Author Archives: martin

VolatilityBot – Code release

After all this time and effort, I’m happy to share this project with the community!

Documentation and installation instructions are available here: https://bitbucket.org/martink90/volatilitybot_public/downloads/Documentation_Final.pdf

Source code is available here: https://bitbucket.org/martink90/volatilitybot_public

My VB2015 slides are available here: https://www.virusbtn.com/pdf/conference_slides/2015/Korman-VB2015.pdf

For any questions, feel free to reach me via twitter (@MartinKorman)

VolatilityBot – An automated malicious code dumper

Lately, I’ve often found myself manually unpacking different versions of the same malware in order to perform static analysis with IDA and BinDiff. Therefore, I’ve decided to write a small system that will automate the entire process – the VolatilityBot.

How does VolatilityBot work?

  1. It executes the malware on a VM.
  2. It waits for a pre-defined period of time.
  3. It suspends the VM.
  4. It compares the snapshot to a golden image of the VM, finds new processes, injected code, loaded DLLs or Kernel Modules, dumps them from the memory and fixes the PE file in order to make static analysis easier.

All metadata is saved to a SQLite DB. Dumps are saved to a configured storage. All PE files  pass a short static analysis and reports are stored on Storage as well. VolatilityBot can theoretically manage an unlimited quantity of virtual machines, depending on the performance of your PC. Currently there is no UI, but the SQLite DB can be accessed by a GUI tool, like sqlitebrowser on Mac OS or sqliteman on Linux. In future versions there’ll be a small web UI in which you could submit new samples and read reports of existing ones.

In order to avoid VM detection, a few tricks were used:

  • Registry keys cleanup (all VMware stuff I don’t think there is a need to describe, as there’s a lot of information on the internet regarding this issue).
  • A macro that moves the mouse and executes the malware.
  • Of course, no VMware tools on the machine.

Here’s a short demo of two virtual machines processing three samples:

The source code and configuration instructions will be posted next week.

 

 

CyberTech 2014: My Experience

CCENIMAG0314

It has been a great experience  participating in CyberTech 2014 Conference in Tel-Aviv. I did not attend most of the speeches, Because I preferred to look at the booths. Some of them were really interesting.

 

 

 

 

IMG-20140129-WA0004Booths Review:

  • RSA had  a nice booth, in which you had to cross an obstacle course with a RC car. The obstacles were protection mechanisms, and you had to pass them in the fastest time, with your RC car. The participant with the fastest time, won a PS4. IMG-20140127-WA0004 IMAG0315
  • The IBM booth was interesting as well, A friend of mine and me got a nice (and extensive) live demonstration of IBM`s QRadar SIEM. Their SIEM looks pretty good, and has nice features like auto discovery of your network assets using netflow or Qflow, And automatic risk assessment in correlation with your vulnerability scanner and FW/IPS policies.
  • Seculert, that recently revealed an attack on Israeli organizations handed out a “APT Protection for Dummies” handbook. The handbook explains shortly about APTs, Common defense mechanisms and of course, how Seculert`s APT Protection architecture can stop them.
  • 2IMAG0335Another interesting booth was of a new Israeli startup named Cybertinel. The CEO showed us a small presentation, and showed as the capabilities of the startup. Cybertinel deploys agents on endpoints and gathers from them information.  Then it analyzes the data in depth using a  combination of analysis modules –static code, behavior, dynamic and statistical. The startup is still new,  but looks very promising.
  • Last but not least, I have participated in Symantec`s Cyber Readiness Challenge. Symantec`s CRC is a capture the flag competition, where each contestant brings his own laptop with tools and connects via a VPN to a network where you have to enumerate servers, find vulnerabilities and attack. (Approximately 50 People participated.) Each flag is a different type of question that requires  a different skill, like the ability to perform DNS enumeration, execute exploits or crack passwords. I was in the lead for the first two and a half hours, then I finished somewhere in the top 10. (They removed the scoreboard in the last half hour on purpose) Because I had the lead for 2 and a half hours, I have received a little prize:

IMAG0319

IMAG0320

A solid gold disk on key, and USB hub! (Not real gold, but it looks really cool, and the “Bank of Memory” joke is pretty funny.)

IMG-20140129-WA0002 DSC_0197

I have enjoyed the conference really much, and I will be more than happy to come next year. Especially if Symantec`s CRC will be held again.

Wisdom of the crowds: Detecting anomalous behavior based on mass memory analysis

Anomaly detection is a huge deal these days, there are some tools in the market that seem to perform the task, but they are pricey, complicated and too much for a non-enterprise organization.  I have written  a little script that takes a memory dump, Gives it a unique UUID and inserts to a MySQL database the output of the following volatility commands: psscan,sockets,connections and svcscan. That output can be queried in pretty interesting ways, and as you get more memory dumps, the statistics get more interesting, and it will be easier to find out anomalies.

For example, Here is a query that gets me the statistics about open sockets.

sockets

We can see that out of all the computers, we have 5 sockets open to the IP 172.16.112.128, which in this case was just a private IP address.

Another nice query, links sockets and process names, grouped together.

SocketsAndProcs

Here is a list of processes in the 12 computers, from the most common to the uncommon. pslist

 

After I have found that suspect process named aelas.exe, I went on and looked if it has any open sockets…

aelas_exe

This one is pretty interesting, and is a list of services binary paths. You can easily see a few suspect services here 🙂

ServicesByBinPath

 

A list of common sockets, and uncommon ones:

CommonSockets

I`m still working on this project, and trying to implement more complex commands, like apihooks,malfind and the like. Another feature I am working on right now, is that as part of the processing the script will dump all the processes and compare them with  additional process dumps from the database in order to white list the similar, and highlight the anomalies. The comparison algorithm will be based on different tools, like pehash,ssdeep, import hashing etc.

I made this test on 12 Memory dumps of different Windows XP Service Pack 2 machines, some infected with malware and some clean. As I collect more memory dumps, I keep adding them to the database and Improving the results. I will update as I progress with the development. When the project will be ripe I will be happy to open a git repository to share it.

What`s new in Cuckoo Sanbox 1.0

After almost four years of development, Version 1.0 was finally released. This release has serious improvements that make cuckoo box a fully fledged sandbox platform.  In the main screen we can already see some newly added features, like the ability to control on which machine the analysis will be performed (Letting you have Virtual Machines of different Windows versions, for example XP and 7 32/64-bit), and whether you want to capture memory or not (which will make the processing time longer). Also Cuckoo has now the ability to process RTF,VBS and CPL files, and the performance boost has made a really great difference.MainScreen

 

 

The wait queue is also pretty nice and has pagination to display practically unlimited rows of links to reports.

WaitQueue

 

On the static part of the analysis, resources are now shown too, and the virus total results are displayed in a more comfortable way, with a permalink to the scan results

Res

 

VirusTotal

There are new options to download the report in HTML format and to download the network capture in PCAP format (which is now is filtered, and does not show private network traffic).

But the main new feature is the integration of the amazing volatility framework (Which deserves a whole post by itself. There will be one soon, I promise). The virtual machine is paused to achieve a memory dump, on which volatility commands are executed. Exactly like the private networks are filtered in the PCAP capture, Hooks and processes related to cuckoo itself can be filtered too. (Requires messing a bit with the configuration files)

VolatilityMain VolaPSLIST VolaDlllist VOLApsxview

 

Version 1.0 of Cuckoo is a really great improvement, and i recommend the upgrade of your personal Malware analysis environments to this version.

 

Caught on the honeypot

A while ago, I have found a new malware in my honeypot, that virus total failed to recognize. I have resubmitted it a couple of hours ago,  and found out that the big AV companies still do not recognize the malware – 15 / 46 detection rate.

UPload-AttFromHoneypot

While analyzing the PE header for anomalies, I have found that the .data section has Read, Write and Execute permissions, which hints that the malware modifies it`s code during execution.

RWX_DataSection

This piece of malware has a lot of interesting strings. I prefer to look for strings using IDA because it makes it easier to find what each string has to do with the Malware:

The first thing I have found is a long list of common passwords. Arround 110 passwords like super,temp123,test123,secret,qwerty,password, etc…

PasswordStringsThe next one is Software\Microsoft\Windows\CurrentVersion\Run – The famous way of malware to achieve persistence. While looking for a reference to the string, I have found another string from the list: PHIME2008 which is the name of the value created in that key. The malware author did not bother itself, and the data (The name of the file to execute in startup) is the path from which the file was executed, appedend with the parameter /sync

REGwithParamI Have also found an IP Address, and a couple of strings that look like URLs. The IP Address had two cross-references:

IP-XrefsThe first one (sub_401C40) seemed to send some information to the destination IP. (Language, country, computer name and username)

senddata2This function has a lot of arguments, therefor the easiest way to understand what this Malware is trying to send, is using ApateDNS and netcat, and capturing the traffic. 

The malware tried to download a file from the path:  /updata/ACCl3.jpg in the IP I have found before. But that server does not exist anymore.  iNetSim does not  disappoint, and hands the Malware a jpg file just like it wanted.

DownloadingTheJpgIDA GettingTheJpgThat JPG the malware tried to download, apparently is not a JPG (The server is down, so we can only assume). The JPG is downloaded in the function sub_401EB0. The function tries to check if the file named msupd.exe at the system directory exists, and if it does not, it tries to download it. Now we can say for sure that this is not a JPG. The malware downloaded the supossed picture file from the internet, and placed it in system32:

fakemsupdexe

fakemsupdprobe

The fact that it saved it as with exe extension, proves the Malware intended to download an executable.

The next string I have noticed is GET /updata/TPDA.jpg. After looking for cross references in IDA, I have found some parameters appended to the HTTP request before it is sent. Again using iNetSim, I have managed to get easily which data is sent over the network.

senddata

URLParam

 

TheDataSent

The malware sends to its control server the time-stamp, country, internal IP, computer name and username.

Next post will cover the interesting network behavior of this malware (hint: password guessing) by using a higher interaction honeypot than iNetSim.

Enriching your Malware analysis reports with Open Source Intelligence (OSINT)

Often, while analyzing a malware sample, I open Google and start searching for the hash or for some other Indications in the malware sample like Mutexes, User agents, Registry keys, Filenames, URLs and  IP Addresses. Searching for all those indications in Google and other search engines is too cumbersome. A couple of days ago I came across Malformity. Malformity is a collection of Maltego transforms to assist with malware and malicious infrastructure research. Malformity queries data from many sources (Ex. VirusTotal, Bit9, ThreatExpert…) in order to perform Maltego transforms. To get started with Malformity, you create with Maltego entities from the data you already have:

entities

 

Then you can run transforms:

Screenshot from 2013-12-14 17:34:47

 

Using those transforms It is possible to get useful information about the malware you are analyzing. For example in the example below I took a malware and found out URLs related with it, and even a Mutex (The one on the left).

Screenshot from 2013-12-14 21:59:36

 

In the next example, I created a URL entity out of a URL address from which the malware sample downloaded a DAT file. I found information about the website (Infrastructure information) and also some information from known security companies.

Screenshot from 2013-12-15 21:47:59222

 

In the example below, I took the same hash and found different virus signatures, and alternative names for the same malware:

Screenshot from 2013-12-15 21:50:51

 

Maltego and Malformity are nice tools to have when researching for malware indicators and malicious infrastructure, and can be really helpful at times. It is important to note that those searches are not silent, and doing those transforms can expose and reveal that the malware has been discovered and is under investigation.

Some additional honorable mentions of tool that can help and ease the research:

Anatomy of a traffic generating trojan

This is a trojan with interesting behavior, That I came across during the third part of November. I have decided to analyze this malware (chosen from the pile of thousands i have for days of boredom…) because its behavior seemed very interesting when executing it in the sandbox. Aside from achieving persistence and making a DNS query for smtp.live.com, It did not do much. I suspected it had something to hide…

About The Analysis Process: 

After the first execution in my custom sandbox, as I have noticed nothing too exciting happened and the execution timed out after the max value set by the sandbox, I started suspecting this malware has awfully long sleep timers in its code.

I have started the static analysis phase, but noticed this malware has a small amount of imports, and a strange procedure with lots of lodsb assembly commands. That procedure was a Custom Packer, which was not identified by PEid.

The imports before unpacking:

croppedimports

For easy unpacking, I executed the malware until the return of what seemed to be the unpack procedure:

croppedunpackproc

Setting the breakpoint:

croppedbreakpoint

Right after the breakpoint, I did a took a memory memory dump to easily dump the processes from memory. Those are the imports after the unpack procedure returned:

croppedexports

While analyzing the dump I have noticed that this executable launches three svchost.exe processes. Each one of those svchost processes main purpose is traffic generation, but each one has an extra purpose. (Ex. Mutex creation, Persistence, Downloading the DAT files)

croppedpstree

A short static analysis of one of the svchost processes proved me right about the sleep timers:

croppedlongsleep

Sleep2This malware does not have to be executed from an administrator account, we can see that because it achieves its persistence by adding itself to:

HKU\software\microsoft\windows\current version\run 

with the executable pofpopitegra.exe as the value,  which is dropped at c:\document and settings\%username%\pofpopitegra.exe

Network behavior:

This malware generates a pretty big amount of web traffic, to sites it probably gets from this DAT file downloaded over the network, and from some html files with encoded comments. No evidence was found inside any of the svchost files or the malware executable itself for URL or IP addresses of any kind, except for the URL from which the DAT file is downloaded from.

unkwondatclippedcontent

DATlocation

The encoded comments:

croppedURLencoded

croppedsmtthttptrffic

The malware generated some SMTP traffic as well. The next part of the analysis, I will dive deeper into the traffic generated by this malware sample, and try to reverse engineer the encryption of the DAT file.

Network forensics methodology

Introduction

Network forensics is the process of analyzing your network traffic in order to find out vulnerabilities and attempts to exploit them in you network. Before you start performing network forensics, there are a few skills you must have in your bag:

  • Knowledge about network protocol on all layers, and their vulnerabilities or problem that they may introduce when configuring them incorrectly.
  • Malware analysis is going to be required when getting to the payload analysis step.

Another thing you must do, is prepare a network pre-analysis report that will contain the following information:

  • Protocols used on the network – This information will be used to find problematic protocols that might be used in the network (FTP,SNMPv1/2, etc.) and to find protocols that are used in the network illegitimately.
  • The type of content type traveling in the network. For example a network that is used for VOIP should not have user transferring documents across it.
  • Network “Service Providers” – The main services in the network and the servers that provide them. For example the IP addresses of the DNS servers and the DHCP server. This information will be used  to find out computers impersonating to service providers in the network, for example a rogue DHCP server, used as part of a DHCP starvation attack. The services you are looking for, are usually DHCP,LDAP,SMB,NFS,NTP,HTTP and DNS.
  • Network architecture – The structure of the network is important for the decision from where i want to capture the network traffic.

First step: Capturing the traffic

The most common way is connecting a laptop to a mirror port on the switch you want to capture traffic from, and firing up tcpdump or wireshark.

Warning: The network capture (not surprisingly) captures all traffic, and while investigating the network capture you might be exposed to private information (Personal mails, media files, pages opened by the user, credentials, etc.) It is very important to minimum the quantity of people possible will be part of the team inspecting the network capture.

The investigation process is divided into 4 parts:

  1. Frequency analysis – Inspect the reoccurence of incidents over time. Packet peaks, session peaks and massive file transfers reoccuring at fixed or non-fixed intervals. (Fixed interval peaks are not necesarily suspicious, they might be part of a IT process like backups.)
  2. Statistical and quantitive analysis – It`s all about looking for one to many, and many to one relations. One to many might be an indication for someone scanning the network, looking for lateral movement while many to one, might indicate that your network has computer infected with some kind of malware. Do not hurry and conclude that. Check that the destination is not a legitimate service provider of the network (DNS,DHCP,etc. ).
  3. Protocol analysis – Analyze the network traffic in order to find protocols that do not match the network architecture, or protocols that match but expose some kind of weakness. Like using SNMPv2. The indications you will look for are mostly sources/destinations that should not be using certain protocol, for example DHCP offers not sent by the network`s DHCP inftrastructure. Another example might be FTP traffic not heading the organization`s FTP servers, but a server on the internet instead.
  4. Payload analysis – The most complicated (and interesting) analysis type one can get into. This analysis type is about examining the content of the packets  we found suspicious on previous analysis types and examining them in an malware analysis environment in order to find out the nature of the payload (Destructive/Disruptive/non-destructive). The most common way to find suspicious traffic is looking for file/data types that should not exist in the network (IRC,XML,Binaries), inspecting their source and destination and deciding wether or not they are legitimate. The payload then should be analyzed using malware analysis methods. Since payload analysis is the most complicated analysis method to explain, I will give a few examples
  • An excel document with an embedded executable was found, we took it and ran it in a sandboxed environment to find out what that executable did.
  • A shellcode that was part of an exploitation attempt was found in traffic from the Internet to a server in the organization. That capture was replayed using tcpreplay and replayed against a similarly configured server in the lab environment.

 

I recommend working in the order stated above, because that way you can find suspicious traffic, flag it and then dive inside the packets the deepest a malware analyst can get.

How to get interesting malware samples

As an independent malware researcher, sometimes it is not easy at all getting new malware samples. I want to show you a a few methods that can get you some really interesting samples, tough they require some investment (time & money).

  • Honeypots – I invested some dollars (and a couple of hours) and configured Dionaea on a VPS. I have installed also DioaneaFR (Web front-end for Dionaea) on another server, and the bistreams,samples and additional data are copied to the server where the front-end is hosted every 10 minutes. The samples from the honeypot are automatically submitted to some online sandboxes and virus scanners, and If you are interested it can even forward them to your own sandbox.

connections

 

main

 

If you are an independent researcher, and you are interested in access to my honeypot data, Let me know in the comments of this post, and I will contact you.

 

  • MWcrawler

mwcrawler is a simple python script that parses malicious url lists from well known websites (i.e. MDL, Malc0de) in order to automatically download the malicious code. It can be used to populate malware repositories or zoos.

MWcrawler is really useful, the problem is that because of the nature of those malicious sites, (Might be up, then down 2 hours later…) You may get some samples or not. It does not hurt to have this script on your crontab 😉

  • Recommended Websites – There are some websites where you can get some interesting malware samples, although not unique. contagio is a good source for network captures,PDFs and other types of malicious files. The virus exchange forum on malwaretips offers “Malware Packs”.