Posts tagged malware analysis

Several Posts on Malware Analysis Tools

In the past weeks I published several posts describing malware analysis tools and approaches at other blogs:

  • Automating Static Malware Analysis With MASTIFF: MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. MASTIFF offers a useful way for performing triage on a large set of suspicious files. Extra: See my MASTIFF demo as part of the What’s New in REMnux v4 for Malware Analysis webcast.
  • Tools for Examining XOR Obfuscation for Malware Analysis: There are numerous ways of concealing sensitive data and code within malicious files and programs. Fortunately, attackers use one particular XOR-based technique very frequently, because it offers sufficient protection and is simple to implement. Here’s a look at several tools for deobfuscating XOR-encoded data during static malware analysis. Extra: Experiment with Thomas Chopitea’s unXOR tool.

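The single-byte XOR technique mentioned above can be undone without trying all 255 keys: if you know a fragment of plaintext that the file should contain (the DOS stub message of a PE file, or an "http://" prefix), the key at any offset is simply the encoded byte XORed with the first crib byte, and only offsets where that key decodes the whole crib survive. The following script is an added example written for this page, not code from any of the tools listed; the sample payload, the key 0x5A and the URL "c2.example" are constructed for the demonstration.

```python
import re

# Cribs: plaintext fragments that commonly appear in executables and in
# network-capable malware. Any crib that decodes cleanly under one key is
# strong evidence for that key.
CRIBS = [b"This program cannot be run in DOS mode", b"http://", b"https://"]


def xor_bytes(data, key):
    """XOR data with a repeating key (bytes); a one-byte key is the common case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_key(blob, crib):
    """Crib-drag for a one-byte key.

    At each offset the only key that could map blob[i] to crib[0] is
    blob[i] ^ crib[0]; keep the offsets where that key also turns the rest of
    the window into the crib. Key 0 is skipped because it is the identity.
    """
    matches = []
    for i in range(len(blob) - len(crib) + 1):
        key = blob[i] ^ crib[0]
        if key and xor_bytes(blob[i:i + len(crib)], bytes([key])) == crib:
            matches.append((key, i))
    return matches


def analyze(blob, cribs=CRIBS):
    """Map each candidate key to the (crib, offset) pairs that support it."""
    candidates = {}
    for crib in cribs:
        for key, offset in recover_single_byte_key(blob, crib):
            candidates.setdefault(key, []).append((crib.decode("ascii"), offset))
    return candidates


def printable_strings(data, min_len=6):
    """ASCII strings in data, the view 'strings' would give after decoding."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed sample (not a real specimen): a payload fragment XOR-encoded
# with the one-byte key 0x5A. The URL is a placeholder made up for the demo.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (
    b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 8
    + b"http://c2.example/beacon.php"
    + b"\x00" * 8
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))


if __name__ == "__main__":
    for key, evidence in analyze(SAMPLE_BLOB).items():
        print("candidate key 0x%02x supported by %s" % (key, evidence))
        for s in printable_strings(xor_bytes(SAMPLE_BLOB, bytes([key]))):
            print("   ", s)
```

Run it on a real suspicious blob by replacing SAMPLE_BLOB with the file's bytes; because the key is derived rather than guessed, the cost is proportional to the file size times the crib length, and several cribs agreeing on one key is a strong signal that the decoding is correct.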
Also, on my own blog I took a look at Cylance’s Accelerify tool for speeding up the lab system’s clock for malware analysis.

Lenny Zeltser

Speeding up the Clock for Malware Analysis With Accelerify

Sometimes malware doesn’t perform “interesting” actions until some time has passed, stretching out its activities over hours or days. This approach tricks some automated analysis tools and helps evade detection. Cylance’s free tool Accelerify helps analysts in such situations by accelerating the lab system’s clock.

Accelerify modifies the system’s time at the rate specified by the analyst. For instance, in the video attached to this article, I directed the tool to modify the clock every second, advancing it by 300 seconds. This had the effect of accelerating the time by the factor of 300.

The “-i” parameter sets the interval, in seconds, between adjusting the time. I used 1; the default is 10. The “-a” parameter specifies the number of seconds by which to advance the clock. I used 300; the default is 3600.

You can use Accelerify in conjunction with behavioral monitoring tools to explore situations where the specimen’s actions are triggered by the passage of time or by specific date and time values. In such scenarios, you could activate the monitoring tools, launch Accelerify, infect the laboratory system and see what develops.

Lenny Zeltser

Live and Recorded Malware Forensics Webcasts

In the field of IT in general and digital forensics in particular, you become obsolete the moment you stop learning. Here are several free webcasts related to reverse-engineering and malware analysis that will help you keep your skills up to date.

Upcoming live malware forensics webcasts:

Previously-recorded malware forensics webcasts:

Lenny Zeltser

New Release of REMnux Linux Distro for Malware Analysis

I’m pleased to announce the release of version 4 of the REMnux Linux distribution for reverse-engineering malicious software. The new version includes a variety of new malware analysis tools and updates the utilities that have already been present on the distro.

What’s new in REMnux v4? See the details below and register for a free webcast where I will showcase some of the key additions. You can download the latest release at REMnux.org.

What’s New in REMnux v4

REMnux is now available as an Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here’s how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.

Key updates to existing tools and components:

New tools added to REMnux:

Getting Started With REMnux

The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.

The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis. I also recorded a webcast to discuss What’s New in REMnux v4 for Malware Analysis and to demonstrate the new tools.

If you find REMnux useful, take a look at the reverse-engineering malware course that my colleagues and I teach at SANS. It makes use of REMnux and various other tools.

If you haven’t already, download the REMnux distro at REMnux.org.

For tips, issues and workarounds related to installing REMnux v4, see REMnux Version 4 Installation Notes.

Lenny Zeltser

Indicators of Compromise Entering the Mainstream Enterprise?

The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. A few years ago this concept, often called Indicators of Compromise (IOCs), was mostly discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.

Mandiant began popularizing the term IOC around 2007. Kris Kendall’s paper Practical Malware Analysis mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia’s Foreign Attacks on Corporate America slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary’s artifacts to define custom host-level signatures.

Now, several years later, the term IOC is pretty well-known in the infosec industry. More companies are adding malware and related analysis skills to incident response teams. As Jake Williams put it, such firms know how to examine new malware and extract IOCs. “These are then fed back into the system and scans are repeated until no new malware is found.” Automated analysis products from vendors such as Norman, Mandiant, FireEye and HB Gary are being increasingly positioned as IR triage-enablers.

That said, the knowledge and skills for deriving and using IOCs are far from being mainstream. Anton Chuvakin highlighted the distinction between security haves and have-nots along the lines of this capability. The haves know how to reverse-engineer malware to “extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems.”

IOC techniques haven’t entered the mainstream just yet. But we’re heading in that direction, as more people attain forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.

To learn how to define and make use of IOCs, take a look at:

Lenny Zeltser

Tips on Malware Analysis from Jake Williams

I had the pleasure of speaking with Jake Williams, my colleague at SANS Institute, about his perspective on various malware analysis and reverse-engineering topics. You can read the interview in three parts:

  • Part 1: Getting into digital forensics, crafting strong malware analysis reports and making use of the analyst’s findings
  • Part 2: Acting upon the malware analyst’s findings and the role of indicators of compromise (IOCs) in the incident response effort
  • Part 3: Various approaches to malware analysis, including behavioral, dynamic, static and memory forensics

Jake is highly experienced in this space and shared helpful insights in the interview above. Jake will be teaching FOR610: Reverse-Engineering Malware on several occasions at SANS this year.

Lenny Zeltser

Using Free Windows XP Mode as a VMware Virtual Machine

It’s becoming hard to obtain a licensed copy of Windows XP. Yet, many IT professionals, including malware analysts, like having Windows XP in their virtualized labs. After all, Windows XP is still running on numerous personal and business systems. Fortunately, you can download a virtualized instance of Windows XP from Microsoft for free if you are running Windows 7 Professional, Enterprise, or Ultimate on your base system.

Microsoft calls this virtualized instance of Windows XP “Windows XP Mode,” and distributes it in the Windows Virtual PC format. If you prefer to use VMware Workstation or VMware Player instead of Virtual PC, follow the instructions below.

Download Windows XP Mode from Microsoft. You’ll need to go through the Windows validation wizard to confirm you’re running a licensed copy of the appropriate version of Windows 7. You’ll have the option of downloading and installing Windows Virtual PC software, but you don’t need it if you’ll be using VMware.

Install the downloaded Windows XP Mode executable. The installation wizard will give you a chance to specify where the files are installed, placing them in “C:\Program Files\Windows XP Mode” by default. This folder will contain, among other files, the 1GB+ file “Windows XP Mode base.vhd” representing the hard drive of the Windows XP virtual machine.

Launch VMware Workstation or Player. Go to the File > Import Windows XP Mode VM menu.

VMware will launch the wizard that will automatically create the Windows XP VMware virtual machine using the Windows XP Mode files you installed in the previous step.

Using VMware Workstation or Player, power on the Windows XP Mode virtual machine that VMware created. Go through the Windows XP setup wizard the same way you would do it for a regular Windows XP system.

At this point, you should have a VMware virtual machine running Windows XP. It will be connected to the network using the VMware “NAT” mode, so if your base system has Internet access, so will the virtual machine.

There are two other ways of obtaining Windows virtual machines, both using Windows Virtual PC. In both cases, you can download Windows Virtual PC files and convert them into the VMware format by using VMware vCenter Converter or by using File > Import or Export… in VMware Workstation. You can download Windows XP, Vista and 7 virtual machines from Microsoft’s Internet Explorer Application Compatibility VPC Image page. You can also download Windows XP and Vista VMs from the NIST Federal Desktop Core Configuration FDCC page. You’ll need to supply valid Windows licenses to activate these OS instances; you may be able to use them for some time period in a limited manner without activation.

If this topic is interesting to you, take a look at my Reverse-Engineering Malware course.

Hand-picked related items:

Lenny Zeltser

Version 3 Release of REMnux Linux Distro is Now Available

I’m happy to announce the release of version 3 of the REMnux Linux distribution for reverse-engineering malware. This release incorporates many usability improvements, software updates and new tools to make the environment even more useful for analyzing malicious software.

REMnux is available as a VMware virtual appliance and as an ISO image of a Live CD. The easiest way to get started with and derive the most value from REMnux is to refer to the new REMnux Usage Tips cheat sheet.

Here’s what’s new in REMnux v3:

REMnux was rebuilt to be based on Ubuntu 11.10 to improve maintainability, while maintaining backwards compatibility wherever practical.

The desktop environment on REMnux has been migrated to use LXDE for improved usability, while maintaining the lightweight nature of the distribution.

The malware analysis tools available in the earlier version of REMnux have been upgraded to the latest stable versions to provide the latest features and improvements. The most significant updates include:

  • Volatility Framework 2.0 for memory forensics with the latest malware and timeliner modules
  • Origami Framework 1.2.3 for PDF analysis, including pdfcop, pdfextract, pdfwalker, pdfsh, etc.

REMnux includes several malware analysis tools that were not present in earlier versions of the distribution, including:

For more information about REMnux, including download instructions, please refer to the distribution’s official website. If you find REMnux useful, take a look at the reverse-engineering malware course I teach at SANS, which makes use of REMnux and various other tools.

A big thank you to the individuals who tested beta releases of REMnux v3. Thank you for lending your time and expertise to this project!

Lenny Zeltser

Extracting Malicious Flash Objects from PDFs Using SWF Mastah

PDF files designed for infecting computer systems can include a malicious Flash/SWF program that’s designed to aid in exploiting a vulnerability in Adobe Reader or Flash Player. In an earlier article I explained how to extract an SWF object from a PDF file using PDF Stream Dumper and pdf-parser. A new tool, SWF Mastah by Brandon Dixon, can assist with this process as well.

SWF Mastah makes use of Brandon’s PDF X-RAY framework and Jose Miguel Esparza’s Peepdf tool to handle complex PDF files even in situations where pdf-parser might fail at locating or extracting the SWF object. Here’s a quick example, which uses the malicious PDF file “The Obama Administration and the Middle East.pdf” that was documented on Contagio Malware Dump.

SWF Mastah (a.k.a. swf_mastah.py) can scan the PDF file, automatically locate a Flash object and extract it, all in one step:

The screen shots above show SWF Mastah running on the REMnux v3 distro, which I am planning to release shortly. For another example of SWF Mastah in action, see Brandon’s blog posting in which he introduced the tool to the world.

Lenny Zeltser

3 Free Tools to Fake DNS Responses for Malware Analysis

When analyzing malware using behavioral techniques, it’s often useful to intercept network connections in your lab. Since malicious software commonly uses hostnames when communicating with network resources, you can redirect such connections by defining the desired hostname to IP address mapping. Here are 3 free tools that can make it easy to accomplish this.

Rather than providing the malicious program the IP address of the actual host it’s trying to access, you can provide the IP address of an internal laboratory system. It’s possible to define this mapping in the “hosts” file on the infected laboratory computer. Alternatively, you can use a DNS server to provide falsified DNS responses to queries. If you don’t want to configure a full-blown DNS server, you can use specialized tools such as ApateDNS, FakeDNS and fakedns.py.

ApateDNS in Action on Windows

Mandiant recently released a Windows tool called ApateDNS, written by Steve Davis. ApateDNS’s DNS responses will specify the desired IP address of your choosing, regardless of which hostname is being resolved. The tool logs all DNS queries it processes.

To use ApateDNS, you’ll need to point your infected laboratory system to the host where ApateDNS is running. In most scenarios, though, you’ll probably run ApateDNS directly on the infected host. While the tool attempts to automatically configure your local system to use localhost as the DNS server while ApateDNS is running, this doesn’t always work; be prepared to manually modify your DNS settings for this purpose.

FakeDNS in Action on Windows

FakeDNS is a free Windows tool from Verisign’s iDefense group, which is part of the larger Malcode Analysis Pack distribution. Though the original Malcode Analysis Pack web page is no longer accessible, you can still download the executable’s installer file from the iDefense website.

Like ApateDNS, FakeDNS responds to all DNS queries with the specified IP address, logging the details of the received requests and transmitted responses.

fakedns.py in Action on Linux

Another option for falsifying DNS responses in a malware analysis lab is the fakedns.py script by Francisco Santos. It’s written in Python, and will run on most platforms as long as Python is installed on the system. A version of this script is included in the REMnux Linux distribution.

The fakedns.py script is a command-line tool. By default, it will respond to DNS queries with the IP address of the host where the script is running, but this behavior can be modified using a command-line option.
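To make concrete what all three tools do on the wire, here is an added example written for this page (not the code of ApateDNS, FakeDNS or fakedns.py): a minimal UDP responder that logs every query it receives and answers any A record lookup with one address chosen by the analyst, while returning an empty NOERROR reply for other record types. The hostname “c2.example” and the address 10.0.0.5 used in the self-test are constructed values.

```python
import logging
import socket
import struct
import sys

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("fakedns")

A_RECORD, IN_CLASS = 1, 1
RESPONSE_FLAGS = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0 (no error)


def encode_name(name):
    """'c2.example' -> b'\\x02c2\\x07example\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Read a label sequence starting at offset; returns (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # compression pointer (legal, rare in queries)
            pointer = ((length & 0x3F) << 8) | packet[offset]
            name, _ = decode_name(packet, pointer)  # a looping pointer raises RecursionError
            labels.append(name)
            offset += 1
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_question(packet):
    """Return (txid, qname, qtype, qclass, offset of the end of the question)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    name, offset = decode_name(packet, 12)  # question follows the 12-byte header
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, name, qtype, qclass, offset + 4


def build_query(name, txid=0x1234, qtype=A_RECORD):
    """Build a standard recursive query; used here to construct test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def build_response(query, fake_ip, ttl=60):
    """Answer any A/IN query with fake_ip; other types get an empty NOERROR reply."""
    txid, _name, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    if qtype != A_RECORD or qclass != IN_CLASS:
        return struct.pack("!HHHHHH", txid, RESPONSE_FLAGS, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, RESPONSE_FLAGS, 1, 1, 0, 0)
    # NAME is a pointer to offset 12 (the question name), then TYPE, CLASS, TTL, RDLENGTH.
    answer = struct.pack("!HHHIH", 0xC00C, A_RECORD, IN_CLASS, ttl, 4) + socket.inet_aton(fake_ip)
    return header + question + answer


def answer_ip(response):
    """Extract the IPv4 address from the first answer, or None if there is none."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, _, _, _, qend = parse_question(response)
    rdlength = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    return socket.inet_ntoa(response[qend + 12:qend + 12 + rdlength])


def serve(fake_ip, bind_addr="0.0.0.0", port=53):
    """Listen on UDP, log each query and answer it with fake_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    log.info("answering every A query with %s", fake_ip)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, name, qtype, _, _ = parse_question(data)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError, RecursionError):
            log.warning("malformed packet from %s", peer[0])
            continue
        log.info("%s asked for %s (qtype %d)", peer[0], name, qtype)
        sock.sendto(build_response(data, fake_ip), peer)


if __name__ == "__main__":
    # Usage: python fakedns_demo.py <IP to hand out>; binding port 53 needs privileges.
    serve(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
```

Point the infected lab system’s DNS setting at the host running this script and every name the specimen resolves lands on the address you chose, with the requested names recorded in the log; the log itself is the useful output, since the hostnames a specimen asks for are among the first indicators you will want to keep.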
To see how fake DNS servers can be used for malware analysis, take a look at my recorded Introduction to Malware Analysis webcast.

Hand-picked related posts:

Lenny Zeltser