Lab Setup Part 3


Time: 9 hours 10 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Description

In the previous session, we learned how to install a Windows XP machine, VMware, and Kali. In this session, we'll learn more about the malware analysis tools that are used in the virtual machine. These include: SysInternals, MAP Pack, 010, a PE viewer (such as CFF Explorer, PE Explorer, PE View, PE Studio), IDA Pro, Cygwin, and Notepad++. There are also several tools available for dynamic analysis: Capture BAT, RegShot, PEiD, LordPE, Import Reconstructor, OllyDbg 2.0, and many more. You will also learn about some limitations of VirtualBox (or VBox) and of Windows Vista. Additionally, you'll learn why taking snapshots for every major update, service pack, and software version is important in preventing malware attacks. We will conclude with the different levels of automation that are possible in the malware analysis arena. Several tools and platforms, such as Xen, malware farms, Cuckoo Sandbox, FireEye, Joe Sandbox, ThreatGrid, VirusTotal, Anubis, and Hyper-V, allow you to automate malware analysis and sometimes removal. Although these tools help in capturing report data, signatures, and indicators, they cannot replace human malware analysts. And finally, there are some good resources that will help you establish expertise: Cuckoo Malware Analysis by Digit Oktavianto and Iqbal Muhardianto; Malware Analyst's Cookbook by Michael Ligh, Steven Adair, and Blake Hartstein; Gray Hat Python by Justin Seitz.

Video Transcription
00:03

What are the tools we just copied in our virtual machine? The first is SysInternals from Microsoft, made by Mark Russinovich. They are very useful. I think they're fantastic, they're amazing. The second is the MAP Pack by Dave Zimmer. We discussed some of these tools last time, and we installed them, and I showed you how to use all of them. I suggest 010, the hex editor, some PE viewer like CFF Explorer, PE Explorer, PE View, PE Studio. I just saw another one today that I didn't know of, it's like beardiff. IDA Pro is a free disassembler, at least a 5.0 version or five point something version. The 6.0 version is also free, but will not let you save your analysis. But if you upgrade to a pay-for version, it will let you save it, and it's about $700. There are free versions out there, but they're not nearly as good. As I said last time, Cygwin with GCC, Binutils, XXT, and it has its own version of Python built in; this is something I suggest as a personal preference of mine, and Notepad++.

Tools for our virtual machine for dynamic malware analysis, I would suggest these: Capture BAT is usually my first since it's my default. It just captures major system events. Regshot captures changes to the registry, and it can also be configured to watch for any file system changes. PEiD is a static file analysis and parser and signature scanner. It will look for common packers, see if the malware is encrypted with something that we can easily find. LordPE helps you dump something out of memory. If you start executing something, a piece of malware, and it's just running as a regular program, you can just dump it straight to disk, and then you can use Import Reconstructor to rebuild some of the structures that were lost when you dumped it to disk. This is useful for malware that's packed. If it unfolds or decrypts in memory, you just want that end result, you don't want to have to unpack it manually. Although you can. It's a bit harder. OllyDbg is a very common debugger for reverse engineers. It's just very user-friendly comparatively. It has a lot of plugins, but we'll cover that later in more advanced dynamic analysis, because it allows you to step through the instructions and execute them one by one.

Just a few notes about what we did before, just like I said, VirtualBox, or VBox, Oracle. VirtualBox is open-source, it's free, it's very useful. I find that it runs very fast, but it sometimes corrupts a little easier. There are some differences. Like I said, one of the reasons why I chose Windows XP is because the permissions are a lot easier to deal with. A lot of malware targets Windows XP, because it's still fairly common in the wild. But Windows Vista and up, 7, 8, 10, they have different permission architectures, and different security architectures, and usually much better security. But a lot of malware will mess up, or fail, or just assume the wrong things. That's why I like working with Windows XP, but generally, I have a Windows 7 computer on hand for more modern threats. Rootkits and 64-bit programs really need WinDbg. It is the debugger supplied by Windows. It is very powerful, very difficult to use. It's [LAUGHTER] not user-friendly at all. If you get good at it, you will absolutely know what was going on within your operating system, within any program you want. That includes the kernel, the core operating system. You can really figure out what's going on in there. Even with Vista, 7, 8, and 10, even when they have all the security precautions like the UAC prompt, the user account control, ASLR, address space layout randomization, DEP, data execution prevention, and so on. As I said before, I took a snapshot of every major update every month after every Patch Tuesday. I really never had to use that to verify that a vulnerability was being exploited by malware, but you might want to.

I want to talk about the different levels of automation. We just set up a local VM, we just put some tools in there, and we can throw some malware in there, and just start executing it, and see what comes out, and we will do that in the next video, just coming right up. But I do want you to know that VMware can be scripted. There is an API, an application programming interface, for VMware and VBox. That's awesome. You can write a program to download some malware automatically, and then pop it in the virtual machine, automatically set up your tools, and execute the malware. Then you can write some more programs to plot a report, and then you can just go on and on. These solutions already do exist. There are people who've automated things and scripted ESXi, which is the server hypervisor version of VMware. Xen is another VM hosting hypervisor, and Hyper-V is Microsoft's version. Xen is open-source. There's Cuckoo Sandbox, which is built on VirtualBox, and it does automated malware analysis. You can just upload malware to it, and it has a little web interface, and it'll produce this nice report afterwards about what the program did. There's whole malware farms out there, and then there's websites that do this on a massive scale like VirusTotal, or Anubis, or any of the others. They go through tens of thousands of malware samples per minute. There's even commercial products like Joe Sandbox and Threat Grid that do this. There's even appliances like FireEye, they sell you a computer that sits on your network. Any program that gets downloaded over your network, FireEye will just grab out of the network and throw into its proprietary virtual machines, execute it, and just immediately tell you if there's something dangerous about it.

You might be thinking, "Well, why am I even dealing with any of this since there's already tools out there to do it for me?" When we go back to what I said before, which was, you really need a human to analyze this stuff. Antivirus companies have been trying for years to develop algorithms, to develop software, to determine if something is malicious, and they have come up against a wall, they really cannot do it. Part of being a malware analyst is being able to just look at something and get a good feeling for it. You get these uncanny feelings because you know what a normal program is supposed to look like, you know what malware is supposed to look like. Every time you automate something, you assume something. Most sandboxes out there, like Joe Sandbox or Threat Grid, will only run the malware for five minutes. A lot of malware has built-in timers to just wait longer than five minutes before it starts executing. It's a very simple defense mechanism. Or a lot of malware out there will look to see if it's on a real machine or if it's running very slow, because a lot of these systems like VirusTotal or Threat Grid have thousands of virtual machines running on the same hardware, so of course they're going to run a bit slower. The malware thinks like, "I'm going to run on Windows 7, or I'm going to run on XP. I should be on some relatively modern hardware. If I'm not executing fast enough, then I'm just going to die, because I'm probably in a virtual machine, someone's trying to analyze me."

Cuckoo Sandbox and others are great for collecting indicators of compromise, and just turning out reports and signatures, but it really doesn't help when it comes down to it. When you get some incident in your organization, and your boss goes over, and he's just like, "What is this?" You can't pop it into Cuckoo and have it give you a good answer. You can't use FireEye and have it give you a good answer. Those solutions are great generally, but if something actually happens to you and you need to know what it is, you can't really rely on those solutions. It says generic threat or generic Trojan. It's like, now what? It's like, how much of a risk is it? How much of an impact will it have on our organization? How many resources do we put in this? Those appliances, those solutions don't tell you that. Since they've automated everything, they make really common mistakes. I have seen malware out there that checks to see if its filename is sample or if its filename is malware. If it is, it just dies, it doesn't execute, or does something crazy. It just creates tons of random events, and so the logs just turn out and say, "This thing created 1,001 files, it beaconed out to Google, it beaconed out to bing.com, maybe those are now malicious domains," and blah-blah, so it's really easy to just mess things up. One of those sandboxes made the mistake of saying, I'm just going to rename all the malware samples malware.exe and then execute it, or sample.exe and then drop it into the VM and execute it. It's making an assumption, and the malware is taking advantage of that assumption, and that's really why humans are still needed to do all this, and I don't see that changing anytime soon. A human has the intelligence to just look at these things and know them, and computers and algorithms just simply do not.

Notes for the paranoid. There have been vulnerabilities in VMware. I've never seen malware exploit any of them in the wild, but there have been proofs of concept where some malicious code could theoretically get out. There have been proofs of concept where malware will act differently if VMware Tools is installed in its environment. I've heard about it a few times, I've never really seen it, and I think it's becoming less common because more and more people are working on workstations. I think it's more common that malware chooses not to be all crazy units in a virtual machine but instead to have other kinds of anti-analysis and other kinds of defenses built in that we'll go over in the future. But some of them do, so that's why I recommend changing your MAC address. That's why I recommend only running one or two virtual machines on your computer at a time, and maybe letting the malware out onto the Internet to not spoof every IP address that you see, because I have seen some malware that will do an IP address check. It'll go and check for google.com and see what IP addresses come back. If it's not any of the Google IP addresses that it knows about, it just will not work; it assumes that it can't get to the Internet, and if it can't get to the Internet, then it's useless as a bot, so it doesn't need to run, and it's probably in a virtual machine anyway. If you're worried about your privacy being compromised by running malware, like if you got some malware from a sensitive source, you can run it through a VPN. May or may not be a good idea depending on your situation. I've seen malware where it executes in the target environment only, and it does that by checking its IP address. It goes out to some servers and says, what is my IP address, and it's like, okay, I'm in the range of the company I'm attacking, okay, good. But if you say, oh, I'm going to upload it to VirusTotal, or I'm going to upload it to Joe Sandbox or whatever, and it does a check to see what IP address it's coming from, it says, oh, I'm coming from an IP address that's known to be from an antivirus, or I know I'm coming from an IP address known to be coming from something other than my target company, it won't work right. It will alert the attacker that something is going on, that someone is analyzing their malware. I suggest having in your organization your own dedicated environment that's routed straight to the Internet or is proxied or something, so that you can simulate it kind of being in a real environment, and use generic names for your user, for your computer, but not so generic as to have the username be user or your malware always being a file called malware.exe. Because I've seen malware that checks to see if the username is user or analysis machine or malware machine, and it won't work if it sees that.

Just a recap of what we did, we set up our malware analysis lab in here. In the next video, we're just going to start running some malware and seeing what we can do with it. You can do it all for free, and there are multiple levels of automation you can make this. I suggest for now, let's not do any automation. Let's just run some tools, let's see what we can get from our malware samples, and let's just have fun with it. That's really the best way to go, but we are going to have to configure them and slightly tune them, and I'll show you that in the next video.

Some good resources if you like this kind of stuff: there is a book out there like the Cuckoo Malware Analysis book, and there's the Malware Analyst's Cookbook and DVD, I highly suggest that. It's written by a very smart guy or guys, and they've contributed a lot of code to malware analysts. A lot of it's really helpful, a lot of it is in Python if you like that, and when you start looking at the stuff, you're just like, wow, that's helpful. This dumps all the function calls it's going to make. Wow, this program will generate your signatures, or this program will automatically hash it and check VirusTotal, this program will do this. It's really easy to get carried away with automating whatever setup you have, and I would suggest doing your analysis and then, if you have a question about something, check the cookbook, see if they already have an answer for that, and occasionally read through what you can do with it, but it's important not to let your tools drive your analysis. Your analysis should drive your tools. If you think there's a resource in your malware that you need to pull out, then look up a recipe for pulling out the resource, or do it however you can. Don't just make a giant script to do 99 percent of what could be done.

I remember when I first started in this industry, I read through a bunch of these books, and I was just like, oh, I can do this and this and this, and I wrote five or six different scripts to dump the headers, and then dump the sections, and show me the entropy of the sections, show me if there's any major differences between virtual size and size on disk and any interesting sections, and dump the process once it's in memory and just see if it's injected any other processes, all this other stuff. I remember I got into this reversing group at my company, and really smart guys, they're watching me do this, they got a sample, and I'm just like, I have all these scripts, blah, blah. I went and I ran all my scripts, I'm just like, okay. They looked at me and they're just like, "Okay, now what?" I was just like, "I don't know." They're just like, "You don't know, because the question you were asked was, is this PlugX, is this Zeus, is this whatever the question was, does this beacon out to this IP address?" That was the question, and my tools didn't answer that, and to answer that question, all I had to do was execute it in a VM and see if it was doing anything, or execute it on a real machine and see if it was doing anything, but just in case it was VMware. That was the question I needed to answer. My scripts were driving my idea of what I should do, and that's not how we should do things. We should be thinking, what is the information we need? Usually, the thing that your boss wants to know is, what is the risk? What is the impact? Who sent this? Can we expect them again? How can we better defend ourselves? These questions we can answer with our analysis. Thank you for watching the video, and I'll see you next time.