
Tuesday, September 23, 2014

OSSEC CON 2014 - Malware Detection with OSSEC

Happy to share my presentation from the OSSEC CON, which took place on September 16th in Cork, Ireland. Here you can find a brief explanation of different malware collection and analysis techniques, as well as a good example of how to use some IOCs to create a rootcheck signature.



And, for those interested, here is the video as well:


Sunday, January 27, 2013

Installing Cuckoo Sandbox on VirtualBox Ubuntu Server LTS

Quoting their website, Cuckoo Sandbox is an open source automated malware analysis system. It uses custom components that monitor the behavior of malicious processes while they run in an isolated environment (typically a Windows operating system).

It can retrieve the following type of results:
  • Traces of win32 API calls performed by all processes spawned by the malware.
  • Files being created, deleted and downloaded by the malware during its execution.
  • Memory dumps of the malware processes.
  • Network traffic trace in PCAP format.
  • Screenshots of the Windows desktop taken during the execution of the malware.
  • Full memory dumps of the machines.
In our case I decided to use a combination of Ubuntu LTS Server and VirtualBox to set up the platform on which we are going to run Cuckoo. For further details on how to install these systems, see my previous posts:
Cuckoo (version 0.5) is developed in Python and integrates with MongoDB, Yara, SSDEEP and Tcpdump for different purposes, which is why I recommend installing all of these packages along with Cuckoo's Python dependencies. Here are the necessary steps:

1.- Installing Python and dependencies

 $ apt-get install python # installed by default  
 $ apt-get install python-magic # for identifying file formats  
 $ apt-get install python-dpkt # for extracting info from pcaps  
 $ apt-get install python-mako # for rendering html reports and web gui  
 $ apt-get install python-sqlalchemy  
 $ apt-get install python-jinja2 # necessary for web.py utility  
 $ apt-get install python-bottle # necessary for web.py utility  

2.- Installing SSDEEP for calculating fuzzy hashes

 $ apt-get install ssdeep  
 $ apt-get install python-pyrex # required for pyssdeep installation  
 $ apt-get install subversion  
 $ apt-get install libfuzzy-dev   
 $ svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep  
 $ cd pyssdeep  
 $ python setup.py build  
 $ python setup.py install # run as root user  

3.- Installing MongoDB and Python support

 $ apt-get install python-pymongo # for mongodb support  
 $ apt-get install mongodb # includes server and clients  

4.- Installing Yara and Python support

 $ apt-get install g++  
 $ apt-get install libpcre3 libpcre3-dev  
 $ wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz  
 $ tar -xvzf yara-1.6.tar.gz  
 $ cd yara-1.6  
 $ ./configure  
 $ make  
 $ make check  
 $ make install # finished yara installation  
 $ wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz  
 $ tar -xvzf yara-python-1.6.tar.gz  
 $ cd yara-python-1.6  
 $ python setup.py build  
 $ python setup.py install # finished python support installation  

5.- Modifying Tcpdump running privileges

This is necessary so that Cuckoo can run Tcpdump as a non-root user.
 $ apt-get install libcap2-bin  
 $ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump  
 $ getcap /usr/sbin/tcpdump # to check changes have been applied  

6.- Installing Cuckoo Sandbox

 $ sudo useradd cuckoo  
 $ usermod -a -G vboxusers cuckoo # add cuckoo to vboxusers group  
 $ id cuckoo # checks cuckoo user details  
 $ apt-get install git   
 $ git clone git://github.com/cuckoobox/cuckoo.git   

7.- Configuring Windows Guest virtual machine

At this point we need to install the Cuckoo Python agent in the virtual machine that we will use to run the malware. I am going to continue the work described in my previous post and use WindowsXPVM1 for this purpose.

First steps to prepare the Windows Guest system:
Next we copy the Python agent to our Windows shared folder:
 $ cp /home/santiago/cuckoo/cuckoo/agent/agent.py /home/santiago/cuckoo/shares/WindowsXPVM1/  
I also renamed it to agent.pyw so that no command prompt window is shown. We can run it manually or configure it to run at Windows startup following these steps:
  • Copy to C:\Python27\agent.pyw
  • Add it to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name:'Agent' Type:'REG_SZ' Data:"C:\Python27\agent.pyw"
After executing the Python script on the virtual machine, a new socket should be listening on 0.0.0.0:8000.



Our virtual machine is now ready to run malware, so it's time to save the system state by creating a VirtualBox snapshot.
 $ vboxmanage snapshot "WindowsXPVM1" take "WindowsXPVM1Snap01" --pause  
And these are the commands we can use to restore the snapshot:
 $ vboxmanage controlvm "WindowsXPVM1" poweroff  
 $ vboxmanage snapshot "WindowsXPVM1" restorecurrent  
 $ vboxheadless --startvm "WindowsXPVM1"  

8.- Starting Cuckoo sandbox

Before starting Cuckoo for the first time, we need to configure its VirtualBox settings to specify the virtual machine that will be used to analyze malware samples. To do so we edit the cuckoo/conf/virtualbox.conf file and set the following variables:
  [virtualbox]  
  # Specify which VirtualBox mode you want to run your machines on.  
  # Can be "gui", "sdl" or "headless". Refer to VirtualBox's official  
  # documentation to understand the differences.  
  mode = headless  
  # Path to the local installation of the VBoxManage utility.  
  path = /usr/bin/VBoxManage  
  # Specify a comma-separated list of available machines to be used. For each  
  # specified ID you have to define a dedicated section containing the details  
  # on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)  
  machines = WindowsXPVM1  
  [WindowsXPVM1]  
  # Specify the label name of the current machine as specified in your  
  # VirtualBox configuration.  
  label = WindowsXPVM1  
  # Specify the operating system platform used by current machine  
  # [windows/darwin/linux].  
  platform = windows  
  # Specify the IP address of the current machine. Make sure that the IP address  
  # is valid and that the host machine is able to reach it. If not, the analysis  
  # will fail.  
  ip = 192.168.56.101  
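The comments in virtualbox.conf warn that an unreachable or mistyped machine entry makes the analysis fail. The following script, an added example that is not part of the post or of the Cuckoo project, reads a virtualbox.conf and checks the settings used above before cuckoo.py is launched: the mode is one of gui/sdl/headless, VBoxManage is given as an absolute path, and every name in machines has its own section with a label, a supported platform and a syntactically valid, non-duplicated IP address. The sample configuration embedded below is a constructed copy of the settings shown in the post; the validate_virtualbox_conf function and its problem messages are my own.

```python
# Added example (not from the post or the Cuckoo project): sanity-check a
# Cuckoo 0.5 virtualbox.conf before starting cuckoo.py.
import configparser
import ipaddress

# Constructed sample mirroring the settings shown in the post.
SAMPLE_CONF = """
[virtualbox]
# Can be "gui", "sdl" or "headless".
mode = headless
path = /usr/bin/VBoxManage
machines = WindowsXPVM1

[WindowsXPVM1]
label = WindowsXPVM1
platform = windows
ip = 192.168.56.101
"""

VALID_MODES = {"gui", "sdl", "headless"}
VALID_PLATFORMS = {"windows", "darwin", "linux"}


def validate_virtualbox_conf(text):
    """Return a list of problems found; an empty list means the config is consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(text)          # '#' lines are treated as comments by configparser
    problems = []

    if "virtualbox" not in cp:
        return ["missing [virtualbox] section"]
    vb = cp["virtualbox"]

    mode = vb.get("mode", "")
    if mode not in VALID_MODES:
        problems.append("mode %r is not one of %s" % (mode, sorted(VALID_MODES)))
    if not vb.get("path", "").startswith("/"):
        problems.append("path must be an absolute path to VBoxManage")

    # Every ID in the comma-separated machines list needs a dedicated section.
    machines = [m.strip() for m in vb.get("machines", "").split(",") if m.strip()]
    if not machines:
        problems.append("machines list is empty")

    seen_ips = set()
    for name in machines:
        if name not in cp:
            problems.append("machine %r listed but has no [%s] section" % (name, name))
            continue
        sec = cp[name]
        for key in ("label", "platform", "ip"):
            if not sec.get(key):
                problems.append("[%s] is missing %r" % (name, key))
        platform = sec.get("platform", "")
        if platform and platform not in VALID_PLATFORMS:
            problems.append("[%s] platform %r is not supported" % (name, platform))
        ip = sec.get("ip", "")
        if ip:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append("[%s] ip %r is not a valid IP address" % (name, ip))
            else:
                if ip in seen_ips:
                    problems.append("[%s] ip %r is also used by another machine" % (name, ip))
                seen_ips.add(ip)
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    for p in validate_virtualbox_conf(text):
        print("PROBLEM:", p)
    print("done")
```

Run it with the path to cuckoo/conf/virtualbox.conf as the only argument; with no argument it checks the embedded sample. Reachability of the guest IP is deliberately left out because it depends on the VM being up; the script only catches the configuration mistakes that would otherwise surface as a failed analysis.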
Finally we can start our freshly installed Cuckoo sandbox.
  root@donkey:/home/santiago/cuckoo/cuckoo# python cuckoo.py
 
                                 _|                            
     _|_|_|  _|    _|    _|_|_|  _|  _|      _|_|      _|_|    
   _|        _|    _|  _|        _|_|      _|    _|  _|    _|  
   _|        _|    _|  _|        _|  _|    _|    _|  _|    _|  
     _|_|_|    _|_|_|    _|_|_|  _|    _|    _|_|      _|_|

  Cuckoo Sandbox 0.5  
  www.cuckoosandbox.org  
  Copyright (c) 2010-2012  
  Checking for updates...  
  Good! You have the latest version available.  
 2013-01-26 23:25:33,216 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager  
 2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s  
 2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...  

9.- Analyzing a malware sample

I decided to analyze the following malware sample: efeb717fdbb98d8043eb4c51254d9b74 (you can find the VirusTotal description here). We can use the submit.py utility for it:
 root@donkey:/home/santiago/cuckoo/cuckoo/utils# python submit.py /home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74  
 Success: File "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" added as task with ID 4  
And these are the Cuckoo logs while the malware analysis is performed:
 2013-01-26 23:34:00,275 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" (task=4)  
 2013-01-26 23:34:00,286 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/santiago/cuckoo/cuckoo/storage/binaries/8dafb21e7d106a6c98f745f30c2577ee7b0984ec7ba2c4107f7ddcd0d127baf6"  
 2013-01-26 23:34:00,304 [lib.cuckoo.core.scheduler] INFO: Task #4: acquired machine WindowsXPVM1 (label=WindowsXPVM1)  
 2013-01-26 23:34:00,312 [lib.cuckoo.core.sniffer] INFO: Started sniffer (interface=vboxnet0, host=192.168.56.101, dump path=/home/santiago/cuckoo/cuckoo/storage/analyses/4/dump.pcap)  
 2013-01-26 23:34:02,063 [lib.cuckoo.core.scheduler] INFO: Task #4: analysis procedure completed  
Then we can use the web.py Cuckoo tool to view the output of the analysis:
 root@donkey:/home/santiago/cuckoo/cuckoo/utils# python web.py   
 Bottle server starting up (using WSGIRefServer())...  
 Listening on http://0.0.0.0:8080/  
 Hit Ctrl-C to quit.  
At this point we can connect to our host with a browser at http://192.168.0.200:8080 and see our analysis report.


References

http://www.cuckoosandbox.org/
http://www.virtualbox.org/
http://www.virustotal.com/
http://blog.michaelboman.org/

Sunday, September 23, 2012

OSSIM hands-on 7: Detecting network attacks with Snort IDS

In this practical exercise we are going to analyze botnet traffic with different tools, using Snort IDS to raise alerts in OSSIM. For distributed deployments, follow these steps on your OSSIM sensor (in our case 10.0.0.31).

1.- Setting up a dummy interface in promiscuous mode

# lsmod | grep dummy (checking that dummy module is loaded)
# ifconfig dummy0 up (waking up dummy0)
# ifconfig dummy0 promisc (setting the interface to promiscuous mode)

2.- Analyzing a traffic sample with tcpdump and tshark

a) Download the traffic sample: zeus-sample-3.pcap (more samples can be found in https://www.openpacket.org)
b) tcpdump -r /root/zeus-sample-3.pcap (reading the pcap file)
c) tcpdump -s 0 -AA -r /root/zeus-sample-3.pcap (showing the packet payloads)
d) tshark -R "tcp.port==80" -r /root/zeus-sample-3.pcap (filtering port 80 traffic)
e) Filtering HTTP POST and GET methods:
# tshark -R 'http.request.method == "GET" || http.request.method == "POST"' -r /root/zeus-sample-3.pcap
 4  0.110877 192.168.3.65 -> 188.72.243.72 HTTP 229 GET /kartos/kartos.bin HTTP/1.1   
 239 30.255596 192.168.3.65 -> 188.72.243.72 HTTP 527 POST /kartos/youyou.php HTTP/1.1   
 240 30.255632 192.168.3.65 -> 188.72.243.72 HTTP 611 POST /kartos/youyou.php HTTP/1.1   
 247 30.749280 192.168.3.65 -> 188.72.243.72 HTTP 226 GET /kartos/krt.exe HTTP/1.1   
 386 33.850475 192.168.3.65 -> 188.72.243.72 HTTP 425 POST /kartos/youyou.php HTTP/1.1   
 394 35.078393 192.168.3.65 -> 188.72.243.72 HTTP 221 GET /ser.exe HTTP/1.1   
 1099 51.216823 192.168.3.65 -> 188.72.243.72 HTTP 425 POST /kartos/youyou.php HTTP/1.1  

3.- Enabling Snort plugin

a) Configure Snort to listen in dummy0 interface (using ossim-setup)
b) Enable snortunified plugin (using ossim-setup)
c) Check previous configurations in /etc/ossim/ossim_setup.conf
[sensor]
detectors=snortunified
interfaces=dummy0
d) Check that Snort process is running on dummy0 interface:
sensor1:~# ps aux | grep -i snort
 root   9247 0.0 9.9 506352 392020 ?    Ssl 20:59  0:00 /usr/sbin/snort_dummy0 -m 027 -D -d -l /var/log/snort -u root -g snort -c /etc/snort/snort.dummy0.conf -S HOME_NET=[192.168.0.0/16,172.16.0.0/12,10.0.0.0/8] -i dummy0  

4.- Configuring Snort IDS

a) Enable fast syslog output (editing /etc/snort/snort.dummy0.conf)
output alert_fast: /var/log/snort/snort.alert 
b) Check that the following rules are loaded
include $RULE_PATH/emerging-trojan.rules (or emerging_pro-trojan.rules)
include $RULE_PATH/emerging-info.rules (or emerging_pro-info.rules)
include $RULE_PATH/file-identify.rules
include $RULE_PATH/shellcode.rules
c) Restart snort process
# /etc/init.d/snort_dummy0 restart
d) Check that ossim-agent process is reading snort unified output
sensor1:~# lsof +d /var/log/snort
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
snort_dum  9247 root    4w   REG  202,1     3185 184565605 /var/log/snort/snort.alert
snort_dum  9247 root    8w   REG  202,1    48284 184565614 /var/log/snort/snort_dummy0.1348372798
ossim-age 18247 root   38r   REG  202,1    48284 184565614 /var/log/snort/snort_dummy0.1348372798

5.- Injecting the network traffic

a) Use tcpreplay to inject the network traffic (-t for top speed)
# tcpreplay -i dummy0 -t zeus-sample-3.pcap 
b) See alerts in /var/log/snort/snort.alert
 09/22-21:03:36.305795 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1033 -> 188.72.243.72:80  
 09/22-21:03:36.305834 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80  
 09/22-21:03:36.306197 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033  
 09/22-21:03:36.306197 [**] [1:15306:12] FILE-IDENTIFY Portable Executable binary file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033  
 09/22-21:03:36.314984 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80  
 09/22-21:03:36.316004 [**] [1:16435:6] FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.317775 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.317808 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341320 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341381 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341565 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80  
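The alert_fast lines above are what the OSSIM agent turns into the "Unique Events" view used in step 6. As an added example that is not part of the post, OSSIM or Snort, the script below parses that format (timestamp, generator:signature:revision, message, optional classification, priority, protocol and the two endpoints), counts events per signature the way the SIEM does, and pivots to the internal hosts involved in priority 1 alerts, which is the IP address (192.168.3.65) that step 6a searches for. The sample lines are copied from the post's output; the function names and the regular expression are my own.

```python
# Added example (not from the post, OSSIM or Snort): parse Snort alert_fast
# output and aggregate it like the SIEM "Unique Events" view.
import ipaddress
import re
from collections import Counter

# Constructed input: a subset of the alert lines shown in the post.
SAMPLE_ALERTS = [
    "09/22-21:03:36.305795 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1033 -> 188.72.243.72:80",
    "09/22-21:03:36.305834 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80",
    "09/22-21:03:36.306197 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033",
    "09/22-21:03:36.306197 [**] [1:15306:12] FILE-IDENTIFY Portable Executable binary file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033",
    "09/22-21:03:36.316004 [**] [1:16435:6] FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035",
    "09/22-21:03:36.317775 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035",
    "09/22-21:03:36.317808 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035",
    "09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80",
]

# alert_fast layout; the classification is optional (rules without a classtype
# omit it) and ports are absent for protocols such as ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not alert_fast output."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["cls"],
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def unique_events(lines):
    """(count, sid, message, priority) per signature, most frequent first."""
    counts = Counter()
    priority = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue            # skip blank or malformed lines instead of failing
        key = (a["sid"], a["msg"])
        counts[key] += 1
        priority[key] = a["priority"]
    rows = [(n, sid, msg, priority[(sid, msg)]) for (sid, msg), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def affected_internal_hosts(lines, max_priority=1):
    """RFC 1918 addresses seen on either side of alerts at or above the given priority."""
    hosts = set()
    for line in lines:
        a = parse_alert(line)
        if a is None or a["priority"] > max_priority:
            continue
        for ip in (a["src"], a["dst"]):
            if ipaddress.ip_address(ip).is_private:
                hosts.add(ip)
    return sorted(hosts)


if __name__ == "__main__":
    for count, sid, msg, prio in unique_events(SAMPLE_ALERTS):
        print("%3d  sid=%-8d prio=%d  %s" % (count, sid, prio, msg))
    print("internal hosts in priority 1 alerts:", affected_internal_hosts(SAMPLE_ALERTS))
```

To use it on the sensor, replace SAMPLE_ALERTS with the lines read from /var/log/snort/snort.alert. Because the parser keys on the signature ID rather than the message text, the counts stay stable when a rule revision reworded its message, and anything the regex rejects is skipped rather than aborting the run, which matters on a log file that Snort is still appending to.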

6.- Using the SIEM interface to analyze the attack

a) Go to Analysis -> Security Events and search for IP address 192.168.3.65 (use IDM search filters)
b) Click on Unique Events to see the different types of alerts collected




c) Check the payload of alerts with the Snort signature "ET TROJAN Zeus POST Request to CnC - URL agnostic":
POST /kartos/youyou.php
Host: ishi-bati.com



7.- Searching for the domain name in CLEAN MX database

a) Go to http://support.clean-mx.de/clean-mx/viruses.php
b) Search domain: ishi-bati.com



8.- Outcome analysis

In the results table we have a link to VirusTotal (click here for direct access), where we can download a malware sample for reverse engineering. We can also see that 25 antivirus engines out of 41 detected it as malware, most of them naming it a Zeus bot. Actually, in the latest scan, the number of engines detecting it goes up to 39.



References

http://alienvault.com
http://communities.alienvault.com
http://virustotal.com
http://support.clean-mx.de