Here is the material from the Malware Analysis for Vets class:

Here is the class video:
https://s3.amazonaws.com/StrategicSec-Videos/2014-01-18+09.16+Malware+Analysis+For+Vets.wmv

Here is the courseware:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Docs/Basic-Malware_Analysis_Labs.docx

Malware Analysis Tools:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/MalwareAnalysisTools.zip

Software you may find useful:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Software.zip

Actual malware (remember to run it in a VM - the password to extract it is 'infected'):
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip


Class virtual machines:

** Linux VM **
https://s3.amazonaws.com/StrategicSec-VMs/Malware.vmwarevm.rar
user: malware
pass: malware

** Windows VM **
https://s3.amazonaws.com/StrategicSec-VMs/Malware_Windows.vmwarevm(1).rar



Malware can only do 4 things:

1. Modify the filesystem
2. Modify the registry
3. Modify processes/services
4. Connect to the Internet/local network

The static triage below is organised around those four: look for file paths, registry keys, process/service APIs and network indicators (imported DLLs, hostnames, IRC commands).

Reverse engineering malware is different - there you look at:
1. Encryption/Obfuscation
2. Payload
3. Programming Style
4. Motive/Intent


Note: If you seriously want to do reverse engineering at work, you need a large sample corpus - the instructor's rule of thumb is at least 10 million samples of malware.

Here is a small database to play with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2
855MB file size - be sure to load it in a VM (the same isolated VM you use for the samples)

Good reference links:
http://www.garykessler.net/library/file_sigs.html <-- file headers (magic bytes)
Things we did to the malware on the Windows VM:
- PEiD
- StudPE
  - saw 'ABC0' as the entry point (EP) section and thought that was strange: compilers normally name it .text, so renamed sections like this are a hint that the sample may be packed
- Hex editor
- Strings (Sysinternals strings.exe)

Open a command prompt:
cd c:\Documents and Settings\Administrator\Desktop\Strings
copy "c:\Documents and Settings\Administrator\Desktop\malware\malware.exe" .
- strings.exe malware.exe | findstr ".dll"
- strings.exe malware.exe | more <-- lets you page through the output by pressing the space bar
- strings.exe malware.exe | findstr "ABC"
  -ABC0
  -ABC1
  -ABC2
  -ABC!
  -ABC^
- strings.exe malware.exe | findstr ".dll"
  We googled ws2_32.dll and found out it is the Windows Sockets (Winsock) DLL, so the sample does networking
- strings.exe malware.exe | findstr "IRC"
- strings.exe malware.exe | findstr "JOIN"
  List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
- strings.exe malware.exe | findstr "ADMIN"
- strings.exe malware.exe | findstr "LIST"
  (findstr is case-sensitive unless you add /I, so "join" would be missed by findstr "JOIN")

Let's check to see if it modifies the registry
- strings.exe malware.exe | findstr "REG"
- strings.exe malware.exe | findstr "HKEY"
We didn't see anything like HKLM, HKCU or other registry strings. (Absence of strings is not proof: a packed sample only reveals them after unpacking, and the odd ABC* section names suggest this one may be packed.)

##############################
# Moving to the Linux system #
##############################
Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging in, open a terminal window and type the following commands:

cd Desktop/


This is actual malware (remember to run it in a VM - the password to extract it is 'infected'):

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget http://www.beenuarora.com/code/analyse_malware.py

unzip malware-password-is-infected.zip
infected                              <-- typed at the "password:" prompt

file malware.exe

mv malware.exe malware.pdf

file malware.pdf                      <-- still reports a PE32 executable: file(1) identifies by magic bytes, not by extension

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
The first two bytes of every MS-DOS/Windows executable (the e_magic field of the DOS header; the initials of Mark Zbikowski). A PE file starts with this DOS header, and the file offset of the real PE header ("PE\0\0") is stored at byte 0x3C.
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe                <-- headers, sections and imports (objdump understands PE files)

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

- We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile

vi analyse_malware.py                 <-- read a third-party script before you run it

python analyse_malware.py malware.exe
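
The strings-and-grep triage above, as an added example that is not part of the class notes and not analyse_malware.py: it pulls printable ASCII and UTF-16LE runs out of a file the way strings(1) does, then buckets the hits the way the grep -i dll / irc / hkey / join commands do. The SAMPLE bytes are constructed here for the demonstration (they are not the class's malware.exe), and the indicator patterns are this example's own choice.

```python
"""Added example: strings(1)-style extraction plus the grep buckets from the notes.
Not the class's code; SAMPLE is a constructed stand-in, not real malware."""
import re

MIN_LEN = 4  # same default minimum run length as strings(1)

# Indicator buckets mirroring the grep -i dll / irc / hkey / join ... commands.
INDICATORS = {
    "dll": re.compile(r"\b[\w.-]+\.dll\b", re.I),
    "irc": re.compile(r"\b(?:NICK|USER|JOIN|PRIVMSG|PING|PONG)\b"),
    "registry": re.compile(r"\b(?:HKEY_[A-Z_]+|HKLM|HKCU|HKU)\b", re.I),
    "url": re.compile(r"\bhttps?://[^\s\"']+", re.I),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """ASCII and UTF-16LE runs of at least min_len printable characters,
    returned as (kind, offset, text) tuples in file order."""
    found = []
    # strings -a: printable 0x20..0x7e plus tab
    for m in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    # Windows binaries carry a lot of UTF-16LE; strings -el would show these
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf16", m.start(), m.group().decode("utf-16le")))
    found.sort(key=lambda t: t[1])
    return found


def triage(data: bytes):
    """Return {'is_mz': bool, bucket: sorted unique hits, ...}."""
    report = {"is_mz": data[:2] == b"MZ"}
    hits = {name: set() for name in INDICATORS}
    for _kind, _off, text in extract_strings(data):
        for name, rx in INDICATORS.items():
            for m in rx.finditer(text):
                hits[name].add(m.group())
    report.update({name: sorted(v) for name, v in hits.items()})
    return report


# Constructed stand-in for a binary: DOS magic, odd section names, a few imports,
# an IRC bot's command strings, a UTF-16 registry path and a URL. Not real malware.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"ABC0\x00\x00\x00\x00ABC1\x00\x00\x00\x00"
    + b"ws2_32.dll\x00KERNEL32.dll\x00ADVAPI32.dll\x00"
    + b"NICK %s\r\nUSER %s 8 * :%s\r\nJOIN #chan\r\nPRIVMSG %s :!admin\r\n"
    + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00http://example.invalid/update.bin\x00"
)

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(f"{bucket:9}: {hits}")
```

The UTF-16 pass is the part the class's plain `strings` runs would miss: registry paths and URLs in Windows binaries are often wide strings, so a clean `grep -i hkey` on ASCII output proves less than it seems.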

Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
infected                              <-- typed at the password prompt
python avsubmit.py --init             <-- creates the sqlite database
python avsubmit.py -f malware.exe -e  <-- records the sample and submits it to online scanners; check --help first, because a submitted sample is shared with third parties



Creating a malware database (mysql)
-----------------------------------
Step 1: Installing the MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server     (the installer prompts for a root password; the class used 'malware')

Step 2: Installing the Python MySQLdb module
Run the following commands in the terminal:

sudo apt-get build-dep python-mysqldb (build-dep needs deb-src lines enabled in /etc/apt/sources.list)
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p                      (enter the root password you set in step 1)

Then create one database by running the following command:

create database malware;


wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py                       (fill in the database connection information)

python mal_to_db.py -i

python mal_to_db.py -i -f malware.exe -u


mysql -u root -p
malware                               <-- the root password, at the prompt

mysql> use malware;

mysql> select id,md5,sha1,sha256,time FROM files;

mysql> quit;
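
What avsubmit.py and mal_to_db.py do for the database step, as an added example in the standard-library sqlite3 (not the class's scripts and not their schema): each sample is stored by md5/sha1/sha256 with its size, magic bytes, first filename and first-seen time, with sha256 as the primary key so re-adding a sample, or the same bytes under another name, is a no-op. The sample bytes are constructed for the demonstration.

```python
"""Added example: a minimal sample catalogue in sqlite3 with hash-based dedupe.
Not the class's avsubmit.py/mal_to_db.py; the schema is this example's own."""
import hashlib
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    sha256     TEXT PRIMARY KEY,
    md5        TEXT NOT NULL,
    sha1       TEXT NOT NULL,
    size       INTEGER NOT NULL,
    magic      TEXT NOT NULL,      -- first 4 bytes as hex, e.g. 4d5a9000 for an MZ file
    first_name TEXT NOT NULL,      -- filename the sample was first seen under
    first_seen INTEGER NOT NULL    -- unix time
);
CREATE INDEX IF NOT EXISTS files_md5 ON files (md5);
"""
COLUMNS = ("sha256", "md5", "sha1", "size", "magic", "first_name", "first_seen")


def init_db(path=":memory:"):
    """Equivalent of 'avsubmit.py --init': open/create the DB and its tables."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def hashes(data: bytes):
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def add_sample(conn, name: str, data: bytes, now=None):
    """Insert one sample; True if it was new, False if already catalogued."""
    h = hashes(data)
    cur = conn.execute(
        "INSERT OR IGNORE INTO files VALUES (?, ?, ?, ?, ?, ?, ?)",
        (h["sha256"], h["md5"], h["sha1"], len(data), data[:4].hex(), name,
         int(now if now is not None else time.time())),
    )
    conn.commit()
    return cur.rowcount == 1   # 0 when the INSERT was ignored as a duplicate


def lookup(conn, digest: str):
    """Find a sample by md5, sha1 or sha256 (the query the notes run by hand)."""
    row = conn.execute(
        "SELECT sha256, md5, sha1, size, magic, first_name, first_seen FROM files "
        "WHERE sha256 = ? OR md5 = ? OR sha1 = ?", (digest, digest, digest)
    ).fetchone()
    return None if row is None else dict(zip(COLUMNS, row))


def count(conn):
    return conn.execute("SELECT COUNT(*) FROM files").fetchone()[0]


if __name__ == "__main__":
    # Constructed stand-ins, not real samples.
    db = init_db()
    blob = b"MZ\x90\x00" + b"A" * 100
    print(add_sample(db, "malware.exe", blob))
    print(add_sample(db, "malware.pdf", blob))   # same bytes, new name: ignored
    print(count(db), lookup(db, hashes(blob)["md5"]))
```

Keying on sha256 rather than filename is the point: the same sample arrives under many names, and md5 alone is collision-prone enough that two different files can share it.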




##############################
# Lesson 32: Setting up Yara #
##############################


sudo apt-get install clamav clamav-freshclam

sudo freshclam                        <-- pulls the ClamAV signature databases into /var/lib/clamav

sudo clamscan                         <-- lower-case (Linux is case-sensitive); with no arguments it scans the current directory

sudo apt-get install libpcre3 libpcre3-dev

wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz

wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz   <-- not used below: the yara-python/ directory inside yara-3.1.0 is the binding that matches this build

tar -zxvf v3.1.0.tar.gz

cd yara-3.1.0/

./bootstrap.sh                        <-- needs autoconf, automake and libtool installed

./configure

make

make check

sudo make install                     <-- if 'yara -v' later complains about libyara.so, run sudo ldconfig

cd yara-python/

python setup.py build

sudo python setup.py install

cd ..

yara -v

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd   <-- unpacks the ClamAV database into the current directory (main.ndb, main.hdb, ...)

python clamav_to_yara.py -f main.ndb -o clamav.yara   <-- converts the hex body signatures in main.ndb into yara rules

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
infected                              <-- typed at the password prompt

mkdir malcode/

mv malware.exe malcode/

vi testrule.yara
----------------
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at the offset stored in the MZ header at 0x3C (e_lfanew)
        uint32(uint32(0x3C)) == 0x00004550
}

rule has_no_DEP
{
    meta:
        description = "DEP is not enabled"

    condition:
        // DllCharacteristics sits 0x5E bytes past the PE signature: 4 (signature)
        // + 20 (COFF header) + 0x46 (its offset in the optional header, the same
        // for PE32 and PE32+). IMAGE_DLLCHARACTERISTICS_NX_COMPAT is 0x0100.
        // The parentheses make the intended grouping explicit.
        IsPE and
        (uint16(uint32(0x3C)+0x5E) & 0x0100) == 0
}

rule has_no_ASLR
{
    meta:
        description = "ASLR is not enabled"

    condition:
        // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is 0x0040
        IsPE and
        (uint16(uint32(0x3C)+0x5E) & 0x0040) == 0
}
----------------
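
The same three checks as testrule.yara, done by hand so the header arithmetic is explicit. This is an added example, not the class's rule file or yara's own code: it builds a minimal PE header inline (constructed, not loadable, not real malware) with a chosen DllCharacteristics value and evaluates IsPE / has_no_DEP / has_no_ASLR against it.

```python
"""Added example: the IsPE, has_no_DEP and has_no_ASLR yara rules re-done in
Python over a constructed PE header. Not the class's code."""
import struct

PE_SIGNATURE = b"PE\0\0"
NX_COMPAT = 0x0100       # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
DYNAMIC_BASE = 0x0040    # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
DLLCHAR_OFF = 0x5E       # from PE signature: 4 (sig) + 20 (COFF) + 0x46 (optional header)


def u16(d, o): return struct.unpack_from("<H", d, o)[0]
def u32(d, o): return struct.unpack_from("<I", d, o)[0]


def is_pe(data: bytes) -> bool:
    """rule IsPE: 'MZ' at 0 and 'PE\\0\\0' at the offset held in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = u32(data, 0x3C)
    # yara's uint32() is undefined past EOF and the rule simply fails; do the same
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def dll_characteristics(data: bytes) -> int:
    e_lfanew = u32(data, 0x3C)
    return u16(data, e_lfanew + DLLCHAR_OFF)


def has_no_dep(data: bytes) -> bool:
    return is_pe(data) and (dll_characteristics(data) & NX_COMPAT) == 0


def has_no_aslr(data: bytes) -> bool:
    return is_pe(data) and (dll_characteristics(data) & DYNAMIC_BASE) == 0


def build_minimal_pe(dllchar: int) -> bytes:
    """Constructed headers only: DOS header with e_lfanew=0x80, a PE32 COFF header
    and a 224-byte optional header carrying the requested DllCharacteristics."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE, 32-bit
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<H", opt, 0x46, dllchar)                    # DllCharacteristics
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (0, NX_COMPAT, DYNAMIC_BASE, NX_COMPAT | DYNAMIC_BASE):
        d = build_minimal_pe(flags)
        print(f"DllCharacteristics=0x{flags:04x}: IsPE={is_pe(d)} "
              f"has_no_DEP={has_no_dep(d)} has_no_ASLR={has_no_aslr(d)}")
```

Working through DLLCHAR_OFF once by hand is worth it: the 0x5E in the rule is not a magic number but 4 + 20 + 0x46, and because the optional header's layout is identical up to that field in PE32 and PE32+, the same rule covers 64-bit samples.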


yara testrule.yara malcode/malware.exe

mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..

yara rules/ malcode/malware.exe       <-- if your yara build refuses a directory as the rules argument, run it once per rules file

wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip

unzip master.zip

cd YaraGenerator-master/

python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"

cat Test-Rule-2.yar

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

yara Test-Rule-2.yar putty.exe        <-- test against a known-good binary: an auto-generated rule that also matches putty.exe is too generic to deploy




####################
# Additional Tasks #
####################

- PE Scanner:
https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py



#####################
# Browser Forensics #
#####################

cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap   <-- rebuilds every session from the pcap into session_*.html/.text files plus an index

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs   <-- protocol hierarchy statistics (-i eth0 and sudo are unnecessary when reading a file with -r)



for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u

(one line per HTTP session: client --> server = Host header)

tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u   <-- NetBIOS names with suffix <20> (file server service)

tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u   <-- suffix <1e> (browser service elections, i.e. the workgroup)

tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'   <-- "who has" ARP requests: which IPs are being looked up, and by whom

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq   <-- distinct source MAC addresses on the wire

tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq   <-- Browser protocol host announcements: hostname per IP

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

Note: tshark 1.10 and later reject -R without -2; use -Y "<filter>" (single-pass display filter) or -2 -R "<filter>" for the commands here.


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn

(domains from the DNS/HTTP output that imitate real sites: check who registered them and when)




tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'   <-- drop the noise (images, stylesheets, known-good sites) to see the redirect chain

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst   <-- responses carrying inline script

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'   <-- one client's requests only, with query strings trimmed unless they start with c, s or e
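
What the tshark/awk and chaosreader pipelines above extract, as an added example that is not part of the class notes, chaosreader or tshark: a minimal libpcap reader that walks Ethernet/IPv4/TCP frames, pulls the request line, Host and User-Agent out of each HTTP request, and produces the same "client -> server : http://host/uri" summary plus a per-host tally. The capture is constructed inline with struct so the example runs offline; the hostnames and addresses in it are made up and nothing in it is suspicious-time.pcap.

```python
"""Added example: a small pcap -> HTTP request summariser. Not the class's code;
the capture is constructed, not real traffic."""
import struct
from collections import Counter
from ipaddress import IPv4Address


def _frames(pcap: bytes):
    """Yield raw link-layer frames from a classic pcap file (either byte order)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def http_requests(pcap: bytes):
    """[(src_ip, dst_ip, method, host, uri, user_agent)] per HTTP request seen.
    Assumes a request fits in one TCP segment (true for most GETs; a real tool
    reassembles streams as chaosreader does)."""
    out = []
    for frame in _frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
        if proto != 6:                                       # not TCP
            continue
        tcp = frame[14 + ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue                                         # responses and non-HTTP data
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        parts = head[0].split(" ")
        method, uri = parts[0], (parts[1] if len(parts) > 1 else "/")
        hdrs = {}
        for line in head[1:]:
            k, _, v = line.partition(":")
            hdrs[k.strip().lower()] = v.strip()
        out.append((src, dst, method, hdrs.get("host", dst), uri, hdrs.get("user-agent", "")))
    return out


def hosts_by_count(requests):
    """Same idea as '... | awk | sort | uniq -c | sort -nr' over chaosreader's index."""
    return Counter(r[3] for r in requests).most_common()


# ---- constructed capture (not real traffic) ---------------------------------
def _tcp_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    reqs = [
        ("10.0.3.15", "192.0.2.10", b"GET /login.php HTTP/1.1\r\nHost: rapidshare.com.example\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
        ("10.0.3.15", "192.0.2.10", b"GET /favicon.ico HTTP/1.1\r\nHost: rapidshare.com.example\r\n\r\n"),
        ("10.0.3.15", "198.51.100.7", b"GET /?e=1 HTTP/1.1\r\nHost: sploitme.example\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
        ("192.0.2.10", "10.0.3.15", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),   # a response: skipped
    ]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for i, (s, d, body) in enumerate(reqs):
        frame = _tcp_frame(s, d, 40000 + i, 80, body)
        pcap += struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)) + frame
    return pcap


if __name__ == "__main__":
    reqs = http_requests(build_sample_pcap())
    for src, dst, method, host, uri, ua in reqs:
        print(f"{src} -> {dst}\t: http://{host}{uri}\t[{ua}]")
    print(hosts_by_count(reqs))
```

The single-segment assumption is the one to remember when a result looks incomplete: a POST with a large body, or a request that straddles two segments, needs TCP reassembly, which is why chaosreader and tshark's follow-stream exist.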


#################################
# Banking Troubles - Volatility #
#################################

cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility                                   <-- no arguments: lists the available plugins (this is the old Volatility 1.3 command syntax)
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem  <-- scans for connection objects, including closed/unlinked ones
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
cd foremost-1.5.7/
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2   <-- carves PDFs out of the process memory dump by header/footer
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf                            <-- only catches /JavaScript written in the clear; hex-escaped names (/J#61vaScript) and compressed streams need pdf-parser



cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf   (the output directory here differs from the one used above; substitute the one you wrote to)
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py -s javascript --raw 00600328.pdf   <-- search objects for the string
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 11 00600328.pdf
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js   <-- --filter decompresses the stream (FlateDecode etc.)

cat malicious.js


*****Sorry - no time to cover javascript de-obfuscation today*****


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out   <-- injected code / hidden DLL regions, dumped into out/
ls out/
python volatility hivescan -f ../hn_forensics.vmem          <-- physical offsets of the registry hives
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon   <-- -o is a hive offset from hivescan; the Winlogon key holds the Userinit/Shell persistence values
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done   <-- which process dumps mention the bank