Dynamic Analysis Part 2.2


Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9
Video Description

This module explores further into basic malware dynamic analysis. We'll be demonstrating this using a malware sample called IllusionBot that has been downloaded from GitHub. A useful tip for Linux virtual machines, particularly Kali, is to change the display settings if the VMware Tools don't automatically resize the interface. You'll learn about the various tools that are used for dynamic analysis, such as CaptureBAT, INetSim, netstat -untap and the service_bind_address setting. We'll begin with the identification of certain network indicators. We'll also discuss other tools like Process Explorer, which is like a powerful task manager and is similar to Process Hacker. Process Explorer allows us to watch processes very closely. You'll also learn about Autoruns and the different file types it has.

Video Transcription
>> Today, our demo will be working with the IllusionBot, and you can download it from this URL from the same GitHub that we got the dire sample from. We're going to take our Windows VM that we made previously and reset it. You can reset your Linux VM as well. A common trick for a Linux VM, particularly Kali, is to change the settings for the display if the VMware Tools don't automatically resize the interface. That's much better. Let me confirm our IP address. On this one we have 10.0.0.1, which should be on the same little network as our Windows box. It's 10.0.0.2. They should be able to ping each other, and just to make sure before I begin infecting things, I always like to double-check my network to make sure it's not going out to the Internet; it's not set to an option like this. It is indeed on our own custom VNet. I'll select to run Wireshark on my Linux routing machine.

Since we are going to start running services here that catch and analyze network traffic and other things, I should warn you that it is very dumb to do it as root like I'm doing right now. Don't do that. But I'm going to do it anyway. Because if a program like Wireshark gets compromised, which is completely possible because it has lots and lots of different plugin modules for protocols contributed by lots of people and they haven't fully been vetted, it can be a very bad thing. We're going to just look at what IP address the different interfaces have in Wireshark, and we are going to watch the 10.0.0.1 interface because that is where the traffic from the infected machine will be going. There's no traffic right now, and we're going to just do a full ping on 10.0.0.1. We are getting something back. Pop over here. We see these echo ping requests and then we have these ARP requests. Completely normal traffic.

This time we're going to be working with the IllusionBot downloaded from the same place as the dire example we were working with. The industry-standard password is "infected". Antivirus companies usually know better than to try to open zip files with that password. We're going to simply do some dynamic analysis on this malware. We're going to, as I typically do, start the capture and start the binary. Then watch the traffic. We see that this IP address is trying to reach out to this Internet IP address and is trying to go over a port. Its origin port is not a big deal, but its destination port is 6667. What we want is for the malware to act normally, to think it's in a safe environment. What we're going to use is a few tools, particularly a tool called INetSim. INetSim is a tool that basically emulates many different services listening on standard default ports. "inetsim" is all we need to type in. It starts listening on all these ports. It'll tell you the process IDs. It'll tell you where it's storing the logs, where it's getting its data from, and where it's producing its report. Here, in particular, we want to see where the config file is coming from. I can highlight this in the terminal and do Control Shift C to copy within the terminal, and I'm going to kill these processes by hitting Control C.

The simulation has stopped; nothing is listening on those ports anymore. We can verify this by doing netstat; "netstat -untap" is what I usually go with. You can look up for yourself what the options are, and we can see the DHCP client is running on those ports, which are standard DHCP client ports. I'm going to use "vim", space, Control Shift V to paste what I copied before, which is the INetSim config file. Vim is Vi Improved. It's my default text editor, command-line text editor. There are friendlier ones like Nano, but I like Vim. The first thing we're going to do when we're editing our config file is I want to do a slash and then 10.0.0.1, or "10." is fine. It's basically searching the document for "10.". Here, the first line is where we see a service_bind_address parameter. We're going to uncomment this line, which means to start paying attention to it, which tells INetSim that it should start paying attention to this parameter that we're giving it and serve whatever default it has. I'm going to change the address that it should bind to 10.0.0.1. The reason is, if we were to pull up another terminal and do an ifconfig to see our IP address, we'll have one interface behind the NAT. It goes out to the Internet and it has this IP address, and then our other interface has this IP address. By default, it would probably go with zero and it would emulate all the services on the ports on this IP address, this interface. We want to guarantee that it's running on this interface.

I'm going to hit Escape, because Vim syntax is a little weird, and do another search for DNS. The first option is a DNS bind port. We're going to keep it as default. Hit N for next, hit N for next. DNS default IP, N for next, N for next, and I for insert. I'm going to delete the comment on this line. I'm going to specify that the address it should return for all DNS queries will be this one, 10.0.0.1. I'm specifying that not only am I everything it's ever looking for, but I am also all these things. There's a fixed time server on here. There's a fake HTTP server and all sorts of good stuff. Now we've configured INetSim how we want it. Execute again. Again, we probably shouldn't be running this as root. But we can go over to our Windows computer and just open up Internet Explorer. It goes to Microsoft.com, but it's intercepted by our INetSim program. The DNS server says, "Oh, Microsoft.com has this IP address, 10.0.0.1." It goes there and the web server that INetSim has set up will return this page for everything. Google.com will return this page, anything I want. You can also specify particular files. All PHP files will return something, or all EXE files will return a file that I have pre-specified for INetSim.

Here we are, and we see all this traffic. This was from the browser that I just opened. I'm going to reset it, and our malware should still be active. It doesn't look like it's calling out anymore. There it is. You'll see that it's not using DNS to resolve an IP address; it's trying to contact that IP address directly. That might tell us one of a few things. One, it might be a clumsily written piece of malware, because it's not taking into account machines that are behind proxies. But that's not our problem. Our problem is, we want to know what traffic is being sent out. We want to know what it's doing. There is something cool we can do, in that we can redirect not only all domains, but all IP addresses. We can do that pretty simply. I'm going to stop the capture for the moment. I will try to grab host indicators later, but now I'm trying to collect more network indicators. In order to capture all the IP addresses, instead of just domain names, I'm going to add a route. The syntax is "route add". I'm going to give it a base address, 0.0.0.0, mask, what it should ignore, 255.255.255.255, and then the IP address of where I want all this traffic to go. All traffic should be funneled to this IP address, which is 10.0.0.1. Over on the Linux side, I'm going to have to open another terminal, Control Shift N, and I'm going to add an iptables route: "iptables -t nat -A PREROUTING -i eth1", because that's where we want to direct all of our traffic to, and then "-j" for redirect. Now suddenly, it made a successful connection. We can look at the successful TCP connection, and we can see that it's IRC. In the red, we can see the victim network traffic first sends "PASS 2580", and its nickname, its username pretty much, is this. The server responded with a notice, authentication, "Welcome to irc.inetsim.org", because IRC is also emulated here. Then it tries to join the channel skaters_1990. If we were security researchers, we could hop onto that IP address, the IRC channel skaters_1990 on that IP address, and we could find other bots there. That's happened before.

I've had numerous people tell me that they were working at a hosting provider and someone notified them that they're hosting some malicious content, and they look at it and it's an IRC chatroom, and a lot of old malware used that as a command and control mechanism, because they could stay relatively anonymous. But the problem is that they usually didn't have good authentication. The password we can see to this channel was 2580, so we can hop on this channel now. Maybe I want to interact with this bot. Maybe I want to send it commands. Maybe I want to try to control it. Well, how can I do that? Well, luckily for us, we can simply change the config again for INetSim. Go to IRC, see where it's starting that service, put a pound sign to comment it out, Escape, colon, W, Q to write and then quit, and then rerun INetSim. It's doing everything it did before except now the IRC port and process are no longer listening. We can see that there's an attempted connection and it's rejected. The attempted connection came from 10.0.0.2; the victim machine tried to go to this IP address. It's a SYN packet, and then our machine said reset.

I would really like to introduce, if you don't already know about it, a program called Netcat. Of course, like INetSim, you can just say "man" and then the command "nc", and it'll tell you all about it and how to use it. I'm going to use "nc -l" for listen, and then "-p" and specify a port. I'm going to say "nc -l" and then "-p 6667", so now it's listening on that port. It looks like our malware isn't calling back anymore. I wonder why; it did call back. Let me just wait a second. We're listening on this port and we see it gave the same password. It's using the same name, which looks like the host name of the machine. We can verify that. Certainly, when you right-click on My Computer, that's the host name. It's using the host name of the infected computer. I'd be willing to bet that's a time stamp. Maybe something else, I don't know. We could do more analysis. It is the same number; it might be some identifier, like a campaign code built into the malware. Further reverse engineering would reveal exactly what it is. But I'm not sure if it's important right now; my guess is maybe not. Here with Netcat, I can also send commands back. It's not responding to some commands here, so maybe it needs some specific string before it reacts.

I'm going to just play with things, because I like poking at things, and send a lot of As, and then Control C will kill the connection. Let me see if that did anything. But binary.exe has crashed. Apparently the malware author didn't write this malware very well. This is interesting to me. If we were vigilantes, we could get onto this IP address using this password, and we could jump on there using some host name, maybe even this one and this user, join this channel and then send all these As to everything that is listening on that channel. Crash all of the malware on all those computers. Let's see if it calls back. Reset, clear it, and it doesn't look like it's calling back. I will say it is a reckless endeavor and it may not be appropriate. In fact, I'm pretty sure it is illegal, because you are executing code, or actually you're stopping code from executing, on other people's machines. Those are not your computers, even if they're compromised. The appropriate thing might be to notify law enforcement.

They probably wouldn't do anything though, because they're bound even more tightly about what they can and can't do. They probably would shut down the command and control server, or they would bring in an expert to come in and dismantle the botnet, if you will. Microsoft has done that with law enforcement to take down large botnets. Sometimes it's been very successful, sometimes it has not been. But if you interfere like that, I'm not a lawyer, so I'm not going to say whether that is legal or not. If we wanted to play with this more, I would suggest using this build.exe. Here we have some interesting options. Binary: it says open 1.1 bot binary. I'm just going to go with this. Here it looks like this was the IP address that it was calling out to, this port, the channel, the password it was using. Let's test our DNS resolving manipulation capabilities with something like freenode.net.

Usually malware has this backup command and control server functionality. I'm just going to go to Google.com. I'm going to change this to, I don't know, 555 and 111 just to see what happens. It looks like there's a web panel that would open, refreshing every five seconds. It looks like that SOCKS4 and SOCKS5 proxy setting that we see here can be verified. It looks like it will open up an FTP server. It looks like on the IRC, the bot password is this. I don't know what this does. It looks like there's a firewall bypass, and we can see that in here: authorized applications. It looks like it whitelisted itself in the location that it was executed from, so an attacker would probably compromise a machine, drop it into a directory somewhere that a user's not likely to access, and then execute the malware.

It looks like it has a kernel driver as well, and saves service state in the registry. These are all interesting options that I would suggest that you play with. I'm going to say save, and that is saved. I'm also going to show another tool here, Process Explorer. It's basically Task Manager on steroids; it is incredibly powerful. Process Hacker is very similar in interface and very similar in function. But it lets us watch processes very closely and identify the DLLs that are injected into them. I would also like to run Autoruns; a bit of a screen: autoruns.exe and autorunsc.exe. This one will produce console output, and this one will produce a GUI. The console output is useful if you want to chunk all of the current autorun entries into a file, and then compare that file to another file of the autorun entries after the malware has been run, so you can see if anything's been added. It looks like Autoruns is having some trouble. It's okay, it happens. It may be the malware, probably not. It's highlighted some things here. In the configuration for the malware it mentioned a kernel driver. We might want to check drivers and see where this is. We might like to look at the host log and see one of these files, see if there's any mention of them; it doesn't look like it. We could look through all of these individually and we can take a before and after snapshot, because remember, we've already executed this binary before, or a similar one. But the best way to be sure is to keep running it over and over again. But it may not have a persistence mechanism. Now on my wall it does. Autoruns usually finds when malware is doing something. Let's see what's going on here. It looks like our victim machine is trying to connect to this port, but it's closed, so I'm going to start listening with Netcat again. There was our DNS query, freenode.net. Let's see if it made another query. We can do that just by typing "dns". It tried to resolve crl.microsoft.com and we gave it our own IP address. Again, it was probably some internal Microsoft tool, and here it was asking for freenode.net, and it's connected and given us the same configuration data. It's given us the password of 2580, so not the other value that we had entered into the configuration. That is interesting. This did not change. But let's see if the other value did. Yes, the channel it tried to join was one that we had defined. It looks like this malware is configurable. I like to crash things, so I'm going to send it a bunch of data and see if it crashes it. It did indeed crash it. I hope that you play with this and enjoy it.