IRMA - Hack In The Box Security Conference (conference.hitb.org/hitbsecconf2015ams/wp-content/...)
![Page 1: IRMA - Hack In The Box Security Conferenceconference.hitb.org/hitbsecconf2015ams/wp-content/... · 2017-10-15 · Incident Response & Malware Analysis Hack in the Box - Amsterdam](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f19d28e9f190449991bd093/html5/thumbnails/1.jpg)
IRMA
Incident Response & Malware Analysis
Hack in the Box - Amsterdam - 2015
Guillaume Dedrie - Alexandre Quint - Fernand Lone Sang
Agenda
1. Problematic
2. Internals and results
3. A community project
4. Workshop
5. Conclusion
Problematic
Is BestCatScreensaverEver.exe clean?
Solution #1 : scan it with your antivirus.
+ easy
+ quick (well… often)
- all the security based on one vendor
Good but not enough
Problematic
Is BestCatScreensaverEver.exe clean?
Solution #2 : send it to a website for scanning
+ many sites freely available: virustotal.com, avcaesar.malware.lu, metascan.com
+ many antivirus supported
- one file at a time
- files are sent on the Internet
- scan settings are unknown
Good but not enough
Problematic
Is BestCatScreensaverEver.exe clean?
Solution #3 : Open the file #YOLO
+ opportunity to test your backup/restore procedures
No comment
New threats → New tools
Companies and public CERTs share the same analysis:
Using a single antivirus is not enough, but antivirus cannot be avoided.
Antivirus products are one source of information among others in the incident response process.
To handle all these sources and gather the most information, a modular, scalable tool which can rely on a community of users/contributors is needed.
Joint initiative
IRMA
Incident Response & Malware Analysis
• Private file analysis platform
• Open source (Apache V2 license)
• Customisable
Key features
• Private platform: no data ever leaves your network
• Analyze files, and not only with antivirus (24 analyzers available)
• Several files simultaneously analyzed
• Open source (code hosted on GitHub)
• Customizable (API, plugins)
Analysis modules
Antivirus: Avast, AVG, Avira, BitDefender, ClamAV, Comodo, Dr.Web, Emsisoft, eScan, ESET NOD32, F-PROT, F-Secure, GData, Kaspersky, McAfee (two entries), Sophos (two entries), Symantec, VirusBlokAda, Zoner
External: VirusTotal
Database: NSRL
Metadata: PEiD, YARA, PE static analysis
Other usage examples
• Web API
• Any client can access it
• New usages!
Other usage examples
• Cleaning kiosk for USB keys
• Filter for mail attachments
A few figures
• Project started in November 2013.
• 3 Quarkslab engineers.
• 1 Orange intern for 6 months.
Total: 680 days at the end of 2014 (3 man-years).
Global architecture
Adding analysers
• Each analysis module is a plugin.
• Separated in two parts:
- Interface, specific to IRMA
- The processing part, which analyses the file. It is independent from IRMA and can be reused in another project.
• Plugins are automatically discovered when a probe is started.
Customizing the results
• Each analysis result can be independently filtered.
• Plugins are dynamically discovered when the frontend is started.
• Results are kept in raw form in the database.
Demo
Building a community
Creating an open source project is good.
If the project has users, it is better.
If it has contributors, it is even better.
Need for a simple, deterministic installation system.
Installation v1.0
ETA: Unknown
Installation v1.1.0
ETA: 5 minutes
Installation v1.1.0
Installing Ansible :
$ sudo pip install ansible
Installing Vagrant :
https://www.vagrantup.com/downloads.html
Installing IRMA:
$ git clone https://github.com/quarkslab/irma-ansible
$ cd irma-ansible
$ ansible-galaxy install -r ansible-requirements.yml
$ vagrant up
The birth of a community
2 contributors, 3 new probes:
• YARA
• GDATA for Windows
• AVIRA for Windows
HITB challenge:
• Outlook submitter (scan all attachments)
• ICAP probe
Workshop agenda
• PROBE - Create your own probe
• PROBE - Integrate it in IRMA
• FRONTEND - Add a formatter to customize its output
• FRONTEND - API 101
Probe skeleton
Parts of the skeleton directory (annotated in the slide figure):
• python module
• IRMA plugin code
• dependencies
Probe Creation – Balbuzard probe
Author: Philippe Lagadec
Homepage: http://www.decalage.info/python/balbuzard
Balbuzard - malware analysis tools to extract patterns of interest and crack obfuscation such as XOR
Balbuzard 101
>> from balbuzard.balbuzard import patterns, Balbuzard
>> Bal = Balbuzard(patterns=patterns)
>> data = open("./attachment1.exe").read()
>> list(Bal.scan(data))
[(<balbuzard.balbuzard.Pattern at 0x7fd37cda23d0>, [(0, 'MZ'), (15320, 'MZ')]),
 (<balbuzard.balbuzard.Pattern at 0x7fd37cda2410>, [(232, 'PE'), (9541, 'PE'), (50172, 'PE'), (78332, 'PE')]),
 […],
 (<balbuzard.balbuzard.Pattern at 0x7fd37cda2710>, [(27129, 'Pop')])]
Balbuzard probe – connect to VM
Credentials: vagrant/vagrant
VM address: ?
SSH time:
$ ssh vagrant@vm_address -i vagrant_insecure_private_key
vagrant@brain:~$
Balbuzard probe – level 0
Create directory
• Copy Skeleton directory
$ sudo su deploy
$ cd /opt/irma/irma-probe/current/modules/metadata
$ git clone https://github.com/quarkslab/irma-probe-tutorial balbuzard_analyzer
$ cd balbuzard_analyzer
$ git checkout origin/balbuzard-level0
Balbuzard probe – level 1
Update metadata
• Rename every Skeleton occurrence to Balbuzard
• Update the plugin metadata
$ git diff origin/balbuzard-level1
$ git checkout -f origin/balbuzard-level1
Balbuzard probe – level 2
Handle dependencies
• declare module dependencies
The import the plugin relies on:
>> from balbuzard.balbuzard import patterns, Balbuzard
Declared in the plugin code:
_plugin_dependencies_ = [
    ModuleDependency(
        'balbuzard',
        help='See requirements.txt for needed dependencies'
    ),
]
And pinned in requirements.txt:
balbuzard>=0.19
$ git diff origin/balbuzard-level2
$ git checkout -f origin/balbuzard-level2
Balbuzard probe – level 3
Output results
• use analysis module to output interesting results
Reminder, the Balbuzard 101 session:
>> Bal = Balbuzard(patterns=patterns)
>> data = open("./attachment1.exe").read()
>> list(Bal.scan(data))
The same calls inside the plugin (slide excerpt; the parts marked […] are not shown on the slide):
def __init__(self):
    module = sys.modules['balbuzard.balbuzard']
    patterns = module.patterns
    self.Analyzer = module.Balbuzard(patterns=patterns)

def run(self, paths):
    […]
    try:
        started = timestamp(datetime.utcnow())
        with open(paths, "rb") as f:
            data = f.read()
        res = list(self.Analyzer.scan(data))
        response.results = res
        # the except clause of this try block is not shown on the slide
$ git diff origin/balbuzard-level3
$ git checkout -f origin/balbuzard-level3
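The two-part split the slides describe (an IRMA-independent processing part plus an IRMA-specific interface whose run() reports name, type, duration, error and results the way tools.run_module prints them), as an added, self-contained example that is not the tutorial's or IRMA's own code. scan_patterns is a hypothetical stand-in for Balbuzard, BalbuzardLikePlugin and the exact result-dict layout are assumptions, and the sample file is constructed inline.

```python
import os
import re
import tempfile
import time

# --- Processing part: knows nothing about IRMA and can be reused elsewhere ---
# Hypothetical stand-in for Balbuzard: a few byte patterns, returned in the
# same shape as Balbuzard.scan(), a list of (pattern, [(offset, match), ...]).
PATTERNS = {
    "MZ header": re.compile(rb"MZ"),
    "PE header": re.compile(rb"PE\x00\x00"),
    "URL": re.compile(rb"https?://[\x21-\x7e]+"),
}


def scan_patterns(data, patterns=PATTERNS):
    """Return [(name, [(offset, match), ...]), ...] for every pattern that hits."""
    results = []
    for name, regex in patterns.items():
        hits = [(m.start(), m.group(0).decode("latin-1")) for m in regex.finditer(data)]
        if hits:
            results.append((name, hits))
    return results


# --- Interface part: the IRMA-specific wrapper (assumed contract) ------------
class BalbuzardLikePlugin:
    """Mimics what the probe reports: name, type, version, duration, error, results."""

    _plugin_name_ = "Balbuzard"   # value shown as 'name' by tools.run_module
    _plugin_type_ = "metadata"    # probe category the slides put Balbuzard in
    _plugin_version_ = None

    def __init__(self):
        # bind the processing part once, like module.Balbuzard(patterns=patterns)
        self.analyzer = scan_patterns

    def run(self, path):
        """Analyse one file; failures land in 'error' and never escape to the worker."""
        response = {
            "name": self._plugin_name_,
            "type": self._plugin_type_,
            "version": self._plugin_version_,
            "duration": None,
            "error": None,
            "results": None,
        }
        started = time.monotonic()
        try:
            with open(path, "rb") as f:
                data = f.read()
            response["results"] = self.analyzer(data)
        except Exception as exc:  # report, do not raise: the other probes keep running
            response["error"] = "%s: %s" % (type(exc).__name__, exc)
        response["duration"] = time.monotonic() - started
        return response


# Constructed sample: a fake PE-like blob with an MZ stub, a PE signature and
# an embedded URL at known offsets (0, 64 and 84).
SAMPLE = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
          + b"http://example.invalid/update.bin" + b"\x00" * 8)


def run_on_sample():
    """Write SAMPLE to a temporary file and run the plugin on it."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE)
        return BalbuzardLikePlugin().run(path)
    finally:
        os.unlink(path)


def run_on_missing():
    """Run the plugin on a path that does not exist to exercise the error path."""
    return BalbuzardLikePlugin().run(os.path.join(tempfile.mkdtemp(), "missing.bin"))


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_on_sample())
    pprint(run_on_missing())
```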
Test it
vagrant@brain:~$ sudo su irma
irma@brain:~$ cd /opt/irma/irma-probe/current
irma@brain:~$ venv/bin/python -m tools.run_module
irma@brain:~$ venv/bin/python -m tools.run_module Balbuzard /bin/ls
[…]
{'duration': 0.03014206886291504,
 'error': None,
 'name': 'Balbuzard',
 […]
 'type': 'metadata',
 'version': None}
Use it
vagrant@brain:~$ sudo supervisorctl restart probe_app
probe_app: stopped
probe_app: started
vagrant@brain:~$ sudo supervisorctl tail probe_app
[…]
WARNING:probe.tasks: *** [metadata] Plugin Balbuzard successfully loaded
Job done!
Formatter files
![Page 71: IRMA - Hack In The Box Security Conferenceconference.hitb.org/hitbsecconf2015ams/wp-content/... · 2017-10-15 · Incident Response & Malware Analysis Hack in the Box - Amsterdam](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f19d28e9f190449991bd093/html5/thumbnails/71.jpg)
Balbuzard probe – level 0 71
Empty formatter
• Create empty formatter directory
• Apply only current formatter to balbuzard probe
$ sudo su deploy
$ cd /opt/irma/irma-frontend/current/frontend/helpers/formatters
$ git clone https://github.com/quarkslab/irma-formatter-tutorial balbuzard
$ cd balbuzard
$ git checkout origin/balbuzard-level0
Test it 72
vagrant@brain:~$ sudo supervisorctl restart frontend_api
frontend_api: stopped
frontend_api: started
Balbuzard probe – level 1 73
First shot
• return something
$ git diff origin/balbuzard-level1
$ git checkout -f origin/balbuzard-level1
Balbuzard probe – level 2 74
Exception handling
• catch exceptions in format()
$ git diff origin/balbuzard-level2
$ git checkout -f origin/balbuzard-level2
Balbuzard probe – level 3 75
Pretty output
• iterate through the result items to pretty-print them
$ git diff origin/balbuzard-level3
$ git checkout -f origin/balbuzard-level3
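The three formatter levels above (return something, catch exceptions in format(), iterate through the result items to pretty-print them) collapsed into one stand-alone class, as an added example that is not the workshop repository's code or IRMA's own formatter interface: the class and method names, the shape of the raw probe result (a status code plus a list of pattern/offset/match items) and the sample data are assumptions chosen to illustrate the steps.

```python
"""Added example, not IRMA project code: a Balbuzard-style formatter that
never lets a malformed probe result take down the frontend API worker."""


class BalbuzardFormatter(object):
    # Assumed: name under which the probe reports its results to the brain.
    plugin_name = "Balbuzard"

    @classmethod
    def format(cls, raw):
        """Level 1 + level 2: always return a dict, and turn any exception
        raised while formatting into an 'error' field instead of a crash."""
        try:
            return cls._format(raw)
        except Exception as exc:  # noqa: BLE001 - a formatter must not crash the API
            return {
                "type": "metadata",
                "status": -1,
                "error": "%s: %s" % (type(exc).__name__, exc),
                "results": None,
            }

    @classmethod
    def _format(cls, raw):
        # Assumed convention: status 0 means the probe ran, < 0 means the
        # probe itself failed and 'error' carries its message.
        status = raw["status"]
        if status < 0:
            return {"type": "metadata", "status": status,
                    "error": raw.get("error"), "results": None}
        # Level 3: one human-readable line per matched pattern.
        lines = []
        for item in raw["results"]:
            lines.append("%-20s @ 0x%08x: %s"
                         % (item["pattern"], item["offset"], item["match"]))
        return {
            "type": "metadata",
            "status": status,
            "error": None,
            "results": "\n".join(lines) if lines else "No pattern found",
        }


# Constructed sample of what a raw probe result could look like (not captured
# from a real Balbuzard run): two pattern hits inside a scanned file.
SAMPLE_RAW = {
    "status": 0,
    "results": [
        {"pattern": "IP address", "offset": 0x1234, "match": "192.0.2.10"},
        {"pattern": "URL", "offset": 0x20F0, "match": "http://example.invalid/x"},
    ],
}


def demo():
    """Return the formatted output for the constructed sample."""
    return BalbuzardFormatter.format(SAMPLE_RAW)


if __name__ == "__main__":
    print(demo()["results"])
```

Restarting frontend_api after each level, as the slides do, is what reloads the formatter; the try/except in format() is the level 2 change that matters in production, since a single probe returning an unexpected field would otherwise surface as a 500 for every scan result that includes it.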
Use it 76
vagrant@brain:~$ sudo supervisorctl restart frontend_api
frontend_api: stopped
frontend_api: started
Goal 77
• PROBE - Create your own probe
• PROBE - Integrate it in IRMA
• FRONTEND - Add a formatter to customize its output
• FRONTEND - API 101
Swagger documentation 78
visit http://<vm_address>/swagger
Swagger documentation 79
Agenda
1. Problematic
2. Internals and results
3. A community project
4. Workshop
5. Conclusion
Modular solution to face malware infections
• File analysis framework.
• Private, customisable.
• Central brick for incident response.
• Various usages.
81
Contact
https://github.com/quarkslab/irma
@qb_irma
#qb_irma@freenode
http://irma.quarkslab.com - [email protected]
[email protected] | @quarkslab