Project 2: Malware Analysis
• Windows Malware
• Android Malware
• Submission
• Analyzing Windows Malware
• You got a malware sample from the wild. Your task is to discover what the malware does by analyzing it.
• How do you discover the malware’s behaviors?
• Static Analysis
• Manual Reverse Engineering
• Programming binary analysis
• Dynamic Analysis
• Network behavioral tracing
• Run-time system behavioral tracing (File/Process/Thread/Registry)
• Symbolic Execution
• In our scenario, you are going to analyze the given malware with tools that we provide.
• These tools help you to analyze the malware with static and dynamic analysis.
• Objective
1. Find which server controls the malware (the command and control (C2) server)
2. Discover how the malware communicates with the command and control (C2) server
• URL and Payload
3. Discover what activities are done by the Linux malware
• Attack activities
• Requirement
• Make sure that no malware traffic goes out from the virtual machine
• But updating the malware (stage 2) and downloading the Linux malware (stage 3) must be allowed for us to understand the malware’s behavior
• The command and control server is dead. You need to reconstruct it
• Use tools to reconstruct the server, then reveal hidden behaviors of the malware
• Analyze network traffic on the host, and figure out the list of available commands for the malware
• Analyze the network traffic trace of the host, and figure out what the malware does
• Write down your answers in assignment-questionnaire.txt
Project Structure
• A Virtual Machine for Malware analysis
• Please install/update to the latest version of VirtualBox.
• https://www.virtualbox.org/wiki/Downloads
• Download the VM
• Download the project VM from one of the following links
• https://www.dropbox.com/s/dnk6acztw9ewp83/Project%202.zip?dl=0
• Unarchive the file with 7zip and password is cs6262
Project Structure
• Network Configurations (diagram)
• Ubuntu host: runs the Windows (QEMU) guest, the analysis tools, the fake servers and the fake targets
• Tap0 (NIC): the interface on the Windows guest side
• enp0s3 (NIC): the interface facing the Internet, behind iptables (firewall)
• The Internet
Project Structure
• Network Configurations
• tap0: virtual network interface for Windows XP
• IP Address: 192.168.133.101
• br0: a network bridge between Windows XP and Ubuntu
• IP Address: 192.168.133.1
• enp0s3: a network that faces the Internet
• IP Address: 10.0.2.15 (it varies with your VirtualBox settings)
Project Structure
• Open VirtualBox
• Go to File->Import Appliance.
• Select the ova file and import it.
• For detailed information on how to import the VM, see:
• https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
• VM user credentials
• Username: analysis
• Password: analysis
Project Structure
• In the Virtual Machine (VM)
• Files
• init.py
• This initializes the project environment
• Type your Georgia Tech username (your Canvas login name) after running this
• e.g. $ ./init.py
• update.sh
• This script updates the VM if any further update has been made by TAs
• Please run this script when you start the project! (If it says that you’re already updated when you run it, that’s fine)
• If you have already completed stage 1 before running update.sh, you do NOT need to redo stage 1, but you will need to run update.sh to complete stage 2
• archive.sh
• This will archive the answer sheet for submission (creates a zip file)
Project Structure
• In the Virtual Machine (VM)
• Directories
• A directory that stores the Windows XP virtual machine (runs with QEMU)
• We use the given VM for both Cuckoo and a testbed. Please see page 19.
• A shared directory between the Ubuntu host and the Windows guest (XP is running on a VM within your project VM). You can copy/move files to or from this directory.
• Please see page 22.
• The answer sheet for the project questionnaire.
• Required files for setting up the machine. You don’t need to modify, nor use, the files in this directory.
Project Structure
• In the Virtual Machine (VM)
• Directories
• network
• Configure your network firewall rules (iptables) by editing iptables-rules.
• You can allow/disallow/redirect the traffic from the malware
• The ‘./reset’ command in this directory will apply the changes
• cfg-generation (CFG stands for Control-Flow Graph)
• An analysis tool that helps you to find interesting functions of malicious activity
• You need to edit score.h to generate the control-flow graph
• Use xdot to open the generated CFG.
Project Structure
• In the Virtual Machine (VM)
• Directories
• sym-exec
• A symbolic executor (based on angr: https://github.com/angr)
• Helps you to figure out the commands that the malware expects
• Use the cfg-generation tool to figure out the address of the function of interest
• c2-command
• A simplified tool for C2 server reconstruction
• You can write down commands in the *.txt file, one per line
• It will randomly choose one command at a time to send to the malware
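As an added illustration of what a reconstructed C2 server has to do (this is example code, not the project's c2-command tool), the server below reads a one-command-per-line list and answers each request with one randomly chosen command. It assumes the bot polls over an HTTP GET and takes the command from the response body; the real dialog is whatever the Wireshark capture shows, so that part must be adapted. The command list is constructed.

```python
"""Fake C2 command server, in the spirit of the course's c2-command tool.

Added example, not the project's tool. It assumes the malware polls the server
with an HTTP GET and reads its command from the response body; the real dialog
must be confirmed from the Wireshark capture. Commands come from the same
one-command-per-line text format the c2-command tool uses.
"""
import http.server
import random
import threading
import urllib.request

# Constructed command list (in the project this is the *.txt file).
COMMAND_FILE_TEXT = """\
# candidate commands, one per line
hello
status
update
"""


def load_commands(text):
    """Parse one-command-per-line text; blank lines and '#' comments are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def choose_command(commands, rng):
    """Pick one command at random, as the c2-command tool does per request."""
    return rng.choice(commands)


def pick_sequence(commands, seed, n):
    """The sequence of commands a bot would receive over n polls (seeded)."""
    rng = random.Random(seed)
    return [choose_command(commands, rng) for _ in range(n)]


class FakeC2(http.server.HTTPServer):
    """Loopback HTTP server that answers every GET with one chosen command."""

    def __init__(self, commands, seed=0, bind=("127.0.0.1", 0)):
        super().__init__(bind, _Handler)
        self.commands = commands
        self.rng = random.Random(seed)
        self.sent = []   # (request path, command) for correlating with the trace

    @property
    def url(self):
        host, port = self.server_address
        return f"http://{host}:{port}/"


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        cmd = choose_command(self.server.commands, self.server.rng)
        self.server.sent.append((self.path, cmd))
        body = cmd.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):   # keep the console quiet
        pass


def serve_in_background(commands, seed=0):
    """Start the fake C2 on an ephemeral loopback port and return it."""
    server = FakeC2(commands, seed)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    server = serve_in_background(load_commands(COMMAND_FILE_TEXT))
    for _ in range(3):
        with urllib.request.urlopen(server.url, timeout=5) as resp:
            print("bot received:", resp.read().decode())
    print("log:", server.sent)
    server.shutdown()
```

The `sent` log is the useful part for the write-up: it records which command went out on which request, so a change in the bot's behavior seen in Wireshark or Cuckoo can be matched to the command that caused it.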
Project Structure
• stage1.exe – stage 1 malware
• It will download the stage 2 malware if this malware receives the correct command
• stage2.exe – stage 2 malware
• It will download the stage 3 malware if this malware receives the correct command
• payload.exe – the Linux malware attack payload
• Analyze the dynamic instruction trace
• Write a script to detect where the C&C communication happens – find the loop entry point and the function sequence in the loop
• Add a constraint to symbolic execution to limit the loop to one iteration
• Find the feasible attacks within the given set of possible attacks.
Questionnaire
• 1) To get credit for the project, you have to answer the questionnaire, found at ~/report/assignment-questionnaire.txt !!!!!
• 2) Please strictly follow the format or the example answer for each question in assignment-questionnaire.txt. TAs use an autograder for your submission.
• Windows Part
• Read ~/report/assignment-questionnaire.txt
• Carefully read the questions, and answer them in ~/report/assignment-questionnaire.txt
• For each stage, there are 4-6 questions regarding the behavior of the malware.
• Android Part
• READ ~/Android/MaliciousMessenger/writeup.pdf
• Carefully read the writeup, and answer in ~/report/assignment-questionnaire.txt
Tutorial (for stage1.exe malware)
• Update the project VM before you begin.
• Open the terminal (Ctrl-Alt-T, or choose terminal from the menu)
• Run ./update.sh
• It will update any necessary files that are required for this project.
Tutorial (for stage1.exe malware)
• Initializing the project
• Open the terminal (Ctrl-Alt-T, or choose terminal from the menu)
• Run ./init.py
• Type your Georgia Tech username (the login name used for Canvas)
• This will download the stage1 malware (stage1.exe) into the ~/shared directory
Tutorial (for stage1.exe malware)
• Special NOTE
• These are malware samples hosted under the Georgia Tech Network
• It is likely that security measures would kick in and encrypt these files
• That is, all the malware samples you will be downloading during this project
• IMPORTANT
• After each download, make sure to check the type of file.
• In the Linux VM, execute
• $ file
• unzip
Tutorial (for stage1.exe malware)
• Special NOTE
• For stage1 and stage2, the file format should be
• For stage3, the file format should be
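An added Python check, not one of the project's scripts, that does for the three relevant cases what the `file` command does: it sniffs the magic bytes for a Windows PE, a Linux ELF and a zip archive (what a wrapped download looks like) and compares the result with the kind expected for each sample name. The expected kinds (PE for the Windows stages, ELF for the Linux payload) are derived from the slides' description of the samples, and the sample bytes are constructed.

```python
"""Verify what a downloaded sample actually is before copying it to the testbed.

Added example, not one of the project scripts. It sniffs magic bytes the way
the `file` command does for the cases that matter here: a Windows PE (MZ stub
plus a "PE\0\0" signature at the e_lfanew offset), a Linux ELF (0x7f "ELF"),
and a zip archive ("PK"), which is what a download wrapped by the network's
security measures would look like.
"""
import struct

# Expected kinds, derived from the slides: stage 1/2 are Windows executables,
# payload.exe is the Linux attack payload.
EXPECTED = {"stage1.exe": "PE", "stage2.exe": "PE", "payload.exe": "ELF"}


def identify(data):
    """Return 'PE', 'ELF', 'zip', 'MZ' or 'unknown' for the given bytes."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "PE"
        return "MZ"            # DOS header without a valid PE signature
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"PK":
        return "zip"
    return "unknown"


def check_sample(name, data):
    """True when the bytes match the kind expected for that sample name."""
    return identify(data) == EXPECTED.get(name)


def check_file(path):
    """Identify a file on disk (reads it whole; samples here are small)."""
    with open(path, "rb") as f:
        return identify(f.read())


def fake_pe():
    """Constructed minimal PE-looking header (not a real executable)."""
    buf = bytearray(0x48)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    samples = [("stage1.exe", fake_pe()),
               ("payload.exe", b"\x7fELF" + bytes(12)),
               ("stage1.exe", b"PK\x03\x04" + bytes(26))]   # a wrapped download
    for name, blob in samples:
        status = "OK" if check_sample(name, blob) else "MISMATCH"
        print(f"{name}: {identify(blob)} ({status})")
```

A "zip" result for a file that should be PE or ELF is the case the slide warns about: the sample has been wrapped and needs to be unpacked before it is copied to the testbed.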
Tutorial – Secure Experiment Environment
• We need a secure experiment environment to execute the malware.
• An insecure analysis environment could damage your system
• You may not want:
• Encrypting your files during a ransomware analysis
• Infecting machines in your corporate network during a worm analysis
• Creating tons of infected bot clients in your network during a bot/trojan analysis
• The solution:
• Contain the malware in a virtual environment
• Virtual Machine
• Virtual Network
• Conservative rules (allow network traffic only if it is secure)
• We provide a Win XP VM as a testbed!
Tutorial – Run Win XP VM
• Run the Windows XP Virtual Machine with virt-manager
• Open a terminal
• Type “virt-manager” and double click “winxpsp3”
• Click the icon with the two monitors and click on “basecamp”
Tutorial – Run Win XP VM
• Run the Windows XP Virtual Machine with virt-manager
• Right click on basecamp, and click “Start snapshot.” Click Yes if prompted.
• Once virt-manager has successfully restored the snapshot, click Show the graphical console.
• Click on the Windows Start Menu and Turn off Computer.
• Then select Restart
Tutorial – Run Win XP VM
• DO NOT MODIFY OR DELETE THE GIVEN SNAPSHOTS!
• The given snapshots are your backups for your analysis.
• If something bad happens on your testbed, always revert back to the basecamp snapshot.
Tutorial – Copy from Shared Directory
• Go to the shared directory by clicking its icon (in Windows XP)
• Copy stage1.exe into Desktop
• If you execute it in the shared directory, an error message will pop up. Please copy the file to Desktop.
Tutorial – Run the malware!
• Now we will run the malware
• Execute stage1.exe (double click the icon)
• It will say “Executing Stage 1 Malware”. Then, click OK.
• You should click OK on each dialog to dismiss it
• Otherwise, malware execution will be blocked
Tutorial – Run the malware!
• If you want to halt the malware that is running…
• Execute stop_malware in the temp directory.
• This will stop the currently running malware.
• Please halt first before you execute another malware file.
Tutorial – Network behavioral analysis
• To analyze network behaviors, you need
• Wireshark (https://www.wireshark.org/)
• Network Protocol Analyzer
• Cuckoo (https://cuckoosandbox.org/)
• Capturing & recording inbound/outbound network packets
Tutorial – Observing Network Behavior
• By capturing and recording network packets through the tools, we can:
• Reveal the C&C protocol
• Attack Source & Destination
• But the malware will not do anything. Why?
• The C2 server is dead!
• Therefore, the malware (C2 client) will never unfold its behaviors.
• Question?
• If we know the C&C dialog of the malware, can we build a fake C2 server in order to unfold the malware behaviors?
• Answer: Hack Yeah! That is your job for this project!
Tutorial – Wireshark
• Let’s check it through network monitoring
• Open wireshark (open a terminal. Type “sudo wireshark“ – you can ignore the error message that pops up)
• Choose br0 to capture the network traffic
• Then start capture by clicking on the shark-fin on the top left
Tutorial – Redirect Network Connection
• Redirecting Network Connection
• From Wireshark, we can notice that the malware tries to connect to the host at 128.61.240.66, but it fails
• Let’s make it redirect to our fake C2 server
• Go to ~/tools/network
• Edit iptables_rules to redirect the traffic to 128.61.240.66 to 192.168.133.1 (fake host)
• Whenever you edit iptables_rules, always run reset (type “./reset” from the ~/tools/network directory)
• IMPORTANT! If you shut down your project VM, be sure to run reset again the next time you start it up.
Tutorial – Reading C2 Traffic
• Observing C2 traffic
• In Wireshark, we can notice that now the malware can communicate with our fake C2 server
• But there will not be further execution, because the command is wrong…
Tutorial – Reading C2 Traffic
• Observing C2 traffic
• You can see the contents of the traffic by right-clicking on the line, then clicking Follow – TCP Stream
Tutorial – Cuckoo
• Let’s take a look at Cuckoo. Cuckoo is NOT necessarily required to complete this project, but it is a useful tool to help you understand what your malware is doing, and therefore how you might want to modify your score.h file later in the project.
• NOTE! You can’t run the testbed VM and Cuckoo simultaneously.
• Always turn off the testbed VM, and follow the steps below to execute Cuckoo
• Open two terminals.
• $ workon cuckoo   # set the virtualenv to cuckoo in both terminal 1 and terminal 2
• $ cuckoo -d       # run the cuckoo daemon in terminal 1
• $ cuckoo web      # run the cuckoo web server in terminal 2
• If you get an error when running cuckoo web because port 8000 is already in use, run “sudo fuser -k 8000/tcp” and try again
Tutorial – Cuckoo
• Cuckoo uses a snapshot of the given testbed VM.
• The snapshot is 1501466914
• DO NOT TOUCH the snapshot!
• When you want to restore the test VM, refer to page 19.
Tutorial – Upload a file to Cuckoo
• To open the cuckoo web server, type the following URL into Chromium
• http://localhost:8000
• To upload a file, click the red box and choose a file.
Tutorial – Analysis with Cuckoo
• Once you click the Analyze button, it will take some time to run the malware.
Tutorial – Figuring Out the List of Commands
• The malware does not exhibit its behavior because we did not send the correct command through our fake C2 server
• We will use
• File/Registry/Process tracing analysis to guess the malware behavior.
• Control-flow graph (CFG) analysis and symbolic execution to figure out the list of the correct commands
• The purpose of tracing analysis is to draw a big picture of the malware
• What kinds of system calls/APIs does the malware use?
• Does the malware create/read/write a file? How about a registry key?
• The purpose of CFG analysis is to find the exact logic that involves the interpretation of the command and the execution of the malicious behavior
• Then, symbolic execution finds the command that drives the malware into that execution path
Tutorial – Tracing Analysis on Cuckoo
• On the side bar, there are useful menus for tracing
• We are focusing on:
• Static Analysis
• API/System Call.
• Behavioral Analysis
• Trace behaviors in time sequence.
Tutorial – Static Analysis on Cuckoo
• Static Analysis
• Information about the malware.
• Win32 PE format information
• Windows binaries use the PE format
• Complicated structure
• Sections include
• Strings, etc.
• .data
• .idata
• .reloc
• Virtual link, dynamic link, etc.
• More info: http://resources.infosecinstitute.com/2-malware-researchers-handbook-demystifying-pe-file/#gref
Tutorial – Static Analysis on Cuckoo
• Interestingly, three DLL (Dynamic Link Library) files are imported.
• In WININET.dll, we can see that the malware uses the HTTP protocol.
• In ADVAPI32.dll, we can check if the malware touches the registry
• In Kernel32.dll, we can check whether the malware waits on a signal, and also whether it sleeps.
Tutorial – Behavior Analysis on Cuckoo
• Tracing a behavior (file/process/thread/registry/network) in time sequence.
• Useful to figure out cause-and-effect in process/file/network activity.
• Malware creates a new file and runs the process, then writes it to memory.
Tutorial – Cuckoo analysis result
• Based on our analysis with Cuckoo, we can determine if…
• The malware uses the HTTP protocol to communicate
• Communicate with whom? C&C?
• Web server access? For checking if the C2 server is active?
• Commands through the HTTP protocol? Cookies?
• The malware touches (creates/writes/reads) a file/registry key/process
• Might this be a dropper? Or does it download a binary from the C2 server?
• What is the purpose of creating processes? Modifying the registry?
Tutorial – Control Flow Graph Analysis
• Based on the information that we collected in the previous step, we are going to perform CFG analysis & symbolic execution analysis
• A CFG is a graph representation of computation and control flow in the program
• Nodes are basic blocks
• Edges represent possible flow of control from the end of one block to the beginning of another.
Tutorial – Control Flow Graph Analysis
• CFG: An Example (figure)
• But, in malware analysis, we are analyzing the CFG at the instruction level.
Tutorial – Control Flow Graph Analysis
• We provide a tool for you that helps to find the command interpretation logic and the malicious logic
• We list the functions or system calls the malware uses internally
• If you provide the score (how malicious it is, or how likely the malicious logic is to use such a function) for the functions, then the tool will find where the malicious logic is, based on its score
• Example: if you set StrCmpNIA to have a score of 10, then a function that calls StrCmpNIA 5 times within itself will have the score 50.
• A higher score implies that more functions related to the malicious activity are used within the function.
• Your job is to write the score value for each function
• More info:
• http://www.cs.cornell.edu/courses/cs412/2008sp/lectures/lec24.pdf
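An added worked example of the scoring rule above, not the cfg-generation tool itself: each call site contributes the callee's score, functions not listed score 1, and the highest-scoring function is the candidate for the command-handling logic. The call graph and the score table are constructed (the format of the real score.h is not assumed), and the slide's own case (StrCmpNIA scored 10, called five times, giving 50) is reproduced.

```python
"""Function scoring as described for the cfg-generation tool's score.h.

Added example, not the project's tool. The call graph below is constructed to
look like what disassembly of a C2 bot yields (callers are internal sub_*
functions, callees are either imports or other subs). Rule from the slide:
a function's score is the sum, over its call sites, of the callee's score;
imports listed in the table carry the analyst's score, everything else is 1.
"""
from collections import Counter

# Constructed call sites: (caller, callee), one entry per call instruction.
CALL_SITES = [
    ("sub_401000", "sub_401200"),          # main loop dispatches to the handler
    ("sub_401000", "Sleep"),
    ("sub_401200", "StrCmpNIA"),           # five comparisons against commands
    ("sub_401200", "StrCmpNIA"),
    ("sub_401200", "StrCmpNIA"),
    ("sub_401200", "StrCmpNIA"),
    ("sub_401200", "StrCmpNIA"),
    ("sub_401200", "sub_401400"),
    ("sub_401400", "InternetOpenA"),
    ("sub_401400", "InternetOpenUrlA"),
    ("sub_401400", "InternetReadFile"),
    ("sub_401400", "InternetCloseHandle"),
]

# Analyst-assigned scores, as one would set them in score.h (constructed values).
SCORES = {
    "StrCmpNIA": 10,
    "InternetOpenA": 5,
    "InternetOpenUrlA": 5,
    "InternetReadFile": 5,
}
DEFAULT_SCORE = 1   # the slide: all other functions are set to 1


def direct_scores(call_sites, scores, default=DEFAULT_SCORE):
    """Score each caller: the sum of callee scores over its call sites."""
    totals = Counter()
    for caller, callee in call_sites:
        totals[caller] += scores.get(callee, default)
    return dict(totals)


def ranked(call_sites, scores, default=DEFAULT_SCORE):
    """Functions ordered from most to least suspicious (ties by name)."""
    totals = direct_scores(call_sites, scores, default)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def callee_breakdown(call_sites, caller, scores, default=DEFAULT_SCORE):
    """Which callees contributed how much, to explain a high score."""
    counts = Counter(callee for c, callee in call_sites if c == caller)
    return {callee: n * scores.get(callee, default) for callee, n in counts.items()}


if __name__ == "__main__":
    for fn, score in ranked(CALL_SITES, SCORES):
        print(f"{fn}: {score}  {callee_breakdown(CALL_SITES, fn, SCORES)}")
```

With these constructed scores the string-comparison function comes out on top, which is the shape one wants: the function that compares the received data against several candidate commands is where the command interpretation lives, and its address is what the symbolic execution step needs.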
Tutorial – Control Flow Graph Analysis
• From our network analysis, we know that the malware uses an Internet connection to 128.61.240.66
• From our Cuckoo-based analysis, we know that the malware uses the HTTP protocol.
• Let’s make the Internet-related functions have a higher score
• Open score.h, and edit the score of all of the Internet-related functions
• The score is the value at the end (all others are set to 1)
Tutorial – Control Flow Graph Analysis
• Build the control flow graph
• By executing ./generate.py stage1, the tool gives you the CFG
• This finds the function with the higher score
• Implies that this function calls high-score functions during its execution
• For stage2
• Use ’stage2’ as the argument
• Note: your graph and its memory addresses will vary from this example
• The function entry is at the address 405190
• And there is a function (marked as sub) with score 12
• At the address 40525a (marked in red)
• Use the block address, not the call sub_ address
• This implies that
• sub_4050c0 calls some Internet-related functions.
• We need to find out what this command is
• Run from 405190 to 40525a
Tutorial – Finding Command
• Finding Commands with Symbolic Execution
• We want to find a command that drives the malware from 405190 to 40525a
• Let’s do symbolic execution to figure that out
• What is symbolic execution?
• Rather than executing the program with some concrete input, symbolic execution treats the input data as a symbolic variable, then builds expressions over the input along the execution.
• Let’s take an example
Example – Symbolic Execution
• What is Symbolic Execution?
• Symbolic execution moves along the path of conditional statements, and combines all conditions until it reaches the target function. At the end, it solves the expression to get an input that satisfies all of the conditions
• Path explosion
• Modeling statements and environments
• Constraint solving
Example1 – Symbolic Execution
• Code Example (figure): the program prints “Correct!” only when the conditions i+5 < j, then i%2==0, then j%3==0 all hold; otherwise it prints “Incorrect!”
• Expressions collected along the path: i+5 < j; i%2==0; j%3 == 0
• Solve the expression: j > 7, but a multiple of 3, so i=2, j=9 will lead the program to print “Correct!”
Example1 – Symbolic Execution
In this example, ONLY i=2, j=9 will lead the program to print “Correct!”
Symbolic execution is able to solve the expression in order to reach a target, in this case ”Correct”.
Let’s apply it to malware Command & Control logic. A C&C bot (malware) is expecting inputs (solve the expressions) to trigger behaviors (targets).
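An added toy implementation of this idea, written for the slides' Example 1 and not taken from angr or from the course tools: it records the branch conditions along every path of a reconstruction of the example program (the path constraints), then solves the constraints of the path that reaches “Correct!” by bounded enumeration instead of an SMT solver. Starting the enumeration at 1 is an assumption that makes it land on the slide's worked solution.

```python
"""Toy symbolic execution of the slide's first example.

Added example, not from the slides and not angr. Instead of an SMT solver it
collects the branch conditions along every path (the path constraints) and
then solves them by bounded enumeration, which is enough for two small ints.
"""


class Path:
    """Records the branch conditions taken along one execution path."""

    def __init__(self, decisions):
        self.decisions = list(decisions)   # forced outcomes for the first branches
        self.constraints = []              # (description, predicate, outcome)
        self.depth = 0

    def branch(self, predicate, description):
        # Follow the forced decision if one exists; otherwise default to True
        # and remember it so the explorer can fork on this branch later.
        if self.depth < len(self.decisions):
            taken = self.decisions[self.depth]
        else:
            taken = True
            self.decisions.append(taken)
        self.depth += 1
        self.constraints.append((description, predicate, taken))
        return taken


def program(p):
    """Reconstruction of the slide's example: three nested checks on i and j."""
    if p.branch(lambda i, j: i + 5 < j, "i+5 < j"):
        if p.branch(lambda i, j: i % 2 == 0, "i%2 == 0"):
            if p.branch(lambda i, j: j % 3 == 0, "j%3 == 0"):
                return "Correct!"
    return "Incorrect!"


def explore(prog):
    """Enumerate every path through prog as (outcome, path constraints)."""
    results = []
    stack = [[]]
    while stack:
        prefix = stack.pop()
        p = Path(prefix)
        outcome = prog(p)
        # Fork on each branch that was decided by default during this run.
        for k in range(len(prefix), p.depth):
            stack.append(p.decisions[:k] + [False])
        results.append((outcome, p.constraints))
    return results


def solve(constraints, domain):
    """Find (i, j) in domain x domain satisfying every recorded constraint."""
    for i in domain:
        for j in domain:
            if all(pred(i, j) == taken for _, pred, taken in constraints):
                return (i, j)
    return None


def find_inputs(prog, target, domain):
    """First concrete input reaching target, plus the constraints it satisfies."""
    for outcome, constraints in explore(prog):
        if outcome == target:
            solution = solve(constraints, domain)
            if solution is not None:
                return solution, [desc for desc, _, _ in constraints]
    return None


if __name__ == "__main__":
    # Assumption: search both inputs over 1..49, which matches the slide's answer.
    print(find_inputs(program, "Correct!", range(1, 50)))
```

The same structure carries over to the C2 case: the branches are the comparisons of the received command, the target is the function that the CFG scoring pointed at, and the "domain" is the command string the solver has to produce. That is the part a real engine such as angr handles with an SMT solver rather than by enumeration.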
Example2 – Symbolic Execution
• Code Example (figure): the program receives a command; on Command == ‘launch-attack’ it executes attack(), and on Command == ‘remove’ it executes destroy_itself()
• Expressions: Command == ‘launch-attack’; Command == ‘remove’
Example2 – Symbolic Execution
In this example, ONLY the ‘launch-attack’ and ‘remove’ commands (inputs) trigger attack() and destroy_itself().
Symbolic execution is able to find ”launch-attack” as an input to trigger attack(), which is a malicious behavior.
Plus, ”remove” will lead to destroy_itself(), which is another behavior.
Our job in this project with symbolic execution is to find inputs, and then feed the inputs to trigger behaviors.
Symbolic execution engine
• Symbolic Execution Engines: Klee, Angr, Mayhem, etc.
• Loading a binary into the analysis program
• Translating the binary into an intermediate representation (IR)
• Translating that IR into a semantic representation
• Performing the actual analysis with symbolic execution
• For more information: https://www.cs.umd.edu/~mwh/se-tutorial/symbolic-exec.pdf