Workshop on Setting up Malware Lab


Upload: charles-lim

Post on 06-May-2015


Category:

Technology



DESCRIPTION

This slide is presented during the Academy CSIRT 2 in ITS Surab

TRANSCRIPT

Page 1: Workshop on Setting up Malware Lab

Malware Lab Setup Workshop

25 May 2011, Academy CERT, Institut Teknologi Sepuluh Nopember, Surabaya, Indonesia

Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI

Dipl-inf. Randy Anthony, S.Kom, CEH

Michael

William Ang

Page 2: Workshop on Setting up Malware Lab

Agenda

Background

The Search for Malware Samples

SGU Malware Research & Malware Lab

Honeypot – Randy Anthony

Dionaea – Michael & William Ang

Malware Sample Results

The call for Indonesia Honeynet

Dionaea – Setting up (step-by-step)

Questions & Answers

Swiss German University, Malware Lab Setup Workshop

Page 3: Workshop on Setting up Malware Lab

Background

It all began with …

Students want to learn about analyzing malware using data mining techniques

We contacted Thorsten Holz (U of Mannheim), he gave us their malware samples

But we need Indonesian (local) samples

We invited Aat Shadewa (virologi.info) to share his experience

He had several local samples that we can use to analyze

But, we need more samples …

Page 4: Workshop on Setting up Malware Lab

The search for malware samples

After discussing with several experts, the best ways to collect malware are the following:

User submitting malware (e.g., http://virustotal.com, http://anubis.iseclab.org)

Collect from public sites (Copy Center, Warnet, People's Flash Disk)

Purchase email accounts on several ISPs and begin to get malware from SPAM email, etc.

Catch your own malware using honeypot (more about this later)

Page 5: Workshop on Setting up Malware Lab

SGU Malware Lab

We began with our goals:

To be able to obtain malware samples

To be able to analyze malware using static analysis

To be able to analyze malware using behavior analysis

Our Research focuses on using Data Mining techniques to classify Local Malware.

The results have been published in IEEE International Conference in December 2010.

Page 6: Workshop on Setting up Malware Lab

SGU Malware Lab

Our Methodology (diagram): Malware Capture, then Static Analysis and Dynamic Analysis, then Reporting

Page 7: Workshop on Setting up Malware Lab

SGU Malware Lab

Our Methodology (in detail) (diagram)

Page 8: Workshop on Setting up Malware Lab

SGU Malware Lab

We began with the Room Blueprint (figure)

Page 9: Workshop on Setting up Malware Lab

SGU Malware Lab

We simulate using 3D images of the room (figure)

Page 10: Workshop on Setting up Malware Lab

SGU Malware Lab (photo)

Page 11: Workshop on Setting up Malware Lab

SGU Malware Lab

We design the isolated network (figure)

Page 12: Workshop on Setting up Malware Lab

SGU Malware Lab

Our Hardware Specification:

Processor: Dual Core 2.5 GHz

RAM: 2GB DDRII

Hard Disk: 160GB

The tools used for analysis:

Debugger: OllyDBG

Packer Detector: PEiD

Monitoring tools (registry, network, process): Regshot, Wireshark, Process Monitor

Page 13: Workshop on Setting up Malware Lab

SGU Malware Research Publications

Firdausi I., Lim C., Erwin A., Nugroho A. S., “Analysis of Machine learning Techniques Used in Behavior-Based Malware Detection,” 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.

Simanjuntak D. A., Ipung H. P., Lim C., Nugroho A. S., “Text Classification Techniques Used to Facilitate Cyber Terrorism Investigation,” 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.

Christian R., Lim C., Nugroho A. S., Kisworo M., “Integrating Dynamic Analysis Using Clustering Techniques for local Malware in Indonesia,” 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.

Endy, Lim C., Eng K.I., Nugroho A.S., “Implementation of Intelligent Searching Using Self-Organizing Map for Webmining Used in Document Containing Information in Relation to Cyber Terrorism,” 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, Jakarta, 2 December 2010.

Page 14: Workshop on Setting up Malware Lab

SGU Current Research

Indonesia Malware Profiling

Forensic Research on Remnant Data

Cloud Security

Page 15: Workshop on Setting up Malware Lab

Agenda (same as Page 2)

Page 16: Workshop on Setting up Malware Lab

Honeypot

Page 17: Workshop on Setting up Malware Lab

Why Using Honeypot in Malware Analysis Lab

Used to capture Autonomous Spreading Malware / Worm.

We as a CERT (Computer Emergency Response Team) must find a way to stop the spreading and the counter measure.

Late response on Worm infection can cause massive damage.

Example: Conficker Worm (2008 – 2009) caused around 9.1 Billion USD / 78 trillion Rupiah

Page 18: Workshop on Setting up Malware Lab

Introduction to Honeypot

“Is a decoy that is used to lure malware or attacker (hacker).”

“It is a computer that has no production value, so if it is compromised or destroyed it should not affect the activities of the companies.”

Page 19: Workshop on Setting up Malware Lab

Honeypot Based on Interaction

Two kinds of honeypot:

Low Interaction Honeypot

High Interaction Honeypot

Page 20: Workshop on Setting up Malware Lab

Low Interaction Honeypot

Do not implement actual services

Disguise as a real system

Good for finding known attack and expected behavior

Usually automated

Lower cost needed

Example: Nepenthes, Amun, Dionaea

Page 21: Workshop on Setting up Malware Lab

High Interaction Honeypot

It is a “real” system usually with different configuration than the real system.

Riskier than Low-Interactivity due to “Allow all” configuration

Difficult to maintain and manually configure

Higher cost needed

Example: Physical HIH, Virtual HIH

Page 22: Workshop on Setting up Malware Lab

Table of Comparison

                         Low-interaction       High-interaction

Degree of interaction    Low                   High

Real operating system    No                    Yes

Risk                     Low                   High

Knowledge gain           Connection/Request    Everything

Can be conquered         No                    Yes

Maintenance time         Low                   High

Page 23: Workshop on Setting up Malware Lab

Choosing Honeypot

Must know the purpose:

Detecting attacker?

Risk Identification?

Risk Mitigation & Analysis?

Identifying new threats?

Research?

Page 24: Workshop on Setting up Malware Lab

SWISS GERMAN UNIVERSITY HONEYPOT 2010 - NEPENTHES

Page 25: Workshop on Setting up Malware Lab

Nepenthes

Low interaction Honeypot

Resource needed: Low

New Vulnerabilities: No

New Exploits: Yes

Maintenance Time: Low

Risk: Low

Installed on VMWare: Windows -> Ubuntu -> Nepenthes

Page 26: Workshop on Setting up Malware Lab

SGU Honeynet Physical Design (figure)

Page 27: Workshop on Setting up Malware Lab

SGU Honeynet Logical Design (figure)

Page 28: Workshop on Setting up Malware Lab

Malware Captured (3.06.10 – 24.07.10)

427 Malwares and 111 Unique Malwares

Page 29: Workshop on Setting up Malware Lab

Dynamic Analysis Using AVG

Type and Name (the Total column is garbled in the transcript and omitted):

Trojan Horse: Backdoor Rbot.IN; Generic15.EHT; Generic17.ASMD; Generic2_c.AGV; IRC/Backdoor SdBot2.HHB; IRC/Backdoor SdBot2.KWD; IRC/Backdoor SdBot2.RJW; SpamTool.EZW

Virus: BackDoor.Rbot

Win32 Virus: Heur; Virut; Virut.AA

Worm: Allaple.A; Allaple.B; Allaple.C; Allaple.D; Allaple.E; Allaple.L

Unknown: Unknown

Page 30: Workshop on Setting up Malware Lab

Dynamic Analysis Using Kaspersky

Type          Name          Total

Backdoor      FlyAgent.k    1

Backdoor      Nepoe.mk      11

Backdoor      Nepoe.tv      1

Backdoor      Rbot.adqd     7

Backdoor      Rbot.advj     1

Backdoor      Rbot.aftu     21

Backdoor      Rbot.bni      44

Backdoor      Rbot.bqj      6

Net-Worm      Allaple.b     39

Net-Worm      Allaple.d     22

Net-Worm      Allaple.e     17

Trojan-PSW    Kukudva.ad    1

Trojan        Agent.ayuc    1

Trojan        VB.ahzy       1

Virus         Virut.av      33

Unknown       Unknown       5

Page 31: Workshop on Setting up Malware Lab

Agenda (same as Page 2)

Page 32: Workshop on Setting up Malware Lab

Dionaea

Page 33: Workshop on Setting up Malware Lab

Dionaea

Dionaea is Nepenthes predecessor.

Dionaea is low interaction honeypot.

Dionaea has many new functions, such as using libemu, support TLS and IPv6.

Dionaea uses Python as scripting language.

Page 34: Workshop on Setting up Malware Lab

How Dionaea works

Dionaea works like Nepenthes.

Dionaea's intention is to trap malware exposed by services offered by a network.

In order to minimize the possibility of bugs, dionaea can drop privileges and chroot.

Dionaea uses SMB protocol as the main protocol.

Page 35: Workshop on Setting up Malware Lab

How Dionaea Works (Cont.)

Dionaea uses SMB protocol as the main protocol.

Dionaea uses libemu to detect and evaluate the payload.

Once dionaea gained the location of the file the attacker wants it to download from the shellcode, dionaea will try to download the file.

Page 36: Workshop on Setting up Malware Lab

Malwares collected in a day (bar chart; x-axis: 12/5/2011, 13/5/2011, 14/5/2011, 18/5/2011, 19/5/2011, 20/5/2011; y-axis: 0 to 70; bar labels as extracted: 64, 62, 1, 56, 53, 10)

Page 37: Workshop on Setting up Malware Lab

Attack in a week (List every one hour) (bar chart; x-axis: hours 0 to 24; y-axis: 0 to 1600)

Page 38: Workshop on Setting up Malware Lab

Agenda (same as Page 2)

Page 39: Workshop on Setting up Malware Lab

Malware Map in Indonesia (figure)

Page 40: Workshop on Setting up Malware Lab

Future Malware Map in Indonesia (figure)

Indonesia Honeynet

Malware Repository

Page 41: Workshop on Setting up Malware Lab

The call for Indonesia Honeynet

Malware collected from all universities in Indonesia

All malware samples sent to IDSIRTII for Malware repository

Lots of research can be performed on these malware samples

Page 42: Workshop on Setting up Malware Lab

Agenda (same as Page 2)

Page 43: Workshop on Setting up Malware Lab

Lab Time

Setup Dionaea (step-by-step)

Page 44: Workshop on Setting up Malware Lab

Setup Information

Requirement:

Ubuntu 9.10 or 10.10

Honeypot (Dionaea)

Internet Connection (IP Public)

Software download from:

Page 45: Workshop on Setting up Malware Lab

Questions & Answers