Malware Analysis Part 2: First Attempt

Please read part 1 first if you would like to know how the analysis lab is setup.

There are various sites you can use to download sample malicious software. The one i used is called openmalware.org. I wasn’t completely sure which sample to choose. I wanted one which was recent so i decided to get a a sample called “BC.Heuristic.Trojan.SusPacked.BF-6.A” I’m not going to link to it for obvious reasons but the MD5 hash of the sample is 0148d6e7f75480b3353f1416328b5135. This can be used as a search term on the open malware site to find sample i used in this analysis attempt.

Once i downloaded the file i took a snapshot of the registry and files on the machine using Regshot. I then ran the file, took another snapshot and compared the two. The restults shows that multiple files and folders were created when it executed.

Files added: 3
----------------------------------
C:\Program Files\Windos\logg.dat
C:\Program Files\Windos\Windos.exe
C:\WINDOWS\Prefetch\MALWARE.EXE-155B9235.pf
----------------------------------
Files [attributes?] modified: 3
----------------------------------
C:\Documents and Settings\james\NTUSER.DAT.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
----------------------------------
Folders added: 1
----------------------------------
C:\Program Files\Windos
----------------------------------

I also noticed that the Debian server has received a flood of DNS requests from the malware infected machine.

Untitled-1

So the malware is attempting to fetch its IP for its server and i assume either download additional stuff or send some data to the server.

Because of this DNS request the next step i figured was to put my DNS server to good use and respond to the request with one of my own IP’s to see what it did next. So i opened the /etc/hosts file and added a new entry pointing se7aaaaa.no-##.### (redacted) to my debian server 192.168.56.101. I then started Wireshark on the malware infested machine and reset the DNS daemon.

Untitled-2

This part i’m not 100% sure on. But what i can gather from this is that it is trying to start a TCP connection with my Debian server on the port 81 which is the TOR port. although it doesn’t necessarily mean its trying to connect in any way to the TOR network. Obviously whatever its trying to do the server isn’t responding appropriately (or not at all) and therefore the connection isn’t fully made. The next step i made was to set a netcat listener on the port and see what is being sent. To do this i entered the following command:

nc -l -p 81

-l specifies a listener and -p the port i want to listen on.

Untitled-1As you can see what i received is unintelligible.

In my next posting i will continue the analysis of this file. Once i figured out where to go from here 🙂

Malware Analysis Part 1: Lab Setup

At this stage I know very little about the Malware analysis process. I recently purchased a book on the subject called “Practical Malware Analysis” by Michael Sikorski and Andrew Honig. My aim is to read through the book and practice the techniques taught on real examples of malicious code. Updating this blog as i progress.

The first step, which I will detail today is the setup of my virtual lab. For the hardware I have used my old gaming computer. Its not very good at running games anymore but perfect for the malware analysis. I have it installed with Debian Linux distribution and have also installed VirtualBox.

There are pros and cons for using virtualisation for malware analysis. The pros include the ability to create snapshots of the working environment and having the ability to create virtual networks. Which i will explain later. One downside i have read about is some malware will behave differently if it discovers its being run in a virtualised environment. With the sole purpose of preventing it being analysed.

So in my setup i am using VirtualBox to create the virtual machines. I am using a Windows XP Professional machine. Loaded with any tools which i may need. Along with a Debian machine used as a DNS / Mail / IRC / ETC server. Some malware will attempt to communicate in some way with something on the internet. Weather it be through IRC, a simple DNS request or through mail protocol. Having a virtual Debian machine with these services installed it allows me to receive the requests and see in more detail what they are doing.

Screenshot

As you can see from the screenshot. I have created clones of both the virtual machines. This allows me to easily start afresh without having to reinstall all the tools again. Both the machines are in Host only mode and connected to a virtual network called vboxnet0. This prevents the malware escaping from the virtual machine and propagating throughout my network. I am also extremely paranoid and will unplug my network cable from the computer when performing the analysis.

The only software i will install on Debian to start with is a DNS server. This will allow me to redirect any DNS queries the malware may make to a computer of my choice (Mine). I decided to use Dnsmasq for this purpose as its very simple to setup.

I simply installed Dnsmasq with the command:

apt-get install dnamasq

And edited the /etc/dnsmasq.conf file to to only allow queries on a specific interface. In my case eth0

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth0

and to allow for logging of dns requests:

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries

I also added into the /etc/hosts file a test record pointing the domain james.com to IP address 66.66.66.66.

1

Next i’m going to setup Windows XP to use my virtual Debian machine as a DNS server. I’m not going to explain how i did this. If your reading this you probably know already. I tested the configuration with nslookup.

2

As you can see the DNS server responded with the test ip of 66.66.66.66.

I can monitor the DNS requests being made to the server by using the command:

tail -f /var/log/syslog

This should turn out useful when running the malware.

3

Now I’m going to detail some of the software I have installed on the target machine. At this stage I haven’t even attempted to look at any malware so I am likely missing some necessary tools. Once the malware is on the machine it won’t have access to the internet. Because of this I have tried to plan ahead and install everything I suspect I will need. There’s a high chance I will miss something having never done this before.

Regshot
This tool allows you to take a snapshot of your machine in two different states and then compare them. For example, you may make a snapshot before and after you have run some malware. Comparing the two snapshots will allow you to see the changes the malware has made to the system. It records new files / folders and registry changes.

Process Explorer
This is basically task manager in steroids. It allows you to see the processes that are running

Wireshark
This allows you to monitor network traffic In this case in particular, traffic created by the malware.

Process Monitor
Allows you to see events which happen when a program is run. For example changes, modifications and execution of files.

CaptureBAT
Allows you to monitor files and network activity

OllyDebug
I have never used this software before. From general reading, it allows you to run a program through it and watch how it interacts with the underlying system. It allows you to see the instructions it executes in the form of assembly language and also the data it stores.

Notepad++
A more powerful version of Windows notepad.

Strings
Part of the SysInternals suite. It allows you to scan a file for strings (sequence of readable characters)

Once I installed the software above I saved the virtual machine and cloned it. This lets me work on the cloned version when analysing the malware and reverting back to the original clean machine if I need to start again.

True Random Number Generator using the Raspberry Pi

Last weekend i made my Raspberry Pi into a true random number generator using the static from a TV. Here in the UK we no longer receive analog terrestrial broadcasting so finding static on my TV is as simple as putting it on the analogue channel.

The setup i was using is an eSecure – USB 8MP webcam plugged into the Raspberry Pi and i pointed this at the TV. I used a python script to calculate the random numbers. I also made a video of the process which can be found at this link here.

The first step was to take a picture of the static on the TV. To do this i used the subprocess module in python.

captureImage = subprocess.Popen(["fswebcam", "-r", "356x292", "-d", "/dev/video0", "static.jpg", "--skip", "10"], stdout=devNull, stderr=devNull)
captureImage.communicate()

As you can see this simple spawns the fswebcam process to take a picture and save it as static.jpg These pictures look like the following:

static1 static2

The next stage is to convert these images into a black/white image. I imported the Python image library into my script to manipulate and read the image files.

staticImage = Image.open("static.jpg")
bW_Image = staticImage.convert('1')

bw1bw2

The next stage was to iterate over the static image and read the value of each pixel. Each value being either 0 or 255 depending on if the pixel was white or black. The value was entered into a variable called randomBits with 0 for a white pixel and 1 for a black pixel.

while pixelRow < staticImage.size[0]:
    while pixelColumn < staticImage.size[1]:
        if imageToProcess[pixelRow, pixelColumn] == 0:
            randomBits = randomBits + "0"
        else:
            randomBits = randomBits + "1"
        pixelColumn = pixelColumn + 1
    pixelRow = pixelRow + 1
    pixelColumn = 0

This randomBits variable is then written to an output files as a base 10 number. This means that the long binary string is converted to a decimal value and written to the output file. This decimal number is the random value calculated from the image.

output = open('output.txt', 'w')
    output.write(str(int(randomBits, 2)))
    print int(randomBits, 2)
    output.close()

The full source code can be copied from the box below.

import Image
import subprocess
devNull = open('/dev/null', 'w')#used to output the fswebcam stdout and stderr
name = 0
while True:
    name = name + 1
    randomBits = ""
    pixelRow = 0
    pixelColumn = 0
    captureImage = subprocess.Popen(["fswebcam", "-r", "356x292", "-d", "/dev/video0", "static.jpg", "--skip", "10"], stdout=devNull, stderr=devNull)
    captureImage.communicate()#executes the command detailed above with takes a picture using the webcam
    staticImage = Image.open("static.jpg")#Opens the image
    bW_Image = staticImage.convert('1')#Converts the image to a black or white image
    imageToProcess = bW_Image.load()#Saves the image to a variable that can be iterated through
    while pixelRow < staticImage.size[0]:#Iterates through the image pixel by pixel
        while pixelColumn < staticImage.size[1]:
            if imageToProcess[pixelRow, pixelColumn] == 0:
                randomBits = randomBits + "0"#Adds a 0 to the randomBits variable if the current pixel is white
            else:
                randomBits = randomBits + "1"#Adds a 1 to the randomBits variable if the current pixel is black
            pixelColumn = pixelColumn + 1
        pixelRow = pixelRow + 1
        pixelColumn = 0
    output = open('output.txt', 'w')
    output.write(str(int(randomBits, 2)))#Writes the randomBits Variable to the output file converted to a decimal number
    print int(randomBits, 2)#Also prints this decimal number to the terminal
    output.close()

Packet Sniffing using the Raspberry Pi

In this post i intend to detail how i setup the raspberry pi to perform packet sniffing between two network devices. I made a YouTube video in which i explain how it works and below you will find both the shell script and python script i used to setup the bridge and dump the packets respectively.

The network was setup like this:

diagram showing the network layout. from right to left. computer, raspberry pi, laptop

The raspberry pi is placed in the middle and any data traveling between each device is captured by it. A second USB to Ethernet adapter is used to provide the second interface. The adapter i used is a USB to Fast Ethernet 10100 Mbps Network LAN Adapter Vista Linux 27723.

When the Raspberry pi starts it loads two scripts. The first is this shell script below:

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr bridge0
brctl addif bridge0 eth0
brctl addif bridge0 eth1
dhclient bridge0
ifconfig bridge0 up

This script removed the IP address from eth0 and eth1. It then creates a bridge called bridge0. Adds the interfaces to bridge0 and starts the bridge.

##Edit## The shell script now also assigns a network address to the bridge interface to allow for network connectivity. (dhclient bridge0)

The second script that starts after the one above is this python script below. It implements the Python Dropbox Uploader package which can be downloaded here.

import subprocess
from dbupload import upload_file #Used for Dropbox uploading
from datetime import datetime # Used the genreate the filename
count = 0 #Counts the number of files that have been dumped
while True:
    count = count + 1
    fileName = str(datetime.now().day) + "-" + str(datetime.now().month) + "-" + str(datetime.now().year) + " AT " + str(datetime.now().hour) + "-" + str(datetime.now().minute)
    tcpDumpProcess = subprocess.Popen(["tcpdump", "-Z", "root", "-w", fileName, "-i", "bridge0", "-G", "60", "-W", "1"]) #Sets up the TCPDump command
    tcpDumpProcess.communicate() #Runs the TCPDump command
    print "Currently dumping file number " + str(count) + "."
    upload_file(fileName,"/",fileName, "YOUR_EMAIL","YOUR_PASSWORD") #Uploads the dump file to dropbox
    print "File uploaded Successfully"

This can obviously be done without using python and running the TCPDump command from command line. My intention was to integrate Dropbox uploading to the process but failed due to the inability to gain an internet connection from the raspberry pi when configured with a software bridge.
An internet connection can be configured on the Raspberry Pi simply by adding network settings to the bridge interface. in my case i used DHCP to automatically do this by adding dhclient bridge0 to the shell script.

With both these files saves onto the raspberry pi and executed from the rc.local file at startup it will allow the raspberry pi to automatically capture network traffic between two devices.