Learn Learning Malware

A study group around Practical Malware Analysis, Part I

Get the book: http://nostarch.com/malware

Slides for sessions 0, 1, 2 in PDF: http://dfirfiles.net/myslides/

Malware Study Group Session 3 : Chapter 2: VMs for Analysis

  • Virtualization technology intro/Q&A
    • diff VMWare products, VirtualBox (OSE)
      • VMWare: sophisticated family of commercial products, nocost player
      • VBox: effective free/opensource app, commerical support and addons available
    • VMWare tools / VBox extensions
      • useful for high interaction VMs
      • carry some risk, so not always wanted (Cuckoo)
  • RIP WinXP, welcome Win10
    • WinXP is no longer available
      • Book samples use WinXP and might misbehave on newer windows :(
    • current Windows product evaluations: Win8 Ent, Win10 Ent
      • http://www.microsoft.com/en-us/evalcenter/
    • Analysis tools run well on Win8,Win10
  • REMNux : “free Linux toolkit for assisting malware analysts with reverse-engineering malicious software”
    • Linux VM preconfigured for static,dynamic analysis -> comes with all the tools
    • Developed and maintained by Lenny Zeltser for FOR610 + community
    • https://remnux.org/
  • Sandbox and static tools VMs (Remnux): [redacted]
    • CS/TS & Abuse
    • Security Analysis
  • Also mailing:
    • Let’s Learn Virt slides
    • Blog post, docs on Remnux tools for peheaders
      • http://www.aldeid.com/wiki/Pescanner , good overview of pescanner
      • https://remnux.org/docs/distro/tools/#statically-examine-pe-files


Dynamic host and network analysis (PMA Chapter 3)

  • Sandboxes and malware execution strategy and tactics
  • Host tools (procmon, procexp, regshot, captureBAT)
  • Net tools ( apateDNS, fakenet, inetsim, netcat/wireshark )
  • Dynamic analysis lab and process

Sandbox examples

  • FireEye: what goes ping : very nice, but nothing’s perfect
  • Cuckoo : a sandbox assembly toolkit
    • Malwr.com: a public Cuckoo instance

Host tools

  • Sysinternals
    • procexp (show) : now with strings, sigcheck (Verified), and VT integration in v16
      • generally very useful for tech and sec, some features migrated into 8,10
    • procmon (show) : capture filters and display filters (like tshark)
      • pinned down some sophisticated malware on a windows server …
  • Snapshots
    • regshot (show)
    • capture BAT : can get deleted files, network traffic with options
    • memory capture? … with careful timing this can be really useful, but:
      • http://cuckoo.readthedocs.org/en/latest/faq/#general-volatility

Network tools

  • Network capture
    • local capture : ncat … tcpdump, dumpcap ==> Wireshark, Bro IDS
    • lab design , leading us to …
  • Fake the internet!?
    • one protocal or app at a time : apateDNS
    • all at once : InetSim
    • bit of both (fig. 3-12)

Dynamic analysis

  • Science!
    • records
    • reproducibility
    • experiment design : controls and variables, blinds?
  • normality and baselines
    • try out tools on normal/healthy systems first
    • start recording, take an action, stop recording, review recording … repeat
  • remember our goals of (safe) malware analysis:
    • how bad is this thing?
    • what should we do about it?

Next time Chp3 lab samples, volunteers welcome :)

  • sysinternals: https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
  • ISC, Didier VirusTotal in ProcExp: https://isc.sans.edu/forums/diary/Process+Explorer+and+VirusTotal/19931/
  • Honeynet Project for CaptureBAT: https://www.honeynet.org/node/315
  • RE SE, awesome resource: http://reverseengineering.stackexchange.com/
  • RegShot archive on GCode: https://code.google.com/p/regshot/
  • VT ToS: https://www.virustotal.com/en/about/terms-of-service/
  • Sick Anti Forensics Mechanisms in the Wild - YouTube (SANS DFIR)
  • video by Alissa Torres / @sibertor https://www.youtube.com/watch?v=adJ_QZxW7Ck


SN did 3-1 and 3-2 , leaving 3-3 and 3-4 for me .. intro

  • dynamic analysis gotchas
    • capture filter versus display filter ..
    • Locard’s principle of exchange
      • monitoring tools change the system
      • can “cross the streams”
    • try try again
      • snapshots!
  • Lab setup review
    • set up my XP vm and snapped to Readied state in VMWare Fusion .
    • Apate DNS manually set and checked with nslookup
    • VM network disabled .. pretty safe
  • 3-3 run through .. focus on procmon, good for 3-3 (CaptureBAT is not in book, is from 610)
    • review procmon filters : filter vmware, lsass … svchost ?
    • where’d the malware cmd go?
    • anything happen in labs folder?
      • created file by name, whoo …
  • 3-4 , ibid
    • how many cmd are there?
    • anything happen in labs folder?
      • answers question 3.4.2 ?

Wrapping up the malware study group:

More malware?

  • You’ll need to learn more about processors, assembly, and the OS (Windows?)
  • The rest of PMA, and the MAC : http://www.malwarecookbook.com/
  • http://opensecuritytraining.info/Training.html for classes and links (free)
  • FOR610 : Malware analysis and Reversing by Lenny Zeltser (SANS) (tuition)
  • many awesome blogs and webcasts : MTA (Brad), Contagio (Mila), Didier’s tools, blog
  • IDA Freeware or Hopper .. radare2 (free/cheap for education)
  • reversing, debugging, cracking tutorials : Random, Lena (free, malware-ridden)

More study groups?

  • Need your topics, votes for next year.
  • Vote for something cooler than CISSP prep, or else that’s first up in 2016
  • My vote: OSCP labs (or even just WebGoat) for some attack skills (HTID first?)
  • Also doing well in polls: Wireshark book

Thank you all for learning with us!

Written on October 20, 2015