
May 19, 2010

Running viruses for fun and profit

That's the title of a presentation I put together about the network logging sandbox I made for school last fall. It, like the Shannon entropy project I wrote this semester for cryptography class, was the result of being asked: "Go do something interesting and write about it for 40% of your grade." So I decided to work on reproducible run-time malware analysis. It was fun. I had a presentation in class, a handout to go with it, and a paper. The paper I am not feeling like revising for public consumption yet, but the presentation and the handout are ready. The core part of the sandbox, minibis, just had a new version released, here at cert.at, which I haven't had a chance to try out yet.

Check out the presentation here.

The handout is reproduced and slightly edited below. It's just a description and a list of tools, but since I bothered to clean up the HTML to make it presentable, I might as well add it.

Automated Malware Analysis tools and papers.
CSCI 4621 Presentation 11/24/2009

So, basically, to set this up, I had a Linux machine (Ubuntu on a netbook), installed VirtualBox, installed an XP image into it, then set up the minibis client and server programs. Made a minibis FTP account and turned on an FTP daemon. Went into VirtualBox, put the client program on it, started it, took a snapshot. Started the minibis server program with some binaries, and went to go get some more coffee. Looked at procmon logs when it was done.

To add the network, I used a host-only network, so that it shows up as a Linux device and can be very easily sniffed. I also set up a second IP on the host-only network to run INetSim on. INetSim was easy to set up, so I just set the DNS server to always point to the host. INetSim creates nice, detailed logs. Packet sniffers weren't as useful as I initially thought - I expected more programs to call home. Static analysis comes later.
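The last step of the run above, reading the procmon logs, as an added example of my own (not part of minibis or the original handout): a small Python summariser over a Procmon CSV export that follows the sample and every process it spawns and groups what they wrote, set and connected to. The column names match Procmon's "Save as CSV" output; the rows, the sample name and the 192.168.56.1 host-only address are constructed.

```python
"""Summarise a Procmon CSV export into the behaviours a sandbox run should
report: files written, registry values set, child processes and network
endpoints. Added example, not minibis code; the CSV below is constructed
to look like Procmon's CSV export (column names are Procmon's, rows are not)."""
import csv
import io
from collections import defaultdict

# Constructed sample: one dropper writing a copy of itself, adding a Run key,
# starting the copy, which then talks to the INetSim host on 192.168.56.1.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","sample.exe","1234","Process Start","","SUCCESS","Parent PID: 900"
"10:01:02.0100","sample.exe","1234","WriteFile","C:\\WINDOWS\\system32\\svchost32.exe","SUCCESS","Offset: 0, Length: 40,960"
"10:01:02.0200","sample.exe","1234","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc32","SUCCESS","Type: REG_SZ, Data: C:\\WINDOWS\\system32\\svchost32.exe"
"10:01:02.0300","sample.exe","1234","Process Create","C:\\WINDOWS\\system32\\svchost32.exe","SUCCESS","PID: 1300, Command line: svchost32.exe"
"10:01:03.0000","svchost32.exe","1300","UDP Send","sandbox-xp:1025 -> 192.168.56.1:53","SUCCESS","Length: 48"
"10:01:03.0500","svchost32.exe","1300","TCP Connect","sandbox-xp:1026 -> 192.168.56.1:80","SUCCESS","Length: 0"
"10:01:03.0600","explorer.exe","800","ReadFile","C:\\Documents and Settings\\user\\Desktop\\notes.txt","SUCCESS","Offset: 0, Length: 512"
"""

def summarize(csv_text, sample="sample.exe"):
    """Track the sample's PID plus every PID it creates, and bucket the
    interesting operations of those processes; everything else is noise."""
    tracked = set()
    summary = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, pid = row["Operation"], row["PID"]
        if op == "Process Start" and row["Process Name"] == sample:
            tracked.add(pid)
        if pid not in tracked:
            continue  # unrelated activity, e.g. explorer.exe
        if op == "Process Create":
            # Procmon's Detail for a create reads "PID: <n>, Command line: ..."
            child = row["Detail"].split("PID:")[1].split(",")[0].strip()
            tracked.add(child)
            summary["children"].add(row["Path"])
        elif op == "WriteFile":
            summary["files_written"].add(row["Path"])
        elif op == "RegSetValue":
            summary["registry_set"].add(row["Path"])
        elif op in ("TCP Connect", "UDP Send"):
            # Path is "src:port -> dst:port"; keep only the destination
            summary["network"].add(row["Path"].split("-> ")[1])
    return {category: sorted(items) for category, items in summary.items()}

if __name__ == "__main__":
    for category, items in summarize(SAMPLE_CSV).items():
        print(category, *items, sep="\n  ")
```

With INetSim answering every DNS query with the host's address, the destination column is always the INetSim IP, so the port is what tells you which service the sample wanted.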

Tools for the virus-runner I built:
CERT.at: Mass Malware Analysis: A Do-It-Yourself Kit http://cert.at/downloads/papers/mass_malware_analysis_en.html
Sun's VirtualBox http://www.virtualbox.org/
Sysinternals Toolkit - for procmon and many other useful things http://www.sysinternals.com/
INetSim: Internet Services Simulation Suite. http://www.inetsim.org/about.html

Other reference material about virus runners:
Building an Automated Behavioral Malware Analysis Environment using Open Source Software http://www.giac.org/certified_professionals/practicals/grem/48.php
Truman - The Reusable Unknown Malware Analysis Net http://www.secureworks.com/research/tools/truman.html

Web based analysis services:
Anubis - service for analyzing malware http://anubis.iseclab.org/
Norman Sandbox http://www.norman.com/security_center/security_tools/en
VirusTotal - runs samples against a pile of antivirus tools http://www.virustotal.com/

General reference:
MSDN - for all you ever need to know about the Windows API. http://www.msdn.com
Internet Storm Center http://isc.sans.org/
Offensive Computing is a nice sample source as well as being useful. http://www.offensivecomputing.net/

More tools:
HT Editor - small terminal-based disassembler, for unix, can handle PE files, I use it to check out binaries if they happen to be unpacked. http://hte.sourceforge.net/
Memoryze - memory dump analyzer. Really nifty. http://www.mandiant.com/software/memoryze.htm

candice at May 19, 2010 10:57 PM
