Capture, care and analysis of Malware made easy
Introduction
Note this is a work in progress.
One of the best ways to learn about something is to play with it and see what it does and how it behaves in a controlled environment. This also applies to learning about worms and viruses, but the problem with doing this is that typically the computer you used to experiment with was trashed in the process, and rebuilding a computer from scratch can be a huge hassle.
Now if you could simply drop the now infected computer in the garbage when you were done playing, and at no cost, there would be very little preventing you from learning about malware, if you so wished.
What I hope to show you in this article is how to easily and quickly create, set up, capture and do some easy basic forensics on wild malware, and then, when you are done, simply drop the infected computer in the great big bit bucket in the sky. This method will allow you to detect root kits, viruses, worms, adware and spyware, in short all forms of malware. You will even be able to compare various antivirus products and see which ones detect different malware and which don't.
The best part about this is how fast you can set up a new system and the variety of systems you can use as victims; want to play with XP malware, or Win2k malware? No problem.
Disclaimer (I'm not kidding)
Now before we begin you need to understand some of the risks involved, and that while I will try to explain how to safely capture, contain and analyze malware, remember you are playing with malware which is designed to gain access to and infect systems. So as all security investigators know, bad things can happen, and sometimes can even happen despite all the precautions taken. So in short, if you hoop your system, I'm sorry, but this is the risk of playing with malware. Currently I don't know of any malware which can hack through a Virtual PC to the host system, but in security one must consider that anything is possible and then consider how probable it is. Using virtualized systems is how most of the professional anti-malware shops capture and analyze malware behavior, so in a sense we are going to give you a bit of a peek into the world of professional researchers; sometimes even bad things happen to them, so please be warned.
That said, I will hopefully show you a safe way to capture and handle malware which is easier than you might think.
Technologies
Given that Microsoft software runs most of the desktops and a huge portion of the servers world-wide, if you were a hacker bent on world domination, on hacking as many systems as possible or on stealing as much money as possible, wouldn't it be logical to target Microsoft systems? While I know some different OS/browser users don't like to admit it, every OS/browser has vulnerabilities (yes, that includes OSX) and proof of this is available weekly in the US-CERT bulletins, for example. Now given I use my iMac for little more than a music player for one of my kids, the focus of this article is going to be malware for Windows (what version of Windows is up to you, as you can use this method with just about any version of Windows).
Now I like to monitor network traffic so I can see where traffic is coming from and where it is going and then analyze different trends, and I do that by using a cheap home router/firewall and Link Logger (note I wrote Link Logger). The key piece of technology is the use of a virtual computer, and there are generally two players in this technology space, VMware and Microsoft.
Now while I use VMware Workstation at work, it costs about $190, so for this article we will use Microsoft's Virtual PC because it is (get ready for it, as it seems strange to say this considering it's a Microsoft product) free. I use VMware at work (where I'm a development manager for commercial software and we use virtual systems for testing) as it does have more features like USB support and such, but for what we are going to do Virtual PC is more than ample. NOTE I'm using the Virtual PC 2007 beta version.
I should point out another reason why I use Link Logger and a firewall: sometimes I'm trying to capture specific malware or attacks, so rather than placing the victim computer in the firewall's DMZ or connecting it directly to the internet where it is exposed to everything, I will forward only selected ports to the victim system. So for example, if I'm only interested in exploits on TCP port 445, I will configure the firewall to forward only port 445 traffic to the victim computer, thereby preventing attacks on other ports from interfering with my honey pots and their intended targets.
Now we are going to do a little something extra and sniff some network packets so we can get a better idea of what scans and attacks are going on and how they work. When I want to get the raw network packets I like to use Packetyzer from Network Chemistry, very nice products. We can set up the sniffer to capture the traffic going to the victim system so we can see the exploit used to gain entry to the victim and other information. Currently there have been some problems getting network sniffers to work with Vista, but I have used Wireshark and Packetyzer with Vista RTM as long as I was using the latest WinPcap version.
Setting up a virtual PC is actually really easy, and if you can install an OS on a new computer, then you can set up a Virtual PC, as that is really all you are doing when you create a Virtual PC. If you want to know how to set up a basic Virtual PC I have some detailed instructions with screen shots here that you can follow.
Now the question is what host OS to use, meaning what OS we should install the virtual systems on. I have used XP Professional in the past, but now we have Microsoft Vista, which is by design a much more secure OS, so we will use that as our host system, but if all you have is XP, no problem, the steps in this article are the same. The question of what we will use for our victim's OS depends on what you are researching, but for the purposes of this article we will use a totally unpatched version of XP SP1, meaning no service packs or patches. On our local ISP this means this system will be infected within 10 minutes of being exposed to the internet.
So putting together all these tools and a couple of others that I will mention later, we will have a rather surprisingly complete malware capture and analysis setup.
Setup
Microsoft's Virtual PC has some very nice features for what we want to do, so let me explain what they are and how to set them up. When I build a Virtual PC I save the 'fresh install state' (before applying any patches), then I change the write permissions on the virtual hard drive to read only. What this does is protect your clean install from accidental corruption, and therefore allows you to use this image over and over again. To build a fully patched system I copy the fresh install directory, rename everything, start up this new Virtual PC and then apply all the patches.
So let's start with a fresh install of XP SP1a.

First ensure that the original disk is write protected.

Now we are going to create what is called a Differencing Disk in Virtual PC. The idea behind this is that you start with an existing virtual disk (our OS fresh install disk) and then create a new virtual disk that uses the initial disk as a starting point but writes all changes to a separate file, such that the original disk is never changed. So go to the tool bar in the Virtual PC Console and select File -> Virtual Disk Wizard, select 'Create a new virtual disk' and then 'A virtual hard disk', give it a name and a location, then select 'Differencing' and make the parent the fresh install disk (the one we write protected). Select Finish and we should now have a new virtual hard drive that is basically a clone of our fresh install.

Select our desired victim OS

But we want to change what it uses for the system drive, so we create a new virtual disk for it.




I like to put it in the same directory so I know what it is later.

This is the key step, in that we want a Differencing disk.

Use the clean fresh install as our starting point.

We now want to use our newly created victim disk, so we set up our target system to use it.

Now we have our victim system ready to go.
OK, now that we have our victim ready to go, there are a couple of things we need to do to protect our host from attack. Typically when a system is infected it tends to scan the local network looking for other vulnerable systems, which means that our infected client is likely to scan/attack our host system, so we need to ensure that it is safe. I run a fully patched Vista system as my host and ensure the internal Vista firewall is running and blocking all traffic from our victim. This should be enough to protect the host system from any external network based attack.
I should also point out that I don't install the Virtual Machine Additions when setting up a virtual system for use in malware capture and analysis. The Virtual Machine Additions allow the host and virtual system some forms of communication such as the clipboard and such, and while very handy, I'd recommend keeping as thick and strong a wall as possible between the virtual victim and the host system, so don't install the additions when planning on using the virtual system for malware capture and analysis.
Now for this example we want to capture the network traffic so we can see the exploit (if one is used) to break into the system, so we will be running Packetyzer, but to minimize all the traffic we will be seeing we will set up a capture filter such that only traffic to and from our victim will be captured. So start the Virtual PC and log in (we logged in as Admin as we really want to get infected) and run ipconfig so we can see what the system IP address is.

Now we set up our packet sniffer such that it will only capture the traffic we are interested in (remember to leave Packetyzer in promiscuous mode).

Setup the capture filter

Capture
Now that we have set up our system, we can configure our network to expose the victim and start capturing malware. As I mentioned before, if I was trying to capture a particular exploit or worm, I would configure the firewall to only forward selected port traffic to my victim system, but for this article we will place the victim system in the firewall's DMZ so it will get the full gamut of network based attacks.

For this test we are using a Netgear FVS318v3 with Link Logger.
Analysis
Once again all the infected systems on our local ISP have not failed to deliver, and within minutes our victim system is totally owned, and we captured everything.

When your victim system starts scanning out, that is a pretty good indicator that it has been owned. First let's see what was changed on our system (note I didn't do a reboot, so there could be some nasties waiting for a restart to install, but we should see those). Since we used a differencing disk, we should be able to compare that disk with the original clean disk. NOTE I built a differencing disk for the original disk as a security precaution, as I did with my Vista analysis disk.

So using a tool called WinDiff, which is available as part of Microsoft's free Platform SDKs, we can compare the clean disk to the infected disk and get a list of all the files which are new, deleted or otherwise changed.

Ever wondered why cleaning an infected system can be so difficult? There are literally hundreds of files that our attacker either added or changed all over the place.
We can also use WinDiff to show us what has changed in a file.

So here we see that our attacker has inserted an object into all our html files, such that when the page is viewed, the attacker executes more malware.
If we try to view one of the malware exe's in WinDiff, OneCare notes it as malware and stops it.

Well, it certainly appears our bad boy was definitely a very busy bad boy and has totally owned our victim. So submitting one of the suspect files to Kaspersky, it would appear we have a nasty case of Net-Worm.Win32.Allapple.a.

We could run a number of different scanners if we wished to do a comparison of the detection rates of the different scanners, but a couple of things to note. First, the infected registry is not the active registry, but all malware files are accessible and visible (meaning if they were hidden by a root kit, they are not hidden anymore), so a scanner should have a shot at all the files.
For fun I let OneCare scan the infected disk and the result was:

Now while it reported one infection, it removed hundreds of files.

I wasn't expecting it to do anything about the modified html files, as I would expect it to clean out the registry. So I restarted the victim system and tried to open one of the modified htm files and got the following error:

So while the system appears to be cleaned up, there are still some lingering after effects, as I had expected.
Looking at the Packetyzer captures we can see a number of different attempts to exploit various vulnerabilities, including this winner:

So we have pretty good coverage of everything our malware did, and all from the safety of a virtual system.
Now if we wanted to disassemble some of the malware we could, and learn more about it, or we could have simply left the infected system running longer so we could see what else the infection would have done or what the botmaster had planned for our victim, but I wanted to show some other examples of how using this system can help you understand malware.
Botnets
Huge armies of bots seem to be a frequent topic in security news, but using this system we can capture the DNS request to get the botnet command and control center. For example, when we restarted an infected system we see a DNS call looking for the IP address for dcz.anxau.com, followed by an IRC connection to that IP address on port 65267 (note IRC is normally on 6667, but as shown it can be configured to use other ports). Looking into the packets we can get the userid and password for the C&C as well as other information, so for example the conversation our victim had with the C&C was:
NICK USA|879260
USER bqvvafgq 0 0 :USA|879260
:dcz2.convicts.in.au NOTICE USA|879260 :*** If you are having problems
connecting due to ping timeouts, please type /quote pong EE86FDB7 or /raw pong
EE86FDB7 now.
PING :EE86FDB7
PONG :EE86FDB7
:dcz2.convicts.in.au 001 USA|879260 :Welcome to the irc.convicts.in.au IRC
Network USA|879260!bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net
:dcz2.convicts.in.au 002 USA|879260 :Your host is dcz2.convicts.in.au, running
version Unreal3.2-beta19
:dcz2.convicts.in.au 003 USA|879260 :This server was created Sun Feb 8 18:58:31
2004
:dcz2.convicts.in.au 004 USA|879260 dcz2.convicts.in.au Unreal3.2-beta19
iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzN
:dcz2.convicts.in.au 005 USA|879260 MAP KNOCK SAFELIST HCN MAXCHANNELS=10
MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are
supported by this server
:dcz2.convicts.in.au 005 USA|879260 WALLCHOPS WATCH=128 SILENCE=5 MODES=12
CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSM
NETWORK=irc.convicts.in.au CASEMAPPING=ascii :are supported by this server
:dcz2.convicts.in.au 422 USA|879260 :MOTD File is missing
:USA|879260 MODE USA|879260 :+i
JOIN #dcz r00t
:USA|879260!bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net JOIN :#dcz
:dcz2.convicts.in.au 332 USA|879260 #dcz :`root.start dcom135 300 5 0 -r -b -s
:dcz2.convicts.in.au 333 USA|879260 #dcz ROCK 1166026999
:dcz2.convicts.in.au 353 USA|879260 @ #dcz :USA|879260 @dcz
:dcz2.convicts.in.au 366 USA|879260 #dcz :End of /NAMES list.
USERHOST USA|879260
MODE USA|879260 -xt
JOIN #dcz r00t
USERHOST USA|879260
MODE USA|879260 -xt
JOIN #dcz r00t
USERHOST USA|879260
MODE USA|879260 -xt
JOIN #dcz r00t
:dcz2.convicts.in.au 302 USA|879260
:USA|879260=+bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net
:dcz2.convicts.in.au NOTICE USA|879260 :Setting/removing of usermode(s) 'BRxp'
has been disabled.
:dcz2.convicts.in.au 302 USA|879260
:USA|879260=+bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net
:dcz2.convicts.in.au NOTICE USA|879260 :Setting/removing of usermode(s) 'BRxp'
has been disabled.
:dcz2.convicts.in.au 302 USA|879260
:USA|879260=+bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net
:dcz2.convicts.in.au NOTICE USA|879260 :Setting/removing of usermode(s) 'BRxp'
has been disabled.
PING :dcz2.convicts.in.au
PONG :dcz2.convicts.in.au
PING :dcz2.convicts.in.au
PONG :dcz2.convicts.in.au
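The facts an analyst wants out of a session like the one above (the C&C server name, the bot's nick, the channel and its key, the server software, and the command the botmaster left in the channel topic) can be pulled out mechanically. The following is an added example written for this page, not code from the article or from Packetyzer or Link Logger; it parses IRC lines the way the protocol defines them (a server message carries a leading ':' prefix, a client command does not, and a trailing parameter after ' :' may contain spaces) and runs over an excerpt of the captured conversation shown above, with the wrapped lines rejoined.

```python
"""Pull C&C indicators out of a captured IRC bot session.

Added example, not from the original article or any tool it names.
SAMPLE_SESSION is an excerpt of the capture shown in the article,
assembled here as a list with the wrapped lines rejoined.
"""
import re

SAMPLE_SESSION = [
    "NICK USA|879260",
    "USER bqvvafgq 0 0 :USA|879260",
    ":dcz2.convicts.in.au 001 USA|879260 :Welcome to the irc.convicts.in.au IRC "
    "Network USA|879260!bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net",
    ":dcz2.convicts.in.au 002 USA|879260 :Your host is dcz2.convicts.in.au, "
    "running version Unreal3.2-beta19",
    ":dcz2.convicts.in.au 422 USA|879260 :MOTD File is missing",
    "JOIN #dcz r00t",
    ":USA|879260!bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net JOIN :#dcz",
    ":dcz2.convicts.in.au 332 USA|879260 #dcz :`root.start dcom135 300 5 0 -r -b -s",
    ":dcz2.convicts.in.au 333 USA|879260 #dcz ROCK 1166026999",
    "PING :dcz2.convicts.in.au",
    "PONG :dcz2.convicts.in.au",
]


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params) per RFC 1459.

    The prefix (after a leading ':') is the sender; the trailing parameter
    (after ' :') may contain spaces and is kept as a single item.
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, None, []
    return prefix, params[0].upper(), params[1:]


def extract_cnc_indicators(lines):
    """Walk a session and record the server, the bot's nick, the channel and
    key it joined, the server software (numeric 002) and the topic (332),
    which in this family of bots is the standing order for the channel."""
    found = {"server": None, "nick": None, "channel": None,
             "channel_key": None, "topic_command": None, "server_version": None}
    for raw in lines:
        prefix, cmd, params = parse_irc_line(raw.strip())
        if cmd is None:
            continue
        if prefix is None and cmd == "NICK" and params:
            found["nick"] = params[0]          # client side: what the bot calls itself
        elif prefix is None and cmd == "JOIN" and params:
            found["channel"] = params[0]       # client side: JOIN <channel> [key]
            found["channel_key"] = params[1] if len(params) > 1 else None
        elif prefix is not None and cmd.isdigit():
            # Numeric replies only ever come from the server, so the prefix
            # names the C&C host even if DNS pointed somewhere else.
            found["server"] = prefix
            if cmd == "332" and len(params) >= 3:
                found["topic_command"] = params[2]
            elif cmd == "002":
                m = re.search(r"running version (\S+)", params[-1])
                if m:
                    found["server_version"] = m.group(1)
    return found


if __name__ == "__main__":
    for key, value in extract_cnc_indicators(SAMPLE_SESSION).items():
        print(f"{key:15s} {value}")
```

The server name, channel, key and topic are exactly the items worth feeding into a blocklist or an IDS signature; the nick is per-victim and the version string is useful mainly for recognising the same C&C when it moves to a new hostname.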
And our victim did as it was told and started scanning systems on our ISP's local subnet on TCP port 135 looking for systems which it could exploit via DCOM, at a rate of approximately 800,000 scans per hour (that's likely to chew up some bandwidth).
Root Kits
Root Kits are a popular subject, as when a hacker installs a root kit your operating system is no longer yours, and it will hide from you the files, processes, etc. that the hacker wants hidden from your view. So for example I infected a system with HackerDefender, which is a well-known Root Kit. I then enabled it to hide some files and a directory, such that when you try to view them in Windows Explorer or using a dir from within a command shell, everything is invisible; in effect the root kit is now 'working' to hide stuff from the user. Now if we mount that differencing disk and the clean disk as we did above and do a WinDiff on it, the root kit becomes clearly visible again.

Now you see it.

Now you don't.

And now you see it again.
Using virtual systems with virtual disks is a great way to capture and analyze malware, as it can't hide from you, and using tools like WinDiff allows you to see everything the malware has done to files and such, quickly and easily.
When you are finished playing you simply delete your 'victim' Differencing Disk, and the next time you wish to hunt for malware you can build a new Differencing Disk within seconds, so you are always ready to go malware hunting.

Conclusion
Hopefully I've given you enough information and examples to get you started on how to capture, analyze, and understand malware using this simple system. Of course there is much more that can be done, but the idea here was to give a brief introduction and allow you to take the ball and run with it. A couple of things to note: first, virtual systems love memory, so don't skimp on the memory in your system, and second, have fun but be careful. As use of VMs becomes more common I expect that one day someone will find an exploit that will let them attack the host from the client, so be careful, understand the risks and keep up to date with your patches.
Of course you can experiment with all sorts of malware. For example you can take email attachments and run them in a virtual victim, or browse sites which attempt to use browser exploits, and you can capture and easily analyze what the malware does, how it tried to gain access to your system, etc., and when you are done, just delete the differencing disk and you're back to a clean system.
Now some people will no doubt argue that malware can detect when it is being run on a virtual system, and I would agree with that 100%, but most malware doesn't check if it's being run on a Virtual PC, in fact very few do, so for all intents and purposes a virtual system is good enough for what we are doing (I do have a number of real systems which I use for honeypots when needed, but I'd rather use a virtual system for a number of reasons). Virtual PC vendors have never claimed that it is impossible to detect that their VMs are virtual, but there are ways to make it more difficult for malware to detect a VM as well (see http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf for example).
Page last updated on January 03, 2007