joemccray

Malware Analysis Basics

Mar 21st, 2015
Here is the material from the Malware Analysis for Vets class:

Here is the class video:
https://s3.amazonaws.com/StrategicSec-Videos/2014-01-18+09.16+Malware+Analysis+For+Vets.wmv

Here is the courseware:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Docs/Basic-Malware_Analysis_Labs.docx

Malware Analysis Tools:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/MalwareAnalysisTools.zip

Software you may find useful:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Software.zip

Actual malware (remember to extract and run it only inside a VM; the password to extract the archive is 'infected'):
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

Take a snapshot of the VM before you extract the sample, and keep the VM on a host-only / isolated network so a live bot cannot reach its C2.


Class virtual machines:

** Linux VM **
https://s3.amazonaws.com/StrategicSec-VMs/Malware.vmwarevm.rar
user: malware
pass: malware

** Windows VM **
https://s3.amazonaws.com/StrategicSec-VMs/Malware_Windows.vmwarevm(1).rar


Malware can only do 4 things (at the level of observable host behaviour, which is what every tool below is looking for evidence of):

1. Modify the filesystem
2. Modify the registry
3. Modify processes/services
4. Connect to the Internet/local network


What differs from sample to sample when you reverse engineer malware:
1. Encryption/Obfuscation
2. Payload
3. Programming Style
4. Motive/Intent


Note: If you seriously want to do reverse engineering at work, you need a large corpus of samples to compare against; the instructor's rule of thumb is at least 10 million samples of malware.

Here is a small database to play with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2
855MB file size - be sure to load it inside a VM


Good reference links:
http://www.garykessler.net/library/file_sigs.html <-- file headers (magic bytes)

Things we did to the malware on the Windows VM:
- PEiD
- StudPE
- saw 'ABC0' reported as the entry-point section and we thought that was strange (compilers normally emit .text/.data/.rsrc; odd section names usually mean a packer)
- Hex Editor
- Strings

Open a command prompt:
cd c:\Documents and Settings\Administrator\Desktop\Strings
copy "c:\Documents and Settings\Administrator\Desktop\malware\malware.exe" .
- strings.exe malware.exe | findstr ".dll"
- strings.exe malware.exe | more <-- lets you page through the data by pressing the space bar
- strings.exe malware.exe | findstr "ABC"
  output:
  ABC0
  ABC1
  ABC2
  ABC!
  ABC^
- strings.exe malware.exe | findstr ".dll"
We googled ws2_32.dll and found out it is the Windows Sockets library, i.e. the sample does networking
- strings.exe malware.exe | findstr "IRC"
- strings.exe malware.exe | findstr "JOIN"
List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
- strings.exe malware.exe | findstr "ADMIN"
- strings.exe malware.exe | findstr "LIST"

Let's check to see if it modifies the registry
- strings.exe malware.exe | findstr "REG"
- strings.exe malware.exe | findstr "HKEY"
We didn't see anything like HKLM, HKCU or other registry type stuff
(findstr is case-sensitive unless you add /I. Also, no registry strings only means none are stored in the clear: a packed or obfuscated sample builds them at runtime, so confirm with dynamic analysis before concluding it never touches the registry.)


##############################
# Moving to the Linux system #
##############################
Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging in, please open a terminal window and type the following commands:

cd Desktop/


This is actual malware (remember to run it only in a VM; the password to extract it is 'infected'):

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget http://www.beenuarora.com/code/analyse_malware.py

unzip malware-password-is-infected.zip
infected                 <-- type this at the password prompt

file malware.exe

mv malware.exe malware.pdf

file malware.pdf         <-- still identified as a PE32 executable: file looks at content (magic bytes), not at the extension

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
Every DOS/Windows executable starts with the two-byte 'MZ' signature (0x4D 0x5A); the offset of the PE header is stored as a 4-byte value at 0x3C.
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6      <-- --all scans the whole file, not just the loadable sections

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

- We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
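The Windows and Linux passes above both boil down to the same triage: pull the printable strings out of the binary and sort them into the four behaviour buckets (plus IRC command strings, which is what made this sample look like a bot). The script below is an added example written for this page; it is not part of the class material and not analyse_malware.py. It does its own ASCII and UTF-16LE strings extraction, the category regexes are its own choice (not a complete API list), and the blob it runs on is constructed inline rather than the class sample. Pass a file path to run it on malware.exe instead.

```python
import re
from collections import defaultdict

MIN_LEN = 4  # default minimum run length of GNU strings and Sysinternals strings

# Category regexes are this example's own choice, not an exhaustive list of APIs.
CATEGORIES = {
    "filesystem": [r"CreateFile", r"WriteFile", r"DeleteFile", r"CopyFile", r"MoveFile",
                   r"[A-Za-z]:\\", r"\.exe\b", r"\.dll\b", r"%TEMP%", r"\\Temp\\"],
    "registry":   [r"RegOpenKey", r"RegSetValue", r"RegCreateKey", r"HKEY_", r"\bHKLM\b",
                   r"\bHKCU\b", r"CurrentVersion\\Run"],
    "process":    [r"CreateProcess", r"ShellExecute", r"WinExec", r"OpenProcess",
                   r"CreateRemoteThread", r"CreateService", r"StartService", r"TerminateProcess"],
    "network":    [r"ws2_32", r"wininet", r"WSAStartup", r"\bconnect\b", r"\bsocket\b",
                   r"InternetOpen", r"URLDownloadToFile", r"https?://"],
    "irc":        [r"\b(NICK|USER|JOIN|PRIVMSG|PONG|MODE|PART|QUIT)\b", r"\bIRC\b"],
}
_COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in CATEGORIES.items()}


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Printable ASCII runs (like `strings -a`) plus UTF-16LE runs (like `strings -el`)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16le") for s in wide_runs]


def classify(strings):
    """Bucket strings by which of the four behaviours (plus IRC C2) they hint at."""
    hits = defaultdict(set)
    for s in strings:
        for cat, regs in _COMPILED.items():
            if any(r.search(s) for r in regs):
                hits[cat].add(s)
    return {cat: sorted(v) for cat, v in hits.items()}


def triage(data: bytes):
    report = classify(extract_strings(data))
    # Report empty buckets explicitly: "no registry strings" is itself a finding, but it
    # only means none are stored in the clear (packed samples build them at runtime).
    for cat in CATEGORIES:
        report.setdefault(cat, [])
    return report


# Constructed stand-in for an IRC bot binary (import names, IRC verbs, a C2 host,
# a UTF-16 drop path and some junk bytes). It is not a real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00CreateProcessA\x00"
    + b"ws2_32.dll\x00WSAStartup\x00connect\x00socket\x00"
    + b"NICK %s\r\nUSER %s 0 0 :%s\r\nJOIN #%s\r\nPRIVMSG %s :%s\r\n\x00"
    + b"irc.example.invalid\x00\x00"
    + "C:\\Windows\\svchost32.exe".encode("utf-16le") + b"\x00\x00"
    + b"\xff\x8a\x01" * 7
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for cat, strs in triage(data).items():
        print("[%s] %d hit(s)" % (cat, len(strs)))
        for s in strs:
            print("    " + s)
```

The UTF-16 pass matters on Windows binaries: paths and registry keys built with the wide-character APIs are invisible to a plain ASCII `strings` run, which is one reason a "clean" registry grep is not conclusive.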
sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with (the same file as the 'small database' linked above):
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
infected                 <-- password prompt
python avsubmit.py --init                 <-- creates the sqlite database
python avsubmit.py -f malware.exe -e      <-- hashes malware.exe and records it


Creating a malware database (mysql)
-----------------------------------
Step 1: Installing MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server

(the installer asks you to set a root password; use 'malware' on the class VM)

Step 2: Installing Python MySQLdb module
Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p                          <-- enter the root password ('malware') at the prompt

Then create one database by running the following command:

create database malware;



wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py                           <-- fill in the database connection information

python mal_to_db.py -i                    <-- initialise the schema

python mal_to_db.py -i -f malware.exe -u  <-- hash malware.exe and add it to the files table


mysql -u root -p
malware

mysql> use malware;

mysql> select id,md5,sha1,sha256,time FROM files;

mysql> quit;


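What avsubmit.py --init and mal_to_db.py -i set up is a hash-indexed table of samples. The block below is an added example written for this page (it is not class code, not avsubmit.py and not mal_to_db.py) showing the minimum version with sqlite3 from the standard library: sha256 is the identity, so re-submitting a renamed copy returns the existing row instead of creating a duplicate, and lookups by md5, sha1 or sha256 all hit an index. SAMPLE_A and SAMPLE_B are constructed stand-ins, not malware. The same schema works on MySQL once AUTOINCREMENT is spelled AUTO_INCREMENT.

```python
import hashlib
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,   -- the identity of a sample is its sha256
    size   INTEGER NOT NULL,
    name   TEXT,
    time   TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS files_md5 ON files(md5);
CREATE INDEX IF NOT EXISTS files_sha1 ON files(sha1);
"""

# Digest length -> column. Column names come only from this fixed map, never from the
# caller, so interpolating one into the query below is not an injection risk.
_DIGEST_COLUMNS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_bytes(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_sample(conn, data: bytes, name=None) -> int:
    """Insert a sample and return its id; re-adding a known file returns the existing id."""
    h = hash_bytes(data)
    row = conn.execute("SELECT id FROM files WHERE sha256 = ?", (h["sha256"],)).fetchone()
    if row:
        return row[0]
    cur = conn.execute(
        "INSERT INTO files (md5, sha1, sha256, size, name, time) VALUES (?, ?, ?, ?, ?, ?)",
        (h["md5"], h["sha1"], h["sha256"], h["size"], name,
         time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())),
    )
    conn.commit()
    return cur.lastrowid


def lookup(conn, digest: str):
    """Find a sample by md5, sha1 or sha256 (the hex length says which)."""
    col = _DIGEST_COLUMNS.get(len(digest))
    if col is None or not all(c in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("digest must be md5, sha1 or sha256 hex")
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files WHERE %s = ?" % col, (digest.lower(),)
    ).fetchone()


def list_files(conn):
    """Same columns as the `select id,md5,sha1,sha256,time FROM files;` check above."""
    return conn.execute("SELECT id, md5, sha1, sha256, time FROM files ORDER BY id").fetchall()


# Constructed stand-ins for samples; not real malware.
SAMPLE_A = b"MZ\x90\x00" + b"A" * 64
SAMPLE_B = b"MZ\x90\x00" + b"B" * 64

if __name__ == "__main__":
    import sys
    conn = open_db("malware.sqlite")
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "-> id", add_sample(conn, fh.read(), path))
    for row in list_files(conn):
        print(row)
```

Keeping all three digests per row is deliberate: AV vendor reports, sandbox output and threat feeds still key on md5 or sha1 as often as sha256, and you want one query to answer "have we seen this before" whichever hash you were handed.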
##############################
# Lesson 32: Setting up Yara #
##############################


sudo apt-get install clamav clamav-freshclam

sudo freshclam

sudo clamscan

sudo apt-get install libpcre3 libpcre3-dev

(yara's bootstrap.sh also needs autoconf, automake and libtool installed)

wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz

wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
(not used below: yara-python 1.4 targets the old YARA 1.x API; the 3.1.0 source tree already ships a matching yara-python/ directory, which is what gets built)

tar -zxvf v3.1.0.tar.gz

cd yara-3.1.0/

./bootstrap.sh

./configure

make

make check

sudo make install

cd yara-python/

python setup.py build

sudo python setup.py install

cd ..

yara -v                                   <-- if this fails with a libyara.so loading error, run: sudo ldconfig

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd       <-- unpacks the ClamAV signature database (main.ndb etc.) into the current directory

python clamav_to_yara.py -f main.ndb -o clamav.yara

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
infected

mkdir malcode/

mv malware.exe malcode/

vi testrule.yara
----------------
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

rule has_no_DEP
{
    meta:
        description = "DEP is not enabled"

    condition:
        // DllCharacteristics is 0x46 bytes into the optional header, which starts
        // 0x18 bytes after the PE signature: e_lfanew + 0x18 + 0x46 = e_lfanew + 0x5E
        // (same offset for PE32 and PE32+). IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100.
        // Note: in YARA, & binds tighter than == (unlike C), so no parentheses are needed.
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x0100 == 0
}

rule has_no_ASLR
{
    meta:
        description = "ASLR is not enabled"

    condition:
        // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
}
----------------


yara testrule.yara malcode/malware.exe
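To see why uint16(0) == 0x5A4D, uint32(uint32(0x3C)) == 0x4550 and the +0x5E in the rules are right (and why one rule covers PE32 and PE32+), here is the same header walk in Python, also answering the hexdump 'MZ' question from the Linux section. This is an added example, not class material and not YARA's own code; build_min_pe constructs header-only test images (not loadable binaries) so the checks run without a real sample. Pass file paths to run it on malcode/malware.exe.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
OPT_HDR_DLLCHARACTERISTICS = 0x46               # same offset in PE32 and PE32+


def pe_info(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE the way the YARA rules do, and decode DllCharacteristics."""
    # uint16(0) == 0x5A4D  <=>  the file starts with b"MZ" (little-endian 0x4D 0x5A)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # uint32(uint32(0x3C)) == 0x00004550  <=>  b"PE\0\0" at e_lfanew
    if e_lfanew + 0x60 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"is_pe": False}
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 0x18)[0]   # 0x10B PE32, 0x20B PE32+
    # Optional header starts at e_lfanew + 0x18 (4-byte signature + 20-byte file header);
    # DllCharacteristics is 0x46 into it, hence the rules' uint16(uint32(0x3C) + 0x5E).
    dllchars = struct.unpack_from("<H", data, e_lfanew + 0x18 + OPT_HDR_DLLCHARACTERISTICS)[0]
    return {
        "is_pe": True,
        "pe32plus": magic == 0x20B,
        "machine": machine,
        "sections": nsections,
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def matching_rules(data: bytes):
    """Names of the testrule.yara rules (IsPE, has_no_DEP, has_no_ASLR) this file would fire."""
    info = pe_info(data)
    if not info["is_pe"]:
        return []
    matched = ["IsPE"]
    if not info["dep"]:
        matched.append("has_no_DEP")
    if not info["aslr"]:
        matched.append("has_no_ASLR")
    return matched


def build_min_pe(dllchars: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE (not loadable) for exercising the parser offline."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = 0xF0 if pe32plus else 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)        # Magic
    struct.pack_into("<H", opt, OPT_HDR_DLLCHARACTERISTICS, dllchars)    # DllCharacteristics
    return bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt)


if __name__ == "__main__":
    import sys
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("constructed-hardened", build_min_pe(0x0140)),
        ("constructed-weak", build_min_pe(0x0000)),
    ]
    for name, blob in targets:
        print(name, pe_info(blob), matching_rules(blob))
```

A sample that fires has_no_DEP and has_no_ASLR is not automatically malicious (plenty of old legitimate software was built that way), but for a packed bot it tells you the author did not opt in to either mitigation, which matters when you move on to the exploit side of the analysis.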

mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..

yara rules/ malcode/malware.exe           <-- if your yara build refuses a directory as the rules argument, pass the files: yara rules/*.yara malcode/malware.exe

wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip

unzip master.zip

cd YaraGenerator-master/

python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"

cat Test-Rule-2.yar

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

yara Test-Rule-2.yar putty.exe            <-- false-positive check: putty.exe is a known-good binary, so the generated rule should NOT match it



####################
# Additional Tasks #
####################

- PE Scanner:
https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py



cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

tshark -r suspicious-time.pcap -qz io,phs      <-- protocol hierarchy; -r reads the file, so no -i interface (and no sudo) is needed




for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u      <-- NetBIOS names with suffix <20> (file server service)


tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u      <-- suffix <1e> (browser service elections)


tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


tshark -r suspicious-time.pcap -T fields -e "eth.src" | sort | uniq


tshark -r suspicious-time.pcap -R "browser.command==1" -T fields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -T fields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

(Note: tshark 1.10 and later reject a bare -R; use -Y "<filter>" for a display filter, or -2 -R "<filter>" for a two-pass read filter, in every -R command here.)


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn





tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'      <-- 10.0.3.15 is the client we are tracking; the sed collapses most query strings so the redirect chain is easier to read




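The tshark pipelines above all reduce to one walk: read the capture, keep the TCP payloads that are HTTP requests, print client -> server and the URL, then drop images/css/ico and the known-good hosts so the redirect chain stands out. The block below is an added example written for this page, not class material and not chaosreader or tshark; it does that walk with a minimal parser for classic pcap, Ethernet, IPv4 and TCP and no dependencies. SAMPLE_PCAP is constructed in the block (the two hostnames are the ones whois'd above; every address and path is made up) so it runs offline; pass suspicious-time.pcap as the first argument to run it on the real capture.

```python
import struct

NOISE = ("/image", ".css", ".ico", ".png", ".gif", ".jpg")
IGNORE_HOSTS = ("google", "honeynet.org")


def _http_request(payload: bytes):
    """(method, uri, host) if the TCP payload starts an HTTP/1.x request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1.") or parts[0] not in (b"GET", b"POST", b"HEAD"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return parts[0].decode("ascii"), parts[1].decode("ascii", "replace"), host


def http_requests(pcap: bytes):
    """Yield (src_ip, dst_ip, host, uri) for each HTTP request in a classic libpcap file."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":          # not IPv4 (ARP, IPv6, ...)
            continue
        ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]  # trim Ethernet padding
        if ip[9] != 6:                                               # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        doff = (tcp[12] >> 4) * 4
        req = _http_request(tcp[doff:])
        if req:
            yield src, dst, req[2], req[1]


def interesting(requests):
    """Drop page furniture and known-benign hosts, like the grep -v chain above."""
    for src, dst, host, uri in requests:
        if any(n in uri for n in NOISE) or any(h in host for h in IGNORE_HOSTS):
            continue
        yield src, dst, host, uri


def requests_by_client(pcap: bytes):
    """{client_ip: [(server_ip, url), ...]} in capture order, for spotting redirect chains."""
    out = {}
    for src, dst, host, uri in interesting(http_requests(pcap)):
        out.setdefault(src, []).append((dst, "http://" + host + uri))
    return out


# --- constructed capture: all addresses, ports and paths are made up for this example ---
def _frame(src, dst, sport, dport, payload: bytes) -> bytes:
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))


CLIENT = "10.0.3.15"
SAMPLE_PCAP = build_pcap([
    _frame(CLIENT, "192.0.2.10", 49152, 80, b"GET / HTTP/1.1\r\nHost: rapidshare.com.eyu32.ru\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    _frame("192.0.2.10", CLIENT, 80, 49152, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<script>/* ... */</script>"),
    _frame(CLIENT, "192.0.2.10", 49153, 80, b"GET /images/logo.png HTTP/1.1\r\nHost: rapidshare.com.eyu32.ru\r\n\r\n"),
    _frame(CLIENT, "198.51.100.7", 49154, 80, b"GET /?click=3f7e HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n"),
    _frame(CLIENT, "198.51.100.7", 49155, 80, b"GET /stage2.php?s=3f7e HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n"),
    _frame(CLIENT, "203.0.113.5", 49156, 80, b"GET /favicon.ico HTTP/1.1\r\nHost: www.honeynet.org\r\n\r\n"),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for client, reqs in requests_by_client(data).items():
        for server, url in reqs:
            print("%s -> %s \t: %s" % (client, server, url))
```

Two limits to keep in mind when you point this at a real capture: it only sees a request whose start line is at the beginning of a TCP segment (no stream reassembly), and it ignores anything that is not IPv4/TCP. Both are cases tshark handles for you, which is why the pipeline above stays the primary tool; the point of the rewrite is to make the filtering logic explicit and testable.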
cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility                                      <-- no arguments: prints usage and the list of commands (this is the Volatility 1.x command line)
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
cd foremost-1.5.7/
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2      <-- carve PDFs out of the process memory dump
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf                                      <-- only finds the keyword in the clear; the script itself is usually in a compressed stream



cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py -s javascript --raw 00600328.pdf      <-- -s: search objects for the string
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 11 00600328.pdf              <-- --object N: dump that object
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js      <-- --filter: apply the stream's /Filter (e.g. FlateDecode) and write the decoded JavaScript out

cat malicious.js


*****Sorry - no time to cover javascript de-obfuscation today*****


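grep -i javascript and the three pdf-parser.py calls above do three things: find the object that declares a /JavaScript action, follow its /JS reference, and inflate the FlateDecode stream that actually holds the script. The block below is an added example written for this page (it is not class material and not pdf-parser.py) that does the same with re and zlib, scanning objects linearly rather than through the xref so it also works on carved or deliberately broken files. SAMPLE_PDF is a constructed two-action document, not the carved 00600328.pdf; pass a PDF path to run it on a real file.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_INLINE_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s*(\d+)\s+\d+\s+R\b")


def pdf_objects(pdf: bytes) -> dict:
    """{object number: body} for every 'N G obj ... endobj', found by linear scan (no xref)."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def decode_stream(body: bytes) -> bytes:
    """Return an object's stream data, inflating it when the dictionary says /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    data = m.group(1)
    if b"/FlateDecode" in body[:m.start()]:
        data = zlib.decompress(data)
    return data


def _unescape(s: bytes) -> bytes:
    # PDF literal strings escape parentheses and backslashes with a backslash.
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def find_javascript(pdf: bytes) -> dict:
    """{object number: script bytes} for every object carrying a /JavaScript action.

    Handles the two common shapes: an inline literal  /JS (app.alert(1))  and a
    reference  /JS 4 0 R  to a (usually FlateDecode) stream object."""
    objs = pdf_objects(pdf)
    scripts = {}
    for num, body in objs.items():
        dictionary = body.split(b"stream", 1)[0]
        if b"/JavaScript" not in dictionary and b"/JS" not in dictionary:
            continue
        inline = JS_INLINE_RE.search(dictionary)
        ref = JS_REF_RE.search(dictionary)
        if inline:
            scripts[num] = _unescape(inline.group(1))
        elif ref and int(ref.group(1)) in objs:
            scripts[num] = decode_stream(objs[int(ref.group(1))])
    return scripts


# Constructed test document: the OpenAction points at a JavaScript action whose code
# lives in a FlateDecode stream, so `grep -i javascript` sees the keyword but never the
# script; a second action carries an inline /JS string. Not a real exploit document.
JS_PAYLOAD = b"var sc = unescape('%u9090%u9090'); app.alert('constructed sample');"
_DEFLATED = zlib.compress(JS_PAYLOAD)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    + b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
    + b"4 0 obj\n<< /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _DEFLATED + b"\nendstream\nendobj\n"
    + b"5 0 obj\n<< /S /JavaScript /JS (app.alert\\(1\\);) >>\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for num, script in find_javascript(data).items():
        print("obj %d: %d bytes of JavaScript" % (num, len(script)))
        print(script.decode("latin-1"))
```

One caveat carries over from the grep step: if the action dictionary itself sits inside an object stream (PDF 1.5 /ObjStm), neither grep nor this scanner sees it until that stream is inflated too, which is the case pdf-parser.py's object-stream handling exists for.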
cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon      <-- the -o value is a hive offset taken from the hivescan output above
for file in *.dmp; do echo "$file"; strings "$file" | grep bankofamerica; done