zen and the art of collecting and analyzing malware

Download Zen and the art of collecting and analyzing malware

Post on 06-May-2015

547 views

Category:

Technology

3 download

Embed Size (px)

TRANSCRIPT

  • 1.Zen and the art of collecting and analyzing malwareCanSecWest/core06 Zen and the art of collecting and analyzing malwareSascha Rommelfangen, Fred Arbogast

2. Zen and the art of collecting and analyzing malwareOutline Introduction Setup to collect malware Statistics Analysis Live Demo Future development early warning/reacting system approaches interactive malware database Conclusion2 3. Zen and the art of collecting and analyzing malwareDefinition of malwareUmbrella term for malicious softwareNot to be confused with defective softwareDesigned to infiltrate, damage, control or abuse computersystems without owners consentLegal vocabulary: computer contaminantAlso used: scumwareWorms, virii, root kits, spyware, adware Outline Introduction Setup to collect malware- Slide 3 -3 4. Zen and the art of collecting and analyzing malwareThe tools usedmwcollect by Georg Wicherski (http://www.mwcollect.org)Nepenthes by nepenthes team (http://nepenthes.sourceforge.net)Focus on nepenthes as mwcollect has merged withnepenthesJoint effort will result in a more powerful toolOutline Introduction Setup to collect malware - Slide 4 -4 5. Zen and the art of collecting and analyzing malwareThings both tools have in commonLow interaction honeypotspassivecatching autonomously spreading malwareRunning in non-native environmentssimulating network services mwcollect: vulnerable built-in services nepenthes: additionally pre-infected servicesacting upon exploitation attempts Downloading malwareBoth tools are Free and Open Source software Outline Introduction Setup to collect malware- Slide 5 -5 6. Zen and the art of collecting and analyzing malwareTools - nepenthesEmulates native and non-native vulnerabilitiesModular Know a new exploit, add it as a moduleSupport for geolocation informationSupport for submitting malware and additional information Other instances of nepenthes (distributed installation) XML-RPC Outline Introduction Setup to collect malware- Slide 6 -6 7. Zen and the art of collecting and analyzing malwareVulnerabilitiesnative vulnerabilities: 3rd party vulnerabilities: RPC-DCOM Kuang2 (17300) (135, 139, 445, 593) Mydoom (3127) LSASS (445) Bagle (2745) WINS (42) sasser_ftp (5554, 1023) MSSQL (1434) Sub7 (27374) ASN.1 library in IIS, SMB (80 and 445) IIS (443) NetDDE (139) Message queueing (2103, 2105, 2107) UPNP (5000)Outline Introduction Setup to collect malware - Slide 7 -7 8. Zen and the art of collecting and analyzing malwareNepenthes information flow - modules/handlers IP info DNS handler Geolookup-handlerSubmit-handlersSocketsubmit-fileVulnerability modulesubmit-nepenthes shellcode-handlersubmit-xmlrpc submit-normanDownload-handler download-http download-ftp download-tftp Outline Introduction Setup to collect malware- Slide 8 -8 9. Zen and the art of collecting and analyzing malwareCategories of modules/handlers (1)Vulnerability module Different modules for simulating the vulnerabilitiesShellcode-handler Per shellcode one module Common Shellcode Naming InitiativeOutline Introduction Setup to collect malware - Slide 9 -9 10. Zen and the art of collecting and analyzing malwareNepenthes information flow[28032006 16:36:25 spam net handler] Socket TCP (accept) 212.30.152.173:2478 -> 212.110.251.73:139 clearingDialogueList (2 entries)[28032006 16:36:25 warn module] Unknown NETDDE exploit 72 bytes State 1[28032006 16:36:25 module] =--------[ /var/log/nepenthes/hexdumps/3ebe8b34fd5d14e4f450c599b26ed6df.bin ]---------= IP infoDNS lookupGeolocationSubmitSocket raw filevulnerability nepenthes shellcode normanxmlrpcDownloadcurl, ftp, ...Outline Introduction Setup to collect malware- Slide 10 -10 11. Zen and the art of collecting and analyzing malwareNepenthes information flow [28032006 16:36:25 debug dia] Got ASN1 SMB exploit Stage #1(137) [28032006 16:36:25 debug net handler] giving data to SMBDialogue IP infoDNS lookupGeolocation Submit Socket raw file vulnerability nepenthesshellcode norman xmlrpc Download curl, ftp, ... Outline Introduction Setup to collect malware - Slide 11 -11 12. Zen and the art of collecting and analyzing malwareCategories of modules/handlers (2)Geolocation-handler (some alternatives) Resolves IP address to location informationDNS-handler Delivers resolved domain nameDownload-handler Downloads through curl Provides http and ftp protocol Download ftp Needed as curl is not the same than the messy M$ client Netcat is doing the jobOutline Introduction Setup to collect malware- Slide 12 -12 13. Zen and the art of collecting and analyzing malwareCategories of modules/handlers (3)Download-handler contd Download tftpSupport for tftp protocolMax filesize 4MBCan not handle DNS for the moment Download nepenthesListens for file transfers from other nepenthes agentsPort can be set in the config filetransfer is simple and bandwidth optimised Outline Introduction Setup to collect malware - Slide 13 -13 14. Zen and the art of collecting and analyzing malwareNepenthes information flowIP info DNS lookup GeolocationSubmit Socketraw filevulnerability nepenthes shellcode normanxmlrpc [28032006 16:36:31 debug spam fixme] [28032006 16:36:31 debug spam fixme] Adding 808f4c8 212.120.228.59 80f7620 to geolookupDownloadcurl, ftp, ...Outline Introduction Setup to collect malware- Slide 14 -14 15. Zen and the art of collecting and analyzing malwareNepenthes information flow [28032006 16:36:31 spam net handler] [28032006 16:36:31 spam mgr event] [28032006 16:36:31 spam net handler] doRecv() 1460 [28032006 16:36:31 info down handler dia] Downloaded file tftp://212.120.228.59/service.exe 229376 bytes [28032006 16:36:31 spam mgr submit] Download has flags 0 [28032006 16:36:31 info mgr submit] File dd3e4c7c94614a059263a219ff1b1339 has type MS-DOS executable (EXE), OS/2 or MS WindowsIP info DNS lookup GeolocationSubmitSocketraw filevulnerabilitynepenthes shellcodenorman xmlrpcDownloadcurl, ftp, ...Outline Introduction Setup to collect malware- Slide 15 - 15 16. Zen and the art of collecting and analyzing malwareCategories of modules/handlers (4)Submit-handlers Submit-fileDumps to a file on HDD submit-nepenthesSubmits information to a central serverCurrently receiving from Telecom Italia Early Warning Team Submit-normanSubmits file to norman sandbox Submit XML-RPCSubmits information to applications outside nepenthesOutline Introduction Setup to collect malware- Slide 16 -16 17. Zen and the art of collecting and analyzing malwareNepenthes information flow [28032006 16:36:31 debug handler submit] wrote file /var/log/nepenthes/binaries/dd3e4c7c94614a059263a219ff1b1339 229376 to disk IP infoDNS lookupGeolocation Submit Socket raw filevulnerabilitynepenthes shellcodenorman xmlrpc Download curl, ftp, ... Outline Introduction Setup to collect malware - Slide 17 -17 18. Zen and the art of collecting and analyzing malwareNepenthes information flow [28032006 16:36:31 spam down mgr] SENDING POST /nepenthes/server.php HTTP/1.0 Host: localhost Accept: */* Accept-Encoding: deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Connection: close Content-Length: 392 IP info init_session ..... lookupDNSGeolocation SubmitSocketraw filevulnerabilitynepenthes shellcodenorman xmlrpcDownloadcurl, ftp, ... Outline Introduction Setup to collect malware - Slide 18 -18 19. Zen and the art of collecting and analyzing malwareNepenthes information flow [28032006 16:36:31 debug spam fixme] [28032006 16:36:31 debug spam fixme] IP info DNS lookup Geolocation SubmitSocketraw filevulnerabilitynepenthes shellcodenorman xmlrpcDownloadcurl, ftp, ...Outline Introduction Setup to collect malware- Slide 19 - 19 20. Zen and the art of collecting and analyzing malwareAdditional information collectedExtension to nepenthes - stored in database Platform information (p0f-sql)P0f hack to submit information into DB 4 AV product results from local machineExtendableSignatures hourly updated 24 AV results from VirusTotal (added later) 2 sandbox resultsSubmitted to http://sandbox.norman.noSubmitted to our own POC sandbox (added later)Outline Introduction Setup to collect malware- Slide 20 -20 21. Zen and the art of collecting and analyzing malwareFull information set collectedVarious static analysis file, upx, hexdump, strings, objdumpNumber of hitsFirst/last seenNumber/names of recognized viriiSandbox resultsHex-dump of file (browseable)IP/URL from where fetchedSystemLatitude, Longitude, Country, City Outline Introduction Setup to collect malware - Slide 21 -21 22. Zen and the art of collecting and analyzing malwareSetup to collect malware flow DownloadNepenthesrequest NormanXMLRPC GeoIP File storage sandboxCSRRT scriptlookupsandbox Virus scan p0fDatabasePeriodicsubmissionsWeb UnixExternal Apps VirusTotalapplication tools (e.g. Malwaredatabase)Intro Setup to collect malware Statistics - Slide 22 - 22 23. Zen and the art of collecting and analyzing malwareSetup to collect malware flow DownloadNepenthesrequest NormanXMLRPC GeoIP File storage sandboxCSRRT scriptlookupsandbox Virus scan p0fDatabasePeriodicsubmissionsWeb UnixExternal Apps VirusTotalapplication tools (e.g. Malwaredatabase)Intro Setup to collect malware Statistics - Slide 23 - 23 24. Zen and the art of collecting and analyzing malwareSetup to collect malware flow DownloadNepenthesrequest NormanXMLRPC GeoIP File storage sandboxCSRRT scriptlookupsandbox Virus scan p0fDatabasePeriodicsubmissionsWeb UnixExternal Apps VirusTotalapplication tools (e.g. Malwaredatabase)Intro Setup to collect malware Statistics - Slide 24 - 24 25. Zen and the art of collecting and analyzing malwareSetup to collect malware flow DownloadNepenthesrequest NormanXMLRPC GeoIP File storage sandboxCSRRT scriptlookupsandbox Virus scan p0fDatabasePeriodicsubmissionsWeb UnixExternal Apps VirusTotalapplication tools (e.g. Malwaredatabase)Intro Setup to collect malware Statistics - Slide 25 - 25 26. Zen and the art of collecting and a

Recommended

View more >