Zen and the art of collecting and analyzing malware

Transcript
  • 1. Zen and the art of collecting and analyzing malware (CanSecWest/core06). Sascha Rommelfangen, Fred Arbogast
  • 2. Outline
    ● Introduction
    ● Setup to collect malware
    ● Statistics
    ● Analysis
    ● Live Demo
    ● Future development
      – early warning/reacting system approaches
      – interactive malware database
    ● Conclusion
  • 3. Definition of malware
    ● Umbrella term for malicious software
    ● Not to be confused with defective software
    ● Designed to infiltrate, damage, control or abuse computer systems without the owner's consent
    ● Legal vocabulary: computer contaminant
    ● Also used: scumware
    ● Worms, viruses, rootkits, spyware, adware
    Outline – Introduction – Setup to collect malware - Slide 3
  • 4. The tools used
    ● mwcollect by Georg Wicherski (http://www.mwcollect.org)
    ● Nepenthes by the nepenthes team (http://nepenthes.sourceforge.net)
    ● Focus on nepenthes, as mwcollect has merged into nepenthes
    ● The joint effort will result in a more powerful tool
  • 5. Things both tools have in common
    ● "Low interaction" honeypots
    ● Passive: catching autonomously spreading malware
    ● Running in non-native environments
    ● Simulating network services
      – mwcollect: vulnerable built-in services
      – nepenthes: additionally pre-infected services (backdoors left behind by other malware)
    ● Acting upon exploitation attempts: downloading the malware
    ● Both tools are Free and Open Source software
  • 6. Tools - nepenthes
    ● Emulates native and non-native vulnerabilities
    ● Modular: know a new exploit, add it as a module
    ● Support for geolocation information
    ● Support for submitting malware and additional information
      – to other instances of nepenthes (distributed installation)
      – via XML-RPC
  • 7. Vulnerabilities (emulated service and the TCP/UDP port it listens on)
    ● Native vulnerabilities (Windows services):
      – RPC-DCOM (135, 139, 445, 593)
      – LSASS (445)
      – WINS (42)
      – MSSQL (1434)
      – ASN.1 library in IIS, SMB (80 and 445)
      – IIS (443)
      – NetDDE (139)
      – Message queueing (2103, 2105, 2107)
      – UPNP (5000)
    ● 3rd-party vulnerabilities (backdoors of malware already on the host):
      – Kuang2 (17300)
      – Mydoom (3127)
      – Bagle (2745)
      – sasser_ftp (5554, 1023)
      – Sub7 (27374)
  • 8. Nepenthes information flow - modules/handlers
    Socket -> Vulnerability module -> shellcode-handler -> Download-handler (download-http, download-ftp, download-tftp) -> Submit-handlers (submit-file, submit-nepenthes, submit-xmlrpc, submit-norman)
    Side lookups on the IP info: DNS handler, Geolookup-handler
  • 9. Categories of modules/handlers (1)
    ● Vulnerability module
      – Different modules for simulating the vulnerabilities
    ● Shellcode-handler
      – One module per shellcode
      – Common Shellcode Naming Initiative
  • 10. Nepenthes information flow (log excerpt: socket accept and vulnerability module)
    [28032006 16:36:25 spam net handler] Socket TCP (accept) 212.30.152.173:2478 -> 212.110.251.73:139 clearing DialogueList (2 entries)
    [28032006 16:36:25 warn module] Unknown NETDDE exploit 72 bytes State 1
    [28032006 16:36:25 module] =--------[ /var/log/nepenthes/hexdumps/3ebe8b34fd5d14e4f450c599b26ed6df.bin ]---------=
  • 11. Nepenthes information flow (log excerpt: the vulnerability module hands the session to the SMB dialogue)
    [28032006 16:36:25 debug dia] Got ASN1 SMB exploit Stage #1(137)
    [28032006 16:36:25 debug net handler] giving data to SMBDialogue
  • 12. Categories of modules/handlers (2)
    ● Geolocation-handler (some alternatives)
      – Resolves an IP address to location information
    ● DNS-handler
      – Delivers the resolved domain name
    ● Download-handler
      – Downloads through curl: provides the http and ftp protocols
      – Download ftp: needed because curl does not behave like the messy Microsoft FTP client that the malware's FTP servers expect; netcat does the job
  • 13. Categories of modules/handlers (3)
    ● Download-handler continued
      – Download tftp
        ● Support for the tftp protocol
        ● Max file size 4 MB
        ● Cannot handle DNS for the moment
      – Download nepenthes
        ● Listens for file transfers from other nepenthes agents
        ● Port can be set in the config file
        ● Transfer is simple and bandwidth-optimised
  • 14. Nepenthes information flow (log excerpt: geolocation lookup of the download source)
    [28032006 16:36:31 debug spam fixme] <in virtual bool nepenthes::GeoLocationManager::addGeoLocation(nepenthes::GeoLocationCallback*, unsigned int, void*)>
    [28032006 16:36:31 debug spam fixme] Adding 808f4c8 212.120.228.59 80f7620 to geolookup
  • 15. Nepenthes information flow (log excerpt: the download handler fetches the file and the submit manager types it)
    [28032006 16:36:31 spam net handler] <in virtual int32_t nepenthes::TCPSocket::doRecv()>
    [28032006 16:36:31 spam mgr event] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
    [28032006 16:36:31 spam net handler] doRecv() 1460
    [28032006 16:36:31 info down handler dia] Downloaded file tftp://212.120.228.59/service.exe 229376 bytes
    [28032006 16:36:31 spam mgr submit] Download has flags 0
    [28032006 16:36:31 info mgr submit] File dd3e4c7c94614a059263a219ff1b1339 has type MS-DOS executable (EXE), OS/2 or MS Windows
  • 16. Categories of modules/handlers (4)
    ● Submit-handlers
      – submit-file: dumps the sample to a file on the HDD
      – submit-nepenthes: submits information to a central server (currently receiving from the Telecom Italia Early Warning Team)
      – submit-norman: submits the file to the Norman sandbox
      – submit-xmlrpc: submits information to applications outside nepenthes
  • 17. Nepenthes information flow (log excerpt: submit-file writes the sample, named by its MD5, to disk)
    [28032006 16:36:31 debug handler submit] wrote file /var/log/nepenthes/binaries/dd3e4c7c94614a059263a219ff1b1339 229376 to disk
  • 18. Nepenthes information flow (log excerpt: submit-xmlrpc posts the session to the collection server)
    [28032006 16:36:31 spam down mgr] SENDING POST /nepenthes/server.php HTTP/1.0
    Host: localhost
    Accept: */*
    Accept-Encoding: deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Connection: close
    Content-Length: 392

    <methodCall><methodName>init_session</methodName> .....
  • 19. Nepenthes information flow (log excerpt: submit-norman hands the download to the Norman sandbox submitter)
    [28032006 16:36:31 debug spam fixme] <in virtual void nepenthes::SubmitNorman::Submit(nepenthes::Download*)>
    [28032006 16:36:31 debug spam fixme] <in virtual uint32_t nepenthes::SubmitNorman::handleEvent(nepenthes::Event*)>
  • 20. Additional information collected
    ● Extension to nepenthes - stored in a database
      – Platform information (p0f-sql): a p0f hack that submits the passive OS fingerprint of the attacker into the DB
      – Results of 4 AV products on the local machine (extendable; signatures updated hourly)
      – 24 AV results from VirusTotal (added later)
      – 2 sandbox results: submitted to http://sandbox.norman.no and to our own POC sandbox (added later)
  • 21. Full information set collected
    ● Various static analysis: file, upx, hexdump, strings, objdump
    ● Number of hits
    ● First/last seen
    ● Number/names of recognized viruses (per scanner)
    ● Sandbox results
    ● Hex-dump of the file (browseable)
    ● IP/URL from where it was fetched
    ● System (attacker platform, from p0f)
    ● Latitude, Longitude, Country, City
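The log excerpts on slides 10 to 19 and the "number of hits", "first/last seen" and "IP/URL from where fetched" fields on slides 20 and 21 describe one pipeline: nepenthes emits a line per stage, and the database collapses downloads into unique samples. The Python below is an added example (not nepenthes code and not the authors' collection scripts) that parses those lines into per-download records and summarises them per MD5. The first eight log lines are the ones on the slides; the last four are constructed to show a second download of the same binary. The rule "the most recently accepted connection owns the next download" is an assumption that simplifies a real sensor, where connections interleave and correlation has to go through the dialogue/socket.

```python
"""Turn nepenthes log lines into per-download records and a per-sample summary.

Added example; not code from nepenthes or from the CanSecWest talk's pipeline.
Lines 1-8 of SAMPLE_LOG are copied from the slides, lines 9-12 are constructed.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
[28032006 16:36:25 spam net handler] Socket TCP (accept) 212.30.152.173:2478 -> 212.110.251.73:139 clearing DialogueList (2 entries)
[28032006 16:36:25 warn module] Unknown NETDDE exploit 72 bytes State 1
[28032006 16:36:25 module] =--------[ /var/log/nepenthes/hexdumps/3ebe8b34fd5d14e4f450c599b26ed6df.bin ]---------=
[28032006 16:36:25 debug dia] Got ASN1 SMB exploit Stage #1(137)
[28032006 16:36:25 debug net handler] giving data to SMBDialogue
[28032006 16:36:31 info down handler dia] Downloaded file tftp://212.120.228.59/service.exe 229376 bytes
[28032006 16:36:31 info mgr submit] File dd3e4c7c94614a059263a219ff1b1339 has type MS-DOS executable (EXE), OS/2 or MS Windows
[28032006 16:36:31 debug handler submit] wrote file /var/log/nepenthes/binaries/dd3e4c7c94614a059263a219ff1b1339 229376 to disk
[28032006 17:02:10 spam net handler] Socket TCP (accept) 10.9.8.7:1122 -> 212.110.251.73:445 clearing DialogueList (1 entries)
[28032006 17:02:11 debug dia] Got ASN1 SMB exploit Stage #1(137)
[28032006 17:02:14 info down handler dia] Downloaded file tftp://10.9.8.7/service.exe 229376 bytes
[28032006 17:02:14 info mgr submit] File dd3e4c7c94614a059263a219ff1b1339 has type MS-DOS executable (EXE), OS/2 or MS Windows
"""

# "[ddmmyyyy HH:MM:SS channel] message"; continuation lines (XML-RPC body) lack the prefix
LINE_RE = re.compile(r"^\[(\d{8} \d{2}:\d{2}:\d{2}) ([^\]]+)\] (.*)$")
ACCEPT_RE = re.compile(r"Socket TCP \(accept\) (\S+):(\d+) -> (\S+):(\d+)")
EXPLOIT_RE = re.compile(r"(?:Unknown|Got) (\S+(?: \S+)?) exploit")
DOWNLOAD_RE = re.compile(r"Downloaded file (\S+) (\d+) bytes")
TYPE_RE = re.compile(r"File ([0-9a-f]{32}) has type (.+)$")
WROTE_RE = re.compile(r"wrote file (\S+) (\d+) to disk")


def parse_log(text):
    """Return one record per 'Downloaded file' line, enriched from the surrounding lines."""
    events, conn, pending = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        when, msg = datetime.strptime(m.group(1), "%d%m%Y %H:%M:%S"), m.group(3)
        if (a := ACCEPT_RE.search(msg)):
            # assumption: the last accepted connection is the one the next download belongs to
            conn = {"attacker": a.group(1), "victim_port": int(a.group(4)), "exploits": []}
        elif (e := EXPLOIT_RE.search(msg)) and conn:
            conn["exploits"].append(e.group(1))
        elif (d := DOWNLOAD_RE.search(msg)):
            pending = {
                "time": when, "url": d.group(1), "size": int(d.group(2)),
                "attacker": conn["attacker"] if conn else None,
                "victim_port": conn["victim_port"] if conn else None,
                "exploits": list(conn["exploits"]) if conn else [],
                "md5": None, "type": None, "path": None,
            }
            events.append(pending)
        elif (t := TYPE_RE.search(msg)) and pending:
            pending["md5"], pending["type"] = t.group(1), t.group(2)
        elif (w := WROTE_RE.search(msg)) and pending:
            pending["path"] = w.group(1)
            pending = None  # record complete
    return events


def summarize(events):
    """Collapse downloads into unique samples: hits, first/last seen, sources, attackers."""
    samples = {}
    for ev in events:
        if ev["md5"] is None:
            continue  # transfer that never produced a hashed file
        s = samples.setdefault(ev["md5"], {
            "hits": 0, "first_seen": ev["time"], "last_seen": ev["time"],
            "type": ev["type"], "size": ev["size"], "sources": set(), "attackers": set(),
        })
        s["hits"] += 1
        s["first_seen"] = min(s["first_seen"], ev["time"])
        s["last_seen"] = max(s["last_seen"], ev["time"])
        s["sources"].add(ev["url"])
        if ev["attacker"]:
            s["attackers"].add(ev["attacker"])
    return samples


if __name__ == "__main__":
    for md5, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(md5, s["hits"], s["first_seen"], s["last_seen"], sorted(s["sources"]))
```

The per-sample rows are exactly what slide 21 lists (hits, first/last seen, fetch URL); the attacker and download-source sets are what the slide-43 exports for firewalls and proxies would be built from.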
  • 22. Setup to collect malware - flow
    Nepenthes: download request -> file storage; XML-RPC -> CSRRT script
    CSRRT script: GeoIP lookup, Norman sandbox submission, own sandbox, virus scan, p0f -> Database
    Database: periodic submissions to VirusTotal; consumers: web application, Unix tools, external apps (e.g. Malware database)
  • 28. Statistics
    ● "There are three kinds of lies: lies, damned lies, and statistics." Benjamin Disraeli (1804 - 1881)
    ● 1st set, collected with mwcollect:
      – Approx. 600,000 files (9.2 GB)
      – 542 unique (80 MB)
      – 529 executables: 503 MS-Windows executables, 26 MS-DOS executables
      – File length: 100 to 1,145,856 bytes
      – Time frame: 6 weeks (April - June 2005)
  • 29. Statistics
    ● 1st set continued
      – 52% of the files were detected by all 4 virus scanners
      – 17% only by 3 virus scanners
      – 25% only by 2 virus scanners
      – 3% only by 1 virus scanner
      – 2% were defective
    ● When scanning the files again later, some were detected as Zotob, although no Zotob signature existed during the collection period
      ● false positive?
      ● test run?
  • 30. Statistics
    ● 2nd set, collected with nepenthes:
      ● 2,079 unique files
      ● 209,327 malware downloads completed
      ● 13% using anti-debug/emulation techniques
      ● 1,852 MS-Windows executables
      ● 227 MS-DOS executables
      ● File length: 1,024 – 1,323,222 (1.3 MB) bytes
      ● Time frame: December 2005 – March 2006
  • 31. Statistics
    ● Result of immediate scan: virus scan directly after reception, with up-to-date signatures:
      ● 69.5% Norman Sandbox
      ● 68.5% BitDefender
      ● 58.0% Antivir
      ● 49.5% F-Prot
      ● 31.8% ClamAV
    ● Are signature-based systems really future-proof?
  • 32. Statistics
    ● Results of re-scan (detection rate per product, sorted):
      – 96.1% Panda
      – 91.2% Norman
      – 85.9% Antivir
      – 85.9% Avira
      – 85.1% Kaspersky
      – 84.7% DrWeb
      – 84.5% Fortinet
      – 83.9% McAfee
      – 83.8% BitDefender
      – 80.4% VBA32
      – 80.1% CAT-QuickHeal
      – 79.8% NOD32v2
      – 78.9% UNA
      – 77.2% AVG
      – 76.3% Symantec
      – 75.7% Ewido
      – 72.4% F-Prot
      – 65.9% Sophos
      – 65.1% TheHacker
      – 64.1% Ikarus
      – 57.2% eTrust-Inoculate
      – 54.3% Avast
      – 50.7% ClamAV
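Slides 29, 31 and 32 report three views of the same scan matrix: how many scanners flagged each file, what share of files each scanner flagged, and how much a later re-scan recovers. The Python below is an added example (not the authors' scripts) that computes those views from a scan matrix; the sample names, the four-scanner set and all results are constructed, so the percentages are illustrative rather than the talk's numbers.

```python
"""Detection coverage across several scanners, in the shape of the talk's statistics.

Added example; INITIAL and RESCAN are constructed data, not the authors' measurements.
"""
from collections import Counter

SCANNERS = ("Antivir", "BitDefender", "ClamAV", "F-Prot")

# constructed: sample -> scanners that flagged it right after reception
INITIAL = {
    "sample01": {"Antivir", "BitDefender", "ClamAV", "F-Prot"},
    "sample02": {"Antivir", "BitDefender", "ClamAV", "F-Prot"},
    "sample03": {"Antivir", "BitDefender", "F-Prot"},
    "sample04": {"Antivir", "BitDefender"},
    "sample05": {"BitDefender", "F-Prot"},
    "sample06": {"Antivir"},
    "sample07": set(),
    "sample08": {"Antivir", "BitDefender", "ClamAV", "F-Prot"},
}

# constructed: the same files re-scanned after a later signature update
RESCAN = {name: set(hits) for name, hits in INITIAL.items()}
RESCAN["sample03"].add("ClamAV")
RESCAN["sample04"].add("ClamAV")
RESCAN["sample07"].update({"ClamAV", "Antivir"})


def pct(n, total):
    """Percentage rounded to one decimal, as on the slides."""
    return round(100.0 * n / total, 1) if total else 0.0


def detection_rate(results, scanners=SCANNERS):
    """Per-scanner share of samples flagged (the slide 31/32 style numbers)."""
    return {s: pct(sum(1 for hits in results.values() if s in hits), len(results)) for s in scanners}


def coverage_histogram(results, scanners=SCANNERS):
    """Share of samples flagged by exactly k scanners, k = 0..len(scanners) (slide 29 style)."""
    counts = Counter(len(hits & set(scanners)) for hits in results.values())
    return {k: pct(counts.get(k, 0), len(results)) for k in range(len(scanners) + 1)}


def undetected(results, scanners=SCANNERS):
    """Samples no scanner flagged: the gap that signatures alone leave at reception time."""
    return sorted(name for name, hits in results.items() if not hits & set(scanners))


def rescan_gain(initial, rescan, scanner):
    """Samples a scanner missed at reception but flags after the signature update."""
    return sorted(name for name in initial
                  if scanner not in initial[name] and scanner in rescan.get(name, set()))


if __name__ == "__main__":
    print("immediate:", detection_rate(INITIAL))
    print("by k scanners:", coverage_histogram(INITIAL))
    print("missed by all:", undetected(INITIAL))
    print("ClamAV re-scan gain:", rescan_gain(INITIAL, RESCAN, "ClamAV"))
    print("re-scan:", detection_rate(RESCAN))
```

The undetected() list is the operationally interesting one: those are the files a sensor saw in the wild before any of the local scanners had a signature, which is what the "future-proof?" question on slide 31 is about.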
  • 33. Statistics: Packing/Encrypting statistics using bzip2 (chart)
  • 34. Statistics: Packing/Encrypting statistics (chart)
  • 35. Analyzing malware - side-effects
    ● Malware hides from the analyzer and obfuscates its techniques
    ● Automated processes are not 100% reliable: anti-virus products, current sandbox techniques
    ● Last resort: manual investigation
      – Disassembler, debugger, file monitors, registry monitors, virtual machines
      – Very time-consuming and/or requires high skills
  • 36. Ways to fool the analyzer
    ● Modified binary
      – (multiple) packing
      – encrypting
      – header crippling
    ● Test for the presence of a debugger/disassembler/VM
      – SoftICE, OllyDbg, breakpoints, VMware, ...
      – http://www.honeynet.org/papers/bots/botnet-code.html
    ● Usage of file droppers
      – The dropper downloads the malware and executes it
      – The malware makes use of other malware already downloaded (e.g. browser hijacker vmmon32.exe)
  • 37. Automated analysis
    ● VirusTotal:
      – Free service scanning files with 24 AV products
      – Submits samples to AV vendors by default
      – Automated submission through extensions
      – VirusTotal sends back a mail with the report
      – Most of the time at least one AV product finds the malware
      – Cooperative about extending the results (e.g. XML, more details, ...)
      – Negative point: slow; agreed on a 60 s interval when sending all files (more resources to be added in the future)
  • 38. Automated analysis
    ● Norman sandbox:
      – APIs simulating a Windows computer
      – Some of the APIs simulate network/Internet connectivity
      – Automated submission through nepenthes
      – The sandbox sends back a mail with the report
      – Negative points:
        ● Often not working because of a filled-up mail queue; necessity to resubmit
        ● Often trapped by anti-debug code
        ● You have to trust the output!
  • 39. Norman output
    Googlesetup.exe : [SANDBOX] contains a security risk - W32/Spybot.gen3 (Signature: W32/Spybot.AHWZ)
    [ General information ]
     * **Locates window "NULL [class mIRC]" on desktop.
     * File length: 133120 bytes.
     * MD5 hash: df2eaaf757053a4a0209c4668efd8d1c.
    [ Changes to filesystem ]
     * Creates file C:\WINDOWS\SYSTEM32\Googlesetup.exe.
     * Deletes file 1.
    [ Changes to registry ]
     * Creates value "Google service"="Googlesetup.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    [...]
    [ Network services ]
     * Looks for an Internet connection.
     * Connects to "der.ifconfig.us" on port 7000 (TCP).
     * Connects to IRC Server.
    [ Signature Scanning ]
     * C:\WINDOWS\SYSTEM32\Googlesetup.exe (133120 bytes) : W32/Spybot.AHWZ.
  • 40. Automated analysis using wine (1)
    ● wine as a (cheap) sandbox approach
      – Why?
        ● Signatures suck
        ● wine executed 72% of 2199 malware files
      – How?
        ● Compare the .wine directory with an unmodified one
        ● Use debug and trace messages from wine
        ● Create a report from what is known (~signature)
      – Security?
        ● An outbreak is possible: an assembler routine in the .text section of the Windows executable can execute Linux system calls via int 80h, so wine is not a security boundary
        ● We were using user-mode-linux
  • 41. Automated analysis using wine (2) - flow
    Nepenthes -> download request -> XML-RPC -> Database -> malware -> user-mode-linux (wine) -> Report engine
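The "compare the .wine directory with an unmodified one" step on slide 40 is a filesystem diff plus a handful of rules that turn raw changes into report lines like the ones in the Norman output on slide 39. The Python below is an added example (not the authors' report engine): it snapshots every file under a prefix as (size, SHA-256), diffs two snapshots, pulls autostart values out of the Run key, and classifies the result with hypothetical rules. demo() builds a tiny constructed prefix in a temp directory and replays by hand the side effects the Norman report attributes to Googlesetup.exe, so it runs offline without wine. It assumes wine's text .reg format (HKLM in system.reg, key headers in brackets with doubled backslashes). As the slide says, run the real thing only inside user-mode-linux or a VM.

```python
"""Filesystem diff of a wine prefix around a sample run, plus Run-key extraction.

Added example, not the authors' report engine. demo() uses a constructed prefix.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# wine stores registry keys as "[Software\\Microsoft\\...] <timestamp>" (backslashes doubled)
RUN_KEY = "[Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run]"


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file below root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (p.stat().st_size, hashlib.sha256(p.read_bytes()).hexdigest())
        for p in root.rglob("*") if p.is_file() and not p.is_symlink()
    }


def diff_snapshots(before, after):
    """Added, deleted and modified paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def run_key_entries(reg_text):
    """Values under the Run key of a wine .reg file ('"name"="value"' lines after the key header)."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.split("]", 1)[0].lower() + "]" == RUN_KEY.lower()
        elif in_run and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            entries[name.strip().strip('"')] = value.strip().strip('"')
    return entries


def classify(changes, run_entries):
    """Hypothetical rules turning raw changes into report lines (the '~signature' step)."""
    verdicts = [f"drops executable into system32: {p}" for p in changes["added"]
                if p.startswith("drive_c/windows/system32/") and p.lower().endswith(".exe")]
    if "system.reg" in changes["modified"]:
        verdicts.append("modifies HKLM (system.reg)")
    verdicts += [f"autostart via Run key: {name}={value}" for name, value in run_entries.items()]
    return verdicts


def demo():
    """Constructed prefix: snapshot, replay the sample's side effects, snapshot, diff, classify."""
    tmp = Path(tempfile.mkdtemp())
    try:
        prefix = tmp / "wine-prefix"
        sys32 = prefix / "drive_c/windows/system32"
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"MZ stub, constructed")
        header = "[Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run] 1143560191\n"
        (prefix / "system.reg").write_text(header)
        before = snapshot(prefix)
        # what the Norman report attributes to Googlesetup.exe, replayed by hand
        (sys32 / "Googlesetup.exe").write_bytes(b"MZ dropped, constructed")
        (prefix / "system.reg").write_text(header + '"Google service"="Googlesetup.exe"\n')
        after = snapshot(prefix)
        changes = diff_snapshots(before, after)
        run_entries = run_key_entries((prefix / "system.reg").read_text())
        return {**changes, "run_entries": run_entries, "verdicts": classify(changes, run_entries)}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for line in demo()["verdicts"]:
        print(line)
```

Hashing rather than comparing mtimes is deliberate: a sample that rewrites a file with identical content, or touches timestamps to hide, still shows up only when the bytes differ, which is the change an analyst cares about.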
  • 42. Live Demonstration
    ● http://nepenthes.csrrt.org:10080/nepenthes/
  • 43. Developments and future steps (1)
    ● Early warning / reacting system (implemented so far)
      – Monitoring and visualization of outbreak waves
      – Live export of the most common attacker IP list, to be imported into firewalls, IDS, ...
      – Live export of the most common download locations, to be imported into proxies, firewalls, IDS
      – Company-wide hash scan with EnCase
    ● Better virus scanner comparison
      – Automatic re-scan of the malware files with each signature update (partly implemented)
  • 44. Developments and future steps (2)
    ● Automated analysis:
      – Enhance the wine sandbox results by rewriting DLLs to log even more
      – Also very interesting: a diploma project about automated behaviour analysis, an extensive API-hooking approach (http://pi1.informatik.uni-mannheim.de/diplomas/show/59)
    ● MalwareDB
      – A research database for preserving malicious computer programs
  • 45. Introduction to MalwareDB
    – "Fred, where is the DVD with the malware collected in January?"
    – "Somewhere on my desk? ... I was sure that it was lying on my desk..."
    – "I really need that to test something..."
    ● MalwareDB scope
      – Simple storage mechanism to archive malware
      – Easy way to tag and classify the malware
      – Multiple interfaces to query and get the malware
      – Not a signature databas