Black-box analysis of malware
Vít Bukač
CROCS, Faculty of Informatics, Masaryk University
Supervisor IT Security, CIRT, Honeywell Global Security
PV204 Security Technologies

Black-box analysis of malware – Outline
• Lecture
  1. Incident response
  2. Malware
  3. Black-box principle
  4. Tools
  5. Automatic sandbox analysis
• Hands-on lab
  • Analysis of provided malware samples

Analyzing intrusions

Cyber Incident Response
• Cyber Incident Response
  • “A well-organized effort by which an organization handles a cyberattack, including analysis, containment, remediation and reduction of future risks.”
• Good incident response results in:
  • Lower costs of ongoing cyber incidents
  • Fewer future incidents
• Cyber Kill Chain
  • Each incident goes through certain phases
  • Each phase can only proceed if all previous phases have completed successfully
  • Collecting information about each phase helps detect/prevent future incidents

Cyber Kill Chain
Hutchins, Eric M., Cloppert, Michael J. & Amin, Rohan M. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Leading Issues in Information Warfare & Security Research.

MITRE ATT&CK Framework
• Globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
• Good learning point about advanced attackers
• Will likely replace the kill chain
• https://attack.mitre.org/

Malware

Malware definition
• “Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other intentionally harmful programs. It can take the form of executable code, scripts, active content, and other software.
Malware is defined by its malicious intent, acting against the requirements of the computer user — and so does not include software that causes unintentional harm due to some deficiency.”

Malware types

Malware infection vectors
• Email
  • Link
  • Attachment
  • Link + document download
• Malicious website
  • Drive-by download
• USB
• Cracked software
• Worms

Infection vector – Phishing
• Subject
  • “Account blocked”
  • “Package to be delivered”
  • “Expiring subscription”
  • “Invoice” / “Receipt” / “Payment”
• Signs
  • Unexpected sender address (1)
  • Graphic errors (2)
  • Erroneous info (3)
  • Links to an unexpected URL (4)
  • All links lead to the same URL
  • Generic salutation
  • Use of threats, sense of urgency

Infection vector – Drive-by download

Example – Zeus infection
1. User accesses a fake Facebook page from a phishing link
2. Webpage asks to update Flash Player
3. If the user refuses to install the malicious Flash Player, the Blackhole exploit kit is attempted instead
4. Computer exploited
5. Initial callback to Smoke Loader
6. Downloads Zeus banker trojan
7. Downloads config file
8. User accesses one of the UK banks
9. Zeus monitors and reports on these activities
10. C&C server instructs the bot to steal money
11. Zeus makes the transaction
12. Money is sent to a money mule in the UK
13. Zeus logs the successful transaction, new recipient and amount
14. Money mule takes the money and sends it to the cybercrime gang

Black box malware analysis

Motivation – Ask the right questions
• What is the scope of compromise? What are the 2nd stage callbacks?
• Communication between a local file server and an unknown IP address in China has been observed. What process is responsible for the communication?
• Malware is creating temporary files. Where are these files located?
• The malware executable is created again after system reboot. How is this possible and what is causing it?
• A new type of malware has been spreading through the internal network. How to quickly assess the malware capabilities? What is its purpose? Is it based on any well-known tool?
Black box malware analysis
• Dynamic analysis – the file is executed
• Analysis without internal knowledge
  • Observable inputs
  • Observable outputs
• Quick, simple
  • Common monitoring tools
• Collected indicators about
  • Filenames, process names, process parent/child relationships, temporal relationships, domain names, IP addresses, registry keys, persistence methods, cleanup operations etc.
• Can be highly automated

Black box malware analysis – Principle
1. Prepare analysis environment
2. Create snapshot
3. Run monitoring tools
4. Run malware
5. Collect and observe interactions between malware and VM
6. Restore snapshot
7. Repeat 3-6 as needed

Analysis environment
• Virtual Machine
  • Limited/no connectivity
  • Virtualized services (DNS, HTTP, …)
  • Several VMs for various host types
• Software
  • Monitoring tools
  • Often exploited applications
• Risks
  • VM isolation breach
  • Malware inactivity in VM

Virtual machine snapshot
• Snapshots
  • Saved state of VM
  • Disk state, memory state
  • Quick restoration of previous state

Tools

Network analysis
• Capturing sent/received packets
  • Protocol dissection
  • Promiscuous mode
• Tools
  • tcpdump, Wireshark, NetworkMiner
• Indicators
  • Domain names, IP addresses, protocols, ports, HTTP parameters
• Q&A
  • Who is this program communicating with? What reputation does the partner have? What data is exchanged? Is it encrypted or obfuscated?

Network analysis – What to look for
• New established connections – HTTP 80/8080
• Direct connections to hosts without a preceding DNS lookup
• Random domain names (e.g., rpxiodffd.biz)
• Suspicious domain names (e.g., gooogle.org)
• Similarly looking domain names (e.g., osinstall.biz, swinstall.biz, swinstall.com)
• Outgoing port scans
• Ping/DNS request for well-known services
  • Connection availability test
• Be aware of background OS/process activity!
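The "what to look for" list above can be turned into triage rules that run over a capture. The following is an added example (not part of the lecture or any of the tools it names): the event list is constructed in the spirit of a Wireshark export reduced to one record per DNS answer or outgoing TCP connection, and the brand list, connectivity-probe list and port-scan threshold are assumptions chosen for the demonstration. It flags connections to public addresses that were never resolved in the capture, random-looking and lookalike domain names, families of similar names, and outgoing port scans.

```python
"""Triage of captured network events from the analysis VM (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass
class Event:
    ts: float      # seconds since the capture started
    kind: str      # "dns" = query answered, "tcp" = outgoing connection attempt
    name: str      # queried domain name ("" for tcp events)
    ip: str        # resolved address, or connection destination
    port: int = 0


# Constructed sample capture; domains and addresses are illustrative, not real IoCs.
EVENTS = [
    Event(0.5, "dns", "www.google.com", "203.0.113.10"),   # connectivity test?
    Event(0.6, "tcp", "", "203.0.113.10", 80),
    Event(1.2, "dns", "rpxiodffd.biz", "198.51.100.5"),    # random-looking name
    Event(1.3, "tcp", "", "198.51.100.5", 8080),
    Event(2.0, "tcp", "", "192.0.2.44", 443),              # no DNS lookup first
    Event(3.0, "dns", "gooogle.org", "198.51.100.9"),      # lookalike name
    Event(4.0, "dns", "osinstall.biz", "198.51.100.20"),   # similar-looking family
    Event(4.1, "dns", "swinstall.biz", "198.51.100.21"),
    Event(4.2, "dns", "swinstall.com", "198.51.100.22"),
] + [Event(5 + i / 100, "tcp", "", "10.0.0.7", p)         # outgoing port scan
     for i, p in enumerate(range(20, 35))]

KNOWN_BRANDS = {"google", "microsoft", "facebook", "paypal"}   # assumed list
CONNECTIVITY_PROBES = {"www.google.com"}                      # assumed list
PORTSCAN_THRESHOLD = 10                                       # distinct ports per host


def sld(name):
    """Second-level label, e.g. 'google' for www.google.com."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_rfc1918(ip):
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def looks_random(label):
    """Heuristic for generated names: 4+ consonants in a row, or very few vowels."""
    if re.search(r"[bcdfghjklmnpqrstvwxz]{4}", label):
        return True
    vowels = sum(c in "aeiouy" for c in label)
    return len(label) >= 8 and vowels / len(label) < 0.2


def edit_distance(a, b):
    """Levenshtein distance, used for lookalike and similar-name checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(events):
    f = {"direct_ip": [], "random_name": [], "lookalike": [], "similar_family": [],
         "portscan": [], "connectivity_test": []}
    resolved, ports_by_ip, domains = set(), defaultdict(set), []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "dns":
            resolved.add(e.ip)
            if e.name not in domains:
                domains.append(e.name)
            label = sld(e.name)
            if e.name in CONNECTIVITY_PROBES:
                f["connectivity_test"].append(e.name)
            if looks_random(label):
                f["random_name"].append(e.name)
            brand = next((b for b in sorted(KNOWN_BRANDS)
                          if label != b and edit_distance(label, b) <= 1), None)
            if brand:
                f["lookalike"].append((e.name, brand))
        else:
            ports_by_ip[e.ip].add(e.port)
            # A public address contacted without any DNS answer for it in this capture
            # suggests a hard-coded C&C address (internal scans are covered below).
            if e.ip not in resolved and not is_rfc1918(e.ip) and e.ip not in f["direct_ip"]:
                f["direct_ip"].append(e.ip)
    for ip, ports in ports_by_ip.items():
        if len(ports) >= PORTSCAN_THRESHOLD:
            f["portscan"].append((ip, len(ports)))
    # Group domains whose second-level labels lie within edit distance 2 of each other.
    groups = []
    for d in domains:
        hit = next((g for g in groups if any(edit_distance(sld(d), sld(x)) <= 2 for x in g)), None)
        if hit:
            hit.append(d)
        else:
            groups.append([d])
    f["similar_family"] = [g for g in groups if len(g) >= 3]
    return f


if __name__ == "__main__":
    for key, hits in triage(EVENTS).items():
        print(f"{key:18} {hits}")
```

On the constructed capture the rules report the unresolved 192.0.2.44 connection, rpxiodffd.biz, gooogle.org as a lookalike of google, the osinstall/swinstall family and the 15-port scan against 10.0.0.7; www.google.com is reported only as a possible connectivity test, since the same query is also normal background activity.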
Example – Wireshark

File system
• Observing file accesses and modifications
  • Background file manipulation
• Tools
  • Procmon, Handle
• Indicators
  • File names, folder names, order of actions, spread of the compromise through the local system
• Q&A
  • Where is the malware copied after the initial infection? What filenames are used? Where is the collected data stored?

File system – What to look for
• New file names & folders
  • Newly created files and folders
  • Batch and script files (.cmd, .bat, .vbs, .ps1)
  • Known favorite malware file names (e.g., 1.exe, test.exe, new.exe)
  • Known file names in uncommon folders (e.g., C:\Temp\svchost.exe)
  • Recycler
• Modifications of system files
• Temporary storage files, encrypted archives

Example – Procmon

Registry
• Regedit
  • Windows built-in registry editor
• RegRipper
  • Extracts relevant forensic artifacts from the registry
• Autoruns
  • Lists all programs set to start after system boot

Registry – What to look for
• Well-known locations
  • Autorun locations
  • Task scheduler
• Change tracking
• Keyword full-text search
  • Filenames
  • Processes
  • Domain names

Registry – Regedit

Processes
• Observing initial system compromise
  • Process parent/child relationships
• Tools
  • Process Explorer, Procmon
• Indicators
  • Process names, order of execution, dropper activity
• Q&A
  • What processes are run after the malware binary is executed? Are batch files involved? Are there watcher processes?
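The file-system, registry and process slides above all draw on the same Procmon trace, so one triage script serves all three. This is an added example, not code from the lecture or from Process Monitor: the CSV is constructed, its column layout is assumed to match Procmon's default "Save as CSV" output (Time of Day, Process Name, PID, Operation, Path, Result, Detail), and the system-process and interpreter name lists are assumptions. It reconstructs the parent/child process chain, picks out command-line interpreters and self-deletion commands, lists written files with the reasons they look suspicious, and reports values set under the autorun keys.

```python
"""Triage of a Process Monitor CSV export from the analysis VM (added example)."""
import csv
import io
import ntpath
import re

# Constructed export; paths and key names follow the slides' examples, not real IoCs.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","invoice.exe","1234","CreateFile","C:\Users\lab\AppData\Local\Temp\1.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:01.1000000","invoice.exe","1234","Process Create","C:\Users\lab\AppData\Local\Temp\1.exe","SUCCESS","PID: 2345, Command line: ""C:\Users\lab\AppData\Local\Temp\1.exe"""
"10:00:02.0000000","1.exe","2345","CreateFile","C:\Temp\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:00:02.5000000","1.exe","2345","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Temp\svchost.exe"
"10:00:03.0000000","1.exe","2345","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 3456, Command line: cmd.exe /c ping 0 -n 2 & del ""C:\Users\lab\invoice.exe"""
"10:00:03.2000000","1.exe","2345","CreateFile","C:\Users\lab\AppData\Roaming\run.vbs","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:00:04.0000000","explorer.exe","800","CreateFile","C:\Windows\System32\svchost.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:00:04.5000000","svchost.exe","900","RegQueryValue","HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Example","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Program Files\Example\example.exe"
'''

SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".ps1"}
FAVORITE_NAMES = {"1.exe", "test.exe", "new.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}     # assumed list
INTERPRETERS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
AUTORUN_MARKER = "\\currentversion\\run"       # matches ...\Run and ...\RunOnce


def parse_procmon_csv(text):
    # csv handles the doubled quotes Procmon uses inside quoted fields.
    return list(csv.DictReader(io.StringIO(text.strip())))


def file_flags(path):
    """Reasons a written file deserves a look, per the 'what to look for' slide."""
    name, ext = ntpath.basename(path).lower(), ntpath.splitext(path)[1].lower()
    low, flags = path.lower(), []
    if ext in SCRIPT_EXTS:
        flags.append("script file")
    if name in FAVORITE_NAMES:
        flags.append("known malware filename")
    if name in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        flags.append("system process name outside C:\\Windows")
    if "\\temp\\" in low or "recycle" in low:
        flags.append("temporary/recycler location")
    return flags


def triage(rows):
    f = {"process_tree": [], "interpreters": [], "cleanup": [],
         "dropped_files": [], "file_flags": [], "persistence": []}
    for r in rows:
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        if op == "CreateFile" and ("Generic Write" in detail or "Disposition: Create" in detail):
            f["dropped_files"].append(path)
            f["file_flags"] += [(path, why) for why in file_flags(path)]
        elif op == "RegSetValue" and AUTORUN_MARKER in path.lower():
            m = re.search(r"Data: (.*)$", detail)
            f["persistence"].append((path, m.group(1) if m else ""))
        elif op == "Process Create":
            m = re.search(r"Command line: (.*)$", detail)
            cmdline = m.group(1) if m else ""
            f["process_tree"].append((r["Process Name"], cmdline))   # parent -> child
            first = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split(" ", 1)[0]
            if ntpath.basename(first).lower() in INTERPRETERS:
                f["interpreters"].append(cmdline)
            if re.search(r"\bdel\b", cmdline, re.IGNORECASE):      # dropper removing itself
                f["cleanup"].append(cmdline)
    return f


if __name__ == "__main__":
    for key, hits in triage(parse_procmon_csv(SAMPLE_CSV)).items():
        print(key)
        for h in hits:
            print("   ", h)
```

The benign rows (explorer.exe opening the real svchost.exe for reading, a RegQueryValue on a Run key) are left out by design: only writes and RegSetValue operations are treated as evidence, which is the first filter an analyst applies to a Procmon trace anyway.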
Processes – What to look for
• Order of executables
  • Initial malware
  • Dropper/downloader
  • Persistence executable
  • Final malware
• Command line interpreters
  • cmd.exe
  • PowerShell
  • cscript, wscript

Example – Process Explorer

Executable file analysis
• Cryptographic hash
  • Hash function which is considered practically impossible to invert
  • Unique identification of a file
  • Counter: polymorphism
  • MD5, SHA1
• Fuzzy hash
  • Context triggered piecewise hash
  • Families of files
  • ssdeep
• Strings

Example – Strings
• server.exe
• AppData
• 4bcce4de98bcdb4d29f66c0fe1ffe002
• hackerhani.no-ip.biz (domain name)
• Software\Microsoft\Windows\CurrentVersion\Run (persistence registry key)
• Software\
• yy-MM-dd
• ??-??-??
• Microsoft
• Windows
• SystemDrive
• netsh firewall delete allowedprogram " (command to be executed)
• Software
• cmd.exe /c ping 0 -n 2 & del " (command to be executed)
• SEE_MASK_NOZONECHECKS
• netsh firewall add allowedprogram " (command to be executed)
MD5: 5d347384ea978a96bc842ad9f29e95f2

Analysis

Black box analysis – Indicator interpretation
• Network analysis – domain & IP verification, communicating processes
• Hash comparison
  • Collisions, same-hash files
• Behavior analysis
  • System processes, created processes, persistence
• File manipulation

Document analysis – Quick insight
• EXIF information
  • File metadata
• Document sandboxing
• Document interpretation ambiguity
  • Practical examples
  • Double extensions, different content in different viewers, code block obfuscation & hiding

Automated sandbox analysis

Automated sandboxing
• Automated
  1. Execute malware in sandbox
  2. Wait a few seconds
  3. Receive summary report
  4. Investigate report
• Non-interactive
• Known tools
  • Cuckoo, Norman, Anubis etc.

Cuckoo sandbox
• Open source malware analysis system
• Can analyze
  • Windows executables, DLLs, PDF documents, URLs, HTML files, PHP scripts, Visual Basic scripts, ZIP archives, Python files, etc.
• Modular, scriptable
• Full memory dump (for the Volatility Framework)
• Django web interface
• Mongo (NoSQL) database

Cuckoo – Architecture

Cuckoo – GUI

Internet sandbox services
• Public service
  • OpSec issues
• Huge comparison database
  • Exact match by hash
  • Similarity search by keywords
• Malwr.com (public Cuckoo sandbox)
• VirusTotal.com
• ThreatExpert.com
• Hybrid-Analysis.com

Operational security (OpSec)
• Advanced attackers monitor the victim’s actions
  • Unique indicators visible on Google?
  • Attacker host monitoring for incoming traffic
  • Keyword search in mails, PDFs, …
• Basics of OpSec
  • “Think before you act” mentality
  • Limited information sharing
  • Trace removal
  • PassiveTotal.org

OpSec – Basic rules
• No ping
• No DNS lookup
• No accessing suspicious domains
• No premature remediation steps (reboot, antivirus scan, OS reinstall)
• No upload of samples
• No indicator validation on external sources
• NOT EVEN through 3rd parties

Anti-sandbox techniques
• Continuous development – sandbox vs. anti-sandbox
• Malware inactive in the analysis environment
• Tools presence detection (Wireshark, etc.)
• Virtualization detection
  • Registry (key existence, key value)
  • File system (file existence, drivers)
  • Processes (syscall response)
• Human presence detection
  • Mouse movement
  • Keyboard activity
  • File artefacts

Lab

Lab – Overview
• Hands-on experience of manual black-box analysis
• Guided analysis of selected malware samples
• Tools
  • Wireshark – Network activity
  • Process Monitor – File system activity, process creation
  • Autoruns – Persistence
  • Regshot – Registry changes
  • Process Explorer – Process map

Lab – Samples
• 2-3 samples from different malware families
  • Commodity malware – Zeus, ZeroAccess, generic Trojans, …
• Students will execute samples in a virtual environment
  • Provided simple analysis virtual machine (Windows)
• Indicators collected – network, files, persistence
• Discussion about interpretation of the facts
• Homework
  • 2 samples for independent analysis
  • Write a cohesive report and present the key information to the reader