|By Cory Marchand||
|June 27, 2012 07:00 AM EDT||
Malware analysis can be a time consuming process, especially when dealing with a sample from skilled attackers with time and money on their side . There is no doubt that fully reversing malware and finding out how it works is the most effective way to learn how to defend against it, but most businesses don't have the time or the professional resources to do it.
There are ways in which you, a Computer Network Defender, can glean enough information from malware to be used in IDS and AV signature creation, DNS poisoning and blocking as well as sharing with the CND community. This can be accomplished in a cost effective manner (maybe even free) and in an efficient manner that can rival very long code based analysis. There are even cases where in depth knowledge of how to fully reverse the sample is not needed.
It should be noted that this is a low tech, high level mechanism for capturing indicators from malware. It should not be considered a substitute for fully analyzing malicious software, as sophisticated samples can defeat a lab environment similar to this quite easily. I will not be covering anything related to debugging the malware, that is outside of the intention of this "How-to".
Before we start, you will need to procure a few bits and pieces:
- Host machine with enough storage and memory to run at least 2 virtual machines concurrently, 4GB of ram and at least 30GB would be the minimum requirement.
- A virtualization platform, there are several on the market, some of them are free to use, VirtualBox and Xen to name a couple. I will be using VMWare Fusion for this demonstration.
- A copy of "REMNUX", a reverse-engineering malware linux distribution available at http://zeltser.com/remnux/.
- A licensed copy of MS Windows (this will be your victim host). I will be using WindowsXP for this demonstration.
- Free and open source tools for analysis of the Windows host (Putty, RegShot, Sysinternals, etc etc)
Setting Up the Victim Host Machine
Something to consider when setting up your victim host machine is system and software patches. Depending on what you are testing on your victim host, it may only affect a certain version of Windows, or possibly only to a certain patch level. Something I like to do is to "snapshot" my "victim" host machines through various patch stages, that way if I need to roll back, it's as easy as choosing a snapshot and "rolling back". This also applies to the types of software you install on your victim, snapshot your host with different versions of java, flash and adobe reader to be able to quickly select a vulnerable configuration. Consider outfitting your malware analysis lab setup with hosts that mimic your native operating environment. If you only utilize Windows 7 and do not allow Firefox on your network, then set up your victim machines to match that configuration.
Once you have finished patching your host, downloading and installing various types of software to aid in allowing successful exploitation you are going to setup a new network adapter, and set it for "host-only". This will keep your host from accidentally reaching the Internet once infected. It will also allow you to send the traffic to another machine to analyze what your victim is trying to do once successful exploitation has taken place.
- Set the IP on your victim host to a non-routable address, for instance 10.1.1.10.
- Set your router or gateway to be 10.1.1.1, this will the IP address of your REMNUX virtual machine.
Setting Up the REMNUX Host Machine
One of the main purposes for the REMNUX virtual machine in this demonstration is simply to act as a catch-all for network traffic originating from your now exploited victim host. REMNUX has many uses and capabilities both for the beginner and advanced malware reverse engineer, but we want fast indicators from our malware sample so that we can start defending against it immediately.
The REMNUX virtual machine is ready to go once imported into your virtualization platform with minimal modifications. We are simply going to add a network adapter in "host-only" mode and set the IP address to a non-routable IP. REMNUX will act as the internet "gateway" and DNS server for our victim machine. This will allow us to see all network requests and DNS requests that come from our infected victim host.
Infecting the Host
Now that you have the infrastructure in place, test your connectivity between the victim virtual machine and the gateway virtual machine. Have Wireshark running on the gateway box to verify successful connectivity. Attempt to SSH from your victim host to the gateway using putty. You can use "pscp.exe" within the Putty suite to move the original malware, and any malicious files the malware creates or drops onto your victim. Once you have moved the file over to your REMNUX host, you can take the MD5 of the original malware, before it is run. This will help in creating virus signatures and give you the required information for sharing within the CND community.
Utilizing "Regshot", take a snapshot of the "C:" drive pre infection, that way you will have something to compare after your host is infected. Regshot will record the current windows registry, all windows directories and files before infection, allow you to record again after infection, and then compare the changes made to the host.
You can now move your malware sample to the victim host. Ensure that you are running the necessary services and tools on your REMNUX host to capture the traffic. If you are not looking to interact with the malware, Wireshark can provide a wealth of data with not much in-depth knowledge. If you are looking to interact however, please consult the REMNUX readme for more information on "honeyd", "farpd" and "fakedns".
I also recommend running some kind of process explorer on the victim host to monitor what the malware does, any new processes it may spawn or kill. Sysinternals suite has several great tools, Process Explorer and Process Monitor are my two favorites.
Capturing the Indicators
Once executed on your victim host, you can record the information being fed to ProcMon, allowing you to watch what the malware does. You may see new applications start, processes get killed and new processes start. These are all indicators of the malware, and essential data to capture.
Watch your REMNUX host, check to see if any callouts are being made by the malware and see if it attempts to resolve DNS addresses. Often times once the DNS has successfully resolved, you will witness the malware attempt to connect to the Command & Control domain over an HTTP/HTTPS port.
A Note on DNS Resolution with Malware
The malware may attempt to resolve a known good website, this can be for internet connectivity checking as well as an attempt to fool someone monitoring it. If the malware is unable to resolve lets say “google.com” it may simply die on the victim host, and never try to reach the real command and control domain (CnC). This is when you want to have “fakedns” running on your REMNUX host, it will resolve any domain asked, this will then give the malware the positive connectivity test it is looking for, at which point may try to resolve the actual CnC domain.
Once you are satisfied with the length of time you have let the malware run, 10 minutes or less usually suffices, you can take the second “Regshot’ of the system. This will capture any changes made to the system by the malware. Once it has completed the second pass, compare the two and analyze the output. “Regshot” will reveal any new files created, deleted or modified. It will show you if any new registry keys were added or changed and any services that were created. It is an essential tool in the analysis toolbox.
As you can see with the "dir /ah" command, the files that were hidden on the victim. These files were all dropped from the malicious word document.
Once you have located the dropped or newly added malware on the victim host, you should move them over to your "REMNUX" host for analysis. These files are also indicators of a positive infection and should be included in your analysis of the initial malware. The MD5 hashes of these files are just as relevant for blocking and signature development as the principle delivery of these files, e.g. malicious word document, can easily change in future attempts.
Share Your Findings - One of the Most Important Pieces to Computer Network Defense
From this quick, and high level analysis of the malicious word document you were presented with several indicators that can benefit other Computer Network Defenders. One thing that I have learned is that not everyone catches or sees something the way I may I see it. So when I look at a piece of malware, no matter how simple I think it may be, I share it with the hopes that the indicators could assist others.
It is essential that you share as much information as you are comfortable with, as it may help to thwart future attempts against other targets. Collaboration amongst teams can help to stop these types of infections and identify current infections if they exist within your network. If possible, share any Command & Control Domains, MD5 Hashes, IP addresses, File Names and Sizes and anything else you feel is relevant to the infection.
In his session at 16th Cloud Expo, Simone Brunozzi, VP and Chief Technologist of Cloud Services at VMware, reviewed the changes that the cloud computing industry has gone through over the last five years and shared insights into what the next five will bring. He also chronicled the challenges enterprise companies are facing as they move to the public cloud. He delved into the "Hybrid Cloud" space and explained why every CIO should consider ‘hybrid cloud' as part of their future strategy to achi...
Jul. 1, 2015 11:10 AM EDT Reads: 106
"We have a tagline - "Power in the API Economy." What that means is everything that is built in applications and connected applications is done through APIs," explained Roberto Medrano, Executive Vice President at Akana, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Jul. 1, 2015 11:00 AM EDT Reads: 276
"We got started as search consultants. On the services side of the business we have help organizations save time and save money when they hit issues that everyone more or less hits when their data grows," noted Otis Gospodnetić, Founder of Sematext, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
Jul. 1, 2015 11:00 AM EDT Reads: 860
Internet of Things is moving from being a hype to a reality. Experts estimate that internet connected cars will grow to 152 million, while over 100 million internet connected wireless light bulbs and lamps will be operational by 2020. These and many other intriguing statistics highlight the importance of Internet powered devices and how market penetration is going to multiply many times over in the next few years.
Jul. 1, 2015 10:30 AM EDT Reads: 2,073
Containers are changing the security landscape for software development and deployment. As with any security solutions, security approaches that work for developers, operations personnel and security professionals is a requirement. In his session at DevOps Summit, Kevin Gilpin, CTO and Co-Founder of Conjur, will discuss various security considerations for container-based infrastructure and related DevOps workflows.
Jul. 1, 2015 10:30 AM EDT Reads: 703
Internet of Things (IoT) will be a hybrid ecosystem of diverse devices and sensors collaborating with operational and enterprise systems to create the next big application. In their session at @ThingsExpo, Bramh Gupta, founder and CEO of robomq.io, and Fred Yatzeck, principal architect leading product development at robomq.io, discussed how choosing the right middleware and integration strategy from the get-go will enable IoT solution developers to adapt and grow with the industry, while at th...
Jul. 1, 2015 09:45 AM EDT Reads: 1,906
The most often asked question post-DevOps introduction is: “How do I get started?” There’s plenty of information on why DevOps is valid and important, but many managers still struggle with simple basics for how to initiate a DevOps program in their business. They struggle with issues related to current organizational inertia, the lack of experience on Continuous Integration/Delivery, understanding where DevOps will affect revenue and budget, etc. In their session at DevOps Summit, JP Morgenthal...
Jul. 1, 2015 09:32 AM EDT Reads: 339
Agile, which started in the development organization, has gradually expanded into other areas downstream - namely IT and Operations. Teams – then teams of teams – have streamlined processes, improved feedback loops and driven a much faster pace into IT departments which have had profound effects on the entire organization. In his session at DevOps Summit, Anders Wallgren, Chief Technology Officer of Electric Cloud, will discuss how DevOps and Continuous Delivery have emerged to help connect dev...
Jul. 1, 2015 09:30 AM EDT Reads: 744
Malicious agents are moving faster than the speed of business. Even more worrisome, most companies are relying on legacy approaches to security that are no longer capable of meeting current threats. In the modern cloud, threat diversity is rapidly expanding, necessitating more sophisticated security protocols than those used in the past or in desktop environments. Yet companies are falling for cloud security myths that were truths at one time but have evolved out of existence.
Jul. 1, 2015 09:15 AM EDT Reads: 2,114
Overgrown applications have given way to modular applications, driven by the need to break larger problems into smaller problems. Similarly large monolithic development processes have been forced to be broken into smaller agile development cycles. Looking at trends in software development, microservices architectures meet the same demands. Additional benefits of microservices architectures are compartmentalization and a limited impact of service failure versus a complete software malfunction. ...
Jul. 1, 2015 09:00 AM EDT Reads: 803
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, will explore the IoT cloud-based platform technologies drivi...
Jul. 1, 2015 08:00 AM EDT Reads: 795
In the midst of the widespread popularity and adoption of cloud computing, it seems like everything is being offered “as a Service” these days: Infrastructure? Check. Platform? You bet. Software? Absolutely. Toaster? It’s only a matter of time. With service providers positioning vastly differing offerings under a generic “cloud” umbrella, it’s all too easy to get confused about what’s actually being offered. In his session at 16th Cloud Expo, Kevin Hazard, Director of Digital Content for SoftL...
Jun. 30, 2015 05:00 PM EDT Reads: 2,108
It is one thing to build single industrial IoT applications, but what will it take to build the Smart Cities and truly society-changing applications of the future? The technology won’t be the problem, it will be the number of parties that need to work together and be aligned in their motivation to succeed. In his session at @ThingsExpo, Jason Mondanaro, Director, Product Management at Metanga, discussed how you can plan to cooperate, partner, and form lasting all-star teams to change the world...
Jun. 30, 2015 02:15 PM EDT Reads: 2,202
Containers have changed the mind of IT in DevOps. They enable developers to work with dev, test, stage and production environments identically. Containers provide the right abstraction for microservices and many cloud platforms have integrated them into deployment pipelines. DevOps and Containers together help companies to achieve their business goals faster and more effectively. In his session at DevOps Summit, Ruslan Synytsky, CEO and Co-founder of Jelastic, reviewed the current landscape of...
Jun. 30, 2015 01:30 PM EDT Reads: 2,130
The cloud has transformed how we think about software quality. Instead of preventing failures, we must focus on automatic recovery from failure. In other words, resilience trumps traditional quality measures. Continuous delivery models further squeeze traditional notions of quality. Remember the venerable project management Iron Triangle? Among time, scope, and cost, you can only fix two or quality will suffer. Only in today's DevOps world, continuous testing, integration, and deployment upend...
Jun. 30, 2015 12:30 PM EDT Reads: 1,861