2. Malware Analysis
Collaboration
Automation
Training
Richard Harman @ ShmooCon IX
3. Richard Harman
● Lead Intrusion Analyst @ SRA, Inc SOC
● Started out as a SysAdmin
● Info Sec Analyst for 8 years
● Member of NoVA Hackers group
● Co-Founder of Nova Labs in Reston, VA
xabean warewolf
richard@richardharman.com
4. Ingredients
● Intro to Malware Analysis & Tools
● Open Source Virtualization
● VM Efficiency & Consistency
● Light-weight VMs & Automating them
● Training – You're Doing It Wrong
7. The Process
1) Baseline System State
2) Monitor & Log System Activity
3) Infect system
4) Suspend, Dump & Terminate Processes
5) Stop Monitoring
6) Review Monitored Activity
7) Compare new state to baseline
8. The Essentials
System Baseline Memory Analysis
● Regshot ● Volatility Framework
● Autoruns
General Analysis Logging / Tracing
● OfficeCat ● OllyDbg & Plugins
● FileInsight ● IDA Pro
● Wireshark ● Procmon
● Didier Stevens's Tools ● Capturebat
9. Front-ends for sweet utilities
Two I use most: Procmon & Autoruns
➔ @DaveHull is working on autorunalyzer on
github.com/davehull/autorunalyzer – .py is a WIP,
.sh version exists
➔ I (@xabean) wrote a Procmon XML processor on
github.com/warewolf/Procmon
20. Copy on Write is an enabler
On shared storage
● Enables live VM migration to another analyst
In a RAM disk (tmpfs)
● Snapshots become REALLY FAST.
● About 1 second! (revert/save, 7 shot test)
Images are only changes – they're small
● Dead-box forensic analysis anyone?
21. CoW (Light-Weight) Disk Clones
in Virtualization Software
● VMware
● Workstation has “linked clones”
● ESX(i) wants VMWare VCenter ($$)
● Xen
● OSS: ?? Commercial: yes?
● VirtualBox
● Linked Clones ala VMWare Workstation
● Libvirt + QEmu
● Libvirt LVM: No, QEmu QCOW2: yes (manual)
22. My Malware Environment
● QEmu/KVM (libvirt)
● Windows disk images in LVM, CoW in RAM
● $ qemu-img create -o
backing_file=/dev/vg/base -o
/tmp/ram/overlay.qcow2
● RAM drive full? VMs auto-pause self!
● MITM “internet” Linux VM
● Apache, iptables -J REDIRECT, dnsmasq, samba
● Apache vhosts of copies of websites – google, etc
● Connected to malware network & public network
23. A cluster, not a cluster- FSCK
Virtualization:
● QEmu/KVM + libvirt for migration
Shared disk access:
● Linux tgtd iSCSI – use gigabit ethernet!
– Clustered LVM for base images
– GFS for CoW storage
● Note: disable cache in tgtd
25. libvirt VM Management
Life cycle management:
● Start / Pause / Stop
● Snapshot management
● Dump VM physical memory
Provisioning Automation:
● Capture “parent” XML config
● Modify & define new VM
26. libguestfs for Guest Management
Guest Disk FS management:
● Supports scripting / automation
● Download & Upload files to guest file system
● Extract analyst data from a standard dir
– C:malwareticket_#* --> upload to IR tracking system
Windows Registry Support:
● Change hostname to prevent NetBIOS name
conflicts on same network
27. Provisioning & Automation
● clone-vm.pl
– Clone an existing VM, generate unique MAC &
UUID, create Copy-On-Write disk image, change
hostname in registry.
● insert-zip.pl & extract-zip.pl
– Insert and extract data
● peek.pl
–Dump physical memory of a VM for analysis
● ksmstat.pl
– Monitor KSM efficiency & CPU usage ala vmstat(1)
29. VM vncreflector
(host:1) vncreflector
FBS
output
(host:99)
FBS VNC video
capture
30. Screencasting & Playback
Screencasting:
● record-vnc.pl to record & screencast
Playback:
● rfbproxy -c -p in inetd
● inetd makes rfbproxy multi-client and self-service
● Shell script to feed rfbproxy VNC videos
● Extra credit: rfbproxy can export to PPM stream
– PPM -> MPEG2 + instructor audio = Training Video
31. What do you have now?
● Consistent analysis VMs w/ efficient resource
use.
● Multi-participant, interactive, live training
sessions.
● Thin-provisioned VM & Acquire analysis data
● Analysis session recorded for future playback
● HQ VNC jukebox (~300MB)
● Medium quality portable MPEG video
(~1.5G)
33. Next Steps...
● Diff pre/post infection of RAM and FS
● Identify injected code/new executables
● Dump, generate signatures, scan, detect variants of
the same sample
● Make this all a web-app; snapshots, file mgmt,
java applet vnc display
● Auto-provision private networks & VMs per
analyst & remote (VPN) access
34. Thank you Jamie!
● @gleeda / http://gleeda.blogspot.com
● Blackbelt in Volatility & EnCase
● Released a Differential EnScript – diff two
versions of the same disk & report on 'em
35. Nova-Labs.org
● Malware Analysis Lab
● Classes on Malware Analysis
/ Reverse Engineering
● Expected to start in April/May
● $$ not yet set (but expected to be cheap)
● Various Malware samples
● Learn, Teach, pass it on!
36. How do I ....
It's all at:
● warewolf.github.com / thin-provisioning
● Automation Code
● Documentation (still working on it)
● Configs for MITM:
– Apache
– dnsmasq
– iptables config
– samba
Notes de l'éditeur
========== WHO AM I
======== OVERVIEW
Target Audience Something for everyone Students and instructors Beginner – getting started Intermediate – working efficiently Advanced – training your peers =========== QUICK SHOW OF HANDS
Show of hands How many never done malware analysis want training been to training taught training =========== LEARNING RESOURCES
Learning resources – Food for your Brain Reversing – Good ASM overview FS Forensics – NTFS chapter really helpful Rest – grab bag of goodness ========== HOW TO GET STARTED
Snapshot known good – app level - not VM snapshot Begin monitoring activity Infect Save volatile info Stop logging Review logs Compare ========== TOOLS
FileInsight – Select & Transform - Inflate JS in PDFs Volatility – Office Doc – nothing dropped, but beaconed! connscan explorer.exe injected ============
I'm a Systems Integrator - Write scripts to speed up processes
Unless necessary, memory generally isn't deduplicated.
Expense of CPU overhead – fit more simliar VMS. GREAT for clones!
KSM – also used in Cyanogenmod Android – not VMs only =========== RAM unmerging – RAM will go into swap.
Unique VM setups Difficult to help each other – they don't understand =================== CLONES.
Centralize VM image Everybody run this image Run Clones NETWORK PROTOCOLS ================= CPU offload benefits R/W STOMPS! HOW TO FIX
Same centralized disk as before, except read only * Export those images to analysts as before * Write changes & snaphots to CoW files * Not just snapshots – a separate file =============== ENABLING PROCESS
Libvirt – I scripted it VMWare Workstation – based on snapshots – parent cna be a “template” VMWare ESXi – can be done, but requires import/export, hand edit of config Xen- ??? =============== MY SETUP
Websites -google, checkip.dyndns.org Samba – IE, flash, java, acrobat QEMU pauses if QCOW2 can't be written to – not a problem for ram drive
ENTIRELY OPTIONAL ============== AUTOMATION Making life easier
Bindings: C/C++, Erlang, Java, OCaml, Perl, Python, Ruby. Hivex for Registry manipulation – kinda sucks. XP hostname hack works through Win8.
More than one person controlling the mouse/keyboard – Paired Reversing =========== TRAINING
