Black-box analysis of malware
Vít Bukač
CROCS, Faculty of Informatics, Masaryk University
Sr Cyber Security Supervisor, Honeywell Global Security
PV204 Security Technologies

Black-box analysis of malware – Outline
• Lecture
  1. Incident response
  2. Malware
  3. Black-box principle
  4. Tools
  5. Automatic sandbox analysis
• Hands-on lab
  • Analysis of provided malware samples

Analyzing intrusions

Cyber Incident Response
• Cyber Incident Response
  • “A well-organized effort by which an organization handles a cyberattack, including analysis, containment, remediation and reduction of future risks.”
• Good incident response results in:
  • Lower costs of ongoing cyber incidents
  • Fewer future incidents
• Cyber Attack Incident
  • Each incident goes through certain phases
  • Collecting information about each phase and modifying defenses accordingly helps detect/prevent future incidents

Malware definition
“Malware is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, et al.”
Robert Moir, Defining Malware: FAQ, 2009. URL: https://technet.microsoft.com/en-us/library/dd632948.aspx

Malware types
• Trojan
• Fake AV
• Backdoor
• Remote Access Tool (RAT)
• Dropper
• Downloader
• Information stealer
• Keylogger
• Ransomware
• Coinminer
• Sniffer
• Virus
• Worm / self-spreading malware
• Spyware
• Adware
• Botnet

Malware infection vectors
• Email
  • Link
  • Attachment
  • Link + document download
• Worms
  • Lateral movement with legitimate credentials
  • Lateral movement via vulnerabilities (Petya, NotPetya, WannaCry, …)
• Malicious website
  • Drive-by download
• USB
• Cracked software

Case Study: Emotet
Don Ovid Ladores, EMOTET Returns, Starts Spreading via Spam Botnet, 2017.
URL: https://www.trendmicro.com/en_us/research/17/i/emotet-returns-starts-spreading-via-spam-botnet.html

Emotet: Infection vector – Phishing
• Subject
  • “Account blocked”
  • “Package to be delivered”
  • “Expiring subscription”
  • “Invoice” / “Receipt” / “Parchment”
• Signs
  • Unexpected sender address (1)
  • Graphic errors (2)
  • Erroneous info (3)
  • Links to unexpected URL (4)
  • All links pointing to the same URL
  • Generic salutation
  • Use of threats, sense of urgency

Emotet: Macros and PowerShell
Security Magic Blog, July 2018, Emotet Encoded Powershell Observed. URL: https://security5magics.blogspot.com/2018/07/july-emotet-encoded-powershell-observed.html

Emotet: 2nd stage example

Malwareless/Fileless attack
1. Has no identifiable code or signature that allows typical antivirus tools to detect it.
2. Lives in your computer's RAM. Thus, it is also known as memory-based malware.
3. Uses processes that are native to the operating system you are using in order to carry out the attack.
4. May be paired with other types of malware.
5. May be able to circumvent application whitelisting, a process that allows only approved applications to be installed on a machine. Fileless malware takes advantage of approved applications that are already on your system.
Ellen Zhang, What is Fileless Malware (or a Non-Malware Attack)? Definition and Best Practices for Fileless Malware Protection, 2018. URL: https://digitalguardian.com/blog/what-fileless-malware-or-non-malware-attack-definition-and-best-practices-fileless-malware

MITRE ATT&CK Framework
• Globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
• Good learning point about advanced attackers
• Community-driven
• Allows mapping attack steps to named tactics and techniques
• Knowing what is possible in each step facilitates incident analysis and allows planning defenses
• Provides info about
  • Attack tools
  • Threat actor groups
  • Protection strategies (mitigations, detections)
• https://attack.mitre.org/

MITRE ATT&CK Framework (matrix overview)

MITRE ATT&CK example – Emotet
• Reconnaissance: Gather Victim Identity Information – Email Addresses
• Resource Development:
• Initial Access: Phishing – Spearphishing Link
• Execution: Command and Scripting Interpreter – PowerShell
• Persistence: Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder
• Privilege Escalation:
• Defense Evasion: Obfuscated Files or Information, Software Packing
• Discovery: Process Discovery
• Command and Control: Non-Standard Port
• Exfiltration: Exfiltration Over C2 Channel
• Impact: Data Encrypted for Impact

Black box malware analysis

Motivation – Ask the right questions
• What is the scope of compromise? What are the 2nd stage callbacks?
• Communication between a local file server and an unknown IP address in China has been observed. Which process is responsible for the communication?
• Malware is creating temporary files. Where are these files located?
• The malware executable is created again after a system reboot. How is that possible and what is causing it?
• A new type of malware has been spreading through the internal network. How to quickly assess the malware capabilities? What is its purpose? Is it based on any well-known tool?

Black box malware analysis
• Dynamic analysis – the file is executed
• Analysis without internal knowledge of the code: only observable inputs and observable outputs
• Quick, simple
• Common monitoring tools
• Collected indicators: filenames, process names, process parent/child relationships, temporal relationships, domain names, IP addresses, registry keys, persistence methods, cleanup operations etc.
• Can be highly automated

Black box malware analysis – Principle
1. Prepare analysis environment
2.
Create snapshot
3. Run monitoring tools
4. Run malware
5. Collect and observe interactions between malware and VM
6. Restore snapshot
7. Repeat 3–6 as needed

Analysis environment
• Virtual Machine
  • Limited/no connectivity
  • Virtualized services (DNS, HTTP, …) that answer the sample's requests so it keeps running
  • Several VMs for various host types
• Software
  • Monitoring tools
  • Commonly exploited applications, so that samples which target them have something to run against
  • Snapshots(!)
• Risks
  • VM isolation breach (escape to the host)
  • Malware inactivity in VM (sandbox detection)

Tools

Network analysis
• Capturing sent/received packets
• Protocol dissection
• Promiscuous mode
• Tools: Tcpdump, Wireshark, NetworkMiner
• Indicators: domain names, IP addresses, protocols, ports, HTTP parameters
• Q&A: Who is this program communicating with? What reputation does the partner have? What data is exchanged? Is it encrypted or obfuscated?

Network analysis – What to look for
• New established connections – HTTP 80/8080
• Direct connections to IP addresses without a preceding DNS lookup (hard-coded C2 addresses)
• Random domain names (e.g., rpxiodffd.biz)
• Suspicious domain names (e.g., gooogle.org)
• Similarly looking domain names (e.g., osinstall.biz, swinstall.biz, swinstall.com)
• Outgoing port scans
• Ping/DNS request for well-known services – connection availability test
• Be aware of background OS/process activity!

Example – Wireshark

File system
• Observing file accesses and modifications
• Background file manipulation
• Tools: Procmon, Handle
• Indicators: file names, folder names, order of actions, compromise spread through the local system
• Q&A: Where is malware copied after the initial infection? What filenames are used? Where is the collected data stored?
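The snapshot-and-diff step of the procedure above, applied to the file system: take a hash-based inventory of a tree before the sample runs, take another after, and report what was added, modified or deleted, attaching the slide's own heuristics (favourite malware names, dropped scripts, system binary names outside their normal folder). This is an added example, not code from the lecture or the lab materials; the directory layout and the "dropped" files are constructed in a temporary directory to mirror a typical dropper run, and the hash inventory is the same idea Regshot applies to the registry.

```python
"""Regshot-style before/after snapshot diff of a directory tree.

Added example (not from the PV204 slides). The file names and paths in demo()
are constructed to mirror the slide's "what to look for" heuristics.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Heuristics from the slide: known favourite names, script extensions, and
# system binaries that legitimately live only under Windows\System32.
FAVOURITE_NAMES = {"1.exe", "test.exe", "new.exe"}
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".ps1"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = ("windows/system32", "windows/syswow64")


def snapshot(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    root = Path(root)
    shot = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            shot[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return shot


def diff(before, after):
    """Return (added, modified, deleted) relative paths, each sorted."""
    added = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, modified, deleted


def flag(path):
    """Explain why a new/modified path deserves a look, or return None."""
    name = os.path.basename(path).lower()
    lowered = path.lower()
    if name in FAVOURITE_NAMES:
        return "known favourite malware file name"
    if os.path.splitext(name)[1] in SCRIPT_EXTENSIONS:
        return "dropped script file"
    if name in SYSTEM_BINARIES and not any(lowered.startswith(d) for d in SYSTEM_DIRS):
        return "system binary name in an uncommon folder"
    if lowered.startswith("windows/system32/"):
        return "modification inside the system directory"
    return None


def triage(before, after):
    """Run the diff and attach a reason to every path that matches a heuristic."""
    added, modified, deleted = diff(before, after)
    findings = {}
    for p in added + modified:
        reason = flag(p)
        if reason:
            findings[p] = reason
    return {"added": added, "modified": modified, "deleted": deleted, "flagged": findings}


def demo():
    """Constructed scenario: a clean snapshot, then a simulated dropper run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # "Before": the legitimate svchost.exe in its real place and a user document.
        (root / "Windows/System32").mkdir(parents=True)
        (root / "Windows/System32/svchost.exe").write_bytes(b"MZ legit")
        (root / "Users/alice/Documents").mkdir(parents=True)
        (root / "Users/alice/Documents/invoice.doc").write_bytes(b"old")
        before = snapshot(root)

        # "After": what a dropper typically leaves behind (constructed).
        (root / "Temp").mkdir()
        (root / "Temp/svchost.exe").write_bytes(b"MZ not legit")
        (root / "Temp/1.exe").write_bytes(b"MZ dropper")
        (root / "Temp/run.bat").write_bytes(b"@echo off\r\nstart 1.exe\r\n")
        (root / "Users/alice/Documents/invoice.doc").write_bytes(b"macro-laced")
        (root / "Users/alice/Documents/notes.txt").write_bytes(b"harmless")
        after = snapshot(root)
        return triage(before, after)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real analysis VM you would call snapshot() on the drive root right after restoring the clean snapshot and again once the sample has run; the unflagged entries in "added" and "modified" are still worth reading, since the heuristics only prioritise, they do not decide.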
File system – What to look for
• Newly created files and folders, new file names
• Script files (.cmd, .bat, .vbs, .ps1)
• Known favorite malware file names (e.g., 1.exe, test.exe, new.exe)
• Known system file names in uncommon folders (e.g., C:\Temp\svchost.exe; the legitimate svchost.exe lives in C:\Windows\System32)
• Recycler folder used as a hiding place
• Modifications of system files
• Temporary storage files, encrypted archives (data staged for exfiltration)

Example – Procmon

Registry
• Regedit – Windows built-in registry editor
• RegRipper – extracts relevant forensic artifacts from registry hives
• Autoruns – lists all programs set to start after system boot (autostart entry points)

Registry – What to look for
• Well-known locations: autorun locations, task scheduler
• Changes tracking (before/after comparison of the registry)
• Keyword fulltext search: filenames, processes, domain names

Registry – Regedit

Processes
• Observing initial system compromise
• Process parent/child relationships
• Tools: Process Explorer, Procmon
• Indicators: process names, order of execution, dropper activity
• Q&A: What processes are run after the malware binary is executed? Are batch files involved? Are there watcher processes?

Processes – What to look for
• Order of executables: initial malware → dropper/downloader → persistence executable → final malware
• Command line interpreters: cmd.exe, PowerShell, cscript/wscript

Example – Process Explorer

Executable file analysis
• Cryptographic hash
  • One-way hash function: practically impossible to invert, and two different files should not share a hash
  • Unique identification of a file
  • Counter: polymorphism – changing a single byte produces an entirely different hash, so exact-hash matching misses modified variants
  • MD5, SHA1 (both have known collision attacks; prefer SHA-256 for new indicators, but keep MD5/SHA1 for lookups in older databases)
• Fuzzy hash
  • Context triggered piecewise hash (CTPH)
  • Identifies families of similar files
  • ssdeep
• Strings

Example – Strings
Strings extracted from the sample server.exe, with the slide's annotations:
server.exe
AppData
4bcce4de98bcdb4d29f66c0fe1ffe002
hackerhani.no-ip.biz (domain name)
Software\Microsoft\Windows\CurrentVersion\Run (persistence registry key)
Software\
yy-MM-dd
??-??-??
Microsoft Windows
SystemDrive
netsh firewall delete allowedprogram " (command to be executed)
Software
cmd.exe /c ping 0 -n 2 & del " (command to be executed: short delay, then self-deletion)
SEE_MASK_NOZONECHECKS
netsh firewall add allowedprogram " (command to be executed)
Annotations: commands to be executed; domain name; persistence registry key
Sample MD5: 5d347384ea978a96bc842ad9f29e95f2

Analysis

Black box analysis – indicator interpretation
• Network analysis – domain & IP verification, which processes communicate
• Hash comparison – collisions, same-hash files
• Behavior analysis – system processes, created processes, persistence
• File manipulation

Timeline
• A timeline helps understand the logic of a malware sample
• Temporal order of steps
• Intentional waiting (sleep before the payload starts)
• Beaconing intervals
• Advanced sandboxes can build a timeline from multiple tools

Document analysis – Quick insight
• EXIF information
• File metadata
• Document sandboxing
• Document interpretation ambiguity
• Practical examples: double extensions, different content in different viewers, code block obfuscation & hiding

Automated sandbox analysis

Automated sandboxing
1. Execute malware in sandbox
2. Wait 1–2 minutes
3. Receive summary report
4. Investigate report
• Cuckoo, Norman, Anubis etc.

Cuckoo sandbox
• Open source malware analysis system
• Can analyze: Windows executables, DLLs, PDF documents, URLs, HTML files, PHP scripts, Visual Basic scripts, ZIP archives, Python files, etc.
• Modular, scriptable
• Full memory dump (for Volatility Framework)
• Django web interface
• MongoDB (NoSQL) database

Cuckoo – Architecture

Internet sandbox services
• Public service – OpSec issues (whatever you upload or look up is visible to the service, and possibly to the attacker)
• Huge comparison database
  • Exact match by hash
  • Similarity search by keywords
• Malwr.ee (public Cuckoo sandbox)
• Any.run
• ThreatExpert.com
• Hybrid-Analysis.com
• VirusTotal.com

Operational security (OpSec)
• Advanced attackers monitor the victim's actions
  • Unique indicators visible on Google?
  • Attacker host monitoring for incoming traffic
  • Keyword search in mails, PDFs, …
• Basics of OpSec
  • “Think before you act” mentality
  • Limited information sharing
  • Trace removal
  • PassiveTotal.org (passive DNS and WHOIS history: lets you check an indicator without touching the attacker's infrastructure)

OpSec – Basic rules
• No ping
• No DNS lookup
• No accessing suspicious domains
• No premature remediation steps (reboot, antivirus scan, OS reinstall)
• No upload of samples
• No indicator validation on external sources
• NOT EVEN through 3rd parties
Every one of these actions can tell an attacker who watches their own infrastructure, or public sandbox databases, that the intrusion has been noticed.

Anti-sandbox techniques
• Continuous development – sandbox vs. anti-sandbox
• Malware inactive in analysis environment
• Tools presence detection (Wireshark, etc.)
• Virtualization detection
  • Registry (key existence, key value)
  • File system (file existence, drivers)
  • Processes (syscall response)
• Human presence detection
  • Mouse movement
  • Keyboard activity
  • File artefacts (recent documents, browsing history)

Lab

Lab – Overview
• Hands-on experience of manual black-box analysis
• Guided analysis of selected malware samples
• Tools
  • Wireshark – network activity
  • Process Monitor – file system activity, process creation
  • Autoruns – persistence
  • Regshot – registry changes
  • Process Explorer – process map

Lab – Samples
• 2–3 samples from different malware families
• Commodity malware – Zeus, ZeroAccess, generic Trojans, …
• Students will execute samples in the virtual environment
• Provided simple analysis virtual machine (Windows)
• Indicators collected – network, files, persistence
• Discussion about interpretation of facts
• Homework
  • 2 samples for independent analysis
  • Write a cohesive report and present the key information to the reader
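A triage pass over the kind of indicators the lab tools produce, combining the "what to look for" lists for processes, network and timeline: the process parent/child chain from Process Monitor (a script interpreter running under an Office application, the Emotet macro-to-PowerShell pattern), connections from the Wireshark capture that were made to an address no DNS answer ever returned, random-looking domain names, and repeated connections at a near-constant interval (beaconing). This is an added example, not part of the lecture or lab materials; the event lines, process names, PIDs, domain names and addresses are all constructed, and the DGA check is a deliberately crude vowel/consonant heuristic, not a trained classifier.

```python
"""Triage of constructed Procmon-style and Wireshark-style events.

Added example, not from the PV204 slides. All events below are invented.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Process creation events as (time, pid, parent pid, image name), constructed.
PROCESS_EVENTS = [
    ("09:00:01", 4321, 1200, "OUTLOOK.EXE"),
    ("09:00:05", 4400, 4321, "WINWORD.EXE"),
    ("09:00:09", 4412, 4400, "cmd.exe"),
    ("09:00:10", 4420, 4412, "powershell.exe"),
    ("09:00:14", 4455, 4420, "server.exe"),
]
# Network events as (time, kind, detail) in capture order, constructed.
# DNS entries carry the answer ("name -> address"); TCP entries the target.
NET_EVENTS = [
    ("09:00:12", "DNS", "update.microsoft.com -> 13.107.4.50"),
    ("09:00:12", "TCP", "13.107.4.50:443"),
    ("09:00:15", "TCP", "203.0.113.77:8080"),
    ("09:00:16", "DNS", "rpxiodffd.biz -> 198.51.100.9"),
    ("09:01:15", "TCP", "203.0.113.77:8080"),
    ("09:02:15", "TCP", "203.0.113.77:8080"),
    ("09:03:15", "TCP", "203.0.113.77:8080"),
]


def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def suspicious_chains(events):
    """Ancestry chains in which a script interpreter runs under an Office app."""
    name = {pid: proc for _, pid, _, proc in events}
    parent = {pid: ppid for _, pid, ppid, _ in events}
    chains = []
    for _, pid, _, proc in events:
        if proc.lower() not in INTERPRETERS:
            continue
        path, cur = [proc], parent.get(pid)
        while cur in name:            # walk up as far as the log lets us
            path.append(name[cur])
            cur = parent.get(cur)
        if any(p.upper() in OFFICE_APPS for p in path[1:]):
            chains.append(" > ".join(reversed(path)))
    return chains


def unresolved_connections(events):
    """TCP targets contacted without an earlier DNS answer for that address."""
    resolved, hits = set(), []
    for _, kind, detail in events:
        if kind == "DNS":
            resolved.add(detail.split("->")[1].strip())
        elif kind == "TCP":
            ip = detail.rsplit(":", 1)[0]
            if ip not in resolved and detail not in hits:
                hits.append(detail)
    return hits


def random_looking(domain):
    """Crude DGA heuristic on the second-level label: few vowels or long consonant runs."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)
    return vowels / len(letters) < 0.2 or longest >= 4


def beacons(events, min_hits=3, jitter=0.1):
    """Targets contacted repeatedly at a near-constant interval (C2 beaconing)."""
    times = defaultdict(list)
    for ts, kind, detail in events:
        if kind == "TCP":
            times[detail].append(_t(ts))
    found = {}
    for target, ts in times.items():
        if len(ts) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
            found[target] = mid
    return found


def triage(proc_events=PROCESS_EVENTS, net_events=NET_EVENTS):
    """Collect the findings an analyst would carry into the report."""
    dns_names = [d.split("->")[0].strip() for _, k, d in net_events if k == "DNS"]
    return {
        "office_to_interpreter": suspicious_chains(proc_events),
        "no_dns_lookup": unresolved_connections(net_events),
        "random_domains": [n for n in dns_names if random_looking(n)],
        "beacons": beacons(net_events),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Feeding real data in means exporting the Procmon process-create events and the Wireshark DNS/TCP conversations to CSV and mapping the columns onto the tuples above; the OpSec rules still apply to whatever this flags, so resolve the findings through passive sources rather than by contacting them.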
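The static side of the "Executable file analysis" slide in code: extract printable strings the way the strings tool does, classify the interesting ones (dynamic-DNS hostname, Run key, command lines, hash-like identifiers) with the same labels the server.exe slide uses, compute MD5/SHA-1/SHA-256, and then show the polymorphism counter-point by flipping a single byte of padding: every cryptographic hash changes while the string-based indicators stay identical. This is an added example, not code from the lecture; the byte blob is a constructed stand-in for a binary that embeds the strings the slide shows (the hostname is the slide's, nothing is resolved or contacted), and the classification rules are illustrative regular expressions, not a vetted IOC extractor.

```python
"""Strings, hashes and a one-byte variant of a constructed sample.

Added example, not from the PV204 slides. SAMPLE is not a real binary.
"""
import hashlib
import re

# Constructed stand-in for server.exe: a fake MZ header, non-printable padding,
# and the ASCII strings the slide's strings listing shows.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(32)) * 2
    + b"server.exe\x00AppData\x00"
    + b"4bcce4de98bcdb4d29f66c0fe1ffe002\x00"
    + b"hackerhani.no-ip.biz\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b'netsh firewall add allowedprogram "\x00'
    + b'cmd.exe /c ping 0 -n 2 & del "\x00'
    + b"SEE_MASK_NOZONECHECKS\x00yy-MM-dd\x00"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # same idea as `strings -n 4`

# First matching rule wins, so the more specific patterns come first.
INDICATOR_RULES = [
    ("persistence registry key", re.compile(r"\\CurrentVersion\\Run", re.I)),
    ("command to be executed", re.compile(r"^(netsh|cmd\.exe|powershell|wscript|cscript)\b", re.I)),
    ("dynamic-DNS domain", re.compile(r"\b[\w-]+\.(no-ip|dyndns|ddns)\.\w+\b", re.I)),
    ("domain name", re.compile(r"\b[\w-]+(\.[\w-]+)*\.(com|net|org|biz|info|ru|cn)\b", re.I)),
    ("IPv4 address", re.compile(r"\b(\d{1,3}\.){3}\d{1,3}\b")),
    ("hex digest", re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")),
]


def extract_strings(blob):
    """Printable ASCII runs of at least four characters, in file order."""
    return [m.decode("ascii") for m in PRINTABLE.findall(blob)]


def classify(s):
    """Label a string with the first indicator rule it matches, else None."""
    for label, rx in INDICATOR_RULES:
        if rx.search(s):
            return label
    return None


def indicators(blob):
    """Map each string that matched a rule to its label (unclassified ones are dropped)."""
    found = {}
    for s in extract_strings(blob):
        label = classify(s)
        if label:
            found[s] = label
    return found


def hashes(blob):
    """The identifiers you would look up in a comparison database."""
    return {alg: hashlib.new(alg, blob).hexdigest() for alg in ("md5", "sha1", "sha256")}


def patch_one_byte(blob, offset=9, value=0x41):
    """Simulate a polymorphic variant by changing one byte of the padding."""
    variant = bytearray(blob)
    variant[offset] = value
    return bytes(variant)


def compare(original, variant):
    """Exact hashes break on a one-byte change; string-derived indicators survive it."""
    return {
        "same_md5": hashes(original)["md5"] == hashes(variant)["md5"],
        "same_indicators": indicators(original) == indicators(variant),
    }


if __name__ == "__main__":
    for s, label in indicators(SAMPLE).items():
        print(f"{label:28} {s}")
    print(hashes(SAMPLE))
    print(compare(SAMPLE, patch_one_byte(SAMPLE)))
```

On a real file read it with open(path, "rb").read() instead of SAMPLE; the point of compare() is that an exact-hash lookup is defeated by the smallest repack, which is why the slide pairs cryptographic hashes with fuzzy hashes such as ssdeep.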