Lately, I’ve often found myself manually unpacking different versions of the same malware in order to perform static analysis with IDA and BinDiff. Therefore, I’ve decided to write a small system that will automate the entire process – the VolatilityBot.
How does VolatilityBot work?
It executes the malware on a VM.
It waits for a pre-defined period of time.
It suspends the VM.
It compares the snapshot to a golden image of the VM, finds new processes, injected code, loaded DLLs or kernel modules, dumps them from memory and fixes the PE file in order to make static analysis easier.
All metadata is saved to a SQLite DB. Dumps are saved to a configured storage location. All PE files pass a short static analysis, and the reports are stored on the same storage as well. VolatilityBot can theoretically manage an unlimited number of virtual machines, depending on the performance of your PC. Currently there is no UI, but the SQLite DB can be accessed with a GUI tool, like sqlitebrowser on Mac OS or sqliteman on Linux. In future versions there'll be a small web UI in which you can submit new samples and read reports of existing ones.
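The core of the pipeline described above is the diff between the golden image and the post-execution snapshot, followed by writing what changed into SQLite. The following is an added illustration, not VolatilityBot's own code: the process lists, per-process DLL lists and kernel module lists are constructed stand-ins for the output of Volatility's pslist, dlllist and modules plugins, the schema is my own, and injected-code detection (which needs VAD inspection) is left out. Processes are keyed by (PID, image name) because the VM always resumes from the same golden snapshot, so PIDs of pre-existing processes are stable.

```python
import sqlite3
from typing import Dict, FrozenSet, List, Tuple

ProcKey = Tuple[int, str]  # (pid, image name)

# Constructed golden image: the VM state before the sample runs.
GOLDEN = {
    "processes": {
        (4, "System"): frozenset(),
        (512, "csrss.exe"): frozenset({"ntdll.dll", "csrsrv.dll"}),
        (1200, "explorer.exe"): frozenset({"ntdll.dll", "kernel32.dll", "shell32.dll"}),
    },
    "modules": frozenset({"ntoskrnl.exe", "hal.dll", "ndis.sys"}),
}

# Constructed snapshot after the sample ran: one new process, one DLL newly
# loaded into explorer.exe, one new kernel module.
SNAPSHOT = {
    "processes": {
        (4, "System"): frozenset(),
        (512, "csrss.exe"): frozenset({"ntdll.dll", "csrsrv.dll"}),
        (1200, "explorer.exe"): frozenset({"ntdll.dll", "kernel32.dll", "shell32.dll", "wininet.dll"}),
        (2044, "sample.exe"): frozenset({"ntdll.dll", "kernel32.dll"}),
    },
    "modules": frozenset({"ntoskrnl.exe", "hal.dll", "ndis.sys", "rootk.sys"}),
}


def diff_images(golden: dict, snapshot: dict) -> dict:
    """Return what appeared in the snapshot that was absent from the golden image."""
    g_procs: Dict[ProcKey, FrozenSet[str]] = golden["processes"]
    s_procs: Dict[ProcKey, FrozenSet[str]] = snapshot["processes"]

    # Processes whose (pid, name) is unknown to the golden image are new.
    new_processes: List[ProcKey] = sorted(k for k in s_procs if k not in g_procs)

    # For processes that already existed, report DLLs that were not loaded before.
    new_dlls: Dict[ProcKey, List[str]] = {}
    for key, dlls in s_procs.items():
        if key in g_procs:
            added = dlls - g_procs[key]
            if added:
                new_dlls[key] = sorted(added)

    new_modules = sorted(snapshot["modules"] - golden["modules"])
    return {"new_processes": new_processes, "new_dlls": new_dlls, "new_modules": new_modules}


def store_findings(conn: sqlite3.Connection, sample_id: str, findings: dict) -> int:
    """Persist the diff as one row per artifact; returns the number of rows written."""
    conn.execute(
        """CREATE TABLE IF NOT EXISTS findings (
               sample   TEXT    NOT NULL,
               kind     TEXT    NOT NULL,   -- process | dll | kernel_module
               pid      INTEGER,            -- NULL for kernel modules
               process  TEXT,               -- owning process image name, NULL for kernel modules
               artifact TEXT    NOT NULL)"""
    )
    rows = []
    for pid, name in findings["new_processes"]:
        rows.append((sample_id, "process", pid, name, name))
    for (pid, name), dlls in findings["new_dlls"].items():
        rows.extend((sample_id, "dll", pid, name, dll) for dll in dlls)
    for module in findings["new_modules"]:
        rows.append((sample_id, "kernel_module", None, None, module))
    with conn:  # commit on success, roll back on error
        conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?)", rows)
    return len(rows)


def run_example() -> dict:
    """Diff the constructed images, store the result in an in-memory DB, summarize it."""
    findings = diff_images(GOLDEN, SNAPSHOT)
    conn = sqlite3.connect(":memory:")
    written = store_findings(conn, "sample-001", findings)  # constructed sample id
    by_kind = dict(conn.execute("SELECT kind, COUNT(*) FROM findings GROUP BY kind ORDER BY kind"))
    return {"findings": findings, "rows_written": written, "by_kind": by_kind}


if __name__ == "__main__":
    for kind, count in run_example()["by_kind"].items():
        print(f"{kind}: {count}")
```

On a real system the two images would come from Volatility run against the suspended VM's memory file, and the `artifact` column would be joined to the dump path and static-analysis report stored alongside it.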
In order to avoid VM detection, a few tricks were used:
Registry key cleanup (all the VMware artifacts; I don't think there is a need to describe them, as there's a lot of information on the internet regarding this issue).
A macro that moves the mouse and executes the malware.
Of course, no VMware tools on the machine.
Here’s a short demo of two virtual machines processing three samples:
The source code and configuration instructions will be posted next week.
It has been a great experience participating in the CyberTech 2014 Conference in Tel-Aviv. I did not attend most of the speeches, because I preferred to look at the booths. Some of them were really interesting.
RSA had a nice booth, in which you had to cross an obstacle course with an RC car. The obstacles were protection mechanisms, and you had to pass them in the fastest time with your RC car. The participant with the fastest time won a PS4.
The IBM booth was interesting as well; a friend of mine and I got a nice (and extensive) live demonstration of IBM's QRadar SIEM. Their SIEM looks pretty good, and has nice features like auto-discovery of your network assets using NetFlow or QFlow, and automatic risk assessment in correlation with your vulnerability scanner and FW/IPS policies.
Seculert, which recently revealed an attack on Israeli organizations, handed out an "APT Protection for Dummies" handbook. The handbook gives a short explanation of APTs, common defense mechanisms and, of course, how Seculert's APT Protection architecture can stop them.
Another interesting booth was that of a new Israeli startup named Cybertinel. The CEO gave us a small presentation and showed us the capabilities of the startup. Cybertinel deploys agents on endpoints and gathers information from them. Then it analyzes the data in depth using a combination of analysis modules: static code, behavior, dynamic and statistical. The startup is still new, but looks very promising.
Last but not least, I participated in Symantec's Cyber Readiness Challenge. Symantec's CRC is a capture-the-flag competition, where each contestant brings his own laptop with tools and connects via a VPN to a network where you have to enumerate servers, find vulnerabilities and attack. (Approximately 50 people participated.) Each flag is a different type of question that requires a different skill, like the ability to perform DNS enumeration, execute exploits or crack passwords. I was in the lead for the first two and a half hours, and then I finished somewhere in the top 10. (They removed the scoreboard in the last half hour on purpose.) Because I had the lead for two and a half hours, I received a little prize:
A solid gold disk-on-key and USB hub! (Not real gold, but it looks really cool, and the "Bank of Memory" joke is pretty funny.)
I enjoyed the conference very much, and I will be more than happy to come next year, especially if Symantec's CRC is held again.