
Malware Forensics, Sandbox and Investigation Techniques for Network Engineers

Joseph Muniz – Architect / Researcher @SecureBlogger www.thesecurityblogger.com

BRKSEC-2498

Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How:
1 Find this session in the Cisco Events Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKSEC-2498 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Network Engineer Focused

Topics: Assembly + Programming | System Operations | Malware Behavior | Debugging Files | Security Tools | Incident Response


Download The CTR Comic

https://tinyurl.com/ycwt2moz

https://tinyurl.com/y6uurzuu

Joseph Muniz

Security Architect – Americas Sales Organization

Security Researcher – www.thesecurityblogger.com

Speaker: Cisco Live / DEFCON / RSA / (ISC)2

Avid futbol (soccer, for USA people) player and musician

Twitter @SecureBlogger

Agenda

• Industry Concepts
• Malware – Know Thy Enemy
• Investigating Malware
• Gearing Up
• Understanding Malware Behavior
• Basic Analysis
• Static Analysis
• Dynamic Analysis
• Continue Your Journey

Industry Concepts – "Why Study Malware????"

Why Understand The Attacker and Malware?

• Tune your tools
• Adjust your security strategies
• Improve your incident response
• Find the binary = How to detect malware and contain damage

Common weakest link is breach detection!

SOC Common Services

• Risk Management
• Vulnerability Management
• Compliance
• Incident Response
• Analysis
• Situational and Security Awareness
• Research and Development
• Digital Forensics

Great reference for PSIRT / CSIRT = https://www.first.org/

Common Vulnerabilities and Exposures (CVE)

Vulnerability Type: Apache vulnerability
Threat Description: Three vulnerabilities in the Apache Struts 2 package
Existing Controls: Firewalled and monitored by IPS
Probability: Unlikely (not web facing)
Impact: Critical

http://cve.mitre.org/about/faqs.html

Malware

Joey's Shoes 2.0

Malware – Know Thy Enemy

Malware: Software programs designed to damage or do other unwanted actions on a system

Downloaders and Launchers

• Downloads other malware
• Typically used for initial compromise of target

Adware

• Malware that presents unwanted advertising to the user
• Often included with free software and browser toolbars

Backdoors

• Allows attacker to connect to compromised system and take control
• RATs, reverse shell, Meterpreter, Trojan, etc.

Rootkits

• Designed to conceal the existence of other malware
• Often rootkits hide backdoors

Botnet

• Network of remote-controlled private computers with backdoors, controlled by a command and control server
• Often send SPAM and perform distributed denial-of-service attacks

Ransomware / Scareware

• Scares victim into purchasing something or paying a ransom
• Scareware = blackmail | Ransomware = encrypted data

Worm

• Malware that replicates itself to spread to other systems
• Uses network, P2P networks, email or direct exploitation of target

Virus

• Malware that replicates itself into other applications, files or even the boot sector
• Can harm computers, steal data or perform other nefarious actions

Spam Sending Malware

• Sends spam from compromised system
• Common part of botnet, which could also perform DDoS

Keyloggers / Data Stealing Malware

• Malware designed to capture specific data
• Keystrokes, credit card numbers, bank accounts, other personal data

Results From Various Samples

• New files may be created and/or existing files may be modified
• May move or copy to a known location such as the Windows system folder
• Malware here can run with user permissions
• May not produce , but rather a DLL or batch script
• May delete temporary files that it had created
• Likely to create registry entries (may control network adapters)
• May create unique identifiers that are benign in themselves but useful for detecting malware families
• May disable security such as the Windows Firewall
• May call out to a malicious source

Investigating Malware

Tips for Malware Research

• Don't get caught up in details
• Different tools are good for different jobs
• If one tool or approach fails, try another
• There is no "one approach"
• Don't dwell too long on one issue

Know Your End Goal

• Determine something is bad = Stop and remove
• Tip: Do quick static analysis first!!!
• Understand who is impacted = hash and scan
• Prevent future attack = Identify exploited vulnerability
• Stop the attack = Develop legal case (if possible, likely a pipedream)

Forensics must be done right from the start!!!!!

Malware Analysis Approach

• 1: Review existing data from security tools (i.e. indicators)
• 2: Static analysis using quick tools (AV, Cloud Sandbox, Malware Lists)
• 3: Static analysis of
• 4: Dynamic analysis – Run in a sandbox and monitor changes it makes
• 5: Deep analysis – Disassemble and debug

Gearing Up

Shopping List

Virtualization – Clonezilla, dd, FOG, PXE Booting
Disassembler / Debugger – IDA Pro, x64dbg / x32dbg, peframe
Packet Capture – Wireshark, tcpdump, Netcat
Scanning Tools – Antivirus, database of malware
Honeypot – Learn malware behavior
Sandbox – Cuckoo
Memory Forensics – Scylla dump, Volatility
Runtime Tools – Process Explorer, RegShot, FakeDNS
File Detectors – Detect It Easy, PEiD, TrIDNET

Clonezilla

Real malware analysis means bare metal testing

Virtualization – VMware and Docker

Kali – Create Samples

Open source penetration testing arsenal with many great forensics tools

Download: www.kali.org

Metasploit can create samples for testing too (e.g. a malicious PDF)

Sample Sources

• ANY.RUN: Registration required
• CAPE Sandbox
• Contagio Malware Dump: Password required
• Das Malwerk
• Eicar: https://www.eicar.org/?page_id=3950
• FreeTrojanBotnet: Registration required
• Hybrid Analysis: Registration required
• KernelMode.info: Registration required
• MalShare: Registration required
• Malware.lu's AVCaesar: Registration required
• Objective-See Collection: Mac malware
• PacketTotal: Malware inside downloadable PCAP files
• SNDBOX: Registration required
• theZoo aka Malware DB
• URLhaus: Links to live sites hosting malware
• VirusBay: Registration required
• VirusShare
• Virusign
• VirusSign: Registration required

T-Pot – Honeypot

• Honeypot platform based on established honeypots and IDS/IPS technology
• Learn malware and attack behavior
• Collect samples
• Detect internal attacks (inside network deployment)

Honeypot Deployments

Cloud – External samples
Inside Network – Internal attacks

Honeypots Collect Samples – T-Pot

• Must use Debian now
• AWS free tier wasn't enough power
• Google Cloud offers $300 US, giving you a few months for free
• Best practice is locking down access to GUIs to your own IP, but you don't have to
• Malware samples downloaded at /data/dionaea/binaries

How to install T-Pot on AWS or Google Cloud: http://www.thesecurityblogger.com/installing-t-pot-honeypot-on-aws-and-google-cloud-in-2019/

Sandbox – Dynamic Analysis

• Let malware run and learn behavior
• All process and file changes logged
• All files downloaded, created and deleted recorded
• Memory dumps of malware process
• Network traffic via PCAP dumps

Sandboxes: Cuckoo | Zero Wine | Sandboxie | Buster Sandbox

Scanning Tools and Online Sandboxes

• https://www.joesandbox.com/
• Virus Total - https://www.virustotal.com/gui/home
• YaraRules – https://yararules.com
• https://sandbox.anlyz.io/dashboard
• https://app.any.run/
• https://valkyrie.comodo.com/
• https://www.hybrid-analysis.com/
• https://analyze.intezer.com/#/
• https://www.secondwrite.com/
• https://vicheck.ca/
• http://jevereg.amnpardaz.com/
• http://cloud.iobit.com/

TrIDNET, PEiD and Detect It Easy

Windows Sandbox Tools

Regshot – registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one

Procmon – Process Monitor shows real-time file system, registry and process/thread activity

INetSim – Simulate common internet services

Interactive Disassembler Professional (IDA Pro)

• Perform static analysis
• Old version free!

Also install the Cisco Talos FIRST plugin: https://talosintelligence.com/first

NSA's Free Disassembler – Ghidra

https://www.nsa.gov/resources/everyone/ghidra/

REMnux – The Kali Linux of Malware Research

Free Linux toolkit for reverse engineering and analyzing malware. Docker images for the tools are also available.

https://remnux.org/

• Examine browser malware
• Analyze malicious document files
• Extract and decode suspicious artifacts
• Handle laboratory network interactions
• Review multiple malware samples
• Examine properties and contents of suspicious files
• Investigate Linux and Windows malware
• Perform memory forensics

Investigating Online Attackers

• Warning: This could be illegal and put your system at risk!
• Use an anonymity tool such as Tor or an online proxy / web-based anonymizer
  • Note: if an attacker sees this, it shows you are hiding and can tip them off
• Use a tunnel
• Use a cell connection
• Use a cloud service as proxy point

Note: Clicking search results will still activate links associated with the site

Understanding Malware Behavior

What File Type … .exe?

Changed icon: use a tool like TrIDNET to identify the file. This is a binary.

Magic Number of File

• File types have magic numbers
• http://asecuritysite.com/forensics/magic

Example: GIF = 47 49 46 38, i.e. the ASCII text "GIF8", which will always be at the start of the file

Wireshark display filter: http contains "\x47\x49\x46\x38" or http contains "GIF8"
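As an added example (not from the deck), the following Python identifies a file by its leading bytes rather than by extension or icon, flags an extension/content mismatch such as a PE renamed to .pdf, and builds the Wireshark display-filter form shown above from any signature; the file contents are constructed samples.

```python
import os

# Leading byte sequences ("magic numbers") of common file types.  The GIF
# signature is the ASCII text "GIF8" (47 49 46 38), followed by "7a" or "9a".
MAGIC_SIGNATURES = (
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"GIF8", "GIF image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file"),
)

# What a given extension claims to be; a disagreement with the detected
# type is the "changed icon / wrong extension" trick from the slide.
EXPECTED_BY_EXTENSION = {
    ".exe": "Windows PE executable", ".dll": "Windows PE executable",
    ".gif": "GIF image", ".png": "PNG image",
    ".jpg": "JPEG image", ".jpeg": "JPEG image",
    ".pdf": "PDF document",
    ".zip": "ZIP archive", ".docx": "ZIP archive", ".xlsx": "ZIP archive",
    ".doc": "OLE2 compound file", ".xls": "OLE2 compound file",
}


def identify_by_magic(data: bytes):
    """Return the type whose signature starts the data, else None."""
    for signature, name in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return name
    return None


def check_file(filename: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type in the bytes."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_BY_EXTENSION.get(ext)
    detected = identify_by_magic(data)
    return {
        "file": filename,
        "expected": expected,
        "detected": detected,
        # Only a mismatch when both sides are known and disagree.
        "mismatch": expected is not None and detected is not None
        and expected != detected,
    }


def display_filter(signature: bytes, protocol: str = "http") -> str:
    """Build a Wireshark display filter in the slide's form, e.g.
    http contains "\\x47\\x49\\x46\\x38" for the GIF header."""
    escaped = "".join(f"\\x{b:02x}" for b in signature)
    return f'{protocol} contains "{escaped}"'


# Constructed sample contents (not real malware): a PE header disguised as
# a PDF, a genuine GIF header, and a file with no magic number at all.
SAMPLE_FILES = {
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "notes.txt": b"plain text has no magic number",
}

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        result = check_file(name, content)
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{name}: claims {result['expected']}, "
              f"contains {result['detected']} -> {flag}")
    print(display_filter(b"GIF8"))
```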

Obfuscated Guts

• Most malware hides its internals (example: packing)
• Goal = make binary and textual data unreadable or hard to understand
• Examples:
  • Exclusive or operation (XOR) – Swapping characters via a pattern
  • Base64 encoding
  • ROT13 – Rotate or substitute letters
  • Runtime packer – Entire malware program is obfuscated (until malware is in memory)

Maintaining Malware Is a Full-time Job

Coder Team: 3 group members, 6AM-8PM GMT, Mo-Fr* (Su)
Packer Team: 9 group members, ~10AM-10:30PM GMT, Mo-Sa* (Su)

Developing and maintaining malware and a malicious infrastructure is a full-time job!

Packing Malware 101

Original file: PE Header | .text | .data, .rsrc, .rdata, etc.
Packed file: Header (often changed) | Packed Section(s) – malware code (doesn't change often) | Decompression Stub

Understanding Code Analysis

Write Program (Source Code): use a language like Python, C or Ruby

    int c;
    printf("Hello World\n");
    exit(0);

Compiler → CPU Machine Code → Disassembler → Review Low-Level Language via disassembler (The Malware Analyst)

    55          push ebp
    8B EC       mov ebp, esp
    83 EC 40    sub esp, 0x40

Note: Different compilers give different results

• Stub – small portion of code that contains the decryption / decompression agent used to decrypt the packed file
• During the packing process, the original entry point is relocated / obfuscated in the packed section. Makes identifying the import address table (IAT) and entry point difficult
• Commercial packers: UPX, Themida, The Enigma Protector, VMProtect, Obsidium, ExeStealth, but could also be custom packing
• If you can identify the tool, you can use that tool to unpack it!

Malicious Packed Code

• Indicator 1: Packed and obfuscated code will at least include functions like LoadLibrary and GetProcAddress, which are used to load and gain access to additional functions. This is a giveaway that it's malware
• Indicator 2: Packer signature detected
• Indicator 3: Abnormal entry point / section (example: .test section in PE)
• Indicator 4: Section or memory with write/read/execute (WRE) permissions – Obvious one since compilers don't do that, for security reasons
• Indicator 5: Large difference between physical size and run size of program
• Indicator 6: Data size is too large (likely contains an executable)
• Indicator 7: Too few import functions
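Added example, not from the deck: a minimal pure-Python reader of the PE section table that checks indicators 3, 4 and 5 above (entry point outside .text, writable+executable sections, virtual size far larger than raw size on disk) plus non-standard section names, with no pefile dependency. Both PE images are constructed header-only samples; the packed one uses UPX-style section names.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a normal compiler/linker emits; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".pdata", ".tls", ".debug", ".CRT"}


def parse_pe(pe: bytes) -> dict:
    """Read the entry point RVA and the section table from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                           # optional header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i         # 40-byte section headers
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "chars": chars})
    return {"entry_rva": entry_rva, "sections": sections}


def packer_indicators(pe: bytes) -> list:
    """Return one string per packing indicator found (empty list = clean)."""
    info = parse_pe(pe)
    hits, entry_section = [], None
    for s in info["sections"]:
        end = s["vaddr"] + max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= info["entry_rva"] < end:
            entry_section = s["name"]
        if s["name"] not in STANDARD_SECTIONS:
            hits.append(f"{s['name']}: non-standard section name")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"{s['name']}: writable and executable")
        if s["vsize"] > 2 * s["rawsize"]:     # inflated at run time
            hits.append(f"{s['name']}: virtual size {s['vsize']:#x} "
                        f"far exceeds raw size {s['rawsize']:#x}")
    if entry_section is None:
        hits.append(f"entry point {info['entry_rva']:#x} outside every section")
    elif entry_section != ".text":
        hits.append(f"entry point {info['entry_rva']:#x} in section {entry_section}")
    return hits


def build_pe(sections, entry_rva: int) -> bytes:
    """Construct a header-only PE32 image for testing (no real code).
    sections: iterable of (name, vsize, vaddr, rawsize, characteristics)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, 0x400, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples.  CLEAN_PE looks like ordinary compiler output;
# PACKED_PE has a huge empty writable+executable section the stub inflates
# into, a small section holding stub plus packed data, and the entry point
# inside that stub section.
CLEAN_PE = build_pe([
    (b".text", 0x1000, 0x1000, 0x1000,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x400, 0x2000, 0x400,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_rva=0x1010)

PACKED_PE = build_pe([
    (b"UPX0", 0x20000, 0x1000, 0,
     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    (b"UPX1", 0x3000, 0x21000, 0x2800,
     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    (b".rsrc", 0x200, 0x24000, 0x200,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
], entry_rva=0x21500)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, packer_indicators(image) or ["no indicators"])
```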

Detecting Packers

Common packers:
• UPX
• PECompact
• ASPack
• Petite
• WinUnpack
• Themida

File identification tools can sometimes detect commercial packers – PEiD or Detect It Easy

Portable Executable (PE) Header Summary

• Format used by Windows executables, object code and DLLs
• PE begins with a header that includes: info about code | type of application | required library functions | space requirements
• Imports: functions from other libraries used by the malware
• Exports: functions in the malware meant to be called by other programs or libraries
• Time date stamp: time when the program was compiled
• Sections: names of sections in the file and their sizes on disk and in memory
• Command line or GUI program?
• Resources: strings, icons, menus, and other information included in the file

Basic Analysis

Basic Analysis Overview

• Don't execute code (dynamic analysis) or dig into disassembly
• Obtain quick overview of structure of sample
• See where else sample is found (using hash)
• Identify low hanging fruit aka quick indicators of what it is: IPs / domains / hash lookups / even keyword phrases
• Look at security tool logs
  • Malicious = URLs, behavior, unusual activity, etc.
• Look at endpoint behavior
  • Indication of compromise, related unusual network behavior

Malware Network Signatures

• First review data you have about malware through security tools … NOT malware analysis
• Live capture tools (Wireshark), event logs, SIEM alerts
• Example bad network activity:
  • Domain www.badsite.com (123.123.123.10)
  • IP address 123.64.64.64
  • GET request: GET /index.htm HTTP 1.1
  • Accept: */*
  • User-Agent: Wefa7e
  • Cache-Control: no

Hash Validation – Fingerprinting Malware

Calculate the hash value and match to original evidence
▪ Evidence must maintain the same value as copies
▪ Hash value tools can validate disk images against the original

Tools: HashCalc ▪ MD5 Calculator ▪ HashMyFiles ▪ md5sum ▪ Chaosmd5 ▪ Autopsy ▪ dc3dd ▪ etc.

NetFlow – Traffic records

• Source / destination, class of service, cause of congestion, etc.
• NetFlow version 9 is the latest / sFlow is not the same
• Devices export flow to a collector
• Less storage and quicker search

Packet Capture – Live traffic

• Capture all traffic
• More details
• More storage and more search
• Sometimes required

NetFlow = Visibility

A single NetFlow record provides a wealth of information:

Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http
…

System Logs

Logs
• Great for identifying or investigating suspicious activities

Application Logs
• List all events logged by programs – what applications are doing

Security Software Logs
• Host security alarms – attack details or events like a file being deleted

Windows log files stored at %systemroot%\system32\winevt\logs: System.evtx | Security.evtx | Application.evtx

Tools: Event Log Explorer, Event Reporter, Kiwi Log Viewer

Domain Lookups

• dig / nslookup
• https://www.abuseipdb.com/
• https://www.brightcloud.com/tools/url-ip-lookup.php
• https://transparencyreport.google.com/safe-browsing/search
• https://www.joesandbox.com/
• https://www.trustedsource.org/
• https://www.virustotal.com/gui/home/upload
• And many more … like Cisco Umbrella Investigate!

Static Analysis

Analyze the artifact to determine its function without running or executing it

• Look at logs within security tools for unusual or malicious behavior
• Compare artifact against threat intelligence
• Scan with antivirus or cloud sandbox and see results
• Disassemble and debug to make a best guess of what it does

Super Quick Static Analysis

• Online scanner like VirusTotal
• Local scanner like Symantec / McAfee / Sophos / Cisco ClamAV
• Security tool logs (IPS / network or host antimalware)
• Job done if bad, unless you need to find it within your network
  • Collect hash and scan
  • Update security tools

Quick Static vs Deep Static

Execute Quick Static Analysis Tool
• Gather initial assessment of file
• Identify imported / exported functions and strings
• Create MD5 hashes of sections to validate IoCs of sections
• Flag aspects of code that are malicious
• Query VirusTotal
Tools: PE Studio | Peframe | ExifTool | Strings2

Disassemble and Debug
• Break down the logic of how the program works
• Identify links and other key finds to truly identify the program's intent
• Static "code" analysis
• Identify unknown malware
• Validate false positives
Tools: IDA Pro | Ghidra | Tools within REMnux

101

• A computer microprocessor manages activities but only understands 1's and 0's aka binary, aka 1 = ON and 0 = OFF
• Very difficult to program or understand machine language instructions
• Low-level assembly language is designed for a specific family of processors, representing instructions in symbolic code
• See how programs interface with OS, processor and BIOS
• See how data is represented in memory
• See process execution instructions or instructions that access process data
• See how a program accesses external devices

Data in Memory

3 steps happen:
• Fetching the instruction from memory
• Decoding or identifying the instruction
• Executing the instruction

Registers = internal memory storage locations to speed up this process

Assembly Language

Divided into 3 sections:

data section – declaring initialized data and constants
bss section – variables
text section – the code

x86 Call Statements

• cdecl – C programming language compiler calling convention on x86
• syscall – similar to cdecl, pushing the arguments right-to-left
• optlink – pushes arguments right to left

Example calling a function (data movement into registers, then the call; x86-64 AT&T syntax):

    # Call foo(1, 15)
    movq $1, %rdi      # Move 1 into %rdi
    movq $15, %rsi     # Move 15 into %rsi
    call foo           # Push return address and jump to label foo

Assembly Language Concepts

• Different compilers give different assembly results
• programs means understanding both sides of the program.
• EX: A function in a common programming language means to reference reusable code. Why create a clock when you can call a clock function?
• In assembly, cdecl is used for a "call statement", meaning calling a function

(Figure labels: "Mark out this path", "This is the result I want")

Malware Executable Imports

• Imports – Executables may import functions
• Windows executables import from DLLs (Dynamic Link Libraries)
• EX: Malware authors may pack their executables, which then resolve imports at load time (usually the import table contains Kernel32.dll and the functions LoadLibrary and GetProcAddress)

• https://resources.infosecinstitute.com/windows-functions-in-malware-analysis-cheat-sheet-part-1/#article
• https://resources.infosecinstitute.com/windows-functions-in-malware-analysis-cheat-sheet-part-2/#gref

Malware Executable Exports

• Exports – Functions that a DLL / .exe may "export" or expose, allowing other programs to leverage them
• Example: Function = WindowsImportRequest needs to import the WININET.dll library
• Malware authors can create their own libraries and use names that cause an analyst to infer functionality or make them look benign

Malware Executable Sections

• Compiled code is mapped into different sections
• The .text section is where the code begins
• Code is likely packed, but tools like PEiD can not only detect file types but also whether a commercial packer is used!
  • Example database: https://raw.githubusercontent.com/ynadji/peid/master/userdb.txt
• You can detect embedded resources
  • Embedded options, not clear text:
  • XOR the file with a single-byte XOR key
  • Base64 encode strings
  • ZLIB compress object
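Added example (not part of the deck) covering the XOR / Base64 / ZLIB layering listed here and the encodings under "Obfuscated Guts": an analyst-side decoder that peels one layer per pass and recovers a single-byte XOR key by searching for expected plaintext ("http", the PE DOS-stub text) rather than guessing from printable ratios. The sample blob is constructed from a benign string.

```python
import base64
import binascii
import zlib

# Fragments an analyst expects somewhere in a correctly decoded layer: a URL
# scheme, or the DOS-stub text present in every Windows PE.  A single-byte XOR
# key is accepted only if the decoded bytes contain one of them (the approach
# of xorsearch-style tools), which avoids ambiguous printable-ratio scoring.
KNOWN_PLAINTEXT = (b"http", b"This program cannot be run in DOS mode")


def try_base64(blob: bytes):
    """Strictly decode base64; None if any byte is outside the alphabet."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def try_zlib(blob: bytes):
    """Inflate a zlib stream; None if the header or data is not zlib."""
    try:
        return zlib.decompress(blob)
    except zlib.error:
        return None


def xor_search(blob: bytes, needles=KNOWN_PLAINTEXT):
    """Try all 255 single-byte keys; return [(key, decoded), ...] for the
    keys whose output contains an expected plaintext fragment."""
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        if any(needle in decoded for needle in needles):
            hits.append((key, decoded))
    return hits


def is_text(blob: bytes) -> bool:
    """True when every byte is printable ASCII or tab/newline."""
    return bool(blob) and all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in blob)


def peel(blob: bytes, max_layers: int = 8):
    """Remove one obfuscation layer per pass and record each step.
    Returns [(label, bytes), ...]; the last entry is the innermost layer."""
    steps = [("input", blob)]
    for _ in range(max_layers):
        inflated = try_zlib(blob)
        if inflated:
            blob = inflated
            steps.append(("zlib", blob))
            continue
        decoded = try_base64(blob)
        if decoded:
            blob = decoded
            steps.append(("base64", blob))
            continue
        if is_text(blob):              # readable: nothing left to peel
            break
        hits = xor_search(blob)
        if len(hits) != 1:             # no key, or ambiguous keys: stop here
            break
        key, blob = hits[0]
        steps.append((f"xor 0x{key:02x}", blob))
    return steps


# Constructed sample (benign string, not a real malware artifact): XOR with
# a single byte, then zlib, then base64, i.e. the three layers on the slide.
SAMPLE_PLAIN = b"Update server: http://example.invalid/manifest.json (constructed sample)"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = base64.b64encode(
    zlib.compress(bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAIN)))

if __name__ == "__main__":
    for label, layer in peel(SAMPLE_BLOB):
        print(f"{label:>10}: {layer[:48]!r}")
```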

Peframe Demo – Quick File Analysis

Deeper File Analysis – WannaCry

Anti-Disassembly

Malware author attempts to trick the disassembler into showing a list of instructions different from what was executed.

Anti-disassembly targets limitations of the disassembler:

1) Jump instructions: jumps into same location + 1 or 2 bytes to mislead interpretation of code
2) Jump instruction to same target or multiple fake jump instructions
3) Usage of function pointers
4) Junk code
5) Code obfuscation

Dynamic Analysis

Running or executing the artifact to determine its function

• Quarantine and monitor infected system in snapshot (Clonezilla)
• Run in controlled environment (sandbox)
• Monitor local interactions (Process Explorer, Process Monitor, etc.)
• Detect changes (RegShot, Autoruns)
• Monitor network (Wireshark)
• Adjust environment (services and redirecting network traffic)

API Hooking

Import Address Table (IAT) – Manipulating the import address table to redirect API functions to a desired memory address

• Send to another API function, malicious shellcode or another part of the program
• Hooking example = Redirect "TerminateProcess" to message box shellcode to prevent termination
• Hiding example = Hooking "NtQuerySystemInformation" to prevent retrieval of any system information. Instead return blank

Malware Persistence Mechanisms

• Modifying Registry Keys
  • Run/RunOnce keys (ex HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run)
  • BootExecute key
  • Keys used by WinLogon process
  • Startup keys
  • Services
  • Browser Helper Objects
  • AppInit_DLLs
  • File association keys
• DLL Search Order Hijacking
• Shortcut Hijacking

Malware Blending Into The System

• Launcher (loader) – performs covert execution. Likely downloading full malware payload
• Process Injection – Popular covert launching technique (DLL injection)
• Direct Injection – Insert code into memory space of a remote process
• Process Replacement – Overwrite memory space with malicious executable
• Hook Injection – Use Windows hooks to load malware
• Detours – Use library for import table modification such as attaching DLLs and function hooks

Free Cloud Sandboxes

• Binary Guard - http://www.binaryguard.com/
• CAPE Sandbox - https://cape.contextis.com/submit/
• Hybrid Analysis - https://www.hybrid-analysis.com/
• ViCheck - https://www.vicheck.ca/submitfile.php
• Joebox - https://www.joesandbox.com/

Personal Dynamic Analysis Lab

Option 1: Dedicated machine / air-gapped network
* Note: Do not put online. Malware is hard to remove
* Malware may run differently on a virtual machine

Option 2: Virtual machine
* Use "host-only" networking to simulate network services
* Take snapshots and disable security
* Warning: Some malware is VMware aware. Malware may run differently or attempt to crash your system

Warning: Never connect malware to the internet until you have a basic idea what it will do when connected!!!!

Anti-Virtual Machine

• (old) Virtualization artifacts such as the VMware string
• (still used) Implantation of artifacts (vendor MAC, device IDs or CPU ID)
• No mouse movements may mean fake system
  • Sandbox can beat this. Example: Cuckoo can simulate mouse movement
• Malware can look at registry values (HKEY_LOCAL_MACHINE\SOFTWARE)
• Environment too clean aka no cookies or history
• Files and settings specific to the virtualization manufacturer

Option 3: Professional Sandbox – AMP / Threat Grid

Dynamic Analysis Tools

• Process Monitor / Process Explorer / ProcDOT, Noriben – Monitor local interactions and behavior
• Regshot / Autoruns – Detect major local changes on system
• FakeDNS / FakeNet-NG – Redirect traffic
• Local services – Activate to see malware behavior

Collecting Windows Data with System Access

Process Memory: Pmdump.exe | Pd.exe | Userdump.exe | Adplus.vbs
Open Files: Net file command | PsFile utility | OpenFiles command
Logged-In Users: PsLoggedOn | Net Sessions | LogonSessions
System Restore Points: Rp.log | Change.log.x files
Process Information: Pslist / Pslist -x | Tasklist | Fport | Listdlls
Registry Settings: Reg.exe | Win Registry Editor | Regedit.exe | Regedit32.exe

Collecting Linux / MacOS Data with System Access

System Resources

• top
• atop (apt-get this)
• htop (apt-get this)
• ps
• ps -a | grep
• pstree
• pgrep

Netstat

▪ Gather local host network information and machine behavior
▪ Windows, Mac, Linux

All connections = -a
TCP routing = -nr

Debugger

• A debugger is a piece of software or hardware used to test or examine the execution of another program
• Provides information you couldn't get from a disassembler
• Two options: open the application using the debugger, or start the application and attach the debugger to the running process
• Single step – Execute line by line
• Breakpoints – Stop execution at a given address
• Exception – Caused by accessing an invalid memory location or an exception-causing action

Anti-Debugger

• Malware authors assume files in the wild are analyzed / debugged
• If debugging works, you understand behavior mechanisms and capabilities
• Anti-debugging slows down the debugging process
• Windows API:
  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • NtQueryInformationProcess
  • OutputDebugString

Continue Your Journey

Malware Classes and Certification Programs

• SANS = GIAC Malware Analysis Certification: GREM
• CREST Certified Malware Reverse Engineer
• Certified Reverse Engineering Analyst (CREA)
• Certified Expert Malware Analyst (CEMA)

YouTube = Free!


Security is a Journey, Not a Destination

Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education

Demos in the Walk-In Labs | Cisco Showcase | Meet the Engineer | Related sessions | 1:1 meetings

Thank you