Here is the material from the Malware Analysis for Vets class:

Here is the class video:

https://s3.amazonaws.com/StrategicSec-Videos/2014-01-18+09.16+Malware+Analysis+For+Vets.wmv

Here is the courseware:

https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Docs/Basic-Malware_Analysis_Labs.docx

Malware Analysis Tools:

https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/MalwareAnalysisTools.zip

Software you may find useful:

https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Software.zip

Actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':

https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

Class virtual machines:

** Linux VM **

https://s3.amazonaws.com/StrategicSec-VMs/Malware.vmwarevm.rar

user: malware

pass: malware

** Windows VM **

https://s3.amazonaws.com/StrategicSec-VMs/Malware_Windows.vmwarevm(1).rar

Malware can only do 4 things:

1. Modify the filesystem

2. Modify the registry

3. Modify processes/services

4. Connect to the Internet/local network

Reverse Engineering malware is different:

1. Encryption/Obfuscation

2. Payload

3. Programming Style

4. Motive/Intent

Note: If you seriously want to do Reverse Engineering at work, then you need at least 10 million samples of malware.

Here is a small database to play with:

http://derekmorton.name/files/malware_12-14-12.sql.bz2

855MB file size - be sure to run in a VM

Good reference links:

http://www.garykessler.net/library/file_sigs.html 	<-- file headers

Things we did to the malware on the Windows VM:

- PEID

- StudPE

	- saw 'ABC0' as entry point and we thought that was strange

- Hex Editor

- Strings

Open a command prompt:

cd c:\Documents and Settings\Administrator\Desktop\Strings

copy "c:\Documents and Settings\Administrator\Desktop\malware\malware.exe" .

	- strings.exe malware.exe | findstr ".dll"

	- strings.exe malware.exe | more	<-- let's you page through the data by pressing the space bar

	- strings.exe malware.exe | findstr "ABC"

		-ABC0

		-ABC1

		-ABC2

		-ABC!

		-ABC^

	- strings.exe malware.exe | findstr ".dll"

		We googled ws2_32.dll and found out it does windows sockets

	- strings.exe malware.exe | findstr "IRC"

	- strings.exe malware.exe | findstr "JOIN"

		List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

	- strings.exe malware.exe | findstr "ADMIN"

	- strings.exe malware.exe | findstr "LIST"

Let's check to see if it modifies the registry

	- strings.exe malware.exe | findstr "REG"

	- strings.exe malware.exe | findstr "HKEY"

		We didn't see anything like HKLM, HKCU or other registry type stuff

##############################

# Moving to the Linux system #

##############################

Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging please open a terminal window and type the following commands:

cd Desktop/

This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

wget http://www.beenuarora.com/code/analyse_malware.py

unzip malware-password-is-infected.zip

	infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***

Reference: http://www.garykessler.net/library/file_sigs.html

objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

							- We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join			

strings malware.exe | grep -i admin

strings malware.exe | grep -i list

							- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe

Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:

http://derekmorton.name/files/malware_12-14-12.sql.bz2

Malware Repositories:

http://malshare.com/index.php

http://www.malwareblacklist.com/

http://www.virusign.com/

http://virusshare.com/

http://www.tekdefense.com/downloads/malware-samples/

###############################

# Creating a Malware Database #

###############################

Creating a malware database (sqlite)

------------------------------------

wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip

	infected

python avsubmit.py --init

python avsubmit.py -f malware.exe -e

Creating a malware database (mysql)

-----------------------------------

Step 1: Installing MySQL database

Run the following command in the terminal:

sudo apt-get install mysql-server

Step 2: Installing Python MySQLdb module

Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb

sudo apt-get install python-mysqldb

Step 3: Logging in 

Run the following command in the terminal:

mysql -u root -p					(set a password of 'malware')

Then create one database by running following command:

create database malware;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py -i			(fill in database connection information)

python mal_to_db.py -i

python mal_to_db.py -i -f malware.exe -u

mysql -u root -p

	malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;

##############################

# Lesson 32: Setting up Yara #

##############################

sudo apt-get install clamav clamav-freshclam

sudo freshclam

sudo Clamscan

sudo apt-get install libpcre3 libpcre3-dev

wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz

wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

tar -zxvf v3.1.0.tar.gz

cd yara-3.1.0/

./bootstrap.sh

./configure

make

make check

sudo make install

cd yara-python/

python setup.py build

sudo python setup.py install

cd ..

yara -v

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd

python clamav_to_yara.py -f main.ndb -o clamav.yara

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip

	infected

mkdir malcode/

mv malware.exe malcode/

vi testrule.yara

----------------

rule IsPE

{

meta:

description = "Windows executable file"

condition:

// MZ signature at offset 0 and ...

uint16(0) == 0x5A4D and

// ... PE signature at offset stored in MZ header at 0x3C

uint32(uint32(0x3C)) == 0x00004550

}

rule has_no_DEP

{

meta:

description = "DEP is not enabled"

condition:

IsPE and

uint16(uint32(0x3C)+0x5E) & 0x00100 == 0

}

rule has_no_ASLR

{

meta:

description = "ASLR is not enabled"

condition:

IsPE and

uint16(uint32(0x3C)+0x5E) & 0x0040 == 0

}

----------------

yara testrule.yara malcode/malware.exe

mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..

yara rules/ malcode/malware.exe

wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip

unzip master.zip

cd YaraGenerator-master/

python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"

cat Test-Rule-2.yar

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

yara Test-Rule-2.yar putty.exe

####################

# Additional Tasks #

####################

- PE Scanner:

https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py

http://www.beenuarora.com/code/analyse_malware.py

- AV submission:

http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py

https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:

https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs   

for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u

tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'

tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq

tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

whois rapidshare.com.eyu32.ru

whois sploitme.com.cn

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' 

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'

cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility

python volatility pslist -f ../hn_forensics.vmem

python volatility connscan2 -f ../hn_forensics.vmem

python volatility memdmp -p 888 -f ../hn_forensics.vmem

python volatility memdmp -p 1752 -f ../hn_forensics.vmem

				***Takes a few min***

strings 1752.dmp | grep "^http://" | sort | uniq

strings 1752.dmp | grep "Ahttps://" | uniq -u

cd ..

cd foremost-1.5.7/

foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2

cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/

cat audit.txt

cd pdf

ls

grep -i javascript *.pdf

cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf

/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py -s javascript --raw 00600328.pdf

/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 11 00600328.pdf

/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js

*****Sorry - no time to cover javascript de-obfuscation today*****

cd /home/malware/Desktop/Banking\ Troubles/Volatility/

python volatility files -f ../hn_forensics.vmem > files

cat files | less

python volatility malfind -f ../hn_forensics.vmem -d out

ls out/

python volatility hivescan -f ../hn_forensics.vmem									

python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon	

for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done