Cornerstones of Trust 2014: http://cornerstonesoftrust.com.
Presenters: Jaime Blasco (@jaimeblascob) and Santiago Bassett (@santiagobassett). Thank you Jaime.
Threat Intelligence has become increasingly important as the number and severity of threats is growing continuously. We live in an era where our prevention technologies are not enough anymore, antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed and the attacker’s techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component to mitigate cyber-attacks.
In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we’ll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools.
The industry’s reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) to describe and share cyber intelligence, as well as Open Source Frameworks such as CIF (Collective Intelligence Framework) that allows you to combine different threat sources.
One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source Tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most of your Threat Intelligence.
Sunday, October 5, 2014
Tuesday, September 23, 2014
OSSEC CON 2014 - Malware Detection with OSSEC
Happy to share my presentation from the OSSEC CON, which took place on September 16th in Cork, Ireland. Here you can find a brief explanation of different malware collection and analysis techniques, as well as a good example of how to use some IOCs to create a rootcheck signature.
And, for those interested, here is the video as well:
Labels:
cuckoo,
malware,
ossec,
virustotal,
volatility,
yara
Sunday, January 27, 2013
Installing Cuckoo Sandbox on VirtualBox Ubuntu Server LTS
Quoting their website, Cuckoo Sandbox is an Open Source automated malware analysis system. To do so it uses custom components that monitor the behavior of the malicious processes while running in an isolated environment (typically a Windows operating system).
It can retrieve the following type of results:
- Traces of win32 API calls performed by all processes spawned by the malware.
- Files being created, deleted and downloaded by the malware during its execution.
- Memory dumps of the malware processes.
- Network traffic trace in PCAP format.
- Screenshots of the Windows desktop taken during the execution of the malware.
- Full memory dumps of the machines.
Cuckoo (version 0.5) has been developed in Python and is integrated with MongoDB, Yara, SSDEEP and Tcpdump for different purposes. That is why my recommendation is to install all these packages, including Cuckoo's Python dependencies. Here are the necessary steps to do it:
1.- Installing Python and dependencies
$ apt-get install python # installed by default
$ apt-get install python-magic # for identifying file formats
$ apt-get install python-dpkt # for extracting info from pcaps
$ apt-get install python-mako # for rendering html reports and web gui
$ apt-get install python-sqlalchemy
$ apt-get install python-jinja2 # necessary for web.py utility
$ apt-get install python-bottle # necessary for web.py utility
2.- Installing SSDEEP for calculating fuzzy hashes
$ apt-get install ssdeep
$ apt-get install python-pyrex # required for pyssdeep installation
$ apt-get install subversion
$ apt-get install libfuzzy-dev
$ svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
$ cd pyssdeep
$ python setup.py build
$ python setup.py install # run as root user
3.- Installing MongoDB and Python support
$ apt-get install python-pymongo # for mongodb support
$ apt-get install mongodb # includes server and clients
4.- Installing Yara and Python support
$ apt-get install g++
$ apt-get install libpcre3 libpcre3-dev
$ wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
$ tar -xvzf yara-1.6.tar.gz
$ cd yara-1.6
$ ./configure
$ make
$ make check
$ make install # finished yara installation
$ wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
$ tar -xvzf yara-python-1.6.tar.gz
$ cd yara-python-1.6
$ python setup.py build
$ python setup.py install # finished python support installation
5.- Modifying Tcpdump running privileges
This is necessary so Cuckoo can run Tcpdump as a non-root user.
$ apt-get install libcap2-bin
$ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump # to check changes have been applied
6.- Installing Cuckoo Sandbox
$ sudo useradd cuckoo
$ usermod -a -G vboxusers cuckoo # add cuckoo to vboxusers group
$ id cuckoo # checks cuckoo user details
$ apt-get install git
$ git clone git://github.com/cuckoobox/cuckoo.git
7.- Configuring Windows Guest virtual machine
At this point we need to install the Cuckoo Python agent in the virtual machine that we want to use to run the malware. I am going to continue the work described in my previous post and use WindowsXPVM1 for this purpose.
First steps to prepare the Windows Guest system:
- Install Python for Windows: http://python.org/download/
- Install the PIL Python module to create desktop screenshots: http://www.pythonware.com/products/pil/
- Deactivate automatic Windows updates
- Deactivate the local firewall
- Optional: Install third party applications (Office 2003/2007, Acrobat Reader...): http://www.oldapps.com/
Then copy the agent to the folder shared with the virtual machine:
$ cp /home/santiago/cuckoo/cuckoo/agent/agent.py /home/santiago/cuckoo/shares/WindowsXPVM1/
I also renamed it to agent.pyw to prevent the command prompt from showing. We can run it manually or configure it to run at Windows startup following these steps:
- Copy it to C:\Python27\agent.pyw
- Add it to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name:'Agent' Type:'REG_SZ' Data:"C:\Python27\agent.pyw"
Our virtual machine is now ready to run malware so it's time to save the system state creating a VirtualBox snapshot.
$ vboxmanage snapshot "WindowsXPVM1" take "WindowsXPVM1Snap01" --pause
And these are the commands we can use to restore the snapshot.
$ vboxmanage controlvm "WindowsXPVM1" poweroff
$ vboxmanage snapshot "WindowsXPVM1" restorecurrent
$ vboxheadless --startvm "WindowsXPVM1"
8.- Starting Cuckoo sandbox
Before starting Cuckoo for the first time, we need to configure Cuckoo's VirtualBox settings to specify the virtual machine the system will use to analyze a malware sample. To do it we edit the cuckoo/conf/virtualbox.conf file and set the following variables.
[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui", "sdl" or "headless". Refer to VirtualBox's official
# documentation to understand the differences.
mode = headless
# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = WindowsXPVM1
[WindowsXPVM1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = WindowsXPVM1
# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows
# Specify the IP address of the current machine. Make sure that the IP address
# is valid and that the host machine is able to reach it. If not, the analysis
# will fail.
ip = 192.168.56.101
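Cuckoo's own comment above says the machines list can hold several IDs (cuckoo1,cuckoo2,cuckoo3), each of which needs its own section, and that a machine the host cannot reach makes the analysis fail. The POSIX shell helper below is an added example, not code from this post or from the Cuckoo project: it writes a virtualbox.conf for any number of analysis VMs using exactly the keys shown above, and then checks that every machine named in "machines =" has a section with an ip line, which is the configuration mistake that otherwise only surfaces when a task is submitted. It assumes Windows guests and the VBoxManage path used in the post; the LABEL=IP argument spelling is my own.

```shell
#!/bin/sh
# Added example (not from the post or from Cuckoo): generate and sanity-check
# cuckoo/conf/virtualbox.conf for one or more analysis machines.
# Assumptions: all guests are Windows, VBoxManage lives in /usr/bin, mode is
# headless as in the post.

# write_vbox_conf OUTFILE LABEL=IP [LABEL=IP ...]
# Emits the [virtualbox] section plus one section per machine.
write_vbox_conf() {
    out=$1; shift
    machines=""
    for spec in "$@"; do
        label=${spec%%=*}
        machines="${machines:+$machines,}$label"
    done
    {
        printf '[virtualbox]\n'
        printf 'mode = headless\n'
        printf 'path = /usr/bin/VBoxManage\n'
        printf 'machines = %s\n\n' "$machines"
        for spec in "$@"; do
            label=${spec%%=*}
            ip=${spec#*=}
            printf '[%s]\n' "$label"
            printf 'label = %s\n' "$label"
            printf 'platform = windows\n'
            printf 'ip = %s\n\n' "$ip"
        done
    } > "$out"
}

# check_vbox_conf FILE
# Every ID listed in "machines =" must have its own [ID] section containing
# an ip line; prints what is missing and returns 1 if anything is wrong.
check_vbox_conf() {
    file=$1; status=0
    list=$(sed -n 's/^machines *= *//p' "$file" | head -n 1)
    for m in $(printf '%s' "$list" | tr ',' ' '); do
        if ! grep -q "^\[$m\]" "$file"; then
            echo "missing section [$m]"; status=1; continue
        fi
        # look only at the lines of that section (header up to next blank line)
        if ! sed -n "/^\[$m\]/,/^\$/p" "$file" | grep -q '^ip *= *[0-9]'; then
            echo "missing ip for $m"; status=1
        fi
    done
    return $status
}

# Usage: ./gen_vbox_conf.sh --demo   (writes and checks a two-machine file)
case "${1:-}" in
    --demo)
        write_vbox_conf virtualbox.conf WindowsXPVM1=192.168.56.101 cuckoo2=192.168.56.102
        check_vbox_conf virtualbox.conf && echo "virtualbox.conf looks consistent"
        ;;
esac
```

Run the check again whenever a VM is renamed or re-addressed in VirtualBox: the label in the section must still match the VirtualBox machine name, and the ip must still be the one the host-only DHCP (or the static configuration in the guest) actually hands out.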
Finally we can start our freshly installed Cuckoo sandbox.
root@donkey:/home/santiago/cuckoo/cuckoo# python cuckoo.py
Cuckoo Sandbox 0.5
www.cuckoosandbox.org
Copyright (c) 2010-2012
Checking for updates...
Good! You have the latest version available.
2013-01-26 23:25:33,216 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
9.- Analyzing a malware sample
I decided to analyze the following malware sample: efeb717fdbb98d8043eb4c51254d9b74 (you can find its VirusTotal description here). We can use the submit.py utility for it.
root@donkey:/home/santiago/cuckoo/cuckoo/utils# python submit.py /home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74
Success: File "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" added as task with ID 4
And these are Cuckoo logs while performing the malware analysis.
2013-01-26 23:34:00,275 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" (task=4)
2013-01-26 23:34:00,286 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/santiago/cuckoo/cuckoo/storage/binaries/8dafb21e7d106a6c98f745f30c2577ee7b0984ec7ba2c4107f7ddcd0d127baf6"
2013-01-26 23:34:00,304 [lib.cuckoo.core.scheduler] INFO: Task #4: acquired machine WindowsXPVM1 (label=WindowsXPVM1)
2013-01-26 23:34:00,312 [lib.cuckoo.core.sniffer] INFO: Started sniffer (interface=vboxnet0, host=192.168.56.101, dump path=/home/santiago/cuckoo/cuckoo/storage/analyses/4/dump.pcap)
2013-01-26 23:34:02,063 [lib.cuckoo.core.scheduler] INFO: Task #4: analysis procedure completed
Then we can use the web.py Cuckoo tool to view the output of the analysis.
root@donkey:/home/santiago/cuckoo/cuckoo/utils# python web.py
Bottle server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/
Hit Ctrl-C to quit.
And at this point we can connect to our host through the web at http://192.168.0.200:8080 and see our analysis report.
References
http://www.cuckoosandbox.org/
http://www.virtualbox.org/
http://www.virustotal.com/
http://blog.michaelboman.org/
Labels:
cuckoo,
malware,
mongodb,
python,
tcpdump,
ubuntu,
virtualbox,
virustotal,
windows,
yara
Saturday, January 26, 2013
Setting up a Windows Guest on VirtualBox
I recently installed VirtualBox on Ubuntu LTS as described in my previous post. Now I am going to install a Windows XP Guest on it, so it can later be used as a platform to run malware for automatic analysis with Cuckoo sandbox.
In this case, instead of using Phpvirtualbox web interface, I will choose to use the command line so it will be easier in the future to automate the virtual machine creation process by using a bash script.
These are the specs I am going to use for the Windows XP:
- 1GB RAM memory
- 20GB of Hard Disk space
- VDI format for the virtual disk
- Dynamically allocated storage
1.- Creating the virtual machine
The command vboxmanage can be used to create the virtual machine, using the settings above, and to attach a DVD drive with the ISO image of Windows XP. In my case I decided to name it WindowsXPVM1.
$ vboxmanage createvm --name "WindowsXPVM1" --ostype WindowsXP --register
$ vboxmanage modifyvm "WindowsXPVM1" --memory 1000 --acpi on --boot1 dvd --nic1 nat
$ vboxmanage createhd --filename "WinXP.vdi" --size 20000
$ vboxmanage storagectl "WindowsXPVM1" --name "IDE Controller" --add ide --controller PIIX4
$ vboxmanage storageattach "WindowsXPVM1" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "WinXP.vdi"
$ vboxmanage storageattach "WindowsXPVM1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /pathtoyouriso/windowsxp.iso
At this point we can start the virtual machine to begin the Windows installation procedure.
$ VBoxHeadless --startvm "WindowsXPVM1"
In order to connect to the system we can either use the Phpvirtualbox console or connect directly through Remote Desktop Protocol (RDP) to the host.
2.- Installing guest additions in our virtual machine
$ wget http://dlc.sun.com.edgesuite.net/virtualbox/4.1.12/VBoxGuestAdditions_4.1.12.iso
Once downloaded we need to mount the ISO file in the Windows XP guest and follow the installation wizard.
3.- Adding a shared folder and recording the network traffic
$ vboxmanage controlvm "WindowsXPVM1" poweroff
$ mkdir -p /home/santiago/cuckoo/shares/WindowsXPVM1
$ vboxmanage sharedfolder add "WindowsXPVM1" --name "WindowsXPVM1" --hostpath /home/santiago/cuckoo/shares/WindowsXPVM1 --automount
$ vboxmanage sharedfolder add "WindowsXPVM1" --name setup --hostpath /home/santiago/cuckoo/shares/setup --automount --readonly
$ vboxmanage modifyvm "WindowsXPVM1" --nictrace1 on --nictracefile1 /home/santiago/cuckoo/shares/WindowsXPVM1/dump.pcap
$ vboxheadless --startvm "WindowsXPVM1"
4.- Configuring virtual machine to use a host-only adapter
$ lsmod | grep vboxnetadp # module needed to add a new host-only interface at the host
$ vboxmanage list hostonlyifs # checks host-only interfaces at the host
$ vboxmanage hostonlyif create # leaving default IP 192.168.56.1/24
$ vboxmanage list dhcpservers # checks dhcp servers
$ vboxmanage list vms # checks virtual machines
$ vboxmanage showvminfo "WindowsXPVM1" # checks NICs information
$ vboxmanage controlvm "WindowsXPVM1" poweroff
$ vboxmanage modifyvm "WindowsXPVM1" --nic1 hostonly
$ vboxmanage modifyvm "WindowsXPVM1" --hostonlyadapter1 vboxnet0
$ vboxheadless --startvm WindowsXPVM1
The gateway (192.168.56.1) and DNS server (in this case I will use Google's 8.8.8.8) need to be configured manually at the Guest using Windows settings.
5.- Configuring the Host IP forwarding and firewall filters
$ iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
$ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ iptables -A POSTROUTING -t nat -j MASQUERADE
$ sysctl -w net.ipv4.ip_forward=1
We can add these commands to our /etc/rc.local file if we want them to be executed every time the server boots or restarts.
6.- Starting and stopping the virtual machine
To start the VirtualBox web service and the virtual machine we need to run the following commands:
$ vboxwebsrv -b
$ vboxmanage list vms # Optional to list virtual machines
$ vboxheadless --startvm "WindowsXPVM1"
And this is how we can stop it:
$ vboxmanage controlvm "WindowsXPVM1" poweroff
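Since the idea of doing all of this on the command line is to script it later, here is the whole procedure of steps 1 to 6 collected into reusable POSIX shell functions. This is an added example, not code from the post: it assumes vboxmanage is on the PATH, that the host-only interface is vboxnet0 and the uplink eth0 (both as in the post), and it adds a DRY_RUN switch of my own that prints the commands instead of executing them, so the generated command lines can be reviewed before touching the host. The MASQUERADE rule is narrowed to the sandbox network and the uplink, which is tighter than the unrestricted rule in step 5.

```shell
#!/bin/sh
# Added example (not from the original post): the vboxmanage and iptables
# steps above as functions, so a sandbox VM can be built, isolated,
# snapshotted and reset from a script.
# Assumptions: vboxmanage on PATH, host-only interface vboxnet0, uplink eth0.
# Set DRY_RUN=1 to print the commands instead of running them.

VBOXMANAGE="${VBOXMANAGE:-vboxmanage}"

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vm_create NAME RAM_MB DISK_MB ISO
# Registers the VM, attaches a dynamically allocated VDI and the install ISO.
# NAT networking is only used while Windows is being installed.
vm_create() {
    name=$1; ram=$2; disk=$3; iso=$4
    run "$VBOXMANAGE" createvm --name "$name" --ostype WindowsXP --register
    run "$VBOXMANAGE" modifyvm "$name" --memory "$ram" --acpi on --boot1 dvd --nic1 nat
    run "$VBOXMANAGE" createhd --filename "$name.vdi" --size "$disk"
    run "$VBOXMANAGE" storagectl "$name" --name "IDE Controller" --add ide --controller PIIX4
    run "$VBOXMANAGE" storageattach "$name" --storagectl "IDE Controller" \
        --port 0 --device 0 --type hdd --medium "$name.vdi"
    run "$VBOXMANAGE" storageattach "$name" --storagectl "IDE Controller" \
        --port 0 --device 1 --type dvddrive --medium "$iso"
}

# vm_isolate NAME SHAREDIR
# After the install: power off, add the shared folder used to copy files in,
# and move the guest to the host-only adapter so its only way out is the
# filtered forwarding on the host.
vm_isolate() {
    name=$1; share=$2
    run "$VBOXMANAGE" controlvm "$name" poweroff
    run "$VBOXMANAGE" sharedfolder add "$name" --name "$name" --hostpath "$share" --automount
    run "$VBOXMANAGE" modifyvm "$name" --nic1 hostonly --hostonlyadapter1 vboxnet0
}

# vm_snapshot NAME SNAP: save the clean state the sandbox returns to.
vm_snapshot() {
    run "$VBOXMANAGE" snapshot "$1" take "$2" --pause
}

# vm_reset NAME SNAP: discard whatever the last sample did and boot the
# clean snapshot again, headless.
vm_reset() {
    run "$VBOXMANAGE" controlvm "$1" poweroff
    run "$VBOXMANAGE" snapshot "$1" restore "$2"
    run vboxheadless --startvm "$1"
}

# host_nat NET UPLINK HOSTIF
# Forwarding rules from step 5: only NEW connections that originate in the
# sandbox network are allowed out; nothing is forwarded into it.
host_nat() {
    net=$1; uplink=$2; hostif=$3
    run iptables -A FORWARD -o "$uplink" -i "$hostif" -s "$net" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$net" -o "$uplink" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# Usage: DRY_RUN=1 ./make_sandbox_vm.sh --demo   (prints every command)
case "${1:-}" in
    --demo)
        vm_create WindowsXPVM1 1000 20000 /pathtoyouriso/windowsxp.iso
        vm_isolate WindowsXPVM1 /home/santiago/cuckoo/shares/WindowsXPVM1
        vm_snapshot WindowsXPVM1 WindowsXPVM1Snap01
        host_nat 192.168.56.0/24 eth0 vboxnet0
        ;;
esac
```

vm_reset is the function the analysis loop will call most often: reverting to the snapshot before every sample is what keeps one infection from contaminating the next report, so it is worth wiring it to the snapshot name rather than to "restorecurrent", which silently picks whatever snapshot happens to be current.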
And we are done. We should now be able to use our fresh installation of our virtual Windows XP.
References
http://www.virtualbox.org/manual/
http://blog.michaelboman.org/
Labels:
cuckoo,
phpvirtualbox,
ubuntu,
virtualbox,
windows
Installing VirtualBox on Ubuntu Server LTS
I decided to install VirtualBox on Ubuntu server so I can use it later with Cuckoo Sandbox for malware analysis.
The steps followed for this installation are:
- Download and installation of Ubuntu Server LTS (current version 12.04.1)
- VirtualBox and dependencies installation (current stable version 4.1.12)
- Phpvirtualbox installation for headless servers (version 4.1-11)
- VirtualBox extension pack installation for VRDP support
- Starting VirtualBox and connecting to Phpvirtualbox web user interface
1.- Download and installation of Ubuntu Server LTS
I decided to use Ubuntu Server LTS as it is stable and does not require the installation of a Desktop environment, which I won't use for my purposes. The server used has a 64-bit CPU, 12GB RAM and 514GB of hard disk space, which is more than enough to run several virtual machines in parallel.
A fresh Ubuntu Server image can be downloaded from: http://www.ubuntu.com/download/server
Then you can choose to run the ISO from a USB stick or CD-ROM drive. My recommendation is to install only the base system, so we keep the server clean from packages that we won't use. The only extra package I installed was the SSH server so I can access it remotely.
Once the installation process is finished, let's also upgrade the Debian packages to the latest version by running these commands:
$ apt-get update
$ apt-get dist-upgrade
I also set up the hostname and network settings in /etc/hostname and /etc/network/interfaces.
2.- VirtualBox and dependencies installation
Installing VirtualBox with apt-get:
$ apt-get install virtualbox
Checking the installed packages:
$ dpkg -l | grep -i virtualbox
ii virtualbox 4.1.12-dfsg-2ubuntu0.2 x86 virtualization solution - base binaries
ii virtualbox-dkms 4.1.12-dfsg-2ubuntu0.2 x86 virtualization solution - kernel module sources for dkms
ii virtualbox-qt 4.1.12-dfsg-2ubuntu0.2 x86 virtualization solution - Qt based user interface
3.- Installing Phpvirtualbox
First we need to install apache2 and php:
$ apt-get install apache2
$ apt-get install php5
Then we can install Phpvirtualbox, setting the permissions of the directory to your own username (mine is santiago):
$ cd /var/www/
$ wget http://phpvirtualbox.googlecode.com/files/phpvirtualbox-4.1-11.zip
$ unzip phpvirtualbox-4.1-11.zip
$ chown -R santiago:santiago /var/www/phpvirtualbox/
$ cp /var/www/phpvirtualbox/config.php-example /var/www/phpvirtualbox/config.php
Then edit /var/www/phpvirtualbox/config.php and set the username and password of the system user that runs VirtualBox:
var $username = 'santiago';
var $password = 'yourpassword';
4.- VirtualBox extension pack installation for VRDP support
Installing the extension pack will allow us to control the virtual machines' desktop remotely.
$ wget http://download.virtualbox.org/virtualbox/4.1.12/Oracle_VM_VirtualBox_Extension_Pack-4.1.12.vbox-extpack
$ vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.1.12.vbox-extpack
5.- Starting VirtualBox and connecting to Phpvirtualbox user interface
The following command is used to start the VirtualBox web service:
$ vboxwebsrv -b
Then we can connect to the user interface from our browser at http://yourserverip/phpvirtualbox with the default credentials (change them after the first login):
user: admin
password: admin
We should now be able to use our fresh installation of VirtualBox.
References
http://www.virtualbox.org/manual/
http://codesupply.net/content/setup-ubuntu-1110-64bit-server-headless-virtualbox-host

