
● http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx - Process Explorer tool
● https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns - ApateDNS tool
● http://www.inetsim.org/downloads.html - INetSim tool
● http://www.wireshark.org/download.html - wireshark tool

About the author

Luigi Capuzzello started with informatics in late 1986 (with a beautiful Apple IIe) when he was thirteen years old. After taking a degree in robotics he has been working for more than fifteen years in several areas of IT, but now he is strongly focused on IT security. His main tasks are related to testing application security (especially web applications) and to reverse engineering techniques. Specialties: Project Management, Information Security, Vulnerability Analysis, Penetration Testing, Ethical Hacking, Web Application Security. You can find him on http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a

Other Specification
- Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code [Paperback]
- The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig