SES2017 - Dynamic Analysis
Systems and Enterprise Security 2017-2018
Dr. Giuseppe Laurenza, Ph.D. Student, laurenza@dis.uniroma1.it
Research Center for Cyber Intelligence and information Security
CIS Sapienza
Outline
• Virtual Machine and Sandboxing
• Manual dynamic analysis tools
• Analysis of persistence
• Dynamic analysis with Cuckoo Sandbox
• DLL/Code injection
Virtual Machine [VM]
• A VM emulates the behaviour of a full physical machine in which it is possible to run the desired operating system:
– Host: the machine on which the VM software runs.
– Guest: the VM itself.
• A VM provides a fake and separated environment;
• it is possible to execute suspicious software in isolation.
Virtual Machine [VM]: Snapshot
• Many virtualization software products provide the possibility to create snapshots;
• a snapshot represents a photograph of the current state of the VM;
• it allows restoring a previous state of the system.
Virtual Machine [VM]: Snapshot
• Snapshots are an important resource for dynamic malware analysis; in fact analysts:
– create and configure a VM;
– create a snapshot of the VM, ready for the analysis;
– run the malware;
– study the execution and the effects of the sample;
– restore the snapshot in order to be ready for the next analysis.
Virtual Machine [VM]: VirtualBox [1]
• VirtualBox is an open-source virtualization software developed for Windows, Linux and MacOS;
• it allows the execution of various operating systems, including Windows, Linux and *BSD;
• it offers a snapshot system to save and restore the state of the VM.
[1] https://www.virtualbox.org
Virtual Machine [VM]: Snapshot Exercise
• Boot up the VM;
• open VirtualBox in the VM;
• restore the snapshot Snapshot2;
• start the VM cuckoo1;
• observe the state of the VM, trying to execute some malware;
• shut down the VM and restore the snapshot Snapshot1;
• run again the VM and observe any changes.
Sandbox
• It consists of executing the malware in a controlled environment in order to observe the malware behavior;
• this approach uses emulation or virtualization software products to execute malware in isolation;
• a sandbox can produce in-depth reports using signatures to detect patterns of actions;
• it can also provide additional information like the files created or the network traffic generated by the sample.
Outline
• Virtual Machine and Sandboxing
• Manual dynamic analysis tools
• Analysis of persistence
• Dynamic analysis with Cuckoo Sandbox
• DLL/Code injection
RegShot
• It is an open-source utility to compare instances of the Windows registry;
• it enables storing the current state of the registry and comparing it with another one created after some modifications;
• it is widely used to discover which registry keys are modified by the malware execution.
RegShot – Exercise
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• run the executable regshot in the Regshot folder on the desktop;
• use 1st shot to store the current state of the registry;
• change the desktop background;
• use 2nd shot to store the new state of the registry;
• compare the 2 snapshots with Compare;
• change the log format to HTML;
• use Clear to delete the 2nd shot;
• perform a new comparison and observe the differences in the report.
AutoRuns
• Utility developed directly by Microsoft;
• it allows an easy inspection of different aspects of the operating system, like:
– the system locations to modify in order to load applications during OS boot;
– Explorer extensions;
– toolbars.
AutoRuns - Exercise
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• launch Autoruns; if asked, accept the EULA;
• observe the various tabs;
• save the current state of the software;
• modify/delete some elements;
• use Compare in the File menu to perform a comparison with the previously saved state.
Outline
• Virtual Machine and Sandboxing
• Manual dynamic analysis tools
• Analysis of persistence
• Dynamic analysis with Cuckoo Sandbox
• DLL/Code injection
Persistence
• Set of techniques that guarantees the malware survives a system reboot;
• currently, the main approaches are four:
– creation or modification of registry keys;
– creation of files in startup locations;
– creation of Windows Services;
– modification of the Master Boot Record (MBR) or the BIOS.
Persistence: creation or modification of registry keys
• The Windows registry contains information about what must be started at boot, like:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
• this approach consists of creating or modifying these keys to launch the malware at startup.
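As an added example (not from the lecture and not RegShot's code), the comparison RegShot performs in the exercise, written out in Python and combined with the autostart keys listed above, so that the exercise's own noise (the wallpaper change) is separated from a genuine persistence entry. The two snapshot dicts and the value names in them are constructed for the example.

```python
# Added example: a RegShot-style comparison of two registry snapshots, with the
# autostart locations from the lecture used to separate persistence from noise.
# The snapshots are constructed dicts: full value path -> data.

# Autostart keys listed in the slides, plus AppInit_DLLs from the injection part.
AUTOSTART_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
)


def diff_snapshots(before, after):
    """Return (added, removed, modified) value paths, as RegShot's report does."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return added, removed, modified


def is_autostart(value_path):
    """Prefix match, case-insensitive: the registry itself is case-insensitive."""
    low = value_path.lower()
    return any(low.startswith(p.lower()) for p in AUTOSTART_PREFIXES)


def triage(before, after):
    """Diff the shots and keep only changes that touch an autostart location."""
    added, removed, modified = diff_snapshots(before, after)
    hits = []
    for kind, paths in (("added", added), ("removed", removed), ("modified", modified)):
        for path in paths:
            if is_autostart(path):
                hits.append((kind, path, after.get(path, before.get(path))))
    return hits


# Constructed 1st/2nd shot: the wallpaper change is the exercise's own noise; the
# new per-user Run value imitating a system binary name is the persistence hit.
SHOT1 = {
    r"HKCU\Control Panel\Desktop\Wallpaper": r"C:\Windows\Web\Wallpaper\img0.jpg",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBoxTray":
        r"C:\Windows\system32\VBoxTray.exe",
}
SHOT2 = dict(SHOT1)
SHOT2[r"HKCU\Control Panel\Desktop\Wallpaper"] = r"C:\Users\analyst\Pictures\bg.jpg"
SHOT2[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"] = (
    r"C:\Users\analyst\AppData\Roaming\svchost.exe")

if __name__ == "__main__":
    for kind, path, data in triage(SHOT1, SHOT2):
        print(f"[{kind}] {path} = {data}")
```

RegShot's full report lists the wallpaper change too; the triage step is what an analyst does by eye when reading it against the persistence locations.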
Persistence: creation of files in startup locations
• During the boot, the Windows OS checks some directories which contain software to start, like:
– %USERPROFILE%\Start Menu\Programs\Startup, containing single-user software;
– %ALLUSERSPROFILE%\Start Menu\Programs\Startup, containing all-users software.
Persistence: creation of Windows Services
• Windows services are executables launched in the background without any interaction with the users (like *nix daemons);
• they can be configured to be automatically started during the boot process;
• typically malware tries to create new services; moreover, they usually imitate the names of system services to remain hidden.
Persistence: modification of the MBR or the BIOS
• It is an advanced technique to achieve persistence;
• Advantages:
– difficult to detect;
– extremely difficult to remove.
• Disadvantages:
– high difficulty to apply this approach.
Persistence: Exercise 1 – Analysis with Regshot
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use regshot to discover which registry keys are used by the malware Imworm to obtain persistence.
Persistence: Exercise 2 – Analysis with Autoruns
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use Autoruns to discover some of the effects of the malware IMWorm on the system.
Persistence: Exercise 3 – Analysis with Autoruns
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use Autoruns to discover some of the effects of the malware Hydraq on the system.
Outline
• Virtual Machine and Sandboxing
• Manual dynamic analysis tools
• Analysis of persistence
• Dynamic analysis with Cuckoo Sandbox
• DLL/Code injection
Cuckoo Sandbox
• Open source system to automatically analyze files and URLs;
• it tracks all the API calls and the general behaviour of the file;
• it also analyzes the network traffic;
• it allows an advanced system memory analysis.
Cuckoo Sandbox
• it is developed in Python with a modular structure, so it can be easily extended;
• it contains a very long list of signatures of suspicious behaviours;
• it allows interaction through three different interfaces:
– Python scripts;
– REST APIs;
– Web interface.
Cuckoo Sandbox – Exercise 1
• Open a terminal and submit a malware sample with the command:
python /opt/cuckoo/utils/submit.py filename
• Cuckoo Sandbox assigns an ID to the submission;
• after a couple of minutes, check the directory /opt/cuckoo/storage/analyses/ID/reports/ and open the various reports.
Cuckoo Sandbox – Exercise 2
• Open Firefox and the Cuckoo Sandbox bookmark;
• log in to the web interface (user: cuckoo, password: cuckoo);
• inspect the various sections of the web interface and submit a sample using the submission tab;
• after the end of the analysis, consult the report in order to understand its structure.
Outline
• Virtual Machine and Sandboxing
• Manual dynamic analysis tools
• Analysis of persistence
• Dynamic analysis with Cuckoo Sandbox
• DLL/Code injection
DLL/code injection
• This approach consists of loading a malicious DLL into one or more processes;
• in this way the malicious code will be executed inside a legitimate process;
• this can be an effective way to overcome security software.
DLL/code injection
• Main approaches are:
– take advantage of the AppInit_DLLs registry key, which contains the list of all the DLLs that have to be loaded together with user32.dll;
– manipulate existing processes through an external dynamic load.
DLL/code injection: Exercise
• Open the Cuckoo Sandbox Web Interface;
• submit:
– Parite
– onlinegames 2;
• after the analysis, check the reports to find any DLL injection attack.
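As an added example, not code from the lecture or from Cuckoo, a Python triage of the report.json produced in Exercise 1 for the persistence and DLL-injection evidence the exercises ask for: matched signatures and registry writes to the autostart keys and the AppInit_DLLs key from the slides. The report layout (a signatures list and behavior.summary.regkey_written, in the style of Cuckoo 2.x), the signature names and the embedded report fragment are assumptions constructed for the example.

```python
# Added example, not code from the lecture or from Cuckoo: triage a Cuckoo
# report.json for the persistence and DLL-injection evidence the exercises ask
# for. Assumed layout (Cuckoo 2.x style, verify against your own reports):
#   report["signatures"]                            -> [{name, description, severity}]
#   report["behavior"]["summary"]["regkey_written"] -> list of written key paths
import json
import os

ANALYSES_DIR = "/opt/cuckoo/storage/analyses"  # location given in Exercise 1

# Registry locations from the slides; AppInit_DLLs is the key the DLL-injection
# section describes. Matched case-insensitively as a prefix of the written path.
WATCHED_KEYS = {
    "appinit_dlls": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    "hklm_run": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "hkcu_run": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    "winlogon": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
}

def report_path(task_id):
    """Path of the JSON report for a submission ID (Exercise 1's directory)."""
    return os.path.join(ANALYSES_DIR, str(task_id), "reports", "report.json")

def triage(report):
    """Summarise the injection/persistence evidence in a parsed report dict."""
    sigs = report.get("signatures", [])
    written = report.get("behavior", {}).get("summary", {}).get("regkey_written", [])
    findings = {
        "max_severity": max((s.get("severity", 0) for s in sigs), default=0),
        "injection_signatures": [s["name"] for s in sigs
                                 if "inject" in s.get("name", "").lower()],
        "watched_key_writes": [],
    }
    for path in written:
        for label, prefix in WATCHED_KEYS.items():
            if path.lower().startswith(prefix.lower()):
                findings["watched_key_writes"].append((label, path))
    findings["dll_injection_suspected"] = bool(findings["injection_signatures"]) or any(
        label == "appinit_dlls" for label, _ in findings["watched_key_writes"])
    return findings

# Constructed stand-in for storage/analyses/<ID>/reports/report.json; the
# signature names are illustrative, not a guarantee of what Cuckoo emits.
SAMPLE_REPORT = json.loads(r'''{
  "info": {"id": 42},
  "signatures": [
    {"name": "persistence_autorun", "severity": 3,
     "description": "Installs itself for autorun at Windows startup"},
    {"name": "injection_runpe", "severity": 3,
     "description": "Executes code in another process"}],
  "behavior": {"summary": {"regkey_written": [
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "HKEY_CURRENT_USER\\Control Panel\\Desktop\\Wallpaper"]}}
}''')

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

To run it on a real analysis, replace SAMPLE_REPORT with `json.load(open(report_path(ID)))`, where ID is the number Cuckoo printed at submission.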