Black-box analysis of malware
Vít Bukač
CROCS, Faculty of Informatics, Masaryk University
IT Security Specialist, CIRT, Honeywell Global Security
PV204 Security Technologies

Black-box analysis of malware – Outline
• Lecture
  • Malware
  • Black-box principle
  • Tools
  • Automatic sandbox analysis
  • Document analysis
• Hands-on lab
  • Analysis of provided malware samples

Malware

Malware types

Malware infection vectors
• Email
  • Link
  • Attachment
• Malicious website
  • Drive-by download
• USB
• Cracked software
• Worms
• Social engineering

Infection vector – Phishing
• Subject
  • “Account blocked”
  • “Package to be delivered”
  • “Expiring subscription”
  • “Please process payment”
• Signs
  • Unexpected sender address (1)
  • Graphic errors (2)
  • Erroneous info (3)
  • Links to unexpected URL (4)
  • Links to same URL
  • Use of threats
  • Sense of urgency

Infection vector – Drive-by download

Infection vector – USB

Example – Zeus infection
1. Fake Facebook page
2. User asked to download fake Flash player (the bot itself)
3. If the user does not download, he is redirected to a Blackhole exploit server
4. Successful compromise
5. Report to Smoke Loader
6. Download Banker Trojan from a legitimate server
7. Configuration file downloaded
8. User accesses bank webpage
9. Zeus reports user activities from bank page
10. Command and Control server orders how to manipulate payments
11. Payment details are changed
12. Money is sent to money mule
13. Zeus reports details of the successful transaction
14. Mule extracts money and sends it to botnet owner

Malware Kill Chain
• Each phase requires successful previous phases
• Various detection methods at each phase

Black box malware analysis

Use cases
• Communication between local file server and an unknown IP address in China has been observed. What process is responsible for the communication?
• Malware is creating temporary files. Where are these files located?
• Malware executable is created again after system reboot.
  How is it possible and what is causing it?
• A new type of malware has been spreading through the internal network. How to quickly assess the malware capabilities? What is its purpose? Is it based on any well-known tool?

Black box malware analysis
• Dynamic analysis – file is executed
• Analysis without internal knowledge
  • Observable inputs
  • Observable outputs
• Quick, simple
  • Common monitoring tools
• Collected indicators about
  • Filenames, process names, process parent/child relationships, temporal relationships, domain names, IP addresses, registry keys, persistence methods, cleanup operations etc.
• Can be highly automated

Black box malware analysis – Basic
1. Prepare analysis environment
2. Create snapshot
3. Run monitoring tools
4. Run malware
5. Collect and observe interactions between malware and VM
6. Restore snapshot
7. Repeat 3-6 as needed

Analysis environment
• Virtual Machine
  • Limited/no connectivity
  • Virtualized services (DNS, HTTP, …)
  • Several VMs for various host types
• Software
  • Monitoring tools
  • Often exploited applications
• Risks
  • VM isolation breach
  • Malware inactivity in VM

Virtual machine snapshot
• Snapshots
  • Saved state of VM
  • Disk state, memory state
  • Quick restoration of previous state

Tools

Network analysis
• Capturing sent/received packets
  • Protocol dissection
  • Promiscuous mode
• Tools
  • Tcpdump, Wireshark, NetworkMiner
• Indicators
  • Domain names, IP addresses, protocols, ports, HTTP parameters
• Q&A
  • Who is this program communicating with? What reputation does the partner have? What data is exchanged? Is it encrypted or obfuscated?
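As an added example (not part of the slides), the network indicators the lecture tells you to look for (HTTP connections to IP addresses that were never resolved through DNS, random-looking and brand-lookalike domain names, mutually similar domain names, outgoing port scans) can be checked mechanically over the DNS answers and connection records captured in the VM. The records below are constructed; the brand list and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sandbox capture (not real traffic): DNS answers seen, then the
# outgoing TCP connections, in capture order.
DNS_ANSWERS = [("gooogle.org", "198.51.100.7"), ("rpxiodffd.biz", "203.0.113.9"),
               ("osinstall.biz", "203.0.113.20"), ("swinstall.biz", "203.0.113.21")]
CONNECTIONS = [("198.51.100.7", 80), ("192.0.2.50", 8080), ("203.0.113.9", 80)] + \
              [("203.0.113.40", p) for p in (21, 22, 23, 80, 139, 445)]  # 192.0.2.50 never resolved
BRANDS = ["google", "facebook", "microsoft", "paypal"]  # assumption: brands worth protecting

def edit_distance(a, b):
    """Levenshtein distance; drives the lookalike and similar-domain checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(label):
    """Random-looking label: a consonant run of 4+ or under 20% vowels (thresholds assumed)."""
    run = max_run = 0
    for c in label:
        run = 0 if c in "aeiouy" else run + 1
        max_run = max(max_run, run)
    vowel_ratio = sum(c in "aeiouy" for c in label) / max(len(label), 1)
    return max_run >= 4 or vowel_ratio < 0.2

def triage(dns_answers, connections, brands=BRANDS, scan_ports=5):
    """Return (kind, detail) findings following the slide's checklist."""
    findings = []
    resolved = {ip for _, ip in dns_answers}
    labels = [d.rsplit(".", 2)[-2] for d, _ in dns_answers]   # second-level label
    for label, (domain, _) in zip(labels, dns_answers):
        if looks_random(label):
            findings.append(("random-domain", domain))
        for b in brands:
            if label != b and edit_distance(label, b) <= 2:
                findings.append(("lookalike", f"{domain}~{b}"))
    for i, a in enumerate(labels):                            # similarly looking names
        for j in range(i + 1, len(labels)):
            if a != labels[j] and edit_distance(a, labels[j]) <= 2:
                findings.append(("similar-domains", f"{a}~{labels[j]}"))
    ports = defaultdict(set)
    for ip, port in connections:
        ports[ip].add(port)
        if port in (80, 8080) and ip not in resolved:         # HTTP without a DNS lookup
            findings.append(("direct-ip-http", f"{ip}:{port}"))
    findings += [("portscan", ip) for ip, ps in ports.items() if len(ps) >= scan_ports]
    return findings
```

Background OS activity (update checks, telemetry) will also trip the direct-IP rule, so compare against a baseline capture of the clean VM before reading the findings.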
Network analysis – What to look for
• New established connections – HTTP 80/8080
• Direct connections without a preceding DNS lookup
• Random domain names (e.g., rpxiodffd.biz)
• Suspicious domain names (e.g., gooogle.org)
• Similarly looking domain names (e.g., osinstall.biz, swinstall.biz, swinstall.com)
• Outgoing portscans
• Ping/DNS request for well-known services
  • Connection availability test
• Be aware of background OS/process activity!

Example – Wireshark

File system
• Observing file accesses and modifications
  • Background file manipulation
• Tools
  • Procmon, Handle
• Indicators
  • File names, folder names, order of actions, compromise spread through local system
• Q&A
  • Where is malware copied after the initial infection? What filenames are used? Where is the collected data stored?

File system – What to look for
• New file names & folders
  • Newly created files and folders
  • Batch and script files (.cmd, .bat, .vbs, .ps1)
  • Known favorite malware file names (e.g., 1.exe, test.exe, new.exe)
  • Known file names in uncommon folders (e.g., C:\Temp\svchost.exe)
  • Recycler
• Modifications of system files
• Temporary storage files, encrypted archives

Example – Procmon

Registry
• Registry DB changes
  • Persistence
• Tools
  • Regedit, RegRipper, Autoruns

Registry – What to look for
• Well-known locations
  • Autorun locations
  • Task scheduler
• Changes tracking
• Keyword fulltext search
  • Filenames
  • Processes
  • Domain names

Registry – Regedit

Processes
• Observing initial system compromise
  • Process parent/child relationships
• Tools
  • Process Explorer, Procmon
• Indicators
  • Process names, order of execution, dropper activity
• Q&A
  • What processes are run after the malware binary is executed? Are batch files involved? Are there watcher processes?
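Added example, not from the slides: a process map built from constructed Process Monitor style "Process Create" events, answering the three Q&A questions above by listing the order of executables under the sample, flagging command-line interpreters it spawns, and flagging an image that is re-created by a different parent (the watcher pattern). The events, paths and the interpreter list are assumptions.

```python
# Constructed Process Monitor style "Process Create" events (not real data):
# (seq, parent_pid, parent_image, child_pid, child_image_path, command_line)
EVENTS = [
    (1, 400, "explorer.exe", 1200, "C:\\Users\\lab\\Desktop\\sample.exe", "sample.exe"),
    (2, 1200, "sample.exe", 1300, "C:\\Windows\\System32\\cmd.exe", 'cmd.exe /c ping 0 -n 2 & del "sample.exe"'),
    (3, 1200, "sample.exe", 1310, "C:\\Users\\lab\\AppData\\Roaming\\server.exe", "server.exe"),
    (4, 1310, "server.exe", 1320, "C:\\Windows\\System32\\netsh.exe", 'netsh firewall add allowedprogram "server.exe"'),
    (5, 1310, "server.exe", 1330, "C:\\Windows\\System32\\wscript.exe", "wscript.exe watch.vbs"),
    (6, 1330, "wscript.exe", 1340, "C:\\Users\\lab\\AppData\\Roaming\\server.exe", "server.exe"),
    (7, 400, "explorer.exe", 1400, "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),  # unrelated
]
INTERPRETERS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}  # from the slide

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(events, root_pid):
    """PIDs of the sample and everything it (transitively) created."""
    pids = {root_pid}
    for _, ppid, _, pid, _, _ in sorted(events):
        if ppid in pids:
            pids.add(pid)
    return pids

def render(events, root_pid, indent=1):
    """Indented process map under root_pid, Process Explorer style."""
    lines = []
    for _, ppid, _, pid, path, _ in sorted(events):
        if ppid == root_pid:
            lines.append("  " * indent + f"{basename(path)} ({pid})")
            lines += render(events, pid, indent + 1)
    return lines

def analyze(events, root_pid):
    """Order of executables under the sample plus (kind, detail) findings."""
    family = lineage(events, root_pid)
    chain, findings, first_parent = [], [], {}
    for _, ppid, pimg, pid, path, cmd in sorted(events):
        if pid not in family:
            continue
        name = basename(path)
        chain.append(name)
        if name in INTERPRETERS:
            findings.append(("interpreter", f"{basename(pimg)} -> {name}: {cmd}"))
        if name in first_parent and first_parent[name] != ppid:   # re-created by another parent
            findings.append(("respawn", f"{name} re-created by {basename(pimg)}"))
        first_parent.setdefault(name, ppid)
    return chain, findings
```

Run `print("\n".join(["sample.exe (1200)"] + render(EVENTS, 1200)))` to see the map; the respawn finding is what a watcher process looks like in the event stream, and the cmd.exe line shows the self-delete trick from the strings example later in the lecture.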
Processes – What to look for
• Order of executables
  • Initial malware
  • Dropper/downloader
  • Persistence executable
  • Final malware
• Command line interpreters
  • cmd.exe
  • PowerShell
  • cscript, wscript

Example – Process Explorer

Executable file analysis
• Cryptographic hash
  • Hash function which is considered practically impossible to invert
  • Unique identification of a file
  • Counter: polymorphism
  • MD5, SHA1
• Fuzzy hash
  • Context triggered piecewise hash
  • Families of files
  • ssdeep
• Strings

Example – Strings
MD5: 5d347384ea978a96bc842ad9f29e95f2
• server.exe
• AppData
• 4bcce4de98bcdb4d29f66c0fe1ffe002
• hackerhani.no-ip.biz (domain name)
• Software\Microsoft\Windows\CurrentVersion\Run (persistence registry key)
• Software\
• yy-MM-dd
• ??-??-??
• Microsoft
• Windows
• SystemDrive
• netsh firewall delete allowedprogram " (command to be executed)
• Software
• cmd.exe /c ping 0 -n 2 & del " (command to be executed)
• SEE_MASK_NOZONECHECKS
• netsh firewall add allowedprogram " (command to be executed)

Automated sandbox analysis

Automated sandboxing
• Automated
  1. Execute malware in sandbox
  2. Wait a few seconds
  3. Receive summary report
  4. Investigate report
• Non-interactive
• Known tools
  • Cuckoo, Norman, Anubis etc.

Cuckoo sandbox
• Open source malware analysis system
• Can analyze
  • Windows executables, DLLs, PDF documents, URLs, HTML files, PHP scripts, Visual Basic scripts, ZIP archives, Python files, etc.
• Modular, scriptable
• Full memory dump (for Volatility Framework)
• Django web interface
• Mongo (NoSQL) database

Cuckoo – Architecture

Cuckoo – GUI

Internet sandbox services
• Public service
  • OpSec issues
• Huge comparison database
  • Exact match by hash
  • Similarity search by keywords
• Malwr.com (public Cuckoo sandbox)
• VirusTotal.com
• ThreatExpert.com

Operational security (OpSec)
• Advanced attackers monitor victim’s actions
  • Unique indicators visible on Google?
  • Attacker host monitoring for incoming traffic
  • Keyword search in mails, PDFs, …
  • VirusTotal uploads
• Basics of OpSec
  • “Think before you act” mentality
  • Limited information sharing
  • Trace removal

OpSec – Basic rules
• No ping
• No DNS lookup
• No accessing suspicious domains
• No premature remediation steps (reboot, antivirus scan, OS reinstall)
• No upload of samples
• No indicator validation on external sources
  • NOT EVEN through 3rd parties

Anti-sandbox techniques
• Continuous development – sandbox vs. anti-sandbox
• Malware inactive in analysis environment
  • Tools presence detection (Wireshark, etc.)
  • Virtualization detection
    • Registry (key existence, key value)
    • File system (file existence, drivers)
    • Processes (syscall response)
  • Human presence detection
    • Mouse movement
    • Keyboard activity
    • File artefacts

Document analysis – Quick insight
• File metadata
  • EXIF information on pictures
    • Creator, creation time, photo source, photo GPS
  • exiftool
• Document sandboxing possible
• Document interpretation ambiguity
  • Practical examples
    • Double extensions, different content in different viewers, code block obfuscation & hiding

Lab exercise

Lab – Overview
• Hands-on experience of manual black-box analysis
• Guided analysis of selected malware samples
• Tools
  • Wireshark – network activity
  • Process Monitor – file system activity, process creation
  • Autoruns – persistence
  • Process Explorer – process map

Lab – Samples
• 2-3 samples from different malware families
  • Commodity malware – Zeus, ZeroAccess, generic Trojans, …
• Students will execute samples in a virtual environment
  • Provided simple analysis virtual machine (Windows)
  • Indicators collected – network, files, persistence
  • Discussion about interpretation of facts
• Homework
  • Samples to analyze independently
  • Write a cohesive report and present key information to the reader
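For the lab report, the static part of the triage from the "Executable file analysis" and "Example – Strings" slides (cryptographic hashes, a `strings` pass, and sorting the strings into domain, persistence key and command indicators) can be done offline with the standard library. This is an added example, not the lecture's or any tool's code: the byte blob standing in for a sample, its embedded strings and the regex rules are all constructed assumptions, and fuzzy hashing (ssdeep) is left out because it needs the external tool.

```python
import hashlib
import re

# Constructed stand-in for a dropped executable (not a real sample): non-printable
# filler around a few strings modelled on the "Example – Strings" slide.
FILLER = bytes(range(32)) * 4
SAMPLE = (b"MZ\x90\x00" + FILLER +
          b"server.exe\x00AppData\x00c2-example.no-ip.invalid\x00"
          b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          b'netsh firewall add allowedprogram "\x00'
          b'cmd.exe /c ping 0 -n 2 & del "\x00SEE_MASK_NOZONECHECKS\x00' + FILLER)

def hashes(data):
    """MD5/SHA1 (as on the slide) plus SHA256 for exact-match lookups."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def strings(data, min_len=6):
    """Printable ASCII runs of min_len+ bytes, the way the `strings` tool finds them."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Assumption: simple heuristics for the slide's callouts, not a vendor signature set.
RULES = [
    ("persistence-registry", re.compile(r"CurrentVersion\\Run", re.I)),
    ("domain", re.compile(r"\b([a-z0-9-]+\.)+(biz|com|net|org|info|ru|invalid)\b", re.I)),
    ("command", re.compile(r"^(cmd\.exe|netsh|powershell)\b", re.I)),
    ("self-delete", re.compile(r"ping .*& *del", re.I)),          # delete self after exit
    ("zone-check-bypass", re.compile(r"SEE_MASK_NOZONECHECKS")),  # skip "downloaded file" prompt
]

def classify(strs):
    """(category, string) pairs for every string that matches a rule."""
    return [(cat, s) for s in strs for cat, rx in RULES if rx.search(s)]

def triage(data):
    return {"hashes": hashes(data), "indicators": classify(strings(data))}
```

Note that appending a single byte to SAMPLE changes every hash while leaving the string indicators intact, which is exactly why the slide lists polymorphism as the counter to hash-based identification and why ssdeep is needed for family matching.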