Transcript of "Setting Up A Malware Lab"
Robert McArdle ©2016 Setting up a Malware Lab
Today we are going to concentrate on setting up a malware lab.
Setting up a good malware test environment is very important when it comes to analysing malware, so I will give you some tips on how to do this well.
When we are talking about a malware test environment there are 4 essential components:

Malware labs need to be:
• Easy to restore (to revert the changes made by the malware). We need to be able to alter the lab environment, and then reset.
• Have correct analysis tools (be configured with all of your analysis tools pre-installed, for speed of testing)
• Isolated (isolated from infecting clean systems) BUT it must be easy to connect to the internet if needed (most modern malware needs the internet to run)
• Easy to upgrade/manage (easy to add new software, easily extendable, etc). We need to be able to mould the lab to fit the threat. E.g. does it need an IRC server?

Personally I use 2 setups:
• Basic, Portable Lab Setup (for when I'm on the move or carrying out investigations on-site)
• Full Professional Lab Setup (for thorough investigations. Ideally with remote access available)
Basic Lab Setup
• Install a Windows 7 virtual machine (e.g. VMware) on the host machine. Does everyone know what a VM is?
• NOTE: I recommend using 32 bit – as several tools will not run well on 64 bit
• It is also worth setting the patch level of the machine low (to help malware to run), and also disabling any AV and firewalls
• Install all analysis tools and take a snapshot (we'll mention the various tools later in the lecture). This allows you to save the current status of the machine
  • That's very useful for setting up the initial stage of the system, so you can revert to it
  • But also very useful for saving an infected victim machine, so you can reanalyse it later on
• Ensure you can isolate the network (or use host-only networking) BUT can also connect to the internet when needed
• Use an ADSL connection that allows you to change your external IP. Malware can block your IP if it realises you are monitoring it, and then your network is useless.
• Pros
  • Very portable + quick to set up
  • Allows you to run multiple machines on one test machine (limited by RAM)
• Cons
  • Limited setup
  • Having sniffing tools on the victim machine is not ideal
  • Some malware will behave differently if it knows it's running in a virtual machine

Having a portable system is often very useful – you do not always have access to a full lab when you have to analyse a sample – e.g. helping remove malware from a friend's PC, when travelling etc.
Be very careful not to connect your portable lab to a production network -> worms love it when you do that!
Professional Lab Setup
• Multiple VMs of different OSs/patch levels
• Configurable Linux gateway
• Mail/DNS/Web servers
• Again – network must be isolated, but also ensure you can change the external IP address.
• Pros
  • Much more thorough
• Cons
  • More complicated to set up/maintain
  • Requires more RAM or hardware

Let's look at a diagram – note all of these machines are virtual (and all run your analysis tools)
• You could also have older OSs in here such as Windows 95, depending on what you are trying to simulate. Likewise you can have more recent ones – ideally you want to emulate your real environment
• Can also add in other OSs like Mac or smartphone emulators
• Your ideal test network might not be able to incorporate all of this, but at least set up the basic network (and consider adding the gateway)
• Linux gateway helps to prevent infection from Windows malware. REMnux is a good distribution (more in a minute).
• A lot of these machines could be run on the same machine (in fact all of them can if you have enough RAM). E.g. place all victim machines on one physical host, and all gateway/servers on another physical machine. In fact those gateway/server components could all be on one virtual machine.
• Use iptables on the gateway – redirect all SMTP traffic to the mail server so you can analyse spam, HTTP traffic to the web server so that you can fake responses, and use your DNS server so you can lie about DNS results.
• In addition to using virtual machines, use some physical machines as well. If a suspicious file behaves differently in a VM to a physical machine – that is definitely worthy of consideration. To be able to quickly reimage a physical machine I recommend using:
  • dd (http://en.wikipedia.org/wiki/Dd_(Unix))
  • Symantec Ghost (https://www.symantec.com/theme/ghost)
  • Deep Freeze (http://www.faronics.com/standard/deep-freeze/)
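The iptables point above is the heart of the gateway: every SMTP, HTTP and DNS connection a victim opens is silently diverted to your fake servers. As an added example (not from the lecture, and not REMnux's own configuration), the script below generates that rule set for a two-NIC Linux gateway. The interface names (eth1 on the victim side, eth0 towards the internet), the 10.10.10.0/24 lab network and the three server addresses are assumptions for a hypothetical lab; if your fake services run on the gateway itself (INetSim, for instance), point MAIL_IP/WEB_IP/DNS_IP at the gateway's own lab address.

```shell
#!/bin/sh
# Added example, not part of the lecture: generate the iptables rule set for a
# two-NIC Linux gateway (e.g. REMnux) between the isolated victim network and
# the internet. Interface names and addresses are assumed placeholders for a
# hypothetical lab; change them to match yours. If the fake mail/web/DNS
# services run on the gateway itself (e.g. INetSim), set MAIL_IP/WEB_IP/DNS_IP
# to the gateway's own address on the lab network.
LAB_IF="${LAB_IF:-eth1}"            # NIC on the isolated victim network
WAN_IF="${WAN_IF:-eth0}"            # NIC towards the internet (only used with "uplink")
LAB_NET="${LAB_NET:-10.10.10.0/24}" # victim network
MAIL_IP="${MAIL_IP:-10.10.10.20}"   # fake mail server, captures the spam a sample sends
WEB_IP="${WEB_IP:-10.10.10.30}"     # fake web server, serves the responses you choose
DNS_IP="${DNS_IP:-10.10.10.40}"     # fake DNS server, answers whatever you configure

# One DNAT rule: traffic from victims to any host on $1/$2 goes to $3:$4 instead.
redirect_rule() {
    echo "iptables -t nat -A PREROUTING -i $LAB_IF -s $LAB_NET -p $1 --dport $2 -j DNAT --to-destination $3:$4"
}

# Print the complete rule set. With "uplink" as the first argument the rules that
# let non-redirected traffic out through $WAN_IF are added; without it the lab
# stays isolated (FORWARD policy DROP and nothing is forwarded to $WAN_IF).
lab_gateway_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -F"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # SMTP and submission -> fake mail server
    redirect_rule tcp 25 "$MAIL_IP" 25
    redirect_rule tcp 587 "$MAIL_IP" 25
    # HTTP/HTTPS -> fake web server
    redirect_rule tcp 80 "$WEB_IP" 80
    redirect_rule tcp 443 "$WEB_IP" 443
    # DNS over UDP and TCP -> fake resolver
    redirect_rule udp 53 "$DNS_IP" 53
    redirect_rule tcp 53 "$DNS_IP" 53
    # victims may reach each other and the fake servers on the lab segment
    echo "iptables -A FORWARD -i $LAB_IF -o $LAB_IF -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # hairpin: redirected traffic that goes back out on the lab NIC is masqueraded so
    # the fake server replies through the gateway and conntrack can undo the DNAT
    echo "iptables -t nat -A POSTROUTING -o $LAB_IF -s $LAB_NET -j MASQUERADE"
    if [ "${1:-}" = "uplink" ]; then
        # only when you deliberately connect the lab: NAT the remaining traffic out
        echo "iptables -A FORWARD -i $LAB_IF -o $WAN_IF -s $LAB_NET -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAB_NET -j MASQUERADE"
    fi
}

# Usage on the gateway:  sh gateway-rules.sh            (print and review)
#                        sh gateway-rules.sh | sudo sh  (apply, lab isolated)
#                        sh gateway-rules.sh uplink | sudo sh
lab_gateway_rules "$@"
```

The script prints the rules rather than applying them, so the set can be reviewed (and diffed against your lab documentation) before it is piped into a root shell. The default mode never forwards anything to the internet-facing NIC; the "uplink" mode is the deliberate step of connecting the lab, and because the redirect rules come first, SMTP, HTTP and DNS still never leave the lab even then.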
When it comes to what OS to use for the gateway – again people have different preferences.
Personally I am a big fan of the REMnux Linux distribution from Lenny Zeltser. This is a distribution based on Ubuntu and it comes with a lot of very useful analysis tools installed on it. You can download it from http://zeltser.com/remnux/
Some of the features it includes are:
• INetSim
• FakeDNS
• IRC Server
• Paros Proxy
• And a whole pile more
INetSim in particular is very useful – it lets you simulate most web services.
Remember that you will also need 2 physical or virtual NICs on your gateway to be able to act as a bridge between your test network and the internet.
For this course we will not go over REMnux in detail, instead using a suite of tools for Windows called FakeNet. People have varying degrees of exposure to Linux, and it is something that is best learned at your own pace – but I definitely recommend taking a good look at REMnux after the course.
Good article on configuring REMnux: https://countuponsecurity.com/2015/01/13/dynamic-malware-analysis-with-remnux-v5-part-1/
FakeNet-NG is a tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run, allowing the analyst to observe the malware's network activity from within a safe environment.
It allows for things such as intercepting all web and DNS traffic, and replying to the malware with responses of your own choosing.
The project is easy to install and use under Windows. I would advise installing the tool on any malware image you create.
Further info:
https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html (2016 version from FireEye)
http://practicalmalwareanalysis.com/fakenet/ (original version)
VMware is not the only virtual machine – here are some others:
• VMware – http://www.vmware.com
• Parallels – http://www.parallels.com
• VirtualBox – http://www.virtualbox.org/
• QEMU – http://www.qemu.org
• Bochs – http://bochs.sf.net
Be aware that some malware is virtual machine aware, in other words it behaves differently if it detects that it is running in a virtual machine. In those cases the best option is to use a tool such as "Symantec Ghost" or "Deep Freeze", which allows you to quickly reimage physical machines (more expensive on hardware costs though – as you need one machine per image)
• Symantec Ghost – https://www.symantec.com/theme/ghost
• Deep Freeze – http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeEducation.aspx
Let's go through some additional tips for setting up a lab:
Plenty of RAM: When building virtual labs you never can have enough RAM. As a rough estimate allow 1GB for an XP image, 2GB for Windows 7, 512MB for Linux, and 1GB for the physical host
IDS File Checker: Install an IDS (intrusion detection system) file checker on the physical host (e.g. Tripwire). These tools use cryptographic hashes to check if important system files have been modified
USB Keys: Be careful with USB keys that were introduced to the network – treat them as infected as soon as they are used with the malware setup, and then keep them away from clean machines.
Connecting to Internet: Be very careful when connecting the lab network to the Internet – there can be legal issues of launching an attack on another company.
Document Everything: Document your lab setup! No one likes writing documentation, but this is a crucial step in being able to maintain your lab setup
And of course test your lab setup!
• Ensure all machines/images can connect to each other (ping)
• Ensure all machines/images can connect to the Internet
• Ensure the gateway can monitor and manage all traffic
One last thing that may seem obvious – you should not have antivirus software in your test environment! This could prevent your malware from running – at least it should do if it is working correctly!
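The IDS file checker tip above describes what Tripwire does on the physical host: record cryptographic hashes of files once, then compare the current state against that baseline. As an added example (not from the lecture, and not Tripwire itself), here is a minimal POSIX shell version that baselines a directory tree with sha256sum and reports every modified, added or removed file; the directory and baseline paths in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lecture: a minimal Tripwire-style file checker.
# Records the SHA-256 of every regular file under a directory into a baseline and
# later reports files that were modified, added or removed. Needs GNU coreutils
# sha256sum (on macOS substitute "shasum -a 256"). Paths in the usage lines are
# assumptions for a hypothetical lab host.

# integrity_baseline DIR FILE: write "hash  path" lines for every file under DIR.
# Paths are stored relative to DIR and sorted, so two baselines can be diffed.
integrity_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# integrity_check DIR FILE: compare the current state of DIR against baseline FILE.
# Prints one line per difference (MODIFIED/ADDED/REMOVED path) and returns 1 if
# anything differs, 0 if the tree still matches the baseline.
integrity_check() {
    cur=$(mktemp)
    integrity_baseline "$1" "$cur"
    # sha256sum lines are a 64-hex-digit hash, two spaces, then the path (column 67)
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == ARGV[1] { old[p] = h; next }   # first file: the baseline
        { new[p] = h }                             # second file: current state
        END {
            n = 0
            for (p in new) {
                if (!(p in old))           { print "ADDED    " p; n++ }
                else if (old[p] != new[p]) { print "MODIFIED " p; n++ }
            }
            for (p in old) if (!(p in new)) { print "REMOVED  " p; n++ }
            exit (n > 0 ? 1 : 0)
        }' "$2" "$cur"
    status=$?
    rm -f "$cur"
    return $status
}

# Usage (assumed paths):
#   integrity_baseline /usr/local/bin /var/lib/lab/baseline.sha256   # once, on a clean host
#   integrity_check    /usr/local/bin /var/lib/lab/baseline.sha256   # after each analysis session
```

Keep the baseline file somewhere the lab network cannot reach (a read-only USB key or a host outside the lab), since a checker whose baseline can be rewritten by the thing it is checking proves nothing. The awk comparison keys on the relative path, so moving the checked directory does not produce false MODIFIED results, and the exit status makes the function usable directly in a cron job or a post-session checklist script.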
A common question is what tools should you install on your testing images. In a lot of cases this is a matter of personal taste. You will also want to install popular software such as browsers, Office, IM clients and Adobe Reader.
Over this course we will cover many tools that will help you in analysing malware, but I've included a comprehensive list of some very useful ones here in the notes. Those with a [*] should be considered must-haves for any test environment, with others useful depending on your needs.
Setup Advice:
• Hardcode all IP addresses
• Show all file extensions & hidden files
• Disable UAC
• Disable zone checking for all users
• Turn off AV, firewall and automatic updates
• Cmd shortcut on desktop
• Copies of all command line projects in c:\tools\bin which is added to %PATH%
• Install "VMware Tools"
• Once system is set up – take initial snapshots, and save these to a backup location
Standard Software [*]
• Microsoft Office
• Adobe Reader https://get.adobe.com/reader/
• .NET https://www.microsoft.com/net
• Java https://java.com/en/download/
• Python https://www.python.org/
• Microsoft Redistributable Pack https://www.microsoft.com/en-us/download/details.aspx?id=48145
• Chrome & Firefox
• WinRAR
Tools
• System Tools
  • [*] SysInternals Suite: http://technet.microsoft.com/en-us/sysinternals/bb842062 (in particular Process Explorer, Process Monitor, Autoruns, BgInfo, Strings, Streams and TCPView)
  • Trend Micro ATTK https://esupport.trendmicro.com/en-us/home/pages/technical-support/1059509.aspx
• Change Analysis
  • [*] Regshot – https://sourceforge.net/projects/regshot/
  • FileGrab https://sourceforge.net/projects/filegrab/
  • OSForensics http://www.osforensics.com
  • CaptureBat https://www.honeynet.org/node/315
• Anti-Rootkit
  • RootkitBuster – www.trendmicro.com/download/rbuster.asp
  • [*] GMER – http://www.gmer.net/
  • Malwarebytes Anti-Rootkit https://www.malwarebytes.org/antirootkit
  • RootRepeal https://sites.google.com/site/rootrepeal/
  • Tuluka http://www.tuluka.org/
• Static Analysis
  • [*] HashMyFiles http://www.nirsoft.net/utils/hash_my_files.html
  • PEBrowse – http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html
  • Depends – http://www.dependencywalker.com/
  • [*] BinText – http://www.mcafee.com/us/downloads/free-tools/bintext.aspx
  • PEStudio – http://winitor.com/
  • Yara – http://plusvic.github.io/yara/ and https://code.google.com/p/yara-editor
  • PEV http://pev.sourceforge.net/
  • PEFrame https://github.com/guelfoweb/peframe
  • Resource Hacker http://www.angusj.com/resourcehacker/
  • ResourceEditor http://www.resedit.net
  • wxHexEditor https://sourceforge.net/projects/wxhexeditor/
  • HiEW – http://www.hiew.ru/ (try demo version)
  • TrID http://mark0.net/soft-trid-e.html and definitions
• Networking/Investigations
  • [*] Wireshark – www.wireshark.org
  • PuTTY – http://www.putty.org/
  • WinSCP – http://winscp.net/eng/index.php
  • Netcat – http://joncraton.org/files/nc111nt.zip
  • [*] Fport – http://www.mcafee.com/us/downloads/free-tools/fport.aspx
  • Wget – http://gnuwin32.sourceforge.net/packages/wget.htm
  • [*] CapTipper https://github.com/omriher/CapTipper
  • FakeNet-NG https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html
  • [*] Maltego http://paterva.com/web7/
  • TOR https://www.torproject.org/
• Packer Detection
  • [*] Detect It Easy http://ntinfo.biz
  • [*] PEiD – http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml
  • [*] ExeInfo PE – http://exeinfo.atwebpages.com/
  • RDG Soft http://www.rdgsoft.net
  • [*] UPX http://upx.sourceforge.net
  • DensityScout http://cert.at/downloads/software/densityscout_en.html
• Web
  • Firebug – http://getfirebug.com/
  • NoScript – http://noscript.net/
  • Converter, Revelo & JS Deobfuscator http://www.kahusecurity.com/tools/
  • Links to all your favourite online tools
• Mobile
  • JD-GUI – http://jd.benow.ca/
  • Dex2Jar https://code.google.com/p/dex2jar/
• Malicious Documents
  • PDF-ID & PDF-Parser http://blog.didierstevens.com/programs/pdf-tools
  • PeePDF http://eternal-todo.com/tools/peepdf-pdf-analysis-tool
  • OleDump https://blog.didierstevens.com/programs/oledump-py/
  • OfficeMalScanner http://www.reconstructer.org/code.html
• Reverse Engineering Tools
  • IDA Pro Freeware – http://www.hex-rays.com/products/ida/support/download_freeware.shtml
  • OllyDbg – http://www.ollydbg.de/ and plugins:
    • https://low-priority.appspot.com/ollydumpex/
    • https://bitbucket.org/NtQuery/scyllahide
  • Immunity Debugger – http://www.immunityinc.com/products/debugger/
  • LordPE – http://www.aldeid.com/wiki/LordPE
  • .NET Reflector http://gfxmafia.net/red-gate-net-reflector-9-0-1-374-vspro/
  • ILSpector http://il4re.ml/
  • Interactive Delphi Reconstructor http://kpnc.org/idr32/en/
  • API Monitor – http://www.rohitab.com/apimonitor
  • Volatility – https://code.google.com/p/volatility/
  • Memoryze https://www.fireeye.com/services/freeware/memoryze.html
There is one final note I would like to make on malware analysis tools – which is unfortunate – but important to know. Malware analysis tools tend to follow a certain cycle.
1. A lot of the best malware analysis tools are generally free, and created by talented folks as a hobby to give back to the community. Some fall outside this definition such as IDA, or the tools from SysInternals which are maintained by Microsoft
2. Those tools become actively maintained for a good while by that one person. However that person then becomes well known and gets a nice job (rightfully) based on the tool they wrote
3. Person now has less time to maintain the tool due to work commitments and updates become less frequent
4. Person now reaches late 20s/early 30s, gets married/has a kid. Time to work on the tool drops to zero
5. Tool continues to be publicly available with no updates, but as the OS or malware change it becomes less useful
6. Eventually several years later someone will get tired of the old tools being bad, and will write their own replacement tool – and the cycle restarts
Right now the packer detection tool PEiD is around the last stage for example, but other tools we will cover a bit later on in the course are rising to take its place.
NOTE: This long lifetime, and lack of updates of tools – can regularly lead to them needing older versions of certain libraries or coding languages to function. For example it is not uncommon for malware analysts to run older versions of Python (2.X) on their machines just to support older tools and scripts that will never be updated.
Before wrapping up today it's worth pointing out a relatively recent toolset addition from June 2017, FLARE VM from FireEye.
In essence what FireEye have done is to make it easy to install many of the analysis tools we have called out already – SysInternals etc – plus some additional custom scripts from FireEye themselves.
To get set up you simply get your starting VM and run the installer – which takes care of installing many of the tools. Since FLARE VM has come out – I would now recommend first using this on the clean Windows 7 image, and then going back over our tool list to install the other tools that are missing from the package.
More info: https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html
For this week's exercise I advise you to use the tips in this lecture to set up your own personal malware test lab. Of course if you want to you can set up a full blown testing environment with multiple OSs etc, but for now a single virtual machine/physical machine will work fine.
Microsoft have made some Windows VMs available for free (for 90 days) that you download and customise. They are available on https://dev.windows.com/en-us/microsoft-edge/tools/vms/windows/
Also be sure to check the notes for this lecture – as I have included links to additional resources.
MINIMUM SETUP: I would advise at a minimum having a working Windows 7 32-bit OS VM with as many of these tools installed as you can, but especially focus on those I have highlighted with a *. Install the FLARE VM installer too as that can get you set up a bit quicker. Once installed take a VM snapshot of the system to act as a base. Other tools can be added later.
BETTER SETUP: As above, but install all tools listed in these notes. To save you time, I have zipped up all installers and placed them on http://www.robertmcardle.com/Teaching/Modules/Mod3%20-%20Setting%20Up%20%20A%20Malware%20Lab/TOOLS.zip
For now there is no need to look at the more complex setup using tools such as REMnux.