Several Posts on Malware Analysis Tools


In the past weeks I published several posts describing malware analysis tools and approaches at other blogs:

  • Automating Static Malware Analysis With MASTIFF: MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. MASTIFF offers a useful way for performing triage on a large set of suspicious files. Extra: See my MASTIFF demo as part of the What’s New in REMnux v4 for Malware Analysis webcast.
  • Tools for Examining XOR Obfuscation for Malware Analysis: There are numerous ways of concealing sensitive data and code within malicious files and programs. Fortunately, attackers use one particular XOR-based technique very frequently, because it offers sufficient protection and is simple to implement. Here’s a look at several tools for deobfuscating XOR-encoded data during static malware analysis. Extra: Experiment with Thomas Chopitea’s unXOR tool.
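
The single-byte XOR scheme mentioned above, worked through in Python as an added example (this is not code from unXOR or from any of the tools the post links to). It shows the two ways such tools recover the key: a known-plaintext scan, where the key is derived directly from one byte and then checked against the full string, and a brute-force pass over all 256 keys ranked by a text-likeness heuristic for cases where no plaintext is known. The sample blob, the 0x5A key and the filler bytes are constructed for the demo.

```python
# Bytes that dominate English-like text; used to rank candidate decodings.
LOWER_OR_SPACE = frozenset(range(ord("a"), ord("z") + 1)) | {ord(" ")}


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte: the scheme the post calls out as so common."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are lowercase letters or spaces.

    A crude frequency heuristic: English-like plaintext scores high, while a
    wrong key turns most letters into punctuation or high bytes. Counting only
    printable bytes would be weaker, since a small key such as 0x01 keeps text
    printable but unreadable.
    """
    if not data:
        return 0.0
    return sum(b in LOWER_OR_SPACE for b in data) / len(data)


def rank_single_byte_keys(data: bytes):
    """Try all 256 keys and rank them by text_score, best first.

    Returns a list of (score, key) tuples; use this when nothing is known
    about the plaintext.
    """
    scored = ((text_score(xor_single_byte(data, k)), k) for k in range(256))
    return sorted(scored, reverse=True)


def find_key_by_known_plaintext(data: bytes, known: bytes):
    """Known-plaintext search, the approach xorsearch-style tools take.

    At each offset the key that would map data[offset] to known[0] is derived
    directly; the whole known string is then checked at that offset.
    Returns (offset, key) for the first hit, or None.
    """
    if not known:
        return None
    for offset in range(len(data) - len(known) + 1):
        key = data[offset] ^ known[0]
        if xor_single_byte(data[offset:offset + len(known)], key) == known:
            return offset, key
    return None


# Constructed sample: a string that typically appears in PE file headers,
# obfuscated with key 0x5A and surrounded by a few filler bytes.
SAMPLE_PLAINTEXT = b"This program cannot be run in DOS mode.\r\n$"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = (bytes([0x00, 0x90, 0xFF, 0x10])
               + xor_single_byte(SAMPLE_PLAINTEXT, SAMPLE_KEY)
               + bytes([0xC3, 0x00]))


def recover_sample():
    """Locate the known string in SAMPLE_BLOB and decode from that offset onward."""
    hit = find_key_by_known_plaintext(SAMPLE_BLOB, b"This program")
    if hit is None:
        raise ValueError("known plaintext not found under any single-byte key")
    offset, key = hit
    return offset, key, xor_single_byte(SAMPLE_BLOB[offset:], key)


if __name__ == "__main__":
    offset, key, decoded = recover_sample()
    print(f"known-plaintext hit at offset {offset}, key 0x{key:02X}: {decoded!r}")
    print("best keys by text score:", rank_single_byte_keys(SAMPLE_BLOB)[:3])
```

The known-plaintext scan is linear in the input and needs no scoring; the brute-force ranking is the fallback when no string can be guessed, and its heuristic is deliberately biased toward lowercase letters and spaces rather than "any printable byte", because keys that differ from the real one in only a low bit keep the output printable but meaningless.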

Also, on my own blog I took a look at Cylance’s Accelerify tool for speeding up the lab system’s clock for malware analysis.

Lenny Zeltser

Anticipating Cyber Threats Beyond APT


Some organizations have encountered Advanced Persistent Threat over 5 years ago—earlier than most of us. Because of the types of data they process, these initial APT victims were exposed to carefully-orchestrated, espionage-motivated attacks before they spread to a wider range of targets.

Now, half a decade later, it might be time to look at the attacks that the initial APT victims are fighting today in order to forecast the threats that will eventually reach other companies. I am wondering:

  • Will traditional APT actors eventually disengage from early APT targets, perhaps after obtaining the necessary data, finding it too costly to maintain their presence, or deciding to focus on easier-to-attack victims? Have they done this already?
  • Will APT groups remain engaged, but drastically change tactics according to new goals and in response to new defensive elements? How have these tactics changed in the recent years?
  • What can we learn by treating initial APT targets as predictors of threat dynamics that will eventually affect a broader set of victims? What attacks are effective today against the organizations that had the time and skills to adapt to initial APT tactics?

It’s hard to answer these questions without first-hand access to the companies that witnessed the first wave of APT attacks. Furthermore, the dilution of the term APT by marketing departments makes it harder to differentiate between reliable APT insights, such as what Mandiant has been publishing, from generic APT-themed sales collateral peppered throughout the web.

Based on public information and observations, I suspect the threat landscape over the next few years will involve:

  • A greater use of purchased non-public exploits. (See Reuters’ article on the trends in the exploits market.)
  • More professional oversight of multiple aspects of attack operations and logistics to improve effectiveness and efficiency.
  • Smarter mining of stolen data (“big data”) to derive intel for subsequent attacks, discover relationships and spot other valuable information.
  • The adoption of the techniques seen in “military-grade” malware, such as Stuxnet, by a broader range of attack groups. (See Eugene Kaspersky’s concerns over military’s use of malware.)
  • Increased use of anti-forensics and evasion techniques to conceal attackers’ capabilities and motives. (See Eugene Rodionov and Alexandr Matrosov’s overview of anti-forensics malware features.)

These are just conjectures. I don’t have the answers to the questions I posed above; however, I thought I’d at least ask them and explore the idea of looking at early APT targets’ current state to anticipate advanced threats that will later affect other organizations.


Lenny Zeltser

Speeding up the Clock for Malware Analysis With Accelerify

Sometimes malware doesn’t perform “interesting” actions until some time has passed, stretching out its activities over hours or days. This approach tricks some automated analysis tools and helps evade detection. Cylance’s free tool Accelerify helps analysts in such situations by accelerating the lab system’s clock.

Accelerify modifies the system’s time at the rate specified by the analyst. For instance, in the video attached to this article, I directed the tool to modify the clock every second, advancing it by 300 seconds. This had the effect of accelerating the time by a factor of 300.

The “-i” parameter sets the interval, in seconds, between adjusting the time. I used 1; the default is 10. The “-a” parameter specifies the number of seconds by which to advance the clock. I used 300; the default is 3600.

You can use Accelerify in conjunction with behavioral monitoring tools to explore situations where the specimen’s actions are triggered by the passage of time or by specific date and time values. In such scenarios, you could activate the monitoring tools, launch Accelerify, infect the laboratory system and see what develops.
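A small model of the clock acceleration described above, added here as a worked example in Python; it is not Accelerify's code and does not touch the real system clock. It reproduces the two parameters the post explains (the adjustment interval and the number of seconds added per adjustment, with the post's defaults of 10 and 3600) and answers the question an analyst actually cares about: how long, in real time, one has to wait before a specimen that sleeps for, say, 24 hours of "system time" would see that delay elapse. The long-run speedup is (interval + advance) / interval, which for the post's settings of 1 and 300 is the roughly 300× the post describes.

```python
from dataclasses import dataclass


@dataclass
class AcceleratedClock:
    """Model of a lab clock being pushed forward the way Accelerify does.

    Every `interval` real seconds the clock jumps forward by `advance`
    seconds; in between it runs at normal speed. Defaults mirror the values
    the post gives for Accelerify's -i and -a parameters.
    """
    interval: int = 10    # real seconds between adjustments (-i, default 10)
    advance: int = 3600   # seconds added to the clock per adjustment (-a, default 3600)
    real_seconds: int = 0
    jumps: int = 0

    def tick(self) -> None:
        """Let one real second pass, applying a jump when the interval elapses."""
        self.real_seconds += 1
        if self.real_seconds % self.interval == 0:
            self.jumps += 1

    @property
    def lab_seconds(self) -> int:
        """Elapsed time as the infected lab system perceives it."""
        return self.real_seconds + self.jumps * self.advance

    @property
    def speedup(self) -> float:
        """Long-run ratio of lab time to real time."""
        return (self.interval + self.advance) / self.interval


def real_seconds_until(lab_delay: int, interval: int = 10, advance: int = 3600) -> int:
    """Real seconds to wait before the lab clock shows `lab_delay` seconds elapsed.

    This is the wait an analyst faces for a sample that checks elapsed time
    before acting. Ticks are whole seconds, so the result is rounded up to the
    first second at which the lab clock has passed the delay.
    """
    clock = AcceleratedClock(interval=interval, advance=advance)
    while clock.lab_seconds < lab_delay:
        clock.tick()
    return clock.real_seconds


if __name__ == "__main__":
    one_day = 24 * 60 * 60
    for interval, advance in ((10, 3600), (1, 300)):
        clock = AcceleratedClock(interval=interval, advance=advance)
        print(f"-i {interval} -a {advance}: speedup {clock.speedup:.0f}x, "
              f"24h of lab time passes in {real_seconds_until(one_day, interval, advance)} real seconds")
```

Note that the model, like the real tool, only moves the clock forward in steps; a specimen that measures elapsed time with a monotonic counter rather than the wall clock will not be fooled, which is one reason to pair the tool with behavioral monitoring rather than rely on it alone.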

Lenny Zeltser

Live and Recorded Malware Forensics Webcasts


In the field of IT in general and digital forensics in particular, you become obsolete the moment you stop learning. Here are several free webcasts related to reverse-engineering and malware analysis that will help you keep your skills up to date.

Upcoming live malware forensics webcasts:

Previously-recorded malware forensics webcasts:

Lenny Zeltser

New Release of REMnux Linux Distro for Malware Analysis


I’m pleased to announce the release of version 4 of the REMnux Linux distribution for reverse-engineering malicious software. The new version includes a variety of new malware analysis tools and updates the utilities that have already been present on the distro.

What’s new in REMnux v4? See the details below and register for a free webcast where I will showcase some of the key additions. You can download the latest release at REMnux.org.

What’s New in REMnux v4

REMnux is now available as an Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here’s how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.

Key updates to existing tools and components:

New tools added to REMnux:

Getting Started With REMnux

The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.

The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis. I also recorded a webcast to discuss What’s New in REMnux v4 for Malware Analysis and to demonstrate the new tools.

If you find REMnux useful, take a look at the reverse-engineering malware course that my colleagues and I teach at SANS. It makes use of REMnux and various other tools.

If you haven’t already, download the REMnux distro at REMnux.org.

For tips, issues and workarounds related to installing REMnux v4, see REMnux Version 4 Installation Notes.

Lenny Zeltser

Two-Step Verification for Apple ID Consistent With Authentication Trends

Apple’s introduction of two-step verification for Apple IDs is consistent with the trend in the industry to strengthen user authentication practices. Facebook has been experimenting with one-time passwords and social CAPTCHA authentication; Google began offering 2-step verification a while back. It’s great to see Apple get onto this bus.

Apple explains that “two-step verification is an optional security feature for your Apple ID.” To activate it, sign into My Apple ID on Apple’s website and go to the Password and Security area. You will then have the ability to specify which “trusted devices” associated with your Apple ID you wish to use as the second authentication token.

When designating a trusted device, such as an iPhone or an iPad, Apple will send a 4-digit verification code, which will pop up on the device almost instantaneously. You’ll need to enter the code on Apple’s website to confirm that you’re in possession of the device.

Once you’ve enabled two-step verification, you’ll need to verify that you still have the device whenever you log in to the My Apple ID website, when you “make an iTunes, App Store, or iBookstore purchase from a new device” or when you attempt to “get Apple ID-related support from Apple.”

For example, after signing into the My Apple ID website with your username and password, you’ll be presented with the prompt to “verify your identity” using one of the enrolled devices.

[screenshot: the “verify your identity” prompt on the My Apple ID website]

A pop-up like this will appear on the designated trusted device:

[screenshot: the verification-code pop-up on the trusted device]

If your device is locked when the code is delivered, you will need to unlock it before seeing the code. The overall experience is a bit more streamlined than what Google uses, because Google requires the user to install and activate the Google Authenticator app on the mobile device.

Receiving the code requires an active data connection. If you are using an iPhone that has no data connection but can receive SMS, Apple can send the verification code via SMS to a verified phone number. To take advantage of this feature, you need to verify the phone number through the My Apple ID website.

When activating the two-step verification option, Apple automatically generates a Recovery Key, which can be used as an authentication token if you lose access to a trusted device:

[screenshot: the Recovery Key shown during two-step verification setup]

Google, Apple and to some extent Facebook now give users the option of strengthening their account authentication process. It’s only a matter of time before other industry giants, such as Twitter, jump in. As stronger authentication becomes the norm, we might see some innovation in making it more reliable and convenient for end-users.
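The enrollment and sign-in flow described above, modelled in Python as an added example; this is not Apple's code and does not claim to reflect Apple's implementation. It captures the properties the post describes (trusted devices, a pushed 4-digit code, a Recovery Key as fallback) together with the controls that make a 4-digit code defensible at all: the code is bound to the device it was sent to, is single-use, expires, and allows only a few wrong guesses before it must be re-requested, since 10,000 possible values would otherwise be trivially guessable. The 300-second lifetime and 3-attempt cap are assumptions, and "delivery" of a code to a device is represented by returning it to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set

CODE_TTL_SECONDS = 300   # assumed lifetime of a delivered code
MAX_ATTEMPTS = 3         # assumed cap on wrong guesses per delivered code


def _digest(value: str) -> bytes:
    """Store only a digest of the Recovery Key, never the key itself."""
    return hashlib.sha256(value.encode()).digest()


@dataclass
class PendingCode:
    device: str        # the trusted device the code was pushed to
    code: str          # 4 decimal digits
    issued_at: float   # time.time() when issued
    attempts: int = 0  # wrong guesses so far


@dataclass
class TwoStepAccount:
    """Toy model of an account with two-step verification enabled."""
    trusted_devices: Set[str] = field(default_factory=set)
    recovery_key_digest: Optional[bytes] = None
    pending: Optional[PendingCode] = None

    def _push_code(self, device: str) -> str:
        code = f"{secrets.randbelow(10_000):04d}"
        self.pending = PendingCode(device, code, time.time())
        return code   # in the real flow this pops up on the device

    def enroll_device(self, device: str) -> str:
        """Start trusting a device: a code is pushed to it to prove possession."""
        return self._push_code(device)

    def confirm_device(self, device: str, code: str, now: Optional[float] = None) -> bool:
        """Finish enrollment by entering the code that appeared on the device."""
        if self.verify_code(device, code, now):
            self.trusted_devices.add(device)
            return True
        return False

    def enable(self) -> str:
        """Turn on two-step verification; the Recovery Key is generated and shown once."""
        if not self.trusted_devices:
            raise ValueError("enroll at least one trusted device first")
        key = secrets.token_hex(14).upper()   # 112 random bits
        self.recovery_key_digest = _digest(key)
        return key

    def request_code(self, device: str) -> str:
        """Second sign-in step: push a fresh code to an already trusted device."""
        if device not in self.trusted_devices:
            raise PermissionError("not a trusted device")
        return self._push_code(device)

    def verify_code(self, device: str, code: str, now: Optional[float] = None) -> bool:
        """Check a code; it is consumed on success, on expiry, or after too many guesses."""
        now = time.time() if now is None else now
        p = self.pending
        if p is None or p.device != device:
            return False
        if now - p.issued_at > CODE_TTL_SECONDS:
            self.pending = None
            return False
        p.attempts += 1
        ok = hmac.compare_digest(p.code, code)
        if ok or p.attempts >= MAX_ATTEMPTS:
            self.pending = None
        return ok

    def verify_recovery_key(self, key: str) -> bool:
        """Fallback second factor when no trusted device is available."""
        if self.recovery_key_digest is None:
            return False
        return hmac.compare_digest(self.recovery_key_digest, _digest(key))


if __name__ == "__main__":
    acct = TwoStepAccount()
    code = acct.enroll_device("iPhone")
    print("enrolled:", acct.confirm_device("iPhone", code))
    print("recovery key (shown once):", acct.enable())
    print("sign-in code accepted:", acct.verify_code("iPhone", acct.request_code("iPhone")))
```

The Recovery Key is the part users most often mishandle: it is the only factor that does not depend on a device, so the model stores just its digest and returns the plaintext exactly once, at enable() time.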

Lenny Zeltser

Indicators of Compromise Entering the Mainstream Enterprise?


The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. A few years ago this concept, often called Indicators of Compromise (IOCs), was mostly discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.

Mandiant began popularizing the term IOC around 2007. Kris Kendall’s paper Practical Malware Analysis mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia’s Foreign Attacks on Corporate America slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary’s artifacts to define custom host-level signatures.

Now, several years later, the term IOC is pretty well-known in the infosec industry. More companies are adding malware and related analysis skills to incident response teams. As Jake Williams put it, such firms know how to examine new malware and extract IOCs. “These are then fed back into the system and scans are repeated until no new malware is found.” Automated analysis products from vendors such as Norman, Mandiant, FireEye and HB Gary are being increasingly positioned as IR triage-enablers.

That said, the knowledge and skills for deriving and using IOCs are far from mainstream. Anton Chuvakin highlighted the distinction between security haves and have-nots along the lines of this capability. The haves know how to reverse-engineer malware to “extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems.”

IOC techniques haven’t entered the mainstream just yet. But we’re heading in that direction, as more people attain forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.

To learn how to define and make use of IOCs, take a look at:

Lenny Zeltser

Hiring a Software Engineering Manager in Dallas, TX


Update: This position has been filled.

I’m looking for a software engineering manager to join my team at NCR in Dallas, TX. The person leads the efforts to develop and maintain software that addresses our customers’ information technology needs. To accomplish this, the manager motivates team members and oversees their activities in the context of Agile-inspired development practices.

Some of the required skills and proficiency levels include:

  • Experience managing a software engineering team
  • Past experience developing applications using C, C++, C#/.NET or Java
  • Experience in overseeing the development of mission-critical software projects from design to completion
  • A cultural fit that allows the person and the team to have fun and be productive

Are you such a person or do you know someone like this?

Lenny Zeltser

Proxify and BadAssProxy in Action

GNUCITIZEN released a lightweight proxy called Proxify, designed to conveniently integrate with other tools. Proxify can handle both HTTP and HTTPS, displaying or saving the interactions between the client and the server. Its authors expect the tool to be embedded in applications that require proxy functionality, explaining that:

“The tool will do all the hard work and you just need to provide a very simple restful HTTP service to do the forwarding of data between the browser and the remote target.”

Proxify is easy to run from the command-line, as you can see in the video attached to this post. In this example, I directed Proxify to listen on port 8080 and save all requests and responses it intercepts to the “output” directory.

Proxify is free for non-commercial use, and is available in a binary form for Windows, Linux and OS X.

For an example of a GUI tool that uses Proxify behind the scenes, take a look at BadAssProxy (BAP), released for free by Websecurify. The initial release of BAP isn’t as full-featured as the established tools in this category, such as Fiddler and Burp. However, it has a clean user interface and promises additional functionality in future versions.

BAP is available as a free Windows download. It requires Microsoft Visual C++ 2010 Redistributable Package to run.

I like the simplicity of Proxify and the convenience of being able to run it from the command-line to examine web traffic. I wish it offered the convenience of easily carving files from HTTP responses, though. (I am planning to include Proxify in the next release of the REMnux distro.) BAP looks nice as a proof-of-concept and is built using a promising (Java-free) architecture; I’m looking forward to seeing this tool’s future releases with more functionality.
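A minimal recording proxy of the kind described above (listen on a port, relay each request, save every request and response to an output directory), written in Python as an added example; it is not Proxify or BAP code. It handles plain HTTP GET only, so no CONNECT tunnelling or HTTPS, and the origin server is a constructed stand-in so that the whole demo runs on loopback. Ports are chosen by the OS rather than fixed at 8080, and the output directory is a temporary one, so run_demo() can be executed anywhere.

```python
import http.client
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import urlsplit


class OriginHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the remote web server; exists only for the demo."""

    def do_GET(self):
        body = b"hello from origin: " + self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class RecordingProxyHandler(BaseHTTPRequestHandler):
    """Forward proxy for plain HTTP that writes each exchange to output_dir.

    A browser configured to use a proxy sends the absolute URL in the request
    line; the proxy fetches it directly, relays the reply, and stores exchange
    N as NNNN.request and NNNN.response.
    """
    output_dir = Path(".")
    _counter = 0
    _lock = threading.Lock()

    def do_GET(self):
        target = urlsplit(self.path)
        path = (target.path or "/") + (f"?{target.query}" if target.query else "")
        upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
        upstream.request("GET", path, headers={
            "Host": target.netloc,
            "User-Agent": self.headers.get("User-Agent", ""),
        })
        resp = upstream.getresponse()
        status, body = resp.status, resp.read()
        ctype = resp.getheader("Content-Type", "application/octet-stream")
        upstream.close()

        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        self._record(status, ctype, body)

    def _record(self, status, ctype, body):
        with RecordingProxyHandler._lock:
            RecordingProxyHandler._counter += 1
            n = RecordingProxyHandler._counter
        request_text = f"{self.command} {self.path} {self.request_version}\r\n{self.headers}".encode()
        (self.output_dir / f"{n:04d}.request").write_bytes(request_text)
        response_text = f"HTTP {status}\r\nContent-Type: {ctype}\r\n\r\n".encode() + body
        (self.output_dir / f"{n:04d}.response").write_bytes(response_text)

    def log_message(self, *args):
        pass


def run_demo(url_path="/index.html"):
    """Start origin and proxy on loopback, send one request through the proxy,
    and return (body the client saw, recorded file names, recorded response)."""
    output_dir = Path(tempfile.mkdtemp(prefix="proxy-output-"))
    RecordingProxyHandler.output_dir = output_dir
    RecordingProxyHandler._counter = 0
    origin = HTTPServer(("127.0.0.1", 0), OriginHandler)
    proxy = HTTPServer(("127.0.0.1", 0), RecordingProxyHandler)
    for server in (origin, proxy):
        threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Talk to the proxy the way a browser does: absolute URL in the request line.
        client = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        client.request("GET", f"http://127.0.0.1:{origin.server_address[1]}{url_path}")
        body = client.getresponse().read()
        client.close()
    finally:
        for server in (proxy, origin):
            server.shutdown()
            server.server_close()
    names = sorted(p.name for p in output_dir.iterdir())
    return body, names, (output_dir / "0001.response").read_bytes()


if __name__ == "__main__":
    body, names, recorded = run_demo()
    print("client received:", body)
    print("recorded files:", names)
```

Because the proxy writes the raw body to disk, carving files out of responses (the convenience the post wishes Proxify had) becomes a matter of post-processing the NNNN.response files rather than something the proxy itself has to do.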

Lenny Zeltser

Name That Malware!


Think you know malware? I created a new fun quiz to see whether you can recognize the 10 malware specimens you should probably know by name. Test your knowledge and learn something along the way.

Take the 10-question Name That Malware! quiz.

If you like this approach to learning, here are two more quizzes I put together:

— Lenny Zeltser