Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
The Third Hacking and Digital Forensics Exposed (H@dfex 2015)
28 November 2015 | Hotel Indoluxe | Yogyakarta, Indonesia

Malware Analysis



About Me
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Researcher – Information Security Research Group, and Lecturer, Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim

I am currently doing my doctoral study in Universitas Indonesia

Research Interest
• Malware
• Intrusion Detection
• Threats Intelligence
• Vulnerability Analysis
• Digital Forensics
• Cloud Security

Community
• Indonesia Honeynet Project – Chapter Lead
• Academy CSIRT – member
• Asosiasi Digital Forensik Indonesia – member

Agenda

• About Honeynet

• What is Malware?

• Why Malware Analysis?

• Types of Malware Analysis

• Static Analysis

• Dynamic Analysis

• Memory Analysis

• Case Study

• Future Challenges

About Honeynet
• Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)
• Mission: "learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned" – http://www.honeynet.org

About Honeynet
• Share all of our tools, research and findings at no cost to the public – "Know Your Tools" (KYT)
• "Know Your Enemy" (KYE) white papers regularly published on current research topics
• Members release regular activity status reports
• Committed to open source and Creative Commons
• Partially funded by sponsors, nothing to sell!

About Honeynet

Honeynet Project Workshop | 18-20 May 2015 | Stavanger, Norway

About Honeynet

CONPOT 0.5.0 Release | 13 November 2015

About Honeynet

55 Chapters and 37 Countries

About Indonesia Honeynet Project
• 15 passionate security professionals, academicians and government officials met and signed a petition on 25 November 2011
• Indonesia Chapter officially recognized on 9 January 2012
• Current members: 130 (20 active members)

About Indonesia Honeynet Project
• Yearly seminar and workshop since 2012
• Focus on security awareness and security research
• Honeynet communities: Jakarta, Semarang, Surabaya, Yogya, Denpasar, Palembang, Lampung
• Research topics: incident handling, vulnerability analysis, malware, digital forensics, penetration testing, threats intelligence

About Indonesia Honeynet Project

Honeynet Seminar & Workshop | 10-11 June 2015 | Lampung, Indonesia

Honeypots Research & Deployment

2009 – Learning Period
• Honeypot: Nepenthes
• Learning how to install and configure
• # Honeypots deployed: none
• Hardware: client

2011 – Early Period
• Honeypot: Nepenthes, Dionaea
• Deployed 1st honeypot in SGU
• # Honeypots deployed: 1
• Hardware: simple client and server

2013 – Growing Period
• Honeypot: Dionaea
• Target: academic, government, ISP
• # Honeypots deployed: 5
• Hardware: Mini PC and server

2015 – Expanding Period
• Honeypot: Dionaea, Kippo, Glastopf, Honeytrap
• Coverage: Java, Bali, Sumatera
• # Honeypots deployed: 16
• Hardware: Raspberry Pi and dedicated servers

Our Contribution


Attacker Statistics: Attacker IP, Malware, Targeted Ports, Provinces attacked


Other Research

Second Hand USB Forensics and Publications

Join Us

• Indonesia Honeynet Project

• idhoneynet

• http://www.honeynet.or.id

• http://groups.google.com/group/id-honeynet

What is Malware?
• Malware (malicious software)
– any software that disrupts computer operations, gathers sensitive information, or gains access to private computer systems
• Types of malware
– Viruses
– Worms
– Trojans
– Ransomware
– Rootkits

What is Malware?

Reference: PandaLabs Q2 2015 Report

Why Malware Analysis?
• To gain insight into the nature and purpose of the malware
• To identify host-based and network indicators (for forensics: Indicators of Compromise, IOC)
• To understand malware behaviors and its persistence mechanism
• To extract information used for learning and malware detection

Types of Malware Analysis
• Static Analysis – a method of examining a computer program/code without executing the program
• Dynamic Analysis – a method of examining a computer program/code while executing the program in a real or virtual processor
• Memory Analysis – a method of examining a computer program/code after executing the program in a real or virtual processor

Static Analysis
• Disassemble the given binary, Dynamic Link Library (DLL) or APK (mobile app)
• Extract static features, such as metadata of the file (section names) and the body of the file (strings, code, imported libraries)

Static Analysis
• Input file type: EXE, DLL, documents, etc.

• Output:

– Metadata

– Code

– Data

Static analysis pipeline: file binaries → static analysis tools → static features (metadata, code, data)

Static Analysis Tools
• PEiD (http://bob.droppages.com/projects/peid) – packer and compiler detector
• Pafish (https://github.com/a0rtega/pafish) – checks for anti-sandbox and anti-VM techniques
• Yara (https://plusvic.github.io/yara/) – pattern matching for malware analysis
• ssdeep (https://pypi.python.org/pypi/ssdeep) – fuzzy hashing
• Strings utility (https://technet.microsoft.com/en-us/sysinternals/strings.aspx) – string extraction tool
• OllyDbg (http://www.ollydbg.de/) – code debugger
• IDA Pro (https://www.hex-rays.com/products/ida/) – disassembler, debugger

PE (Portable Executable) Header


Source: https://code.google.com/p/corkami/wiki/PE101


Static Analysis
• Questions to answer:
– Is the malware binary packed?
– Can the malware binary be unpacked?
– What are the important static features to be extracted?
• If the malware cannot be unpacked (due to the complexity of the packing method), then we can only rely on dynamic analysis

Static Analysis (Packer Landscape)

https://code.google.com/p/corkami/downloads/detail?name=packers.pdf

Static Analysis
• PE header section entropy: Shannon entropy (bits per byte, maximum 8.0) above roughly 6.67 indicates that a section's data is packed or encrypted. Caveat: compressed resources (images, archives) are also high-entropy, so confirm with section names, the size of the import table and a packer detector such as PEiD.
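The section-table walk and the entropy check above, as an added example that is not code from the slides or from any of the tools listed. It uses only the Python standard library and the PE/COFF offsets documented on the PE101 poster; SAMPLE_PE is a minimal PE32 image constructed in memory (it does not run) with one ordinary code section and two UPX-style sections, and the 6.67 threshold is the one quoted on the slide.

```python
"""Parse the PE section table and score each section's entropy.

Added example, not code from the slides; standard library only.  SAMPLE_PE is a
constructed image, not a real malware sample.
"""
import math
import random
import struct

HIGH_ENTROPY = 6.67          # threshold quoted on the slide; 8.0 is the maximum for bytes
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsect):
        name, vsize, _va, raw_size, raw_ptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "executable": bool(flags & SCN_MEM_EXECUTE),
            "writable": bool(flags & SCN_MEM_WRITE),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packing_indicators(sections) -> list:
    """Cheap 'is it packed?' heuristics: any hit means look closer, none proves nothing."""
    findings = []
    for s in sections:
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f'{s["name"]}: entropy {s["entropy"]} > {HIGH_ENTROPY} (compressed/encrypted data)')
        if s["executable"] and s["writable"]:
            findings.append(f'{s["name"]}: writable and executable (unpacking stub target?)')
        if s["virtual_size"] > 2 * max(s["raw_size"], 1):
            findings.append(f'{s["name"]}: virtual size far larger than raw size (room for unpacked code)')
        if s["name"].upper().startswith("UPX"):
            findings.append(f'{s["name"]}: UPX section name')
    return findings


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32 image from (name, raw bytes, characteristics, virtual size)."""
    opt_size = 0xE0                                   # PE32 optional header, left zeroed
    hdr_len = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, raw_ptr, va = b"", b"", hdr_len, 0x1000
    for name, data, flags, vsize in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF      # FileAlignment 0x200
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += (max(vsize, raw_size) + 0xFFF) & ~0xFFF  # SectionAlignment 0x1000
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table).ljust(hdr_len, b"\0") + body


_rng = random.Random(2015)  # deterministic stand-in for compressed/encrypted bytes
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 400, SCN_MEM_READ | SCN_MEM_EXECUTE | 0x20, 4000),
    (b"UPX0", b"", SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE, 0x20000),
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE, 4096),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(s)
    print("\n".join(packing_indicators(parse_sections(SAMPLE_PE))))
```

The three heuristics are deliberately independent: a UPX-packed binary trips all of them, a custom crypter with renamed sections may only trip entropy and the writable+executable flag, and a benign installer with a large .rsrc trips entropy alone, which is why the entropy number on its own is a hint rather than a verdict.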

Static Analysis – Static Features
• Strings (one of the most important)

• Import DLL

• Assembly Code

• Byte Code

Strings Example - Brute Force Dictionary Password (Allaple Malware Samples)
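What a strings pass over a sample like the one on the slide looks like in code, as an added example (not the Sysinternals Strings utility and not from the slides): it extracts printable ASCII and UTF-16LE runs with their offsets, triages them against a few indicator patterns, and looks for the tell-tale shape of an embedded password dictionary, a long run of short alphanumeric strings separated by single NULs. The input blob, the word list and every URL, share and registry path in it are constructed for the example; the API-name list in TRIAGE is a small hand-picked set, not a complete catalogue.

```python
"""Extract printable ASCII / UTF-16LE strings from a binary blob and triage them.

Added example, not the Strings utility itself.  SAMPLE is a constructed blob that
stands in for the Allaple sample on the slide.
"""
import re

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

TRIAGE = {  # hand-picked indicator patterns (assumption: what an analyst greps for first)
    "url": re.compile(r"https?://|ftp://", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "unc_path": re.compile(r"^\\\\"),
    "registry_run": re.compile(r"\\CurrentVersion\\Run", re.I),
    "win_api": re.compile(r"^(?:WNetAddConnection2|CreateRemoteThread|WriteProcessMemory|URLDownloadToFile)\w*$"),
}

WORDLIST = [b"admin", b"administrator", b"password", b"123456", b"qwerty", b"letmein", b"root", b"guest"]
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"   # constructed header junk
    + bytes(range(256)) * 2                                # binary filler
    + b"\x00".join(WORDLIST) + b"\x00"                     # NUL-separated dictionary
    + b"\\\\%s\\IPC$\x00"                                  # share format string
    + b"http://example.invalid/update.php\x00"            # constructed URL
    + b"WNetAddConnection2A\x00"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
)


def extract_strings(data: bytes):
    """(offset, encoding, text) tuples sorted by offset, like `strings -o` plus wide strings."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16le")))
    return sorted(found)


def triage(strings):
    """Bucket strings by the first indicator pattern they match; unmatched strings are dropped."""
    hits = {}
    for _off, _enc, text in strings:
        for label, rx in TRIAGE.items():
            if rx.search(text):
                hits.setdefault(label, []).append(text)
                break
    return hits


def find_wordlists(strings, min_run=6, max_token=16):
    """A brute-force dictionary shows up as a run of short alphanumeric strings that sit
    back to back with exactly one terminator between them.  Return each run as a list."""
    runs, current, last_end = [], [], None
    for off, enc, text in strings:
        width = 2 if enc == "utf16" else 1
        token_like = text.isalnum() and len(text) <= max_token
        contiguous = last_end is not None and off - last_end <= width
        if token_like and (contiguous or not current):
            current.append(text)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [text] if token_like else []
        last_end = off + len(text) * width
    if len(current) >= min_run:
        runs.append(current)
    return runs


if __name__ == "__main__":
    strs = extract_strings(SAMPLE)
    for off, enc, text in strs:
        print(f"{off:#08x} {enc:5} {text}")
    print(triage(strs))
    print(find_wordlists(strs))
```

The wide-string pass matters on Windows samples: registry paths, mutex names and URLs built with the W-suffixed APIs are stored as UTF-16LE and are invisible to a plain ASCII strings run.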

Dynamic Analysis
• To gain insight into malware behaviors (interactions of the malware binary with the operating system)

• Important Features:

– File System Activities

– Process Activities

– Network Activities

– System Calls

Dynamic Analysis
• Input file type: EXE, DLL, documents, etc.

• Output:

– File System Activities

– Process Activities

– Network Activities

– System Calls

Dynamic analysis pipeline: file binaries → sandbox or virtual environment → dynamic features (file system activities, process activities, network activities, system calls)

Dynamic Analysis Tools
• Detours (http://research.microsoft.com/en-us/projects/detours/) – binary instrumentation for Win32 functions
• Sandboxes:
– Cuckoo Sandbox (http://www.cuckoosandbox.org/)
– Anubis (http://anubis.iseclab.org/)
– ThreatTrack (http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx)
– Comodo Automated Analysis (http://camas.comodo.com/)

Dynamic Analysis

File System Activities, Network Activities, Process Activities

Dynamic Analysis
• Questions to answer:
– Does the malware seem to execute properly?
– Does the malware stop (exit early) while being executed?
– Is there any unique execution behaviour? (file system, process, network, system calls)
• If the malware has anti-analysis checks, those must be defeated first (Pafish is a good tool for finding which sandbox/VM checks your environment fails)
• The sequence of instructions or calls may also be a good feature
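One way to turn the last point into a feature, as an added example that is not code from the slides or from Cuckoo: the ordered list of API names a sandbox records per process is sliced into n-grams, named call sequences are matched against them, and samples are compared by Jaccard similarity of their 3-gram sets, so a repacked copy of a bot still lands next to the original while a benign program does not. The three traces are hand-constructed in the shape of a sandbox log with arguments and return values dropped; the signature table is an assumption of what an analyst would name, not a published rule set.

```python
"""Sandbox API-call traces as n-gram features.

Added example, not from the slides or any sandbox.  TRACES are constructed.
"""
from collections import Counter

TRACES = {
    "sample_a": [
        "GetModuleHandleW", "CreateFileW", "WriteFile", "CloseHandle",
        "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
        "WSAStartup", "socket", "connect", "send", "recv", "closesocket",
    ],
    # same bot repacked: an unpacking stub runs first, then the same behaviour
    "sample_a_repacked": [
        "VirtualAlloc", "VirtualProtect", "GetProcAddress", "GetProcAddress",
        "GetModuleHandleW", "CreateFileW", "WriteFile", "CloseHandle",
        "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
        "WSAStartup", "socket", "connect", "send", "recv", "closesocket",
    ],
    "benign_editor": [
        "GetModuleHandleW", "CreateFileW", "ReadFile", "CloseHandle",
        "CreateWindowExW", "GetMessageW", "DispatchMessageW", "GetMessageW",
        "DispatchMessageW", "CreateFileW", "WriteFile", "CloseHandle",
    ],
}

# Ordered call sequences an analyst would name (assumed, illustrative)
BEHAVIOUR_SIGNATURES = {
    "registry_write": ("RegOpenKeyExW", "RegSetValueExW", "RegCloseKey"),
    "tcp_client": ("socket", "connect", "send"),
    "self_unpack": ("VirtualAlloc", "VirtualProtect"),
}


def ngrams(trace, n):
    """Multiset of length-n call windows; n=1 is a plain bag of API names."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def jaccard(a: Counter, b: Counter) -> float:
    """Set similarity in [0, 1]: 1.0 means identical n-gram vocabularies."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def behaviours(trace):
    """Named sequences present in the trace; each signature is matched at its own n."""
    return {name for name, sig in BEHAVIOUR_SIGNATURES.items() if sig in ngrams(trace, len(sig))}


def nearest(trace, corpus, n=3):
    """Known samples ranked by n-gram Jaccard similarity to a new trace."""
    feats = ngrams(trace, n)
    return sorted(((jaccard(feats, ngrams(t, n)), name) for name, t in corpus.items()), reverse=True)


if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, sorted(behaviours(trace)))
    known = {k: v for k, v in TRACES.items() if k != "sample_a_repacked"}
    print(nearest(TRACES["sample_a_repacked"], known))
```

Order is the point: a bag of API names would score the editor close to the bot (both open, write and close files), while the 3-gram sets keep the register-then-connect sequence that distinguishes them. In practice the feature vectors feed a classifier rather than a nearest-neighbour search, but the similarity values are a quick sanity check that the features carry signal.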

Memory Analysis
• To gain insight into malware "footprints" in memory
• Important features:
– Running processes

– Shared Libraries

– Network Connections

– Hooking Detection

– Rootkit Detection

– Code Injection

– Hidden artifacts

Memory Analysis Tools
• Volatility (https://code.google.com/p/volatility/) – framework for memory analysis

• Dynamic Binary Instrumentation (DBI)

– Pin Tools (https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)

– Valgrind (http://valgrind.org/)

Memory Analysis

Start with what we know

Memory Analysis

Yara scan of the known process

Memory Analysis

The process holding the suspicious mutex is making a network connection

Memory Analysis

File handles whose names start with TDSS

Memory Analysis

File handles whose names start with TDSS, used to detect the hidden file
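The principle behind the last three slides, cross-view detection, as an added example that is not Volatility code and is not from the slides: the same kernel objects are enumerated from independent sources (the EPROCESS linked list, a pool-tag scan, thread ownership, the handle table) and any object that one view knows and another does not is the rootkit's fingerprint. Every view below is constructed; in an investigation each would come from walking a different structure in the dump, and the live directory listing from the (possibly lying) running system. The TDSS-prefixed object names are made up for the example and are not real indicator names.

```python
"""Cross-view detection of hidden processes and hidden files from memory artifacts.

Added example of the idea behind Volatility's psxview/handles plugins; not
Volatility code, no memory image is read, all views are constructed.
"""

# View 1: walk of the EPROCESS doubly linked list (what Task Manager / pslist sees)
PSLIST = {4: "System", 368: "smss.exe", 596: "csrss.exe", 1204: "explorer.exe", 1856: "svchost.exe"}
# View 2: pool-tag scan of physical memory also finds EPROCESS objects unlinked by DKOM
PSSCAN = {**PSLIST, 2220: "svchost.exe"}
# View 3: owner PIDs collected from scanned ETHREAD objects
THREAD_OWNERS = {4, 368, 596, 1204, 1856, 2220}

# Handle table entries: (pid, object type, object name); names are constructed
HANDLES = [
    (1204, "File", "\\Device\\HarddiskVolume1\\Users\\admin"),
    (1856, "File", "\\Device\\Afd\\Endpoint"),
    (2220, "Mutant", "TDSS_lock_example"),
    (2220, "File", "\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\TDSSexample.sys"),
    (2220, "Key", "MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TDSSexample"),
]
DRIVERS_DIR = "\\Device\\HarddiskVolume1\\Windows\\System32\\drivers"
# What a `dir` on the live system reported for that directory (constructed)
LIVE_DRIVERS_LISTING = {"ntfs.sys", "tcpip.sys", "afd.sys"}


def cross_view_processes(pslist, psscan, thread_owners):
    """PIDs not present in every view, with the per-view visibility that explains why."""
    suspicious = {}
    for pid in set(pslist) | set(psscan) | set(thread_owners):
        seen = {"pslist": pid in pslist, "psscan": pid in psscan, "threads": pid in thread_owners}
        if not all(seen.values()):
            suspicious[pid] = (psscan.get(pid) or pslist.get(pid) or "?", seen)
    return suspicious


def handles_with_prefix(handles, prefix, types=("File", "Mutant", "Key")):
    """Filter the handle table the way the slide does: object names starting with a prefix."""
    return [h for h in handles
            if h[1] in types and h[2].split("\\")[-1].upper().startswith(prefix.upper())]


def hidden_files(handles, directory, live_listing):
    """Files some process holds open under `directory` that the live listing does not show.
    A kernel-mode filter that hides its own files cannot hide the open handle."""
    listed = {f.lower() for f in live_listing}
    hidden = set()
    for _pid, typ, name in handles:
        if typ == "File" and name.lower().startswith(directory.lower() + "\\"):
            fname = name[len(directory) + 1:]
            if "\\" not in fname and fname.lower() not in listed:
                hidden.add(fname)
    return hidden


if __name__ == "__main__":
    print(cross_view_processes(PSLIST, PSSCAN, THREAD_OWNERS))
    print(handles_with_prefix(HANDLES, "TDSS"))
    print(hidden_files(HANDLES, DRIVERS_DIR, LIVE_DRIVERS_LISTING))
```

The same comparison generalises to any object the rootkit has to lie about: a driver present in a pool scan but absent from the loaded-module list, a TCP endpoint in the handle table that netstat does not report, a registry key reachable through a handle that the live registry API hides.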

Case Study
• Huge outbound traffic detected on MRTG

Case Study
• Isolate and reconstruct the incident
• Sniff the traffic while the server is running

Lab setup: virtual server (with VM1 running) → switch → desktop acting as gateway

Case Study
• Sending a huge number of SYN packets to an IP address in China
• We found that it was the user .Iptables that was sending the huge traffic

Case Study
• The malware must have entered the system through a service. We noticed that the ssh service was running
• We also noticed that root login was enabled

Case Study
• ssh authentication was successful
• We found that the root password was an easy-to-guess 7-character string (a combination of letters and digits)
• It was a Korean IP address that made the connection

Case Study (Lessons Learned)
• The user (also the admin) installed the system and made some simple but devastating mistakes:
– Used a simple (easy to guess) password
– Left root login over the ssh service enabled
• The malware caused a Denial of Service attack using SYN flooding
• Reverse engineering of the malware showed that it could also perform DNS flooding
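The two lessons above as detection and audit logic, added here as an example that is not code from the slides: the first function walks OpenSSH auth.log lines in the order syslog writes them and raises an alert when an Accepted login follows a run of failures from the same source, rating a password login as root highest; the second reads an sshd_config fragment and flags the two settings the admin got wrong. The log lines, hostnames, IPs (documentation ranges) and the config fragment are all constructed for the example.

```python
"""Spot an SSH password brute force that ends in a successful root login, and
audit the sshd settings that made it possible.

Added example for the case study, not code from the slides.  AUTH_LOG and
WEAK_SSHD_CONFIG are constructed; the IPs are documentation ranges.
"""
import re
from collections import defaultdict

AUTH_LOG = """\
Nov 20 02:14:01 web1 sshd[4711]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 20 02:14:03 web1 sshd[4713]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 20 02:14:05 web1 sshd[4715]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Nov 20 02:14:07 web1 sshd[4717]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 20 02:14:09 web1 sshd[4719]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Nov 20 02:30:11 web1 sshd[4801]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
""".splitlines()

WEAK_SSHD_CONFIG = """\
# constructed fragment of the compromised server's sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

SSHD_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def brute_force_logins(lines, min_failures=3):
    """One alert per Accepted login whose source IP already had >= min_failures failures.
    Lines are processed in file order, so only failures *before* the success count."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        m = SSHD_LINE.search(line)
        if not m:
            continue
        ip, user, method, result = m["ip"], m["user"], m["method"], m["result"]
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            alerts.append({
                "ip": ip, "user": user, "method": method, "failures_before": failures[ip],
                "severity": "critical" if user == "root" and method == "password" else "high",
            })
    return alerts


def sshd_config_findings(text):
    """Flag the two settings from the case study.  Defaults matter: OpenSSH ships with
    PasswordAuthentication yes, so an absent line is still a finding."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            seen[key] = value.strip().lower()
    findings = []
    if seen.get("PermitRootLogin") == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly; set it to no")
    if seen.get("PasswordAuthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes (or unset): a guessable 7-character password is enough; use keys")
    return findings


if __name__ == "__main__":
    for alert in brute_force_logins(AUTH_LOG):
        print(alert)
    print("\n".join(sshd_config_findings(WEAK_SSHD_CONFIG)))
```

The failure threshold is deliberately low: a single source trying several usernames before a success is the signature of a dictionary attack whichever account it lands on, and the `invalid user` lines (accounts that do not exist) count toward it.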

Current and Future Challenges
• Malware packers or crypters
• Anti-analysis (anti-debugging, anti-disassembly, anti-sandbox, anti-emulation)
• NO SILVER BULLET
• Must use a combination of all malware analysis techniques
• Machine learning is also a big help

Related Publications• Joshua Tommy Juwono, Charles Lim, Alva Erwin, A Comparative Study

of Behavior Analysis Sandboxes in Malware Detection, The 3rd International Conference on New Media 2015, Jakarta, Indonesia, 2015

• Charles Lim, Nicsen, Mal-EVE Static Detection Model for Evasive Malware, 10th EAI International Conference on Communications and Networking in China, Shanghai, China, 2015

• Charles Lim, Darryl Y. Sulistyan, Suryadi, and Kalamullah Ramli, Experiences in Instrumented Binary Analysis for Malware, The 3rd International Conference on Internet Services Technology and Information Engineering 2015 (ISTIE 2015), Bali, 2015

• Charles Lim, Meily, Nicsen, and Herry Ahmadi, Forensics Analysis of USB Flash Drives in Educational Environment, The 8th International Conference on Information & Communication Technology and Systems, Surabaya, 2014

• Charles Lim, and Kalamullah Ramli, Mal-ONE: A Unified Framework for Fast and Efficient Malware Detection, 2014 2nd International Conference on Technology, Informatics, Management, Engineering & Environment, Bandung, 2014.

Conclusion
• Malware continues to rise in numbers and sophistication
• Malware authors usually combine common malware modules with few changes
• Packers and anti-analysis are real challenges
• Malware analysis is usually part of threats intelligence, incident response, and digital forensics
• There is no silver bullet for malware analysis

Call for More Research

• Indonesia Honeynet Project

• idhoneynet

• http://www.honeynet.or.id

• http://groups.google.com/group/id-honeynet