Learn Learning Malware
A study group around Practical Malware Analysis, Part I
Get the book: http://nostarch.com/malware
Slides for sessions 0, 1, 2 in PDF: http://dfirfiles.net/myslides/
Malware Study Group Session 3 : Chapter 2: VMs for Analysis
- Virtualization technology intro/Q&A
- diff VMWare products, VirtualBox (OSE)
- VMWare: sophisticated family of commercial products, plus the no-cost Player
- VBox: effective free/open-source app, commercial support and add-ons available
- VMWare Tools / VBox Guest Additions
- useful for high-interaction VMs
- carry some risk (they are easy for VM-aware malware to spot), so not always wanted (Cuckoo recommends leaving them out)
- RIP WinXP, welcome Win10
- WinXP is no longer available
- Book samples use WinXP and might misbehave on newer Windows :(
- current Windows product evaluations: Win8 Ent, Win10 Ent
- http://www.microsoft.com/en-us/evalcenter/
- Analysis tools run well on Win8, Win10
- REMNux : “free Linux toolkit for assisting malware analysts with reverse-engineering malicious software”
- Linux VM preconfigured for static and dynamic analysis, comes with all the tools
- Developed and maintained by Lenny Zeltser for FOR610 + community
- https://remnux.org/
- Sandbox and static tools VMs (Remnux): [redacted]
- CS/TS & Abuse
- Security Analysis
- Also mailing:
- Let’s Learn Virt slides
- Blog post, docs on REMnux tools for PE headers
- http://www.aldeid.com/wiki/Pescanner , good overview of pescanner
- https://remnux.org/docs/distro/tools/#statically-examine-pe-files
Malware Study Group Session 4: Dynamic host and network analysis (PMA Chapter 3)
- Sandboxes and malware execution strategy and tactics
- Host tools (Procmon, Procexp, Regshot, CaptureBAT)
- Net tools (ApateDNS, FakeNet, INetSim, netcat/Wireshark)
- Dynamic analysis lab and process
Sandbox examples
- FireEye: what goes ping : very nice, but nothing’s perfect
- Cuckoo: a sandbox assembly toolkit
- Malwr.com: a public Cuckoo instance
Host tools
- Sysinternals
- procexp (show): now with strings, sigcheck (Verified), and VirusTotal integration in v16
- generally very useful for tech and sec work; some features migrated into Windows 8, 10
- procmon (show): capture filters and display filters (like tshark)
- pinned down some sophisticated malware on a Windows server …
- Snapshots
- regshot (show)
- CaptureBAT: can capture deleted files and network traffic with the right options
- memory capture? … with careful timing this can be really useful, but:
- http://cuckoo.readthedocs.org/en/latest/faq/#general-volatility
Network tools
- Network capture
- local capture: ncat … tcpdump, dumpcap ==> Wireshark, Bro IDS
- lab design, leading us to …
- Fake the internet!?
- one protocol or app at a time: ApateDNS
- all at once: INetSim
- bit of both (fig. 3-12)
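The "one protocol at a time" idea, as an added example in Python (not code from the page, the book, or ApateDNS itself): a minimal fake DNS responder that answers every A query with a single sinkhole address, so whatever the sample tries to resolve ends up at a host we control. The sinkhole address (10.0.0.2), the UDP/53 bind, and the sample query bytes are assumptions or constructed here; only A records are faked, other types get an empty NOERROR reply.

```python
"""ApateDNS-style fake DNS responder (added example, not from the page).

Every A query is answered with SINKHOLE_IP so C2 lookups land on a lab host
(e.g. the INetSim VM). Assumed: IPv4 A records only, UDP/53 on the analysis
segment, one question per query. SAMPLE_QUERY is constructed, not captured.
"""
import socket
import struct

SINKHOLE_IP = "10.0.0.2"   # assumed address of the INetSim/listener VM
TTL = 60                   # short TTL so re-pointing the lab takes effect quickly


def parse_query(pkt):
    """Return (txid, qname, qtype, question_section_bytes) from a DNS packet."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                       # compression is not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, pkt[12:pos]


def build_response(query, ip=SINKHOLE_IP):
    """Answer any A query with `ip`; other types get NOERROR with no answer."""
    txid, _qname, qtype, question = parse_query(query)
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100       # copy the RD bit
    flags = 0x8000 | rd | 0x0080                            # QR=1, RA=1, RCODE=0
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # NAME = pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + socket.inet_aton(ip)
    return header + question + answer


def answer_ip(response):
    """Pull the A record address back out of a response (for logging/checks)."""
    _, _, _, question = parse_query(response)
    rr = response[12 + len(question):]
    if len(rr) < 16:
        return None
    return socket.inet_ntoa(rr[12:16])


def build_query(txid, name, qtype=1):
    """Build a plain recursive query; used only to construct the sample input."""
    qname = b"".join(struct.pack("B", len(lab)) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


SAMPLE_QUERY = build_query(0x1234, "update.evil-c2.example")  # constructed, not real traffic


def serve(bind_ip="0.0.0.0", port=53):
    """Listen on UDP and log every name the guest tries to resolve."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, qname, qtype, _ = parse_query(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue                       # malformed packet: ignore, don't crash the lab
        print(f"{peer[0]} asked for {qname} (type {qtype}) -> {SINKHOLE_IP}")
        sock.sendto(build_response(data), peer)


if __name__ == "__main__":
    serve()
```

The logging line is the point: the list of names the sample asks for is often the first useful indicator out of a dynamic run, before any payload is ever fetched. Point the guest's DNS at the host running this (as the session does manually with ApateDNS, checked with nslookup) and keep it on the isolated lab segment only.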
Dynamic analysis
- Science!
- records
- reproducibility
- experiment design : controls and variables, blinds?
- normality and baselines
- try out tools on normal/healthy systems first
- start recording, take an action, stop recording, review recording … repeat
- remember our goals of (safe) malware analysis:
- how bad is this thing?
- what should we do about it?
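The record/act/review loop above, together with the Regshot snapshot step from the host tools list, as an added Python example (not the page's or Regshot's code): hash-based before/after snapshots of a directory tree and the resulting delta. It runs a no-op control first, which is the "baselines" point: if the delta is non-empty with no sample at all, the tooling itself is the noise. The directory tree and the stand-in "sample" are constructed; Regshot additionally covers the registry on Windows, which this portable script does not.

```python
"""Regshot-style before/after snapshot diff of a directory tree (added example).

snapshot -> action -> snapshot -> diff, as in the dynamic analysis loop.
SHA-256 per file, so edits show even when size and mtime do not change.
The lab tree and fake_sample are constructed stand-ins, not a real sample.
"""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map relative path -> sha256 hexdigest for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return snap


def diff(before, after):
    """Sorted added/deleted/modified lists, the three columns Regshot reports."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def run_experiment(root, action):
    """Snapshot, run action(root), snapshot again, return the delta."""
    before = snapshot(root)
    action(root)
    return diff(before, snapshot(root))


def fake_sample(root):
    """Constructed stand-in for a sample: drops a file, edits one, deletes one."""
    with open(os.path.join(root, "Temp", "svchost.exe"), "wb") as f:   # dropped
        f.write(b"MZ" + b"\x90" * 64)
    with open(os.path.join(root, "hosts"), "ab") as f:                  # modified
        f.write(b"\n127.0.0.1 update.example\n")
    os.remove(os.path.join(root, "Temp", "old.log"))                    # deleted


def demo():
    """Build a small tree, run a no-op control and then the sample; return both deltas."""
    root = tempfile.mkdtemp(prefix="lab-")
    try:
        os.mkdir(os.path.join(root, "Temp"))
        with open(os.path.join(root, "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        with open(os.path.join(root, "Temp", "old.log"), "wb") as f:
            f.write(b"nothing to see\n")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"unchanged\n")
        control = run_experiment(root, lambda r: None)   # baseline: nothing should change
        delta = run_experiment(root, fake_sample)
        return control, delta
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    control, delta = demo()
    print("control noise:", control)
    for kind, paths in delta.items():
        for p in paths:
            print(f"{kind:9} {p}")
```

On a real guest the first snapshot goes over the areas the sample is likely to touch (user profile, Temp, System32, the lab folder), and the control run is worth repeating until its delta is empty or at least understood; otherwise the sample's changes hide among the tools' own.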
Next time: Chapter 3 lab samples, volunteers welcome :)
Links:
- sysinternals: https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
- ISC, Didier VirusTotal in ProcExp: https://isc.sans.edu/forums/diary/Process+Explorer+and+VirusTotal/19931/
- Honeynet Project for CaptureBAT: https://www.honeynet.org/node/315
- RE SE, awesome resource: http://reverseengineering.stackexchange.com/
- RegShot archive on GCode: https://code.google.com/p/regshot/
- VT ToS: https://www.virustotal.com/en/about/terms-of-service/
- Sick Anti Forensics Mechanisms in the Wild - YouTube (SANS DFIR)
- video by Alissa Torres / @sibertor https://www.youtube.com/watch?v=adJ_QZxW7Ck
Malware Study Group Session 5: Chapter 3 labs
SN did 3-1 and 3-2, leaving 3-3 and 3-4 for me. Intro:
- dynamic analysis gotchas
- capture filter versus display filter
- Locard's exchange principle: every contact leaves a trace
- monitoring tools change the system they observe
- can "cross the streams"
- try, try again
- snapshots!
- Lab setup review
- set up my XP VM and snapped to Readied state in VMWare Fusion
- ApateDNS manually set and checked with nslookup
- VM network disabled, pretty safe
- 3-3 run-through, focus on Procmon, good for 3-3 (CaptureBAT is not in the book; it is from FOR610)
- review Procmon filters: exclude vmware, lsass … svchost?
- where’d the malware cmd go?
- anything happen in labs folder?
- created file by name, whoo …
- 3-4, ibid
- how many cmd are there?
- anything happen in labs folder?
- answers question 3.4.2 ?
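The Procmon review above (exclude the VM and OS noise, then answer "where did the cmd go", "how many cmd are there", "anything in the labs folder") as an added Python example working over a Procmon CSV export, not the page's or Sysinternals' code. The seven-column layout is assumed to be Procmon's default export ("Time of Day","Process Name","PID","Operation","Path","Result","Detail"); the rows are constructed to have the shape of a lab run and are not a capture of the Chapter 3 samples. svchost is deliberately left out of the exclude list: dropping it from view is exactly how a spawned process goes missing.

```python
"""Triage a Procmon CSV export the way the lab walk-through does (added example).

Assumes Procmon's default export columns. SAMPLE_CSV is constructed: a
sample.exe that drops a file in the lab folder and spawns cmd.exe, which
spawns another cmd.exe. VM tools and lsass rows are the noise to filter.
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","vmtoolsd.exe","1208","RegQueryValue","HKLM\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath","SUCCESS","Type: REG_SZ"
"10:01:03.0","sample.exe","1724","Process Start","","SUCCESS","Parent PID: 1500"
"10:01:03.1","sample.exe","1724","CreateFile","C:\Labs\dropped.dat","SUCCESS","Desired Access: Generic Write"
"10:01:03.2","sample.exe","1724","WriteFile","C:\Labs\dropped.dat","SUCCESS","Offset: 0, Length: 512"
"10:01:03.4","sample.exe","1724","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 1804, Command line: cmd.exe /c dir"
"10:01:03.5","cmd.exe","1804","Process Start","","SUCCESS","Parent PID: 1724"
"10:01:03.6","sample.exe","1724","Process Exit","","SUCCESS","Exit Status: 0"
"10:01:04.0","cmd.exe","1804","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 1820, Command line: cmd.exe"
"10:01:04.1","cmd.exe","1820","Process Start","","SUCCESS","Parent PID: 1804"
"10:01:05.0","lsass.exe","680","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\Lsa","SUCCESS","Type: REG_DWORD"
"10:01:05.5","cmd.exe","1820","CreateFile","C:\Labs\out.txt","SUCCESS","Desired Access: Generic Write"
"10:01:06.0","cmd.exe","1804","Process Exit","","SUCCESS","Exit Status: 0"
""".strip()

NOISE = ("vmware", "vmtoolsd", "lsass")   # exclude list from the session notes (svchost kept)


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def apply_filter(rows, noise=NOISE):
    """Procmon-style exclude filter on the process name column."""
    return [r for r in rows if not any(n in r["Process Name"].lower() for n in noise)]


def process_tree(rows):
    """Map PID -> (name, parent PID) from Process Start rows."""
    tree = {}
    for r in rows:
        if r["Operation"] == "Process Start":
            parent = r["Detail"].split("Parent PID:")[1].strip()
            tree[r["PID"]] = (r["Process Name"], parent)
    return tree


def lineage(tree, pid):
    """Walk parents up to the first process that started before the capture."""
    chain = []
    while pid in tree:
        name, parent = tree[pid]
        chain.append(f"{name}({pid})")
        pid = parent
    return chain


def writes_under(rows, folder):
    """Distinct paths written under folder (WriteFile, or CreateFile with write access)."""
    folder = folder.lower()
    hits = set()
    for r in rows:
        if not r["Path"].lower().startswith(folder):
            continue
        if r["Operation"] == "WriteFile" or (
                r["Operation"] == "CreateFile" and "Generic Write" in r["Detail"]):
            hits.add(r["Path"])
    return sorted(hits)


def count_by_name(rows, name):
    """Distinct PIDs seen under a process name: the 'how many cmd are there' question."""
    return len({r["PID"] for r in rows if r["Process Name"].lower() == name.lower()})


def triage(text=SAMPLE_CSV, lab_folder="C:\\Labs\\"):
    rows = apply_filter(load(text))
    tree = process_tree(rows)
    return {
        "rows_kept": len(rows),
        "tree": tree,
        "lineages": {pid: lineage(tree, pid) for pid in tree},
        "lab_writes": writes_under(rows, lab_folder),
        "cmd_instances": count_by_name(rows, "cmd.exe"),
        "ops": Counter(r["Operation"] for r in rows),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The lineage walk is what answers "where did the malware cmd go": a cmd.exe that appears with no visible parent is usually one whose parent was excluded by the filter or had already exited, so check the tree before trusting the display filter.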
Wrapping up the malware study group:
More malware?
- You’ll need to learn more about processors, assembly, and the OS (Windows?)
- The rest of PMA, and the MAC (Malware Analyst's Cookbook): http://www.malwarecookbook.com/
- http://opensecuritytraining.info/Training.html for classes and links (free)
- FOR610 : Malware analysis and Reversing by Lenny Zeltser (SANS) (tuition)
- many awesome blogs and webcasts: Malware-Traffic-Analysis.net (Brad), Contagio (Mila), Didier Stevens' tools and blog
- IDA Freeware or Hopper .. radare2 (free/cheap for education)
- reversing, debugging, cracking tutorials : Random, Lena (free, malware-ridden)
More study groups?
- Need your topics, votes for next year.
- Vote for something cooler than CISSP prep, or else that’s first up in 2016
- My vote: OSCP labs (or even just WebGoat) for some attack skills (HTID first?)
- Also doing well in polls: Wireshark book
Thank you all for learning with us!
Written on October 20, 2015