Chapter 2. Malware Analysis in VMs
Grading (if you scored / you earned at least)
- 85%: A-
- 70%: B-
- 55%: C-
Undergrad/Grad
- Some homework later in the course will be distributed to graduate students (research-oriented): CS595
- Undergrad students (CS495): not necessary
- Bonus questions: distributed later in the course for both CS495/595 students
Project Survey
- Programming language (Python)
- Pcap
- Deep learning frameworks (Caffe/TensorFlow/Theano/PyTorch)
Honeypot Project
- Honeypot: used for IDS/malware monitoring in real time
- Gather traces for analysis
Research: DEF CON - Evade Anti-Virus
- Hackers use the OpenAI Gym toolkit (reinforcement learning) to evade anti-virus detection
- OpenAI is an organization in AI research (Elon Musk). https://github.com/endgameinc/gym-malware
- Change the PE file, receive the feedback/rewards; repeat
- Does it apply to behavior?
- Deep reinforcement learning: Playing Atari with Deep Reinforcement Learning, NIPS, 2013. https://github.com/kuz/DeepMind-Atari-Deep-Q-Learner
VMs
- Most malware must be executed in order to be analyzed
- Running it on a production machine lets it spread to others (worms)
- Requires a safe environment with no risk
- VirtualBox, VMware
- Host-only networking to monitor network traffic
- Snapshots and roll-back
- Record and replay execution
VM Structure
- Guest OS installed inside the host OS as a VM
- The VM is isolated from the host OS
Host-only Networking
- Host-only networking creates a separate private LAN between the host OS and the guest OS
- Malware is contained in the VM: it can reach the host on the private LAN, but has no route to the Internet
Connecting the VM to the Internet
- Default option in VirtualBox is NAT
- NAT mode shares the host IP; the host acts as a router and translates all requests from the VM
- In real malware analysis, be cautious: a spreading worm, the VM becoming a botnet node for DDoS, spamming
- Malware authors may notice you are connecting to the control server and trying to analyze their sample
VM: Snapshot
- Snapshots are unique to VMs
- Allow you to save the current state and return to this state in the future
- Extremely helpful in malware analysis
- Usually take a snapshot after you have installed all the tools, or before you analyze an unknown program
VirtualBox Snapshot
- Under Machine -> Snapshot, view all the snapshots taken
Risks of Using a VM
- Malware can detect that it is in a VM and behave differently
- VMs also have bugs, which can cause the host OS to crash or allow code to run on the host OS (possibly through a shared folder)
- Make sure the host OS is fully patched
- Avoid using a sensitive machine to perform malware analysis (save non-personal files to the cloud, e.g. Dropbox)
Chapter 3. Basic Dynamic Analysis
Dynamic Analysis
- When static analysis is exhausted: monitor the malware after it is executed and identify its functionality
- Usually performed after static analysis is completed; could put your system and network at risk
- Not all malware functionality can be explored in dynamic analysis (limitation)
Sandbox
- Simpler alternative to VMs
- Isolation and tracking of malware behavior
- Example from the book: GFI SandBox. Generated logs:
  - File activity (modified files)
  - Mutexes created
  - Registry activity (changes to the registry)
  - Network activity (events, traffic and DNS requests)
Drawbacks of Sandbox
- Malware detects it is in a VM and stops running
- Certain registry keys/files are not included in the sandbox
- DLL malware will not run as an executable in the sandbox
- Only reports the logs and leaves the analysis to the analyst
Running DLL Malware
Difference between EXE and DLL:
- EXE: an executable file; no export is called, only the module entry point; a new process is launched
- DLL: a dynamic-link library; multiple exported symbols; the system loads the DLL into an existing process; its purpose is to provide a collection of methods/classes that can be reused by other applications
- Malware in DLL format may not be directly executable; run it with rundll32.exe, knowing the export to call (e.g. Install) from the Export Table (PEview)
Turning a DLL into an EXE
- Force the DLL to run as an executable by modifying the PE header
- Remove the IMAGE_FILE_DLL flag in IMAGE_FILE_HEADER -> the loader will run DllMain
- The rest of the program may crash
- This still achieves our purpose: analyzing the malicious payload
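The flag edit described on this slide is a two-byte change in the PE header. The following Python, added here as an example and not taken from the book or the course materials, walks the MZ header to e_lfanew, finds the Characteristics field of IMAGE_FILE_HEADER, and clears IMAGE_FILE_DLL in a copy of the file. The helper build_minimal_pe_header and its values are constructed for this example (just enough header for the parser; not a loadable image); on a real sample you would pass the bytes read from disk.

```python
import struct

# Characteristics bits from the PE specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def _characteristics_offset(data: bytes) -> int:
    """Locate Characteristics inside IMAGE_FILE_HEADER.

    Layout: MZ header -> e_lfanew at 0x3C -> 'PE\\0\\0' signature (4 bytes)
    -> IMAGE_FILE_HEADER (20 bytes), whose last 2 bytes are Characteristics.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # 18 = offset of Characteristics within IMAGE_FILE_HEADER
    return e_lfanew + 4 + 18


def is_dll(data: bytes) -> bool:
    """True when the image has IMAGE_FILE_DLL set (what the loader checks)."""
    off = _characteristics_offset(data)
    return bool(struct.unpack_from("<H", data, off)[0] & IMAGE_FILE_DLL)


def clear_dll_flag(data: bytes) -> bytes:
    """Return a copy of the file with IMAGE_FILE_DLL cleared, leaving the input untouched."""
    off = _characteristics_offset(data)
    buf = bytearray(data)
    chars = struct.unpack_from("<H", buf, off)[0]
    struct.pack_into("<H", buf, off, (chars & ~IMAGE_FILE_DLL) & 0xFFFF)
    return bytes(buf)


def build_minimal_pe_header(dll: bool) -> bytes:
    """Constructed sample for this example: MZ stub + PE signature + IMAGE_FILE_HEADER only."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)   # e_lfanew lands at 0x3C
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    # Machine=i386, 1 section, timestamp 0, no symbols, optional header size 0xE0
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return mz + b"PE\0\0" + file_header


if __name__ == "__main__":
    sample = build_minimal_pe_header(dll=True)
    print("sample is DLL:", is_dll(sample))
    patched = clear_dll_flag(sample)
    print("patched is DLL:", is_dll(patched))
```

For an actual file, read it with open(path, "rb").read(), write the result of clear_dll_flag to a new filename, and keep the original for the rest of your analysis; as the slide says, the patched image is expected to crash once DllMain returns, which is fine for observing the payload.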
Process Monitor
- Process Monitor (procmon): www.sysinternals.com
- Monitors registry, file system, network, process, and thread activity
- Combines FileMon and RegMon to track execution behavior
- Might cause performance degradation on the VM (limited virtual memory assigned); run it for only a few minutes
Demo of Procmon
Demo of Procmon - Filter
- Do not forget to click Add after defining the filter rules
Process Explorer
- Download: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
- Lists active processes, DLLs loaded by a process, and their properties
- Can be used to kill processes, log out users and validate processes
- Shown in a tree structure with parent and child processes
Process Explorer
- Colors: pink: services; blue: processes; green: new process; red: terminated process
- Threads tab: active threads
- TCP/IP tab: active connections/ports
- Verify button: verifies that the executable is signed by Microsoft (guards against process replacement by an attacker)
- Or use the Strings tab to compare strings and see the differences; a malicious process could have strings very different from the normal ones
- Find Handle or DLL: if you already know a DLL is malicious, find all the processes using that DLL
Registry Snapshot (Regshot)
- Take a snapshot before and after execution of the malware to see the keys being modified
- Listing 3-1, example in the book
- Note the noise being captured: the random seed differs between the two snapshots
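Regshot reports every key that differs between the two snapshots, so the analyst has to separate the noise (the RNG seed the slide mentions) from the changes that matter (autorun entries). The Python below is an added example, not Regshot's code or the book's listing: it diffs two snapshots held as dictionaries, sets known-noisy keys aside, and pulls out Run/RunOnce changes. The BEFORE/AFTER snapshots and the value data are constructed for this example, and the noise patterns are an assumed starting list.

```python
import re

# Locations Windows itself re-writes between two snapshots. The RNG seed is the
# noise the slide refers to; UserAssist is an assumed second entry for this example.
NOISE_PATTERNS = [
    re.compile(r"\\Cryptography\\RNG\\Seed$", re.IGNORECASE),
    re.compile(r"\\Explorer\\UserAssist\\", re.IGNORECASE),
]

# Autorun locations to check first in any diff.
AUTORUN_PATTERNS = [
    re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE),
]


def is_noise(key: str) -> bool:
    return any(p.search(key) for p in NOISE_PATTERNS)


def diff_snapshots(before: dict, after: dict) -> dict:
    """Regshot-style comparison of two {'HIVE\\Key\\Value': data} snapshots."""
    result = {"added": {}, "deleted": {}, "modified": {}, "noise": []}
    for key in sorted(after.keys() - before.keys()):
        if is_noise(key):
            result["noise"].append(key)
        else:
            result["added"][key] = after[key]
    for key in sorted(before.keys() - after.keys()):
        if is_noise(key):
            result["noise"].append(key)
        else:
            result["deleted"][key] = before[key]
    for key in sorted(before.keys() & after.keys()):
        if before[key] == after[key]:
            continue
        if is_noise(key):
            result["noise"].append(key)
        else:
            result["modified"][key] = (before[key], after[key])
    return result


def autorun_changes(diff: dict) -> dict:
    """Added or modified values under Run/RunOnce: persistence candidates."""
    changed = dict(diff["added"])
    changed.update({k: new for k, (old, new) in diff["modified"].items()})
    return {k: v for k, v in changed.items()
            if any(p.search(k) for p in AUTORUN_PATTERNS)}


# Constructed snapshots (values are made up for this example).
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed": "3A 17 C0 9B",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": "2",
}
AFTER = dict(BEFORE)
AFTER[r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"] = "F1 02 88 5D"   # noise
AFTER[r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhlp2"] = (
    r"C:\Windows\System32\winhlp2.exe")                                      # persistence

if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    for section in ("added", "deleted", "modified"):
        for k, v in d[section].items():
            print(f"{section:8} {k} = {v}")
    print("noise  ", d["noise"])
    print("autorun", autorun_changes(d))
```

Regshot can save its comparison as a text report; turning that report into the dictionary shape used here is a matter of splitting each reported line at its last ": " into key and value.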
Faking a Network
- Create a fake network without actually connecting to the Internet, to prevent the malware from noticing it is in an analysis environment
- ApateDNS: see the DNS requests made by the malware; redirect the malware's DNS request (e.g. for evil.malwar3.com) to something else (a fake virtual web server)
- Netcat monitoring: can be used for both inbound and outbound connections. Listen mode acts as a server; connect mode acts as a client
- Netcat combined with a reverse shell (Listing 3-2)
Reverse Shell
- What is a shell? A shell is a program which can be used to gain code or command execution on a device.
- What is a reverse shell? The target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved.
- Why? Ingress/egress firewall configuration
Network Tools
- Packet sniffing with Wireshark: can be used to sniff passwords (sent in plaintext), reverse-engineer protocols, steal sensitive information, listen to online chat
- INetSim: Linux-based simulation of Internet services (you need a virtual machine if on Windows)
  - Provides a wide range of fake services: HTTP/HTTPS, FTP, IRC, DNS, SMTP, etc.
  - Does its best to respond to malware requests; if a request cannot be satisfied, it returns a 404 error
Using the Combination of Tools
- Go through the example at p. 56: analyze the malware called msts.exe
- Summary of tools at hand:
  - Procmon: set a filter on the process name msts.exe
  - Process Explorer: start it before launching the malware
  - Regshot: gather a first snapshot
  - INetSim and ApateDNS: set up the virtual network
  - Wireshark: log network traffic
Virtual Network
- Set up two VMs: Windows running the malware; Linux running the web services
- ApateDNS redirects to 192.168.117.169
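What ApateDNS does on the Faking a Network slide and in this virtual network is answer every A query with the address of the Linux services VM, so the malware's traffic lands on INetSim instead of the Internet. The following Python is an added example of that sinkhole logic, written for this page rather than taken from ApateDNS or the book: it parses a DNS query, builds an A-record reply pointing at 192.168.117.169, and includes a small UDP loop that logs each queried name. The query bytes are constructed by build_query so the example runs offline; the transaction id and TTL are arbitrary.

```python
import socket
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order)
HEADER = "!HHHHHH"
QTYPE_A = 1


def parse_query(packet: bytes):
    """Return (transaction id, qname, qtype, offset just past the question)."""
    tid, _flags, qdcount, _an, _ns, _ar = struct.unpack_from(HEADER, packet, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:          # compression pointers do not appear in a plain query
            raise ValueError("compressed name in question")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack_from("!HH", packet, off)
    return tid, ".".join(labels), qtype, off + 4


def build_fake_response(query: bytes, sink_ip: str, ttl: int = 60):
    """Answer an A query with sink_ip; other types get an empty NOERROR reply."""
    tid, qname, qtype, qend = parse_query(query)
    question = query[12:qend]
    answer = b""
    if qtype == QTYPE_A:
        # name = pointer to offset 12 (0xC00C), type A, class IN, TTL, rdlength 4, IPv4
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(sink_ip)
    # flags 0x8180: response, recursion desired + available, NOERROR
    header = struct.pack(HEADER, tid, 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + question + answer, qname


def answered_ip(response: bytes):
    """Read the IPv4 address out of the first answer record, or None if there is none."""
    _tid, _flags, _qd, ancount, _ns, _ar = struct.unpack_from(HEADER, response, 0)
    if ancount == 0:
        return None
    _, _, _, qend = parse_query(response)      # question section has the same layout
    rdlength = struct.unpack_from("!H", response, qend + 10)[0]
    return socket.inet_ntoa(response[qend + 12:qend + 12 + rdlength])


def build_query(qname: str, tid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Constructed client query for this example (what a resolver stub would send)."""
    name = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                    for label in qname.split(".")) + b"\0"
    return struct.pack(HEADER, tid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def serve(sink_ip: str, bind_addr: str = "0.0.0.0", port: int = 53):
    """Minimal UDP sinkhole: log each name asked for and answer with sink_ip."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                reply, qname = build_fake_response(data, sink_ip)
            except (ValueError, IndexError, struct.error):
                continue                       # malformed packet: ignore, keep serving
            print(f"{peer[0]} asked for {qname} -> {sink_ip}")
            sock.sendto(reply, peer)


if __name__ == "__main__":
    q = build_query("evil.malwar3.com")
    reply, name = build_fake_response(q, "192.168.117.169")
    print(name, "->", answered_ip(reply))
```

Run serve("192.168.117.169") on the analysis side of the host-only network and point the Windows VM's DNS server at it; the log line per query gives you the same list of requested names the ApateDNS window shows.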
Analysis of Recordings/Logs
1. ApateDNS shows the DNS requests performed
2. A file called winhlp2.exe is created under System32 (Windows help)
3. The registry snapshot shows the malware is set to autorun at startup
4. Process Explorer: examine the process; a mutex is created to ensure only one instance of the malware runs at a time
5. Review the INetSim logs to see the connection attempted; communication via port 443 (SSL) is captured, though it failed
6. Wireshark should capture similar protocol activity
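Steps 2, 3 and 5 above come straight out of the Procmon log once it is filtered to msts.exe, and Procmon can export that log as CSV (File -> Save, CSV format, with the columns Time of Day, Process Name, PID, Operation, Path, Result, Detail). The Python below is an added example for this page, not the book's walkthrough: it reads such an export, keeps only the filtered process, and sorts its successful events into files written, autorun registry values and outbound connections. The SAMPLE_CSV rows are constructed to mirror the findings on the slide; they are not a real capture of msts.exe.

```python
import csv
import io
import re

# Constructed Procmon CSV export (same column layout Procmon writes; rows made up
# to mirror the slide's findings, not captured from the real sample).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000000","msts.exe","1234","CreateFile","C:\Windows\System32\winhlp2.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.0100000","msts.exe","1234","WriteFile","C:\Windows\System32\winhlp2.exe","SUCCESS","Offset: 0, Length: 28672"
"10:01:02.0200000","msts.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhlp2","SUCCESS","Type: REG_SZ, Length: 70, Data: C:\Windows\System32\winhlp2.exe"
"10:01:02.0300000","msts.exe","1234","UDP Send","win-analysis:51000 -> 192.168.117.169:53","SUCCESS","Length: 34"
"10:01:02.0400000","msts.exe","1234","TCP Connect","win-analysis:49152 -> 192.168.117.169:443","SUCCESS","Length: 0"
"10:01:02.0500000","explorer.exe","800","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:02.0600000","msts.exe","1234","CreateFile","C:\Windows\Prefetch\MSTS.EXE-1A2B3C4D.pf","NAME NOT FOUND","Desired Access: Generic Read"
'''

AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
ENDPOINT_RE = re.compile(r"-> (.+):(\d+)$")          # Procmon network paths: src -> dst:port
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def parse_procmon_csv(text: str):
    """Rows as dicts keyed by the Procmon column names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, process_name: str) -> dict:
    """Group one process's events into the categories the slide's analysis walks through."""
    summary = {"files_written": set(), "autorun_keys": {}, "network": [], "failed": []}
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue                              # the Procmon filter, applied again here
        op, path, result, detail = row["Operation"], row["Path"], row["Result"], row["Detail"]
        if result != "SUCCESS":
            summary["failed"].append((op, path, result))
            continue
        if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            summary["files_written"].add(path)            # step 2: dropped file
        elif op == "RegSetValue" and AUTORUN_RE.search(path):
            m = re.search(r"Data: (.*)$", detail)
            summary["autorun_keys"][path] = m.group(1) if m else detail   # step 3: persistence
        elif op in NETWORK_OPS:
            m = ENDPOINT_RE.search(path)
            if m:
                summary["network"].append((op, m.group(1), int(m.group(2))))   # step 5
    return summary


if __name__ == "__main__":
    s = triage(parse_procmon_csv(SAMPLE_CSV), "msts.exe")
    for section, items in s.items():
        print(f"{section}:")
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

The failed bucket is worth a look too: a process probing for files or keys that do not exist (sandbox artifacts, security products, an already-installed copy of itself) shows up there as NAME NOT FOUND results.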
In-class Homework
- Do the in-class homework hw_2_in.docx