Monthly Archives: January 2014

Wisdom of the crowds: Detecting anomalous behavior based on mass memory analysis

Anomaly detection is a huge deal these days. There are some tools on the market that seem to perform the task, but they are pricey, complicated and too much for a non-enterprise organization. I have written a little script that takes a memory dump, gives it a unique UUID and inserts the output of the following Volatility commands into a MySQL database: psscan, sockets, connections and svcscan. That output can be queried in pretty interesting ways, and as you get more memory dumps the statistics get more interesting and it becomes easier to find anomalies.

For example, here is a query that gets me the statistics about open sockets.

sockets

We can see that out of all the computers, we have 5 sockets open to the IP 172.16.112.128, which in this case was just a private IP address.

Another nice query links sockets and process names, grouped together.

SocketsAndProcs

Here is a list of processes in the 12 computers, from the most common to the uncommon.

pslist

After I found the suspect process named aelas.exe, I went on to check whether it had any open sockets…

aelas_exe

This one is pretty interesting: a list of service binary paths. You can easily see a few suspect services here 🙂

ServicesByBinPath

A list of common sockets, and uncommon ones:

CommonSockets
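The frequency queries described above can be sketched as follows. This is an added example, not the author's script: it uses an in-memory SQLite database in place of MySQL, and the table names, column names and sample rows (including the 203.0.113.10 address) are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (dump_id, pid, name), shaped like parsed psscan output.
PROCS = [(f"dump-{i:02d}", 600 + i, "svchost.exe") for i in range(12)]
PROCS += [(f"dump-{i:02d}", 1500 + i, "explorer.exe") for i in range(11)]
PROCS += [("dump-07", 1984, "aelas.exe")]
# Constructed sample rows: (dump_id, pid, local_port, remote_addr).
CONNS = [(f"dump-{i:02d}", 600 + i, 1030, "172.16.112.128") for i in range(5)]
CONNS += [("dump-07", 1984, 1044, "203.0.113.10")]


def load(procs, conns):
    """Create the (hypothetical) schema and load one row per plugin result."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE psscan (dump_id TEXT, pid INT, name TEXT)")
    db.execute("CREATE TABLE connections "
               "(dump_id TEXT, pid INT, local_port INT, remote_addr TEXT)")
    db.executemany("INSERT INTO psscan VALUES (?, ?, ?)", procs)
    db.executemany("INSERT INTO connections VALUES (?, ?, ?, ?)", conns)
    return db


def rare_processes(db, max_share=0.1):
    """Process names present in at most max_share of the dumps, rarest first."""
    total = db.execute("SELECT COUNT(DISTINCT dump_id) FROM psscan").fetchone()[0]
    return db.execute(
        "SELECT name, COUNT(DISTINCT dump_id) FROM psscan GROUP BY name "
        "HAVING COUNT(DISTINCT dump_id) <= ? ORDER BY 2, name",
        (total * max_share,)).fetchall()


def remote_counts(db):
    """How many connections point at each remote address, most common first."""
    return db.execute(
        "SELECT remote_addr, COUNT(*) FROM connections "
        "GROUP BY remote_addr ORDER BY 2 DESC, remote_addr").fetchall()


def sockets_for(db, name):
    """Connections owned by a named process, joined on dump and PID."""
    return db.execute(
        "SELECT p.dump_id, c.remote_addr, c.local_port FROM psscan p "
        "JOIN connections c ON c.dump_id = p.dump_id AND c.pid = p.pid "
        "WHERE p.name = ? ORDER BY p.dump_id", (name,)).fetchall()


if __name__ == "__main__":
    db = load(PROCS, CONNS)
    print(rare_processes(db), remote_counts(db), sockets_for(db, "aelas.exe"))
```

Counting distinct dumps rather than rows keeps a machine that runs many copies of one process from making that process look common.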

I'm still working on this project and trying to implement more complex commands, like apihooks, malfind and the like. Another feature I am working on right now is that, as part of the processing, the script will dump all the processes and compare them with additional process dumps from the database in order to whitelist the similar ones and highlight the anomalies. The comparison algorithm will be based on different tools, like pehash, ssdeep, import hashing, etc.

I made this test on 12 memory dumps of different Windows XP Service Pack 2 machines, some infected with malware and some clean. As I collect more memory dumps, I keep adding them to the database and improving the results. I will update as I progress with the development. When the project is ripe I will be happy to open a git repository to share it.

What's new in Cuckoo Sandbox 1.0

After almost four years of development, version 1.0 was finally released. This release has serious improvements that make Cuckoo a fully fledged sandbox platform. On the main screen we can already see some newly added features, like the ability to control on which machine the analysis will be performed (letting you have virtual machines of different Windows versions, for example XP and 7 32/64-bit), and whether you want to capture memory or not (which will make the processing time longer). Cuckoo also now has the ability to process RTF, VBS and CPL files, and the performance boost has made a really great difference.

MainScreen

The wait queue is also pretty nice and has pagination to display practically unlimited rows of links to reports.

WaitQueue

On the static part of the analysis, resources are now shown too, and the VirusTotal results are displayed in a more comfortable way, with a permalink to the scan results.

Res

VirusTotal

There are new options to download the report in HTML format and to download the network capture in PCAP format (which is now filtered, and does not show private network traffic).

But the main new feature is the integration of the amazing Volatility framework (which deserves a whole post by itself; there will be one soon, I promise). The virtual machine is paused to acquire a memory dump, on which Volatility commands are executed. Just as private network traffic is filtered from the PCAP capture, hooks and processes related to Cuckoo itself can be filtered too (this requires messing a bit with the configuration files).

VolatilityMain VolaPSLIST VolaDlllist VOLApsxview

Version 1.0 of Cuckoo is a really great improvement, and I recommend upgrading your personal malware analysis environments to this version.

Caught on the honeypot

A while ago, I found a new malware in my honeypot that VirusTotal failed to recognize. I resubmitted it a couple of hours ago and found out that the big AV companies still do not recognize the malware – 15 / 46 detection rate.

UPload-AttFromHoneypot

While analyzing the PE header for anomalies, I found that the .data section has Read, Write and Execute permissions, which hints that the malware modifies its code during execution.

RWX_DataSection
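The section-permission check described above can be automated during triage. This is an added example, not code from the original post: the parser reads the section table straight from the PE headers, and the header-only sample image and its section flags are constructed for illustration.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = MEM_EXECUTE | MEM_READ | MEM_WRITE


def rwx_sections(image):
    """Return the names of sections flagged readable, writable and executable."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    hits = []
    for i in range(n_sections):
        off = table + 40 * i  # each section header is 40 bytes
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, off + 36)
        if flags & RWX == RWX:
            hits.append(name)
    return hits


def build_sample(sections):
    """Constructed, header-only PE image for the demo (not a loadable file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", flags)
                     for name, flags in sections)
    return dos + b"PE\0\0" + coff + table


# Constructed sample: .data carries R+W+X, as in the sample the post describes.
SAMPLE = build_sample([(b".text", 0x60000020), (b".rdata", 0x40000040),
                       (b".data", 0xE0000040)])

if __name__ == "__main__":
    print(rwx_sections(SAMPLE))
```

A hit is a triage signal rather than a verdict, since packers and some legitimate self-modifying programs also ship writable, executable sections.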

This piece of malware has a lot of interesting strings. I prefer to look for strings using IDA because it makes it easier to find what each string has to do with the Malware:

The first thing I found is a long list of common passwords. Around 110 passwords like super, temp123, test123, secret, qwerty, password, etc…

PasswordStrings

The next one is Software\Microsoft\Windows\CurrentVersion\Run – the famous way for malware to achieve persistence. While looking for a reference to the string, I found another string from the list: PHIME2008, which is the name of the value created in that key. The malware author did not bother much, and the data (the name of the file to execute at startup) is the path from which the file was executed, appended with the parameter /sync.

REGwithParam

I have also found an IP address, and a couple of strings that look like URLs. The IP address had two cross-references:

IP-Xrefs

The first one (sub_401C40) seemed to send some information to the destination IP (language, country, computer name and username).

senddata2

This function has a lot of arguments, therefore the easiest way to understand what this malware is trying to send is to use ApateDNS and netcat and capture the traffic.

The malware tried to download a file from the path /updata/ACCl3.jpg on the IP I had found before, but that server does not exist anymore. iNetSim does not disappoint, and hands the malware a jpg file just like it wanted.

DownloadingTheJpgIDA GettingTheJpg

That JPG the malware tried to download apparently is not a JPG (the server is down, so we can only assume). The JPG is downloaded in the function sub_401EB0. The function checks whether a file named msupd.exe exists in the system directory and, if it does not, tries to download it. Now we can say for sure that this is not a JPG. The malware downloaded the supposed picture file from the internet and placed it in system32:

fakemsupdexe

fakemsupdprobe

The fact that it saved it with an exe extension proves the malware intended to download an executable.

The next string I noticed is GET /updata/TPDA.jpg. After looking for cross-references in IDA, I found some parameters appended to the HTTP request before it is sent. Again using iNetSim, I easily managed to see which data is sent over the network.

senddata

URLParam

TheDataSent

The malware sends to its control server the time-stamp, country, internal IP, computer name and username.

Next post will cover the interesting network behavior of this malware (hint: password guessing) by using a higher interaction honeypot than iNetSim.