Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Malware Analysis Free
Toolbox
RMLL - Montpellier - July 2014 - Xavier Mertens
TrueSec
$ whoami
• Xavier Mertens (@xme)	

!
• Consultant @ day	

!
• Blogger, Hacker @ night	

!
• BruCON co-organizer
2
TrueSec
$ cat ~/.profile
• I like (your) data	

• Offensive / defensive security	

• Security visualization	

• I like to p...
TrueSec
$ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
...
TrueSec
Agenda
• Introduction	

• Build your lab	

• Automate	

• Conclusions
5
TrueSec
Why This Talk?
6
TrueSec
Don’t expect this!
7
TrueSec
Today’s Facts
8
29.122.849	

unique malicious objects: scripts, web pages, exploits,
executable files, etc.	

81.73...
TrueSec
Sources
9
• My spam folder (rootshell.be has been
registered in 2001)	

• Torrents (Keygens)	

• P0rn sites	

• Yo...
TrueSec
Motivations
10
• Plenty of material	

• To improve our security (integration with
other tools)	

• Because I’m laz...
TrueSec 11
“APT”	

VS	

“BPT”
The AttackVector
TrueSec
Analysis
12
TrueSec
Be Dynamic
13
• Execute the malware in a safe environment
and watch what it does	

• Goals	

• Understand how malw...
TrueSec
We Need “IOC”!
14
TrueSec
We Need “IOC”!
15
• Hashes	

• IP addresses	

• Domain names	

• Files	

• Registry keys	

• URLs
Share!
TrueSec
Today’s Market
16
• A niche market	

• Big players

(read: $$$)	

• Integrated into an existing platform

(Many 2....
TrueSec
An Attack in 5 Steps
17
	

 	

 	

 	

 	

 	

 	

 	

 	

 	

 Persistence	

	

 	

 	

 	

 	

 	

 	

 	

 	

 ...
TrueSec
The Patient “0”
18
The index case or primary case is the initial

patient in the population of an epidemiological
...
TrueSec
Agenda
• Introduction	

• Build your lab	

• Automate	

• Conclusions
19
TrueSec
Requirements
20
• Free (because we are @ RMLL!)	

• Virtualized (easy & snapshots)	

• Open (to interconnect with ...
TrueSec
Cuckoo
21
• Dynamic code analysis framework
developed in Python	

• “Python” means “open, modular, easy to
modify”...
TrueSec
Features
22
• Automation	

• Capture data	

• API calls	

• Network traffic	

• Screenshots	

• Filesystem / Regist...
TrueSec
Cuckoo
23
TrueSec
Architecture
24
TrueSec
Setup
25
TrueSec
Basic Installation
26
• VirtualBox (recommended)	

• Lot of Python lib dependencies	

• Recommended platform: Ubun...
TrueSec
We Need Intertubes
27
• Use Host-only networking withVirtualbox	

• Connect to the world
# sysctl -w net.ipv4.ip_f...
TrueSec
“Your” Sandbox
28
• Windows XP SP3 or Windows 7 SP1 32bits	

• Acrobat Reader, M$ Office, Browsers	

• Generate som...
TrueSec
VM Hardening
29
• VM must be “vulnerable” but hardened
against anti-VM detection	

• http://github.com/markedoe/cu...
TrueSec
Attack of the Clones
30
TrueSec
Demo!
31
TrueSec
Agenda
• Introduction	

• Build your lab	

• Automate	

• Conclusions
32
TrueSec
Automation
33
Cuckoo is a nice tool to analyse files on
demand but some automation will be helpful to
detect more s...
TrueSec
Bro IDS
34
• Bro is a powerful network analysis
framework. Bro is not only a IDS	

• Bro comes with analysers for ...
TrueSec
Bro Scripting
35
Bro has a simple and

powerful scripting

language.All the

output generated by

Bro is based on
...
TrueSec
Extract Those Files!
36
• Bro can extract files from network streams
and save them on the file system	

• There is a...
TrueSec
Extract Those Files!
37
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
} &default ...
TrueSec
Juicy Files
38
application/x-dosexec
application/vnc.ms-cab-compressed
application/pdf
application/x-shockware-fla...
TrueSec
And URLs?
39
• Extracting URLs from network?	

• Flood! (“HTTP is the new TCP”)	

• Analysing one-time URLs may br...
TrueSec
Sniff!
40
# cd /tools/bro/logs
# vi extract.bro
# mkdir extract_files
# ../bin/bro -i eth1 extract.bro
listening o...
TrueSec
Feed Cuckoo!
41
# cd /tools/bro/logs/extract_files
# inotifywait -m -q -e create —format %f . |
while read F
do
ca...
TrueSec
Want Data?
42
• Cuckoo has a REST API	

• Useful to automate even more
TrueSec
Get results!
43
# curl http://localhost:8090/tasks/list
# curl http://localhost:8090/tasks/view/10
# curl http://l...
TrueSec
Extract IOC’s
44
#curl -s http://localhost:8090/tasks/report/2/json | 
python extract-domains.py
premiercrufinewin...
TrueSec
Feed OSSEC
45
• Create CDB lists (“active lists”)	

<ossec_config>

<rules>
<list>lists/baddomains.cdb</list>
<lis...
TrueSec
Correlate
46
<rule id=“99001” level=“10”>
<decoded_as>bind9</decoded_as>
<list field=“url”>lists/baddomains</list>...
TrueSec
Agenda
• Introduction	

• Build your lab	

• Automate	

• Conclusions
47
TrueSec
Conclusions
48
TrueSec
Conclusions
49
• We don’t have time to handle such amount
of data!	

• Know your Enemy!	

• Correlate your logs wi...
TrueSec
Thank you!	

@xme	

xavier@truesec.be	

http://blog.rootshell.be	

https://www.truesec.be
50
Prochain SlideShare
Chargement dans…5
×

Malware Analysis Using Free Software

3 940 vues

Publié le

How to build a malware analysis toolbox usinf free software

Publié dans : Technologie
  • DOWNLOAD FULL BOOKS INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici

Malware Analysis Using Free Software

  1. 1. Malware Analysis Free Toolbox RMLL - Montpellier - July 2014 - Xavier Mertens
  2. 2. TrueSec $ whoami • Xavier Mertens (@xme) ! • Consultant @ day ! • Blogger, Hacker @ night ! • BruCON co-organizer 2
  3. 3. TrueSec $ cat ~/.profile • I like (your) data • Offensive / defensive security • Security visualization • I like to play! 3
  4. 4. TrueSec $ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.” 4
  5. 5. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 5
  6. 6. TrueSec Why This Talk? 6
  7. 7. TrueSec Don’t expect this! 7
  8. 8. TrueSec Today’s Facts 8 29.122.849 unique malicious objects: scripts, web pages, exploits, executable files, etc. 81.736.783 unique URLs were recognized as malicious by web antivirus. Q1 2014 (source: Kaspersky Security Network)
  9. 9. TrueSec Sources 9 • My spam folder (rootshell.be has been registered in 2001) • Torrents (Keygens) • P0rn sites • You & me!
  10. 10. TrueSec Motivations 10 • Plenty of material • To improve our security (integration with other tools) • Because I’m lazy! (automation) • Because it’s fun!
  11. 11. TrueSec 11 “APT” VS “BPT” The AttackVector
  12. 12. TrueSec Analysis 12
  13. 13. TrueSec Be Dynamic 13 • Execute the malware in a safe environment and watch what it does • Goals • Understand how malwares work • Get IOC’s
  14. 14. TrueSec We Need “IOC”! 14
  15. 15. TrueSec We Need “IOC”! 15 • Hashes • IP addresses • Domain names • Files • Registry keys • URLs Share!
  16. 16. TrueSec Today’s Market 16 • A niche market • Big players
 (read: $$$) • Integrated into an existing platform
 (Many 2.0 or NG firewalls)
  17. 17. TrueSec An Attack in 5 Steps 17 Persistence Exploit Plan a Backdoor Initial intrusion Reconnaissance Pwned!
  18. 18. TrueSec The Patient “0” 18 The index case or primary case is the initial
 patient in the population of an epidemiological
 investigation (Source:Wikipedia)
  19. 19. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 19
  20. 20. TrueSec Requirements 20 • Free (because we are @ RMLL!) • Virtualized (easy & snapshots) • Open (to interconnect with other tools) • Automatization
  21. 21. TrueSec Cuckoo 21 • Dynamic code analysis framework developed in Python • “Python” means “open, modular, easy to modify” • Based on the classic “sandboxing” system
  22. 22. TrueSec Features 22 • Automation • Capture data • API calls • Network traffic • Screenshots • Filesystem / Registry operations • Memory dump • Reporting in many formats
  23. 23. TrueSec Cuckoo 23
  24. 24. TrueSec Architecture 24
  25. 25. TrueSec Setup 25
  26. 26. TrueSec Basic Installation 26 • VirtualBox (recommended) • Lot of Python lib dependencies • Recommended platform: Ubuntu • Ninja mode: OSX
  27. 27. TrueSec We Need Intertubes 27 • Use Host-only networking withVirtualbox • Connect to the world # sysctl -w net.ipv4.ip_forward=1 # iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.1.0/24 -m conntrack -ctstate NEW -j ACCEPT # iptables -A FORWARD -m conntrack -ctstate ESTABLISHED,RELATED -j ACCEPT # iptables -A POSTROUTING -t nat -j MASQUERADE OSX Ninja?Visit http://goo.gl/aEM7gO
  28. 28. TrueSec “Your” Sandbox 28 • Windows XP SP3 or Windows 7 SP1 32bits • Acrobat Reader, M$ Office, Browsers • Generate some content (cookies, browsers history) • Install the Cuckoo agent • Disable all security features!
  29. 29. TrueSec VM Hardening 29 • VM must be “vulnerable” but hardened against anti-VM detection • http://github.com/markedoe/cuckoo- sandbox • https://github.com/a0rtega/pafish
  30. 30. TrueSec Attack of the Clones 30
  31. 31. TrueSec Demo! 31
  32. 32. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 32
  33. 33. TrueSec Automation 33 Cuckoo is a nice tool to analyse files on demand but some automation will be helpful to detect more suspicious stuff!
  34. 34. TrueSec Bro IDS 34 • Bro is a powerful network analysis framework. Bro is not only a IDS • Bro comes with analysers for many protocols which allow processing at layer-7 • http://bro.org
  35. 35. TrueSec Bro Scripting 35 Bro has a simple and
 powerful scripting
 language.All the
 output generated by
 Bro is based on
 scripts!
  36. 36. TrueSec Extract Those Files! 36 • Bro can extract files from network streams and save them on the file system • There is an “extraction” analyzer to perform this task
  37. 37. TrueSec Extract Those Files! 37 global ext_map: table[string] of string = { ["application/x-dosexec"] = "exe", } &default =""; ! event file_new(f: fa_file) { local ext = “data"; ! if ( f?$mime_type ) ext = ext_map[f$mime_type]; ! local fname = fmt("%s-%s.%s",
 f$source, f$id, ext); Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
 [$extract_filename=fname]); }
  38. 38. TrueSec Juicy Files 38 application/x-dosexec application/vnc.ms-cab-compressed application/pdf application/x-shockware-flash application/x-java-applet application/jar application/zip
  39. 39. TrueSec And URLs? 39 • Extracting URLs from network? • Flood! (“HTTP is the new TCP”) • Analysing one-time URLs may break some tools (think about password recovery)
  40. 40. TrueSec Sniff! 40 # cd /tools/bro/logs # vi extract.bro # mkdir extract_files # ../bin/bro -i eth1 extract.bro listening on eth1, capture length 8192 bytes
  41. 41. TrueSec Feed Cuckoo! 41 # cd /tools/bro/logs/extract_files # inotifywait -m -q -e create —format %f . | while read F do case “${F##*.}” in “zip|exe|doc|dll|jar|msi”) /tools/cuckoo/utils/submit.py $F esac done
  42. 42. TrueSec Want Data? 42 • Cuckoo has a REST API • Useful to automate even more
  43. 43. TrueSec Get results! 43 # curl http://localhost:8090/tasks/list # curl http://localhost:8090/tasks/view/10 # curl http://localhost:8090/tasks/report/10 # curl http://localhost:8090/files/view/md5/xxxxxx !
  44. 44. TrueSec Extract IOC’s 44 #curl -s http://localhost:8090/tasks/report/2/json | python extract-domains.py premiercrufinewine.co.uk 188.65.114.122 fidaintel.com 216.224.182.75
  45. 45. TrueSec Feed OSSEC 45 • Create CDB lists (“active lists”) <ossec_config>
 <rules> <list>lists/baddomains.cdb</list> <list>lists/badips.cdb</list> </rules> </ossec_config> • Populate them • Re-generate them
 /var/ossec/bin/ossec-makelists
  46. 46. TrueSec Correlate 46 <rule id=“99001” level=“10”> <decoded_as>bind9</decoded_as> <list field=“url”>lists/baddomains</list> <description>DNS query: malicious domain</description> </rule>
  47. 47. TrueSec Agenda • Introduction • Build your lab • Automate • Conclusions 47
  48. 48. TrueSec Conclusions 48
  49. 49. TrueSec Conclusions 49 • We don’t have time to handle such amount of data! • Know your Enemy! • Correlate your logs with external content
  50. 50. TrueSec Thank you! @xme xavier@truesec.be http://blog.rootshell.be https://www.truesec.be 50

×