All Entries Tagged With: "Malware"
Your 5-Step Malware-Analysis Toolkit
From http://www.campustechnology.com By Lenny Zeltser
A large number of computer intrusions involve some form of malicious software (malware), which finds its way to the victim’s workstation or to a server. When investigating the incident, the IT responder typically seeks to answer questions such as: What actions can the malware specimen perform on the system? How does it spread? How, if at all, does it maintain contact with the attacker? These questions can all be answered by analyzing the offending malware in a controlled environment.
A simple analysis toolkit, built from free and readily available software, can help you and your IT team develop the skills critical to responding to today’s security incidents. The steps below will help get you started. We’ll focus on malware analysis in a Windows environment, since that platform is particularly popular among malware authors.
Step 1: Allocate physical or virtual systems for the analysis lab
A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. This requires a laboratory system you can infect without affecting your production environment.
The most popular and flexible way to set up such a lab system involves virtualization software, which allows you to use a single physical computer for hosting multiple virtual systems, each running a potentially different operating system. Free virtualization software options include:
Running multiple virtual systems simultaneously on a single physical computer is useful for analyzing malware that seeks to interact with other systems, perhaps for leaking data, obtaining instructions from the attacker, or upgrading itself. Virtualization makes it easy to set up and use such systems without procuring numerous physical boxes.
Another useful feature of many virtualization tools is the ability to take instantaneous snapshots of the laboratory system. This way, you can record the state of the system before you infect it, and revert to the pristine environment with a click of a button at the end of your analysis.
If using virtualization software, install as much RAM into the physical system as you can, as the availability of memory is arguably the most important performance factor for virtualization tools. In addition, having a large hard drive will allow you to host many virtual machines, whose virtual file systems typically are stored as files on the physical system’s hard drive.
Take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape.
Because malware may detect that it’s running in a virtualized environment, some analysts prefer to rely on physical, rather than virtual, machines for implementing laboratory systems. Your old and unused PCs or servers can make excellent systems for your malware-analysis lab, which usually doesn’t need high-performing CPUs or highly redundant hardware components.
To allow malware to reach its full potential in the lab, laboratory systems typically are networked with each other. This helps you observe the malicious program’s network interactions. If using physical systems, you can connect them with each other using an inexpensive hub or a switch.
Step 2: Isolate laboratory systems from the production environment
You must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape. You can separate the laboratory network from production using a firewall. Better yet, don’t connect laboratory and production networks at all, to avoid firewall configuration issues that might allow malware to bypass filtering restrictions.
If your laboratory network is strongly isolated, you can use removable media to bring tools and malware into the lab. It’s best to use write-once media, such as CDs, to prevent malicious software from escaping the lab’s confines by writing itself to a USB key. If using a USB key, which is more convenient than a CD, get a model that includes a physical write-protect switch.
Some malware-analysis scenarios benefit from the lab being connected to the internet. Avoid using the production network for such connectivity. If possible, provision a separate, and usually inexpensive, internet connection, perhaps by dedicating a DSL line to this purpose. Avoid keeping the lab connected to the internet all the time to minimize the chance of malware in your lab attacking someone else’s system on the internet.
If virtualizing your lab, be sure to keep up with security patches released by the virtualization-software vendor. Such software may have vulnerabilities that could allow malware to escape from the virtual system you infected and onto the physical host. Furthermore, don’t use the physical machine that’s hosting your virtualized lab for any other purpose.
Step 3: Install behavioral analysis tools
Before you’re ready to infect your laboratory system with the malware specimen, you need to install and activate the appropriate monitoring tools. Free utilities that will let you observe how Windows malware interacts with its environment include:
- File system and registry monitoring: Process Monitor and Capture BAT offer a powerful way to observe in real time how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed into the system upon infection.
- Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager, helping you observe malicious processes, including local network ports they may attempt to open.
- Network monitoring: Wireshark and SmartSniff are network sniffers, which can observe laboratory network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic, or downloads.
- Change detection: Regshot is a lightweight tool for comparing the system’s state before and after the infection, to highlight the key changes malware made to the file system and the registry.
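The change-detection idea behind Regshot, written out as an added example (not code from the article or from the Regshot project): snapshot every file under a root as (size, SHA-256), take a second snapshot after the "infection", and diff the two. The sample tree and the simulated changes (a dropped executable, an edited hosts file, a deleted document) are constructed in a temporary directory so the script runs offline; a real lab run would snapshot the system drive and, on Windows, the registry hives as well.

```python
"""Regshot-style change detection for a directory tree (added example)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to (size, sha256 hex)."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Return the added, removed and modified paths between two snapshots, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    """Write `data` to root/rel, creating parent directories as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed 'clean' tree, simulate an infection, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed pre-infection state (placeholder contents, not real system files)
        _write(root, "Windows/System32/hosts", b"127.0.0.1 localhost\n")
        _write(root, "Windows/notepad.exe", b"MZ-placeholder")
        _write(root, "Users/victim/Desktop/readme.txt", b"hello")
        before = snapshot(root)

        # Constructed "infection": a dropped file, a modified hosts file, a deleted document
        _write(root, "Windows/System32/svchost32.exe", b"MZ-dropped-placeholder")
        _write(root, "Windows/System32/hosts",
               b"127.0.0.1 localhost\n0.0.0.0 update.example\n")
        os.remove(os.path.join(root, "Users", "victim", "Desktop", "readme.txt"))
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than relying on modification times matters here: malware that rewrites a file and restores its timestamp still changes the digest, while a large tree that is only read leaves the snapshot identical.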
Behavioral monitoring tools can give you a sense for the key capabilities of malicious software. For further details about its characteristics, you may need to roll up your sleeves and perform some code analysis.
Step 4: Install code-analysis tools
Examining the code that comprises the specimen helps uncover characteristics that may be difficult to obtain through behavioral analysis. In the case of a malicious executable, you rarely will have the luxury of access to the source code from which it was created. Fortunately, the following free tools can help you reverse compiled Windows executables:
- Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse compiled Windows executables and, acting as disassemblers, display their code as Intel x86 assembly instructions. These tools also have debugging capabilities, which allow you to execute the most interesting parts of the malicious program slowly and under highly controlled conditions, so you can better understand the purpose of the code.
- Memory dumper: LordPE and OllyDump help obtain protected code located in the lab system’s memory and dump it to a file. This technique is particularly useful when analyzing packed executables, which are difficult to disassemble because they encode or encrypt their instructions, extracting them into RAM only during run-time.
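A quick way to tell whether a specimen is packed before reaching for a memory dumper is to measure the entropy of its PE sections: compressed or encrypted section bodies approach 8 bits per byte, while plain x86 code sits well below that. The script below is an added example, not code from the article or from any of the tools it names; it parses the PE/COFF section table and computes Shannon entropy per section. Because no real sample can ship with it, it constructs a minimal two-section PE inline (a repetitive `.text` section and a pseudo-random `UPX1` section); the 7.0 bits/byte cutoff is an assumed triage threshold, not a documented constant.

```python
"""Packed-executable triage by PE section entropy (added example)."""
import hashlib
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed triage cutoff, tune against your own corpus


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def pe_sections(image):
    """Yield (section_name, raw_bytes) for each section listed in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def triage(image):
    """Return {section_name: (entropy_rounded, looks_packed)} for every section."""
    result = {}
    for name, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        result[name] = (round(ent, 2), ent >= ENTROPY_THRESHOLD)
    return result


def build_sample_pe():
    """Construct a minimal PE: low-entropy .text plus a high-entropy UPX1 section."""
    text = b"\x55\x89\xe5\x83\xec\x10\x31\xc0\xc9\xc3" * 100  # repeated prologue/epilogue bytes
    packed, seed = b"", b"constructed-sample"
    while len(packed) < 4096:  # deterministic pseudo-random bytes stand in for compressed code
        seed = hashlib.sha256(seed).digest()
        packed += seed
    sections = [(b".text", text), (b"UPX1", packed)]
    headers_size = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)       # PE32 magic, rest zeroed
    table, raw_ptr = b"", headers_size
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        table += struct.pack("<8sIIIIIIHHI", name, len(data), raw_ptr, len(data), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (headers_size - len(image))
    for _name, data in sections:
        image += data
    return image


if __name__ == "__main__":
    for name, (ent, packed) in triage(build_sample_pe()).items():
        print(f"{name:8s} entropy={ent:.2f} packed={packed}")
```

On a real specimen the same function runs over the file bytes; a high-entropy section paired with a tiny import table is the usual signal that the code you want to disassemble only exists once the unpacking stub has run, which is exactly when LordPE or OllyDump earn their keep.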
Step 5: Utilize online analysis tools
To round off your malware-analysis toolkit, add to it some freely available online tools that may assist with the reverse engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These applications look similar at first glance, but use different technologies on the back end. Consider submitting your malware specimen to several of these sites; depending on the specimen, some sites will be more effective than others. Such tools include:
Another set of potentially useful online tools provides details about websites that are suspected of hosting malicious code. Some of these tools examine the sites you specify in real time; others provide historical information. Consider submitting a suspicious URL to several of these sites, because each may offer a slightly different perspective on the website in question:
- Real-time threat assessment: Finjan URL Analysis, McAfee SiteAdvisor, and Wepawet
- Historical reputation data: Norton Safe Web and WOT (Web of Trust)
Next Steps
With your initial toolkit assembled, start experimenting in the lab with malware you come across on the web, in your e-mail box, on your systems, and so on. You may find this one-page cheat sheet convenient.
Begin analysis with the tools and approaches most familiar to you. Then, as you become more familiar with the inner workings of the malware specimen, venture out of your comfort zone to try other tools and techniques. The tools I’ve listed within each step operate virtually identically. Since they’re all free, you should feel free to try them all. You’ll find that one tool will work better than another, depending on the situation. And with time, patience, and practice, you will learn to turn malware inside out.
Malware that operates as a Firefox extension
Here’s a good overview of malware that operates as a Firefox extension. The PDF is by Symantec via Lenny Zeltser.
Firefox Malware (PDF)
Mass Malware Analysis: A Do-It-Yourself Kit
Theory, practice and a construction manual for an automated analysis station for malware using trivial and free instruments.
Publication Date: October, 14th 2009
Author: Christian Wojner
Original posted here.
Content
This paper outlines the relevant steps to build a customizable automated malware analysis station using only freely available components, with the exception of the target OS (Windows XP) itself. A special focus lies on handling a huge number of malware samples and on the actual implementation at CERT.at. The primary goal is that the reader of this paper should be able to build up her own specific installation and configuration while remaining free in her decision which components to use.
The first part of this document covers all the theoretical, strategic and methodological aspects. The second part focuses on the practical aspects by diving into CERT.at’s automated malware analysis station, closing with an easy-to-follow step-by-step tutorial on how to build CERT.at’s implementation for your own use. So feel free to skip parts.
Mass Malware Analysis PDF
Deactivating the Rootkit
Title: Deactivate the Rootkit from Core Security’s Core Labs
Authors: Anibal Sacco and Alfredo Ortega
In: Black Hat Briefings 2009 USA. Las Vegas, NE. July 30
Date published: 2009-07-30
Keywords: rootkit BIOS malware computrace
Abstract
This is a report on our research into anti-theft technologies utilized in the PC BIOS. In particular, we have analyzed the Computrace BIOS agent and documented some design vulnerabilities that allow the agent’s reporting address to be controlled.
Additionally, we outline an experimental method for resetting the permanent activation/deactivation capability of the persistent agent in the BIOS to the default factory settings. We show that the software mechanisms protecting the agent embedded in the BIOS from tampering and re-flashing are insufficient to prevent malicious attacks when digitally signed BIOS updates are not enforced by the manufacturers, as is the case in computers deployed globally as of 2009.
As a result, the anti-theft agent allows a highly persistent and stealthy form of rootkit that can re-utilize many existing features pre-installed in the BIOS firmware and can survive operating system reinstallation and hard disk wiping or replacement.
Several tools are provided to identify and mitigate the risk posed by this BIOS firmware.
To determine whether the agent is embedded in the BIOS of a computer, we provide a small Python program that dumps the BIOS firmware to disk and searches the Option ROM code for the CompuTrace agent. The program runs on Linux and requires three Linux utilities (flashrom, upx, dmidecode) to be installed on the system.
Another Python program can be used to redirect the outbound HTTP connection of the agent to a monitoring web server.
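The "search the Option ROM code" step can be illustrated independently of the Core Labs scripts. The following is an added example, not dumpComputrace.py or any other Core Security code: it walks a flash image for legacy Option ROM headers (`0x55 0xAA` followed by the ROM length in 512-byte units), reads the vendor and device IDs from the PCI Data Structure (`PCIR`) where one is present, and reports which ROM bodies contain a given ASCII marker. The flash image, the two ROMs in it and the marker string `AGENT_SIGNATURE_PLACEHOLDER` are all constructed; no real agent signature is reproduced here, so a practitioner would substitute the marker for whatever the vendor or the paper documents.

```python
"""Option ROM enumeration and marker search over a BIOS dump (added example)."""
import struct

AGENT_MARKER = b"AGENT_SIGNATURE_PLACEHOLDER"  # constructed placeholder, not a real signature


def find_option_roms(image, align=512):
    """Return a list of dicts (offset, size, vendor_id, device_id) for each Option ROM found."""
    roms = []
    off = 0
    while off + 4 <= len(image):
        # Legacy Option ROM header: 0x55 0xAA, then length in 512-byte blocks
        if image[off] == 0x55 and image[off + 1] == 0xAA and image[off + 2] != 0:
            size = image[off + 2] * 512
            body = image[off:off + size]
            rom = {"offset": off, "size": size, "vendor_id": None, "device_id": None}
            # Offset 0x18 holds a 16-bit pointer to the PCI Data Structure ("PCIR")
            pcir = struct.unpack_from("<H", body, 0x18)[0] if len(body) >= 0x1A else 0
            if pcir and body[pcir:pcir + 4] == b"PCIR":
                rom["vendor_id"], rom["device_id"] = struct.unpack_from("<HH", body, pcir + 4)
            roms.append(rom)
            off += size
        else:
            off += align
    return roms


def scan_for_marker(image, marker=AGENT_MARKER):
    """Offsets of the Option ROMs whose body contains `marker`."""
    hits = []
    for rom in find_option_roms(image):
        body = image[rom["offset"]:rom["offset"] + rom["size"]]
        if marker in body:
            hits.append(rom["offset"])
    return hits


def build_rom(blocks, vendor_id, device_id, payload):
    """Construct one Option ROM of `blocks` * 512 bytes with a PCIR structure and a payload."""
    rom = bytearray(blocks * 512)
    rom[0:3] = bytes([0x55, 0xAA, blocks])
    pcir_off = 0x40
    struct.pack_into("<H", rom, 0x18, pcir_off)
    rom[pcir_off:pcir_off + 4] = b"PCIR"
    struct.pack_into("<HH", rom, pcir_off + 4, vendor_id, device_id)
    rom[0x100:0x100 + len(payload)] = payload
    return bytes(rom)


def build_sample_image():
    """Constructed 1 MiB flash image: erased flash (0xFF), a benign ROM and a flagged ROM."""
    image = bytearray(b"\xff" * (1024 * 1024))
    benign = build_rom(4, 0x1234, 0x0001, b"Video BIOS placeholder")
    flagged = build_rom(8, 0x5678, 0x0002, b"boot hook " + AGENT_MARKER)
    image[0x10000:0x10000 + len(benign)] = benign
    image[0x80000:0x80000 + len(flagged)] = flagged
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for rom in find_option_roms(img):
        print(f"ROM at 0x{rom['offset']:06x} size={rom['size']} "
              f"vendor={rom['vendor_id']:#06x} device={rom['device_id']:#06x}")
    print("marker hits:", [hex(o) for o in scan_for_marker(img)])
```

With a real dump (for example the output of flashrom) the same enumeration gives an inventory of every Option ROM present, which is useful on its own for spotting a ROM whose vendor ID does not match any device in the machine.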
Demos
In the next three videos we have built demonstrations of the most salient consequences of our research. In the first video we show how anyone can activate the Computrace rootkit/service:
The second video shows how to use our “dumpComputrace.py” script to dump the Computrace code in the computer’s bios:
Finally, in the third we show how to activate the service and redirect it to a server of your choice:
More details are given in the actual paper.
Attachments
Computrace_Redirector.py – Python program to modify the obfuscated Windows registry key that stores the hostname used by the Computrace agent to report
Paper-Deactivate-the-Rootkit-AOrtega-ASacco.pdf – Whitepaper describing the findings and potential risk mitigation actions
Slides-Deactivate-the-Rootkit-ASacco-AOrtega.pdf – Slides of the BlackHat Briefings 2009 talk
Stream-Computrace-nm2.pcap – A packet capture showing the Computrace agent’s plaintext HTTP outbound connection to search.namequery.com
dumpComputrace.py – Python program to dump the BIOS firmware and search for a CompuTrace Option ROM
Scan pages for malware before visiting them
I found references to these sites on Twitter this morning, from a reputable source. Check them out.
Link Scanner
http://linkscanner.explabs.com/linkscanner/default.aspx
If you’d rather be safe than sorry, enter the URL of the site or web page you want to visit in the box below. Our free LinkScanner Online service will visit the URL in a controlled environment on our servers. Online Web Safety Scan will inspect it in real-time for whether it is hiding any exploit code and, if so, what exploit.
Use Web Safety Scan Online to inspect:
* Links forwarded by friends
* Web sites displayed on search results
* Any link with suspicious characters or web site you have never visited.
URL Analysis
http://finjan.com/Content.aspx?id=574
This tool inspects the returned content of the submitted URL only; subsequent URLs or additional content references will not be inspected.
Monitor your site for malware attacks
Have your site regularly checked against blacklists and scanned for malware.
iBotnet: Researchers find signs of zombie Macs
From http://blogs.zdnet.com/security/
April 16th, 2009
iBotnet: Researchers find signs of zombie Macs
Posted by Ryan Naraine @ 8:28 am
Malware hunters at Symantec have discovered a direct link between a malicious file embedded in pirated copies of Apple’s iWork 09 software and what appears to be the first Mac OS X botnet launching denial-of-service attacks.
Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine.
[ SEE: Mac OS X Malware found in pirated Apple iWork 09 ]
The variants have been found inside bogus copies of iWork ’09 and Adobe Photoshop CS4 which were shared on the popular p2p torrent network. The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages. Users who then downloaded and installed the applications from the torrent download would have been infected. It is estimated that thousands of people have downloaded the infected torrent files.
They describe this as the “first real attempt to create a Mac botnet” and note that the zombie Macs are already being used for nefarious purposes.
The researchers pointed to this blog entry that describes a PHP script, running as root, launching attacks against an unknown Web site.
The article goes into detail on the botnet’s peer-to-peer engine, startup and encryption capabilities and configuration file structure and concludes that the person who wrote the malware is not the same as the person who actually ‘used’ it.
“The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future,” the researchers added.