Download as PDF, PPTX
![TrueSec
Extract Those Files!
37
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
} &default ="";
!
event file_new(f: fa_file) {
local ext = “data";
!
if ( f?$mime_type )
ext = ext_map[f$mime_type];
!
local fname = fmt("%s-%s.%s",
f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
}](https://image.slidesharecdn.com/malware-analysis-free-software-rmll2014-140708082623-phpapp01/85/Malware-Analysis-Using-Free-Software-37-320.jpg)
![TrueSec
Extract Those Files!
37
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
} &default ="";
!
event file_new(f: fa_file) {
local ext = “data";
!
if ( f?$mime_type )
ext = ext_map[f$mime_type];
!
local fname = fmt("%s-%s.%s",
f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
}](https://image.slidesharecdn.com/malware-analysis-free-software-rmll2014-140708082623-phpapp01/75/Malware-Analysis-Using-Free-Software-37-2048.jpg)
Uploaded byXavier Mertens
Malware Analysis Using Free Software
This document discusses setting up an automated malware analysis sandbox using Cuckoo and Bro. It recommends using Cuckoo to dynamically analyze malware samples and Bro to monitor network traffic and extract suspicious files. Bro scripts are shown to extract files and submit them to Cuckoo for analysis. The talk emphasizes automating the analysis workflow and correlating indicators from Cuckoo with external threat intelligence in OSSEC to aid detection.
More Related Content
Similar to Malware Analysis Using Free Software
Malware Analysis Using Free Software
- 1. Malware Analysis Free Toolbox RMLL- Montpellier - July 2014 - Xavier Mertens
- 2. TrueSec $ whoami • XavierMertens (@xme) ! • Consultant @ day ! • Blogger, Hacker @ night ! • BruCON co-organizer 2
- 3. TrueSec $ cat ~/.profile •I like (your) data • Offensive / defensive security • Security visualization • I like to play! 3
- 4. TrueSec $ cat disclaimer.txt “Theopinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.” 4
- 5. TrueSec Agenda • Introduction • Buildyour lab • Automate • Conclusions 5
- 6.
- 7.
- 8. TrueSec Today’s Facts 8 29.122.849 unique maliciousobjects: scripts, web pages, exploits, executable files, etc. 81.736.783 unique URLs were recognized as malicious by web antivirus. Q1 2014 (source: Kaspersky Security Network)
- 9. TrueSec Sources 9 • My spamfolder (rootshell.be has been registered in 2001) • Torrents (Keygens) • P0rn sites • You & me!
- 10. TrueSec Motivations 10 • Plenty ofmaterial • To improve our security (integration with other tools) • Because I’m lazy! (automation) • Because it’s fun!
- 11.
- 12.
- 13. TrueSec Be Dynamic 13 • Executethe malware in a safe environment and watch what it does • Goals • Understand how malwares work • Get IOC’s
- 14.
- 15. TrueSec We Need “IOC”! 15 •Hashes • IP addresses • Domain names • Files • Registry keys • URLs Share!
- 16. TrueSec Today’s Market 16 • Aniche market • Big players (read: $$$) • Integrated into an existing platform (Many 2.0 or NG firewalls)
- 17. TrueSec An Attack in5 Steps 17 Persistence Exploit Plan a Backdoor Initial intrusion Reconnaissance Pwned!
- 18. TrueSec The Patient “0” 18 Theindex case or primary case is the initial patient in the population of an epidemiological investigation (Source:Wikipedia)
- 19. TrueSec Agenda • Introduction • Buildyour lab • Automate • Conclusions 19
- 20. TrueSec Requirements 20 • Free (becausewe are @ RMLL!) • Virtualized (easy & snapshots) • Open (to interconnect with other tools) • Automatization
- 21. TrueSec Cuckoo 21 • Dynamic codeanalysis framework developed in Python • “Python” means “open, modular, easy to modify” • Based on the classic “sandboxing” system
- 22. TrueSec Features 22 • Automation • Capturedata • API calls • Network traffic • Screenshots • Filesystem / Registry operations • Memory dump • Reporting in many formats
- 23.
- 24.
- 25.
- 26. TrueSec Basic Installation 26 • VirtualBox(recommended) • Lot of Python lib dependencies • Recommended platform: Ubuntu • Ninja mode: OSX
- 27. TrueSec We Need Intertubes 27 •Use Host-only networking withVirtualbox • Connect to the world # sysctl -w net.ipv4.ip_forward=1 # iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.1.0/24 -m conntrack -ctstate NEW -j ACCEPT # iptables -A FORWARD -m conntrack -ctstate ESTABLISHED,RELATED -j ACCEPT # iptables -A POSTROUTING -t nat -j MASQUERADE OSX Ninja?Visit http://goo.gl/aEM7gO
- 28. TrueSec “Your” Sandbox 28 • WindowsXP SP3 or Windows 7 SP1 32bits • Acrobat Reader, M$ Office, Browsers • Generate some content (cookies, browsers history) • Install the Cuckoo agent • Disable all security features!
- 29. TrueSec VM Hardening 29 • VMmust be “vulnerable” but hardened against anti-VM detection • http://github.com/markedoe/cuckoo- sandbox • https://github.com/a0rtega/pafish
- 30. TrueSec Attack of theClones 30
- 31.
- 32. TrueSec Agenda • Introduction • Buildyour lab • Automate • Conclusions 32
- 33. TrueSec Automation 33 Cuckoo is anice tool to analyse files on demand but some automation will be helpful to detect more suspicious stuff!
- 34. TrueSec Bro IDS 34 • Brois a powerful network analysis framework. Bro is not only a IDS • Bro comes with analysers for many protocols which allow processing at layer-7 • http://bro.org
- 35. TrueSec Bro Scripting 35 Bro hasa simple and powerful scripting language.All the output generated by Bro is based on scripts!
- 36. TrueSec Extract Those Files! 36 •Bro can extract files from network streams and save them on the file system • There is an “extraction” analyzer to perform this task
- 37. TrueSec Extract Those Files! 37 globalext_map: table[string] of string = { ["application/x-dosexec"] = "exe", } &default =""; ! event file_new(f: fa_file) { local ext = “data"; ! if ( f?$mime_type ) ext = ext_map[f$mime_type]; ! local fname = fmt("%s-%s.%s", f$source, f$id, ext); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); }
- 38.
- 39. TrueSec And URLs? 39 • ExtractingURLs from network? • Flood! (“HTTP is the new TCP”) • Analysing one-time URLs may break some tools (think about password recovery)
- 40. TrueSec Sniff! 40 # cd /tools/bro/logs #vi extract.bro # mkdir extract_files # ../bin/bro -i eth1 extract.bro listening on eth1, capture length 8192 bytes
- 41. TrueSec Feed Cuckoo! 41 # cd/tools/bro/logs/extract_files # inotifywait -m -q -e create —format %f . | while read F do case “${F##*.}” in “zip|exe|doc|dll|jar|msi”) /tools/cuckoo/utils/submit.py $F esac done
- 42. TrueSec Want Data? 42 • Cuckoohas a REST API • Useful to automate even more
- 43. TrueSec Get results! 43 # curlhttp://localhost:8090/tasks/list # curl http://localhost:8090/tasks/view/10 # curl http://localhost:8090/tasks/report/10 # curl http://localhost:8090/files/view/md5/xxxxxx !
- 44. TrueSec Extract IOC’s 44 #curl -shttp://localhost:8090/tasks/report/2/json | python extract-domains.py premiercrufinewine.co.uk 188.65.114.122 fidaintel.com 216.224.182.75
- 45. TrueSec Feed OSSEC 45 • CreateCDB lists (“active lists”) <ossec_config> <rules> <list>lists/baddomains.cdb</list> <list>lists/badips.cdb</list> </rules> </ossec_config> • Populate them • Re-generate them /var/ossec/bin/ossec-makelists
- 46. TrueSec Correlate 46 <rule id=“99001” level=“10”> <decoded_as>bind9</decoded_as> <listfield=“url”>lists/baddomains</list> <description>DNS query: malicious domain</description> </rule>
- 47. TrueSec Agenda • Introduction • Buildyour lab • Automate • Conclusions 47
- 48.
- 49. TrueSec Conclusions 49 • We don’thave time to handle such amount of data! • Know your Enemy! • Correlate your logs with external content
- 50.